Trust and Split: Mechanisms & Implications
- Trust and Split is a pattern in which trust is organized by partitioning roles, epistemic states, and computational processes to confine interactions within defined boundaries.
- It applies across domains such as asymmetric trust games, belief revision, human–AI interactions, computational trust prediction, and privacy-preserving split learning.
- The approach redistributes trust from monolithic entities to specific interfaces, emphasizing collective validation and exposing new vulnerabilities at the split boundaries.
“Trust and split” denotes a recurrent analytical pattern in which trust is organized through separation rather than treated as a single undifferentiated relation. In the cited literature, the relevant split may be a permanent division of social roles, a partition of epistemic state space, a separation between trust and distrust as constructs, a decomposition of trust evidence into heterogeneous channels, a client–server–client partition of a neural network, a division of signing authority across key shares, or a compartmentalization of safety-critical protocol logic. Taken together, these works suggest that trust is often governed by the boundaries introduced by the split itself: who may imitate whom, which distinctions a source is trusted to make, what intermediate representations another party may observe, and which subsystems must collectively validate an action.
1. Structured separation as a trust mechanism
Across the surveyed work, trust is repeatedly formalized by restricting interaction across an interface rather than by assuming global confidence in another party. In the asymmetric multiplayer trust game, investors and trustees remain in fixed roles and imitate only within role populations, so the split preserves the meaning of trusting and reciprocating (Lim et al., 2023). In belief revision, trust is represented by state partitions or pseudometrics that determine which distinctions a reporting agent is trusted to make (Hunter, 2014). In human–AI measurement, trust and distrust are treated as distinct constructs rather than opposite ends of a single continuum (Scharowski et al., 2024). In split learning and split computing, raw data remain local while activations, gradients, or hidden states cross the cut layer, making the interface itself the locus of privacy and trust risk (Khan et al., 2023). In distributed trust infrastructures, either the private key is split across nodes or the protocol logic is split across trusted compartments so that no single component is trusted with the whole decision (Grierson et al., 2023, Messadi et al., 2022).
| Domain | What is split | Trust consequence |
|---|---|---|
| Evolutionary trust game | Investors and trustees are fixed roles | Trust and trustworthiness coevolve without role collapse |
| Belief revision | Reports are filtered through partitions/pseudometrics | Only trusted distinctions are revised on |
| Human–AI measurement | Trust and distrust are measured separately | Low trust is not identical to distrust |
| Split learning | Model computation is partitioned across parties | Raw data stay local but intermediate signals matter |
| Trust infrastructure | Keys or protocol logic are divided | Agreement depends on collective validation |
This recurring design choice does not eliminate trust requirements. A plausible implication is that it relocates them from monolithic actors to the interfaces between separated roles, channels, or components.
2. Role asymmetry in multiplayer trust games
The asymmetric -player trust game studies two infinite populations, one of investors and one of trustees. In each interaction, a group of investors and trustees is drawn, with . Each investor chooses either to invest or not to invest, and each trustee chooses to be trustworthy or untrustworthy. Social learning is role-aware: investors imitate investors and trustees imitate trustees. This asymmetry is introduced to correct two deficiencies in an earlier multiplayer model, namely that investors were forced to invest and that investors and trustees could imitate one another until one role disappeared (Lim et al., 2023).
The total invested value is aggregated nonlinearly. If investors invest, the total value is
Here governs nonlinearity: $0
0
whereas a trustworthy trustee receives only a fraction 1, with 2. Investors who do not invest receive 3. Institutional incentives add fees and rewards: investors pay 4 and, if investing, receive 5; trustees pay 6 and, if trustworthy, receive 7, with 8 as administrative cost. The dynamics are then governed by asymmetric replicator equations,
9
The phase portrait depends sharply on both the payoff nonlinearity and the trustee incentive. Without incentives to trustees, 0, the system is attracted to the edge 1, so trust is not sustained. When
2
an interior equilibrium 3 appears. Its stability is regime-dependent: for 4, 5 is asymptotically stable; for 6, it is neutrally stable and trajectories cycle around it; for 7, it is unstable and trajectories approach the heteroclinic cycle
8
At 9, a line of equilibria appears on 0, and for 1 the fully cooperative state 2 becomes globally asymptotically stable.
