Papers
Topics
Authors
Recent
Search
2000 character limit reached

VeriLLM: Decentralized LLM Verification

Updated 3 July 2026
  • VeriLLM is a decentralized protocol for LLM inference that leverages cryptographic commitments and a one-honest-verifier assumption to ensure secure and traceable operations.
  • It employs a lightweight segment verification algorithm that reduces verification compute to approximately 1% of native inference while ensuring end-to-end correctness.
  • An incentive layer with peer-prediction mechanisms and an isomorphic GPU network architecture enhances throughput and deters dishonest participation with strict economic penalties.

VeriLLM is a protocol for publicly verifiable decentralized inference of LLMs designed for permissionless environments. It achieves security under a one-honest-verifier assumption, near-negligible verification cost, and robust incentive compatibility. The framework combines cryptographic commitments, lightweight model-specific verification, peer-prediction economic mechanisms, an isomorphic inference-verification network, and a formal game-theoretic security analysis to provide end-to-end correctness guarantees against rational adversaries (Wang et al., 29 Sep 2025).

1. Cryptographic Protocol Design and Trust Model

VeriLLM operates atop a permissionless, blockchain-supported substrate. Clients submit inference requests, which are hashed and dispatched by a scheduler. Each LLM inference pipeline is divided into LL contiguous segments F1,,FLF_1,\dots,F_L, and for each segment, participants are pseudorandomly and verifiably assigned the role of Inferencer or Verifier via a public Verifiable Random Function (VRF). Each boundary hidden state Si(t)S^{(t)}_i produced by Inferencers is committed to with a Merkle root γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i) and signed, ensuring integrity and traceability.

The protocol’s guarantees depend only on the “one-honest-verifier” assumption: as long as at least one Verifier per segment/job is honest, corrupted outputs are detected except with negligible probability.

Security properties include:

  • Completeness: Honest inference and verification are accepted by the protocol with probability 1negl(λ)1-\mathrm{negl}(\lambda) (security parameter).
  • Soundness: Any materially incorrect inference is rejected with probability 1negl(λ)1-\mathrm{negl}(\lambda).
  • Trace integrity: Hidden state modifications post-commitment require breaking collision resistance or signature unforgeability.
  • Unbiased sampling: VRF-derived verifier assignments and challenge indices are unpredictable prior to commitment.
  • Task-type indistinguishability: Workers cannot determine if a job is inference or verification at runtime, neutralizing mode-adaptive adversarial strategies.

2. Lightweight Segment Verification Algorithm

VeriLLM deploys a verification algorithm explicitly tuned for transformer-style LLMs, exploiting their autoregressive and segmentable structure. Traditional verification would require recomputing the entire sequence or applying expensive zero-knowledge proof techniques. Instead, VeriLLM leverages the following insight:

Given full knowledge of the decoded output y1:Ty_{1:T}, the Verifier replaces the usual TT-step token-by-token decode with a single “batch-prefill” forward pass under the causal mask—a process that computes all hidden states at once and thus requires 1%\sim 1\% of the original inference compute. For segment ii, the Verifier receives upstream inputs F1,,FLF_1,\dots,F_L0 and reconstructs F1,,FLF_1,\dots,F_L1 with F1,,FLF_1,\dots,F_L2.

Verification pseudocode (LaTeX):

F1,,FLF_1,\dots,F_L3

The empirical cost of this process is approximately F1,,FLF_1,\dots,F_L4 of the native inference, enabling scalable decentralized deployment without the cost overheads of general-purpose proof systems.

3. Incentive Layer and Peer-Prediction Mechanisms

Central to the resiliency of VeriLLM is mitigation of “lazy” verification (free-riding verifiers submitting results without computation). This is achieved through on-chain commit-then-open procedures:

  • Commit: Verifiers must publish cryptographically committed verdicts (F1,,FLF_1,\dots,F_L5) and segment Merkle roots (F1,,FLF_1,\dots,F_L6).
  • Open: Once challenge indices are sampled via a second VRF, Verifiers must reveal the values for those indices, else automatic penalization (slashing) is enforced.

