To Trust or Not to Trust: zkML as an Answer to Big Tech’s Influence on AI

Victoria Zammit and Sam Lehman
June 9, 2024
Research
To Trust or Not to Trust: zkML as an Answer to Big Tech’s Influence on AI

The past few years have brought rapid advancements in artificial intelligence (AI) and machine learning (ML) technologies, ushering in a new era of innovation and disruption. From natural language processing (NLP) and computer vision to decision-making and personalization, AI is transforming industries and revolutionizing the way we interact with technology, consume information, and innovate across industries. However, as these systems become more advanced and ubiquitous, concerns over transparency, privacy, and the potential for misuse have grown increasingly prominent. 

Modern AI has largely been enabled via large language models (LLMs) – neural network-based language models trained on vast quantities of data to mimic human behavior by performing various downstream tasks like answering questions, translating information, and summarizing large texts. Concerningly, nearly all leading LLMs are controlled by Big Tech companies. For example, Microsoft purchased a controlling stake in OpenAI (the creator of ChatGPT),1 Google has their in-house platform Gemini, and Amazon has taken a large stake in Anthropic, the creator of Claude.2 While most of these companies espouse goals of being “open source,” their products are largely permissioned, creating trust issues.3 How can we trust that their models are behaving as they should on trained data? How can users verify the transparency and integrity of these models? This lack of transparency, coupled with the ability to cheaply and easily create fake information, is dangerous to users. 

The Problem:

LLMs operate as black boxes which makes it difficult to understand how they arrive at their outputs or to verify the integrity of their decision-making processes. These models are essentially opaque systems – the intricate workings of their complex neural networks and the vast amounts of training data they are exposed to make it challenging to fully comprehend the rationale and decision processes that drive their outputs. The inherent lack of transparency and interpretability in this black box model obscures the underlying patterns and logic behind LLMs’ behaviors, hindering our ability to ensure their reliability, privacy, and accountability. 

A key privacy issue with LLMs is the risk of malicious attacks that can leak private information from the training data or model parameters. “Membership inference attacks,” or “model inversion attacks,” attempt to determine if specific data points were used to train a model based on its outputs. An attacker can carefully craft prompts to trick the model into unintentionally revealing pieces of its training data, which break the privacy of the user inputted data. These vulnerabilities highlight the need for privacy-preserving techniques in AI.

Figure 1: How malicious prompting can cause models to leak sensitive data

We’ve already seen numerous examples in which deceptive behavior can go undetected by LLMs and their existing security measures. One example is of backdoor attacks in NLP models, where advanced algorithms can inject hidden triggers or behaviors that can be activated under specific conditions. These backdoors remain dormant and hidden from detection. Once a specific condition is met that triggers an attack, the backdoors will then activate malicious or unintended actions such as manipulating the model's behavior in ways that can produce false outputs or revealing private data as mentioned before. This phenomenon poses a significant threat to the trustworthiness and reliability of AI systems. Malicious actors’ ability to exploit backdoors erodes trust in AI technologies and raises concerns about their reliability, security, and ethical use, especially when coupled with the centralization of power and control over AI models.

As AI systems continue to pervade critical domains like finance, healthcare, and governance, the importance of trust and accountability cannot be overlooked. Relying solely on the current LLMs and their existing verification methods is no longer sufficient. A solution that’s needed to address the trust problem with LLMs is one that would verify that a model is indexing from trained data and returns a correct output as intended. The world of blockchains and cryptography can provide a solution. 

The Solution:

In the relatively young field of decentralized AI, two major approaches have arisen to address the two major problems seen in the AI sector today: centralization of model inference and difficulty in verifying the correctness of model outputs. 

While not the focus of this paper, decentralized inference attempts to address the first problem by running ML models across multiple nodes in a decentralized network, preventing reliance on a single centralized provider. This can be achieved by distributing the computational workload across multiple nodes in a decentralized network. However, while decentralized inference enhances resilience and scalability, it does not inherently guarantee the integrity or correctness of the model's outputs.

