Adversarial Tradeoffs in Robust State Estimation

Thomas T.C.K. Zhang , Bruce D. Lee¹¹footnotemark: 1 , Hamed Hassani, and Nikolai Matni Equal contribution

(Department of Electrical and Systems Engineering, University of Pennsylvania)

Abstract

Adversarially robust training has been shown to reduce the susceptibility of learned models to targeted input data perturbations. However, it has also been observed that such adversarially robust models suffer a degradation in accuracy when applied to unperturbed data sets, leading to a robustness-accuracy tradeoff. Inspired by recent progress in the adversarial machine learning literature which characterize such tradeoffs in simple settings, we develop tools to quantitatively study the performance-robustness tradeoff between nominal and robust state estimation. In particular, we define and analyze a novel adversarially robust Kalman Filtering problem. We show that in contrast to most problem instances in adversarial machine learning, we can precisely derive the adversarial perturbation in the Kalman Filtering setting. We provide an algorithm to find this perturbation given data realizations, and develop upper and lower bounds on the adversarial state estimation error in terms of the standard (non-adversarial) estimation error and the spectral properties of the resulting observer. Through these results, we show a natural connection between a filter’s robustness to adversarial perturbation and underlying control theoretic properties of the system being observed, namely the spectral properties of its observability gramian.

1 Introduction

It has been demonstrated across various application areas that contemporary learning-based models, despite their impressive nominal performance, can be extremely susceptible to small, adversarially designed input perturbations (Carlini and Wagner, 2016; Goodfellow et al., 2014; Szegedy et al., 2013; Huang et al., 2017). In order to mitigate the effects of such attacks, various adversarially robust training algorithms (Carlini and Wagner, 2016, 2017; Madry et al., 2017; Xie et al., 2020; Deka et al., 2020) have been developed. However, it was soon noticed that while adversarial training could be used to improve model robustness, it often comes with a corresponding decrease in accuracy on nominal (unperturbed) data. Further, various simplified theoretical models (Tsipras et al., 2018; Zhang et al., 2019; Nakkiran, 2019; Raghunathan et al., 2019; Chen et al., 2020; Javanmard et al., 2020), have been used to explain this phenomena, and to argue that such robustness-accuracy tradeoffs are unavoidable.

In this paper, we extend the study of such robustness-accuracy tradeoffs to data generated by a dynamical system via the setting of adversarially robust Kalman Filtering. Adversarial robustness is an appealing model of robust filtering, as it captures measurement disturbances that are composed of both stochastic and worst-case components. Motivated by applications of adversarial robustness in the reinforcement literature (Lutter et al., 2021; Pinto et al., 2017; Mandlekar et al., 2017), we provide the first theoretical analysis robustness-accuracy tradeoffs for state estimation of a dynamical system, and in doing so establish connections to natural control theoretic properties of the underlying system.

Our specific contributions can be summarized as follows:

•

We propose a simple and computationally efficient algorithm that provably finds optimal worst-case $\ell^{2}$ norm-bounded adversarial perturbations of the measurements for a given observer and trajectory data. This allows us to efficiently compute and explore the Pareto-optimal robustness-accuracy tradeoff curve.
•

We analyze the adversarially robust Kalman Filtering problem, and show that upper and lower bounds on the gap between the adversarial and standard (unperturbed) state estimation error can be controlled in terms of the spectral properties of the observability gramian (Zhou and Doyle, 1998) of the underlying system.
•

As an intermediate step to deriving the aforementioned bounds, we bound the gap between adversarial and standard (unperturbed) risks for general linear inverse problems in terms of the spectral properties of a given linear model. We also show that our bounds are tight in the one-dimensional setting, recovering the results of Javanmard et al. (2020), and for matrices with full column rank and orthogonal columns. These results may be of independent interest.
•

We empirically demonstrate through numerical simulations that our results predict robustness-accuracy tradeoffs in Kalman Filtering as a function of underlying spectral properties of the observability gramian.

The rest of this paper is organized as follows: in Section 2, we pose the adversarially robust Kalman Filtering problem. In Section 3, we first present tight upper and lower bounds on the adversarial risk in a general linear inverse problem, then refine these bounds for the Kalman filtering setting. The results reveal that for the setting where data is generated by a dynamical system, robustness-accuracy tradeoffs are dictated by natural control theoretic properties of the underlying system (namely, the observability gramian). In Section 4, we provide empirical evidence to support the trends predicted by our bounds, and demonstrate the efficacy of adversarially robust Kalman Filtering against sensor drift. We end with conclusions and a discussion of future work in Section 5.

1.1 Related Work

Our work makes connections between adversarial robustnesss and robust estimation and control. We now provide a brief overview of work related to ours from these areas.

Robustness-accuracy tradeoffs: We draw inspiration from recent work offering theoretical characterizations of robustness-accuracy tradeoffs: Tsipras et al. (2018) and Zhang et al. (2019) posit that high standard accuracy is fundamentally at odds with high robust accuracy by considering classification problems, whereas Nakkiran (2019) suggests an alternative explanation that classifiers that are simultaneously robust and accurate are complex, and may not be contained in current function classes. However, Raghunathan et al. (2019) shows that the tradeoff is not due to optimization or representation issues by showing that such tradeoffs exist even for a problem with a convex loss where the optimal predictor achieves 100% standard and robust accuracy. In contrast to previous work, we provide sharp and interpretable characterizations of the robustness-accuracy tradeoffs that may arise in inverse problems, albeit restricted to linear models. Most closely related to our work, Javanmard et al. (2020) derive a formula for the exact tradeoff between standard and robust accuracy in the linear regression setting. We derive similar results for a matrix-valued linear inverse problem, and apply these tools to the adversarially robust Kalman Filtering problem, wherein data is generated by a dynamical system.

Robust estimation and control: Robustness in estimation and control has traditionally been studied from a worst-case induced gain perspective (Hassibi et al., 1999; Zhou and Doyle, 1998). When perturbations are restricted to be $\ell^{2}$ -bounded, this gives rise to $\mathcal{H}_{\infty}$ estimation and control problems. Although widely known, and celebrated for their applications in robust control, $\mathcal{H}_{\infty}$ -based methods are often overly conservative. This conservatism can be reduced by using mixed $\mathcal{H}_{2}/\mathcal{H}_{\infty}$ methods (Khargonekar et al., 1996), which blend Gaussian and worst-case disturbance assumptions. While such an approach is related to the adversarially robust Kalman Filtering problem that we pose, we note that mixed $\mathcal{H}_{2}/\mathcal{H}_{\infty}$ decouples the worst-case and stochastic inputs during design, leading to a fundamentally different tradeoff. On the other hand, our method considers the stochastic and worst-case components jointly, finding the optimal filter robust to $\ell^{2}$ -bounded disturbances given the realizations of stochastic noise. We note the decoupling of worst-case and stochastic inputs allows mixed $\mathcal{H}_{2}/\mathcal{H}_{\infty}$ methods to guarantee stability under dynamic uncertainties. We leave similar guarantees for the filtering problem that we pose, and further characterizing connections between traditional and adversarial robustness to future work. More recently, Al Makdah et al. (2020) have considered the robustness-accuracy tradeoff in data-driven perception-based control. However, the adversary in Al Makdah et al. (2020) perturbs the covariance of the noise distribution, which is assumed to remain Gaussian, whereas our adversary additively attacks each measurement, which is more aligned to the perturbations considered in machine learning and robust control contexts. Additionally, Al Makdah et al. (2020) does not quantitatively analyze the severity of tradeoffs, but rather proves the existence of tradeoffs. Our prior work Lee et al. (2022) studies analogous tradeoffs to the ones in this paper arising in the setting of adversarially robust LQR, and bounds the severity of these tradeoffs in terms of the spectral properties of the controllability gramian.

2 Adversarially Robust Kalman Filtering

We consider a modification to the standard Kalman Filtering problem to incorporate adversarial robustness. We then bound the inflation of the state estimation error caused by the adversary, with the goal of relating control theoretic properties of the underlying linear dynamical system to the robustness-accuracy tradeoffs that it induces.

2.1 State Estimation and Observability

The Kalman filter is designed for the setting where the underlying dynamical system is linear, and disturbances are Gaussian. In particular, consider a linear-time-invariant (LTI) autonomous system with state and measurement disturbances: let $x_{t}\in\mathbb{R}^{n}$ be the system state, $w_{t}\in\mathbb{R}^{n}$ the process noise, $y_{t}\in\mathbb{R}^{p}$ the measurement, and $v_{t}\in\mathbb{R}^{p}$ the measurement noise. The initial condition, process noise, and measurement noise are assumed to be i.i.d. zero-mean Gaussians: $x_{0}\sim{}\mathcal{N}(0,\Sigma_{0})$ , $w_{t}\overset{\mathrm{i.i.d.}}{\sim}\mathcal{N}(0,\Sigma_{w})$ , $v_{t}\overset{\mathrm{i.i.d.}}{\sim}\mathcal{N}(0,\Sigma_{v})$ . The LTI system is then defined by:

	$\displaystyle x_{t+1}$	$\displaystyle=Ax_{t}+w_{t},$		(1)
	$\displaystyle y_{t}$	$\displaystyle=Cx_{t}+v_{t}.$		(1)

Finite horizon state estimation determines an estimate for the state of the system at time $k$ given some sequence of measurements $y_{0},\dots,y_{N}$ . This problem encompasses smoothing ( $k<N$ ), filtering ( $k=N$ ), and prediction ( $k>N$ ). When the measurement and process noise satisfy the assumptions above, the optimal state estimator is the celebrated Kalman filter (or smoother/predictor), which produces state estimates that are a linear function of the observations. Therefore, the optimal estimate $\hat{x}_{k}$ of the state $x_{k}$ at time $k$ can be written as¹¹1State-space representations for the Kalman filter (see Appendix A) also exist (Hassibi et al., 1999), but for our purposes it is more convenient to view it as a linear map. $\hat{x}_{k}:=LY_{N}$ , where $L\in\mathbb{R}^{n\times p(N+1)}$ is some matrix and $Y_{N}$ is a vector of stacked observations

Y_{N}:=\begin{bmatrix}y_{0}&\ldots&y_{N}\end{bmatrix}^{\top}.

We similarly define the stacked process and measurement noise vectors as

W_{N}:=\begin{bmatrix}w_{0}&\ldots&w_{N-1}\end{bmatrix}^{\top}\mbox{ and }V_{N}:=\begin{bmatrix}v_{0}&\ldots&v_{N}\end{bmatrix}^{\top}.

Furthermore, suppose $k\leq N$ and let

	$\displaystyle\mathcal{O}_{N}$	$\displaystyle=\begin{bmatrix}C\\ CA\\ \vdots\\ CA^{N}\end{bmatrix},\quad\tau_{N}=\begin{bmatrix}0&&&&\\ C&0&&\\ CA&C&&&\\ \vdots&&\ddots&0&\\ CA^{N-1}&\ldots&&C&0\end{bmatrix}$
	$\displaystyle\Gamma_{k}$	$\displaystyle=\begin{bmatrix}A^{k-1}&A^{k-2}&\ldots&I&0&\ldots&0\end{bmatrix}$

so that $Y_{N}=\mathcal{O}_{N}x_{0}+\tau_{N}W_{N}+V_{N}$ and $x_{k}=A^{k}x_{0}+\Gamma_{k}W_{N}$ . Here $\mathcal{O}_{N}$ is the $N$ -step observability matrix, which is a quantity of interest in our analysis. Recall that a system of the form (1) is observable if and only if the observability matrix $\mathcal{O}_{n-1}$ has rank $n$ .

Throughout the remainder of the paper we make the following assumption:

Assumption 2.1.

System (1) is observable and $N\geq n-1$ .

As stated, observability is a binary notion that determines whether state consistent estimation is possible. However, observability does not capture the conditioning of the problem defining the Kalman filter.

A more refined, non-binary notion of observability can be defined in terms of the observability gramian of a system.

Definition 2.1.

The $N$ -step observability gramian is defined as $W_{o}(N):=\mathcal{O}_{N}^{\top}\mathcal{O}_{N}$ . If the spectral radius of $A$ is less than one, then taking the limit as $N\to\infty$ results in the observability gramian $W_{o}(\infty)=\sum_{t=0}^{\infty}\left(A^{t}\right)^{\top}C^{\top}CA^{t}$ .

The observability gramian provides significantly more information about the difficulty of state estimation than the rank condition on the observability matrix. In particular, the ellipsoid $\left\{x\,|\,x^{\top}W_{o}(\infty)x\leq 1\right\}$ contains the initial states $x$ that lead to measurement signals with $\ell^{2}$ norm bounded by $1$ in the absense of process and measurement noise. To see this, let $x_{0}=x$ . Then we have $x_{0}^{\top}W_{o}(\infty)x_{0}=\sum_{t=0}^{\infty}x_{0}^{\top}\left(A^{t}\right)^{\top}C^{\top}CA^{t}x_{0}=\sum_{t=0}^{\infty}x_{t}^{\top}C^{\top}Cx_{t}=\sum_{t=0}^{\infty}\left\|y_{t}\right\|_{2}^{2}$ . As such, small eigenvalues of the observability gramian imply that a large subset of the state space leads to relatively small impacts on future measurements. This makes it difficult to use measurements to distinguish states in this region in the presence of process and measurement noise, requiring high-gain estimators. This in turn suggests that such estimators may be more susceptible to small adversarial perturbations.

2.2 Kalman Filtering and Smoothing

We begin by reviewing relevant results from standard Kalman Filtering and Smoothing.

Standard State Estimation

Under Assumption 2.1, we define the minimum mean square estimator for the state $x_{k}$ as

\displaystyle\hat{L}_{k}=\operatorname*{argmin}_{L\in\mathbb{R}^{n\times p(N+1)}}\mathbb{E}\left[\left\|x_{k}-LY_{N}\right\|_{2}^{2}\right].

