Zero-Knowledge Machine Learning (zkML)

Users can prove that a specific AI model (e.g., a credit scoring algorithm or medical diagnosis model) produced a given output from their private data, without revealing the data itself. This is critical for:

• Financial services: Proving creditworthiness without exposing personal finances.
• Healthcare: Getting a diagnosis from a proprietary model without sharing sensitive health records.
• Content moderation: Filtering harmful content without exposing the raw user data to the moderating entity.

zkML cryptographically proves that a specific, unaltered model was used for a computation. This combats model poisoning and ensures accountability. Applications include:

• AI-as-a-Service: Clients can verify the provider used the agreed-upon, audited model.
• Decentralized AI Oracles: Blockchains can trustlessly consume predictions from off-chain models, knowing the exact code that generated them.
• Reproducible Research: Scientists can prove their published results came from a specific model architecture and training run.

zkML enables trust-minimized markets for AI models and data. Model owners can monetize their work while keeping it private, and users can verify results. This facilitates:

• Model Licensing: Renting a proprietary model for inference while the weights remain encrypted.
• Federated Learning Coordination: Aggregating model updates from multiple parties in a privacy-preserving manner, with verifiable contributions.
• Data Unions: Allowing collective data to be used for training a model, with proofs that the data was used fairly and privately.

zkML allows complex, non-deterministic game logic (like AI-driven NPC behavior or procedural generation) to run off-chain and be verified on-chain. This enables:

• Provably Fair AI Opponents: Games can have intelligent adversaries without trusting the game server.
• Complex World State Transitions: Autonomous worlds can use AI to evolve environments, with proofs ensuring consensus on the results.
• Scalable Game Mechanics: Moving heavy AI computations off-chain while maintaining cryptographic guarantees of correctness.

zkML can verify biometric matches (e.g., facial recognition, fingerprint scans) without exposing the raw biometric template or scan data. This enhances privacy in:

• Decentralized Identity (DID): Proving you are the owner of a biometric-secured identity without revealing the biometrics.
• Secure Access: Gaining access to a physical or digital asset by proving a biometric match, with the proof serving as the key.
• KYC/AML Compliance: Financial institutions could verify a customer's identity against a government database without seeing or storing the customer's biometric data.

zkML can generate a succinct proof that a neural network satisfies certain formal properties (e.g., robustness to adversarial examples, fairness bounds). This is used for:

• Safety-Critical Systems: Proving an autonomous vehicle's perception model will not misclassify critical obstacles within defined parameters.
• Automated Auditing: Continuously generating proofs that a live model's behavior adheres to regulatory or ethical guidelines.
• Scalable Bug Bounties: Researchers can submit a proof of a model's vulnerability without needing to disclose the exploit publicly.

zkML primarily uses zkSNARKs (Succinct Non-Interactive Arguments of Knowledge) to create cryptographic proofs of correct ML model execution. The process involves:

• Circuit Compilation: Converting a trained model (e.g., a neural network) into an arithmetic circuit compatible with ZK proving systems.
• Proof Generation (Prover): Running private input data through the circuit off-chain to compute an inference and generate a proof of correct execution.
• Proof Verification (Verifier): The compact proof is submitted on-chain, where a smart contract verifies its validity in milliseconds, trusting the result without re-running the model.

zkML enables trust-minimized oracles by proving that off-chain AI inferences are computed correctly. This is critical for DeFi and on-chain games. For example:

• A lending protocol can use a verified credit-scoring model to assess collateral risk without exposing sensitive user data.
• An on-chain game can use a proven random number generator (RNG) from a verifiable ML model, ensuring fair and tamper-proof outcomes.
• Moderating decentralized social feeds with proven content-filtering models, removing reliance on a centralized moderator.

