A research team has built a cryptographic fingerprinting system designed to prove when a large language model has been copied or misused.
The technique, called Chain and Hash, embeds fingerprint prompts into a model during training and then cryptographically links those prompts to their expected responses. If someone takes the model, fine-tunes it, or strips out identifiers, the fingerprint is supposed to survive. The researchers identify five properties a fingerprint must have to be useful — transparency, efficiency, persistence, robustness, and unforgeability — and argue their method satisfies all five. They also tested against a specific attack vector: using meta-prompts to shift a model's output style enough to obscure a fingerprint. Random padding and varied meta-prompt configurations during training appear to close that gap.
Model theft is a real and growing problem as frontier models become more valuable — fine-tuned derivatives and leaked weights are already circulating, and current ownership claims rely mostly on legal agreements rather than technical proof. A cryptographic method that survives fine-tuning would shift that balance, giving companies something to point at in court beyond a terms-of-service violation. The framework also covers LoRA adapters, the lightweight fine-tuning technique widely used to customize open-source models.
The code is public on GitHub under Microsoft's account, which makes this easy to evaluate — and easy to attack. How long the fingerprint holds against a motivated adversary with full model access remains the real test.