Introduction
Zero-Knowledge Machine Learning (ZKML) is an emerging technology that combines zero-knowledge proofs (ZKPs) with machine learning algorithms to enable privacy-preserving machine learning and verifiable AI models. It solves key privacy and trust challenges in conventional ML systems.
At its core, zero-knowledge proofs allow for the verification of truth without revealing the underlying information itself. This makes ZKP particularly valuable for applications requiring both security and privacy preservation.
For machine learning systems, ZKML creates powerful verification frameworks that ensure network nodes perform computations correctly without requiring complete visibility into the model’s internal mechanisms, which makes ZKML a critical component of the zero-knowledge ecosystem.
(source: https://www.coinbase.com/en-de/blog/understanding-the-zero-knowledge-landscape)
Why Verifying Machine Learning Models Is So Hard
A key capability of ZKML is to verify whether specific ML models are generated with particular content without exposing either the input data or the model itself. This is essential for use cases like on-chain biometric authentication, private data marketplaces, proprietary model sharing, and verifiable AI-generated content.
When organizations outsource model training or utilize third-party ML services because of computational resource constraints, critical security questions emerge:
· How can we verify that a model was trained according to specified parameters?
· How can we ensure that the authorized model is being used for inference rather than unauthorized or compromised alternatives?
When sending data to external parties for model training or fine-tuning, verification becomes particularly problematic.
Research – such as TrojAI by NIST – has demonstrated that improperly trained models may function correctly on test datasets while embedding malicious backdoors that activate only under specific circumstances. Without robust verification mechanisms, these vulnerabilities remain undetected until exploited.
ZKML offers a solution by providing cryptographic proofs that the training procedures were executed correctly according to specifications. This verification extends beyond just the training process to include data collection, filtering, and preparation – all critical components for ensuring model integrity and security.
How ZKML Ensures Model Authenticity
Imagine Alice develops a proprietary ML model after significant investment. She wants to offer services to Bob, her client, without revealing her model. Bob, on the other hand, needs assurance that he’s receiving results from the promised model (say, GPT-4 and not GPT-3).
Zero-knowledge proofs solve this trust dilemma. Alice can publicly commit to her model (without revealing its proprietary details), then provide cryptographic proofs alongside results that verify the committed model was correctly executed on Bob’s data. This gives Bob strong assurance without compromising Alice’s intellectual property rights.
ZKML provides verification that the claimed machine learning model is indeed the one being executed. This capability is particularly valuable for API-accessible models with multiple service tiers (e.g., basic versus premium versions), where users need verification they’re receiving the service level they’ve paid for.
Proving Model Integrity Without Revealing IP
Alice might need to deploy her model to Bob without exposing its parameters. ZKML can verify that the same algorithm runs consistently across different users’ data, which is critical for high-stakes applications like credit scoring and loan applications where bias prevention is essential. Functional commitments or public model parameters with private data proofs enable this consistent verification.
This approach is of particular importance in medical contexts, where patient confidentiality is legally mandated but consistency in diagnostic criteria remains essential for proper care.
Recent research, including the ExpProof framework, offers promising solutions for verifying model fairness while maintaining privacy guarantees.
ZKML in Decentralized AI and Edge Inference
Modern ML frameworks and interoperable formats like ONNX enable inference on edge devices such as mobile phones and IoT devices, without transmitting potentially sensitive data to centralized servers, improving both scalability and privacy. However, several challenges remain:
· Protecting sensitive inputs and/or model parameters from public exposure
· Safeguarding private data (personal financial information, biometrics, private media) used as model inputs
· Securing model parameters that may contain proprietary or sensitive information
· Ensuring downstream entities (such as on-chain smart contracts) can verify that inputs were correctly processed to produce claimed outputs
ZKML facilitates the deployment of models on-chain or in decentralized networks, with zero-knowledge proofs compressing model verification. For example, EZKL can take ONNX files and convert them to ZK-SNARK circuits for efficient on-chain verification. Modulus Labs has benchmarked proof systems for on-chain inference of models with up to 18 million parameters. Gensyn is developing sophisticated decentralized training networks that leverage these verification capabilities.
Practical Implementations of ZKML
Despite being in early stages, ZKML is already enabling practical applications. More resources on ZKML can be found on the awesome-zkml repository on GitHub or the map of zk. Some active players are introduced here.
EZKL
EZKL is a library and command-line tool for doing inference for deep learning models and other computational graphs in a zk-snark. Zkonduit’s ezkl library allows a user to create ZK proofs of ML models exported using ONNX.
The user provides a model (e.g., a neural network) in ONNX format. EZKL automatically converts the model into a ZKP-compatible circuit and generates a proof of correct model execution. Then, anyone with the verification key can verify the proof. EZKL uses Halo2 as its underlying proof system. Recently, the EZKL code was audited by Trail of Bits.
Modulus Labs (acquired by Tools for Humanity)
Modulus Labs has achieved a significant breakthrough in on-chain machine learning verification. Their paper titled “The Cost of Intelligence” presents proof systems capable of verifying machine learning models with up to 18 million parameters directly on blockchain networks.
MINA
Mina’s zkML library includes a few key components:
· A prover written in Rust for generating a zero knowledge proof from an ONNX file,
· A command-line interface (CLI) for generating a verifier for your proof and deploying it to the Mina blockchain, and
· A set of examples in Python and Rust demonstrating how to prove and verify various AI models.
Worldcoin
Worldcoin has been at the forefront of implementing ZKML in its identity verification system. Their primary ZKML application centers on their World ID platform, which uses iris scanning (via the Orb device) and zero-knowledge proofs to verify human uniqueness.
Worldcoin’s approach represents one of the most visible real-world deployments of ZKML technology, addressing the challenging balance between secure identity verification and privacy preservation in a decentralized context.
PSE
PSE (Privacy & Scaling Explorations) maintains circomlib-ml, a ZKML project that provides specialized circuit templates for machine learning operations in the circom language. This library includes a diverse array of templates for essential neural network components—convolutional layers, dense layers, and various activation functions—enabling developers to construct customized circuits for specific machine learning applications with privacy-preserving capabilities.
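To make the circuit-template idea concrete, here is a constructed circom dense layer in the spirit of the templates just described (an added example, not circomlib-ml’s own code). It assumes the Alice/Bob setting from earlier: Bob’s input vector is public, Alice’s weights and biases stay private, and the output is public.

```circom
pragma circom 2.0.0;

// Hypothetical dense (fully connected) layer: out = in * W + bias.
// Circuits compute over a prime field, so all values are integers
// (floating-point weights must be quantized to fixed-point beforehand).
template Dense(nInputs, nOutputs) {
    signal input in[nInputs];                 // Bob's data (public, see main)
    signal input weights[nInputs][nOutputs];  // Alice's model (private)
    signal input bias[nOutputs];              // Alice's model (private)
    signal output out[nOutputs];              // claimed inference result

    // Running partial sums. One intermediate signal per term keeps every
    // constraint quadratic (a single product plus linear terms), which is
    // what the R1CS backend requires.
    signal acc[nOutputs][nInputs + 1];

    for (var j = 0; j < nOutputs; j++) {
        acc[j][0] <== bias[j];
        for (var i = 0; i < nInputs; i++) {
            acc[j][i + 1] <== acc[j][i] + in[i] * weights[i][j];
        }
        out[j] <== acc[j][nInputs];
    }
}

// Only `in` and the outputs are public; weights and bias remain witness-only.
component main { public [in] } = Dense(3, 2);
```

Note the caveat for the model-authenticity use case: as written, the proof only shows that some weights map Bob’s input to the output. Binding the proof to Alice’s committed model additionally requires the commitment (e.g. a hash of the weights computed in-circuit) to appear as a public signal.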
Key Challenges to Widespread Adoption
While zero-knowledge proofs enable verification that computational work was performed correctly, significant technical challenges remain for widespread ZKML adoption. Current cryptographic primitives lack the performance necessary to handle very large model architectures efficiently. The computational overhead of proving systems makes them impractical for state-of-the-art models like GPT-3/4 and other large language models with billions of parameters.
Distributed Systems Challenges
Implementing ZKML in decentralized networks introduces significant distributed systems challenges:
· Coordinating large networks of GPU contributors
· Efficiently breaking down ML workloads across nodes
· Managing communication between distributed components
· Handling node failures and reassigning work
· Ensuring the network functions as a unified computational substrate
Solving these challenges could potentially create ML infrastructure that’s more resilient and cost-effective than traditional cloud computing approaches.
Security Considerations in ZKML
ZKML, particularly in blockchain applications, remains an emergent field requiring cautious implementation. With few production-ready projects to date, potential attack vectors include both established vulnerabilities and largely theoretical or undiscovered threats.
AI/ML Security
Neural networks face multiple adversarial attack vectors that can compromise ZKML systems:
· Gaussian Noise Injection: Deliberately introducing statistical noise to manipulate model outputs
· Data Poisoning: Contaminating training datasets to influence model behavior
· Membership Inference Attacks (MIAs): Techniques that can reveal whether specific data was used in model training—particularly problematic when ZKML is employed specifically to maintain model and training data privacy
Effective security requires developing a comprehensive threat model that anticipates both the neural network’s vulnerabilities and potential malicious inputs.
ZKP Security
The ZK proof systems are built as multi-layered stacks that require thorough security evaluations across all components. A comprehensive security assessment must examine:
· Protocol soundness and theoretical foundations
· Cryptographic algorithm implementation integrity
· Parameter selection and configuration accuracy
· Third-party dependency security posture and update status
Our previous post shows both common vulnerabilities within ZK proof systems and the risks associated with improper implementation choices.
Conclusion: The Future of Trustworthy AI
The promise of ZKML extends beyond technical innovation to fundamental questions about how AI systems should be developed, deployed, and governed in society. By enabling rigorous verification without sacrificing privacy, ZKML may help create AI systems that are more transparent, fair, and accountable—while preserving individual data sovereignty.
As research continues to advance, ZKML may become an essential component of trusted AI infrastructure, delivering cryptographic guarantees and decentralized trust at scale. As ZK technology matures, proving larger models on less powerful machines will become increasingly viable, thanks to advancements in specialized hardware and proof system architectures.
🔍 Want to understand the security posture of your cryptographic systems?
Explore our Crypto Audit Questionnaire and learn how Kudelski Security can help you assess and strengthen your cryptographic implementations:
👉 https://resources.kudelskisecurity.com/crypto-audit-questionnaire