Zero knowledge machine learning, ZKML, refers to the process of running a machine learning model inside of a zero knowledge circuit, inputting machine learning data and model weights into a ZK circuit to generate a proof π. The outputted proof can be verified on a blockchain. For example, the proof may attest to the fact that a machine learning model ran on some input.
The use of Zero-Knowledge Proofs (ZKPs) in neural networks (NNs) provides a balance between privacy and transparency, depending on the desired use case.
Indeed, there are many potential ZKML applications in the future based on the above combinations of privacy preferences. Today, the concrete use cases center on model integrity. Model integrity may refer to things like reproducibility, validity, and AI fairness. Future use cases of ZKML could include fighting deepfakes with attested sensor cameras and microphones. Further down the road AI agents will serve as human surrogates who act to satisfy human intentions. ZKML will be important to integrate so users have proof that agents acted in their interests while keeping their identities and information about intentions private.
In this article, we will focus on three aspects of ZKML.
It should be noted that as an experiment I wrote this article with the help of GPT-4. I didn't use GPT-4 to source any information, but rather to help me re-order my notes on the source materials in a readable digest. I've never done this before, but I thought it would be a fun experiment. That said I did edit every line in the article.
Similar to function privacy in blockchain architectures, there exist a diversity of approaches to achieve privacy in Machine Learning models. Colloquially, ZKML is often used as a catchall to describe multiple methods of achieving privacy for ML models, it is not technically precise. That being said, as memes propogate there is often value in the information they transmit. As such let's briefly review MPC, HE, ZKPs & TEEs.
Machine Learning (ML) is an integral branch of artificial intelligence (AI) that empowers computers to learn and improve from data without explicit instructions. Serving as a cornerstone within the AI hierarchy, ML uses statistical techniques to interpret patterns, allowing computers to predict outcomes and evolve based on experiences. Deep Learning, a subset of ML, further enriches this process. Inspired by the human brain, it employs intricate neural networks that learn from unstructured data, pushing the boundaries of machine accuracy and learning capacity.
The AI hierarchy can be represented as a set of Matroyshka dolls, a reference to wooden dolls that are nested within each other decreasing in size with each new doll.
{PlaceHolder picture}
Three key aspect of machine learning include;
One of the challenges that exists in ZKML compositions is creating an efficient interaction between the Machine Learning model and the Zero Knowledge proof generation. ML models deal with floating point numbers, numbers without a fixed number of digits before and after the decimal point eg. 3.14, 4.2069, 8.888888.
On the other hand Zero Knowledge proofs deal with fixed-point number arithmetic over finite fields. Fixed-point is a method of representing fractional numbers by storing a fixed number of digits of their fractional part.
Neural network inference is typically done in floating-point arithmetic, which is extremely expensive to emulate in the prime field of arithmetic circuits. Therefore there exists a helpful mathematical technique called quantization that allows for "conversion" of a floating input from a continuous or otherwise large set of values (floating-point) to a discrete set (fixed-point). This conversion from large numbers to small integers allows for a more efficient construction of a zk-SNARK.
Having algorithms that are biased in different ways. One nice way to fix this is having a social media company they would publish a hash of the program they use for spam detection, ranking, emphasis, deemphasis. They publish the hash and pre-commit to reveal what the code is, except for the weights. In the meantime, they provide ZKPs to you that what you are running in your browser is the output of that program.
In real time this maybe isn’t as helpful, but what you know in a couple of years the program will be revealed and then people can analyze it. Realistically, it has to be delayed because algorithms have to be closed source for some time. But delay them long enough.
For this to be possible, you need to prove what you as the user see is the output of running this code. Maybe a use case of validity ML and not so much ZKML.
You may be wondering what's so special about ZKML, sounds nice in theory, but is it worth the scarce resource of attention? Indeed, here we will start with some motivations for ZKML. (cite Jason from EZKL.)
Now that we have an introductory level understanding, of ZKPs, ML, and ZKML, let's briefly review what ZKML is not. This is important because in an emergent area of research and design, there can be colloquial misconceptions.
