Gergely Kovásznai a , Krisztián Gajdár b , Nina Narodytska c
3. Encoding of Binarized Neural Networks
A Binarized Neural Network (BNN) is a feedforward network where weights and activations are predominantly binary [20]. It is convenient to describe the structure of a BNN in terms of composition of blocks of layers rather than individual layers.
Each block consists of a collection of linear and non-linear transformations. Blocks are assembled sequentially to form a BNN.
Internal block. Each internal block (denoted asBlock) in a BNN performs a collection of transformations over a binary input vector and outputs a binary vector.
While the input and output of a Blockare binary vectors, the internal layers of Block can produce real-valued intermediate outputs. A common construction
of an internal Block (taken from [20]) is composed of three main operations:1 a linear transformation (Lin), batch normalization (Bn), and binarization (Bin).
Table 1 presents the formal definition of these transformations. Figure 1 shows two Blocks connected sequentially.
LIN BN BIN
x
Block 1
LIN BN BIN
Block 2
LIN ARGMAX
Output o
Figure 1. A schematic view of a binarized neural network. The internal blocks also have an additionalHardTanhlayer during the
training.
Table 1. Structure of internal and outputs blocks which stacked to-gether form a binarized neural network. In the training phase, there might be an additionalHardTanhlayer after batch normalization.
𝐴𝑘and𝑏𝑘are parameters of theLinlayer, whereas𝛼𝑘𝑖, 𝛾𝑘𝑖, 𝜇𝑘𝑖, 𝜎𝑘𝑖
are parameters of theBnlayer. The𝜇’s and𝜎’s correspond to mean and standard deviation computed in the training phase. TheBin
layer is parameter free.
Structure of𝑘thinternal block,Block𝑘:{−1,1}𝑛𝑘→ {−1,1}𝑛𝑘+1 on𝑥𝑘∈ {−1,1}𝑛𝑘 Lin 𝑦=𝐴𝑘𝑥𝑘+𝑏𝑘 , where𝐴𝑘∈ {−1,1}𝑛𝑘+1×𝑛𝑘 and𝑏𝑘,𝑦∈R𝑛𝑘+1
Bn 𝑧𝑖=𝛼𝑘𝑖
(︁𝑦𝑖−𝜇
𝑘𝑖 𝜎𝑘𝑖
)︁+𝛾𝑘𝑖, where𝛼𝑘,𝛾𝑘,𝜇𝑘,𝜎𝑘,𝑧∈R𝑛𝑘+1. Assume𝜎𝑘𝑖>0. Bin 𝑥𝑘+1= sign(𝑧)where𝑥𝑘+1∈ {−1,1}𝑛𝑘+1
Structure of output block,O:{−1,1}𝑛𝑚→[1, 𝑠]on input𝑥𝑚∈ {−1,1}𝑛𝑚 Lin 𝑤=𝐴𝑚𝑥𝑚+𝑏𝑚, where𝐴𝑚∈ {−1,1}𝑠×𝑛𝑚 and𝑏𝑚,𝑤∈R𝑠 argmax 𝑜=argmax(𝑤), where𝑜∈[1, 𝑠]
Output block. The output block (denoted as O) produces the classification decision for a given binary input vector. It consists of two layers (see Table 1).
The first layer applies a linear (affine) transformation that maps its input to a vector of integers, one for each output label class. This is followed by anargmax layer, which outputs the index of the largest entry in this vector as the predicted label.
1In the training phase, there is an additionalHardTanhlayer after batch normalization layer that is omitted in the inference phase [20].
Network of blocks. BNN is a deep feedforward network formed by assembling a sequence of internal blocks and an output block. Suppose we have𝑚−1internal blocks, Block𝑚, . . . ,Block𝑚−1 that are placed consecutively, so the output of a block is the input to the next block in the list. Let 𝑛𝑘 denote the number of input values to Block𝑘. Let 𝑥𝑘 ∈ {−1,1}𝑛𝑘 be the input to Block𝑘 and 𝑥𝑘+1 ∈ {−1,1}𝑛𝑘+1 be its output. The input of the first block is the input of the network. We assume that the input of the network is a vector of integers, which holds for the image classification task if images are in the standard RGB format.
Note that these integers can be encoded with binary values{−1,1}using a standard encoding. It is also an option to add an additionalBnBinblock beforeBlock1to binarize the input images (see Sections 3.3 and 6.1). Therefore, we keep notations uniform for all layers by assuming that inputs are all binary. The output of the last layer,𝑥𝑚∈ {−1,1}𝑛𝑚, is passed to the output blockOto obtain one of the𝑠 labels.
Definition 3.1 (Binarized Neural Network). A binarized neural network BNN: {−1,1}𝑛1 → [1, . . . , 𝑠] is a feedforward network that is composed of 𝑚 blocks, Block1, . . . ,Block𝑚−1,O. Formally, given an input 𝑥,
BNN(𝑥) =O(Block𝑚−1(. . .Block1(𝑥). . .)).
In the following sections, we show how to encode an entire BNN structure into Boolean constraints, including cardinality constraints.
