{"title": "On the Hardness of Robust Classification", "book": "Advances in Neural Information Processing Systems", "page_first": 7446, "page_last": 7455, "abstract": "It is becoming increasingly important to understand the vulnerability of machine learning models to adversarial attacks. In this paper we study the feasibility of robust learning from the perspective of computational learning theory, considering both sample and computational complexity. In particular, our definition of robust learnability requires polynomial sample complexity. We start with two negative results. We show that no non-trivial concept class can be robustly learned in the distribution-free setting against an adversary who can perturb just a single input bit. We show moreover that the class of monotone conjunctions cannot be robustly learned under the uniform distribution against an adversary who can perturb $\\omega(\\log n)$ input bits. However if the adversary is restricted to perturbing $O(\\log n)$ bits, then the class of monotone conjunctions can be robustly learned with respect to a general class of distributions (that includes the uniform distribution). Finally, we provide a simple proof of the computational hardness of robust learning on the boolean hypercube. Unlike previous results of this nature, our result does not rely on another computational model (e.g. the statistical query model) nor on any hardness assumption other than the existence of a hard learning problem in the PAC framework.", "full_text": "On the Hardness of Robust Classi\ufb01cation\n\nPascale Gourdeau\nUniversity of Oxford\n\npascale.gourdeau@cs.ox.ac.uk\n\nVarun Kanade\n\nUniversity of Oxford\n\nvarunk@cs.ox.ac.uk\n\nMarta Kwiatkowska\nUniversity of Oxford\n\nJames Worrell\n\nUniversity of Oxford\n\nmarta.kwiatkowska@cs.ox.ac.uk\n\njames.worrell@cs.ox.ac.uk\n\nAbstract\n\nIt is becoming increasingly important to understand the vulnerability of machine\nlearning models to adversarial attacks. 
In this paper we study the feasibility of robust learning from the perspective of computational learning theory, considering both sample and computational complexity. In particular, our definition of robust learnability requires polynomial sample complexity. We start with two negative results. We show that no non-trivial concept class can be robustly learned in the distribution-free setting against an adversary who can perturb just a single input bit. We show moreover that the class of monotone conjunctions cannot be robustly learned under the uniform distribution against an adversary who can perturb $\\omega(\\log n)$ input bits. However if the adversary is restricted to perturbing $O(\\log n)$ bits, then the class of monotone conjunctions can be robustly learned with respect to a general class of distributions (that includes the uniform distribution). Finally, we provide a simple proof of the computational hardness of robust learning on the boolean hypercube. Unlike previous results of this nature, our result does not rely on another computational model (e.g. the statistical query model) nor on any hardness assumption other than the existence of a hard learning problem in the PAC framework.\n\n1 Introduction\n\nThere has been considerable interest in adversarial machine learning since the seminal work of Szegedy et al. [25], who coined the term adversarial example to denote the result of applying a carefully chosen perturbation that causes a classification error to a previously correctly classified datum. Biggio et al. [4] independently observed this phenomenon. However, as pointed out by Biggio and Roli [3], adversarial machine learning has been considered much earlier in the context of spam filtering [8, 19, 20]. 
Their survey also distinguished two settings: evasion attacks, where an adversary modifies data at test time, and poisoning attacks, where the adversary modifies the training data.\u00b9\n\nSeveral different definitions of adversarial learning exist in the literature and, unfortunately, in some instances the same terminology has been used to refer to different notions (for some discussion see e.g., [11, 10]). Our goal in this paper is to take the most widely-used definitions and consider their implications for robust learning from a statistical and computational viewpoint. For simplicity, we will focus on the setting where the input space is the boolean hypercube $X = \\{0, 1\\}^n$ and consider the realizable setting, i.e. the labels are consistent with a target concept in some concept class.\n\nAn adversarial example is constructed from a natural example by adding a perturbation. Typically, the power of the adversary is curtailed by specifying an upper bound on the perturbation under some norm; in our case, the only meaningful norm is the Hamming distance. For a point $x \\in X$, let $B_\\rho(x)$ denote the Hamming ball of radius $\\rho$ around $x$. Given a distribution $D$ on $X$, we consider the adversarial risk of a hypothesis $h$ with respect to a target concept $c$ and perturbation budget $\\rho$. We focus on two definitions of risk. The exact in the ball risk $R^E_\\rho(h, c)$ is the probability $P_{x \\sim D}(\\exists y \\in B_\\rho(x) \\cdot h(y) \\neq c(y))$ that the adversary can perturb a point $x$ drawn from distribution $D$ to a point $y$ such that $h(y) \\neq c(y)$. The constant in the ball risk $R^C_\\rho(h, c)$ is the probability $P_{x \\sim D}(\\exists y \\in B_\\rho(x) \\cdot h(y) \\neq c(x))$ that the adversary can perturb a point $x$ drawn from distribution $D$ to a point $y$ such that $h(y) \\neq c(x)$. These definitions encode two different interpretations of robustness. In the first view, robustness speaks about the fidelity of the hypothesis to the target concept, whereas in the latter view robustness concerns the sensitivity of the output of the hypothesis to corruptions of the input. In fact, the latter view of robustness can in some circumstances be in conflict with accuracy in the traditional sense [26].\n\n\u00b9 For an in-depth review and definitions of different types of attacks, the reader may refer to [3, 11].\n\n33rd Conference on Neural Information Processing Systems (NeurIPS 2019), Vancouver, Canada.\n\nFigure 1: (a) The support of the distribution is such that $R^C_\\rho(h, c) = 0$ can only be achieved if $c$ is constant. (b) The $\\rho$-expansion of the support of the distribution and target $c$ admit hypotheses $h$ such that $R^C_\\rho(h, c) = 0$. (c) An example where $R^C_\\rho$ and $R^E_\\rho$ differ. The red concept is the target, while the blue one is the hypothesis. The dots are the support of the distribution and the shaded regions represent their $\\rho$-expansion. The diamonds represent perturbed inputs which cause $R^E_\\rho > 0$.\n\n1.1 Overview of Our Contributions\n\nWe view our conceptual contributions to be at least as important as the technical results and believe that the issues highlighted in our work will result in more concrete theoretical frameworks being developed to study adversarial learning.\n\nImpossibility of Robust Learning in Distribution-Free PAC Setting\n\nWe first consider the question of whether achieving zero (or low) robust risk is possible under either of the two definitions. If the balls of radius $\\rho$ around the data points intersect so that the total region is connected, then unless the target function is constant, it is impossible to achieve $R^C_\\rho(h, c) = 0$ (see Figure 1). In particular, in most cases $R^C_\\rho(c, c) \\neq 0$, i.e., even the target concept does not have zero risk with respect to itself. 
