Why Confidential Computing is Inevitable for Decentralized AI

Alex Zaidelson
Secret Network Ecosystem
9 min read · Jun 10, 2024

Introduction

In the past year, rapid advances in LLMs and talk of upcoming Artificial General Intelligence (AGI) have captured the imagination of millions around the world. It is clear that AI is already transforming the ways we work, learn, create, and communicate, and will do so even more in the coming years, unlocking amazing possibilities for humankind.

Naturally, the Web3 industry is at the forefront of innovation. Searching for “AI” on CoinMarketCap reveals over 80 projects in the category, and the number is growing.

Indeed, the existing Web2 AI solutions are centralized, monopolistic, non-transparent and prone to censorship. Companies like OpenAI can grab enormous amounts of monopoly power, essentially controlling how we think.

In his recent seminal piece on Blockchain and AI, Vitalik talks about the promises and challenges of the intersection between AI and blockchain. In the article, Vitalik proposed a simple Venn diagram showing the synergies between AI and blockchain, which we mostly subscribe to.

The benefits of putting AI on chain are clear:

  • Self Sovereignty: Users can own their own data
  • Lower costs: blockchains can create an efficient market for AI computing, preventing monopolistic pricing
  • Enhanced monetization: using tokens as means of exchange for services
  • Innovation: the open nature and composability of Web3 allow developers to innovate more quickly

Despite these benefits, challenges like data privacy, model transparency, and integration complexity remain. Nonetheless, the industry is progressing, gaining traction and popularity.

Leading AI Projects in Web3

Let’s look at some of the leading players in the space.

Bittensor

Bittensor is currently the largest AI project in terms of market cap.

Bittensor is an open-source protocol that aims to create a decentralized, incentivized network for machine learning. It allows AI models to collaborate and share their knowledge while maintaining ownership and control over their data.

The Bittensor network consists of multiple subnets, each of which is dedicated to specific tasks or domains. Miners inside each subnet execute AI tasks, while subnet validators evaluate the miners' performance and assign them weights accordingly. Miners and validators are incentivized, with each subnet potentially having its own incentive mechanism. Each miner can have multiple computational nodes, or neurons.

Bittensor currently has 36 subnets, and boasts over 86K active accounts.

In terms of confidentiality, it seems that the miners and neurons get full access to user requests.

Also, payments for computations are registered on a transparent blockchain, so the usage of different computing services by an individual wallet can be observed by anyone.

RNDR

The Render Network is the first decentralized GPU rendering platform, empowering artists to scale GPU rendering work on-demand to high performance GPU Nodes around the world. It is primarily used for rendering video content.

RNDR allows owners of GPU hardware to earn RNDR coins by offering their computing power to creators around the world. The nodes offer a single kind of workload — the Octane rendering software, with Cinema 4D rendering coming soon.

Smart contracts are used to pay for rendering. Originally, RNDR was deployed on Ethereum and is currently migrating to Solana.

The RNDR whitepaper addresses the need for privacy and lists several provisions, such as breaking jobs down into multiple parts and encrypting content on disk. However, it seems like the Nodes can get full access to the assets they are rendering. Also, all transactions are available on-chain and can be observed.

Fetch.ai

Fetch.ai is “the first open network for AI agents”. Through its Agentverse product, Fetch.ai creates an easy way for anyone to create and deploy an AI agent. At the time of this writing, almost 50,000 AI agents are deployed on the network. By default, all agents are public (i.e. their protocol is published

The agents can be queried in multiple ways, including a convenient chat interface branded DeltaV.

The code of the published agents, as well as the end users’ queries, is apparently visible to the nodes that run them.

Since computation requests and payments are done on-chain, the information on model usage is also fully transparent.

Akash

Akash is a generic computing marketplace for multiple purposes. Providers offer their computing

Users can rent CPU or GPU instances and choose from over 400 templates to be deployed on the rented instances, ranging from game servers to GPU/CPU miners to GPT AI models such as llama, OpenGPT and image generation AI like Stable Diffusion. Users can also deploy their own custom Docker images.

Payment is done with Akash’s native token — AKT on Akash chain.

Akash has over 70 Providers supplying computing resources on-chain, with a total capacity of 15K CPUs and 400 GPUs.

Workloads are run on the providers’ machines, and thus the providers can theoretically access both code and data of the workloads.

Since payment is all on-chain, the metadata of resource usage is also fully transparent.

SingularityNET

SingularityNET is a decentralized platform that allows AI algorithms to collaborate and scale. The SingularityNET Platform is an open and decentralized network of AI services made accessible through the blockchain. Developers publish their services to the SingularityNET network, where they can be used by anyone with an internet connection. Developers are able to charge for the use of their services using the native AGIX token on the Cardano blockchain.

SingularityNET operates an AI marketplace where providers can publish their own self-hosted services. Currently, over 80 services are published, ranging from speech recognition to music synthesis and other AI use cases.

As with previous projects, service providers apparently get full access to users’ requests. Also, all the usage metadata is transparent on-chain.

iExec

iExec is building a decentralized cloud computing market where digital assets and data, including AI models, can be monetized.

iExec operates a marketplace where users can give computing tasks to decentralized applications. The iExec blockchain is used to facilitate bidding and task management.

iExec supports Confidential Computing applications by allowing developers to build apps on Intel SGX, and by managing access to data through the Secret Management Service (SMS). Users can authorize certain apps to access certain datasets without the data being exposed. Also, using remote attestation allows the user to verify the authenticity of an application.

iExec runs its own iExec Sidechain, used for recording all payments, deployments and other activities.

