Ninedifferentdebiasing algorithms (and a baseline) have been evaluated with this dataset using the popular ResNet-18 network[36]. CelebA contains faces of celebrities with several binary task labelsandtwoprotected labels(genderandyouth). Table 3showsthe prediction results from a biased binary classifier and its bias values using the seven metrics. Without losing generality, we consider "Sport" the positive class in the binary classifier. Following the DP formula in Appendix A.2, for the "Sport" class, thePPRfemale is 45.0% (90 /200), andPPRmale is65.0%

Fairness and robustness are two important goals in the desig n of modern distributed learning systems. Despite a few prior works attemp ting to achieve both fairness and robustness, some key aspects of this direction remain underexplored. In this paper, we try to answer three largely unnoticed and un addressed questions that are of paramount significance to this topic: (i) What mak es jointly satisfying fairness and robustness difficult?

A.1 Fullexperimentalresults In this section we provide the full experimental results that extend the results demonstrated in the Section 4.2. Table 8 demonstrates the evaluation on 16 robustly trained CIFAR10 models from RobustBench [28] that was summarized in the Table 2. We consider four configurations of the attack for each of the models. SA and AA correspond to the update size schedules proposed by Andriushchenko et al.[1]and Croce and Hein[2]respectively. "Uni" denotes sampling the color fortheupdateuniformly. A.2 Meta-trainingtheControllers The meta-training of controllers was described in Section 3 and Section 4.1.

A very promising direction in the field of black-box adversarial attacks are randomized search schemes for crafting adversarial examples [1, 23, 24]. Combining random search with specific update proposal distributions allows to achieve state-of-the-art black-box efficiency for different threat models such as` and `2 [1], `1 [25], `0, adversarial patches, and adversarial frames [24].

Federated Dropout) and reduces the gap between model-heterogeneous and model-homogeneous FL, especially under the large-model large-dataset regime.

We define an easy and hard split.