adv-lib 0.2.2__py3-none-any.whl

adv_lib/attacks/carlini_wagner/l2.py

@@ -0,0 +1,151 @@
+# Adapted from https://github.com/carlini/nn_robust_attacks
+
+from typing import Tuple, Optional
+
+import torch
+from torch import nn, optim, Tensor
+from torch.autograd import grad
+
+from adv_lib.utils.losses import difference_of_logits
+from adv_lib.utils.visdom_logger import VisdomLogger
+
+
+def carlini_wagner_l2(model: nn.Module,
+                      inputs: Tensor,
+                      labels: Tensor,
+                      targeted: bool = False,
+                      confidence: float = 0,
+                      learning_rate: float = 0.01,
+                      initial_const: float = 0.001,
+                      binary_search_steps: int = 9,
+                      max_iterations: int = 10000,
+                      abort_early: bool = True,
+                      callback: Optional[VisdomLogger] = None) -> Tensor:
+    """
+    Carlini and Wagner L2 attack from https://arxiv.org/abs/1608.04644.
+
+    Parameters
+    ----------
+    model : nn.Module
+        Model to attack.
+    inputs : Tensor
+        Inputs to attack. Should be in [0, 1].
+    labels : Tensor
+        Labels corresponding to the inputs if untargeted, else target labels.
+    targeted : bool
+        Whether to perform a targeted attack or not.
+    confidence : float
+        Confidence of adversarial examples: higher produces examples that are farther away, but more strongly classified
+        as adversarial.
+    learning_rate: float
+        The learning rate for the attack algorithm. Smaller values produce better results but are slower to converge.
+    initial_const : float
+        The initial tradeoff-constant to use to tune the relative importance of distance and confidence. If
+        binary_search_steps is large, the initial constant is not important.
+    binary_search_steps : int
+        The number of times we perform binary search to find the optimal tradeoff-constant between distance and
+        confidence.
+    max_iterations : int
+        The maximum number of iterations. Larger values are more accurate; setting too small will require a large
+        learning rate and will produce poor results.
+    abort_early : bool
+        If true, allows early aborts if gradient descent gets stuck.
+    callback : Optional
+
+    Returns
+    -------
+    adv_inputs : Tensor
+        Modified inputs to be adversarial to the model.
+
+    """
+    device = inputs.device
+    batch_size = len(inputs)
+    batch_view = lambda tensor: tensor.view(batch_size, *[1] * (inputs.ndim - 1))
+    t_inputs = (inputs * 2).sub_(1).mul_(1 - 1e-6).atanh_()
+    multiplier = -1 if targeted else 1
+
+    # set the lower and upper bounds accordingly
+    c = torch.full((batch_size,), initial_const, device=device)
+    lower_bound = torch.zeros_like(c)
+    upper_bound = torch.full_like(c, 1e10)
+
+    o_best_l2 = torch.full_like(c, float('inf'))
+    o_best_adv = inputs.clone()
+    o_adv_found = torch.zeros(batch_size, device=device, dtype=torch.bool)
+
+    i_total = 0
+    for outer_step in range(binary_search_steps):
+
+        # setup the modifier variable and the optimizer
+        modifier = torch.zeros_like(inputs, requires_grad=True)
+        optimizer = optim.Adam([modifier], lr=learning_rate)
+        best_l2 = torch.full_like(c, float('inf'))
+        adv_found = torch.zeros(batch_size, device=device, dtype=torch.bool)
+
+        # The last iteration (if we run many steps) repeat the search once.