We show that this is the case for extremely simple concept classes such as dictators or parities. When considering the exact in the ball notion of robust learning, we at least have $R^E_\\rho(c, c) = 0$; in particular, any concept class that can be exactly learned can be robustly learned in this sense. However, even in this case we show that no \u201cnon-trivial\u201d class of functions can be robustly learned. We highlight that these results show that a polynomial-size sample from the unknown distribution is not sufficient, even if the learning algorithm has arbitrary computational power (in the sense of Turing computability).\u00b2\n\n\u00b2 We do require that any operation performed by the learning algorithm be computable; the results of Bubeck et al. [7] imply that an algorithm that can potentially evaluate uncomputable functions can always robustly learn using a polynomial-size sample. See the discussion on computational hardness below.\n\nRobust Learning of Monotone Conjunctions\n\nGiven the impossibility of distribution-free robust learning, we consider robust learning under specific distributions. We consider one of the simplest concept classes studied in PAC Learning, the class of monotone conjunctions, under the class of log-Lipschitz distributions (which includes the uniform distribution) and show that this class of functions is robustly learnable provided $\\rho = O(\\log n)$ and is not robustly learnable with polynomial sample complexity for $\\rho = \\omega(\\log n)$. A class of distributions is said to be $\\alpha$-log-Lipschitz if the logarithm of the density function is $\\log(\\alpha)$-Lipschitz with respect to the Hamming distance. Our results apply in the setting where the learning algorithm only receives random labeled examples. On the other hand, a more powerful learning algorithm that has access to membership queries can exactly learn monotone conjunctions and as a result can also robustly learn with respect to the exact in the ball loss.\n\nComputational Hardness of PAC Learning\n\nFinally, we consider computational aspects of robust learning. Our focus is on two questions: computability and computational complexity. Recent work by Bubeck et al. [7] provides a result that states that minimizing the robust loss on a polynomial-size sample suffices for robust learning. However, because of the existential quantifier over the ball implicit in the definition of the exact in the ball loss, the empirical risk cannot be computed as this requires enumeration over the reals. Even if one restricted attention to concepts defined over $\\mathbb{Q}^n$, computing the loss would be recursively enumerable, but not recursive. In the case of functions defined over finite instance spaces, such as the boolean hypercube, the loss can be evaluated provided the learning algorithm has access to a membership query oracle; for the constant in the ball loss membership queries are not required. For functions defined on $\\mathbb{R}^n$ it is unclear how either loss function can be evaluated even if the learner has access to membership queries, since in principle it requires enumerating over the reals. Under strong assumptions of inductive bias on the target and hypothesis class, it may be possible to evaluate the loss functions; however this would have to be handled on a case by case basis \u2013 for example, properties of the target and hypothesis, such as Lipschitzness or large margin, could be used to compute the exact in the ball loss in finite time.\n\nSecond, we consider the computational complexity of robust learning. Bubeck et al. [6] and Degwekar and Vaikuntanathan [9] have shown that there are concept classes that are hard to robustly learn under cryptographic assumptions, even when robust learning is information-theoretically feasible. Bubeck et al. [7] establish super-polynomial lower bounds for robust learning in the statistical query framework. We give an arguably simpler proof of hardness, based simply on the assumption that there exist concept classes that are hard to PAC learn. In particular, our reduction also implies that robust learning is hard even if the learning algorithm is allowed membership queries, provided the concept class that we reduce from is hard to learn using membership queries. Since the existence of one-way functions implies the existence of concept classes that are hard to PAC learn (with or without membership queries), our result is also based on a slightly weaker assumption than Bubeck et al. [7].\u00b3\n\n1.2 Related work on the Existence of Adversarial Examples\n\nThere is a considerable body of work that studies the inevitability of adversarial examples, e.g., [12, 14, 13, 16, 24]. These papers characterize robustness in the sense that a classifier\u2019s output on a point should not change if a perturbation of a certain magnitude is applied to it. Among other things, these works study geometrical characteristics of classifiers and statistical characteristics of classification data that lead to adversarial vulnerability.\n\nCloser to the present paper are [10, 21, 22], which work with the exact-in-a-ball notion of robust risk. In particular, [10] considers the robustness of monotone conjunctions under the uniform distribution on the boolean hypercube for this notion of risk (therein called the error region risk). 
