Neural Network Decomposition: The Unary-Binary Framework

The fundamental insight that makes neural network verification possible is surprisingly simple: every neuron can be decomposed into two separate operations---one that combines inputs (an affine transformation) and one that applies non-linearity (an activation function). This decomposition, which we call the unary-binary framework, provides the theoretical foundation for all verification approaches.

Yet this simple decomposition has profound implications. It explains why ReLU networks cause exponential complexity in complete verification. It reveals why certain verification methods work better on specific architectures. It provides a unifying lens through which we can understand the entire landscape of neural network verification.

In this post, we’ll explore the theoretical foundations of this framework, examine how different verification methods exploit this decomposition, and understand the complexity implications that arise from separating neural network computation into its fundamental building blocks.

The Fundamental Insight: Nodes as Operations

When we think about a neural network, we typically visualize neurons arranged in layers, with each neuron computing an activation based on weighted inputs from the previous layer. But for verification purposes, this intuitive picture obscures a critical distinction.

The Two-Node Decomposition Principle

Consider a standard neuron in a feedforward network. Mathematically, it computes:

a_i = \phi\left(b + \sum_{j} w_j \cdot a_j\right)

where $\phi$ is the activation function, $w_j$ are weights, $b$ is the bias, and $a_j$ are outputs from the previous layer.

From a verification perspective, this single neuron actually performs two conceptually distinct operations:

Affine transformation (binary operation): $x_i = b + \sum_{j} w_j \cdot a_j$
Activation function (unary operation): $a_i = \phi(x_i)$

The survey paper formalizes this decomposition: “We call the basic elements within the sample neural network as nodes. We accordingly separate each neuron within hidden layers into two nodes, which perform an affine function and activation function respectively.”

This separation is not merely pedagogical---it is the foundational principle that enables formal verification. Here’s why.

Why This Decomposition Matters

The distinction between affine and activation operations has critical theoretical implications:

Binary operations (affine transformations):

Are linear by definition
Require no approximation for exact analysis
Can be composed symbolically without precision loss
Preserve bounds exactly in forward propagation

Unary operations (activation functions):

Are non-linear (except identity)
Require approximation or branching for tractable analysis
Introduce precision loss in incomplete methods
Are the source of computational complexity in verification

This asymmetry is profound: all complexity in neural network verification arises from handling unary operations (activations). The affine operations are “free” from a verification complexity perspective---they can be handled exactly and efficiently.

Theoretical Insight: The separation of neurons into two nodes transforms neural network verification from analyzing a complex composition of operations into analyzing a sequence of alternating exact linear operations and approximate non-linear operations. This decomposition enables both complete verification (by branching on activations) and incomplete verification (by approximating activations linearly).

Formal Mathematical Framework

Let’s formalize this decomposition rigorously. Consider a fully-connected feedforward neural network with $L$ layers.

Network Structure as Node Graph

Definition 1 (Node Decomposition): A neural network $f: \mathbb{R}^{d_0} \rightarrow \mathbb{R}^{d_L}$ with $L$ layers can be decomposed into a directed acyclic graph $G = (V, E)$ where:

$V = V_{in} \cup V_{aff} \cup V_{act} \cup V_{out}$ is the set of nodes
- $V_{in}$ : Input nodes (dimension $d_0$ )
- $V_{aff}$ : Affine nodes (one per hidden neuron)
- $V_{act}$ : Activation nodes (one per hidden neuron)
- $V_{out}$ : Output nodes (dimension $d_L$ )
$E$ contains directed edges representing data flow

Each neuron in layers $1, \ldots, L-1$ corresponds to two nodes: an affine node and an activation node connected sequentially.

Affine Node Computation (Binary Operation):

For affine node $i$ with $J$ incoming connections from activation nodes (or input nodes):

x_i = b_i + \sum_{j \in [J]} w_{ij} \cdot a_j

where $b_i \in \mathbb{R}$ is the bias, $w_{ij} \in \mathbb{R}$ are weights, and $a_j$ are outputs from previous activation nodes.

