Affine Arithmetic Expression Evaluator

This module provides expression evaluation using Affine Arithmetic (AA). Affine arithmetic tracks correlations between variables, solving the "dependency problem" that causes interval arithmetic to over-approximate.

Main definitions

• AffineConfig - Configuration for affine evaluation
• AffineEnv - Variable environment mapping indices to affine forms
• evalIntervalAffine - Main evaluator: Expr → AffineForm

Performance

For expressions with repeated variables:

• Interval: x - x on [-1, 1] gives [-2, 2]
• Affine: x - x on [-1, 1] gives [0, 0] (exact!)

Affine arithmetic gives 50-90% tighter bounds for many real-world expressions, especially in neural network verification where the same inputs flow through multiple paths.

Limitations

Some transcendental functions (sin, cos, atan) fall back to interval arithmetic because affine approximations aren't yet implemented.

Configuration

structure LeanCert.Engine.AffineConfig : Type

Configuration for Affine evaluation.

• taylorDepth - Number of Taylor terms for transcendental functions
• maxNoiseSymbols - Maximum noise symbols before consolidation (0 = unlimited)

• taylorDepth : ℕ

  Number of Taylor series terms for transcendental functions

• maxNoiseSymbols : ℕ

  Max noise symbols before consolidation (0 = no limit)

instance LeanCert.Engine.instReprAffineConfig : Repr AffineConfig

Equations

• LeanCert.Engine.instReprAffineConfig = { reprPrec := LeanCert.Engine.instReprAffineConfig.repr }

def LeanCert.Engine.instReprAffineConfig.repr : AffineConfig → ℕ → Std.Format

Equations

• One or more equations did not get rendered due to their size.

instance LeanCert.Engine.instDecidableEqAffineConfig : DecidableEq AffineConfig

Equations

• LeanCert.Engine.instDecidableEqAffineConfig = LeanCert.Engine.instDecidableEqAffineConfig.decEq

def LeanCert.Engine.instDecidableEqAffineConfig.decEq (x✝ x✝¹ : AffineConfig) : Decidable (x✝ = x✝¹)

Equations

• One or more equations did not get rendered due to their size.

instance LeanCert.Engine.instInhabitedAffineConfig : Inhabited AffineConfig

Equations

• LeanCert.Engine.instInhabitedAffineConfig = { default := { } }

Variable Environment

@[reducible, inline]

abbrev LeanCert.Engine.AffineEnv : Type

Variable assignment as Affine forms

Equations

• LeanCert.Engine.AffineEnv = (ℕ → LeanCert.Engine.Affine.AffineForm)

def LeanCert.Engine.toAffineEnv (intervals : List Core.IntervalRat) : AffineEnv

Create an affine environment from rational intervals.

Each variable gets a unique noise symbol to track correlations.

Equations

• LeanCert.Engine.toAffineEnv intervals = fun (i : ℕ) => have I := intervals.getD i (LeanCert.Core.IntervalRat.singleton 0); LeanCert.Engine.Affine.AffineForm.ofInterval I i intervals.length

Main Evaluator

def LeanCert.Engine.evalIntervalAffine (e : Core.Expr) (ρ : AffineEnv) (cfg : AffineConfig := { }) : Affine.AffineForm

Evaluate expression using Affine Arithmetic.

This function recursively evaluates an expression, using:

• Exact affine operations for linear functions (add, sub, neg, scale)
• Controlled approximations for nonlinear functions (mul, sq)
• Interval fallbacks for unsupported transcendentals (sin, cos, atan)

The result is an AffineForm that can be converted to an interval via toInterval, typically giving tighter bounds than pure interval arithmetic.

