Papers
Topics
Authors
Recent
Search
2000 character limit reached

Trust and Split: Mechanisms & Implications

Updated 4 July 2026
  • Trust and Split is a pattern in which trust is organized by partitioning roles, epistemic states, and computational processes to confine interactions within defined boundaries.
  • It applies across domains such as asymmetric trust games, belief revision, human–AI interactions, computational trust prediction, and privacy-preserving split learning.
  • The approach redistributes trust from monolithic entities to specific interfaces, emphasizing collective validation and exposing new vulnerabilities at the split boundaries.

“Trust and split” denotes a recurrent analytical pattern in which trust is organized through separation rather than treated as a single undifferentiated relation. In the cited literature, the relevant split may be a permanent division of social roles, a partition of epistemic state space, a separation between trust and distrust as constructs, a decomposition of trust evidence into heterogeneous channels, a client–server–client partition of a neural network, a division of signing authority across key shares, or a compartmentalization of safety-critical protocol logic. Taken together, these works suggest that trust is often governed by the boundaries introduced by the split itself: who may imitate whom, which distinctions a source is trusted to make, what intermediate representations another party may observe, and which subsystems must collectively validate an action.

1. Structured separation as a trust mechanism

Across the surveyed work, trust is repeatedly formalized by restricting interaction across an interface rather than by assuming global confidence in another party. In the asymmetric multiplayer trust game, investors and trustees remain in fixed roles and imitate only within role populations, so the split preserves the meaning of trusting and reciprocating (Lim et al., 2023). In belief revision, trust is represented by state partitions or pseudometrics that determine which distinctions a reporting agent is trusted to make (Hunter, 2014). In human–AI measurement, trust and distrust are treated as distinct constructs rather than opposite ends of a single continuum (Scharowski et al., 2024). In split learning and split computing, raw data remain local while activations, gradients, or hidden states cross the cut layer, making the interface itself the locus of privacy and trust risk (Khan et al., 2023). In distributed trust infrastructures, either the private key is split across nodes or the protocol logic is split across trusted compartments so that no single component is trusted with the whole decision (Grierson et al., 2023, Messadi et al., 2022).

Domain What is split Trust consequence
Evolutionary trust game Investors and trustees are fixed roles Trust and trustworthiness coevolve without role collapse
Belief revision Reports are filtered through partitions/pseudometrics Only trusted distinctions are revised on
Human–AI measurement Trust and distrust are measured separately Low trust is not identical to distrust
Split learning Model computation is partitioned across parties Raw data stay local but intermediate signals matter
Trust infrastructure Keys or protocol logic are divided Agreement depends on collective validation

This recurring design choice does not eliminate trust requirements. A plausible implication is that it relocates them from monolithic actors to the interfaces between separated roles, channels, or components.

2. Role asymmetry in multiplayer trust games

The asymmetric NN-player trust game studies two infinite populations, one of investors and one of trustees. In each interaction, a group of NIN_I investors and NTN_T trustees is drawn, with N=NI+NTN=N_I+N_T. Each investor chooses either to invest or not to invest, and each trustee chooses to be trustworthy or untrustworthy. Social learning is role-aware: investors imitate investors and trustees imitate trustees. This asymmetry is introduced to correct two deficiencies in an earlier multiplayer model, namely that investors were forced to invest and that investors and trustees could imitate one another until one role disappeared (Lim et al., 2023).

The total invested value is aggregated nonlinearly. If kik_i investors invest, the total value is

1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}

Here w>0w>0 governs nonlinearity: $0w=1w=1 is linear, and w>1w>1 is super-linear or synergistic. Trustees share the total investment equally. An untrustworthy trustee receives

NIN_I0

whereas a trustworthy trustee receives only a fraction NIN_I1, with NIN_I2. Investors who do not invest receive NIN_I3. Institutional incentives add fees and rewards: investors pay NIN_I4 and, if investing, receive NIN_I5; trustees pay NIN_I6 and, if trustworthy, receive NIN_I7, with NIN_I8 as administrative cost. The dynamics are then governed by asymmetric replicator equations,

NIN_I9

The phase portrait depends sharply on both the payoff nonlinearity and the trustee incentive. Without incentives to trustees, NTN_T0, the system is attracted to the edge NTN_T1, so trust is not sustained. When

NTN_T2

an interior equilibrium NTN_T3 appears. Its stability is regime-dependent: for NTN_T4, NTN_T5 is asymptotically stable; for NTN_T6, it is neutrally stable and trajectories cycle around it; for NTN_T7, it is unstable and trajectories approach the heteroclinic cycle

NTN_T8

At NTN_T9, a line of equilibria appears on N=NI+NTN=N_I+N_T0, and for N=NI+NTN=N_I+N_T1 the fully cooperative state N=NI+NTN=N_I+N_T2 becomes globally asymptotically stable.