This is where verifiable inference comes to play. Verifiable inference creates a new primitive by providing a means to cryptographically verify that a model's outputs are correct and generated by the intended model. This approach provides both a response to a query and a proof that the computation was executed correctly on the specified model. Verifiable inference is particularly important in decentralized environments where trust cannot be assumed. By leveraging cryptographic techniques, such as zero-knowledge proofs (ZKPs), verifiable inference enables users to verify that a model has processed their data correctly and generated accurate outputs, without needing to trust the individual nodes or the network itself. 

Verifiable inference systems typically generate a cryptographic proof alongside the model's output. This proof can be verified by anyone, without revealing sensitive information about the model or the input data, therefore preserving the privacy of the user who inputted their data. The verification process confirms that the output was indeed generated by the specified model, following the intended computation without any tampering or manipulation. 

We can use a real-world example to understand how verifiable inference operates on ML models. Imagine you need to send a sensitive package using a delivery service, but you are worried about the possibility of someone tampering with your package in transit. To address this, you work with a shipping company that will add a tamper evident seal to the shipping container your package is in. This seal reliably shows if there is any attempt to open the cargo container during transit. 

Your package is like the data being processed by an ML model. When you add the tamper evident seal to the cargo container, the additional security provided symbolizes the extra cryptographic proof that helps determine if the contents inside the cargo remain untouched. The delivery service that transports the package to its destination is like the ML model that processes the data and generates output to the user. Once the package is delivered, the receiver can simply check if the tamper evident seal is still intact. If so, then they know the package has not been altered and is exactly what has been sent, but if the seal is broken, you know that the package could have been tampered with during transit.

Figure 2: Visual representation of a real-world metaphor illustrating how verifiable inference works.

This process eliminates the need to trust the delivery service itself, just as verifiable inference removes the need to trust the individual nodes in a network. Instead, the receiver only needs to verify the integrity of the tamper evident seal, much like how users can simply verify the cryptographic proof provided. The seal acts as a cryptographic proof, ensuring the package’s authenticity and preventing any undetected tampering, similar to how verifiable inference ensures that the ML model’s outputs are transparent and correct. 

Verifiable inference can ultimately create a higher level of trust, accountability, and transparency for ML models. This can create a more widespread adoption and responsible deployment of AI technologies. There are three different approaches to verifiable inference: zkML, optimistic fraud proofs, and cryptoeconomics ML. This article will focus solely on zkML, although each method has its own tradeoffs in terms of security, latency, and cost. 

zkML: An Approach for Verifiable Inference:

zkML is an emerging technology that combines the power of ML with the security and privacy guarantees of ZKPs. ZKPs are a cryptographic method that allow one party (the prover) to prove to another party (the verifier) that a given statement is true without revealing any additional information beyond the fact that the statement is true.

In the context of machine learning, zkML operates by training models on data spread across various nodes in a decentralized network. These nodes generate ZKPs about their data, allowing them to confirm the validity of the data without revealing sensitive information. This innovative approach addresses the trust and privacy concerns associated with traditional machine learning models, paving the way for a more secure, transparent, and accountable AI ecosystem.

zkML requires several steps to develop. First, the input data and model parameters (mathematical formulas on which the ML model is trained) are made private. Then, a cryptographic hash function is published, allowing for verification of the data's authenticity. The ML model is then converted into zero-knowledge circuits that can be efficiently proven. This process is called arithmetization and is ultimately verifying the model itself. Using zk-SNARKS (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), a proof is generated that the ML model is functioning as intended, without revealing the underlying model or data used for training. Finally, the model's output and the associated ZKP are verified by the end-users or verifiers, providing assurance that the computation was performed correctly and the result is trustworthy.

