In S&P '21, Jia et al. proposed a new concept/mechanism named proof-of-learning (PoL), which allows a prover to demonstrate ownership of a machine learning model by proving the integrity of the training procedure. It guarantees that an adversary cannot construct a valid proof at less cost (in both computation and storage) than the prover incurred in generating the proof. A PoL proof includes a set of intermediate models recorded during training, together with the corresponding data points used to obtain each recorded model. Jia et al. claimed that an adversary who merely knows the final model and the training dataset cannot efficiently find a set of intermediate models with correct data points. In this paper, however, we show that PoL is vulnerable to "adversarial examples"! Specifically, in much the same way as one optimizes an adversarial example, we can make an arbitrarily chosen data point "generate" a given model, and hence efficiently generate intermediate models with correct data points. We demonstrate, both theoretically and empirically, that we are able to generate a valid proof at significantly less cost than the prover incurs in generating a proof, thereby successfully breaking PoL.
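To make the proof structure described above concrete, here is an added toy example (not code from the paper or from Jia et al.) of a prover recording intermediate models with their data points and a verifier re-executing each step. It assumes a 1-D linear model trained with SGD, records and rechecks every step, and uses hypothetical names (`sgd_step`, `make_proof`, `verify_proof`, `DELTA`); the check is local to each step, which is the property the abstract's attack targets.

```python
# Added illustration: toy proof-of-learning for 1-D linear regression with SGD.
# All names and constants here are assumptions made for this sketch.
import random

LR = 0.05      # learning rate known to both prover and verifier
DELTA = 1e-9   # assumed tolerance on the reproduction error

def sgd_step(w, point, lr=LR):
    """One SGD update of w=(a, b) on the squared error for point (x, y)."""
    a, b = w
    x, y = point
    err = a * x + b - y
    return (a - lr * 2 * err * x, b - lr * 2 * err)

def make_proof(dataset, steps, seed=0):
    """Prover: train, recording each intermediate model and the data index used."""
    rng = random.Random(seed)
    w = (0.0, 0.0)
    checkpoints, indices = [w], []
    for _ in range(steps):
        i = rng.randrange(len(dataset))
        w = sgd_step(w, dataset[i])
        checkpoints.append(w)
        indices.append(i)
    return {"checkpoints": checkpoints, "indices": indices}

def verify_proof(proof, dataset, final_model, delta=DELTA):
    """Verifier: re-execute every recorded step and compare with the next model."""
    cps, idx = proof["checkpoints"], proof["indices"]
    if len(cps) != len(idx) + 1 or cps[-1] != final_model:
        return False  # malformed proof, or it does not end at the claimed model
    for t, i in enumerate(idx):
        if not 0 <= i < len(dataset):
            return False  # data point is not part of the training set
        a, b = sgd_step(cps[t], dataset[i])
        dist = ((a - cps[t + 1][0]) ** 2 + (b - cps[t + 1][1]) ** 2) ** 0.5
        if dist > delta:
            return False  # recorded model is not reproduced by this data point
    return True

# Constructed sample data: points on the line y = 3x + 1.
DATASET = [(x / 10, 3 * x / 10 + 1) for x in range(-10, 11)]
```
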