(2)

We note that the optimal solution to this problem is precisely the Kalman filter ( $k=N$ ) or smoother ( $k<N$ ). We explicitly solve for the minimum mean square estimator $\hat{L}_{k}$ in the following standard lemma, included for completeness.

Lemma 2.1.

Suppose $k\leq N$ . The finite horizon Kalman state estimator is the solution to optimization problem (2), and is given by

\displaystyle\hat{L}_{k}

\displaystyle=\left(A^{k}\Sigma_{0}\mathcal{O}_{N}^{\top}+\Gamma_{k}\Sigma_{w}\tau_{N}^{\top}\right)\cdot\left(\mathcal{O}_{N}\Sigma_{0}\mathcal{O}_{N}^{\top}+\tau_{N}\Sigma_{w}\tau_{N}^{\top}+\Sigma_{v}\right)\operatorname{{}^{-1}}.

Adversarially Robust State Estimation

We now modify the standard filtering problem (2) to allow adversarial perturbations to enter through sensor measurements.²²2We choose to restrict our attention to adversarial sensor measurements because it is a more direct analog to the traditional adversarial robustness literature, which considers perturbations to image data, and not to the image data-generating distribution (Szegedy et al., 2013; Goodfellow et al., 2014; Carlini and Wagner, 2016). In particular, for some $\varepsilon>0$ , the adversarially robust state estimator is defined by

\displaystyle\hat{L}_{k}(\varepsilon):=\operatorname*{argmin}_{L\in\mathbb{R}^{n\times p(N+1)}}\mathbb{E}\left[\max_{\left\|\delta\right\|_{2}\leq\varepsilon}\left\|x_{k}-L(Y_{N}+\delta)\right\|_{2}^{2}\right].

(3)

In contrast to the nominal state estimation problem, no closed form expression exists for the adversarially robust estimation problem, due to the inner maximization in (3). We show next that despite the non-convexity of the inner maximization problem, it can be solved efficiently. This allows us to apply stochastic gradient descent to solve for $\hat{L}_{k}(\varepsilon)$ . In particular, note that the objective to the minimization problem is the expectation of a point-wise supremum of convex functions in $L$ , and hence convex in $L$ itself (Boyd and Vandenberghe, 2004). Next observe that we can draw samples of $x_{0}\sim\mathcal{N}(0,\Sigma_{0})$ , $W_{N}\sim\mathcal{N}(0,I_{N}\otimes\Sigma_{w})$ , $V_{N}\sim\mathcal{N}(0,I_{N+1}\otimes\Sigma_{v})$ , and apply the solution to the inner maximization problem to solve for realizations of $\max_{\left\|\delta\right\|_{2}\leq\varepsilon}\left\|x_{k}-L(Y_{N}+\delta)\right\|_{2}^{2}$ . Taking the gradient of these realizations with respect to $L$ provides a stochastic descent direction. As the overall expression is convex in $L$ , stochastic gradient descent with an appropriately decaying stepsize converges to the optimal solution (Bottou et al., 2018).

2.3 Solving the Inner Maximization

As earlier stated, no closed-form expression exists for the adversarially robust estimation problem: indeed, even in scalar linear regression studied in (Javanmard et al., 2020), it is characterized by a recursive relationship. Furthermore, the techniques used to derive that recursion do not extend to the multi-variable case.

To address this challenge, we show how to efficiently compute solutions to the inner maximization in (3). We observe that the maximization $\max_{\left\|\delta\right\|_{2}\leq\varepsilon}\left\|x_{k}-L(Y_{N}+\delta)\right\|_{2}^{2}$ can be expanded and re-written as the following (non-convex) quadratically-constrained quadratic maximization problem:

	$\displaystyle\operatorname*{maximize}_{\delta\in\mathbb{R}^{n}}$	$\displaystyle\quad\delta^{\top}L^{\top}L\delta-2\delta^{\top}L^{\top}b$		(P)
	$\displaystyle\operatorname{subject\ to}$	$\displaystyle\quad\delta^{\top}\delta\leq\varepsilon^{2},$

where we set $b:=x_{k}-LY_{N}$ . Let $L=U\begin{bmatrix}\Sigma&0\end{bmatrix}V^{\top}\in\mathbb{R}^{n\times(N+1)p}$ be the full singular-value decomposition of $L$ , with $U\in\mathbb{R}^{n\times n}$ , $\Sigma\in\mathbb{R}^{n\times(N+1)p}$ , $V\in\mathbb{R}^{(N+1)p\times(N+1)p}$ , and $\Sigma=\mathrm{diag}(\sigma_{1},\dots,\sigma_{n})$ , $\sigma_{1}\geq\cdots\geq\sigma_{n}\geq 0$ the singular values of $L$ . We also denote the columns of $U$ and $V$ by $u_{i}$ and $v_{i}$ , respectively. It is known that (P) satisfies strong duality (Boyd and Vandenberghe, 2004) and the optimal primal-dual pair $(\delta^{*},\lambda^{*})$ can be characterized by the KKT conditions:

	$\displaystyle 2(\lambda^{}I-L^{\top}L)\delta^{}+2L^{\top}b$	$\displaystyle=0$
	$\displaystyle\lambda^{}({\delta^{}}^{\top}\delta^{*}-\varepsilon^{2})$	$\displaystyle=0$
	$\displaystyle(\lambda^{*}I-L^{\top}L)$	$\displaystyle\succeq 0.$

The KKT conditions can then be leveraged to solve for the optimal dual solution $\lambda^{*}$ and subsequently the optimal perturbation $\delta^{*}$ . The full procedure is summarized in Algorithm 1.

We note that Boyd and Vandenberghe (2004) shows how to solve (P) via semidefinite programming. Algorithm 1, however, allows us to recycle the SVD of $L$ to solve (P) for different values of $b:=x_{k}-LY_{N}$ simply by solving a root finding problem for each $b$ . This enables efficient batching when applying SGD to the outer minimization problem.

Algorithm 1 Inner Maximization Solution

given

L=U\Sigma V^{\top}\in\mathbb{R}^{n\times(N+1)p}

b\in\mathbb{R}^{n}

, perturbation bound

\varepsilon>0

\sum_{i:\sigma_{i}<\sigma_{1}}\frac{(b^{\top}u_{i})^{2}\sigma_{i}^{2}}{(\sigma_{1}^{2}-\sigma_{i}^{2})^{2}}<\varepsilon^{2}

then

c=\sqrt{\varepsilon^{2}-\sum_{i:\sigma_{i}<\sigma_{1}}\frac{(b^{\top}u_{i})^{2}\sigma_{i}^{2}}{(\sigma_{1}^{2}-\sigma_{i}^{2})^{2}}}

Set

v

as any unit vector lying in the null-space of

\left(\sigma_{1}^{2}I-\Sigma^{\top}\Sigma\right)V^{\top}

, i.e.

v\in\textbf{span}\left\{v_{i}:\sigma_{i}=\sigma_{1}\right\}

\delta^{*}=-V(\sigma_{1}^{2}I-\Sigma^{\top}\Sigma)^{\dagger}\Sigma^{\top}U^{\top}b+cv

else

solve

\sum_{i=1}^{n}\frac{(b^{\top}u_{i})^{2}\sigma_{i}^{2}}{(\lambda-\sigma_{i}^{2})^{2}}=\varepsilon^{2}

for

\lambda

, e.g. by Newton’s method

\delta^{*}=-V(\lambda^{*}I-\Sigma^{\top}\Sigma)^{-1}\Sigma^{\top}U^{\top}b

end if

return

\delta^{*}

The proof of correctness for Algorithm 1 is detailed in Section B.2.

3 Robustness-Accuracy Tradeoffs in Kalman Filtering

The Kalman state estimation problem and adversarial state estimation problem can be viewed as standard and adversarially robust risk minimization problems by defining

	$\displaystyle\operatorname{SR}(L)$	$\displaystyle:=\mathbb{E}\left[\left\\|x_{k}-LY_{N}\right\\|_{2}^{2}\right],$
	$\displaystyle\operatorname{AR}(L)$	$\displaystyle:=\mathbb{E}\left[\max_{\left\\|\delta\right\\|_{2}\leq\varepsilon}\left\\|x_{k}-L(Y_{N}+\delta)\right\\|_{2}^{2}\right].$

Our goal is to characterize robustness-accuracy trade-offs for this linear inverse problem. We refer to the set of points $(\operatorname{SR}(L),\operatorname{AR}(L))$ over all $L\in\mathbb{R}^{n\times(N+1)p}$ as the $(\operatorname{SR},\operatorname{AR})$ region. The optimal tradeoff between standard and adversarial risks is characterized via the so-called Pareto boundary of this region, which we denote $\left\{(\operatorname{SR}(L_{\lambda}),\operatorname{AR}(L_{\lambda})):\lambda\geq 0\right\}$ . Using standard results in multi-objective optimization, $L_{\lambda}$ are computed by solving the regularized optimization problem

\displaystyle L_{\lambda}

\displaystyle:=\operatorname*{argmin}_{L}\;\operatorname{SR}(L)+\lambda\operatorname{AR}(L).

(4)

Varying the regularization parameter $\lambda$ in problem (4) thus allows us to characterize the aforementioned Pareto boundary by interpolating between the solution to the standard (i.e. $L_{0}$ ) and adversarial (i.e. $L_{\infty}$ ) problems. Via our results from Section 2.3, each solution $L_{\lambda}$ to the regularized optimization problem (4) can be computed efficiently using stochastic optimization. We use these results to trace out the optimal tradeoff curves for specific examples in Section 4.

In this section, we show that the gap $\operatorname{AR}(L)-\operatorname{SR}(L)$ can be bounded in terms of the spectral properties of the observability gramian of the system, establishing a natural connection to the robust control and estimation literature (Hassibi et al., 1999; Zhou and Doyle, 1998). In particular, our results indicate the robustness-accuracy tradeoff is more severe for systems with uniformly low observability, as characterized by the Frobenius norm of the observability gramian.

3.1 Tradeoffs for Linear Inverse Problems

We note that the Kalman state estimation problem can be posed as a general linear inverse problem, where $x\sim\mathcal{N}(0,\Sigma_{x})$ , $w\sim\mathcal{N}(0,\Sigma_{w})$ , $y=Mx+w$ , and our goal is to minimize one of the following risks

	$\displaystyle\operatorname{SR}(L)$	$\displaystyle=\mathbb{E}\left[\left\\|x-Ly\right\\|_{2}^{2}\right],$
	$\displaystyle\operatorname{AR}(L)$	$\displaystyle=\mathbb{E}\left[\max_{\left\\|\delta\right\\|_{2}\leq\varepsilon}\left\\|x-L(y+\delta)\right\\|_{2}^{2}\right].$

Although no closed-form expression exists for the adversarial risk $\operatorname{AR}(L)$ exists, we show now that interepretable upper and lower bounds on the robustness-accuracy tradeoff, as characterized by the gap $\operatorname{AR}(L)-\operatorname{SR}(L)$ , can be derived. Such bounds predict the severity of the robustness-accuracy tradeoff based upon underlying properties of specific linear inverse problems. We further show that these bounds are tight in the sense that they are exact for certain classes of matrices $L$ , and strong in the sense that the lower and upper bounds differ only in higher-order terms with respect to the adversarial budget $\varepsilon$ .

Theorem 3.1.

Given any $L\in\mathbb{R}^{p\times n}$ , we have the following lower bound on $\operatorname{AR}(L)-\operatorname{SR}(L)$ :

\displaystyle\operatorname{AR}(L)-\operatorname{SR}(L)

\displaystyle\geq 2\varepsilon\;\mathbb{E}_{x,w}\left[\left\|L^{\top}(x-Ly)\right\|_{2}\right]+\varepsilon^{2}\lambda_{\min}(L^{\top}L),

(5)

and a corresponding upper bound

\displaystyle\operatorname{AR}(L)-\operatorname{SR}(L)

\displaystyle\leq 2\varepsilon\;\mathbb{E}_{x,w}\left[\left\|L^{\top}(x-Ly)\right\|_{2}\right]+\varepsilon^{2}\lambda_{\max}(L^{\top}L),

(6)

where $\lambda_{\min}(L^{\top}L)$ and $\lambda_{\max}(L^{\top}L)$ are the minimum and maximum eigenvalues of $L^{\top}L$ , respectively.

The proof of these bounds relies on turning the inner maximization of the adversarial risk into various equivalent optimization problems, and utilizing the properties of Schur complements and the S-lemma. See Section C.1 for details.

We note that when $L^{\top}\in\mathbb{R}^{n}$ , inequality (6) recovers the exact characterization of the gap $\operatorname{AR}(L)-\operatorname{SR}(L)$ provided in Javanmard et al. (2020); thus when $p=1$ , the inequality (6) is in fact an equality. We also note that the upper and lower bounds differ only in the $\mathcal{O}(\varepsilon^{2})$ terms. This leads immediately to the following result.

Corollary 3.1.

If $p\geq n$ and $L$ has orthogonal columns, then bounds (5) and (6) match.

Proof.

If $p\geq n$ and $L$ has orthogonal columns, then $\lambda_{\min}(L^{\top}L)=\lambda_{\max}(L^{\top}L)$ . ∎

The terms involving the eigenvalues of $L^{\top}L$ in our bounds also support the intuition that adversarial robustness is a form of implicit regularization, which is visualized in Figure 1. In the one-dimensional linear classification setting, this phenomenon is well-understood (Tsipras et al., 2018; Dobriban et al., 2020), where robustness to adversarial perturbations prevent a robust feature vector from relying on an aggregate of small features. We note that in the case of state estimation, we have in general $p<n$ , and thus the quadratic factor in $\varepsilon$ is $0$ in the lower bound (5).