Figure 3: The steps for developing zkML

zkSNARKs allow achieving computational integrity - a prover can generate a zkSNARK that proves an output was correctly computed by a LLM on certain inputs, without revealing the inputs themselves. zkSNARKs provide two key properties. First, they offer succinct verification time regardless of the computation's complexity. Second, they enable selective privacy where the prover decides what parts of the computation remain private versus public. These features can help solve privacy issues with ML models outlined before. For example, zkSNARKs enable users to verify the correctness of transactions without revealing underlying data, making them the key to balancing the conflicting goals of transparency and privacy in decentralized networks. This opens up a wealth of possibilities, like confidential transactions of cryptocurrencies or verifiable computation in decentralized applications can be possible. This zkML process of generating zkSNARK proofs for ML inference enables verifying model outputs while preserving data confidentiality, allowing compliance with privacy regulations.

Challenges with zkML

While zkML is a promising technology with immense potential, it is still in its nascent stages. Researchers and companies like EZKL, Modulus Labs, Giza, are actively working to overcome the challenges associated with zkML, such as performance overhead, the lack of real-world adoption, and the complexity of designing such systems.

One of the most significant challenges facing zkML is the computational complexity of the arithmetization process. Arithmetization, which involves converting an ML model into zero-knowledge circuits, is computationally intensive and can result in prohibitively large circuits for more complex models. We can analyze metrics for the following zero-knowledge proof schemes: zkCNN, Plonky2, and Halo2. For starters, proving a model using zkCNN’s approach4, a ZKP scheme for convolutional neural networks, can incur a computational cost up to 1000 times higher than the actual inference time. This immense overhead is partly due to the complex nature of ZKPs, which require meticulous verification of each step in the computation. Additionally, generating zkSNARKs proofs can be extremely resource-intensive. Benchmarks have shown that proof generation for large models can take several hours and consumes vast amounts of memory. Specifically, Plonky25, while being one of the fastest in terms of proving time, also exhibits high memory usage, often doubling the peak RAM consumption compared to other systems like Halo2. The complex architecture of zkML creates the need for specialized hardware and computing resources to handle larger scale computations. This makes zkML currently impractical for real-time applications where low latency and efficient resource usage are critical. 

Another challenge is the lack of apparent use cases that hinder widespread adoption of zkML in real-world applications. This is primarily due to the performance overhead and the complexity involved in implementing the intricate mathematical and cryptographic techniques in zkML systems. While protocols such as Worldcoin’s iris verification model and AI Arena’s gameplay verification have demonstrated the feasibility of zkML in very specific use cases, these applications are still in the experimental phase. The high costs and time associated with proof generation may limit the scalability and practical ability of zkML in more dynamic scenarios that capture widespread adoption. 

Last, while zkML provides strong privacy guarantees by not revealing the model or input data, it can also limit the flexibility and adaptability of ML models. Any changes to the model architecture or training data necessitate regenerating the ZKPs, which is both time consuming and resource intensive. This rigidity makes it difficult to update or improve models dynamically, which may be a crucial requirement for some real-world applications. From a cost standpoint, generating ZKPs for complex models show a rise from $0.072 per match to $5.40 per match when incorporating zkSNARKs for verifiable inference. This cost is a substantial barrier for broader adoption, especially for applications requiring frequent and rapid model inferences. 

Despite its immense potential, zkML still faces significant hurdles hindering widespread adoption. The computationally intensive arithmetization and proof generation result in substantial overhead, making zkML currently impractical for real-time, low-latency applications. Certain ZKP schemes like zkCNN, Plonky2, and Halo2 demonstrate some feasibility but also issues like slower inference and high memory usage. The apparent lack of compelling use cases, rigidity of having to regenerate proofs for model changes, and high costs present additional barriers to scalability. Overcoming the computational complexity while improving flexibility and reducing costs is crucial for unlocking zkML's full potential.

Ending Synthesis:

As AI continues to dominate, the need for trust, transparency, and verifiability in these powerful systems becomes paramount. Verifiable inference, specifically via zkML, has emerged as a promising solution to address the challenges over privacy and integrity of LLMs. However, the path to widespread adoption of zkML is not without obstacles. The immense computational complexity and overhead associated with arithmetization and proof generation currently deem zkML impractical for real-time applications that demand low latency and efficient resource usage. Additionally, the lack of apparent use cases and inherent complexity involved in implementing zkML systems have hindered its widespread adoption. 