+        if (binary_search_steps >= 10) and outer_step == (binary_search_steps - 1):
+            c = upper_bound
+
+        prev = float('inf')
+        for i in range(max_iterations):
+
+            adv_inputs = (torch.tanh(t_inputs + modifier) + 1) / 2
+            l2_squared = (adv_inputs - inputs).flatten(1).square().sum(1)
+            l2 = l2_squared.detach().sqrt()
+            logits = model(adv_inputs)
+
+            if outer_step == 0 and i == 0:
+                # setup the target variable, we need it to be in one-hot form for the loss function
+                labels_onehot = torch.zeros_like(logits).scatter_(1, labels.unsqueeze(1), 1)
+                labels_infhot = torch.zeros_like(logits).scatter_(1, labels.unsqueeze(1), float('inf'))
+
+            # adjust the best result found so far
+            predicted_classes = (logits - labels_onehot * confidence).argmax(1) if targeted else \
+                (logits + labels_onehot * confidence).argmax(1)
+
+            is_adv = (predicted_classes == labels) if targeted else (predicted_classes != labels)
+            is_smaller = l2 < best_l2
+            o_is_smaller = l2 < o_best_l2
+            is_both = is_adv & is_smaller
+            o_is_both = is_adv & o_is_smaller
+
+            best_l2 = torch.where(is_both, l2, best_l2)
+            adv_found.logical_or_(is_both)
+            o_best_l2 = torch.where(o_is_both, l2, o_best_l2)
+            o_adv_found.logical_or_(is_both)
+            o_best_adv = torch.where(batch_view(o_is_both), adv_inputs.detach(), o_best_adv)
+
+            logit_dists = multiplier * difference_of_logits(logits, labels, labels_infhot=labels_infhot)
+            loss = l2_squared + c * (logit_dists + confidence).clamp_(min=0)
+
+            # check if we should abort search if we're getting nowhere.
+            if abort_early and i % (max_iterations // 10) == 0:
+                if (loss > prev * 0.9999).all():
+                    break
+                prev = loss.detach()
+
+            optimizer.zero_grad(set_to_none=True)
+            modifier.grad = grad(loss.sum(), modifier, only_inputs=True)[0]
+            optimizer.step()
+
+            if callback:
+                i_total += 1
+                callback.accumulate_line('logit_dist', i_total, logit_dists.mean())
+                callback.accumulate_line('l2_norm', i_total, l2.mean())
+                if i_total % (max_iterations // 20) == 0:
+                    callback.update_lines()
+
+        if callback:
+            best_l2 = o_best_l2.masked_select(o_adv_found).mean()
+            callback.line(['success', 'best_l2', 'c'], outer_step, [o_adv_found.float().mean(), best_l2, c.mean()])
+
+        # adjust the constant as needed
+        upper_bound[adv_found] = torch.min(upper_bound[adv_found], c[adv_found])
+        adv_not_found = ~adv_found
+        lower_bound[adv_not_found] = torch.max(lower_bound[adv_not_found], c[adv_not_found])
+        is_smaller = upper_bound < 1e9
+        c[is_smaller] = (lower_bound[is_smaller] + upper_bound[is_smaller]) / 2
+        c[(~is_smaller) & adv_not_found] *= 10
+
+    # return the best solution found
+    return o_best_adv

adv_lib/attacks/carlini_wagner/linf.py

@@ -0,0 +1,158 @@
+# Adapted from https://github.com/carlini/nn_robust_attacks
+
+from typing import Tuple, Optional
+
+import torch
+from torch import nn, optim, Tensor
+
+from adv_lib.utils.losses import difference_of_logits
+from adv_lib.utils.visdom_logger import VisdomLogger
+
+
+def carlini_wagner_linf(model: nn.Module,
+                        inputs: Tensor,
+                        labels: Tensor,
+                        targeted: bool = False,
+                        learning_rate: float = 0.01,
+                        max_iterations: int = 1000,
+                        initial_const: float = 1e-5,
+                        largest_const: float = 2e+1,
+                        const_factor: float = 2,
+                        reduce_const: bool = False,
+                        decrease_factor: float = 0.9,
+                        abort_early: bool = True,
+                        callback: Optional[VisdomLogger] = None) -> Tensor:
+    """
+    Carlini and Wagner Linf attack from https://arxiv.org/abs/1608.04644.
+
+    Parameters
+    ----------
+    model : nn.Module
+        Model to attack.
+    inputs : Tensor
+        Inputs to attack. Should be in [0, 1].
+    labels : Tensor
+        Labels corresponding to the inputs if untargeted, else target labels.
+    targeted : bool
+        Whether to perform a targeted attack or not.
+    learning_rate: float
+        The learning rate for the attack algorithm. Smaller values produce better results but are slower to converge.
+    max_iterations : int
+        The maximum number of iterations. Larger values are more accurate; setting too small will require a large
+        learning rate and will produce poor results.
+    initial_const : float
+        The initial tradeoff-constant to use to tune the relative importance of distance and classification objective.
