ZKTorch: Efficient ML Zero-Knowledge Proofs

• ZKTorch is an open-source end-to-end system that converts ML models into cryptographic blocks for verifiable and weight-private inference.
• It compiles diverse ML architectures into 61 basic cryptographic blocks via a rule-based pipeline that optimizes and fuses operations for reduced proof sizes and faster proving times.
• The system aggregates thousands of SNARK proofs using a novel parallel extension of the Mira accumulation scheme, achieving up to 6× speedup in proving time for real-world applications.

ZKTorch is an open-source end-to-end proving system for ML inference that enables zero-knowledge proofs (ZKPs) of model correctness without revealing proprietary model weights. ZKTorch achieves performance gains and practical scalability by compiling arbitrary ML architectures into a directed acyclic graph of basic cryptographic blocks, each validated with tailored protocols, and aggregates proofs using a novel parallel extension of the Mira accumulation scheme. Its approach addresses inefficiencies in prior circuit-compiled and specialized cryptographic ML proving systems, reducing proof sizes and improving proving times by significant factors, and enabling verifiable, weight-private ML inference in real-world applications (Chen et al., 9 Jul 2025).

1. System Architecture and Objectives

ZKTorch is designed to convince a verifier that an ML model's inference was executed correctly, while keeping the model weights confidential—a requirement in applications where transparency is demanded but the model owner’s intellectual property must be preserved. The system supports a wide range of ML models, including convolutional neural networks (CNNs), recurrent neural networks (RNNs), and modern transformers, by decomposing the computational graph into a set of 61 basic blocks, each corresponding to standard ML operations (e.g., matrix multiplication, addition, non-linear lookups).

The system’s objectives are twofold:

• Generality: Support for diverse and evolving ML architectures without requiring custom protocol development for each new model family.
• Efficiency: Achieve small proof sizes and manageable proving times for large models, overcoming the prohibitive overhead of previous approaches.

2. Compilation to Basic Cryptographic Blocks

ZKTorch processes ML models expressed in formats such as ONNX by applying a rule-based compilation and transpilation pipeline. This pipeline optimizes the original layer graph, for example by fusing reshape–transpose subgraphs or collapsing multiple lookup operations, to obtain a leaner directed acyclic graph that can be implemented via the following classes of basic cryptographic blocks:

• Arithmetic blocks: Fundamental operations such as addition, multiplication, and division, validated via algebraic relations over polynomial commitments.
• Shape operations: Operations such as concatenation and permutation of tensors.
• Nonlinear lookups: Table-based representation for non-linear activation functions and similar components.

The validation of these blocks is typically performed by leveraging the homomorphic properties of polynomial commitments. For an addition block, for instance, the prover demonstrates that $f + g = h$ holds for vectors $f$, $g$, and $h$ by checking $[f(\tau)]_1 + [g(\tau)]_1 = [h(\tau)]_1$ at a secret point $\tau$.

Model compilation results in a series of commitments and proof statements which are then aggregated, forming the core of the ZKP protocol.

3. Parallel Mira-Based Proof Accumulation

A notable innovation in ZKTorch is the generalization of the Mira accumulation scheme for proof aggregation. Accumulation enables thousands of block-wise SNARK proofs to be folded into a single, succinct proof, minimizing both communication and verification overhead.

Whereas previous schemes required sequential aggregation (time complexity $O(N)$ for $N$ proofs), ZKTorch introduces a parallel reduction protocol. Each SNARK proof, regarded as an "accumulator" with an associated flag, can be aggregated using a random linear combination (RLC) mechanism:

$v'' := \gamma \cdot v + v'$

$$E'' := E' + \sum_{j=1}^{d-1} \gamma^j \cdot E_j + \gamma^d \cdot E$$

Here, $v$, $v'$, $E$, and $E'$ represent vectors of commitments and values, and $\gamma$ is sampled based on the current accumulation context. Parallel accumulation enables a tree-structured proof aggregation, dramatically reducing overall proving time.

4. Performance Benchmarks and Comparative Analysis

Empirical results indicate that ZKTorch achieves at least a $3\times$ reduction in proof size compared to specialized ZK protocols (such as zkCNN, Mystique, and pvCNN) and up to a $6\times$ speedup in proving time relative to general-purpose ZKML frameworks. For example, proving times for transformer-scale models transition from thousands of seconds (in prior frameworks) down to approximately one-sixth of that value with ZKTorch, while final proof artifacts are also at least $3\times$ more compact.

These improvements arise from both the block-level optimization of the model graph and the parallelized proof aggregation strategy.

5. Real-World Applications and Practical Implications

ZKTorch directly addresses the need for verifiable yet weight-private ML inference, supporting use cases such as:

• Trustless audits: In fields like finance or healthcare, stakeholders can verify model outputs without learning anything about the model’s proprietary internal parameters.
• Privacy-preserving inference services: Enables deployment of ML-powered web services where users receive cryptographically guaranteed predictions without exposing sensitive inference or model data.
• Regulatory compliance and transparency: Facilitates compliance with regulatory requirements for algorithmic accountability in industries with stringent audit demands.

The system's ability to support a broad class of models and to scale to large modern architectures positions it as a practical candidate for deployment in industry scenarios where both privacy and verifiability are paramount.

6. Limitations and Future Work

ZKTorch currently supports 61 common ML layers. Extension to new, emerging architectures and further complex operations will require additional research, particularly to optimize the compiler and to introduce more advanced transformation rules for leaner block graphs.

Other anticipated directions include:

• Optimized hardware support: Leveraging GPU-based provers to further accelerate block-level and accumulation proof generation.
• Expanded domain support: Adapting the framework for verifiable training, iterative updates, or more specialized machine learning protocols.
• Integration with ZK ecosystems: Interfacing ZKTorch with broader zero-knowledge infrastructure, including new elliptic curve pairings and succinct ZK libraries.

7. Broader Impact and Future Landscape

By making verifiable and weight-private ML inference feasible for large, practical models, ZKTorch occupies a critical space in the intersection of cryptography and artificial intelligence. It offers a generalizable, efficient mechanism for balancing transparency and confidentiality—a task increasingly demanded by regulators, enterprises, and the public as AI-driven systems proliferate. Future research is expected to continue optimizing both cryptographic efficiency and ML model compatibility, potentially enabling real-time, scalable zkML services and expanding the scope of privacy-preserving, verifiable machine learning (Chen et al., 9 Jul 2025).