Trust the Process: Zero-Knowledge Machine Learning to Enhance Trust in
Generative AI Interactions
Bianca-Mihaela Ganescu1 , Jonathan Passerat-Palmbach1, 2
1
Imperial College London
2
Flashbots
[email protected], [email protected]
arXiv:2402.06414v1 [cs.LG] 9 Feb 2024
Abstract
Generative AI, exemplified by models like transformers, has
opened up new possibilities in various domains but also raised
concerns about fairness, transparency and reliability, espe-
cially in fields like medicine and law. This paper empha-
sizes the urgency of ensuring fairness and quality in these do-
mains through generative AI. It explores using cryptographic
techniques, particularly Zero-Knowledge Proofs (ZKPs), to
address concerns regarding performance fairness and accu-
racy while protecting model privacy. Applying ZKPs to Ma-
chine Learning models, known as ZKML (Zero-Knowledge
Machine Learning), enables independent validation of AI-
generated content without revealing sensitive model informa-
tion, promoting transparency and trust. ZKML enhances AI
fairness by providing cryptographic audit trails for model pre-
dictions and ensuring uniform performance across users. We
introduce snarkGPT, a practical ZKML implementation for
transformers, to empower users to verify output accuracy and
quality while preserving model privacy. We present a series
of empirical results studying snarkGPT’s scalability and per-
formance to assess the feasibility and challenges of adopt-
ing a ZKML-powered approach to capture quality and per-
formance fairness problems in generative AI models.
Introduction
The latest developments in Generative AI have opened new
possibilities for AI to become more pervasive in multiple
fields. For example, GPT-4 can now pass internationally rec-
ognized exams in medicine and law (Nori et al. 2023; Ope-
nAI 2023). Such advancements in transformer-based mod-
els introduce new challenges, particularly in ensuring the
uniform quality and execution of these models for all users
when deployed and accessed through remote cloud APIs.
This notion is commonly known as performance fairness
(Jiang et al. 2023).
Over the past few years, the field of AI fairness has wit-
nessed substantial progress in addressing bias mitigation
within machine learning models. This collective effort has
yielded methods that strive to create fairer models, reducing
the impact of biases in various applications. This paper ex-
plores a novel algorithmic approach that complements AI
fairness strategies by focusing on ensuring the uniform per-
formance and execution of deployed AI models across users.
Copyright © 2024, Association for the Advancement of Artificial
Intelligence (www.aaai.org). All rights reserved.
We present a protocol that empowers users to engage with
remote servers hosting AI models, ensuring that the model
they interact with behind a black-box API is indeed the pre-
cise model they have requested from the provider.
The implications of this approach extend across domains,
with particular relevance in fields such as healthcare and fi-
nance, where the outcomes produced by AI models can pro-
foundly affect the well-being of end-users, especially those
belonging to underrepresented populations.
Our approach leverages zkSNARKs (Zero-Knowledge
Succinct Non-interactive ARgument of Knowledge), a cryp-
tographic tool that bolsters the integrity of computations
while preserving user privacy by not disclosing sensitive in-
formation during the verification process.
Recent developments have given rise to a burgeoning
body of research known as ZKML (Zero-Knowledge Ma-
chine Learning) (Feng et al. 2021; Lee et al. 2020; Kang
et al. 2022), which focuses on leveraging zkSNARKs to ver-
ify the integrity of the inference pass in AI models. ZKML
serves two primary purposes:
1. Verification of Model Output: In scenarios where users
submit their data to remote services hosting AI models,
ZKML provides users with a cryptographic proof that the
output they receive originates from the exact model they
have requested or paid for. This is particularly pertinent
in Generative AI applications like ChatGPT, where mul-
tiple subscription tiers promise varying levels of model
performance. Currently, users lack guarantees that the
output aligns with their subscription tier.
2. Enhancing Data Privacy: ZKML is also valuable for en-
hancing data privacy. In cases where users are unwilling
or unable to upload their data to remote third-party mod-
els, model owners can deploy models directly to users’
devices. While this deployment strategy is unproblem-
atic in scenarios like predictive text on a smartphone key-
board, more sensitive situations exist, such as financial
services’ Know Your Customer (KYC) processes. ZKML
enables model providers to confidently deploy their mod-
els to users’ devices, ensuring that the model’s predic-
tions are genuinely derived from their model and not sim-
ulated by the user using alternative software. The combi-
nation of data locality and the Zero-Knowledge property
preserves user data privacy.
 In the context of AI fairness, ZKML directly contributes
to performance fairness, ensuring that all users of a par-
ticular service experience consistent quality. Model own-
ers need not reveal their model’s weights, preserving their
valuable intellectual property. Instead, they can publish a
model fingerprint that is verified as an additional step dur-
ing user output generation. This has far-reaching implica-
tions, including addressing equality of outcomes concerns
in applications like credit scoring models, which have faced
criticism for perpetuating discrimination against underrepre-
sented communities, such as racial minorities. By employing
ZKML, banks can make their creditworthiness assessments
fully transparent and trustworthy, guaranteeing that the same
model is used for all users. Auditors can evaluate model de-
cisions alongside the proof provided by users disputing their
scores, thereby eliminating discrimination rooted in users’
backgrounds.