+    largest_const : float
+        The maximum tradeoff-constant to use to tune the relative importance of distance and classification objective.
+    const_factor : float
+        The multiplicative factor by which the constant is increased if the search failed.
+    reduce_const : float
+        If true, after each successful attack, make the constant smaller.
+    decrease_factor : float
+        Rate at which τ is decreased. Larger produces better quality results.
+    abort_early : bool
+        If true, allows early aborts if gradient descent gets stuck.
+    image_constraints : Tuple[float, float]
+        Minimum and maximum pixel values.
+    callback : Optional
+
+    Returns
+    -------
+    adv_inputs : Tensor
+        Modified inputs to be adversarial to the model.
+
+    """
+    device = inputs.device
+    batch_size = len(inputs)
+    t_inputs = (inputs * 2).sub_(1).mul_(1 - 1e-6).atanh_()
+    multiplier = -1 if targeted else 1
+
+    # set modifier and the parameters used in the optimization
+    modifier = torch.zeros_like(inputs)
+    c = torch.full((batch_size,), initial_const, device=device, dtype=torch.float)
+    τ = torch.ones(batch_size, device=device)
+
+    o_adv_found = torch.zeros_like(c, dtype=torch.bool)
+    o_best_linf = torch.ones_like(c)
+    o_best_adv = inputs.clone()
+
+    outer_loops = 0
+    total_iters = 0
+    while (to_optimize := (τ > 1 / 255) & (c < largest_const)).any():
+
+        inputs_, t_inputs_, labels_ = inputs[to_optimize], t_inputs[to_optimize], labels[to_optimize]
+        batch_view = lambda tensor: tensor.view(len(inputs_), *[1] * (inputs_.ndim - 1))
+
+        if callback:
+            callback.line(['const', 'τ'], outer_loops, [c[to_optimize].mean(), τ[to_optimize].mean()])
+            callback.line(['success', 'best_linf'], outer_loops, [o_adv_found.float().mean(), best_linf.mean()])
+
+        # setup the optimizer
+        modifier_ = modifier[to_optimize].requires_grad_(True)
+        optimizer = optim.Adam([modifier_], lr=learning_rate)
+        c_, τ_ = c[to_optimize], τ[to_optimize]
+
+        adv_found = torch.zeros(len(modifier_), device=device, dtype=torch.bool)
+        best_linf = o_best_linf[to_optimize]
+        best_adv = inputs_.clone()
+
+        if callback:
+            callback.line(['const', 'τ'], outer_loops, [c_.mean(), τ_.mean()])
+            callback.line(['success', 'best_linf'], outer_loops, [o_adv_found.float().mean(), o_best_linf.mean()])
+
+        for i in range(max_iterations):
+
+            adv_inputs = (torch.tanh(t_inputs_ + modifier_) + 1) / 2
+            linf = (adv_inputs.detach() - inputs_).flatten(1).norm(p=float('inf'), dim=1)
+            logits = model(adv_inputs)
+
+            if i == 0:
+                labels_infhot = torch.zeros_like(logits).scatter_(1, labels[to_optimize].unsqueeze(1), float('inf'))
+
+            # adjust the best result found so far
+            predicted_classes = logits.argmax(1)
+
+            is_adv = (predicted_classes == labels_) if targeted else (predicted_classes != labels_)
+            is_smaller = linf < best_linf
+            is_both = is_adv & is_smaller
+            adv_found.logical_or_(is_both)
+            best_linf = torch.where(is_both, linf, best_linf)
+            best_adv = torch.where(batch_view(is_both), adv_inputs.detach(), best_adv)
+
+            logit_dists = multiplier * difference_of_logits(logits, labels_, labels_infhot=labels_infhot)
+            linf_loss = (adv_inputs - inputs_).abs_().sub_(batch_view(τ_)).clamp_(min=0).flatten(1).sum(1)
+            loss = linf_loss + c_ * logit_dists.clamp_(min=0)
+
+            # check if we should abort search
+            if abort_early and (loss < 0.0001 * c_).all():
+                break
+
+            optimizer.zero_grad()
+            loss.sum().backward()
+            optimizer.step()
+
+            if callback:
+                callback.accumulate_line('logit_dist', total_iters, logit_dists.mean())
+                callback.accumulate_line('linf_norm', total_iters, linf.mean())
+
+                if (i + 1) % (max_iterations // 10) == 0 or (i + 1) == max_iterations:
+                    callback.update_lines()
+
+            total_iters += 1
+
+        o_adv_found[to_optimize] = adv_found | o_adv_found[to_optimize]
+        o_best_linf[to_optimize] = torch.where(adv_found, best_linf, o_best_linf[to_optimize])
+        o_best_adv[to_optimize] = torch.where(batch_view(adv_found), best_adv, o_best_adv[to_optimize])
+        modifier[to_optimize] = modifier_.detach()
+
+        smaller_τ_ = adv_found & (best_linf < τ_)
+        τ_ = torch.where(smaller_τ_, best_linf, τ_)
+        τ[to_optimize] = torch.where(adv_found, decrease_factor * τ_, τ_)
+        c[to_optimize] = torch.where(~adv_found, const_factor * c_, c_)
+        if reduce_const:
+            c[to_optimize] = torch.where(adv_found, c[to_optimize] / 2, c[to_optimize])
+
+        outer_loops += 1
+
+    # return the best solution found
+    return o_best_adv

adv_lib/attacks/decoupled_direction_norm.py

@@ -0,0 +1,113 @@
+import math
+from typing import Optional
+
+import torch
+from torch import Tensor, nn
+from torch.autograd import grad
+from torch.nn import functional as F
+
+from adv_lib.utils.visdom_logger import VisdomLogger
+
+
+def ddn(model: nn.Module,
+        inputs: Tensor,
+        labels: Tensor,
+        targeted: bool = False,
+        steps: int = 100,
+        γ: float = 0.05,
+        init_norm: float = 1.,
+        levels: Optional[int] = 256,
+        callback: Optional[VisdomLogger] = None) -> Tensor:
+    """
+    Decoupled Direction and Norm attack from https://arxiv.org/abs/1811.09600.
+
+    Parameters
+    ----------
+    model : nn.Module
+        Model to attack.
+    inputs : Tensor
+        Inputs to attack. Should be in [0, 1].
+    labels : Tensor
+        Labels corresponding to the inputs if untargeted, else target labels.
+    targeted : bool
+        Whether to perform a targeted attack or not.
+    steps : int
+        Number of optimization steps.
+    γ : float
+        Factor by which the norm will be modified. new_norm = norm * (1 + or - γ).
+    init_norm : float
+        Initial value for the norm of the attack.
+    levels : int
+        If not None, the returned adversarials will have quantized values to the specified number of levels.
+    callback : Optional
+
+    Returns
+    -------
+    adv_inputs : Tensor
+        Modified inputs to be adversarial to the model.
+
+    """
+    if inputs.min() < 0 or inputs.max() > 1: raise ValueError('Input values should be in the [0, 1] range.')
+    device = inputs.device
+    batch_size = len(inputs)
+    batch_view = lambda tensor: tensor.view(batch_size, *[1] * (inputs.ndim - 1))
+
+    # Init variables
+    multiplier = -1 if targeted else 1
+    δ = torch.zeros_like(inputs, requires_grad=True)
+    ε = torch.full((batch_size,), init_norm, device=device, dtype=torch.float)
+    worst_norm = torch.max(inputs, 1 - inputs).flatten(1).norm(p=2, dim=1)
+
+    # Init trackers
+    best_l2 = worst_norm.clone()
+    best_adv = inputs.clone()
+    adv_found = torch.zeros(batch_size, dtype=torch.bool, device=device)
+
+    for i in range(steps):
+        l2 = δ.data.flatten(1).norm(p=2, dim=1)
+        adv_inputs = inputs + δ
+        logits = model(adv_inputs)
+        pred_labels = logits.argmax(1)
+        ce_loss = F.cross_entropy(logits, labels, reduction='none')
+        loss = multiplier * ce_loss
+
+        is_adv = (pred_labels == labels) if targeted else (pred_labels != labels)
+        is_smaller = l2 < best_l2
+        is_both = is_adv & is_smaller
+        adv_found.logical_or_(is_adv)
+        best_l2 = torch.where(is_both, l2, best_l2)