Equations

• One or more equations did not get rendered due to their size.
• LeanCert.Engine.evalIntervalAffine (LeanCert.Core.Expr.const q) ρ cfg = LeanCert.Engine.Affine.AffineForm.const q
• LeanCert.Engine.evalIntervalAffine (LeanCert.Core.Expr.var idx) ρ cfg = ρ idx
• LeanCert.Engine.evalIntervalAffine (e₁.add e₂) ρ cfg = (LeanCert.Engine.evalIntervalAffine e₁ ρ cfg).add (LeanCert.Engine.evalIntervalAffine e₂ ρ cfg)
• LeanCert.Engine.evalIntervalAffine (e₁.mul e₂) ρ cfg = (LeanCert.Engine.evalIntervalAffine e₁ ρ cfg).mul (LeanCert.Engine.evalIntervalAffine e₂ ρ cfg)
• LeanCert.Engine.evalIntervalAffine e_2.neg ρ cfg = (LeanCert.Engine.evalIntervalAffine e_2 ρ cfg).neg
• LeanCert.Engine.evalIntervalAffine e_2.inv ρ cfg = (LeanCert.Engine.evalIntervalAffine e_2 ρ cfg).inv
• LeanCert.Engine.evalIntervalAffine e_2.exp ρ cfg = (LeanCert.Engine.evalIntervalAffine e_2 ρ cfg).exp cfg.taylorDepth
• LeanCert.Engine.evalIntervalAffine e_2.sinh ρ cfg = (LeanCert.Engine.evalIntervalAffine e_2 ρ cfg).sinh cfg.taylorDepth
• LeanCert.Engine.evalIntervalAffine e_2.cosh ρ cfg = (LeanCert.Engine.evalIntervalAffine e_2 ρ cfg).cosh cfg.taylorDepth
• LeanCert.Engine.evalIntervalAffine e_2.tanh ρ cfg = (LeanCert.Engine.evalIntervalAffine e_2 ρ cfg).tanh
• LeanCert.Engine.evalIntervalAffine e_2.sqrt ρ cfg = (LeanCert.Engine.evalIntervalAffine e_2 ρ cfg).sqrt
• LeanCert.Engine.evalIntervalAffine e_2.atan ρ cfg = { c0 := (-2 + 2) / 2, coeffs := [], r := (2 - -2) / 2, r_nonneg := LeanCert.Engine.evalIntervalAffine._proof_5 }
• LeanCert.Engine.evalIntervalAffine e_2.arsinh ρ cfg = default
• LeanCert.Engine.evalIntervalAffine e_2.atanh ρ cfg = default
• LeanCert.Engine.evalIntervalAffine e_2.sinc ρ cfg = { c0 := 0, coeffs := [], r := 1, r_nonneg := LeanCert.Engine.evalIntervalAffine._proof_6 }
• LeanCert.Engine.evalIntervalAffine e_2.erf ρ cfg = { c0 := 0, coeffs := [], r := 1, r_nonneg := LeanCert.Engine.evalIntervalAffine._proof_6 }

Convenience Functions

def LeanCert.Engine.evalAffineToInterval (e : Core.Expr) (ρ : AffineEnv) (cfg : AffineConfig := { }) : Core.IntervalRat

Evaluate and convert to interval

Equations

• LeanCert.Engine.evalAffineToInterval e ρ cfg = (LeanCert.Engine.evalIntervalAffine e ρ cfg).toInterval

def LeanCert.Engine.checkUpperBoundAffine (e : Core.Expr) (ρ : AffineEnv) (bound : ℚ) (cfg : AffineConfig := { }) : Bool

Check if expression is bounded above

Equations

• LeanCert.Engine.checkUpperBoundAffine e ρ bound cfg = decide ((LeanCert.Engine.evalIntervalAffine e ρ cfg).toInterval.hi ≤ bound)

def LeanCert.Engine.checkLowerBoundAffine (e : Core.Expr) (ρ : AffineEnv) (bound : ℚ) (cfg : AffineConfig := { }) : Bool

Check if expression is bounded below

Equations

• LeanCert.Engine.checkLowerBoundAffine e ρ bound cfg = decide (bound ≤ (LeanCert.Engine.evalIntervalAffine e ρ cfg).toInterval.lo)

Correctness Theorem

def LeanCert.Engine.envMemAffine (ρ_real : ℕ → ℝ) (ρ_affine : AffineEnv) (eps : Affine.AffineForm.NoiseAssignment) : Prop

Environment membership: real value is represented by the affine form

Equations

• LeanCert.Engine.envMemAffine ρ_real ρ_affine eps = ∀ (i : ℕ), (ρ_affine i).mem_affine eps (ρ_real i)

def LeanCert.Engine.evalDomainValidAffine (e : Core.Expr) (ρ : AffineEnv) (cfg : AffineConfig := { }) : Prop

Domain validity for Affine evaluation. This is defined directly in terms of evalIntervalAffine to ensure compatibility. For log, we require the argument's toInterval to have positive lower bound.

