Zero-Knowledge Proofs
LP-7110
DraftAI & Media Content Provenance Standard
Framework for verifiable AI model provenance, media authenticity, and deepfake detection using FHE+ZK proofs
Abstract
LP-7110 specifies the AI & Media Content Provenance Standard, an application-level protocol built on the VDIS framework (LP-0535) that establishes verifiable provenance chains for AI models, AI-generated content, and digital media. The standard defines:
- Model Sealing: Cryptographically bind AI model weights, architecture, and training data to immutable on-chain records
- Output Attestation: Prove that specific outputs were generated by specific sealed models using ZK proofs
- Media Authentication: Seal original media (photos, video, audio) at point of capture with device attestation
- Content Lifecycle Tracking: Track edits, transformations, and derivatives with verifiable seal chains
- Deepfake Detection Anchoring: Provide ground-truth reference points for AI-based deepfake detection systems
- Regulatory Reporting: Generate compliance reports meeting EU AI Act, C2PA, and emerging standards
The protocol leverages FHE for confidential model sealing (protecting trade secrets) and ZK proofs for verifying model-output relationships without revealing model internals.
Motivation
AI Content Crisis
The proliferation of generative AI has created an urgent need for content provenance:
- Scale: Over 90% of online content will be AI-generated or AI-modified by 2028 (Europol projection)
- Quality: Modern deepfakes pass human detection 85% of the time (MIT Media Lab, 2025)
- Legal: Courts increasingly require digital evidence provenance chains
- Regulatory: EU AI Act Article 52 requires disclosure of AI-generated content; US EO 14110 demands AI transparency
Limitations of Current Approaches
| Approach | Limitation |
|---|---|
| C2PA/Content Credentials | Centralized trust anchors; no ZK privacy; no on-chain verification |
| Watermarking | Easily removed; degrades quality; not cryptographically binding |
| AI detection models | Arms race; false positives; no ground truth |
| Metadata-based | Easily forged; no cryptographic binding |
| Blockchain timestamping | Proves existence, not provenance or authenticity |
Lux Advantage
By combining A-Chain attestation (LP-7000), the Immutable Training Ledger (LP-7102), and the Data Integrity Seal (LP-0535), Lux provides:
- Cryptographic provenance: Model → training data → output, all sealed and linked
- Privacy-preserving verification: ZK proofs verify model-output relationships without exposing model weights
- Decentralized trust: No central authority; verification via Z-Chain receipts
- Cross-standard compatibility: Outputs compatible with C2PA manifests, IPTC metadata, and EXIF extensions
- Post-quantum safety: All operations use PQ-safe cryptographic primitives
Specification
Content Provenance Graph
The protocol models content provenance as a directed acyclic graph (DAG) of sealed objects:
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ TrainingData │────→│ AI Model │────→│ AI Output │
│ Seal (DATASET)│ │ Seal (MODEL) │ │ Seal (OUTPUT) │
└───────────────┘ └───────┬───────┘ └───────────────┘
│
├────→ Output Seal 2
├────→ Output Seal 3
└────→ ...
