Defense Dilemma (K*)

Paper Theorem 7.3 · Lean module MoF_19_OptimalDefense

The defense designer faces a fundamental trade-off when picking the defense's Lipschitz constant $K$ .

Statement

::: theorem Defense dilemma. Assume $f$ is differentiable at the boundary point $z$ with gradient norm $G = ∥ \nabla f (z) ∥$ , and let $ℓ$ be the defense-path Lipschitz constant. Set

K^{⋆} = \frac{G}{ℓ} - 1.

Then exactly one of the two horns must hold:

If $K < K^{⋆}$ : $G > ℓ (K + 1)$ , so the persistent steep region of T3 is non-empty and the defense fails on a positive-measure set.
If $K \geq K^{⋆}$ : $ℓ (K + 1) \geq G$ , so the T2 ε-robust bound $τ - ℓ (K + 1) δ$ becomes loose enough that the theorem can no longer rule out the defense from succeeding on the steep region — but the defense's Lipschitz constant has now grown so large that the band of barely-touched points around $z$ widens correspondingly. :::

The shape of the trade-off

The dilemma is sharpest precisely when the alignment surface is anisotropic ( $ℓ ≪ L$ ). In the isotropic case $ℓ = L$ and $K^{⋆} \leq 0$ , which means horn (1) is vacuous and only the band trade-off remains.

Why $K^{⋆} = G / ℓ - 1$

It's a one-line algebraic rearrangement of the transversality condition:

G > ℓ (K + 1) ⟺ K < \frac{G}{ℓ} - 1 = K^{⋆} .

So $K^{⋆}$ is exactly the value of $K$ at which the steep region collapses.

Behavior across the dilemma

$K$ regime	Steep region $S$	$ε$ -robust band	Net failure
$K = 0$ (constant)	maximal	maximal	both maxed
$K \in (0, K^{⋆})$	non-empty	shrinks linearly	T3 dominates
$K = K^{⋆}$	empty	maximal	T2 dominates
$K > K^{⋆}$	empty	grows with $K$	T2 dominates with wider band

In Lean

lean

-- Threshold value: K* = G/ℓ - 1
def K_star (G ℓ : ℝ) (hℓ : 0 < ℓ) : ℝ := G / ℓ - 1

-- The two horns
theorem optimal_K_dichotomy
    (G L : ℝ) (hL : 0 < L) :
    (∀ K, K < K_star G L hL → ∃ S, …)   -- horn (1): persistent region
    ∧
    (∀ K, K_star G L hL ≤ K → ∃ band, …) -- horn (2): wide band

-- Existence of an "optimal" K, taken from the boundary
theorem optimal_K_exists : …

Lean's statement is parameterized over generic positive reals $(G, L)$ ; instantiating $L \mapsto ℓ$ recovers the defense-path version above.

What this means in practice

There is no $K$ that escapes both tiers:

small $K$ → narrow band but a positive-measure persistent unsafe region;
large $K$ → no provable persistent region but a wide near-threshold band the defense cannot push far below $τ$ .

The dilemma is one of the cleanest concrete consequences of the trilemma: even if you somehow discovered the model's Lipschitz constants exactly, you would still face this irreducible trade-off in defense design.

Pipeline Degradation — what happens when $K$ becomes $K^{n}$ along an agent tool-chain.
Volume bounds — explicit lower bounds for both the band and the persistent region.

Defense Dilemma (K*) ​

Statement ​

The shape of the trade-off ​

Why K⋆=G/ℓ−1 ​

Behavior across the dilemma ​

In Lean ​

What this means in practice ​

Next ​