1.1  Related Work

Some studies proposed certified defenses for classification, which guarantee certified robustness deterministically. This type of certified defense includes a verification algorithm that computes the upper and lower bounds of logits in a deterministic manner. [19], [23] utilize the Lipschitz constant of neural networks to calculate the bounds. [16]-[18] calculate the bounds by linear relaxations of ReLU activations. [20], [21] propose a straightforward but effective method called interval bound propagation (IBP) that propagates the upper and lower bounds for each layer. These deterministic certified defenses can guarantee certified robustness for low-resolution images such as CIFAR10 (\(32\times32\)) with small false negatives. However, they are known to be difficult to scale to high-resolution images such as ImageNet (\(224\times224\)) [14] because the evaluation of the upper and lower bounds is too loose.

Another line of certified defense for classification is probabilistic. This type of certified defense is also called randomized smoothing (RS). RS achieves the verification for certified robustness by estimating the upper and lower bounds of the classifier’s prediction in a probabilistic manner. Concretely, RS smooths the classifier with Gaussian [22], [24] or Laplace [25] distribution and theoretically derives the upper and lower bounds on the prediction of the smoothed model. Then, the bounds are probabilistically estimated by Monte Carlo algorithm. As a result, different from the deterministic verification algorithms, the result of RS contains not only false negatives but also false positives with small probability. However, RS can scale to high-resolution images; RS can provide the meaningful evaluation of the upper and lower bounds for high-resolution images.

Although certified defense for classification has been investigated extensively, less attention has been paid to certified defense for CBIR. Moreover, the existing certified defenses for classification cannot be directly applied to CBIR because the goals of the adversarial attack against classification and CBIR are completely different. Specifically, the adversarial attacks against classification aim to change the predicted class label of the classifier, whereas the adversarial attacks against CBIR aim to change the ranking results of CBIR calculated by feature extraction DNNs. Thus, new definitions of certified robustness tailored to CBIR and certified defense to guarantee it should be considered. Only [26] have proposed a certified defense for CBIR, named RetrievalGuard, which guarantees that no AX changes the top-1 ranking results of CBIR. However, since RetrievalGuard does not guarantee the invariance of any ranking result other than top-1, its use is limited.

1.2  Our Contributions

In this paper, we develop two types of certified defenses for CBIR that guarantee robustness deterministically or probabilistically. Our contribution is four-fold. First, we define the new certified robustness of CBIR, named \((l_p, \alpha, \epsilon)\)-robustness. \((l_p, \alpha, \epsilon)\)-robustness means that no AX exists within \(l_{p}\)-balls with radius \(\epsilon \in \mathbb{R}\) centered on the query or candidate images that changes the ranking result of a specific candidate image more than \(\alpha \in \mathbb{N}\). Different from the existing certified robustness of CBIR that guarantees the invariance of top-1 ranking results [26], \((l_p,\alpha, \epsilon)\)-robustness can guarantee the invariance of any ranking results.

Second, we introduce a tractable sufficient condition for \((l_p, \alpha, \epsilon)\)-robustness. To verify whether a given feature extraction DNN satisfies \((l_p,\alpha, \epsilon)\)-robustness at given a query and candidate images, we need to evaluate the exact maximum and minimum distances in the feature space between AXs in the \(l_p\)-balls and the benign images. That makes the verification computationally intractable. To alleviate this, we derive the sufficient condition for \((l_p,\alpha, \epsilon)\)-robustness using the upper and lower bounds of the distances. Then, we achieve certified defenses that guarantee \((l_\infty,\alpha, \epsilon)\)-robustness and \((l_2,\alpha, \epsilon)\)-robustness by evaluating the upper and lower bounds of the distances with our proposed deterministic and probabilistic tractable methods, respectively.

