We thank the reviewer for their time and effort. We are pleased that the reviewer found the paper well-written, well-motivated, and supported by comprehensive experiments. Below, we systematically address each of the weaknesses and questions raised in the review.

For Weakness 1, we understand the reviewer’s concern. Indeed, for a diffusion model (generative tasks), unlearning often focuses on concept unlearning, where the aim is to forget an entire class or concept represented by a label. In these scenarios, the notion of residual knowledge, as defined in our paper, does not directly apply, since the input is not a sample but a label or prompt. However, there are notable exceptions. For instance, in image-to-image (I2I) generation (as shown in Fan et al. (2023, Figure 6) and Li et al. (2024, Figure 1)), the input is a partial image (e.g., an unmasked region) rather than a label. In such cases, residual knowledge may still manifest: perturbations to the input region could lead the model to regenerate forgotten content. However, we have conducted larger-scale experiments on the ImageNet-100 dataset—a subset of ImageNet-1k containing 100 classes and approximately 1,300 images per class (for a total of 130k images)—using ResNet-50. In this setting, we select class 0 as the forget class and perform 50% random sample unlearning, evaluating the results as summarized in Table 1 below. Due to time constraints, we include a subset of competitive baselines for comparison. As shown in the results, RURK consistently achieves the smallest average gap compared to GD and NegGrad+, confirming its effectiveness even at scale. Additionally, we provide the tabular version of the residual knowledge corresponding to Figure 2. The results reveal that GD still exhibits residual knowledge $> 1$, since it only fine-tunes on retain samples and lacks explicit control over forget samples or residual knowledge. Similarly, SSD, when applied to a large architecture like ResNet-50, struggles to identify and suppress all neurons associated with the forget information, leading to suboptimal mitigation. While NegGrad+ does not suffer from residual knowledge in the same way, its residual knowledge remains farther from 1 compared to RURK, indicating less alignment with the re-trained model. These findings support that the phenomenon of residual knowledge is not limited to small-scale settings, and that RURK remains effective in controlling it, even on larger and more complex datasets. We will incorporate and refine this new empirical evidence in the revised version.

For Weakness 2, please refer to our response to Question 2 below.

For Weaknesses 3, 4 and Question 3, we appreciate the thoughtful comments regarding the residual knowledge $r_\tau$, and will expand on this discussion in the revised manuscript. The reason we introduce residual knowledge $r_\tau$ is to bring in the re-trained model $a$, as the ideal outcome of unlearning is that the unlearned model $m$ and $a$ behave consistently on both the training samples and their perturbed counterparts (see Lines 183–186). The residual knowledge captures the tendency of the unlearned model $m$ to re-recognize slightly perturbed forget samples compared to the re-trained model $a$, revealing a potential privacy risk (see Lines 33–39). Therefore, $r_\tau$ cannot be defined using the unlearned model $m$ alone. As explained in Lines 263–266, RURK is designed to reduce residual knowledge by directly minimizing $\Pr[m(x') = y]$, avoiding reliance on the re-trained model during the unlearning process. The example raised by the reviewer illustrates exactly the phenomenon that $r_\tau$ is intended to capture: even if $\Pr[m(x') = y]$ is small, when divided by a smaller $\Pr[a(x') = y]$, the ratio $r_\tau > 1$, indicating that the unlearned model is still more prone to re-identify the forget sample than the re-trained model. This is the precise privacy risk we aim to define and mitigate in this work.

For Question 1, Figure 1 provides a pictorial illustration of residual knowledge, which is later supported by the quantitative results in Table 1 and Figure 2. The figure is intended to convey that, after successful unlearning, the unlearned and re-trained models should make consistent decisions on all samples. However, due to slight deviations in the model parameters or decision boundaries (as captured by $(\epsilon, \delta)$-indistinguishability), the models may disagree on perturbed samples near the decision boundary. This discrepancy illustrates the presence of residual knowledge. We will incorporate this clarification into the revised caption of Figure 1.

