Slashing Mechanism

Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge (zk-SNARKs) are one of the most established security mechanisms. However, zkML is impractical for large machine learning inference tasks (e.g. LLMs, image generation, etc.) (see Table 1) [6]. Additionally, zk-SNARKs have costly memory requirements and high service costs. For instance, the memory consumption for generating an arithmetic circuit in a zk-SNARK for the 7 billion parameter Llama model is on the order of terabytes, if not petabytes [6]. Proof generation time in particular is a significant limitation, which is why we utilize optimistic fault proofs. To this end, we design a system that incentivizes desired behavior to mitigate potentially invalid results.

Table 1: Tradeoffs for existing inference verification techniques

We utilize fault proofs to protect users from misbehaving service providers in a slashing mechanism similar to that of Ethereum’s Proof-of-Stake model. In this optimistic system, users are able to challenge the results of an inference. Additionally, the Smart AI system will also randomly initiate challenges. While a challenge is running, the challenged provider is temporarily barred from accepting tasks. We use a method similar to [7] and the interactive bisection scheme in [8] to determine the validity of the challenger’s claim. Since the inference can be represented as a directed acyclic graph (DAG), we can fix the source of randomness to produce deterministic inference processes. Then, a single service provider is assigned to recompute each layer of the node in the topological order of the model DAG. Note that using multiple providers to verify the challenged inference requires full trust, since a single dishonest party (1-of-𝑛) nullifies the correctness of the proof. If at any point there is a discrepancy between the challenged inference and the recomputed inference, the challenger and service providers are rewarded and the challenged service provider is punished. Punishments result in nefarious providers being removed from the network with prejudice and the invalid transaction being reversed. The user’s task will then be returned to the auction with higher priority.
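The recompute-and-compare step described above, as an added example that is not Smart AI's own code. It compares per-node hash commitments linearly rather than by interactive bisection. The toy DAG, the `tamper` switch, the party names, the stake amounts and the even reward split are all assumptions.

```python
import hashlib
import random
from graphlib import TopologicalSorter

# Constructed toy model DAG: node -> (parent nodes, op(parent_outputs, rng)).
MODEL = {
    "input":   ((), lambda xs, rng: [3, 1, 4, 1]),
    "scale":   (("input",), lambda xs, rng: [2 * v for v in xs[0]]),
    "dropout": (("scale",), lambda xs, rng: [v if rng.random() > 0.5 else 0 for v in xs[0]]),
    "bias":    (("input",), lambda xs, rng: [v + 1 for v in xs[0]]),
    "sum":     (("dropout", "bias"), lambda xs, rng: [a + b for a, b in zip(*xs)]),
}

def commit(value):
    """Hash commitment to one node's output."""
    return hashlib.sha256(repr(value).encode()).hexdigest()

def run_inference(seed, tamper=None):
    """Evaluate the DAG in topological order; return [(node, commitment), ...].
    Each node's RNG is derived from (seed, node), so a re-run is bit-identical.
    `tamper` (hypothetical) names a node whose output a dishonest provider alters."""
    order = TopologicalSorter({n: p for n, (p, _) in MODEL.items()}).static_order()
    outputs, trace = {}, []
    for node in order:
        parents, op = MODEL[node]
        out = op([outputs[p] for p in parents], random.Random(f"{seed}:{node}"))
        if node == tamper:
            out = [v + 1 for v in out]
        outputs[node] = out
        trace.append((node, commit(out)))
    return trace

def first_divergence(claimed, recomputed):
    """First node, in topological order, whose commitments differ (None if equal)."""
    for (node, c), (_, r) in zip(claimed, recomputed):
        if c != r:
            return node
    return None

def resolve_challenge(claimed, seed, stakes, provider, challenger, verifier):
    """Recompute, compare, and slash on a discrepancy (even split is an assumption)."""
    node = first_divergence(claimed, run_inference(seed))
    if node is None:
        return None, stakes          # challenge fails; nothing is slashed here
    stakes = dict(stakes)
    slashed = stakes.pop(provider)   # challenged provider leaves the network
    stakes[challenger] += slashed // 2
    stakes[verifier] += slashed - slashed // 2
    return node, stakes
```

Because every downstream node inherits a tampered value, the first differing commitment in topological order identifies where the challenged trace left the deterministic computation.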
