Bridging Symmetry and Robustness: On the Role of Equivariance in Enhancing Adversarial Robustness

We thank this reviewer for the thoughtful and constructive feedback.

Weakness 1:

The mathematical treatment lacks clarity for scale equivariance. Some formulations are unclear to me and appear to work only for rotations and not scaling (e.g., line 192, I think a scaling term should be present).

Answer:
We appreciate this insightful question.

While the theoretical analysis in Section 4 effectively establishes robustness guarantees for group-equivariant architectures under the assumption of norm-preserving transformations, such as rotations with orthogonal Jacobians, the extension to scale-equivariant models requires additional consideration.

Scale transformations, unlike rotations, do not preserve norms. Specifically, a scaling transformation $x \mapsto \alpha x$ has a Jacobian $D_\alpha = \alpha I$, meaning that the gradient norm transforms as $\|D_\alpha v\| = \alpha \|v\|$. This directly violates the assumption used in Lemma 1 and Theorem 1, which relies on the orthogonality of both the group representation $\rho(g)$ and the transformation Jacobian $D_{g^{-1}}$.

As a result, the CLEVER-certified robustness bounds derived under the assumption of norm invariance do not apply directly to scale-equivariant networks. Instead, these bounds must be rescaled to account for the effect of dilation on the gradient magnitude. In particular, the Lipschitz constant of the margin function becomes scale-dependent, and its growth must be explicitly quantified.

Despite this, scale-equivariant networks still promote adversarial robustness through a different mechanism: orbit-averaged gradient smoothing. By aggregating gradients across scaled versions of the input, scale-equivariant architectures reduce high-frequency fluctuations and suppress gradient sensitivity to perturbations that deviate from the scale-induced orbit. This aggregation process, while not norm-preserving, effectively stabilizes model behavior under scale transformations and yields smoother decision boundaries.

To formalize this, we can define the orbit-averaged gradient field over a discrete scale group $G_s = \{\alpha_1, \ldots, \alpha_k\} \subset \mathbb{R}^+$ as $\bar{\phi}_j(x) = \frac{1}{|G_s|} \sum_{\alpha \in G_s} \nabla f_j(\alpha x),$ where each term captures the gradient at a different scale-transformed version of the input. Although these gradients vary in norm due to scaling, the averaging process reduces local gradient variance, contributing to robustness. This is particularly effective when combined with architectural fusion mechanisms, such as channel-wise concatenation or weighted summation of multi-scale features.

While scale-equivariant models do not satisfy the same Jacobian norm invariance as rotation-equivariant models, they still enhance robustness by regularizing the gradient landscape across scales.

Weakness 2:

The evaluation is limited to small datasets (CIFAR variants)

Answer:
We initially selected CIFAR-10, CIFAR-100, and CIFAR-10C as our primary benchmarks to facilitate controlled evaluation across architectural variants, attack settings, and theoretical alignment, all within a feasible computational budget.
To that end, we have conducted additional experiments on the ImageNet-100 subset, a 100-class subset of ImageNet commonly used for mid-scale evaluation. Our results demonstrate that group-equivariant architectures continue to yield consistent improvements in adversarial robustness on this more challenging dataset, while maintaining manageable computational overhead.

Adversarial Robustness on ImageNet-100 – 4-layer Equivariant Model

Adversarial Robustness on ImageNet-100 – 10-layer Equivariant Model

Weakness 3:

the authors develop their own simplified models instead of using these existing architectures.

Answer:
This is a valuable observation. While our architectural design draws inspiration from established equivariant models such as G-CNNs , Harmonic Networks, and Steerable CNNs, we intentionally adopt a modular and interpretable architecture to facilitate controlled experimentation and analysis. Specifically, our design allows for the systematic ablation of individual symmetry-enforcing components—e.g., rotation-only, scale-only, and different fusion strategies (parallel vs. cascaded)—which is more difficult to achieve in tightly integrated models like Steerable or Harmonic CNNs.This level of interpretability and control is a key motivation behind our simplified implementation.

