Proof-of-Learning is Currently More Broken Than You Think
- URL: http://arxiv.org/abs/2208.03567v2
- Date: Mon, 17 Apr 2023 04:07:52 GMT
- Title: Proof-of-Learning is Currently More Broken Than You Think
- Authors: Congyu Fang, Hengrui Jia, Anvith Thudi, Mohammad Yaghini, Christopher A. Choquette-Choo, Natalie Dullerud, Varun Chandrasekaran, Nicolas Papernot
- Abstract summary: We introduce the first spoofing strategies that can be reproduced across different configurations of the Proof-of-Learning (PoL) verification.
We identify key vulnerabilities of PoL and systematically analyze the underlying assumptions needed for robust verification of a proof.
We conclude that one cannot develop a provably robust PoL verification mechanism without further understanding of optimization in deep learning.
- Score: 41.3211535926634
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Proof-of-Learning (PoL) proposes that a model owner logs training checkpoints
to establish a proof of having expended the computation necessary for training.
The authors of PoL forego cryptographic approaches and trade rigorous security
guarantees for scalability to deep learning. They empirically argued the
benefit of this approach by showing how spoofing--computing a proof for a
stolen model--is as expensive as obtaining the proof honestly by training the
model. However, recent work has provided a counter-example and thus has
invalidated this observation.
In this work we demonstrate, first, that while it is true that current PoL
verification is not robust to adversaries, recent work has largely
underestimated this lack of robustness. This is because existing spoofing
strategies are either unreproducible or target weakened instantiations of
PoL--meaning they are easily thwarted by changing hyperparameters of the
verification. Instead, we introduce the first spoofing strategies that can be
reproduced across different configurations of the PoL verification and can be
done for a fraction of the cost of previous spoofing strategies. This is
possible because we identify key vulnerabilities of PoL and systematically
analyze the underlying assumptions needed for robust verification of a proof.
On the theoretical side, we show how realizing these assumptions reduces to
open problems in learning theory. We conclude that one cannot develop a provably
robust PoL verification mechanism without further understanding of optimization
in deep learning.
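To make the verification scheme the abstract refers to concrete, the sketch below mocks the log-and-reverify pattern of PoL on a toy linear model: the prover logs a checkpoint together with the batch indices used every k steps, and the verifier replays only the Q segments with the largest weight updates, accepting the proof if each replayed segment lands within a distance threshold of the logged checkpoint. This is a minimal illustration under simplifying assumptions, not the authors' reference implementation; `create_proof`, `verify_proof`, the learning rate, Q, and the tolerance are all illustrative choices.

```python
# Minimal sketch of the PoL log-and-reverify idea on a toy linear model.
# Not the authors' reference code; all hyperparameters are illustrative.
import numpy as np

rng = np.random.default_rng(0)
X = rng.normal(size=(512, 10))                        # toy dataset
y = X @ rng.normal(size=10) + 0.1 * rng.normal(size=512)

def replay_segment(w, batch_ids, lr=0.01):
    """Replay logged SGD steps (squared loss, linear model) starting from weights w."""
    for ids in batch_ids:
        xb, yb = X[ids], y[ids]
        grad = xb.T @ (xb @ w - yb) / len(ids)
        w = w - lr * grad
    return w

def create_proof(w0, steps=200, k=10, batch_size=32):
    """Train honestly, logging a checkpoint plus the batch indices every k steps."""
    w, proof, log = w0.copy(), [(w0.copy(), None)], []
    for t in range(steps):
        ids = rng.choice(len(X), size=batch_size, replace=False)
        log.append(ids)
        w = replay_segment(w, [ids])                  # one real SGD step
        if (t + 1) % k == 0:
            proof.append((w.copy(), log))
            log = []
    return proof

def verify_proof(proof, Q=5, tol=1e-6):
    """Re-execute the Q segments with the largest updates; accept if replay matches."""
    deltas = [np.linalg.norm(proof[i + 1][0] - proof[i][0]) for i in range(len(proof) - 1)]
    for i in np.argsort(deltas)[-Q:]:
        w_replayed = replay_segment(proof[i][0], proof[i + 1][1])
        if np.linalg.norm(w_replayed - proof[i + 1][0]) > tol:
            return False
    return True

proof = create_proof(np.zeros(10))
print("honest proof accepted:", verify_proof(proof))  # deterministic replay -> True
```

An honest proof passes because replaying the logged batches is deterministic; the question this paper studies is whether an adversary who never trained the model can fabricate a log that passes the same check, and at what cost.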
Related papers
- Lean-STaR: Learning to Interleave Thinking and Proving [53.923617816215774]
We present Lean-STaR, a framework for training language models to produce informal thoughts prior to each step of a proof.
Lean-STaR achieves state-of-the-art results on the miniF2F-test benchmark within the Lean theorem proving environment.
arXiv Detail & Related papers (2024-07-14T01:43:07Z)
- Learn from Failure: Fine-Tuning LLMs with Trial-and-Error Data for Intuitionistic Propositional Logic Proving [41.23045212775232]
We demonstrate the benefit of training models that additionally learn from failed search paths.
Facing the lack of such trial-and-error data in existing open-source theorem-proving datasets, we curate a dataset on intuitionistic propositional logic theorems.
We compare our model trained on relatively short trial-and-error information (TrialMaster) with models trained only on the correct paths and discover that the former solves more unseen theorems with fewer trial searches.
arXiv Detail & Related papers (2024-04-10T23:01:45Z)
- Unlearning Backdoor Threats: Enhancing Backdoor Defense in Multimodal Contrastive Learning via Local Token Unlearning [49.242828934501986]
Multimodal contrastive learning has emerged as a powerful paradigm for building high-quality features.
However, backdoor attacks subtly embed malicious behaviors within the model during training.
We introduce an innovative token-based localized forgetting training regime.
arXiv Detail & Related papers (2024-03-24T18:33:15Z)
- Don't Explain Noise: Robust Counterfactuals for Randomized Ensembles [50.81061839052459]
We formalize the generation of robust counterfactual explanations as a probabilistic problem.
We show the link between the robustness of ensemble models and the robustness of base learners.
Our method achieves high robustness with only a small increase in the distance from counterfactual explanations to their initial observations.
arXiv Detail & Related papers (2022-05-27T17:28:54Z)
- Generating Natural Language Proofs with Verifier-Guided Search [74.9614610172561]
We present a novel stepwise method, NLProofS (Natural Language Proof Search).
NLProofS learns to generate relevant steps conditioning on the hypothesis.
It achieves state-of-the-art performance on EntailmentBank and RuleTaker.
arXiv Detail & Related papers (2022-05-25T02:22:30Z)
- "Adversarial Examples" for Proof-of-Learning [32.438181794551035]
Jia et al. proposed a new concept/mechanism named proof-of-learning (PoL).
PoL allows a prover to demonstrate ownership of a machine learning model by proving integrity of the training procedure.
We show that PoL is vulnerable to "adversarial examples"; a toy sketch of this spoofing idea appears after this list.
arXiv Detail & Related papers (2021-08-21T07:56:29Z)
- Proof-of-Learning: Definitions and Practice [15.585184189361486]
Training machine learning (ML) models typically involves expensive iterative optimization.
There is currently no mechanism for the entity which trained the model to prove that these parameters were indeed the result of this optimization procedure.
This paper introduces the concept of proof-of-learning in ML.
arXiv Detail & Related papers (2021-03-09T18:59:54Z)
- Remembering for the Right Reasons: Explanations Reduce Catastrophic Forgetting [100.75479161884935]
We propose a novel training paradigm called Remembering for the Right Reasons (RRR).
RRR stores visual model explanations for each example in the buffer and ensures the model has "the right reasons" for its predictions.
We demonstrate how RRR can be easily added to any memory or regularization-based approach and results in reduced forgetting.
arXiv Detail & Related papers (2020-10-04T10:05:27Z)
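As referenced in the "Adversarial Examples" for Proof-of-Learning entry above, the toy sketch below shows why replay-based verification alone can be spoofed. For a linear model with squared loss the per-example gradient is (x·w - y)·x, so a dishonest prover can fabricate, for every step of an arbitrary trajectory that ends at the stolen weights, a single synthetic example whose gradient is exactly the update the verifier expects. This is a simplified illustration (linear model, one synthetic example per step, no checks on data plausibility or initialization), not the construction used in either the attack paper or this work.

```python
# Toy illustration of spoofing a replay-only PoL check for a linear model.
# Simplifying assumptions: squared loss, one fabricated example per step,
# no data-plausibility or initialization checks by the verifier.
import numpy as np

rng = np.random.default_rng(1)
dim, lr, steps = 10, 0.01, 20

w_stolen = rng.normal(size=dim)        # final weights copied by the adversary
w_fake_init = rng.normal(size=dim)     # fabricated "initialization"
# Fabricate a smooth trajectory from the fake init to the stolen weights.
trajectory = [w_fake_init + (t / steps) * (w_stolen - w_fake_init)
              for t in range(steps + 1)]

# For each fabricated step, synthesize one example whose gradient equals the
# update the verifier expects: with x = d and y = x.w - 1, grad = (x.w - y) * x = d.
spoofed_batches = []
for w_i, w_next in zip(trajectory[:-1], trajectory[1:]):
    d = (w_i - w_next) / lr            # gradient needed to reach the next checkpoint
    x = d
    y = x @ w_i - 1.0
    spoofed_batches.append((x, y))

# A verifier that only replays logged steps recovers every checkpoint exactly.
for (w_i, w_next), (x, y) in zip(zip(trajectory[:-1], trajectory[1:]), spoofed_batches):
    grad = (x @ w_i - y) * x
    assert np.allclose(w_i - lr * grad, w_next)
print("spoofed log replays exactly and ends at the stolen weights:",
      np.allclose(trajectory[-1], w_stolen))
```

For deep networks the synthetic data must instead be found by optimization, and the verification hyperparameters constrain what passes; the cost and reproducibility of such spoofing across verification configurations is the central question of the paper above.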