Zero-Knowledge Machine Learning and Privacy-Preserving AI
(March–May 2025)
Zero-knowledge proofs (ZKPs) are rapidly enabling verifiable AI: cryptographically proving that a
machine learning (ML) model was run correctly without revealing private inputs or even the
model’s internal parameterskudelskisecurity.comblog.ezkl.xyz.
For example, a service provider can publicly commit to a proprietary model and then produce ZK
proofs that each inference was executed on the promised model, giving verifiers confidence
without leaking the model or datakudelskisecurity.comblog.ezkl.xyz.
This approach parallels trusted hardware (e.g. Apple’s Secure Enclave for FaceID) but
generalizes it cryptographically: apps never see the raw data, only cryptographic proof of
correct computationblog.ezkl.xyz.
ZKML thus “democratizes” on-device secure inference – enabling any ML model to run privately and verifiably on any deviceblog.ezkl.xyzkudelskisecurity.com.
Zero-Knowledge Proofs for ML Inference and Training
Zero-knowledge systems such as zk-SNARKs and zk-STARKs allow
a prover to run an ML model on secret data and generate a succinct proof attesting to the
result. Typically, the model and inputs are committed as a “public input,” while intermediate
computations remain hidden. The verifier sees only the proof (and possibly the model hash) and
checks it efficiently. A conceptual architecture is shown below: the prover (e.g. a GPU node)
runs the private data through the model to generate a
ZK proof, which is then shared with verifier nodes. Each verifier checks the proof
against the public inputs, confirming the inference without ever seeing the private input.
Figure: Conceptual pipeline for zkML
verification – private data is processed to generate a ZK proof; verifier nodes receive only
the proof (and any public inputs) and confirm correctness without learning the data or model
internals【95†】.
In practice, systems like EZKL take an ONNX-exported model and compile it into a ZK-SNARK
circuit (using e.g. Halo2)kudelskisecurity.commedium.com.
Recent performance optimizations allow EZKL to prove an MNIST-sized neural network in ~6 seconds
using 1.1GB RAMmedium.com.
Similarly, Giza’s Orion/LuminAIR framework compiles
ONNX models into Cairo/STARK circuits, enabling provable inference via StarkWare’s Winterfell
enginegithub.commedium.com.
Rust-based zkVMs like RISC Zero’s R0VM run
arbitrary code (including ML inference written in Rust/C++) and prove the execution trace with
STARK proofsmedium.comrisczero.com.
In all cases, the prover’s heavy computation is offloaded off-chain or on specialized hardware,
while on-chain verification remains cheap and privacy-preserving.
Recent Project Highlights (Q1–Q2 2025)
EZKL /
ZKonduit: In March 2025, EZKL published an audit by Trail of Bits and showcased
faster proof generation. The EZKL team reports converting PyTorch/TensorFlow models to ONNX
and proving them with zk-SNARKsmedium.comkudelskisecurity.com.
The latest release can handle an MNIST model in ~6s (Halo2 backend). Their blog emphasizes
making any ML model “run on any device privately and securely” by leveraging ZK proofsblog.ezkl.xyzmedium.com.
EZKL is being used in hackathons (e.g. image-classification contests) and illustrates
ONNX as a ZK-friendly model format.
Modulus
Labs (Tools for Humanity): Modulus has demonstrated large-scale on-chain ML
proofs. Their recent “Cost of Intelligence”
report shows proof systems capable of verifying models of up to 18 million parameters directly on-chainkudelskisecurity.comkudelskisecurity.com.
They built example applications – notably RockyBot, an on-chain trading bot, and Leela vs. the World, a chess game where all players face a verified
chess enginemedium.commedium.com.
In April 2025 Modulus/Tools-for-Humanity continues benchmarking optimized R1CS circuits
(e.g. composed SNARK/Plonky2 stacks) that reportedly outperform other general zk platforms
in speed and memorymedium.comkudelskisecurity.com.
RISC
Zero: In March–April 2025, RISC Zero pushed two major updates to its zkVM. First,
R0VM 2.0 was released on April 10,
offering “real-time” proving: for example, an
Ethereum block proof went from 35 minutes to ~44 secondsrisczero.com.
R0VM 2.0 adds 3 GB of user memory (15× increase) and drastically cuts proving cost (for a
Base chain OP Kailua benchmark, validity proof cost dropped 5×)risczero.comrisczero.com.
Second, RISC Zero announced a formal-verification effort: by collaborating with Veridise and
using the Picus automated prover, they are proving determinism of R0VM circuits (ensuring each component has exactly one
valid output)risczero.com.
