Where ZK proofs meet
on-chain AI agents.

What is ZKML?

Zero-Knowledge Machine Learning (ZKML) is the application of ZK proof systems to machine learning inference. It lets you prove that a model ran correctly on a given input and produced a given output — without revealing the model weights, the input data, or any intermediate computation.

Think of it this way: a ZK proof is a receipt. It doesn't tell you what was cooked — only that the chef followed the recipe correctly. ZKML applies this property to neural network inference.

Why it matters for on-chain AI agents

In 2026, AI agents are executing DeFi trades, generating governance votes, and routing cross-chain liquidity. The trust problem is acute: how does a smart contract know the agent's decision was legitimate?

Without ZKML, you have three bad options:

ZKML is not a perfect solution — proving time for large models is still a bottleneck, and most production implementations require quantised (integer-only) models. But it is the only path to trustless, privacy-preserving, on-chain-verifiable AI decisions.

How a proof of inference works

At the highest level, a ZKML proof answers one question: "Given input X, did this model produce output Y?" The answer is a cryptographic proof that any verifier can check without re-running the model.

Circuit-level detail

Understanding what actually happens inside the circuit separates developers who can debug ZKML integrations from those who cannot.

Arithmetic circuits and R1CS

Most ZK-SNARK backends (Groth16, PLONK, FFlonk) consume constraints in Rank-1 Constraint System (R1CS) form. Every operation in the circuit becomes a constraint of the form:

-- R1CS constraint form
-- (a · b) = c  where a, b, c are linear combinations of witness values

-- A single ReLU with input x:
-- Constraint 1: x_pos * (1 - is_negative) = x_pos   (non-negativity)
-- Constraint 2: x * is_negative + x_pos = x          (decomposition)
ReLU constraints per activation: 2
Matrix multiply (m×n weight matrix): m×n constraints
Total constraints ≈ layers × (weights + activations × 2)

Fixed-point quantisation

All values in the circuit must be field elements — integers mod a large prime p. Float32 weights are converted to fixed-point integers by multiplying by a scale factor and rounding:

const SCALE: i64 = 1 << 16;  // Q16.16 fixed-point

fn quantise(w: f32) -> i64 {
    (w as f64 * SCALE as f64).round() as i64
}

fn quantised_matmul(
    weights: &[Vec<i64>],
    input:   &[i64],
) -> Vec<i64> {
    weights.iter().map(|row| {
        let dot: i64 = row.iter().zip(input)
            .map(|(w, x)| w * x)
            .sum();
        dot / SCALE  // rescale after multiply
    }).collect()
}

Lookup tables for non-linear functions

Functions like ReLU, sigmoid, and softmax are expensive to express in raw R1CS because they require range checks and comparisons. Modern backends (PLONK, Halo2) support lookup tables — precomputed tables of valid (input, output) pairs that drastically reduce constraint count for non-linear activations:

// ReLU lookup: for every value v in [-2^15, 2^15], store max(v, 0)
fn relu_table() -> Vec<(u64, u64)> {
    (0u64..65536).map(|v| {
        let signed = v as i16;
        (v, i16::max(signed, 0) as u64)
    }).collect()
}

// Each activation now costs 1 lookup instead of 2 R1CS constraints
// For a 1000-neuron hidden layer: saves ~1000 constraints per ReLU layer

The Midnight approach — Compact & Kachina

Midnight is a privacy-first blockchain built by IOG that ships its own ZK-native smart contract language, Compact, and a proving system called Kachina. For ZKML use cases, Midnight's architecture is uniquely well-suited because it was designed from the ground up around the public/private state split that ZKML requires.

The public/private state split in practice

In Kachina's model, every Compact contract operates across two ledgers simultaneously — a public ledger visible to all, and a private ledger that exists only on the user's local machine. For a ZKML agent, this maps cleanly:

Writing a ZKML verifier in Compact

The following Compact contract accepts a ZK proof of inference and verifies that the model output exceeds a confidence threshold — without ever seeing the weights or input data.

