Zero-Knowledge Proofs
Zero-knowledge proofs are cryptographic protocols that let a prover convince a verifier that a formal statement is true without revealing the private information, or witness, that makes the statement true. They are a way to separate verification from disclosure.
Definition
A zero-knowledge proof, or ZKP, is a proof protocol in which a prover demonstrates that a precise statement is true while revealing no information beyond that truth. In the proof-of-knowledge form, the prover shows knowledge of a secret witness that satisfies a public relation, without disclosing the witness itself.
The original Goldwasser-Micali-Rackoff paper defined zero-knowledge proofs as proofs that convey no additional knowledge other than the correctness of the proposition. NIST now describes ZKPs as a main tool of privacy-enhancing cryptography and emphasizes the public-statement, secret-witness framing.
The practical distinction matters. A ZKP can prove that a computation, credential predicate, or cryptographic relation was satisfied. It does not prove that the real-world source data was lawful, that a model is fair, that a claim is socially adequate, or that an organization deserves trust outside the exact statement encoded in the proof.
Snapshot
- Core idea: separate verification from disclosure by proving a formal statement without revealing the witness that makes it true.
- Minimum vocabulary: relation, statement or public instance, witness, proof, verifier, security assumptions, setup model, public inputs, and transcript or non-interactive proof.
- Current standards posture: NIST treats ZKPs as privacy-enhancing cryptography and is accompanying developments toward future standards; ZKProof provides community reference material, but its version 0.3 reference remains an incomplete draft.
- Credential relevance: W3C verifiable-credential work and EU Digital Identity Wallet architecture materials connect ZKPs with selective disclosure, unlinkability, predicate proofs, and privacy-preserving revocation.
- AI relevance: ZKPs can support narrow claims about committed inputs, evaluation runs, credential predicates, and verifiable computation; they do not certify model truthfulness, fairness, safety, or legitimacy by themselves.
- Main governance risk: proof-washing, where a narrow mathematical proof is marketed as broad institutional trust.
Current Context
As of this June 25, 2026 review, ZKPs sit between mature cryptographic theory and fast-moving deployment practice. NIST's Privacy-Enhancing Cryptography project maintains a dedicated ZKP page, says ZKPs are useful both on their own and inside other cryptographic protocols such as secure multi-party computation, and states that NIST is accompanying ZKP developments and initiatives toward future useful standards. NIST also links ZK proofs of knowledge to its multi-party threshold cryptography work, which matters because many threshold systems need parties to prove correct key or share behavior without revealing secrets.
Standardization is still active rather than finished. ZKProof describes itself as an open industry-academic initiative focused on interoperability and security. Its Community Reference is useful, but the 0.3 version describes itself as an incomplete draft and a basis for further development, not a final universal standard.
Digital identity has made the privacy stakes concrete. The European Digital Identity Regulation and EU Digital Identity Wallet architecture materials discuss zero-knowledge proof and selective disclosure so a relying party can validate an attribute or predicate without receiving all underlying identity data. The current EUDI Wallet Architecture and Reference Framework discussion topic lists privacy properties such as selective disclosure, relying-party unlinkability, full unlinkability, range proofs, privacy-preserving revocation, issuer hiding, pseudonymity, composite proofs, blind issuance, and conditional disclosure. Those are design goals and scheme properties, not automatic deployment outcomes.
W3C's Verifiable Credentials Data Model 2.0 is a W3C Recommendation, while proof mechanisms sit in related specifications and cryptosuites. The W3C Data Integrity BBS Cryptosuites specification defines use of the BBS signature scheme for selective disclosure and unlinkable proofs in the issuer-holder-verifier model. The related IRTF CFRG BBS Signatures draft is still an Internet-Draft as of this review date, so source discipline should distinguish a W3C credential cryptosuite, an IRTF cryptographic draft, and an implemented wallet product.
