adv-lib 0.2.2__py3-none-any.whl

adv_lib/attacks/fast_adaptive_boundary/projections.py

@@ -0,0 +1,164 @@
+import math
+
+import torch
+from torch import Tensor
+from torch.nn import functional as F
+
+
+def projection_l1(points_to_project: Tensor, w_hyperplane: Tensor, b_hyperplane: Tensor) -> Tensor:
+    device = points_to_project.device
+    t, w, b = points_to_project, w_hyperplane.clone(), b_hyperplane
+
+    c = (w * t).sum(1).sub_(b)
+    ind2 = (c >= 0).float().mul_(2).sub_(1)
+    w.mul_(ind2.unsqueeze(1))
+    c.mul_(ind2)
+
+    w_abs = w.abs()
+    r = (1 / w_abs).clamp_(max=1e12)
+    indr = torch.argsort(r, dim=1)
+    indr_rev = torch.argsort(indr)
+
+    d = (w < 0).float().sub_(t).mul_(w != 0)
+    ds = torch.min(-w * t, (1 - t).mul_(w)).gather(1, indr)
+    ds2 = torch.cat((c.unsqueeze(-1), ds), 1)
+    s = torch.cumsum(ds2, dim=1)
+
+    c2 = s[:, -1] < 0
+
+    lb = torch.zeros(c2.sum(), device=device)
+    ub = torch.full_like(lb, s.shape[1])
+    nitermax = math.ceil(math.log2(w.shape[1]))
+
+    s_ = s[c2]
+    for counter in range(nitermax):
+        counter4 = (lb + ub).mul_(0.5).floor_()
+        counter2 = counter4.long().unsqueeze(1)
+        c3 = s_.gather(1, counter2).squeeze(1) > 0
+        lb = torch.where(c3, counter4, lb)
+        ub = torch.where(c3, ub, counter4)
+
+    lb2 = lb.long()
+
+    if c2.any():
+        indr = indr[c2].gather(1, lb2.unsqueeze(1)).squeeze(1)
+        u = torch.arange(0, w.shape[0], device=device).unsqueeze(1)
+        u2 = torch.arange(0, w.shape[1], device=device, dtype=torch.float).unsqueeze(0)
+        alpha = s[c2, lb2].neg().div_(w[c2, indr])
+        c5 = u2 < lb.unsqueeze(-1)
+        u3 = c5[u[:c5.shape[0]], indr_rev[c2]]
+        d[c2] *= u3
+        d[c2, indr] = alpha
+
+    return d.mul_(w_abs > 1e-8)
+
+
+def projection_l2(points_to_project: Tensor, w_hyperplane: Tensor, b_hyperplane: Tensor) -> Tensor:
+    device = points_to_project.device
+    t, w, b = points_to_project, w_hyperplane.clone(), b_hyperplane
+
+    c = (w * t).sum(1).sub_(b)
+    ind2 = (c >= 0).float().mul_(2).sub_(1)
+    w.mul_(ind2.unsqueeze(1))
+    w_nonzero = w.abs() > 1e-8
+    c.mul_(ind2)
+
+    r = torch.maximum(t / w, (t - 1).div_(w)).clamp_(min=-1e12, max=1e12)
+    r.masked_fill_(~w_nonzero, 1e12)
+    r[r == -1e12] *= -1
+    rs, indr = torch.sort(r, dim=1)
+    rs2 = F.pad(rs[:, 1:], (0, 1))
+    rs.masked_fill_(rs == 1e12, 0)
+    rs2.masked_fill_(rs2 == 1e12, 0)
+
+    w3s = w.square().gather(1, indr)
+    w5 = w3s.sum(dim=1, keepdim=True)
+    ws = w5 - torch.cumsum(w3s, dim=1)
+    d = (r * w).neg_()
+    d.mul_(w_nonzero)
+    s = torch.cat((-w5 * rs[:, 0:1], torch.cumsum((rs - rs2).mul_(ws), dim=1).sub_(w5 * rs[:, 0:1])), 1)
+
+    c4 = s[:, 0] + c < 0
+    c3 = (d * w).sum(dim=1).add_(c) > 0
+    c2 = ~(c4 | c3)
+
+    lb = torch.zeros(c2.sum(), device=device)
+    ub = torch.full_like(lb, w.shape[1] - 1)
