Machine learning property attestations allow provers (e.g., model providers or owners) to attest properties of their models/datasets to verifiers (e.g., regulators, customers), enabling accountability towards regulations and policies. But current approaches do not support generative models or large datasets. We present PAL*M, a property attestation framework for large generative models, illustrated using large language models. PAL*M defines properties across training and inference, leverages confidential virtual machines with security-aware GPUs for coverage of CPU-GPU operations, and proposes using incremental multiset hashing over memory-mapped datasets to efficiently track their integrity. We implement PAL*M on Intel TDX+NVIDIA H100 and evaluate it using state-of-the-art models and datasets, showing PAL*M is efficient, incurring < 11% overhead for common operations. Finally, we use the Tamarin Prover symbolic verification tool to formally model PAL*M's property attestation protocol, confirming that its security guarantees are upheld under the defined threat model.
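To make the dataset-integrity idea concrete, the following is an added example (not PAL*M's code, nor the paper's implementation) of an incremental multiset hash in the multiplicative style: each chunk of a memory-mapped file is hashed together with its index into a group element, and the dataset digest is the product of those elements modulo a prime. Replacing one chunk then costs one inversion and one multiplication instead of a full re-read, and the digest is independent of the order in which chunks are visited while still detecting a reordering of chunk contents. The modulus (the Mersenne prime 2^521 - 1), the 4 KiB chunk size and the domain-separation tag are assumptions chosen for illustration; a deployment would select a prime sized for the discrete-log hardness it requires.

```python
import hashlib
import mmap
import os
import tempfile

# Assumed parameters for this illustration, not values from the paper.
P = (1 << 521) - 1          # Mersenne prime used as the group modulus
CHUNK = 4096                # chunk size in bytes
TAG = b"demo-dataset-chunk" # domain-separation tag


def element_hash(index: int, chunk: bytes) -> int:
    """Map (index || chunk) to an element of [1, P-1] so the hash binds position."""
    h = hashlib.blake2b(TAG + index.to_bytes(8, "big") + chunk, digest_size=64).digest()
    return int.from_bytes(h, "big") % (P - 1) + 1


def multiset_hash(chunks) -> int:
    """Digest of an in-memory list of chunks: product of element hashes mod P."""
    acc = 1
    for i, c in enumerate(chunks):
        acc = acc * element_hash(i, c) % P
    return acc


def update_hash(acc: int, index: int, old_chunk: bytes, new_chunk: bytes) -> int:
    """Incrementally replace one chunk: divide out the old element, multiply in the new."""
    acc = acc * pow(element_hash(index, old_chunk), -1, P) % P
    return acc * element_hash(index, new_chunk) % P


def mmap_hash(mm, reverse: bool = False) -> int:
    """Full digest over a memory-mapped file; visiting order does not change the result."""
    n = (len(mm) + CHUNK - 1) // CHUNK
    order = range(n - 1, -1, -1) if reverse else range(n)
    acc = 1
    for i in order:
        acc = acc * element_hash(i, mm[i * CHUNK:(i + 1) * CHUNK]) % P
    return acc


def demo() -> dict:
    """Build a constructed 8-chunk dataset, modify it in place, and check the properties."""
    chunks = [bytes([i]) * CHUNK for i in range(8)]   # constructed sample data
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"".join(chunks))
        with open(path, "r+b") as f, mmap.mmap(f.fileno(), 0) as mm:
            base = mmap_hash(mm)
            order_independent = base == mmap_hash(mm, reverse=True)

            # In-place edit of chunk 3, tracked with one incremental update.
            old = bytes(mm[3 * CHUNK:4 * CHUNK])
            new = b"\xff" * CHUNK
            mm[3 * CHUNK:4 * CHUNK] = new
            incremental = update_hash(base, 3, old, new)
            incremental_matches_full = incremental == mmap_hash(mm)

            # Swapping the contents of chunks 1 and 2 must be detected because
            # the index is bound into each element.
            c1, c2 = bytes(mm[CHUNK:2 * CHUNK]), bytes(mm[2 * CHUNK:3 * CHUNK])
            mm[CHUNK:2 * CHUNK], mm[2 * CHUNK:3 * CHUNK] = c2, c1
            reorder_detected = mmap_hash(mm) != incremental
            mm.flush()
    finally:
        os.unlink(path)
    return {
        "order_independent": order_independent,
        "incremental_matches_full": incremental_matches_full,
        "reorder_detected": reorder_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Binding the chunk index into each element is the design choice worth noting: a plain multiset hash over chunk bytes would be insensitive to reordering, so an integrity check built on it could not tell a permuted dataset from the original. With the index included, the structure keeps the incremental-update and order-of-visit properties that make it attractive for large memory-mapped datasets while still fixing each chunk to its position.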