Phala

Phala builds an AI coprocessor for Web3, allowing developers to create AI-Agent contracts that live on the Phala blockchain and perform various tasks.

The AI agents can implement arbitrary functionality and interact with other blockchains or 3rd party services over the Internet. For example, they can orchestrate AI services like OpenAI or LangChain, or implement their own AI functionality.

The Phala network uses TEE workers to ensure complete data protection and computation verifiability. The Phala roadmap also includes the ability for developers to deploy encrypted code / binaries so that the node operators cannot access them.

Phala operates its own chain in the Polkadot ecosystem, but its computation is blockchain agnostic. The chain is used to organize the network and handle resource payments.

Marlin

Marlin is a verifiable computing protocol featuring TEE and ZK-based coprocessors to delegate complex workloads over a decentralized cloud. It allows smart contract based protocols, web or mobile clients to rent individual compute instances or deploy serverless functions over a decentralized pool of globally distributed nodes.

Marlin offers four distinct services:

  • Marlin Cloud for renting regular GPU and CPU instances
  • Oyster Cloud for renting confidential computing instances
  • Oyster Serverless for serverless functions
  • Kalypso for outsourcing ZK proof generation

At the time of writing, the Oyster Cloud offers an inventory of over 1,500 instances to be rented.

Using confidential computing instances guarantees that the node operators are not exposed to the information that end users pass to the services running on them. In addition, attestations can be verified on-chain to guarantee that responses are received from the correct model or executable.

Marlin utilizes Amazon Nitro enclaves that allow loading encrypted images, thus protecting the actual binary from any possible analysis by the node operator (AWS in this case).

Because Marlin acts as a coprocessor, requests can be placed and transactions can be recorded on any blockchain that users prefer. Oyster relay contracts are currently available on Arbitrum, Polygon and Linea.

Transparency Challenges

After reviewing several of the leading Decentralized AI players, we can say that there are a lot of challenges related to protecting the confidentiality of users and developers.

First, most of the projects expose user queries to the node operators. While this is much better than centralized companies, it is still a big privacy risk. After all, if someone has all my AI queries, they can learn a lot about me. Even if we assume that the node operators are independent, each one may have part of the queries, or they may even collude to reconstruct the whole.

Phala, iExec and Marlin are addressing this by using Trusted Execution Environments (TEEs), one of the DeCC technologies. This guarantees that node operators are never exposed to the actual data being passed to the services. It is an important improvement in user data protection, and an important application of DeCC technology.

The non-DeCC services also expose the actual binaries to the node operator; these can potentially be disassembled, exposing trade secrets.

And finally, all the reviewed services maintain a ledger of all purchases and usage on a transparent blockchain. This also poses a significant risk. Consider two competing companies solving advanced problems with the help of a Web3 Decentralized AI service. Both can observe which services the other is using, for how long and for how much. This may expose critical competitive intelligence and hint at the directions each company is taking. Companies are usually very protective of their R&D direction, and will find it hard to subscribe to services that expose them.

The table below summarizes the state of data protection in Web3 AI today:

DeCC Has the Solution

DeCC provides solutions for those problems. By utilizing Trusted Execution Environments, projects like Phala, Marlin and iExec are able to protect a significant part of crucial user information and data.

We believe that the endgame is an end-to-end protected Decentralized AI where neither code, nor user data, nor usage metadata is available for observation.

This can only be achieved by utilizing DeCC technologies across all the layers, both on-chain and off-chain.

Secret Network provides a standalone blockchain that can be used as a confidential ledger for recording Decentralized AI transactions without compromising on user data protection. Secret Confidential Computing Layer can also be utilized to create cross-chain data protection solutions.

DeCC is Inevitable

As AI’s role in our lives grows, we expect the demand for Decentralized AI to grow significantly. The new generations of users are less willing to relinquish control over their intelligence (artificial and consequently regular) to monopolistic multinationals that may abuse their power.

However, without proper data protection on all levels, it is hard to imagine how individual users and businesses may fully embrace Decentralized AI. DeCC has the answer, and we are already seeing pioneering projects utilize it to promote safe and available AI for all.

More work will need to be done, and as an industry we have all the right tools and capabilities.

Truly competitive Decentralized AI needs confidential features all the way.

DeCC is inevitable.

Note: we thank the Phala, Marlin and iExec teams for review and feedback on this article.

The information on other projects was gathered from what is available on their respective websites, and may be incomplete.

About Secret Network

Secret Network is a layer 1 DeCC chain. Mainnet since 2020, Secret is one of the OG Confidential Computing chains. We offer a rich on-chain development ecosystem, as well as cross-chain infrastructure that allows builders on any chain to get confidential computing features easily and securely.

Secret Confidential Computing Layer offers easy-to-integrate cross-chain development primitives and allows EVM developers to add data protection and privacy to their solutions.

Learn more and join the privacy conversation by connecting with our official accounts.

Alex Zaidelson
Secret Network Ecosystem

CEO at SCRT Labs, Adviser at VirtuSwap, former CEO at Beam. Researcher, Builder, Believer.