TorchLean: Verified Neural Networks in Lean

Robert Joseph George·May 2026Lean 4neural networksscientific computingverification

For roughly the past year, we have been building TorchLean in and around Anima Anandkumar’s group at Caltech. I have thought about it as a machine learning project, a formal methods project, and a scientific computing project. The third framing is the one that now feels most important to me.

Anima’s lab sits at the interface of AI and science. That matters for TorchLean. Scientific machine learning is not just about fitting a model and reporting a benchmark. It is about using learned models inside simulations, controllers, inverse design loops, PDE solvers, geometry pipelines, and physical decision systems. In those settings, a neural network is not merely a predictor. It becomes part of an argument about the world.

That argument can be fragile. A model can have the right weights but the wrong preprocessing. A verifier can prove a property of a graph that is not quite the graph that ran. A CUDA kernel can be faster because it fuses operations, but then someone has to say what value it is supposed to compute. A physics informed neural network can use derivatives, but those derivatives have to mean something. A controller can look stable in experiments, but safety is a statement over a region, not over the points we happened to sample.

Figure 1 · the story I have in mindfrom generated code to checked scientific claims

AI assisted coding

We can now generate scripts, models, CUDA wrappers, exporters, and verifier harnesses quickly. This is exciting, but it also creates more boundaries where local plausibility can hide global mistakes.

Theorem proving

Lean changes the status of a mathematical claim. A proof is not only a convincing explanation. It is an object checked by a small kernel.

Scientific computing

Modern science mixes models, solvers, data, hardware, finite precision, and physical interpretation. Verification is valuable because it makes the link between those layers visible.

TorchLean

The goal is to give neural networks a precise semantic home in Lean, so that the model, graph, gradient, certificate, and runtime contract can refer to one meaning.

This is why I do not see TorchLean as only a neural network verifier. I see it as infrastructure for a more theorem aware style of scientific machine learning.

Why this feels urgent now

AI systems are making it easier to produce code. Andrej Karpathy popularized the phrase “vibe coding” for a style of programming where the user describes what they want and lets an AI system fill in much of the implementation. Collins later named vibe coding its 2025 word of the year, describing it as software development that turns natural language into code with AI assistance.¹

I do not take this to mean that expertise stops mattering. I take it to mean the opposite. When more code is produced with less friction, the bottleneck shifts from writing code to knowing whether the code preserves the intended meaning. This is especially true in machine learning, where the correctness of a system often depends on tensor shapes, broadcasting conventions, masks, tokenizers, randomness, floating point, cached state, and device kernels.

At the same time, theorem proving is becoming part of mainstream mathematics and AI. DeepMind’s AlphaProof made Lean visible to a broad audience by searching for formal proofs of Olympiad problems. Terence Tao’s Lean formalization work shows the complementary direction: mathematicians using formal systems to make existing arguments more explicit and collaborative.²

My bet is that the same shift will matter even more in scientific computing. The stakes are different. We are not only asking whether a proof of a theorem is valid. We are asking whether a learned simulator, a controller, a geometry pipeline, or a numerical certificate actually means what the paper says it means.

Figure 2 · the new bottlenecksyntax gets cheaper, semantics does not

intent

The idea

A paper claim, a model sketch, a physical law, a training objective.

generation

The code

Models, wrappers, data scripts, exporters, kernels, solvers.

interfaces

The crossings

PyTorch, JSON, graph IRs, certificates, CUDA, logs.

runtime

The execution

Float32, reductions, masks, caches, library calls, state.

claim

The meaning

A statement about all inputs in a region, not only a successful run.

TorchLean is a response to this shift. It gives the ML stack a semantic object that can be named, lowered, differentiated, bounded, checked, and discussed.

