AI/ ai · security · llm · open-source

Microsoft Proposes a Cryptographic Way to Prove LLM Ownership

A new fingerprinting framework ties model outputs to cryptographic proofs, aiming to make AI model theft easier to detect and prosecute.

A research team has built a cryptographic fingerprinting system designed to prove when a large language model has been copied or misused.

The technique, called Chain and Hash, embeds fingerprint prompts into a model during training and then cryptographically links those prompts to their expected responses. If someone takes the model, fine-tunes it, or strips out identifiers, the fingerprint is supposed to survive. The researchers identify five properties a fingerprint must have to be useful — transparency, efficiency, persistence, robustness, and unforgeability — and argue their method satisfies all five. They also tested against a specific attack vector: using meta-prompts to shift a model's output style enough to obscure a fingerprint. Random padding and varied meta-prompt configurations during training appear to close that gap.

Model theft is a real and growing problem as frontier models become more valuable — fine-tuned derivatives and leaked weights are already circulating, and current ownership claims rely mostly on legal agreements rather than technical proof. A cryptographic method that survives fine-tuning would shift that balance, giving companies something to point at in court beyond a terms-of-service violation. The framework also covers LoRA adapters, the lightweight fine-tuning technique widely used to customize open-source models.

The code is public on GitHub under Microsoft's account, which makes this easy to evaluate — and easy to attack. How long the fingerprint holds against a motivated adversary with full model access remains the real test.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →