Certification of neural nets
Watermarks, cryptographic verification and other certificates of authenticity for our computation
November 25, 2024 — November 25, 2024
Certifying NNs to be what they say they are. Various interesting challenges in this domain. I am not sure if this is a well-specified category in itself. Possibly at some point I will separate the cryptographic verification from other certification ideas. Or maybe some other taxonomy? TBD
1 Ownership of models
Keyword: Proof-of-learning, …
(Garg et al. 2023; Goldwasser et al. 2022; Jia et al. 2021)
TBD
2 Proof of training
E.g. Abbaszadeh et al. (2024):
A zero-knowledge proof of training (zkPoT) enables a party to prove that they have correctly trained a committed model based on a committed dataset without revealing any additional information about the model or the dataset. An ideal zkPoT should offer provable security and privacy guarantees, succinct proof size and verifier runtime, and practical prover efficiency. In this work, we present , a zkPoT targeted for deep neural networks (DNNs) that achieves all these goals at once. Our construction enables a prover to iteratively train their model via (mini-batch) gradient descent, where the number of iterations need not be fixed in advance; at the end of each iteration, the prover generates a commitment to the trained model parameters attached with a succinct zkPoT, attesting to the correctness of the executed iterations. The proof size and verifier time are independent of the number of iterations.
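The commit-per-iteration structure in the abstract quoted above, as an added sketch that is not code from Abbaszadeh et al. or from this page: salted hashes stand in for the commitments, and an auditor who is given the openings re-executes one gradient step, so unlike a zkPoT it is neither zero-knowledge nor succinct. All function names, the toy linear model and the data are assumptions made for illustration.

```python
import hashlib, json, os

# Constructed sample data: points on y = 2x + 1.
DATA = [[0.0, 1.0], [1.0, 3.0], [2.0, 5.0], [3.0, 7.0]]

def commit(obj, salt):
    """Salted SHA-256 commitment (hiding and binding, but not zero-knowledge)."""
    return hashlib.sha256(salt + json.dumps(obj).encode()).hexdigest()

def batch_for(data, i, size=2):
    """Deterministic mini-batch schedule, so prover and auditor agree on batch i."""
    start = (i * size) % len(data)
    return data[start:start + size]

def sgd_step(w, batch, lr=0.05):
    """One mini-batch gradient step for the model y ~ w[0]*x + w[1]."""
    g0 = g1 = 0.0
    for x, y in batch:
        err = w[0] * x + w[1] - y
        g0 += 2 * err * x / len(batch)
        g1 += 2 * err / len(batch)
    return [w[0] - lr * g0, w[1] - lr * g1]

def train_with_commitments(data, w0, iters):
    """Prover: publish one commitment per iterate, keep the openings private."""
    salt_d = os.urandom(16)
    public = {"data": commit(data, salt_d), "models": []}
    private = {"data": data, "salt_d": salt_d, "models": [], "salts": []}
    w = list(w0)
    for i in range(iters + 1):
        salt = os.urandom(16)
        public["models"].append(commit(w, salt))
        private["models"].append(w)
        private["salts"].append(salt)
        if i < iters:
            w = sgd_step(w, batch_for(data, i))
    return public, private

def audit_step(public, opening, i):
    """Auditor: check the three openings, then re-execute iteration i."""
    data, ws, salts = opening["data"], opening["models"], opening["salts"]
    if commit(data, opening["salt_d"]) != public["data"]:
        return False
    for j in (i, i + 1):
        if commit(ws[j], salts[j]) != public["models"][j]:
            return False
    return sgd_step(ws[i], batch_for(data, i)) == ws[i + 1]

if __name__ == "__main__":
    pub, priv = train_with_commitments(DATA, [0.0, 0.0], 5)
    print(all(audit_step(pub, priv, i) for i in range(5)))
```

The audit cost here grows with the number of steps checked and requires revealing the data and weights, which are exactly the two costs the quoted construction removes.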
3 Proof of robustness
Didn’t know this was a thing, but then I met Mahalakshmi Sabanayagam who graciously explained to me Gosch et al. (2024) and Sabanayagam et al. (2024).