+        best_adv = torch.where(batch_view(is_both), adv_inputs.detach(), best_adv)
+
+        δ_grad = grad(loss.sum(), δ, only_inputs=True)[0]
+        # renorming gradient
+        grad_norms = δ_grad.flatten(1).norm(p=2, dim=1)
+        δ_grad.div_(batch_view(grad_norms))
+        # avoid nan or inf if gradient is 0
+        if (zero_grad := (grad_norms < 1e-12)).any():
+            δ_grad[zero_grad] = torch.randn_like(δ_grad[zero_grad])
+
+        α = 0.01 + (1 - 0.01) * (1 + math.cos(math.pi * i / steps)) / 2
+
+        if callback is not None:
+            cosine = F.cosine_similarity(δ_grad.flatten(1), δ.data.flatten(1), dim=1).mean()
+            callback.accumulate_line('ce', i, ce_loss.mean())
+            callback_best = best_l2.masked_select(adv_found).mean()
+            callback.accumulate_line(['ε', 'l2', 'best_l2'], i, [ε.mean(), l2.mean(), callback_best])
+            callback.accumulate_line(['cosine', 'α', 'success'], i,
+                                     [cosine, torch.tensor(α, device=device), adv_found.float().mean()])
+
+            if (i + 1) % (steps // 20) == 0 or (i + 1) == steps:
+                callback.update_lines()
+
+        δ.data.add_(δ_grad, alpha=α)
+
+        ε = torch.where(is_adv, (1 - γ) * ε, (1 + γ) * ε)
+        ε = torch.minimum(ε, worst_norm)
+
+        δ.data.mul_(batch_view(ε / δ.data.flatten(1).norm(p=2, dim=1)))
+        δ.data.add_(inputs).clamp_(min=0, max=1)
+        if levels is not None:
+            δ.data.mul_(levels - 1).round_().div_(levels - 1)
+        δ.data.sub_(inputs)
+
+    return best_adv

adv_lib/attacks/fast_adaptive_boundary/__init__.py

@@ -0,0 +1 @@
+from .fast_adaptive_boundary import fab

adv_lib/attacks/fast_adaptive_boundary/fast_adaptive_boundary.py

@@ -0,0 +1,215 @@
+# Adapted from https://github.com/fra31/auto-attack
+
+import warnings
+from functools import partial
+from typing import Optional, Tuple
+
+import torch
+from torch import Tensor, nn
+from torch.autograd import grad
+
+from .projections import projection_l1, projection_l2, projection_linf
+
+
+def fab(model: nn.Module,
+        inputs: Tensor,
+        labels: Tensor,
+        norm: float,
+        n_iter: int = 100,
+        ε: Optional[float] = None,
+        α_max: float = 0.1,
+        β: float = 0.9,
+        η: float = 1.05,
+        restarts: Optional[int] = None,
+        targeted_restarts: bool = False,
+        targeted: bool = False) -> Tensor:
+    """
+    Fast Adaptive Boundary (FAB) attack from https://arxiv.org/abs/1907.02044
+
+    Parameters
+    ----------
+    model : nn.Module
+        Model to attack.
+    inputs : Tensor
+        Inputs to attack. Should be in [0, 1].
+    labels : Tensor
+        Labels corresponding to the inputs if untargeted, else target labels.
+    norm : float
+        Norm to minimize in {1, 2 ,float('inf')}.
+    n_iter : int
+        Number of optimization steps. This does not correspond to the number of forward / backward propagations for this
+        attack. For a more comprehensive discussion on complexity, see section 4 of https://arxiv.org/abs/1907.02044 and
+        for a comparison of complexities, see https://arxiv.org/abs/2011.11857.
+        TL;DR: FAB performs 2 forwards and K - 1 (i.e. number of classes - 1) backwards per step in default mode. If
+        `targeted_restarts` is `True`, performs `2 * restarts` forwards and `restarts` or (K - 1) backwards per step.
+    ε : float
+        Maximum norm of the random initialization for restarts.
+    α_max : float
+        Maximum weight for the biased  gradient step. α = 0 corresponds to taking the projection of the `adv_inputs` on
+        the decision hyperplane, while α = 1 corresponds to taking the projection of the `inputs` on the decision
+        hyperplane.
+    β : float
+        Weight for the biased backward step, i.e. a linear interpolation between `inputs` and `adv_inputs` at step i.
