Over the years , many people have asked me the question: “Where are the most fruitful intersections between cryptocurrencies and AI?” It’s a legitimate question: Cryptocurrency and AI have been two of the major depths of the past decade. (Software) technology trends, there must be some connection between the two.
On the surface, it is easy to find synergies between the two: the decentralization of cryptocurrency can balance the centralization of AI, AI is opaque, and cryptocurrency can bring transparency; AI requires data, and blockchain is good at storing and Tracking information.
But over the years, when people have asked me to delve into specific applications, my answer has been disappointing: "Yes, there are some applications worth discussing, but not many."
In the past three years, with the rise of more powerful AI technologies such as modern LLM (Large Language Model), and not just blockchain scaling solutions, but also zero-knowledge proofs, fully homomorphic encryption, (two-party I'm starting to see this change with the rise of stronger cryptographic technologies like multi-party) secure multi-party computation.
There are indeed some promising applications of AI within the blockchain ecosystem, or by combining AI with cryptography, although care needs to be taken when applying AI.
A particular challenge is this: in cryptography, open source is the only way to make something truly secure, but in AI, open access to models (and even their training materials) greatly increases their vulnerability to adversarial machine learning attacks. This article will classify the different ways in which Crypto+AI may intersect, and explore the prospects and challenges of each classification.
Extended reading: AI in the encryption field transforms into a “first-class citizen”, the advantages and front-end applications of encryption robot agents
Crypto+AI four major intersections
AI is a very broad concept: you can think of AI as a set of algorithms that you build not by explicitly specifying them, but by stirring up a big computational soup and applying some kind of optimization pressure. Soup generates algorithms with the properties you want.
This description should never be taken lightly as it includes the process that created us humans! But this also means that AI algorithms have some common characteristics: they are very powerful, and at the same time there are certain limitations in our ability to understand or understand their internal execution processes.
There are many ways to classify artificial intelligence, and for the interaction between artificial intelligence and blockchain discussed in this article (Virgil Griffith's "Ethereum is literally a game-changing technology" article ), I They will be classified as follows:
- AI as a participant in the game (highest feasibility) : In the mechanism of AI participation, the ultimate source of incentives comes from the agreement of human input.
- AI as a gaming interface (potential, but risky) : AI helps users understand the cryptographic world around them and ensure that their actions (such as signed messages and transactions) match their intentions to avoid being tricked or deceived.
- AI as the rules of the game (need to be very cautious) : Blockchain, DAO and similar mechanisms directly call AI. For example, "AI Judge".
- AI as a Game Goal (Long-Term and Interesting) : The goal in designing blockchains, DAOs, and similar mechanisms is to build and maintain an AI that can be used for other purposes, with the cryptographic part being either to better incentivize training or In order to prevent AI from leaking private information or being abused.
Let’s review them one by one.
AI as a game player
In fact, this category has been around for almost a decade, at least since on-chain decentralized exchanges (DEX) began to become widely used. Whenever an exchange exists, there is an opportunity to make money through arbitrage, and bots can do it better than humans.
This use case has been around for a long time, even using much simpler AI than it is today, but ultimately it is a true intersection of AI and cryptocurrency. Recently, we have often seen MEV (Maximize Extractable Value) arbitrage bots exploiting each other. Any time a blockchain application involves auctions or transactions there will be arbitrage bots.
However, AI arbitrage bots are just the first example of a larger category that I expect will soon cover many other applications. Let’s take a look at AIOmen , a demonstration of a prediction market with AI as a participant:
Prediction markets have long been the holy grail of cognitive technologies. I was excited about using prediction markets as an input to governance (future governance) back in 2014, and have tried it extensively in recent elections.
But so far, prediction markets haven’t made much headway in practice for a number of reasons: the biggest players tend to be irrational, and people with the right knowledge are unwilling to spend time and place bets unless there are a lot of people involved with money, The market is often not active enough, etc.
One response to this is to point to the user experience improvements being made by Polymarket or other new prediction markets and hope that they can continue to improve and succeed where previous iterations failed.
People are willing to bet tens of billions of dollars on sports, so why don't people put enough money betting on the US election or LK99 for serious players to start getting involved? But this argument must face the fact that previous versions failed to achieve this scale (at least compared to the dreams of its backers), so it seems that some new elements are needed to make prediction markets successful.
Therefore, another response is to point out a specific feature of the prediction market ecosystem that we can expect to see in the 2020s that we did not see in the 2010s: the possibility of widespread participation of AI.
