Lipschitz-Based Robustness Certification Under Floating-Point Execution
arXiv:2603.13334v1 Announce Type: new Abstract: Sensitivity-based robustness certification has emerged as a practical approach for certifying neural network robustness, including in settings that require verifiable guarantees. A key advantage of these methods is that certification is performed by concrete numerical computation (rather than symbolic reasoning) and scales efficiently with network size. However, as with the vast majority of prior work on robustness certification and verification, the soundness of these methods is typically proved with respect to a semantic model that assumes exact real arithmetic. In reality deployed neural network implementations execute using floating-point arithmetic. This mismatch creates a semantic gap between certified robustness properties and the behaviour of the executed system. As motivating evidence, we exhibit concrete counterexamples showing that real arithmetic robustness guarantees can fail under floating-point execution, even for previo
arXiv:2603.13334v1 Announce Type: new Abstract: Sensitivity-based robustness certification has emerged as a practical approach for certifying neural network robustness, including in settings that require verifiable guarantees. A key advantage of these methods is that certification is performed by concrete numerical computation (rather than symbolic reasoning) and scales efficiently with network size. However, as with the vast majority of prior work on robustness certification and verification, the soundness of these methods is typically proved with respect to a semantic model that assumes exact real arithmetic. In reality deployed neural network implementations execute using floating-point arithmetic. This mismatch creates a semantic gap between certified robustness properties and the behaviour of the executed system. As motivating evidence, we exhibit concrete counterexamples showing that real arithmetic robustness guarantees can fail under floating-point execution, even for previously verified certifiers, with discrepancies becoming pronounced at lower-precision formats such as float16. We then develop a formal, compositional theory relating real arithmetic Lipschitz-based sensitivity bounds to the sensitivity of floating-point execution under standard rounding-error models, specialised to feed-forward neural networks with ReLU activations. We derive sound conditions for robustness under floating-point execution, including bounds on certificate degradation and sufficient conditions for the absence of overflow. We formalize the theory and its main soundness results, and implement an executable certifier based on these principles, which we empirically evaluate to demonstrate its practicality.
Executive Summary
This article addresses a critical gap in neural network robustness certification by bridging the semantic gap between certified robustness properties derived from real arithmetic and the actual floating-point execution of deployed neural networks. The authors develop a formal, compositional theory that relates real arithmetic Lipschitz-based sensitivity bounds to the sensitivity of floating-point execution under standard rounding-error models. They derive sound conditions for robustness under floating-point execution and provide empirical evaluation of a certifier based on these principles. This work has significant implications for the practical and policy considerations of neural network deployment.
Key Points
- ▸ The authors identify a critical gap in neural network robustness certification due to the mismatch between real arithmetic and floating-point execution.
- ▸ A formal, compositional theory is developed to relate real arithmetic Lipschitz-based sensitivity bounds to floating-point execution.
- ▸ Sound conditions for robustness under floating-point execution are derived, including bounds on certificate degradation and sufficient conditions for the absence of overflow.
Merits
Strength
The work addresses a critical gap in neural network robustness certification and provides a comprehensive theory to bridge the semantic gap between real arithmetic and floating-point execution.
Demerits
Limitation
The theory is specialized to feed-forward neural networks with ReLU activations, which may not be applicable to other types of neural networks.
Expert Commentary
This article is a significant contribution to the field of neural network robustness certification. The authors have identified a critical gap in existing methods and have developed a comprehensive theory to bridge this gap. The work is well-motivated and well-executed, with a clear and concise presentation of the results. The empirical evaluation of the certifier is particularly impressive, as it demonstrates the practicality of the method. However, as with any work, there are limitations to consider. The theory is specialized to feed-forward neural networks with ReLU activations, which may not be applicable to other types of neural networks. Nevertheless, the work has significant implications for the practical and policy considerations of neural network deployment.
Recommendations
- ✓ Further research should be conducted to extend the theory to other types of neural networks.
- ✓ The method should be integrated into existing neural network development pipelines to ensure widespread adoption.
