Cascading Robustness Verification (CRV)
- CRV is a framework that certifies adversarial robustness by cascading multiple incomplete verifiers in a fixed, efficiency-aware order.
- It addresses single verifier limitations by combining complementary LP-based and SDP-based relaxations to reduce false negatives and bridge training–verification misalignment.
- The method employs stepwise relaxation and redundant constraint pruning to significantly reduce runtime while maintaining verified robust accuracy.
Cascading Robustness Verification (CRV) is a framework for certifying adversarial robustness of neural networks by combining multiple incomplete verifiers in a fixed, efficiency-aware cascade. In the formulation introduced in "Cascading Robustness Verification: Toward Efficient Model-Agnostic Certification" (Maleki et al., 4 Feb 2026), CRV is model-agnostic in the sense that its correctness and robustness guarantees are independent of the model’s training process, and its central decision rule is that an input is certifiably robust if at least one verifier in the cascade certifies it. The framework was proposed to address two coupled problems in post-hoc robustness certification: the computational cost of tight relaxations, and the underestimation of robustness that arises when a single incomplete verifier yields loose bounds or is misaligned with the training method.
1. Formal certification setting
For a classifier with logits and predicted label
robustness under an perturbation budget is evaluated on
The paper considers a one-hidden-layer ReLU network
with and , and defines, for each incorrect class , the worst-case logit margin
subject to 0 and 1. An input 2 is certifiably robust if 3 for all 4 (Maleki et al., 4 Feb 2026).
Because the ReLU constraints make the feasible set non-convex, solving the exact problem is NP-hard. Complete methods such as MILP and SMT can provide exact answers but are typically prohibitively slow for non-toy networks. Incomplete verifiers replace the non-convex constraints with convex relaxations and instead solve
5
where 6 is a convex relaxation of the original constraints. Certification then uses the implication
7
This construction yields no false positives, because 8 upper bounds 9, but it can yield false negatives. The paper formalizes the resulting partition of the dataset into true positives 0, true negatives 1, and false negatives 2, with 3. In this setting, robustness certification is conservative: failure to certify does not imply non-robustness.
2. Metric interpretation and the single-verifier problem
The paper distinguishes between True Robust Accuracy (TRA),
4
and verified robust accuracy,
5
Thus 6 is a lower bound on 7, and for attack success rate 8 from a strong empirical attack such as PGD,
9
The paper’s stated objective is therefore not merely to increase a reported 0, but to tighten the interval 1 so that post-hoc certification better approximates true robustness (Maleki et al., 4 Feb 2026).
Two limitations of single incomplete verifiers are emphasized. The first is loose bounds 2 false negatives: if a relaxation is coarse, many truly robust inputs remain uncertified, and 3 can significantly underestimate 4. The second is training–verification misalignment, also described as “verification-specific behavior”: a model trained with one surrogate, such as LP-based, IBP, or SDP-based training, can verify poorly under a different relaxation even when its true robustness has not changed. The paper gives the concrete example that an SDP-trained model may verify poorly under LP-based certification, while an LP-trained model may verify poorly under SDP relaxations. On this account, a single 5 value measured with a single verifier is not a verifier-independent robustness metric.
The motivating claim behind CRV is that different verifiers have complementary strengths. Some are cheap and loose, others are tight and expensive; some align better with one training procedure, others with another. CRV addresses this by aggregating certifications across verifiers rather than treating one verifier as definitive.
3. Cascade structure and model-agnostic certification
CRV organizes verifiers 6 in a fixed order from least to most expensive. For each input, the cascade runs 7 first and halts immediately if 8 certifies robustness; otherwise it proceeds to 9, and continues until some verifier certifies the input or all verifiers fail. The decision rule is therefore a logical OR over verifier outputs: if the true-positive sets of the constituent verifiers are 0, then CRV certifies the union 1 (Maleki et al., 4 Feb 2026).
This construction is described as model-agnostic because it treats the network as a fixed function and does not assume that the model was trained using any of the constituent verifiers. In the paper’s terminology, CRV is a post-hoc verifier that can aggregate LP-based, SDP-based, and other verification methods without binding evaluation to the model’s training surrogate. The order is fixed a priori rather than input-dependent. Remark 1 guides ordering by relaxation type and typical complexity: leanest relaxations first, richer relaxations later.
The paper concretely instantiates CRV with two verifier families. The first is LP-cert, an LP-based relaxation derived from convex outer approximations of the adversarial polytope. It is fast and scalable but typically looser. The second is SDP-cert, a semidefinite relaxation that encodes ReLU and input constraints as quadratic constraints and lifts them to an SDP. For 2 input bounds 3 and 4, the input constraint is written as
5
while ReLU is encoded by
6
The resulting SDP relaxation is tighter but substantially more computationally expensive. In the reported experiments, CRV typically orders these as 7 LP-cert and 8 SDP-cert.
4. Stepwise Relaxation and Fast Stepwise Relaxation
Within a single verifier 9, the paper introduces the Stepwise Relaxation Algorithm (SR) as an internal cascade over progressively tighter submethods 0. The 1-th submethod uses feasible set
2
which yields nested feasible sets
3
SR runs the loosest submethod first and halts as soon as one submethod certifies the input; otherwise it continues to tighter variants (Maleki et al., 4 Feb 2026).
