A Note on Non-Composability of Layerwise Approximate Verification for Neural Inference
Or Zamir
TL;DR
This paper demonstrates that verifying each layer's correctness independently in neural networks does not guarantee the overall inference accuracy, due to potential adversarial errors that can manipulate the final output.
Contribution
It provides a counterexample showing the non-composability of layerwise approximate verification in neural inference, challenging assumptions in verifiable ML methods.
Findings
Layerwise verification can be circumvented by adversarial errors.
Counterexample shows equivalence of networks with different robustness.
Verifying individual layers is insufficient for overall correctness.
Abstract
A natural and informal approach to verifiable (or zero-knowledge) ML inference over floating-point data is: ``prove that each layer was computed correctly up to tolerance ; therefore the final output is a reasonable inference result''. This short note gives a simple counterexample showing that this inference is false in general: for any neural network, we can construct a functionally equivalent network for which adversarially chosen approximation-magnitude errors in individual layer computations suffice to steer the final output arbitrarily (within a prescribed bounded range).
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI) · Generative Adversarial Networks and Image Synthesis