This would make R0VM (based on RISC-V) the first formally verified zkVM, eliminating a common class of ZK
bugsrisczero.comrisczero.com.
Together these advancements push RISC Zero’s platform as one of the fastest, most secure
zkVMs for arbitrary computation, including ML inference.
GizaTech: Giza (part of StarkNet ecosystem) is building a
Cairo-based zkML stack. They provided Orion, an
ONNX runtime in Cairo for STARK proofsgithub.com
(now superseded by a more efficient engine LuminAIR). Giza’s vision is a decentralized ML marketplace: their stack includes
an ONNX-to-Cairo transpiler, a Cairo execution engine, and a “Giza Model” smart contract
factorymedium.com.
It leverages STARKs (no trusted setup) for integrity; the team emphasizes trustlessly
deploying and executing AI models on-chain and even articulates this as a “web3 Hugging
Face” for verifying AI model proofsmedium.com.
By May 2025 Giza has demoed ONNX ML primitives in Cairo and raised awareness of STARK-based
AI pipelines.
Aleo
(Leo): Aleo’s Leo is a domain-specific language for writing SNARK circuits. In
May 2025 Aleo launched a zkML hackathon
offering up to 80,000 credits for building ML algorithms (regression, decision trees, neural
nets, etc.) in Leo, or creating ZK “plugins” for frameworks like PyTorch or TensorFlowaleo.orgaleo.org.
This initiative highlights Aleo’s push into ML: by designing circuits in Leo, developers can
directly implement verifiable models and deploy them on Aleo’s privacy-preserving
blockchain. Although Leo/aleo remains a less parallelizable (trusted-setup) approach than
STARKs, it provides a streamlined ecosystem: Aleo’s recent roadmap also includes snarkOS
upgrades to make provers faster and move toward more enterprise-friendly compliance (Google
Cloud partnership for confidential infrastructuremessari.io).
In short, Aleo is grooming its stack for zkML applications ranging from private AI dApps to
market prediction services.
ZK-Friendly Model Formats and Toolchains
Many ZKML systems build on open ML formats. A common path is: train in PyTorch/TensorFlow,
export to ONNX, then compile into ZK circuits. For example, EZKL’s workflow is to define a computational graph in PyTorch, export the
model and sample inputs to an .onnx file and
.json, and feed these into EZKL to generate a
Halo2 zk-SNARK circuitmedium.com.
Similarly, Giza’s Orion provides an ONNX runtime for Cairo (using StarkWare’s STARK); ONNX
compatibility lets developers pre-train in familiar frameworks and then prove inference in
ZKgithub.comgithub.com.
Specialized libraries bridge models to ZK circuits. For
Circom (an R1CS DSL), Cathie So’s circomlib-ml offers templates for neural network layers and
activations, and her Keras2circom tool transpiles
Keras models into Circom codemedium.com.
LinearA’s Tachikoma/Uchikoma framework
similarly converts floating-point networks into integer-only traces or TVM IR for non-float
environmentsmedium.com.
In practice, most ZK compilers quantize weights and activations to finite fields. Advances like
lookup tables (Halo2, Plonky2) or custom polynomial gates are used to efficiently handle
non-linearitiesmedium.commedium.com.
Performance & Technical Tradeoffs
Prover
Overhead: Current ZK proofs of ML are still heavy. Even optimized pipelines consume
gigabytes of RAM and seconds to minutes of proving time for relatively small networks. For
instance, the Kang zkml framework needed ~5 GB RAM
and 16 s to prove an MNIST networkmedium.com,
while EZKL (with halo2 and lookup optimizations) does it in 1.1 GB and 6 smedium.com.
RISC Zero’s R0VM 2.0, by contrast, can prove an Ethereum block in ~44 s (down from 35 min),
suggesting future ML circuits (batched and SIMD-optimized) could see large speedupsrisczero.com.
However, proof generation still grows quickly with model size – making LLM-scale models
(billions of params) impractical todaykudelskisecurity.com.
Some emerging solutions attempt recursive proofs:
e.g. Zator recursively SNARKs DNNs layer-by-layer (using Nova) to handle very deep nets, though
it’s not yet production-readymedium.com.
Trusted
Setup: Many SNARK schemes require a one-time trusted setup (e.g. Groth16).
Trusted-setup SNARKs offer very short proofs and fast verification, but raise concerns about who
generated the parameters. By contrast, STARK-based systems (Plonky2, Winterfell, etc.) are
transparent (no trusted setup) but produce
larger proofs. In zkML, both paradigms are used: EZKL currently relies on Halo2 (a Plonk variant
with updatable setup), while Giza/Orion use StarkWare’s Winterfell (a STARK). The tradeoff means
proof size and gas cost vs. cryptographic assumptions. Ongoing research (e.g. Astra’s Spartan-KK) is
working to unify advantages.
zkVMs for
AI: Aside from model compilers, general-purpose ZKVMs can execute ML code as well.