AI is willing or able to work for less than $1 an hour and has encyclopedic knowledge. If that's not enough, they can even be integrated with real-time web searches. If you build a market and provide a $50 liquidity subsidy, humans won't care about the bids, but thousands of AIs will easily swarm in and make the best guess they can.
The incentives to do a good job on any one problem may be small, but the incentives to build an AI that can make good predictions may be millions. Note that you don't even need humans to adjudicate most issues: you can use a multi-round dispute system similar to Augur or Kleros, where the AI will also participate in the early rounds. Humans only have to react in the rare cases where a series of escalations occur and both sides have significant investment.
This is a powerful primitive because once you can make a prediction market work at such a microscale, you can reuse the prediction market primitive for many other types of problems, such as:
- Is this social media post acceptable under [Terms of Use]?
- What will happen to the price of stock X (see Numerai for example)
- Is this account currently sending me messages really Elon Musk?
- Is this job submission acceptable on the online job marketplace?
- Is the DApp on https://examplefinance.network a scam?
- Is 0x1b54….98c3 the “Casinu In” ERC20 token address?
You may notice that a lot of these ideas go in the direction of what I mentioned earlier as "info defense ." Broadly speaking, the question is: How do we help users distinguish between true and false information and identify fraud, without giving a centralized authority the power to decide what is right and what is wrong and avoid abusing that power? At a micro level, the answer could be “AI.”
But at a macro level, the question is: Who builds AI? AI is a reflection of the process by which it was created and therefore inevitably contains biases. A higher-level game is needed to judge the performance of different AIs, allowing the AI to participate in the game as a player.
This way of using AI, where the AI participates in a mechanism that ultimately gets rewarded or punished (in a probabilistic way) from humans through an on-chain mechanism, I think is well worth studying. Now is the right time to delve deeper into use cases like this, as blockchain scalability is finally taking off, making anything “micro” that was often not possible on-chain now potentially possible.
A related class of applications is moving toward highly autonomous agents, using blockchains to better cooperate, whether through payments or through the use of smart contracts to make trusted commitments.
AI as a game interface
One of the ideas I proposed in My techno-optimism is that there is a market opportunity for writing user-facing software that protects users by interpreting and identifying dangers in the online world they are browsing. MetaMask’s fraud detection feature is one example that already exists.
Another example is the simulation feature of Rabby Wallet , which shows users the expected outcome of a transaction they are about to sign.
These tools have the potential to be enhanced by AI. AI can give richer, more human-readable explanations of what the DApp you are participating in is like, the consequences of the more complex operations you are signing, and whether a specific token is real (for example, BITCOIN is not just a string of characters) , it is the name of a real cryptocurrency, it is not an ERC20 token, its price is much higher than $0.045) and so on.
Some projects are beginning to develop in this direction (for example, the LangChain wallet using AI as the main interface). My personal view is that a pure AI interface may be too risky at the moment because it increases the risk of other type errors, but AI combined with more traditional interfaces becomes very feasible.
There is one specific risk worth mentioning. I’ll cover this in more detail below in the section on “AI as a Rule of the Game”, but the overall problem is with adversarial machine learning: if a user has an AI assistant inside an open source wallet, then the bad guys will have access to that AI assistant as well , so they will have unlimited opportunities to optimize their fraud to circumvent that wallet’s defenses.
All modern AI has some vulnerabilities, and these vulnerabilities are easy to find even during the training process with limited access to the model.
This is where "AI participating in on-chain micro-markets" works better: every individual AI faces the same risks, but you intentionally build an open ecosystem with dozens of people constantly iterating and improving.
Furthermore, each individual AI is closed: the system's security comes from the openness of the rules of the game, not the inner workings of each participant.
Summary: AI can help users understand what is happening in simple language, and can act as an instant mentor to protect users from mistakes, but be careful when encountering malicious misleads and scammers.
AI as the rules of the game
Now, let's talk about an application that a lot of people are excited about, but which I think is the riskiest, and where we need to move with extreme caution: what I call AI is part of the rules of the game. This is related to the mainstream political elite’s excitement about “AI judges” (for example, you can see related articles on the “World Government Summit” website), and there is a similar situation of these aspirations in blockchain applications.
If a blockchain-based smart contract or DAO requires subjective decisions to be made, can you allow AI to simply become part of the contract or DAO to help enforce those rules?
This is where adversarial machine learning will be an extremely difficult challenge. Here is a simple argument:
If an AI model that plays a key role in the mechanism is closed, you cannot verify its inner workings, so it is no better than a centralized application.
If an AI model is open, an attacker can download and simulate it locally and design a highly optimized attack to fool the model, which they can then replay over a live network.