+    nitermax = math.ceil(math.log2(w.shape[1]))
+
+    s_, c_ = s[c2], c[c2]
+    for counter in range(nitermax):
+        counter4 = (lb + ub).mul_(0.5).floor_()
+        counter2 = counter4.long().unsqueeze(1)
+        c3 = s_.gather(1, counter2).squeeze(1).add_(c_) > 0
+        lb = torch.where(c3, counter4, lb)
+        ub = torch.where(c3, ub, counter4)
+
+    lb = lb.long()
+
+    if c4.any():
+        alpha = c[c4] / w5[c4].squeeze(-1)
+        d[c4] = -alpha.unsqueeze(-1) * w[c4]
+
+    if c2.any():
+        alpha = (s[c2, lb] + c[c2]).div_(ws[c2, lb]).add_(rs[c2, lb])
+        alpha[ws[c2, lb] == 0] = 0
+        c5 = alpha.unsqueeze(-1) > r[c2]
+        d[c2] = (d[c2] * c5).sub_((~c5).float().mul_(alpha.unsqueeze(-1)).mul_(w[c2]))
+
+    return d.mul_(w_nonzero)
+
+
+def projection_linf(points_to_project: Tensor, w_hyperplane: Tensor, b_hyperplane: Tensor) -> Tensor:
+    device = points_to_project.device
+    t, w, b = points_to_project, w_hyperplane.clone(), b_hyperplane.clone()
+
+    sign = ((w * t).sum(1).sub_(b) >= 0).float().mul_(2).sub_(1)
+    w.mul_(sign.unsqueeze(1))
+    b.mul_(sign)
+
+    a = (w < 0).float()
+    d = (a - t).mul_(w != 0)
+
+    p = (2 * a).sub_(1).mul_(t).neg_().add_(a)
+    indp = torch.argsort(p, dim=1)
+
+    b.sub_((w * t).sum(1))
+    b0 = (w * d).sum(1)
+
+    indp2 = indp.flip((1,))
+    ws = w.gather(1, indp2)
+    bs2 = -ws * d.gather(1, indp2)
+
+    s = torch.cumsum(ws.abs_(), dim=1)
+    sb = torch.cumsum(bs2, dim=1).add_(b0.unsqueeze(1))
+
+    b2 = sb[:, -1] - s[:, -1] * p.gather(1, indp[:, 0:1]).squeeze(1)
+    c_l = b - b2 > 0
+    c2 = (b - b0 > 0) & (~c_l)
+    lb = torch.zeros(c2.sum(), device=device)
+    ub = torch.full_like(lb, w.shape[1] - 1)
+    nitermax = math.ceil(math.log2(w.shape[1]))
+
+    indp_, sb_, s_, p_, b_ = indp[c2], sb[c2], s[c2], p[c2], b[c2]
+    for counter in range(nitermax):
+        counter4 = (lb + ub).mul_(0.5).floor_()
+
+        counter2 = counter4.long().unsqueeze(1)
+        indcurr = indp_.gather(1, indp_.size(1) - 1 - counter2)
+        b2 = sb_.gather(1, counter2).sub_(s_.gather(1, counter2).mul_(p_.gather(1, indcurr))).squeeze(1)
+        c = b_ - b2 > 0
+
+        lb = torch.where(c, counter4, lb)
+        ub = torch.where(c, ub, counter4)
+
+    lb = lb.long()
+
+    if c_l.any():
+        lmbd_opt = (b[c_l] - sb[c_l, -1]).div_(-s[c_l, -1]).clamp_(min=0).unsqueeze_(-1)
+        d[c_l] = (2 * a[c_l]).sub_(1).mul_(lmbd_opt)
+
+    lmbd_opt = (b[c2] - sb[c2, lb]).div_(-s[c2, lb]).clamp_(min=0).unsqueeze_(-1)
+    d[c2] = torch.minimum(lmbd_opt, d[c2]).mul_(a[c2]).add_(torch.maximum(-lmbd_opt, d[c2]).mul_(1 - a[c2]))
+
+    return d.mul_(w != 0)

adv_lib/attacks/fast_minimum_norm.py

@@ -0,0 +1,218 @@
+# Adapted from https://github.com/maurapintor/Fast-Minimum-Norm-FMN-Attack
+
+import math
+from functools import partial
+from typing import Optional
+
+import torch
+from torch import Tensor, nn