Activation Node Computation (Unary Operation):

For activation node $i$ connected to affine node $i$ :

a_i = \phi(x_i)

where $\phi: \mathbb{R} \rightarrow \mathbb{R}$ is the activation function (e.g., ReLU, sigmoid, tanh).

Network as Functional Composition

The entire network can then be written as a composition of alternating affine and activation operations:

f(x) = A_L \circ \Phi_{L-1} \circ A_{L-1} \circ \Phi_{L-2} \circ \cdots \circ \Phi_1 \circ A_1(x)

where:

$A_\ell$ represents the affine transformation at layer $\ell$
$\Phi_\ell$ represents element-wise activation at layer $\ell$

This compositional view makes explicit that neural networks alternate between exact linear operations and non-linear operations.

Theoretical Encodings Across Verification Methods

The unary-binary decomposition manifests differently depending on how verification problems are encoded. Let’s examine three major encoding families.

SAT/LP Encoding: The Exponential Branching Problem

In SAT/LP encoding, both affine and activation nodes are encoded as constraints in propositional logic or linear programming.

Affine Node Encoding:

Affine nodes are trivially encoded as linear equations:

x_i = b_i + \sum_{j} w_{ij} \cdot a_j

This is exact---no approximation needed.

Activation Node Encoding (ReLU Example):

ReLU $a_i = \max(0, x_i)$ is piecewise-linear, requiring disjunctive encoding:

\left( x_i \leq 0 \land a_i = 0 \right) \lor \left( x_i > 0 \land a_i = x_i \right)

This introduces a logical disjunction (OR operation), which fundamentally cannot be expressed as a single linear constraint.

The Exponential Explosion:

Each ReLU node introduces one disjunction. With $n$ ReLU activation nodes, the SAT encoding generates a disjunction of $2^n$ conjunctive normal form (CNF) formulas.

Complexity Theorem: Given a neural network with $n$ ReLU activation nodes, its SAT/LP encoding creates $2^n$ CNF branches corresponding to all possible activation patterns (active/inactive combinations).

Proof sketch: Each ReLU can be in one of two modes: active ( $x_i > 0, a_i = x_i$ ) or inactive ( $x_i \leq 0, a_i = 0$ ). The $n$ ReLU nodes create $2^n$ possible activation patterns, each requiring a separate CNF formula to encode the network under that specific pattern.

This exponential branching arises entirely from unary operations (activations). The binary operations (affine transformations) contribute zero to the branching factor.

Preservation of Soundness and Completeness:

The SAT/LP encoding preserves both soundness and completeness because it faithfully encodes both affine and activation functions without approximation. However, the exponential complexity makes it intractable for networks with more than ~20 ReLU nodes.

MILP Encoding: Eliminating Exponential Branching

Mixed-Integer Linear Programming (MILP) encoding addresses the exponential branching issue through a clever encoding of activation functions.

Affine Node Encoding:

Identical to SAT/LP---affine nodes remain as linear equations:

x_i = b_i + \sum_{j} w_{ij} \cdot a_j

Activation Node Encoding (Big-M Formulation):

The key innovation is encoding ReLU using a binary integer variable $d_i \in \{0, 1\}$ plus linear constraints.

Definition 2 (Big-M Encoding of ReLU): Given a sufficiently large constant $M$ (greater than the upper bound of ReLU input), a ReLU function $a_i = \max(0, x_i)$ can be encoded as:

\begin{aligned} a_i &\geq x_i \\ a_i &\leq x_i + M \cdot d_i \\ a_i &\geq 0 \\ a_i &\leq M \cdot (1 - d_i) \end{aligned}

where $d_i = 0$ represents the ReLU in active mode ( $x_i > 0, a_i = x_i$ ), and $d_i = 1$ represents inactive mode ( $x_i \leq 0, a_i = 0$ ).