Third, we present a certified defense for CBIR, which guarantees \((l_\infty,\alpha, \epsilon)\)-robustness in a deterministic manner. To this end, we first propose a tractable verification algorithm, which evaluates the derived sufficient condition by applying interval bound propagation (IBP) [21] to feature extraction DNNs. Concretely, we evaluate the upper and lower bounds of the distances by propagating bounds from the input space to the feature space. Since the computational complexity of IBP is equivalent to two forward propagations of DNNs, we can evaluate the derived sufficient conditions in polynomial time. Moreover, we also propose robustness training methods of feature extraction DNNs that attain tighter evaluation of the upper and lower bounds of the distances. When the bounds are loose, our verification algorithms can judge truly robust inputs as non-robust. To decrease such misjudging, we introduce new objective functions to train feature extraction DNNs that encourage tighter bounds of distances evaluated by IBP. We experimentally confirmed that the robustness training method can increase the number of samples verified by our proposed deterministic verification algorithm for MNIST [27], Fashion-MNIST [28], and CIFAR10 [29].

Fourth, we present a certified defense for CBIR, which guarantees \((l_2,\alpha, \epsilon)\)-robustness probabilistically. We experimentally confirmed that our proposed deterministic certified defense does not scale to high-resolution images such as CUB (\(224\times224\)) [30]. To overcome this limitation, inspired by the success of randomized smoothing (RS) for classification setting, we propose a verification algorithm to evaluate the derived sufficient condition using the upper and lower bounds of Gaussian smoothed distances, of which input is smoothed with Gaussian distributions. Specifically, we theoretically derive the upper and lower bounds on the Gaussian smoothed distance and probabilistically estimate them by our proposed Monte Carlo algorithms. Moreover, we propose to use Gaussian data augmentation [22], [26] to training data of feature extraction DNNs for obtaining tighter bounds of the Gaussian smoothed distances. We theoretically and experimentally show that our probabilistic certified defense, different from the deterministic one, includes false positives as well as false negatives but can scale to higher-resolution images.

Note that this is an extension of our conference paper [31]. The main content extended from the conference paper is the proposal and experimental evaluations of the probabilistic certified defense.

The paper is organized as follows. Section 2 describes the background of this study and defines the new certified robustness of CBIR, \((l_p, \alpha, \epsilon)\)-robustness. Section 3 derives the sufficient conditions of \((l_p, \alpha, \epsilon)\)-robustness using the upper and lower bounds of the distances. Section 4 proposes deterministic certified defense: deterministic verification algorithms and their robustness training. Section 5 proposes probabilistic certified defense: probabilistic verification algorithms and their robustness training. In Sect. 6, we evaluate our proposed deterministic and probabilistic certified defenses. Section 7 provides potential directions for future research focusing on enhancing the certified defense for CBIR. Section 8 concludes the paper.

2.1  Content-Based Image Retrieval (CBIR)

CBIR is a task to find images similar to a query image in a set of candidate images. Let \(X\) be the instance space. Let \(q \in X\) be a query image and \(C=\{c_i | c_i \in X \}^{|C|}_{i=1}\) be a set of candidate images. Let \(f: X \rightarrow \mathbb{R}^{d}\) be a feature extractor where \(d\) is the feature dimension. Then, CBIR ranks \(\forall c \in C\) with distance \(d(f(q),f(c))\) and retrieves the top-\(k\) similar images to \(q\) in \(C\). In this paper, \(\mathrm{Rank}(q, c, C)\) represents the rank of \(c \in C\) in terms of the similarity to \(q\). We omit \(f\) from the augments of \(\mathrm{Rank}(q, c, C)\) for notational simplicity when it is obvious from the context.

2.2  Adversarial Attacks against CBIR

In recent years, many studies have focused on adversarial attacks on CBIR [2]-[10]. These attacks can be categorized into two types of attacks, query attack (QA) and candidate attack (CA), depending on whether the AX is given as a query image or a candidate image.

Query Attack (QA). Let \(C_t \subset C\) be the target candidates in \(C\) specified by the adversary. The adversary aiming at QA perturbs a source query image \(q_s\) to raise or lower the rank of the candidates in \(C_t\). When the attacker’s goal is to raise the rank of the candidates in \(C_t\), adversarial perturbation \(\delta\) for QA is obtained by solving the following optimization problem:

where \(\|\cdot \|_{p}\) is \(l_p\) norm and \(\epsilon \in \mathbb{R}_{\geq 0}\) is a constant that bounds the size of the perturbation. Equation (1) cannot be solved directly due to the discrete nature of \(\mathrm{Rank}(\cdot)\). Instead, [2], [3] minimizes the following objective function:

Minimization in Eq. (1) is changed to maximization when the attacker’s goal is to lower the rank of the candidates in \(C_t\).