+from torch.autograd import grad
+
+from adv_lib.utils.losses import difference_of_logits
+from adv_lib.utils.projections import clamp_, l1_ball_euclidean_projection
+
+
+def l0_projection_(δ: Tensor, ε: Tensor) -> Tensor:
+    """In-place l0 projection"""
+    δ = δ.flatten(1)
+    δ_abs = δ.abs()
+    thresholds = δ_abs.topk(k=ε.long().max(), dim=1).values.gather(1, (ε.long().unsqueeze(1) - 1).clamp_(min=0))
+    δ[δ_abs < thresholds] = 0
+    return δ
+
+
+def l1_projection_(δ: Tensor, ε: Tensor) -> Tensor:
+    """In-place l1 projection"""
+    δ = l1_ball_euclidean_projection(x=δ.flatten(1), ε=ε, inplace=True)
+    return δ
+
+
+def l2_projection_(δ: Tensor, ε: Tensor) -> Tensor:
+    """In-place l2 projection"""
+    δ = δ.flatten(1)
+    l2_norms = δ.norm(p=2, dim=1, keepdim=True).clamp_(min=1e-12)
+    δ.mul_(ε.unsqueeze(1) / l2_norms).clamp_(max=1)
+    return δ
+
+
+def linf_projection_(δ: Tensor, ε: Tensor) -> Tensor:
+    """In-place linf projection"""
+    δ, ε = δ.flatten(1), ε.unsqueeze(1)
+    δ = clamp_(δ, lower=-ε, upper=ε)
+    return δ
+
+
+def l0_mid_points(x0: Tensor, x1: Tensor, ε: Tensor) -> Tensor:
+    n_features = x0[0].numel()
+    δ = l0_projection_(δ=x1 - x0, ε=n_features * ε)
+    return δ.view_as(x0).add_(x0)
+
+
+def l1_mid_points(x0: Tensor, x1: Tensor, ε: Tensor) -> Tensor:
+    threshold = (1 - ε).unsqueeze(1)
+    δ = (x1 - x0).flatten(1)
+    δ_abs = δ.abs()
+    mask = δ_abs <= threshold
+    mid_points = δ_abs.sub_(threshold).copysign_(δ)
+    mid_points[mask] = 0
+    return mid_points.view_as(x0).add_(x0)
+
+
+def l2_mid_points(x0: Tensor, x1: Tensor, ε: Tensor) -> Tensor:
+    ε = ε.unsqueeze(1)
+    return x0.flatten(1).mul(1 - ε).addcmul_(ε, x1.flatten(1)).view_as(x0)
+
+
+def linf_mid_points(x0: Tensor, x1: Tensor, ε: Tensor) -> Tensor:
+    ε = ε.unsqueeze(1)
+    δ = clamp_((x1 - x0).flatten(1), lower=-ε, upper=ε)
+    return δ.view_as(x0).add_(x0)
+
+
+def fmn(model: nn.Module,
+        inputs: Tensor,
+        labels: Tensor,
+        norm: float,
+        targeted: bool = False,
+        steps: int = 10,
+        α_init: float = 1.0,
+        α_final: Optional[float] = None,
+        γ_init: float = 0.05,
+        γ_final: float = 0.001,
+        starting_points: Optional[Tensor] = None,
+        binary_search_steps: int = 10) -> Tensor:
+    """
+    Fast Minimum-Norm attack from https://arxiv.org/abs/2102.12827.
+
+    Parameters
+    ----------
+    model : nn.Module
+        Model to attack.
+    inputs : Tensor
+        Inputs to attack. Should be in [0, 1].
+    labels : Tensor
+        Labels corresponding to the inputs if untargeted, else target labels.
+    norm : float
+        Norm to minimize in {0, 1, 2 ,float('inf')}.
+    targeted : bool
+        Whether to perform a targeted attack or not.
+    steps : int
+        Number of optimization steps.
+    α_init : float
+        Initial step size.
