skip to main content
10.1145/3460120.3485379acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article
Public Access

zkCNN: Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy

Published: 13 November 2021 Publication History

Abstract

Deep learning techniques with neural networks are developing prominently in recent years and have been deployed in numerous applications. Despite their great success, in many scenarios it is important for the users to validate that the inferences are truly computed by legitimate neural networks with high accuracy, which is referred to as the integrity of machine learning predictions. To address this issue, in this paper, we propose zkCNN, a zero knowledge proof scheme for convolutional neural networks (CNN). The scheme allows the owner of the CNN model to prove to others that the prediction of a data sample is indeed calculated by the model, without leaking any information about the model itself. Our scheme can also be generalized to prove the accuracy of a secret CNN model on a public dataset.
Underlying zkCNN is a new sumcheck protocol for proving fast Fourier transforms and convolutions with a linear prover time, which is even faster than computing the result asymptotically. We also introduce several improvements and generalizations on the interactive proofs for CNN predictions, including verifying the convolutional layer, the activation function of ReLU and the max pooling. Our scheme is highly efficient in practice. It can support the large CNN of VGG16 with 15 million parameters and 16 layers. It only takes 88.3 seconds to generate the proof, which is 1264× faster than existing schemes. The proof size is 341 kilobytes, and the verifier time is only 59.3 milliseconds. Our scheme can further scale to prove the accuracy of the same CNN on 20 images.

Supplementary Material

MP4 File (CCS21-fp527.mp4)
zkCNN is a zero-knowledge proof scheme for the convolutional neural network prediction. This is a joint work with Xiang Xie from Matrixelements company and Yupeng Zhang, my advisor at Texas A&M University. Nowadays, the GKR-based ZKP scheme for arithmetic circuit has been achieved prover time linear to the circuit size while keeping the verifier time and the proof size sublinear. However, considering the large amount of parameters as well as computations for large CNN models, it's still unpractical to directly compile the it into an arithmetic circuit. Thus we design some special purpose protocol for convolutions and other common operations in CNN inference. Finally, our work achieves prover time less than 2mins even for VGG16, together with a very fast verifier algorithm. Comparing to other implementations, our work is 213 times faster than ZEN in terms of LeNet-5 on CIFAR-10 database and estimated to be 1264 times faster than vCNN.