The main technical bottleneck is the computational overhead of generating ZK proofs for complex models. Key considerations include:

• Proof Generation Time: Can be orders of magnitude slower than a standard model inference, requiring specialized provers.
• Circuit Size: Larger, more accurate models create massive circuits, increasing proving cost and time.
• Hardware Acceleration: Projects like zkMatrix and Cysic are developing dedicated hardware (ASICs/FPGAs) to accelerate these proofs, aiming to make zkML practical for real-time applications.

zkML can provide selective privacy, protecting either the model, the input data, or both.

• Private Inputs, Public Model: A user proves they have a valid driver's license (input) against a known model without revealing the license details.
• Private Model, Public Inputs: A company can prove its proprietary trading algorithm made a correct prediction without revealing the model's weights.
• This enables applications in private identity verification, confidential DeFi strategies, and protecting intellectual property in on-chain AI agents.

zkML introduces a fundamental shift in how blockchains trust external computation.

Traditional Oracle (e.g., Chainlink):

• Relies on economic security and consensus among a decentralized network of nodes.
• Trust assumption: A majority of nodes are honest.

zkML Oracle:

• Relies on cryptographic security (ZK-proofs).
• Trust assumption: The cryptographic primitives (elliptic curves) are secure and the circuit correctly represents the model.
• Provides verifiable correctness of the computation itself, not just data delivery.

The ecosystem is rapidly evolving with specialized tools and infrastructure:

• EZKL: A library for compiling PyTorch/TensorFlow models into ZK circuits for proof generation.
• Giza: A platform for building, deploying, and proving ML models on-chain.
• Modulus Labs: A research lab building zkML applications, demonstrating verifiable AI for games and DeFi.
• RISC Zero: A general-purpose zkVM that can execute and prove arbitrary code, including ML models written in Rust.
• Worldcoin: Uses zkML for privacy-preserving proof of personhood, verifying uniqueness without biometric data.

zkML relies on zero-knowledge proofs (ZKPs), specifically zk-SNARKs or zk-STARKs, to generate a cryptographic proof of a computation. The prover runs the ML model (e.g., a neural network) and generates a proof that the output is correct according to the model's architecture and weights. This proof is then verified on-chain, ensuring computational integrity without exposing the underlying data.

A primary use case is protecting proprietary machine learning models. A service can prove a prediction was made by their specific, high-value model (e.g., for credit scoring or medical diagnosis) without ever publishing the model's weights or architecture. This enables monetization of private models on public blockchains while maintaining a competitive advantage and preventing model theft or replication.

zkML enables trust-minimized AI agents and oracles. For example:

• A DeFi protocol can use a verifiably fair price feed from an ML model.
• An on-chain game can have an AI opponent whose moves are provably generated by a specific model.
• A DAOs can make decisions based on provably uncensored sentiment analysis. This moves computation off-chain for efficiency but anchors trust on-chain via the proof.

Converting ML operations (matrix multiplications, non-linear activations like ReLU) into arithmetic circuits for ZKPs is computationally intensive. Key optimizations include:

• Quantization: Reducing numerical precision of model weights.
• Lookup Arguments: Efficiently handling non-polynomial functions.
• Parallel Proof Generation: Using GPUs/FPGAs to speed up proving times, which can currently take minutes to hours for complex models.

Several frameworks are pioneering zkML development:

• EZKL: A library for compiling PyTorch/TensorFlow models into ZKP circuits.
• Giza: A platform for deploying and proving ML models on-chain.
• Modulus Labs: A research group focusing on zkML for on-chain gaming and DeFi. These tools abstract the complex cryptography, allowing ML developers to focus on model design.

zkML intersects with several key Web3 concepts:

• FHE (Fully Homomorphic Encryption): Both protect data privacy, but FHE allows computation on encrypted data, while zkML proves correctness of computation on private data.
• Optimistic ML: An alternative where results are assumed correct and only challenged in disputes, offering faster but slower-to-finalize verification.
• Decentralized Physical Infrastructure (DePIN): zkML can verify work done by decentralized GPU networks for AI training or inference.