The welfare analysis is equally specific. Social welfare is the population-average payoff, and increasing the investor incentive always lowers this average payoff because
3
The model therefore identifies trustee-targeted incentives as the main policy lever. For 4, if
5
the optimal outcome is full trust and full trustworthiness, achieved by 6 and 7. In large super-linear regimes, either 8 or 9, the threshold becomes
0
The paper also reports that numerical tests with 1 and 2 produce qualitatively similar dynamics. The substantive conclusion is not that nonlinearity simply amplifies cooperation, but that it changes the topology of the trust dynamics.
3. Epistemic partitions, split constructs, and compartmental trust
In belief revision, trust is modeled as a pre-processing step before revision rather than a property of the revision operator itself. For an agent 3, the trust function maps a reporter 4 to a state partition 5. If two states lie in different cells, 6 trusts 7 to distinguish them; if they lie in the same cell, 8 does not. A report 9 is transformed by the partition closure
0
and trust-sensitive revision selects the 1-minimal states in that closure. The syntactic counterpart is the trust expansion 2. The framework recovers standard extremes: the trivial partition yields no learning, while the unit partition yields ordinary AGM revision. To compare different degrees of trust across sources, the paper generalizes partitions to pseudometrics 3 on states and selects the least threshold 4 at which simultaneous trusted reports become jointly compatible (Hunter, 2014).
The psychometric literature on human–AI interaction introduces a different but related split. A pre-registered 5 within-subject online experiment with 1485 participants and 2970 complete scale responses compared trustworthy and untrustworthy chatbot and autonomous-vehicle scenarios. The Trust Scale for the AI Context was largely supported as a single-factor trust measure, with 6, 7, 8, 9, and reliability 0, 1. By contrast, the Trust between People and Automation scale did not fit as a single factor, with 2, 3, 4, 5; exploratory factor analysis supported a two-factor split between trust and distrust, and after removing items 4 and 12 the fit improved to 6, 7, 8, 9. The reported pattern supports the view that trust and distrust are distinct constructs that may coexist independently (Scharowski et al., 2024).
A stochastic compartmental model of trust in society makes the split explicit at the population level. The population is partitioned into trusters $0 $0 with stability depending on $0 Dynamic trust prediction in graphs extends the same logic from roles and belief states to evidence channels. TCHG argues that trust evidence should not be treated as an undifferentiated input, but decomposed into entity reliability, interaction-behavior reliability, and contextual trust. For a candidate event 0 the evidence is partitioned as 1 where 2, 3, and 4 correspond to those three channels. Each channel is encoded separately into a latent representation 5 and a scalar credibility strength 6. The three channels are then assigned distinct control roles over heterogeneous message passing: entity reliability governs message admission, interaction-behavior reliability modulates propagation strength, and contextual trust chooses a propagation operator through a context-conditioned soft mixture over a bank 7 (Liao et al., 15 Jun 2026). The temporal structure is equally split. TCHG maintains independent temporal states 8, 9, and 0 with non-uniform decay 1 using 2, 3, 4 and 5, 6, 7. This prevents rapidly changing contextual signals from overwriting slowly accumulated entity reliability. The model predicts both trust probability and uncertainty, 8 and optimizes 9 followed by post-hoc calibration 00 The empirical results are reported on Epinions, Ciao, and CiaoDVD. On Epinions under the 80%-10%-10% observed-user split, TCHG reaches 01, 02, and 03; in the unobserved-user setting it still reaches 04, 05, and 06. On Ciao, it reaches 07, and on CiaoDVD 08. The ablations show that “Feature Injection Only” and “Attention Only” underperform the full model, and removing component-wise memory produces the largest degradation. The uncertainty estimates are also operational: on Epinions observed-user data, rejecting the most uncertain half of the edges raises MRR from 09 to 10 (Liao et al., 15 Jun 2026). The model therefore treats trust as a multichannel control problem rather than a single score. Split learning and split computing reframe trust as a problem of what crosses the cut layer. In standard split learning, a client computes