Refer to caption — Figure 1: Optimizing for adversarial robustness induces an implicit regularization, which is visualized in this heatmap of a $2\times 5$ nominal initial state estimator $L_{\star}$ (top) and adversarially robust solution $\hat{L}(\varepsilon)$ (bottom), where $\varepsilon=5$ , $x_{0}\sim\mathcal{N}(0,I)$ , $w_{t}\sim\mathcal{N}(0,I)$ , $v_{t}\sim\mathcal{N}(0,1)$ , $A=\begin{bmatrix}1&1\\ 0&1\end{bmatrix}$ , $C=\begin{bmatrix}0,1\end{bmatrix}$ , and $N=4$ .

In the subsequent section, we will leverage bounds (5) and (6) from Theorem 3.2 to bound both the susceptibility and robustness of the Kalman Filter.

3.2 Bounding $\operatorname{AR}-\operatorname{SR}$ for State Estimation

The adversarial risk does not admit a closed-form solution in general. Upper and lower bounds on the gap between the adversarial risk and standard risk, however, still highlight the role control theoretic quantities play in robustness-accuracy tradeoffs. We make the following simplifying assumption for presentation purposes going forward.

Assumption 3.1.

$\Sigma_{0}=\sigma_{0}^{2}I$ , $\Sigma_{w}=\sigma_{w}^{2}I$ , $\Sigma_{v}=\sigma_{v}^{2}I$ . We further assume that the system matrix $A=\rho Q$ , $\rho\in[0,1]$ , is a scaled orthogonal matrix, such that $\rho$ controls the stability of the system.

As stated in 2.1, $(A,C)$ is always assumed to be observable. Generalizations of our subsequent results to generic dynamics $A$ and positive definite covariance matrices are stated and proven in Appendix C: although more notationally cumbersome, they nevertheless convey the same overall trends.

We first present a closed form for the standard risk $\operatorname{SR}(L)$ which indicates the role that observability plays in robustness-accuracy tradeoffs.

Lemma 3.1.

The standard risk may be expressed as

\displaystyle\operatorname{SR}(

\displaystyle L)=\mathbb{E}\left[\left\|x_{k}-LY_{N}\right\|_{2}^{2}\right]=\sigma_{0}^{2}\left\|A^{k}-L\mathcal{O}_{N}\right\|_{F}^{2}+\sigma_{w}^{2}\left\|\Gamma_{k}-L\tau_{N}\right\|_{F}^{2}+\sigma_{v}^{2}\left\|L\right\|_{F}^{2}.

Lemma 3.1 makes clear that the noise terms act as a regularizer: if $\sigma_{w}^{2}=\sigma_{v}^{2}=0$ , then $\min_{L}\operatorname{SR}(L)=0$ and is achieved by $L=A^{k}(W_{o}(N))^{-1}\mathcal{O}_{N}^{\top}$ . The gain of this filter has clear dependence upon the spectral properties of $W_{o}(N)$ , indicating the key role that $W_{o}(N)$ plays in the robustness-accuracy tradeoffs satisfied by an LTI system (1). We formalize this intuition next. As a first step, we specialize the lower bound in Theorem 3.1 to the dynamical system setting.

Lemma 3.2.

For any $L\in\mathbb{R}^{n\times p(N+1)}$ , the gap between $\operatorname{AR}(L)$ and $\operatorname{SR}(L)$ admits the following lower bound:

\displaystyle\operatorname{AR}(L)-\operatorname{SR}(L)\geq 2\sqrt{\frac{2}{\pi}}\frac{\varepsilon}{\sqrt{n}}\sigma_{v}\left\|L\right\|_{F}^{2}

(7)

We now turn our attention to studying the tradeoffs enjoyed by the Kalman Filter/Smoother $L=\hat{L}_{k}$ defined in Lemma 2.1. Since the Kalman estimator is the optimal estimator in the nominal setting and is commonly used in practice, instantiating Lemma 3.2 for $L=\hat{L}_{k}$ captures the susceptibility of a nominal estimator to small adversarial perturbations. To simplify notation in the subsequent results, we will denote $\sigma_{\vee}^{2}=\max\left\{\sigma_{0}^{2},\sigma_{w}^{2}\right\}$ , $\sigma_{\wedge}^{2}=\min\left\{\sigma_{0}^{2},\sigma_{w}^{2}\right\}$ and

r_{k}(\rho)=\begin{cases}k,\quad&\rho=1\\ \frac{1-\rho^{2(k+1)}}{1-\rho^{2}},\quad&\rho\neq 1.\end{cases}

(8)

With these definitions, we have the following theorem.

Theorem 3.2.

Suppose that $\hat{L}_{k}$ is the Kalman estimator from Lemma 2.1. We have the following bound on the gap between $\operatorname{AR}$ and $\operatorname{SR}$ .

\displaystyle\operatorname{AR}(\hat{L}_{k})

\displaystyle-\operatorname{SR}(\hat{L}_{k})\geq 2\sqrt{\frac{2}{\pi}}\frac{\varepsilon}{\sqrt{n}}\sigma_{v}\left\|C\right\|_{F}^{2}\left(\frac{\rho^{2k}\sigma_{0}^{2}+r_{k}(\rho)\;\sigma_{w}^{2}}{(N+1)\sigma_{\vee}^{2}\left\|W_{o}(N)\right\|_{F}+\sigma_{v}^{2}}\right)^{2}.

(9)

We see that the lower bound increases as the Frobenius norm of the observability gramian decreases. This indicates that as observability becomes uniformly low, i.e., if all eigenvalues of $W_{o}(N)$ are small, then a nominal state estimator $\hat{L}_{k}$ will have a large gap $\operatorname{AR}(\hat{L}_{k})-\operatorname{SR}(\hat{L}_{k})$ . Observe that increasing $\sigma_{w}$ will increase the lower bound shown above when $\sigma_{w}\leq\sigma_{0}$ .

We now derive an upper bound on the gap between the standard and adversarial risk for any given $L$ . This bound follows from the upper bound in Theorem 3.1.

Lemma 3.3.

For any $L\in\mathbb{R}^{n\times p(N+1)}$ , the following bound holds

\displaystyle\operatorname{AR}(L)-\operatorname{SR}(L)\leq 2\varepsilon\left\|L\right\|_{2}\left\|\Sigma^{1/2}\right\|_{F}+\varepsilon^{2}\left\|L\right\|_{2}^{2},

where $\Sigma^{1/2}$ is the symmetric square root of the covariance of $x_{k}-LY_{N}$ .

Again, we consider how this upper bound looks for the Kalman estimator $\hat{L}_{k}$ .

Theorem 3.3.

Suppose that $\hat{L}_{k}$ is the Kalman state estimator from Lemma 2.1. Then

	$\displaystyle\operatorname{AR}(\hat{L}_{k})-\operatorname{SR}(\hat{L}_{k})\leq$	$\displaystyle\;\varepsilon\left(\frac{\rho^{2k}\sigma_{0}^{2}+r_{k}(\rho)\;\sigma_{w}^{2}}{\sigma_{\wedge}^{2}\lambda_{\min}(W_{o}(N))^{1/2}}\right)$
		$\displaystyle\cdot\Bigg{[}2\sqrt{n}\left(\sigma_{\vee}^{2}+\left(\frac{\sigma_{v}}{\sigma_{\wedge}^{2}\lambda_{\min}(W_{o}(N))^{1/2}}\right)^{2}\right)^{1/2}+\varepsilon\left(\frac{1}{\sigma_{\wedge}^{2}\lambda_{\min}(W_{o}(N))^{1/2}}\right)\Bigg{]}.$

Furthermore, when $\lambda_{\min}(W_{o}(N))^{1/2}\geq\frac{\sigma_{v}}{\sigma_{\wedge}^{2}}$ , we have

	$\displaystyle\operatorname{AR}(\hat{L}_{k})-\operatorname{SR}(\hat{L}_{k})\leq$	$\displaystyle\;\varepsilon\left(\frac{\sigma_{\wedge}^{2}\lambda_{\min}(W_{o}(N))^{1/2}}{\sigma_{\wedge}^{4}\lambda_{\min}(W_{o}(N))+\sigma_{v}^{2}}\left(\rho^{2k}\sigma_{0}^{2}+r_{k}(\rho)\;\sigma_{w}^{2}\right)\right)$
		$\displaystyle\cdot\Bigg{[}2\sqrt{n}\left(\sigma_{\vee}^{2}+\sigma_{v}^{2}\left(\frac{\sigma_{\wedge}^{2}\lambda_{\min}(W_{o}(N))^{1/2}}{\sigma_{\wedge}^{4}\lambda_{\min}(W_{o}(N))+\sigma_{v}^{2}}\right)^{2}\right)^{1/2}+\varepsilon\left(\frac{\sigma_{\wedge}^{2}\lambda_{\min}(W_{o}(N))^{1/2}}{\sigma_{\wedge}^{4}\lambda_{\min}(W_{o}(N))+\sigma_{v}^{2}}\right)\Bigg{]}.$

The upper bound on the gap decreases as the minimum eigenvalue of the observability gramian increases. This indicates that as the observability of the system becomes uniformly large, the gap between standard and adversarial risk for the nominal Kalman estimator will decrease. Perhaps counter-intuitively, when observability is poor in some direction, i.e. when $\lambda_{\min}\left(W_{o}(N)\right)$ is small, increasing the sensor noise $\sigma_{v}$ will actually decrease the above upper bound, as long as $\lambda_{\min}\left(W_{o}(N)\right)\geq\frac{\sigma_{v}}{\sigma_{\wedge}^{2}}$ . This aligns with results demonstrating that injecting artificial noise can improve the robustness of state observers (Doyle and Stein, 1979), and is further consistent with our interpretation of noise as a regularizer following Lemma 3.1.

We note that since the properties of the observability gramian $W_{o}(N)$ are tied to $\rho$ , it is not immediately clear how to extract the role of stability $\rho\in[0,1]$ in either Equation 9 or Theorem 3.3. This is to be expected, as the fragility of the Kalman Filter has more to do with the observability of the system rather than its autonomous stability. For example, when $C^{\top}C=I$ , corresponding to maximal observability $W_{o}(N)=r_{k}(\rho)$ , and $k\leq\mathcal{O}(N)$ , then the dominant terms in the lower and upper bound are essentially independent of $\rho$ when $N$ is large.

4 Numerical Results

We now demonstrate that the theoretical results shown in the previous section predict the tradeoffs arising in Kalman Filtering problems.

Pareto Curves for Adversarial Kalman Filtering

In this experiment we compute the Pareto-optimal frontier for adversarially robust Kalman filtering on systems with varying observability. We consider the system defined by the tuple $\left(A,C,\Sigma_{0},\Sigma_{w},\Sigma_{v},N\right)=\left(\begin{bmatrix}\alpha&\beta\\ -\beta&\alpha\end{bmatrix},\begin{bmatrix}1&0\end{bmatrix},I,0.1I,0.1,5\right)$ where $\alpha^{2}+\beta^{2}=1$ , and we vary $\alpha$ . As $\alpha$ approaches one the minimum eigenvalues of the observability gramian become small. In particular, for $\alpha=0.95$ , $\alpha=0.98$ , $\alpha=0.99$ , the minimum eigenvalues of the observability gramian are given by $1.22,0.81$ and $0.58$ respectively. The adversarial budget is set to $\varepsilon=0.5$ . Figure 2 shows the resulting tradeoff curves which demonstrate that as observability decreases, both $\operatorname{SR}$ and $\operatorname{AR}$ increase, as do the distance between the extremes of the Pareto curve. The results therefore support Section 3.2, where we showed shrinking the eigenvalues of $W_{o}(N)$ increases the severity of the tradeoff between $\operatorname{SR}$ and $\operatorname{AR}$ .

Tradeoffs of Kalman Smoother versus Adversarially Robust Kalman Smoother

In Figure 3, we demonstrate the impact of adversaries on the risk incurred by an estimator optimized for $\operatorname{SR}$ versus $\operatorname{AR}$ . We consider initial state estimation of a system defined by the tuple $(A,C,\Sigma_{0},\Sigma_{w},\Sigma_{v},N)=\left(\begin{bmatrix}1&\rho\\ 0&1\end{bmatrix},\begin{bmatrix}1&0\end{bmatrix},I,0.1I,0.1,5\right)$ , where we vary $\rho$ from $0.1$ to $\sqrt{10}$ , such that the eigenvalues of $W_{o}(N)$ increase as $\rho$ increases. The adversarial budget is fixed at $\varepsilon=0.5$ . Evaluating the nominal and robust estimators on this class of systems, we see that the adversarially robust smoother has significantly smaller adversarial risk compared to the nominal Kalman smoother when observability is low. As observability increases, this advantage shrinks. This suggests that considering the tradeoffs from adversarially robust state estimation is most important when observability is low.

Tradeoffs with Nonlinear State Estimators

In Figure 4, we demonstrate empirically that the fundamental tradeoffs are not overcome by using nonlinear state estimators. In particular, we consider the system defined by $(A,\Sigma_{0},\Sigma_{w},\Sigma_{v},N)=\left(\begin{bmatrix}1&1\\ 0&1\end{bmatrix},I,0.1I,0.1,5\right)$ , and $C$ as in the legend of the plots. We set the adversarial budget to $\varepsilon=0.5$ . We solve for the Pareto boundary for the linear estimator as in Figure 2. We also consider a two layer network with ten neurons per layer and ReLU activation functions. To train this network, we perform an SGD procedure similar to that used in the linear case, with the exception being that we do not solve the exact adversary corresponding to each data point, but rather apply 100 steps of projected gradient ascent to find the adversarial perturbation. Once the neural network is trained, this same approach to find the adversary is used again to estimate the adversarial risk of the resultant estimator. As a result, the tradeoff curves shown for the neural network are an under-approximation to the true values of $\operatorname{AR}$ . As such, it appears that the neural network is getting roughly the same tradeoff curves as the linear estimator, which is expected due to the fact that linear estimators are optimal in the $\mathcal{H}_{2}$ and $\mathcal{H}_{\infty}$ settings (Zhou and Doyle, 1998).