The remainder of this paper demonstrates the viability
of our approach. In the background section, we introduce
“snarkGPT,” a verifiable ZKML pipeline. In the evaluation
section, we provide empirical results that underscore the ef-
fectiveness of our approach, specifically showcasing its ap-
plicability to a GPT2-size model.
Background
zkSNARKs
Zero-Knowledge Succinct Non-Interactive Arguments of
Knowledge (zkSNARKs) (Bitansky et al. 2017) represent
advanced cryptographic tools that allow verifying the cor-
rectness of a computation without revealing the inputs or
intermediate steps. The foundation of zkSNARKs is rooted
in a rich mathematical framework characterised by their ad-
vantageous properties, including zero-knowledge, succinct-
ness, non-interactivity, argument soundness, knowledge-
soundness, and completeness.
In the field of verifiable computing (VC), zkSNARKs of-
fer an effective solution by enabling clients to delegate com-
putationally intensive tasks to providers. After delegation,
the provider (prover) sends a concise cryptographic proof
to the client (verifier), allowing the client to verify the cor-
rectness of the computation without the need for a full re-
execution(Petkus 2019). Most notably, the size of the proof
is significantly smaller than the size of the original com-
putation. This succinct proof size is a fundamental charac-
teristic of zkSNARKs, making them suitable for situations
where executing the whole computation is not feasible, as
is the case for generative AI. Moreover, in scenarios in-
volving outsourced AI computations, zkSNARKs provide
a robust mechanism for clients to verify the correctness of
model inferences without compromising data confidentiality.
This is particularly relevant in the context of secure model
inference-as-a-service.
To describe zkSNARKs for generative AI, we can define
them formally as, given a function evaluation f (x; w) = y,
where x is a public input, w is a private input called witness
and y the output, zkSNARKs allow the prover to generate
a proof π such that the verifier that knows x, y and π can
check that the prover knows w such that f (x; w) = y (Kang
et al. 2022). For example, in the case of transformers, x can
represent an input prompt, w the model weights and y the
output of executing the model using input prompt x and
weights w.
Most zkSNARK protocols proceed in three steps (Nit-
ulescu 2020):
1. Arithmetisation: producing a system of polynomial equa-
tions over a large prime field (an arithmetic circuit)
for which finding a solution is equivalent to computing
f (x; w). Therefore, given (f, y, x, w), the circuit con-
straints are met if and only if y = f (x; w).
2. Building an information-theoretic proof system, that is,
building a proof system that guarantees soundness even
against a computationally unbounded prover. This sys-
tem usually relies on idealized components (oracles) or
is inefficient.
3. Compiling the information-theoretic proof system into an
efficient one using cryptographic tools at the cost of con-
sidering only computationally bounded adversaries.
There are two main classes of zkSNARKs: Quadratic Arith-
metic Program (QAP)-based and Polynomial Interactive Or-
acle Proof (PIOP)-based. QAP-based zkSNARKs utilize
arithmetic circuits and divisibility checks. PIOP-based zk-
SNARKs compile circuits into polynomial constraints and
employ polynomial commitment schemes. Recent years
have seen a dominance of PIOP-based SNARKs mainly due
to their increased flexibility.
This work uses one of the most popular and well-
documented PIOP-based proof systems: Halo2.
Halo2 Halo2 (hal) is an instance of a PIOP made non-
interactive via the Fiat-Shamir heuristic (Fiat and Shamir
1987). The scheme uses Plonkish arithmetisation (Gabizon,
Williamson, and Ciobotaru 2019) to represent a relation and
a satisfying witness to that relation as a low-degree polyno-
mial. Then, the constructed polynomial is fed into a polyno-
mial commitment scheme where the prover commits to the
polynomial and can evaluate it provably at arbitrary points
from the verifier. Halo2 uses the inner product argument
(Bowe, Grigg, and Hopwood 2019) as a polynomial com-
mitment scheme. However, other frameworks using Halo2
can choose to have a different commitment scheme, as is the
case of EZKL (introduced subsequently in the background
section) using KZG (Kate, Zaverucha, and Goldberg 2010).
Using Halo2, a verifier can use an accumulation scheme to
batch instances it wants to evaluate.
Plonkish arithmetisation allows polynomial constraints
with certain restricted forms of randomness and supports
custom gates and lookup arguments. Plonkish arithmetisa-
tion conceptualises the arithmetic circuit as a matrix (re-
ferred to as circuit matrix) of m columns and n rows over
a given finite field F (therefore, the cells contain elements
of F). Each column j encodes a wire and corresponds to
a Lagrange interpolation polynomial pj (X) over the pow-
ers (rows) of an nth primitive of unity ω that evaluates to
pj (ω i ) = xij . A permutation argument is used to enforce
the equality of cells.
