ZK-APEX: Zero-Knowledge Approximate Personalized Unlearning with Executable Proofs

Alex Davidson; Hamed Haddadi; Mohammad M Maheri; Sunil Cotterill

arxiv: 2512.09953 · v2 · submitted 2025-12-09 · 💻 cs.CR · cs.AI· cs.LG

ZK-APEX: Zero-Knowledge Approximate Personalized Unlearning with Executable Proofs

Mohammad M Maheri , Sunil Cotterill , Alex Davidson , Hamed Haddadi This is my paper

Pith reviewed 2026-05-17 00:07 UTC · model grok-4.3

classification 💻 cs.CR cs.AIcs.LG

keywords machine unlearningzero-knowledge proofspersonalized modelsedge computingprivacyHalo2Vision Transformerapproximate unlearning

0 comments

The pith

ZK-APEX lets providers verify that edge devices have removed targeted data from personalized models using zero-knowledge proofs.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces ZK-APEX as a zero-shot approximate personalized unlearning technique that works directly on already-personalized models. It applies sparse masking from the provider combined with a lightweight Group OBS compensation step on the client that uses a blockwise empirical Fisher matrix to adjust for curvature. Halo2 zero-knowledge proofs then let the provider confirm the transformation occurred correctly without seeing any private client data or parameters. Experiments on Vision Transformer classification and the OPT125M generative model trained on code show that personalization accuracy is largely recovered while the targeted information is removed, and proof generation finishes in roughly two hours with under one gigabyte of memory. This addresses the practical problem that clients may ignore or falsely claim compliance with deletion requests in distributed edge settings where retraining or direct inspection is infeasible.

Core claim

ZK-APEX performs approximate personalized unlearning by first applying sparse masking on the provider side and then a small Group OBS compensation update on the client side that uses the blockwise empirical Fisher matrix to produce a curvature-aware adjustment, after which Halo2 zero-knowledge proofs attest that the correct transformation was applied, recovering nearly all personalization accuracy on Vision Transformer tasks and around seventy percent on OPT125M code data while keeping proof generation two hours, memory under one gigabyte, and proof size around four hundred megabytes.

What carries the argument

Sparse masking paired with Group OBS compensation via blockwise empirical Fisher matrix, attested by Halo2 zero-knowledge proofs that verify the unlearning step without exposing private parameters.

If this is right

Providers gain the ability to enforce data deletion requests on distributed personalized models without direct access to client devices or data.
Unlearning remains practical on edge hardware because the client-side compensation is lightweight and the proofs avoid full retraining.
Personalized models can maintain high utility after unlearning, as shown by near-complete accuracy recovery on classification tasks and seventy percent recovery on generative code tasks.
Verification becomes feasible at scale because proof generation is over ten million times faster than retraining-based alternatives with manageable memory and proof sizes.
The same framework can apply to other model architectures if the compensation step generalizes beyond the tested Vision Transformers and OPT models.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The approach could extend to federated learning environments where multiple clients personalize the same base model and deletion requests must be audited centrally.
Combining this method with differential privacy mechanisms might further strengthen guarantees against residual data leakage.
Optimizing the Halo2 circuit for smaller proof sizes could make verification viable on even more constrained mobile hardware.
The blockwise Fisher approximation might be replaced by other curvature estimates if they preserve the low-overhead property while improving unlearning effectiveness.

Load-bearing premise

The sparse masking and Group OBS compensation step using the blockwise empirical Fisher matrix removes enough influence from the targeted samples for the unlearning to be effective, and the Halo2 proof system correctly attests to the transformation without accepting invalid proofs.

What would settle it

A membership inference attack or targeted data reconstruction experiment that succeeds at high rates on the model after ZK-APEX unlearning, or a verifier that accepts a proof for an incorrect unlearning transformation.

Figures

Figures reproduced from arXiv: 2512.09953 by Alex Davidson, Hamed Haddadi, Mohammad M Maheri, Sunil Cotterill.

**Figure 1.** Figure 1: Provider sends a public mask removing forget-set associated weights, the client performs local compensation [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] view at source ↗

**Figure 2.** Figure 2: Structure of the ZK-SNARK circuit used for verification. The circuit enforces linear constraints corresponding [PITH_FULL_IMAGE:figures/full_fig_p009_2.png] view at source ↗

**Figure 3.** Figure 3: Effect of Fisher block size. Larger block sizes improve curvature stability during unlearning [PITH_FULL_IMAGE:figures/full_fig_p021_3.png] view at source ↗

**Figure 4.** Figure 4: Effect of damping coefficient. Moderate damping yields the best trade-off between numerical stability and precision in curvature compensation [PITH_FULL_IMAGE:figures/full_fig_p021_4.png] view at source ↗

