zkCNN: Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy

Deep learning techniques with neural networks have developed rapidly in recent years and have been deployed in numerous applications. Despite their great success, in many scenarios it is important for users to validate that inferences are truly computed by legitimate neural networks with high accuracy, a property referred to as the integrity of machine learning predictions. To address this issue, in this paper we propose zkCNN, a zero knowledge proof scheme for convolutional neural networks (CNNs). The scheme allows the owner of a CNN model to prove to others that the prediction for a data sample was indeed calculated by the model, without leaking any information about the model itself. Our scheme can also be generalized to prove the accuracy of a secret CNN model on a public dataset. Underlying zkCNN is a new sumcheck protocol for proving fast Fourier transforms and convolutions with linear prover time, which is asymptotically even faster than computing the result. We also introduce several improvements and generalizations of the interactive proofs for CNN predictions, including verifying the convolutional layer, the ReLU activation function and max pooling. Our scheme is highly efficient in practice. It can support the large CNN VGG16, with 15 million parameters and 16 layers. It takes only 88.3 seconds to generate the proof, which is 1264× faster than existing schemes. The proof size is 341 kilobytes, and the verifier time is only 59.3 milliseconds. Our scheme can further scale to prove the accuracy of the same CNN on 20 images.