What TorchLean is

TorchLean is a Lean 4 codebase for neural network specification, execution, and verification. The project site describes it as connecting typed tensor and layer specifications, runnable training examples, graph IR semantics, floating point contracts, CUDA boundaries, and artifacts that Lean checkers can inspect.³

The current codebase is broader than the first paper. It includes a PyTorch shaped API, eager and compiled execution, reverse mode autograd, optimizers, logging, import and export, CUDA execution, Float32 and IEEE style semantics, IBP and CROWN style verification, and examples across vision, sequence models, generative models, reinforcement learning, PINNs, and 3D geometry certificates.⁴

But lists can obscure the point. The point is that all of these pieces should be able to refer to the same mathematical object. A TorchLean model can be user code. It can be a graph. It can be a runtime computation. It can be the target of autograd theorems. It can be the object whose bounds are checked by a verifier. Those are different views, not different meanings.

Figure 3 · one model, many viewsthe shared semantic target

User program

Typed tensor and layer code written in Lean with a PyTorch shaped surface.

Graph IR

An op tagged SSA DAG with node shapes and a denotation \(\llbracket G \rrbracket\).

Autograd

Reverse mode rules expressed as VJPs over the graph semantics.

Finite precision

Real, interval, FP32, IEEE32Exec, runtime Float32, and native CUDA floats.

\(\llbracket G \rrbracket\)the computation everyone is talking about

Verification

IBP boxes, CROWN affine bounds, margin checks, and external certificates.

CUDA

Runtime acceleration with explicit contracts around native kernels and libraries.

Modern models

GPT style text, Mamba, diffusion, RL, FNO, ViT, ResNet, and other examples.

Science claims

PDE residuals, controllers, 3D projections, robustness, and geometry checks.

The notation \(\llbracket G \rrbracket\) is the important habit. It forces us to ask which graph, which scalar semantics, which input region, and which runtime assumptions a claim is about.

The Lean view of a neural network

A neural network is a composition of tensor operations. TorchLean makes the tensor shape part of the type, so many shape errors become type errors rather than runtime surprises. At the semantic layer, tensors can be viewed as total functions over finite index sets. This is not always the fastest representation, but it is a clean reference meaning for proofs.

The graph view is equally important. A model lowers to an op tagged SSA DAG. Each node has a primitive operation, parent nodes, and an output shape. Because the graph is acyclic, evaluation is defined in topological order. Because each intermediate is assigned once, proofs and checkers can attach values, gradients, boxes, or affine forms to node IDs without ambiguity.

A typical graph level statement

For a well typed graph \(G\) over \(\R\), reverse mode backpropagation computes the adjoint derivative of the graph denotation:

\[\VJP_G(x;\bar y) = \left(D\llbracket G\rrbracket(x)\right)^\top \bar y.\]

That is the kind of statement I want ML infrastructure to make routine: not “the gradients look right,” but “this graph level algorithm computes the derivative of this denotation under these hypotheses.”

Figure 4 · the stackproofs, checkers, runtimes, and producers

SpecificationTyped tensors, shapes, layers, scalar polymorphism, pure operations.

RuntimeEager tape, compiled graph, optimizers, logging, import and export, CUDA path.

VerificationIBP, CROWN style affine bounds, margin checks, certificate checkers.

ApplicationsRobustness, PINNs, controllers, 3D geometry, text models, RL, diffusion.

ProvedInside Lean

Definitions and theorems over tensor semantics, graphs, selected derivatives, and sound checker cores.

CheckedArtifacts

External JSON or certificate data can be reloaded and checked against a small contract.

ValidatedRuntime behavior

CUDA kernels and CPU stubs are compared by tests, finite difference checks, and sanitizer runs.

NamedAssumptions

When native code, vendor libraries, Python, Julia, Arb, or CROWN producers enter, the boundary is explicit.

The goal is not to pretend every part of the modern ML stack is already proved. The goal is to make the contract precise enough that each part has a clear role.

Bugs become theorem shaped

One part of TorchLean that I like a lot is the Bug Zoo. These are small case studies for semantic bugs that pass ordinary runtime checks. The code still returns tensors, losses, or tokens, but the value no longer satisfies the intended contract.⁵

This is exactly the kind of bug I worry about in AI assisted coding. The code looks plausible. The output has the right shape. The notebook runs. But the meaning has shifted.