// zkml_verifier.compact
// Verifies that an AI agent's inference was performed correctly
// before allowing an on-chain action (e.g. a trade execution).

pragma language_version ">=0.14.0";

import CompactStandardLibrary;

// ── Public state: what the chain knows ──────────────────
ledger {
  model_commitment:  Bytes<32>;   // SHA-256 of quantised weight tensor
  last_output:       Field;        // most recent verified inference output
  inference_count:   Uint<64>;    // total verified calls (replay protection)
  confidence_floor:  Field;        // minimum acceptable softmax confidence
}

// ── Circuit: the ZK constraint system ───────────────────
// Witnesses (private — never leave the prover)
// - model_weights: the quantised weight tensors
// - input_vector:  the agent's input features
// - layer_outputs: intermediate activation values per layer

circuit verify_inference(
  model_weights:     Vector<Field, 1024>,  // private
  input_vector:      Vector<Field, 64>,    // private
  layer_outputs:     Vector<Field, 256>,   // private
  claimed_output:    Field,                  // public output
  weight_commitment: Bytes<32>,             // public commitment
): Field {

  // 1. Verify the weight commitment matches on-chain record
  assert sha256(model_weights) == ledger.model_commitment
    "Weight commitment mismatch: model has changed or is incorrect";

  // 2. Verify layer computations (matrix multiply + ReLU)
  //    Each layer: output[i] = relu(weights[layer][i] · input)
  for i in 0..layer_outputs.length {
    assert layer_outputs[i] >= 0               // ReLU: non-negativity
      "Layer output violates ReLU constraint at index i";
  }

  // 3. Verify claimed output matches final layer computation
  assert claimed_output == layer_outputs[layer_outputs.length - 1]
    "Claimed output does not match final layer activation";

  // 4. Enforce confidence floor (agent must be sufficiently certain)
  assert claimed_output >= ledger.confidence_floor
    "Inference confidence below threshold — action blocked";

  return claimed_output;
}

// ── Transaction: called by the AI agent ─────────────────
export transaction submit_inference(
  claimed_output:    Field,
  weight_commitment: Bytes<32>,
) {
  const verified = verify_inference(
    /* witnesses supplied by prover, not visible here */
    claimed_output,
    weight_commitment,
  );

  // Update public ledger state only after proof passes
  ledger.last_output     = verified;
  ledger.inference_count = ledger.inference_count + 1;
}

Kachina & private state management

Kachina is Midnight's proving system. It was designed to bridge private computation (agent-local) and public verification (on-chain) using ZK-SNARKs. For ZKML, Kachina solves a specific problem: the model weights must influence the proof without being disclosed to the verifier.

Kachina achieves this through transcripts — ordered records of all queries the computation makes against the private state. The agent proves, in zero-knowledge, that it possesses a private state whose transcript is consistent with the public state transition. The chain verifies the proof against the circuit; it never sees the underlying private values.

Concurrency and transcript reordering

One Kachina property that matters for high-frequency AI agents: Kachina supports concurrent proof submission. Multiple agents can submit inference proofs simultaneously. The protocol optimises conflicting transcripts and allows reorderings without breaking consistency. For a DeFi research agent that needs to post dozens of on-chain decisions per block, this is not academic — it is the feature that makes the architecture scale.

SP1 (Succinct) integration

SP1 is a zkVM by Succinct Labs. It proves execution of arbitrary Rust programs, which makes it practical for ZKML: you write the inference in Rust, compile it to a guest program, and SP1 generates the proof.

[package]
name    = "zkml-inference-guest"
version = "0.1.0"
edition = "2021"

[dependencies]
sp1-zkvm = "3.0.0"             # SP1 guest SDK
ndarray  = "0.15"              # matrix ops (no_std compatible)

[profile.release]
opt-level = 3
lto       = "fat"               # critical for proof size

// src/main.rs (guest program — runs inside SP1 zkVM)
#![no_main]
sp1_zkvm::entrypoint!(main);

use sp1_zkvm::io;
use ndarray::{Array1, Array2};

fn relu(x: i64) -> i64 { i64::max(x, 0) }

pub fn main() {
    // Read private inputs from the prover
    let weights: Vec<i64> = io::read::<Vec<i64>>();
    let input:   Vec<i64> = io::read::<Vec<i64>>();
    let rows = 64usize;
    let cols = input.len();

    // Single hidden layer: output = relu(W · x)
    let w = Array2::from_shape_vec((rows, cols), weights).unwrap();
    let x = Array1::from_vec(input);
    let hidden: Vec<i64> = w.dot(&x).iter().map(|&v| relu(v)).collect();

    // Commit the output publicly — verifier will check this
    let output = hidden.iter().copied().max().unwrap_or(0);
    io::commit(&output);
}

import { ProverClient, CpuProver } from "@succinct/sp1-sdk";

const ELF = readFileSync("./target/guest.elf");

async function proveInference(weights: bigint[], input: bigint[]) {
  const client = new CpuProver();
  const stdin = new SP1Stdin();
  stdin.writeVec(weights);   // private — only prover sees this
  stdin.writeVec(input);

  const { proof, publicValues } = await client.prove(ELF, stdin);

  // publicValues contains only committed outputs — not weights/inputs
  const output = publicValues.readU64();
  return { proof, output };
}

Risc0 integration

Risc0 takes a similar zkVM approach to SP1 but uses a RISC-V ISA as its execution target. The guest program runs on a virtual RISC-V CPU, and Risc0 proves correct execution of the RISC-V bytecode.