+        β = 0 corresponds to taking the original `inputs` and β = 1 corresponds to taking the `adv_inputs`.
+    η : float
+        Extrapolation for the optimization step. η = 1 corresponds to projecting the `adv_inputs` on the decision
+        hyperplane. η > 1 corresponds to overshooting to increase the probability of crossing the decision hyperplane.
+    restarts : int
+        Number of random restarts in default mode; starts from the inputs in the first run and then add random noise for
+        the consecutive restarts. Number of classes to attack if `targeted_restarts` is `True`.
+    targeted_restarts : bool
+        If `True`, performs targeted attack towards the most likely classes for the unperturbed `inputs`. If `restarts`
+        is not given, this will attack each class (except the original class). If `restarts` is given, the `restarts`
+        most likely classes will be attacked. If `restarts` is larger than K - 1, this will re-attack the most likely
+        classes with random noise.
+    targeted : bool
+        Placeholder argument for library. FAB is only for untargeted attacks, so setting this to True will raise a
+        warning and return the inputs.
+
+    Returns
+    -------
+    adv_inputs : Tensor
+        Modified inputs to be adversarial to the model.
+
+    """
+    if targeted:
+        warnings.warn('FAB attack is untargeted only. Returning inputs.')
+        return inputs
+
+    best_adv = inputs.clone()
+    best_norm = torch.full_like(labels, float('inf'), dtype=torch.float)
+
+    fab_attack = partial(_fab, model=model, norm=norm, n_iter=n_iter, ε=ε, α_max=α_max, β=β, η=η)
+
+    if targeted_restarts:
+        logits = model(inputs)
+        n_target_classes = logits.size(1) - 1
+        labels_infhot = torch.zeros_like(logits).scatter_(1, labels.unsqueeze(1), float('inf'))
+        k = min(restarts or n_target_classes, n_target_classes)
+        topk_labels = (logits - labels_infhot).topk(k=k, dim=1).indices
+
+    n_restarts = restarts or (n_target_classes if targeted_restarts else 1)
+    for i in range(n_restarts):
+
+        if targeted_restarts:
+            target_labels = topk_labels[:, i % n_target_classes]
+            adv_inputs_run, adv_found_run, norm_run = fab_attack(
+                inputs=inputs, labels=labels, random_start=i >= n_target_classes, targets=target_labels, u=best_norm)
+        else:
+            adv_inputs_run, adv_found_run, norm_run = fab_attack(inputs=inputs, labels=labels, random_start=i != 0,
+                                                                 u=best_norm)
+
+        is_better_adv = adv_found_run & (norm_run < best_norm)
+        best_norm[is_better_adv] = norm_run[is_better_adv]
+        best_adv[is_better_adv] = adv_inputs_run[is_better_adv]
+
+    return best_adv
+
+
+def get_best_diff_logits_grads(model: nn.Module,
+                               inputs: Tensor,
+                               labels: Tensor,
+                               other_labels: Tensor,
+                               q: float) -> Tuple[Tensor, Tensor]:
+    batch_view = lambda tensor: tensor.view(-1, *[1] * (inputs.ndim - 1))
+    min_ratio = torch.full_like(labels, float('inf'), dtype=torch.float)
+    best_logit_diff, best_grad_diff = torch.zeros_like(labels, dtype=torch.float), torch.zeros_like(inputs)
+
+    inputs.requires_grad_(True)
+    logits = model(inputs)
+    class_logits = logits.gather(1, labels.unsqueeze(1)).squeeze(1)
+
+    n_other_labels = other_labels.size(1)
+    for i, o_labels in enumerate(other_labels.transpose(0, 1)):
+        other_logits = logits.gather(1, o_labels.unsqueeze(1)).squeeze(1)
+        logits_diff = other_logits - class_logits
+        grad_diff = grad(logits_diff.sum(), inputs, only_inputs=True, retain_graph=i + 1 != n_other_labels)[0]