A core promise of zkML is verifying that a specific, private model was used. However, the circuit representation of the model must be proven to be a correct compilation of the original source code (e.g., a PyTorch graph). Malicious provers could use a model extraction attack to infer parameters from the circuit or prove a different, backdoored model if the circuit is not properly constrained and audited.

The underlying zk-SNARK or zk-STARK proof system must be cryptographically sound. This includes:

• Resistance to adaptive soundness attacks where a prover chooses inputs after seeing the challenge.
• Security of elliptic curve pairings or hash functions against quantum attacks.
• Correct implementation of the polynomial commitment scheme (e.g., KZG, FRI) without logical bugs that could allow forging proofs.

zkML proves computation over private data, but the proof itself or its metadata can leak information. Proof verification is deterministic; repeated proofs for similar inputs could allow statistical analysis. Furthermore, the circuit structure (e.g., number of layers, operations) may reveal model architecture details the owner wishes to keep confidential, requiring careful circuit design.

The security guarantee is conditional on at least one honest participant in the proving process. In practice, users often rely on a centralized prover service. This introduces risks:

• Denial-of-Service (DoS) if the prover is unavailable.
• Censorship if the prover refuses to generate proofs.
• Economic attacks if proving costs are manipulated. Decentralized prover networks are an active area of research to address this.

Security often conflicts with practicality. Proof generation time and cost are significant barriers. To make proving feasible, developers may use approximations, lower precision arithmetic, or smaller security parameters, which can weaken cryptographic assurances. The choice between a transparent (STARKs) or trusted setup (SNARKs) system involves a direct trade-off between these performance metrics and trust assumptions.

The cryptographic primitive that enables zkML. A Zero-Knowledge Proof allows one party (the prover) to convince another (the verifier) that a statement is true without revealing any information beyond the statement's validity. Core properties are:

• Completeness: A true statement is always accepted.
• Soundness: A false statement is almost always rejected.
• Zero-Knowledge: The verifier learns nothing beyond the statement's truth. zkML uses ZKPs to prove the correct execution of a machine learning model.

The broader field of proving the correctness of a computation's output. Verifiable computation is the goal; ZKPs are a specific, privacy-preserving method to achieve it. In zkML, this means generating a cryptographic proof that a specific model, given specific inputs, produced a specific output, without needing to re-run the model. This is crucial for trustless inference on blockchains, where nodes cannot be trusted to execute complex ML models honestly.

A primary use case for zkML. It allows users to verify:

• Model Authenticity: The inference was performed by a specific, unaltered model (e.g., a known, audited AI agent).
• Input Integrity: The proof is bound to specific, often private, input data.
• Execution Fidelity: The model was executed correctly, without tampering or hardware faults. This creates tamper-proof audit trails for AI-driven decisions in DeFi, gaming, or identity systems.

The two dominant proof systems used in zkML implementations.

• zk-SNARKs (Succinct Non-Interactive Argument of Knowledge): Require a trusted setup but produce very small, fast-to-verify proofs. Used by projects like zkML.guru and EZKL.
• zk-STARKs (Scalable Transparent Arguments of Knowledge): No trusted setup, with larger proof sizes but faster prover times and post-quantum security considerations. Used by StarkWare and Cartesi. The choice involves trade-offs between setup trust, proof size, and generation speed.

The act of running a machine learning model's forward pass directly within a smart contract. On-chain inference is typically prohibitively expensive due to gas costs. zkML offers an alternative: off-chain inference with on-chain verification. The model runs off-chain, generating a ZKP of the result, and only the small proof is submitted to the chain for cheap, trustless verification. This enables complex AI logic in dApps without exorbitant costs.

Developer toolkits that abstract the complexity of generating ZKPs for ML models.

• EZKL: A library for compiling PyTorch or ONNX models into ZK circuits, supporting Halo2 proof systems.
• Orion: A framework from zkMatrix focused on verifiable ML for large language models (LLMs).
• Cairo & Giza: StarkNet's language and an associated ML framework for building verifiable models. These frameworks handle the conversion of model weights and operations into arithmetic circuits for proof generation.