Proof-of-Learning is Currently More Broken Than You Think

C. Fang; Hengrui Jia; A. Thudi; M. Yaghini; Christopher A. Choquette-Choo; N. Dullerud; V. Chandrasekaran; N. Papernot

doi:10.1109/EuroSP57164.2023.00052

Proof-of-Learning is Currently More Broken Than You Think

C. Fang, Hengrui Jia, A. Thudi, M. Yaghini, Christopher A. Choquette-Choo, N. Dullerud, V. Chandrasekaran, N. Papernot

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Proof-of-Learning (PoL) proposes that a model owner logs training checkpoints to establish a proof of having expended the computation necessary for training. The authors of PoL forego cryptographic approaches and trade rigorous security guarantees for scalability to deep learning. They empirically argued the benefit of this approach by showing how spoofing - computing a proof for a stolen model - is as expensive as obtaining the proof honestly by training the model. However, recent work has provided a counter-example and thus has invalidated this observation.In this work we demonstrate, first, that while it is true that current PoL verification is not robust to adversaries, recent work has largely underestimated this lack of robustness. This is because existing spoofing strategies are either unreproducible or target weakened instantiations of PoL - meaning they are easily thwarted by changing hyperparameters of the verification. Instead, we introduce the first spoofing strategies that can be reproduced across different configurations of the PoL verification and can be done for a fraction of the cost of previous spoofing strategies. This is possible because we identify key vulnerabilities of PoL and systematically analyze the underlying assumptions needed for robust verification of a proof. On the theoretical side, we show how realizing these assumptions reduces to open problems in learning theory. We conclude that one cannot develop a provably robust PoL verification mechanism without further understanding of optimization in deep learning.

Original language	English (US)
Title of host publication	Proceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023
Place of Publication	Los Alamitos
Publisher	IEEE Computer Society
Pages	797-816
Number of pages	20
ISBN (Electronic)	9781665465120
DOIs	https://doi.org/10.1109/EuroSP57164.2023.00052
State	Published - Jul 1 2023
Externally published	Yes

Online availability

10.1109/EuroSP57164.2023.00052

Library availability

Discover UIUC Full Text

Cite this

@inproceedings{a08f5d9f477d49529453263051cbfd4b,

title = "Proof-of-Learning is Currently More Broken Than You Think",

abstract = "Proof-of-Learning (PoL) proposes that a model owner logs training checkpoints to establish a proof of having expended the computation necessary for training. The authors of PoL forego cryptographic approaches and trade rigorous security guarantees for scalability to deep learning. They empirically argued the benefit of this approach by showing how spoofing - computing a proof for a stolen model - is as expensive as obtaining the proof honestly by training the model. However, recent work has provided a counter-example and thus has invalidated this observation.In this work we demonstrate, first, that while it is true that current PoL verification is not robust to adversaries, recent work has largely underestimated this lack of robustness. This is because existing spoofing strategies are either unreproducible or target weakened instantiations of PoL - meaning they are easily thwarted by changing hyperparameters of the verification. Instead, we introduce the first spoofing strategies that can be reproduced across different configurations of the PoL verification and can be done for a fraction of the cost of previous spoofing strategies. This is possible because we identify key vulnerabilities of PoL and systematically analyze the underlying assumptions needed for robust verification of a proof. On the theoretical side, we show how realizing these assumptions reduces to open problems in learning theory. We conclude that one cannot develop a provably robust PoL verification mechanism without further understanding of optimization in deep learning.",

author = "C. Fang and Hengrui Jia and A. Thudi and M. Yaghini and Choquette-Choo, {Christopher A.} and N. Dullerud and V. Chandrasekaran and N. Papernot",

note = "We would like to acknowledge our sponsors, who support our research with financial and in-kind contributions: Amazon, Apple, CIFAR through the Canada CIFAR AI Chair, DARPA through the GARD project, Intel, Meta, NFRF through an Exploration grant, NSERC through the COHESA Strategic Alliance, the Ontario Early Researcher Award, and the Sloan Foundation. Resources used in preparing this research were provided, in part, by the Province of Ontario, the Government of Canada through CIFAR, and companies sponsoring the Vector Institute. We would also like to thank CleverHans lab group members for their feedback.",

year = "2023",

month = jul,

day = "1",

doi = "10.1109/EuroSP57164.2023.00052",

language = "English (US)",

pages = "797--816",

booktitle = "Proceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023",

publisher = "IEEE Computer Society",

address = "United States",

}

TY - GEN

T1 - Proof-of-Learning is Currently More Broken Than You Think

AU - Fang, C.