+    α_final : float
+        Final step size after cosine annealing.
+    γ_init : float
+        Initial factor by which ε is modified: ε = ε * (1 + or - γ).
+    γ_final : float
+        Final factor, after cosine annealing, by which ε is modified.
+    starting_points : Tensor
+        Optional warm-start for the attack.
+    binary_search_steps : int
+        Number of binary search steps to find the decision boundary between inputs and starting_points.
+
+    Returns
+    -------
+    adv_inputs : Tensor
+        Modified inputs to be adversarial to the model.
+
+    """
+    _dual_projection_mid_points = {
+        0: (None, l0_projection_, l0_mid_points),
+        1: (float('inf'), l1_projection_, l1_mid_points),
+        2: (2, l2_projection_, l2_mid_points),
+        float('inf'): (1, linf_projection_, linf_mid_points),
+    }
+    if inputs.min() < 0 or inputs.max() > 1: raise ValueError('Input values should be in the [0, 1] range.')
+    device = inputs.device
+    batch_size = len(inputs)
+    batch_view = lambda tensor: tensor.view(batch_size, *[1] * (inputs.ndim - 1))
+    dual, projection, mid_point = _dual_projection_mid_points[norm]
+    α_final = α_init / 100 if α_final is None else α_final
+    multiplier = 1 if targeted else -1
+
+    # If starting_points is provided, search for the boundary
+    if starting_points is not None:
+        start_preds = model(starting_points).argmax(dim=1)
+        is_adv = (start_preds == labels) if targeted else (start_preds != labels)
+        if not is_adv.all():
+            raise ValueError('Starting points are not all adversarial.')
+        lower_bound = torch.zeros(batch_size, device=device)
+        upper_bound = torch.ones(batch_size, device=device)
+        for _ in range(binary_search_steps):
+            ε = (lower_bound + upper_bound) / 2
+            mid_points = mid_point(x0=inputs, x1=starting_points, ε=ε)
+            pred_labels = model(mid_points).argmax(dim=1)
+            is_adv = (pred_labels == labels) if targeted else (pred_labels != labels)
+            lower_bound = torch.where(is_adv, lower_bound, ε)
+            upper_bound = torch.where(is_adv, ε, upper_bound)
+
+        δ = mid_point(x0=inputs, x1=starting_points, ε=upper_bound).sub_(inputs)
+    else:
+        δ = torch.zeros_like(inputs)
+    δ.requires_grad_(True)
+
+    if norm == 0:
+        ε = torch.ones(batch_size, device=device) if starting_points is None else δ.flatten(1).norm(p=0, dim=1)
+    else:
+        ε = torch.full((batch_size,), float('inf'), device=device)
+
+    # Init trackers
+    worst_norm = torch.maximum(inputs, 1 - inputs).flatten(1).norm(p=norm, dim=1)
+    best_norm = worst_norm.clone()
+    best_adv = inputs.clone()
+    adv_found = torch.zeros(batch_size, dtype=torch.bool, device=device)
+
+    for i in range(steps):
+        cosine = (1 + math.cos(math.pi * i / steps)) / 2
+        α = α_final + (α_init - α_final) * cosine
+        γ = γ_final + (γ_init - γ_final) * cosine
+
+        δ_norm = δ.data.flatten(1).norm(p=norm, dim=1)
+        adv_inputs = inputs + δ
+        logits = model(adv_inputs)
+        pred_labels = logits.argmax(dim=1)
+
+        if i == 0:
+            labels_infhot = torch.zeros_like(logits).scatter_(1, labels.unsqueeze(1), float('inf'))
+            logit_diff_func = partial(difference_of_logits, labels=labels, labels_infhot=labels_infhot)
+
+        logit_diffs = logit_diff_func(logits=logits)
+        loss = multiplier * logit_diffs
+        δ_grad = grad(loss.sum(), δ, only_inputs=True)[0]
+
+        is_adv = (pred_labels == labels) if targeted else (pred_labels != labels)