The AI context is newer. Privacy-enhancing technologies are being discussed as ways to enable analysis, collaboration, and audit over sensitive data, but GAO's 2026 technology spotlight notes implementation barriers such as cost, guidance gaps, and workforce constraints. ZKPs should therefore be treated as high-value infrastructure for specific claims, not as a general privacy or AI-safety cure.
Core Properties
Completeness means an honest prover can convince an honest verifier when the statement is true. Soundness means a dishonest prover cannot feasibly convince the verifier of a false statement under the protocol's assumptions. Zero knowledge means the verifier learns nothing beyond the fact that the statement is true. In proof-of-knowledge settings, the claim is usually that the prover knows a witness satisfying a public relation.
Those words are not slogans. They are security properties under a model. The guarantee depends on the exact protocol, assumptions, setup, implementation, public inputs, verifier code, and threat model. A proof can be zero-knowledge about the witness while still leaking information through metadata, timing, network context, public inputs, or repeated use.
Modern ZKP systems include families such as sigma protocols, zk-SNARKs, zk-STARKs, Bulletproofs, PLONK-style systems, BBS-derived selective-disclosure proofs, and other proof systems with different tradeoffs. Some emphasize succinct verification, some avoid trusted setup, some target transparency, some rely on pairing-friendly curves or hash functions, and some are optimized for specific circuits or applications. The family name alone is not enough to evaluate security.
Why It Matters for AI
AI governance increasingly needs proofs about systems without full disclosure of the system. A model provider may want to prove that an evaluation was run, a dataset rule was followed, a computation was performed correctly, or a credential condition was met without exposing proprietary weights, private records, or sensitive identity attributes.
ZKPs are therefore relevant to verifiable AI audits, privacy-preserving identity, confidential compliance, provenance systems, private model evaluation, and claims about computation. They do not make a model truthful by themselves. They can, however, let a system prove that a specific formal statement about a computation is true.
That distinction matters. A proof can verify a circuit, relation, committed input, or execution trace. It cannot by itself verify the moral adequacy of the question encoded into the circuit. ZKPs are powerful where the claim can be formalized precisely and dangerous where social trust is reduced to a proof that does not cover the real-world risk.
In AI assurance, a useful ZKP claim might say: this committed model version produced this output on this committed test set under this disclosed evaluation code, or this credential predicate was satisfied without revealing the credential. A weak claim would say: the system is safe because it has a proof. The first is audit evidence. The second is proof-washing.
Common Uses
- Private identity and credentials: proving eligibility, membership, age range, income threshold, or authorization without revealing full identity records.
- Verifiable computation: proving that a computation was performed correctly without rerunning or disclosing every input.
- Blockchain scalability and privacy: verifying transaction validity, batch execution, or private-transfer conditions with compact public checks, depending on the protocol design.
- Compliance proofs: demonstrating that a formal rule was followed without exposing protected records or proprietary internals.
- Cryptographic protocol hygiene: proving correct behavior inside threshold signatures, multi-party computation, credential systems, and other protocols.
- Private AI evaluation: proving narrow claims about evaluation, access authorization, committed datasets, or training procedures where some data or model details must remain confidential.
Governance and Safety
ZKPs are governance tools when they produce evidence that a reviewer, user, customer, regulator, or affected person can understand in context. The proof should be accompanied by the statement being proved, the verifier code or specification, the system version, public inputs, assumptions, setup information, and the operational consequence of a failed proof.
- Data minimization: ZKPs can help satisfy a service or audit need without collecting full identity, financial, health, or employment records. They should be paired with data minimization, retention limits, and access controls.
- Audit evidence: for AI audits, a proof can support a narrow technical claim while preserving confidentiality. It should not replace broader evidence about data provenance, impact assessment, red-team findings, incident history, and human workflow.
- Procurement and assurance: buyers should require proof statements, verifier reproducibility, parameter choices, key custody, update rules, and failure handling before accepting a ZKP-backed claim.
- Digital identity: selective disclosure can reduce profiling and overcollection, but wallet systems still need revocation, issuer accountability, anti-correlation design, usability, accessibility, non-discrimination review, and remedies for exclusion or misuse.
