Search papers, labs, and topics across Lattice.
This paper demonstrates the non-composability of layerwise approximate verification for neural network inference. It shows that even if each layer's computation is verified to be within a tolerance $δ$, adversarial errors in individual layers can accumulate to arbitrarily steer the final output. The counterexample highlights a fundamental limitation of layerwise verification approaches for ensuring reliable neural network inference.
Layerwise verification of neural network inference is fundamentally flawed: even tiny, permissible errors can be chained together to completely hijack the final output.
A natural and informal approach to verifiable (or zero-knowledge) ML inference over floating-point data is: ``prove that each layer was computed correctly up to tolerance $δ$; therefore the final output is a reasonable inference result''. This short note gives a simple counterexample showing that this inference is false in general: for any neural network, we can construct a functionally equivalent network for which adversarially chosen approximation-magnitude errors in individual layer computations suffice to steer the final output arbitrarily (within a prescribed bounded range).