For Question 2, we appreciate the reviewer’s careful attention to detail and will incorporate additional explanation in the revision. (1): The assumption underlying the isoperimetric inequality---that samples lie on the surface of a unit sphere---is indeed a strong one. However, the underlying phenomenon of the isoperimetric inequality (if a subset occupies a small volume, its boundary must be relatively large) can be extended beyond the unit sphere. In fact, this principle generalizes to the entire unit cube (not just its surface), as shown in Proposition 2.8 of [R1]. The unit cube is a more realistic assumption, as images are often scaled such that pixel values lie in $[0, 1]$. That said, Proposition 2 is still meaningful: it illustrates that disagreement on perturbed samples can arise even under the stricter assumption of a unit sphere (which is a smaller space of samples, compared with the unit cube), making the result even more compelling when considering looser assumptions like the unit cube. We will extend Proposition 2 with the unit cube assumption and include it in Line 195 and in the Appendix. (2): The reviewer is also correct that the expression in question is indeterminate unless a specific relationship between $\epsilon$ and $\delta$ is defined. To address this, we can make the relationship explicit by setting $\delta = k\epsilon$ for some constant $k$. This allows us to apply L’Hôpital’s Rule to evaluate the limit: $\lim_{\epsilon \to 0} \frac{\frac{d}{d\epsilon}(2k\epsilon)}{\frac{d}{d\epsilon}(1-\exp(-\epsilon))} = \lim_{\epsilon \to 0} \frac{2k}{\exp(-\epsilon)} = 0$. We will include this clarification in Line 206.

Thank you again for your thoughtful feedback. We're happy to provide any additional information or address further questions. If you feel that we’ve sufficiently addressed your main concerns, we kindly ask you to consider updating your score accordingly.

[R1] Ledoux, M., 2001. The concentration of measure phenomenon (No. 89). American Mathematical Soc.

Thanks for your response, but I would like to continue the discussion on Q4. Let me first show my understanding of your paper (which I will use [Y] to represent) and the reference (which I still use [A] to represent). I will then attempt to bridge the two papers based on my understanding.

Let $S_{train}$ be the training set, consisting of $S_{retain}$ and $S_{forget}$. Here $S_{retain}$ is the set to remember, while $S_{forget}$ is the set to forget. Let $S_{poison}$ and $S_{perturb}$ be the poisoned data and perturbed data of $S_{forget}$, respectively.

• My understanding of [Y]: An unlearned model, which tries to forget $S_{forget}$ from a model trained on $S_{retain}$ and $S_{forget}$, can still remember $S_{perturb}$.

• My understanding of [A]: An unlearned model, which tries to forget $S_{poison}$ from a model trained on $S_{retain}$ and $S_{poison}$, can still remember (backdoor trigger of) $S_{poison}$.

Let me make a hypothesis based on my understanding of [Y]: An unlearned model, which tries to forget $S_{perturb}$ from a model trained on $S_{retain}$ and $S_{perturb}$, can still remember $S_{forget}$.

If this hypothesis is true, I think both papers are observing the same phenomenon: There is some essential knowledge that cannot be erased from the original model during unlearning. In [Y], such knowledge is the recognition of an image, because removing/adding noise does not affect the model's classification on (perturbed) forget samples. In [A], such knowledge is the recognition of backdoor patterns, where we can consider the images themselves as the noise/perturbation.

My questions are:

1. Is my hypothesis true or not? I understand that proving it theoretically or conducting empirical experiments may be non-trivial, but from my view, it is a reasonable and straightforward hypothesis.
2. If my hypothesis is true, is my understanding of the connection between [A] and [Y] correct as well?
3. If the answer to the 2nd question is yes, is there any further connection between [A] and [Y]? What is the contribution of [Y] beyond [A]?

Thank you for your time and thoughtful review. We’re glad you recognized the overlooked challenge of handling perturbations in unlearning and appreciated the mathematical formulation. We clarify limitations and address your questions in detail.

For Question 1, the original model, trained on both retain and forget samples, achieves 100% accuracy on the forget set—this is the forget accuracy. However, the Unlearn Accuracy in Table 1 is defined as 1 - forget accuracy (Footnote 6 Page 8), following the evaluation in Fan et al. (2023, Line 330). We ensure the original model performs well to allow a fair comparison; otherwise, it would be unclear if unlearning occurred. This setup leads to consistent 100% forget accuracy (i.e., 0% unlearn accuracy) and thus zero std. Forget samples are randomly selected, and results are averaged over trials with different model initializations.