However [10] does not address the sample and computational complexity of learning: their results rather concern the ability of an adversary to magnify the misclassification error of any hypothesis with respect to any target function by perturbing the input. For example, they show that an adversary who can perturb $O(\\sqrt{n})$ bits can increase the misclassification probability from 0.01 to 1/2. By contrast we show that a weaker adversary, who can perturb only $\\omega(\\log n)$ bits, renders it impossible to learn monotone conjunctions with polynomial sample complexity. The main tool used in [10] is the isoperimetric inequality for the Boolean hypercube, which gives lower bounds on the volume of the expansions of arbitrary subsets. On the other hand, we use the probabilistic method to establish the existence of a single hard-to-learn target concept for any given algorithm with polynomial sample complexity.\n\n\u00b3 It is believed that the existence of hard to PAC learn concept classes is not sufficient to construct one-way functions [1].\n\n2 Definition of Robust Learning\n\nThe notion of robustness can be accommodated within the basic set-up of PAC learning by adapting the definition of risk function. In this section we review two of the main definitions of robust risk that have been used in the literature. For concreteness we consider an input space $X = \\{0, 1\\}^n$ with metric $d : X \\times X \\to \\mathbb{N}$, where $d(x, y)$ is the Hamming distance of $x, y \\in X$. Given $x \\in X$, we write $B_\\rho(x)$ for the ball $\\{y \\in X : d(x, y) \\leq \\rho\\}$ with centre $x$ and radius $\\rho \\geq 0$. The first definition of robust risk asks that the hypothesis be exactly equal to the target concept in the ball $B_\\rho(x)$ of radius $\\rho$ around a \u201ctest point\u201d $x \\in X$:\n\nDefinition 1. Given respective hypothesis and target functions $h, c : X \\to \\{0, 1\\}$, distribution $D$ on $X$, and robustness parameter $\\rho \\geq 0$, we define the \u201cexact in the ball\u201d robust risk of $h$ with respect to $c$ to be\n\n$$R^E_\\rho(h, c) = P_{x \\sim D}\\left(\\exists z \\in B_\\rho(x) : h(z) \\neq c(z)\\right) .$$\n\nWhile this definition captures a natural notion of robustness, an obvious disadvantage is that evaluating the risk function requires the learner to have knowledge of the target function outside of the training set, e.g., through membership queries. Nonetheless, by considering a learner who has oracle access to the predicate $\\exists z \\in B_\\rho(x) : h(z) \\neq c(z)$, we can use the exact-in-the-ball framework to analyse sample complexity and to prove strong lower bounds on the computational complexity of robust learning.\n\nA popular alternative to the exact-in-the-ball risk function in Definition 1 is the following constant-in-the-ball risk function:\n\nDefinition 2. Given respective hypothesis and target functions $h, c : X \\to \\{0, 1\\}$, distribution $D$ on $X$, and robustness parameter $\\rho \\geq 0$, we define the \u201cconstant in the ball\u201d robust risk of $h$ with respect to $c$ as\n\n$$R^C_\\rho(h, c) = P_{x \\sim D}\\left(\\exists z \\in B_\\rho(x) : h(z) \\neq c(x)\\right) .$$\n\nAn obvious advantage of the constant in the ball risk over the exact in the ball version is that in the former, evaluating the loss at point $x \\in X$ requires only knowledge of the correct label of $x$ and the hypothesis $h$. In particular, this definition can also be carried over to the non-realizable setting, in which there is no target. However, from a foundational point of view the constant in the ball risk has some drawbacks: recall from the previous section that under this definition it is possible to have strictly positive robust risk in the case that $h = c$. (Let us note in passing that the risk functions $R^C_\\rho$ and $R^E_\\rho$ are in general incomparable. Figure 1c gives an example in which $R^C_\\rho = 0$ and $R^E_\\rho > 0$.) Additionally, when we work in the hypercube, or a bounded input space, as $\\rho$ becomes larger, we eventually require the function to be constant in the whole space. Essentially, to $\\rho$-robustly learn in the realisable setting, we require concept and distribution pairs to be represented as two sets $D^+$ and $D^-$ whose $\\rho$-expansions don\u2019t intersect, as illustrated in Figures 1a and 1b. These limitations appear even more stringent when we consider simple concept classes such as parity functions, which are defined for an index set $I \\subseteq [n]$ as $f_I(x) = \\sum_{i \\in I} x_i + b \\bmod 2$ for $b \\in \\{0, 1\\}$. This class can be PAC-learned, as well as exactly learned with $n$ membership queries. However, for any point, it suffices to flip one bit of the index set to switch the label, so $R^C_\\rho(f_I, f_I) = 1$ for any $\\rho \\geq 1$ if $I \\neq \\emptyset$. Ultimately, we want the adversary\u2019s power to come from creating perturbations that cause the hypothesis and target functions to differ in some regions of the input space. For this reason we favor the exact-in-the-ball definition and henceforth work with that.