References

[1]
[n.d.]. Amazon Machine Learning Services. https://docs.aws.amazon.com/whitepapers/latest/aws-overview/machine-learning.html.
[2]
[n.d.]. Implementation of vCNN: Verifiable Convolutional Neural Network based on zk-SNARKs. https://github.com/snp-labs/VCNN.
[3]
[n.d.]. Implementation of ZEN: Efficient Zero-Knowledge Proof for Neural Networks. https://github.com/UCSB-TDS/ZEN.
[4]
[n.d.]. mcl. https://github.com/herumi/mcl/.
[5]
2021. TensorFlow. https://www.tensorflow.org/.
[6]
Scott Ames, Carmit Hazay, Yuval Ishai, and Muthuramakrishnan Venkitasubramaniam. 2017. Ligero: Lightweight sublinear arguments without a trusted setup. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security.
[7]
Carsten Baum, Alex J. Malozemoff, Marc Rosen, and Peter Scholl. 2020. Mac 'n' Cheese: Zero-Knowledge Proofs for Arithmetic Circuits with Nested Disjunctions. Cryptology ePrint Archive, Report 2020/1410. https://eprint.iacr.org/2020/1410.
[8]
Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. 2019. Scalable zero knowledge with no trusted setup. In Annual International Cryptology Conference. Springer, 701--732.
[9]
Eli Ben-Sasson, Alessandro Chiesa, Daniel Genkin, Eran Tromer, and Madars Virza. [n.d.]. SNARKs for C: Verifying program executions succinctly and in zero knowledge. In CRYPTO 2013.
[10]
Eli Ben-Sasson, Alessandro Chiesa, Michael Riabzev, Nicholas Spooner, Madars Virza, and Nicholas P. Ward. 2019. Aurora: Transparent Succinct Arguments for R1CS. In Advances in Cryptology -- EUROCRYPT 2019. Springer International Publishing, 103--128. https://doi.org/10.1007/978--3-030--17653--2_4
[11]
Eli Ben-Sasson, Alessandro Chiesa, and Nicholas Spooner. 2016. Interactive oracle proofs. In Theory of Cryptography Conference. Springer, 31--60.
[12]
Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, and Madars Virza. [n.d.]. Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture. In Proceedings of the USENIX Security Symposium, 2014.
[13]
Rishabh Bhadauria, Zhiyong Fang, Carmit Hazay, Muthuramakrishnan Venkitasubramaniam, Tiancheng Xie, and Yupeng Zhang. 2020. Ligero++: A New Optimized Sublinear IOP. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2025--2038.
[14]
B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell. [n.d.]. Bulletproofs: Short Proofs for Confidential Transactions and More. In Proceedings of the Symposium on Security and Privacy (SP), 2018, Vol. 00. 319--338.
[15]
Sean Bowe. [n.d.]. BLS12--381: New zk-SNARK Elliptic Curve Construction.
[16]
Matteo Campanelli, Dario Fiore, and Anaïs Querol. [n.d.]. LegoSNARK: Modular Design and Composition of Succinct Zero-Knowledge Proofs. In CCS 2019.
[17]
Alessandro Chiesa, Michael A. Forbes, and Nicholas Spooner. 2017. A Zero Knowledge Sumcheck and its Applications. CoRR abs/1704.02086 (2017). arXiv:1704.02086 http://arxiv.org/abs/1704.02086
[18]
Alessandro Chiesa, Yuncong Hu, Mary Maller, Pratyush Mishra, Noah Vesely, and Nicholas Ward. 2020. Marlin: Preprocessing zksnarks with universal and updatable srs. In Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 738--768.
[19]
Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. 2009. Introduction to Algorithms, Third Edition (3rd ed.). The MIT Press.
[20]
Graham Cormode, Michael Mitzenmacher, and Justin Thaler. [n.d.]. Practical Verified Computation with Streaming Interactive Proofs. In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference (ITCS '12).
[21]
Graham Cormode, Michael Mitzenmacher, and Justin Thaler. 2012. Practical verified computation with streaming interactive proofs. In ITCS 2012. 90--112.
[22]
Samuel Dittmer, Yuval Ishai, and Rafail Ostrovsky. 2020. Line-Point Zero Knowledge and Its Applications. Cryptology ePrint Archive, Report 2020/1446. https://eprint.iacr.org/2020/1446.
[23]
Boyuan Feng, Lianke Qin, Zhenfei Zhang, Yufei Ding, and Shumo Chu. 2021. ZEN: Efficient Zero-Knowledge Proofs for Neural Networks. Cryptology ePrint Archive, Report 2021/087. https://eprint.iacr.org/2021/087.
[24]
Amos Fiat and Adi Shamir. [n.d.]. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Crypto 1986.
[25]
Zahra Ghodsi, Tianyu Gu, and Siddharth Garg. 2017. SafetyNets: Verifiable Execution of Deep Neural Networks on an Untrusted Cloud. In Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, December 4--9, 2017, Long Beach, CA, USA. 4672--4681.
[26]
Shafi Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. 2015. Delegating Computation: Interactive Proofs for Muggles. J. ACM 62, 4, Article 27 (Sept. 2015), 64 pages.
[27]
Jens Groth. 2016. On the Size of Pairing-Based Non-interactive Arguments. In Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8--12, 2016, Proceedings, Part II. 305--326.
[28]
Benoit Jacob, Skirmantas Kligys, Bo Chen, Menglong Zhu, Matthew Tang, Andrew Howard, Hartwig Adam, and Dmitry Kalenichenko. 2017. Quantization andTraining of Neural Networks for Efficient Integer-Arithmetic-Only Inference. arXiv:1712.05877 [cs.LG]
[29]
Julien Keuffer, Refik Molva, and Hervé Chabanne. 2018. Efficient Proof Composition for Verifiable Computation. In Computer Security - 23rd European Symposium on Research in Computer Security, ESORICS 2018, Barcelona, Spain, September 3--7, 2018, Proceedings, Part I (Lecture Notes in Computer Science, Vol. 11098). Springer, 152--171.
[30]