For Questions 2 and 3, we appreciate the reviewer for highlighting this distinction. Our framework involves two sources of randomness: (1) from the unlearning algorithm (e.g., model initialization), and (2) from perturbations of forget samples. Section 3 focuses on the first to show that disagreement between unlearned and re-trained models on perturbed forget samples is inevitable (Prop. 2). But showing existence is not enough—we also need to quantify this disagreement in practice. Thus, in Section 4, we fix a realization of models $m$ and $a$ (sampling once from the first randomness) and evaluate disagreement under the second, by perturbing forget samples (Lines 221–222, Footnote 4). This motivates our definition of residual knowledge (Lines 229–235) and the design of RURK to reduce it. While it is possible to define residual knowledge using both randomness, doing so would require characterizing the distribution of $m$ or $a$—an intractable task without strong assumptions (Guo et al., 2020; Chourasia and Shah, 2023; Chien et al., 2024)—making it impractical for methods like RURK. To capture the second randomness, we perturb forget samples using various methods (Lines 361–374), including Gaussian sampling from the $\mathcal{B}_p(\tau)$ ball and adversarial methods like PGD, which can be viewed as non-isotropic sampling. We will revise the draft to clarify this distinction.

For Question 4, assumed referring to Fig 2, which evaluates residual knowledge—how consistently a perturbed forget sample is treated by the unlearned model relative to the re-trained model. Ideally, an unlearned model should produce a flat line at $y = 1$ across different $\tau$ (x-axis), indicating full alignment with the re-trained model. For instance, in the bottom-right panel (RURK), we observe residual knowledge close to 1 for all $\tau \leq 0.01$, showing greater robustness than other baselines (Lines 366–372). Together with Table 1, these results highlight RURK’s overall strength: minimal accuracy gaps, while effectively reducing residual knowledge. We will clarify this in the revised discussion of Figure 2 in Section 5.

For Question 5, this connection is interesting. In MIA against an unlearned model, an adversary may exploit side information—such as the minimal perturbation needed for the model to re-recognize a forget sample. A small perturbation norm may suggest prior inclusion in the training set, increasing the chance of successful inference. This presents a compelling direction for future MIA research in unlearning. Emerging work has begun leveraging such side information—e.g., model variation near training points [R1, R2] or perturbation dynamics [R3]—to strengthen attacks. We will expand the discussion in the revision to motivate further exploration.

For Question 6, we thank the reviewer for highlighting the distinction. In classification, unlearning targets individual samples (random or all samples in a class)—enabling direct perturbation to assess residual knowledge. In contrast, generative tasks often focus on concept unlearning, where inputs are labels or prompts, making our definition less directly applicable. However, exceptions exist. In image-to-image generation (e.g., Fan et al. 2023; Li et al. 2024), inputs are partial images, where perturbations may still trigger forgotten content. Language generation adds further complexity due to its compositional nature (Lines 92–93), and forget/retain definitions differ significantly (Line 307), making residual knowledge harder to formalize. Our focus is to introduce and analyze residual knowledge in a controlled classification setting, where evaluation is clearer and more comparable—we will clarify this in Section 2. That said, prior work [R4–R6] shows LLMs can still leak sensitive information post-unlearning, through relearning or jailbreaking—behaviors conceptually related to residual knowledge, which we aim to explore in future work.

For Limitation 1, thanks for raising this point. We did not tune RURK’s unlearn accuracy to match the re-trained model. Instead, we ran unlearning until the RURK loss in Eq. (6) converged, allowing a fair comparison across methods. Under this setup, RURK achieves the second-smallest unlearn accuracy gap relative to the re-train baseline (highlighted in blue in Table 1), closely following NGD. This indicates comparable performance. Importantly, in random sample unlearning, absolute unlearn accuracy is less meaningful than the gap from the re-trained model—consistent with the evaluation protocol in Fan et al. (2023).