Rewards are allocated via a combination of majority and clustering payoff rules. If F1,,FLF_1,\dots,F_L7, consensus determines acceptance and honest verifiers are paid. If less than majority but a sufficiently large agreeing cluster exists, only the cluster is rewarded and dissenters are slashed. Otherwise, rewards are withheld and a zero-knowledge dispute may be initiated.

The payoff structure for a Verifier is: | | Correct | Incorrect | |-----------|----------------|---------------| | Compute honestly | F1,,FLF_1,\dots,F_L8 | F1,,FLF_1,\dots,F_L9 | | Skip compute | Si(t)S^{(t)}_i0 | Si(t)S^{(t)}_i1 |

where Si(t)S^{(t)}_i2 is the verifier payment, Si(t)S^{(t)}_i3 is compute cost, and Si(t)S^{(t)}_i4 is the slashing penalty. With proper parameterization, honest computation is a strictly dominant strategy.

4. Isomorphic Inference–Verification Network Architecture

Classic approaches statically partition roles between Inferencer and Verifier GPU workers, wasting capacity under variable load. The isomorphic architecture of VeriLLM multiplexes both roles across the same physical GPU pool, exposed by identical RPC interfaces and kernel entry points. VRF-sealed randomization of task assignment ensures role unpredictability and process indistinguishability at job boundaries.

This structure yields:

  • Full GPU utilization: Available capacity is smoothly shifted between inference and verification, increasing throughput by 10–30%.
  • Enhanced validator pool: Every worker is eligible for validation, raising the bar for attacker sampling attacks.
  • Task-type neutrality: Identical memory layout and interface remove attack vectors based on job metadata.

Throughput model: with inference load Si(t)S^{(t)}_i5 and verification fraction Si(t)S^{(t)}_i6, required GPU count is Si(t)S^{(t)}_i7, with utilization converging to Si(t)S^{(t)}_i8.

5. Game-Theoretic Security Analysis

The protocol’s equilibrium properties are established through precise Nash equilibrium arguments. Each Inferencer and Verifier chooses between correct or deviant computation. The following utility matrix (simplified, for a Verifier Si(t)S^{(t)}_i9 and Inferencer):

Inferencer γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)0 Inferencer γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)1
Verifier γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)2 γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)3 γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)4
Verifier γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)5 γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)6 γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)7

Here, γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)8 is the probability that a challenge exposes incompetence or cheating.

Key lemmas:

  • If γi(t)=MerkleRoot(Si(t))\gamma^{(t)}_i = \mathsf{MerkleRoot}(S^{(t)}_i)9 and 1negl(λ)1-\mathrm{negl}(\lambda)0 is sufficiently large, Verifier’s best response is to compute honestly.
  • If the Inferencer’s cost savings from cheating 1negl(λ)1-\mathrm{negl}(\lambda)1 is less than 1negl(λ)1-\mathrm{negl}(\lambda)2, the Inferencer favors honest inference.

Therefore, with at least one honest verifier per job, honest inferencing and verification forms a (strict) Nash equilibrium, and any rational player minimizes risk by honest participation. These arguments formalize the incentive compatibility of VeriLLM for rational but potentially adversarial participants.

6. Implementation Layer and Empirical Observations

VeriLLM achieves public verifiability at an operational overhead near 1% of native inference. Experimental deployment on standard transformer models with public segmentations supports the empirical claims of negligible slowdown for verifiers, rapid sampling/commitment via on-chain primitives, and robust validator performance under workload bursts.

Isomorphic GPU networks deliver improved throughput and pool utilization, and observed validator clustering penalizes observable free-riding rates, supporting the predicted equilibrium incentives. Twin-phase commit-then-open with VRF selection and challenge sampling resists coordinated collusion and targeted attacks.

7. Significance and Context in the Decentralized AI Landscape

VeriLLM is, as of its publication, the first decentralized inference protocol for LLMs that establishes an end-to-end, game-theoretic, and cryptographically sound verifiability framework with negligible (<2%) overhead. The system is architected for deployment in publicly auditable or on-chain settings, enabling cost-efficient, permissionless, and rationality-resilient inference infrastructure. Its engine for incentivized, lightweight post-hoc verification could form a baseline security layer for decentralized AI APIs, model-sharing platforms, and federated LLM services (Wang et al., 29 Sep 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to VeriLLM.