Candidate Attack (CA). Let \(Q_t=\{q_i \in X\}_{i=1}^{M}\) be a set of target query images specified by the adversary. The adversary aiming at CA perturbs a source candidate image \(c_s \in C\) so that the rank of perturbed \(c_s\) is raised or lowered when \(\forall q \in Q_t\) is issued as a query. When the attacker’s goal is to raise the rank of the perturbed \(c_s\), adversarial perturbation for CA is obtained by the following minimization problem with respect to \(\delta\):

where \(\|\cdot\|_{p}\) is \(l_p\) norm and \(\epsilon \in \mathbb{R}_{\geq 0}\) is a constant that bounds the size of the perturbation. Since optimization in Eq. (3) is intractable, [2], [3] optimizes the following objective function instead:

As well as QA, minimization in Eq. (3) is changed to maximization when the attacker’s goal is to lower the rank of the perturbed \(c\).

2.3  Certified Robustness

Here, we briefly review the existing definition of the certified robustness and verification algorithms for classification. Then, we define two new certified robustness of CBIR.

4.1  Deterministic Verification Algorithms

In this subsection, we propose verification algorithms, which verify whether given inputs satisfy \((l_\infty, \epsilon, \alpha)\)-robustness against QA and CA in a tractable deterministic manner. Our deterministic verification algorithms evaluate the derived sufficient conditions Eqs. (13) and (14). Since they are sufficient conditions, they do not necessarily hold for inputs truly satisfying \((l_p, \epsilon, \alpha)\)-robustness against QA and CA. Whether they can hold depends on the tightness of \(\overline{d}_{x_2}(x_1)\) and \(\underline{d}_{x_2}(x_1)\). For this reason, we need to obtain meaningfully tight evaluation of \(\overline{d}_{x_2}(x_1)\) and \(\underline{d}_{x_2}(x_1)\). To obtain a meaningfully tight evaluation of \(\overline{d}_{x_2}(x_1)\) and \(\underline{d}_{x_2}(x_1)\), we utilize interval bound propagation (IBP) [21], [34]. IBP is an tractable algorithm for calculating the upper and lower bounds of logits when an \(l_\infty\)-ball is given as input. IBP is used for deterministic verification for classification and is known to give a meaningfully tight bound for this purpose.

Original interval bound propagation (IBP). Given, \(x \in X\), \(\epsilon \in \mathbb{R}_{\geq 0}\), and \(L\)-layer classifier \(f_c\), original IBP evaluates the upper and lower bounds of \(f_c(x+\delta)\) for \(\forall \delta \in \{\delta \ | \ \delta \in X, \|\delta \|_{\infty} \leq \epsilon \}\). Let \(z^l = W^l h^{l-1} + b^l\) be the \(l\)-th affine layer (e.g. fully connected layer and convolution layer) and \(h^{l-1}=\sigma(z^{l-1})\) be a monotonic activation function (e.g. ReLU) where \(l \in \{1, \ldots, L\}\) and \(h^{0} = x\). Then, IBP provides upper and lower bounds on the outputs of \(l\)-th affine layers as follows:

where \(|\cdot|\) represents the element-wise absolute value operator, \(\overline{h}^{l-1} = \sigma(\overline{z}^{l-1})\), \(\underline{h}^{l-1} = \sigma(\underline{z}^{l-1})\), \(\overline{h}^0=x + \epsilon \mathbf{1}\), and \(\underline{h}^0=x - \epsilon \mathbf{1}\).

4.2  Robust Training Methods

In this subsection, we propose robustness training methods that increase the number of samples verified by our deterministic verification algorithms, Eq. (19). We experimentally confirm that Eqs. (13) and (14) are always not satisfied for all \(q\), \(c_i\), and \(C\) used in our experiments when using \(f\) trained by conventional metric learning (See Sect. 6 for details). This is because the upper and lower bounds calculated by Eqs. (17) and (18) can be too loose to satisfy the sufficient conditions Eqs. (13) and (14). To increase the number of inputs that satisfy Eqs. (13) and (14), we need to train \(f\) so that attains tighter evaluation of \(\overline{d}_{x_2}(x_1)\) and \(\underline{d}_{x_2}(x_1)\).