+        ratio = logits_diff.abs().div_(grad_diff.flatten(1).norm(p=q, dim=1).clamp_(min=1e-12))
+
+        smaller_ratio = ratio < min_ratio
+        min_ratio = torch.min(ratio, min_ratio)
+        best_logit_diff = torch.where(smaller_ratio, logits_diff.detach(), best_logit_diff)
+        best_grad_diff = torch.where(batch_view(smaller_ratio), grad_diff.detach(), best_grad_diff)
+
+    inputs.detach_()
+    return best_logit_diff, best_grad_diff
+
+
+def _fab(model: nn.Module,
+         inputs: Tensor,
+         labels: Tensor,
+         norm: float,
+         n_iter: int = 100,
+         ε: Optional[float] = None,
+         α_max: float = 0.1,
+         β: float = 0.9,
+         η: float = 1.05,
+         random_start: bool = False,
+         u: Optional[Tensor] = None,
+         targets: Optional[Tensor] = None) -> Tuple[Tensor, Tensor, Tensor]:
+    _projection_dual_default_ε = {
+        1: (projection_l1, float('inf'), 5),
+        2: (projection_l2, 2, 1),
+        float('inf'): (projection_linf, 1, 0.3)
+    }
+
+    device = inputs.device
+    batch_size = len(inputs)
+    batch_view = lambda tensor: tensor.view(-1, *[1] * (inputs.ndim - 1))
+    projection, dual_norm, default_ε = _projection_dual_default_ε[norm]
+    ε = default_ε if ε is None else ε
+
+    logits = model(inputs)
+    if targets is not None:
+        other_labels = targets.unsqueeze(1)
+    else:
+        # generate all other labels
+        n_classes = logits.size(1)
+        other_labels = torch.zeros(len(labels), n_classes - 1, dtype=torch.long, device=device)
+        all_classes = set(range(n_classes))
+        for i in range(len(labels)):
+            diff_labels = list(all_classes.difference({labels[i].item()}))
+            other_labels[i] = torch.tensor(diff_labels, device=device)
+
+    get_df_dg = partial(get_best_diff_logits_grads, model=model, labels=labels, other_labels=other_labels, q=dual_norm)
+
+    adv_inputs = inputs.clone()
+    adv_found = logits.argmax(dim=1) != labels
+    best_norm = torch.full((batch_size,), float('inf'), device=device, dtype=torch.float) if u is None else u
+    best_norm[adv_found] = 0
+    best_adv = inputs.clone()
+
+    if random_start:
+        if norm == float('inf'):
+            t = torch.rand_like(inputs).mul_(2).sub_(1)
+        elif norm in [1, 2]:
+            t = torch.randn_like(inputs)
+
+        adv_inputs.add_(t.mul_(batch_view(best_norm.clamp(max=ε) / t.flatten(1).norm(p=norm, dim=1).mul_(2))))
+        adv_inputs.clamp_(min=0.0, max=1.0)
+
+    for i in range(n_iter):
+        df, dg = get_df_dg(inputs=adv_inputs)
+        b = (dg * adv_inputs).flatten(1).sum(dim=1).sub_(df)
+        w = dg.flatten(1)
+
+        d3 = projection(torch.cat((adv_inputs.flatten(1), inputs.flatten(1)), 0), w.repeat(2, 1), b.repeat(2))
+        d1, d2 = map(lambda t: t.view_as(adv_inputs), torch.chunk(d3, 2, dim=0))
+
+        a0 = batch_view(d3.flatten(1).norm(p=norm, dim=1).clamp_(min=1e-8))
+        a1, a2 = torch.chunk(a0, 2, dim=0)
+
+        α = a1.div_(a2.add_(a1)).clamp_(min=0, max=α_max)
+        adv_inputs.add_(d1, alpha=η).mul_(1 - α).add_(inputs.add(d2, alpha=η).mul_(α)).clamp_(min=0, max=1)
+
+        is_adv = model(adv_inputs).argmax(1) != labels
+        adv_found.logical_or_(is_adv)
+        adv_norm = (adv_inputs - inputs).flatten(1).norm(p=norm, dim=1)
+        is_smaller = adv_norm < best_norm
+        is_both = is_adv & is_smaller
+        best_norm = torch.where(is_both, adv_norm, best_norm)
+        best_adv = torch.where(batch_view(is_both), adv_inputs, best_adv)
+
+        adv_inputs = torch.where(batch_view(is_adv), inputs + (adv_inputs - inputs) * β, adv_inputs)
+
+    return best_adv, adv_found, best_norm