Comparison with Kalman Filter, mixed $\mathcal{H}_{2}/\mathcal{H}_{\infty}$ , and $\mathcal{H}_{\infty}$ Filters

In Figure 5, we compare the performance of the adversarially robust Kalman filter with the optimal $\mathcal{H}_{\infty}$ filter, a mixed $\mathcal{H}_{2}/\mathcal{H}_{\infty}$ filter which minimizes the $\mathcal{H}_{2}$ norm subject to a $\mathcal{H}_{\infty}$ norm bound of $1.7$ , and the nominal Kalman or $\mathcal{H}_{2}$ filter. In particular, we consider the filtering problem for a trajectory generated by the system $(A,C,\Sigma_{0},\Sigma_{w},\Sigma_{v})=\left(\begin{bmatrix}0.9&1\\ 0&0.9\end{bmatrix},\begin{bmatrix}1,0\end{bmatrix},I,0.1I,0.1\right)$ . For ease of computation, we use the stationary mixed, $\mathcal{H}_{\infty}$ , and Kalman filters (Lewis et al., 2008; Caverly and Forbes, 2019), and the adversarially robust Kalman Filter for a horizon of 10 with adversarial budget $\varepsilon=0.75$ . We consider a nominal setting, where process and state disturbances are Gaussian with covariances defined by $\Sigma_{w}$ and $\Sigma_{v}$ , and a setting to simulate sensor drift, where we have the white noise disturbances in addition to a sinusoidally varying measurement disturbance $\sin\left(\frac{2\pi k}{10}\right)$ . The $\mathcal{H}_{\infty}$ norm bound for the mixed filter was tuned to the value of $1.7$ for good performance on the sensor drift setting. As expected, the nominal Kalman filter performs best in the nominal setting with zero-mean disturbances. In the setting with sensor drift, however, the adversarially robust Kalman filter performs substantially better than the nominal and $\mathcal{H}_{\infty}$ filters, and slightly better than the mixed $\mathcal{H}_{2}/\mathcal{H}_{\infty}$ controller. In both settings, the $\mathcal{H}_{\infty}$ filter is overly conservative. Note that a key advantage of the adversarially robust controller is the interpretability of the robustness level determined by the parameter $\varepsilon$ , which directly corresponds to the power of the adversarial disturbance. This feature is not shared by other filter designs, such as the $\mathcal{H}_{\infty}$ norm bound in the mixed $\mathcal{H}_{2}/\mathcal{H}_{\infty}$ filter.

5 Conclusion

We analyzed the robustness-accuracy tradeoffs arising in Kalman Filtering. We did this in two parts. We first provided an algorithm to solve for the optimal adversarial perturbation, which can be used to trace out the Pareto boundary. We then bounded the gap between the adversarial and standard state estimation error in terms of the spectral properties of the observability gramian. These bounds extend upon the robustness-accuracy tradeoff results arising in the classification and linear regression settings. An interesting avenue of future work is to extend these results to infinite horizon filtering, and combine them with tradeoff analyses in LQR control (Lee et al., 2022) to provide an understanding of the adversarial tradeoffs in the control of partially observed linear systems. It would also be interesting to consider the adversarial tradeoffs of state estimation when adversarial state perturbations are also present.

Acknowledgements

Bruce Lee is supported by the Department of Defense through the National Defense Science & Engineering Graduate Fellowship Program. The research of Hamed Hassani is supported by NSF Grants 1837253, 1943064, 1934876, AFOSR Grant FA9550-20-1-0111, and DCIST-CRA. Nikolai Matni is funded by NSF awards CPS-2038873, CAREER award ECCS-2045834, and a Google Research Scholar award.

References

Al Makdah et al. (2020) A. A. Al Makdah, V. Katewa, and F. Pasqualetti. Accuracy prevents robustness in perception-based control. In 2020 American Control Conference (ACC), pages 3940–3946. IEEE, 2020.
Bottou et al. (2018) L. Bottou, F. E. Curtis, and J. Nocedal. Optimization methods for large-scale machine learning. SIAM Review, 60(2):223–311, 2018. doi: 10.1137/16M1080173.
Boyd and Vandenberghe (2004) S. P. Boyd and L. Vandenberghe. Convex optimization. Cambridge university press, 2004.
Carlini and Wagner (2016) N. Carlini and D. Wagner. Defensive distillation is not robust to adversarial examples. arXiv preprint arXiv:1607.04311, 2016.
Carlini and Wagner (2017) N. Carlini and D. Wagner. Towards evaluating the robustness of neural networks. In 2017 IEEE symposium on security and privacy, pages 39–57. IEEE, 2017.
Caverly and Forbes (2019) R. J. Caverly and J. R. Forbes. Lmi properties and applications in systems, stability, and control theory. arXiv preprint arXiv:1903.08599, 2019.
Chen et al. (2020) L. Chen, Y. Min, M. Zhang, and A. Karbasi. More data can expand the generalization gap between adversarially robust and standard models. In International Conference on Machine Learning, pages 1670–1680. PMLR, 2020.
Deka et al. (2020) S. A. Deka, D. M. Stipanović, and C. J. Tomlin. Dynamically computing adversarial perturbations for recurrent neural networks. arXiv preprint arXiv:2009.02874, 2020.
Dobriban et al. (2020) E. Dobriban, H. Hassani, D. Hong, and A. Robey. Provable tradeoffs in adversarially robust classification. arXiv preprint arXiv:2006.05161, 2020.
Doyle and Stein (1979) J. Doyle and G. Stein. Robustness with observers. IEEE Transactions on Automatic Control, 24(4):607–611, 1979. doi: 10.1109/TAC.1979.1102095.
Goodfellow et al. (2014) I. J. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
Hassibi et al. (1999) B. Hassibi, T. Kailath, and A. H. Sayed. Indefinite-quadratic estimation and control: a unified approach to H $2$ and H $\infty$ theories. SIAM studies in applied and numerical mathematics, 1999.
Huang et al. (2017) S. Huang, N. Papernot, I. Goodfellow, Y. Duan, and P. Abbeel. Adversarial attacks on neural network policies. arXiv preprint arXiv:1702.02284, 2017.
Javanmard et al. (2020) A. Javanmard, M. Soltanolkotabi, and H. Hassani. Precise tradeoffs in adversarial training for linear regression. In Conference on Learning Theory, pages 2034–2078. PMLR, 2020.
Khargonekar et al. (1996) P. P. Khargonekar, M. A. Rotea, and E. Baeyens. Mixed H2/H $\infty$ filtering. International Journal of Robust and Nonlinear Control, 6(4):313–330, 1996.
Lee et al. (2022) B. D. Lee, T. T. C. K. Zhang, H. Hassani, and N. Matni. Performance-robustness tradeoffs in adversarially robust linear-quadratic control, 2022.
Lewis et al. (2008) F. L. Lewis, L. Xie, and D. Popa. Optimal and Robust Estimation: With an Introduction to Stochastic Control Theory. CRC Press, 2008.
Lutter et al. (2021) M. Lutter, S. Mannor, J. Peters, D. Fox, and A. Garg. Robust value iteration for continuous control tasks. arXiv preprint arXiv:2105.12189, 2021.
Madry et al. (2017) A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.
Mandlekar et al. (2017) A. Mandlekar, Y. Zhu, A. Garg, L. Fei-Fei, and S. Savarese. Adversarially robust policy learning: Active construction of physically-plausible perturbations. In 2017 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS), pages 3932–3939. IEEE, 2017.
Nakkiran (2019) P. Nakkiran. Adversarial robustness may be at odds with simplicity. arXiv preprint arXiv:1901.00532, 2019.
Petersen et al. (2008) K. B. Petersen, M. S. Pedersen, et al. The matrix cookbook. Technical University of Denmark, 7(15):510, 2008.
Pinto et al. (2017) L. Pinto, J. Davidson, R. Sukthankar, and A. Gupta. Robust adversarial reinforcement learning. In International Conference on Machine Learning, pages 2817–2826. PMLR, 2017.
Raghunathan et al. (2019) A. Raghunathan, S. M. Xie, F. Yang, J. C. Duchi, and P. Liang. Adversarial training can hurt generalization. arXiv preprint arXiv:1906.06032, 2019.
Szegedy et al. (2013) C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
Tsipras et al. (2018) D. Tsipras, S. Santurkar, L. Engstrom, A. Turner, and A. Madry. Robustness may be at odds with accuracy. arXiv preprint arXiv:1805.12152, 2018.
Xie et al. (2020) C. Xie, M. Tan, B. Gong, A. Yuille, and Q. V. Le. Smooth adversarial training. arXiv preprint arXiv:2006.14536, 2020.
Zhang et al. (2019) H. Zhang, Y. Yu, J. Jiao, E. P. Xing, L. E. Ghaoui, and M. I. Jordan. Theoretically principled trade-off between robustness and accuracy. arXiv preprint arXiv:1901.08573, 2019.
Zhou and Doyle (1998) K. Zhou and J. C. Doyle. Essentials of Robust Control. Prentice-Hall, 1998.

Appendix A Kalman Filtering State Space Solution

Consider the setting defined in Section 2.1, i.e. we have a dynamical system which progresses according to

	$\displaystyle x_{t+1}$	$\displaystyle=Ax_{t}+w_{t}$
	$\displaystyle y_{t}$	$\displaystyle=Cx_{t}+v_{t}$

with $x_{0}\sim{}\mathcal{N}(0,\Sigma_{0})$ , $w_{t}\overset{\mathrm{i.i.d.}}{\sim}\mathcal{N}(0,\Sigma_{w})$ , $v_{t}\overset{\mathrm{i.i.d.}}{\sim}\mathcal{N}(0,\Sigma_{v})$ . Consider estimating state $x_{k}$ given measurements $y_{0},\dots,y_{k}$ . The minimum mean square estimator is given by

\hat{x}_{k}=\min_{z}\mathbb{E}\left[\left\|z-x_{k}\right\|_{2}^{2}|y_{0},\dots,y_{k}\right].

This can be written as an integral

\min_{z}\int_{\mathbb{R}^{n}}\left\|z-x_{k}\right\|_{2}^{2}f(x_{k}|y_{0},\dots,y_{k})dx_{k},

where $f$ denotes the conditional density of $x_{k}$ given the measurements. The objective is convex in $z$ , and thus we can find the minimizer by setting the gradient with respect to $z$ to zero. In particular, we have

	$\displaystyle\frac{d}{dz}\int_{\mathbb{R}^{n}}\left\\|z-x_{k}\right\\|_{2}^{2}f(x_{k}\|y_{0},\dots,y_{k})$	$\displaystyle=\int_{\mathbb{R}^{n}}\frac{d}{dz}\left\\|z-x_{k}\right\\|_{2}^{2}f(x_{k}\|y_{0},\dots,y_{k})dx_{k}$
		$\displaystyle=\int_{\mathbb{R}^{n}}2(z-x_{k})f(x_{k}\|y_{0},\dots,y_{k})dx_{k}$
		$\displaystyle=0,$

where dominated convergence theorem permits the exchange of integration and differentiation. Therefore, the state estimate may be expressed

\hat{x}_{k}=\int_{\mathbb{R}^{n}}x_{k}f(x_{k}|y_{0},\dots,y_{k})dx_{k}=\mathbb{E}\left[x_{k}|y_{0},\dots y_{k}\right].

Thus we can determine the state estimates $\hat{x}_{k}$ as the mean of the conditional distribution $f(x_{k}|y_{0},\dots y_{k})$ . This may be computed recursively. In particular, let $x_{k}|y_{0:k}$ be the random variable with probability density function $f(x_{k}|y_{0},\dots y_{k})$ . Then for all $k$ , we have that $x_{k}|y_{0:k}=\mathcal{N}(\hat{x}_{k}^{+},P_{k}^{+})$ where

$\displaystyle x_{0}^{-}$	$\displaystyle=0$	(10)
$\displaystyle P_{0}^{-}$	$\displaystyle=\Sigma_{0}$
$\displaystyle\hat{x}_{k}^{+}$	$\displaystyle=x_{k}^{-}+P_{k}^{-}C^{\top}\left(CP_{k}^{-}C^{\top}+\Sigma_{v}\right)^{-1}\left(y_{k}-C\hat{x}_{k}^{-}\right)$
$\displaystyle P_{k}^{+}$	$\displaystyle=P_{k}^{-}-P_{k}^{-}C^{\top}\left(CP_{k}^{-}C^{\top}+\Sigma_{v}\right)CP_{k}^{-}$
$\displaystyle\hat{x}_{k+1}^{-}$	$\displaystyle=A\hat{x}_{k}^{+}$
$\displaystyle P_{k+1}^{-}$	$\displaystyle=A^{\top}P_{k}^{+}A+\Sigma_{w}.$

To see that this is the case, recall that $x_{0}\sim\mathcal{N}(0,\Sigma_{0})$ , by assumption. Now suppose that $x_{k}|y_{0:k-1}\sim\mathcal{N}(\hat{x}_{k}^{-},P_{k}^{-})$ . Observe that

\begin{bmatrix}x_{k}|y_{0:k-1}\\ y_{k}\end{bmatrix}\sim\mathcal{N}\left(\begin{bmatrix}\hat{x}_{k}^{-}\\ C\hat{x}_{k}^{-}\end{bmatrix},\begin{bmatrix}P_{k}^{-}&P_{k}^{-}C^{\top}\\ CP_{k}^{-}&CP_{k}^{-}C^{\top}+\Sigma_{v}\end{bmatrix}\right)

Thus

	$\displaystyle x_{k}\|y_{0:k}$	$\displaystyle\sim\mathcal{N}\left(x_{k}^{-}+P_{k}^{-}C^{\top}\left(CP_{k}^{-}C^{\top}+\Sigma_{v}\right)^{-1}\left(y_{k}-C\hat{x}_{k}^{-}\right),P_{k}^{-}-P_{k}^{-}C^{\top}\left(CP_{k}^{-}C^{\top}+\Sigma_{v}\right)CP_{k}^{-}\right)$
		$\displaystyle=\mathcal{N}(x_{k}^{+},P_{k}^{+})$

Now, given $x_{k}|y_{0:k}\sim\mathcal{N}(x_{k}^{+},P_{k}^{+})$ , observe that $x_{k+1}|y_{0:k}=Ax_{k}|y_{0:k}+w_{k}\sim\mathcal{N}(A^{\top}x_{k}^{+},A^{\top}P_{k}^{+}A+\Sigma_{w})=\mathcal{N}(x_{k+1}^{-},P_{k}^{-})$ .