3.1. Encoding of internal blocks
Each internal block is encoded separately as proposed in [7, 31]. Here we follow the encoding by Narodystkaet al. Let 𝑥∈ {−1,1}𝑛𝑘 denote the input to the kth block, 𝑜∈ {−1,1}𝑛𝑘+1 the output. Since the block consists of three layers, they are encoded separately as follows:
Lin. The first layer applies a linear transformation to the input vector 𝑥. Let𝑎𝑖
denote the𝑖throw of the matrix 𝐴𝑘 and 𝑏𝑖 the𝑖th element of the vector𝑏𝑘. We get the constraints
𝑦𝑖=⟨𝑎𝑖,𝑥⟩+𝑏𝑖, for all𝑖∈[1, 𝑛𝑘+1].
Bn. The second layer applies batch normalization to the output𝑦of the previous layer. Let 𝛼𝑖, 𝛾𝑖, 𝜇𝑖, 𝜎𝑖 denote the 𝑖th element of the vectors 𝛼𝑘,𝛾𝑘,𝜇𝑘,𝜎𝑘, respectively. Assume𝛼𝑖̸= 0. We get the constraints
𝑧𝑖=𝛼𝑖𝑦𝑖−𝜇𝑖
𝜎𝑖
+𝛾𝑖, for all𝑖∈[1, 𝑛𝑘+1].
Bin. The third layer applies binarization to the output𝑧of the previous layer, by implementing thesignfunction as follows:
𝑜𝑖=
⎧⎨
⎩
1, if𝑧𝑖≥0,
−1, if𝑧𝑖<0, for all𝑖∈[1, 𝑛𝑘+1].
The entire block can then be expressed as the constraints
𝑜𝑖=
⎧⎨
⎩
1, if ⟨𝑎𝑖,𝑥⟩ ∘rel𝐶𝑖,
−1, otherwise, for all𝑖∈[1, 𝑛𝑘+1], (3.1) where
𝐶𝑖 =−𝜎𝑖
𝛼𝑖
𝛾𝑖+𝜇𝑖−𝑏𝑖
∘rel =
⎧⎨
⎩
≥, if𝛼𝑖>0,
≤, if𝛼𝑖<0.
Let us recall that the input variables 𝑥𝑗 and the output variables 𝑜𝑖 take the values−1and1. We need to replace them with the Boolean variables𝑥(b)𝑗 , 𝑜(b)𝑖 ∈ {0,1}in order to further translate the constraints in (3.1) to the Boolean constraints
𝑛𝑘
∑︁
𝑗=1
𝑙𝑖𝑗∘rel𝐷𝑖 ⇔ 𝑜(b)𝑖 , for all𝑖∈[1, 𝑛𝑘+1], where
𝑙𝑖𝑗 =
⎧⎨
⎩
𝑥(𝑏)𝑗 , if𝑗 ∈𝑎+𝑖 ,
¬𝑥(𝑏)𝑗 , if𝑗 ∈𝑎−𝑖 , 𝐷𝑖 =
⎧⎨
⎩
⌈𝐶𝑖′⌉+|𝑎−𝑖 |, if𝛼𝑖>0,
⌊𝐶𝑖′⌋+|𝑎−𝑖 |, if𝛼𝑖<0, 𝐶𝑖′ =(︁
𝐶𝑖+∑︁
𝑗
𝑎𝑖𝑗
)︁/2,
𝑎+𝑖 ={𝑗 |𝑎𝑖𝑗 >0}, 𝑎−𝑖 ={𝑗 |𝑎𝑖𝑗 <0}. For further details on the derivation, see [31].
3.2. Encoding of the output block
The output block consists of aLinlayer followed by anArgMaxlayer. To encode ArgMax, we need to encode an ordering relation over the outputs of the linear layer, and therefore we introduce the Boolean variables𝑑(b)𝑖𝑖′ such that
⟨𝑎𝑖,𝑥⟩+𝑏𝑖 ≥ ⟨𝑎𝑖′,𝑥⟩+𝑏𝑖′ ⇔ 𝑑(b)𝑖𝑖′, for all𝑖, 𝑖′∈[1, 𝑠].
These constraints can be further translated into Boolean constraints, as proposed by Narodystkaet al. in [31] and supplemented by us as follows:
𝑛𝑚
Finally, to encodeArgMax, we have to pick the row in the matrix(𝑑𝑖𝑖′)which contains only1s, as it can be encoded by the Boolean constraint
∑︁
𝑖′
𝑑(b)𝑖𝑖′ =𝑠 ⇔ 𝑜(b)𝑖 , for all𝑖∈[1, 𝑠].
3.3. Encoding of the input binarization block
In our paper, and also in [31], experiments on checking adversarial robustness under the 𝐿∞ norm are run on grayscale input images that are binarized by an additionalBnBin block before Block1. We now propose how this BnBinblock can be encoded to Boolean constraints.
