TY - GEN
T1 - ZKML: An Optimizing System for ML Inference in Zero-Knowledge Proofs
T2 - 19th European Conference on Computer Systems, EuroSys 2024
AU - Chen, Bing Jyue
AU - Waiwitlikhit, Suppakit
AU - Stoica, Ion
AU - Kang, Daniel
N1 - Publisher Copyright:
© 2024 ACM.
PY - 2024/4/22
Y1 - 2024/4/22
N2 - Machine learning (ML) is increasingly used behind closed systems and APIs to make important decisions. For example, social media uses ML-based recommendation algorithms to decide what to show users, and millions of people pay to use ChatGPT for information every day. Because ML is deployed behind these closed systems, there are increasing calls for transparency, such as releasing model weights. However, these service providers have legitimate reasons not to release this information, including for privacy and trade secrets. To bridge this gap, recent work has proposed using zero-knowledge proofs (specifically a form called ZK-SNARKs) for certifying computation with private models but has only been applied to unrealistically small models. In this work, we present the first framework, ZKML, to produce ZK-SNARKs for realistic ML models, including state-of-the-art vision models, a distilled GPT-2, and the ML model powering Twitter's recommendations. We accomplish this by designing an optimizing compiler from TensorFlow to circuits in the halo2 ZK-SNARK proving system. There are many equivalent ways to implement the same operations within ZK-SNARK circuits, and these design choices can affect performance by 24×. To efficiently compile ML models, ZKML contains two parts: gadgets (efficient constraints for low-level operations) and an optimizer to decide how to lay out the gadgets within a circuit. Combined, these optimizations enable proving on a wider range of models, faster proving, faster verification, and smaller proofs compared to prior work.
UR - http://www.scopus.com/inward/record.url?scp=85191953184&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85191953184&partnerID=8YFLogxK
U2 - 10.1145/3627703.3650088
DO - 10.1145/3627703.3650088
M3 - Conference contribution
AN - SCOPUS:85191953184
T3 - EuroSys 2024 - Proceedings of the 2024 European Conference on Computer Systems
SP - 560
EP - 574
BT - EuroSys 2024 - Proceedings of the 2024 European Conference on Computer Systems
PB - Association for Computing Machinery
Y2 - 22 April 2024 through 25 April 2024
ER -