Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

FairProof : Confidential and Certifiable Fairness for Neural Networks

Chhavi Yadav, Amrita Roy Chowdhury, Dan Boneh, Kamalika Chaudhuri

TL;DR

FairProof tackles publicly verifiable fairness for confidential neural networks by coupling a local individual fairness certification for fully-connected ReLU networks with a cryptographic protocol that commits to the model and proves certificate correctness via succinct zero-knowledge proofs. It reduces the certification problem to robust verification using GeoCert, and introduces a ZKP-friendly lower bound $\epsilon_{LB}$ to enable efficient online verification while maintaining model confidentiality and uniformity. The approach is implemented in Gnark and validated on standard datasets, showing feasible certificate generation times and small proof sizes, enabling practical deployment under confidentiality constraints. Overall, FairProof demonstrates a viable path toward transparent, privacy-preserving fairness verification in high-stakes ML deployments.

Abstract

Machine learning models are increasingly used in societal applications, yet legal and privacy concerns demand that they very often be kept confidential. Consequently, there is a growing distrust about the fairness properties of these models in the minds of consumers, who are often at the receiving end of model predictions. To this end, we propose \name -- a system that uses Zero-Knowledge Proofs (a cryptographic primitive) to publicly verify the fairness of a model, while maintaining confidentiality. We also propose a fairness certification algorithm for fully-connected neural networks which is befitting to ZKPs and is used in this system. We implement \name in Gnark and demonstrate empirically that our system is practically feasible. Code is available at https://github.com/infinite-pursuits/FairProof.

FairProof : Confidential and Certifiable Fairness for Neural Networks

TL;DR

FairProof tackles publicly verifiable fairness for confidential neural networks by coupling a local individual fairness certification for fully-connected ReLU networks with a cryptographic protocol that commits to the model and proves certificate correctness via succinct zero-knowledge proofs. It reduces the certification problem to robust verification using GeoCert, and introduces a ZKP-friendly lower bound to enable efficient online verification while maintaining model confidentiality and uniformity. The approach is implemented in Gnark and validated on standard datasets, showing feasible certificate generation times and small proof sizes, enabling practical deployment under confidentiality constraints. Overall, FairProof demonstrates a viable path toward transparent, privacy-preserving fairness verification in high-stakes ML deployments.

Abstract

Machine learning models are increasingly used in societal applications, yet legal and privacy concerns demand that they very often be kept confidential. Consequently, there is a growing distrust about the fairness properties of these models in the minds of consumers, who are often at the receiving end of model predictions. To this end, we propose \name -- a system that uses Zero-Knowledge Proofs (a cryptographic primitive) to publicly verify the fairness of a model, while maintaining confidentiality. We also propose a fairness certification algorithm for fully-connected neural networks which is befitting to ZKPs and is used in this system. We implement \name in Gnark and demonstrate empirically that our system is practically feasible. Code is available at https://github.com/infinite-pursuits/FairProof.
Paper Structure (17 sections, 11 theorems, 11 equations, 24 figures, 1 table, 8 algorithms)

This paper contains 17 sections, 11 theorems, 11 equations, 24 figures, 1 table, 8 algorithms.

Table of Contents

  1. Introduction
  2. Preliminaries & Setting
  3. How to Certify Individual Fairness?
  4. FairProof: Verification of the Individual Fairness Certificate
  5. Evaluation
  6. Model Fairness
  7. Performance of FairProof
  8. Related Work
  9. Conclusion
  10. Acknowledgements
  11. Background Cntd.
  12. Polytopes
  13. Individual Fairness Certification Cntd.
  14. Correctness of FairProof
  15. Security Proof
  16. ...and 2 more sections

Key Result

Theorem 3.1

Given a data point $x^*$ and a neural network $f$, Alg. alg:IF provides a lower bound $\epsilon_{LB}$ of the correct individual fairness parameter of $x^*$.

Figures (24)

  • Figure 1: Pictorial Representation of FairProof
  • Figure 2: A neural network with ReLU activations partitions the input space into polytopes.
  • Figure 3: Connection between robustness & fairness for $n=2$ and one sensitive feature $S$ with values $\{a,b,c\}$. Final fairness certificate is the minimum of $\{\epsilon_a, \epsilon_b, \epsilon_c\}$. Red color denotes decision boundary.
  • Figure 4: GeoCert's behavior on point $x^*$. Colored facets are in the priority queue; red and solid black lines denote boundary and non-boundary facets respectively. Algorithm stops when the minimum distance facet is a boundary facet (rightmost).
  • Figure 5: Projection of $x^*$ onto the hyperplane $H$ containing facet $\mathcal{F}$ gives a lower bound on the $\ell_2$ distance between $x^*$ and $\mathcal{F}$, i.e., $d_{proj}(x^*,\mathcal{F})\leq d_{\ell_2}(x^*,\mathcal{F})$.
  • ...and 19 more figures

Theorems & Definitions (15)

  • Definition 1: Local Individual Fairness
  • Theorem 3.1
  • Theorem 4.1
  • Lemma A.1
  • Theorem C.1: Correctness of GeoCert Geocert
  • Theorem C.3
  • proof
  • Theorem C.4: Correctness of FairProof
  • proof
  • Lemma D.1: Soundness of VerifyPolytope
  • ...and 5 more