Let 𝛼0,𝛾0,𝜇0,𝜎0 denote the parameters of the Bn layer. Since adversarial robustness is about to be checked, the input 𝑥∈N𝑛1 consists of constants, while the perturbation 𝜏 ∈[−𝜖, 𝜖]𝑛1 consists of integer variables and the output𝑜(b) ∈ {0,1}𝑛1 consists of Boolean variables. The BnBin block can be encoded by the constraints
The constraints in (3.2) further translate to 𝑥𝑖+𝜏𝑖−𝜇𝑖+𝜎𝑖𝛾𝑖
Then (3.3) translates to
𝜏𝑖∘rel𝐵𝑖 ⇔ 𝑜(b)𝑖 , (3.4)
where
𝐵𝑖=
⎧⎨
⎩
⌈𝐵𝑖′⌉, if𝛼𝑖>0,
⌊𝐵𝑖′⌋, if𝛼𝑖<0, 𝐵′𝑖=𝜇𝑖−𝑥𝑖−𝜎𝑖𝛾𝑖
𝛼𝑖
.
Since𝜏𝑖is in the given range[−𝜖, 𝜖], we can represent it as abit-vectorof a given bit-width. In order to applyunsigned bit-vector arithmetic, we translate the domain of 𝜏𝑖 into [0,2𝜖]. Thus, we can represent 𝜏𝑖 as a bit-vector variable of bit-width 𝑤=⌈log2(2𝜖+ 1)⌉and apply unsigned bit-vector arithmetic to (3.4) as follows:
𝜏𝑖[𝑤]∘urel(𝐵𝑖+𝜖)[𝑤] ⇔ 𝑜(b)𝑖 , (3.5) where∘urel denotes the corresponding unsigned bit-vector relational operatorbvuge orbvule, respectively, and the bound𝐵𝑖+𝜖is represented as a bit-vector constant of bit-width 𝑤. For the syntax and semantics of common bit-vector operators, see [24].
The constraints in (3.5) are not even needed to add in certain cases:
• if𝐵𝑖≤ −𝜖, then assign 𝑜(b)𝑖 to 1 if𝛼𝑖>0, and to 0 if𝛼𝑖 <0;
• if𝐵𝑖> 𝜖, then assign𝑜(b)𝑖 to 0 if 𝛼𝑖>0, and to 1𝛼𝑖<0.
Some further constraints are worth to add to restrict the domain of𝜏𝑖: 𝜏𝑖[𝑤]
≥u0[𝑤]
𝜏𝑖[𝑤]
≤u(2𝜖)[𝑤]
𝜏𝑖[𝑤]
≥u(𝜖−𝑥𝑖)[𝑤], if𝑥𝑖< 𝜖 𝜏𝑖[𝑤]
≤u(𝜖+ max𝑥−𝑥𝑖)[𝑤], if𝑥𝑖>max𝑥−𝜖
(3.6)
wheremax𝑥 is the highest possible value for the input values in𝑥.2
In our tool, all the bit-vector constraints in (3.5) and (3.6) are bit-blasted into CNF.
3.4. Encoding of BNN properties
In this paper, we focus on the properties defined in Section 2, namely adversarial robustness and network equivalence.
2In our experiments, the input represents pixels of grayscale images, thereforemax𝑥= 255.
3.4.1. Adversarial robustness
We assume that the BNN consists of an input binarization block, internal blocks and an output block. Let BNN(︀
𝑥+𝜏,𝑜(b))︀
denote the encoding of the whole BNN over the perturbated input 𝑥+𝜏 and the output 𝑜(b). Note that 𝑥∈N𝑛1 is an input from the the training or test set, therefore its ground truth labelℓ(𝑥)is given.
On the other hand, the perturbation𝜏 ∈[−𝜖, 𝜖]𝑛1 consists of integer variables. The output𝑜(b)∈ {0,1}𝑠 consists of Boolean variables. Basically, we are looking for a satisfying assignment for the perturbation variables𝜏 such that the BNN outputs a label different from ℓ(𝑥). Thus, checking adversarial robustness translates into checking the satisfiability of the following constraint:
BNN(︀
𝑥+𝜏,𝑜(b))︀
∧ ¬𝑜(b)ℓ(𝑥).
3.4.2. Network equivalence
We want to check if two BNNs classify binarized inputs completely the same. There-fore we assume that those BNNs do not haveBnBinblocks, or if they do, then they apply the sameBnBinblock. Therefore, let BNN1(︀
𝑥(b), 𝑜(b)1 )︀and BNN2(︀
𝑥(b), 𝑜(b)2 )︀
denote the encoding of the internal blocks and the output block of the two BNNs, respectively, over the same binary input 𝑥(b). Checking the equivalence of those BNNs translates into checking the satisfiability of the following constraint:
BNN1(︀
𝑥,𝑜(b)1 )︀
∧BNN2(︀
𝑥,𝑜(b)2 )︀
∧𝑜(b)1 ̸=𝑜(b)2 .
We translate the inequality 𝑜(b)1 ̸=𝑜(b)2 over vectors of Boolean variables into
¬(︀
𝑜(b)1,1⇔𝑜(b)2,1)︀
∨ · · · ∨ ¬(︀
𝑜(b)1,𝑠 ⇔𝑜(b)2,𝑠)︀
which can then be further translated to a set of clauses by using Tseitin transfor-mation.