shown for an "improved " version of Tanh(16) model which uses more convolutional filters per layer (32 instead of 25

We chose "Distributionally Adversarial Attack" (DAA) by Zheng as it appears atop the leaderboards for Results for the original Tanh(16) model are shown in Table 1. These changes improve robustness of the model. The term "white-box" means that the adversary knows everything about the model, i.e. full ensemble with all layers Intuition indeed suggests this code should be more powerful. In general, though, we find robustness asymptotes with increasing code length; this appears related to the "rank" of the However, adversarial (and'Random" inputs) are (way) off this manifold. We don't aim to achieve carefully calibrated probability estimates; we Our results in Figures 3(a)-(c) indicate our probability estimates are still far better than those of conventional models. Some corrective action is needed (such as Platt scaling). By contrast, our approach appears well-behaved even off the training manifold. Compared to typical architectures, ours does not induce widening of the network. Reviewer's point is still well-taken, and in the revision we will reword this section to consider We were unclear about meaning of Reviewer's comment on "the relationship between adversarial constraints at Table 1: Accuracies against various attacks; "-": experiment was not run.