Why This Eliminates Exponential Branching:

The Big-M encoding transforms the disjunctive logical OR into a set of linear inequalities constrained by an integer variable. Instead of explicitly creating $2^n$ branches in the encoding, the MILP solver uses branch-and-bound internally to handle the $\{0,1\}$ variables.

The exponential complexity still exists (MILP solving is NP-hard), but it’s handled by the solver’s internal branching strategy rather than explicitly in the encoding. This provides significant practical improvements, allowing verification of networks with up to ~6,000 neurons.

Theoretical Guarantee:

MILP encoding preserves both soundness and completeness, as it exactly represents the ReLU function without approximation. The integer variable $d_i$ explicitly captures the binary activation mode.

QCQP/SDP Encoding: Quadratic Constraints

Quadratically Constrained Quadratic Programming (QCQP) and Semidefinite Programming (SDP) provide another complete encoding using quadratic constraints.

Affine Node Encoding:

Again, affine nodes are linear (no change):

x_i = b_i + \sum_{j} w_{ij} \cdot a_j

Activation Node Encoding (Quadratic Formulation):

Definition 3 (QCQP Encoding of ReLU): A ReLU function $a_i = \max(0, x_i)$ can be encoded as quadratic constraints:

\begin{aligned} a_i &\geq x_i \\ a_i &\geq 0 \\ a_i (a_i - x_i) &= 0 \end{aligned}

The key constraint $a_i (a_i - x_i) = 0$ is quadratic, encoding the fact that either $a_i = 0$ (inactive) or $a_i = x_i$ (active).

Connection to SDP:

When the QCQP is convex, it can be solved using semidefinite programming. The quadratic encoding enables analysis of quadratic relations between variables, providing tighter reasoning than linear methods.

Complexity Trade-off:

QCQP/SDP encoding preserves soundness and completeness but suffers from high computational complexity. Interior point methods for SDP have $O(n^6)$ complexity for $n$ hidden units, making this approach practical only for small networks.

Simplification Techniques by Operation Type

Now we examine how different verification methods simplify or approximate the two operation types.

Binary Operations: No Simplification Needed

Affine transformations are already linear, so complete verification methods handle them exactly without any simplification.

Exact Forward Propagation:

Given bounds $a_j \in [a_j^{\ell}, a_j^{u}]$ on previous activation outputs, the bounds on affine node $x_i$ can be computed exactly:

\begin{aligned} x_i^{\ell} &= b_i + \sum_{j} \left( \max(0, w_{ij}) \cdot a_j^{\ell} + \min(0, w_{ij}) \cdot a_j^{u} \right) \\ x_i^{u} &= b_i + \sum_{j} \left( \max(0, w_{ij}) \cdot a_j^{u} + \min(0, w_{ij}) \cdot a_j^{\ell} \right) \end{aligned}

This is interval arithmetic for affine functions---exact and efficient.

Key Property: Affine operations preserve convexity and exactness. If the input domain is a convex polytope, the output domain is also a convex polytope, and bounds can be computed without any precision loss.

Unary Operations: The Source of Approximation

Activation functions introduce non-linearity and require either branching (complete methods) or approximation (incomplete methods).

ReLU Simplification: Triangle Relaxation

For incomplete methods that avoid exponential branching, ReLU is approximated using linear relaxation.

Case Analysis Based on Bounds:

Given input bounds $x_i \in [l, u]$ for a ReLU $a_i = \max(0, x_i)$ , there are three cases:

Case 1: $l \geq 0$ (fully active)

a_i = x_i \quad \text{(exact, no approximation needed)}

Case 2: $u \leq 0$ (fully inactive)

a_i = 0 \quad \text{(exact, no approximation needed)}

Case 3: $l < 0 < u$ (crossing ReLU)

This is the unstable case requiring approximation. The tightest convex linear bounds are:

\begin{aligned} \text{Lower bound: } & a_i \geq 0 \\ \text{Upper bound: } & a_i \leq \frac{u}{u - l} (x_i - l) \end{aligned}

The upper bound is the secant line connecting $(l, 0)$ and $(u, u)$ . This is the optimal convex hull of the ReLU function over $[l, u]$ .