Despite these challenges, the potential benefits of verifiable inference are too significant to ignore. By providing strong privacy guarantees and enabling the verification of model integrity, zkML can pave the way for more responsible and trustworthy AI use. With further development and perhaps more collaborative efforts between researchers, pioneers, and industry leaders to improve the efficiency of zkML, the future of verifiable, decentralized AI can be realized. We’ve already seen the great advancements with Polygon’s work on Plonky3. Plonky3 aims to provide a faster proving system for zkSTARK (Zero-Knowledge Succinct Transparent Argument of Knowledge) proofs. zkSTARKs are a proof scheme for more complex computations and require longer proving times and larger proof sizes. However, we mentioned before that more complex computations are needed for real-world applications and use cases. Plonky3 contains optimizations for newer CPU specifications that hope to improve the proving overhead required. Through their improved architecture, Plonky3 is directly addressing both challenges – tackling both computational capacities and costs as well as opening avenues for more robust use cases. This strategic collaboration illuminates how protocols are continuing to push the frontier on zkML.

Ultimately, the future of verifiable inference and trustless AI hinges on a collective commitment to continuous innovation and collaboration for pursuing a world in which we have strong, scalable use cases for verified ML models. While the challenges surrounding computational complexity and adoption hurdles are significant, the potential benefits of these technologies are compelling. As we look ahead, we can envision a future where the development of specialized provers for distinct steps of the zkML pipeline, such as data preprocessing, model training, and inference, enables a more optimized approach to privacy and efficiency in LLMs. While navigating this era of transformative AI capabilities, the industry must remain steadfast in its unwavering pursuit of responsible development to unlock the vast potential of these technologies while preserving privacy and integrity essential to their deployment. Only through such continuous innovation can we envision a future with strong, scalable use cases for verified ML models. ✦

https://www.bloomberg.com/news/articles/2023-01-23/microsoft-makes-multibillion-dollar-investment-in-openai 

https://www.aboutamazon.com/news/company-news/amazon-anthropic-ai-investment 

Meta stands as the lone giant among Big Tech committed to an open source framework with LLaMA.

4 This ZKP scheme allows the owner of the CNN model to prove to others that the prediction of a data sample is indeed calculated by the model, without leaking any information about the model itself.

Plonky3 is an ongoing effort which aims to further improve on the speed and efficiency of recursive zero-knowledge proofs. Its new cryptographic library contains optimizations for newer CPU specifications.

Legal Disclosure: This document, and the information contained herein, has been provided to you by Hyperedge Technology LP and its affiliates (“Symbolic Capital”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Symbolic Capital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the digital assets or companies mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Symbolic Capital’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Symbolic Capital’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Symbolic Capital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Symbolic Capital and, Symbolic Capital, does not assume responsibility for the accuracy of such information. Affiliates of Symbolic Capital may have owned or may own investments in some of the digital assets and protocols discussed in this document. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider’s website that is not associated with Symbolic Capital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. The foregoing does not constitute a “research report” as defined by FINRA Rule 2241 or a “debt research report” as defined by FINRA Rule 2242 and was not prepared by Symbolic Capital Partners LLC. For all inquiries, please email info@symbolic.capital. © Copyright Hyperedge Capital LP 2024. All rights reserved.

The past few years have brought rapid advancements in artificial intelligence (AI) and machine learning (ML) technologies, ushering in a new era of innovation and disruption. From natural language processing (NLP) and computer vision to decision-making and personalization, AI is transforming industries and revolutionizing the way we interact with technology, consume information, and innovate across industries. However, as these systems become more advanced and ubiquitous, concerns over transparency, privacy, and the potential for misuse have grown increasingly prominent. 