For Limitation 2, we conducted larger-scale experiments on the ImageNet-100 dataset (100 classes, ~130k images) using ResNet-50. We unlearn 50% of class 0 via random sampling and report results in the updated Table 1 below. Due to time constraints, we include a subset of strong baselines. RURK consistently achieves the smallest average gap relative to the re-trained model, outperforming GD and NegGrad+, and confirming its scalability. We also provide a tabular version of the residual knowledge results from Figure 2. GD shows residual knowledge $> 1$, as it only fine-tunes on retain samples without explicitly mitigating forget signals. SSD struggles with large models like ResNet-50, failing to fully suppress neurons encoding forget information. While NegGrad+ avoids the same failure mode, its residual knowledge remains farther from 1 than RURK, indicating weaker alignment with the re-trained model. These findings confirm that residual knowledge persists at scale and that RURK effectively mitigates it. We will incorporate and refine this evidence in the revised manuscript.

For Limitation 3, we will clarify this point in the revision. The approach of obfuscating forget sample labels—via randomization or mislabeling—is effectively captured by the GA method in Table 1. GA pushes predictions away from the original labels, as described in Graves et al. (2021, Page 3), and is already included in our evaluation. Table 1 compares standard unlearning metrics (Lines 117–126, 328–344) to ensure unlearning is not overly aggressive. Even with strong unlearning, a well-behaved model should not re-identify small perturbations of forget samples—unlike a re-trained model, which naturally fails to recognize them. A properly unlearned model should produce uncertain outputs, leading to low residual knowledge—precisely what our metric captures.

Thank you again! We’re happy to provide any additional information. If you feel that we’ve adequately addressed your main concerns, we would greatly appreciate your consideration in updating the score accordingly.

[R1] Jalalzai, H., Kadoche, E., Leluc, R. and Plassier, V., 2022. Membership inference attacks via adversarial examples. arXiv:2207.13572.

[R2] Del Grosso, G., Jalalzai, H., Pichler, G., Palamidessi, C. and Piantanida, P., 2022. Leveraging adversarial examples to quantify membership information leakage. In Proceedings of CVPR.

[R3] Xue, J., Sun, Z., Ye, H., Luo, L., Chang, X., Tsang, I. and Dai, G., 2025. Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack. arXiv:2506.02711.

[R4] Hu, S., Fu, Y., Wu, S. and Smith, V., 2024. Jogging the memory of unlearned models through targeted relearning attacks. In ICML 2024 Workshop on Foundation Models in the Wild.

[R5] Shumailov, I., Hayes, J., Triantafillou, E., Ortiz-Jimenez, G., Papernot, N., Jagielski, M., Yona, I., Howard, H. and Bagdasaryan, E., 2024. Ununlearning: Unlearning is not sufficient for content regulation in advanced generative ai. arXiv:2407.00106.

[R6] Liu, S., Yao, Y., Jia, J., Casper, S., Baracaldo, N., Hase, P., Yao, Y., Liu, C.Y., Xu, X., Li, H. and Varshney, K.R., 2025. Rethinking machine unlearning for large language models. Nature Machine Intelligence.

We thank the reviewer for their time and thoughtful feedback. We’re glad to hear that the reviewer found the paper well-written and shares our interest in the newly identified privacy risk of residual knowledge. Below, we address each of the reviewer’s comments and suggestions in detail.

For Weakness 1, we understand the reviewer’s concern and have conducted larger-scale experiments on the ImageNet-100 dataset—a subset of ImageNet-1k containing 100 classes and approximately 1,300 images per class (for a total of 130k images)—using ResNet-50. In this setting, we select class 0 as the forget class and perform 50% random sample unlearning, evaluating the results as summarized in Table 1 below. Due to time constraints, we include a subset of competitive baselines for comparison. As shown in the results, RURK consistently achieves the smallest average gap compared to GD and NegGrad+, confirming its effectiveness even at scale. Additionally, we provide the tabular version of the residual knowledge corresponding to Figure 2. The results reveal that GD still exhibits residual knowledge $> 1$, since it only fine-tunes on retain samples and lacks explicit control over forget samples or residual knowledge. Similarly, SSD, when applied to a large architecture like ResNet-50, struggles to identify and suppress all neurons associated with the forget information, leading to suboptimal mitigation. While NegGrad+ does not suffer from residual knowledge in the same way, its residual knowledge remains farther from 1 compared to RURK, indicating less alignment with the re-trained model. These findings support that the phenomenon of residual knowledge is not limited to small-scale settings, and that RURK remains effective in controlling it, even on larger and more complex datasets. We will incorporate and refine this new empirical evidence in the revised version.