Weakness 4:

No direct comparison with adversarial training is provided.

Answer:
This is a fair and valuable critique. The table below compares the adversarial robustness of a Standard CNN with adversarial training against a Fully Equivariant G-CNN without adversarial training on CIFAR-10. Remarkably, the G-CNN achieves comparable or even superior performance under certain perturbation levels, highlighting the intrinsic robustness conferred by equivariance alone.

Question 1:

Could you clarify the theoretical treatment of scale equivariance?

Answer:
Please see the response in Weakness 1

Question 2:

Can you provide insight on how your approach would perform if integrated into equivariant network architectures from the literature?

Answer:
Our modular framework—particularly the parallel and cascaded fusion designs—is architecture-agnostic and readily extensible to more expressive equivariant models. In principle, the rotation-equivariant branch used in our current implementation could be replaced with more advanced architectures such as Harmonic Networks, Steerable CNNs, or LieConv, which provide continuous and steerable representations under group transformations.

Integrating such models may further enhance the robustness and representation capacity of our approach, especially in tasks requiring fine-grained geometric invariance. However, these architectures typically come with increased computational overhead and implementation complexity, which may limit their practicality in some settings.

We will experiment with steerable convolutional variants within our framework. These extensions, along with scalability and implementation considerations, are discussed in the revised manuscript’s Future Work section.

Question 3:

What is the computational overhead of group convolutions compared to standard convolutions?

Answer:
It is worth noting that in our parallel architecture, equivariant branches are introduced only at the first layer of the network. This design ensures that the computational overhead introduced by group-equivariant operations does not scale with network depth, allowing us to retain the benefits of symmetry enforcement while maintaining computational efficiency across deeper models.

Empirically, we find that rotation-equivariant convolutions based on the $\mathrm{P4}$ group introduce approximately 1.5× more FLOPs than standard convolutional layers with equivalent dimensions, primarily due to additional orientation channels. Scale-equivariant branches, which process multiple rescaled versions of the input, incur modest additional runtime and memory overhead—typically around 1.7×—owing to interpolation and multi-scale channel stacking.

In the full parallel G-CNN configuration, which includes standard, rotation-, and scale-equivariant branches, the total computational cost scales roughly linearly with the number of branches. However, because each branch can be made shallow or low-dimensional, our design supports flexible, budget-aware trade-offs between robustness, representation capacity, and efficiency.

We will provide detailed runtime and FLOP analysis in the Appendix.

Thank you for your thoughtful and encouraging comments. We're pleased that the clarifications and additional results addressed your concerns and that you're inclined to increase your score.

We especially appreciate your suggestion to elaborate on the distinct robustness mechanisms underlying scale- and rotation-equivariant models that is currently underemphasized in the draft. We will make sure to highlight this theoretical distinction more clearly in the revised manuscript. We're also pleased that the scalability results on ImageNet-100 and the comparison with adversarial training helped demonstrate the practical relevance of our approach.

Lastly, we’re grateful for your recognition of our modular design rationale and for your engagement in the review.

We thank this reviewer for the thoughtful and constructive feedback.

Weakness 1: The paper’s entire theoretical robustness framework relies on local Lipschitz.

Answer:
We agree with the reviewer that our theoretical analysis is focused on local robustness. While this is a common and well-accepted approach for formal robustness analysis, we acknowledge that it does not extend to global robustness or general distribution shifts.
Our primary goal in this work is to establish a precise and tractable theoretical connection between group equivariance and local certified robustness—specifically, how symmetry-enforcing architectures influence the model's local Lipschitz properties and decision margin sensitivity.
This framework serves as a mathematically grounded tool that complements empirical evaluation, offering insights into the role of architectural inductive bias in enhancing robustness. Extending our theoretical framework to global robustness, distributional robustness, or manifold-aware perturbations is an important and promising direction for future work.

Weakness 2: Models are tested only on relatively small datasets.