#![no_main]
risc0_zkvm::guest::entry!(main);

use risc0_zkvm::guest::env;

fn main() {
    // Read private witness data
    let weights: Vec<i32> = env::read();
    let input:   Vec<i32> = env::read();

    let n = input.len();
    let mut hidden = Vec::with_capacity(n);

    for i in 0..n {
        let dot: i64 = (0..n)
            .map(|j| weights[i * n + j] as i64 * input[j] as i64)
            .sum();
        hidden.push((dot >> 16).max(0) as i32);  // Q16 rescale + ReLU
    }

    // Journal = public output only (weights/input stay private)
    env::commit(&hidden);
}

Modulus Labs

Modulus Labs focuses specifically on ZKML — they build circuits for specific model architectures (primarily CNNs and small transformers) rather than a general-purpose zkVM. The tradeoff: significantly smaller proof sizes and faster proving for supported architectures, at the cost of flexibility.

Modulus's RockyML framework exports ONNX models directly to Halo2 circuits. If your model fits a supported architecture and is under ~10M parameters, Modulus's toolchain can generate the circuit automatically without you writing circuit code manually.

Troubleshooting — SP1

Troubleshooting — Risc0

Troubleshooting — Midnight Compact

Common patterns & mitigations

Non-determinism: the silent killer

The most common cause of proof failure across all three backends is non-determinism. ZK proofs require that the same inputs always produce the same intermediate values. Any source of randomness or ordering non-determinism in the guest will cause the prover to generate a witness that does not satisfy the circuit constraints.

Model size vs. proving time

Current benchmarks on commodity hardware (2026 pricing, ~$0.01/proof using cloud provers):

For on-chain DeFi agents where latency matters, target models under 1M parameters with aggressive quantisation. Research agents with longer decision cycles (daily/weekly) can tolerate medium model sizes.

Glossary

Arithmetic circuit — a computation expressed as a directed acyclic graph of addition and multiplication gates over a finite field. The fundamental representation used by ZK-SNARK backends.

Compact — Midnight's smart contract language. Compiles to ZK-SNARK circuits via the Kachina proving system. Privacy-native: distinguishes public and private state at the language level.

Field element — an integer modulo a large prime p. All values in a ZK circuit must be field elements. Float32 values must be converted to fixed-point integers before circuit use.

Kachina — Midnight's proving system. Bridges private state (agent-local) and public state (on-chain) using ZK-SNARKs and a transcript-based concurrency model.

Proof of inference — a ZK-SNARK that certifies a specific neural network, applied to a specific input, produced a specific output — without revealing the network weights or input.

Quantisation — the conversion of floating-point model weights to fixed-point integer representations. Required for ZKML because ZK circuits operate over finite fields, not floats.

R1CS (Rank-1 Constraint System) — the constraint format consumed by Groth16 and many other ZK backends. Every circuit gate becomes a constraint of the form (a · b) = c.

Witness — the private input to a ZK proof. In ZKML: the model weights, input data, and all intermediate activation values. The proof certifies the witness satisfies the circuit constraints without revealing the witness itself.

zkVM (Zero-Knowledge Virtual Machine) — a system that proves correct execution of a program (typically written in Rust) without revealing the program's private inputs. SP1 and Risc0 are both zkVMs.

ZK-SNARK — Zero-Knowledge Succinct Non-Interactive Argument of Knowledge. A proof system where: the proof is small (succinct), no back-and-forth is needed (non-interactive), and the prover demonstrates knowledge of a secret without revealing it (zero-knowledge).

Further reading

Midnight Developer Documentation — official Compact language reference, Kachina architecture, and getting-started guides.

Kachina — Foundations of Private Smart Contracts (Zindros et al., 2020) — the academic paper underlying Midnight's proving system.

SP1 by Succinct Labs — the zkVM powering the SP1 integration in this guide.

Risc0 — RISC-V based zkVM with mature on-chain verifier contracts.

Modulus Labs — ONNX-to-Halo2 circuit compiler for supported model architectures.

ZKML: Verifiable Inference for Machine Learning — foundational survey on the ZKML problem space.