For Weakness 2, we appreciate the reviewer’s insight and will clarify this point in the revised version. In Table 1, because we focus on the random-sample unlearning setting, the increasing or decreasing values of the metrics do not inherently indicate better performance. Rather, the unlearning performance is considered better when the metrics are closer to those of the re-train baseline, which serves as the gold standard. This is why we report the absolute gaps (in blue) between each method and the re-train side-by-side; the smaller the gap, the better the performance. In class unlearning, (results provided in Appendix Table C.2 and referenced in Line 306) the criteria is the same, as the re-trained model is still the gold baseline to compare with.

For Weakness 3, we appreciate the reviewer’s feedback in helping us clarify this point. We would like to emphasize that the performance of the methods is best understood by jointly considering Table 1 and Figure 2. This is because we are concerned not only with standard metrics such as retain and unlearn accuracy (reported in Table 1), but also with residual knowledge (illustrated in Figure 2). As discussed in the main text (Line 354), SSD tends to aggressively erase forget-set information, resulting in high unlearn accuracy but at the cost of test accuracy dropping below 90%. Furthermore, although SSD and RURK exhibit similar trends in Figure 2, RURK is more resistant to residual knowledge, as indicated by its longer plateau. Additionally, RURK offers a tunable mechanism for controlling residual knowledge via the parameter $\tau$ of the ball $\mathcal{B}_p(x, \tau)$ in Eq. (6). We included an ablation study of the hyper-parameters of RURK in Appendix C.3, Table C.4 and Figure C.11---parameter $\tau$ effectively reflects on the increase of unlearning accuracy and the plateau of the residual knowledge curves.

For Weakness 4, due to space constraints, we chose to omit a summary of the work and instead prioritized discussions on limitations, future directions, and broader impact in Section 6 (Final Remark). However, we are happy to include a conventional concluding paragraph in the revised version.

For Question 1, please refer to our response in Weakness 1.

For Question 2, we appreciate the reviewer’s suggestion. Indeed, unlearning has became an active area of research in LLMs (Lines 92-93), and it presents significantly greater complexity due to the inherent nature of language. In particular, the unlearning process---including the definitions of forget/retain samples and the evaluation metrics---differs considerably between LLMs and classification settings (e.g., the baseline methods discussed in Line 307). In this paper, our primary goal is to highlight a new privacy risk: residual knowledge. To do so, we focus on classification settings, which allow for clearer and more controlled evaluation. We will make this focus more explicit in the revised version. That said, several existing works [R1–R3] have demonstrated that sensitive information can still be reverse-engineered from LLMs even after unlearning—either through relearning (using different text corpora with similar contexts) or via jailbreaking techniques. While these observations are not directly equivalent, they are conceptually related to the residual knowledge phenomenon we investigate in the classification setting. We are excited to further explore this connection in future work.

For Question 3, yes---Figure 2 presents results where RURK is trained using a Gaussian noise attack, and the residual knowledge is also evaluated with respect to the same Gaussian noise, ensuring a fair comparison. We also include results for other adversarial attacks, such as FGSM and PGD, where both RURK and the residual knowledge evaluation are based on the same respective attack. These additional results are provided in Appendix Figure C.11 and referenced in Lines 373–374.

Thanks again for the comment! We are happy to provide more information or answer any follow-up questions. Please consider raising our score if you think we have addressed your main concerns.

[R1] Hu, S., Fu, Y., Wu, S. and Smith, V., 2024. Jogging the memory of unlearned models through targeted relearning attacks. In ICML 2024 Workshop on Foundation Models in the Wild.

