Trusted-AI / adversarial-robustness-toolbox

Adversarial Robustness Toolbox (ART) - Python Library for Machine Learning Security - Evasion, Poisoning, Extraction, Inference - Red and Blue Teams

Home Page: https://adversarial-robustness-toolbox.readthedocs.io/en/latest/

Attack > Evasion > Momentum Iterative Method: major issues

eliegoudout opened this issue

Stumbled upon 2 issues regarding the implementation of the momentum for Fast Gradient Method adversarial attack:

  • The momentum is not computed the right way (see #2382 (comment));
  • The implementation relies on in-place modification of the momentum variable as a side effect, which doesn't always seem to work as expected (see #2382 (comment)). As such, I believe that the current momentum iterative attack is actually only BIM!

The first issue should be fixed by #2382, while the second should be independently investigated and fixed, as it may require some refactoring. Furthermore, it could be well-advised to add a test for a different decay value.

Edit: It looks like the TensorFlow framework doesn't work with the in-place modification.

Quick notes for myself for when I fix it:

  • ProjectedGradientDescent.__init__ doesn't have decay attribute (but I guess it's fine, it's in self._attack)
  • TF: _compute_tf (has no decay argument) calls _compute_perturbation with decay=self.decay,
  • Torch: _compute_perturbation_pytorch (name inconsistency!) doesn't have decay as argument (signature inconsistency!)
  • Numpy: Rests on FastGradient. Method _compute takes decay as argument (signature inconsistency!) and calls _compute_perturbation with decay=decay.
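
A regression check of the kind the issue asks for (a test with a different decay value), as an added example that is not ART's code and not part of the original post. It applies the MI-FGSM momentum update from Dong et al. (2018) to a constructed toy gradient; every function name and the toy problem are assumptions made for illustration. A step that rebinds the momentum variable instead of mutating the caller's array returns the same result for every decay, i.e. plain BIM, and the check flags it.

```python
import numpy as np

TARGET = np.array([0.25, -0.15])  # constructed toy problem, not an ART model


def loss_gradient(x):
    # Gradient of the toy loss -||x - TARGET||_1; its sign flips once x passes TARGET.
    return np.sign(TARGET - x)


def normalised_gradient(x):
    grad = loss_gradient(x)
    return grad / max(np.abs(grad).sum(), 1e-12)  # L1 normalisation used by MI-FGSM


def step_inplace(x, momentum, decay, eps_step):
    # Momentum is accumulated by mutating the caller's array (side effect).
    momentum *= decay
    momentum += normalised_gradient(x)
    return x + eps_step * np.sign(momentum)


def step_rebind(x, momentum, decay, eps_step):
    # Same formula, but the assignment creates a new local array:
    # the caller's momentum stays at zero, so history is never accumulated.
    momentum = decay * momentum + normalised_gradient(x)
    return x + eps_step * np.sign(momentum)


def run_attack(step, decay, n_iter=5, eps=1.0, eps_step=0.1):
    x0 = np.zeros(2)
    x, momentum = x0.copy(), np.zeros(2)
    for _ in range(n_iter):
        x = step(x, momentum, decay, eps_step)
        x = x0 + np.clip(x - x0, -eps, eps)  # project back into the eps-ball
    return x


def decay_changes_result(step):
    # With working momentum, decay=0 (BIM) and decay=1 must give different outputs
    # on this problem, because the gradient changes sign during the run.
    return not np.allclose(run_attack(step, 0.0), run_attack(step, 1.0))


if __name__ == "__main__":
    for step in (step_inplace, step_rebind):
        print(step.__name__, "momentum effective:", decay_changes_result(step))
```

Returning the updated momentum from the step function and reassigning it in the loop avoids depending on the side effect at all.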