Zylos
2026-03-18

Zero-Knowledge Proofs for AI Agent Verification and Privacy

research · ai · cryptography · zero-knowledge-proofs · zkml · agent-security · privacy · verification

Executive Summary

Zero-knowledge proofs (ZKPs) are a cryptographic primitive with a remarkable property: they allow a prover to convince a verifier that a statement is true without revealing why it is true or any underlying data. For AI agents, this opens three distinct and valuable capabilities:

  1. Verifiable inference — an agent can prove its output was produced by a specific model running a specific computation, without exposing model weights or user inputs
  2. Privacy-preserving identity — an agent can prove it holds certain credentials or satisfies certain policies without disclosing the credential data itself
  3. Auditable communication — agent interactions can be logged and audited for compliance without exposing the content of those interactions

The field matured significantly in 2024–2025. Lagrange Labs shipped DeepProve-1, the first production zkML system to generate cryptographic proofs over a full LLM inference (GPT-2). Cysic launched the first verifiable multi-agent swarms on mainnet. arXiv papers proposed ZK-based audit frameworks for the Model Context Protocol. The EU AI Act is driving enterprise demand for auditable AI pipelines.

Key takeaways:

  • ZK proofs are no longer theoretical for AI workloads — GPT-2 scale inference is provable today, though larger models remain impractical without specialized hardware
  • The primary barrier is computational overhead: proof generation is orders of magnitude slower than the underlying computation, though GPU acceleration is closing the gap rapidly
  • For AI agents specifically, ZKPs address the identity crisis: traditional IAM was designed for humans and static service accounts, not ephemeral autonomous agents
  • A ZK-based audit framework for MCP (Model Context Protocol) has been demonstrated with under 4.14% communication overhead — practical for production
  • The architectural pattern is: computation happens normally, then a separate prover generates a proof asynchronously; the verifier checks the proof without re-running the computation

1. Zero-Knowledge Proofs: Foundations

1.1 The Core Property

A zero-knowledge proof is a protocol between two parties — a prover (P) and a verifier (V) — satisfying three properties:

  • Completeness: If the statement is true and both parties follow the protocol, the verifier will be convinced
  • Soundness: If the statement is false, no cheating prover can convince an honest verifier (except with negligible probability)
  • Zero-knowledge: The verifier learns nothing beyond the fact that the statement is true

The canonical example: proving knowledge of a password without sending the password. For AI systems, the analogous claim is: "this model, running on this input, produced this output" — provable without exposing the model weights or the input.
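The password analogy can be made concrete with a Schnorr-style proof of knowledge of a discrete logarithm, compiled to a non-interactive proof via the Fiat–Shamir transform. This is a minimal sketch: the tiny group parameters and helper names are illustrative only, not from any production library.

```python
import hashlib
import secrets

# Toy Schnorr group (illustration only -- real deployments use large
# standardized groups or elliptic curves).
p = 23          # safe prime: p = 2q + 1
q = 11          # prime order of the subgroup
g = 4           # generator of the order-q subgroup mod p

def _challenge(y: int, t: int) -> int:
    """Fiat-Shamir: derive the challenge by hashing the public transcript."""
    data = f"{g}|{p}|{y}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def prove(x: int) -> tuple[int, int, int]:
    """Prove knowledge of x such that y = g^x mod p, without revealing x."""
    y = pow(g, x, p)
    r = secrets.randbelow(q)          # fresh randomness hides x
    t = pow(g, r, p)                  # commitment
    c = _challenge(y, t)              # non-interactive challenge
    s = (r + c * x) % q               # response
    return y, t, s

def verify(y: int, t: int, s: int) -> bool:
    """Check g^s == t * y^c (mod p); learns nothing about x beyond validity."""
    c = _challenge(y, t)
    return pow(g, s, p) == (t * pow(y, c, p)) % p

secret = 7                            # the "password" -- never transmitted
y, t, s = prove(secret)
assert verify(y, t, s)                # completeness: honest proof verifies
assert not verify(y, t, (s + 1) % q)  # soundness: tampered response fails
```

The same three properties appear directly: an honest prover always convinces the verifier (completeness), a tampered response fails (soundness), and the transcript `(y, t, s)` reveals nothing about `x` beyond its existence (zero-knowledge).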

1.2 Proof System Families

Modern ZK systems used in AI contexts fall into several families, each with different trade-offs:

| System  | Trusted Setup          | Proof Size | Verify Time | Prover Time | Best For            |
|---------|------------------------|------------|-------------|-------------|---------------------|
| Groth16 | Required (per-circuit) | ~200 bytes | Very fast   | Moderate    | Fixed ML circuits   |
| Halo2   | None (universal)       | ~KB        | Fast        | Slower      | Flexible ML ops     |
| Plonky3 | None                   | ~KB        | Fast        | Fast (FRI)  | General compute     |
| STARKs  | None                   | ~100 KB    | Moderate    | Moderate    | Post-quantum safety |

EZKL — the dominant open-source zkML toolkit — uses Halo2 as its backend. It accepts ONNX format models (exportable from PyTorch/TensorFlow) and compiles them to Halo2 circuits, making it possible to generate proofs without deep cryptography expertise.

Lagrange's DeepProve uses a custom proving stack optimized specifically for ML workloads, achieving up to 158x faster proof generation and 671x faster verification than baseline EZKL for equivalent models.

1.3 The Float-to-Field Problem

A fundamental technical challenge: ML models use floating-point arithmetic (IEEE 754), but ZK circuits operate over finite fields (modular integer arithmetic). Every real-valued operation must be converted to field operations.

The standard solution is quantization — approximating model weights and activations as fixed-point integers before circuit compilation. This introduces a small accuracy penalty (typically 0.5–2% on benchmark tasks) in exchange for ZK-provability. zkPyTorch (released March 2025) automates this conversion for PyTorch models, enabling VGG-16 inference proofs in ~2.2 seconds.
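The quantize-then-compute flow can be sketched in a few lines: map floats to fixed-point field elements, do the arithmetic entirely modulo a prime (as a circuit would), then rescale. The scale factor, field prime, and function names below are illustrative choices, not values taken from zkPyTorch or EZKL.

```python
# Minimal sketch of the float-to-field conversion. The modulus and scale
# are illustrative, not mandated by any particular zkML toolkit.
PRIME = 2**61 - 1        # Mersenne prime used as a toy field modulus
SCALE = 2**16            # fixed-point scale: float x -> round(x * SCALE)

def quantize(x: float) -> int:
    """Map a float to a field element (negatives wrap around mod PRIME)."""
    return round(x * SCALE) % PRIME

def field_dot(weights, inputs) -> int:
    """Dot product entirely in field arithmetic, as a circuit computes it."""
    acc = 0
    for w, x in zip(weights, inputs):
        acc = (acc + w * x) % PRIME
    return acc

def dequantize(v: int) -> float:
    """Map a product-of-two-quantized-values result back to a float;
    values above PRIME // 2 represent negatives."""
    if v > PRIME // 2:
        v -= PRIME
    return v / (SCALE * SCALE)   # two scaled factors were multiplied

w = [0.5, -1.25, 2.0]
x = [1.0, 0.8, -0.4]
exact = sum(wi * xi for wi, xi in zip(w, x))          # -1.3 in float math
approx = dequantize(field_dot([quantize(v) for v in w],
                              [quantize(v) for v in x]))
assert abs(exact - approx) < 1e-3                     # small quantization error
```

The residual error here is the accuracy penalty the text describes; real toolkits also have to handle non-linear ops (softmax, normalization) with polynomial or lookup-table approximations, which is where most of the difficulty lives.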


2. ZKML: Verifiable Machine Learning Inference

2.1 The Trust Problem ZKML Solves

When an AI agent calls an LLM API or runs a local model, the caller has no cryptographic guarantee that:

  • The claimed model was actually used (vs. a cheaper substitute)
  • The output wasn't tampered with in transit
  • The computation was complete (no early exits or corrupted weights)

For high-stakes decisions — financial, medical, legal, safety-critical — this is a significant trust gap. ZKML closes it by producing a succinct proof alongside each inference, checkable by any party in milliseconds.

2.2 Current State of the Art

Lagrange DeepProve-1 (2025): The first production-ready system to prove full GPT-2 inference. GPT-2 (124M parameters) is the "Hello World" of verifiable generative AI — small enough to be provable, large enough to be meaningful. Performance against EZKL baseline:

  • Proof generation: up to 158x faster
  • Verification: up to 671x faster
  • One-time setup: up to 1150x faster

zkPyTorch (March 2025): A hierarchically optimized compiler that takes PyTorch models directly and compiles them to ZK circuits. VGG-16 (a 138M parameter vision model) proves in 2.2 seconds. Represents a major usability milestone — ML engineers can generate ZK proofs without knowing any cryptography.

EZKL benchmarks: For smaller convolutional networks (~18M parameters), Modulus Labs has demonstrated on-chain proof verification. Proving times range from seconds (simple classifiers) to minutes (larger models) on CPU; GPU support, added in 2025 across all major frameworks, promises 5–10x speedups.

2.3 Practical Overhead Reality

The honest picture for production agents:

| Model Scale                     | Proof Time (CPU) | Proof Time (GPU) | Practical?       |
|---------------------------------|------------------|------------------|------------------|
| Simple classifier (<1M params)  | <1 second        | <0.1 second      | Yes              |
| ResNet-50 (~25M params)         | 30–120 seconds   | 3–15 seconds     | Selective use    |
| GPT-2 (124M params)             | Minutes          | 10–60 seconds    | Async only       |
| GPT-3 scale (175B params)       | Not feasible     | Not feasible     | Research horizon |

The gap between provable models and state-of-the-art LLMs remains large. The practical deployment pattern is asynchronous proof generation: the agent produces its output immediately, then a background prover generates the proof over the next seconds or minutes. Downstream consumers can wait for proof confirmation before acting on high-stakes outputs, while low-stakes operations proceed without waiting.

2.4 The End-to-End Pipeline Problem

A 2025 arXiv paper ("A Framework for Cryptographic Verifiability of End-to-End AI Pipelines") identified that ZKML alone is insufficient — a full verifiable AI pipeline requires proofs over:

  1. Input preprocessing (tokenization, embedding)
  2. Model inference (the ZKML part)
  3. Output postprocessing (decoding, sampling)
  4. Any tool calls or retrieval steps

The paper notes: "As yet, there are no implementations of a fully verifiable pipeline, although work towards this goal has begun." Current ZKML systems prove inference in isolation; the surrounding pipeline is typically verified via other means (attestation, logging, or trusted hardware).


3. Agent Identity and ZK Credentials

3.1 Why Traditional IAM Fails for Agents

Identity and access management was designed for humans logging into systems. Its assumptions break catastrophically for autonomous AI agents:

  • Ephemerality: Agents spin up and down dynamically; static service accounts don't scale
  • Delegation chains: An agent acting on behalf of a user on behalf of an organization creates multi-hop authorization chains with no standard representation
  • Capability drift: Agents acquire and shed capabilities dynamically; static role assignments are too coarse
  • Scale: A single AI service might spawn thousands of agent instances simultaneously

ISACA's 2025 analysis called this the "Looming Authorization Crisis" for agentic AI. A 2025 arXiv paper ("A Novel Zero-Trust Identity Framework for Agentic AI") proposes a layered architecture incorporating DIDs (Decentralized Identifiers), Verifiable Credentials (VCs), and ZKPs as its three layers.

3.2 Verifiable Credentials with ZK Disclosure

The W3C Verifiable Credentials standard combined with ZKPs enables selective disclosure: an agent can prove specific attributes of its identity without revealing the full credential.

Practical examples:

  • "I am authorized to access production databases" — without revealing which organization issued the authorization or what that authorization covers
  • "I have been audited and comply with ISO 27001" — without revealing the audit findings or the auditor
  • "My decision was made using model version X" — without exposing model weights

The cryptographic mechanism is a ZK proof of knowledge of a valid credential signature — the agent proves it holds a credential signed by a trusted issuer, without revealing the credential content.
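The commit/disclose shape behind selective disclosure can be sketched with salted hash commitments. This is a deliberately weaker building block than the ZK signature proofs described above (real VC systems use constructions like BBS+ so nothing but the chosen attribute leaks); all function names and attribute values here are hypothetical.

```python
import hashlib
import secrets

# Sketch of selective disclosure via salted hash commitments. Real VC
# systems prove knowledge of the issuer's signature in zero knowledge
# instead of revealing sibling hashes.

def _leaf(entry: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + entry.encode()).digest()

def issue(attributes: dict[str, str]):
    """'Issuer' commits to every attribute; the root stands in for the credential."""
    salts = {k: secrets.token_bytes(16) for k in attributes}
    leaves = {k: _leaf(f"{k}={v}", salts[k]) for k, v in attributes.items()}
    root = hashlib.sha256(b"".join(leaves[k] for k in sorted(leaves))).digest()
    return root, salts, leaves

def disclose(attributes, salts, leaves, key: str):
    """Agent reveals one attribute plus the hiding hashes of the others."""
    others = {k: leaves[k] for k in leaves if k != key}
    return {"key": key, "value": attributes[key], "salt": salts[key],
            "others": others}

def verify_disclosure(root: bytes, d) -> bool:
    """Verifier recomputes the opened leaf and the root; sees only one value."""
    leaves = dict(d["others"])
    leaves[d["key"]] = _leaf(f"{d['key']}={d['value']}", d["salt"])
    recomputed = hashlib.sha256(
        b"".join(leaves[k] for k in sorted(leaves))).digest()
    return recomputed == root

creds = {"org": "ExampleCorp", "role": "db-admin", "audit": "ISO-27001-pass"}
root, salts, leaves = issue(creds)
proof = disclose(creds, salts, leaves, "role")
assert verify_disclosure(root, proof)   # "role" revealed; org and audit hidden
```

The salts are what make the undisclosed leaf hashes hiding: without them, a verifier could brute-force low-entropy attribute values against the published hashes.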

3.3 Binding Agent Identity to Computation

The paper "Binding Agent ID: Unleashing the Power of AI Agents" (arXiv 2512.17538) addresses a deeper problem: how to cryptographically bind an agent's identity to its actions. Without this binding, an agent could claim any identity.

The proposed solution combines:

  • A persistent cryptographic key pair for the agent (analogous to an SSH key)
  • ZK proofs that link each action to the agent's key and to the specific model/version that produced it
  • Commitment schemes that allow the agent to commit to its intended actions before taking them, provably consistent with its stated policy

This is the cryptographic foundation for accountable agency: not just knowing what an agent did, but provably knowing which agent did it and that the action was consistent with its authorized policy.
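The commit-then-act shape can be sketched as follows. HMAC stands in for a digital signature so the example stays in the standard library — a real deployment would use Ed25519 or similar, so verification would not require access to the agent's secret key — and all identifiers below are illustrative.

```python
import hashlib
import hmac
import secrets

# Sketch of "commit, then act, then reveal" identity binding.
# HMAC is a stand-in for a real signature scheme (e.g. Ed25519).

class Agent:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # persistent key-pair analogue
        self.agent_id = hashlib.sha256(self._key).hexdigest()

    def commit(self, action: str):
        """Commit to an intended action before executing it."""
        nonce = secrets.token_bytes(16)
        commitment = hashlib.sha256(nonce + action.encode()).hexdigest()
        tag = hmac.new(self._key, commitment.encode(), hashlib.sha256).hexdigest()
        return commitment, tag, nonce

    def reveal(self, action: str, nonce: bytes):
        return {"agent_id": self.agent_id, "action": action, "nonce": nonce}

def verify_binding(key: bytes, commitment: str, tag: str, revealed) -> bool:
    """Auditor (holding the escrowed key in this sketch) checks both bindings:
    the commitment matches the revealed action, and the tag matches the key."""
    opening = hashlib.sha256(
        revealed["nonce"] + revealed["action"].encode()).hexdigest()
    key_ok = hmac.compare_digest(
        tag, hmac.new(key, commitment.encode(), hashlib.sha256).hexdigest())
    return opening == commitment and key_ok

agent = Agent()
commitment, tag, nonce = agent.commit("transfer:42:acct-A->acct-B")
# ... the action executes here ...
record = agent.reveal("transfer:42:acct-A->acct-B", nonce)
assert verify_binding(agent._key, commitment, tag, record)
```

Publishing the commitment before execution is what makes the agent accountable: it cannot later claim a different intended action, because any substitute fails to open the commitment.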


4. Privacy-Preserving Audit Trails

4.1 The Auditability-Privacy Tension

Autonomous agents operating in regulated environments face a fundamental contradiction:

  • Regulators require complete audit trails of agent actions and decisions
  • Users and operators require privacy for the content of those actions

Traditional approaches force a choice: full transparency (expose everything to auditors) or opacity (no meaningful audit). ZKPs dissolve this trade-off.

4.2 ZK-MCP: Auditable Agent Communication

The paper "Zero-Knowledge Audit for Internet of Agents" (arXiv 2512.14737) proposes integrating ZKPs with the Model Context Protocol to create privacy-preserving audit trails.

The architecture:

  1. Agent communications are committed to via cryptographic hashes (the prover knows the content; the verifier only knows the hash)
  2. When an auditor requests verification, the agent generates a ZK proof that the committed communication satisfies specific properties (e.g., "this message complied with policy X") without revealing the message content
  3. The auditor verifies the proof — confirming compliance without seeing the data

Performance: The paper reports total overhead below 4.14% of communication costs, with asynchronous proof generation ensuring minimal impact on real-time communication. This is production-viable.
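The commit-first, audit-later architecture can be sketched with a salted hash chain. Note the simplification: this sketch opens one entry in full when audited, whereas the paper's ZK proofs establish policy predicates about an entry without opening anything. All names and messages below are illustrative.

```python
import hashlib
import secrets

# Sketch of a commit-then-audit log: chain heads and leaf hashes are the
# public audit trail; message content stays private until an entry is opened.

def commit_message(prev: bytes, message: str):
    salt = secrets.token_bytes(16)
    leaf = hashlib.sha256(salt + message.encode()).digest()
    head = hashlib.sha256(prev + leaf).digest()   # chain head after this entry
    return head, leaf, salt

# Agent side: log three messages, publishing only chain heads and leaves.
GENESIS = b"\x00" * 32
messages = ["fetch:inventory", "query:price-list", "write:order-7"]
heads, leaves, salts = [GENESIS], [], []
for m in messages:
    head, leaf, salt = commit_message(heads[-1], m)
    heads.append(head)
    leaves.append(leaf)
    salts.append(salt)

def audit_open(index: int):
    """Agent opens exactly one entry in response to an auditor's query."""
    return {"index": index, "message": messages[index], "salt": salts[index]}

def audit_verify(opening) -> bool:
    """Auditor checks the opened entry against the public commitments only."""
    i = opening["index"]
    leaf = hashlib.sha256(
        opening["salt"] + opening["message"].encode()).digest()
    return (leaf == leaves[i] and
            hashlib.sha256(heads[i] + leaf).digest() == heads[i + 1])

assert audit_verify(audit_open(1))   # entry 1 disclosed; 0 and 2 stay private
```

The hash chain gives the immutability and ordering properties an auditor needs; replacing the full opening with a ZK proof of a policy predicate over the committed content is exactly the step the ZK-MCP design adds.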

4.3 Mutual Auditing Between Agents

An underappreciated capability: ZK auditing enables bidirectional accountability between agents. Agent A can verify that Agent B's outputs meet quality standards while Agent B verifies Agent A's usage metrics — both without either party exposing their internals to the other.

This is particularly valuable for multi-agent markets: AI agents exchanging services need to verify each other's performance without creating a data exfiltration risk. ZK proofs provide the cryptographic handshake.

4.4 Regulatory Alignment

The EU AI Act (fully applicable from August 2026) requires high-risk AI systems to maintain logs sufficient for post-hoc auditing. GDPR Article 25 requires privacy by design. These requirements conflict with naive logging.

ZK-based audit frameworks satisfy both: the audit trail exists (the commitments are public and immutable), but the content is private unless a ZK proof is generated specifically for the auditor's stated query. This is query-scoped disclosure — a fundamentally better model than the current choice between full exposure and no exposure.


5. Current Tooling Ecosystem

5.1 EZKL

The most widely used open-source zkML toolkit. Takes ONNX model files and produces:

  • A ZK circuit (the arithmetized version of the model)
  • A proving key (used by the prover to generate proofs)
  • A verification key (used by anyone to verify proofs)

Supports Python, JavaScript, and CLI interfaces. The main limitation is performance — Halo2-based proofs are slower than Groth16 for fixed circuits.

Repository: github.com/zkonduit/ezkl

5.2 Lagrange DeepProve

Production-focused system from Lagrange Labs, optimized for neural network workloads. Supports ONNX and GGUF formats, making it compatible with the local LLM ecosystem (llama.cpp models export as GGUF). Its speedups over baseline EZKL — up to 158x proving and 671x verification — make it the current leader for LLM-scale proofs.

Repository: github.com/Lagrange-Labs/deep-prove

5.3 zkPyTorch

Released March 2025. A compiler layer that integrates directly into the PyTorch training/inference stack. Eliminates the manual ONNX export step and handles quantization automatically. Particularly notable for vision models — VGG-16 in 2.2 seconds is a significant benchmark.

5.4 Emerging Standards

Two standards are emerging for agent-to-agent economic interactions that require ZK verification:

  • x402 — a payment protocol for agent APIs where payment proofs are ZK-based
  • ERC-8004 — a proposed Ethereum standard for agent capability attestation

These signal a broader trend: ZKPs are becoming infrastructure for the agent economy, not just an academic curiosity.


6. Deployment Patterns for AI Agent Systems

6.1 Pattern: Async Proof Generation

For latency-sensitive agents, proof generation runs as a background task:

User request → Agent inference (immediate, no proof) → Return response
                ↓
         Async proof job queued
                ↓
         Proof generated (seconds to minutes)
                ↓
         Proof stored / made available for verification

Downstream consumers that need proof-of-correctness poll or subscribe for proof availability before acting on high-stakes results. This pattern works for most real-world use cases where the action taken on an inference is itself not instantaneous.
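The pipeline above can be sketched with a background prover thread: inference returns immediately, a worker attaches a proof later, and consumers poll (or block) until the proof exists. The "proof" here is a placeholder hash standing in for a real zkML prover call (e.g. via EZKL), and all names are illustrative.

```python
import hashlib
import queue
import threading
import time

# Sketch of async proof generation: respond now, prove later.
proof_store: dict[str, str] = {}      # job_id -> proof, filled in by the worker
jobs = queue.Queue()

def infer(request: str):
    """Return the response right away and enqueue a proof job."""
    response = f"answer-for:{request}"            # stand-in for model inference
    job_id = hashlib.sha256(response.encode()).hexdigest()[:16]
    jobs.put((job_id, response))
    return job_id, response

def prover_worker():
    while True:
        job_id, response = jobs.get()
        time.sleep(0.05)                          # stands in for minutes of proving
        proof_store[job_id] = "proof:" + hashlib.sha256(response.encode()).hexdigest()
        jobs.task_done()

threading.Thread(target=prover_worker, daemon=True).start()

job_id, response = infer("classify:txn-991")      # low latency: no proof yet
assert job_id not in proof_store                  # proof not ready immediately
jobs.join()                                       # high-stakes consumer waits here
assert proof_store[job_id].startswith("proof:")   # proof available after the wait
```

Low-stakes consumers simply skip the `join` and act on the response immediately; high-stakes consumers block (or subscribe) until the proof lands, which is the tiering described in the next pattern.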

6.2 Pattern: Tiered Verification

Not all agent outputs warrant the same verification cost. A tiered approach:

  • Tier 0 (No proof): Internal, low-stakes computations (auto-complete, ranking, filtering)
  • Tier 1 (Hash commitment): Medium-stakes: output is committed, proof generated on demand if disputed
  • Tier 2 (Async ZK proof): High-stakes: proof generated for every output, available within minutes
  • Tier 3 (Sync ZK proof): Critical: verification required before any action is taken (small models only, or specialized hardware)

Most enterprise deployments in 2026 use Tier 0/1 for operational workflows and Tier 2 for financial, medical, and compliance-relevant outputs.
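Tier routing can be sketched as a small dispatch table keyed on output category; the categories and policy mapping below are illustrative, not a recommended production policy.

```python
import hashlib
from enum import IntEnum

# Sketch of tier routing: decide per output what verification artifact to produce.
class Tier(IntEnum):
    NO_PROOF = 0        # internal, low stakes
    COMMITMENT = 1      # hash commitment; proof on demand if disputed
    ASYNC_PROOF = 2     # proof generated for every output
    SYNC_PROOF = 3      # verification required before acting

# Illustrative routing policy, keyed on output category.
POLICY = {
    "autocomplete": Tier.NO_PROOF,
    "ranking": Tier.NO_PROOF,
    "financial": Tier.ASYNC_PROOF,
    "medical": Tier.ASYNC_PROOF,
    "actuation": Tier.SYNC_PROOF,
}

def handle_output(category: str, output: str) -> dict:
    tier = POLICY.get(category, Tier.COMMITMENT)   # unknown categories: commit
    record = {"tier": int(tier), "output": output}
    if tier >= Tier.COMMITMENT:
        record["commitment"] = hashlib.sha256(output.encode()).hexdigest()
    if tier >= Tier.ASYNC_PROOF:
        record["proof_status"] = "queued"          # handed to a background prover
    if tier == Tier.SYNC_PROOF:
        record["proof_status"] = "required-before-action"
    return record

assert "commitment" not in handle_output("ranking", "top-3: a,b,c")
assert handle_output("financial", "buy 10 units")["proof_status"] == "queued"
```

Defaulting unknown categories to Tier 1 is a deliberately conservative choice in this sketch: a hash commitment is cheap, and it preserves the option to generate a proof later if the output is ever disputed.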

6.3 Pattern: Proof-of-Policy Compliance

Rather than proving the full inference, agents can prove more specific, policy-relevant properties:

  • "This response did not include information from documents marked CONFIDENTIAL"
  • "This financial recommendation stayed within the client's stated risk tolerance"
  • "This action was authorized by a human with appropriate credentials before execution"

These "policy proofs" are smaller and faster to generate than full inference proofs. They're the near-term practical deployment path for regulated industries.


7. Limitations and Open Problems

7.1 The Model Size Gap

The gap between provable model sizes (~200M parameters today with specialized hardware) and state-of-the-art frontier models (~100B+ parameters) is roughly 3 orders of magnitude. Even assuming proof generation time scales linearly (it doesn't — it's worse), closing this gap requires years of hardware and algorithm improvement.

Practical implication: For the foreseeable future, verifiable AI inference applies to smaller specialized models (classifiers, domain-specific transformers, distilled models) rather than frontier general-purpose LLMs.

7.2 Circuit Complexity and Non-Standard Operations

ZK circuits are static arithmetic circuits. Dynamic operations — variable-length attention, conditional execution paths, tool calls mid-inference — complicate circuit design significantly. Modern attention mechanisms use softmax (requiring complex approximations in finite fields) and layer normalization (another approximation challenge).

Each non-standard operation requires custom circuit design and adds to proving time. The research frontier is developing efficient circuit gadgets for these operations.

7.3 Key Management for Agent Credentials

ZK credential systems require each agent instance to hold a cryptographic key pair. For ephemeral agents (spun up for a single task), key generation, distribution, revocation, and rotation must be automated and auditable. This is the same key management problem that plagues certificate infrastructure, now applied to potentially millions of agent instances.

7.4 Proof Inflation in Multi-Agent Chains

A chain of N agents, each generating proofs, produces N proofs. Verifying the entire chain requires verifying all N proofs. For long agent pipelines, this creates verification overhead that scales with chain length. Proof aggregation (combining multiple proofs into one) is an active research area — Plonky2/Plonky3 support recursive proof composition, which can compress a chain of N proofs into a single proof of constant size.


Implications for AI Agent Development

Zero-knowledge proofs represent a qualitative shift in what it means to build trustworthy AI agents. The previous generation of "trustworthy AI" relied on:

  • Process controls (who can deploy what)
  • Model cards and documentation
  • Post-hoc auditing and logging
  • Human oversight of critical decisions

ZKPs add a cryptographic layer that is fundamentally different in character: mathematical guarantees, not institutional ones. An agent that produces a ZK proof of its inference cannot have produced a different output without the proof failing — no process failure, human error, or institutional corruption can invalidate the guarantee.

The near-term (2026–2027) practical applications for agent builders:

  1. Use ZK credentials for agent authentication — replace API keys with verifiable credentials for agent-to-agent communication; the infrastructure (DIDs, VCs, ZKP libraries) is mature enough to deploy
  2. Implement commitment-based audit trails — even without full inference proofs, committing to agent outputs cryptographically enables on-demand disclosure without storing everything in plaintext
  3. Adopt EZKL or zkPyTorch for specialized models — if your agent uses domain-specific classifiers or small transformers for specific decisions, ZK proofs are practical today
  4. Design for async proof generation — an architecture that can attach proofs to outputs after the fact is far easier to retrofit with verifiability than a fully synchronous pipeline
  5. Watch DeepProve — Lagrange is targeting medium-scale LLMs next; the gap between provable and deployable is closing faster than most practitioners expect

The trend line is clear: within 3–5 years, "verifiable AI" will be a standard requirement for agents operating in high-stakes domains, not an optional cryptographic curiosity.


References