[R2] Shumailov, I., Hayes, J., Triantafillou, E., Ortiz-Jimenez, G., Papernot, N., Jagielski, M., Yona, I., Howard, H. and Bagdasaryan, E., 2024. Ununlearning: Unlearning is not sufficient for content regulation in advanced generative ai. arXiv preprint arXiv:2407.00106.

[R3] Liu, S., Yao, Y., Jia, J., Casper, S., Baracaldo, N., Hase, P., Yao, Y., Liu, C.Y., Xu, X., Li, H. and Varshney, K.R., 2025. Rethinking machine unlearning for large language models. Nature Machine Intelligence, pp.1-14.

We thank the reviewer for their time and constructive feedback. We address the weaknesses and questions point-by-point below.

For Weakness 1 and Question 1, we appreciate the reviewer’s observation and will further clarify in the revision. While assuming samples lie on the unit sphere is strong, the core idea of the isoperimetric inequality—that a small-volume set must have a large boundary—extends to more realistic settings. Specifically, Prop 2.8 in [R1] generalizes this principle to the unit cube, which better reflects image data where pixel values are normalized in $[0, 1]$. Nonetheless, Prop. 2 remains meaningful: it shows disagreement on perturbed samples even under the stricter unit sphere assumption, making the result compelling under broader assumptions like the unit cube. We will extend Propo 2 accordingly in the revision.

For Weakness 2, Weakness 8, and Question 4, we conducted larger-scale experiments on the ImageNet-100 dataset (100 classes, ~130k images) using ResNet-50. We unlearn 50% of class 0 via random sampling and report results in the updated Table 1 below. Due to time constraints, we include a subset of strong baselines. RURK consistently achieves the smallest average gap relative to the re-trained model, outperforming GD and NegGrad+, and confirming its scalability. We also provide a tabular version of the residual knowledge results from Figure 2. GD shows residual knowledge $> 1$, as it only fine-tunes on retain samples without explicitly mitigating forget signals. SSD struggles with large models like ResNet-50, failing to fully suppress neurons encoding forget information. While NegGrad+ avoids the same failure mode, its residual knowledge remains farther from 1 than RURK, indicating weaker alignment with the re-trained model. These findings confirm that residual knowledge persists at scale and that RURK effectively mitigates it. We will incorporate and refine this evidence in the revised manuscript.

For Weakness 3, please refer to the response on large-scale classification experiments. We also thank the reviewer for drawing attention to generative tasks. In such settings—e.g., image or text generation—unlearning typically targets entire concepts or classes via labels or prompts, making our definition of residual knowledge less directly applicable. However, exceptions exist. In image-to-image (I2I) generation (e.g., Fan et al., 2023; Li et al., 2024), inputs are partial images, and perturbing them can still trigger forgotten content. Language generation is even more complex due to its compositional nature (Lines 92–93) and differing forget/retain semantics (Line 307), complicating the definition and evaluation of residual knowledge. Our goal in this paper is to introduce and study residual knowledge as a privacy risk in classification, where evaluation is clearer and more controlled. We will clarify this scope in Section 2. That said, prior work [R2–R4] shows that LLMs can still leak forgotten content through context relearning or jailbreaking—phenomena conceptually related to residual knowledge, which we aim to investigate in future work.

For Weakness 4 and Question 2, we appreciate the reviewer for raising this point. In classification unlearning, access to forget samples is standard practice in recent work—including the baselines we use (Lines 307–327, Appendix B.2), such as Fan et al. (2023), Kurmanji et al. (2024), and Graves et al. (2021). This assumption is also practical: if a user requests deletion, they must either provide the sample or ask the provider to retrieve it. Unlike generative unlearning (which targets entire concepts), classification unlearning becomes infeasible if neither forget nor retain samples are accessible. Moreover, both our residual knowledge definition (Eq. (4)) and RURK objective (Eq. (6)) rely on forget samples. Fine-tuning on retain samples alone cannot ensure residual knowledge is removed. Finally, RURK is an integrated unlearning process—not a post hoc correction—explicitly designed to eliminate residual knowledge at the time of unlearning. We will clarify these points in revised Sections 2 and 4.