\n\nHaving settled on a risk function, we now formulate the definition of robust learning. For our purposes a concept class is a family $C = \\{C_n\\}_{n \\in \\mathbb{N}}$, with $C_n$ a class of functions from $\\{0, 1\\}^n$ to $\\{0, 1\\}$. Likewise a distribution class is a family $\\mathcal{D} = \\{\\mathcal{D}_n\\}_{n \\in \\mathbb{N}}$, with $\\mathcal{D}_n$ a set of distributions on $\\{0, 1\\}^n$. Finally a robustness function is a function $\\rho : \\mathbb{N} \\to \\mathbb{N}$.\n\nDefinition 3. Fix a function $\\rho : \\mathbb{N} \\to \\mathbb{N}$. We say that an algorithm $A$ efficiently $\\rho$-robustly learns a concept class $C$ with respect to distribution class $\\mathcal{D}$ if there exists a polynomial $\\mathrm{poly}(\\cdot, \\cdot, \\cdot)$ such that for all $n \\in \\mathbb{N}$, all target concepts $c \\in C_n$, all distributions $D \\in \\mathcal{D}_n$, and all accuracy and confidence parameters $\\epsilon, \\delta > 0$, there exists $m \\leq \\mathrm{poly}(1/\\epsilon, 1/\\delta, n)$, such that when $A$ is given access to a sample $S \\sim D^m$ it outputs $h : \\{0, 1\\}^n \\to \\{0, 1\\}$ such that $P_{S \\sim D^m}\\left(R^E_{\\rho(n)}(h, c) < \\epsilon\\right) > 1 - \\delta$.\n\nNote that the definition of robust learning requires polynomial sample complexity and allows improper learning (the hypothesis $h$ need not belong to the concept class $C_n$).\n\nIn the standard PAC framework, a hypothesis $h$ is considered to have zero risk with respect to a target concept $c$ when $P_{x \\sim D}(h(x) \\neq c(x)) = 0$. We have remarked that exact learnability implies robust learnability; we next give an example of a concept class $C$ and distribution $D$ such that $C$ is PAC learnable under $D$ with zero risk and yet cannot be robustly learned under $D$ (regardless of the sample complexity).\n\nLemma 4. The class of dictators is not 1-robustly learnable (and thus not robustly learnable for any $\\rho \\geq 1$) with respect to the robust risk of Definition 1 in the distribution-free setting.\n\nProof. Let $c_1$ and $c_2$ be the dictators on variables $x_1$ and $x_2$, respectively. Let $D$ be such that $P_{x \\sim D}(x_1 = x_2) = 1$ and $P_{x \\sim D}(x_k = 1) = 1/2$ for $k \\geq 3$. Draw a sample $S \\sim D^m$ and label it according to $c \\sim U(c_1, c_2)$. By the choice of $D$, the elements of $S$ will have the same label regardless of whether $c_1$ or $c_2$ was picked. However, for $x \\sim D$, it suffices to flip any of the first two bits to cause $c_1$ and $c_2$ to disagree on the perturbed input. We can easily show that, for any $h \\in \\{0, 1\\}^X$, $R^E_1(c_1, h) + R^E_1(c_2, h) \\geq R^E_1(c_1, c_2) = 1$. Then\n\n$$\\mathbb{E}_{c \\sim U(c_1, c_2)}\\, \\mathbb{E}_{S \\sim D^m}\\left[R^E_1(h, c)\\right] \\geq 1/2 .$$\n\nWe conclude that one of $c_1$ or $c_2$ has robust risk at least $1/2$.\n\nNote that a PAC learning algorithm with error probability threshold $\\epsilon = 1/3$ will either output $c_1$ or $c_2$ and will hence have standard risk zero. We refer the reader to Appendix B for further discussion on the relationship between robust and zero-risk learning.\n\n3 No Distribution-Free Robust Learning in $\\{0, 1\\}^n$\n\nIn this section, we show that no non-trivial concept class is efficiently 1-robustly learnable in the boolean hypercube. Such a class is thus not efficiently $\\rho$-robustly learnable for any $\\rho \\geq 1$. Efficient robust learnability then requires access to a more powerful learning model or distributional assumptions.\n\nLet $C_n$ be a concept class on $\\{0, 1\\}^n$, and define a concept class as $C = \\bigcup_{n \\geq 1} C_n$. We say that a class of functions is trivial if $C_n$ has at most two functions, and that they differ on every point.\n\nTheorem 5. Any concept class $C$ is efficiently distribution-free robustly learnable iff it is trivial.\n\nThe proof of the theorem relies on the following lemma:\n\nLemma 6. Let $c_1, c_2 \\in \\{0, 1\\}^X$ and fix a distribution on $X$. Then for all $h : \\{0, 1\\}^n \\to \\{0, 1\\}$\n\n$$R^E_\\rho(c_1, c_2) \\leq R^E_\\rho(c_1, h) + R^E_\\rho(c_2, h) .$$\n\nProof. Let $x \\in \\{0, 1\\}^n$ be arbitrary, and suppose that $c_1$ and $c_2$ differ on some $z \\in B_\\rho(x)$. Then either $h(z) \\neq c_1(z)$ or $h(z) \\neq c_2(z)$. The result follows.\n\nThe idea of the proof of Theorem 5 (which can be found in Appendix C) is a generalization of the proof of Lemma 4 that dictators are not robustly learnable. However, note that we construct a distribution whose support is all of $X$. 
