arXiv: 2505.12296 · v2 · submitted 2025-05-18 · cs.CR · cs.AI · cs.LG

PoLO: Proof-of-Learning and Proof-of-Ownership at Once with Chained Watermarking

Pith reviewed 2026-05-22 14:46 UTC · model grok-4.3

classification: cs.CR · cs.AI · cs.LG
keywords: proof of learning · proof of ownership · chained watermarking · model verification · machine learning security · privacy preserving proofs · watermark robustness · forgery resistance

The pith

PoLO uses chained watermarking to prove both that a model was trained on particular data and that the prover owns it, all in one privacy-preserving step.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents PoLO as a combined proof that simultaneously establishes proof-of-learning through training history and proof-of-ownership through embedded markers. It does this by chaining watermarks sequentially so that verification checks both aspects without needing the original training dataset or internal model weights. Evaluation results show 99 percent detection accuracy, verification costs reduced to between 1.5 and 10 percent of prior methods, and any attempt to forge the proof requiring 1.1 to 4 times more resources than honest generation. The original proof still exceeds 90 percent accuracy after removal or forgery attacks. This setup addresses the need for efficient, private verification when models are shared or deployed.

Core claim

PoLO achieves proof-of-learning and proof-of-ownership at once by embedding a chain of watermarks during the training process, where each watermark links to the previous one to record both the learning trajectory and the owner's identity. The method allows verification to confirm the chain's integrity and the owner's claim using only the final model and public parameters, without access to private training data. Experiments demonstrate that this yields 99 percent watermark detection accuracy, reduces verification cost to 1.5-10 percent of traditional approaches, and forces forgery to consume 1.1-4 times more resources, while the proof retains over 90 percent accuracy under attacks.

What carries the argument

Chained watermarking, a sequential embedding process that links successive watermarks to jointly encode training history and ownership identity for efficient verification.
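
The chaining described in the Figure 2 caption below (each shard's watermark, embedding key and selection positions obtained by hashing the previous model, auxiliary information and the verifier's secret nonce) can be sketched as follows; this is an added example, not code from the paper or from Pith. Assumptions: SHA-256 as H, a toy sign-based embedding in place of the paper's, the shard index mixed into the auxiliary input, a verifier that is given the shard checkpoints, and all function names and sample values, which are hypothetical.

```python
import hashlib
import random
import struct

def derive_params(prev_weights, aux, nonce, n_bits=32):
    """H(W_{x-1} || aux || nonce) -> (watermark bits, embedding key, positions)."""
    h = hashlib.sha256()  # assumption: SHA-256 stands in for the hash H
    h.update(struct.pack(f"<{len(prev_weights)}d", *prev_weights))
    h.update(aux)
    h.update(nonce)
    seed = h.digest()
    rng = random.Random(seed)  # deterministic expansion of the digest
    bits = [rng.getrandbits(1) for _ in range(n_bits)]
    key = hashlib.sha256(b"embedding-key" + seed).digest()
    positions = rng.sample(range(len(prev_weights)), n_bits)
    return bits, key, positions

def _wants_positive(params, i):
    bits, key, _ = params
    key_bit = (key[i // 8] >> (i % 8)) & 1  # key masks the bit; needs n_bits <= 256
    return bool(bits[i] ^ key_bit)

def train_shard(weights, params, rng):
    """Toy 'training': drift every weight, then force the watermark signs."""
    new = [w + rng.gauss(0, 0.05) for w in weights]  # stand-in for SGD on one shard
    for i, pos in enumerate(params[2]):
        mag = max(abs(new[pos]), 0.01)
        new[pos] = mag if _wants_positive(params, i) else -mag
    return new

def detection_rate(weights, params):
    """Fraction of watermark bits readable from the signs at the selected positions."""
    hits = sum((weights[pos] > 0) == _wants_positive(params, i)
               for i, pos in enumerate(params[2]))
    return hits / len(params[0])

def shard_aux(aux, x):
    return aux + x.to_bytes(4, "big")  # assumption: bind the shard index into the hash input

def honest_chain(n_shards, nonce, aux, n_weights=256, seed=7):
    """Checkpoints W_0..W_n where shard x's watermark is derived from W_{x-1}."""
    rng = random.Random(seed)
    ckpts = [[rng.gauss(0, 1) for _ in range(n_weights)]]
    for x in range(1, n_shards + 1):
        params = derive_params(ckpts[-1], shard_aux(aux, x), nonce)
        ckpts.append(train_shard(ckpts[-1], params, rng))
    return ckpts

def verify_chain(ckpts, aux, nonce, threshold=0.9):  # threshold is an assumed value
    """Return the first shard index whose watermark is missing, or None if intact."""
    for x in range(1, len(ckpts)):
        params = derive_params(ckpts[x - 1], shard_aux(aux, x), nonce)
        if detection_rate(ckpts[x], params) < threshold:
            return x
    return None

if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    nonce, aux = b"constructed-verifier-nonce", b"constructed-aux-info"
    chain = honest_chain(4, nonce, aux)
    print("honest chain:", verify_chain(chain, aux, nonce))
    forged = [list(c) for c in chain]
    forged[2][0] += 1e-6  # any change to W_2 re-keys shard 3's watermark
    print("edited W_2, first failing shard:", verify_chain(forged, aux, nonce))
    print("wrong nonce, first failing shard:", verify_chain(chain, aux, b"guess"))
```

Editing an earlier checkpoint leaves that checkpoint's own watermark readable but changes the parameters derived for the next shard, so the break surfaces one link later.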

If this is right

  • Verification of both training effort and ownership becomes possible at a fraction of previous computational cost.
  • Model owners can demonstrate legitimate training without revealing private datasets.
  • Forging a convincing proof now requires noticeably higher resources than honest creation.
  • Detection accuracy remains high even after common post-training modifications.
  • The same mechanism supports repeated verification without repeated access to training records.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • In distributed training settings this could let contributors prove their share of work without exposing local data.
  • Integration with public ledgers might create tamper-evident records of model provenance.
  • The approach could extend to other sequential processes like incremental fine-tuning where each stage needs separate proof.
  • Lower verification overhead might encourage more frequent ownership checks in model marketplaces.

Load-bearing premise

The chained watermarks stay intact and detectable even when an attacker tries to remove or replace them without having run the original training process.

What would settle it

A successful attack that forges a valid PoLO proof using fewer than 1.1 times the honest generation cost while keeping watermark detection accuracy above 90 percent after standard removal attempts would disprove the core efficiency and robustness claims.

Figures

Figures reproduced from arXiv: 2505.12296 by Baihe Ma, Guangsheng Yu, Haiyu Deng, Qin Wang, Ren Ping Liu, Wei Ni, Xu Wang, Yanna Jiang.

Figure 1: Why at once? PoL verifies training effort but lacks ownership tracking, while PoO ensures ownership but fails to justify training efforts. Separating PoL and PoO creates attribution risks and ownership conflicts. (ii) ML marketplaces [4]: buyers need confidence that models are genuinely trained and transferable without dispute; (iii) outsourced training [5]: organizations ensure that externally developed m…

Figure 2: PoLO design: The verifier 𝒱 shares a secret nonce with the prover 𝒫 to initialize watermark parameters (Λ_1, k_1, Y_1) for the first shard s_1. Prior to watermark embedding, the model owner computes the watermark Λ_{x−1} and its corresponding embedding key k_{x−1} and selection matrix Y_x for shard s_x using a hash function H(·) over the previous model W_{x−1}, auxiliary information, and the secret nonce. During trainin…

Figure 3: Verification of chained watermarking for PoL:

Figure 4: The Acc_main comparison of the two P forge attacks with baseline - PoLO. The number followed by the dataset is the watermark size. In each subplot, the vertical lines perpendicular to the x-axis represent the completion times for each shard. accuracy Acc_main. In OFA, attackers reuse RIGA-style embedding and fine-tune all model weights with a reduced learning rate (10% of the original) to inject their waterm…

Figure 5: Honest training showing owner watermark embedding and accuracy progression across shards. Multi-shard attack showing sequential takeover attempts with per-shard owner watermark erasure, attacker watermark embedding, and maintained accuracy. OFA becomes economically irrational in the EMM setting, requiring cost comparable to or exceeding honest training while offering no reliable path to successful ownershi…
Original abstract

Our evaluation shows that PoLO achieves 99% watermark detection accuracy for ownership verification, while preserving data privacy and cutting verification costs to just 1.5–10% of traditional methods. Forging PoLO demands 1.1–4× more resources than honest proof generation, with the original proof retaining over 90% detection accuracy even after attacks.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript introduces PoLO, a scheme that simultaneously realizes proof-of-learning and proof-of-ownership for machine-learning models via chained watermarking. It reports 99% watermark detection accuracy for ownership verification, verification costs reduced to 1.5–10% of traditional methods, a 1.1–4× resource overhead for forging, and retention of >90% detection accuracy after attacks, all while preserving training-data privacy.

Significance. If the robustness and cost-asymmetry claims hold under realistic attack models, PoLO would provide a practical primitive for verifiable ML training and ownership in privacy-sensitive settings. The integration of two proofs into one chained construction and the reported efficiency gains are potentially valuable, but the absence of formal bounds or exhaustive adaptive-attack coverage weakens the grounding of the forgery-cost claim.

major comments (2)
  1. §5 (Evaluation): the reported >90% post-attack detection accuracy and 1.1–4× forgery overhead rest on experiments that appear limited to standard removal attacks; no results are shown for adaptive adversaries (e.g., fine-tuning or extraction optimized to erase sequential watermarks while preserving utility), which is load-bearing for the central cost-asymmetry claim.
  2. §3.2 (Construction): the chained-watermarking definition supplies no security reduction or explicit assumptions on the base watermarking primitive that would provably prevent an adversary from breaking the chain without the original training data or model internals; the empirical robustness therefore lacks a formal anchor.
minor comments (2)
  1. The abstract and §5 state concrete accuracy and cost figures without accompanying error bars, confidence intervals, or dataset/model details; adding these would improve reproducibility.
  2. Table 3 (or equivalent cost table): the baseline for the 1.5–10% verification-cost reduction should be clarified; it is unclear whether the comparison uses the most efficient existing PoO schemes or a naïve full-model verification.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the detailed and constructive feedback. We address each major comment below, acknowledging the need for stronger empirical coverage of adaptive attacks and clearer grounding of the construction. Revisions will focus on adding targeted experiments and explicit assumptions while remaining honest about the empirical nature of the current work.

Point-by-point responses
  1. Referee: §5 (Evaluation): the reported >90% post-attack detection accuracy and 1.1–4× forgery overhead rest on experiments that appear limited to standard removal attacks; no results are shown for adaptive adversaries (e.g., fine-tuning or extraction optimized to erase sequential watermarks while preserving utility), which is load-bearing for the central cost-asymmetry claim.

    Authors: We agree that the cost-asymmetry claim would be more robust with evaluation against adaptive adversaries. In the revised manuscript we will add experiments using fine-tuning and model-extraction attacks specifically tuned to remove sequential watermarks while preserving utility. These results will be reported in an expanded Section 5 with the same metrics (detection accuracy and resource overhead) to directly support the 1.1–4× forgery overhead claim.

    revision: yes

  2. Referee: §3.2 (Construction): the chained-watermarking definition supplies no security reduction or explicit assumptions on the base watermarking primitive that would provably prevent an adversary from breaking the chain without the original training data or model internals; the empirical robustness therefore lacks a formal anchor.

    Authors: The current manuscript presents a practical chained-watermarking construction evaluated empirically rather than via formal reduction. We will revise §3.2 to state explicit assumptions on the base watermarking primitive (e.g., that it resists removal when the training data and model internals remain private) and to clarify that security is argued empirically. A full security reduction is outside the scope of this work and would require additional theoretical development.

    revision: partial

standing simulated objections not resolved
  • A complete formal security reduction for the chained-watermarking construction against adaptive adversaries.

Circularity Check

0 steps flagged

No significant circularity detected in PoLO construction or claims


The paper proposes a novel chained-watermarking construction for simultaneous proof-of-learning and proof-of-ownership. Performance figures (99% detection accuracy, 1.5-10% verification cost, 1.1-4x forgery overhead, >90% post-attack retention) are stated as evaluation outcomes rather than predictions derived from fitted parameters or self-referential equations. No self-definitional loops, fitted-input-as-prediction patterns, or load-bearing self-citations that reduce the central claims to their own inputs appear in the provided text. The robustness argument rests on the explicit construction and reported tests against standard attacks; these do not collapse into ansatzes or uniqueness theorems imported from the same authors. The derivation chain is therefore self-contained as an original scheme whose security and efficiency properties are asserted via design and measurement, not by constructional equivalence to the inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The abstract supplies no explicit free parameters, axioms, or invented entities; all performance claims rest on unstated assumptions about watermark robustness and attack models.

pith-pipeline@v0.9.0 · 5616 in / 1124 out tokens · 29018 ms · 2026-05-22T14:46:15.475178+00:00 · methodology

Reference graph

Works this paper leans on

42 extracted references · 42 canonical work pages · 1 internal anchor

  [1] Samuel Idowu, Daniel Strüber, and Thorsten Berger. Asset management in machine learning: State-of-research and state-of-practice. ACM Computing Surveys, 55(7):1–35, 2022.
  [2] Robert Gorwa and Michael Veale. Moderating model marketplaces: platform governance puzzles for ai intermediaries. Law, Innovation and Technology, 16(2):341–391, 2024.
  [3] Guangsheng Yu, Xu Wang, Caijun Sun, Qin Wang, Ping Yu, Wei Ni, and Ren Ping Liu. Ironforge: An open, secure, fair, decentralized federated learning. TNNLS, 36(1):354–368, 2025.
  [4] Jiasi Weng, Jian Weng, Chengjun Cai, Hongwei Huang, and Cong Wang. Golden grain: Building a secure and decentralized model marketplace for mlaas. TDSC, 19(5):3149–3167, 2022.
  [5] Guangsheng Yu, Yanna Jiang, Qin Wang, Xu Wang, Baihe Ma, Caijun Sun, Wei Ni, and Ren Ping Liu. Split unlearning. CCS, 2025.
  [6] Yuechen Xie, Jie Song, Mengqi Xue, Haofei Zhang, Xingen Wang, Bingde Hu, Genlang Chen, and Mingli Song. Dataset ownership verification in contrastive pre-trained models. ICLR, 2025.
  [7] European Union. Artificial intelligence act, article 53 — transparency obligations for general-purpose ai models, 2024. Consolidated text.
  [8] U.S. Copyright Office. Section 512 of title 17: Limitations on liability relating to material online (dmca safe harbor), 2024. Official DMCA §512 guidance.
  [9] European Commission. Eu rules for general-purpose ai models start to apply, bringing more transparency, safety and accountability, 2024.
  [10] Hengrui Jia, Mohammad Yaghini, et al. Proof-of-learning: Definitions and practice. SP, 2021.
  [11] Rui Zhang, Jian Liu, Yuan Ding, Zhibo Wang, Qingbiao Wu, and Kui Ren. “Adversarial examples” for proof-of-learning. SP, 2022.
  [12] Anvith Thudi, Hengrui Jia, Ilia Shumailov, and Nicolas Papernot. On the necessity of auditable algorithmic definitions for machine unlearning. In USENIX Security, 2022.
  [13] Congyu Fang, Hengrui Jia, Anvith Thudi, Mohammad Yaghini, Christopher A. Choquette-Choo, Natalie Dullerud, Varun Chandrasekaran, and Nicolas Papernot. Proof-of-learning is currently more broken than you think. In EuroSP, 2023.
  [14] Yifan Yan, Xudong Pan, Mi Zhang, and Min Yang. Rethinking White-Box watermarks on deep learning models under neural structural obfuscation. In USENIX Security, pages 2347–2364, 2023.
  [15] Yijia Chang, Hanrui Jiang, Chao Lin, Xinyi Huang, and Jian Weng. Towards understanding and enhancing security of proof-of-training for dnn model ownership verification. In USENIX Security, 2025.
  [16] Zishuo Zhao, Zhixuan Fang, Xuechao Wang, Xi Chen, and Yuan Zhou. Proof-of-learning with incentive security. arXiv preprint arXiv:2404.09005, 2024.
  [17] Kasra Abbaszadeh, Christodoulos Pappas, Jonathan Katz, and Dimitrios Papadopoulos. Zero-knowledge proofs of training for deep neural networks. In CCS, page 4316–4330, 2024.
  [18] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. Satoshi Nakamoto, 2008.
  [19] Peter Gaži, Aggelos Kiayias, and Dionysis Zindros. Proof-of-stake sidechains. In SP, pages 139–156, 2019.
  [20] Huibo Wang, Guoxing Chen, Yinqian Zhang, and Zhiqiang Lin. Multi-certificate attacks against proof-of-elapsed-time and their countermeasures. In NDSS, 2022.
  [21] Tal Moran and Ilan Orlov. Simple proofs of space-time and rational proofs of storage. In CRYPTO, pages 381–409, 2019.
  [22] Qin Wang, Rujia Li, Qi Wang, Shiping Chen, and Yang Xiang. Exploring unfairness on proof of authority: Order manipulation attacks and remedies. In AsiaCCS, pages 123–137, 2022.
  [23] Ali Shahin Shamsabadi et al. Confidential-profitt: confidential proof of fair training of trees. ICLR, 2022.
  [24] Lingchen Zhao, Qian Wang, Cong Wang, Qi Li, Chao Shen, and Bo Feng. Veriml: Enabling integrity assurances and fair payments for machine learning as a service. TPDS, 2021.
  [25] Qin Wang, Guangsheng Yu, Yilin Sai, H.M.N. Dilum Bandara, and Shiping Chen. Is your AI truly yours? leveraging blockchain for copyrights, provenance, and lineage. IEEE TSC, 2025.
  [26] Shuo Shao, Yiming Li, Hongwei Yao, et al. Explanation as a watermark: Towards harmless and multi-bit model ownership verification via watermarking feature attribution. NDSS, 2025.
  [27] Alessandro Pegoraro and others Segna. Deepeclipse: How to break white-box dnn-watermarking schemes. USENIX Security, 2024.
  [28] Xinyun Chen et al. REFIT: A unified watermark removal framework for deep learning systems with limited data. AsiaCCS, 2021.
  [29] Wenwen Gu. Watermark removal scheme based on neural network model pruning. In MLNLP, page 377–382, 2023.
  [30] Andre Kassis and Urs Hengartner. Unmarker: A universal attack on defensive image watermarking. In SP, volume 2, page 8, 2025.
  [31] Jie Zhang et al. Robust model watermarking for image processing networks via structure consistency. TPAMI, 2024.
  [32] Hongwei Yao, Jian Lou, et al. Promptcare: Prompt copyright protection by watermark injection and verification. SP, 2024.
  [33] Chang Liu, Jie Zhang, et al. Detecting voice cloning attacks via timbre watermarking. In NDSS, 2024.
  [34] Yusuke Uchida, Yuki Nagai, et al. Embedding watermarks into deep neural networks. ICML, 2017.
  [35] Peizhuo Lv, Pan Li, Shengzhi Zhang, Kai Chen, Ruigang Liang, Hualong Ma, Yue Zhao, and Yingjiu Li. A robustness-assured white-box watermark in neural networks. TDSC, 2023.
  [36] Tianhao Wang and Florian Kerschbaum. Riga: Covert and robust white-box watermarking of deep neural networks. In WWW, 2021.
  [37] Bowen Li, Lixin Fan, et al. FedIPR: Ownership verification for federated deep neural network models. TPAMI, 2022.
  [38] Shuo Shao, Wenyuan Yang, Hanlin Gu, Zhan Qin, Lixin Fan, and Qiang Yang. Fedtracker: Furnishing ownership verification and traceability for federated learning model. TDSC, 2024.
  [39] Wei Zong, Yang-Wai Chow, Willy Susilo, et al. Ipremover: A generative model inversion attack against deep neural network fingerprinting and watermarking. AAAI, 2024.
  [40] Sayoko Kakikura, Hyunho Kang, et al. Collusion resistant watermarking for deep learning models protection. In ICACT, 2022.
  [41] Fangqi Li and Shilin Wang. Secure watermark for deep neural networks with multi-task learning. arXiv preprint arXiv:2103.10021, 2021.
  [42] Cynthia Dwork, Aaron Roth, et al. The algorithmic foundations of differential privacy. Foundations and trends® in theoretical computer science, 9(3–4):211–407, 2014.

APPENDIX 1 Notation (Tab.6) Note on chain integrity (Algorithm 1, Else branch). When the watermark detection rate has not yet reached η_G, the algorithm continues training from the current weight...