A2-DIDM: Privacy-preserving Accumulator-enabled Auditing for Distributed Identity of DNN Model

Tianxiu Xie, Keke Gai, Jing Yu, Liehuang Zhu, Kim-Kwang Raymond Choo

TL;DR

The paper addresses the challenge of protecting intellectual property during DNN model trading by enabling privacy-preserving, auditable distributed identity for DNNs (DIDM). It introduces A2-DIDM, an accumulator-enabled auditing framework that combines blockchain, zkSNARKs, and cryptographic predicates to record incremental weight checkpoint updates as Identity Records (IRs) and verify them on-chain with constant cost. Key contributions include the IR construction, predicate design to ensure uniqueness of training histories, an accumulator-based SNARK proving system, and theoretical security/efficiency analyses plus implementation and evaluation on real DNN training scenarios. The work demonstrates that model ownership auditing can be made private and verifiable at low on-chain overhead, supporting trustworthy model commercialization while protecting sensitive training data and parameters.

Abstract

The recent booming development of Generative Artificial Intelligence (GenAI) has facilitated an emerging model commercialization for the purpose of reinforcement on model performance, such as licensing or trading Deep Neural Network (DNN) models. However, DNN model trading may trigger concerns about unauthorized replication or misuse of the model, so that the benefit of the model ownership will be violated. Model identity auditing is a challenging issue in protecting the intellectual property of DNN models, and verifying the integrity and ownership of models to guarantee trust in transactions is one of the critical obstacles. In this paper, we focus on the above issue and propose a novel Accumulator-enabled Auditing for Distributed Identity of DNN Model (A2-DIDM) that utilizes blockchain and zero-knowledge techniques to protect data and function privacy while ensuring lightweight on-chain ownership verification. The proposed model presents a scheme of identity records via configuring model weight checkpoints with corresponding zero-knowledge proofs, which incorporates predicates to capture incremental state changes in model weight checkpoints. Our scheme ensures both computational integrity of the DNN training process and programmability, so that the uniqueness of the weight checkpoint sequence in a DNN model is preserved, ensuring the correctness of the model identity auditing. In addition, A2-DIDM also addresses privacy protections in distributed identity via a proposed method of accumulators. We systematically analyze the security and robustness of our proposed model and further evaluate the effectiveness and usability of auditing DNN model identities.

Paper Structure (21 sections, 1 theorem, 17 equations, 4 figures, 4 tables, 2 algorithms)

Key Result

Lemma 4.1

We suppose that the running time of the simulator $\mathcal{S}$, with the given parameters $\lambda, p, n, k \in \mathbb{N}$, is bounded by the size function $I(\lambda,p,n,k)$ as follows: Specifically, we note that for any $\lambda$, $p$, $n$, $k$, the ratio of accumulator verifier circuit size to index size, denoted as $S_{\mathsf{AVer}}^{*}(\lambda,n,I,k)/I$, is monotonically decreasin

Figures (4)

  • Figure 1: The construction of Identity Record for DIDM.
  • Figure 2: The construction of valid transactions on blockchain.
  • Figure 3: The construction of two zkSNARK provers and zkSNARK verifier. $\textit{R}$ denotes the binary relationship for SNARK provers. F denotes the $\mathsf{DIDM.PredCommit}(\cdot,\cdot)$ function that computes predicate commitment. V denotes the SNARK verifier that generates a bit value $0$ or $1$ to represent the verification result.
  • Figure 4: The construction of A2-DIDM provers and verifiers. Red boxes are accumulator prover, verifier and decider, which are different from Figure 3. The yellow and blue lines are to distinguish the input of external zkSNARK prover, and have no practical meaning. F and R are the same as those in Figure 3.

Theorems & Definitions (4)

  • Definition 3.1
  • Definition 4.1
  • Lemma 4.1
  • proof