The welfare analysis is equally specific. Social welfare is the population-average payoff, and increasing the investor incentive always lowers this average payoff because

N=NI+NTN=N_I+N_T3

The model therefore identifies trustee-targeted incentives as the main policy lever. For N=NI+NTN=N_I+N_T4, if

N=NI+NTN=N_I+N_T5

the optimal outcome is full trust and full trustworthiness, achieved by N=NI+NTN=N_I+N_T6 and N=NI+NTN=N_I+N_T7. In large super-linear regimes, either N=NI+NTN=N_I+N_T8 or N=NI+NTN=N_I+N_T9, the threshold becomes

kik_i0

The paper also reports that numerical tests with kik_i1 and kik_i2 produce qualitatively similar dynamics. The substantive conclusion is not that nonlinearity simply amplifies cooperation, but that it changes the topology of the trust dynamics.

3. Epistemic partitions, split constructs, and compartmental trust

In belief revision, trust is modeled as a pre-processing step before revision rather than a property of the revision operator itself. For an agent kik_i3, the trust function maps a reporter kik_i4 to a state partition kik_i5. If two states lie in different cells, kik_i6 trusts kik_i7 to distinguish them; if they lie in the same cell, kik_i8 does not. A report kik_i9 is transformed by the partition closure

1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}0

and trust-sensitive revision selects the 1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}1-minimal states in that closure. The syntactic counterpart is the trust expansion 1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}2. The framework recovers standard extremes: the trivial partition yields no learning, while the unit partition yields ordinary AGM revision. To compare different degrees of trust across sources, the paper generalizes partitions to pseudometrics 1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}3 on states and selects the least threshold 1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}4 at which simultaneous trusted reports become jointly compatible (Hunter, 2014).

The psychometric literature on human–AI interaction introduces a different but related split. A pre-registered 1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}5 within-subject online experiment with 1485 participants and 2970 complete scale responses compared trustworthy and untrustworthy chatbot and autonomous-vehicle scenarios. The Trust Scale for the AI Context was largely supported as a single-factor trust measure, with 1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}6, 1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}7, 1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}8, 1wki1w={0if ki=0, 1if ki=1, 1+w+w2++wki1if ki2.\frac{1-w^{k_i}}{1-w} = \begin{cases} 0 & \text{if } k_i=0,\ 1 & \text{if } k_i=1,\ 1+w+w^2+\cdots+w^{k_i-1} & \text{if } k_i\ge 2. \end{cases}9, and reliability w>0w>00, w>0w>01. By contrast, the Trust between People and Automation scale did not fit as a single factor, with w>0w>02, w>0w>03, w>0w>04, w>0w>05; exploratory factor analysis supported a two-factor split between trust and distrust, and after removing items 4 and 12 the fit improved to w>0w>06, w>0w>07, w>0w>08, w>0w>09. The reported pattern supports the view that trust and distrust are distinct constructs that may coexist independently (Scharowski et al., 2024).

A stochastic compartmental model of trust in society makes the split explicit at the population level. The population is partitioned into trusters $0

$0

with stability depending on $0Meylahn et al., 2024). Here the skeptical middle is not incidental; it is the only channel through which trust and complete distrust can influence one another.

4. Decomposed evidence in computational trust prediction

Dynamic trust prediction in graphs extends the same logic from roles and belief states to evidence channels. TCHG argues that trust evidence should not be treated as an undifferentiated input, but decomposed into entity reliability, interaction-behavior reliability, and contextual trust. For a candidate event

w=1w=10

the evidence is partitioned as

w=1w=11

where w=1w=12, w=1w=13, and w=1w=14 correspond to those three channels. Each channel is encoded separately into a latent representation w=1w=15 and a scalar credibility strength w=1w=16. The three channels are then assigned distinct control roles over heterogeneous message passing: entity reliability governs message admission, interaction-behavior reliability modulates propagation strength, and contextual trust chooses a propagation operator through a context-conditioned soft mixture over a bank w=1w=17 (Liao et al., 15 Jun 2026).

The temporal structure is equally split. TCHG maintains independent temporal states w=1w=18, w=1w=19, and w>1w>10 with non-uniform decay

w>1w>11

using w>1w>12, w>1w>13, w>1w>14 and w>1w>15, w>1w>16, w>1w>17. This prevents rapidly changing contextual signals from overwriting slowly accumulated entity reliability. The model predicts both trust probability and uncertainty,

w>1w>18

and optimizes

w>1w>19

followed by post-hoc calibration

NIN_I00

The empirical results are reported on Epinions, Ciao, and CiaoDVD. On Epinions under the 80%-10%-10% observed-user split, TCHG reaches NIN_I01, NIN_I02, and NIN_I03; in the unobserved-user setting it still reaches NIN_I04, NIN_I05, and NIN_I06. On Ciao, it reaches NIN_I07, and on CiaoDVD NIN_I08. The ablations show that “Feature Injection Only” and “Attention Only” underperform the full model, and removing component-wise memory produces the largest degradation. The uncertainty estimates are also operational: on Epinions observed-user data, rejecting the most uncertain half of the edges raises MRR from NIN_I09 to NIN_I10 (Liao et al., 15 Jun 2026). The model therefore treats trust as a multichannel control problem rather than a single score.