It is possible to find two hypotheses $c_1$ and $c_2$ and create a distribution such that $c_1$ and $c_2$ will likely look identical on samples of size polynomial in $n$ but have robust risk $\\Omega(1)$ with respect to one another. Since any hypothesis $h$ in $\\{0, 1\\}^X$ will disagree either with $c_1$ or $c_2$ on a given point $x$ if $c_1(x) \\neq c_2(x)$, by choosing the target hypothesis $c$ at random from $c_1$ and $c_2$, we can guarantee that $h$ won\u2019t be robust against $c$ with positive probability. Finally, note that an analogous argument can be made for a more general setting (for example in $\\mathbb{R}^n$).\n\n4 Monotone Conjunctions\n\nIt turns out that we do not need recourse to \u201cbad\u201d distributions to show that very simple classes of functions are not efficiently robustly learnable. As we demonstrate in this section, MON-CONJ, the class of monotone conjunctions, is not efficiently robustly learnable even under the uniform distribution for robustness parameters that are superlogarithmic in the input dimension.\n\n4.1 Non-Robust Learnability\n\nThe idea to show that MON-CONJ is not efficiently robustly learnable is in the same vein as the proof of Theorem 5. We first start by proving the following lemma, which lower bounds the robust risk of two disjoint monotone conjunctions.\n\nLemma 7. Under the uniform distribution, for any $n \\in \\mathbb{N}$, disjoint $c_1, c_2 \\in$ MON-CONJ of length $3 \\leq l \\leq n/2$ on $\\{0, 1\\}^n$ and robustness parameter $\\rho \\geq l/2$, we have that $R^E_\\rho(c_1, c_2)$ is bounded below by a constant that can be made arbitrarily close to $1/2$ as $l$ gets larger.\n\nProof. For a hypothesis $c \\in$ MON-CONJ, let $I_c$ be the set of variables in $c$. Let $c_1, c_2 \\in C$ be as in the lemma statement. Then the robust risk $R^E_\\rho(c_1, c_2)$ is bounded below by\n\n$$P_{x \\sim D}\\left(c_1(x) = 0 \\wedge x \\text{ has at least } l/2 \\text{ 1\u2019s in } I_{c_2}\\right) = (1 - 2^{-l})/2 .$$\n\nNow, the following lemma shows that if we choose the length of the conjunctions $c_1$ and $c_2$ to be super-logarithmic in $n$, then, for a sample of size polynomial in $n$, $c_1$ and $c_2$ will agree on $S$ with probability at least $1/2$. The proof can be found in Appendix D.1.\n\nLemma 8. For any functions $l(n) = \\omega(\\log(n))$ and $m(n) = \\mathrm{poly}(n)$, for any disjoint monotone conjunctions $c_1, c_2$ such that $|I_{c_1}| = |I_{c_2}| = l(n)$, there exists $n_0$ such that for all $n \\geq n_0$, a sample $S$ of size $m(n)$ sampled i.i.d. from $D$ will have that $c_1(x) = c_2(x) = 0$ for all $x \\in S$ with probability at least $1/2$.\n\nWe are now ready to prove our main result of the section.\n\nTheorem 9. MON-CONJ is not efficiently $\\rho$-robustly learnable for $\\rho(n) = \\omega(\\log(n))$ under the uniform distribution.\n\nProof. Fix any algorithm $A$ for learning MON-CONJ. We will show that the expected robust risk between a randomly chosen target function and any hypothesis returned by $A$ is bounded below by a constant. Fix a function $\\mathrm{poly}(\\cdot, \\cdot, \\cdot, \\cdot, \\cdot)$, and note that, since $\\mathrm{size}(c)$ and $\\rho$ are both at most $n$, we can simply consider a function $\\mathrm{poly}(\\cdot, \\cdot, \\cdot)$ in the variables $1/\\epsilon$, $1/\\delta$ and $n$ instead. Let $\\delta = 1/2$, and fix a function $l(n) = \\omega(\\log(n))$ that satisfies $l(n) \\leq n/2$, and let $\\rho(n) = l(n)/2$ ($n$ is not yet fixed). Let $n_0$ be as in Lemma 8, where $m(n)$ is the fixed sample complexity function. Then Equation (8) holds for all $n \\geq n_0$. Now, let $D$ be the uniform distribution on $\\{0, 1\\}^n$ for $n \\geq \\max(n_0, 3)$, and choose $c_1, c_2$ as in Lemma 7. Note that $R^E_\\rho(c_1, c_2) > 5/12$ by the choice of $n$. Pick the target function $c$ uniformly at random between $c_1$ and $c_2$, and label $S \\sim D^m$ with $c$, where $m = \\mathrm{poly}(1/\\epsilon, 1/\\delta, n)$. By Lemma 8, $c_1$ and $c_2$ agree with the labeling of $S$ (which implies that all the points have label 0) with probability at least $1/2$ over the choice of $S$. Define the following three events for $S \\sim D^m$:\n\n$$E : c_1|_S = c_2|_S , \\quad E_{c_1} : c = c_1 , \\quad E_{c_2} : c = c_2 .$$\n\nThen, by Lemmas 8 and 6,\n\n$$\\begin{aligned} \\mathbb{E}_{c,S}\\left[R^E_\\rho(A(S), c)\\right] &\\geq P_{c,S}(E)\\, \\mathbb{E}_{c,S}\\left[R^E_\\rho(A(S), c) \\mid E\\right] \\\\ &= \\frac{1}{2}\\left( P_{c,S}(E_{c_1})\\, \\mathbb{E}_S\\left[R^E_\\rho(A(S), c) \\mid E \\cap E_{c_1}\\right] + P_{c,S}(E_{c_2})\\, \\mathbb{E}_S\\left[R^E_\\rho(A(S), c) \\mid E \\cap E_{c_2}\\right] \\right) \\\\ &= \\frac{1}{4}\\, \\mathbb{E}_S\\left[R^E_\\rho(A(S), c_1) + R^E_\\rho(A(S), c_2) \\mid E\\right] \\\\ &\\geq \\frac{1}{4}\\, \\mathbb{E}_S\\left[R^E_\\rho(c_2, c_1)\\right] \\\\ &> 0.1 . \\end{aligned}$$\n\n4.2 Robust Learnability Against a Logarithmically-Bounded Adversary\n\nThe argument showing the non-robust learnability of MON-CONJ under the uniform distribution in the previous section cannot be carried through if the conjunction lengths are logarithmic in the input dimension, or if the robustness parameter is small compared to that target conjunction\u2019s length. In both cases, we show that it is possible to efficiently robustly learn these conjunctions if the class of distributions is $\\alpha$-log-Lipschitz, i.e. there exists a universal constant $\\alpha \\geq 1$ such that for all $n \\in \\mathbb{N}$, all distributions $D$ on $\\{0, 1\\}^n$ and for all input points $x, x' \\in \\{0, 1\\}^n$, if $d_H(x, x') = 1$, then $|\\log(D(x)) - \\log(D(x'))| \\leq \\log(\\alpha)$ (see Appendix A.3 for further details and useful facts).\n\nTheorem 10. Let $\\mathcal{D} = \\{\\mathcal{D}_n\\}_{n \\in \\mathbb{N}}$, where $\\mathcal{D}_n$ is a set of $\\alpha$-log-Lipschitz distributions on $\\{0, 1\\}^n$ for all $n \\in \\mathbb{N}$. Then the class of monotone conjunctions is $\\rho$-robustly learnable with respect to $\\mathcal{D}$ for robustness function $\\rho(n) = O(\\log n)$.\n\nThe proof can be found in Appendix D. 