 The matrix defines a sequence of polynomial constraints,
which are multivariate polynomials over F that must eval-
uate to zero for each row. In a polynomial constraint, the
variables can refer to a cell in a given column of the current
row or another row relative to this one.
To improve performance, Halo2 can trade memory for
CPU by pre-computing and storing lookup tables for some
part of the computation. The lookup argument enforces a re-
lation between variables, where the relation is expressed as a
table. The lookup table consists of two advice columns and
two fixed columns of the matrix, where every expression in
the set of advice columns is equal to some expression in the
set of fixed columns. Therefore, the lookup argument is a
more permissive version of the permutation argument. It en-
forces that all the input-output pairs in the witness are valid
input-output pairs in the fixed columns. Lookup tables are
often leveraged to represent more complex arithmetic rela-
tionships in the circuit matrix that would otherwise be hard
to capture only with additions and multiplications. A prime
example is non-linearities in neural networks that would oth-
erwise have to be numerically approximated.
EZKL EZKL (Camuto and Morton 2022, 2023) is a Rust
library and command-line tool that allows constructing zk-
SNARKs for the inference phase of machine-learning mod-
els. EZKL uses Halo2 with KZG in the backend, with cer-
tain modifications that make the library compatible with
larger models, compared to existing solutions implementing
zkSNARKs for machine learning models. EZKL converts
pre-trained models from ONNX to Halo2 circuit matrices.
Instead of directly implementing each of the 100+ ONNX
operations individually, EZKL builds upon the tract library
(Sonos 2020), which reduces and prunes complex ONNX
graphs to compositions of a smaller set of operations. By
leveraging the Einstein summation operation, EZKL can rep-
resent numerous linear operations such as matrix multiplica-
tion, dot product, transposition, and tensor contraction with
a single operation. This approach allows EZKL to support a
wide range of models, including those with LSTM and self-
attention layers while only having to support 20 operations
as equivalent circuit constraints. Notably, EZKL improves
the memory costs of the Halo2 circuit matrix by allocating
additional columns if all of the available rows have been
filled. By the definition of Halo2, there can be arbitrarily
many columns in the circuit matrix, but the number of rows
has to be a power of 2. This comes at the cost of increasing
the proving time.
Generative AI: from GPT down to nanoGPT
Text generation within generative AI relies on advanced
models such as Transformers, introduced in 2017 (Radford
et al. 2018), which have since become foundational for lan-
guage models. The architecture consists of 12 transformer
blocks with masked multi-head self-attention. GPT-2 and
GPT-3 are improved versions with larger datasets and more
parameters.
GPT-2 largely follows the architecture of GPT-1 and has
four trained models available for use, each having a differ-
ent number of blocks and embedding sizes. Their number of
parameters are 117M, 345M, 762M and 1.5B, respectively.
GPT-3 (Radford et al. 2019) follows the same architecture as
GPT-2, with a few hyperparameters modified to improve per-
formance. The model has configurations ranging from 175M
to 175B parameters. GPT-4 extends this line of models and
accepts multiple modalities, but its authors have yet to docu-
ment its architecture thoroughly in a peer-reviewed publica-
tion.
In this work, we focus on the GPT-2 architecture (the
same as the GPT-3 architecture), as it is the latest architec-
ture in the GPT series for which a Python implementation
has been made public at the time of writing. We propose
a zkSNARK for the transformer architecture as a proof-of-
concept, using nanoGPT: a smaller version of the GPT-2 ar-
chitecture. NanoGPT’s code aims to be shorter and easier
to interpret (Karpathy 2022, 2020), but remains compatible
with the original GPT-2 and can be used to train or finetune
medium-sized GPTs.
Related work
ZKML
Previous research has proposed zkSNARK protocols or the
inference phase of smaller neural networks. Lee et al. (Lee
et al. 2020) propose a protocol for verifiable convolutional
neural networks, using QAP-based zkSNARKs for pool-
ing and ReLU, QPP (Quadratic Polynomial Program)-based
zkSNARKs for convolutions and CP(Commit-and-Prove)-
SNARKs for interconnecting the layers. They argue that
their scheme improves the key generation/proving time by
25X compared to the state-of-the-art zkSNARK scheme
(Groth 2016) for a small example of the MNIST model
consisting of a single convolutional layer with ReLU and
a single pooling layer. Moreover, for VGG16, they argue
that their scheme improves the performance by 1800X, com-
pared with (Groth 2016).
Another approach was proposed by Weng et al. (Weng
et al. 2022), for privacy-preserving and verifiable CNNs by
using a modified version of QAP - QMP (Quadratic Matrix
Program). The authors use a QMP-based arithmetic circuit
to express convolutional relations and generate zkSNARKs
proofs based on Homomorphic Encryption (HE) and collab-
orative inference, which promises to protect both the model
and the data privacy. They argue that they obtain 17.6X
faster Setup time and 13.9X faster proving time than the
QAP-based method in their experiments.
