
arxiv: 2405.04108 · v2 · submitted 2024-05-07 · 💻 cs.CR · cs.AI

A2-DIDM: Privacy-preserving Accumulator-enabled Auditing for Distributed Identity of DNN Model

Pith reviewed 2026-05-24 01:12 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords DNN model identity · privacy-preserving auditing · blockchain · zero-knowledge proofs · accumulators · weight checkpoints · decentralized identity · model ownership

The pith

A scheme with accumulators and zero-knowledge proofs audits DNN model identities on blockchain while keeping weight checkpoint sequences unique and private.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes A2-DIDM to solve ownership verification for traded DNN models by recording their training histories on a blockchain. It configures sequences of model weight checkpoints with zero-knowledge proofs and predicates so that incremental changes can be checked without exposing the actual weights or the training functions. The method claims this preserves both the uniqueness of each model's checkpoint sequence and the privacy of the underlying data. If the approach works, model owners could license or sell DNNs with on-chain proof of origin that stays lightweight and decentralized. The authors evaluate security, robustness, and practical usability of the auditing process.

Core claim

By configuring model weight checkpoints with zero-knowledge proofs and predicates inside an accumulator-enabled blockchain scheme, the approach captures incremental state changes during DNN training, thereby ensuring computational integrity and programmability while preserving the uniqueness of the weight checkpoint sequence and protecting data and function privacy.

What carries the argument

Accumulator-enabled auditing that attaches zero-knowledge proofs and predicates to model weight checkpoints to record and verify incremental training states on a blockchain.

If this is right

  • On-chain verification of model ownership becomes possible without storing or revealing full model weights.
  • Unauthorized model replications can be detected by checking whether a suspect model matches the recorded checkpoint sequence.
  • Decentralized identity records for DNN models remain programmable and maintain computational integrity throughout training.
  • Privacy of training data and internal functions is protected during the auditing process.
  • Lightweight verification supports practical deployment for model commercialization and trading.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same checkpoint-plus-predicate structure might apply to auditing other sequential machine-learning artifacts such as reinforcement-learning policies.
  • Scalability limits would appear if the number of checkpoints grows large, since each requires a zero-knowledge proof stored on-chain.
  • Marketplaces for model licensing could embed this auditing mechanism directly into smart contracts for automated ownership checks.
  • Alternative accumulator constructions or different zero-knowledge systems could be swapped in without changing the overall claim structure.

Load-bearing premise

That zero-knowledge proofs together with predicates on weight checkpoints can track incremental state changes without losing the uniqueness of the full sequence or leaking private data and functions.

What would settle it

A pair of distinct DNN training runs that produce identical audited identities under the scheme, or a successful extraction of private weight values or training logic from the published proofs.

Figures

Figures reproduced from arXiv: 2405.04108 by Jing Yu, Keke Gai, Liehuang Zhu, Tianxiu Xie.

Figure 1: The construction of Identity Record for DIDM.
Figure 2: The construction of valid transactions on blockchain.
Figure 3: The circuit of predicate satisfiability (captured by
Figure 4: The construction of accumulator-based DIDM
Figure 5: The comparison of ΦIWFW(Init vs GMM) and ΦIWFW(PCA) after launching RCA with different values of β. “Clean DIDM” denotes the original and unattacked weight checkpoint. ΦIWFW(PCA) after launching RCA under different regularization coefficients β across CIFAR10/100 and four architectures. For each regularization coefficient (β), we conduct 5 independent RCA runs. RCA starts from a converged model and revers…

