Publications

See also Google Scholar.

arXiv 2026
Scalable Delphi: Large Language Models for Structured Risk Estimation
Tobias Lorenz, Mario Fritz
paper·arXiv
LLM panels running the Delphi protocol achieve strong calibration (r=0.87–0.95) against benchmark ground truth and align closely with human expert panels, reducing elicitation time from months to minutes.
NeurIPS 2025
MIBP-Cert: Certified Training against Data Perturbations with Mixed-Integer Bilinear Programs
Tobias Lorenz, Marta Kwiatkowska, Mario Fritz
paper·arXiv·poster
MIBP-Cert uses mixed-integer bilinear programming to compute sound, deterministic robustness bounds during training, handling complex threat models including discrete and continuous data perturbations.
ICML 2025
Pixel-level Certified Explanations via Randomized Smoothing
Alaa Anani, Tobias Lorenz, Mario Fritz, Bernt Schiele
paper·arXiv·code·poster
First certification framework guaranteeing pixel-level robustness for any black-box attribution method via randomized smoothing, with new metrics for certified robustness, localization, and faithfulness.
GCPR 2024
FullCert: Deterministic End-to-End Certification for Training and Inference of Neural Networks
Tobias Lorenz, Marta Kwiatkowska, Mario Fritz
paper·arXiv·code
FullCert is the first end-to-end certifier providing deterministic robustness bounds against both training-time poisoning attacks and inference-time adversarial examples jointly.
ICML 2024
Adaptive Hierarchical Certification for Segmentation using Randomized Smoothing
Alaa Anani, Tobias Lorenz, Bernt Schiele, Mario Fritz
paper·arXiv·code
Adaptive hierarchical certification for semantic segmentation relaxes abstentions to coarser label levels, achieving higher certified information gain and lower abstain rates than flat certification.
AISec 2023
Certifiers Make Neural Networks Vulnerable to Availability Attacks
Tobias Lorenz, Marta Kwiatkowska, Mario Fritz
paper·arXiv
Fallback strategies in certified neural networks can be deliberately triggered by backdoor attacks, causing up to 100% of inputs to be rejected — a novel availability threat.
ICCV 2021
Robustness Certification for Point Cloud Models
Tobias Lorenz, Anian Ruoss, Mislav Balunović, Gagandeep Singh, Martin Vechev
paper·arXiv·code
3DCertify, the first verifier for point cloud models, certifies robustness against a wide range of semantic 3D transformations for both classification and part segmentation.
CVPR 2018
Feature Generating Networks for Zero-Shot Learning
Yongqin Xian, Tobias Lorenz, Bernt Schiele, Zeynep Akata
paper·arXiv·code 1,300+ citations
A GAN that synthesizes CNN features conditioned on class-level semantic information, enabling effective generalized zero-shot learning without labeled examples of unseen classes.