ZEN is an optimizing compiler for verifiable neural net-
works using zkSNARKs, introduced by Feng et al. (Feng
et al. 2021). It proposes two privacy-preserving, verifi-
able inference schemes for neural networks, ZENacc and
ZENinf er , which promise to provide privacy guarantees
for both the model and the data. The authors also introduce
two optimizations for R1CS: R1CS friendly quantization,
which they argue "brings up to 73.9× savings in R1CS con-
straints for a convolution layer and up to 8.4× reduction for
fully connected kernel without any additional accuracy loss"
((Feng et al. 2021), page 2), and Stranded encoding of R1CS
Constraints, which they argue "leads to up to 2.2× improve-
ment in R1CS constraints for convolution kernel and 3.4×
improvement for fully connected kernel" ((Feng et al. 2021),
page 2).
Kang et al. (Kang et al. 2022) followed the steps of EZKL
and also constructed Halo2 proofs for verifying the infer-
ence phase of a machine learning model. They propose an
ImageNet-scale (Deng et al. 2009) zkSNARK using Halo2
and present three protocols for verifying the ML model ac-
curacy, verifying the ML model predictions and trustless re-
trieval of items matching a predicate, respectively. They ar-
gue that they can achieve up to 79% accuracy on ImageNet-
scale while simultaneously taking as few as 10s and 5,952
bytes to verify and that the zkSNARK can be scaled down
to take as few as 0.7s to verify at 59% accuracy. Comparing
their results to (Lee et al. 2020), (Weng et al. 2022), (Feng
et al. 2021) and (Liu, Xie, and Zhang 2021), they claim that
the proving time for the prior work is at least 10X higher
than their Halo2 method and up to 1,000X higher.
Fairness
Fairness has garnered significant attention within the field
of machine learning, encompassing a wide range of investi-
gations into the unintended behaviours exhibited by machine
learning models (Barocas, Hardt, and Narayanan 2017). The
literature has extensively explored various facets of fairness,
including the concepts of group fairness and performance
fairness. The former strives to mitigate model bias with re-
spect to specific protected attributes (Du et al. 2021; Gálvez
et al. 2021; Chu et al. 2021), while the latter necessitates the
uniformity of performance distributions across different re-
cipients (Zhang, Kou, and Wang 2020; Deng, Kamani, and
Mahdavi 2020; Pentyala et al. 2022). This section concen-
trates on the notion of performance fairness.
Performance fairness has garnered particular prominence
within Federated Learning, wherein client data originat-
ing from multiple sources exhibits high heterogeneity and
spans geographical diversity. Mohri et al. introduced an
initial framework for optimizing the performance of the
poorest-performing device through a minimax optimization
scheme (Mohri, Sivek, and Suresh 2019). Subsequently, the
q-FedAvg algorithm was introduced by Li et al. (Li et al.
2020), offering a more flexible optimization objective tai-
lored to achieve varying degrees of fairness. More recently,
Ditto was introduced as an approach to engender fairness by
enabling the learning of personalized models (Li et al. 2021).
As we can see, the works mentioned above primarily cen-
tre on narrowing the performance gap across heterogeneous
clients. This pursuit aligns with our approach, which is com-
plementary. Our method empowers clients to identify and
conscientiously report performance fairness disparities with-
out compromising the sensitivity and confidentiality of their
private data.
A provably fair GPT prototype: SNARKGPT
This section describes ZKML in the context of performance
fairness and how zkSNARKs can ensure that all clients
of a generative AI service are treated equally. We demon-
strate the practical viability of this solution by introducing
snarkGPT, a verifiable ZKML pipeline for the GPT-2 model,
and suggest an accompanying protocol to capture potential
fairness deviations.
A protocol fostering performance fairness
In the context of remote service hosting generative AI mod-
els, we set the challenge for a provider to instil confidence
in consumers regarding the uniform quality and execution of
the models it serves.
Starting from a simple case, we question how a premium
user (or institution) of ChatGPT can obtain the guarantee
that they use the premium version of the model at all times
and not a cheaper version sometimes. With the growing pop-
ularity of ChatGPT, it is unclear how the service deals with
the high number of requests. At the moment of writing, the
only option for paying users is to trust that OpenAI always
serves the premium model to premium users.
One option is for the model provider to share the
model weights. However, this poses problems. Sharing these
weights means leaking substantial intellectual property en-
capsulated within these models, and not all users may have
the necessary computing power to use these weights effec-
tively (Butler 2023).
We believe that a promising solution to the lack of guar-
antees in these cases is using zkSNARKs, which can prove,
beyond a reasonable doubt, the correct execution of a com-
putation. Indeed, as discussed in the related work section,
previous work has proposed zkSNARKs solutions for veri-
fying the correct execution and accuracy of other machine
learning models, such as CNNs, DNNs and ImageNet-scale.
One possible ZKML protocol is as follows:
1. The provider of a generative AI model publishes a com-
mitment (for example, a hash) to the model weights using
a Credible Commitment Device (Kalai et al. 2010) (for
instance in a public domain).