Now, readers who are regular readers of this blog (or are crypto-natives) may have caught on to what I mean and started thinking. But please wait.
We have advanced zero-knowledge proofs and other really cool forms of cryptography. We could certainly do some cryptographic magic to hide the inner workings of the model so that an attacker cannot optimize the attack, while at the same time proving that the model is performing correctly and was built on a reasonable base set of data through a reasonable training process.
More often than not, this is the kind of thinking I promote in this blog and other articles. But when it comes to AI computing, there are two main objections:
- Cryptographic overhead : Performing a task in SNARK (or MPC, etc.) is much less efficient than performing it in plaintext. Given that AI itself already has high computational demands, is it computationally feasible to perform AI calculations in a cryptographic black box?
- Black-box adversarial machine learning attacks : There are ways to optimize attacks on AI models even without understanding the inner workings of the model. If you hide it too tightly, you could make it easier for someone who selects the training material to compromise the integrity of the model through a poisoning attack .
Both of these are complex rabbit holes that need to be explored in depth one by one.
encryption overhead
Cryptographic tools, especially general-purpose tools such as ZK-SNARK and MPC, have high overhead. It takes hundreds of milliseconds for a client to directly verify an Ethereum block, but generating a ZK-SNARK to prove the correctness of such a block can take hours. Other encryption tools, such as MPC, may have greater overhead.
AI computing itself is already prohibitively expensive: the most powerful language models can output words only slightly faster than humans can read, not to mention the millions of dollars in computational costs that typically go into training these models. There is a huge difference in quality between top models and models that try to be more economical in training cost or number of primers. At first glance, this is a good reason to be skeptical of the entire project of wrapping AI in cryptography to add new guarantees.
Fortunately, AI is a very special type of computing, which allows it to perform various optimizations that more "unstructured" computing types such as ZK-EVM cannot benefit from. Let’s take a look at the basic structure of an AI model:
Typically, AI models mainly consist of a series of matrix multiplications interspersed with nonlinear operations on each element, such as the ReLU function (y = max (x, 0) ). Asymptotically, matrix multiplication takes up most of the work. This is really convenient for cryptography, since many forms of cryptography can perform linear operations (at least matrix multiplications on the encryption model rather than on the input) almost "for free".
If you're a cryptographer, you've probably heard of a similar phenomenon in homomorphic encryption : it's very easy to perform additions on encrypted ciphertext, but very hard to do multiplications, and it wasn't until 2009 that we found an infinitely deep way to do it Multiplication operation.
For ZK-SNARK, similar to the 2013 protocol , the protocol is less than 4 times more expensive in proving matrix multiplications. Unfortunately, the overhead of non-linear layers is still significant, with the best implementations in practice showing ~200x overhead.
However, with further research, there is hope that this overhead can be significantly reduced. You can refer to Ryan Cao's presentation , which introduces a recent approach based on GKR, and my own simplified explanation of the main components of GKR.
But for many applications, we not only want to prove that the AI output is calculated correctly, but also hide the model. There are some easy ways to do this: you can split the model so that a different set of servers store each layer redundantly, and hope that certain servers leaking certain layers don't leak too much data. But there are also some surprising specialized multi-party computations .
In both cases, the moral of the story is the same: a major part of AI computation is matrix multiplication, and very efficient ZK-SNARKs, MPCs (even FHE) can be designed for matrix multiplication, thus putting AI into cryptography The total overhead in the framework is surprisingly low. Typically, nonlinear layers are the largest bottleneck, despite their smaller size. Perhaps new technologies like lookups can help.
Black box adversarial machine learning
Now, let's discuss another important issue: even if the contents of the model remain private and you only have "API access" to the model, you can still perform the types of attacks. To quote a 2016 paper :
Many machine learning models are susceptible to adversarial examples: specially designed inputs that cause a machine learning model to produce incorrect outputs. An adversarial example that affects one model will often affect the other model, even if the two models have different architectures or were trained on different training sets, as long as both models are trained to perform the same task.
Therefore, the attacker can train his own surrogate model, make adversarial examples against the surrogate model, and transfer them to the victim model with little information about the victim.
Potentially, you can even build an attack just from the training material, even if you have very limited or no access permissions to the model you want to attack. As of 2023, these types of attacks remain a significant problem.
In order to effectively contain such black box attacks, we need to do two things:
- Really limit who or what can query the model and the number of queries. A black box with unlimited API access is not secure; a black box with very restricted API access might be secure.
- While hiding training data, ensuring that the training data creation process is not corrupted is an important goal.