To this end, we propose two new objective functions to train feature extractor for CBIR. One is training of general feature extractor that attains tighter bounds in Eqs. (17) and (18) without knowledge of query and candidate images. The other is fine tuning of feature extractor given that candidate images for the target CBIR are provided. We remark that both algorithms are independent, and the latter algorithm can be applied to the feature extractor trained with the former algorithm.

5.1  Probabilistic Verification Algorithms

In this subsection, we propose algorithms to verify whether given inputs satisfy \((l_2, \epsilon, \alpha)\)-robustness against QA and CA in a probabilistic manner. We experimentally confirm that our deterministic verification algorithms, Eq. (19), can not verify high-resolution images even if we learn \(f\) with our robust training method, Eq. (20) (See Sect. 6 for details). To overcome the limitation, we utilize randomized smoothing (RS) [22], [24] to evaluate \(\overline{d}_{x_2}(x_1)\) and \(\underline{d}_{x_2}(x_1)\). RS is a tractable algorithm to estimate the upper and lower bounds of the class probability of the classifier against AXs in an \(l_2\)-ball. RS is used for probabilistic verification algorithms for classification and is known to scale to high-resolution images [14].

Original randomized smoothing (RS). Let \(F_c: X \rightarrow [C]\) be a classifier. Let \(N(0, \sigma^2 I)\) be a Gaussian distribution with mean 0 and standard deviation \(\sigma\). Gaussian smoothed classifier \(G_{F_c}(x): X \rightarrow [C]\) is defined as follows:

Then, randomized smoothing estimates the upper and lower bounds of the class probability of Gaussian smoothed classifier \(\Pr[G_{F_c}(x+\delta)=i]\) for \(\forall \delta \in \{\delta \ | \ \delta \in X, \|\delta \|_{2} \leq \epsilon \}\) with a certain probabilistic guarantee. Precisely, randomized smoothing uses Monte Carlo algorithm to estimate the upper and lower bounds \(\Phi(\Phi^{-1}(\Pr[G_{F_c}(x)=i])-\epsilon/\delta) \leq \Pr[G_{F_c}(x+\delta)=i]\leq \Phi(\Phi^{-1}(\Pr[G_{F_c}(x)=i])+\epsilon/\delta)\) theoretically derived by the Lipschitz continuity of Gaussian smoothed functions:

Theorem 5 (Lipschitz continuity of Gaussian Smoothed Functions [24], [36]). For any function \(h: X \rightarrow [0,1]\), \(\Phi^{-1}(\mathbb{E}_{\xi \sim N(0, \sigma^2 I)}[h(x+\xi)])\) is \(\frac{1}{\sigma}\)-Lipschitz in terms of \(l_2\) distance, where \(\Phi^{-1}\) is the inverse of standard Gaussian CDF.

5.2  Robustness Training Methods

In this subsection, we discuss the robust training method for the feature extractor \(f\), which increases the number of inputs verified by our probabilistic verification algorithm Eq. (36). Recall that tighter evaluation of the upper bound in Eq. (28) and the lower bound in Eq. (29) is needed to attain certified robustness in a meaningful way. From Eqs. (28) and (29), we can obtain a tighter evaluation of the upper and lower bounds when using a larger standard deviation \(\sigma\). However, when \(\sigma\) is large, obtaining meaningful CBIR ranking results is difficult because the estimated smoothed distances \(\hat{sd}_{c}(q)\) or \(\hat{sd}_{q}(c)\) become indistinguishable for \(\forall c \in C\). This is because the distribution difference between the training images of \(f\) and the input images with Gaussian noises becomes larger. To mitigate the distribution shift, we can utilize Gaussian data augmentation [22], [26], which adds sampled Gaussian noise \(\xi \sim N(0,\sigma^2 I)\) to the training data of feature extractor \(f\). In Sect. 6, we show that training \(f\) with Gaussian data augmentation increases the number of inputs verified by our probabilistic verification algorithms.

