merkle-GPT
Applying cryptographic Merkle trees to LLM weight management: 520-823 MB/s build speed, 0.42% storage overhead, 50-68% bandwidth savings over Git-LFS, and 100% tamper detection.
// DESCRIPTION
The Problem: LLM Weight Management Lacks Integrity Verification
The open-weight LLM ecosystem has a supply-chain security problem that nobody has formally solved. Models are downloaded from Hugging Face, fine-tuned with LoRA adapters, quantized to INT4, merged with other checkpoints, and redistributed across organizational boundaries with no cryptographic guarantees that anything along that chain is what it claims to be. Git-LFS, the de facto standard for versioning large binary files, offers no integrity proof and requires downloading the entire model to detect even a single corrupted byte. Beyond corruption, there is the subtler threat of adversarial weight injection: a malicious actor who can modify even a small slice of a model's parameters can embed backdoors that survive quantization and adapter merging, invisible to behavioral testing alone.
The incremental synchronization problem is equally costly: organizations that frequently fine-tune models and push updates to edge deployments are forced to retransmit entire multi-gigabyte checkpoints even when only a fraction of weights changed.
Problem Background: LLM Weight Management Lacks an Integrity Verification Mechanism
The open-weight LLM ecosystem has a supply-chain security problem that has not yet been formally solved. Git-LFS, the de facto standard for versioning large binary files, neither provides an integrity proof nor can detect even a single corrupted byte without downloading the entire model. A subtler threat is adversarial weight injection: a malicious actor need only modify a small fraction of a model's parameters to plant a backdoor that survives quantization and adapter merging and cannot be discovered by behavioral testing alone.
Innovation: A 4-Level Merkle Tree Architecture for Model Weights
MerkleGPT introduces a 4-level hierarchical Merkle tree designed specifically for the structure of neural network weight tensors:
Level 1 — Model Root: A single SHA-256 hash representing the entire model, suitable for O(1) integrity checks at deployment time.
Level 2 — Layer Hashes: One hash per transformer layer, enabling layer-level integrity auditing without loading the full model.
Level 3 — Parameter Tensor Hashes: Individual weight matrices (attention projections, FFN weights, embeddings) each independently hashed, supporting targeted verification after LoRA merging or quantization.
Level 4 — 16 KB Chunk Hashes: Each parameter tensor is split into fixed 16 KB chunks, and each chunk is independently SHA-256 hashed. This is the leaf level and the basis for incremental sync: only chunks whose hashes changed need to be transmitted.
The system uses deterministic tensor serialization, a SQLite registry for local metadata persistence, and boto3/S3 for remote storage. Three distinct attack types are simulated: bit-flip injection, weight substitution, and adversarial perturbation within epsilon-ball constraints.
Innovation: A Four-Level Merkle Tree Architecture
Level 1 — Model Root Hash: a single SHA-256 hash representing the entire model, supporting O(1) integrity checks at deployment time.
Level 4 — 16 KB Chunk Hashes: each parameter tensor is split into fixed 16 KB chunks that are independently SHA-256 hashed; these form the leaf nodes of the tree and are the basis for incremental sync, since only chunks whose hash values changed need to be transmitted.
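As an added illustration of the four-level scheme above (example code written for this page, not MerkleGPT's own implementation; the tensor layout, the hash-combining format and the sample checkpoint are constructed assumptions), the following builds the tree bottom-up from 16 KB chunks, descends only into subtrees whose hashes differ to locate changed chunks, and shows that a single flipped bit is caught at the root and localized to one leaf.

```python
import hashlib
CHUNK_SIZE = 16 * 1024  # 16 KB leaf granularity, as in the README

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chunk_hashes(tensor: bytes) -> list[str]:
    """Level 4: fixed 16 KB chunks of the serialized tensor, each hashed on its own."""
    return [sha256(tensor[i:i + CHUNK_SIZE]) for i in range(0, len(tensor), CHUNK_SIZE)]

def build_tree(model: dict[str, dict[str, bytes]]) -> dict:
    """Levels 3..1; children joined in sorted-name order for a deterministic encoding (format assumed)."""
    layers, layer_digests = {}, []
    for layer in sorted(model):
        tensors, tensor_digests = {}, []
        for name in sorted(model[layer]):
            chunks = chunk_hashes(model[layer][name])
            t_hash = sha256("".join(chunks).encode())           # Level 3: tensor
            tensors[name] = {"hash": t_hash, "chunks": chunks}
            tensor_digests.append(f"{name}:{t_hash}")
        l_hash = sha256("|".join(tensor_digests).encode())      # Level 2: layer
        layers[layer] = {"hash": l_hash, "tensors": tensors}
        layer_digests.append(f"{layer}:{l_hash}")
    return {"root": sha256("|".join(layer_digests).encode()), "layers": layers}  # Level 1

def changed_chunks(old: dict, new: dict) -> list[tuple[str, str, int]]:
    """Descend only where hashes differ; return (layer, tensor, chunk_index) leaves to resend."""
    if old["root"] == new["root"]:              # O(1) check: identical models
        return []
    out = []
    for layer, nl in new["layers"].items():
        ol = old["layers"].get(layer)
        if ol and ol["hash"] == nl["hash"]:     # whole layer untouched, prune subtree
            continue
        for name, nt in nl["tensors"].items():
            ot = ol["tensors"].get(name) if ol else None
            if ot and ot["hash"] == nt["hash"]:
                continue
            old_chunks = ot["chunks"] if ot else []
            out += [(layer, name, i) for i, h in enumerate(nt["chunks"])
                    if i >= len(old_chunks) or old_chunks[i] != h]
    return out

def sample_model(flip_at=None) -> dict[str, dict[str, bytes]]:
    """Constructed stand-in checkpoint: two layers, each a 40 KB tensor (3 chunks) plus a 16 KB tensor."""
    big, small = bytes(range(256)) * 160, bytes([7]) * CHUNK_SIZE
    # optional single bit-flip injection into layer.01/q_proj at byte offset flip_at
    q = big if flip_at is None else big[:flip_at] + bytes([big[flip_at] ^ 1]) + big[flip_at + 1:]
    return {"layer.00": {"q_proj": big, "ffn_w1": small},
            "layer.01": {"q_proj": q, "ffn_w1": small}}
```

Comparing `build_tree(sample_model())` with `build_tree(sample_model(flip_at=20_000))` gives different roots, an unchanged hash for layer.00, and a single changed leaf at chunk index 1 of layer.01/q_proj.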
Results: Real Numbers, Honest Limitations
Tested on DistilGPT-2 through Qwen2.5-14B with 74 automated tests.
Build speed: 520-823 MB/s — fast enough to run as a post-training step.
Storage overhead: 0.42% — negligible relative to model weights.
Bandwidth savings: 50-68% over Git-LFS for typical fine-tuning updates; 76.5% for LoRA fine-tuning specifically. Honest limitation documented in README: full fine-tuning updates that modify every parameter provide zero bandwidth savings — a fundamental constraint of content-addressable sync.
Tamper detection: 100% across all three attack categories.
Target venue: IJCAI 2026.
Results: Real Numbers, Honest Limitations
Tested on multiple models from DistilGPT-2 to Qwen2.5-14B, with 74 automated tests in total.
Build speed: 520-823 MB/s, fast enough to run as a post-training step.
Storage overhead: 0.42%.
Bandwidth savings: 50-68% over Git-LFS for typical fine-tuning updates; for LoRA fine-tuning in particular, up to 76.5%. Known limitation honestly documented in the README: full fine-tuning updates that modify every parameter yield zero bandwidth savings.
Tamper detection rate: 100% across all three attack categories.
Target venue: IJCAI 2026.
// HIGHLIGHTS
- Targeting IJCAI 2026 — cryptographic Merkle trees for LLM weight integrity and incremental sync
- 4-level hierarchy: Model root → Layer → Parameter tensor → 16 KB SHA-256 chunks
- Build speed 520-823 MB/s; only 0.42% storage overhead for Merkle metadata
- 50-68% bandwidth savings over Git-LFS; 76.5% for LoRA fine-tuning updates
- 100% tamper detection across 3 attack types (bit-flip, weight substitution, adversarial perturbation)
- Tested on DistilGPT-2 through Qwen2.5-14B with 74 automated tests
- Honest README documents zero savings on full fine-tuning — fundamental content-addressable sync constraint
- SQLite registry + boto3/S3 backend with deterministic tensor serialization