Answer:
We initially selected CIFAR-10, CIFAR-100, and CIFAR-10C as our primary benchmarks to facilitate controlled evaluation across architectural variants, attack settings, and theoretical alignment, all within a feasible computational budget.
To that end, we have conducted additional experiments on the ImageNet-100 subset, a 100-class subset of ImageNet commonly used for mid-scale evaluation. Our results demonstrate that group-equivariant architectures continue to yield consistent improvements in adversarial robustness on this more challenging dataset, while maintaining manageable computational overhead.

Adversarial Robustness on ImageNet-100 – 4-layer Equivariant Model

Adversarial Robustness on ImageNet-100 – 10-layer Equivariant Model

Weakness 3: There is no discussion on computational cost.

Answer:
Thank you for pointing this out. Please see our response in question 1.

Weakness 4: Figures 1 and 2 do not include error bars.

Answer:
We appreciate this valuable suggestion. we have included error bars in the draft. Due to limited space, the data is not included here.

Weakness 5: The motivation behind the chosen architectures.

Answer:
We appreciate the reviewer’s concern and agree that a clearer explanation of the architectural design choices is warranted.
To summarize:

• The Parallel G-CNN offers modular symmetry enforcement by maintaining independent branches (e.g., standard and rotation-equivariant), which enhances robustness but increases model size and computational cost.
• The Parallel G-CNN with Rotation- and Scale-Equivariant Branches extends this by incorporating additional symmetry priors and enabling more diverse feature extraction.
• The Cascaded G-CNN provides a more compact design by stacking symmetry-aware layers sequentially, although this may introduce an information bottleneck if the early equivariant layer restricts feature expressiveness.
• The Weighted Parallel G-CNN replaces hard feature concatenation with learnable fusion weights, offering a flexible mechanism to dynamically adapt to task-specific signal strength from each branch.
• The Standard CNN serves as the baseline for comparison.

Weakness 6: Theoretical analysis is for discrete and finite group transformations, would results extend to continuous/Lie group transformations which are common in computer vision tasks.

Answer:
This is an excellent observation. Our current theoretical framework is developed for finite discrete groups (e.g., P4 for discrete rotations), which simplifies the analysis and aligns with widely adopted G-CNN implementations in practice.
The extension to continuous group requires generalizing the group action. For discrete groups, actions are defined over a finite set of transformations. In contrast, Lie groups possess a smooth manifold structure, and their actions on the input space are described by differentiable maps. To analyze equivariant robustness in this setting, we consider group elements in a neighborhood of the identity, represented as exponentials of Lie algebra elements. This provides a foundation for defining infinitesimal transformations—the continuous analogs of discrete group elements—and enables us to formulate sensitivity metrics along smooth group orbits. Extending orbit-averaged Jacobian smoothing techniques to Lie groups requires the use of Haar measures—the invariant integration measure on the group. For compact groups such as $\mathrm{SO}(2)$, this integration is well-defined and finite. For non-compact groups like \mathrm{SE}(2) $ $ or \mathbb{R}^2 $$, we must either impose bounded supports or consider localized versions of the group action.

Question 1: How much computational overhead?

Answer:
It is worth noting that in our parallel architecture, equivariant branches are introduced only at the first layer of the network. This design ensures that the computational overhead introduced by group-equivariant operations does not scale with network depth, allowing us to retain the benefits of symmetry enforcement while maintaining computational efficiency across deeper models.

Empirically, we find that rotation-equivariant convolutions based on the P4 group introduce approximately 1.5× more FLOPs than standard convolutional layers with equivalent dimensions, primarily due to additional orientation channels.
Scale-equivariant branches, which process multiple rescaled versions of the input, incur modest additional runtime and memory overhead—typically around 1.7×—owing to interpolation and multi-scale channel stacking.

In the full parallel G-CNN configuration, which includes standard, rotation-, and scale-equivariant branches, the total computational cost scales roughly linearly with the number of branches. However, because each branch can be made shallow or low-dimensional, our design supports flexible, budget-aware trade-offs between robustness, representation capacity, and efficiency.

Question 2: How do robustness guarantees scale with network depth or complexity?

