Yeah that’s a big downside. But people are working on privacy-preserving inference—it’s sort of an emerging subfield in private ML. The idea is to break the model up into a private part (which requires very little compute to run) and a shareable part (which is totally useless if you don’t have the private part). Then verifiers could just do re-computation on the private part, without knowing anything about the function of the actual model—just that it’s a small program and many of them are being run in isolation.
Yeah that’s a big downside. But people are working on privacy-preserving inference—it’s sort of an emerging subfield in private ML. The idea is to break the model up into a private part (which requires very little compute to run) and a shareable part (which is totally useless if you don’t have the private part). Then verifiers could just do re-computation on the private part, without knowing anything about the function of the actual model—just that it’s a small program and many of them are being run in isolation.
Cool!