Vitalik Buterin, co-founder of Ethereum, categorizes the potential intersections between crypto and AI in his latest article, discussing the prospects and challenges of each category. The article, sourced from Vitalik Buterin’s publication and compiled, translated, and written by Foresight News, is as follows:
Title: Intersection of Crypto and AI: Categorizing Different Possibilities
Table of Contents:
1. Four Intersections of Crypto and AI
2. AI as a Game Participant
3. AI as a Game Interface
4. AI as Game Rules
5. Cryptographic Expenses
6. Black Box Adversarial Machine Learning
7. AI as Game Objectives
8. Conclusion
For many years, people have asked me a question: “Where are the most fruitful intersections between cryptocurrencies and AI?” It is a reasonable question, as both cryptocurrencies and AI have been two major deep (software) technological trends over the past decade, and there must be some connection between them.
At first glance, it is easy to identify the synergy between the two: the decentralization of cryptocurrencies can balance the centralization of AI, cryptocurrencies provide transparency while AI is opaque, and AI requires data storage and tracking, in which blockchain excels.
However, over the years, when asked to explore specific applications, my answer has often been disappointing: “Yes, there are some applications worth exploring, but not many.”
In the past three years, with the rise of more powerful AI technologies such as modern large language models (LLMs) and stronger cryptocurrency technologies beyond just blockchain scalability solutions, including zero-knowledge proofs, fully homomorphic encryption, and (two-party and multi-party) secure multi-party computation, I have started to see a shift in this landscape.
Within the blockchain ecosystem, or the integration of AI with cryptography, there are indeed promising AI applications, although caution is required when applying AI.
One particular challenge is that in cryptography, open-source is the only way to truly secure something, whereas in AI, open models (even their training data) significantly increase vulnerability to adversarial machine learning attacks. This article categorizes the different ways in which Crypto+AI can intersect and explores the prospects and challenges of each category.
Read More: AI Becomes a “First-Class Citizen” in the Cryptocurrency Field: Benefits and Front-End Applications
The article concludes with an overview of the intersections between Crypto+AI from the uETH blog, but how can we effectively achieve these synergies in specific applications?
AI is a broad concept: you can think of AI as a set of algorithms, where the algorithms you create are not explicitly specified but generated by mixing a large computational soup and applying optimization pressure to generate algorithms with the desired properties.
This description should not be underestimated, as it encompasses the process of creating us humans! However, it also means that AI algorithms have some common characteristics: they have tremendous capabilities, while our understanding or comprehension of their internal execution processes is limited.
There are many ways to classify artificial intelligence, and for the purpose of discussing the interaction between AI and blockchain (as seen in Virgil Griffith’s article “Ethereum as a Game-Changing Technology” article), I will categorize them as follows:
1. AI as a participant in the game (highest feasibility): In mechanisms where AI participates, the ultimate source of motivation comes from human input into the protocol.
2. AI as a game interface (great potential, but risks exist): AI helps users understand the surrounding crypto world and ensures that their actions (e.g., signed messages and transactions) align with their intentions to avoid deception or being tricked.
3. AI as game rules (requires extreme caution): Blockchain, DAOs, and similar mechanisms directly invoke AI, for example, an “AI judge.”
4. AI as game objectives (long-term and interesting): Designing blockchain, DAOs, and similar mechanisms with the goal of constructing and maintaining AI that can be used for other purposes, utilizing cryptographic techniques either to better incentivize training or to prevent AI leakage of private data or abuse.
Let’s review each category one by one.
In fact, this category has been around for almost a decade, at least since the widespread use of on-chain decentralized exchanges (DEX). Whenever there are exchanges, there are opportunities for arbitrage, and bots can perform arbitrage better than humans.
This use case has existed for a long time, even with much simpler AI than what we have now, but it is indeed the real intersection of AI and cryptocurrencies. Recently, we have seen frequent occurrences of MEV (Maximizing Extractable Value) arbitrage bots exploiting each other. Any blockchain application involving auctions or transactions will have arbitrage bots.
However, AI arbitrage bots are just the first example of a larger category, and I expect many other applications to be covered soon. Let’s take a look at AIOmen, a demonstration of an AI as a participant in a prediction market:
[Prediction market image]
Prediction markets have long been the Holy Grail of decision-making technologies. As early as 2014, I was excited about using prediction markets as input for governance (Future of Governance) and have extensively experimented with them in recent elections.
However, prediction markets have not made much progress in practice, and there are many reasons for this: the biggest participants are often irrational, those with correct knowledge are unwilling to spend time and bet unless there is a significant amount of money involved, and the markets are often not active enough, among others.