In TorchLean, the point is to turn these bugs into statements. Some bugs become impossible because the types rule them out. Some become checked artifacts. Some become named runtime assumptions. Some become small Lean theorems.

Figure 5 · examples of theorem shaped bugsordinary tensors are not enough

Causal attention masks

A future token can accidentally receive attention mass while all tensor shapes still look correct.

future key j > i ⇒ attentionWeight i j = 0

KV cache and RoPE

Incremental decoding can disagree with full sequence decoding if cache positions and rotary embeddings drift.

cache position contract ⇒ incremental semantics agrees with full sequence semantics

Tokenizer boundaries

The model can be correct for one tokenizer and meaningless for another. Byte token demos remove an external BPE dependency.

token ids are explicit tensors, not hidden files

Normalization state

Training statistics, inference statistics, and explicit inputs should not be silently conflated.

state is part of the contract, not an invisible side effect

Batch invariance

One sample processed alone should agree with the same sample inside a batch only under stated conditions.

single example semantics = selected batch semantics

Float and autograd boundaries

Runtime Float32 and proof facing IEEE semantics are related by a named bridge.

RuntimeFloat32MatchesIEEE32Exec ⇒ rewrite to IEEE32Exec

The Bug Zoo is not only a list of mistakes. It is a design pressure test for TorchLean: can we express the intended contract clearly enough that the bug has nowhere to hide?

A favorite example: fused attention without changing the meaning

Attention is a good example because it sits exactly where modern ML systems become both mathematical and systems heavy. The mathematical operation is scaled dot product attention. The efficient implementation may fuse scores, masking, softmax, and value multiplication so the full attention matrix is never materialized.

TorchLean’s CUDA guide describes a FlashAttention style fused attention contract. The Lean side has equality theorem names such as flashAttention_eq_scaledDotProductAttention, flashAttentionBackward_eq_scaledDotProductAttentionBackward, and cudaLoopFlashAttention_eq_scaledDotProductAttention. The guide is careful about the boundary: the fused spec denotes ordinary scaled dot product attention, while the native CUDA kernel is an FFI runtime path validated separately, not a proof of production CUDA machine code.⁶

Semantic equality, not only numerical comparison

Informally, for queries \(Q\), keys \(K\), values \(V\), and mask \(M\):

\[\Flash(Q,K,V,M) = \SDPA(Q,K,V,M)\]

where

\[\SDPA(Q,K,V,M) = \softmax\left(\frac{QK^\top}{\sqrt{d}} + M\right)V.\]

Figure 6 · fused attention as a semantic rewritewhat the theorem is really saying

Composed SDPA

scores = QKᵀ / √d

apply causal or padding mask

softmax with stable normalization

multiply by V

Fused contract

tiling metadata is scheduling

same masked attention denotation

fused forward contract

fused VJP contract

The theorem shaped breakthrough here is not “we proved every CUDA instruction.” It is that a fused, systems motivated operator can be connected to the clean mathematical operation it is meant to replace.

Why I care about scientific computing

In Anima’s group, a lot of the intellectual energy is around AI for science: neural operators, physical simulation, weather, inverse design, and models that interact with the physical world. Caltech’s AI4Science initiative, led by Anima Anandkumar and Yisong Yue, explicitly aims to bring AI researchers together with domain experts and push modern AI tools into science and engineering.⁷

This is where verification feels most alive to me. A scientific model is rarely just a function approximator. It is part of a claim: this residual is small, this controller is stable, this projected box encloses the object, this learned operator respects a numerical contract, this policy satisfies a safety condition over a region. Those claims involve math, code, data, and hardware at the same time.

TorchLean gives us a language for turning some of those claims into checkable objects. The goal is not to make every scientist prove everything manually. The goal is to make more of the scientific stack capable of carrying precise contracts by default.

Figure 7 · scientific ML claims are composite claimsthe model is only one piece

PINNs

A residual claim like \(\lvert u_t + u u_x - \nu u_{xx}\rvert \le \varepsilon\) depends on the network, derivatives, bound propagation, and numeric enclosures.