Modern AI has largely been enabled via large language models (LLMs) – neural network-based language models trained on vast quantities of data to mimic human behavior by performing various downstream tasks like answering questions, translating information, and summarizing large texts. Concerningly, nearly all leading LLMs are controlled by Big Tech companies. For example, Microsoft purchased a controlling stake in OpenAI (the creator of ChatGPT),1 Google has their in-house platform Gemini, and Amazon has taken a large stake in Anthropic, the creator of Claude.2 While most of these companies espouse goals of being “open source,” their products are largely permissioned, creating trust issues.3 How can we trust that their models are behaving as they should on trained data? How can users verify the transparency and integrity of these models? This lack of transparency, coupled with the ability to cheaply and easily create fake information, is dangerous to users. 

The Problem:

LLMs operate as black boxes which makes it difficult to understand how they arrive at their outputs or to verify the integrity of their decision-making processes. These models are essentially opaque systems – the intricate workings of their complex neural networks and the vast amounts of training data they are exposed to make it challenging to fully comprehend the rationale and decision processes that drive their outputs. The inherent lack of transparency and interpretability in this black box model obscures the underlying patterns and logic behind LLMs’ behaviors, hindering our ability to ensure their reliability, privacy, and accountability. 

A key privacy issue with LLMs is the risk of malicious attacks that can leak private information from the training data or model parameters. “Membership inference attacks,” or “model inversion attacks,” attempt to determine if specific data points were used to train a model based on its outputs. An attacker can carefully craft prompts to trick the model into unintentionally revealing pieces of its training data, which break the privacy of the user inputted data. These vulnerabilities highlight the need for privacy-preserving techniques in AI.

Figure 1: How malicious prompting can cause models to leak sensitive data

We’ve already seen numerous examples in which deceptive behavior can go undetected by LLMs and their existing security measures. One example is of backdoor attacks in NLP models, where advanced algorithms can inject hidden triggers or behaviors that can be activated under specific conditions. These backdoors remain dormant and hidden from detection. Once a specific condition is met that triggers an attack, the backdoors will then activate malicious or unintended actions such as manipulating the model's behavior in ways that can produce false outputs or revealing private data as mentioned before. This phenomenon poses a significant threat to the trustworthiness and reliability of AI systems. Malicious actors’ ability to exploit backdoors erodes trust in AI technologies and raises concerns about their reliability, security, and ethical use, especially when coupled with the centralization of power and control over AI models.

As AI systems continue to pervade critical domains like finance, healthcare, and governance, the importance of trust and accountability cannot be overlooked. Relying solely on the current LLMs and their existing verification methods is no longer sufficient. A solution that’s needed to address the trust problem with LLMs is one that would verify that a model is indexing from trained data and returns a correct output as intended. The world of blockchains and cryptography can provide a solution. 

The Solution:

In the relatively young field of decentralized AI, two major approaches have arisen to address the two major problems seen in the AI sector today: centralization of model inference and difficulty in verifying the correctness of model outputs. 

While not the focus of this paper, decentralized inference attempts to address the first problem by running ML models across multiple nodes in a decentralized network, preventing reliance on a single centralized provider. This can be achieved by distributing the computational workload across multiple nodes in a decentralized network. However, while decentralized inference enhances resilience and scalability, it does not inherently guarantee the integrity or correctness of the model's outputs.

This is where verifiable inference comes to play. Verifiable inference creates a new primitive by providing a means to cryptographically verify that a model's outputs are correct and generated by the intended model. This approach provides both a response to a query and a proof that the computation was executed correctly on the specified model. Verifiable inference is particularly important in decentralized environments where trust cannot be assumed. By leveraging cryptographic techniques, such as zero-knowledge proofs (ZKPs), verifiable inference enables users to verify that a model has processed their data correctly and generated accurate outputs, without needing to trust the individual nodes or the network itself. 

Verifiable inference systems typically generate a cryptographic proof alongside the model's output. This proof can be verified by anyone, without revealing sensitive information about the model or the input data, therefore preserving the privacy of the user who inputted their data. The verification process confirms that the output was indeed generated by the specified model, following the intended computation without any tampering or manipulation. 

We can use a real-world example to understand how verifiable inference operates on ML models. Imagine you need to send a sensitive package using a delivery service, but you are worried about the possibility of someone tampering with your package in transit. To address this, you work with a shipping company that will add a tamper evident seal to the shipping container your package is in. This seal reliably shows if there is any attempt to open the cargo container during transit. 