This combined with Theorem 10 shows that $\\rho(n) = \\log(n)$ is essentially the threshold for efficient robust learnability of the class MON-CONJ.\n\n5 Computational Hardness of Robust Learning\n\nIn this section, we establish that the computational hardness of PAC-learning a concept class $C$ with respect to a distribution class $\\mathcal{D}$ implies the computational hardness of robustly learning a family of concept-distribution pairs from a related class $C'$ and a restricted class of distributions $\\mathcal{D}'$. This is essentially a version of the main result of [7], which used the constant-in-the-ball definition of robust risk. Our proof also uses the [7] trick of encoding a point\u2019s label in the input for the robust learning problem. Interestingly, our proof does not rely on any assumption other than the existence of a hard learning problem in the PAC framework and is valid under both Definitions 1 and 2 of robust risk.\n\nConstruction of $C'$. Suppose we are given $C = \\{C_n\\}_{n \\in \\mathbb{N}}$ and $\\mathcal{D} = \\{\\mathcal{D}_n\\}_{n \\in \\mathbb{N}}$ with $C_n$ and $\\mathcal{D}_n$ defined on $X_n = \\{0, 1\\}^n$. Given $k \\in \\mathbb{N}$, we define the family of concept and distribution pairs $\\{(c', D')\\}_{D' \\in \\mathcal{D}'_{c'},\\, c' \\in C'}$, where $C' = \\{C'_{(k,n)}\\}_{k,n \\in \\mathbb{N}}$ on $X'_{k,n} = \\{0, 1\\}^{(2k+1)n+1}$, as follows. Let $\\mathrm{maj}_k : X'_{k,n} \\to X_n$ be the function that returns the majority vote on each subsequent block of $k$ bits, and ignores the last bit. We define $C'_{(k,n)} = \\{c \\circ \\mathrm{maj}_{2k+1} \\mid c \\in C_n\\}$. Let $\\varphi_k : X_n \\to X'_{k,n}$ be defined as\n\n$$\\varphi_k(x) := \\underbrace{x_1 \\ldots x_1\\, x_2 \\ldots x_{d-1}\\, x_d \\ldots x_d}_{2k+1 \\text{ copies of each } x_i}\\, c(x) , \\qquad \\varphi_k(S) := \\{\\varphi_k(x_i) \\mid x_i \\in S\\} ,$$\n\nfor $x = x_1 x_2 \\ldots x_d \\in X$ and $S \\subseteq X$. For a concept $c \\in C_n$, each $D \\in \\mathcal{D}_n$ induces a distribution $D' \\in \\mathcal{D}'_{c'}$, where $c' = c \\circ \\mathrm{maj}_{2k+1}$ and $D'(z) = D(x)$ if $z = \\varphi_k(x)$, and $D'(z) = 0$ otherwise. As shown below, this set up allows us to see that any algorithm for learning $C_n$ with respect to $\\mathcal{D}_n$ yields an algorithm for learning the pairs $\\{(c', D')\\}_{D' \\in \\mathcal{D}'_{c'},\\, c' \\in C'}$. However, any robust learning algorithm cannot solely rely on the last bit of the input, as it could be flipped by an adversary. Then, this algorithm can be used to PAC-learn $C_n$. This establishes the equivalence of the computational difficulty between PAC-learning $C_n$ with respect to $\\mathcal{D}_n$ and robustly learning $\\{(c', D')\\}_{D' \\in \\mathcal{D}'_{c'},\\, c' \\in C'_{(k,n)}}$.\n\nAs mentioned earlier, we can still efficiently PAC-learn the pairs $\\{(c', D')\\}_{D' \\in \\mathcal{D}'_{c'},\\, c' \\in C'}$ simply by always outputting a hypothesis that returns the last bit of the input.\n\nTheorem 11. For any concept class $C_n$, family of distributions $\\mathcal{D}_n$ over $\\{0, 1\\}^n$ and $k \\in \\mathbb{N}$, there exists a concept class $C'_{(k,n)}$ and a family of distributions $\\mathcal{D}'_k$ over $\\{0, 1\\}^{(2k+1)n+1}$ such that efficient $k$-robust learnability of the concept-distribution pairs $\\{(c', D')\\}_{D' \\in \\mathcal{D}'_{c'},\\, c' \\in C'_{(k,n)}}$ and either of the robust risk functions $R^C_k$ or $R^E_k$ implies efficient PAC-learnability of $C_n$ with respect to $\\mathcal{D}_n$.\n\nBefore proving the above result, let us first prove the following proposition.\n\nProposition 12. The concept-distribution pairs $\\{(c', D')\\}_{D' \\in \\mathcal{D}'_{c'},\\, c' \\in C'_{(k,n)}}$ can be $k$-robustly learned using $O\\left(\\frac{1}{\\epsilon}\\left(\\log |C_n| + \\log \\frac{1}{\\delta}\\right)\\right)$ examples.\n\nProof. First note that, since $C_n$ is finite, we can use PAC-learning sample bounds for the realizable setting (see for example [23]) to get that the sample complexity of learning $C_n$ is $O\\left(\\frac{1}{\\epsilon}\\left(\\log |C_n| + \\log \\frac{1}{\\delta}\\right)\\right)$. Now, if we have PAC-learned $C_n$ with respect to $\\mathcal{D}_n$, and $h$ is the hypothesis returned on a sample labeled according to a target concept $c \\in C_n$, we can compose it with the function $\\mathrm{maj}_k$ to get a hypothesis $h'$ for which any perturbation of at most $k$ bits of $x' \\sim D'$ (where $D'$ is the distribution induced by the target concept $c$ and distribution $D$) will not change $h'(x')$. Thus, we also have $k$-robustly learned $C'_{(k,n)}$.