5. Privacy-preserving split computation and split learning

Split learning and split computing reframe trust as a problem of what crosses the cut layer. In standard split learning, a client computes early layers on raw data, sends the split activation to a server, and receives gradients for backpropagation. The basic privacy advantage is that raw data are not transmitted, but the trust problem persists because activation maps and gradients may still leak sensitive information. This concern is explicit in both medical time-series split learning and generative-AI split computing (Khan et al., 2023, Ohta et al., 2023).

Several systems attempt to preserve the computational benefit of splitting while reducing what the remote side can infer. In U-shaped split learning with homomorphic encryption, the client holds the early and final layers, encrypts the split activation map, and the server evaluates its middle layer on ciphertexts. For a 1D CNN on ECG signals, the encrypted U-shaped protocol reports a best test accuracy of NIN_I11, only NIN_I12 below the plaintext baseline of NIN_I13, under NIN_I14, NIN_I15, and scale NIN_I16; raw training data privacy is preserved, although the backward pass still contains a residual leakage caveat because sending NIN_I17 and NIN_I18 to the server “leads to a privacy leakage of the activation maps” (Khan et al., 2023). A related HE-based U-shaped protocol on the PTB-XL ECG dataset reports a local plaintext accuracy of NIN_I19 and a best encrypted accuracy of NIN_I20, again a NIN_I21 drop, but with large training-duration and communication costs depending on the HE parameters (Khan et al., 2023).

Function Secret Sharing extends this line by combining U-shaped split learning with two non-colluding servers. SplitHappens masks the activation map as

NIN_I22

keeps the final prediction layer on the client, and thereby hides labels and final outputs from the servers. Under a semi-honest adversary that corrupts at most one server, the paper states LIA soundness and MIA soundness: a corrupted server cannot successfully launch label inference or model inversion. On MNIST, FMNIST, and CIFAR, SplitHappens matches prior accuracy in many settings while being much faster than full FSS training; private training nevertheless remains hundreds to over NIN_I23 slower than public training, and communication costs are roughly NIN_I24–NIN_I25 higher for private methods (Khan et al., 14 Jul 2025).

Generative split computing applies a similar principle to inference rather than training. NIN_I26-Split partitions a generative model into three sub-models: head and tail on the local device, body on the cloud. Raw prompts and final outputs remain local, and only hidden-layer outputs traverse the network. On Llama-2-7b-chat-hf, caching reduces transmitted data from about NIN_I27 MB total to about NIN_I28–NIN_I29 MB total, roughly a NIN_I30 reduction, and improves throughput up to NIN_I31 tokens/s for the NIN_I32 split. For Stable Diffusion XL, INT8 affine quantization yields a NIN_I33 reduction in transmitted volume relative to FP32 and produces images with PSNR/SSIM around NIN_I34, while FP16 remains around NIN_I35 (Ohta et al., 2023). The security claim is not formal cryptographic secrecy; the paper explicitly treats resistance to inversion from hidden states as an open problem.

At the transcript level, split learning has also been defended with differential privacy. TPSL perturbs gradients along the label-separating direction rather than isotropically, using

NIN_I36

If the perturbation mechanism is NIN_I37-DP, TPSL is NIN_I38-transcript DP, with a refinement to NIN_I39-transcript DP when the perturbation is moved to the final hidden layer of the label party’s network. On Avazu, plaintext split learning yields attack AUC values near perfect label recovery, with NA AUC NIN_I40, SA AUC NIN_I41, and SDA AUC NIN_I42; under Laplace TPSL at NIN_I43, the test AUC is about NIN_I44 versus the non-private baseline NIN_I45 (Yang et al., 2022). A separate line of work introduces RNIN_I46eLU as a privacy-preserving tunnel for SplitNN, using randomized response, Laplace noise, and top-NIN_I47 clipping in both forward and backward propagation to resist property inference, data reconstruction, and feature space hijacking (Mao et al., 2023).

