Ascent Fails to Forget

We would like to thank the reviewer for their detailed review and the positive evaluation of our work.

Below, we address the specific questions and weaknesses raised.

Weaknesses:

• Regarding Lemma 1: The choice of a classification task in Lemma 1 is arbitrary, and the result can be extended to regression by simply modifying the metric. Accuracy is used solely for clarity and simplicity in the lemma’s formulation. Regarding the connection between regression and classification: logistic regression is a classic example of a regression-based method commonly used for classification both in traditional machine learning and in deep learning (in its nonlinear realization), hence we opt for classification throughout this work.

• Potential for Theoretical Expansion: We agree that extending the result to multi-layer networks would be extremely interesting and broaden the impact of this study. We leave this open for future work.

• Explaining the 1st and 2nd PC relation to difficulty in unlearning: We believe some intuition can be given with a relatively simple example: Consider once again a 2-dimensional logistic regression task, where labels are generated by a linear transformation of the data $y_i =T x_i,i=1\ldots N$, where $T\in \mathbb{R}^2$ is a fixed teacher vector. In particular, we can simply choose $T=$ { $1,-1$ } , which would then correspond to classifying points above and below the line $x_{i,1}-x_{i,2}=0$ as negative and positive, respectively. Next, we train a student with weights $S\in \mathbb{R}^2$ to perform logistic regression with labels given by the teacher $T$. If it succeeds, then we expect $S=T$. If we sample points uniformly in a small region near the origin, the influence matrix between a specific point and a test point can be approximated by $I_{z,z_{test}}\approx -y_{test}y \sigma(-y_{test}S x_{test})\sigma(-y S x)x_{test}^T x$ $=-(x_{test,1}-x_{test,2})(x_1-x_2) \sigma(-(x_{test,1}-x_{test,2})^2)\sigma(-(x_1-x_2)^2)x_{test}^T x$, where the inverse Hessian term which should appear is proportional to the identity matrix. If we focus on points scattered on a line of roughly constant $x_1-x_2\approx x_{test,1}-x_{test,2} \approx c$, the amount of correlation between $x_{test}$ and $x$ determines the influence of the point, thus the PCs of $x_{test}^T x$ are expected to align with the influence PCs. We stress that this explanation is only meant to give intuition, and it would be interesting to perform this analysis directly on the full influence matrices in some tractable, as well as realistic settings.

• Minor Suggestion: We thank the reviewer for pointing out the inconsistency. We made the paragraph style consistent with the paragraph above for the rest of the related work section.

Questions:

• Degradation in other unlearning methods: This is a very interesting question, indeed the findings might be applicable to other schemes. The main intuition is that, when unlearning a random forget set, any method that attempts to approximate an oracle model should have a similar accuracy on the forget set and on the test set, since they are perceived by the network as statistically identical. Consequently, methods which aim to produce a large drop in forget set accuracy will deviate from oracle models. Our findings show that this is indeed a prevalent problem in DA based methods. We do not expect the same to occur in influence function-based approaches and certified-unlearning methods since they do not necessarily target a drop in forget set accuracy.

• KLoM and baselines: In [1] the authors show how an influence function oriented method (using datamodels) achieves low KLoM scores on the forget set. Since this method does not perform gradient ascent we left it out of this work. We agree it is important to explicitly mention ``datamodels'' success and we will include it in our discussion of related methods.

• MNIST and high correlations: Thank you for this insightful question about DA-based methods on highly correlated datasets like MNIST.

  We argue that MNIST is fundamentally degenerate for machine unlearning evaluation, making it difficult to assess whether any unlearning method (including DA-based approaches) has truly succeeded. The core issue is that most MNIST points are highly similar to multiple other points in the dataset. When we retrain an oracle model that has never seen the forget set points, its distribution of margins remains very similar to the pretrained model, even on the forget set, making it hard to distinguish between the two.

  To demonstrate this degeneracy, we compare pretrained models (trained on the full dataset) with oracle models (trained without forget sets, requiring no unlearning whatsoever). Previously, on CIFAR-10, oracle and pretrained models show large representational differences on forget sets (high 95th percentile KLoM scores) while remaining similar on retained data, consistent with [1]. This pattern indicates that forget set points were meaningfully learned and their absence creates detectable differences.

