Papers

Topics

Authors

Recent

View all

AI Research Assistant

Well-researched responses based on relevant abstracts and paper content.

Custom Instructions Pro

Preferences or requirements that you'd like Emergent Mind to consider when generating responses.

Gemini 2.5 Flash

Gemini 2.5 Flash 89 tok/s

Gemini 2.5 Pro 43 tok/s Pro

GPT-5 Medium 24 tok/s Pro

GPT-5 High 24 tok/s Pro

GPT-4o 112 tok/s Pro

Kimi K2 199 tok/s Pro

GPT OSS 120B 449 tok/s Pro

Claude Sonnet 4 37 tok/s Pro

2000 character limit reached

Additive Oblivious Adversaries

Updated 9 September 2025

Additive oblivious adversaries are defined as adversaries whose noise is pre-determined and independent of the actual data, ensuring a fixed corruption budget.
The model supports robust estimator design in statistics, machine learning, coding theory, and cryptography by contrasting with the more powerful adaptive adversaries.
Key results reveal that while oblivious adversaries allow for precise error bounds and manageable sample complexity, adaptive adversaries incur significantly harsher robustness challenges.

Additive oblivious adversaries are a class of statistical or computational adversaries defined by the restriction that their interference—typically in the form of additive corruptions—must be chosen independently of (i.e., be oblivious to) the realized sample or input data. This notion contrasts with fully adaptive adversaries, which can examine the true sample or protocol execution before selecting their corruptions. Additive oblivious adversaries have become a central object of paper in robust statistics, information theory, machine learning, coding theory, and cryptography, bridging the gap between random-noise and fully adversarial models.

1. Formal Definitions and Model Distinctions

The additive oblivious adversary model is characterized by a two-level constraint: (i) Additivity—the adversary injects noise, errors, or new points into the system according to a constrained budget (e.g., Huber contamination, fixed-fraction additive noise, or a set number of deletions), and (ii) Obliviousness—the adversary must fix or randomize its corruption sequence before seeing the realized data, possibly knowing only the distribution or system specification.

Common formalizations:

Statistical Setting: Given a data-generating distribution $p$ over domain %%%%1%%%% and data $S \sim p^m$ , an oblivious additive adversary defines a mapping $V$ producing a corrupted dataset $V(S)$ such that the additive budget

$\operatorname{budget}^{\mathrm{add}}(V,m) = \max_{S \in \mathcal{X}^m} \frac{|V(S)| - m}{m} \leq \eta$

for some $\eta > 0$ . The mapping $V$ must be independent of any specific sample $S$ and may only depend on $p$ , the distribution class, or public system parameters (Lechner et al., 5 Sep 2025).

Oblivious vs. Adaptive: Adaptive adversaries are allowed to observe $S$ (and sometimes the learner output) before producing corruptions, enabling them to choose which sample points (or which features of the sample) to target. This adaptive interaction strictly increases the adversary's power; learnability and robustness guarantees that hold for additive oblivious adversaries generally do not extend to the adaptive case without further increases in sample complexity or accuracy loss (Lechner et al., 5 Sep 2025, Canonne et al., 2023).

2. Learnability and Robustness Under Additive Oblivious Adversaries

A statistical or learning problem is said to be robustly solvable under additive oblivious adversaries if there exists an algorithm $A$ and sample complexity function $m(\varepsilon, \delta, \eta)$ such that, for any distribution $p$ in the class $\mathcal{C}$ and any additive oblivious adversary $V$ within budget $\eta$ ,

$\Pr_{S \sim p^m}\left[ d_{TV}(A(V(S)), p) \leq \alpha \cdot \eta + \varepsilon \right] \geq 1 - \delta\,,$

where $d_{TV}$ is total variation distance and $\alpha$ is a small constant.

A principal result is that robust learning (in total variation or parameter estimation) with respect to additive oblivious adversaries is fundamentally easier than with respect to adaptive adversaries. Explicitly, there exist distribution classes and estimation tasks where robust estimators exist for the oblivious setting but no estimator, regardless of sample size, can guarantee comparable robustness against adaptive additive adversaries under the same budget (Lechner et al., 5 Sep 2025).

This establishes a separation: additive adaptivity is strictly harder than additive obliviousness for robust learnability in general distribution classes and sample spaces.