Using the equations in (10), we can write the Kalman filter as a state space system with inputs $y_{t}$ . In particular, if $P_{k}^{-}$ and $P_{k}^{+}$ are defined as in (10), we can let $K_{k}=P_{k}^{-}C^{\top}\left(CP_{k}^{-}C^{\top}+\Sigma_{v}\right)^{-1}$ . Then we may express our state estimates using the following time varying system.

\displaystyle\hat{x}_{k+1}

\displaystyle=(A-K_{k}CA)\hat{x}_{k}+K_{k}y_{k}.

Appendix B Proofs from Section 2

B.1 Proof of Lemma 2.1

Lemma 2.1: Suppose $k\leq N$ . The finite horizon Kalman state estimator is the solution to optimization problem (2), and is given by

\displaystyle\hat{L}_{k}

\displaystyle=\left(A^{k}\Sigma_{0}\mathcal{O}_{N}\operatorname{{}^{\top}}+\Gamma_{k}\Sigma_{w}\tau_{N}\operatorname{{}^{\top}}\right)\left(\mathcal{O}_{N}\Sigma_{0}\mathcal{O}_{N}\operatorname{{}^{\top}}+\tau_{N}\left(I_{N}\otimes\Sigma_{w}\right)\tau_{N}\operatorname{{}^{\top}}+\left(I_{N+1}\otimes\Sigma_{v}\right)\right)^{-1}.

Proof: We know $\operatorname{SR}(L)$ is convex in $L$ , thus we may take the derivative of $\operatorname{SR}(L)$ with respect to $L$ and set it to $0$ to solve for $\hat{L}_{k}$ . Matrix derivatives can be found in Petersen et al. (2008).

B.2 Proof of Correctness for Algorithm 1

Recalling the optimization problem

	$\displaystyle\operatorname*{maximize}_{\delta\in\mathbb{R}^{n}}$	$\displaystyle\quad\delta^{\top}L^{\top}L\delta-2\delta^{\top}L^{\top}b$		(P)
	$\displaystyle\operatorname{subject\ to}$	$\displaystyle\quad\delta^{\top}\delta\leq\varepsilon^{2},$

and the corresponding KKT conditions:

	$\displaystyle 2(\lambda^{}I-L^{\top}L)\delta^{}+2L^{\top}b$	$\displaystyle=0$
	$\displaystyle\lambda^{}({\delta^{}}^{\top}\delta^{*}-\varepsilon^{2})$	$\displaystyle=0$
	$\displaystyle(\lambda^{*}I-L^{\top}L)$	$\displaystyle\succeq 0.$

The third condition implies that $\lambda^{*}\geq\sigma_{1}^{2}$ . We assume $\sigma_{1}>0$ , otherwise the problem is trivial. Then using the SVD of $L$ to re-arrange the first stationarity condition, we get

\displaystyle(\lambda^{*}I-\Sigma^{\top}\Sigma)V^{\top}\delta^{*}

\displaystyle=\Sigma^{\top}U^{\top}b.

Maximizing a convex function over a convex set achieves its maximum on the boundary; it suffices to search over $\delta^{\top}\delta=\varepsilon^{2}$ . We now consider two cases: $\lambda^{*}>\sigma_{1}^{2}$ and $\lambda^{*}=\sigma_{1}^{2}$ .

•

In the first case $\lambda^{*}>\sigma_{1}^{2}$ , we know $\lambda^{*}I-\Sigma^{\top}\Sigma$ must be invertible, and thus

	$\displaystyle\delta^{*}$	$\displaystyle=-V(\lambda^{*}I-\Sigma^{\top}\Sigma)^{-1}\Sigma^{\top}U^{\top}b$
	$\displaystyle\varepsilon^{2}={\delta^{}}^{\top}\delta^{}$	$\displaystyle=b^{\top}U\Sigma(\lambda^{*}I-\Sigma^{\top}\Sigma)^{-2}\Sigma^{\top}U^{\top}b$
		$\displaystyle=\sum_{i=1}^{\min\left\{n,(N+1)p\right\}}\frac{(b^{\top}u_{i})^{2}\sigma_{i}^{2}}{(\lambda^{*}-\sigma_{i}^{2})^{2}},$

where $u_{i}$ are the columns of $U$ . By 2.1, we know $n<(N+1)p$ . Observe that

\displaystyle f(\lambda)

\displaystyle:=\sum_{i=1}^{n}\frac{(b^{\top}u_{i})^{2}\sigma_{i}^{2}}{(\lambda-\sigma_{i}^{2})^{2}},

is a strictly monotonically decreasing function when $\lambda>\sigma_{1}^{2}$ , and converges to $0$ when $\lambda\to\infty$ . This implies there is a unique $\lambda^{*}$ such that $f(\lambda^{*})=\varepsilon^{2}$ , which can be numerically solved for in various ways, such as bisection. Such methods can be initialized by setting the left boundary to $\lambda_{\ell}:=\sigma_{1}^{2}$ , corresponding to $f(\lambda_{\ell})=\infty$ , and the right boundary to a precomputable over-estimate $\lambda_{r}$ such that $f(\lambda_{r})<\varepsilon^{2}$ . As an example, one such crude over-estimate can be derived by observing

$\displaystyle\sum_{i=1}^{n}\frac{(b^{\top}u_{i})^{2}\sigma_{i}^{2}}{(\lambda-\sigma_{i}^{2})^{2}}$	$\displaystyle\leq\left(\sum_{i=1}^{n}\left(b^{\top}u_{i}\right)^{2}\right)\frac{\sigma_{1}^{2}}{\left(\lambda-\sigma_{1}^{2}\right)^{2}}$	Hölder’s inequality
	$\displaystyle=\left\\|b\right\\|^{2}/\left(c^{2}\sigma_{1}^{2}\right)\leftarrow\varepsilon^{2}$	$\displaystyle U\text{ orthogonal; set }\lambda=(1+c)\sigma_{1}^{2}$
$\displaystyle\implies\lambda_{r}$	$\displaystyle:=\left(1+\frac{\left\\|b\right\\|}{\varepsilon\sigma_{1}}\right)\sigma_{1}^{2}.$

Therefore, bisection can solve for $\lambda^{*}$ up to a desired tolerance $\delta$ in at most $\left\lceil\log_{2}\left(\frac{\lambda_{r}-\lambda_{\ell}}{\delta}\right)\right\rceil=\left\lceil\log_{2}\left(\frac{\left\|b\right\|}{\varepsilon\sigma_{1}\delta}\right)\right\rceil$ iterations, which is linear bit-complexity over problem parameters. Since $f(\lambda)$ enjoys favorable regularity properties such as monotonicity, strict convexity, and smoothness on an open interval around $\lambda^{*}$ , more advanced root-finding methods such as variants of Newton’s method or the secant method can be employed for superlinear convergence.

•

Now we consider the case where $\lambda^{*}=\sigma_{1}^{2}$ . In this case, $\delta^{*}$ will no longer be unique, and will come in the form

\displaystyle\delta^{*}

\displaystyle=-V(\sigma_{1}^{2}I-\Sigma^{\top}\Sigma)^{\dagger}\Sigma^{\top}U^{\top}b+cv,

where ^† denotes the Moore-Penrose pseudoinverse, and $v$ is any unit vector lying in the null-space of $\left(\sigma_{1}^{2}I-\Sigma^{2}\right)V^{\top}$ , which is precisely characterized in this case by

\displaystyle\ker\left(\left(\sigma_{1}^{2}I-\Sigma^{2}\right)V^{\top}\right)

\displaystyle=\textbf{span}\left(\left\{v_{i}:\sigma_{i}^{2}=\sigma_{1}^{2}\right\}\right),

with $v_{i}$ denoting the $i$ th column of $V$ . To find the appropriate scaling $c$ , we observe

	$\displaystyle{\delta^{}}^{\top}\delta^{}$	$\displaystyle=b^{\top}U\Sigma\left((\sigma_{1}^{2}I-\Sigma^{\top}\Sigma)^{\dagger}\right)^{2}\Sigma^{\top}U^{\top}b+c^{2}$
		$\displaystyle=\sum_{i:\sigma_{i}<\sigma_{1}}\frac{(b^{\top}u_{i})^{2}\sigma_{i}^{2}}{(\sigma_{1}^{2}-\sigma_{i}^{2})^{2}}=\varepsilon^{2}$
	$\displaystyle c$	$\displaystyle=\sqrt{\varepsilon^{2}-\sum_{i:\sigma_{i}<\sigma_{1}}\frac{(b^{\top}u_{i})^{2}\sigma_{i}^{2}}{(\sigma_{1}^{2}-\sigma_{i}^{2})^{2}}}.$

Combining our precise characterization of $\ker\left(\left(\sigma_{1}^{2}I-\Sigma^{\top}\Sigma\right)V^{\top}\right)$ using the columns of $V$ , and the formula for $c$ , we can extract an optimal perturbation vector $\delta^{*}$ . Therefore, we have demonstrated that (P), as well as extracting its optimal solution, can be solved to arbitrary precision.

Appendix C General Statements and Proofs for Section 3

C.1 Proof of Theorem 3.1

Theorem 3.1 Given any $L\in\mathbb{R}^{p\times n}$ , we have the following lower bound on $\operatorname{AR}(L)-\operatorname{SR}(L)$ :

\displaystyle\operatorname{AR}(L)-\operatorname{SR}(L)

\displaystyle\geq 2\varepsilon\;\mathbb{E}_{x,w}\left[\left\|L^{\top}(x-Ly)\right\|_{2}\right]+\varepsilon^{2}\lambda_{\min}(L^{\top}L),

and a corresponding upper bound

\operatorname{AR}(L)-\operatorname{SR}(L)\leq 2\varepsilon\;\mathbb{E}_{x,w}\left[\left\|L^{\top}(x-Ly)\right\|_{2}\right]+\varepsilon^{2}\lambda_{\max}(L^{\top}L),

where $\lambda_{\min}(L^{\top}L)$ and $\lambda_{\max}(L^{\top}L)$ are the minimum and maximum eigenvalues of $L^{\top}L$ , respectively.

Proof: First recall the definitions of SR and AR:

	$\displaystyle\operatorname{SR}(L)$	$\displaystyle=\mathbb{E}\left[\left\\|x-Ly\right\\|_{2}^{2}\right]$
	$\displaystyle\operatorname{AR}(L)$	$\displaystyle=\mathbb{E}\left[\max_{\left\\|\delta\right\\|_{2}\leq\varepsilon}\left\\|x-L(y+\delta)\right\\|_{2}^{2}\right].$

Given fixed $x,y$ , let us define the quantity $d(L):=x-Ly$ . Writing out the inner maximization of AR we have:

\displaystyle\max_{\left\|\delta\right\|_{2}\leq\varepsilon}\left\|x-L(y+\delta)\right\|_{2}^{2}

\displaystyle=\max_{\left\|\delta\right\|_{2}\leq\varepsilon}\left\|d(L)-L\delta\right\|_{2}^{2}.

Observe that this is equivalent to the problem

	$\displaystyle\operatorname*{minimize}_{s}\quad$	$\displaystyle s$		(P1)
	$\displaystyle\operatorname{subject\ to}\quad$	$\displaystyle s-\left\\|d(L)-L\delta\right\\|_{2}^{2}\geq 0\text{ for all }\delta^{\top}\delta\leq\varepsilon^{2}.$

We now recall the S-lemma for quadratic functions.

Lemma C.1 (S-lemma).

Given quadratic functions $p(x),q(x):\mathbb{R}^{n}\to\mathbb{R}$ , suppose there exists $x$ such that $p(x)>0$ . Then,

p(x)\geq 0\implies q(x)\geq 0\text{ for all }x

if and only if

\exists t\geq 0\text{ such that }q(x)\geq tp(x)\text{ for all }x.

Using this lemma, we set $p(\delta)=\varepsilon^{2}-\delta^{\top}\delta$ , $q(\delta)=s-\left\|d(L)-L\delta\right\|_{2}^{2}\geq 0$ . We observe that trivially, there exists $\delta=0$ such that $p(\delta)>0$ . Now given feasible $s$ for (P1), we observe that by our constraints, any $\delta$ such that $p(\delta)\geq 0$ immediately implies $q(\delta)\geq 0$ . By the S-lemma, this is equivalent to the existence of some $t\geq 0$ such that

q(\delta)-tp(\delta)=s-\left\|d(L)-L\delta\right\|_{2}^{2}-t(\varepsilon^{2}-\delta^{\top}\delta)\geq 0

for all $\delta$ . Therefore, we can re-write the optimization problem (P1) into

	$\displaystyle\operatorname*{minimize}_{s}\quad$	$\displaystyle s$		(P2)
	$\displaystyle\operatorname{subject\ to}\quad$	$\displaystyle\exists t\geq 0\text{ s.t. }s-\left\\|d(L)-L\delta\right\\|_{2}^{2}-t(\varepsilon^{2}-\delta^{\top}\delta)\geq 0\text{ for all }\delta.$

Re-arranging the terms in the quadratic expression, we get:

	$\displaystyle s-\left\\|d(L)-L\delta\right\\|_{2}^{2}-t(\varepsilon^{2}-\delta^{\top}\delta)$	$\displaystyle=s-\left(\delta^{\top}L^{\top}L\delta-2d(L)^{\top}L\delta+\left\\|d(L)\right\\|_{2}^{2}\right)-t(\varepsilon^{2}-\delta^{\top}\delta)$
		$\displaystyle=\delta^{\top}\left(tI-L^{\top}L\right)\delta+2d(L)^{\top}L\delta+\left(s-t\varepsilon^{2}-\left\\|d(L)\right\\|_{2}^{2}\right).$

Now we recall a property of Schur complements.