┌───────────────┐ ┌───────────────┐ ┌───────────────┐
│ Original Photo │────→│ Edited Photo │────→│ Published │
│ Seal (MEDIA) │ │ Seal (MEDIA) │ │ Article Seal │
│ + DeviceAttest │ │ + EditHistory │ │ (DOCUMENT) │
└───────────────┘ └───────────────┘ └───────────────┘
Model Seal Specification
Model Manifest
struct ModelManifest {
bytes32 modelId; // Unique model identifier
string modelName; // Human-readable name (e.g., "GPT-4o")
string modelVersion; // Semantic version
bytes32 weightsHash; // Poseidon2(model_weights)
bytes32 architectureHash; // Poseidon2(architecture_config)
bytes32 trainingConfigHash; // Poseidon2(training_hyperparameters)
bytes32[] datasetSealIds; // References to sealed training datasets
string framework; // Training framework (e.g., "PyTorch 2.5")
string hardwareFingerprint; // Training hardware attestation
uint64 parameterCount; // Number of parameters
string modelType; // "llm", "vision", "multimodal", "audio"
bytes safetyCard; // Model safety/alignment evaluation results
}
Model Sealing
interface IModelSeal {
/// @notice Seal an AI model with full manifest
/// @param manifest The model manifest
/// @param confidential If true, use FHE to encrypt weights hash
/// @return modelSealId The seal identifier for this model
function sealModel(
ModelManifest calldata manifest,
bool confidential
) external returns (bytes32 modelSealId);
/// @notice Register a fine-tuned model as derivative of a base model
/// @param baseSealId Seal of the base model
/// @param finetuneManifest Manifest for the fine-tuned model
/// @return derivativeSealId Seal for the fine-tuned model
function sealFineTune(
bytes32 baseSealId,
ModelManifest calldata finetuneManifest
) external returns (bytes32 derivativeSealId);
/// @notice Verify a model's integrity against its seal
/// @param modelSealId The seal to verify against
/// @param weightsHash Hash of the current model weights
/// @return intact True if the model has not been tampered with
function verifyModelIntegrity(
bytes32 modelSealId,
bytes32 weightsHash
) external view returns (bool intact);
}
Output Attestation Specification
Output Attestation
struct OutputAttestation {
bytes32 outputHash; // Poseidon2(output_content)
bytes32 modelSealId; // Which model produced this output
bytes32 inputHash; // Poseidon2(input_prompt) - optional
uint64 timestamp; // Generation timestamp
string outputType; // "text", "image", "audio", "video", "code"
bytes32 inferenceConfigHash; // Poseidon2(temperature, top_p, etc.)
bytes deviceAttestation; // TEE/SGX attestation if applicable
}
Output Sealing with ZK Proof
The key innovation: prove that an output was generated by a specific model without revealing model weights or inference details.
interface IOutputAttestation {
/// @notice Seal an AI output with model provenance
/// @param attestation The output attestation
/// @return outputSealId Seal for the output
function sealOutput(
OutputAttestation calldata attestation
) external returns (bytes32 outputSealId);
/// @notice Seal an output with ZK proof of model execution
/// @dev Proof demonstrates: "This output was produced by the sealed model
/// with the given input, without revealing model weights"
/// @param attestation The output attestation
/// @param executionProof ZK proof of correct model execution
/// @return outputSealId Seal for the verified output
function sealVerifiedOutput(
OutputAttestation calldata attestation,
bytes calldata executionProof
) external returns (bytes32 outputSealId);
/// @notice Query the full provenance chain for an output
/// @param outputSealId The output seal
/// @return modelSealId The model that produced it
/// @return datasetSealIds The training data used
/// @return isVerified Whether a ZK execution proof exists
function getProvenance(
bytes32 outputSealId
) external view returns (
bytes32 modelSealId,
bytes32[] memory datasetSealIds,
bool isVerified
);
}
Media Authentication Specification
Media Seal
struct MediaSeal {
bytes32 contentHash; // Poseidon2(raw_media_bytes)
string mediaType; // MIME type
string captureDevice; // Device identifier
bytes deviceAttestation; // Hardware attestation (TPM/Secure Enclave)
int64 captureLatitude; // GPS latitude × 1e7
int64 captureLongitude; // GPS longitude × 1e7
uint64 captureTimestamp; // UNIX timestamp of capture
bytes32 exifHash; // Hash of original EXIF data
bytes c2paManifest; // Optional C2PA manifest for interop
}
Media Lifecycle
interface IMediaAuthentication {
/// @notice Seal original media at point of capture
/// @param media The media seal with device attestation