\n\nRemark 13. The sample complexity in Proposition 12 is independent of $k$, and so the construction of the class $C'$ on $X'$ allows the adversary to modify a $\\frac{1}{2n}$ fraction of the bits. There are ways to make the adversary more powerful and keep the sample complexity unchanged. Indeed, the fraction of the bits the adversary can flip can be increased by using error correction codes. For example, BCH codes [5, 17] would allow us to obtain an input space $X'$ of dimension $n + k \\log n$ where the adversary can flip a $\\frac{k}{n + k \\log n}$ fraction of the bits.\n\nWe are now ready to prove the main result of this section.\n\nProof of Theorem 11. Given $C_n$ and $\\mathcal{D}$, let $C'_{(k,n)}$ and $\\{\\mathcal{D}'_{c'}\\}_{c' \\in C'_{(k,n)}}$ be constructed as above. Suppose that it is hard to PAC-learn $C_n$ with respect to the distribution family $\\mathcal{D}_n$. Suppose that we are given an algorithm $A'$ to $k$-robustly learn $\\{(c', D')\\}_{D' \\in \\mathcal{D}'_{c'},\\, c' \\in C'_{(k,n)}}$ and a sample complexity $m$. Let $\\epsilon, \\delta > 0$ be arbitrary and $c \\in C_n$ be an arbitrary target concept and let $c' \\in C'_{(k,n)}$ be such that $c' = c \\circ \\mathrm{maj}_{2k+1}$. Let $D \\in \\mathcal{D}_n$ be a distribution on $X_n$, and let $D' \\in \\mathcal{D}'_{c'}$ be its induced distribution on $X'_{k,n}$. A PAC-learning algorithm for $C_n$ is as follows. Draw a sample $S \\sim D^m$ and let $S' = \\varphi_k(S)$. Note that this simulates a sample $S' \\sim D'^m$, and that $c'$ will give the same label to all points in the $\\rho$-ball centred at $x'$ for any $x'$ in the support of $D'$. Since $A'$ $k$-robustly learns the concept-distribution pairs $\\{(c', D')\\}_{D' \\in \\mathcal{D}'_{c'},\\, c' \\in C'_{(k,n)}}$, with probability at least $1 - \\delta$ over $S'$, for any $x \\sim D$, we have that $h'$ will be wrong on $\\varphi_k(x)$ (where the last bit is random) with probability at most $\\epsilon$. 
So by outputting $h = h' \\circ \\varphi_k$, we have an algorithm to PAC-learn $\\mathcal{C}_n$ with respect to the distribution family $\\mathcal{D}_n$.\n\n6 Conclusion\n\nWe have studied robust learnability from a computational learning theory perspective and have shown that efficient robust learning can be hard \u2013 even in very natural and apparently straightforward settings. We have moreover given a tight characterization of the strength of an adversary to prevent robust learning of monotone conjunctions under certain distributional assumptions. An interesting avenue for future work is to see whether this result can be generalised to other classes of functions. Finally, we have provided a simpler proof of the previously established result of the computational hardness of robust learning.\n\nIn the light of our results, it seems to us that more thought needs to be put into what we want out of robust learning in terms of computational efficiency and sample complexity, which will inform our choice of risk functions. Indeed, at first glance, robust learning definitions that have appeared in prior work seem in many ways natural and reasonable; however, their inadequacies surface when viewed under the lens of computational learning theory. Given our negative results in the context of the current robustness models, one may surmise that requiring a classifier to be correct in an entire ball near a point is asking for too much. Under such a requirement, we can only solve \u201ceasy problems\u201d with strong distributional assumptions. Nevertheless, it may still be of interest to study these notions of robust learning in different learning models, for example where one has access to membership queries.\n\nAcknowledgments\n\nVarun Kanade was supported in part by the Alan Turing Institute under the EPSRC grant EP/N510129/1.\n\nReferences\n\n[1] Benny Applebaum, Boaz Barak, and David Xiao. 