**Figure 5.** Figure 5: Effect of sparsity ratio. Higher sparsity enhances proof efficiency while maintaining strong unlearning performance. 21 [PITH_FULL_IMAGE:figures/full_fig_p021_5.png] view at source ↗

read the original abstract

Machine unlearning aims to remove the influence of specific data points from a trained model to satisfy privacy, copyright, and safety requirements. In real deployments, providers distribute a global model to many edge devices, where each client personalizes the model using private data. When a deletion request is issued, clients may ignore it or falsely claim compliance, and providers cannot check their parameters or data. This makes verification difficult, especially because personalized models must forget the targeted samples while preserving local utility, and verification must remain lightweight on edge devices. We introduce ZK APEX, a zero-shot personalized unlearning method that operates directly on the personalized model without retraining. ZK APEX combines sparse masking on the provider side with a small Group OBS compensation step on the client side, using a blockwise empirical Fisher matrix to create a curvature-aware update designed for low overhead. Paired with Halo2 zero-knowledge proofs, it enables the provider to verify that the correct unlearning transformation was applied without revealing any private data or personalized parameters. On Vision Transformer classification tasks, ZK APEX recovers nearly all personalization accuracy while effectively removing the targeted information. Applied to the OPT125M generative model trained on code data, it recovers around seventy percent of the original accuracy. Proof generation for the ViT case completes in about two hours, more than ten million times faster than retraining-based checks, with less than one gigabyte of memory use and proof sizes around four hundred megabytes. These results show the first practical framework for verifiable personalized unlearning on edge devices.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces ZK-APEX, a zero-knowledge approximate personalized unlearning framework that applies sparse masking on the provider side combined with a Group OBS compensation step on the client using a blockwise empirical Fisher matrix, then attests the transformation via Halo2 proofs. It reports recovery of nearly all personalization accuracy on ViT classification tasks and approximately 70% on OPT-125M generative models trained on code data, with proof generation completing in about two hours (more than 10 million times faster than retraining), under 1 GB memory, and proof sizes around 400 MB, positioning this as the first practical verifiable unlearning system for edge devices.

Significance. If the effectiveness and verification claims hold, the work provides a meaningful contribution to privacy-preserving machine learning by enabling verifiable unlearning on personalized edge models without requiring retraining or data access. The use of Halo2 for executable, zero-knowledge proofs of the unlearning transformation is a concrete strength that supports auditability in distributed settings. The reported speed-up over retraining-based verification is notable, though the edge practicality depends on whether the resource profile can be reconciled with typical device constraints.

major comments (2)

[Abstract] Abstract: The central claim that ZK-APEX constitutes the 'first practical framework for verifiable personalized unlearning on edge devices' is load-bearing yet directly undercut by the concrete resource numbers supplied (proof generation ~2 hours, proof size ~400 MB, memory <1 GB). These figures are typically prohibitive for representative edge hardware (mobile SoCs, IoT nodes) without additional scaling arguments, circuit optimizations, or actual deployment benchmarks on target platforms.
[Experimental Results] Experimental evaluation (implied by accuracy recovery statements): The reported recovery of 'nearly all' personalization accuracy on ViT tasks and '~70%' on OPT-125M lacks error bars, exact unlearning metrics (e.g., membership-inference success rates or forgetting scores), and direct baseline comparisons to alternatives such as full retraining or other approximate unlearning methods. This absence weakens the ability to assess whether the sparse masking plus Group OBS step sufficiently removes targeted sample influence while preserving utility.

minor comments (2)

[Method] Clarify the precise definition and hyperparameters of the 'Group OBS compensation scale' and the chosen sparsity mask, including how they are selected or tuned, as these appear as free parameters in the update rule.
[Abstract] The abstract states 'zero-shot' unlearning but the description involves a client-side compensation step; reconcile this terminology for consistency.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive and detailed feedback on our manuscript. We address each major comment below and indicate the planned revisions to improve clarity and rigor.

read point-by-point responses

Referee: [Abstract] Abstract: The central claim that ZK-APEX constitutes the 'first practical framework for verifiable personalized unlearning on edge devices' is load-bearing yet directly undercut by the concrete resource numbers supplied (proof generation ~2 hours, proof size ~400 MB, memory <1 GB). These figures are typically prohibitive for representative edge hardware (mobile SoCs, IoT nodes) without additional scaling arguments, circuit optimizations, or actual deployment benchmarks on target platforms.

Authors: We appreciate this observation on the load-bearing nature of the practicality claim. The reported figures accurately reflect our Halo2 implementation for the evaluated models. While proof generation remains substantially faster than retraining, we acknowledge that 2-hour runtimes and 400 MB proofs exceed the capabilities of many low-power mobile SoCs. In the revision we will qualify the abstract claim to 'the first practical framework for verifiable personalized unlearning in distributed edge settings with moderate computational resources' and add a dedicated paragraph discussing hardware requirements, potential circuit optimizations, and the distinction between client-side unlearning (lightweight) and provider-side verification. This is a partial revision because the empirical results themselves will not change. revision: partial
Referee: [Experimental Results] Experimental evaluation (implied by accuracy recovery statements): The reported recovery of 'nearly all' personalization accuracy on ViT tasks and '~70%' on OPT-125M lacks error bars, exact unlearning metrics (e.g., membership-inference success rates or forgetting scores), and direct baseline comparisons to alternatives such as full retraining or other approximate unlearning methods. This absence weakens the ability to assess whether the sparse masking plus Group OBS step sufficiently removes targeted sample influence while preserving utility.

