Written by: Vitalik Buterin
Compiled by: Karen, Foresight News
Special thanks to the Worldcoin and Modulus Labs teams, Xinyuan Sun, Martin Koeppelmann, and Illia Polosukhin for their feedback and discussions.
Over the years, many people have asked me the question: “Where are the most fruitful intersections between cryptocurrencies and AI?” It’s a legitimate question: Cryptocurrency and AI have been two of the major depths of the past decade. (Software) technology trends, there must be some connection between the two.
On the surface, it’s easy to find synergies between the two: cryptocurrency decentralization canBalancing AI Centralization, AI is opaque, and cryptocurrency can bring transparency; AI requires data, and blockchain is good at storing and tracking data. But over the years, when people have asked me to delve into specific applications, my answer has been disappointing: Yes, there are some applications worth discussing, but not many.
In the past three years, with the rise of more powerful AI technologies such as modern LLM (Large Language Model), and not just blockchain scaling solutions, but also zero-knowledge proofs, fully homomorphic encryption, (two-party Im starting to see this change with the rise of stronger cryptographic technologies like multi-party) secure multi-party computation. There are indeed some promising applications of AI within the blockchain ecosystem, or by combining AI with cryptography, although care needs to be taken when applying AI. A particular challenge is this: in cryptography, open source is the only way to make something truly secure, but in AI, making a model (and even its training data) open greatly increases its vulnerability to adversarial machine learning attacks. This article will classify the different ways in which Crypto+AI may intersect, and explore the prospects and challenges of each classification.
From uETH BlogarticleA summary of the Crypto+AI intersection. But how can these synergies be truly realized in specific applications?
Crypto+AI four major intersections
AI is a very broad concept: you can think of AI as a set of algorithms that you create not by explicitly specifying it, but by stirring up a big computational soup and applying some kind of optimization pressure to drive the soup. An algorithm with the properties you want.
This description should never be taken lightly as it includes the process that created us humans! But this also means that AI algorithms share some common characteristics: they are very powerful, but at the same time we have certain limitations in knowing or understanding their inner workings.
There are many ways to classify artificial intelligence, and the interaction between artificial intelligence and blockchain discussed in this article (Virgil Griffith Ethereum is literally a game-changing technologyarticle), I would classify them as follows:
AI as a participant in the game (highest feasibility): In the mechanism of AI participation, the ultimate source of incentives comes from the agreement of human input.
AI as a gaming interface (high potential, but risks): AI helps users understand the cryptographic world around them and ensure that their actions (such as signed messages and transactions) match their intentions to avoid being tricked or deceived.
AI as the rules of the game (requires great caution): Blockchain, DAO and similar mechanisms directly call AI. For example, AI Judge.
AI as a Game Goal (Long-Term and Interesting): The goal in designing blockchains, DAOs, and similar mechanisms is to build and maintain an AI that can be used for other purposes, and the part using cryptography is either to better incentivize training or To prevent AI from leaking private data or being abused.
Let’s review them one by one.
AI as a game player
In fact, this category has been around for almost a decade, at least since on-chain decentralized exchanges (DEX) began to become widely used. Whenever an exchange exists, there is an opportunity to make money through arbitrage, and bots can do it better than humans.
This use case has been around for a long time, even using much simpler AI than it is today, but ultimately it is a true intersection of AI and cryptocurrency. Recently, we have often seen MEV (Maximize Extractable Value) arbitrage bots exploiting each other. Any time a blockchain application involves auctions or transactions there will be arbitrage bots.
However, AI arbitrage bots are just the first example of a larger category that I expect will soon cover many other applications. lets seeAIOmen, a demonstration of AI as a participant in a prediction market:
Prediction markets have long been the holy grail of cognitive technologies. I was excited about using prediction markets as an input to governance (future governance) back in 2014, and have tried it extensively in recent elections. But so far, prediction markets haven’t made much headway in practice for a number of reasons: the biggest players tend to be irrational, and people with the right knowledge are unwilling to spend time and place bets unless there are a lot of people involved with money, The market is often not active enough, etc.
One response to this is to point to the user experience improvements being made by Polymarket or other new prediction markets and hope that they can continue to improve and succeed where previous iterations failed. People are willing to bet tens of billions of dollars on sports, so why dont people put enough money betting on the US election or LK 99 for serious players to start getting involved? But this argument must face the fact that previous versions failed to achieve this scale (at least compared to the dreams of its proponents), so it seems that some new elements are needed to make prediction markets successful. Therefore, another response is to point out a specific feature of the prediction market ecosystem that we can expect to see in the 2020s that we did not see in the 2010s: the possibility of widespread participation of AI.
AI is willing or able to work for less than $1 an hour and has encyclopedic knowledge. If thats not enough, they can even be integrated with real-time web search functionality. If you create a market and provide a $50 liquidity subsidy, humans wont care about the bids, but thousands of AIs will easily swarm in and make the best guess they can.
The incentives to do a good job on any one problem may be small, but the incentives to build an AI that can make good predictions may be millions. Note that you dont even need humans to adjudicate most issues: you can use a multi-round dispute system similar to Augur or Kleros, where the AI will also participate in the early rounds. Humans only have to react in the rare cases where a series of escalations occur and both sides have significant investment.
This is a powerful primitive because once you can make a prediction market work at such a microscale, you can reuse the prediction market primitive for many other types of problems, such as:
Is this social media post acceptable under [Terms of Use]?
What will happen to the price of stock X (see, for example, Numerai)
Is this account currently messaging me really Elon Musk?
Is this job submission acceptable on the online job marketplace?
Is the DApp on https://examplefinance.network a scam?
Is 0x 1 b 54....98 c 3 the Casinu In ERC 20 token address?
You might notice that a lot of these ideas go toward what I mentioned earlier:information defense” (info defense) direction. Broadly speaking, the question is: How do we help users distinguish between true and false information and identify fraud, without giving a centralized authority the power to decide what is right and wrong and avoid abusing that power? At a micro level, the answer could be “AI.”
But at a macro level, the question is: Who builds AI? AI is a reflection of the process by which it was created and therefore inevitably contains biases. A higher-level game is needed to judge the performance of different AIs, allowing the AI to participate in the game as a player.
This way of using AI, where the AI participates in a mechanism that ultimately gets rewarded or punished (in a probabilistic way) from humans through an on-chain mechanism, I think is well worth studying. Now is the right time to delve deeper into use cases like this, as blockchain scalability is finally taking off, making anything “micro” that was often not possible on-chain now potentially possible.
A related class of applications is moving toward highly autonomous agents, usingBlockchain for better collaboration, whether through payments or through the use of smart contracts to make trusted commitments.
AI as a gaming interface
I am hereMy techno-optimism” is the idea that there is a market opportunity for writing user-facing software that can protect users by interpreting and identifying dangers in the online world they are browsing. MetaMask’s fraud detection feature is one example that already exists.
Another example is the simulation feature of Rabby Wallet, which shows users the expected outcome of a transaction they are about to sign.
These tools have the potential to be enhanced by AI. AI can give richer, more human-readable explanations of what the DApp you are participating in is like, the consequences of the more complex operations you are signing, and whether a specific token is real (for example, BITCOIN is not just a string of characters, It is the name of a real cryptocurrency, it is not an ERC 20 token, its price is much higher than $0.045) etc. There are some projects that are beginning to develop in this direction (for example, the LangChain wallet that uses AI as the main interface). My personal view is that pure AI interfaces are probably too risky at the moment because it increases the risk of other types of errors, but AI combined with more traditional interfaces is becoming very feasible.
There is one specific risk worth mentioning. I’ll cover this in more detail below in the section on AI as a Rule of the Game, but the overall problem is with adversarial machine learning: if a user has an AI assistant inside an open source wallet, then the bad guys will have access to that AI assistant, too, They will therefore have unlimited opportunities to optimize their fraud to circumvent that wallet’s defenses. All modern AI has certain vulnerabilities, and these vulnerabilities are easy to find even during the training process with limited access to the model.
There is one particular risk worth mentioning. Ill discuss this in detail in the AI as a rule of the game section below, but the general problem is with adversarial machine learning: if users have access to an AI assistant inside an open source wallet, then bad actors will also have access to that AI assistant, so They will have unlimited opportunities to optimize their scams so as not to trigger that wallet’s defenses. All modern AI has bugs somewhere, and its not too difficult for a training process, even one with limited access to the model, to find them.
This is where “AI participating in on-chain micro-markets” works better: every individual AI faces the same risks, but you intentionally create an open ecosystem with dozens of people constantly iterating and improving.
Furthermore, each individual AI is closed: the systems security comes from the openness of the rules of the game, not the inner workings of each participant.
Summary: AI can help users understand what is going on in simple terms and can act as a real-time tutor to protect users from mistakes, but be careful when encountering malicious misleads and scammers.
AI as the rules of the game
Now, lets talk about an application that a lot of people are excited about, but which I think is the riskiest, and where we need to move with extreme caution: what I call AI is part of the rules of the game. This is related to the mainstream political elite’s excitement about “AI judges” (as can be seen, for example, on the World Government Summit websiterelated articles), and similar situations of these desires exist in blockchain applications. If a blockchain-based smart contract or DAO needs to make subjective decisions, can you have AI simply become part of the contract or DAO to help enforce those rules?
This isadversarial machine learningIt will be a very difficult challenge. Here is a simple argument:
If an AI model that plays a key role in the mechanism is closed, you cannot verify its inner workings, so it is no better than a centralized application.