On basing lower-bounds for learning on worst-case assumptions. In Proceedings of the 49th Annual IEEE Symposium on Foundations of Computer Science, 2008.\n\n[2] Pranjal Awasthi, Vitaly Feldman, and Varun Kanade. Learning using local membership queries. In COLT, volume 30, pages 1\u201334, 2013.\n\n[3] Battista Biggio and Fabio Roli. Wild patterns: Ten years after the rise of adversarial machine learning. arXiv preprint arXiv:1712.03141, 2017.\n\n[4] Battista Biggio, Igino Corona, Davide Maiorca, Blaine Nelson, Nedim \u0160rndi\u0107, Pavel Laskov, Giorgio Giacinto, and Fabio Roli. Evasion attacks against machine learning at test time. In Joint European Conference on Machine Learning and Knowledge Discovery in Databases, pages 387\u2013402. Springer, 2013.\n\n[5] Raj Chandra Bose and Dwijendra K Ray-Chaudhuri. On a class of error correcting binary group codes. Information and Control, 3(1):68\u201379, 1960.\n\n[6] S\u00e9bastien Bubeck, Yin Tat Lee, Eric Price, and Ilya Razenshteyn. Adversarial examples from cryptographic pseudo-random generators. arXiv preprint arXiv:1811.06418, 2018.\n\n[7] S\u00e9bastien Bubeck, Eric Price, and Ilya Razenshteyn. Adversarial examples from computational constraints. arXiv preprint arXiv:1805.10204, 2018.\n\n[8] Nilesh Dalvi, Pedro Domingos, Sumit Sanghai, Deepak Verma, et al. Adversarial classification. In Proceedings of the Tenth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pages 99\u2013108. ACM, 2004.\n\n[9] Akshay Degwekar and Vinod Vaikuntanathan. Computational limitations in robust classification and win-win results. arXiv preprint arXiv:1902.01086, 2019.\n\n[10] Dimitrios Diochnos, Saeed Mahloujifar, and Mohammad Mahmoody. Adversarial risk and robustness: General definitions and implications for the uniform distribution. 
In Advances in Neural Information Processing Systems, 2018.\n\n[11] Tommaso Dreossi, Shromona Ghosh, Alberto Sangiovanni-Vincentelli, and Sanjit A Seshia. A formalization of robustness for deep neural networks. arXiv preprint arXiv:1903.10033, 2019.\n\n[12] Alhussein Fawzi, Seyed-Mohsen Moosavi-Dezfooli, and Pascal Frossard. Robustness of classifiers: from adversarial to random noise. In Advances in Neural Information Processing Systems, pages 1632\u20131640, 2016.\n\n[13] Alhussein Fawzi, Hamza Fawzi, and Omar Fawzi. Adversarial vulnerability for any classifier. arXiv preprint arXiv:1802.08686, 2018.\n\n[14] Alhussein Fawzi, Omar Fawzi, and Pascal Frossard. Analysis of classifiers\u2019 robustness to adversarial perturbations. Machine Learning, 107(3):481\u2013508, 2018.\n\n[15] Dan Feldman and Leonard J Schulman. Data reduction for weighted and outlier-resistant clustering. In Proceedings of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms, pages 1343\u20131354. Society for Industrial and Applied Mathematics, 2012.\n\n[16] Justin Gilmer, Luke Metz, Fartash Faghri, Samuel S Schoenholz, Maithra Raghu, Martin Wattenberg, and Ian Goodfellow. Adversarial spheres. arXiv preprint arXiv:1801.02774, 2018.\n\n[17] Alexis Hocquenghem. Codes correcteurs d\u2019erreurs. Chiffres, 2(2):147\u201356, 1959.\n\n[18] Vladlen Koltun and Christos H Papadimitriou. Approximately dominating representatives. Theoretical Computer Science, 371(3):148\u2013154, 2007.\n\n[19] Daniel Lowd and Christopher Meek. Adversarial learning. In Proceedings of the Eleventh ACM SIGKDD International Conference on Knowledge Discovery in Data Mining, pages 641\u2013647. ACM, 2005.\n\n[20] Daniel Lowd and Christopher Meek. Good word attacks on statistical spam filters. In CEAS, volume 2005, 2005.\n\n[21] Saeed Mahloujifar and Mohammad Mahmoody. Can adversarially robust learning leverage computational hardness? 
arXiv preprint arXiv:1810.01407, 2018.\n\n[22] Saeed Mahloujifar, Dimitrios I Diochnos, and Mohammad Mahmoody. The curse of concentration in robust learning: Evasion and poisoning attacks from concentration of measure. In AAAI Conference on Artificial Intelligence, 2019.\n\n[23] Mehryar Mohri, Afshin Rostamizadeh, and Ameet Talwalkar. Foundations of Machine Learning. MIT Press, 2012.\n\n[24] Ali Shafahi, W Ronny Huang, Christoph Studer, Soheil Feizi, and Tom Goldstein. Are adversarial examples inevitable? arXiv preprint arXiv:1809.02104, 2018.\n\n[25] Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. In International Conference on Learning Representations, 2013.\n\n[26] Dimitris Tsipras, Shibani Santurkar, Logan Engstrom, Alexander Turner, and Aleksander Madry. Robustness may be at odds with accuracy. In International Conference on Learning Representations, 2019.\n\n[27] Leslie G Valiant. A theory of the learnable. In Proceedings of the Sixteenth Annual ACM Symposium on Theory of Computing, pages 436\u2013445. ACM, 1984.\n", "award": [], "sourceid": 4058, "authors": [{"given_name": "Pascale", "family_name": "Gourdeau", "institution": "University of Oxford"}, {"given_name": "Varun", "family_name": "Kanade", "institution": "University of Oxford"}, {"given_name": "Marta", "family_name": "Kwiatkowska", "institution": "University of Oxford"}, {"given_name": "James", "family_name": "Worrell", "institution": "University of Oxford"}]}