6.1  Experiments for Deterministic Certified Defenses

6.2  Results for Deterministic Certified Defenses

Tables 1 and 2 show the results for deterministic certified defense proposed in Sect. 4. We can see that our proposed robust training TBT has less Recall@K than Triplet, ACT, and C-IBP from Table 1. This is presumably due to the fact that the diversity of feature representation is reduced by making the upper and lower bound evaluated tighter. However, the gap in Recall@K between TBT and the existing methods becomes smaller as K increases. Thus, that is not a practical problem in situations where K is large.

Table 1  Comparison of Recall@K for deterministic certifed defense. Each value is rounded off to two decimal places.

Table 2  Comparison of empirical robust (ER) Recall@K and certified robust (CR) Recall@K for deterministic certified defense. QA and CA represent query and candidate attack, respectively. Each value is rounded off to two decimal places.

We can also confirm both ER-Recall@K and CR-Recall@K of Triplet are significantly lower than the other methods from Table 2. C-IBP and ACT achieve higher ER-Recall@K than Triplet, while their CR-Recall@K is zero or nearly zero, even with larger \(K\). This implies that C-IBP and ACT cannot help to provide certified robustness of CBIR. This is because ACT is training to improve empirical robustness, which is no enough to improve certified robustness. We also conjecture that C-IBP is not sufficient to tighten Eqs. (17) and (18) since it aims at tightening the upper and lower bounds of logits. In contrast, TBT achieves significantly higher CR-recall@K, particularly when \(K\) is large. This is because TBT can tighten Eqs. (17) and (18) successfully.

We can also confirm that fine-tuning pre-trained feature extractor with TBT to candidate images (FCTB) improve CR-Recall@K while maintaining Recall@K from Tables 1 and 2. This implies that FCTB can further reduce the gap between Definition 3 and the corresponding sufficient condition.

Limitations of deterministic certified defense. A drawback of our deterministic verification algorithms are that it does not scale to high-resolution images, which require advanced architecture. We train feature extractor with TBT using CUB and VGG architecture [41]. As a result, its training collapses, which means that the trained feature extractor returns the same value for all test inputs. This is because IBP provides very loose bounds for advanced deep architectures, resulting in extremely large regularization terms in Eq. (20).

6.3  Experiments for Probabilistic Certified Defenses

6.4  Implementations of Feature Extractors

Architectures. We use ResNet50 [44] as model architecture of \(f\). We use the parameters pre-trained on ImageNet [33] obtained from torchvision library in PyTorch [45] as initial parameters. We set the feature dimension is \(d=128\). We use the codes² provided by [46] for training \(f\).

Hyperparameters. We use Triplet loss with margin \(m=0.2\) as the loss function. The total number of training epochs is 150. We use the Adam optimizer [40] with a batch size of \(112\), an initial learning rate of 0.00001, and a weight decay of 0.0004. We decay the learning rate by times 0.3 at 1000 iterations. When using Gaussian data augmentation, we sample noise from \(N(0, \sigma^2 I)\) where \(\sigma \in \{0.1,1.0\}\) at each parameter update and added to the training data. Then, We use the same \(\sigma\) during training and testing.

6.5  Results for Probabilistic Certified Defenses

Table 3 shows the results of the lower bounds of Recall@K and CR-Recall@K for probabilistic certified defense proposed in Sect. 5. All results in Table 3 use \(N=100000\). Triplet and GA-Triplet represent the results of models trained with Triplet Loss and Triplet Loss with Gaussian data augmentation, respectively. Note that the results for \(\sigma=0.0\) are a baseline that represents Recall@K when using general Euclidean distance for calculating ranking results. From Table 3, we can see that GA-Triplet has higher lower bounds of Recall@K and CR-Recall@K than Triplet. These are due to the fact that Gaussian data augmentation successfully mitigates the distribution shift between the training and test data of feature extractor \(f\), allowing \(f\) to compute a meaningfully distinguishable estimated smoothed distance \(\hat{sd}_{c}(q)\) or \(\hat{sd}_{q}(c)\) for \(\forall c \in C\). GA-Triplet has less Recall@K than the baseline, but the gap gets smaller as K increases. Thus, that is not a practical problem when \(K\) is large.