+        is_smaller = δ_norm < best_norm
+        is_both = is_adv & is_smaller
+        adv_found.logical_or_(is_adv)
+        best_norm = torch.where(is_both, δ_norm, best_norm)
+        best_adv = torch.where(batch_view(is_both), adv_inputs.detach(), best_adv)
+
+        if norm == 0:
+            ε = torch.where(is_adv,
+                            torch.minimum(torch.minimum(ε - 1, (ε * (1 - γ)).floor_()), best_norm),
+                            torch.maximum(ε + 1, (ε * (1 + γ)).floor_()))
+            ε.clamp_(min=0)
+        else:
+            distance_to_boundary = loss.detach().abs() / δ_grad.flatten(1).norm(p=dual, dim=1).clamp_(min=1e-12)
+            ε = torch.where(is_adv,
+                            torch.minimum(ε * (1 - γ), best_norm),
+                            torch.where(adv_found, ε * (1 + γ), δ_norm + distance_to_boundary))
+
+        # clip ε
+        ε = torch.minimum(ε, worst_norm)
+
+        # normalize gradient
+        grad_l2_norms = δ_grad.flatten(1).norm(p=2, dim=1).clamp_(min=1e-12)
+        δ_grad.div_(batch_view(grad_l2_norms))
+
+        # gradient ascent step
+        δ.data.add_(δ_grad, alpha=α)
+
+        # project in place
+        projection(δ=δ.data, ε=ε)
+
+        # clamp
+        δ.data.add_(inputs).clamp_(min=0, max=1).sub_(inputs)
+
+    return best_adv

adv_lib/attacks/perceptual_color_attacks/__init__.py

@@ -0,0 +1 @@
+from .perceptual_color_distance_al import perc_al

adv_lib/attacks/perceptual_color_attacks/differential_color_functions.py

@@ -0,0 +1,181 @@
+# Adapted from https://github.com/ZhengyuZhao/PerC-Adversarial
+import numpy as np
+import torch
+from torch import Tensor
+
+
+def rgb2xyz(rgb_image):
+    device = rgb_image.device
+    mt = torch.tensor([[0.4124, 0.3576, 0.1805],
+                       [0.2126, 0.7152, 0.0722],
+                       [0.0193, 0.1192, 0.9504]], device=device)
+    mask1 = (rgb_image > 0.0405).float()
+    mask1_no = 1 - mask1
+    temp_img = mask1 * (((rgb_image + 0.055) / 1.055) ** 2.4)
+    temp_img = temp_img + mask1_no * (rgb_image / 12.92)
+    temp_img = 100 * temp_img
+
+    res = torch.matmul(mt, temp_img.permute(1, 0, 2, 3).contiguous().view(3, -1)).view(
+        3, rgb_image.size(0), rgb_image.size(2), rgb_image.size(3)).permute(1, 0, 2, 3)
+    return res
+
+
+def xyz_lab(xyz_image):
+    mask_value_0 = (xyz_image == 0).float()
+    mask_value_0_no = 1 - mask_value_0
+    xyz_image = xyz_image + 0.0001 * mask_value_0
+    mask1 = (xyz_image > 0.008856).float()
+    mask1_no = 1 - mask1
+    res = mask1 * (xyz_image) ** (1 / 3)
+    res = res + mask1_no * ((7.787 * xyz_image) + (16 / 116))
+    res = res * mask_value_0_no
+    return res
+
+
+def rgb2lab_diff(rgb_image):
+    """
+    Function to convert a batch of image tensors from RGB space to CIELAB space.
+    parameters: xn, yn, zn are the CIE XYZ tristimulus values of the reference white point.
+    Here use the standard Illuminant D65 with normalization Y = 100.
+    """
+    rgb_image = rgb_image
+    res = torch.zeros_like(rgb_image)
+    xyz_image = rgb2xyz(rgb_image)
+
+    xn = 95.0489
+    yn = 100
+    zn = 108.8840
+
+    x = xyz_image[:, 0, :, :]
+    y = xyz_image[:, 1, :, :]
+    z = xyz_image[:, 2, :, :]
+
+    L = 116 * xyz_lab(y / yn) - 16
+    a = 500 * (xyz_lab(x / xn) - xyz_lab(y / yn))
+    b = 200 * (xyz_lab(y / yn) - xyz_lab(z / zn))
+    res[:, 0, :, :] = L
+    res[:, 1, :, :] = a
+    res[:, 2, :, :] = b
+
+    return res
+
+
+def degrees(n): return n * (180. / np.pi)
+
+
+def radians(n): return n * (np.pi / 180.)
