In his latest article, Vitalik Buterin, the co-founder of Ethereum, categorizes the different ways in which Crypto+AI could intersect and discusses the prospects and challenges of each category. The article is sourced from Vitalik Buterin's original post and was compiled and translated by Foresight News.
Table of Contents:
1. Four intersections of Crypto+AI
2. AI as a game participant
3. AI as a game interface
4. AI as game rules
5. Cryptographic overhead
6. Black-box adversarial machine learning
7. AI as a game objective
8. Conclusion
For many years, I have been asked the question, “Where are the most effective intersections between cryptocurrencies and AI?” It is a reasonable question as cryptocurrencies and AI are two major software technology trends of the past decade, and there must be some connection between the two.
At first glance, it is easy to find the synergy between the two: the decentralization of cryptocurrencies can balance the centralization of AI, cryptocurrencies bring transparency to the opaque nature of AI, and AI requires data storage and tracking, which blockchain excels at.
However, over the years, when asked to delve deeper into specific applications, my answer has often been disappointing: “Yes, there are some applications worth exploring, but not many.”
In the past three years, with the rise of more powerful AI technologies such as modern large language models (LLMs) and more powerful cryptocurrency technologies beyond just blockchain scalability solutions, such as zero-knowledge proofs, fully homomorphic encryption, and secure multi-party computation, I have started to see a change.
Within the blockchain ecosystem, or by combining AI with cryptography, there are indeed promising AI applications, albeit with caution. One particular challenge is that in cryptography, open-source is the only way to truly secure something, but in AI, open models (even their training data) greatly increase vulnerability to adversarial machine learning attacks. This article categorizes the different ways in which Crypto+AI could intersect and discusses the prospects and challenges of each category.
The first category is AI as a game participant, which has existed for almost a decade, ever since on-chain decentralized exchanges (DEXs) came into widespread use. Wherever there is an exchange, there is an opportunity for arbitrage, and bots can perform arbitrage better than humans. This use case has been around for a long time, even with much simpler AI than what we have now, but in the end it is a genuine intersection of AI and cryptocurrencies. Recently, we have seen MEV (Maximal Extractable Value) arbitrage bots exploiting one another. Any blockchain application involving auctions or trading will have arbitrage bots.
However, AI arbitrage bots are only the first example of a much larger category, which I expect will soon cover many other applications. Take AIOmen, a demo of a prediction market in which AIs are the participants.
Prediction markets have long been a holy grail of epistemic technology. As early as 2014, I was excited about using prediction markets for governance (futarchy), and I have experimented with them extensively in recent elections.
But so far, prediction markets have not made much progress in practice for various reasons: the largest participants are often irrational, those with correct insights are unwilling to spend time and bet unless there is significant money involved, and the markets are often not active enough, among other reasons.
One response to this is to point out the user experience improvements being made by platforms like Polymarket and hope that they can succeed where previous iterations have failed.
People are willing to bet billions of dollars on sports, so why don’t they put enough money into betting on the US elections or LK99 to get serious players involved? But this argument must face the fact that previous versions failed to achieve this scale (at least compared to the dreams of their supporters), so it seems that some new elements are needed for prediction markets to succeed.
Another response is to point out a specific feature of the prediction market ecosystem that we can expect to see in the 2020s, which we did not see in the 2010s: widespread AI participation.
AIs are willing to work for less than $1 per hour and have encyclopedic knowledge; if that is not enough, they can even be integrated with real-time web search. If you create a market and put up a $50 liquidity subsidy, humans will not care enough to bid, but thousands of AIs will swarm in and make their best guesses.
The incentive to do a good job on any single question may be tiny, but the incentive to build an AI that makes good predictions in general could be worth millions. Note that you do not even need humans to adjudicate most questions: you can use a multi-round dispute system like Augur or Kleros, in which AIs would also participate in the earlier rounds. Humans would only need to respond in the rare cases where a series of escalations has taken place and large amounts of money have been committed by both sides.
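To make the idea of tiny, subsidized markets concrete, here is a minimal Python sketch (not from the original article; the class and parameter names are illustrative) of a two-outcome market priced with the standard logarithmic market scoring rule (LMSR). The subsidizer's worst-case loss under LMSR is bounded by b · ln(number of outcomes), which is what makes it possible to run a question on something like a $50 subsidy while automated participants trade the price toward their probability estimates.

```python
import math

class LMSRMarket:
    """Minimal logarithmic market scoring rule (LMSR) market maker.

    The liquidity parameter b bounds the subsidizer's worst-case loss at
    b * ln(num_outcomes), so a small subsidy can bootstrap a micro-market
    that automated participants trade against.
    """

    def __init__(self, num_outcomes: int, b: float):
        self.b = b
        self.q = [0.0] * num_outcomes  # outstanding shares per outcome

    def cost(self, q) -> float:
        # C(q) = b * ln(sum_i exp(q_i / b))
        return self.b * math.log(sum(math.exp(qi / self.b) for qi in q))

    def price(self, outcome: int) -> float:
        # Instantaneous price of an outcome = softmax of q / b
        exps = [math.exp(qi / self.b) for qi in self.q]
        return exps[outcome] / sum(exps)

    def buy(self, outcome: int, shares: float) -> float:
        """Buy `shares` of `outcome`; returns the amount the trader pays."""
        new_q = list(self.q)
        new_q[outcome] += shares
        fee = self.cost(new_q) - self.cost(self.q)
        self.q = new_q
        return fee


# A yes/no question funded with roughly a $50 subsidy (72 * ln(2) ~= 49.9).
market = LMSRMarket(num_outcomes=2, b=72.0)
print("initial P(yes):", round(market.price(0), 3))

# An automated participant that believes "yes" nudges the price upward.
paid = market.buy(outcome=0, shares=20)
print("bot paid:", round(paid, 2), "new P(yes):", round(market.price(0), 3))
```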
This is a powerful paradigm because once “prediction markets” can work at such a micro scale, you can repeat the “prediction markets” primitive for many other types of questions, such as:
– Can this social media post be accepted according to the [terms of use]?
– What will be the price change of stock X? (e.g., see Numerai)
– Is the account messaging me right now really Elon Musk?
– Can the task submitted on an online task marketplace be accepted?
– Is the DApp on https://examplefinance.network a scam?
– Is 0x1b54….98c3 the address of the “Casinu In” ERC20 token?
You might notice that many of these ideas are moving in the direction of what I previously called “info defense.” Broadly, the question is: how do we help users distinguish true information from false and identify fraudulent behavior without giving a centralized authority the power to decide right from wrong, which can be easily abused? At the micro level, the answer can be “AI.”
But at the macro level, the question is: who builds the AI? AI is a reflection of the process that created it and is inevitably biased. A higher-level game is needed to judge the performance of different AIs, allowing AI to participate as players in the game.
This way of using AI, where AIs participate in a mechanism and are ultimately rewarded or penalized (probabilistically) by an on-chain mechanism that gathers inputs from humans, is well worth researching. Now is a good time to dig deeper into use cases like this, because blockchain scaling has finally succeeded, making many "micro" interactions that were previously unfeasible on-chain viable at last.
Related applications are evolving towards highly autonomous agents that collaborate better using blockchain, either through payments or through trusted commitments made using smart contracts.
One idea I proposed in “My techno-optimism” is that there is a market opportunity for user-facing software that protects users’ interests by explaining and identifying dangers in the online world they are browsing. The scam detection feature in MetaMask is an existing example.
Another example is the simulation feature of the Rabby wallet, which shows users the expected outcome of the transactions they are about to sign.
These tools have the potential to be greatly enhanced by AI. AI could provide richer, more human-understandable explanations: what kind of DApp the user is interacting with, the consequences of the more complex operations they are signing, whether a particular token is genuine (e.g., BITCOIN is not just a string of characters; it is the name of a major real cryptocurrency, which is not an ERC20 token and whose price is far above $0.045), and more.
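As one concrete illustration of the kind of deterministic check such an assistant could layer underneath its explanations, here is a minimal Python sketch (the registry, addresses, and function names are all hypothetical placeholders, not any wallet's actual API) that flags tokens whose symbol imitates a well-known asset but whose contract address is not a recognized one.

```python
# Minimal sketch of a wallet-side token check. The registry, addresses, and
# names below are hypothetical placeholders, not any wallet's real data.

KNOWN_TOKENS = {
    # symbol -> canonical contract address (placeholder values)
    "USDC": "0xa0b8...eb48",
    "WETH": "0xc02a...6cc2",
}

WELL_KNOWN_ASSET_NAMES = {"BITCOIN", "ETHEREUM", "USDC", "WETH"}


def assess_token(symbol: str, address: str) -> str:
    """Return a plain-language verdict an assistant could show to the user."""
    symbol = symbol.upper()
    canonical = KNOWN_TOKENS.get(symbol)
    if canonical is not None and address.lower() == canonical.lower():
        return f"{symbol}: matches the known contract address."
    if symbol in WELL_KNOWN_ASSET_NAMES:
        return (f"WARNING: '{symbol}' imitates a well-known asset, but "
                f"{address} is not a recognized contract for it.")
    return f"{symbol}: unknown token; treat with caution."


print(assess_token("BITCOIN", "0x1b54...98c3"))
```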
Some projects are already moving full speed in this direction, such as the LangChain wallet, which uses AI as its primary interface. Personally, I believe that pure AI interfaces currently carry too much risk, as they increase the chance of other kinds of errors, but combining AI with a more traditional interface is very feasible.
There is one specific risk worth mentioning. I will go into more detail about this in the section on “AI as game rules,” but the general problem is adversarial machine learning. If there is an AI assistant in an open-source wallet, bad actors will also have the opportunity to obtain that AI assistant, giving them unlimited opportunities to optimize their fraudulent behavior to bypass the wallet’s defenses.
All modern AIs have vulnerabilities somewhere, and it is not too hard to find them, even with only limited access to the model's training process.
This is where “AI participating in on-chain micro-markets” works better: each individual AI faces the same risks, but you intentionally create an open ecosystem iterated and improved upon by dozens of people.
Additionally, each individual AI is siloed: the system’s security comes from the openness of the game rules, not from the internal workings of each participant.
In summary, AI can help users understand what is happening in simple language, act as an instant tutor, and protect users from being influenced by mistakes, but caution is needed when encountering malicious deceivers and scammers.
Now, let’s discuss the applications that many people are excited about but that I believe are the riskiest, and we need to proceed extremely cautiously: AI as game rules. This relates to the excitement of mainstream political elites about “AI judges” and similar desires in blockchain applications.
If a blockchain-based smart contract or DAO needs to make subjective decisions, can you simply make AI part of the contract or DAO to help enforce these rules?
This is where adversarial machine learning becomes an extremely hard problem. The basic argument is simple:
If an AI model that plays a key role in a mechanism is closed, you cannot verify its inner workings, so it is no better than a centralized application.
If the AI model is open, attackers can download and simulate it locally, design highly optimized attacks to fool the model, and then replay those attacks on the live network.
Adversarial machine learning example. Source: researchgate.net
Now, regular readers of this blog (or crypto natives) may already see where I am going and be thinking: but wait!
We have fancy zero-knowledge proofs and other very cool forms of cryptography. Surely we can do some cryptographic magic to hide the model's inner workings so that attackers cannot optimize attacks against it, while at the same time proving that the model is being executed correctly and was built using a reasonable training process on a reasonable underlying dataset.
Normally, this is exactly the kind of thinking I advocate on this blog and in my other writings. But when it comes to AI-related computation, there are two major objections:
Cryptography overhead: Performing a task in SNARK (or MPC, etc.) is much less efficient than performing it in plaintext. Considering that AI itself already has high computational requirements, is it feasible to perform AI calculations in a cryptographic black box?
Black-box adversarial machine learning attacks: even without knowing a model's internal workings, there are ways to optimize attacks against it. And if you hide too much, you may make it too easy for whoever chooses the training data to corrupt the model through poisoning attacks.
Both of these are complex rabbit holes that need to be explored one by one.
Cryptographic tools, especially general-purpose ones such as ZK-SNARKs and MPC, are expensive. Verifying an Ethereum block directly on a client takes a few hundred milliseconds, but generating a ZK-SNARK to prove the correctness of such a block can take hours. The overhead of other cryptographic tools, such as MPC, can be even greater.
AI computation itself is already very expensive: the most powerful language models output words at a speed only slightly faster than human reading speed, not to mention that training these models usually costs millions of dollars in computing costs. The quality difference between top models and models that try to save on training costs or parameter counts is significant. At first glance, this is a good reason to doubt the whole project of wrapping AI in cryptography to add guarantees.
Fortunately, however, AI is a very special type of computation, which makes it amenable to all kinds of optimizations that more "unstructured" types of computation, like those handled by a ZK-EVM, cannot benefit from. Let's look at the basic structure of an AI model:
Usually, an AI model mainly consists of a series of matrix multiplications interspersed with per-element non-linear operations such as the ReLU function (y = max(x, 0)). Asymptotically, the matrix multiplications account for most of the work. This is convenient for cryptography, because many cryptographic schemes can perform linear operations (which matrix multiplication is, at least if you encrypt the model but not the inputs to it) almost "for free".
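For intuition, here is a small numpy sketch (the layer sizes are illustrative, not taken from the article) of that structure: two dense layers where nearly all of the arithmetic sits in matrix multiplications, with a cheap element-wise ReLU in between.

```python
import numpy as np

rng = np.random.default_rng(0)

# A toy two-layer model: almost all of the arithmetic lives in the matmuls.
W1 = rng.standard_normal((1024, 1024))   # layer 1 weights (linear)
W2 = rng.standard_normal((1024, 1024))   # layer 2 weights (linear)
x = rng.standard_normal(1024)            # input vector


def relu(v):
    # Element-wise non-linearity y = max(x, 0): trivial in plaintext, but the
    # dominant cost once the computation is wrapped in a SNARK/MPC/FHE scheme.
    return np.maximum(v, 0.0)


h = relu(W1 @ x)   # linear matmul followed by a cheap non-linearity
y = W2 @ h         # another linear matmul

# Rough operation counts: the matrix multiplications dominate asymptotically,
# while each ReLU touches every element only once.
matmul_ops = 2 * (W1.size + W2.size)   # one multiply and one add per weight
relu_ops = h.size
print(f"matmul ops ~ {matmul_ops:,}; relu ops ~ {relu_ops:,}")
```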
If you are a cryptographer, you may have heard of a similar phenomenon in homomorphic encryption: performing additions on encrypted ciphertexts is very easy, but multiplications are extremely difficult, and we did not have a way to do them with unlimited depth until 2009.
For ZK-SNARKs, there are similar results in protocols like one from 2013, which show an overhead of less than 4x for proving matrix multiplications. Unfortunately, the overhead on the non-linear layers is still significant, and the best implementations in practice show an overhead of around 200x.
However, further research holds out hope of significantly reducing this overhead; see Ryan Cao's presentation of a recent approach based on GKR, and my own simplified explanation of how the main component of GKR works.
But for many applications, we do not just want to prove that the AI's output was computed correctly; we also want to hide the model. There are naive approaches to this: you can split up the model so that a different set of servers redundantly stores each layer, and hope that some servers leaking some of the layers does not leak too much data. But there are also surprisingly effective techniques based on secure multi-party computation.
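As a toy illustration of why the linear part is so cheap to hide, the numpy sketch below splits a weight matrix into two additive shares (a real MPC deployment would work over finite fields, hide the inputs as well, and defend against malicious parties, none of which is shown here): each server multiplies only its own random-looking share, and adding the two results recovers the true output.

```python
import numpy as np

rng = np.random.default_rng(1)

# Secret model weights and a (here, public) input vector.
W = rng.standard_normal((8, 8))
x = rng.standard_normal(8)

# Additively share W between two servers: W = W_share_1 + W_share_2.
# Each share on its own looks like random noise.
mask = rng.standard_normal(W.shape)
W_share_1 = mask
W_share_2 = W - mask

# Each server performs only a local matrix multiplication on its share...
y_share_1 = W_share_1 @ x
y_share_2 = W_share_2 @ x

# ...and the sum of the result shares equals the true output W @ x.
assert np.allclose(y_share_1 + y_share_2, W @ x)
print("reconstructed output matches:", np.allclose(y_share_1 + y_share_2, W @ x))
```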
In both cases (proving correctness and hiding the model), the moral of the story is the same: the largest part of an AI computation is matrix multiplication, and it is possible to design highly efficient ZK-SNARKs, MPC protocols (or even FHE) for matrix multiplication, so the total overhead of putting AI inside a cryptographic box is surprisingly low. In most cases, the non-linear layers are the biggest bottleneck despite their smaller size; perhaps newer techniques like lookup arguments can help.
Now, let’s discuss another important issue: even if the content of the model remains private and you can only access the model through “API access,” there are still types of attacks that can be performed. Quoting a paper from 2016:
Therefore, attackers can train their own substitute models, create adversarial examples against the substitute models, and transfer them to the victim models with little information about the victims.
Potentially, you can even construct an attack knowing only the training data, even with very limited or no access to the model being attacked. As of 2023, these kinds of attacks remain a major problem.
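The flavor of attack described in the quote above can be sketched in a few lines of Python (a toy example with a hypothetical logistic-regression "victim", not a description of any production system): the attacker queries the victim only for labels, fits a substitute model, crafts perturbations against the substitute, and finds that many of them transfer to the victim.

```python
import numpy as np

rng = np.random.default_rng(0)


def train_logreg(X, y, lr=0.1, steps=500):
    """Tiny logistic regression trained by gradient descent; returns (w, b)."""
    w = np.zeros(X.shape[1])
    b = 0.0
    for _ in range(steps):
        p = 1 / (1 + np.exp(-(X @ w + b)))
        w -= lr * X.T @ (p - y) / len(y)
        b -= lr * np.mean(p - y)
    return w, b


def predict(w, b, X):
    return ((X @ w + b) > 0).astype(int)


# --- Victim model: the attacker only ever sees its predictions ("API access").
X_train = np.vstack([rng.normal(-2, 1, (200, 2)), rng.normal(2, 1, (200, 2))])
y_train = np.array([0] * 200 + [1] * 200)
w_victim, b_victim = train_logreg(X_train, y_train)

# --- Attacker: query the victim to label random points, then fit a substitute.
X_query = rng.uniform(-4, 4, (300, 2))
y_query = predict(w_victim, b_victim, X_query)   # labels only, no internals
w_sub, b_sub = train_logreg(X_query, y_query)

# --- Craft adversarial examples against the substitute (a fast-gradient-style
#     step away from its decision boundary) and see how often they transfer.
X_test = rng.normal(2, 1, (100, 2))              # points genuinely in class 1
eps = 2.5
X_adv = X_test - eps * np.sign(w_sub)            # optimized against substitute

transfer_rate = np.mean(predict(w_victim, b_victim, X_adv) != 1)
print(f"adversarial points misclassified by the victim: {transfer_rate:.0%}")
```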
To effectively curb such black-box attacks, we need to do two things:
Truly limit who or what can query the model and the number of queries. A black box with unrestricted API access is unsafe; a black box with very limited API access may be safe.
Hide the training data, while ensuring that the process used to create the training data has not been corrupted.
As for the former, the project that has done the most in this regard may be Worldcoin, and I have analyzed its early versions (as well as other protocols) in detail here. Worldcoin widely uses AI models at the protocol level to (i) convert iris scans into short “iris codes” that are easy to compare for similarity, and (ii) verify that the scanned objects are actually human.
The main defense measure relied upon by Worldcoin is not allowing anyone to simply call the AI model: instead, it uses trusted hardware to ensure that the model only accepts inputs digitally signed by orb cameras.
This approach is not guaranteed to be effective: it has been proven that you can launch adversarial attacks against biometric recognition AI by using physical patches or wearing jewelry on your face.
Wearing something extra on the forehead can evade detection and even impersonate others. Source: https://arxiv.org/pdf/2109.09320.pdf
However, our hope is that if we combine all defense measures, including hiding the AI model itself, strictly limiting the number of queries, and requiring some form of authentication for each query, then adversarial attacks will become very difficult, making the system more secure.
This brings us to the second question: how do we hide the training data?
This is where "AI managed by a DAO" can actually make sense: we can create an on-chain DAO that governs who is allowed to submit training data (and what attestations are required for the data itself), who can make queries and how many, and that uses cryptographic techniques such as MPC to encrypt the entire pipeline of creating and running the AI, from each individual user's training input all the way to the final output of each query. This DAO could simultaneously satisfy the popular goal of compensating people for submitting data.
It should be reiterated that this plan is very ambitious, and there are many ways it could prove impractical:
For this completely black-box architecture, the cryptographic overhead may still be too high for it to compete with traditional closed "trust me" approaches.
It may be that there is no good way to decentralize the training data submission process and prevent poisoning attacks.
Multi-party computation schemes may break their security or privacy guarantees through collusion among participants: after all, this has happened over and over again with cross-chain bridges.
One reason I did not open this section with more warnings of "don't build AI judges, that's dystopian" is that our society already depends heavily on unaccountable centralized AI judges: the algorithms on social media that determine which kinds of posts and political opinions get boosted, demoted, or even censored.
I do believe that further amplifying this trend at the current stage is a rather bad idea, but I don’t think the blockchain community experimenting more with AI will be the main reason to make things worse.
In fact, there are some fairly basic, low-risk ways in which cryptographic techniques can improve or even replace these existing centralized systems, and I am quite confident about them. One simple technique is verified AI with delayed publication: when a social media site uses AI to rank posts, it can publish a ZK-SNARK proving the hash of the model that generated the ranking, and commit to publicly releasing the model after some delay (e.g., one year).
Once the model is released, users can check the hash to verify that the correct model was published, and the community can run tests on the model to verify its fairness. The publication delay ensures that by the time the model is revealed, it is already outdated.
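Here is a minimal sketch of the commit-and-reveal part of that pattern (the function names and toy "weights" are hypothetical, and the ZK-SNARK tying each published ranking to the committed model is out of scope): publish a hash of the model at ranking time, then let anyone check the eventual release against that commitment.

```python
import hashlib
import json


def commit_to_model(weights: dict) -> str:
    """Digest published alongside the rankings; a ZK-SNARK (not shown) would
    prove that the rankings were produced by the model with exactly this hash."""
    serialized = json.dumps(weights, sort_keys=True).encode()
    return hashlib.sha256(serialized).hexdigest()


def verify_release(released_weights: dict, published_digest: str) -> bool:
    """After the delay (e.g. one year), anyone can check that the released
    model matches the digest that was committed to at ranking time."""
    return commit_to_model(released_weights) == published_digest


# Toy "weights" stand in for the real ranking model's parameters.
model = {"layer1": [0.12, -0.7, 3.1], "bias": [0.01]}

digest = commit_to_model(model)          # published at ranking time
print("committed digest:", digest[:16], "...")

# One year later, the site releases the model; the community verifies it.
print("release matches commitment:", verify_release(model, digest))
print("tampered release detected:",
      not verify_release({"layer1": [0.0], "bias": [0.0]}, digest))
```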
Therefore, the problem is not whether we can do better than the centralized world, but how well we can do. However, caution is needed in the decentralized world: if someone builds a prediction market or stablecoin using an oracle AI, and then someone discovers that the oracle is attackable, a large sum of funds may disappear in an instant.
If the techniques mentioned above for building scalable decentralized private AIs (whose contents are black boxes known to no one) actually work, then this can also be used to build AI with practicality beyond blockchain. The NEAR Protocol team is making this a core goal of their ongoing work.
There are two reasons for doing this:
If a “trusted black box AI” can be established by using a combination of blockchain and multi-party computation to execute the training and inference process, many applications that users are concerned about the existence of bias or deception can benefit from it. Many people express a desire for democratic governance of the AI we rely on; cryptographic and blockchain-based technologies may be a way to achieve this goal.
From an AI-safety perspective, this would be a way to build decentralized AI that has a natural "kill switch", and which can restrict queries that attempt to use the AI for malicious behavior.
It is worth noting that “using cryptographic incentives to encourage the creation of better AI” can be achieved without fully falling into the rabbit hole of using cryptography to completely encrypt: methods like BitTensor belong to this category.
As blockchains and AI continue to develop, the number of use cases at the intersection of the two fields is also growing, though some of these use cases are far more meaningful and robust than others.
Overall, the use cases where the underlying mechanism continues to be designed roughly as before but the individual participants become AIs, allowing the mechanism to operate effectively at a much more micro scale, are the most immediately promising and the easiest to get right.
The most challenging to get right are applications that attempt to use blockchains and cryptographic techniques to build a "singleton": a single decentralized trusted AI. These applications have potential, both for functionality and for improving AI safety in a way that avoids centralization risks.
But the underlying assumptions may fail in many ways. Therefore, caution is needed, especially when deploying these applications in high-value and high-risk environments.
I look forward to seeing more constructive attempts at AI applications in all of these areas, so that we can see which use cases are truly scalable.