3. Technical Framework for Separation

The proof of separation is achieved by constructing explicit distribution classes and adversaries for which:

For every algorithm $A$ and any constant $\alpha \geq 1$ , there is an adaptive additive adversary $V_A$ such that, with non-negligible probability (over the randomness of $S$ ), the estimation error

$d_{TV}(A(V_A(S)), p) > \alpha \cdot \eta$

for all sufficiently large $m$ .

For the same distribution class, there exists a learning algorithm $A^*$ robust to any oblivious additive adversary (even at budget $\eta$ ) such that

$d_{TV}(A^*(V(S)), p) \leq \alpha \cdot \eta + \varepsilon$

holds with high probability for all oblivious $V$ (Lechner et al., 5 Sep 2025).

The construction exploits the fact that an adaptive adversary, by examining the realized sample, can "zero in" on statistically informative regions—such as points of high probability or decision boundary regions—effectively "simulating" subtractive attacks or maximizing confusion. In contrast, an oblivious adversary, being blind to $S$ , must distribute its corruption without such targeting, making it much less effective.

4. Implications Across Domains

Robust Statistics and Machine Learning

Huber Contamination: Many robust estimators for mean, covariance, or parameter estimation have optimal breakdown and minimax risk under Huber $\eta$ -contamination in the oblivious setting (i.e., $\mathcal{D}_{\text{corrupted}} = (1-\eta)\mathcal{D} + \eta \mathcal{E}$ ). These guarantees need not hold for adaptive adversaries (Blanc et al., 2021).
Distribution Learning: Distribution classes (e.g., certain structured or nonparametric families) may be robustly learnable in total variation under additive oblivious adversaries but fail to be robust when adversarial adaptivity is allowed, even under the same corruption budget (Lechner et al., 5 Sep 2025).

Information Theory and Coding Theory

List-Decoding: For channels or codes designed under additive oblivious error models, the list-decoding capacity, code redundancy, and explicit constructions can be significantly better than for worst-case adversarial models. Techniques for oblivious adversaries often fail, or must be altered, to maintain guarantees under adaptive error placement (Zhang et al., 2020, Con et al., 23 Jun 2025).

Cryptography

Oblivious Transfer and Secure Computation: Security definitions for cryptographic primitives often rely on the assumption that adversarial actions are oblivious or independent of system randomness. Adaptive adversaries capable of tailoring their attacks to protocol executions must be handled with more advanced techniques, reducing protocol efficiency and increasing the need for cryptographic hardness assumptions (Dowsley et al., 2014).

Several adjacent papers analyze the relationship between oblivious and adaptive adversaries:

The equivalence between oblivious and adaptive adversaries (up to polynomial sample complexity blowup) can be established for certain algorithms, especially statistical-query (SQ) learning procedures and for tasks where a sub-sampling step can hide the sample from the adversary. However, this equivalence can fail outside those domains, especially when non-SQ, information-rich algorithms or sample-optimal rates are needed (Blanc et al., 2021, Blanc et al., 17 Oct 2024).
The sample complexity and minimax rates for robust testing and estimation tasks may show strict information-theoretic separations between oblivious and adaptive contamination (Canonne et al., 2023).

6. Consequences and Open Directions

Algorithmic Design: Robust learning and estimation algorithms proven secure under additive oblivious adversaries cannot automatically be considered robust under adaptive adversaries. Explicit consideration of adversarial adaptivity—including possibly increasing sample sizes, adjusting regularization, or employing cryptographic tools—may be necessary in such settings (Lechner et al., 5 Sep 2025).
Lower Bound Constructions: The theoretical distinction informs foundational lower bounds: for any fixed corruption budget, the achievable risk or estimation error under adaptive adversaries can be strictly worse than in the oblivious setting, even for arbitrarily large samples.
Practical Security: In practical machine learning and data analysis pipelines, the distinction guides the construction of protocols, data access restrictions, and privacy-preserving mechanisms (e.g., secure aggregation) for defenses against adaptive compromise.

In summary, additive oblivious adversaries define a fundamental model of statistical corruption that is strictly weaker than adaptive additivity. The gap is realized by their inability to tailor interference after observing data, yielding both more optimistic learnability conditions and tighter information-theoretic bounds—establishing a central axis for understanding robustness in high-dimensional and adversarial environments (Lechner et al., 5 Sep 2025, Con et al., 23 Jun 2025, Deng et al., 2020, Canonne et al., 2023, Blanc et al., 17 Oct 2024).