The ability to discern AI from human actions and confirm which tasks an AI has been authorized to carry out on a human's behalf is becoming increasingly critical. Various applications of ZKML discussed in this article and those not yet derived (or mistakenly omitted) can help solve this problem by fighting misinformation including deepfakes.
Deepfakes are manipulated images or videos, a specific kind of synthetic media where a person in an image or video is swapped with another person’s likeness, with the intent to deceive humans. 1 Deepfakes are becoming ubiquitous and sophisticated, contributing to the spread of misinformation. This misinformation can have significant impacts on society at large and cause disruptions with many negative externalities. Deepfake manipulations involve altering a person's appearance for social engineering purposes. For example Deepfakes can be used to
The rise of deepfakes raises a critical question: how can we verify the authenticity of visual media in the face of malicious adversaries?
-Kang, Hashimoto, Stoica, Sun in ZK-IMG: Attested Images via Zero-Knowledge Proofs to Fight Disinformation, 2022
With attested sensor cameras and microphones, humans can gain assurances about the authenticity of synthetically generated content, which they can use to make judgements about the legitimacy of the information presented to them.
Take a presidential election, for example. If Party A runs a deepfake video on Facebook that shows Party B's candidate saying things they did not say, many consumers of this content may react in a way they would not have if the deepfake did not exist. Requiring Party A to post a proof that attests to the authenticity of the audio and video used in the video would act as a filter for deepfake content.
This is particularly helpful during ongoing political campaigns, where dueling parties may claim “fake news” towards the other's marketing material. Average consumers need a tool which allows them to decipher the authenticity of the content they consume. This has implications beyond social media, but also could improve the credibility of local and national media outlets, whose credibility is often in question as they manufacture consent through salacious headlines in order to capture attention and control the masses.
One potential countermeasure against deepfakes is the use of attested cameras, which incorporate hardware that signs pixels immediately upon capture (taking a picture). This digital signature authenticates the original image, ensuring its integrity and trustworthiness.
As an example image a bomb goes off in small town in Montanna. With a digital signature the camera could prove the authenticity of the image and potentially attest to its location and time the image was captured.
However, challenges emerge when users want to edit these attested images. For instance, to crop out certain information, without revealing the original image or compromising privacy. While it is virtually impossible to fully prevent physical alterations, the goal is to increase the difficulty and cost of producing convincing deepfakes, discouraging their creation purely through software manipulation.
In response to this challenge, a new technology called ZK-img has been proposed, which attests to image edits securely and privately. ZK-img is a library for attesting to image transformations while hiding the pre-transformed image. Zk-img allows application developers to specify high level image transformation
ZK-img takes the signature of the original image as a hidden witness and outputs an edited image using ZK-SNARKs, enabling consumers to verify that the edits were done honestly without facial swaps or other deceptive manipulations. However, ZK-img isn't a standalone solution; it needs to be integrated with other technologies like decentralized signature tracking or image and proof registries.
A promising application is the creation of a Trustless Face ID system, where a user takes a photo with an attested camera, performs certain edits or cropping, and inputs this into a face ID model. The system then produces a proof that the edited face matches a previously uploaded image, ensuring authentication while preserving privacy and not revealing sensitive biometric information.
Attested Sensor Microphones can help fight against deepfakes by proving the provenance of a speakers voice. Also they could be used to prove than an AI agent is authorized to speak on behalf of a human. In an environment where AI-generated audio can mimic human voices flawlessly, we need a reliable chain of trust stretching from the initial capture of audio to its final playback.
Establishing a chain of trust from the audio capture to final playback requires trusting how the audio is captured and how the audio is edited. Attested sensor microphones have a hardware unit that cryptographically signs the audio signal as soon as it is captured. This cryptographic signature is unforgeable, even with AI tools. With this signature, anyone can verify that the audio came from a specific microphone. In order to verify that audio came from a specific individual, that person can publish the public key of the attested microphone.
There are many circumstances where you would want to privately edit the original audio from an Attested Sensore Microphone. For example, intelligence agencies can use background noise to identify your location, which compromises privacy. To preserve privacy, you may want to perform edits like removing the background noise or cutting out parts of a conversation that might contain sensitive information.
