Towards Secure and Private AI: A Framework for Decentralized Inference

TL;DR

This paper addresses security, privacy, and reliability challenges in decentralized AI inference for large multimodal foundation models. It proposes a hybrid framework combining zero-knowledge decentralised proofs (zkDPS) and Sequential Homomorphic Encryption (SHE) for critical inference, with Consensus-Based Verification (CBV) and Split Learning (SL) for general inference, complemented by hardware-backed TEEs. The framework articulates scenario-based deployment, balancing stringent protection with efficiency, and introduces innovations in hardware-software co-design such as direct inter-TEE secure channels and heterogeneous TEE scheduling. Collectively, the work advances responsible democratization of AI by enhancing inference integrity, data privacy, and fairness in distributed settings, while outlining directions to optimize real-time performance and scalability.

Abstract

The rapid advancement of ML models in critical sectors such as healthcare, finance, and security has intensified the need for robust data security, model integrity, and reliable outputs. Large multimodal foundational models, while crucial for complex tasks, present challenges in scalability, reliability, and potential misuse. Decentralized systems offer a solution by distributing workload and mitigating central points of failure, but they introduce risks of unauthorized access to sensitive data across nodes. We address these challenges with a comprehensive framework designed for responsible AI development. Our approach incorporates: 1) Zero-knowledge proofs for secure model verification, enhancing trust without compromising privacy. 2) Consensus-based verification checks to ensure consistent outputs across nodes, mitigating hallucinations and maintaining model integrity. 3) Split Learning techniques that segment models across different nodes, preserving data privacy by preventing full data access at any point. 4) Hardware-based security through trusted execution environments (TEEs) to protect data and computations. This framework aims to enhance security and privacy and improve the reliability and fairness of multimodal AI systems. Promoting efficient resource utilization contributes to more sustainable AI development. Our state-of-the-art proofs and principles demonstrate the framework's effectiveness in responsibly democratizing artificial intelligence, offering a promising approach for building secure and private foundational models.

Figures (5)

• Figure 1: Security flowchart for critical inference, where we design zkDPS (§ \ref{['subsec:zkp']}) for model verification and SHE (proprietary) for data encryption and user privacy protection.
• Figure 1: Zero-knowledge proof of circuit $10=(w_1+w_2)(w_2+1)$ between a prover (P) and a verifier (V). Hereby, the goal of the prover is to prove to the verifier that P knows a $w_1$ and $w_2$ such that the claimed result "10" is indeed calculated by the equation $(w_1+w_2)(w_2+1)$ (which is denoted by a circuit). The witness $w_1=4$ and $w_2=1$ are the secret of the prover. Zero-knowledge proof consists of a commitment process (denoted by the safe box) in the beginning, followed by several back-and-forth challenge and response processes between P and V in the interactive scenario. In the non-interactive scenario, the prover can challenge him or herself by the Fiat-Shamir heuristic and the verifier only needs to verify the last response from the prover.
• Figure 2: Security flowchart for general inference, where we design CBV (§ \ref{['subsec:cbv']}) for model verification and leverage SL (§ \ref{['subsec:sl']}) for data encryption and user privacy protection.
• Figure 2: Sum-Check protocol for $H\overset{\text{?}}{=}\sum_{(x_1,x_2,...x_v)\in \{0,1\}^v} g(x_1,x_2,...,x_v)$.
• Figure 3: Overview of our specialized TEE paradigm for decentralized AI inference.