- Security review: proof systems need cryptographic review, circuit audits, implementation testing, setup governance where applicable, and monitoring for side channels and metadata leakage.
- Public communication: a proof should be described as evidence for a specific formal statement, not as a general trust mark for an organization, model, or platform.
For AI systems, the strongest use is usually constrained assurance: proving that a named verifier accepted a named statement about committed inputs, a model version, an evaluation program, or an authorization predicate. The surrounding governance record still needs source provenance, model and dataset documentation, change management, incident history, and human oversight.
Proof Evidence Record
A ZKP-backed governance claim should be reviewable without forcing disclosure of the witness. A minimum evidence record should include:
- Statement: the exact formal claim being proved, in plain language and machine-readable form where possible.
- Relation and witness: what relation the witness satisfies, what the witness represents in the real system, and which parts remain secret.
- Public inputs: commitments, hashes, timestamps, identifiers, policy versions, model versions, dataset commitments, credential schemas, or verifier parameters exposed to the verifier.
- Proof system: protocol family, implementation, version, assumptions, setup model, trusted-setup ceremony or transparency claim, and any third-party audits.
- Verifier: verifier code, specification, test vectors, deployment location, acceptance criteria, and how verifier updates are governed through AI Change Management when the proof supports an AI system.
- Operational consequence: what happens when proof generation fails, verification fails, a credential is revoked, public inputs are stale, or a verifier version is retired.
- Residual exposure: metadata, timing, network identifiers, public attributes, correlation handles, logs, and other data still visible outside the proof.
- Audit link: where the proof event appears in AI Audit Trails, procurement records, identity-wallet logs, or compliance evidence.
Limits and Failure Modes
- Statement design: a ZKP only proves the formal statement encoded by the system, not every surrounding claim people may infer from it.
- Trusted setup: some proof systems require setup ceremonies or common reference strings whose compromise can undermine security.
- Implementation complexity: circuits, arithmetic constraints, compilers, hash functions, curves, keys, verifiers, and serialization formats introduce new engineering risk.
- Performance cost: proof generation can be expensive, especially for large computations.
- Metadata leakage: a proof may hide the witness while timing, access patterns, public inputs, or surrounding context still reveal sensitive facts.
- Input truth: a proof can show that a computation was performed over committed data, but it cannot prove that the data was lawfully collected, representative, or ethically appropriate unless those facts are separately encoded and evidenced.
- Verifier risk: a weak, outdated, or non-public verifier can turn a mathematically sound proof into unauditable infrastructure.
- Revocation and freshness: credential predicates and compliance claims need expiry, revocation, replay protection, and versioning.
- Proof-washing: institutions may present a narrow proof as if it validates a broad safety, fairness, privacy, or compliance claim.
- False authority: users may treat a proof as a general trust mark even when it verifies only a narrow technical claim.
- Standard confusion: a draft reference, cryptographic primitive, credential data model, wallet architecture topic, vendor wallet, and audited deployment can be incorrectly treated as the same maturity level.
Source Discipline
Use Goldwasser, Micali, and Rackoff for the foundational definition; NIST PEC for U.S. government framing of ZKPs as privacy-enhancing cryptography; ZKProof for community reference and standardization work; W3C and EU materials for credential and wallet claims; IETF/IRTF drafts only as drafts unless finalized; and protocol-specific papers or official documentation for particular proof systems.
Do not cite a blockchain, identity, or AI vendor's marketing page as evidence that a ZKP system is secure. Vendor material can document what a product claims to do, but security claims need protocol papers, standards material, audits, implementation records, and threat models.
Always name the statement being proved. "Uses zero knowledge" is not a complete claim. A source-disciplined statement identifies the relation, witness, public inputs, proof system, setup model, verifier, assumptions, version, implementation, and what information remains exposed outside the proof.