One response to this is to point out the user experience improvements being made by platforms like Polymarket and hope that they can succeed where previous iterations failed. If people are willing to bet billions of dollars on sports, why not invest enough money in betting on the US election or LK99 to incentivize serious players to participate? But this argument must face the fact that previous versions have not achieved this scale (at least compared to the dreams of their supporters), so it seems that something new is needed to make prediction markets successful.
Thus, another response is to highlight a specific characteristic of the prediction market ecosystem that we can expect to see in the 2020s but didn’t see in the 2010s: widespread AI participation.
AI is willing or can work at a cost of less than $1 per hour and has encyclopedic knowledge. If that’s not enough, they can even be integrated with real-time web search functionality. If you create a market and provide $50 in liquidity subsidies, humans won’t care about bidding, but thousands of AI will flock and make their best guesses.
Motivation to do a good job on any given question may be small, but the motivation to create AI that can make good predictions can be in the millions. It’s worth noting that you don’t even need humans to adjudicate most issues: you can use multi-round dispute systems similar to Augur or Kleros, where AI will also participate in the early rounds. Humans only need to react in a few cases where a series of upgrades have occurred and both sides have committed significant funds.
This is a powerful primitive because once you can make “prediction markets” work at such a micro-scale, you can replicate the “prediction market” primitive for many other types of questions, such as:
– Can this social media post be accepted according to [terms of use]?
– How will the price of stock X change (e.g., see Numerai)?
– Is the account messaging me right now really Elon Musk?
– Can this task submitted on an online task market be accepted?
– Is the DApp on https://examplefinance.network a scam?
– Is 0x1b54….98c3 the address for “Casinu In” ERC20 token?
You may notice that many of these ideas are moving in the direction of what I referred to earlier as “info defense.” Broadly speaking, the question is: How do we help users distinguish between true and false information and identify fraudulent behavior without giving a centralized authority the power to decide right from wrong and risk its abuse? At the micro-level, the answer can be “AI.”
But at the macro-level, the question is: Who builds the AI? AI is a reflection of its creation process and inevitably carries biases. A higher-level game is needed to judge the performance of different AIs, allowing AI to participate as players in the game through on-chain mechanisms to obtain rewards or punishments (in a probabilistic manner). I believe it is worth researching such use cases now, as blockchain scalability has finally been achieved, making it possible to realize on-chain “micro” things that were previously often infeasible.
Related applications of this kind are evolving towards highly autonomous agents, using blockchain to cooperate better, whether through payments or by making credible commitments using smart contracts.
An idea I proposed in “My techno-optimism” is that there is a market opportunity for writing user-facing software that protects users’ interests by explaining and identifying dangers in the online world they are browsing. The fraud detection feature in MetaMask is an existing example.
[MetaMask fraud detection image]
Another example is the simulation feature of the Rabby wallet, which shows users the expected outcome of the transactions they are about to sign.
[Rabby wallet simulation image]
These tools have the potential to be enhanced by AI. AI can provide richer, more human-understandable explanations, explaining what kind of DApp you are participating in, the consequences of more complex operations you are signing, whether specific tokens are genuine (e.g., BITCOIN is not just a string of characters, it is the name of a real cryptocurrency, not an ERC20 token, and its price is far higher than $0.045), and more.
Some projects are already actively developing in this direction, such as LangChain Wallet that uses AI as a primary interface. Personally, I believe that pure AI interfaces may currently carry too much risk, as they increase the risk of other types of errors, but combining AI with more traditional interfaces is very feasible.
There is one particular risk worth mentioning. I will elaborate on this in more detail in the section on “AI as game rules” below, but the overall issue is adversarial machine learning: if there is an AI assistant within an open-source wallet, bad actors will have the opportunity to obtain that AI assistant, giving them unlimited opportunities to optimize their fraudulent behavior to bypass the defense measures of the wallet.
All modern AIs have certain vulnerabilities, and it is easy to find these vulnerabilities even with limited access to the training process, which only has access to the model.
This is where “AI participating in on-chain micro-markets” works better: each individual AI faces the same risks, but you intentionally build an open ecosystem that is iterated and improved by dozens of people.
Furthermore, each individual AI is closed: the security of the system comes from the openness of the game rules, not the internal operations of each participant.
Summary: AI can help users understand what is happening in simple language, serve as real-time tutors, and protect users from the impact of errors, but caution is needed when dealing with malicious deceivers and scammers.
Now, let’s discuss the applications that excite many people but are also the riskiest, and we need to proceed with extreme caution: AI as game rules. This is related to the excitement of mainstream political elites about “AI judges” (as seen on the “World Government Summit” website) and a similar desire for these roles in blockchain applications.
If a blockchain-based smart contract or DAO needs to make subjective decisions, can you simply let AI become a part of the contract or DAO to help enforce these rules?
This is where adversarial machine learning becomes an extremely challenging task. Below are the details on this point in the section “Black Box Adversarial Machine Learning,” but the overall question is how to make AI part of the contract or DAO to help enforce these rules.
