Line of Sight
We are excited to share that we have line of sight on technology for enabling the verifiable monitoring of inference workloads.
- Verification
- Monitoring
- Embassy
Being able to provably monitor AI usage has far-reaching implications, ranging from allowing Rightsholders to participate in the value generated using their works, to enabling Defenders to manage the proliferation of dual-use capabilities across jurisdictions. Yet these practices, together with the other ones embedded in the virtuality.network, all build on a common technical basis. This is the infrastructure that will provide third-parties with cryptographic guarantees on what capabilities have been consumed, in what quantities, and in what circumstances, all without having to publish model weights or disclose algorithmic improvements. We are excited to share that we have line of sight on the technology that will enable such verifiable monitoring of AI usage, also referred to as virtual embassies. Below, we provide a rundown of key emerging building blocks:
- Sealed Computation. This is a family of cryptographic protocols motivated by the following question: How can we guarantee that an inference workload was executed in a controlled setting, without having to publish the workload? By proving that an arbitrary workload was carried out within the bounds of a specific machine, we lay the foundation for issuing a broad range of further claims about it. For instance, we may prove that it has been carried out in a specific region, or that it has been properly monitored during execution, or that it has consumed particular AI capabilities. By building on advances in trusted computing, such proofs are resilient against both malicious infrastructure providers and malicious workload providers (up to Operational Capacity 4). An initial overview of this family of cryptographic protocols can be found in a dedicated resource on the topic.
- Phantom Kernels. If sealed computation provides a means for cryptographically binding an entire family of claims to an inference workload, phantom kernels are emerging as a critical building block for metering capability consumption in particular. Previously, we have experimented with instrumenting kernels to maintain a running summary of their own memory operations as they run, enabling accurate segmentation of the memory layout into objects of interest, such as feed-forward parameters or key-value caches. However, we have reason to believe that memory activity can be accurately determined prior to kernel launch, by carrying out symbolic execution on the kernel assembly. This means that one could determine how entire memory ranges are to be used by thousands of parallel threads before they even run, by tracing how thread coordinates map to memory addresses in bulk. Not having to burden the workload with injected trackers would radically reduce overhead.
- Ursa Virtual. We expect many practices implemented by the virtuality.network to be region-specific. Similar to how most licensing of intellectual property is inherently territorial, and similar to how arms controls vary from one jurisdiction to another, we expect robust geolocation of workloads and client devices to be essential in supporting the consortium. Ursa Virtual would be a constellation of verifiable beacon servers which can help running processes orient themselves in the world through delay-based trilateration. Based on physical limits on the speed of data transfers, coupled with beacons whose integrity can be attested, Ursa Virtual would be a piece of infrastructure which enables accurately binding workloads to regions, as well as tracking capability consumption per user jurisdiction. By occasionally switching its beacons into receivers at known locations, it may help calibrate how coordinates are estimated based on packet delays.
- Miscellanea. The above appear to be the main substantial components of virtual embassies. Indeed, other ideas need to be incorporated, and their implementations optimized, yet these are more familiar engineering challenges. Activations located using phantom kernels may need to be reduced in dimensionality to make it easier for virtual embassies to store reference neural signatures per capability. The robustness of memory layout reconstruction may be improved by learning from diverse inference workloads. Authorizing Rightsholders or Defenders to populate registries with neural signatures of engaging with art or malware might end up relying on their existing TLS certificates. Enabling embassies built for different CPU architectures or cloud platforms to have their integrity attested despite having different measurements may be solved by compiling them for several platforms upfront. Despite being important questions, all of these feel closer to mundane engineering compared to the more conceptual components above.
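To make the phantom-kernel idea above concrete, here is an added example (not the project's code) that derives the byte ranges a launch will touch from affine index expressions in thread coordinates, using interval arithmetic over the whole coordinate ranges instead of running the threads, and attributes them to named allocations such as a key-value cache. The launch geometry, buffers and addresses are assumed values constructed for the illustration.

```python
# Added example (not the project's code): work out which memory ranges a kernel
# launch will touch before any thread runs. Each access is an affine expression
# in the thread coordinates; evaluating it over the full coordinate ranges with
# interval arithmetic gives the byte span touched by all threads at once, which
# is then attributed to the known allocations. All values below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    kind: str      # 'load' or 'store'
    base: int      # buffer pointer the kernel was given
    elem: int      # element size in bytes
    coeff: dict    # element index = sum(coeff[c] * c) + const, c in {'tid', 'bid'}
    const: int = 0

def affine_range(coeff, const, bounds):
    """Min/max of an affine form over inclusive coordinate intervals. The range is
    exact; as an address set it over-approximates strided access (coefficient 2)."""
    lo = hi = const
    for name, c in coeff.items():
        b_lo, b_hi = bounds[name]
        lo += c * (b_lo if c >= 0 else b_hi)
        hi += c * (b_hi if c >= 0 else b_lo)
    return lo, hi

def touched_bytes(acc, bounds):
    """Inclusive byte span [first, last] the access reaches across all threads."""
    lo, hi = affine_range(acc.coeff, acc.const, bounds)
    return acc.base + lo * acc.elem, acc.base + (hi + 1) * acc.elem - 1

def segment(accesses, bounds, allocations):
    """Allocation name -> access kinds. Spans overlapping no allocation are
    reported as 'unattributed' so out-of-bounds use stays visible."""
    hits = {}
    for acc in accesses:
        lo, hi = touched_bytes(acc, bounds)
        names = [n for n, start, size in allocations if lo < start + size and hi >= start]
        for n in names or ['unattributed']:
            hits.setdefault(n, set()).add(acc.kind)
    return hits

# Constructed launch: 4 blocks x 256 threads, global id gid = bid * 256 + tid.
LAUNCH = {'tid': (0, 255), 'bid': (0, 3)}
ALLOCS = [('kv_cache', 0x10000, 4096), ('ffn_weights', 0x20000, 8192), ('output', 0x30000, 4096)]
KERNEL = [
    Access('load', 0x10000, 4, {'bid': 256, 'tid': 1}),   # kv[gid]
    Access('load', 0x20000, 4, {'bid': 512, 'tid': 2}),   # w[2 * gid], stride-2 read
    Access('store', 0x30000, 4, {'bid': 256, 'tid': 1}),  # out[gid]
    Access('load', 0x40000, 4, {'tid': 1}),               # pointer no allocation accounts for
]
```

Calling `segment(KERNEL, LAUNCH, ALLOCS)` classifies the cache and weight reads and the output write without executing a thread, and surfaces the fourth access as unattributed.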
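The delay-based bound behind Ursa Virtual, as an added example that is not the project's code: each beacon's round-trip time, combined with the speed of light, yields a disk the process must lie in, and a region claim is accepted only when every point consistent with all the disks falls inside the region. The beacon sites, round-trip times and region boxes are assumed values constructed for the illustration.

```python
# Added example (not the project's code): bound where a process can be from
# round-trip delays to beacons at known locations. Nothing travels faster than
# light, so each beacon's RTT yields a disk the process must lie in; a region
# claim is accepted only if the intersection of those disks lies inside it.
# Beacon sites, RTTs and regions below are constructed for illustration.
import math

C_KM_PER_MS = 299.792  # speed of light in vacuum: the physical upper bound

def haversine_km(a, b):
    """Great-circle distance between (lat, lon) pairs given in degrees."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def max_distance_km(rtt_ms, speed=C_KM_PER_MS):
    """Upper bound on distance: the signal covered at most half the RTT one way."""
    return speed * rtt_ms / 2

def feasible(point, measurements):
    """True if the point lies within every beacon's delay disk."""
    return all(haversine_km(point, site) <= max_distance_km(rtt) for site, rtt in measurements)

def region_proven(bbox, measurements, step=0.5):
    """Grid-sample the tightest beacon disk (coarse; a smaller step tightens it).
    The claim bbox=(lat_min, lat_max, lon_min, lon_max) holds only if every
    feasible sample lies inside; no feasible sample at all is rejected, not accepted."""
    site, rtt = min(measurements, key=lambda m: m[1])
    r = max_distance_km(rtt)
    dlat = r / 111.2
    dlon = r / (111.2 * math.cos(math.radians(site[0])))
    lat_min, lat_max, lon_min, lon_max = bbox
    seen = False
    lat = site[0] - dlat
    while lat <= site[0] + dlat:
        lon = site[1] - dlon
        while lon <= site[1] + dlon:
            if feasible((lat, lon), measurements):
                seen = True
                if not (lat_min <= lat <= lat_max and lon_min <= lon <= lon_max):
                    return False
            lon += step
        lat += step
    return seen

# Constructed sample: three beacons and the RTTs (ms) one process measured to them.
BEACONS = {'frankfurt': (50.11, 8.68), 'dublin': (53.35, -6.26), 'stockholm': (59.33, 18.07)}
MEASURED = [(BEACONS['frankfurt'], 5.0), (BEACONS['dublin'], 9.0), (BEACONS['stockholm'], 13.0)]
EU_BOX = (35.0, 72.0, -12.0, 32.0)        # coarse bounding box standing in for a region
NL_BOX = (50.75, 53.55, 3.36, 7.23)       # a much smaller region the same delays cannot prove
```

With these delays a claimed location in Amsterdam is consistent and one in New York is not, and the region claim succeeds for the wide box but fails for the small one, showing how the achievable granularity depends on beacon placement and delay precision.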
To pull together these threads, we now have a clear line of sight to the technical maturity of virtual embassies, the core pieces of infrastructure which will support the practices of the virtuality.network. Having derisked a number of prerequisites for cryptographically proving claims about unknown inference workloads, we gradually move from open-ended exploration towards more focused implementation as we assume the role of the first Host in the consortium. We will continue sharing frequent updates on this line of work all the way to mainstream usage.