early layers on raw data, sends the split activation to a server, and receives gradients for backpropagation. The basic privacy advantage is that raw data are not transmitted, but the trust problem persists because activation maps and gradients may still leak sensitive information. This concern is explicit in both medical time-series split learning and generative-AI split computing (Khan et al., 2023, Ohta et al., 2023). Several systems attempt to preserve the computational benefit of splitting while reducing what the remote side can infer. In U-shaped split learning with homomorphic encryption, the client holds the early and final layers, encrypts the split activation map, and the server evaluates its middle layer on ciphertexts. For a 1D CNN on ECG signals, the encrypted U-shaped protocol reports a best test accuracy of 11, only 12 below the plaintext baseline of 13, under 14, 15, and scale 16; raw training data privacy is preserved, although the backward pass still contains a residual leakage caveat because sending 17 and 18 to the server “leads to a privacy leakage of the activation maps” (Khan et al., 2023). A related HE-based U-shaped protocol on the PTB-XL ECG dataset reports a local plaintext accuracy of 19 and a best encrypted accuracy of 20, again a 21 drop, but with large training-duration and communication costs depending on the HE parameters (Khan et al., 2023). Function Secret Sharing extends this line by combining U-shaped split learning with two non-colluding servers. SplitHappens masks the activation map as 22 keeps the final prediction layer on the client, and thereby hides labels and final outputs from the servers. Under a semi-honest adversary that corrupts at most one server, the paper states LIA soundness and MIA soundness: a corrupted server cannot successfully launch label inference or model inversion. On MNIST, FMNIST, and CIFAR, SplitHappens matches prior accuracy in many settings while being much faster than full FSS training; private training nevertheless remains hundreds to over 23 slower than public training, and communication costs are roughly 24–25 higher for private methods (Khan et al., 14 Jul 2025). Generative split computing applies a similar principle to inference rather than training. 26-Split partitions a generative model into three sub-models: head and tail on the local device, body on the cloud. Raw prompts and final outputs remain local, and only hidden-layer outputs traverse the network. On Llama-2-7b-chat-hf, caching reduces transmitted data from about 27 MB total to about 28–29 MB total, roughly a 30 reduction, and improves throughput up to 31 tokens/s for the 32 split. For Stable Diffusion XL, INT8 affine quantization yields a 33 reduction in transmitted volume relative to FP32 and produces images with PSNR/SSIM around 34, while FP16 remains around 35 (Ohta et al., 2023). The security claim is not formal cryptographic secrecy; the paper explicitly treats resistance to inversion from hidden states as an open problem. At the transcript level, split learning has also been defended with differential privacy. TPSL perturbs gradients along the label-separating direction rather than isotropically, using 36 If the perturbation mechanism is 37-DP, TPSL is 38-transcript DP, with a refinement to 39-transcript DP when the perturbation is moved to the final hidden layer of the label party’s network. On Avazu, plaintext split learning yields attack AUC values near perfect label recovery, with NA AUC 40, SA AUC 41, and SDA AUC 42; under Laplace TPSL at 43, the test AUC is about 44 versus the non-private baseline 45 (Yang et al., 2022). A separate line of work introduces R46eLU as a privacy-preserving tunnel for SplitNN, using randomized response, Laplace noise, and top-47 clipping in both forward and backward propagation to resist property inference, data reconstruction, and feature space hijacking (Mao et al., 2023). Privacy-preserving splitting does not by itself guarantee honest computation. Verifiable split learning addresses this by attaching Groth16 zk-SNARK proofs to both directions of the protocol. The split network is written as 48 and an external Prover Entity generates proofs that the client-side smashed activation and the server-side backward vector were correctly computed. A Verifying Entity checks those proofs before the receiving worker accepts the message. Invalid or missing proofs are discarded, and a client is excluded from the round if verification fails. In the paper’s comparison, blockchain logging is lightweight because it only records updates, timestamps, and metadata, but it remains unverifiable: it does