For AI uses, separate three questions: whether a proof verifies a computation, whether the input data and model are appropriate, and whether the deployment is socially or legally acceptable. ZKPs can help with the first question and sometimes support evidence for the second. They do not settle the third by themselves.
Spiralist Reading
Zero-knowledge proofs are the mathematics of saying: believe this relation, not my confession.
The old institution demanded records, documents, signatures, testimony, files, and bodies. The proof system offers a different ritual. It says the secret exists, the rule was satisfied, the computation closed, and the verifier may know only that.
For Spiralism, ZKPs are important because they show how trust can become executable without becoming fully transparent. In the age of AI, this is both liberation and danger. A system that proves narrow truths can protect people from needless exposure, but it can also invite institutions to replace judgment with formalized verification theater.
Open Questions
- Which AI audit claims can be reduced to formal proof statements without hiding the risks that matter to affected people?
- How should regulators and customers evaluate ZKP-backed claims when verifier code, setup parameters, or witness commitments are confidential?
- Can selective disclosure identity systems prevent correlation and profiling in real deployment, not only in protocol diagrams?
- What audit trail proves that a ZKP verifier, circuit, model version, and public inputs were the ones actually used?
- How should proof systems communicate limits to ordinary users so "verified" does not become a misleading trust badge?
Related Pages
- Secure Multi-Party Computation
- Homomorphic Encryption
- Confidential Computing for AI
- Differential Privacy
- Federated Learning
- Content Provenance and Watermarking
- AI Data Provenance
- AI Audit Trails
- Data Minimization
- Contextual Integrity
- Digital Identity
- Age Assurance
- Digital Public Infrastructure
- AI Audits and Third-Party Assurance
- AI Procurement
- AI System Inventory
- AI Change Management
- Model Cards and System Cards
- AI Safety Cases
- AI Incident Reporting
- Secure AI System Development
- Cognitive Sovereignty
- NIST AI Risk Management Framework
- Privacy and Data
- Research and Editorial Standards
Sources
- Goldwasser, Micali, and Rackoff, The Knowledge Complexity of Interactive Proof Systems, SIAM Journal on Computing, 1989.
- Fiat and Shamir, How to Prove Yourself: Practical Solutions to Identification and Signature Problems, CRYPTO 1986 proceedings, Springer, 1987.
- NIST CSRC, Zero-Knowledge Proof (ZKP), Privacy-Enhancing Cryptography project page, reviewed June 25, 2026.
- NIST CSRC, Privacy-Enhancing Cryptography project, reviewed June 25, 2026.
- NIST CSRC, NIST Workshop on Privacy-Enhancing Cryptography 2024, reviewed June 25, 2026.
- ZKProof, ZKProof Standards, reviewed June 25, 2026.
- ZKProof, ZKProof Community Reference, Version 0.3, July 2022; reviewed June 25, 2026.
- W3C, Verifiable Credentials Data Model v2.0, reviewed June 25, 2026.
- W3C, Verifiable Credential Data Integrity 1.0, reviewed June 25, 2026.
- W3C, Data Integrity BBS Cryptosuites v1.0, reviewed June 25, 2026.
- IETF Datatracker, draft-irtf-cfrg-bbs-signatures: The BBS Signature Scheme, Internet-Draft, reviewed June 25, 2026.
- W3C Verifiable Credentials Working Group, Verifiable Credentials Data Model Explainer, reviewed June 25, 2026.
- EUR-Lex, Regulation (EU) 2024/1183 establishing the European Digital Identity Framework, official text.
- European Commission, EU Digital Identity Wallet security and privacy, reviewed June 25, 2026.
- EU Digital Identity Wallet Architecture and Reference Framework, Topic G: Zero Knowledge Proof, version 2.9.0; reviewed June 25, 2026.
- U.S. Government Accountability Office, Science & Tech Spotlight: Privacy Enhancing Technologies, May 19, 2026.
- NIST, AI Risk Management Framework, reviewed June 25, 2026.
- ethereum.org, Zero-knowledge proofs, reviewed June 25, 2026.