Controllers

A Lyapunov claim like \(V(x) \ge 0\) and \(\dot V(x) \le 0\) is a statement over a region, involving dynamics, controller semantics, gradients, and bound certificates.

3D vision

A geometry certificate can reload camera matrices and box corners, recompute projection in Lean, and check that the claimed 2D box encloses projected corners.

Neural operators

A learned operator or FNO style model needs contracts around discretization, FFT conventions, spectral multiplication, and the runtime path used to evaluate it.

Reinforcement learning

Policies are tied to environment state, randomness, rollouts, and reward conventions. Verification means stating which of those are part of the claim.

This is the broader reason I think TorchLean belongs in scientific computing. It is a way to connect learned computation to mathematical and numerical claims without hiding the interfaces.

Certificates: external tools as producers, Lean as checker

There is a pragmatic lesson from neural network verification: the strongest bound search procedures are often complex. You may want an external solver to optimize CROWN slopes, split regions, call a Python library, or produce a JSON artifact. TorchLean does not need to pretend those tools are Lean proofs. It can treat them as producers.

The verification tutorial describes a simple path: write or import a model, compile it to NN.IR.Graph, attach an input box, run a bound engine, and inspect or check output bounds. For margin properties, a lower bound on logit_true - logit_other can certify all inputs in a box when the bound stays positive.⁸

The pattern generalizes. An external tool may search. Lean checks the small statement that matters: the shapes match, the nodes match, the boxes or affine bounds are sound enough, and the final inequality follows.

Figure 8 · a toy margin certificateinteractive intuition

lower bound on true logit

upper bound on other logit

certified margin: 0.70

true

1.25

other

0.55

For a classifier, a common sufficient certificate is \(\underline z_y > \overline z_k\) for every other class \(k\). The interesting part is how the bounds were produced and checked against the graph semantics.

CUDA belongs in the story

If TorchLean only worked on tiny examples, it would be too detached from how ML is actually practiced. That is why CUDA matters. The CUDA guide says the backend is opt in, that it is a runtime backend rather than a second semantics, and that it covers float32 tensor work such as matmul, convolution, reductions, attention helpers, FFT and FNO kernels, selective scan and Mamba support, plus sanitizer and parity harnesses.⁹

The right attitude is practical. CUDA changes where supported tensor work runs. It should not silently change what the operation means. When a GPU path calls cuBLAS, cuFFT, a fused attention kernel, or a custom reduction, TorchLean keeps the Lean side meaning separate from the native runtime agreement. That way the same model API and graph can describe CPU eager execution, CUDA eager execution, and compiled verification graphs.

This is also a good example of the personal reason I care about the project. Scientific ML systems do not live in a clean theorem prover alone. They run on accelerators. They call vendor libraries. They use floating point. If theorem proving is going to matter for science, it has to meet those systems without losing precision about the contract.

Why the model zoo matters

A natural question is why TorchLean includes GPT style text models, GPT 2 style examples, Mamba, diffusion, MAE style learning, reinforcement learning, FNO examples, and a Bug Zoo if the core verification demos are smaller.

My answer is that verification should not be designed only for toy worlds. Text models bring tokenization, causal masks, caches, softmax, attention, sampling, and saved parameter packs. Mamba brings state space sequence computation and selective scan. Diffusion brings iterative sampling and scheduler conventions. RL brings policies, rollouts, environments, and randomness. FNO brings FFT conventions and spectral multiplication. These are exactly the places where semantics matter.

A small but revealing text choice

The TorchLean text demos tokenize bytes directly. Every UTF 8 byte is a token, so the vocabulary is fixed at 256. The docs say this avoids an external BPE file, tokenizer version ambiguity, and hidden cache dependencies.¹⁰ That may sound minor, but it is the kind of design choice that makes a verification claim easier to state.

Finite precision is not a footnote

Mathematical neural networks often live over \(\R\). Deployed neural networks do not. They run with Float32, library conventions, signed zeros, NaNs, subnormals, FMA behavior, reduction order, and sometimes approximate math modes.