For example, RISC Zero’s zkVM targets the RISC-V ISA: one can write neural network inference in
Rust or C/C++ (using crates like ndarray) and
run it on R0VM, which generates a STARK proof of every instruction executedmedium.com.
This “bridge” (much like Nvidia’s CUDA) lets developers use mature ML libraries with minimal
changes, at the cost of heavier proofs. Similarly, Nil Foundation’s zkLLVM compiles C/C++/Rust
code (including ML kernels) into R1CS SNARKs. The advantage of zkVMs is flexibility – any code
can be proved – but the disadvantage is prover work is quadratic or worse in code size (although
STARK engines have near-linear prover time). Even so, RISC Zero’s latest R0VM 2.0 proved an
Ethereum block in seconds, hinting that optimized zkVMs may soon handle moderate-size ML tasks
in real-timerisczero.com.
Applications and Use Cases
Zero-knowledge ML unlocks new privacy-preserving AI
applications. Private inference is the
central use case: sensitive inputs (medical scans, financial records, biometrics) can be fed to
a model, with only the proof of correct inference revealedblog.ezkl.xyzkudelskisecurity.com.
For example, a hospital might prove it ran a cancer-detection model on patient data without
exposing the imageskudelskisecurity.com,
or a credit agency could prove it used a fair, approved scoring model on applicant datakudelskisecurity.com.
Worldcoin’s biometric World ID is an early
instance: users prove uniqueness from iris scans via ZK without revealing the scan itself,
balancing identity verification and privacykudelskisecurity.commedium.com.
On-chain AI
agents and oracles become possible. Developers have proposed AI-driven smart
contracts where every decision is provably correct. For example, decentralized games or trading
strategies can embed a machine learning model whose moves or trades are accompanied by a proof.
Modulus Labs demonstrated this with AI Arena and
Leela vs. The World, where a verified chess engine
and fight-game NPC take provable movesmedium.commedium.com.
In DeFi, ZKML could create verifiable oracles: an
off-chain ML model might classify weather or economic events from signed data, then publish a
proof of the predictionmedium.com.
Such proofs could automatically settle prediction markets or trigger insurance payoutsmedium.com.
There are visionary ideas for AI marketplaces: one could imagine a Kaggle-style protocol where
model creators submit encrypted models, and verifiers pay for proofs of accuracy. For instance,
a marketplace dApp might allow a data owner to verify a model’s promised performance without
ever seeing its weightsmedium.com.
Even sale of complex generative prompts could leverage ZK: a prompt engineer could prove that a
prompt generates desired images without revealing the prompt itselfmedium.com.
Some teams are already building prototypes: AI
Coliseum (hackathon project) uses ZK proofs to validate ML competition results, and zkAperçu allows minting AI-generated art with
verifiable model provenance. In Web3 identity, ZK-proofed face or voice authentication could
replace private keysmedium.com,
improving security UX.
Leading Frameworks Compared
Several competing frameworks support zkML, each with
distinct tradeoffs:
Giza
(Orion/LuminAIR) – Uses STARKs and Cairo. Giza focuses on ONNX models translated to
Cairo (via its transpiler) and proven with Winterfell. No trusted setup is needed, and it
scales to large models by leveraging STARK composition. Its Python/ONNX-centric tooling is
developer-friendly. Giza also pitches a decentralized model marketplace: models become on-chain contracts,
with proofs verifying each executionmedium.com.
The downside is STARK proofs are larger (gas-heavy) and prover work is significant, though
this is offset by constant verification cost and security assumptions.
RISC Zero
(R0VM) – A general-purpose
zkVM (STARK-based) targeting RISC-V. Developers can write Rust/C++ inference code
directly. R0VM 2.0 shows best-in-class performance (sub-minute proofs for complex
workloads)risczero.com
and offers 15× more memory than before. It requires no custom circuit coding but does entail
relatively heavy proving time. Notably, R0VM 2.0 is moving toward full formal verification
for determinismrisczero.com,
meaning extremely high security guarantees. This makes it very robust for high-stakes use
cases, but at present it’s more of a “compute layer” (like an off-chain proof co-processor)
than an easily auditable ML-specific language.
Aleo
(Leo) – A domain-specific ZK
language (PLONKish SNARKs). Leo programs compile to succinct circuits. Aleo’s UX
is tailored for privacy dApps rather than raw ML throughput. Its recent zkML hackathon
suggests using Leo to hand-code or compile ML kernels in zero-knowledgealeo.org.