The conclusion is that AI can be part of the game rules, but extreme caution is required.A Simple Argument: If an AI model that plays a critical role in a mechanism is closed, you cannot verify its internal operations, so it is no better than centralized applications. If the AI model is open, attackers can download and simulate it locally and design highly optimized attacks to deceive the model, which they can then replay on the live network.
Adversarial machine learning example. Source: researchgate.net
Now, readers who frequently read this blog (or are native to the crypto space) may have already understood what I mean and started thinking. But please wait.
We have advanced zero-knowledge proofs and other very cool cryptographic forms. We can definitely perform some cryptographic magic to hide the internal operations of the model so that attackers cannot optimize attacks while proving that the model is executing correctly and is built on a reasonable training process with a reasonable dataset.
In general, this is the thinking I advocate in this blog and other articles. However, there are two main objections when it comes to AI computation:
Cryptography overhead: Performing certain tasks in SNARKs (or MPC, etc.) is much less efficient than plain text execution. Considering that AI itself already has high computational requirements, is it feasible to perform AI computations in a cryptographic black box?
Black-box adversarial machine learning attacks: Even without understanding the internal workings of the model, there are ways to optimize attacks on AI models. If the hiding is too tight, you may make it easier for the person choosing the training data to compromise the integrity of the model through poisoning attacks.
Both of these are complex rabbit holes that need to be explored one by one.
Cryptography tools, especially general-purpose tools like ZK-SNARKs and MPC, have high overhead. Verifying Ethereum blocks directly on the client takes hundreds of milliseconds, but generating ZK-SNARKs to prove the correctness of such blocks can take hours. The overhead of other cryptographic tools like MPC may be even greater.
AI computation itself is already very expensive: The most powerful language models output words at a slightly faster rate than human reading speed, not to mention that training these models typically costs millions of dollars in computation. There is a significant difference in quality between top models and models that try to be more cost-effective in terms of training cost or number of parameters. At first glance, this is a good reason to be skeptical about wrapping AI in cryptography to add guarantees to the entire project.
However, fortunately, AI is a very special type of computation that allows for various optimizations, which cannot be achieved with more “unstructured” computation types like ZK-EVM. Let’s take a look at the basic structure of an AI model:
Typically, an AI model consists mainly of a series of matrix multiplications, with non-linear operations sprinkled among each element, such as the ReLU function (y = max(x, 0)). Asymptotically, matrix multiplication takes up most of the work. This is convenient for cryptography because many cryptographic forms can perform linear operations almost “for free” (at least when encrypting the model and not during matrix multiplication operations on inputs).
If you are a cryptographer, you may have heard of a similar phenomenon in homomorphic encryption: performing addition on encrypted ciphertexts is very easy, but multiplication is very difficult, until we found a way to perform multiplication operations with infinite depth in 2009.
For ZK-SNARKs, similar to the protocol in 2013, the overhead in proving matrix multiplication is less than 4 times. Unfortunately, the overhead of non-linear layers is still significant, and the best practical implementations show an overhead of about 200 times.
However, through further research, there is hope to significantly reduce this overhead. You can refer to Ryan Cao’s demo, which introduces a recent method based on GKR, as well as my simplified explanation of the main components of GKR.
But for many applications, not only do we want to prove the correctness of AI output computations, but we also want to hide the model. There are some simple methods for this: you can split the model so that a different set of servers redundantly store each layer, and hope that certain servers leaking certain layers will not leak too much information. But there are also surprising techniques like secure multi-party computation.
In both cases, the moral of the story is the same: the main part of AI computation is matrix multiplication, and highly efficient ZK-SNARKs, MPCs (or even FHE) can be designed for matrix multiplication, making the overall overhead of putting AI into a cryptographic framework unexpectedly low. In general, non-linear layers are the biggest bottleneck, despite their smaller size. Perhaps new technologies like query arguments (lookup) can provide assistance.
Now, let’s discuss another important issue: even if the contents of the model remain private and you can only access the model through an “API”, there are still types of attacks that can be performed. Quoting from a 2016 paper:
Therefore, attackers can train their own substitute models, make adversarial examples against the substitute models, and transfer them to the victim models with little knowledge about the victim.
Potentially, even with very limited or no access rights to the model being attacked, you can still build attacks simply by training data. As of 2023, such attacks remain a significant problem.
To effectively mitigate such black-box attacks, we need to do two things:
Truly limit who or what can query the model and the number of queries. Black boxes with unrestricted API access are insecure; black boxes with very limited API access may be secure.
While hiding the training data, ensure the integrity of the process of building the training data.