6. Verifiability, robustness, and provenance in partially trusted collaborative learning

Privacy-preserving splitting does not by itself guarantee honest computation. Verifiable split learning addresses this by attaching Groth16 zk-SNARK proofs to both directions of the protocol. The split network is written as

NIN_I48

and an external Prover Entity generates proofs that the client-side smashed activation and the server-side backward vector were correctly computed. A Verifying Entity checks those proofs before the receiving worker accepts the message. Invalid or missing proofs are discarded, and a client is excluded from the round if verification fails. In the paper’s comparison, blockchain logging is lightweight because it only records updates, timestamps, and metadata, but it remains unverifiable: it does not prove that the client-side activation or server-side gradient was computed correctly (Alaa et al., 3 Nov 2025).

Robustness against active attacks introduces another trust dimension. SecureSplit is a server-side defense against backdoor attacks in split learning, where malicious clients alter embeddings to implant hidden triggers. The defense first reshapes the embedding space by

NIN_I49

then computes the coordinate-wise median NIN_I50 and an adaptive radius

NIN_I51

with NIN_I52, retaining embeddings satisfying

NIN_I53

On CIFAR-10 under VILLAIN, SecureSplit reports NIN_I54 and NIN_I55, versus NIN_I56 for TrMean, NIN_I57 for Multi-Krum, and NIN_I58 for VFLIP. The paper further reports that as poison rate increases from NIN_I59 to NIN_I60, SecureSplit keeps ASR below NIN_I61 across the range, and it remains robust as trigger magnitude increases from NIN_I62 to NIN_I63 (Dou et al., 20 Jan 2026).

Client-cooperative split learning treats trust as partial and economically consequential. CliCooper assumes a data client with private dataset NIN_I64 and true labels NIN_I65, trainer clients NIN_I66 that process successive model segments, and a fully trusted verifier NIN_I67. Privacy is provided by secret label expansion

NIN_I68

and by DP-protected activations

NIN_I69

Ownership and training provenance are enforced through dynamic chained watermarking: each trainer’s watermark is derived from the predecessor’s activation digest and identity information, then embedded by minimizing

NIN_I70

The experiments report that CliCooper reduces the success rate of clustering attacks to NIN_I71, decreases inversion-reconstruction similarity from NIN_I72 to NIN_I73, and limits model-extraction-based surrogates to about NIN_I74 accuracy, comparable to random guessing; watermark extraction accuracy remains above NIN_I75 (Deng et al., 9 Mar 2026). Here the split is not merely computational. It is also a provenance chain.

7. Split-key trust infrastructures and compartmentalized consensus

Outside machine learning, trust-by-splitting appears in cryptographic infrastructures and Byzantine agreement. In segmented or isolated networks where external PKI cannot be assumed, a leaderless multi-domain trust infrastructure uses Pedersen distributed key generation so that each node contributes a secret polynomial, receives a signing share NIN_I76, and the domain collectively obtains a group public key

NIN_I77

Threshold signing then produces partial responses

NIN_I78

that are aggregated into a final signature NIN_I79. The paper evaluates DKG for NIN_I80 to NIN_I81 nodes with threshold NIN_I82: Round 1 rises from NIN_I83 ms to NIN_I84 ms, while Round 2 rises from NIN_I85 ms to NIN_I86 ms. By contrast, distributed signing remains under NIN_I87 ms across the tested sizes in a NIN_I88-of-NIN_I89 scheme. The aggregation method has communication complexity NIN_I90 and expected termination in roughly NIN_I91 rounds (Grierson et al., 2023). The split private key turns consensus into a collective cryptographic act.

SplitBFT compartmentalizes trust inside each replica rather than across a signing group. Starting from PBFT’s standard NIN_I92 baseline, it places safety-critical logic into three SGX-protected compartments: preparation, confirmation, and execution. The host environment is untrusted; enclaves themselves may also be Byzantine; and faults are assumed independent across compartment types. Safety-critical transitions occur only after the relevant quorum certificates have been checked across compartment boundaries. Applied to PBFT, the preparation compartment handles PrePrepare and NewView, the confirmation compartment handles Prepare, Commit, and ViewChange, and the execution compartment waits for a quorum of Commits, executes requests, and maintains application state. On Azure SGX-enabled VMs, SplitBFT reaches about NIN_I93–NIN_I94 of PBFT throughput on a key-value workload and NIN_I95–NIN_I96 on a blockchain workload without batching; with batching, the figures are about NIN_I97 and NIN_I98, respectively (Messadi et al., 2022). The architecture does not reduce the replica count. It instead changes the fault model by splitting a replica into smaller trusted compartments.

These literatures do not present a single unified theory, but they converge on a common operational lesson. Splitting can preserve the semantics of trust, limit what another party can learn, force collective authorization, and make correctness auditable. It can also create new attack surfaces at the very interfaces it introduces. The central problem is therefore not simply whether to trust, but how trust is redistributed when roles, evidence, computation, or authority are split.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Trust and Split.