Authors: We agree that the current presentation would be strengthened by greater statistical detail and explicit baselines. In the revised manuscript we will report error bars from repeated runs, include membership-inference attack success rates and other standard forgetting scores as quantitative unlearning metrics, and add direct comparisons to full retraining as well as representative approximate unlearning methods. These additions will appear in the experimental evaluation section and will allow readers to better judge the trade-off between forgetting and utility preservation. revision: yes

Circularity Check

0 steps flagged

No significant circularity detected in derivation chain

full rationale

The paper presents ZK-APEX as a composite method: provider-side sparse masking plus client-side Group OBS compensation using a blockwise empirical Fisher matrix computed directly from the client's private data, followed by Halo2 proof generation to attest the transformation. These components are defined in terms of external inputs (client data, chosen mask, standard Fisher approximation) rather than being self-referential or fitted to the target unlearning metric. Accuracy recovery figures on ViT and OPT-125M are reported as empirical measurements, not quantities forced by construction from the update rule itself. No load-bearing step reduces the claimed performance or verifiability to a self-citation chain or renamed input; the derivation remains self-contained against the stated assumptions.

Axiom & Free-Parameter Ledger

2 free parameters · 2 axioms · 0 invented entities

The framework rests on standard assumptions from approximate unlearning and zero-knowledge literature plus a small number of tunable choices for masking and compensation; no new physical entities are postulated.

free parameters (2)

masking sparsity level
Chosen on provider side to trade off unlearning strength against utility preservation.
Group OBS compensation scale
Small step size applied after masking to restore local performance.

axioms (2)

domain assumption Blockwise empirical Fisher matrix provides a usable curvature approximation for the unlearning update.
Invoked to justify the compensation step on the client side.
standard math Halo2 proof system is sound and complete for the arithmetic circuit encoding the unlearning transformation.
Required for the verification guarantee.

pith-pipeline@v0.9.0 · 5595 in / 1492 out tokens · 45704 ms · 2026-05-17T00:07:28.053678+00:00 · methodology

discussion (0)

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

AgenTEE: Confidential LLM Agent Execution on Edge Devices
cs.CR 2026-04 unverdicted novelty 7.0

AgenTEE isolates LLM agent runtime, inference, and apps in independently attested cVMs on Arm-based edge devices, achieving under 5.15% overhead versus commodity OS deployments.

Reference graph

Works this paper leans on

4 extracted references · 4 canonical work pages · cited by 1 Pith paper

[1]

URLhttps://openreview.net/forum?id=MwBxNUl9AV. P. Regulation. Regulation (eu) 2016/679 of the european parliament and of the council.Regulation (eu), 679(2016): 10–13, 2016. S. Seo, D. Kim, and B. Han. Revisiting machine unlearning with dimensional alignment. In2025 IEEE/CVF Winter Conference on Applications of Computer Vision (WACV), pages 3206–3215. IEE...

work page arXiv 2016
[2]

Form the selectorE M = [ei]i∈M and extractw p,M =E ⊤ M θp (privately)

work page
[3]

Compute the Group-OBS update (closed form): δw=−C −1 p EM E⊤ M C −1 p EM −1 wp,M

work page
[4]

Assemble the unlearned model:θ u ←θ p +δw. Proof generation (client):Produce a ZK-SNARK π attesting that private witnesses θp, θu, δw, λM , Cp satisfy the linear KKT certificates: (Assembly)θ u =θ p +δw, (Mask feasibility)E ⊤ M δw+w p,M = 0, w p,M =E ⊤ M θp, (KKT stationarity)C p δw+E M λM = 0, and that these openings matchCom(θ p),Com(C p), and defineCom...

work page

[1] [1]

URLhttps://openreview.net/forum?id=MwBxNUl9AV. P. Regulation. Regulation (eu) 2016/679 of the european parliament and of the council.Regulation (eu), 679(2016): 10–13, 2016. S. Seo, D. Kim, and B. Han. Revisiting machine unlearning with dimensional alignment. In2025 IEEE/CVF Winter Conference on Applications of Computer Vision (WACV), pages 3206–3215. IEE...

work page arXiv 2016

[2] [2]

Form the selectorE M = [ei]i∈M and extractw p,M =E ⊤ M θp (privately)

work page

[3] [3]

Compute the Group-OBS update (closed form): δw=−C −1 p EM E⊤ M C −1 p EM −1 wp,M

work page

[4] [4]

Assemble the unlearned model:θ u ←θ p +δw. Proof generation (client):Produce a ZK-SNARK π attesting that private witnesses θp, θu, δw, λM , Cp satisfy the linear KKT certificates: (Assembly)θ u =θ p +δw, (Mask feasibility)E ⊤ M δw+w p,M = 0, w p,M =E ⊤ M θp, (KKT stationarity)C p δw+E M λM = 0, and that these openings matchCom(θ p),Com(C p), and defineCom...

work page