Optimality Theorem: The triangle relaxation is the tightest possible convex linear approximation of ReLU over any interval $[l, u]$ with $l < 0 < u$ .

Implication: No single-neuron linear relaxation method can improve upon triangle relaxation for ReLU without sacrificing soundness. This is a fundamental barrier known as the convex barrier.

Sigmoid/Tanh Simplification: Tangent and Secant Lines

For smooth activations like sigmoid $\sigma(x) = \frac{1}{1 + e^{-x}}$ or tanh, linear approximation uses tangent and secant lines.

Slope Computation:

Given bounds $[l, u]$ for sigmoid or tanh function $g$ , compute:

\lambda = \frac{g(u) - g(l)}{u - l} \quad \text{(secant slope)}

DeepZ Approach:

Lower bound: Tangent line at lower bound: $a_i \geq g(l) + g'(l) (x_i - l)$
Upper bound: Secant line: $a_i \leq g(l) + \lambda (x_i - l)$

CROWN Tangent Line Approach:

CROWN uses two tangent lines computed via binary search to construct tighter bounds. The algorithm finds tangent points that minimize the area between the approximation and the true function, achieving $O(\log n)$ complexity.

Comparison to ReLU:

Unlike ReLU where the triangle relaxation is provably optimal, sigmoid/tanh approximations have varying tightness depending on the interval. Wider intervals lead to looser bounds, and there is no single “optimal” linear relaxation for smooth activations.

Compositional Reasoning Theory

The unary-binary decomposition enables compositional reasoning---building analysis of the full network from analysis of individual nodes.

Layer-by-Layer Propagation

Neural network analysis proceeds through alternating node types:

\text{Input} \xrightarrow{A_1} \text{Affine}_1 \xrightarrow{\Phi_1} \text{Activation}_1 \xrightarrow{A_2} \cdots \xrightarrow{\Phi_{L-1}} \text{Activation}_{L-1} \xrightarrow{A_L} \text{Output}

Forward Bound Propagation:

Start with input bounds $x_0 \in X_0$
For each layer $\ell = 1, \ldots, L$ :

a. Propagate through affine node (exact) b. Propagate through activation node (exact or approximate)
Check if output bounds satisfy property specification

This layerwise structure is fundamental to bound propagation methods like IBP, CROWN, and DeepPoly.

Symbolic Composition and Dependency Tracking

More sophisticated methods maintain symbolic expressions rather than just concrete bounds.

Symbolic Representation:

Each node can be represented as a symbolic expression in terms of input variables.

For affine node $i$ :

x_i = \sum_{k=1}^{d_0} \alpha_{ik} \cdot x_0^{(k)} + \beta_i

where $x_0^{(k)}$ are input variables, and $\alpha_{ik}, \beta_i$ are computed symbolically through the network.

Advantage of Symbolic Composition:

Symbolic dependency tracking provides tighter bounds than interval arithmetic, which loses correlation information between neurons.

Example: Consider two neurons that both depend on $x_0^{(1)}$ . Interval arithmetic treats them as independent, potentially overestimating their combined range. Symbolic composition maintains the shared dependency, yielding tighter bounds.

Dependency Loss Theorem: Interval arithmetic loses precision exponentially with network depth when neurons have correlated dependencies on input variables.

Reason: Interval arithmetic treats each neuron independently, ignoring symbolic dependencies. As layers compose, this independence assumption compounds, inflating bounds exponentially.

This is why DeepPoly (which tracks symbolic dependencies via polyhedral constraints) significantly outperforms pure interval methods.

Abstract Interpretation Framework

Abstract interpretation provides a formal mathematical framework for compositional reasoning.