2. A client can then send some input data to the provider
and ask the provider to evaluate the model on that input
data.
3. The provider generates the output of the model evaluated
on the client’s data, as usual, and generates a zkSNARK.
The proof takes as parameters the weights of the model
(private), the client’s input data (public) and the output of
the model (public). The zkSNARK enables anyone to val-
idate the correct execution of the model with significantly
smaller costs. The proof attests that the model produces
the reported output given the parameters above and the
public commitment to the model.
4. The client can then run a verification protocol to accept
or reject the proof without access to the model weights.
To evaluate the viability of ZKML to equip generative AI
with performance fairness and quality guarantees, we intro-
duce "snarkGPT", a zkSNARK prototype for the GPT-2 ar-
chitecture in the following sections.
nanoGPT adaptations
The architecture of the nanoGPT model is illustrated in
table 1. The model takes in as input an input prompt, which
Table 1: The architecture of the nanoGPT model (Karpathy Empirical feasibility evaluation
2022).
Overview
Layer Parameters Role This part of the study aims to shed light on the feasibility
Token vocabulary Creates token embeddings of our cryptographic solution for complementing fairness in
Embedding size, for the input sequence. machine learning models, specifically focusing on nanoGPT.
embedding As the time and memory costs for the verifier are constant in
size Halo2, we evaluate the performance of our proposed method
Positional block size, Creates positional embed- based on the time and memory costs for the prover, who
Embedding embedding dings for the input sequence. has to generate the zkSNARK proof. The server hosting the
size model would bear the burden of generating the proof when
Dropout dropout Takes as input the token and the user wants to obtain quality guarantees for the service
rate positional embeddings and they’re consuming. Our experiments provide empirical ev-
zeroes rate% random ele- idence of the overhead and challenges in adopting ZKML
ments. as a de facto approach to improve performance fairness in a
List number of The model’s hidden layer- client-server setting.
[Transformer layers s/transformer blocks. Takes We first test to what extent we can scale up two of the
Blocks] as input the token and po- main components of our nanoGPT architecture when gener-
sitional embeddings after ating the proof: the number of layers and the size of the em-
dropout. beddings. We consider these parameters in our tests because
Layer Nor- embedding Applies Layer Normaliza- they are core parameters of the self-attention mechanism. To
malisation size tion to the output of the be able to focus on the parameters we select to increase, we
hidden layers, as described choose relatively small values for the rest of the parameters
in (Ba, Kiros, and Hinton for simplicity. More specifically, we set the vocabulary size
2016). to 65, the block size to 64, the number of heads to 4, the
Language embedding A linear layer with weights batch size to 1 and the dropout rate to 0. All our tests are per-
Modelling size, tied to the input embedding. formed using a fixed version of the EZKL framework (com-
Head (Lin- vocabulary mit 8f122bf 1). We perform all our experiments on a machine
ear Layer) size with the following specifications: Intel i7-9700K CPU, 3.60
GHz / 4.90 GHz, 64 GB 3600 MHz RAM and 200 GB Swap
area in NVMe SSD.
We are also interested in how the circuit size (the log num-
ber of rows pre-allocated for the Halo2 circuit matrix to rep-
can be empty, and generates text based on the input sequence. resent the model) influences the time and memory costs for
Anchoring this setting to a medical diagnosis, a patient’s the prover. Therefore, in our tests, we create multiple proofs
symptoms represent the input prompt, and the medical pre- for the same nanoGPT model configuration using EZKL,
scription represents the generated text. To achieve quality wherein we systematically vary the logarithmic dimensions
guarantees, we must adapt the nanoGPT model to make it allocated to the matrix representation of the circuit. We ex-
compatible with zkSNARKs. pect that a larger matrix will result in significantly higher
proving costs.
First, since zkSNARKs operate over finite fields, all
model values must be mapped to a value in the chosen finite Scaling Up the Model
field. In the self-attention mechanism of transformers, the el- Tables 2 and 3 present a detailed breakdown of the run-
ements in the upper-triangular portion of the self-attention time incurred during proof generation for varying embed-
matrix are set to − inf to eliminate the information that fol- ding sizes and layers, respectively. As shown in Tab. 2, the
lows in the sequence. − inf is not a valid element of a finite computational demands appear to increase nonlinearly with
field. Therefore, we set the elements in the upper-triangular the size of the embeddings. For instance, the proof gener-
portion of the self-attention matrix to the smallest value ation time increases from ∼5 minutes for an embedding
covered in the Halo2 lookup table. More specifically, let size of 64 to ∼20 minutes for an embedding size of 144.
B be the lookup table’s logarithmic size. The lookup table Similarly, an augmentation in the number of layers corre-
stores all values in the given finite field between −2B−1 + 1 sponds to an increase in the time required for proof genera-
and 2B−1 − 1. Thus, we zero out the elements in the self- tion. These combined results emphasize the complex factors
attention matrix by setting them to −2B−1 + 1. Then, we re- that must be considered when optimizing the architecture
move all optimizations that are not compatible with ONNX of generative AI models within cryptographic frameworks.