  MNIST exhibits the opposite pattern: Oracle and pretrained models remain nearly identical even on forget sets, with consistently low KLoM scores across all data splits. This similarity persists even when scaling forget set size to 10% of training data. We also tested on FashionMNIST which shows some increase in forget set KLoM scores, though not approaching CIFAR-10 magnitudes and clear distinguishability from pretrained models.

  This fundamental issue means that any unlearning method - whether DA-based or otherwise - could appear to "succeed" on MNIST simply by "doing nothing" (e.g. very small learning rate or number of steps) because the dataset's inherent redundancy makes meaningful forgetting hard to verify.

  Dataset	Forget %	Forget KLoM (95th)	Retain KLoM (95th)	Val KLoM (95th)
  MNIST	0.02%	0.5	0.7	0.71
  MNIST	0.2%	2.72	2.88	2.9
  MNIST	10%	1.79	1.65	1.71
  FashionMNIST	0.02%	4.13	1.87	2.76
  FashionMNIST	0.2%	2.72	1.79	2.70
  FashionMNIST	10%	2.69	2.0	3.31

  For reference, we trained 100 pretrained models for each dataset and 100 oracles for each forget set as in our original experiments. We will add this insights to the appendix for the camera ready version.

• Accuracy of test: Yes, it is standard practice to represent the ground truth distribution accuracy using test dataset accuracy. The test set serves as an unbiased estimator of the true population performance, as it remains unseen during model development. By the law of large numbers, this estimator converges to the true accuracy as the test set size increases. Since the ground truth distribution is inherently unknown in practice, the test set accuracy provides the most principled approximation available. This approach aligns with established machine learning evaluation protocols where test performance serves as the gold standard for assessing generalization capability.

• ImageNet-Living-17: We apologize for this it was a typo we meant to write cifar-10 here.

[1] Georgiev et al "Attribute-to-Delete: Machine Unlearning via Datamodel Matching." arXiv:2410.23232v2

To the reviewer,

Thank you for your quick reply. Let us provide some additional clarification, regarding the additional comment.

In practice, the goal is to deploy a model that performs optimally under the ground truth distribution, as this would yield the best expected performance on an unseen test set, whose exact composition is not known in advance. As an additional clarification, we noted that test performance converges to the expected performance under the ground truth distribution as the test set size grows. Ultimately, the primary objective is to achieve the highest possible accuracy with respect to the ground truth distribution, thereby ensuring that the model generalizes well to unseen test data, consequently, we don't require additional assumptions, for our theoretical results.

We thank the reviewer for their detailed feedback and the opportunity to clarify our work. We understand the concerns raised regarding novelty, the theoretical setup, and clarity. Below, we address each point in the order in which it was raised. We hope these clarifications will demonstrate the value and significance of our contributions and lead the reviewer to kindly reconsider their assessment and score.

Weaknesses

1. On the novelty of Claim 1 (DA methods fail in practice)

We agree with the reviewer that prior works, such as Georgiev et al. [1], have empirically observed the existence of instabilities in unlearning with DA methods. However, our primary contribution is not the observation of failure itself, but the identification and rigorous analysis of a key underlying cause: the statistical dependence between forget and retain sets.

Prior work has not established this causal link. Our contributions here are twofold:

• Empirical Disentanglement: We deliberately designed experiments to isolate the effect of correlation. In Fig. 2, we show that for random sets (where correlations are present but not systematically structured), DA methods are highly unstable, sporadically succeeding but often breaking the model. In contrast, in Fig. 3, where we unlearn sets with high structural correlation (points aligned with top PCs of the influence matrix), the failure is systematic and complete. To our knowledge, this direct empirical demonstration linking the degree of correlation to the severity of failure has not been demonstrated in the existing literature. On top of this, our work shows fine-grained results considering all parameter settings while [1], and other previous works, evaluate over a grid of hyperparameters and report the best score relative to compute time (Appendix C3 in [1]) which can mislead practitioners as explained in the "Ascent Forgets Illusion" (Figure 2).

• Distinct Findings from Georgiev et al. [1]: The specific figures cited by the reviewer show different phenomena than what we analyze.