+
+
+def hpf_diff(x, y):
+    mask1 = ((x == 0) * (y == 0)).float()
+    mask1_no = 1 - mask1
+
+    tmphp = degrees(torch.atan2(x * mask1_no, y * mask1_no))
+    tmphp1 = tmphp * (tmphp >= 0).float()
+    tmphp2 = (360 + tmphp) * (tmphp < 0).float()
+
+    return tmphp1 + tmphp2
+
+
+def dhpf_diff(c1, c2, h1p, h2p):
+    mask1 = ((c1 * c2) == 0).float()
+    mask1_no = 1 - mask1
+    res1 = (h2p - h1p) * mask1_no * (torch.abs(h2p - h1p) <= 180).float()
+    res2 = ((h2p - h1p) - 360) * ((h2p - h1p) > 180).float() * mask1_no
+    res3 = ((h2p - h1p) + 360) * ((h2p - h1p) < -180).float() * mask1_no
+
+    return res1 + res2 + res3
+
+
+def ahpf_diff(c1, c2, h1p, h2p):
+    mask1 = ((c1 * c2) == 0).float()
+    mask1_no = 1 - mask1
+    mask2 = (torch.abs(h2p - h1p) <= 180).float()
+    mask2_no = 1 - mask2
+    mask3 = (torch.abs(h2p + h1p) < 360).float()
+    mask3_no = 1 - mask3
+
+    res1 = (h1p + h2p) * mask1_no * mask2
+    res2 = (h1p + h2p + 360.) * mask1_no * mask2_no * mask3
+    res3 = (h1p + h2p - 360.) * mask1_no * mask2_no * mask3_no
+    res = (res1 + res2 + res3) + (res1 + res2 + res3) * mask1
+    return res * 0.5
+
+
+def ciede2000_diff(lab1, lab2):
+    """
+    CIEDE2000 metric to claculate the color distance map for a batch of image tensors defined in CIELAB space
+
+    This version contains errors:
+     - Typo in the formula for T: "- 39" should be "- 30"
+     - 0.0001s added for numerical stability change the conditional values
+
+    """
+    L1 = lab1[:, 0, :, :]
+    A1 = lab1[:, 1, :, :]
+    B1 = lab1[:, 2, :, :]
+    L2 = lab2[:, 0, :, :]
+    A2 = lab2[:, 1, :, :]
+    B2 = lab2[:, 2, :, :]
+    kL = 1
+    kC = 1
+    kH = 1
+
+    mask_value_0_input1 = ((A1 == 0) * (B1 == 0)).float()
+    mask_value_0_input2 = ((A2 == 0) * (B2 == 0)).float()
+    mask_value_0_input1_no = 1 - mask_value_0_input1
+    mask_value_0_input2_no = 1 - mask_value_0_input2
+    B1 = B1 + 0.0001 * mask_value_0_input1
+    B2 = B2 + 0.0001 * mask_value_0_input2
+
+    C1 = torch.sqrt((A1 ** 2.) + (B1 ** 2.))
+    C2 = torch.sqrt((A2 ** 2.) + (B2 ** 2.))
+
+    aC1C2 = (C1 + C2) / 2.
+    G = 0.5 * (1. - torch.sqrt((aC1C2 ** 7.) / ((aC1C2 ** 7.) + (25 ** 7.))))
+    a1P = (1. + G) * A1
+    a2P = (1. + G) * A2
+    c1P = torch.sqrt((a1P ** 2.) + (B1 ** 2.))
+    c2P = torch.sqrt((a2P ** 2.) + (B2 ** 2.))
+
+    h1P = hpf_diff(B1, a1P)
+    h2P = hpf_diff(B2, a2P)
+    h1P = h1P * mask_value_0_input1_no
+    h2P = h2P * mask_value_0_input2_no
+
+    dLP = L2 - L1
+    dCP = c2P - c1P
+    dhP = dhpf_diff(C1, C2, h1P, h2P)
+    dHP = 2. * torch.sqrt(c1P * c2P) * torch.sin(radians(dhP) / 2.)
