Enhancing Adversarial Transferability Through Neighborhood Conditional Sampling

📅 2024-05-25
🏛️ arXiv.org
📈 Citations: 4
Influential: 1
🤖 AI Summary
Existing flatness-enhancement methods suffer from inconsistent flatness definitions, heuristic attack designs, and a lack of theoretical grounding and optimization guarantees, thereby limiting the efficacy and efficiency of black-box transfer attacks. To address this, we propose the Neighborhood-Conditional Sampling (NCS) framework: (i) it introduces a novel max-min bilevel optimization to explicitly maximize flatness; (ii) it designs a zero-overhead momentum-based prior-gradient inversion approximation (PGIA); and (iii) it unifies multiple state-of-the-art attacks as special cases. We theoretically establish that NCS’s flatness regularization and neighborhood sampling operate synergistically. Empirically, NCS achieves significantly higher transfer success rates while maintaining lightweight computation—only 50% of the cost of current SOTA methods. As a plug-and-play module, NCS is universally applicable for enhancing diverse adversarial attacks.

📝 Abstract
Transfer-based attacks craft adversarial examples utilizing a white-box surrogate model to compromise various black-box target models, posing significant threats to many real-world applications. However, existing transfer attacks suffer from either weak transferability or expensive computation. To bridge the gap, we propose a novel sample-based attack, named neighborhood conditional sampling (NCS), which enjoys high transferability with lightweight computation. Inspired by the observation that flat maxima result in better transferability, NCS is formulated as a max-min bi-level optimization problem to seek adversarial regions with high expected adversarial loss and small standard deviations. Specifically, due to the inner minimization problem being computationally intensive to resolve, and affecting the overall transferability, we propose a momentum-based previous gradient inversion approximation (PGIA) method to effectively solve the inner problem without any computation cost. In addition, we prove that two newly proposed attacks, which achieve flat maxima for better transferability, are actually specific cases of NCS under particular conditions. Extensive experiments demonstrate that NCS efficiently generates highly transferable adversarial examples, surpassing the current best method in transferability while requiring only 50% of the computational cost. Additionally, NCS can be seamlessly integrated with other methods to further enhance transferability.
Problem

Research questions and friction points this paper is trying to address.

Unify fragmented flatness definitions in adversarial attacks
Balance exploration-exploitation in flatness optimization dynamics
Enhance zeroth-order average-case flatness for transferability
Innovation

Methods, ideas, or system contributions that make the work stand out.

Unifies flatness definitions for adversarial transferability
Proposes Maximin Expected Flatness attack balancing exploration-exploitation
Enhances zeroth-order flatness to minimize cross-model discrepancies
Chunlin Qiu
Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
Yiheng Duan
Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
Lingchen Zhao
Associate Professor, School of Cyber Science and Engineering, Wuhan University
Secure Computation, AI Security
Qian Wang
Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China