/// @return mediaSealId Seal for the original media
function sealOriginalMedia(
MediaSeal calldata media
) external returns (bytes32 mediaSealId);
/// @notice Seal an edited version of media, linking to original
/// @param originalSealId Seal of the original media
/// @param editedContentHash Hash of the edited media
/// @param editDescription Human-readable description of edits
/// @param editToolHash Hash of the editing software/version
/// @return editedSealId Seal for the edited version
function sealEditedMedia(
bytes32 originalSealId,
bytes32 editedContentHash,
string calldata editDescription,
bytes32 editToolHash
) external returns (bytes32 editedSealId);
/// @notice Check if media is the original (unedited) version
/// @param mediaSealId The seal to check
/// @return isOriginal True if this is a point-of-capture seal
function isOriginalMedia(
bytes32 mediaSealId
) external view returns (bool isOriginal);
/// @notice Get the edit history of a media item
/// @param mediaSealId Any seal in the edit chain
/// @return sealChain Ordered list of seals from original to current
function getEditHistory(
bytes32 mediaSealId
) external view returns (bytes32[] memory sealChain);
/// @notice Flag media as AI-generated (self-attestation by creator)
/// @param mediaSealId The media seal
/// @param modelSealId The AI model that generated it
/// @param generationProof Optional ZK proof of generation
function declareAIGenerated(
bytes32 mediaSealId,
bytes32 modelSealId,
bytes calldata generationProof
) external;
/// @notice Check if media has been declared as AI-generated
/// @param mediaSealId The media seal
/// @return isAI True if declared as AI-generated
/// @return modelSealId The generating model (if declared)
function isAIGenerated(
bytes32 mediaSealId
) external view returns (bool isAI, bytes32 modelSealId);
}
Deepfake Detection Integration
Rather than performing deepfake detection on-chain (computationally infeasible), the protocol provides ground truth anchoring for off-chain detection systems:
interface IDeepfakeAnchoring {
/// @notice Register a deepfake detection model
/// @param detectorSealId Seal of the detection model itself
/// @param supportedMediaTypes Media types this detector handles
/// @param accuracy Reported detection accuracy (basis points, e.g., 9500 = 95%)
/// @return detectorId Registered detector identifier
function registerDetector(
bytes32 detectorSealId,
string[] calldata supportedMediaTypes,
uint16 accuracy
) external returns (bytes32 detectorId);
/// @notice Submit a detection result anchored to sealed media
/// @param mediaSealId The media being analyzed
/// @param detectorId The detection model used
/// @param isAuthentic True if detector considers media authentic
/// @param confidence Confidence score (basis points)
/// @param analysisHash Hash of the full analysis report
/// @return resultSealId Seal of the detection result
function submitDetectionResult(
bytes32 mediaSealId,
bytes32 detectorId,
bool isAuthentic,
uint16 confidence,
bytes32 analysisHash
) external returns (bytes32 resultSealId);
/// @notice Get all detection results for a media item
/// @param mediaSealId The media to query
/// @return results Array of detection results from registered detectors
function getDetectionResults(
bytes32 mediaSealId
) external view returns (DetectionResult[] memory results);
}
struct DetectionResult {
bytes32 resultSealId;
bytes32 detectorId;
bool isAuthentic;
uint16 confidence;
bytes32 analysisHash;
uint64 timestamp;
}
Regulatory Compliance Interface
interface IRegulatoryCompliance {
/// @notice Generate EU AI Act compliance report for a model
/// @param modelSealId The sealed model
/// @return report Structured compliance data
function generateEUAIActReport(
bytes32 modelSealId
) external view returns (ComplianceReport memory report);
/// @notice Generate C2PA-compatible manifest from media seal
/// @param mediaSealId The sealed media
/// @return manifest C2PA v2.0 compatible manifest bytes
function exportC2PAManifest(
bytes32 mediaSealId
) external view returns (bytes memory manifest);
/// @notice Verify full provenance chain meets regulatory requirements
/// @param sealId Any seal in a provenance chain
/// @param standard Regulatory standard to check against
/// @return compliant True if chain meets the standard
/// @return gaps List of missing requirements
function checkCompliance(
bytes32 sealId,
string calldata standard
) external view returns (bool compliant, string[] memory gaps);
}
struct ComplianceReport {
bytes32 modelSealId;
string modelName;
uint64 parameterCount;
bool hasTrainingDataProvenance;
bool hasSafetyEvaluation;
bool hasHumanOversight;
bool hasTransparencyDisclosure;
string riskLevel; // "minimal", "limited", "high", "unacceptable"
bytes32[] datasetSealIds;
bytes32[] outputSampleSealIds;
}
Gas Schedule
| Operation | Gas Cost | Notes |
|---|---|---|
sealModel | 100,000 | Includes manifest hashing + seal creation |
sealModel (confidential) | 175,000 | FHE encryption of weights hash |
sealFineTune | 120,000 | Includes base model lineage verification |
sealOutput | 50,000 | Standard output attestation |
sealVerifiedOutput | 50,000 + proof_gas | ZK execution proof verification |
sealOriginalMedia | 75,000 | Includes device attestation verification |
sealEditedMedia | 60,000 | Edit chain extension |
declareAIGenerated | 30,000 | AI generation declaration |
submitDetectionResult | 40,000 | Detection result anchoring |
generateEUAIActReport | 20,000 | Read-only report generation |
exportC2PAManifest | 15,000 | C2PA format conversion |
Rationale
Why ZK Proofs for Model-Output Binding
The most critical innovation in this standard is the ability to prove "output X was generated by model Y" without revealing model Y's weights. This is essential because:
- Trade Secrets: Model weights are the core IP of AI companies; they cannot be published for verification
- Regulatory Need: EU AI Act requires output traceability, creating a tension with IP protection
- ZK Resolution: ZK proofs resolve this tension -- prove the relationship without the exposure
The proof circuit works by:
- Taking model weights hash as private input
- Taking model seal commitment as public input
- Proving that
Poseidon2(weights) == committed_hashANDmodel(input) == output - Verifying via LP-0510 STARK verification
Why Separate from LP-0535
LP-0535 provides the general-purpose data sealing primitive. LP-7110 adds domain-specific semantics for AI and media that would be inappropriate in the base protocol:
- Model manifests with ML-specific fields
- Output attestation with inference configuration
- Media seals with device attestation and GPS data
- Deepfake detection integration
- Regulatory compliance reporting
This layered approach keeps the base protocol simple while enabling rich application semantics.
C2PA Interoperability
The Coalition for Content Provenance and Authenticity (C2PA) is the emerging industry standard for content credentials. LP-7110 is designed to be complementary, not competing:
- Media seals can import C2PA manifests during creation
- Media seals can export C2PA-compatible manifests for distribution
- The key difference: LP-7110 provides decentralized, on-chain verification where C2PA relies on centralized trust anchors
Backwards Compatibility
This LP introduces new A-Chain/Z-Chain interfaces that extend the LP-0535 seal protocol. All operations use LP-0535 seal primitives internally, ensuring full compatibility with the base receipt and seal infrastructure.
Existing A-Chain attestation (LP-7000) and training ledger (LP-7102) records are compatible and can be referenced by model seals.
Test Cases
Model Provenance Tests
| Test | Description | Expected |
|---|---|---|
TestSealModel | Seal a model with full manifest | Model seal created, weights hash recorded |
TestSealModelConfidential | Seal model with FHE-encrypted weights | Weights hash not visible in plaintext |
TestSealFineTune | Register fine-tuned model from base | Derivative lineage established |
TestVerifyModelIntegrity | Check model against seal | Integrity confirmed |
TestVerifyTamperedModel | Check modified model against seal | Integrity violation detected |
Output Attestation Tests
| Test | Description | Expected |
|---|---|---|
TestSealOutput | Seal output with model reference | Output seal created with provenance |
TestSealVerifiedOutput | Seal output with ZK execution proof | Verified provenance chain |
TestGetProvenance | Query full provenance DAG | Model + dataset seals returned |
TestCrossModelProvenance | Output from model trained on another model's outputs | Multi-hop provenance tracked |
Media Authentication Tests
| Test | Description | Expected |
|---|---|---|
TestSealOriginalMedia | Seal photo at capture with device attestation | Original media seal created |
TestSealEditedMedia | Seal edited version of photo | Edit chain extended |
TestGetEditHistory | Query edit chain | Ordered seal list returned |
TestDeclareAIGenerated | Flag media as AI-generated | AI flag set with model reference |
TestIsAIGenerated | Query AI generation status | Correct flag returned |
Deepfake Detection Tests
| Test | Description | Expected |
|---|---|---|
TestRegisterDetector | Register detection model | Detector registered with accuracy |
TestSubmitDetectionResult | Submit analysis result | Result sealed and anchored |
TestMultipleDetectors | Multiple detectors analyze same media | All results queryable |
Compliance Tests
| Test | Description | Expected |
|---|---|---|
TestEUAIActReport | Generate compliance report | All fields populated |
TestC2PAExport | Export media seal as C2PA manifest | Valid C2PA v2.0 format |
TestComplianceCheck | Check provenance against EU AI Act | Compliance status + gaps |
Reference Implementation
Implementation locations:
A-Chain (AI attestation layer):
vms/attestation/content/
├── model_seal.go // Model sealing and verification
├── output_attestation.go // Output sealing with ZK proofs
├── media_authentication.go // Media sealing and lifecycle
├── deepfake_anchoring.go // Detection result integration
├── compliance.go // Regulatory compliance reporting
├── c2pa_interop.go // C2PA manifest import/export
├── provenance_graph.go // DAG traversal and queries
├── content_test.go // Unit tests
└── content_integration_test.go // Integration tests
Z-Chain (proof verification):
precompile/contracts/contentproof/
├── execution_proof.go // ZK execution proof verification
├── media_proof.go // Media authenticity proofs
└── contentproof_test.go // Tests
Security Considerations
Model Weight Confidentiality
Confidential model seals use FHE to encrypt the weights hash. The security of model IP depends on:
- FHE key management (LP-203, K-Chain)
- Threshold decryption prevents single-party compromise
- ZK proofs never require decryption of the weights hash
Device Attestation Trust
Media seals with device attestation depend on the trustworthiness of the capture device's secure enclave. Known limitations:
- Rooted/jailbroken devices can forge attestations
- Emulated devices can produce valid-looking attestations
- Mitigation: Cross-reference with multiple signals (GPS, network time, device reputation)
Deepfake Detection Arms Race
The deepfake detection integration does NOT claim to solve deepfake detection. It provides:
- Ground truth for original media (sealed at capture)
- Auditable detection results from multiple registered detectors
- Temporal ordering of detection claims
Detection accuracy is the responsibility of the registered detector models, not the protocol.
AI-Generated Content Disclosure
Self-declaration of AI-generated content (declareAIGenerated) is voluntary. Malicious actors will not self-declare. The protocol's value is in:
- Enabling honest actors to transparently declare AI content
- Providing verifiable provenance for those who participate
- Creating a growing "verified authentic" corpus for comparison
- Supporting regulatory compliance for responsible AI developers
Cross-Standard Metadata Leakage
When exporting to C2PA or other formats, care must be taken not to include metadata that was intended to be private. The compliance interface strips FHE-encrypted fields before export.
Economic Impact
Enterprise Value Proposition
| Segment | Value | Mechanism |
|---|---|---|
| AI Governance | Reduced regulatory risk | Automated compliance reporting |
| Media & News | Restored audience trust | Verifiable content provenance |
| Cyber Insurance | Faster claims processing | Sealed evidence chains |
| Legal & Forensics | Court-admissible proofs | Cryptographic evidence |
| Brand Protection | Counterfeit detection | Original media verification |
Fee Model
Content provenance sealing is expected to process high volumes at low per-unit cost:
- Single media seal: ~$0.02
- Model seal: ~$0.05 (larger manifest)
- Batch output sealing: ~$0.005/output (at 1000+ batch)
- Compliance report: ~$0.01
Open Questions
-
ZK Execution Proof Feasibility: Full model execution proofs (proving
model(input) = output) are currently prohibitively expensive for large models. Near-term, TEE attestation (LP-5075) may serve as a bridge. Should we define a hybrid TEE+ZK pathway? -
Deepfake Detector Incentives: How should detection model operators be incentivized for accurate results? Stake-and-slash on accuracy claims?
-
C2PA Governance Alignment: Should Lux seek formal C2PA membership to influence cross-standard compatibility?
-
Media Capture SDK: Should LP-7110 define a reference SDK for camera/device integration, or leave this to implementers?
Copyright
Copyright and related rights waived via CC0.