(flash attention (Dao et al. 2022)) nor EZKL (array slicing, ZKML practitioners must balance the model’s representa-
cube operation). Note that these operations are only used tional capacity with a tractable computational efficiency. In
in the nanoGPT python code to accelerate computing self-
attention on GPU. Removing them has thus no impact on 1
https://github.com/zkonduit/ezkl/commit/
the accuracy of the model. 8f122bf2eb5794b681364eb182d7cdd8a7350fe4
other words, the findings highlight the need for a nuanced ap-
proach that considers both the sophistication of the model’s
representation and the practical constraints imposed by zk-
SNARKs.
Circuit Matrix Size Impact on Proof Generation
Table 4 illustrates the impact of the (logarithmic) size of the
circuit matrix representation of the nanoGPT model on proof
generation time and memory costs. That is, the number of
rows we have to pre-allocate in memory for the circuit ma-
trix representation when using EZKL and Halo2. As illus-
trated, the runtime exhibits a non-linear progression, initially
improving from 3 minutes and 55 seconds to 3 minutes and
11 seconds as the logarithmic size increases from 14 to 18.
However, beyond this point, there is a notable rise in runtime,
with a substantial increase observed for a matrix logarithmic
size of 24 and 25. The increased runtime for larger circuit
matrices aligns with our expectations. Suppose we allocate
significantly more rows in the matrix than needed for the
number of polynomial constraints. In that case, those rows
will be filled with 0s and still be used in the process (as each
column describes a wire in the circuit), adding overhead.
Similarly, an upward trend in memory cost is apparent as
the logarithmic size of the circuit matrix increases. This is
expected, as the entire matrix representation of the circuit
is generated and stored in RAM when generating the proof.
Notably, the memory cost experiences a more significant es-
calation than the runtime, reaching 148 GB for a matrix loga-
rithmic size of 25. This finding underscores the intricate con-
siderations involved in managing memory resources when
dealing with larger circuit matrices.
Generalisation beyond GPT architectures
In this section, we present the empirical results of our inves-
tigation into the relationship between a model’s architecture,
the number of parameters and the number of constraints gen-
erated within zkSNARK proofs. The number of constraints
directly reflects the proving costs. It is thus crucial in our
context to understand how generalizable our results are to
other models beyond generative LLMs.
Experimental Setup To assess the generality of the
parameter-constraint relationship, we designed experiments
based on a model configuration previously examined in
Modulus Labs (Labs 2023). This configuration consists of
multiple Multi-Layer Perceptron (MLP) layers, each com-
prising a linear layer, the Rectified Linear Unit (RELU) acti-
vation function, and a scaling-down factor. We selected this
setup to assess if the observed parameter-constraint correla-
tion extends to transformer models like nanoGPT.
Results Our empirical findings reveal a striking contrast
in constraint generation between nanoGPT and the Modu-
lus Labs MLP model. Specifically, while the number of con-
straints (M) in the zkSNARK proof for the Modulus Labs
model roughly aligns with the number of parameters (N)
in the model, our nanoGPT model exhibits a significantly
higher M / N ratio, ranging from approximately 58X to 85X
more constraints than parameters. These observations are
summarized in Table 5.
Notably, transformers such as nanoGPT exhibit a pro-
nounced M / N ratio increase. For instance, with an embed-
ding size of 64, the M / N ratio approximates 64. In practical
terms, a one-million-parameter model generates a stagger-
ing 64 million constraints, while a 250,000-parameter model
still generates 16 million constraints. In stark contrast, a four-
layer convolutional network with 3,047 parameters gener-
ates merely 13,152 constraints, yielding an M / N ratio of
approximately 4.
Factors Impacting Constraint Generation We recog-
nize that the time and memory costs associated with zk-
SNARK proof generation depend not only on the number of
parameters but also on various architectural and methodolog-
ical factors. Specifically, the M / N ratio within a ZK-circuit
is influenced by 1) the specific gates and constraints chosen
to represent neural network layers; 2) the network architec-
ture, as we have seen from the difference between transform-
ers and other types of networks; 3) the chosen proof system
and its embedded features, such as lookup arguments that
may yield fewer constraints than those without.
Addressing the challenge of minimizing this M / N ratio
in zkSNARK proof generation remains an open area of re-
search and exploration. Our findings underscore the need for
innovative architectural designs and proof methodologies to
enhance the efficiency and practicality of our cryptographic
solution for fairness in machine learning models.
Conclusion
This work introduced a pioneering approach that leverages
Zero-Knowledge Machine Learning (ZKML) to address the
critical issues of performance fairness and reliability in gen-
erative AI models. By harnessing zkSNARKs, our proto-
col empowers users to confidently engage with AI models
through remote cloud APIs, ensuring that the model they in-
teract with aligns precisely with their expectations.
