The paper presents a protocol called ZKAUDIT that enables trustless audits of machine learning models without revealing the underlying data or model weights. The key idea is that the model provider publishes cryptographic commitments of the dataset and model weights, alongside a zero-knowledge proof certifying that the published commitments are derived from training the model. The model provider can then respond to audit requests by privately computing any function of the dataset or model and releasing the output alongside another zero-knowledge proof certifying the correct execution of the function.
To enable ZKAUDIT, the authors develop new methods of computing zero-knowledge proofs for stochastic gradient descent on modern neural networks, including techniques for high-performance softmax computation and fixed-point arithmetic. They show that ZKAUDIT can provide trustless audits of deep neural networks, including copyright, censorship, and counterfactual audits, with little to no loss in accuracy. The cost of auditing a recommender system and image classification system can be as low as $10 and $108, respectively, demonstrating the practicality of their approach.
The paper first provides background on zero-knowledge proofs and how they can be used to represent computations. It then describes the ZKAUDIT protocol in detail, including the two main steps: ZKAUDIT-T for proving the training process, and ZKAUDIT-I for executing arbitrary audit functions. The authors analyze the security of ZKAUDIT and discuss its limitations.
The bulk of the paper focuses on the technical challenges of computing zero-knowledge proofs for gradient descent, including the need for rounded division and variable-precision fixed-point arithmetic. The authors present extensive evaluations of the performance and accuracy of their techniques, comparing them to prior work and demonstrating the feasibility of their approach on real-world datasets.
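Why rounded division matters for fixed-point gradient descent, as an added sketch that is not code from the paper: it assumes round-half-up division encoded by the identity 2a + b = 2bq + r with 0 <= r < 2b (a common arithmetic-circuit encoding, not necessarily the paper's exact construction), a constructed 12-bit scale factor, and hypothetical function names.

```python
# Added illustration; not code from the ZKAUDIT paper.
SCALE = 1 << 12  # assumed fixed-point scale factor (constructed value)

def to_fixed(x):
    """Encode a real number as a scaled integer."""
    return round(x * SCALE)

def rounded_div_witness(a, b):
    """Prover side: q = round(a / b), half up, plus the remainder witness r."""
    if b <= 0:
        raise ValueError("divisor must be positive")
    return divmod(2 * a + b, 2 * b)

def check_rounded_div(a, b, q, r):
    """Verifier-side constraint: one equality plus a range check on r.
    Without the range check, a prover could pick any q and absorb the
    difference into r."""
    return b > 0 and 2 * a + b == 2 * b * q + r and 0 <= r < 2 * b

def fixed_mul(x, y, rounded):
    """Multiply two fixed-point values and rescale by SCALE."""
    prod = x * y  # carries scale SCALE**2
    if not rounded:
        return prod // SCALE  # floor division: always rounds toward -inf
    q, r = rounded_div_witness(prod, SCALE)
    assert check_rounded_div(prod, SCALE, q, r)
    return q

def drift(pairs, rounded):
    """Apply `pairs` pairs of updates lr*g and lr*(-g), which cancel exactly
    in real arithmetic, and return the accumulated weight in fixed-point
    units. Any non-zero result is rounding bias."""
    lr, g = to_fixed(0.01), to_fixed(0.3)  # constructed sample values
    w = 0
    for _ in range(pairs):
        w += fixed_mul(lr, g, rounded)
        w += fixed_mul(lr, -g, rounded)
    return w

if __name__ == "__main__":
    print("floor division drift:  ", drift(1000, rounded=False) / SCALE)
    print("rounded division drift:", drift(1000, rounded=True) / SCALE)
```

Floor division loses one unit per cancelling pair, so the bias grows linearly with the number of training steps, while the rounded variant stays at zero on this input.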
Finally, the paper explores several example audits that can be performed using ZKAUDIT, such as censorship detection, counterfactual analysis, copyright verification, and demographic disparity checks. The authors show that these audits can be performed at reasonable cost, highlighting the practical utility of their work.