  • Figure 2 in [1] shows that different points unlearn at different rates for a fixed hyperparameter setting of a DA method (SCRUB).
  • Figure 11 in [1] shows that for a linear model, gradient ascent eventually diverges, which one might argue can be fixed with early stopping.
  • Our work goes further by providing a theoretical explanation as to why this happens in more complex, non-linear problems (logistic regression) and demonstrating a more severe failure mode: DA can be actively detrimental from the very first step, regardless of early stopping (Lemma 3).

2. On the theoretical settings being "too stylized" (Claim 2)

We appreciate the reviewer's concern about the generality of our theoretical results. Our goal with these "stylized" settings was to use a standard fundamental scientific approach: isolate a complex phenomenon (the effect of correlation in DA unlearning) in a tractable environment where it can be analyzed with mathematical rigor.

• Clarification on the "Orthogonal" Setting: We thank the reviewer for highlighting this, as it seems to be a key point of confusion. The data in our analysis is explicitly non-orthogonal along the dimensions of interest, which is central to our claim. The "semi-orthogonal" construction (Assumption 1) means that we are analyzing a high-dimensional space where dependencies are localized to specific coordinates. This allows us to prove that correlations along a few dimensions can cause failure, even when all other data dimensions are perfectly orthogonal and non-interfering. This setup strengthens, rather than weakens, our claim by showing that cross-dimensional information cannot necessarily rescue the unlearning process and save the model. We would stress that in purely orthogonal data, DA unlearning may not be problematic, but this is a case of less relevance to the real world.

• On the "Stringent" Labeling Assumption: The only additional labeling assumption made throughout the paper is Assumption 2. It is easy to see that the assumption is rather general and it simply requires that no two points, one in the forget set other in the retain set, with the same data (x) have opposite labels (y). This is a requirement to establish that no step size or stopping criteria can salvage the unlearning process when DA is used in this scenario. It is a mild assumption in practice since on most datasets (e.g. cifar10, imagenet) very similar data points rarely have opposite labels, as one might expect.

• On Correlation as the Cause of Failure: The reviewer suggests DA might hurt even without correlations, citing Fig. 11 in [1]. While other failure modes may exist, our work's focus is to prove that correlation is a sufficient condition for catastrophic failure. Our Lemma 3 demonstrates that for our non-linear setting, the DA solution progressively moves away from the oracle solution from the very beginning, for any step size, making the process actively harmful regardless of early stopping. This is a much stronger and more specific result than observing eventual divergence in a linear model, which one could argue can potentially be resolved with early stopping.

3. On the generality of the 2D "Bad Minima" example

The 2D example in Section 5.2 is intended as a clear, visualizable illustration of a more general mechanism: how DA can maliciously reshape the loss landscape to trap a model in a suboptimal basin of attraction.

The reviewer asks if this holds for overparameterized neural networks. While a full analysis is beyond the scope of our paper, the underlying principle remains valid. In any model, non-convex or otherwise, the final parameters are a result of balancing gradients from all data points. If a forget set is highly correlated with a subset of the retain set that is critical for defining a good decision boundary (e.g., analogous to support vectors), the ascent-descent process does more than just "remove" information. It can create a "hole" in the loss landscape where the correct minimum used to be, while simultaneously deepening an incorrect minimum elsewhere. This trapping mechanism is not exclusive to low dimensions and provides a strong intuition for why simple finetuning on the retain set afterwards may fail to recover the correct solution. As a concrete example, consider our setting of semi-orthogonal data with a smaller number of data points than dimensions $d>N$, where there are still multiple points correlated on a single axis. Since the data is orthogonal on the other axes, unlearning is still effectively a one dimensional problem, although the network operates in the overparameterized regime, and our results hold. We agree that repeating the analysis for more complex overparameterized networks is an excellent natural extension, which we postpone to future work. As a final point we would like to argue that the regime with $N > d$ has become more common in practice, where our findings clearly apply, for example, Large Language Models are usually trained on many more tokens than their number of parameters.

Questions & Clarifications

We thank the reviewer for pointing out several areas of unclear language. We will revise the paper to improve clarity based on this feedback.

• Line 173: "The data is separable into orthogonal sets Sj for each coordinate j."