The practical viability of our proposal is demonstrated
through "snarkGPT," a verifiable ZKML pipeline for GPT2-
like models. Our empirical evaluations indicate the effective-
ness of our approach, particularly in scaling up the model
and its generalization beyond GPT architectures. We showed
how snarkGPT could be inserted in an end-to-end protocol
where the user could obtain a proof of correct execution
alongside the model’s regular output and verify it in constant
time regardless of the input size or model complexity.
This paper lays the foundation for a new era of transparent
and reliable AI, emphasizing ZKML as a vital component
in guaranteeing quality and achieving performance fairness.
By leveraging ZKML, we bridge the gap between AI model
providers and users, ensuring that AI is a truly equitable and
transparent tool for all.
 Table 2: Runtime during proof generation for nanoGPT configured with different embedding sizes.

embeddings size 64 80 96 112 128 144

Runtime for proof 5m 2s 6m 7s 8m 33s 11m 46s 16m 9s 20m 28s
generation

Table 3: Runtime during proof generation for nanoGPT configured with different layer configurations.

number of layers 4 8 12 16 20
Runtime for proof generation 5m 2s 8m 30s 12m 19s 17m 4s 29m 9s

Table 4: Time and memory costs incurred during proof generation for nanoGPT for different sizes of the circuit matrix.

log size of the circuit 14 16 18 20 22 24 25

matrix
Runtime for proof 3m 55s 3m 26s 3m 11s 3m 34s 4m 40s 9m 53s 14m 26s
generation
Memory cost for 44 GB 45 GB 46 GB 49 GB 63 GB 118 GB 148 GB
proof generation

Table 5: The results of generating a zkSNARK proof for our nanoGPT model versus the Modulus Labs model.

Number of parameters Runtime Memory cost Number of Constraints

0.2 M 5m 2s 63 GB 17 M
0.31 M 6m 7s 76 GB 24 M
nanoGPT 0.45 M 8m 33s 108 GB 34 M
0.79 M 11m 46s 132 GB 45 M
1.01 M 16m 9s 173 GB 58 M
0.2 M 0.2 M
0.31 M 0.3 M
MLP 0.45 M ∼1m 30s ∼26 GB 0.45 M
0.79 M 0.8 M
1.01 M 1M
 References
???? The halo2 Book. https://zcash.github.io/halo2/. Ac-
cessed: 2023-01-25.
Ba, J. L.; Kiros, J. R.; and Hinton, G. E. 2016. Layer nor-
malization. arXiv preprint arXiv:1607.06450.
Barocas, S.; Hardt, M.; and Narayanan, A. 2017. Fairness in
machine learning. NIPS tutorial, 1: 2.
Bitansky, N.; Canetti, R.; Chiesa, A.; Goldwasser, S.; Lin,
H.; Rubinstein, A.; and Tromer, E. 2017. The hunting of the
SNARK. Journal of Cryptology, 30(4): 989–1066.
Bowe, S.; Grigg, J.; and Hopwood, D. 2019. Recursive
Proof Composition without a Trusted Setup. Cryptology
ePrint Archive, Paper 2019/1021. https://eprint.iacr.org/
2019/1021.
Butler, A. 2023. Building Trust in AI with Zero-knowledge
proofs (ZKP).
Camuto, A. D.; and Morton, J. 2022. EZKL. https://github.
com/zkonduit/ezkl. Accessed: 2023-06-19.
Camuto, A. D.; and Morton, J. 2023. What is EZKL? https:
//docs.ezkl.xyz/. Accessed: 2023-06-19.
Chu, L.; Wang, L.; Dong, Y.; and et al. 2021. Fedfair:
Training fair models in cross-silo federated learning. arXiv
preprint arXiv:2109.05662.
Dao, T.; Fu, D. Y.; Ermon, S.; Rudra, A.; and Ré, C. 2022.
FlashAttention: Fast and Memory-Efficient Exact Attention
with IO-Awareness. arXiv:2205.14135.
Deng, J.; Dong, W.; Socher, R.; Li, L.-J.; Li, K.; and Fei-
Fei, L. 2009. Imagenet: A large-scale hierarchical image
database. In 2009 IEEE conference on computer vision and
pattern recognition. Ieee.
Deng, Y.; Kamani, M. M.; and Mahdavi, M. 2020. Distribu-
tionally robust federated averaging. In NeurIPS, volume 33,
15111–15122.
Du, W.; Xu, D.; Wu, X.; and Tong, H. 2021. Fairness-aware
agnostic federated learning. In SDM, 181–189. SIAM.
Feng, B.; Qin, L.; Zhang, Z.; Ding, Y.; and Chu, S.
2021. ZEN: An optimizing compiler for verifiable, zero-
knowledge neural network inferences. Cryptology ePrint
Archive.
Fiat, A.; and Shamir, A. 1987. How to prove yourself: Prac-
tical solutions to identification and signature problems. In
Advances in Cryptology—CRYPTO’86: Proceedings 6, 186–
194. Springer.
Gabizon, A.; Williamson, Z. J.; and Ciobotaru, O. 2019.