Lemma C.2 (Schur Complement).

Given $p(x)=x^{\top}Px+b^{\top}x+c$ , we have

	$\displaystyle p(x)\geq 0\;\forall\;x$	$\displaystyle\iff\begin{bmatrix}P&b\\ b^{\top}&c\end{bmatrix}\succeq 0$
		$\displaystyle\iff P\succeq 0,\;c-b^{\top}P^{\dagger}b\geq 0.$

Applying this to (P2), we see the constraints can be re-written

		$\displaystyle\exists t\geq 0\text{ s.t. }s-\left\\|d(L)-L\delta\right\\|_{2}^{2}-t(\varepsilon^{2}-\delta^{\top}\delta)\geq 0\text{ for all }\delta$
	$\displaystyle\iff\quad$	$\displaystyle\exists t\geq 0,\;tI-L^{\top}L\succeq 0,\;s-t\varepsilon^{2}-\left\\|d(L)\right\\|_{2}^{2}-d(L)^{\top}L(tI-L^{\top}L)^{\dagger}L^{\top}d(L)\geq 0$
	$\displaystyle\iff\quad$	$\displaystyle\exists t\geq\lambda_{\max}(L^{\top}L),\;s-t\varepsilon^{2}-\left\\|d(L)\right\\|_{2}^{2}-d(L)^{\top}L(tI-L^{\top}L)^{\dagger}L^{\top}d(L)\geq 0.$

Therefore, we get the optimization problem

	$\displaystyle\operatorname*{minimize}_{s,t}\quad$	$\displaystyle s$
	$\displaystyle\operatorname{subject\ to}\quad$	$\displaystyle t\geq\lambda_{\max}(L^{\top}L)$
		$\displaystyle s-t\varepsilon^{2}-\left\\|d(L)\right\\|_{2}^{2}-d(L)^{\top}L(tI-L^{\top}L)^{\dagger}L^{\top}d(L)\geq 0.$

However, this is clearly equivalent and has the same optimal value as the following problem

	$\displaystyle\operatorname*{minimize}_{t}\quad$	$\displaystyle t\varepsilon^{2}+\left\\|d(L)\right\\|_{2}^{2}+d(L)^{\top}L(tI-L^{\top}L)^{\dagger}L^{\top}d(L)$
	$\displaystyle\operatorname{subject\ to}\quad$	$\displaystyle t\geq\lambda_{\max}(L^{\top}L).$

Notice that so far we are simply considering equivalent formulations to the original optimization. The ensuing step is where the lower and upper bounds (5) and $\eqref{eq: s-lemma upper bound}$ arise. Recall the Neumann series, where since $t\geq\lambda_{\max}(L^{\top}L)$ , we have

	$\displaystyle(tI-L^{\top}L)^{-1}$	$\displaystyle=\frac{1}{t}\left(I-\frac{1}{t}L^{\top}L\right)^{-1}$
		$\displaystyle=\frac{1}{t}\left(I+\frac{1}{t}L^{\top}L+\frac{1}{t^{2}}\left(L^{\top}L\right)^{2}+\cdots\right).$

From the Neumann series, we see that we can upper and lower bound the inverse using geometric series of the largest and smallest eigenvalues of $L^{\top}L$ , respectively,

\displaystyle\frac{1}{t-\lambda_{\min}(L^{\top}L)}I\preceq(tI-L^{\top}L)^{-1}\preceq\frac{1}{t-\lambda_{\max}(L^{\top}L)}I

From now on, we will deal with the inverse, since instead of the pseudo-inverse we can take the infimum of the above problem, which is bounded from below. Let us consider the lower bound first. The upper bound follows using the exact same analysis. We have

	$\displaystyle t\varepsilon^{2}+\left\\|d(L)\right\\|_{2}^{2}+d(L)^{\top}L(tI-L^{\top}L)^{-1}L^{\top}d(L)$	$\displaystyle\geq t\varepsilon^{2}+\left\\|d(L)\right\\|_{2}^{2}+d(L)^{\top}L\left(\frac{1}{t-\lambda_{\min}(L^{\top}L)}I\right)L^{\top}d(L)$
		$\displaystyle=t\varepsilon^{2}+\left\\|d(L)\right\\|_{2}^{2}+\frac{1}{t-\lambda_{\min}(L^{\top}L)}\left\\|L^{\top}d(L)\right\\|_{2}^{2}.$

Therefore, we have

\displaystyle\max_{\left\|\delta\right\|_{2}\leq\varepsilon}\left\|x-L(y+\delta)\right\|_{2}^{2}

\displaystyle\geq\left\|d(L)\right\|_{2}^{2}+\min_{t>\lambda_{\max}(L^{\top}L)}t\varepsilon^{2}+\frac{1}{t-\lambda_{\min}(L^{\top}L)}\left\|L^{\top}d(L)\right\|_{2}^{2}.

We now make a second relaxation:

	$\displaystyle\left\\|d(L)\right\\|_{2}^{2}+\min_{t>\lambda_{\max}(L^{\top}L)}t\varepsilon^{2}+\frac{1}{t}\left\\|L^{\top}d(L)\right\\|_{2}^{2}$	$\displaystyle\geq\left\\|d(L)\right\\|_{2}^{2}+\min_{t\geq 0}t\varepsilon^{2}+\frac{1}{t-\lambda_{\min}(L^{\top}L)}\left\\|L^{\top}d(L)\right\\|_{2}^{2}$
		$\displaystyle=\left\\|d(L)\right\\|_{2}^{2}+2\varepsilon\left\\|L^{\top}d(L)\right\\|_{2}+\varepsilon^{2}\lambda_{\min}(L^{\top}L),$

which we get by deriving the unconstrained minimizer $t^{*}=\frac{\left\|L^{\top}d(L)\right\|_{2}}{\varepsilon}+\lambda_{\min}(L^{\top}L)$ . Now putting expectations on both sides of the inequality, we get

\displaystyle\operatorname{AR}(L)

\displaystyle\geq\operatorname{SR}(L)+2\varepsilon\;\mathbb{E}\left[\left\|L^{\top}(x-Ly)\right\|_{2}\right]+\varepsilon^{2}\lambda_{\min}(L^{\top}L).

$\blacksquare$

In the subsequent full statements of the corresponding results in the paper, we do not make 3.1, and instead consider general observable $(A,C)$ , where $\rho(A)\leq 1$ , and positive definite noise covariances $\Sigma_{0},\Sigma_{w},\Sigma_{v}\succ 0$ .

C.2 General Statement of Lemma 3.1

Lemma 3.1. The standard risk may be expressed as

	$\displaystyle\operatorname{SR}(L)$	$\displaystyle:=\mathbb{E}\left[\left\\|x_{k}-LY_{N}\right\\|_{2}^{2}\right]$
		$\displaystyle=\left\\|\left(A^{k}-L\mathcal{O}_{N}\right)\Sigma_{0}^{1/2}\right\\|_{F}^{2}+\left\\|\left(\Gamma_{k}-L\tau_{N}\right)\left(I_{N}\otimes\Sigma_{w}\right)^{1/2}\right\\|_{F}^{2}+\left\\|L\left(I_{N+1}\otimes\Sigma_{v}\right)^{1/2}\right\\|_{F}^{2}.$

Proof: This follows simply by expanding the norm inside the expectation, and noticing that since $x_{0}$ , $W_{N}$ , $V_{N}$ are defined to be zero-mean Gaussian random vectors, their cross terms vanish. More precisely, we have

	$\displaystyle\mathbb{E}\left[\left\\|x_{k}-LY_{N}\right\\|_{2}^{2}\right]$	$\displaystyle=\mathbb{E}\left[\operatorname{\mathrm{tr}}\left((x_{k}-LY_{N})(x_{k}-LY_{N})^{\top}\right)\right]$
		$\displaystyle=\mathbb{E}\bigg{[}\operatorname{\mathrm{tr}}\bigg{(}\left(A^{k}-L\mathcal{O}_{N}\right)x_{0}x_{0}^{\top}\left(A^{k}-L\mathcal{O}_{N}\right)^{\top}+\left(\Gamma_{k}-L\tau_{N}\right)W_{N}W_{N}^{\top}(\Gamma_{k}-L\tau_{N})^{\top}$
		$\displaystyle\quad+LV_{N}V_{N}^{\top}L^{\top}\bigg{)}\bigg{]}+0$
		$\displaystyle=\left\\|\left(A^{k}-L\mathcal{O}_{N}\right)\Sigma_{0}^{1/2}\right\\|_{F}^{2}+\left\\|\left(\Gamma_{k}-L\tau_{N}\right)\left(I_{N}\otimes\Sigma_{w}\right)^{1/2}\right\\|_{F}^{2}+\left\\|L\left(I_{N+1}\otimes\Sigma_{v}\right)^{1/2}\right\\|_{F}^{2}.$

$\blacksquare$

C.3 General Statement of Lemma 3.2

Lemma 3.2. For any $L\in\mathbb{R}^{n\times p(N+1)}$ , the gap between $\operatorname{AR}(L)$ and $\operatorname{SR}(L)$ admits the following lower bound:

	$\displaystyle\operatorname{AR}(L)-\operatorname{SR}(L)$	$\displaystyle\geq 2\sqrt{\frac{2}{\pi}}\frac{\varepsilon}{\sqrt{n}}\operatorname{\mathrm{tr}}\bigg{(}\bigg{(}L^{\top}\Big{(}S\Sigma_{0}S^{\top}+T\left(I_{N}\otimes\Sigma_{w}\right)T^{\top}+L\left(I_{N+1}\otimes\Sigma_{v}\right)L^{\top}\Big{)}L\bigg{)}^{1/2}\bigg{)}$
		$\displaystyle\geq 2\sqrt{\frac{2}{\pi}}\frac{\varepsilon}{\sqrt{n}}\sigma_{\min}(\Sigma_{v})^{1/2}\left\\|L\right\\|_{F}^{2}$		(11)

where $S:=A^{k}-L\mathcal{O}_{N}$ , $T:=\Gamma_{k}-L\tau_{N}$ .

Proof: Applying the lower bound (5), we have

\displaystyle\operatorname{AR}(L)

\displaystyle\geq\operatorname{SR}(L)+2\varepsilon\;\mathbb{E}\left[\left\|L^{\top}(x_{k}-LY_{T})\right\|_{2}\right].

Then to derive the lower bound (C.3), we observe that the random vector

	$\displaystyle z$	$\displaystyle=L^{\top}(x_{k}-LY_{T})$
		$\displaystyle=L^{\top}\left(Sx_{0}-TW_{T}+LV_{T})\right),$

is a zero-mean Gaussian with covariance

\displaystyle\Sigma

\displaystyle=L^{\top}\left(S\Sigma_{0}S^{\top}+T\Sigma_{w}T^{\top}+L\Sigma_{v}L^{\top}\right)L.

We can also write $z=\Sigma^{1/2}w$ where $w\sim\mathcal{N}(0,I)$ . Consider the diagonalization of $\Sigma^{1/2}=VSV^{\top}$ . Then

	$\displaystyle\mathbb{E}\left[\left\\|z\right\\|_{2}\right]$	$\displaystyle=\mathbb{E}\left[\left\\|VSV^{\top}w\right\\|_{2}\right]$
		$\displaystyle=\mathbb{E}\left[\left\\|\sum_{i}s_{i}w_{i}v_{i}\right\\|_{2}\right],$

where $v_{i}$ is the $i$ th row of $V$ and $s_{i}$ is the $i$ th singular value of $\Sigma^{1/2}$ . We have that

\displaystyle\left\|\sum_{i}s_{i}w_{i}v_{i}\right\|_{2}^{2}=\sum_{i}s_{i}^{2}w_{i}^{2}v_{i}^{\top}v_{i}=\sum_{i}s_{i}^{2}w_{i}^{2}

We have by equivalence of norms, $\sqrt{\sum_{i=1}^{n}x_{i}^{2}}\geq n^{-1/2}\sum_{i=1}^{n}{\left|x_{i}\right|}$ . Therefore,

\displaystyle\sqrt{\sum_{i=1}^{n}s_{i}^{2}w_{i}^{2}}\geq\frac{1}{\sqrt{n}}\sum_{i=1}^{n}s_{i}{\left|w_{i}\right|},

and thus

\displaystyle\mathbb{E}\left[\left\|z\right\|_{2}\right]

\displaystyle\geq\frac{1}{\sqrt{n}}\mathbb{E}\left[\sum_{i=1}^{n}s_{i}|w|_{i}\right]=\frac{1}{\sqrt{n}}\mathbb{E}\left[{\left|w\right|}\right]\sum_{i=1}^{n}s_{i}

where $w\sim\mathcal{N}(0,1)$ . The quantity $\mathbb{E}\left[{\left|w\right|}\right]$ is the expected value of a folded standard normal, which is $\sqrt{\frac{2}{\pi}}$ , while $\sum_{i=1}^{n}s_{i}=\operatorname{\mathrm{tr}}\left(\Sigma^{1/2}\right)$ . Putting this together, we have that

\displaystyle\operatorname{AR}(L)-\operatorname{SR}(L)

\displaystyle\geq 2\sqrt{\frac{2}{\pi}}\frac{\varepsilon}{\sqrt{n}}\operatorname{\mathrm{tr}}\bigg{(}\bigg{(}L^{\top}\Big{(}S\Sigma_{0}S^{\top}+T\left(I_{N}\otimes\Sigma_{w}\right)T^{\top}+L\left(I_{N+1}\otimes\Sigma_{v}\right)L^{\top}\Big{)}L\bigg{)}^{1/2}\bigg{)}.