+    mask_0_no = 1 - torch.max(mask_value_0_input1, mask_value_0_input2)
+    dHP = dHP * mask_0_no
+
+    aL = (L1 + L2) / 2.
+    aCP = (c1P + c2P) / 2.
+    aHP = ahpf_diff(C1, C2, h1P, h2P)
+    T = 1. - 0.17 * torch.cos(radians(aHP - 39)) + 0.24 * torch.cos(radians(2. * aHP)) + 0.32 * torch.cos(
+        radians(3. * aHP + 6.)) - 0.2 * torch.cos(radians(4. * aHP - 63.))
+    dRO = 30. * torch.exp(-1. * (((aHP - 275.) / 25.) ** 2.))
+    rC = torch.sqrt((aCP ** 7.) / ((aCP ** 7.) + (25. ** 7.)))
+    sL = 1. + ((0.015 * ((aL - 50.) ** 2.)) / torch.sqrt(20. + ((aL - 50.) ** 2.)))
+
+    sC = 1. + 0.045 * aCP
+    sH = 1. + 0.015 * aCP * T
+    rT = -2. * rC * torch.sin(radians(2. * dRO))
+
+    #     res_square=((dLP / (sL * kL)) ** 2.) + ((dCP / (sC * kC)) ** 2.) + ((dHP / (sH * kH)) ** 2.) + rT * (dCP / (sC * kC)) * (dHP / (sH * kH))
+
+    res_square = ((dLP / (sL * kL)) ** 2.) + ((dCP / (sC * kC)) ** 2.) * mask_0_no + (
+            (dHP / (sH * kH)) ** 2.) * mask_0_no + rT * (dCP / (sC * kC)) * (dHP / (sH * kH)) * mask_0_no
+    mask_0 = (res_square <= 0).float()
+    mask_0_no = 1 - mask_0
+    res_square = res_square + 0.0001 * mask_0
+    res = torch.sqrt(res_square)
+    res = res * mask_0_no
+
+    return res
+
+
+def ciede2000_loss(input: Tensor, target: Tensor) -> Tensor:
+    Lab_input, Lab_target = map(rgb2lab_diff, (input, target))
+    return ciede2000_diff(Lab_input, Lab_target).flatten(1).norm(p=2, dim=1)

adv_lib/attacks/perceptual_color_attacks/perceptual_color_distance_al.py

@@ -0,0 +1,128 @@
+# Adapted from https://github.com/ZhengyuZhao/PerC-Adversarial
+
+from math import pi, cos
+
+import torch
+from torch import nn, Tensor
+from torch.autograd import grad
+
+from .differential_color_functions import rgb2lab_diff, ciede2000_diff
+
+
+def quantization(x):
+    """quantize the continus image tensors into 255 levels (8 bit encoding)"""
+    x_quan = torch.round(x * 255) / 255
+    return x_quan
+
+
+def perc_al(model: nn.Module,
+            images: Tensor,
+            labels: Tensor,
+            num_classes: int,
+            targeted: bool = False,
+            max_iterations: int = 1000,
+            alpha_l_init: float = 1.,
+            alpha_c_init: float = 0.5,
+            confidence: float = 0, **kwargs) -> Tensor:
+    """
+    PerC_AL: Alternating Loss of Classification and Color Differences to achieve imperceptibile perturbations with few
+    iterations. Adapted from https://github.com/ZhengyuZhao/PerC-Adversarial.
+
+    Parameters
+    ----------
+    model : nn.Module
+        Model to fool.
+    images : Tensor
+        Batch of image examples in the range of [0,1].
+    labels : Tensor
+        Original labels if untargeted, else labels of targets.
+    targeted : bool, optional
+        Whether to perform a targeted adversary or not.
+    max_iterations : int
+        Number of iterations for the optimization.
+    alpha_l_init: float
+        step size for updating perturbations with respect to classification loss
+    alpha_c_init: float
+        step size for updating perturbations with respect to perceptual color differences. for relatively easy
+        untargeted case, alpha_c_init is adjusted to a smaller value (e.g., 0.1 is used in the paper)
+    confidence : float, optional
+        Confidence of the adversary for Carlini's loss, in term of distance between logits.
