Black-box adversarial attacks are often hindered by inefficient query usage. This work reveals, for the first time, that adversarial perturbations inherently possess a low-rank structure and leverages this insight to develop a highly efficient attack method. Inspired by the LoRA framework, the proposed approach projects gradient estimates onto a low-dimensional subspace derived from a reference model and auxiliary data, substantially reducing query complexity while simultaneously improving attack success rates. Extensive experiments across diverse attack strategies, model architectures, and datasets consistently demonstrate significant performance gains, confirming the universality and effectiveness of the low-rank prior in black-box adversarial settings.

Low-Rank Adaptation (LoRA), which leverages the insight that model updates typically reside in a low-dimensional space, has significantly improved the training efficiency of Large Language Models (LLMs) by updating neural network layers using low-rank matrices. Since the generation of adversarial examples is an optimization process analogous to model training, this naturally raises the question: Do adversarial perturbations exhibit a similar low-rank structure? In this paper, we provide both theoretical analysis and extensive empirical investigation across various attack methods, model architectures, and datasets to show that adversarial perturbations indeed possess an inherently low-rank structure. This insight opens up new opportunities for improving both adversarial attacks and defenses. We mainly focus on leveraging this low-rank property to improve the efficiency and effectiveness of black-box adversarial attacks, which often suffer from excessive query requirements. Our method follows a two-step approach. First, we use a reference model and auxiliary data to guide the projection of gradients into a low-dimensional subspace. Next, we confine the perturbation search in black-box attacks to this low-rank subspace, significantly improving the efficiency and effectiveness of the adversarial attacks. We evaluated our approach across a range of attack methods, benchmark models, datasets, and threat models. The results demonstrate substantial and consistent improvements in the performance of our low-rank adversarial attacks compared to conventional methods.