Definition 4 (Abstract Interpretation for Neural Networks): Given a neural network with $n$ nodes, an abstract interpretation defines:

Abstract domain $D^{\#}$ (e.g., intervals, zonotopes, polyhedra)
Abstraction function $\alpha: \mathcal{P}(\mathbb{R}) \rightarrow D^{\#}$ (maps concrete values to abstract elements)
Concretization function $\gamma: D^{\#} \rightarrow \mathcal{P}(\mathbb{R})$ (maps abstract elements to concrete sets)
Abstract semantic function for each operation type

Abstraction-Composition-Concretization:

Verification proceeds in three stages:

Abstraction: Map input region to abstract domain
Composition: Apply abstract semantics for each node (affine and activation) sequentially
Concretization: Map output abstract element back to concrete bounds

Soundness Guarantee:

Abstract interpretation is sound if the abstract semantics over-approximate the concrete semantics:

\alpha(f(X)) \sqsubseteq f^{\#}(\alpha(X))

where $f^{\#}$ is the abstract semantic function and $\sqsubseteq$ is the partial order in the abstract domain.

Polyhedral Abstract Domain (DeepPoly):

DeepPoly uses polyhedra as the abstract domain. Each node $i$ is abstracted as:

a_i = \langle a_i^{\leq}, a_i^{\geq}, u_i, l_i \rangle

where:

$a_i^{\leq}, a_i^{\geq}$ are polyhedral constraints (linear expressions in previous layer variables)
$u_i, l_i$ are concrete upper and lower bounds (concretization)

This polyhedral abstraction tracks symbolic dependencies while maintaining computational efficiency.

Complexity Implications of the Decomposition

The unary-binary decomposition directly determines the computational complexity of verification.

Why ReLU Causes $2^n$ Explosion in Complete Verification

Theorem (Exponential Branching): For a neural network with $n$ ReLU activation nodes, complete SAT/LP verification requires exploring $2^n$ activation patterns.

Proof:

Each ReLU node $i$ can be in one of two states:

Active: $x_i > 0 \Rightarrow a_i = x_i$
Inactive: $x_i \leq 0 \Rightarrow a_i = 0$

The network’s behavior over any input region depends on the activation pattern---the vector $(d_1, d_2, \ldots, d_n) \in \{0,1\}^n$ indicating active/inactive status for each ReLU.

There are $2^n$ possible activation patterns. Each pattern defines a linear region where the network is fully linear (all ReLUs in fixed states). To completely verify the network, we must check all $2^n$ linear regions.

Why affine operations don’t contribute:

Affine operations are already linear---they don’t bifurcate the problem. Only the piecewise-linear ReLU activations create the branching structure.

Fundamental Complexity Result: Neural network verification with ReLU activations is NP-complete. The exponential explosion in the number of linear regions is unavoidable for exact analysis.

How MILP Eliminates Explicit Branching (But Not Complexity)

MILP encoding doesn’t eliminate the exponential complexity---it delegates it to the solver’s internal branch-and-bound algorithm.

What changes:

SAT/LP encoding: Explicitly creates $2^n$ CNF branches in the problem formulation
MILP encoding: Creates one MILP problem with $n$ integer variables; solver handles branching internally

Why this helps in practice:

MILP solvers use sophisticated branching heuristics, cutting planes, and bound tightening to prune the $2^n$ search space efficiently. In practice, MILP-based verification can handle networks with thousands of ReLU nodes, whereas explicit SAT/LP enumeration fails beyond ~20 nodes.

Theoretical complexity: Still NP-hard. Worst-case $2^n$ complexity remains.

Linear Approximation: Polynomial Time, Bounded Error

Incomplete methods approximate activation functions linearly to avoid exponential branching.

Complexity:

Time: $O(nL)$ where $n$ is neurons per layer, $L$ is depth
Soundness: Preserved (over-approximation guaranteed)
Completeness: Sacrificed (may produce false positives)

Trade-off:

By linearly approximating activations, incomplete methods achieve polynomial time complexity but lose precision. Networks that are truly robust may fail verification due to loose bounds.

The Convex Barrier: Fundamental Limit of Single-Neuron Methods

Theorem (Convex Barrier): For ReLU activation over interval $[l, u]$ with $l < 0 < u$ , the triangle relaxation is the optimal convex hull. No sound single-neuron linear relaxation can be tighter.

