Robust Conformal Prediction with a Single Binary Certificate

Soroush H. Zargarbashi, Aleksandar Bojchevski

TL;DR

This paper addresses the computational burden and inefficiency of existing robust conformal prediction methods under adversarial perturbations. It introduces BinCP, a binarized conformal prediction framework that uses a thresholded, smoothed score and a single binary certificate to guarantee coverage even within adversarial perturbation balls. The method provides closed-form or efficiently computable bounds for common smoothing schemes, supports finite-sample corrections via Clopper-Pearson intervals, and can employ de-randomized certificates to further reduce sampling needs. Empirically, BinCP delivers smaller robust prediction sets with dramatically fewer Monte-Carlo samples across CIFAR-10, ImageNet, and Cora-ML, while maintaining the formal guarantees. Overall, BinCP offers a practical, model-agnostic, black-box approach to robust uncertainty quantification with substantial efficiency gains and broad applicability.

Abstract

Conformal prediction (CP) converts any model's output to prediction sets with a guarantee to cover the true label with (adjustable) high probability. Robust CP extends this guarantee to worst-case (adversarial) inputs. Existing baselines achieve robustness by bounding randomly smoothed conformity scores. In practice, they need expensive Monte-Carlo (MC) sampling (e.g. $\sim10^4$ samples per point) to maintain an acceptable set size. We propose a robust conformal prediction that produces smaller sets even with significantly lower MC samples (e.g. 150 for CIFAR10). Our approach binarizes samples with an adjustable (or automatically adjusted) threshold selected to preserve the coverage guarantee. Remarkably, we prove that robustness can be achieved by computing only one binary certificate, unlike previous methods that certify each calibration (or test) point. Thus, our method is faster and returns smaller robust sets. We also eliminate a previous limitation that requires a bounded score function.
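The abstract describes binarizing smoothed scores with a threshold and certifying only once. As an added illustration (not the paper's code), the toy split-conformal pipeline below shows why that suffices: every point is accepted by the same rule "smoothed binarized score $\ge p$", so the standard Gaussian-smoothing bound $\Phi(\Phi^{-1}(p) - r/\sigma)$ (the Cohen-style closed form, assumed here for the $\ell_2$ case) gives one corrected threshold that is reused at every test point. The classifier, the data, and the omission of the Clopper-Pearson sample correction are my assumptions.

```python
import math
import random

def norm_cdf(z):  # standard normal CDF Phi
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def norm_ppf(q, lo=-12.0, hi=12.0):  # inverse CDF by bisection, clamped at q in {0, 1}
    if q <= 0.0 or q >= 1.0:
        return lo if q <= 0.0 else hi
    for _ in range(80):
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if norm_cdf(mid) < q else (lo, mid)
    return 0.5 * (lo + hi)

# Constructed toy classifier on R^2 with 3 classes; s(x, y) is the softmax probability of y.
CENTERS = [(2.0, 0.0), (-1.0, 1.7), (-1.0, -1.7)]

def score(x, y):
    logits = [2.0 * (x[0] * c[0] + x[1] * c[1]) for c in CENTERS]
    exps = [math.exp(l - max(logits)) for l in logits]
    return exps[y] / sum(exps)

def smoothed_prob(x, y, tau, sigma, n_mc, rng):
    """Binarized smoothed score: MC estimate of Pr[s(x + N(0, sigma^2 I), y) >= tau]."""
    return sum(score([xi + rng.gauss(0.0, sigma) for xi in x], y) >= tau
               for _ in range(n_mc)) / n_mc

def calibrate_p(p_hats, alpha):
    """Pick p so that at least a (1-alpha) fraction of calibration points has p_hat >= p."""
    k = int(math.floor(alpha * (len(p_hats) + 1)))  # finite-sample (n+1) correction
    return 0.0 if k < 1 else sorted(p_hats)[k - 1]

def certified_threshold(p, radius, sigma):
    """Single binary certificate (Gaussian smoothing, l2 ball): any input within `radius` of a point
    whose binarized score is >= p still has a smoothed value >= Phi(Phi^-1(p) - radius/sigma)."""
    return norm_cdf(norm_ppf(p) - radius / sigma)

def robust_set(x_tilde, p_r, tau, sigma, n_mc, rng):  # accept y if its smoothed score clears p_r
    return [y for y in range(len(CENTERS)) if smoothed_prob(x_tilde, y, tau, sigma, n_mc, rng) >= p_r]

def demo(n_cal=60, alpha=0.1, tau=0.5, sigma=0.5, radius=0.25, n_mc=100, seed=0):
    rng = random.Random(seed)  # constructed calibration data: class centre plus noise
    classes = [rng.randrange(len(CENTERS)) for _ in range(n_cal)]
    cal = [([CENTERS[c][0] + rng.gauss(0, 0.8), CENTERS[c][1] + rng.gauss(0, 0.8)], c) for c in classes]
    p_hats = [smoothed_prob(x, y, tau, sigma, n_mc, rng) for x, y in cal]
    p = calibrate_p(p_hats, alpha)
    coverage = sum(ph >= p for ph in p_hats) / n_cal
    p_r = certified_threshold(p, radius, sigma)  # computed once, reused for every test point
    return {"p": p, "p_robust": p_r, "cal_coverage": coverage,
            "example_set": robust_set(cal[0][0], p_r, tau, sigma, n_mc, rng)}
```

The loosened threshold `p_robust` is what makes the robust sets larger than the clean ones, and the gap shrinks as the ratio radius/sigma shrinks.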

Paper Structure

This paper contains 19 sections, 9 theorems, 34 equations, 14 figures, 2 tables, 2 algorithms.

Key Result

Theorem 1

Define $s_y(\cdot)=s(\cdot, y)$. With $\mathrm{c}^\uparrow[s_y, \tilde{{\bm{x}}}, {\mathcal{B}}^{-1}] \ge \max_{{\bm{x}}' \in {\mathcal{B}}^{-1}(\tilde{{\bm{x}}})}s({\bm{x}}', y)$, let $\bar{C}_\mathrm{test}(\tilde{{\bm{x}}}_{n+1}) = \left\{ y: \mathrm{c}^\uparrow[s_y, \tilde{{\bm{x}}}_{n+1}, {\math

Figures (14)

  • Figure 1: [Left] Average set size with different MC sample rates, [Middle] empirical coverage of vanilla and robust CPs under attack, and [Right] runtime of robust CP as a function of calibration datapoints (after computing the MC samples which is the number of lower bound computations).
  • Figure 2: [Left] Function $\mathrm{accept}({\bm{x}}_i, y_i; p, \tau)$ for different $(p, \tau)$ pairs for four random CIFAR-10 instances. Black equals $1$ and white equals $0$. [Right] Empirical coverage for different $(p, \tau)$ pairs. Any $(p, \tau)$ pair on the dashed black line (the 0.9 contour) gives conformal sets with 90% coverage.
  • Figure 3: [From left to right] Certified bounds for sparse smoothing, $\ell_1$ ball with de-randomized uniform smoothing [levine2021improved], and $\ell_2$ (same as $\ell_1$) ball with Gaussian smoothing.
  • Figure 4: [Left to right] Average prediction set size of robust CP for CIFAR-10, and ImageNet with Gaussian smoothing ($\sigma=0.5$), and CoraML with sparse smoothing. All results are for 2000 Monte-Carlo samples. We set $1 - \alpha = 0.85$ for ImageNet, and $1 - \alpha = 0.9$ for CIFAR-10 and CoraML.
  • Figure 5: On the ImageNet dataset, [left] average set size for $1 - \alpha=0.85$ with various MC sampling budgets. [Middle] Set size across various levels of $1 - \alpha$ for $2\times10^3$ samples. [Right] Set size without sample correction (asymptotically valid assumption). The sample-corrected variants are shown with a dotted line. In all plots the $y$-axis is log-scaled.
  • ...and 9 more figures

Theorems & Definitions (15)

  • Theorem 1: Robust CP from [zargarbashirobust]
  • Proposition 1
  • Lemma 1
  • Lemma 2
  • Lemma 3
  • Corollary 1
  • Proposition 2
  • Theorem 2: Conformal Risk Control - rephrased
  • proof: Proof to \ref{thrm:vote-cp}
  • proof: Proof to \ref{thrm:views-equal}
  • ...and 5 more