If an AI model is open, an attacker can download and simulate it locally and design a highly optimized attack to fool the model, which they can then replay on a live network.
Adversarial machine learning example. Source: researchgate.net
Now, readers who are regular readers of this blog (or are crypto natives) may have caught on to what I mean and started thinking. But please wait.
We have advanced zero-knowledge proofs and other really cool forms of cryptography. We could definitely do some cryptographic magic to hide the inner workings of the model so that an attacker cant optimize the attack while alsoproveThe model is performing correctly and was built on a reasonable underlying dataset through a reasonable training process.
More often than not, this is the kind of thinking I promote in this blog and other articles. But when it comes to AI computing, there are two main objections:
Cryptographic overhead: Performing a task in SNARK (or MPC, etc.) is much less efficient than performing it in plaintext. Given that AI itself already has high computational demands, is it computationally feasible to perform AI calculations in a cryptographic black box?
Black box adversarial machine learning attacks: There are ways to optimize AI models for attacks even without understanding the inner workings of the model. If you hide it too tightly, you might make it easier for the person selecting the training data to get throughpoison attackto compromise the integrity of the model.
Both of these are complex rabbit holes that need to be explored in depth one by one.
encryption overhead
Cryptographic tools, especially general-purpose tools such as ZK-SNARK and MPC, have high overhead. It takes hundreds of milliseconds for a client to directly verify an Ethereum block, but generating a ZK-SNARK to prove the correctness of such a block can take hours. Other encryption tools, such as MPC, may have greater overhead.
AI computing itself is already prohibitively expensive: the most powerful language models can output words only slightly faster than humans can read, not to mention the millions of dollars in computational costs that typically go into training these models. There is a large difference in quality between top models and models that try to be more economical in training cost or number of parameters. At first glance, this is a good reason to be skeptical of the entire project of wrapping AI in cryptography to add assurance.
Fortunately, AI is a very special type of computing, which allows it to perform various optimizations that more unstructured computing types such as ZK-EVM cannot benefit from. Let’s take a look at the basic structure of an AI model:
Typically, AI models mainly consist of a series of matrix multiplications interspersed with nonlinear operations on each element, such as the ReLU function ( y = max(x, 0) ). Asymptotically, matrix multiplication takes up most of the work. This is really convenient for cryptography, since many forms of cryptography can perform linear operations (at least matrix multiplications on the encryption model rather than on the input) almost for free.
If youre a cryptographer, youve probably heard ofHomomorphic encryptionA similar phenomenon in: It is very easy to perform addition on encrypted ciphertext, but very difficult to perform multiplication, and it was not until 2009 that we found an infinitely deep method to do the multiplication operation.
For ZK-SNARK, something like2013 Agreement, this protocol is less than 4 times more expensive in proving matrix multiplication. Unfortunately, the overhead of non-linear layers is still significant, with the best implementations in practice showing ~200x overhead.
However, with further research, there is hope that this overhead can be significantly reduced. You can refer to Ryan Cao’sDemo, which introduces a state-of-the-art approach based on GKR, as well as my own simplified explanation of the main components of GKR.
But for many applications, we not only want to prove that the AI output is calculated correctly, but also hide the model. There are some easy ways to do this: you can split the model so that a different set of servers store each layer redundantly, and hope that some servers leaking certain layers dont leak too much data. But there are some surprisingSpecialized multi-party computation。
In both cases, the moral of the story is the same: a major part of AI computation is matrix multiplication, and very efficient ZK-SNARKs, MPCs (even FHE) can be designed for matrix multiplication, thus putting AI into cryptography The total overhead in the framework is surprisingly low. Typically, nonlinear layers are the largest bottleneck, despite their smaller size. maybe likeFind parametersNew technologies like lookups can help.
Black box adversarial machine learning
Now, lets discuss another important issue: even if the contents of the model remain private and you only have API access to the model, the types of attacks you can still perform. Quote from a 2016 articlepaper:
Many machine learning models are susceptible to adversarial examples: specially designed inputs that cause a machine learning model to produce incorrect outputs. An adversarial example that affects one model will often affect the other model, even if the two models have different architectures or were trained on different training sets, as long as both models are trained to perform the same task. Therefore, the attacker can train his own surrogate model, make adversarial examples against the surrogate model, and transfer them to the victim model with little information about the victim.
Potentially, you could even create an attack just from the training data, even if you have very limited or no access to the model you want to attack. As of 2023, these types of attacks remain a significant problem.
In order to effectively contain such black box attacks, we need to do two things:
Really limit who or what can query the model and the number of queries. A black box with unrestricted API access is not secure; a black box with very restricted API access may be secure.
While hiding training data, ensuring that the training data creation process is not corrupted is an important goal.