For Weakness 5 and Question 5, we appreciate the reviewer’s concern and offer the following clarification. The notions of $(\epsilon, \delta)$-unlearning and residual knowledge (Lines 108–116) are theoretical constructs that require the unlearned model to closely match a re-trained model—either in weight distribution or output behavior on perturbed forget samples. RURK, however, avoids dependence on the re-trained model during unlearning. Rather than forcing residual knowledge to be exactly 1, RURK constrains it to be ≤1, since values above 1 signal a stronger privacy risk. This design choice enables practical unlearning without retraining, as explained in Lines 261–266 and supported by Figure 2. We acknowledge this trade-off in Section 6. Computing the proxy term (ii) in Eq. (6) is analogous to using empirical adversarial examples to estimate adversarial loss. We will highlight this rationale and our design decisions more explicitly in the revised Section 4.

For Weakness 6 and Question 3, we thank the reviewer for pointing out the lack of clarity. In the main text, we set $v=1$ (i.e., one sample from the vulnerable set using Gaussian noise) in Term (ii) of Eq. (6). RURK’s overhead grows linearly with $v$, but since sampling is done in constant time, its overall complexity remains comparable to other gradient-based methods like GD, NGD, and NegGrad+ (Lines 347–349). Appendix C.3 provides an ablation on $v$. For the larger-scale experiment (on an NVIDIA 8xA10g node) shown above, RURK completes in 42.95 minutes, compared to 1920.48 minutes for full retraining. We will add a more detailed runtime comparison in the revision.

For Weakness 7, we thank the reviewer for prompting a more comprehensive discussion. In addition to Lines 345–374, we offer the following clarifications. Figure 2 uses different y-axis scales across subfigures. NTK exhibits residual knowledge because it linearizes the model via the neural tangent kernel and ignores higher-order output terms. Fisher aggressively adds Gaussian noise to model weights to erase forget information but harms utility (test accuracy). Fine-tuning-only methods like GD and CF-k show high residual knowledge, underscoring the need to access forget samples—as RURK does. NGD, though also fine-tuning only on retain samples, adds controlled weight noise (similar to Fisher), reducing residual knowledge more effectively than GD and CF-k, but still less than RURK. GA fine-tunes on forget samples using reversed gradients, over-erasing forget information and deviating from the re-trained model. EU-k updates only the last layers on forget samples, leaving residuals in earlier representations. SSD selectively dampens weights and behaves similarly to GA due to over-removal. SCRUB performs comparably to RURK but is more expensive due to its reliance on a teacher model. NegGrad+ has a similar objective to RURK but retains more residual knowledge, validating the effectiveness of Term (ii) in Eq. (6). We will incorporate these points in the revision.

Thanks again! We are happy to address any additional questions. If you think that we’ve adequately addressed the limitations, we would greatly appreciate your consideration in updating the score accordingly.

[R1] Ledoux, M., 2001. The concentration of measure phenomenon (No. 89). American Mathematical Soc.

[R2] Hu, S., Fu, Y., Wu, S. and Smith, V., 2024. Jogging the memory of unlearned models through targeted relearning attacks. In ICML 2024 Workshop on Foundation Models in the Wild.

[R3] Shumailov, I., Hayes, J., Triantafillou, E., Ortiz-Jimenez, G., Papernot, N., Jagielski, M., Yona, I., Howard, H. and Bagdasaryan, E., 2024. Ununlearning: Unlearning is not sufficient for content regulation in advanced generative ai. arXiv preprint arXiv:2407.00106.

[R4] Liu, S., Yao, Y., Jia, J., Casper, S., Baracaldo, N., Hase, P., Yao, Y., Liu, C.Y., Xu, X., Li, H. and Varshney, K.R., 2025. Rethinking machine unlearning for large language models. Nature Machine Intelligence, pp.1-14.

Thank you for your detailed rebuttal and additional experiments which address some concerns from my review. The results strengthen the case for RURK, but the issues with forget set dependency, computational cost, and non-vision applicability are there. I will review other reviewers feedback and if I am satisfied, I will update my recommendation accordingly. Please include new results and address remaining gaps in the revision.