Ahmed E. Kosba, Dimitrios Papadopoulos, Charalampos Papamanthou, and Dawn Song. 2020. MIRAGE: Succinct Arguments for Randomized Algorithms with Applications to Universal zk-SNARKs. 2129--2146.
[31]
Alex Krizhevsky. 2012. Learning Multiple Layers of Features from Tiny Images. University of Toronto (05 2012).
[32]
Y. Lecun, L. Bottou, Y. Bengio, and P. Haffner. 1998. Gradient-based learning applied to document recognition. Proc. IEEE 86, 11 (1998), 2278--2324. https://doi.org/10.1109/5.726791
[33]
Yann LeCun and Corinna Cortes. 2010. MNIST handwritten digit database. http://yann.lecun.com/exdb/mnist/. (2010). http://yann.lecun.com/exdb/mnist/
[34]
Seunghwa Lee, Hankyung Ko, Jihye Kim, and Hyunok Oh. 2020. vCNN: Verifiable Convolutional Neural Network based on zk-SNARKs. Cryptology ePrint Archive, Report 2020/584. https://eprint.iacr.org/2020/584.
[35]
Carsten Lund, Lance Fortnow, Howard Karloff, and Noam Nisan. 1992. Algebraic Methods for Interactive Proof Systems. J. ACM 39, 4 (Oct. 1992), 859--868.
[36]
Mary Maller, Sean Bowe, Markulf Kohlweiss, and Sarah Meiklejohn. 2019. Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updateable Structured Reference Strings. Cryptology ePrint Archive, Report 2019/099. https://eprint.iacr.org/2019/099.
[37]
Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. 2013. Pinocchio: Nearly practical verifiable computation. In S&P 2013. 238--252.
[38]
Jacob T Schwartz. 1979. Probabilistic algorithms for verification of polynomial identities. In International Symposium on Symbolic and Algebraic Manipulation. Springer, 200--215.
[39]
Srinath Setty. 2020. Spartan: Efficient and general-purpose zkSNARKs without trusted setup. In Annual International Cryptology Conference. Springer, 704--737.
[40]
Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. arXiv:1409.1556 [cs.CV]
[41]
Justin Thaler. 2013. Time-Optimal Interactive Proofs for Circuit Evaluation. In Advances in Cryptology -- CRYPTO 2013, Ran Canetti and Juan A. Garay (Eds.).
[42]
Riad S Wahby, Max Howald, Siddharth Garg, Abhi Shelat, and Michael Walfish. 2016. Verifiable asics. In Security and Privacy (SP), 2016 IEEE Symposium on. IEEE, 759--778.
[43]
Riad S Wahby, Ye Ji, Andrew J Blumberg, Abhi Shelat, Justin Thaler, Michael Walfish, and Thomas Wies. 2017. Full accounting for verifiable outsourcing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM.
[44]
Riad S Wahby, Ioanna Tzialla, Abhi Shelat, Justin Thaler, and Michael Walfish. 2018. Doubly-efficient zkSNARKs without trusted setup. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 926--943.
[45]
Chenkai Weng, Kang Yang, Jonathan Katz, and Xiao Wang. 2020. Wolverine: Fast, Scalable, and Communication-Efficient Zero-Knowledge Proofs for Boolean and Arithmetic Circuits. Cryptology ePrint Archive, Report 2020/925. https://eprint.iacr.org/2020/925.
[46]
Chenkai Weng, Kang Yang, Xiang Xie, Jonathan Katz, and Xiao Wang. 2021. Mystique: Efficient Conversions for Zero-Knowledge Proofs with Applications to Machine Learning. Cryptology ePrint Archive, Report 2021/730. https://ia.cr/2021/730.
[47]
Howard Wu, Wenting Zheng, Alessandro Chiesa, Raluca Ada Popa, and Ion Stoica. 2018. DIZK: A Distributed Zero Knowledge Proof System. In 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, August 15--17, 2018. USENIX Association, 675--692.
[48]
Tiacheng Xie, Jiaheng Zhang, Yupeng Zhang, Charalampos Papamanthou, and Dawn Song. 2019. Libra: Succinct Zero-Knowledge Proofs with Optimal Prover Computation. In Advances in Cryptology (CRYPTO).
[49]
Kang Yang, Pratik Sarkar, Chenkai Weng, and Xiao Wang. 2021. QuickSilver: Efficient and Affordable Zero-Knowledge Proofs for Circuits and Polynomials over Any Field. Cryptology ePrint Archive, Report 2021/076. https://eprint.iacr.org/2021/076.
[50]
Jiaheng Zhang, Zhiyong Fang, Yupeng Zhang, and Dawn Song. 2020. Zero Knowledge Proofs for Decision Tree Predictions and Accuracy. In CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9--13, 2020. ACM, 2039--2053.
[51]
Jiaheng Zhang, Weijie Wang, Yinuo Zhang, and Yupeng Zhang. 2020. Doubly Efficient Interactive Proofs for General Arithmetic Circuits with Linear Prover Time. Cryptology ePrint Archive, Report 2020/1247. https://eprint.iacr.org/2020/1247.
[52]
Jiaheng Zhang, Tiancheng Xie, Yupeng Zhang, and Dawn Song. [n.d.]. Transparent Polynomial Delegation and Its Applications to Zero Knowledge Proof. In S&P 2020.
[53]
Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos, and Charalampos Papamanthou. 2017. vSQL: Verifying arbitrary SQL queries over dynamic outsourced databases. In Security and Privacy (SP), 2017 IEEE Symposium on. IEEE, 863--880.
[54]
Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos, and Charalampos Papamanthou. 2017. A Zero-Knowledge Version of vSQL. Cryptology ePrint.
[55]
Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos, and Charalampos Papamanthou. 2018. vRAM: Faster verifiable RAM with program-independent preprocessing. In Proceeding of IEEE Symposium on Security and Privacy (S&P).
[56]
Lingchen Zhao, Qian Wang, Cong Wang, Qi Li, Chao Shen, Xiaodong Lin, Shengshan Hu, and Minxin Du. 2019. VeriML: Enabling Integrity Assurances and Fair Payments for Machine Learning as a Service. arXiv:1909.06961 [cs.CR]
[57]
Richard Zippel. 1979. Probabilistic algorithms for sparse polynomials. In International Symposium on Symbolic and Algebraic Manipulation. Springer, 216--226.