In terms of the former, the project that has probably done the most in this regard is Worldcoin, an early version of which I analyzed in detail here (as well as other protocols). Worldcoin uses AI models extensively at the protocol level to (i) convert iris scans into short iris codes that are easy to compare for similarity, and (ii) verify that the objects it scans are in fact humans.
The main defense Worldcoin relies on is that it does not allow anyone to simply call the AI model: instead, it uses trusted hardware to ensure that the model only accepts input digitally signed by the orb camera.
This approach is not guaranteed to work: It turns out that you can conduct adversarial attacks on biometric AI through things like physical patches or jewelry worn on your face.
Wearing something extra on your forehead can evade detection or even impersonate someone else. Source: https://arxiv.org/pdf/2109.09320.pdf
But our hope is that if you combine all the defenses, including hiding the AI model itself, severely limiting the number of queries, and requiring each query to be authenticated in some way, then adversarial attacks will become very difficult, so that Make the system more secure.
This leads to the second question: how do we hide the training data? This is where “democratically managed AI by a DAO” might actually make sense: we could create an on-chain DAO that manages who is allowed to submit training data (and the required representations of the data itself), who can make queries, and who can query them number, and uses cryptography techniques such as MPC to encrypt the entire AI creation and running process from the training input of each individual user to the final output of each query. This DAO can simultaneously satisfy the popular goal of compensating people who submit data.
It needs to be reiterated that this plan is very ambitious and there are many aspects that would prove it to be unrealistic:
For such a completely black-box architecture, the encryption overhead may still be too high to compete with traditional closed trust me approaches.
The truth may be that there is no good way to decentralize the training data submission process and prevent poisoning attacks.
Multi-party computing devices may have their security or privacy guarantees compromised due to collusion among participants: after all, this has happened time and time again on cross-chain bridges.
One of the reasons I didn’t start this section with the warning “don’t be an AI judge, that’s dystopia” is that our society already relies heavily on centralized AI judges who are unaccountable: algorithms that decide what types of posts and political opinions Being promoted and demoted on social media and even censored.
I do think that expanding this trend further at this stage is a pretty bad idea, but I don’t think that more experimentation with AI by the blockchain community will be the main reason for making the situation worse.
There are actually some very basic and low-risk ways that crypto can improve even existing centralized systems, and Im pretty confident about that. One such simple technique is delayed-release verification AI: when a social media site uses AI-based ranking of posts, it can publish a ZK-SNARK that proves the hash of the model that generated that ranking. The website could promise to make its AI model public after a certain delay, such as a year.
Once a model is made public, users can check hashes to verify that the correct model was published, and the community can test the model to verify its fairness. Release delays will ensure that by the time the model is released, it is already out of date.
So the question is not whether we can do better compared to the centralized world, but how good we can do it. However, for a decentralized world, caution is needed: if someone built a prediction market or stablecoin that used an AI oracle, and then someone discovered that the oracle was hackable, there would be a large amount of money that could be lost. Disappeared instantly.
AI as a game target
If the above techniques for creating scalable decentralized private AI, whose contents are black boxes unknown to anyone, can actually work, this could also be used to create systems with utility beyond blockchain. AI. The NEAR Protocol team is using this as a basis for their ongoing workCore target。
There are two reasons for doing this:
If trusted black box AI could be created by using some combination of blockchain and multi-party computation to run the training and inference processes, then many applications whose users worry about bias or deception in the system could benefit. Many people have expressed concerns about the AI we rely ondemocratic governancedesire; cryptography and blockchain-based technologies may be the way to achieve this goal.
From an AI security perspective, this would be a technology that creates decentralized AI that also has a natural emergency stop switch and can limit queries that attempt to use the AI for malicious behavior.
It’s worth noting that “using cryptographic incentives to encourage making better AI” can be achieved without completely falling down the rabbit hole of using cryptography to fully encrypt: something likeBitTensor Such methods fall into this category.
in conclusion
As blockchain and AI continue to develop, application cases at the intersection of the two are also increasing, and some of these use cases are more meaningful and robust.
Generally speaking, those underlying mechanisms basically remain the same design, but individual participants become AI application cases. The mechanisms that operate effectively at a more micro level are the most immediately promising and easiest to implement.
The most challenging are those applications that attempt to use blockchain and cryptography to create “singletons”: single decentralized trusted AI that certain applications rely on for some purpose.
These applications have the potential to both function and improve AI security while avoiding the risks of centralization.
But the underlying assumptions can also fail in many ways. Therefore, caution is required when deploying these applications, especially in high-value and high-risk environments.
I look forward to seeing more constructive attempts at AI use cases in all of these areas, so we can see which use cases are truly feasible at scale.
source:https://vitalik.eth.limo/general/2023/11/27/techno_optimism.html#dacc
IOS
Android