There are some Limitations. For example, attested microphones don’t allow you to perform edits on the audio, including edits like noise reduction or cutting out sensitive information. Also, attested microphones are still early in development. However there are some promising results coming out of the latest Eth CC hackathon!
Prompts are the initial input to models, guiding their responses or actions. Creating effective prompts can be challenging. They require a clear understanding of the task at hand, as well as insights into how the AI model will interpret and respond to them. A poorly crafted prompt can lead to incorrect or irrelevant responses, while a well-thought-out prompt can drive optimal outputs. This underlines the value in generating and utilizing prompts effectively.
In order to enhance the value and provenance of prompts, the concept of 'Proof of Prompts' has been introduced. This involves taking hidden inputs and using these to generate a ZK-SNARK, which produces an output. This method ensures that the results derived from the prompt are valid and truthful without revealing the input information. You can imagine Prompt NFTs selling on an order-book based marketplace accruing speculative value based on their perceived usefulness.
Moreover, this approach adds a layer of versatility to prompt usage. Once a prompt has been purchased, it can be modified for a wide range of use cases, while still preserving the original intent and truthfulness. This adaptability broadens the applicability of a single prompt, maximizing its value. It also enables the users to tailor the prompt to their specific needs without worrying about compromising the integrity of the original prompt or the results derived from it. This unique combination of authenticity, privacy, and flexibility makes the 'Proof of Prompts' approach a promising development in the effective usage of prompts.
ZKaggle is a decentralized bounty platform for hosting, verifying, and paying out bounties, with the added benefit of privacy preservation.
WorldCoin etc.
It’s clear that even tech savy crypto users have struggled to use public blockchains. Many stop at a Centralized exchange because it’s just easier to interface with, provides some privacy, and often offers better liquidity than decentralized exchanges. Also, the trust assumptions are relatively straight forward. In order for crypto to scale to one billion users we need a better user experience onchain. One such emergent idea is LLMs as a wallet interface.
For example, ChatGPT gained 1 billion users faster than any modern technology in the history of the world. I think it’s clear that users like ChatGPT, in the same way they like soft-confirmations from a centralized rollup sequencer. Good UX is hard to argue with. Given the ease of use and path towards mass adoption, what would a ChatGPT type of interface look like and why would it need ZKML?
User: I’d like to swap 100,000,000 SHIB for ETH. Get me the best price. I’d like my funds stored in my Ethereum wallet.
ChatGPT: Do you have any specific execution preferences?
User: What?
ChatGPT: What price would you like me to purchase ETH at?
User: The best current market rate
ChatGPT: what is the most you are willing to pay in fees?
User: $0.01
ChatGPT: I will send your trade to Zk-Shib chain for execution and then move funds back to your Ethereum account via IBC
User: What?
ChatGPT: I will fulfill your request and ETH will be in your account ~ 2 seconds after you confirm.
User: Great!
ChatGPT: Do you confirm?
User: Yes
ChatGPT: Your account now has 1000 ETH on Ethereum. For integrity review, here is a link to the block explorer. Here is a ZKP you check to ensure I have executed your tx as specified and fulfilled your order at the best available price. Here is a snapshot of your wallet
address:
0xmyWallet69
account owner: apriori0x
Token Balances: 1000 ETH. 2200 DAI, 500,0000,000 SHIB.
NFT Balances: 1 coolCat, 300 Bad Kids
ChatGPT: If there are any other intentions you have please let me know. I can also provide real time price data as well as simulate your intents.
User: Thank you!
In our toy example the user is a new user who has some intention but is unclear how to express it. With a simple interactive conversation the User is able to gain confidence and express their preferences.
Some other abstractions that may help include Centralized exchange plug-in to help users reach the Security domain of choice.Also, fiat on-ramps which abstract away dealing with the users bank directly, simply having the user provide banking credentials and a proof of identity. An easier path to implementation maybe through something like Apple Pay or Cash App.
It is clear that given the ease of use, this type of front-end user interface will likely win the market and onboard new users faster than anything we’ve seen to date in crypto.
[1]: Kang, Hoshimoto, Stoica, Sun, ZK-IMG: Attested Images via Zero-Knowledge Proofs to Fight Disinformation, [pg 2, section 2].
-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
Subscribe