Table 3  Comparison of the lower bounds of Recall@K and certified robust (CR) Recall@K for probabilistic certified defense. All results use \(N=100000\) and \(\beta=0.01\). Note that the results for \(\sigma=0.0\) are a baseline that represents Recall@K when using general Euclidean distance for calculating ranking results. QA and CA represent query and candidate attack, respectively.

The effect of standard deviation \(\sigma\). Table 4 shows the results of the lower bounds of Recall@K and CR-Recall@K for GA-Triplet with different standard deviation \(\sigma\). All results in Table 3 use \(N=100000\). We can see that \(\sigma\) controls the trade-off between Recall@K and CR-Recall@K. This is because as \(\sigma\) increases, the upper and lower bounds of the smooth distance in Eqs. (28) and (29) become smaller, but it becomes more difficult to compute a meaningfully distinguishable estimated smoothed distance \(\hat{sd}_{c}(q)\) or \(\hat{sd}_{q}(c)\) for \(\forall c \in C\).

Table 4  Comparison of the lower bounds of Recall@K and certified robust (CR) Recall@K for probabilistic certified defense with different standard deviation \(\sigma\). All results use \(N=100000\) and \(\beta=0.01\). QA and CA represent query and candidate attack, respectively.

The effect of sample sizes of Gaussian noises \(N\). Table 5 shows the results of the lower bounds of Recall@K and CR-Recall@K for GA-Triplet with different sample sizes of Gaussian noises \(N\). All results in Table 5 use \(\sigma=1.0\). We can see that Recall@K and CR-Recall@K improve as \(N\) increases. This is because the upper and lower bounds of Gaussian smoothed distances and ranking results can be tight as the sample size of Gaussian noises \(N\), as explained in Sect. 5. However, the computational complexity increases as \(N\) increases.

Table 5  Comparison of the lower bounds of Recall@K and certified robust (CR) Recall@K for probabilistic certified defense with different sample sizes of Gaussian noises \(N\). All results use \(\sigma=1.0\) and \(\beta=0.01\). QA and CA represent query and candidate attack, respectively.

Limitations of probabilistic certified defense. A drawback of our probabilistic verification algorithm is its high computational cost. As denoted in Sect. 5, in the probabilistic verification algorithms, the total number of forward propagation of DNN in evaluating Eqs. (34) and (35) is equivalent to \(N + |C|\) and \(1 + N|C|\), respectively. For example, we require a total of 101000 and 100000001 forwards to evaluate Eqs. (34) and (35) when \(N=100000\) and \(|C|=1000\).

A.1 Proof of Lemma 1

Proof. From definitions of Eqs. (7) and (8), for \(\forall \delta \in \{\delta \ | \ \delta \in X, \|\delta \|_{p} \leq \epsilon \}\), the following holds:

Equations (A\(\cdot\) 1) and (A\(\cdot\) 2) represent the lower bounds of the number of candidate images that are more dissimilar and similar to \(q+\delta\) than \(c_i\), respectively. Thus, we get the claim. \(\tag*{◻}\)

A.2 Proof of Lemma 2

Proof. From Eqs. (7) and (8), for \(\tilde{C}=\{c_i + \delta_i\}_{i=1}^{N}\) where \(\forall \delta_1, \ldots, \delta_N \in \{\delta \ | \ \delta \in X, \|\delta \|_{p} \leq \epsilon \}\), the following holds:

Equations (A\(\cdot\) 3) and (A\(\cdot\) 4) represent the lower bounds of the number of perturbed candidate images in \(\tilde{C}\) that are more dissimilar and similar to \(q\) than \(c_i+\delta_i\), respectively. Thus, we get the claim. \(\tag*{◻}\)

A.3 Proof of Theorem 1

Proof. When Eq. (13) is satisfied, from Theorem 1,

holds for \(\forall \delta \in \{\delta \ | \ \delta \in X, \|\delta \|_{p} \leq \epsilon \}\), which is equivalent to Eq. (5). \(\tag*{◻}\)