not prove that the client-side activation or server-side gradient was computed correctly (Alaa et al., 3 Nov 2025). Robustness against active attacks introduces another trust dimension. SecureSplit is a server-side defense against backdoor attacks in split learning, where malicious clients alter embeddings to implant hidden triggers. The defense first reshapes the embedding space by 49 then computes the coordinate-wise median 50 and an adaptive radius 51 with 52, retaining embeddings satisfying 53 On CIFAR-10 under VILLAIN, SecureSplit reports 54 and 55, versus 56 for TrMean, 57 for Multi-Krum, and 58 for VFLIP. The paper further reports that as poison rate increases from 59 to 60, SecureSplit keeps ASR below 61 across the range, and it remains robust as trigger magnitude increases from 62 to 63 (Dou et al., 20 Jan 2026). Client-cooperative split learning treats trust as partial and economically consequential. CliCooper assumes a data client with private dataset 64 and true labels 65, trainer clients 66 that process successive model segments, and a fully trusted verifier 67. Privacy is provided by secret label expansion 68 and by DP-protected activations 69 Ownership and training provenance are enforced through dynamic chained watermarking: each trainer’s watermark is derived from the predecessor’s activation digest and identity information, then embedded by minimizing 70 The experiments report that CliCooper reduces the success rate of clustering attacks to 71, decreases inversion-reconstruction similarity from 72 to 73, and limits model-extraction-based surrogates to about 74 accuracy, comparable to random guessing; watermark extraction accuracy remains above 75 (Deng et al., 9 Mar 2026). Here the split is not merely computational. It is also a provenance chain. Outside machine learning, trust-by-splitting appears in cryptographic infrastructures and Byzantine agreement. In segmented or isolated networks where external PKI cannot be assumed, a leaderless multi-domain trust infrastructure uses Pedersen distributed key generation so that each node contributes a secret polynomial, receives a signing share 76, and the domain collectively obtains a group public key 77 Threshold signing then produces partial responses 78 that are aggregated into a final signature 79. The paper evaluates DKG for 80 to 81 nodes with threshold 82: Round 1 rises from 83 ms to 84 ms, while Round 2 rises from 85 ms to 86 ms. By contrast, distributed signing remains under 87 ms across the tested sizes in a 88-of-89 scheme. The aggregation method has communication complexity 90 and expected termination in roughly 91 rounds (Grierson et al., 2023). The split private key turns consensus into a collective cryptographic act. SplitBFT compartmentalizes trust inside each replica rather than across a signing group. Starting from PBFT’s standard 92 baseline, it places safety-critical logic into three SGX-protected compartments: preparation, confirmation, and execution. The host environment is untrusted; enclaves themselves may also be Byzantine; and faults are assumed independent across compartment types. Safety-critical transitions occur only after the relevant quorum certificates have been checked across compartment boundaries. Applied to PBFT, the preparation compartment handles These literatures do not present a single unified theory, but they converge on a common operational lesson. Splitting can preserve the semantics of trust, limit what another party can learn, force collective authorization, and make correctness auditable. It can also create new attack surfaces at the very interfaces it introduces. The central problem is therefore not simply whether to trust, but how trust is redistributed when roles, evidence, computation, or authority are split.4. Decomposed evidence in computational trust prediction
5. Privacy-preserving split computation and split learning
6. Verifiability, robustness, and provenance in partially trusted collaborative learning
7. Split-key trust infrastructures and compartmentalized consensus
PrePrepare and NewView, the confirmation compartment handles Prepare, Commit, and ViewChange, and the execution compartment waits for a quorum of Commits, executes requests, and maintains application state. On Azure SGX-enabled VMs, SplitBFT reaches about 93–94 of PBFT throughput on a key-value workload and 95–96 on a blockchain workload without batching; with batching, the figures are about 97 and 98, respectively (Messadi et al., 2022). The architecture does not reduce the replica count. It instead changes the fault model by splitting a replica into smaller trusted compartments.