In contrast to RISC Zero, Aleo’s approach can yield very small proofs and fast on-chain
verification (important for high-volume dApps) at the cost of requiring a cryptographic
setup ceremony. Leo’s strong typing and high-level syntax make it relatively easy to express
model logic, but it lacks built-in ML library support. Tooling improvements (snarkOS v0.10)
aim to improve prover speed and reduce setup friction, making Aleo more competitive for
serious ML workloads.
Modulus
(R1CS pipelines) – Modulus Lab’s toolkit currently uses optimized R1CS SNARKs (a mix of PLONK and custom
schemes). Their benchmarks indicate extremely efficient provers per model size, due to
highly hand-tuned circuits (e.g. using GKR/sumcheck techniques)medium.com.
Modulus’s models have proven effective up to 18M parameterskudelskisecurity.comkudelskisecurity.com.
In practice, they export ONNX or custom networks into R1CS constraints and apply recursive
SNARK techniques (Plonky2+GKR) to balance proof size and generation timemedium.com.
This yields small proofs (trusted setup required) and fast verification, which is ideal for
smart contracts. The downside is heavy engineering: building an R1CS pipeline often requires
low-level circuit work and careful optimizations.
Each framework represents a different point on the design
spectrum: generality vs. specialization, SNARK vs. STARK, ease-of-use vs. raw efficiency. RISC
Zero and Giza aim for broad applicability (any code/model), Modulus aggressively optimizes for
scale, and Aleo Leo offers a more polished developer platform. Ongoing work (e.g. Nil’s zkLLVM,
Jasper’s Spacetime) and new proof systems (Halo2+HALO, TurboPlonk, SHARP) continue to blur these
lines.
Implications for Web3, Security, and Compliance
Web3
Infrastructure: ZKML opens new dimensions for blockchain applications. Smart
contracts can integrate provable AI oracles, enabling autonomous DeFi protocols that adapt to
real-world data without trusting off-chain oraclesmedium.com.
Decentralized AI marketplaces can emerge: for example, Giza and others envision on-chain “model
store” contracts where models are public inputs and users pay for inference with proof. Identity
systems (like Worldcoin or Proof-of-Humanity) can incorporate richer biometrics while preserving
privacykudelskisecurity.com.
Even blockchain consensus could be influenced by ML agents whose decisions are verifiable.
Cybersecurity: From a security standpoint, ZKML mitigates some
AI-specific risks. It ensures model integrity: one
can cryptographically prove that no malicious backdoors were introduced in training by attesting
to the entire training pipeline and model architecturekudelskisecurity.comkudelskisecurity.com.
Inference can be audited: for instance, a model owner can use ZK proofs to guarantee that the
deployed model matches the promised configuration (preventing “model poisoning” or
substitution). Verifiers need not trust third parties or hardware enclaves: even an adversarial
verifier learns nothing beyond the validity of the result. This is especially crucial in
scenarios like autonomous vehicles or finance, where proving adherence to specified AI behavior
is a security requirement.
Enterprise
Compliance: ZKML aligns well with privacy and audit regulations (GDPR, HIPAA, SOX,
etc.). An enterprise can prove to regulators or auditors that an AI-driven decision process
complied with data policies without exposing user data. For example, a loan processor might
prove it used an approved credit model on applicant data without releasing the data or model
(ensuring fairness and privacy)kudelskisecurity.com.
By publicly committing to model parameters and proving correct operation, companies can
demonstrate algorithmic accountability. In
sensitive sectors (healthcare, finance), ZKML provides a path to reconcile “black-box” AI with
the need for transparency: proofs can certify that certain protected attributes did not
influence decisions or that inputs came from verified sources. In short, zero-knowledge AI acts
as a cryptographic audit trail for ML: it preserves data confidentiality while giving third
parties (auditors, consumers, or regulators) the proofs they need to trust AI systems.
Conclusion: In the past quarter, zkML has moved from theory into
early practice. Advances in optimized proving systems (EZKL, Modulus) and powerful zkVMs (RISC
Zero R0VM 2.0) have made private, verifiable AI on-chain a nearer-term reality. Leading projects
and funding flows (e.g. Tools for Humanity) underscore industry confidence. For Web3 developers
and AI engineers, these tools mean new options: one can now prove the correctness of model inference almost as easily as running
the model itself. While hurdles remain (proof costs, model scaling, trusted setup), the
integration of ZK and ML promises more secure, private, and compliant AI services — a crucial
development as AI’s societal impact growskudelskisecurity.comblog.ezkl.xyz.