Original abstract

Recent booming development of Generative Artificial Intelligence (GenAI) has facilitated model commercialization to reinforce the model performance, including licensing or trading Deep Neural Network (DNN) models. However, DNN model trading may violate the benefit of the model owner due to unauthorized replications or misuse of the model. Model identity auditing is a challenging issue in protecting DNN model ownership, and verifying the integrity and ownership of models is one of the critical obstacles. In this paper, we focus on the above issue and propose an Accumulator-enabled Auditing for Decentralized Identity of DNN Model (A2-DIDM) that utilizes blockchain and zero-knowledge techniques to protect data and function privacy while ensuring the lightweight on-chain ownership verification. The proposed model presents a scheme of identity records via configuring model weight checkpoints with zero-knowledge proofs, which incorporates predicates to capture incremental state changes in model weight checkpoints. Our scheme ensures both computational integrity and programmability in DNN training process so that the uniqueness of the weight checkpoint sequence in a DNN model is preserved. A2-DIDM also addresses privacy protections in decentralized identity. We systematically analyze the security and robustness of our proposed model and further evaluate the effectiveness and usability of auditing DNN model identities. The code is available at https://github.com/xtx123456/A2-DIDM.git.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper proposes A2-DIDM, an accumulator-enabled auditing scheme for decentralized identity of DNN models. It combines blockchain with zero-knowledge proofs over model weight checkpoints, using predicates to capture incremental state changes, with the goal of preserving sequence uniqueness, ensuring computational integrity and programmability during DNN training, and providing lightweight on-chain ownership verification while protecting data and function privacy. The authors state that they systematically analyze security and robustness and evaluate effectiveness, with code released.

Significance. If the construction is sound, the approach could offer a practical method for privacy-preserving model ownership auditing in commercial GenAI settings by leveraging accumulators and ZK techniques for verifiable checkpoint sequences. The public release of the implementation code is a clear strength that aids reproducibility.

major comments (2)
  1. [Abstract] Abstract: the central claim that the scheme 'ensures both computational integrity and programmability in DNN training process so that the uniqueness of the weight checkpoint sequence in a DNN model is preserved' rests on an unshown construction; no formal definition of the predicates, ZK proof statements, or accumulator operations is provided to demonstrate how incremental state changes enforce uniqueness without reducing to prior assumptions.
  2. [Abstract] Abstract (security analysis paragraph): the statement that 'We systematically analyze the security and robustness of our proposed model' is unsupported by any security model, threat assumptions, proof sketches, or reduction arguments in the manuscript, which is load-bearing for the privacy and integrity guarantees.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their careful reading and constructive feedback. We address the two major comments point by point below.

  1. Referee: [Abstract] Abstract: the central claim that the scheme 'ensures both computational integrity and programmability in DNN training process so that the uniqueness of the weight checkpoint sequence in a DNN model is preserved' rests on an unshown construction; no formal definition of the predicates, ZK proof statements, or accumulator operations is provided to demonstrate how incremental state changes enforce uniqueness without reducing to prior assumptions.

    Authors: We agree that the abstract claim requires explicit support. While Sections 3–4 describe the accumulator, predicates for incremental checkpoint changes, and ZK proof statements at a high level, formal definitions of the predicates, the precise ZK statements, and the accumulator operations (including how they enforce sequence uniqueness) are not presented in a self-contained manner. We will add a new subsection in the revised manuscript that supplies these formal definitions and shows the uniqueness argument without reducing to prior assumptions. revision: yes

  2. Referee: [Abstract] Abstract (security analysis paragraph): the statement that 'We systematically analyze the security and robustness of our proposed model' is unsupported by any security model, threat assumptions, proof sketches, or reduction arguments in the manuscript, which is load-bearing for the privacy and integrity guarantees.

    Authors: The manuscript contains an informal security discussion, but we acknowledge that it lacks a formal security model, explicit threat assumptions, proof sketches, or reduction arguments. This omission weakens the load-bearing privacy and integrity claims. We will revise the manuscript to include a dedicated security section that defines the model, states the assumptions, and provides proof sketches or reductions. revision: yes

Circularity Check

0 steps flagged

No significant circularity


The paper presents a cryptographic construction for privacy-preserving auditing of DNN model identities using accumulators, blockchain, and zero-knowledge proofs over weight checkpoints. The central claims concern the design of predicates and proofs to enforce sequence uniqueness and privacy; these rest on the scheme definition itself rather than on any fitted parameters, self-definitional reductions, or load-bearing self-citations. No equations or derivations are exhibited that equate outputs to inputs by construction, and the security analysis is described as systematic without reducing to prior author work as an unverified premise. This is a standard scheme-proposal paper whose derivation chain is self-contained.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The scheme rests on standard cryptographic assumptions for ZK proofs and blockchain security; no free parameters or new entities are introduced beyond the protocol itself.

axioms (1)
  • [standard math] Security of zero-knowledge proofs and blockchain immutability hold for the auditing predicates.
    Invoked in the scheme description to guarantee integrity and privacy, without explicit proof in the abstract.