Implication:

Methods that approximate each ReLU independently (DeepZ, Fast-Lin, CROWN) cannot exceed triangle relaxation tightness for individual neurons. To improve beyond this barrier, verification methods must use:

Multi-neuron analysis (PRIMA, k-ReLU): Analyze multiple ReLUs jointly
Complete methods (branch-and-bound): Avoid approximation by branching

This convex barrier explains why verification precision plateaus for single-neuron methods and why multi-neuron methods provide tighter bounds despite higher computational cost.

Connection to Verification Tools and Methods

The unary-binary decomposition manifests across the entire verification landscape. Let’s examine how different tools exploit this framework.

Complete Verifiers: Exact Handling of Both Operation Types

Reluplex and Marabou (LP-based):

Affine nodes: Encoded as linear equations in simplex tableau
ReLU nodes: Handled via piecewise-linear pivoting and splitting
- If ReLU bounds are conclusive ( $l \geq 0$ or $u \leq 0$ ), treat as linear
- If crossing ( $l < 0 < u$ ), split into two sub-problems (branch-and-bound)
Complexity: Exponential in number of crossing ReLUs; practical up to ~300 nodes

MILP-based (MIPVerify, Sherlock):

Affine nodes: Linear constraints in MILP
ReLU nodes: Big-M encoding with integer variables
Solver: Gurobi/CPLEX handles $\{0,1\}$ variables via branch-and-bound internally
Complexity: NP-hard; practical up to ~6,000 nodes with modern solvers

Incomplete Verifiers: Exact Affine, Approximate Activation

Abstract Interpretation (AI2, DeepZ, DeepPoly):

Affine nodes: Exact symbolic propagation (polyhedra preserve affine exactly)
Activation nodes: Linear relaxation (triangle for ReLU, tangent/secant for sigmoid)
Abstract domain:
- Intervals (early methods)
- Zonotopes (DeepZ): Symmetric polytopes, efficient for affine operations
- Polyhedra (DeepPoly): Most expressive, tracks symbolic dependencies
Complexity: Polynomial ( $O(nL)$ for DeepPoly)

Bound Propagation (CROWN, Fast-Lin):

Affine nodes: Exact backward propagation of linear bounds
Activation nodes: Triangle relaxation, optimized via dual formulation
Key insight: Propagate bounds backward through affine layers (exact) to tighten activation bounds (approximate)

SDP-Based Methods: Quadratic Encoding for Activations

Approaches (Raghunathan et al., Dathathri et al.):

Affine nodes: Linear constraints in SDP
Activation nodes: Quadratic encoding $a_i(a_i - x_i) = 0$
Solving: Semidefinite programming (interior point methods)
Complexity: $O(n^6)$ via SDP solvers; practical only for small networks (fewer than 100 neurons)

Design Patterns Emerging from Decomposition

Across all verification methods, we observe consistent patterns:

Affine operations are handled exactly: No approximation needed; all methods treat affine transformations precisely
Activation operations determine method class:
- Complete methods → branch/split on activations
- Incomplete methods → linearly approximate activations
Compositional structure is universal: All methods propagate bounds layer-by-layer through alternating affine and activation nodes
Precision-efficiency trade-off centers on activations: Tighter activation bounds → better verification but higher cost

Practical Implications for Practitioners

Understanding the unary-binary decomposition provides actionable guidance for practitioners.