Answer:
This is an excellent and important question. From a theoretical perspective, the gradient regularization induced by equivariance propagates through the layers of a network, preserving certain structural properties of the Jacobian and contributing to robustness.
However, in deeper architectures, the influence of symmetry constraints may become diluted, particularly if a large portion of the network consists of standard layers.

Although full-scale experiments on very deep models were constrained by available computational resources, we conducted additional evaluations on ResNet-18 and ResNet-50 architectures to explore scalability. These experiments indicate that while the absolute robustness tends to decrease with depth—likely due to increased model complexity and overfitting—the equivariant models (G-CNN variants) continue to outperform their standard CNN counterparts.
This confirms that the robustness advantage of equivariant design remains valid even as model depth increases, though the relative gain may be reduced.

ResNet50_GCNN on CIFAR-100

ResNet18_GCNN on CIFAR-100

Please let the authors know whether their rebuttal has adequately addressed your concerns. If any issues remain, please communicate your specific, unresolved concerns as soon as possible to ensure timely discussion.

We thank this reviewer for the great suggestion!

Weakness 1

Experiments are done with a mix of standard and group-equivariant convolutions, and the theoretical findings thus do not directly transfer to the investigated architectures.

Answer:
We appreciate this important observation. Our theoretical analysis is developed under the assumption of purely group-equivariant models, where all layers respect the symmetry constraints imposed by the group action. However, as presented in Appendix C.3, our implemented architectures—particularly the parallel design—intentionally combine standard convolutional layers with group-equivariant branches.

This hybrid structure was chosen for two key reasons. First, it enables a balance between representational expressiveness and computational efficiency. Second, and more importantly for this work, it provides a controlled framework to isolate and evaluate the impact of symmetry-enhancing components on adversarial robustness. Our central aim is not to enforce full equivariance end-to-end, but to investigate how the inclusion of symmetry-aware submodules influences a model’s robustness to adversarial perturbations. While the hybrid architecture does not fully meet the assumptions of our theoretical framework, the equivariant branches themselves do. Their behavior aligns closely with the theoretical predictions derived under group-equivariant assumptions. This is empirically supported by our ablation studies in Appendix D.2, where models containing only rotation-equivariant or scale-equivariant branches consistently outperform standard CNN baselines in adversarial robustness, even in the absence of adversarial training. Thus, the hybrid architecture serves as a practical testbed for validating the theoretical insights and allows us to draw meaningful conclusions about the role of equivariance in improving model robustness.

Weakness 2

No results from reference methods, such as standard adversarial robustness, are reported.

Answer:
This is a fair and valuable critique. Our goal was to investigate the intrinsic robustness of symmetry-enforced architectures without adversarial training or data augmentation, in order to isolate the architectural contribution. The table below compares the adversarial robustness of a Standard CNN with adversarial training against a Fully Equivariant G-CNN without adversarial training on CIFAR-10. Remarkably, the G-CNN achieves comparable or even superior performance under certain perturbation levels, highlighting the intrinsic robustness conferred by equivariance alone.

Adversarial Robustness Comparison on CIFAR-10

Weakness 3

The formal proofs assume differentiability at $x$, which is not necessarily a given in neural networks.

Answer:
We fully agree and appreciate the reviewer’s technical rigor. The theoretical results rely on local Lipschitz continuity and Jacobian-based reasoning, which strictly hold almost everywhere for ReLU networks due to their piecewise linearity. While differentiability may not hold at every point, prior works (e.g., [Weng et al., 2018], [Anselmi et al., 2019]) similarly adopt this assumption as a tractable and widely accepted approximation. We have clarified this point in the revised text, explicitly noting that our results apply under the standard assumption of almost-everywhere differentiability.

Weng, Tsui Wei, Cho Jui Hsieh, and Luca Daniel. Evaluating the robustness of neural networks: An extreme value theory approach. In ICLR 2018

Fabio Anselmi and Tomaso Poggio. Symmetry-adapted representation learning. Pattern Recognition 2019

Question 1

In how far does the usage of the standard convolution branch undermine most of the theoretical results...?