Your package is like the data being processed by an ML model. When you add the tamper evident seal to the cargo container, the additional security provided symbolizes the extra cryptographic proof that helps determine if the contents inside the cargo remain untouched. The delivery service that transports the package to its destination is like the ML model that processes the data and generates output to the user. Once the package is delivered, the receiver can simply check if the tamper evident seal is still intact. If so, then they know the package has not been altered and is exactly what has been sent, but if the seal is broken, you know that the package could have been tampered with during transit.

Figure 2: Visual representation of a real-world metaphor illustrating how verifiable inference works.

This process eliminates the need to trust the delivery service itself, just as verifiable inference removes the need to trust the individual nodes in a network. Instead, the receiver only needs to verify the integrity of the tamper evident seal, much like how users can simply verify the cryptographic proof provided. The seal acts as a cryptographic proof, ensuring the package’s authenticity and preventing any undetected tampering, similar to how verifiable inference ensures that the ML model’s outputs are transparent and correct. 

Verifiable inference can ultimately create a higher level of trust, accountability, and transparency for ML models. This can create a more widespread adoption and responsible deployment of AI technologies. There are three different approaches to verifiable inference: zkML, optimistic fraud proofs, and cryptoeconomics ML. This article will focus solely on zkML, although each method has its own tradeoffs in terms of security, latency, and cost. 

zkML: An Approach for Verifiable Inference:

zkML is an emerging technology that combines the power of ML with the security and privacy guarantees of ZKPs. ZKPs are a cryptographic method that allow one party (the prover) to prove to another party (the verifier) that a given statement is true without revealing any additional information beyond the fact that the statement is true.

In the context of machine learning, zkML operates by training models on data spread across various nodes in a decentralized network. These nodes generate ZKPs about their data, allowing them to confirm the validity of the data without revealing sensitive information. This innovative approach addresses the trust and privacy concerns associated with traditional machine learning models, paving the way for a more secure, transparent, and accountable AI ecosystem.

zkML requires several steps to develop. First, the input data and model parameters (mathematical formulas on which the ML model is trained) are made private. Then, a cryptographic hash function is published, allowing for verification of the data's authenticity. The ML model is then converted into zero-knowledge circuits that can be efficiently proven. This process is called arithmetization and is ultimately verifying the model itself. Using zk-SNARKS (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), a proof is generated that the ML model is functioning as intended, without revealing the underlying model or data used for training. Finally, the model's output and the associated ZKP are verified by the end-users or verifiers, providing assurance that the computation was performed correctly and the result is trustworthy.

Figure 3: The steps for developing zkML

zkSNARKs allow achieving computational integrity - a prover can generate a zkSNARK that proves an output was correctly computed by a LLM on certain inputs, without revealing the inputs themselves. zkSNARKs provide two key properties. First, they offer succinct verification time regardless of the computation's complexity. Second, they enable selective privacy where the prover decides what parts of the computation remain private versus public. These features can help solve privacy issues with ML models outlined before. For example, zkSNARKs enable users to verify the correctness of transactions without revealing underlying data, making them the key to balancing the conflicting goals of transparency and privacy in decentralized networks. This opens up a wealth of possibilities, like confidential transactions of cryptocurrencies or verifiable computation in decentralized applications can be possible. This zkML process of generating zkSNARK proofs for ML inference enables verifying model outputs while preserving data confidentiality, allowing compliance with privacy regulations.

Challenges with zkML

While zkML is a promising technology with immense potential, it is still in its nascent stages. Researchers and companies like EZKL, Modulus Labs, Giza, are actively working to overcome the challenges associated with zkML, such as performance overhead, the lack of real-world adoption, and the complexity of designing such systems.