Regarding the former, the project that has done the most in this regard is probably Worldcoin, and I have analyzed its early versions (as well as other protocols) here in detail. Worldcoin extensively uses AI models at the protocol level to (i) convert iris scans into short “iris codes” that are easy to compare for similarity, and (ii) verify that the scanned object is actually human.
The main defense mechanism that Worldcoin relies on is not allowing anyone to simply call the AI model: instead, it uses trusted hardware to ensure that the model only accepts inputs digitally signed by an orb camera.
This approach does not guarantee effectiveness: it turns out that you can perform adversarial attacks on biometric identification AI by attaching physical patches or wearing jewelry on your face.
But our hope is that if we combine all defense measures, including hiding the AI model itself, strictly limiting the number of queries, and requiring each query to be authenticated in some way, then adversarial attacks will become very difficult, making the system more secure.
This leads to the second question: how do we hide the training data?
This is where “AI governed by DAOs” can actually make sense: we can create an on-chain DAO to manage who is allowed to submit training data (and the assertions required for the data itself), who can make queries and how many, and use cryptographic techniques like MPC to encrypt the entire AI build and execution process from the training inputs of each individual user to the final output of each query. This DAO can also fulfill the popular goal of compensating those who submit data.
It should be emphasized that this plan is very ambitious and there are many aspects that can prove it to be impractical:
For this fully black-box architecture, the cryptographic overhead may still be too high to compete with the traditional closed “trust me” approach.
It may be the case that there is no good way to decentralize the process of submitting training data and prevent poisoning attacks.
Multi-party computation devices may compromise their security or privacy guarantees due to collusion among participants, as this has happened repeatedly on cross-chain bridges.
One of the reasons I did not warn “don’t be an AI judge, it’s a dystopia” at the beginning of this section is that our society is already heavily reliant on unaccountable centralized AI judges: deciding what type of algorithmic posts and political views are promoted or demoted on social media, and even subject to censorship.
I do think that further exacerbating this trend at the current stage is a rather bad idea, but I don’t believe that the blockchain community experimenting more with AI will be the main reason to make things worse.
In fact, encryption technology has some very basic and low-risk ways to improve even existing centralized systems, and I am very confident in that. One simple technique is delayed-release verifiable AI: when a social media website uses AI-based post rankings, it can release a ZK-SNARK proving the hash value of the model that generated the ranking. The website can commit to publicly releasing its AI model after a certain delay (e.g., one year).
Once the model is released, users can check the hash value to verify if the correct model was released, and the community can test the model to verify its fairness. The delayed release ensures that the model is already outdated when it is released.
Therefore, the problem is not whether we can do better than the centralized world, but how much better we can do. However, caution is needed for the decentralized world: if someone builds a prediction market or stablecoin that relies on an oracle AI, and someone discovers that the oracle is attackable, a large sum of money could disappear in an instant.
If the techniques mentioned above for building scalable decentralized private AIs (whose contents are a black box unknown to anyone) actually work, then they can also be used to build practical AIs that go beyond blockchains. The NEAR Protocol team is making this a core goal of their ongoing work.
There are two reasons for doing this:
If “trusted black box AIs” can be established by using combinations of blockchain and multi-party computation to execute the training and inference processes, many applications that users are concerned about biases or deception in can benefit. Many express a desire for democratic governance of the AI we rely on; cryptographic and blockchain-based technologies may be a path to achieve this goal.
From the perspective of AI security, this would be a technology to build decentralized AIs with a natural emergency stop switch and the ability to limit queries attempting malicious behavior using AI.
It is worth noting that “using cryptographic incentives to encourage better AI” can be achieved without fully falling into the rabbit hole of using cryptography to fully encrypt everything: methods like BitTensor belong to this category.
With the development of blockchain and AI, the number of cross-domain applications between the two is also increasing, some of which have more meaningful and robust use cases.
Overall, those underlying mechanisms remain largely unchanged, but individual participants become the use cases for AI and mechanisms that effectively execute at a more granular level are the ones with the most immediate prospects and the easiest to implement.
The most challenging ones are those attempting to build “singletons” (single decentralized trusted AIs) using blockchain and cryptographic techniques: applications that rely on a single decentralized trusted AI for a specific purpose. These applications have the potential to be functional and improve AI security while avoiding centralization risks.
But the underlying assumptions may also fail in many ways. Therefore, caution is especially needed when deploying these applications in high-value and high-risk environments.
I look forward to seeing more constructive attempts at AI use cases in all of these areas, so that we can see which use cases are truly feasible at scale.
Related Reports
Vitalik’s Analysis of “FTX Shutdown and OpenAI Governance Crisis”: Transparency and Accountability to the Public are Vital!
2023 Statistics: Google Searches for “AI” Far Surpass Bitcoin and Cryptocurrency! China Most Interested in Artificial Intelligence
2024, the Year of AI Tokens? A Glimpse of 10 Low Market Cap AI Projects