From the above bound, we may now derive a cruder lower bound from which we can observe a dependence on the singular values of the observability grammian, $W_{o}(N)$ . In particular, begin with the expression above, and note that the terms involving $\Sigma_{0}$ and $\Sigma_{w}$ are positive definite to achieve a lower bound in terms of $L$ :

		$\displaystyle 2\sqrt{\frac{2}{\pi}}\frac{\varepsilon}{\sqrt{n}}\operatorname{\mathrm{tr}}\left(\left(L\operatorname{{}^{\top}}\left(S\Sigma_{0}S\operatorname{{}^{\top}}+T\left(I_{N}\otimes\Sigma_{w}\right)T\operatorname{{}^{\top}}+L\left(I_{N+1}\otimes\Sigma_{v}\right)L\operatorname{{}^{\top}}\right)L\right)^{1/2}\right)$
	$\displaystyle\geq\;$	$\displaystyle 2\sqrt{\frac{2}{\pi}}\frac{\varepsilon}{\sqrt{n}}\sigma_{\min}\left(\Sigma_{v}\right)^{1/2}\operatorname{\mathrm{tr}}\left(\left(L\operatorname{{}^{\top}}LL\operatorname{{}^{\top}}L\right)^{1/2}\right)$
	$\displaystyle=\;$	$\displaystyle 2\sqrt{\frac{2}{\pi}}\frac{\varepsilon}{\sqrt{n}}\sigma_{\min}\left(\Sigma_{v}\right)^{1/2}\left\\|L\right\\|_{F}^{2}.$

which completes the proof of inequality (C.3). $\blacksquare$

Introducing additional notation to express the Kalman estimator will be helpful in subsequent sections. Let

$\displaystyle\bar{\Sigma}$	$\displaystyle:=\begin{bmatrix}\Sigma_{0}&\\ &I_{N}\otimes\Sigma_{w}\end{bmatrix}$	(12)
$\displaystyle H$	$\displaystyle:=\begin{bmatrix}I&&&&\\ A&I&&&\\ \vdots&&\ddots&&\\ A^{N}&A^{N-1}&\ldots&I\end{bmatrix}\bar{\Sigma}^{1/2}$
$\displaystyle H_{k}$	$\displaystyle:=E_{k}^{\top}H=\begin{bmatrix}A^{k}&A^{k-1}&\dots&I&0&\dots&0\end{bmatrix}\bar{\Sigma}^{1/2}$
$\displaystyle M$	$\displaystyle:=H^{\top}\left(C^{\top}\otimes I\right)=\bar{\Sigma}^{1/2}\begin{bmatrix}\mathcal{O}_{N}^{\top}\\ \left(\mathcal{Z}\mathcal{O}_{N}\right)^{\top}\\ \vdots\\ \left(\mathcal{Z}^{N}\mathcal{O}_{N}\right)^{\top}\end{bmatrix},$

where $\mathcal{Z}\in\mathbb{R}^{p(N+1)\times p(N+1)}$ is a block downshift operator, with blocks of size $m$ . With this notation, the Kalman estimator given in Lemma 2.1 may be rewritten more compactly as

\hat{L}_{k}=H_{k}M\left(M^{\top}M+\Sigma_{v}\right)^{-1}.

C.4 General Statement of Theorem 9

Theorem 9. Suppose that $\hat{L}_{k}$ is the Kalman estimator from Lemma 2.1. Then we have the following bound on the gap between $\operatorname{AR}$ and $\operatorname{SR}$ .

\displaystyle\operatorname{AR}(\hat{L}_{k})-\operatorname{SR}(\hat{L}_{k})\geq 2\sqrt{\frac{2}{\pi}}\frac{\varepsilon}{\sqrt{n}}\sigma_{\min}\left(\Sigma_{v}\right)\left\|C\right\|_{F}^{2}\left(\frac{\sigma_{\min}\left(A^{k}\Sigma_{0}{A^{k}}^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}{A^{k-i}}^{\top}\right)}{(N+1)\left\|\bar{\Sigma}\right\|_{2}^{2}\left\|W_{o}(N)\right\|_{F}+\left\|\Sigma_{v}\right\|_{2}}\right)^{2}.

Proof: We begin by writing the Kalman estimator using the notation defined in (12)

L_{k}=H_{k}M\left(M^{\top}M+I_{N+1}\otimes\Sigma_{v}\right)^{-1}.

Suppose the rank of $M$ is $m$ . Then the singular value decomposition of $M$ can be taken to be

U\begin{bmatrix}S&0\\ 0&0\end{bmatrix}V^{\top}=M

where $S=\operatorname{diag}\left(\begin{bmatrix}s_{1}&s_{2}&\dots s_{m}\end{bmatrix}\right)$ with $s_{1}\geq s_{2}\geq\dots\geq s_{m}\geq 0$ , while $U\in\mathbb{R}^{n(N+1)\times n(N+1)}$ and $V\in\mathbb{R}^{p(N+1)\times p(N+1)}$ . We can now lower bound the Frobenius norm of $L_{k}$ as follows.

\displaystyle\left\|L_{k}\right\|_{F}^{2}\geq\left\|H_{k}M\right\|_{F}^{2}\sigma_{\min}\left\{\left(M^{\top}M+\Sigma_{v}I\right)^{-1}\right\}^{2}.

Note that $\sigma_{\min}\left\{\left(M^{\top}M+\Sigma_{v}I\right)^{-1}\right\}\geq\sigma_{\min}\left\{\left(M^{\top}M+\left\|\Sigma_{v}\right\|_{2}I\right)^{-1}\right\}$ . Therefore

$\displaystyle\left\\|L_{k}\right\\|_{F}^{2}$	$\displaystyle\geq\sigma_{\min}\left\{\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\left\\|\Sigma_{v}\right\\|_{2}I\right)^{-2}\right\}\left\\|H_{k}M\right\\|_{F}^{2}$	(13)
	$\displaystyle=\sigma_{\min}\left\{\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\left\\|\Sigma_{v}\right\\|I\right)^{-2}\right\}\left\\|H_{k}H^{\top}\left(C^{\top}\otimes I\right)\right\\|_{F}^{2}$
$\displaystyle=\sigma_{\min}\left\{\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\left\\|\Sigma_{v}\right\\|_{2}I\right)^{-2}\right\}$	$\displaystyle\left\\|\begin{bmatrix}A^{k}\Sigma_{0}C^{\top}&\ldots&A^{k}\Sigma_{0}\left(A^{N}\right)^{\top}C^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{N-i}\right)^{\top}C^{\top}\end{bmatrix}\right\\|_{F}^{2}$

Now observe that

\sigma_{\min}\left\{\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\left\|\Sigma_{v}\right\|I\right)^{-2}\right\}=\frac{1}{\left(s_{1}^{2}+\left\|\Sigma_{v}\right\|_{2}\right)^{2}}

(14)

Also note that $s_{1}=\left\|M\right\|_{2}\leq\left\|\bar{\Sigma}^{1/2}\right\|_{2}\left\|\bar{\Sigma}^{-1/2}M\right\|_{F}$ . We have that

\displaystyle\left\|\bar{\Sigma}^{-1/2}M\right\|_{F}^{2}=\left\|\begin{bmatrix}\mathcal{O}_{N}^{\top}\\ \left(\mathcal{Z}\mathcal{O}_{N}\right)^{\top}\\ \vdots\\ \left(\mathcal{Z}^{N}\mathcal{O}_{N}\right)^{\top}\end{bmatrix}\right\|_{F}^{2}\leq\sum_{i=0}^{N}\left\|\mathcal{Z}^{i}\mathcal{O}_{N}\right\|_{F}^{2}\leq(N+1)\left\|\mathcal{O}_{N}\right\|_{F}^{2}.

Then

\displaystyle s_{1}\leq\left\|\bar{\Sigma}^{1/2}\right\|_{2}\sqrt{N+1}\left\|\mathcal{O}_{N}\right\|_{F}

(15)

When $k\geq 0$ , we have

	$\displaystyle\left\\|\begin{bmatrix}A^{k}\Sigma_{0}C^{\top}&\ldots&A^{k}\Sigma_{0}\left(A^{N}\right)^{\top}C^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{T-i}\right)^{\top}C^{\top}\end{bmatrix}\right\\|_{F}^{2}$
	$\displaystyle\geq\left\\|\left(A^{k}\Sigma_{0}\left(A^{k}\right)^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{k-i}\right)^{\top}\right)C^{\top}\right\\|_{F}^{2}$
	$\displaystyle\geq\sigma_{\min}\left(A^{k}\Sigma_{0}\left(A^{k}\right)^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{k-i}\right)^{\top}\right)^{2}\left\\|C\right\\|_{F}^{2}.$

In conjunction with (13), (14), and (15), this leads to (9). $\blacksquare$

C.5 Proof of Lemma 3.3

Lemma 3.3. For any $L\in\mathbb{R}^{n\times p(N+1)}$ , the following bound holds

\displaystyle\operatorname{AR}(L)-\operatorname{SR}(L)\leq 2\varepsilon\left\|L\right\|_{2}\left\|\Sigma^{1/2}\right\|_{F}+\varepsilon^{2}\left\|L\right\|_{2}^{2}

where $\Sigma^{1/2}$ is the symmetric square root of the covariance of $x_{k}-LY_{N}$ .

Proof: By Theorem 3.1,

\displaystyle\operatorname{AR}(L)-\operatorname{SR}(L)\leq 2\varepsilon\mathbb{E}\left[\left\|L(x_{t}-LY_{N})\right\|_{2}\right]+\varepsilon^{2}\lambda_{\max}\left(L^{\top}L\right)\leq 2\varepsilon\left\|L\right\|_{2}\mathbb{E}\left[\left\|x_{t}-LY_{N}\right\|_{2}\right]+\varepsilon^{2}\left\|L\right\|_{2}^{2}

We can upper bound $\mathbb{E}\left[\left\|x_{t}-LY_{N}\right\|_{2}\right]$ by bounding the expectation of the euclidean norm of a normal random variable. In particular, let $w$ be a $n$ dimensional standard normal random variable, so that $\mathbb{E}\left[\left\|x_{t}-LY_{N}\right\|_{2}\right]=\mathbb{E}\left[\left\|\Sigma^{1/2}w\right\|_{2}\right]$ , where $\Sigma$ is defined as the covariance of $x_{k}-LY_{N}$ , and $\Sigma^{1/2}$ is its symmetric square root. Let $US^{1/2}U\operatorname{{}^{\top}}:=\Sigma^{1/2}$ be the eigenvalue decomposition of $\Sigma^{1/2}$ so that

\displaystyle\left\|\Sigma^{1/2}z\right\|_{2}

\displaystyle=\left\|US^{1/2}U\operatorname{{}^{\top}}w\right\|_{2}

Now define $z=U\operatorname{{}^{\top}}w$ . We have that $z\sim N(0,I)$ . Then the above quantity equals $\sqrt{\left\|US^{1/2}w\right\|_{2}^{2}}$ . Jensen’s inequality tells us that

\displaystyle\mathbb{E}\left[\sqrt{\left\|US^{1/2}w\right\|_{2}^{2}}\right]\leq\sqrt{\mathbb{E}\left[\left\|US^{1/2}w\right\|_{2}^{2}\right]}=\sqrt{\mathbb{E}\left[w\operatorname{{}^{\top}}S^{1/2}w\right]}=\left\|S^{1/2}\right\|_{F}=\left\|\Sigma^{1/2}\right\|_{F},

from which the theorem follows. $\blacksquare$

C.6 General Statement of Theorem 3.3

Theorem 3.3. Suppose that $\hat{L}_{k}$ is the Kalman state estimator given by Lemma 2.1. Then the gap between $\operatorname{AR}(\hat{L}_{k})$ and $\operatorname{SR}(\hat{L}_{k})$ is upper bounded by

	$\displaystyle\operatorname{AR}(\hat{L}_{k})-\operatorname{SR}(\hat{L}_{k})$	$\displaystyle\geq\varepsilon\left(\frac{{\left\\|A^{k}\Sigma_{0}\left(A^{k}\right)^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{k-i}\right)^{\top}_{2}\right\\|_{2}}}{\sigma_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}\right)$
		$\displaystyle\quad\times\left(2\sqrt{n}\left(\left\\|\bar{\Sigma}\right\\|_{2}+\left(\frac{\sqrt{\left\\|\Sigma_{v}\right\\|_{2}}}{\sigma_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}\right)^{2}\right)^{1/2}+\varepsilon\left(\frac{1}{\sigma_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}\right)\right).$

Furthermore, if $\lambda_{\min}(W_{o}(N))^{1/2}\geq\sigma_{v}/\sigma_{\min}\left(\bar{\Sigma}\right)$ , and defining $\kappa=\frac{\lambda_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}{\lambda_{\min}(W_{o}(N))\sigma_{\min}\left(\bar{\Sigma}\right)^{2}+\sigma_{v}}$ , we get the bound

	$\displaystyle\operatorname{AR}(\hat{L}_{k})-\operatorname{SR}(\hat{L}_{k})$	$\displaystyle\leq\varepsilon\left(\kappa\sqrt{\left\\|A^{k}\Sigma_{0}\left(A^{k}\right)^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{k-i}\right)^{\top}_{2}\right\\|_{2}}\right)$
		$\displaystyle\quad\times\left(2\sqrt{n}\left(\sigma_{\max}(\bar{\Sigma})^{2}+\sigma_{\min}(\Sigma_{v})\kappa^{2}\right)^{1/2}+\varepsilon\kappa\right)$

Proof: By Lemma 3.3, upper bounding the gap between $\operatorname{AR}(L_{k})$ and $\operatorname{SR}(L_{k})$ reduces to upper bounding $\left\|\Sigma^{1/2}\right\|_{F}$ and $\left\|L_{k}\right\|_{2}$ . First consider $\left\|\Sigma^{1/2}\right\|_{F}$ . Equivalence of norms tells us that

\displaystyle\left\|\Sigma^{1/2}\right\|_{F}\leq\sqrt{n}\left\|\Sigma^{1/2}\right\|_{2}=\sqrt{n}\left\|\Sigma\right\|_{2}^{1/2}.