A.4 Proof of Theorem 2

Proof. When Eq. (14) is satisfied, from Theorem 2,

holds for \(\tilde{C}=\{\mathrm{IR}_f(q, C)_i + \delta_i\}_{i=1}^{N}\) where \(\forall \delta_1, \ldots, \delta_N \in \{\delta \ | \ \delta \in X, \|\delta \|_{p} \leq \epsilon \}\), which is equivalent to Eq. (6). \(\tag*{◻}\)

A.5 Proof of Theorem 3

Proof. Since \(\underline{f}(x_1)_{i} \leq f(x_1+\delta)_i \leq \overline{f}(x_1)_{i}\) holds for \(\forall \delta \in \{\delta \ | \ \delta \in X, \|\delta \|_{\infty} \leq \epsilon \}\) from the definitions of \(\underline{f}(x)_{i}\) and \(\overline{f}(x)_{i}\), \(\max_{\delta \in X, \|\delta \|_{\infty} \leq \epsilon}(f(x_1+\delta)_i - f(x_2)_i)^2 \leq \max\bigl \{ |\overline{f}(x_1)_{i}-f(x_2)_{i}|, |f(x_2)_{i}-\underline{f}(x_1)_{i}| \bigr \}^2\) holds. Then, we obtain

\(\tag*{◻}\)

A.6 Proof of Theorem 4

Proof. Since \(\underline{f}(x_1)_{i} \leq f(x_1+\delta)_i \leq \overline{f}(x_1)_{i}\) holds for \(\forall \delta \in \{\delta \ | \ \delta \in X, \|\delta \|_{\infty} \leq \epsilon \}\) from the definitions of \(\underline{f}(x)_{i}\) and \(\overline{f}(x)_{i}\), \(\min_{\delta \in X, \|\delta \|_{\infty} \leq \epsilon}(f(x_1+\delta)_i - f(x_2)_i)^2 \geq \min\bigl \{ 0, \overline{f}(x_1)_{i}-f(x_2)_{i}, f(x_2)_{i}-\underline{f}(x_1)_{i} \bigr \}^2\) holds. Then, we obtain

\(\tag*{◻}\)

A.7 Proof of Lemma 3

Proof. Since \(0 \leq sd_{x_2}(x_1) \leq 1\) for \(\forall x_1, x_2 \in X\) from definition of smoothed distance Eq. (23), the following holds for any \(t>0\) by Hoeffding’s Inequality:

Then, for \(q \in X\) and \(C=\{c_i | c_i \in X\}^{M}_{i=1}\), we have:

Since \(\mathbb{P}\bigl[\cup_{c \in C} (|sd_{c}(q) - \hat{sd}_{c}(q)| \geq t) \bigr] + \mathbb{P}\bigl[\cap_{c \in C} (|sd_{c}(q) - \hat{sd}_{c}(q)| < t) \bigr] = 1\), we have

Equation (A\(\cdot\) 9) represents that \(\hat{sd}_{c}(q) - t < sd_{c}(q) < \hat{sd}_{c}(q) + t\) holds simultaneously for \(\forall c \in C\) with probability at least \(1- 2|C| \exp (-2N t^2)\). Note that Eq. (A\(\cdot\) 9) satisfies if we replace \(sd_c(q)\) and \(\hat{sd}_{c}(q)\) with \(sd_q(c)\) and \(\hat{sd}_{q}(c)\), respectively. If we set \(2|C| \exp (-2N t^2) = \beta\), we obtain \(t=\sqrt{\frac{1}{2N} \log\left(\frac{2|C|}{\beta}\right)}\). Thus, we get the claim. \(\tag*{◻}\)

A.8 Proof of Corollary 1

Proof. Since both \(\Phi\) and \(\Phi^{-1}\) are monotonic increasing functions, the followings with probability at least \(1-\beta\) hold by combining Lemma 3, Eqs. (24), and (25):

Thus, we get the claim. \(\tag*{◻}\)

A.9 Proof of Theorem 6 and Theorem 7

Proof. Using Lemma 3, the following holds with probability at least \(1-\beta\):

wherer \(t = \sqrt{\frac{1}{2N} \log \frac{2 |C|}{\beta}}\). Note that both Eqs. (A\(\cdot\) 12) and (A\(\cdot\) 13) satisfy if we replace \(sd_c(q)\) and \(\hat{sd}_{c}(q)\) by \(sd_q(c)\) and \(\hat{sd}_{q}(c)\), respectively. Equations (A\(\cdot\) 12) and (A\(\cdot\) 13) represent the lower bounds of the number of candidate images that are more dissimilar and similar to \(q\) than \(c_i\), respectively. Thus, we get the claim. \(\tag*{◻}\)