Cited By

View all
  • (2025)BatchZK: A Fully Pipelined GPU-Accelerated System for Batch Generation of Zero-Knowledge ProofsProceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 110.1145/3669940.3707270(100-115)Online publication date: 3-Feb-2025
  • (2025)zkDL: Efficient Zero-Knowledge Proofs of Deep Learning TrainingIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.352086320(914-927)Online publication date: 2025
  • (2025)Succinct Hash-Based Arbitrary-Range ProofsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.349780620(145-158)Online publication date: 1-Jan-2025
  • Show More Cited By

Index Terms

  1. zkCNN: Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
    November 2021
    3558 pages
    ISBN:9781450384544
    DOI:10.1145/3460120
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 13 November 2021

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. convolutional neural networks
    2. machine learning
    3. zero knowledge proofs

    Qualifiers

    • Research-article

    Funding Sources

    • DARPA

    Conference

    CCS '21
    Sponsor:
    CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
    November 15 - 19, 2021
    Virtual Event, Republic of Korea

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Upcoming Conference

    CCS '25

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)1,186
    • Downloads (Last 6 weeks)95
    Reflects downloads up to 15 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2025)BatchZK: A Fully Pipelined GPU-Accelerated System for Batch Generation of Zero-Knowledge ProofsProceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 110.1145/3669940.3707270(100-115)Online publication date: 3-Feb-2025
    • (2025)zkDL: Efficient Zero-Knowledge Proofs of Deep Learning TrainingIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.352086320(914-927)Online publication date: 2025
    • (2025)Succinct Hash-Based Arbitrary-Range ProofsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.349780620(145-158)Online publication date: 1-Jan-2025
    • (2025)A zero-knowledge proof federated learning on DLT for healthcare dataJournal of Parallel and Distributed Computing10.1016/j.jpdc.2024.104992196:COnline publication date: 1-Feb-2025
    • (2025)Ceno: Non-uniform, Segment and Parallel Zero-Knowledge Virtual MachineJournal of Cryptology10.1007/s00145-024-09533-238:2Online publication date: 22-Jan-2025
    • (2024)FairProofProceedings of the 41st International Conference on Machine Learning10.5555/3692070.3694365(55682-55705)Online publication date: 21-Jul-2024
    • (2024)Trustless audits without revealing data or modelsProceedings of the 41st International Conference on Machine Learning10.5555/3692070.3694106(49808-49821)Online publication date: 21-Jul-2024
    • (2024)Privacy-preserving UCB decision process verification via zk-SNARKsProceedings of the Thirty-Third International Joint Conference on Artificial Intelligence10.24963/ijcai.2024/652(5900-5908)Online publication date: 3-Aug-2024
    • (2024)zkTaylor: Zero Knowledge Proofs for Machine Learning via Taylor Series TransformationProceedings of the 2024 2nd International Conference on Advances in Artificial Intelligence and Applications10.1145/3712623.3712646(37-41)Online publication date: 20-Dec-2024
    • (2024)EverForest: A More-Than-AI Sustainability Manifesto from an On-Chain Artificial LifeProceedings of the Halfway to the Future Symposium10.1145/3686169.3686209(1-6)Online publication date: 21-Oct-2024
    • Show More Cited By

    View Options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Login options

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media