Answer:
Thank you for raising this important and nuanced concern. In our parallel architecture, the standard convolutional branch operates independently and is fused with the outputs of the equivariant branches only at later stages of the network. As such, it does not directly contribute to the theoretical guarantees derived under the assumption of full group equivariance.

However, the primary role of the standard branch is to complement the equivariant representations with additional expressive capacity rather than to interfere with or override the symmetry-induced regularization effects. To better understand the extent to which the inclusion of the standard branch affects the theoretical insights, we have conducted additional experiments (see response to the next question), where we compare models with and without the standard branch. These results help quantify the influence of each branch and assess how the theoretical benefits attributed to equivariance manifest in hybrid settings.

Question 2

Would you expect a purely group-equivariant model to exhibit the same benefits? I am willing to update my score if this is either discussed sufficiently or, ideally, shown experimentally.

Answer:
Yes—based on our theoretical framework, we indeed expect a fully group-equivariant model to offer even stronger robustness guarantees compared to hybrid architectures. To validate this expectation empirically, we have conducted additional experiments using both 4-layer and 10-layer models composed entirely of group-equivariant layers. These models were trained on CIFAR-10, CIFAR-100 to assess their performance across datasets of increasing complexity.

The experimental results (included below) demonstrate that purely group-equivariant models consistently achieve superior robustness under both FGSM and PGD attacks, outperforming the hybrid models presented in the main paper. These findings support the theoretical claim that enforcing full equivariance throughout the architecture enhances the model's ability to resist adversarial perturbations. We have added these results to the revised manuscript to further strengthen the empirical foundation of our analysis.

Adversarial Robustness of 4-layer Fully Equivariant Network on CIFAR-10

Adversarial Robustness of 4-layer Fully Equivariant Network on CIFAR-100

Adversarial Robustness of 10-layer Fully Equivariant Network on CIFAR-10

Adversarial Robustness of 10-layer Fully Equivariant Network on CIFAR-100

We sincerely appreciate the time and attention you devoted to reading our article, and we are truly grateful for your positive feedback. Your endorsement, which will elevate our evaluation from “borderline accept” to “accept”, is both encouraging and deeply affirming of the significance of our work. Thank you for your thoughtful support.

In the additional experiments provided during the rebuttal, the fully group-equivariant model was constructed by sequentially stacking rotation-equivariant blocks, following the theoretical principles outlined in our main analysis. These blocks were implemented using the e2cnn library (Weiler & Cesa, 2019), which provides tools for building layers that are equivariant under specified group actions. Each layer in the model is composed of an R2Conv operation that maps between representations over the group, followed by an InnerBatchNorm to normalize feature responses in a symmetry-preserving manner. Nonlinear activation is achieved via ReLU applied in the group feature space. To enable spatial downsampling, each layer concludes with a PointwiseMaxPool operation.

The implementation of a single equivariant block is as follows:

self.block = enn.SequentialModule(
    enn.R2Conv(in_type, out_type1, kernel_size=3, padding=1),
    enn.InnerBatchNorm(out_type1),
    enn.ReLU(out_type1),
    enn.PointwiseMaxPool(out_type1, kernel_size=2)
)

This end-to-end equivariant design ensures alignment with the theoretical assumptions made in our robustness analysis.

We are currently conducting experiments with fully scale-equivariant models as well as combined rotation–scale equivariant architectures. Hopefully, the results will be available by the end of the discussion phase. In the revised manuscript, we will provide a clearer explanation of how these architectures are derived and describe how the underlying group structure can be adjusted to isolate rotation equivariance, scale equivariance, or their combination. This flexibility enables more targeted ablation studies while remaining consistent with our theoretical framework.

We believe these updates will strengthen the paper’s empirical contributions and improve its clarity. We sincerely appreciate your thoughtful feedback and guidance throughout the review process.

Reference

Weiler, Maurice, and Gabriele Cesa. General E(2)-Equivariant Steerable CNNs. Advances in Neural Information Processing Systems 32 (2019).