Author: Vitalik; Translation: Golden Finance xiaozou
Over the years, many people have asked me a similar question: where do I think the most productive intersection between crypto and artificial intelligence is? It's a good question: cryptography and artificial intelligence are arguably the two most dominant deep (software) technology trends of the last decade, and there must be some connection between the two. It's easy to spot synergies on the surface: crypto decentralization can balance the centralization issues of AI; AI is opaque, and encryption brings transparency; AI needs data, and blockchains are great for storing and tracking data. But over the years, when people have asked me to dig deeper and talk about specific applications, my answer has always disappointed them: "Yeah, there's some depth, but not a lot."
The past three years have seen the rise of more powerful artificial intelligence in the form of modern LLMs (machine learning models), and of more powerful crypto, not just in the form of blockchain scaling solutions but also in the form of ZKPs, FHE, and (two-party and n-party) MPC, and I'm starting to see changes. There are indeed some promising artificial intelligence applications in the blockchain ecosystem, or applications that combine artificial intelligence with cryptography. It is important to pay attention to how artificial intelligence is applied. One specific problem is this: in cryptography, open source is the only way to ensure that something is truly secure, but in the field of artificial intelligence, making models (and even their training data) open source greatly increases their vulnerability to adversarial machine learning attacks. This article will introduce the various possible intersections between cryptography and artificial intelligence, as well as their prospects and challenges.
Four major categories of AI
Artificial intelligence is a very broad concept: you can think of "artificial intelligence" as a set of algorithms rather than specific settings, produced as if by stirring a big pot of magical computational soup and applying some kind of optimization pressure so that the soup gives you algorithms with the properties you want. This description should not be taken lightly: it is how we humans first came to be! AI algorithms do have something in common: they are extremely powerful at what they do, but at the same time, our ability to peek behind the curtain is very limited.
There are many ways to classify artificial intelligence. This article focuses on the intersection between artificial intelligence and blockchain (described as a platform for creating "games"), so I will classify artificial intelligence here as follows:
Gamer AI (easiest to survive): In mechanisms in which the AI participates, the ultimate source of incentives is the protocol's human input.
Game interface AI (huge potential, but also risks): AI helps users understand the cryptographic world around them and ensures that their actions (e.g. signing messages and transactions) are consistent with their intentions and that they are not deceived.
Game rules AI (walking on thin ice): Blockchains, DAOs and other similar mechanisms directly call AI. For example, an "AI judge".
Game-targeted AI (long-term but interesting): Designing blockchains, DAOs, and other similar mechanisms with the goal of building and maintaining an AI that can be used for other purposes, using bits of cryptography to better motivate training or to prevent the AI from leaking private data or being abused.
1. Gamer AI
Gamer AI is actually a category that has existed for nearly ten years, especially since on-chain decentralized exchanges (DEXs) began to be widely used. As long as trading is involved, there will be opportunities to make money through arbitrage, and bots have an advantage over humans in arbitrage. This use case has been around for a long time, and although the AI used was much simpler than today's AI, it ended up being a true intersection between artificial intelligence and cryptocurrencies. Lately we have often seen MEV arbitrage bots competing against each other. Whenever a blockchain application involves auctions or transactions, arbitrage bots appear.
However, AI arbitrage bots are just the first example of a larger category that I expect will soon include many other applications.
Prediction markets have long been the holy grail of cognitive technologies; I was very excited about using prediction markets as governance inputs back in 2014, and they were used extensively in the last and most recent elections. But so far, prediction markets haven't taken off much in practice, for a number of common reasons: the biggest players tend to be irrational, sensible people tend not to spend their time betting unless large amounts of money are involved, markets often have very shallow liquidity, and so on.
One response to this points to the user experience improvements being made by Polymarket or other emerging prediction markets, and hopes that they can succeed where earlier attempts failed. After all, so the story goes, people are willing to bet tens of billions of dollars on sports events, so why wouldn't they bet enough on the US election or LK99 that the big players are willing to enter the field too? But this argument must face the fact that, since no earlier attempt has achieved this scale (at least compared to the dreams of its proponents), something new seems to be needed to make prediction markets successful. So a different response points to a specific feature of the prediction market ecosystem that we can expect to see in the 2020s and could not see in the previous decade: the possibility of ubiquitous artificial intelligence.
AIs are willing to work for less than $1 an hour and possess encyclopedic knowledge, and if that's not enough, they can even be combined with real-time web search capabilities. If you create a market and offer a $50 liquidity subsidy, humans may not care enough to bid, but thousands of AIs will move quickly and make the best predictions they can. The incentive to perform well on one problem may be small, but the incentive to build an AI that makes correct predictions broadly is huge. Note that you don't even need a human to adjudicate most issues: you can use a multi-round dispute system similar to Augur or Kleros, where AIs also participate in the earlier rounds. Humans only need to step in in very rare circumstances, namely when a series of escalations has involved significant investment from both sides.
This is a powerful primitive because once prediction markets can work at such a micro-scale, you can reuse prediction markets primitives on many other types of problems:
Is this social media post allowed to be published according to the [User Terms of Use]?
What will happen to the price of stock X?
Is the account sending me messages now really Elon Musk?
Is this job of improving efficiency in the online task market qualified?
Is this dapp with the URL https://examplefinance.network a scam?
Is 0x1b54....98c3 really the address of "Casinu Inu" ERC20 token?
You may notice that many of these ideas go in the direction of what I call "information defense." Broadly speaking, the question is: how do we help users distinguish between true and false information and detect fraud without empowering a centralized authority to decide what is right and what is wrong, given that such an authority may abuse its power? At a micro level, the answer could be "artificial intelligence." But at a macro level, the question to be faced is: who will build the artificial intelligence? Artificial intelligence is a reflection of the process by which it was created and is not immune to bias. Therefore, we need a higher-level game that judges the performance of various AIs, so that AIs can participate in the game as players.
This use of artificial intelligence, where the AI participates in a mechanism and is ultimately rewarded or penalized by an on-chain mechanism that aggregates human input (how about calling it market-based decentralized RLHF?), is, I think, a direction that's really worth looking into. It's time to look more into use cases like this, as blockchain scaling finally succeeds, making anything "small" or "micro" feasible on-chain that was often not feasible before.
A related application category is that of highly autonomous agents that use blockchains to achieve better cooperation, whether through payments or through the use of smart contracts to make trusted commitments.
2. Game interface AI
An idea I once proposed in one of my articles is that there is a market opportunity for writing user-facing software that protects users' interests by interpreting and identifying dangers in the online world they are browsing. An existing example is Metamask's fraud detection function.
Another example is the simulation feature of Rabby Wallet, which shows users the expected outcome of a transaction they are about to sign.
These tools may be greatly enhanced by artificial intelligence. AI can provide a richer, human-friendly explanation of what kind of dapp you are participating in, the consequences of the complex operations you are signing, and whether a specific coin is real (for example, BITCOIN is not just a string of characters; it is the name of a real cryptocurrency that is not an ERC20 token and whose price is much higher than $0.045, and an LLM would know this), etc. Some projects are starting to develop in this direction (such as the LangChain wallet, which uses AI as the main interface). My personal view is that an AI-only interface may be too risky at the moment because it increases the risk of other types of errors, but using AI to complement a more traditional interface is extremely feasible.
There is one specific risk worth mentioning. I'll discuss this in detail in the Game rules AI section below, but the general problem is adversarial machine learning: if a user has access to an AI assistant in an open source wallet, then bad actors can also access that AI assistant, so they will have unlimited opportunities to optimize their scams so that they avoid triggering the wallet's defenses. All modern AI has bugs, and it is not difficult to find bugs in the training process, even with limited access to the model.
This is where "artificial intelligence participation in on-chain micro-markets" comes into play: every individual AI is susceptible to the same risks, but you deliberately create an open ecosystem that dozens of people continuously iterate on and improve. Furthermore, each individual AI is closed-loop: the system's security comes from the openness of the game's rules, not from the internal operations of each player.
Summary: Artificial intelligence can help users understand what is happening in simple language, it can serve as a real-time tutor, and it can protect users from the negative effects of errors, but be careful if you want to use artificial intelligence directly against malicious disinformation and scammers.
3. Game rules AI
Now we come to the application that makes many people excited, but that I think is the most dangerous and where we need to tread carefully: I call it "artificial intelligence becomes part of the rules of the game." This correlates with the mainstream political elite's excitement about "AI judges" and similar aspirations in blockchain applications. If a blockchain-based smart contract or DAO requires subjective decisions to be made (e.g. is a particular work product covered by an employment contract?), can you have an AI be part of the contract or DAO to help enforce these rules?
This is why adversarial machine learning will become an extremely difficult challenge. The basic two-sentence argument is as follows:
If the AI model that plays a key role in the mechanism is closed-loop, its inner workings cannot be verified, so it is no better than a centralized application. If an AI model is open source, an attacker can download it and simulate it locally and design heavily optimized attacks to fool the model and then replay it on a live network.
Now, some readers (or crypto natives) may already be ahead of me and thinking: Wait! We have amazing zero-knowledge proofs and other really cool cryptographic tricks. Surely we can do some cryptographic magic to hide the inner workings of the model so that an attacker cannot optimize attacks, while at the same time proving that the model is being executed correctly and was built using a reasonable training process on a reasonable underlying data set!
Generally, this is the way of thinking that I have advocated in other articles. But there are two main objections to AI-related computing:
Cryptographic overhead: Doing something inside a SNARK (or MPC...) is much less efficient than doing it transparently. Considering that AI is already very computationally intensive, is it feasible to perform AI calculations in a cryptographic black box?
Black-box adversarial machine learning attacks: There are ways to optimize attacks against AI models even without understanding the inner workings of the model. And if you hide too much, you risk making it easy for whoever selects the training data to subvert the model with a poisoning attack.
Both are complex rabbit holes, so let’s explore them in turn.
(1) Cryptographic overhead
Cryptographic tools, especially general-purpose ones like ZK-SNARKs and MPC, have high overhead. It takes hundreds of milliseconds for a client to directly verify an Ethereum block, but generating a ZK-SNARK to prove the correctness of such a block can take hours. The usual overhead of other cryptographic tools such as MPC may be even greater. AI computation is already quite expensive: the most powerful LLMs can output individual words only slightly faster than humans can read them, not to mention the millions of dollars of computational cost that often come with training these models. There is a huge difference in quality between top models and models that try to save on training cost or number of parameters. At first glance, this is a good reason to doubt the entire project of trying to strengthen security by wrapping AI in cryptography.
Fortunately, artificial intelligence is a type of computation with a very specific structure, which makes it amenable to various optimizations that "unstructured" types of computation like ZK-EVMs cannot benefit from. Let's take a look at the basic structure of an artificial intelligence model:
Usually, AI models mainly consist of a series of matrix multiplications interspersed with element-wise nonlinear operations, such as the ReLU function (y=max(x,0)). Matrix multiplication takes up the bulk of the work: multiplying two N*N matrices takes time, while the number of nonlinear operations is much smaller. This is very convenient for cryptography, since many forms of cryptography make linear operations almost "free" (matrix multiplication is a linear operation if you only encrypt the model without encrypting its inputs).
If you are a cryptographer, you may have heard of a similar phenomenon in homomorphic encryption: performing additions on encrypted ciphertexts is very simple, but performing multiplications is very difficult, and it was only in 2009 that we found a way to perform multiplications of unlimited depth.
For ZK-SNARKs, the comparable result is a 2013 protocol whose overhead for proving matrix multiplication is less than 4x. Unfortunately, the overhead of non-linear layers still ends up being significant, with the best implementations in practice showing overheads of around 200x. But there is hope that further research can significantly reduce this cost.
But for many applications, we not only want to prove that the AI output was computed correctly, we also want to hide the model. There are some simple ways to achieve this: you can split the model and have the layers redundantly stored by different sets of servers, hoping that some servers leaking some of the layers won't leak too much data. But there are also some particularly effective ways of doing this with multi-party computation.
In both cases, the moral of the story is the same: the most important part of AI computation is matrix multiplication, for which very efficient ZK-SNARKs or MPCs (or even FHE) can be created, so the total overhead of putting the AI into a cryptographic box is very low. In general, the non-linear layers are the biggest bottleneck, despite their smaller size; perhaps newer techniques like lookup arguments will help.
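To make the "linear operations are almost free" point concrete, here is an added example (not from the original article) that hides a weight matrix by additive secret sharing across several servers while the input stays public, matching the caveat above. The modulus, function names and sample values are assumptions chosen for the illustration; each server multiplies its share locally with no interaction, whereas applying ReLU to the individual shares gives a wrong result.

```python
import secrets

P = 2**61 - 1  # prime modulus for share arithmetic (assumed for this example)

def share_matrix(W, n_servers=2):
    """Split integer matrix W into n additive shares mod P; any n-1 look random."""
    rand = [[[secrets.randbelow(P) for _ in row] for row in W]
            for _ in range(n_servers - 1)]
    last = [[(w - sum(r[i][j] for r in rand)) % P for j, w in enumerate(row)]
            for i, row in enumerate(W)]
    return rand + [last]

def matvec(M, x):
    """What one server does: multiply its share by the public input, mod P."""
    return [sum(m * xi for m, xi in zip(row, x)) % P for row in M]

def reconstruct(parts):
    """Add the servers' output shares element-wise."""
    return [sum(col) % P for col in zip(*parts)]

def to_signed(v):
    """Map a residue mod P back to a signed integer."""
    return v - P if v > P // 2 else v

def relu_after_reconstruct(parts):
    """Correct: recombine first, then apply y = max(x, 0)."""
    return [max(to_signed(v), 0) for v in reconstruct(parts)]

def naive_relu_per_share(parts):
    """Incorrect: ReLU is not linear, so it cannot be applied share by share."""
    clipped = [[max(to_signed(v), 0) for v in p] for p in parts]
    return [to_signed(v) for v in reconstruct(clipped)]

# Constructed sample model layer and input.
W = [[2, -1, 0], [-3, 1, 1]]
X = [5, 7, -2]

if __name__ == "__main__":
    shares = share_matrix(W, n_servers=3)
    outputs = [matvec(s, X) for s in shares]       # purely local work per server
    print("W.x        :", [to_signed(v) for v in reconstruct(outputs)])
    print("ReLU(W.x)  :", relu_after_reconstruct(outputs))
    print("naive ReLU :", naive_relu_per_share(outputs))  # garbage
```

The nonlinear layer is the step that needs an interactive protocol or a proof gadget, which is where the overhead discussed above concentrates.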
(2) Black-box adversarial machine learning
Now, let us discuss the other major issue: if the contents of the model are private and you only have "API access" to the model, what types of attacks can you perform? Let me quote an article from 2016:
Many machine learning models are susceptible to adversarial examples: specially designed inputs that cause the machine learning model to produce incorrect outputs. Adversarial examples that can affect one model will often affect the other model, even if the two models are architected differently or trained on different training sets, as long as both models are trained to perform the same task. Therefore, an attacker might train his own surrogate model, hone adversarial examples against the surrogate model, and then use them in a victim model with little knowledge of the victim model.
Potentially, you can even create attacks knowing only the training data, even if you have very limited or no access to the model you are trying to attack. As of 2023, these types of attacks are still a big problem.
In order to effectively reduce this type of black box attack, we need to do two things:
Really limit who can query the model and how much can be queried. A black box with unrestricted API access is not secure; a black box with very limited API access may be secure.
Hide training data while ensuring that the process used to create the training data is not corrupted.
The project that did the most on the first thing is probably Worldcoin. Worldcoin uses artificial intelligence models extensively at the protocol level to convert iris scans into short “iris codes” that are easy to compare for similarity, as well as verify that the object it scans is actually a person. The main defense Worldcoin relies on is that it does not allow anyone to easily call the AI model, but instead uses trusted hardware to ensure that the model only accepts input that is digitally signed by the orb camera.
This approach doesn't necessarily work: it turns out you can run adversarial attacks on biometric AI, in the form of physical patches or jewelry you can wear on your face.
But the hope is that if you combine all the defenses together, hiding the AI model itself, greatly limiting the query volume, and requiring each query to be authenticated in some way, you can make attacks difficult enough that the system can be secure.
This brings us to the next thing: how do we hide the training data? This may be where "democratic governance AI DAOs" come in: we can create an on-chain DAO whose governance determines who is allowed to submit training data (and what data-related proof is required), who is allowed to query and how much, and that uses cryptographic techniques like MPC to encrypt the entire AI creation and running pipeline (from each user's training input to the final output of each query). The DAO can also compensate those who submit data.
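The two query-side defenses named above, authenticating every query and limiting query volume, can be sketched as a gate placed in front of the model. This is an added example, not Worldcoin's or the article's code: the class and function names are hypothetical, and HMAC-SHA256 with a per-device key stands in for the digital signature that trusted capture hardware would produce.

```python
import hashlib
import hmac

def tag_query(key, device_id, counter, payload):
    """Device side: authenticate (device, counter, payload). HMAC is an assumed stand-in."""
    dev = device_id.encode()
    msg = (len(dev).to_bytes(2, "big") + dev +
           counter.to_bytes(8, "big") + hashlib.sha256(payload).digest())
    return hmac.new(key, msg, hashlib.sha256).digest()

class QueryGate:
    """Admits a query only if it is authentic, fresh, and within the device's budget."""

    def __init__(self, device_keys, budget_per_device):
        self._keys = dict(device_keys)
        self._remaining = {d: budget_per_device for d in self._keys}
        self._last_counter = {d: -1 for d in self._keys}

    def admit(self, device_id, counter, payload, tag):
        key = self._keys.get(device_id)
        if key is None:
            return "reject:unknown-device"
        if not 0 <= counter < 2**64:
            return "reject:bad-counter"
        # Check authenticity first so unauthenticated traffic cannot probe state.
        expected = tag_query(key, device_id, counter, payload)
        if not hmac.compare_digest(expected, tag):
            return "reject:bad-tag"
        # A strictly increasing counter blocks replay of a captured query.
        if counter <= self._last_counter[device_id]:
            return "reject:replay"
        # A hard per-device budget bounds how much anyone can learn by querying.
        if self._remaining[device_id] <= 0:
            return "reject:budget"
        self._last_counter[device_id] = counter
        self._remaining[device_id] -= 1
        return "accept"

if __name__ == "__main__":
    key = b"k" * 32                       # constructed sample key
    gate = QueryGate({"orb-1": key}, budget_per_device=2)
    scan = b"constructed sample capture"  # constructed sample payload
    t0 = tag_query(key, "orb-1", 0, scan)
    print(gate.admit("orb-1", 0, scan, t0))              # accept
    print(gate.admit("orb-1", 0, scan, t0))              # reject:replay
    print(gate.admit("orb-1", 1, b"edited input", t0))   # reject:bad-tag
```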
It needs to be reiterated that this plan is ambitious and in many ways probably unrealistic:
The cryptographic overhead may still be too high for this kind of all-black-box architecture to compete with traditional closed "trust me" approaches.
The result may be that there is no good way to decentralize the training data submission process and prevent poisoning attacks.
The security or privacy guarantees of multi-party computing tools may be compromised due to collusion among participants: after all, this has been the case time and time again with cryptocurrency cross-chain bridges.
The reason I didn't start this section with a bigger red warning label telling you "Don't be an AI judge, it's dystopian" is that our society already relies heavily on unaccountable centralized AI judges: for example, the algorithms that decide which posts and political opinions on social media surface or are drowned out (or even censored). I do think it's a very bad idea to expand this trend further at this stage, but I don't think more experimentation with AI by the blockchain community will make the situation worse.
The fact is that there are some very low-risk fundamental ways for cryptography to make these existing centralized systems better, and I'm very confident in that. There is a simple technique to verify AI by delaying publishing: when a social media site ranks posts based on AI, it can publish a ZK-SNARK that proves the hash of the model that generated that ranking. The site may promise to unveil its AI model in a year. Once a model is published, users can check hashes to verify that the correct model was published, and the community can run tests on the model to verify its fairness. The release delay will ensure that by the time the model is made public, it is already out of date.
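The audit that becomes possible once the model is released can be sketched as follows. This is an added example, not code from the article or from any site: the toy linear scoring model, the record format and all names are assumptions, and the ZK-SNARK that would bind each ranking to the model hash at publication time is not implemented, so the auditor simply recomputes the rankings from archived inputs.

```python
import hashlib
import json

def model_hash(model):
    """Hash a canonical serialization so everyone derives the same commitment."""
    blob = json.dumps(model, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def rank(model, posts):
    """Toy ranking model (assumed): weighted feature sum, ties broken by post id."""
    w = model["weights"]
    def score(post):
        return sum(w.get(f, 0) * v for f, v in post["features"].items())
    return [p["id"] for p in sorted(posts, key=lambda p: (-score(p), p["id"]))]

def audit(released_model, records):
    """Check each archived record against the model released after the delay."""
    h = model_hash(released_model)
    findings = []
    for r in records:
        if r["model_hash"] != h:
            findings.append((r["day"], "hash-mismatch"))
        elif rank(released_model, r["posts"]) != r["ranking"]:
            findings.append((r["day"], "ranking-mismatch"))
    return findings

# Constructed sample data: the model released after the delay, and archived records.
MODEL = {"weights": {"likes": 1, "reports": -5}}
POSTS = [
    {"id": "a", "features": {"likes": 10, "reports": 0}},
    {"id": "b", "features": {"likes": 30, "reports": 5}},
    {"id": "c", "features": {"likes": 8, "reports": 0}},
]
OTHER = {"weights": {"likes": 1, "reports": 0}}
RECORDS = [
    {"day": "day1", "model_hash": model_hash(MODEL), "posts": POSTS,
     "ranking": ["a", "c", "b"]},
    {"day": "day2", "model_hash": model_hash(MODEL), "posts": POSTS,
     "ranking": ["b", "a", "c"]},   # committed hash is right, ranking is not
    {"day": "day3", "model_hash": model_hash(OTHER), "posts": POSTS,
     "ranking": rank(OTHER, POSTS)},  # produced by a model that was never released
]

if __name__ == "__main__":
    for day, problem in audit(MODEL, RECORDS):
        print(day, problem)
```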
So the question is not whether we can do better compared to the centralized world, but how much better. However, in the decentralized world it is important to be cautious: if someone built a prediction market or stablecoin that used an AI oracle, and it turned out that the oracle was hackable, a huge amount of money could disappear in an instant.
4. Game-targeted AI
If the above techniques are used to create a scalable, decentralized, private AI whose contents are a black box unknown to anyone and which can run in real applications, then this could also be used to create AI with utility beyond blockchains. The NEAR Protocol team is making this a core goal of their ongoing work.
There are two reasons for doing this:
Many applications in which users worry that the system is biased or is deceiving them could benefit from "trustworthy black box AI" created by running the training and inference processes using blockchain and MPC. Many have expressed a desire for democratic governance of the systemically important AI that we will rely on; cryptography and blockchain-based technologies may be the way to achieve this.
From an AI security perspective, this would be a technique for creating decentralized AI that also has a natural kill switch and that could limit queries that try to use the AI for malicious behavior.
It's also worth noting that "using cryptographic incentives to incentivize the creation of better AI" can be done without going all the way to fully encrypting everything with cryptography: approaches like BitTensor fall into this category.
Conclusion
Both blockchain and artificial intelligence are becoming increasingly powerful, and more and more use cases are emerging at the intersection of the two fields. However, some of these use cases are more meaningful and powerful than others. Typically, use cases tend to be the most promising and easiest to get right when the underlying mechanisms continue to be designed roughly as before, but the individual players become AIs, allowing the mechanisms to operate effectively on a more microscopic scale.
Applications that try to use blockchain and cryptography to create a "single instance", that is, a single decentralized trusted AI that some application will rely on to achieve a certain goal, will face the greatest challenges. These applications are promising in terms of functionality and improved AI security, avoiding the centralization risks associated with more mainstream practices. But there are many ways in which the underlying assumptions can fail; therefore, caution is required, especially when deploying these applications in high-value and high-risk environments.
I look forward to seeing more attempts at constructive use cases for AI across all of these intersections, so we can know which use cases are actually feasible.