  • Clarification: We will rephrase this to be clearer. This assumption simply means the data matrix has a block-diagonal structure after a permutation of rows, where each block corresponds to a set of samples that only have non-zero elements on a unique, shared set of coordinates. Thus, samples in different sets $S_j$ and $S_k$ (for $j \neq k$) are orthogonal, while samples within the same set $S_j$ can be (and are in our analysis) correlated.

• Line 193: "Lemma 3 shows that the DA solution is always farthest away from the oracle solution".

  • Clarification: In the 1D context of Lemma 3, "farthest away" has a precise geometric meaning that we will make explicit. It means the DA solution $w^{\text{DA}}$ and the oracle solution $w^{\mathcal{R}}$ lie on opposite sides of the original model's solution $w^{\mathcal{D}}$. Therefore, any step in the DA direction moves the model away from the oracle, making it a worse solution than keeping the pretrained model as is.

• Corollary 1: "What is e_j? Also, the text says it follows from lemma 4, but lemma 4 shows no dependence on lambda."

  • Clarification: We apologize for the typo; $e_j$ should be $\alpha$. We thank the reviewer for pointing out this error. The corollary follows from combining Lemma 4 and Lemma 5. Lemma 4 shows the distance between the original and oracle solutions is bounded (independent of $\lambda$). Lemma 5, its counterpart, provides a lower bound on the distance between the DA and oracle solutions, which grows as $\lambda \to 0$. The combination of these two results leads directly to the conclusion of the corollary, which is a divergence of the solutions. We will correct the text and the typo.

• Lemma 4: "Is there any condition on alpha? The upper bound seems to become negative when alpha < |F| / |R|?"

  • Clarification: The right-hand side of the inequality is non-negative because the logarithm is inside an absolute value: $|\ln((1+\alpha))|$. This may not have been immediately obvious. We thank the reviewer for this close reading and will add a note to the text to prevent this confusion. The bound holds for any $\alpha > 0$.

[1] Georgiev et al "Attribute-to-Delete: Machine Unlearning via Datamodel Matching." arXiv:2410.23232v2

We thank you for your detailed and constructive review. We appreciate that you found our contribution to be useful to the community.

Below, we address the specific weaknesses and questions brought up in your review.

Weaknesses:

• Lemma 1 seems problematic and does not consider the effect of model training. We apologize for this crucial misunderstanding and would like to clarify the confusion regarding Lemma 1. In the text above the Lemma, we briefly state that this Lemma corresponds to the oracle model, trained only on the retain set, and not to a pre-trained and then unlearned model. It is important to stress that the oracle model is obtained by training from scratch on the retain set, and so it is never exposed to the forget set. Therefore, there are no dependencies between the random variables since the model parameters are only dependent on the retain set. We will clarify this further by specifying in the statement of the Lemma that we refer to the oracle model instead of simply the model as in the current version.

• In Figure 5 and section 5.2, there is no discussion on the effect of training dynamics. Our results throughout section 5 concern the landscape of the optimization process and the locations of the optimal minimizers. As a result, the training dynamics do not affect them, as long as the pre-defined objective function is unchanged. For example, the magnitude of the learning rate is not important and no assumptions have been made on it to draw the conclusions for the solutions of the optimization problem. Regarding the regularization parameter, similar to section 5.1.1, changing it does not alter the relative positions of the minimizers, it only controls their distance from the origin and between them. Hence, the decision boundaries in Figure 5 are not affected by the regularization parameter.

• It would be better to include more discussion on the related works or future directions. Thanks for the suggestion, we would be happy to include more details in the future directions and related work for the camera ready version.

Questions:

• Question 1: Hoeffding's inequality: Regarding the application of Hoeffding's inequality, it is indeed applied to model predictions. Nevertheless, as we mentioned in our reply to the raised weaknesses, Lemma 1 concerns the oracle model which has been trained using only the retain set and has not seen the forget set, so it does not contradict the assumptions required for the inequality to hold.

