Saved in:
Bibliographic Details
Main Authors: Anchuri, Pranay, Campanelli, Matteo, Cesaretti, Paul, Gennaro, Rosario, Jois, Tushar M., Kayman, Hasan S., Ozdemir, Tugce
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.19025
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912974431584256
author Anchuri, Pranay
Campanelli, Matteo
Cesaretti, Paul
Gennaro, Rosario
Jois, Tushar M.
Kayman, Hasan S.
Ozdemir, Tugce
author_facet Anchuri, Pranay
Campanelli, Matteo
Cesaretti, Paul
Gennaro, Rosario
Jois, Tushar M.
Kayman, Hasan S.
Ozdemir, Tugce
contents When large AI models are deployed as cloud-based services, clients have no guarantee that responses are correct or were produced by the intended model. Rerunning inference locally is infeasible for large models, and existing cryptographic proof systems -- while providing strong correctness guarantees -- introduce prohibitive prover overhead (e.g., hundreds of seconds per query for billion-parameter models). We present a verification framework and protocol that replaces full cryptographic proofs with a lightweight, sampling-based approach grounded in statistical properties of neural networks. We formalize the conditions under which trace separation between functionally dissimilar models can be leveraged to argue the security of verifiable inference protocols. The prover commits to the execution trace of inference via Merkle-tree-based vector commitments and opens only a small number of entries along randomly sampled paths from output to input. This yields a protocol that trades soundness for efficiency, a tradeoff well-suited to auditing, large-scale deployment settings where repeated queries amplify detection probability, and scenarios with rationally incentivized provers who face penalties upon detection. Our approach reduces proving times by several orders of magnitude compared to state-of-the-art cryptographic proof systems, going from the order of minutes to the order of milliseconds, with moderately larger proofs. Experiments on ResNet-18 classifiers and Llama-2-7B confirm that common architectures exhibit the statistical properties our protocol requires, and that natural adversarial strategies (gradient-descent reconstruction, inverse transforms, logit swapping) fail to produce traces that evade detection. We additionally present a protocol in the refereed delegation model, where two competing servers enable correct output identification in a logarithmic number of rounds.
format Preprint
id arxiv_https___arxiv_org_abs_2603_19025
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Towards Verifiable AI with Lightweight Cryptographic Proofs of Inference
Anchuri, Pranay
Campanelli, Matteo
Cesaretti, Paul
Gennaro, Rosario
Jois, Tushar M.
Kayman, Hasan S.
Ozdemir, Tugce
Cryptography and Security
Machine Learning
68T05, 94A60
I.2.6; F.2.2
When large AI models are deployed as cloud-based services, clients have no guarantee that responses are correct or were produced by the intended model. Rerunning inference locally is infeasible for large models, and existing cryptographic proof systems -- while providing strong correctness guarantees -- introduce prohibitive prover overhead (e.g., hundreds of seconds per query for billion-parameter models). We present a verification framework and protocol that replaces full cryptographic proofs with a lightweight, sampling-based approach grounded in statistical properties of neural networks. We formalize the conditions under which trace separation between functionally dissimilar models can be leveraged to argue the security of verifiable inference protocols. The prover commits to the execution trace of inference via Merkle-tree-based vector commitments and opens only a small number of entries along randomly sampled paths from output to input. This yields a protocol that trades soundness for efficiency, a tradeoff well-suited to auditing, large-scale deployment settings where repeated queries amplify detection probability, and scenarios with rationally incentivized provers who face penalties upon detection. Our approach reduces proving times by several orders of magnitude compared to state-of-the-art cryptographic proof systems, going from the order of minutes to the order of milliseconds, with moderately larger proofs. Experiments on ResNet-18 classifiers and Llama-2-7B confirm that common architectures exhibit the statistical properties our protocol requires, and that natural adversarial strategies (gradient-descent reconstruction, inverse transforms, logit swapping) fail to produce traces that evade detection. We additionally present a protocol in the refereed delegation model, where two competing servers enable correct output identification in a logarithmic number of rounds.
title Towards Verifiable AI with Lightweight Cryptographic Proofs of Inference
topic Cryptography and Security
Machine Learning
68T05, 94A60
I.2.6; F.2.2
url https://arxiv.org/abs/2603.19025