
Trustless Audits without Revealing Data or Models (2404.04500v1)

Published 6 Apr 2024 in cs.CR, cs.AI, cs.CY, and cs.LG

Abstract: There is an increasing conflict between business incentives to hide models and data as trade secrets, and the societal need for algorithmic transparency. For example, a rightsholder wishing to know whether their copyrighted works have been used during training must convince the model provider to allow a third party to audit the model and data. Finding a mutually agreeable third party is difficult, and the associated costs often make this approach impractical. In this work, we show that it is possible to simultaneously allow model providers to keep their model weights (but not architecture) and data secret while allowing other parties to trustlessly audit model and data properties. We do this by designing a protocol called ZkAudit in which model providers publish cryptographic commitments of datasets and model weights, alongside a zero-knowledge proof (ZKP) certifying that published commitments are derived from training the model. Model providers can then respond to audit requests by privately computing any function F of the dataset (or model) and releasing the output of F alongside another ZKP certifying the correct execution of F. To enable ZkAudit, we develop new methods of computing ZKPs for SGD on modern neural nets for simple recommender systems and image classification models capable of high accuracies on ImageNet. Empirically, we show it is possible to provide trustless audits of DNNs, including copyright, censorship, and counterfactual audits with little to no loss in accuracy.


Summary

  • The paper presents a novel trustless audit protocol that uses zero-knowledge proofs to verify model training without revealing proprietary data or model weights.
  • It leverages cryptographic commitments and optimized arithmetic operations to enable efficient deep neural network audits while maintaining high training accuracy.
  • Empirical results on image classification and recommender systems demonstrate that the protocol closely replicates fp32 training performance with minimal accuracy loss.

Trustless Audits without Revealing Data or Models: A Protocol for Transparent AI

Introduction

The increasingly proprietary nature of Machine Learning (ML) models and datasets, juxtaposed with the societal call for algorithmic transparency, introduces a complex dilemma. The conflict is particularly palpable when stakeholders, such as copyright holders, require assurances about the training data but face hurdles due to businesses' reluctance to disclose sensitive information. This challenge is amplified in sectors where data secrecy is paramount, such as healthcare. The conventional approaches to facilitating audits, including revealing the model and data, multi-party computation (MPC), and trusting a third party (TTP), often prove insufficient or impractical because of trust, cost, or logistical issues.

The ZkAudit Protocol

To address this challenge, the paper introduces ZkAudit, a two-step protocol leveraging Zero-Knowledge Proofs (ZKPs) to facilitate trustless audits. The protocol comprises ZkAudit-T (Snapshot), in which the model provider publishes cryptographic commitments to the dataset and the trained weights together with a ZKP that the weights were obtained by training on the committed data, and ZkAudit-I (Inquiry), in which the provider answers an audit request by computing a function F of the committed data or model and releasing the output together with a ZKP of its correct execution. This lets model providers confirm specific model and data properties without disclosing either. Through cryptographic commitments and ZKPs, ZkAudit preserves the confidentiality of model weights and data while ensuring audit integrity, which mitigates the trust and transparency conflict around proprietary models in sensitive or regulated environments.
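The Snapshot/Inquiry flow above, reduced to its commitment half as an added example that is not the paper's code: the provider commits to a constructed dataset with a SHA-256 Merkle root, and a copyright inquiry "is this work in the training set?" is answered with an inclusion proof against the published root, so no other record is revealed. The Merkle proof stands in for the paper's ZK-SNARK of F and covers only the membership case; the dataset contents and the function names are assumptions.

```python
import hashlib

def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(record: bytes) -> bytes:
    return sha(b"\x00" + record)          # domain-separate leaves from inner nodes

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha(b"\x01" + left + right)

def _pad(level):
    # Duplicate the last node on odd-sized levels so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_proof(leaves, index):
    """Sibling hashes from leaf to root, each tagged with whether it sits on the left."""
    level, proof = list(leaves), []
    while len(level) > 1:
        level = _pad(level)
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof

def verify_inclusion(root, record, proof):
    """Auditor side: needs only the published root, the queried record and the proof."""
    node = leaf_hash(record)
    for sibling, sibling_is_left in proof:
        node = node_hash(sibling, node) if sibling_is_left else node_hash(node, sibling)
    return node == root

# Constructed stand-in for the provider's private training set.
DATASET = [b"img:cat_0001", b"img:dog_0017", b"txt:poem_by_alice", b"txt:recipe_42", b"audio:song_7"]

def snapshot_step(dataset):
    """ZkAudit-T analogue: publish only the dataset commitment; records stay secret."""
    return merkle_root([leaf_hash(r) for r in dataset])

def inquiry_step(dataset, queried_work):
    """ZkAudit-I analogue for F = 'is this work in the dataset?': an inclusion proof when
    present, None otherwise (proving absence needs a ZKP over F, not a Merkle proof)."""
    if queried_work not in dataset:
        return None
    return merkle_proof([leaf_hash(r) for r in dataset], dataset.index(queried_work))
```

A ZKP is what lets ZkAudit prove arbitrary F, including that a work is absent; the Merkle proof here only shows why a commitment alone already binds the provider to one fixed dataset.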

Technical Innovations

The implementation of ZkAudit necessitates overcoming significant technical barriers, specifically in conducting audits on Deep Neural Networks (DNNs) using ZKPs, a feat not achieved by prior work. To this end, the contributions are multifold:

  • Zero-Knowledge Proofs for Training:

We extend the capabilities of ZK-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) to cover the backward pass in gradient descent, thus enabling proofs of model training. This advancement is critical for validating the training process without revealing training data or model weights.

  • Optimizations for Efficient Proofs:

Our protocol introduces optimizations including rounded division and variable precision fixed-point arithmetic for training within ZK-SNARKs. These optimizations are pivotal for maintaining high training accuracies, which previous integer-based approaches could not achieve. Additionally, we implement an optimized softmax operation essential for classification tasks, addressing a significant gap in existing literature on ZKPs for ML.

  • Empirical Validation:

ZkAudit is empirically validated on practical ML tasks, including image classification and recommender systems, demonstrating its ability to closely emulate fp32 training accuracies at manageable computational costs. Specifically, audits on real-world datasets show that ZkAudit can replicate non-private training performance with minimal accuracy drops, affirming its practicality.
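The rounded-division optimization from the second bullet, as an added example that is not the paper's code: a toy full-batch gradient descent on constructed data is run in Python floats and in integer fixed-point arithmetic of the kind a ZK circuit uses, with the rescaling after each multiply done either by rounding to nearest (the paper's rounded division) or by plain floor. FRAC_BITS, the data and the learning rate are assumptions; the paper's per-layer variable precision and softmax are not shown.

```python
"""Fixed-point SGD with rounded vs. truncating (floor) division.
Constructed toy: fit y = 3x - 1 by full-batch gradient descent."""

FRAC_BITS = 12          # assumption: fractional bits of the fixed-point format
ONE = 1 << FRAC_BITS    # fixed-point representation of 1.0
XS = [-2.0, -1.0, 0.0, 1.0, 2.0]          # constructed inputs
YS = [3.0 * x - 1.0 for x in XS]          # exact labels

def to_fx(x): return int(round(x * ONE))
def to_float(v): return v / ONE

def div_round(num, den):
    """Round-to-nearest integer division (ties away from zero): the paper's rounded division."""
    if num >= 0:
        return (num + den // 2) // den
    return -((-num + den // 2) // den)

def div_floor(num, den):
    """Plain truncating division floor(num/den), biased toward -inf on every call."""
    return num // den

def fx_mul(a, b, div): return div(a * b, ONE)   # multiply, then rescale by ONE

def train_fx(div, lr=0.1, steps=200):
    """Fixed-point gradient descent; `div` selects the rescaling rule. Returns (w, b) as floats."""
    lr_fx, w, b, n = to_fx(lr), 0, 0, len(XS)
    xs, ys = [to_fx(x) for x in XS], [to_fx(y) for y in YS]
    for _ in range(steps):
        errs = [fx_mul(w, x, div) + b - y for x, y in zip(xs, ys)]
        gw = div(sum(fx_mul(e, x, div) for e, x in zip(errs, xs)), n)
        gb = div(sum(errs), n)
        w -= fx_mul(lr_fx, gw, div)
        b -= fx_mul(lr_fx, gb, div)
    return to_float(w), to_float(b)

def train_float(lr=0.1, steps=200):
    """Reference fp training with the same data and schedule."""
    w = b = 0.0
    for _ in range(steps):
        errs = [w * x + b - y for x, y in zip(XS, YS)]
        w -= lr * sum(e * x for e, x in zip(errs, XS)) / len(XS)
        b -= lr * sum(errs) / len(XS)
    return w, b

def truncation_bias(div, n_pairs=500):
    """Accumulate products whose exact results are 0.25 and 0.75 LSB (exact sum 1 LSB per
    pair): floor drops the fractional part every time, rounding cancels the errors pairwise."""
    quarter, three_quarters = ONE // 4, 3 * ONE // 4
    return sum(fx_mul(1, quarter, div) + fx_mul(1, three_quarters, div) for _ in range(n_pairs))
```

Comparing `train_fx(div_round)` with `train_fx(div_floor)` and `train_float()` shows the rounded variant tracking the float result while the accumulated bias of floor is visible directly in `truncation_bias`.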

Implications and Future Directions

The ZkAudit protocol signifies a major step towards reconciling the need for privacy and trade secret protection with the societal demand for algorithmic transparency. By enabling trustless audits, this research opens avenues for regulated industries to leverage cutting-edge AI technologies responsibly. Additionally, the success of ZkAudit in executing ZKPs for DNN training sets a precedent for future explorations into secure, private, and transparent AI implementations.

Speculatively, expanding the capabilities and efficiencies of ZkAudit could facilitate more widespread adoption of trustless audits across different AI domains, including LLMs. As AI continues to integrate deeply into critical societal functions, the methodologies presented in this paper provide a foundational framework for ensuring these technologies are used ethically, transparently, and responsibly.

While the immediate impact of ZkAudit is evident in the context of trustless audits, the protocol's underlying innovations in ZKP implementations for DNNs invite further inquiry. Future research could explore extending these cryptographic techniques to other types of neural networks or machine learning paradigms, potentially unlocking new realms of secure and private AI applications.