Debugging Verification Failures

When verification fails to certify a network:

Check activation crossing rate: How many ReLUs are in the crossing case ( $l < 0 < u$ )? High crossing rate → loose triangle bounds
Analyze bound propagation: Are bounds exploding through layers? May indicate dependency loss in interval arithmetic
Identify bottleneck nodes: Which activation nodes contribute most to bound looseness? Consider refining those nodes

Choosing Verification Methods Based on Network Structure

The operation decomposition reveals when different methods excel:

Few crossing ReLUs (fewer than 100): Complete methods (Marabou, MILP) are practical
Many crossing ReLUs (more than 1000): Incomplete methods (DeepPoly, CROWN) are necessary
Smooth activations (sigmoid, tanh): Linear approximation quality depends on bound width; consider certified training to narrow bounds
Deep networks: Symbolic methods (DeepPoly) avoid dependency loss better than pure interval arithmetic

Architecture Design for Verifiability

The decomposition framework guides architecture choices:

For easier complete verification:

Minimize unstable ReLUs: Use certified training to reduce crossing ReLUs
Sparse architectures: Fewer neurons → fewer activation nodes → smaller $2^n$ explosion
Shallow networks: Reduce depth to minimize bound propagation errors

For tighter incomplete verification:

Prefer ReLU over smooth activations: Triangle relaxation is optimal; sigmoid/tanh have varying quality
Avoid very wide layers: Bound propagation through wide affine transformations can inflate bounds
Lipschitz constraints: Regularize during training to keep activation functions in regions where linear approximation is tight

Understanding Method Limitations from Theoretical Framework

The decomposition reveals fundamental limitations:

Why CROWN plateaus: Single-neuron triangle relaxation hits convex barrier; cannot improve without multi-neuron analysis
Why depth hurts interval methods: Dependency loss compounds through affine layers without symbolic tracking
Why MILP scales better than SAT: Solver’s internal branching is more efficient than explicit $2^n$ enumeration, but both face same worst-case complexity

Conclusion: The Unifying Power of Decomposition

The unary-binary operation framework is more than a technical detail---it’s the foundational insight that makes neural network verification tractable. By separating neurons into affine (binary) and activation (unary) nodes, we transform an opaque compositional function into a sequence of exact linear operations and approximate/branched non-linear operations.

This decomposition explains:

Why ReLU networks have $2^n$ linear regions
Why MILP encoding eliminates explicit branching but not complexity
Why single-neuron methods hit the convex barrier
Why symbolic methods outperform interval arithmetic
How abstract interpretation unifies verification approaches

For researchers, this framework provides a unifying lens to understand the entire verification landscape. For practitioners, it offers actionable guidance on method selection, debugging, and architecture design.

The next time you design a neural network for a safety-critical application, remember: verification is fundamentally about handling two operation types---exact affine and approximate activation. Design your network to make the latter tractable, and verification becomes achievable.

The Fundamental Insight: Nodes as Operations

The Two-Node Decomposition Principle

Why This Decomposition Matters

Formal Mathematical Framework

Network Structure as Node Graph

Network as Functional Composition

Theoretical Encodings Across Verification Methods

SAT/LP Encoding: The Exponential Branching Problem

MILP Encoding: Eliminating Exponential Branching

QCQP/SDP Encoding: Quadratic Constraints

Simplification Techniques by Operation Type

Binary Operations: No Simplification Needed

Unary Operations: The Source of Approximation

ReLU Simplification: Triangle Relaxation

Sigmoid/Tanh Simplification: Tangent and Secant Lines

Compositional Reasoning Theory

Layer-by-Layer Propagation

Symbolic Composition and Dependency Tracking

Abstract Interpretation Framework

Complexity Implications of the Decomposition

Why ReLU Causes 2n2^n2n Explosion in Complete Verification

How MILP Eliminates Explicit Branching (But Not Complexity)

Linear Approximation: Polynomial Time, Bounded Error

The Convex Barrier: Fundamental Limit of Single-Neuron Methods

Connection to Verification Tools and Methods

Complete Verifiers: Exact Handling of Both Operation Types

Incomplete Verifiers: Exact Affine, Approximate Activation

SDP-Based Methods: Quadratic Encoding for Activations

Design Patterns Emerging from Decomposition

Practical Implications for Practitioners

Debugging Verification Failures

Choosing Verification Methods Based on Network Structure

Architecture Design for Verifiability

Understanding Method Limitations from Theoretical Framework

Conclusion: The Unifying Power of Decomposition

Why ReLU Causes $2^n$ Explosion in Complete Verification