• Question 2: The result of section 5.2 and equal learning rates: We thank the reviewer for this very interesting question. As we mentioned above, the learning rate magnitude has no real effect on our results and they would still hold. However, selecting different learning rates for the retain and forget sets (i.e. the ascent and descent steps on DA) alters the objective function. Specifically, the new objective function would be weighted according to the ratio of the learning rates. While it is possible to select a weighting so that the specific example in Figure 5 is not problematic, one could find a problematic instance along the lines we describe for any ratio. For example, assume that for the unlearning process we select a step size for the forget set that is double that of the retain. Now, in the Figure 5 instance you can simply reduce the size of the forget set from 2 samples to 1 (by removing the other sample from the original dataset), this would lead again to the same optimization landscape as the one we have described.

We sincerely hope that you kindly consider raising your score if our reply has alleviated your concerns regarding our work.

We would like to thank the reviewer for their work and the positive evaluation of our work.

Below, we address the specific questions raised in the review.

Questions:

• Are strong statistical correlations between the forget and retain dataset an ecologically valid assumption (unlearning telephone numbers etc.) : While unlearning a specific fact like a phone number might seem like a low-correlation task, subtle dependencies still exist. A phone number is not a random string; its components, such as the area and central office codes, are strongly correlated with geographic location. If the model is given the associations between a person and their city/state (which would be in the retain set), the area code in the forget set is not independent. Our work shows that even such nuanced correlations, which are often overlooked, can be sufficient to cause DA methods to fail. More importantly, many of the most prevalent and large-scale unlearning requests are inherently high-correlation problems. Consider:

  • Unlearning Codebases: A frequent request involves removing a proprietary codebase from a Large Language Model. The "forget set" (the proprietary code) will inevitably share common libraries (e.g., NumPy, TensorFlow), widely-used algorithms, and standard design patterns with the "retain set" (e.g., public code from GitHub). The statistical dependence here is unavoidable.
  • Unlearning Visual Data: Imagine an autonomous vehicle model trained on footage from both public and private roads. If a request is made to unlearn footage from a specific private property, this "forget set" is visually almost indistinguishable from the "retain set" of public roads. Both contain asphalt, trees, lane markings, and curbs. Attempting to unlearn one via gradient ascent risks degrading the model's fundamental concept of what a "road" is, a prime example of the detrimental failure modes we analyze.
  • Unlearning Copyrighted or Stylistic Content: In generative models, a request might be to unlearn a specific artist's work. The "forget set" (the artist's images) is highly correlated with the "retain set" through a shared artistic style, subject matter, or visual motifs that the model has learned to generalize. Forgetting the specific instances without harming the stylistic understanding is precisely the challenge our work addresses.

• Cifar 10 datset: Cifar 10 is rather standard for testing in Machine Unlearning (e.g [1-4]). The dataset is not degenerately correlated as MNIST or Fashion-MNIST (please see the response we give to question 3 asked by reviewer MLpH). Pretrained models are clearly distinguishable from oracle models trained from scratch without the forget set by a notable divergence in the forget set margins distribution (high $95^{\text{th}}$ percentile of KLoM scores, e.g. grey dotted vertical line in Figure 1).

• Scale of dataset and F/D: Our results in section 5 crucially rely on the fraction of $|\mathcal{F}|/ |\mathcal{D}|$. The overall size of the dataset is not important in our derivations. Nevertheless, it is true that as the fraction of forget points out of the entire dataset $|\mathcal{F}|/ |\mathcal{D}|$ goes to 0, where the model is asked to unlearn a negligible fraction of its training data, DA may not necessarily be harmful, as shown in section 5.1. In the limit of $|\mathcal{F}|/ |\mathcal{D}| \to 0$, it is also important to note that the differences between the pretrained model and the oracle would collapse so it is likely that a DA based method that just stays very close to the pretrained model would achieve reasonable performance.

• Minor Typos: We thank the reviewer for pointing out the typos, we have corrected them in the revised manuscript.

[1] Georgiev et al "Attribute-to-Delete: Machine Unlearning via Datamodel Matching." arXiv:2410.23232v2

[2] Kurmanji et al. "Towards Unbounded Machine Unlearning." arXiv:2302.09880

[3] Hoang et al. "Learn to Unlearn for Deep Neural Networks: Minimizing Unlearning Interference with Gradient Projection." arXiv:2312.04095v1

[4] Goel et al. "Towards Adversarial Evaluations for Inexact Machine Unlearning." arXiv:2201.06640v3