Equations

• LeanCert.Engine.evalDomainValidAffine (LeanCert.Core.Expr.const q) ρ cfg = True
• LeanCert.Engine.evalDomainValidAffine (LeanCert.Core.Expr.var idx) ρ cfg = True
• LeanCert.Engine.evalDomainValidAffine (e₁.add e₂) ρ cfg = (LeanCert.Engine.evalDomainValidAffine e₁ ρ cfg ∧ LeanCert.Engine.evalDomainValidAffine e₂ ρ cfg)
• LeanCert.Engine.evalDomainValidAffine (e₁.mul e₂) ρ cfg = (LeanCert.Engine.evalDomainValidAffine e₁ ρ cfg ∧ LeanCert.Engine.evalDomainValidAffine e₂ ρ cfg)
• LeanCert.Engine.evalDomainValidAffine e_2.neg ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.inv ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.exp ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.sin ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.cos ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.log ρ cfg = (LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg ∧ (LeanCert.Engine.evalIntervalAffine e_2 ρ cfg).toInterval.lo > 0)
• LeanCert.Engine.evalDomainValidAffine e_2.atan ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.arsinh ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.atanh ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.sinc ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.erf ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.sinh ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.cosh ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.tanh ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine e_2.sqrt ρ cfg = LeanCert.Engine.evalDomainValidAffine e_2 ρ cfg
• LeanCert.Engine.evalDomainValidAffine LeanCert.Core.Expr.pi ρ cfg = True

theorem LeanCert.Engine.evalDomainValidAffine_of_ExprSupported {e : Core.Expr} (hsupp : ExprSupported e) (ρ : AffineEnv) (cfg : AffineConfig := { }) : evalDomainValidAffine e ρ cfg

Domain validity is trivially true for ExprSupported expressions (which exclude log).

theorem LeanCert.Engine.evalIntervalAffine_correct (e : Core.Expr) (hsupp : ExprSupportedCore e) (ρ_real : ℕ → ℝ) (ρ_affine : AffineEnv) (eps : Affine.AffineForm.NoiseAssignment) (hvalid : Affine.AffineForm.validNoise eps) (hρ : envMemAffine ρ_real ρ_affine eps) (cfg : AffineConfig := { }) (hdom : evalDomainValidAffine e ρ_affine cfg) : (evalIntervalAffine e ρ_affine cfg).mem_affine eps (Core.Expr.eval ρ_real e)

Correctness theorem for Affine interval evaluation.

If all input variables are represented by their affine forms (via noise assignment eps), then the real evaluation of the expression is represented by the affine result.

This proves soundness: the affine form always contains the true value.

Note: Requires valid noise assignment and domain validity for log. Some transcendental cases (sin, cos, pi) use interval fallback and have separate soundness via interval bounds.

theorem LeanCert.Engine.evalIntervalAffine_toInterval_correct (e : Core.Expr) (hsupp : ExprSupportedCore e) (ρ_real : ℕ → ℝ) (ρ_affine : AffineEnv) (eps : Affine.AffineForm.NoiseAssignment) (hvalid : Affine.AffineForm.validNoise eps) (hρ : envMemAffine ρ_real ρ_affine eps) (cfg : AffineConfig := { }) (hlen : List.length eps = (evalIntervalAffine e ρ_affine cfg).coeffs.length) (hdom : evalDomainValidAffine e ρ_affine cfg) : Core.Expr.eval ρ_real e ∈ (evalIntervalAffine e ρ_affine cfg).toInterval

Corollary: The interval produced by toInterval contains the true value.

This is the key result for optimization: if we compute an affine form and convert to an interval, the interval is guaranteed to contain the true value.