A Note on Non-Composability of Layerwise Approximate Verification for Neural Inference
This addresses a critical flaw in verifiable ML inference methods for security applications, showing the approach is fundamentally non-composable and incremental in highlighting a limitation.
The paper demonstrates that verifying neural network inference by proving each layer's computation is correct up to a tolerance does not guarantee the final output's correctness, as adversarial errors in layers can arbitrarily steer the output within a bounded range.
A natural and informal approach to verifiable (or zero-knowledge) ML inference over floating-point data is: ``prove that each layer was computed correctly up to tolerance $δ$; therefore the final output is a reasonable inference result''. This short note gives a simple counterexample showing that this inference is false in general: for any neural network, we can construct a functionally equivalent network for which adversarially chosen approximation-magnitude errors in individual layer computations suffice to steer the final output arbitrarily (within a prescribed bounded range).