Plonk: Permutations over lagrange-bases for oecumenical
noninteractive arguments of knowledge. Cryptology ePrint
Archive.
Gálvez, B. R.; Granqvist, F.; van Dalen, R.; and Seigel, M.
2021. Enforcing fairness in private federated learning via
the modified method of differential multipliers. In NeurIPS
Workshop Privacy in Machine Learning.
Groth, J. 2016. On the Size of Pairing-based Non-interactive
Arguments. Cryptology ePrint Archive, Paper 2016/260.
https://eprint.iacr.org/2016/260.
Jiang, M.; Roth, H. R.; Li, W.; Yang, D.; Zhao, C.; Nath,
V.; Xu, D.; Dou, Q.; and Xu, Z. 2023. Fair Federated Medi-
cal Image Segmentation via Client Contribution Estimation.
(arXiv:2303.16520). ArXiv:2303.16520 [cs].
Kalai, A. T.; Kalai, E.; Lehrer, E.; and Samet, D. 2010. A
commitment folk theorem. Games and Economic Behavior,
69(1): 127–137.
Kang, D.; Hashimoto, T.; Stoica, I.; and Sun, Y. 2022.
Scaling up Trustless DNN Inference with Zero-Knowledge
Proofs.
Karpathy, A. 2020. Karpathy/minGPT: A minimal pytorch
re-implementation of the openai GPT (generative pretrained
transformer) training. https://github.com/karpathy/minGPT.
Accessed: 2023-06-19.
Karpathy, A. 2022. Karpathy/nanoGPT: The simplest,
fastest repository for training/finetuning medium-sized
GPTs. https://github.com/karpathy/nanoGPT. Accessed:
2023-06-19.
Kate, A.; Zaverucha, G. M.; and Goldberg, I. 2010.
Constant-size commitments to polynomials and their appli-
cations. In Advances in Cryptology-ASIACRYPT 2010: 16th
International Conference on the Theory and Application of
Cryptology and Information Security, Singapore, December
5-9, 2010. Proceedings 16, 177–194. Springer.
Labs, M. 2023. The Cost of Intel-
ligence. https://drive.google.com/file/d/
1tylpowpaqcOhKQtYolPlqvx6R2Gv4IzE/view. Accessed:
2023-06-19.
Lee, S.; Ko, H.; Kim, J.; and Oh, H. 2020. vCNN: Verifiable
convolutional neural network based on zk-SNARKs. Cryp-
tology ePrint Archive.
Li, T.; Hu, S.; Beirami, A.; and Smith, V. 2021. Ditto: Fair
and robust federated learning through personalization. In
ICML, 6357–6368.
Li, T.; Sanjabi, M.; Beirami, A.; and Smith, V. 2020. Fair
resource allocation in federated learning. In ICLR.
Liu, T.; Xie, X.; and Zhang, Y. 2021. zkCNN: Zero Knowl-
edge Proofs for Convolutional Neural Network Predictions
and Accuracy. Cryptology ePrint Archive, Paper 2021/673.
https://eprint.iacr.org/2021/673.
Mohri, M.; Sivek, G.; and Suresh, A. T. 2019. Agnostic
federated learning. In International Conference on Machine
Learning, 4615–4625. PMLR.
Nitulescu, A. 2020. zk-SNARKs: A Gentle Introduction.
Technical report, Technical report.
Nori, H.; King, N.; McKinney, S. M.; Carignan, D.; and
Horvitz, E. 2023. Capabilities of gpt-4 on medical challenge
problems. arXiv preprint arXiv:2303.13375.
OpenAI. 2023. GPT-4 Technical Report. arXiv:2303.08774.
Pentyala, S.; Neophytou, N.; Nascimento, A.; De Cock,
M.; and Farnadi, G. 2022. Privfairfl: Privacy-preserving
group fairness in federated learning. arXiv preprint
arXiv:2205.11584.
Petkus, M. 2019. Why and How zk-SNARK Works.
arXiv:1906.07221.
Radford, A.; Narasimhan, K.; Salimans, T.; Sutskever, I.;
et al. 2018. Improving language understanding by genera-
tive pre-training.
Radford, A.; Wu, J.; Child, R.; Luan, D.; Amodei, D.;
Sutskever, I.; et al. 2019. Language models are unsupervised
multitask learners. OpenAI blog, 1(8).
Sonos. 2020. Tract: Tiny, no-nonsense, self-contained, ten-
sorflow and ONNX inference. Accessed: 2023-06-19.
Weng, J.; Weng, J.; Tang, G.; Yang, A.; Li, M.; and Liu, J.
2022. pvCNN: Privacy-Preserving and Verifiable Convolu-
tional Neural Network Testing. CoRR, abs/2201.09186.
Zhang, D. Y.; Kou, Z.; and Wang, D. 2020. Fairfl: A fair
federated learning approach to reducing demographic bias in
privacy-sensitive classification models. In Big Data, 1051–
1060. IEEE.