Zero-knowledge AI

Zero-knowledge AI

“Zero-knowledge computing” is not a precise product category. It can refer to several very different techniques:

  • a zero-knowledge proof of a statement
  • fully homomorphic encryption, or FHE
  • secure multi-party computation, or MPC
  • private information retrieval, or PIR
  • trusted execution environments, which are not zero knowledge

The company must name the technique and the exact claim it supports. Otherwise the phrase becomes privacy marketing without an auditable meaning.

Zero-knowledge proofs

A zero-knowledge proof can show that a statement or computation is valid without revealing a protected witness.

For AI, it can help prove that an output was produced by a declared model, version, or policy. That is valuable for auditability, eligibility, and “proof-carrying” workflows.

It does not automatically hide a prompt from the computer that performed ordinary inference. A proving server may still receive plaintext unless another privacy mechanism protects it.

Research on zkLLM-style proofs is promising but does not provide interactive general-chat latency. Treat ZK inference as a future assurance feature, not the first confidentiality control.

Fully homomorphic encryption

FHE lets a server compute on ciphertext without learning the plaintext input. Concrete ML documents a client-server flow where a client generates keys, sends encrypted input, and decrypts an encrypted result.

This is real and valuable. It is currently best for bounded, quantized, or hybrid workloads:

  • private classification
  • narrow risk scoring
  • simple structured decisions
  • selected tabular or tree-model inference
  • research pilots with tightly constrained neural components

It is not ready to power a responsive, frontier-quality general chat service. Research on encrypted LLM inference still reports extremely high latency. One 2026 preprint reports less than 100 seconds per output token for a Llama-3-8B configuration, which is a research achievement, not interactive chat.

Secure multi-party computation

MPC can let deliberately independent parties jointly evaluate a function on secret-shared inputs. It can be useful where two or more organizations need a narrow calculation without revealing their raw datasets to each other.

It requires purpose-built protocols, non-colluding parties, and careful treatment of communication, nonlinear operations, latency, and output leakage.

Sending fragments of a prompt to several ordinary LLM APIs is not MPC. Those APIs cannot infer over cryptographic shares.

Private information retrieval

PIR can hide which record a client retrieves from a database. It can help with a model catalog, policy lookup, threat-intelligence search, or other static retrieval problem.

It does not prevent a chosen document chunk from becoming visible if the chunk is later sent to an ordinary cloud model.

What to pursue now

Build:

  • local models and local retrieval
  • attested confidential cloud for powerful inference
  • Privacy Pass or similar opaque entitlements where appropriate
  • narrow FHE proof-of-concepts for classifiers or structured decisions
  • ZK receipts or model-version proofs for high-value audited workflows

Research:

  • MPC only with independent partners and a very narrow computation
  • FHE for selected vertical workflows
  • ZK proofs for verifiable model execution

Do not launch:

  • “zero-knowledge ChatGPT”
  • general private chat based on natural-language request splitting
  • a claim that FHE, ZK, or MPC removes all metadata, endpoint, legal, or safety risks

Confidential AI computing is the practical current route. Private AI routing explains how to keep the necessary remote route small and visible.

Sources

  1. docs.zama.ai
  2. docs.zama.ai
  3. arxiv.org
  4. arxiv.org
  5. openmined.org
  6. rfc-editor.org