Zero-knowledge Machine Learning (ZKML)

Zero-Knowledge Proofs

On the algorithm side, Zero-Knowledge Proofs (ZKPs) are crucial to achieving the above objectives. They provide the means to confirm the authenticity and integrity of the models run by nodes, thereby establishing trust among users and stakeholders in the decentralized system. Specifically, a ZKP allows a prover $\mathcal{P}$ to convince a verifier $\mathcal{V}$ that a statement is true without revealing any information beyond the statement's validity. For model verification, $\mathcal{P}$ demonstrates that $\mathcal{M}$ executed correctly on input $x$ to produce output $y$, without revealing $x$, $y$, or the model parameters $\theta$.
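
For reference, writing $s$ for the public statement (e.g., commitments to $x$, $y$, and $\theta$ together with the claim that $\mathcal{M}(x;\theta)=y$), the standard requirements on such a proof system can be stated informally as:

$$
\begin{aligned}
&\textbf{Completeness:} && s \text{ true} \;\Rightarrow\; \Pr[\mathcal{V}(s,\pi)=\mathrm{accept}] = 1,\\
&\textbf{Soundness:} && s \text{ false} \;\Rightarrow\; \Pr[\mathcal{V}(s,\pi^{*})=\mathrm{accept}] \le \varepsilon,\\
&\textbf{Zero-knowledge:} && \mathcal{V}\text{'s view can be simulated from } s \text{ alone.}
\end{aligned}
$$

Here $\pi$ is a proof produced by an honest $\mathcal{P}$, $\pi^{*}$ is any proof produced by a cheating prover, and $\varepsilon$ is negligible.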

Implementation: Zero-Knowledge Machine Learning for Private Models

Nesa supports Zero-Knowledge Machine Learning (ZKML) for selected private models such as Convolutional Neural Networks (CNNs), and we look forward to working on customized solutions for our clients. Applying ZKML to smaller, private models offers a secure way to maintain the confidentiality of sensitive data and model parameters across decentralized systems.

To apply ZKPs to smaller, private models such as neural networks, linear models, or decision trees, we can outline the approach as follows (a minimal illustrative sketch appears after the list):

  • Model Execution: Consider a simple linear model for demonstration:

    $$y = \mathbf{w} \cdot \mathbf{x} + b$$

    where $\mathbf{w}$ represents the weight vector, $\mathbf{x}$ is the input vector, and $b$ is the bias.

  • Proof Construction: The prover $\mathcal{P}$ constructs a proof that they have calculated $y$ correctly using the model parameters $\mathbf{w}$ and $b$, without revealing these parameters or the input $\mathbf{x}$. The proof must demonstrate that:

    $$y = \mathbf{w} \cdot \mathbf{x} + b$$

    is computed correctly, aligning with the agreed-upon model structure and parameters.

  • Verification Process: The verifier $\mathcal{V}$, upon receiving the proof, checks its validity through a verification algorithm that confirms whether the provided $y$ is consistent with the execution of $\mathcal{M}(\mathbf{x}; \mathbf{w}, b)$, without learning any specifics about $\mathbf{w}$, $\mathbf{x}$, or $b$.

  • Zero-Knowledge Property: The crucial aspect of ZKPs in this context is ensuring that no knowledge other than the correctness of the model execution is leaked. This is typically achieved by structuring the proof to obfuscate the details using cryptographic techniques such as commitment schemes or garbled circuits.
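
As a concrete illustration of the proof-construction and verification steps above, the sketch below uses the additive homomorphism of Pedersen commitments to check the linear relation while keeping $\mathbf{w}$ and $b$ hidden. This is a simplified, hypothetical example rather than Nesa's implementation: the input $\mathbf{x}$ and output $y$ are treated as public here, the group parameters are toy-sized and insecure, and a production ZKML system would instead compile the model into an arithmetic circuit and prove it with a succinct proof system.

```python
# Illustrative sketch only (assumed construction, not Nesa's ZKML pipeline):
# verify y = w . x + b via Pedersen commitments, hiding w and b.
import secrets

# Toy group parameters -- insecure, for demonstration only.
p = 1019                 # safe prime, p = 2q + 1
q = 509                  # prime order of the subgroup we work in
g = pow(2, 2, p)         # generator of the order-q subgroup (a quadratic residue)
h = pow(3, 2, p)         # second generator; log_g(h) must be unknown to the prover

def commit(m: int, r: int) -> int:
    """Pedersen commitment C = g^m * h^r (mod p): hiding and binding."""
    return (pow(g, m % q, p) * pow(h, r % q, p)) % p

# --- Prover side ------------------------------------------------------------
w = [7, 3, 11]                                        # secret weight vector
b = 5                                                 # secret bias
x = [2, 4, 6]                                         # public input vector
y = (sum(wi * xi for wi, xi in zip(w, x)) + b) % q    # public claimed output

r_w = [secrets.randbelow(q) for _ in w]               # blinding factors
r_b = secrets.randbelow(q)
C_w = [commit(wi, ri) for wi, ri in zip(w, r_w)]      # commitments to each w_i
C_b = commit(b, r_b)                                  # commitment to b

# Aggregate blinding factor for the claimed linear combination.
R = (sum(xi * ri for xi, ri in zip(x, r_w)) + r_b) % q
# The prover publishes (C_w, C_b, y, R); w, b and the r's stay private.

# --- Verifier side ----------------------------------------------------------
# Homomorphic check: prod_i C_i^{x_i} * C_b = g^{w.x + b} * h^R,
# so it equals commit(y, R) exactly when y = w . x + b (mod q).
lhs = C_b
for Ci, xi in zip(C_w, x):
    lhs = (lhs * pow(Ci, xi, p)) % p

print("linear relation verified:", lhs == commit(y, R))   # True
```

The check works because $\prod_i C_i^{x_i}\cdot C_b = g^{\mathbf{w}\cdot\mathbf{x}+b}\,h^{R}$, which matches $g^{y}h^{R}$ exactly when $y=\mathbf{w}\cdot\mathbf{x}+b$ holds modulo the group order; the commitments themselves reveal nothing about $\mathbf{w}$ or $b$.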

By leveraging ZKPs, organizations can validate the integrity of computations in sensitive applications without exposing the underlying data or model specifics, enhancing trust and security within decentralized systems. Nesa is committed to expanding its ZKML capabilities to include more model types and customized solutions tailored to our clients' specific needs.

Visioning: Zero-Knowledge Machine Learning for Large, Public Models

First, we argue that since the parameters of open foundation models are already accessible to all parties, verification can be done far more efficiently than with ZKML, whose cost increases significantly with model complexity.

Specifically, in the decentralized setting, ZKPs face challenges for large language models (LLMs). The primary challenge stems from the computational complexity and scalability of ZKPs when applied to the vast parameter spaces typical of LLMs, represented by $\mathcal{M}(\mathbf{x}; \theta) = \mathbf{y}$. Generating and verifying ZKPs for models with billions of parameters can be prohibitively expensive in terms of computational resources and time, making real-time verification impractical. Moreover, the dynamic nature of LLMs, which may require continuous updates and retraining, further complicates the generation of ZKPs.

Additionally, the complexity of the inference tasks performed by LLMs introduces further challenges in formulating ZKPs. The deep layering and non-linear operations in LLMs, e.g., transformers, represented mathematically as a composition of functions $\mathcal{M} = f_n \circ \cdots \circ f_1$, require sophisticated ZKP schemes that can efficiently handle such complexities. Existing ZKP protocols may not readily adapt to the specific requirements of verifying LLM inference while preserving privacy guarantees.
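
To make the scaling concern concrete, the following back-of-the-envelope count (assumed, typical transformer dimensions; not measurements of any particular system) compares the number of multiplications a proof circuit would have to arithmetize for a small linear model versus a single token of LLM inference. Each multiplication contributes at least one constraint to the circuit a ZKP must cover.

```python
# Rough illustration with assumed dimensions -- not benchmarks.
# Count the multiplications a ZK circuit would need to arithmetize.

# Small private linear model: y = w . x + b with 1,000 features.
linear_mults = 1_000

# One transformer block, hidden size d, FFN expansion 4d, per token:
#   attention projections (Q, K, V, output): ~4 * d^2 multiplications
#   feed-forward network (d -> 4d -> d):     ~8 * d^2 multiplications
d, layers = 4096, 32                     # assumed GPT-class dimensions
llm_mults_per_token = layers * 12 * d ** 2

print(f"linear model:      ~{linear_mults:.1e} multiplications")
print(f"LLM, single token: ~{llm_mults_per_token:.1e} multiplications")
print(f"ratio:             ~{llm_mults_per_token / linear_mults:.1e}x")
```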

ZKML in the Nesa System

In summary, ZKPs present an ideal and visionary approach for ensuring model integrity and establishing trust within decentralized inference systems utilizing LLMs. The theoretical appeal of ZKPs lies in their potential to verify computations without revealing the underlying data or the specific operations performed, aligning perfectly with the privacy and security requisites of LLM applications. Thus, we support ZKML for private models with the highest security assurance.

For large public models, the realization of ZKML faces substantial challenges today, primarily due to computational complexity, scalability issues, and the sophisticated nature of LLMs. As such, while ZKPs remain a compelling direction for future research and development, enabling their use with LLMs and other large models in decentralized systems is a goal we are actively pursuing.