One of the most significant challenges facing zkML is the computational complexity of the arithmetization process. Arithmetization, which involves converting an ML model into zero-knowledge circuits, is computationally intensive and can result in prohibitively large circuits for more complex models. We can analyze metrics for the following zero-knowledge proof schemes: zkCNN, Plonky2, and Halo2. For starters, proving a model using zkCNN’s approach4, a ZKP scheme for convolutional neural networks, can incur a computational cost up to 1000 times higher than the actual inference time. This immense overhead is partly due to the complex nature of ZKPs, which require meticulous verification of each step in the computation. Additionally, generating zkSNARKs proofs can be extremely resource-intensive. Benchmarks have shown that proof generation for large models can take several hours and consumes vast amounts of memory. Specifically, Plonky25, while being one of the fastest in terms of proving time, also exhibits high memory usage, often doubling the peak RAM consumption compared to other systems like Halo2. The complex architecture of zkML creates the need for specialized hardware and computing resources to handle larger scale computations. This makes zkML currently impractical for real-time applications where low latency and efficient resource usage are critical. 

Another challenge is the lack of apparent use cases that hinder widespread adoption of zkML in real-world applications. This is primarily due to the performance overhead and the complexity involved in implementing the intricate mathematical and cryptographic techniques in zkML systems. While protocols such as Worldcoin’s iris verification model and AI Arena’s gameplay verification have demonstrated the feasibility of zkML in very specific use cases, these applications are still in the experimental phase. The high costs and time associated with proof generation may limit the scalability and practical ability of zkML in more dynamic scenarios that capture widespread adoption. 

Last, while zkML provides strong privacy guarantees by not revealing the model or input data, it can also limit the flexibility and adaptability of ML models. Any changes to the model architecture or training data necessitate regenerating the ZKPs, which is both time consuming and resource intensive. This rigidity makes it difficult to update or improve models dynamically, which may be a crucial requirement for some real-world applications. From a cost standpoint, generating ZKPs for complex models show a rise from $0.072 per match to $5.40 per match when incorporating zkSNARKs for verifiable inference. This cost is a substantial barrier for broader adoption, especially for applications requiring frequent and rapid model inferences. 

Despite its immense potential, zkML still faces significant hurdles hindering widespread adoption. The computationally intensive arithmetization and proof generation result in substantial overhead, making zkML currently impractical for real-time, low-latency applications. Certain ZKP schemes like zkCNN, Plonky2, and Halo2 demonstrate some feasibility but also issues like slower inference and high memory usage. The apparent lack of compelling use cases, rigidity of having to regenerate proofs for model changes, and high costs present additional barriers to scalability. Overcoming the computational complexity while improving flexibility and reducing costs is crucial for unlocking zkML's full potential.

Ending Synthesis:

As AI continues to dominate, the need for trust, transparency, and verifiability in these powerful systems becomes paramount. Verifiable inference, specifically via zkML, has emerged as a promising solution to address the challenges over privacy and integrity of LLMs. However, the path to widespread adoption of zkML is not without obstacles. The immense computational complexity and overhead associated with arithmetization and proof generation currently deem zkML impractical for real-time applications that demand low latency and efficient resource usage. Additionally, the lack of apparent use cases and inherent complexity involved in implementing zkML systems have hindered its widespread adoption. 

Despite these challenges, the potential benefits of verifiable inference are too significant to ignore. By providing strong privacy guarantees and enabling the verification of model integrity, zkML can pave the way for more responsible and trustworthy AI use. With further development and perhaps more collaborative efforts between researchers, pioneers, and industry leaders to improve the efficiency of zkML, the future of verifiable, decentralized AI can be realized. We’ve already seen the great advancements with Polygon’s work on Plonky3. Plonky3 aims to provide a faster proving system for zkSTARK (Zero-Knowledge Succinct Transparent Argument of Knowledge) proofs. zkSTARKs are a proof scheme for more complex computations and require longer proving times and larger proof sizes. However, we mentioned before that more complex computations are needed for real-world applications and use cases. Plonky3 contains optimizations for newer CPU specifications that hope to improve the proving overhead required. Through their improved architecture, Plonky3 is directly addressing both challenges – tackling both computational capacities and costs as well as opening avenues for more robust use cases. This strategic collaboration illuminates how protocols are continuing to push the frontier on zkML.

