TAO: New Protocol Enables Verification of Neural Networks Running on Untrusted Hardware
Researchers have developed TAO, a verification protocol that allows users to confirm neural network outputs are correct even when models run on cloud GPUs or other hardware outside their control. The protocol addresses the challenge that floating-point computation on different accelerators produces slightly different results, making exact verification impractical. This matters because it could protect users from service providers secretly downgrading models or altering outputs without detection.
TAO is a tolerance-aware verification system designed to address a critical trust problem in machine learning services: when neural networks run on cloud infrastructure, users cannot easily verify that the service provider actually ran the intended model or that outputs faithfully reflect inputs. Rather than requiring bitwise-identical results across different hardware (which is impossible due to floating-point nondeterminism), TAO accepts outputs within principled tolerance ranges based on IEEE-754 error bounds and empirical calibration. The system uses a dispute resolution mechanism—a Merkle-anchored game that recursively partitions computation graphs—to identify any discrepancies, ultimately reducing verification to lightweight checks or honest-majority votes. Implemented as a PyTorch-compatible runtime with a contract layer on Ethereum's Holesky testnet, TAO adds negligible overhead (0.3% on tested models) while achieving empirical error thresholds 100–1000 times tighter than theoretical worst-case bounds, successfully defending against adversarial attacks.
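A simplified sketch of the tolerance-aware dispute idea described above, added here as an illustration and not taken from the TAO paper or its code. Assumptions: a linear chain of scalar operators stands in for the computation graph, `TOL` is a constructed tolerance rather than an IEEE-754-derived bound, the full trace is revealed against the Merkle root instead of per-node proofs, and all function names are hypothetical.

```python
import hashlib, math, struct

TOL = 1e-9  # constructed tolerance; TAO derives its bounds from IEEE-754 analysis and calibration
OPS = [lambda x: 0.5 * x + 1.0, math.tanh, lambda x: 3.0 * x, math.exp, lambda x: x / 7.0]

def run(x, drift=0.0, tamper_at=None):
    """Return [input, out_0, ..., out_n-1]; drift models benign rounding, tamper_at an altered operator."""
    trace = [x]
    for i, op in enumerate(OPS):
        y = op(trace[-1]) * (1.0 + drift)
        if i == tamper_at:
            y += 1e-3                      # deviation far outside the tolerance
        trace.append(y)
    return trace

def merkle_root(trace):
    """Commit to every intermediate value with a binary SHA-256 Merkle tree."""
    level = [hashlib.sha256(struct.pack(">d", v)).digest() for v in trace]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])        # duplicate the last node on odd levels
        level = [hashlib.sha256(a + b).digest() for a, b in zip(level[::2], level[1::2])]
    return level[0]

def close(a, b, tol=TOL):
    """Tolerance-aware equality: accept values that differ only by rounding-scale error."""
    return abs(a - b) <= tol * max(1.0, abs(a), abs(b))

def dispute(commitment, revealed, challenger):
    """Bisect to the first operator the traces disagree on, then re-execute only that operator."""
    if merkle_root(revealed) != commitment:
        return ("proposer_at_fault", None)  # revealed values do not match the commitment
    if close(revealed[-1], challenger[-1]):
        return ("accepted", None)           # outputs agree within tolerance, no dispute
    lo, hi = 0, len(revealed) - 1           # invariant: agree at lo, disagree at hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if close(revealed[mid], challenger[mid]):
            lo = mid
        else:
            hi = mid
    # Single-operator check, run on the proposer's own claimed input to operator lo.
    ok = close(OPS[lo](revealed[lo]), revealed[hi])
    return ("challenger_at_fault" if ok else "proposer_at_fault", lo)
```

The bisection needs only a logarithmic number of comparisons, and the final check re-runs one operator instead of the whole model.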
What's missing
The paper does not discuss potential limitations of the honest-majority voting mechanism in the dispute game (e.g., how many independent operators are required to ensure security, or what happens if a majority of operators are compromised). Additionally, the practical deployment pathway beyond the testnet and adoption barriers for real-world ML-as-a-Service providers are not addressed.
What different sources said
- arXiv cs.AI: TAO: Tolerance-Aware Optimistic Verification for Floating-Point Neural Networks