An AI model copyright protection and trusted inference method and system
By leveraging the remote verification and trusted execution environment of the hardware security module, the issues of AI model copyright protection and the credibility of the reasoning process are resolved. This enables dynamic model authorization and the generation of tamper-proof audit evidence, ensuring the model's security and reliable reasoning.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: XIAN THERMAL POWER RES INST CO LTD
- Filing Date: 2026-03-13
- Publication Date: 2026-06-19
AI Technical Summary
Existing technologies cannot effectively protect the copyright of AI models, prevent model piracy and tampering, and lack hardware-level security guarantees, thus failing to ensure the credibility and auditability of the reasoning process.
By using a hardware security module to generate proof information for hardware identity and platform status metrics, remote verification and dynamic control of key release are achieved, ensuring that the AI model runs in a hardware-protected trusted execution environment and generating auditable reasoning evidence.
It enables dynamic licensing and hardware binding of AI models to prevent unauthorized copying and tampering, ensures the credibility of the inference environment and the integrity of the computation results, and generates tamper-proof audit evidence.
Figure CN122241659A_ABST (abstract drawing)
Description
Technical Field
[0001] This invention belongs to the field of data processing technology, and in particular relates to a method and system for AI model copyright protection and trusted inference.
Background Art
[0002] Artificial intelligence models, especially large-scale deep learning models, are costly to train and have become core digital assets for enterprises and institutions. However, current AI models face serious security challenges in commercial deployment:
1. Model piracy and illegal copying: once a model is deployed in a user's environment, it is very easy to copy and distribute it as a whole, resulting in the loss of intellectual property rights.
[0003] 2. Model tampering: malicious attackers may tamper with deployed models, causing them to degrade in performance or produce incorrect results.
[0004] 3. Untrustworthy operating environment: the model may run on a system with malware or an unauthorized configuration; there is no guarantee that the model itself will not be stolen, nor that the inference computation will not be interfered with.
[0005] 4. Inference process and results are not auditable: in high-risk scenarios such as medical diagnosis and financial risk control, the model's inference decisions must be reliable and traceable. However, there is currently no effective technical means to prove that a given inference was performed with a specific version of the model, in a trusted environment, on specific input data.
[0006] Existing technologies mostly rely on software encryption, license keys, or code obfuscation for protection. However, these methods have inherent drawbacks:
Software encryption: the decrypted model exists in plaintext in memory and can be dumped directly by authorized users (such as system administrators).
[0007] License control: it is easy to bypass and cannot defend against attacks on underlying system software (such as the operating system kernel).
[0008] Lack of a root of trust: the above methods ultimately depend on a software stack that may already be compromised, and cannot provide hardware-level security guarantees.
[0009] Therefore, there is an urgent need in this field for a technical solution that builds a verifiable trust chain, starting from a hardware root of trust, covering the entire process of model usage.
Summary of the Invention
[0010] This invention provides a method and system for AI model copyright protection and trusted inference, which address the following technical problems. Software encryption: decrypted models exist in plaintext in memory and can be dumped directly by authorized users (such as system administrators). License control: easily bypassed and unable to defend against attacks on underlying system software (such as the operating system kernel). Lack of a root of trust: the above methods ultimately depend on a potentially compromised software stack and fail to provide hardware-level security guarantees.
[0011] The technical solution provided by this invention is as follows. In one aspect, a method for AI model copyright protection and trusted inference is provided, including the following steps:
- The model provider encrypts the AI model using a first key and sends the first key to the verification service;
- The verification service configures access control conditions for the first key; the access control conditions are associated with the hardware identity of the target deployment platform and the platform's trusted state requirements;
- When the deployment platform requests to load the encrypted AI model, a remote attestation and key release process is executed:
  - the deployment platform uses its hardware security module to generate proof information containing its hardware identity identifier and current platform status measurement value;
  - the proof information is sent to the verification service;
  - the verification service verifies the authenticity of the proof information and determines whether the hardware identity identifier and platform status metric value therein meet the access control conditions;
  - if the conditions are met, the verification service encrypts the first key using the encryption key corresponding to the hardware security module of the deployment platform before issuing it;
  - the deployment platform uses its hardware security module to decrypt and obtain the first key, and in a hardware-protected trusted execution environment uses the first key to decrypt and load the AI model;
- In the trusted execution environment, the AI model performs inference on the input data;
- An information record containing the relevant data of this inference is generated, and the record is cryptographically signed using the hardware security module to produce auditable trusted inference evidence.
[0012] In one optional implementation, the hardware security module is a dedicated security chip or processor security area that provides cryptographic operation functions and a protected storage area; The trusted execution environment creates an isolated computing space in system memory through the hardware isolation mechanism provided by the processor.
[0013] In one optional implementation, the access control conditions include a first authentication condition and a second authentication condition; The first verification condition is used to verify the hardware identity identifier; The second verification condition is used to verify the platform integrity metric.
[0014] In one optional implementation, the hardware identity identifier verified in the first verification condition is the digest value of the digital certificate of the endorsement key of the hardware security module.
[0015] In one optional implementation, the platform integrity metric verified in the second verification condition is stored in the platform configuration register of the hardware security module. The metric is obtained by performing cryptographic hash operations on the code executed at each stage of the deployment platform from startup to operating system kernel loading and then extending it into the register.
[0016] In one optional implementation, step S4, "encrypting the first key using a cryptographic key corresponding to the deployment platform hardware security module", includes: encrypting using the public key of the storage root key or the public key of the endorsement key of the hardware security module.
[0017] In one optional implementation, the key information in step S6 includes at least: the cryptographic digest value of the input data, the output result, the unique identifier of the AI model, and the timestamp.
[0018] In one alternative implementation, before or after the inference step in the trusted execution environment, the method further includes: The trusted execution environment performs input data formatting transformations or output result logic decisions that are logically associated with the AI model.
[0019] In one optional implementation, after generating the credible reasoning evidence in step S6, the method further includes: The step of sending the evidence to a node of a blockchain network or distributed ledger system for storage.
[0020] Furthermore, a system for AI model copyright protection and trusted inference is provided to implement the method described in any of the above claims, comprising: a model provider device for generating and uploading the encrypted model and the first key; a verification service device for storing keys, managing access control conditions, verifying platform credentials, and controlling key distribution; and a deployment platform device, which includes a hardware security module and a trusted execution environment construction unit, for generating platform proof, decrypting the key, loading and running the model in the trusted environment, and generating trusted inference evidence. The model provider device, the verification service device, and the deployment platform device are connected via a network.
[0021] The method provided in this embodiment of the invention has at least the following beneficial effects: through a mechanism of "key-model separation" and "conditional release based on hardware state," it transforms the access rights to AI models from static license files into authorization dynamically bound to a specific hardware platform and its real-time trusted state. AI models cannot be decrypted and run in any environment that does not meet the conditions (such as unauthorized hardware or a tampered system), fundamentally preventing the illegal copying, distribution, and use of the models.
Description of the Drawings
[0022] The above and other objects, features and advantages of this disclosure will become more apparent from the accompanying drawings, in which like reference numerals generally denote like parts.
[0023] Figure 1 illustrates the process of AI model copyright protection and trusted inference.
Detailed Description
[0024] Embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be thorough and complete, and will fully convey the scope of the present disclosure to those skilled in the art.
[0025] The term "comprising" and its variations as used herein signify open inclusion, i.e., "including but not limited to". Unless otherwise stated, the term "or" means "and / or". The term "based on" means "at least partially based on". The terms "one example embodiment" and "one embodiment" mean "at least one example embodiment". The term "another embodiment" means "at least one additional embodiment". The terms "first", "second", etc., may refer to different or the same objects. Other explicit and implicit definitions may also be included below.
[0026] Referring to Figure 1, in one aspect a method for AI model copyright protection and trusted inference is provided, including the following steps:
S1. The model provider encrypts the AI model using the first key and sends the first key to the verification service.
S2. The verification service configures access control conditions for the first key. The access control conditions are associated with the hardware identity of the target deployment platform and the platform's trusted state requirements.
S3. When the deployment platform requests to load the encrypted AI model, the remote attestation and key release process is executed:
S31. The deployment platform uses its hardware security module to generate proof information containing its hardware identity and current platform state measurement.
S32. The proof information is sent to the verification service.
S33. The verification service verifies the authenticity of the proof information and determines whether the hardware identity identifier and platform status metric value meet the access control conditions.
S34. If the conditions are met, the verification service encrypts the first key using the encryption key corresponding to the hardware security module of the deployment platform before issuing it.
S35. The deployment platform uses its hardware security module to decrypt and obtain the first key, and in a hardware-protected trusted execution environment uses the first key to decrypt and load the AI model.
S36. In the trusted execution environment, the AI model performs inference on the input data; an information record containing the relevant data of this inference is generated, and the record is cryptographically signed using the hardware security module to produce auditable trusted inference evidence.
[0027] The method provided in this embodiment of the invention has at least the following beneficial effects: The method provided in this invention, through a mechanism of "key-model separation" and "conditional release based on hardware state," transforms the access rights to AI models from static license files into authorization dynamically bound to a specific hardware platform and its real-time trusted state. AI models cannot be decrypted and run in any other environment that does not meet the conditions (such as unauthorized hardware or system tampering), fundamentally preventing the illegal copying, distribution, and use of the models.
[0028] This invention ensures the trustworthiness of the inference environment and process by mandating that the model run in a remotely authenticated, hardware-isolated Trusted Execution Environment (TEE). This protects the model from being exposed in system memory during runtime, preventing runtime theft; it also ensures that the inference logic is not interfered with by external malware, guaranteeing the integrity of the computation results.
[0029] This invention generates legally valid audit evidence, meaning that each inference produces an immutable chain of evidence signed by the hardware security module. This evidence not only proves the authenticity of the inference result, but more importantly, it cryptographically links the specific model version, the specific operating platform state, and the specific inputs and outputs, providing directly credible technical credentials for model copyright tracing, compliance verification (such as medical / financial regulation), and liability determination (such as autonomous driving accident analysis).
[0030] For example, a company trained an expensive autonomous driving perception model. They delivered the encrypted model to car manufacturers but hosted the decryption key on a cloud-based verification service, setting conditions: the key was only released if the onboard computer's TPM identity was A and its system software (PCR value) was secure version B. This way, even if the encrypted model was copied to other vehicles or the vehicle's system was tampered with, the model would not function. Each time the vehicle made a perception decision, a piece of evidence signed by the onboard TPM was generated, recording the image frame hash, decision result, and model version at that time, for subsequent accident analysis.
[0031] In step S1, the model provider encrypts the AI model using the first key and sends the first key to the verification service.
[0032] For example, the model's owner (such as an AI company) first locks up the AI model with a "digital lock" (first key), turning it into an encrypted file that cannot be used directly. Then, instead of giving this "key" directly to users, they deposit it in a trusted, neutral "online vault" (verification service). This achieves the separation of "assets (models)" and "access rights (keys)." The model can be publicly distributed (encrypted files), but the right to use it is centrally controlled.
[0033] For example, the first key is typically a randomly generated symmetric encryption key (such as an AES-256 key), which offers fast encryption and decryption speeds. The encryption model can be the ciphertext generated from the original model file (such as .pt, .pb format, etc.) after processing by an encryption algorithm; it cannot be deciphered without the key. The verification service can be a network service operated by the model provider or a trusted third party, responsible for subsequent authorization decisions.
[0034] In step S2, the verification service configures access control conditions for the first key, which are associated with the hardware identity of the target deployment platform and the platform's trusted state requirements.
[0035] For example, the access control conditions in this embodiment of the invention can be a set of predefined rules stored in the verification service as data. The hardware identity identifier can be a string that uniquely identifies the security hardware of the target device, similar to the device's "security chip ID number." The platform trust status requirements can be specific requirements on the security of the device's software stack (such as operating system version and configuration), typically expressed as a set of expected metrics.
In step S3, when the deployment platform requests to load the encrypted AI model, a remote attestation and key release process is executed. The hardware security module is an independent, tamper-resistant hardware component (such as a TPM chip) within the device, responsible for generating cryptographic proofs and storing keys. The proof information can be a data report cryptographically signed by the hardware security module, ensuring that the report's content is authentic and unaltered; it proves the platform's state at the time the report was generated.
[0036] S31. The deployment platform uses its hardware security module to generate proof information containing its hardware identity and current platform state measurement. S32. The proof information is sent to the verification service. S33. The verification service verifies the authenticity of the proof information and determines whether the hardware identity identifier and platform status metric value meet the access control conditions. Authenticity is verified by checking the validity of the report signature with the public key of the hardware security module.
[0037] The system compares the identity identifiers in the report with the whitelist of conditions; it also compares the platform status metrics in the report with the preset benchmark values in the conditions.
[0038] Encrypted and then distributed: The first key is encrypted using the public key of the target platform's hardware security module (such as the EK public key), generating a "digital package" that only the platform can decrypt.
[0039] S34. If the conditions are met, the verification service uses the encryption key corresponding to the hardware security module of the deployment platform to encrypt the first key before issuing it.
[0040] The embodiments of the present invention ensure that the key and plaintext model are never exposed to vulnerable ordinary system memory at any time through the above-described method. All sensitive operations are performed within a hardware-protected isolated space.
[0041] A Trusted Execution Environment (TEE) can be an isolated computing region created through CPU hardware mechanisms (such as memory encryption and access control) that prevents external software (including operating systems) from spying on or interfering with its internal operation.
[0042] S35. The deployment platform uses its hardware security module to decrypt and obtain the first key, and in a hardware-protected trusted execution environment, uses the first key to decrypt and load the AI model. S36. In a trusted execution environment, use an AI model to perform inference on the input data.
[0043] The steps described above create a non-repudiable and tamper-proof audit log for each model usage action. This evidence proves that a certain result was indeed generated by a specific model, under a trusted environment, based on a specific input.
[0044] The information record includes structured data, containing at least the hash of the input data, the output result, the model ID, and a timestamp. The cryptographic signature is a process where a hardware security module signs the hash value of the information record using its internally protected key. Any third party can verify this signature using the corresponding public key, thereby confirming the authenticity and integrity of the record.
[0045] In one alternative implementation, the hardware security module is a dedicated security chip or processor security area that provides cryptographic operation functions and protected storage areas. Trusted Execution Environment (TEE) creates an isolated computing space in system memory through the hardware isolation mechanism provided by the processor.
[0046] This invention clarifies the hardware foundation for implementing the solution through the above-described method, providing a specific and feasible technical path. By defining the form of the hardware security module and the construction method of the trusted execution environment, the feasibility of the solution is demonstrated.
[0047] It should be noted that a Hardware Security Module (HSM) is a physical computing device responsible for securely generating, storing, and managing encryption keys and performing encryption operations. Its core feature is a "protected storage area," meaning that sensitive data such as keys are physically difficult to extract from within its internal storage.
[0048] Dedicated security chips include standalone TPM (Trusted Platform Module) or TCM (Trusted Cryptographic Module) chips.
[0049] The processor security region can be a security processor integrated inside the CPU (such as Apple's Secure Enclave).
[0050] A Trusted Execution Environment (TEE) is a secure area within the main processor, isolated from the rest of the system (called a "Rich Execution Environment" or "REE"). Its "hardware isolation mechanism" means that isolation is achieved through CPU hardware circuitry (such as memory encryption and access control), rather than solely through operating system privileges.
[0051] For example, Intel SGX allows applications to create TEEs called "Enclaves," whose memory contents are automatically encrypted by the CPU and can only be accessed by the code within the Enclave. ARM TrustZone divides the system into a "secure world" and a "normal world," with hardware ensuring memory and resource isolation between the two worlds.
[0052] In one optional implementation, the access control conditions include a first authentication condition and a second authentication condition. The first verification condition is used to verify the hardware identity identifier; The second verification condition is used to verify the integrity metric of the platform.
[0053] This embodiment addresses the question "is this the authorized device?" through a first verification condition (identity verification). For example, it checks whether the identity field in the proof information submitted by the platform is in the list of authorized devices stored by the verification service. It addresses the question "is this device's system in an authorized / secure state?" through a second verification condition (state verification). For example, it checks whether the metric submitted by the platform equals a pre-known benchmark value representing a "clean" system state. Both the first and second verification conditions must be met simultaneously, constituting two-factor authentication for enhanced security.
In one alternative implementation, the hardware identity verified in the first verification condition is the digest value of the digital certificate of the endorsement key of the hardware security module.
[0054] This invention provides a stable, unique, and highly reliable platform identity identification scheme. By using the digest (such as a hash value) of an endorsement key (EK) certificate that is injected at the factory and is difficult to forge, the persistence and tamper-resistance of the identity identification are ensured, making it the optimal method for achieving precise hardware-level binding.
[0055] It's important to note that the Endorsement Key (EK) is an asymmetric key pair (public and private key) injected into a hardware security module (such as a TPM) during manufacturing. The private key can never be exported, while the public key is contained in a digital certificate signed by the manufacturer. The EK is the hardware module's "factory ID card," unique and difficult to clone. For privacy and ease of processing, the complete certificate is typically not used directly as the identifier; instead, its cryptographic hash (such as SHA-256) is calculated and used. This hash value is the precise technical equivalent of a "hardware fingerprint."
[0056] For example, when selling a license, the model provider records the EK certificate of the client server TPM and calculates its SHA-256 hash 0x1A2B3C..., storing it in the authorized whitelist. Subsequently, when the server requests a key, it must provide data signed with its EK private key to prove its identity.
[0057] In one alternative implementation, the platform integrity metric verified in the second verification condition is stored in the platform configuration register of the hardware security module. The metric is obtained by performing cryptographic hash operations on the code executed at each stage of the deployment platform from startup to the loading of the operating system kernel and expanding it into the register.
[0058] This invention creates a "trusted measurement chain" for the platform software state by accumulating and recording the hash value of each layer of code in the startup chain in a protected register, enabling remote parties to verify whether the platform is running the expected, tamper-proof software stack.
[0059] For example, the Platform Configuration Register (PCR) is a set of specially protected registers within hardware security modules such as TPM / TCM, specifically used to store metrics. Its key feature is the "extend" operation: new metrics are not written directly, but are concatenated with old values, hashed, and then written, thus forming a chain relationship.
[0060] The measurement process in this embodiment of the invention may include: upon platform startup, the hardware first measures the code of the BIOS firmware and stores its hash value H(BIOS) in PCR0. Then control is handed over to the bootloader; the hardware measures the bootloader code, calculates H(original PCR0 value || H(bootloader)), and updates PCR0 with the result. This process continues until the operating system kernel. Ultimately, PCR0 stores the complete "fingerprint" of the entire boot chain.
[0061] For example, the verification service stores a set of "golden image" expected PCR values [PCR0 = expected value X, PCR1 = expected value Y, ...]. The platform reports its current PCR values, which the verification service compares against them. If they match, it proves that the platform is running an audited, secure version.
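The extend chain of paragraphs [0059] to [0061] and the two verification conditions of paragraph [0053], worked through in Go as an added example that is not part of the patent: the stage contents, the EK certificate bytes and the all-zero starting register value are constructed assumptions, and the signature check over the report is left out.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// extend is the PCR "extend" operation: the register is not overwritten but set to
// H(old value || H(code)), so the result depends on every stage and on their order.
func extend(pcr [sha256.Size]byte, code []byte) [sha256.Size]byte {
	measurement := sha256.Sum256(code)
	h := sha256.New()
	h.Write(pcr[:])
	h.Write(measurement[:])
	var out [sha256.Size]byte
	copy(out[:], h.Sum(nil))
	return out
}

// bootChainPCR replays the boot chain (BIOS, bootloader, ..., kernel) into one
// register. The all-zero starting value is an assumption of this example.
func bootChainPCR(stages [][]byte) [sha256.Size]byte {
	var pcr [sha256.Size]byte
	for _, code := range stages {
		pcr = extend(pcr, code)
	}
	return pcr
}

// ekIdentifier is the hardware identity identifier: SHA-256 of the EK certificate.
func ekIdentifier(ekCert []byte) string {
	d := sha256.Sum256(ekCert)
	return hex.EncodeToString(d[:])
}

// Policy is the access control condition stored by the verification service.
type Policy struct {
	Whitelist map[string]bool   // first condition: authorized EK certificate digests
	GoldenPCR [sha256.Size]byte // second condition: expected boot-chain value
}

// Report is the content of the platform's proof information. Checking the HSM's
// signature over it (step S33) is outside this example.
type Report struct {
	EKCert []byte
	PCR0   [sha256.Size]byte
}

// checkAccess applies both conditions; the first key is released only if both hold.
func checkAccess(p Policy, r Report) (bool, string) {
	if !p.Whitelist[ekIdentifier(r.EKCert)] {
		return false, "first condition failed: hardware identity not authorized"
	}
	if r.PCR0 != p.GoldenPCR {
		return false, "second condition failed: platform state differs from golden value"
	}
	return true, "conditions met: release first key"
}

func main() {
	// Constructed stand-ins for the code measured at each boot stage.
	golden := [][]byte{[]byte("bios-v1"), []byte("bootloader-v1"), []byte("kernel-v1")}
	tampered := [][]byte{[]byte("bios-v1"), []byte("bootloader-v1-patched"), []byte("kernel-v1")}
	policy := Policy{
		Whitelist: map[string]bool{ekIdentifier([]byte("ek-cert-platform-A")): true},
		GoldenPCR: bootChainPCR(golden),
	}
	cases := map[string]Report{
		"authorized, clean":      {[]byte("ek-cert-platform-A"), bootChainPCR(golden)},
		"authorized, tampered":   {[]byte("ek-cert-platform-A"), bootChainPCR(tampered)},
		"copied to other device": {[]byte("ek-cert-platform-B"), bootChainPCR(golden)},
	}
	for name, r := range cases {
		ok, why := checkAccess(policy, r)
		fmt.Printf("%-24s -> %v (%s)\n", name, ok, why)
	}
}
```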
[0062] In one optional implementation, step S4, "encrypting the first key using the cryptographic key corresponding to the hardware security module of the deployment platform," includes: encrypting using the public key of the storage root key or the public key of the endorsement key of the hardware security module.
[0063] This invention implements a strong cryptographic binding between a key and specific hardware. The encrypted key ciphertext becomes a "hardware lock," which can only be decrypted by the target hardware security module, ensuring that even if the key is intercepted during transmission, it is useless on any other device.
[0064] The Storage Root Key (SRK) is the root key of the internal key storage system of the hardware security module and is protected by the EK. Its public key is often used to encrypt data that is about to be passed into the module.
[0065] The endorsement key (EK) is the root identity key of the hardware. The authentication service uses the SRK or EK public key, securely obtained from the target platform, to encrypt the "first key" (symmetric key). This ciphertext can only be decrypted by the specific hardware module that possesses the corresponding SRK or EK private key. This is a typical application of asymmetric encryption.
[0066] For example, the verification service queries the target platform TPM's EK public key, uses this public key to encrypt the first key (an AES-256 key) using the RSA-OAEP algorithm, and generates ciphertext. This ciphertext is gibberish to eavesdroppers on the network or other TPMs.
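The key release of paragraphs [0063] to [0066] as an added Go example, not the patent's own code: the platform's EK/SRK key pair is generated in software as a stand-in for a hardware module, the model bytes and the OAEP label are constructed, and AES-256-GCM is assumed as the model's encryption mode (the patent names only AES-256).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel is a constructed label that ties the ciphertext to this purpose.
var oaepLabel = []byte("ai-model-first-key")

// newFirstKey generates the random AES-256 "first key" of step S1.
func newFirstKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// newPlatformHSM stands in for a TPM's EK or SRK key pair. A real module never
// exports the private half; here it is generated in software for the example.
func newPlatformHSM() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptModel is the model provider's step S1: AES-256-GCM over the model
// file; the random nonce is prepended to the ciphertext.
func encryptModel(firstKey, model []byte) ([]byte, error) {
	block, err := aes.NewCipher(firstKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, model, nil), nil
}

// decryptModel runs inside the TEE in step S35; GCM's authentication tag rejects
// any modification of the encrypted model file.
func decryptModel(firstKey, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(firstKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted model too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// wrapFirstKey is the verification service's step S34: RSA-OAEP (SHA-256)
// under the target platform's EK/SRK public key.
func wrapFirstKey(platformPub *rsa.PublicKey, firstKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, platformPub, firstKey, oaepLabel)
}

// unwrapFirstKey is step S35 inside the HSM: only the holder of the matching
// private key recovers the first key; any other module gets a decryption error.
func unwrapFirstKey(hsmPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, hsmPriv, wrapped, oaepLabel)
}

func main() {
	model := []byte("constructed stand-in for a .pt model file")
	firstKey, _ := newFirstKey()
	blob, _ := encryptModel(firstKey, model)

	target, _ := newPlatformHSM()
	other, _ := newPlatformHSM()
	wrapped, _ := wrapFirstKey(&target.PublicKey, firstKey)

	if k, err := unwrapFirstKey(target, wrapped); err == nil {
		plain, _ := decryptModel(k, blob)
		fmt.Printf("target platform loaded model: %q\n", plain)
	}
	if _, err := unwrapFirstKey(other, wrapped); err != nil {
		fmt.Println("other platform cannot recover the first key:", err)
	}
}
```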
[0067] In one optional implementation, the key information in step S6 includes at least: the cryptographic digest value of the input data, the output result, the unique identifier of the AI model, and the timestamp.
[0068] This invention clarifies a standardized data structure for credible reasoning evidence, enabling it to possess the elements (subject, time, action, result) of valid electronic evidence from both legal and auditing perspectives. The use of digest values protects the privacy of the original input data while ensuring its immutability and relevance.
[0069] The cryptographic digest value can be a hash value (such as SHA-256) calculated from the input data (e.g., an image or a piece of text). This represents the specific input for that inference while avoiding the transmission and storage of raw sensitive data. The unique identifier can be the model version number, training iteration number, or, better yet, the cryptographic hash value of the model file. This uniquely identifies the algorithmic asset used for inference. The timestamp records the exact time the inference occurred, enabling time-series auditing and traceability.
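The evidence record of paragraphs [0067] to [0069] as an added Go example, not from the patent: the signing key is a software ECDSA P-256 key standing in for the hardware module's protected key, JSON in declared field order is the assumed canonical encoding, and the frame and model bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Evidence is the information record of paragraph [0067]: the digest of the
// input (never the raw input), the output, the model's identifier and the time.
type Evidence struct {
	InputDigest string `json:"input_digest"`
	Output      string `json:"output"`
	ModelID     string `json:"model_id"`  // SHA-256 of the model file
	Timestamp   string `json:"timestamp"` // RFC 3339 in UTC
}

// SignedEvidence is the record plus the HSM signature over its canonical bytes.
type SignedEvidence struct {
	Record    Evidence `json:"record"`
	Signature []byte   `json:"signature"` // ECDSA P-256, ASN.1 DER
}

func digestHex(b []byte) string {
	d := sha256.Sum256(b)
	return hex.EncodeToString(d[:])
}

// newEvidence builds the record for one inference performed at ts.
func newEvidence(input []byte, output string, modelFile []byte, ts time.Time) Evidence {
	return Evidence{
		InputDigest: digestHex(input),
		Output:      output,
		ModelID:     digestHex(modelFile),
		Timestamp:   ts.UTC().Format(time.RFC3339),
	}
}

// canonical returns the bytes that are hashed and signed. encoding/json writes
// the fields of this fixed struct in declaration order without whitespace, so
// signer and verifier derive identical bytes from the same record.
func canonical(e Evidence) ([]byte, error) {
	return json.Marshal(e)
}

// newHSMKey stands in for the module's internally protected signing key; a real
// module would never expose the private half.
func newHSMKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign is the signing part of step S36: the module signs SHA-256 of the record.
func sign(hsmKey *ecdsa.PrivateKey, e Evidence) (SignedEvidence, error) {
	msg, err := canonical(e)
	if err != nil {
		return SignedEvidence{}, err
	}
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, hsmKey, h[:])
	return SignedEvidence{Record: e, Signature: sig}, err
}

// verify is what an auditor does with the module's public key: rebuild the
// canonical bytes from the record and check the signature. Changing the input
// digest, output, model ID or timestamp invalidates the evidence.
func verify(hsmPub *ecdsa.PublicKey, se SignedEvidence) bool {
	msg, err := canonical(se.Record)
	if err != nil {
		return false
	}
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(hsmPub, h[:], se.Signature)
}

func main() {
	key, _ := newHSMKey()
	// Constructed inputs: stand-ins for a camera frame and a perception model file.
	frame := []byte("constructed camera frame bytes")
	modelFile := []byte("constructed perception model bytes")
	ev := newEvidence(frame, "pedestrian-ahead: brake", modelFile, time.Now())
	se, _ := sign(key, ev)
	fmt.Println("evidence verifies:", verify(&key.PublicKey, se))
	se.Record.Output = "clear: continue" // tampering after the fact
	fmt.Println("after tampering:", verify(&key.PublicKey, se))
}
```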
[0070] In one alternative implementation, before or after the inference step in the trusted execution environment, the method further includes: Perform input data formatting transformations or output result logic decisions that are associated with the AI model logic within a trusted execution environment.
[0071] This invention extends the boundaries of copyright protection and trusted computing from single model inference to a complete business decision pipeline. It prevents attackers from manipulating the final output outside the TEE by tampering with data preprocessing parameters (such as normalization coefficients) or post-processing rules (such as classification thresholds and business rules), ensuring end-to-end trust from raw input to final business decision.
[0072] It is important to note that many AI models are not simply "input-model-output." For example, they may require formatting transformations to convert raw user data (such as JSON forms) into the feature vectors needed by the model. If this transformation logic is tampered with (e.g., by modifying feature weights), it can severely impact the model's judgment. The model might output a score or probability, which then needs to be combined with business rules (e.g., "approve the loan if score > 90 and user age > 30"). This decision-making logic also needs protection.
[0073] For example, consider a credit approval system. Within the TEE (Trusted Execution Environment), not only does the credit scoring model run, but also the encrypted "feature engineering" code (which converts user data into model input) and the "approval condition" code (such as "Approve if score > 700 and no default record"). The final output is directly an "Approve / Reject" instruction, and external systems cannot observe or tamper with any of the intermediate steps.
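The evidence record of paragraphs [0068]-[0069] and the in-TEE pipeline of paragraphs [0070]-[0073] can be illustrated together. The following Go program is an added example written for this page, not code from the patent or its applicant. It assumes a constructed applicant format, a stand-in linear scoring model (DemoModel), constructed pre/post-processing parameters (DemoPipeline) and an Ed25519 key generated in software in place of the hardware security module's signing key; a real deployment would sign with a key that never leaves the module. The evidence binds the input digest, the decision, the model hash and the hash of the protected pre/post-processing parameters, so an auditor can detect any change to the threshold or feature scaling as well as to the model itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Applicant is the raw user record handed to the enclave (constructed sample format).
type Applicant struct {
	Income     float64 `json:"income"`
	Debt       float64 `json:"debt"`
	Age        int     `json:"age"`
	HasDefault bool    `json:"has_default"`
}

// Model is a stand-in for the credit scoring model: a linear scorer over the features.
type Model struct {
	Bias    float64   `json:"bias"`
	Weights []float64 `json:"weights"`
}

// Pipeline holds the feature-engineering scale factors and the approval threshold,
// i.e. the pre- and post-processing parameters that must stay inside the TEE.
type Pipeline struct {
	Scale     []float64 `json:"scale"`     // divisor applied to income, debt, age
	Threshold float64   `json:"threshold"` // approve only if score > Threshold
}

// Evidence is the standardized record (subject, time, action, result); only digests of
// the input and of the protected model/parameters leave the enclave, never the raw data.
type Evidence struct {
	InputDigest string `json:"input_digest"` // SHA-256 of the raw input bytes
	Output      string `json:"output"`       // final business decision
	ModelID     string `json:"model_id"`     // SHA-256 of the serialized model
	PipelineID  string `json:"pipeline_id"`  // SHA-256 of the pre/post-processing parameters
	Timestamp   string `json:"timestamp"`    // RFC 3339, UTC
}

// Constructed demo parameters (assumption, not values from the patent).
var (
	DemoModel    = Model{Bias: 600, Weights: []float64{1.5, -2.0, 0.5}}
	DemoPipeline = Pipeline{Scale: []float64{1000, 1000, 1}, Threshold: 700}
)

func digestHex(b []byte) string { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }

func digestJSON(v interface{}) string { b, _ := json.Marshal(v); return digestHex(b) }

func canonical(ev Evidence) []byte { b, _ := json.Marshal(ev); return b } // fixed field order

// NewEnclaveSigner stands in for the HSM's signing key; in a real deployment the private
// half never leaves the module and its public half is certified by the endorsement key.
func NewEnclaveSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Infer runs the whole protected pipeline (feature engineering, scoring, approval rule)
// and returns the evidence record together with its signature.
func Infer(signer ed25519.PrivateKey, m Model, p Pipeline, raw []byte, now time.Time) (Evidence, []byte, error) {
	var a Applicant
	if err := json.Unmarshal(raw, &a); err != nil {
		return Evidence{}, nil, fmt.Errorf("input: %w", err)
	}
	// Pre-processing: scale raw fields into the model's feature space.
	feats := []float64{a.Income / p.Scale[0], a.Debt / p.Scale[1], float64(a.Age) / p.Scale[2]}
	// Model: linear score.
	score := m.Bias
	for i, w := range m.Weights {
		score += w * feats[i]
	}
	// Post-processing rule: approve if score > threshold and no default record.
	decision := "Reject"
	if score > p.Threshold && !a.HasDefault {
		decision = "Approve"
	}
	ev := Evidence{
		InputDigest: digestHex(raw),
		Output:      decision,
		ModelID:     digestJSON(m),
		PipelineID:  digestJSON(p),
		Timestamp:   now.UTC().Format(time.RFC3339),
	}
	return ev, ed25519.Sign(signer, canonical(ev)), nil
}

// VerifyEvidence is what an auditor runs with the platform's certified public key.
func VerifyEvidence(pub ed25519.PublicKey, ev Evidence, sig []byte) bool {
	return ed25519.Verify(pub, canonical(ev), sig)
}

func main() {
	pub, priv := NewEnclaveSigner()
	raw := []byte(`{"income":80000,"debt":10000,"age":35,"has_default":false}`) // constructed input
	ev, sig, err := Infer(priv, DemoModel, DemoPipeline, raw, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\nsignature valid: %v\n", ev, VerifyEvidence(pub, ev, sig))
}
```

Because the record is serialized with a fixed field order before signing, any later edit to the output, the timestamp or the pipeline hash invalidates the signature; the raw applicant data is reproduced nowhere in the record, only its digest.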
[0074] In one optional implementation, after the credible reasoning evidence is generated in step S6, the method further includes the step of sending the evidence to a node of a blockchain network or distributed ledger system for storage.
[0075] This invention thereby gives the credible reasoning evidence decentralized, immutable and permanent storage with a trusted timestamp. Leveraging the inherent characteristics of a blockchain, it greatly enhances the legal probative value, credibility, and non-repudiation of the evidence, making it a powerful tool for judicial evidence presentation and cross-institutional auditing.
[0076] For example, the blockchain can be considered as an additional "notary layer." Once evidence is successfully submitted (transaction on-chain), it signifies consensus and confirmation across the entire network. Its existence, content, and timing (block time) can no longer be denied or modified by any single party (including the model provider, platform owner, or even the verification service).
[0077] For example, the deployment platform periodically calls the notarization interface of a smart contract deployed on an Ethereum or Hyperledger Fabric consortium blockchain to send a batch of signed reasoning evidence. This evidence is permanently recorded in the block as transaction data. Auditors or courts can independently verify the existence and content of this evidence at any time through a block explorer or on-chain query.
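Paragraph [0077] has the platform send a batch of signed evidence to a notarization contract. A common way to do that economically is to anchor one Merkle root per batch on the ledger and keep a short inclusion proof per record, so an auditor can check any single record against the on-chain root. The following Go program is an added example written for this page, not code from the patent; the Ledger type is a constructed in-memory stand-in for the smart contract (it records a root and a block time and hands back an entry index), and the records are constructed opaque byte strings standing in for signed evidence.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Leaves and inner nodes are domain-separated (0x00 / 0x01 prefix) so that an inner
// node can never be passed off as a leaf.
func leafHash(record []byte) [32]byte {
	return sha256.Sum256(append([]byte{0x00}, record...))
}

func nodeHash(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}

// ProofStep is one sibling hash and whether it sits to the left of the path node.
type ProofStep struct {
	Sibling [32]byte
	Left    bool
}

// MerkleRoot returns the batch root and an inclusion proof for every record.
// An odd level duplicates its last node so every batch size works.
func MerkleRoot(records [][]byte) ([32]byte, [][]ProofStep) {
	n := len(records)
	if n == 0 {
		return [32]byte{}, nil
	}
	level := make([][32]byte, n)
	proofs := make([][]ProofStep, n)
	idx := make([]int, n) // position of each original leaf at the current level
	for i, r := range records {
		level[i] = leafHash(r)
		idx[i] = i
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		next := make([][32]byte, len(level)/2)
		for i := 0; i < len(level); i += 2 {
			next[i/2] = nodeHash(level[i], level[i+1])
		}
		for leaf := range proofs {
			pos := idx[leaf]
			if pos%2 == 0 {
				proofs[leaf] = append(proofs[leaf], ProofStep{Sibling: level[pos+1], Left: false})
			} else {
				proofs[leaf] = append(proofs[leaf], ProofStep{Sibling: level[pos-1], Left: true})
			}
			idx[leaf] = pos / 2
		}
		level = next
	}
	return level[0], proofs
}

// VerifyInclusion recomputes the path from one record up to the root.
func VerifyInclusion(record []byte, proof []ProofStep, root [32]byte) bool {
	h := leafHash(record)
	for _, s := range proof {
		if s.Left {
			h = nodeHash(s.Sibling, h)
		} else {
			h = nodeHash(h, s.Sibling)
		}
	}
	return h == root
}

// Ledger is a constructed stand-in for the notarization contract: append-only
// entries, each carrying the anchored root and the block time.
type LedgerEntry struct {
	Root      [32]byte
	BlockTime time.Time
}

type Ledger struct{ Entries []LedgerEntry }

// Notarize plays the role of the on-chain transaction and returns the entry index.
func (l *Ledger) Notarize(root [32]byte, blockTime time.Time) int {
	l.Entries = append(l.Entries, LedgerEntry{Root: root, BlockTime: blockTime})
	return len(l.Entries) - 1
}

// AuditRecord is what an auditor or court runs: look up the anchored root, check the proof.
func (l *Ledger) AuditRecord(entry int, record []byte, proof []ProofStep) bool {
	if entry < 0 || entry >= len(l.Entries) {
		return false
	}
	return VerifyInclusion(record, proof, l.Entries[entry].Root)
}

func main() {
	// Constructed stand-ins for signed evidence records.
	batch := [][]byte{[]byte("evidence-1|sig"), []byte("evidence-2|sig"), []byte("evidence-3|sig")}
	root, proofs := MerkleRoot(batch)
	var led Ledger
	idx := led.Notarize(root, time.Now().UTC())
	fmt.Printf("anchored root %s as entry %d; record 2 proven: %v\n",
		hex.EncodeToString(root[:]), idx, led.AuditRecord(idx, batch[1], proofs[1]))
}
```

Only the 32-byte root and the block time go on chain per batch, while the platform keeps the signed records and their proofs off chain; the block time of the anchoring entry is the trusted timestamp that paragraph [0076] refers to.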
[0078] Furthermore, an AI model copyright protection and trusted reasoning system is provided for implementing any of the aforementioned AI model copyright protection and trusted reasoning methods, including: a model provider device for generating and uploading an encrypted model and a first key; a verification service device for storing keys, managing access control conditions, verifying platform credentials, and controlling key distribution; and a deployment platform device that includes a hardware security module and a trusted execution environment construction unit, which are used to generate the platform proof, decrypt the key, load and run the model in the trusted environment, and generate the trusted reasoning evidence. The model provider device, the verification service device, and the deployment platform device communicate with each other via a network.
[0079] The various embodiments of this disclosure have been described above. These descriptions are exemplary and not exhaustive, nor are they limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles, practical application, or technical improvements to the embodiments in the market, or to enable others skilled in the art to understand the embodiments disclosed herein.
Claims
1. A method for copyright protection and reliable reasoning of AI models, characterized in that it includes the following steps: the model provider encrypts the AI model using a first key and sends the first key to the verification service; the verification service configures access control conditions for the first key, the access control conditions being associated with the hardware identity of the target deployment platform and with the platform's trusted state requirements; when the deployment platform requests to load the encrypted AI model, a remote authentication and key release process is executed: the deployment platform uses its hardware security module to generate proof information containing its hardware identity identifier and the current platform status measurement value, and sends the proof information to the verification service; the verification service verifies the authenticity of the proof information and determines whether the hardware identity identifier and the platform status metric value therein meet the access control conditions; if the conditions are met, the verification service encrypts the first key using the encryption key corresponding to the hardware security module of the deployment platform before issuing it; the deployment platform uses its hardware security module to decrypt and obtain the first key and, in a hardware-protected trusted execution environment, uses the first key to decrypt and load the AI model; in the trusted execution environment, the AI model is used to perform inference on the input data; an information record containing the relevant data of this inference is generated, and the information record is cryptographically signed using the hardware security module to generate auditable and credible reasoning evidence.
2. The method according to claim 1, characterized in that the hardware security module is a dedicated security chip or a processor security area that provides cryptographic operation functions and a protected storage area, and the trusted execution environment creates an isolated computing space in system memory through the hardware isolation mechanism provided by the processor.
3. The method according to claim 1, characterized in that the access control conditions include a first verification condition and a second verification condition; the first verification condition is used to verify the hardware identity identifier, and the second verification condition is used to verify the platform integrity metric.
4. The method according to claim 3, characterized in that the hardware identity identifier verified in the first verification condition is the digest value of the digital certificate of the endorsement key of the hardware security module.
5. The method according to claim 3, characterized in that the platform integrity metric verified in the second verification condition is stored in a platform configuration register of the hardware security module, the metric being obtained by performing a cryptographic hash operation on the code executed at each stage of the deployment platform from startup to the loading of the operating system kernel and extending the result into the register.
6. The method according to claim 1, characterized in that step S4, encrypting the first key using a cryptographic key corresponding to the hardware security module of the deployment platform, includes: encrypting it using the public key of the storage root key or the public key of the endorsement key of the hardware security module.
7. The method according to claim 1, characterized in that the key information mentioned in step S6 includes at least: the cryptographic digest value of the input data, the output result, the unique identifier of the AI model, and the timestamp.
8. The method according to claim 1, characterized in that, before or after the inference step in the trusted execution environment, the method further includes: the trusted execution environment performing input data formatting transformations or output result logic decisions that are logically associated with the AI model.
9. The method according to claim 1, characterized in that, after the credible reasoning evidence is generated in step S6, the method further includes the step of sending the evidence to a node of a blockchain network or distributed ledger system for storage.
10. An AI model copyright protection and trusted reasoning system, characterized in that the system, which implements the AI model copyright protection and trusted reasoning method according to any one of claims 1 to 9, includes: a model provider device for generating and uploading an encrypted model and a first key; a verification service device for storing keys, managing access control conditions, verifying platform credentials, and controlling key distribution; and a deployment platform device that includes a hardware security module and a trusted execution environment construction unit, which are used to generate the platform proof, decrypt the key, load and run the model in the trusted environment, and generate the trusted reasoning evidence; the model provider device, the verification service device, and the deployment platform device are connected via a network.
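The remote authentication and key release process of claim 1, with the identity check of claim 4, the register extension of claim 5 and the key wrapping of claim 6, can be walked through end to end in code. The following Go program is an added example written for this page, not code from the patent or its applicant. It assumes: a constructed byte string in place of the endorsement key certificate; a constructed two-stage boot log (bootloader, kernel) whose stage hashes are folded into a single register exactly as claim 5 describes; a software Ed25519 key as the attestation key that signs the quote (its binding to the endorsement key certificate is taken as verified out of band); and a software RSA key pair in place of the storage root key, so that the first key is wrapped with RSA-OAEP under the platform's public half and can only be unwrapped by that platform. The hardware identity digest, the expected register value and the nonce are the verification service's access control conditions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ExtendPCR replays a boot event log the way claim 5 describes: starting from zero,
// each stage's code hash is folded in as PCR = H(PCR || H(code)). Order matters.
func ExtendPCR(stages [][]byte) [32]byte {
	var pcr [32]byte
	for _, code := range stages {
		h := sha256.Sum256(code)
		pcr = sha256.Sum256(append(pcr[:], h[:]...))
	}
	return pcr
}

// Quote is the proof information of claim 1: hardware identity plus platform state,
// bound to a nonce chosen by the verification service so it cannot be replayed.
type Quote struct {
	EKCertDigest string `json:"ek_cert_digest"` // claim 4: digest of the EK certificate
	PCR          string `json:"pcr"`            // claim 5: platform integrity metric
	Nonce        string `json:"nonce"`
}

type SignedQuote struct {
	Quote Quote
	Sig   []byte
}

// Policy is the access control condition of claim 3 (first and second conditions).
type Policy struct {
	AllowedEKCertDigest string
	ExpectedPCR         string
}

// Platform models the deployment platform's HSM: an attestation key that signs quotes
// and a storage root key whose private half never leaves the module (software stand-ins here).
type Platform struct {
	AK      ed25519.PrivateKey
	SRK     *rsa.PrivateKey
	EKCert  []byte
	BootLog [][]byte
}

func NewPlatform(ekCert []byte, bootLog [][]byte) *Platform {
	_, ak, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Platform{AK: ak, SRK: srk, EKCert: ekCert, BootLog: bootLog}
}

func (p *Platform) AttestKey() ed25519.PublicKey { return p.AK.Public().(ed25519.PublicKey) }

// Attest produces the signed quote (steps S2/S3 of claim 1).
func (p *Platform) Attest(nonce []byte) SignedQuote {
	ek := sha256.Sum256(p.EKCert)
	pcr := ExtendPCR(p.BootLog)
	q := Quote{EKCertDigest: hex.EncodeToString(ek[:]), PCR: hex.EncodeToString(pcr[:]), Nonce: hex.EncodeToString(nonce)}
	b, _ := json.Marshal(q)
	return SignedQuote{Quote: q, Sig: ed25519.Sign(p.AK, b)}
}

// PolicyFor derives the access control conditions from the authorized EK certificate
// and a known-good ("golden") boot log.
func PolicyFor(ekCert []byte, goldenBootLog [][]byte) Policy {
	ek := sha256.Sum256(ekCert)
	pcr := ExtendPCR(goldenBootLog)
	return Policy{AllowedEKCertDigest: hex.EncodeToString(ek[:]), ExpectedPCR: hex.EncodeToString(pcr[:])}
}

// ReleaseKey is the verification service side: verify the quote, check both conditions,
// then wrap the first key under the platform's SRK public key (claim 6).
func ReleaseKey(pol Policy, akPub ed25519.PublicKey, nonce []byte, sq SignedQuote, srkPub *rsa.PublicKey, firstKey []byte) ([]byte, error) {
	b, _ := json.Marshal(sq.Quote)
	if !ed25519.Verify(akPub, b, sq.Sig) {
		return nil, errors.New("quote signature invalid")
	}
	if sq.Quote.Nonce != hex.EncodeToString(nonce) {
		return nil, errors.New("stale or replayed quote")
	}
	if sq.Quote.EKCertDigest != pol.AllowedEKCertDigest {
		return nil, errors.New("hardware identity not authorized")
	}
	if sq.Quote.PCR != pol.ExpectedPCR {
		return nil, errors.New("platform state does not meet policy")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, srkPub, firstKey, []byte("first-key"))
}

// Unwrap is step S5: only the HSM holding the SRK private half can recover the first key.
func (p *Platform) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.SRK, wrapped, []byte("first-key"))
}

func main() {
	ekCert := []byte("constructed EK certificate bytes")
	bootLog := [][]byte{[]byte("bootloader-v1"), []byte("kernel-6.1")}
	plat := NewPlatform(ekCert, bootLog)
	pol := PolicyFor(ekCert, bootLog)
	nonce := []byte("nonce-from-verifier")
	firstKey := []byte("0123456789abcdef0123456789abcdef") // constructed model key
	wrapped, err := ReleaseKey(pol, plat.AttestKey(), nonce, plat.Attest(nonce), &plat.SRK.PublicKey, firstKey)
	if err != nil {
		panic(err)
	}
	got, _ := plat.Unwrap(wrapped)
	fmt.Printf("wrapped %d bytes; unwrapped matches: %v\n", len(wrapped), string(got) == string(firstKey))
}
```

A platform whose kernel stage differs from the golden log, or one replaying an older quote under a fresh nonce, is refused before any key material is produced, and the wrapped key is useless to anyone without the storage root key's private half.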