AU - Jia, Hengrui

AU - Thudi, A.

AU - Yaghini, M.

AU - Choquette-Choo, Christopher A.

AU - Dullerud, N.

AU - Chandrasekaran, V.

AU - Papernot, N.

N1 - We would like to acknowledge our sponsors, who support our research with financial and in-kind contributions: Amazon, Apple, CIFAR through the Canada CIFAR AI Chair, DARPA through the GARD project, Intel, Meta, NFRF through an Exploration grant, NSERC through the COHESA Strategic Alliance, the Ontario Early Researcher Award, and the Sloan Foundation. Resources used in preparing this research were provided, in part, by the Province of Ontario, the Government of Canada through CIFAR, and companies sponsoring the Vector Institute. We would also like to thank CleverHans lab group members for their feedback.

PY - 2023/7/1

Y1 - 2023/7/1

N2 - Proof-of-Learning (PoL) proposes that a model owner logs training checkpoints to establish a proof of having expended the computation necessary for training. The authors of PoL forego cryptographic approaches and trade rigorous security guarantees for scalability to deep learning. They empirically argued the benefit of this approach by showing how spoofing - computing a proof for a stolen model - is as expensive as obtaining the proof honestly by training the model. However, recent work has provided a counter-example and thus has invalidated this observation.In this work we demonstrate, first, that while it is true that current PoL verification is not robust to adversaries, recent work has largely underestimated this lack of robustness. This is because existing spoofing strategies are either unreproducible or target weakened instantiations of PoL - meaning they are easily thwarted by changing hyperparameters of the verification. Instead, we introduce the first spoofing strategies that can be reproduced across different configurations of the PoL verification and can be done for a fraction of the cost of previous spoofing strategies. This is possible because we identify key vulnerabilities of PoL and systematically analyze the underlying assumptions needed for robust verification of a proof. On the theoretical side, we show how realizing these assumptions reduces to open problems in learning theory. We conclude that one cannot develop a provably robust PoL verification mechanism without further understanding of optimization in deep learning.

AB - Proof-of-Learning (PoL) proposes that a model owner logs training checkpoints to establish a proof of having expended the computation necessary for training. The authors of PoL forego cryptographic approaches and trade rigorous security guarantees for scalability to deep learning. They empirically argued the benefit of this approach by showing how spoofing - computing a proof for a stolen model - is as expensive as obtaining the proof honestly by training the model. However, recent work has provided a counter-example and thus has invalidated this observation.In this work we demonstrate, first, that while it is true that current PoL verification is not robust to adversaries, recent work has largely underestimated this lack of robustness. This is because existing spoofing strategies are either unreproducible or target weakened instantiations of PoL - meaning they are easily thwarted by changing hyperparameters of the verification. Instead, we introduce the first spoofing strategies that can be reproduced across different configurations of the PoL verification and can be done for a fraction of the cost of previous spoofing strategies. This is possible because we identify key vulnerabilities of PoL and systematically analyze the underlying assumptions needed for robust verification of a proof. On the theoretical side, we show how realizing these assumptions reduces to open problems in learning theory. We conclude that one cannot develop a provably robust PoL verification mechanism without further understanding of optimization in deep learning.

UR - http://www.scopus.com/inward/record.url?scp=85168119729&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85168119729&partnerID=8YFLogxK

U2 - 10.1109/EuroSP57164.2023.00052

DO - 10.1109/EuroSP57164.2023.00052

M3 - Conference contribution

SP - 797

EP - 816

BT - Proceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023

PB - IEEE Computer Society

CY - Los Alamitos

ER -

Proof-of-Learning is Currently More Broken Than You Think

Abstract

Online availability

Library availability

Related links

Fingerprint

Cite this