TorchLean therefore separates numeric roles. Real semantics are useful for reference proofs and calculus. Interval domains are useful for enclosures. \(\texttt{FP32}\) and related round on real models are useful for error envelopes. \(\texttt{IEEE32Exec}\) gives an executable IEEE style binary32 semantics inside Lean. Runtime Float32 and native CUDA floats are useful for speed, but they enter through named bridges and assumptions.

This may feel like bookkeeping, but it is central to the project. A claim about real arithmetic, a claim about a proof oriented rounded model, a claim about an executable Float32 model, and a claim about a GPU run are not automatically the same claim. TorchLean tries to make the relation part of the statement.

The vision

I do not think the future is that every ML researcher writes long Lean proofs by hand before running an experiment. That would be the wrong lesson. The future I want is one where more of the stack becomes checkable by construction.

Models should carry shape contracts. Transformations should carry semantic contracts. Runtime boundaries should be named. Certificates should be small enough to check. Scientific claims should be connected to the computation that produced them. AI generated code should have places where its meaning is tested, not only its syntax.

TorchLean is one step toward that. It is a place to put neural networks, graphs, gradients, finite precision, CUDA boundaries, verification artifacts, and scientific examples under a common discipline. The project is public because I think this needs to become an ecosystem, not a private artifact.

What I hope TorchLean becomes

A shared substrate for theorem aware machine learning: not a replacement for PyTorch, CUDA, CROWN, or scientific solvers, but a Lean based layer where their claims can be stated, checked, and related to a precise model semantics.

Trying it

The repository builds as a normal Lean and Lake project. The public README lists the basic commands and maintained CLI entry points.¹¹

git clone https://github.com/lean-dojo/TorchLean.git
cd TorchLean
lake build

lake exe torchlean --help
lake exe verify --help

For verification examples:

lake exe verify -- torchlean-crown-ops --dtype float
lake exe verify -- torchlean-robustness --dtype float
lake exe verify -- margin-cert
lake exe verify -- abcrown-leaf

For CUDA, build with CUDA explicitly and then use runtime flags:

lake build -R -K cuda=true
lake exe -K cuda=true torchlean mlp --cuda --steps 20
lake exe -K cuda=true nn_tests_suite

Closing thought

The reason TorchLean still feels exciting to me after a year is that it sits between several things I care about: machine learning systems, theorem proving, numerical computing, and science. Each field has its own notion of correctness. TorchLean asks whether those notions can be made to meet around one object: the neural network as a precise semantic object.

That is the story I want the project to tell. We are not only verifying networks because verification is nice. We are trying to build a world where learned computation can enter scientific arguments with a meaning that is explicit, checkable, and shared.

Notes and references

Collins Dictionary, “The Collins Word of the Year 2025 is... vibe coding”. Collins describes vibe coding as software development that turns natural language into code using AI and notes Karpathy’s role in popularizing the term.
Google DeepMind, “AI achieves silver medal standard solving International Mathematical Olympiad problems”; Terence Tao, “Formalizing the proof of PFR in Lean4 using Blueprint”; Lean, official project page.
TorchLean homepage, Formalizing Neural Networks in Lean.
LeanDojo TorchLean page, TorchLean: Formalizing Neural Networks in Lean; GitHub repository, lean-dojo/TorchLean.
TorchLean examples, Bug Zoo Walkthrough.
TorchLean guide, FlashAttention style fused attention; TRUST_BOUNDARIES.md.
Caltech, AI4Science @ Caltech. The site describes the initiative led by Anima Anandkumar and Yisong Yue as bringing AI researchers together with domain experts across science and engineering.
TorchLean examples, Verification Bounds.
TorchLean guide, GPU and CUDA Boundaries.
TorchLean examples, Text Models Walkthrough.
GitHub repository, lean-dojo/TorchLean.
TorchLean preprint, arXiv:2602.22631. I treat the paper as the starting point, and the current site and repository as the source of truth for the broader public codebase described here.