The underlying monotonicity argument is elementary but central. If two maximization problems share the same objective and 4, then the optimal values satisfy 5. Applied to verification, tighter relaxations have fewer false negatives and certify a superset of the robust inputs certified by looser relaxations. The paper states this as Corollary 1: if 6, then 7 and 8.
Theorem 2 gives the key guarantee for SR: the robust accuracy of SR equals the robust accuracy of the tightest submethod alone. In other words, early exits do not change which inputs are ultimately certified relative to always running the tightest relaxation; they only reduce computation. In the reported SDP instantiation, three SDP-based submethods are used: 9 is the full SDP-cert, 0 drops one linear ReLU constraint and the quadratic ReLU constraint, and 1 drops an additional constraint from 2. On MNIST/Grad-NN at 3, 4 achieves 88% 5 in 328.98 min, while SR achieves the same 88% 6 in 231.43 min, approximately 30% faster.
The paper further defines Fast Stepwise Relaxation (FSR), which adds two pragmatic heuristics: redundant-constraint pruning and early termination via thresholding. Before solving, constraints whose feasible region is contained in others, or whose tightening is negligible, are removed. Then, if a submethod’s incremental improvement on a small subset falls below a threshold such as 5%, that submethod is skipped for the full dataset. Empirically, FSR yields up to ~53% speedup over the tightest SDP version, with negligible loss 7 in certified bounds or 8.
5. Guarantees, runtime accounting, and reported results
Theorem 1 states the principal certification guarantee of CRV: 9 Hence CRV certifies at least as many inputs as the best individual verifier in the cascade. Its total verification cost is written as
0
so later, more expensive stages are only applied to inputs not already certified by earlier stages. The same logic applies within SR for a single verifier (Maleki et al., 4 Feb 2026).
The empirical evaluation uses MNIST, 1 perturbations with 2, and two two-layer fully connected networks with 500 hidden nodes: Grad-NN, trained with an SDP-based regularization, and LP-NN, trained with LP-based robust training. Certification is strictly post hoc and independent of the training procedure.
| Setting | SDP-cert | CRV-FSR |
|---|---|---|
| Grad-NN, 3 | RA = 88%, 328.98 min | RA = 88%, 111.34 min, 66.16% speedup |
| LP-NN, 4 | RA = 88%, 328.98 min | RA = 88%, 34.55 min, 89.5% speedup |
At 5, the misalignment phenomenon is explicit. For Grad-NN, LP-cert reports 42% 6, whereas SDP-cert reports 88% 7; CRV, CRV-SR, and CRV-FSR all recover 88% 8 while reducing runtime to 190.8 min, 134.23 min, and 111.34 min, respectively. For LP-NN, LP-cert reports 82% 9 and SDP-cert 88% 0; CRV reaches 88% 1 in 59.22 min, CRV-SR in 41.66 min, and CRV-FSR in 34.55 min. PGD success rates at 2 are 10% for Grad-NN and 12% for LP-NN, so 3 lies between 4 and 5, which places the interval at 6 for Grad-NN.
Across 7, the paper reports that CRV, CRV-SR, and CRV-FSR achieve 8 close to or higher than SDP-cert, with runtime reductions roughly 40–90% depending on model and perturbation size. At larger 9, certification becomes harder and 0 drops for all methods, but CRV-FSR still reports substantial verified accuracy, including 36% at 1 for Grad-NN and 78% for LP-NN. Runtime is described as non-monotonic: intermediate budgets can force many inputs into the tightest stages, whereas very large budgets can allow many inputs to be rejected early as clearly non-robust.
6. Scope, distinctions, and terminology
Within robustness verification, CRV is positioned against both complete methods and single-verifier incomplete methods. Complete methods remain exact but expensive; incomplete methods scale but incur false negatives. The stated innovation of CRV is not only an engineering speedup but an explicit critique of the robustness metric obtained from a single incomplete verifier: a verifier-dependent 2 can be heavily biased by bound looseness and by training–verification misalignment. The paper also states several limitations: CRV cannot exceed the joint capability of the included verifiers, ordering is fixed and not input-adaptive, the experiments focus on relatively small networks and MNIST, and scaling to large CNNs or Transformers may require more sophisticated relaxations and verifiers (Maleki et al., 4 Feb 2026).
A distinct cautionary result in the literature concerns cascading ensembles of certifiably robust classifiers. "On the Perils of Cascading Robust Classifiers" shows that such ensembles can be unsound because the routing mechanism that selects among base models is itself non-robust: the ensemble may claim local robustness at 3 even though a nearby 4 causes the cascade to switch models and change its prediction (Mangal et al., 2022). CRV in (Maleki et al., 4 Feb 2026) addresses a different object: it aggregates multiple incomplete verifiers to certify a single fixed model, rather than composing predictions from multiple models. This distinction is central when interpreting the term cascade.
The acronym CRV is also used in unrelated contexts. In control-software verification, it denotes conditionally relevant variables in a formal method for identifying which variables can affect safety under single event upset (Ganesha et al., 10 May 2025). In LLM interpretability, it denotes Circuit-based Reasoning Verification, a white-box classifier over attribution-graph features for step-level chain-of-thought error detection (Zhao et al., 10 Oct 2025). In the adversarial-robustness literature considered here, however, CRV refers specifically to Cascading Robustness Verification as a model-agnostic, verifier-composition framework for certified robustness (Maleki et al., 4 Feb 2026).