+        Note that this approach only supports confidence setting in an untargeted case
+
+    Returns
+    -------
+    Tensor
+        Batch of image samples modified to be adversarial
+    """
+
+    if images.min() < 0 or images.max() > 1: raise ValueError('Input values should be in the [0, 1] range.')
+    device = images.device
+
+    alpha_l_min = alpha_l_init / 100
+    alpha_c_min = alpha_c_init / 10
+    multiplier = -1 if targeted else 1
+
+    X_adv_round_best = images.clone()
+    inputs_LAB = rgb2lab_diff(images)
+    batch_size = images.shape[0]
+    delta = torch.zeros_like(images, requires_grad=True)
+    mask_isadv = torch.zeros(batch_size, dtype=torch.bool, device=device)
+    color_l2_delta_bound_best = torch.full((batch_size,), 100000, dtype=torch.float, device=device)
+
+    if (targeted == False) and confidence != 0:
+        labels_onehot = torch.zeros(labels.size(0), num_classes, device=device)
+        labels_onehot.scatter_(1, labels.unsqueeze(1), 1)
+        labels_infhot = torch.zeros_like(labels_onehot).scatter_(1, labels.unsqueeze(1), float('inf'))
+    if (targeted == True) and confidence != 0:
+        print('Only support setting confidence in untargeted case!')
+        return
+
+    # check if some images are already adversarial
+    if (targeted == False) and confidence != 0:
+        logits = model(images)
+        real = logits.gather(1, labels.unsqueeze(1)).squeeze(1)
+        other = (logits - labels_infhot).amax(dim=1)
+        mask_isadv = (real - other) <= -40
+    elif confidence == 0:
+        if targeted:
+            mask_isadv = model(images).argmax(1) == labels
+        else:
+            mask_isadv = model(images).argmax(1) != labels
+    color_l2_delta_bound_best[mask_isadv] = 0
+    X_adv_round_best[mask_isadv] = images[mask_isadv]
+
+    for i in range(max_iterations):
+        # cosine annealing for alpha_l_init and alpha_c_init
+        alpha_c = alpha_c_min + 0.5 * (alpha_c_init - alpha_c_min) * (1 + cos(i / max_iterations * pi))
+        alpha_l = alpha_l_min + 0.5 * (alpha_l_init - alpha_l_min) * (1 + cos(i / max_iterations * pi))
+
+        loss = multiplier * nn.CrossEntropyLoss(reduction='sum')(model(images + delta), labels)
+        grad_a = grad(loss, delta, only_inputs=True)[0]
+        delta.data[~mask_isadv] = delta.data[~mask_isadv] + alpha_l * (grad_a.permute(1, 2, 3, 0) / torch.norm(
+            grad_a.flatten(1), dim=1)).permute(3, 0, 1, 2)[~mask_isadv]
+
+        d_map = ciede2000_diff(inputs_LAB, rgb2lab_diff(images + delta)).unsqueeze(1)
+        color_dis = torch.norm(d_map.flatten(1), dim=1)
+        grad_color = grad(color_dis.sum(), delta, only_inputs=True)[0]
+        delta.data[mask_isadv] = delta.data[mask_isadv] - alpha_c * (grad_color.permute(1, 2, 3, 0) / torch.norm(
+            grad_color.flatten(1), dim=1)).permute(3, 0, 1, 2)[mask_isadv]
+
+        delta.data = (images + delta.data).clamp_(min=0, max=1) - images
+        X_adv_round = quantization(images + delta.data)
+
+        if (targeted == False) and confidence != 0:
+            logits = model(X_adv_round)
+            real = logits.gather(1, labels.unsqueeze(1)).squeeze(1)
+            other = (logits - labels_infhot).amax(dim=1)
+            mask_isadv = (real - other) <= -40
+        elif confidence == 0:
+            if targeted:
+                mask_isadv = model(X_adv_round).argmax(1) == labels
+            else:
+                mask_isadv = model(X_adv_round).argmax(1) != labels
+        mask_best = (color_dis.data < color_l2_delta_bound_best)
+        mask = mask_best * mask_isadv
+        color_l2_delta_bound_best[mask] = color_dis.data[mask]
+        X_adv_round_best[mask] = X_adv_round[mask]
+
+    return X_adv_round_best