Review for NeurIPS paper: A Game Theoretic Analysis of Additive Adversarial Attacks and Defenses

The paper provides a game-theoretic analysis of additive attacks in the "No-Box" setting. Its most significant result is the proof that the FGM attack and randomized smoothing form a Nash equilibrium under the assumption of a local linearity of the decision boundary. The paper's main contribution is theoretical, its empirical evaluation is performed on the MNIST dataset for a limited number of classes. Also, the validity of some theoretical assumptions is not convincingly presented in the paper. The authors should also clarify the relationship of their work to prior game-theoretic approaches to adversarial learning, e.g., Brückner, M., Kanzow, C. and Scheffer, T., 2012.