Ultimately, the future of verifiable inference and trustless AI hinges on a collective commitment to continuous innovation and collaboration for pursuing a world in which we have strong, scalable use cases for verified ML models. While the challenges surrounding computational complexity and adoption hurdles are significant, the potential benefits of these technologies are compelling. As we look ahead, we can envision a future where the development of specialized provers for distinct steps of the zkML pipeline, such as data preprocessing, model training, and inference, enables a more optimized approach to privacy and efficiency in LLMs. While navigating this era of transformative AI capabilities, the industry must remain steadfast in its unwavering pursuit of responsible development to unlock the vast potential of these technologies while preserving privacy and integrity essential to their deployment. Only through such continuous innovation can we envision a future with strong, scalable use cases for verified ML models. ✦

https://www.bloomberg.com/news/articles/2023-01-23/microsoft-makes-multibillion-dollar-investment-in-openai 

https://www.aboutamazon.com/news/company-news/amazon-anthropic-ai-investment 

Meta stands as the lone giant among Big Tech committed to an open source framework with LLaMA.

4 This ZKP scheme allows the owner of the CNN model to prove to others that the prediction of a data sample is indeed calculated by the model, without leaking any information about the model itself.

Plonky3 is an ongoing effort which aims to further improve on the speed and efficiency of recursive zero-knowledge proofs. Its new cryptographic library contains optimizations for newer CPU specifications.

Legal Disclosure: This document, and the information contained herein, has been provided to you by Hyperedge Technology LP and its affiliates (“Symbolic Capital”) solely for informational purposes. This document may not be reproduced or redistributed in whole or in part, in any format, without the express written approval of Symbolic Capital. Neither the information, nor any opinion contained in this document, constitutes an offer to buy or sell, or a solicitation of an offer to buy or sell, any advisory services, securities, futures, options or other financial instruments or to participate in any advisory services or trading strategy. Nothing contained in this document constitutes investment, legal or tax advice or is an endorsement of any of the digital assets or companies mentioned herein. You should make your own investigations and evaluations of the information herein. Any decisions based on information contained in this document are the sole responsibility of the reader. Certain statements in this document reflect Symbolic Capital’s views, estimates, opinions or predictions (which may be based on proprietary models and assumptions, including, in particular, Symbolic Capital’s views on the current and future market for certain digital assets), and there is no guarantee that these views, estimates, opinions or predictions are currently accurate or that they will be ultimately realized. To the extent these assumptions or models are not correct or circumstances change, the actual performance may vary substantially from, and be less than, the estimates included herein. None of Symbolic Capital nor any of its affiliates, shareholders, partners, members, directors, officers, management, employees or representatives makes any representation or warranty, express or implied, as to the accuracy or completeness of any of the information or any other information (whether communicated in written or oral form) transmitted or made available to you. Each of the aforementioned parties expressly disclaims any and all liability relating to or resulting from the use of this information. Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Symbolic Capital and, Symbolic Capital, does not assume responsibility for the accuracy of such information. Affiliates of Symbolic Capital may have owned or may own investments in some of the digital assets and protocols discussed in this document. Except where otherwise indicated, the information in this document is based on matters as they exist as of the date of preparation and not as of any future date, and will not be updated or otherwise revised to reflect information that subsequently becomes available, or circumstances existing or changes occurring after the date hereof. This document provides links to other websites that we think might be of interest to you. Please note that when you click on one of these links, you may be moving to a provider’s website that is not associated with Symbolic Capital. These linked sites and their providers are not controlled by us, and we are not responsible for the contents or the proper operation of any linked site. The inclusion of any link does not imply our endorsement or our adoption of the statements therein. We encourage you to read the terms of use and privacy statements of these linked sites as their policies may differ from ours. The foregoing does not constitute a “research report” as defined by FINRA Rule 2241 or a “debt research report” as defined by FINRA Rule 2242 and was not prepared by Symbolic Capital Partners LLC. For all inquiries, please email info@symbolic.capital. © Copyright Hyperedge Capital LP 2024. All rights reserved.