A.10 Proof of Theorem 8

Proof. From Theorem 6, the following holds with probability at least \(1-\beta\):

where \(\overline{\mathrm{Rank}}(q, c, C)=|C|- \sum_{c \in C} \text{𝟙} (\hat{sd}_{c_i}(q) + t < \hat{sd}_{c}(q) - t)\) and \(\underline{\mathrm{Rank}}(q, c, C)=\sum_{c \in C} \text{𝟙} (\hat{sd}_{c}(q) + t < \hat{sd}_{c_i}(q) - t) + 1\). Moreover, combining Theorem 1 and Corollary 1, the followings also hold with probability at least \(1-\beta\):

where \(\overline{sd}_{x_2}(x_1) = \Phi(\Phi^{-1}(\hat{sd}_{x_2}(x_1)+\sqrt{(1/2N) \log (2|C|/\beta)})+\frac{\epsilon}{\sigma})\) and \(\underline{sd}_{x_2}(x_1) \,{=}\, \Phi(\Phi^{-1}(\hat{sd}_{x_2}(x_1)-\sqrt{(1/2N) \log (2 |C|/\beta)})-\frac{\epsilon}{\sigma})\). Thus, when Eq. (34) holds, the followings hold with probability at least \(1-\beta\) by combining Eqs. (A\(\cdot\) 14) and (A\(\cdot\) 15):

Thus, we get the claim. \(\tag*{◻}\)

A.11 Proof of Theorem 9

Proof. From Theorem 7, the following holds probability at least \(1-\beta\):

where \(\overline{\mathrm{Rank}}(q, c_i, C)=|C|- \sum_{c \in C} \text{𝟙} (\hat{sd}_{q}(c_i) + t < \hat{sd}_{q}(c) - t)\), and \(\underline{\mathrm{Rank}}(q, c_i, C)=\sum_{c \in C} \text{𝟙} (\hat{sd}_{q}(c) + t < \hat{sd}_{q}(c_i) - t) + 1\). Combining Theorem 2 and Corollary 1, the followings holds with probability at least \(1-\beta\):

where \(\overline{sd}_{x_2}(x_1)=\Phi(\Phi^{-1}(\hat{sd}_{x_2}(x_1)+\sqrt{(1/2N) \log (2|C|/\beta}))+\frac{\epsilon}{\sigma})\), \(\underline{sd}_{x_2}(x_1)=\Phi(\Phi^{-1}(\hat{sd}_{x_2}(x_1)-\sqrt{(1/2N) \log (2 |C|/\beta)})-\frac{\epsilon}{\sigma})\). Thus, when Eq. (34) holds, the followings hold with probability at least \(1-\beta\) by combining Eqs. (A\(\cdot\) 16) and (A\(\cdot\) 17):

Thus, we get the claim. \(\tag*{◻}\)

B.1 Hyperparameters of ACT and C-IBP

When training with ACT, we set the fixed maximum perturbation size of the adversarial examples as \(\epsilon=0.2\) for MNIST and FMNIST and \(\epsilon= \frac{2}{255}\) for CIFAR10. Then we generate them by using PGD [12] with the step size of \(\frac{\epsilon}{10}\) and the number of updates of \(20\).

When training with C-IBP, we use the scheduling strategy for \(\epsilon\) and \(\kappa\) proposed in [20] as well as training of TBT. Specifically, \(\epsilon\) is gradually increased from \(0.0\) to \(\epsilon_{e}\), and the \(\kappa\) is gradually decreased from \(1.0\) to \(\kappa_{e}\). We use \(\epsilon_{e}=0.2\) for MNIST and FMNIST, and \(\epsilon_{e}=\frac{2}{255}\) for CIFAR10, respectively. We use \(\kappa_{e}=0.5\) for all datasets. Then, we linearly increase \(\epsilon\) and decrease \(\kappa\) between \(2K\) and \(10K\) steps.