In terms of the former, the project that has probably done the most in this regard is Worldcoin, an early version of which I analyzed in detail here (as well as other protocols). Worldcoin uses AI models extensively at the protocol level to (i) convert iris scans into short "iris codes" that are easy to compare for similarity, and (ii) verify that the objects it scans are in fact humans.
The main defense Worldcoin relies on is that it does not allow anyone to simply call the AI model: instead, it uses trusted hardware to ensure that the model only accepts input digitally signed by the orb camera.
This approach is not guaranteed to work: It turns out that you can conduct adversarial attacks on biometric AI through things like physical patches or jewelry worn on your face.
But our hope is that if you combine all the defenses, including hiding the AI model itself, severely limiting the number of queries, and requiring each query to be authenticated in some way, then adversarial attacks will become very difficult, so that Make the system more secure.
This leads to the second question: how do we hide the training data?
This is where " democratically managed AI by a DAO " might actually make sense: we could build an on-chain DAO to manage who is allowed to submit training data (and the required representations of the data itself), who can make queries, and who can number, and uses cryptography techniques such as MPC to encrypt the entire AI build and execution process from the training input of each individual user to the final output of each query. This DAO can simultaneously satisfy the popular goal of compensating people who submit information.
It needs to be reiterated that this plan is very ambitious and there are many aspects that would prove it to be unrealistic:
- For such a completely black-box architecture, the encryption overhead may still be too high to compete with traditional closed "trust me" approaches.
- The truth may be that there is no good way to decentralize the training material submission process and prevent poisoning attacks.
- A multi-party computing setup may have its security or privacy guarantees violated due to collusion among participants: after all, this has happened time and time again on cross-chain bridges.
One of the reasons I didn't start this section with the warning "don't be an AI judge, that's dystopia" is that our society is already highly dependent on unaccountable centralized AI judges: algorithms that decide which types of posts and Political views are promoted and demoted, and even censored, on social media.
I do think that expanding this trend further at this stage is a pretty bad idea, but I don’t think that more experimentation with AI by the blockchain community will be the main reason for making the situation worse.
There are actually some very basic and low-risk ways that crypto can improve even existing centralized systems, and I'm pretty confident about that. One simple technique is delayed-release verification AI: when a social media site uses AI-based post ranking, it can release a ZK-SNARK that proves the hash value of the model that generated the ranking. The website could promise to make its AI model public after a certain delay, such as a year.
Once a model is made public, users can check the hash value to verify that the correct model was released, and the community can test the model to verify its fairness. The release delay will ensure that by the time the model is released, it is already out of date.
So the question is not whether we can do better compared to the centralized world, but how good we can do it. However, for a decentralized world, caution is needed: if someone built a prediction market or stablecoin that used an AI oracle, and then someone discovered that the oracle was hackable, there would be a large amount of money that could be lost. Disappeared instantly.
AI as a game target
If the above techniques for building scalable decentralized private AI, whose contents are black boxes unknown to anyone, can actually work, then this could also be used to build scalable, decentralized private AI that has utility beyond blockchain. AI. The NEAR Protocol team is making this a core goal of their ongoing work.
There are two reasons for doing this:
If "trustworthy black-box AI" could be built by using some combination of blockchain and multi-party computation to perform the training and inference processes, many applications whose users worry about system bias or deception could benefit. Many have expressed a desire for democratic governance of the AI we rely on; cryptography and blockchain-based technologies may be the way to achieve this.
From an AI security perspective, this would be a technology that builds decentralized AI while having a natural emergency stop switch and limiting queries that attempt to use the AI for malicious behavior.
It’s worth noting that “using cryptographic incentives to encourage making better AI” can be achieved without completely falling down the rabbit hole of using full encryption with cryptography: approaches like BitTensor fall into this category.
in conclusion
As blockchain and AI continue to develop, application cases at the intersection of the two are also increasing, and some of these use cases are more meaningful and robust.
Overall, those underlying mechanisms basically remain the same design, but individual participants become AI application cases, and mechanisms that are effectively executed at a more micro level are the most immediately promising and easiest to implement.
The most challenging are those applications that attempt to use blockchain and cryptography to build “singletons”: single decentralized trusted AI that certain applications rely on for some purpose.
These applications have the potential to both function and improve AI security while avoiding the risks of centralization.
But the underlying assumptions can also fail in many ways. Therefore, caution is required when deploying these applications, especially in high-value and high-risk environments.
I look forward to seeing more constructive attempts at AI use cases in all of these areas, so we can see which use cases are truly feasible at scale.