(16)

Recalling the notation defined in (12), the Kalman filter may be expressed as $L_{k}=H_{k}M\left(M^{\top}M+\Sigma_{v}\right)^{-1}$ . We may also express $\Sigma$ in terms of this notation: $\Sigma=\left(H_{k}-L_{k}M\right)\bar{\Sigma}\left(H_{k}-L_{k}M\right)^{\top}+L_{k}\left(I\otimes\Sigma_{v}\right)L_{k}\operatorname{{}^{\top}}$ . To upper bound the spectral radius of this, we can leverage triangle inequality and submultiplicativity

	$\displaystyle\left\\|\Sigma\right\\|_{2}$	$\displaystyle\leq\left\\|\left(H_{k}-L_{k}M\right)\bar{\Sigma}\left(H_{k}-L_{k}M\right)^{\top}\right\\|_{2}+\left\\|L_{k}\left(I\otimes\Sigma_{v}\right)L_{k}\operatorname{{}^{\top}}\right\\|_{2}$
		$\displaystyle\leq\left\\|\bar{\Sigma}\right\\|_{2}\left\\|H_{k}-L_{k}M\right\\|_{2}^{2}+\left\\|\Sigma_{v}\right\\|_{2}\left\\|L_{k}\right\\|_{2}^{2}.$

Note that $H_{k}-L_{k}M=H_{k}-H_{k}M\left(M^{\top}M+\Sigma_{v}\right)^{-1}M=H_{k}\left(I-M\left(M^{\top}M+\Sigma_{v}\right)^{-1}M^{\top}\right)$ . Then by submultiplicativity,

\displaystyle\left\|H_{k}\left(I-M\left(M^{\top}M+\Sigma_{v}\right)^{-1}M^{\top}\right)\right\|_{2}\leq\left\|H_{k}\right\|_{2}\left\|I-M\left(M^{\top}M+\Sigma_{v}\right)^{-1}M^{\top}\right\|_{2}\leq\left\|H_{k}\right\|_{2}.

We can further upper bound $\left\|H_{k}\right\|_{2}$ in terms of system properties. In particular, we have

\displaystyle\left\|H_{k}\right\|_{2}=\sqrt{\left\|H_{k}\right\|_{2}^{2}}=\sqrt{\left\|H_{k}H_{k}^{\top}\right\|_{2}}=\sqrt{\left\|A^{k}\Sigma_{0}\left(A^{k}\right)^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{k-i}\right)^{\top}_{2}\right\|_{2}}.

Thus

\displaystyle\left\|\Sigma\right\|_{2}\leq\left\|\bar{\Sigma}\right\|_{2}\left\|H_{k}\right\|_{2}^{2}+\left\|\Sigma_{v}\right\|_{2}\left\|L\right\|_{2}^{2}\leq\left\|\bar{\Sigma}\right\|_{2}\left\|A^{k}\Sigma_{0}\left(A^{k}\right)^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{k-i}\right)^{\top}_{2}\right\|_{2}+\left\|\Sigma_{v}\right\|_{2}\left\|L\right\|_{2}^{2}.

(17)

Next we obtain a bound on $\left\|L_{k}\right\|_{2}$ . As in the proof of Theorem 9, we will assign $m:=\operatorname{rank}(M)$ and take the singular value decomposition of $M$ to be $U\begin{bmatrix}S&0\\ 0&0\end{bmatrix}V^{\top}$ where $S=\operatorname{diag}\left(\begin{bmatrix}s_{1}&\dots&s_{m}\end{bmatrix}\right)$ with $s_{1}\geq s_{2}\geq\dots\geq s_{m}\geq 0$ , while $U\in\mathbb{R}^{n(N+1)\times n(N+1)}$ and $V\in\mathbb{R}^{p(N+1)\times p(N+1)}$ .

	$\displaystyle\left\\|L_{k}\right\\|_{2}$	$\displaystyle=\left\\|H_{k}M\left(M^{\top}M+\Sigma_{v}\right)^{-1}\right\\|_{2}\leq\left\\|H_{k}\right\\|_{2}\left\\|M\left(M^{\top}M+\sigma_{\min}\left(\Sigma_{v}\right)\right)^{-1}\right\\|_{2}$
		$\displaystyle=\left\\|H_{k}\right\\|_{2}\left\\|U\begin{bmatrix}S&\\ &0\end{bmatrix}V^{\top}\left(V\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\sigma_{\min}(\Sigma_{v})\right)V^{\top}\right)^{-1}\right\\|$
		$\displaystyle=\left\\|H_{k}\right\\|_{2}\left\\|U\begin{bmatrix}S&\\ &0\end{bmatrix}\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\sigma_{\min}(\Sigma_{v})\right)^{-1}V^{\top}\right\\|_{2}$
		$\displaystyle=\left\\|H_{k}\right\\|_{2}\left\\|S(S^{2}+\sigma_{\min}(\Sigma_{v}))^{-1}\right\\|_{2}$
		$\displaystyle\leq\left\\|H_{k}\right\\|_{2}\max_{1\leq k\leq m}\frac{s_{k}}{s_{k}^{2}+\sigma_{\min}(\Sigma_{v})}.$

A simple bound on the last maximization would be

\displaystyle\max_{1\leq k\leq m}\frac{s_{k}}{s_{k}^{2}+\sigma_{\min}(\Sigma_{v})}

\displaystyle\leq\max_{1\leq k\leq m}\frac{s_{k}}{s_{k}^{2}}\leq\frac{1}{s_{m}}

(18)

Note that $s_{m}\geq\lambda_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)$ , so $\frac{1}{s_{m}}\leq\frac{1}{\lambda_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}$ . Then

\displaystyle\left\|L_{k}\right\|_{2}\leq\frac{\left\|H_{k}\right\|_{2}}{\lambda_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}\leq\frac{\sqrt{\left\|A^{k}\Sigma_{0}\left(A^{k}\right)^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{k-i}\right)^{\top}_{2}\right\|_{2}}}{\lambda_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}.

(19)

Then the first half of the theorem follows by combining the result of Lemma 3.3 with (16), (17) and (19).

However, if $\lambda_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)\geq\sigma_{v}$ , then the maximum (18) is attained at

	$\displaystyle\max_{1\leq k\leq m}\frac{s_{k}}{s_{k}^{2}+\sigma_{\min}(\Sigma_{v})}$	$\displaystyle=\frac{s_{m}}{s_{m}^{2}+\sigma_{v}}$
		$\displaystyle\leq\frac{\lambda_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}{\lambda_{\min}(W_{o}(N))\sigma_{\min}\left(\bar{\Sigma}\right)^{2}+\sigma_{v}}.$

Therefore, when $\lambda_{\min}(W_{o}(N))^{1/2}\geq\sigma_{v}/\sigma_{\min}\left(\bar{\Sigma}\right)$ , we have the more precise bound

	$\displaystyle\left\\|L_{k}\right\\|_{2}$	$\displaystyle\leq\left\\|H_{k}\right\\|_{2}\frac{\lambda_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}{\lambda_{\min}(W_{o}(N))\sigma_{\min}\left(\bar{\Sigma}\right)^{2}+\sigma_{v}}$
		$\displaystyle\leq\sqrt{\left\\|A^{k}\Sigma_{0}\left(A^{k}\right)^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{k-i}\right)^{\top}_{2}\right\\|_{2}}\frac{\lambda_{\min}(W_{o}(N))^{1/2}\sigma_{\min}\left(\bar{\Sigma}\right)}{\lambda_{\min}(W_{o}(N))\sigma_{\min}\left(\bar{\Sigma}\right)^{2}+\sigma_{v}},$

which leads to the second half of the theorem.

$\blacksquare$

	$\displaystyle\frac{d}{dz}\int_{\mathbb{R}^{n}}\left\\|z-x_{k}\right\\|_{2}^{2}f(x_{k}\|y_{0},\dots,y_{k})$	$\displaystyle=\int_{\mathbb{R}^{n}}\frac{d}{dz}\left\\|z-x_{k}\right\\|_{2}^{2}f(x_{k}\|y_{0},\dots,y_{k})dx_{k}$
		$\displaystyle=\int_{\mathbb{R}^{n}}2(z-x_{k})f(x_{k}\|y_{0},\dots,y_{k})dx_{k}$
		$\displaystyle=0,$

		$\displaystyle\exists t\geq 0\text{ s.t. }s-\left\\|d(L)-L\delta\right\\|_{2}^{2}-t(\varepsilon^{2}-\delta^{\top}\delta)\geq 0\text{ for all }\delta$
	$\displaystyle\iff\quad$	$\displaystyle\exists t\geq 0,\;tI-L^{\top}L\succeq 0,\;s-t\varepsilon^{2}-\left\\|d(L)\right\\|_{2}^{2}-d(L)^{\top}L(tI-L^{\top}L)^{\dagger}L^{\top}d(L)\geq 0$
	$\displaystyle\iff\quad$	$\displaystyle\exists t\geq\lambda_{\max}(L^{\top}L),\;s-t\varepsilon^{2}-\left\\|d(L)\right\\|_{2}^{2}-d(L)^{\top}L(tI-L^{\top}L)^{\dagger}L^{\top}d(L)\geq 0.$

$\displaystyle\left\\|L_{k}\right\\|_{F}^{2}$	$\displaystyle\geq\sigma_{\min}\left\{\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\left\\|\Sigma_{v}\right\\|_{2}I\right)^{-2}\right\}\left\\|H_{k}M\right\\|_{F}^{2}$	(13)
	$\displaystyle=\sigma_{\min}\left\{\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\left\\|\Sigma_{v}\right\\|I\right)^{-2}\right\}\left\\|H_{k}H^{\top}\left(C^{\top}\otimes I\right)\right\\|_{F}^{2}$
$\displaystyle=\sigma_{\min}\left\{\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\left\\|\Sigma_{v}\right\\|_{2}I\right)^{-2}\right\}$	$\displaystyle\left\\|\begin{bmatrix}A^{k}\Sigma_{0}C^{\top}&\ldots&A^{k}\Sigma_{0}\left(A^{N}\right)^{\top}C^{\top}+\sum_{i=1}^{k}A^{k-i}\Sigma_{w}\left(A^{N-i}\right)^{\top}C^{\top}\end{bmatrix}\right\\|_{F}^{2}$

	$\displaystyle\left\\|L_{k}\right\\|_{2}$	$\displaystyle=\left\\|H_{k}M\left(M^{\top}M+\Sigma_{v}\right)^{-1}\right\\|_{2}\leq\left\\|H_{k}\right\\|_{2}\left\\|M\left(M^{\top}M+\sigma_{\min}\left(\Sigma_{v}\right)\right)^{-1}\right\\|_{2}$
		$\displaystyle=\left\\|H_{k}\right\\|_{2}\left\\|U\begin{bmatrix}S&\\ &0\end{bmatrix}V^{\top}\left(V\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\sigma_{\min}(\Sigma_{v})\right)V^{\top}\right)^{-1}\right\\|$
		$\displaystyle=\left\\|H_{k}\right\\|_{2}\left\\|U\begin{bmatrix}S&\\ &0\end{bmatrix}\left(\begin{bmatrix}S^{2}&\\ &0\end{bmatrix}+\sigma_{\min}(\Sigma_{v})\right)^{-1}V^{\top}\right\\|_{2}$
		$\displaystyle=\left\\|H_{k}\right\\|_{2}\left\\|S(S^{2}+\sigma_{\min}(\Sigma_{v}))^{-1}\right\\|_{2}$
		$\displaystyle\leq\left\\|H_{k}\right\\|_{2}\max_{1\leq k\leq m}\frac{s_{k}}{s_{k}^{2}+\sigma_{\min}(\Sigma_{v})}.$

Adversarial Tradeoffs in Robust State Estimation

Abstract

1 Introduction

1.1 Related Work

2 Adversarially Robust Kalman Filtering

2.1 State Estimation and Observability

Assumption 2.1.

Definition 2.1.

2.2 Kalman Filtering and Smoothing

Standard State Estimation

Lemma 2.1.

Adversarially Robust State Estimation

2.3 Solving the Inner Maximization

3 Robustness-Accuracy Tradeoffs in Kalman Filtering

3.1 Tradeoffs for Linear Inverse Problems

Theorem 3.1.

Corollary 3.1.

Proof.

3.2 Bounding AR−SR\operatorname{AR}-\operatorname{SR} for State Estimation

Assumption 3.1.

Lemma 3.1.

Lemma 3.2.

Theorem 3.2.

Lemma 3.3.

Theorem 3.3.

4 Numerical Results

Pareto Curves for Adversarial Kalman Filtering

Tradeoffs of Kalman Smoother versus Adversarially Robust Kalman Smoother

Tradeoffs with Nonlinear State Estimators

Comparison with Kalman Filter, mixed ℋ2/ℋ∞\mathcal{H}_{2}/\mathcal{H}_{\infty}, and ℋ∞\mathcal{H}_{\infty} Filters

5 Conclusion

Acknowledgements

References

Appendix A Kalman Filtering State Space Solution

Appendix B Proofs from Section 2

B.1 Proof of Lemma 2.1

B.2 Proof of Correctness for Algorithm 1

Appendix C General Statements and Proofs for Section 3

C.1 Proof of Theorem 3.1

Lemma C.1 (S-lemma).

Lemma C.2 (Schur Complement).

C.2 General Statement of Lemma 3.1

C.3 General Statement of Lemma 3.2

C.4 General Statement of Theorem 9

C.5 Proof of Lemma 3.3

C.6 General Statement of Theorem 3.3

3.2 Bounding $\operatorname{AR}-\operatorname{SR}$ for State Estimation

Comparison with Kalman Filter, mixed $\mathcal{H}_{2}/\mathcal{H}_{\infty}$ , and $\mathcal{H}_{\infty}$ Filters