Scan to download
Home
Article
Flash
Token Unlock
Hot Projects
Specials
Columns
ETF
Knowledge Base
Calendar
Activity
Tools

Zypher Research: zkPrompt - Trustless AI's Secure Interaction Protocol

Zypher Research
2025-04-30 11:20:26
Collection
Abstract: Felix (Chief Research Scientist of Zypher Network) combines AI and blockchain technology to launch the zkPrompt system with the Zypher Network team. The zkPrompt system is a protocol based on zero-knowledge proofs, ensuring that the responses from user interactions with LLM are authentic and tamper-proof. It involves four parties: the user, Prover, Proxy, and LLM service provider, with the Prover generating proofs to verify the integrity of the responses. Compared to ZKML, the system has lower overhead, assuming the LLM is trustworthy, with a focus on constraining the Prover. Proxy signatures and on-chain verification prevent forgery, supporting hash on-chain to protect privacy. It is applicable in scenarios such as financial AI and on-chain asset management, contributing to a trustworthy decentralized AI ecosystem.

In the zkPrompt protocol, system interaction involves four participants: User, Prover, Proxy, and LLM service provider.

Protocol Background and Comparison

The core idea of zkPrompt is similar to zkTLS [1], which integrates zero-knowledge proofs into the TLS communication process to ensure data integrity and authenticity. In the zkPrompt system, the user initiates a request to the LLM through the Prover, which then forwards the request to the LLM service provider via a third-party Proxy.

The LLM processes the request and returns the response to the Prover through the Proxy, which then relays it back to the user. The entire TLS communication occurs only between the Prover, Proxy, and LLM service provider. Since the user does not directly participate in this communication, there may be concerns about the Prover tampering with the response content. To address this trust issue, zkPrompt requires the Prover to generate a zero-knowledge proof, demonstrating that the response returned was indeed generated by the LLM and has not been tampered with, thereby achieving a high level of tamper-resistance security.

The implementation of this protocol can significantly enhance the credibility and security of AI Agents, unlocking high-value application scenarios such as on-chain asset management, hedging strategies, financial AI assistants, and payment systems, all of which rely on highly trustworthy AI systems.

Design Advantages

Compared to existing ZKML frameworks like Ezkl [2], zkPrompt significantly reduces system overhead. For example, generating a ZK proof for a simple GPT-2 model in Ezkl may take several hours, making it nearly impractical for deployment with large model services like OpenAI or DeepSeek.

We propose a more pragmatic trust model: the system does not require users to verify the internal execution process of the LLM but assumes that large LLM service providers are trustworthy, focusing instead on ensuring that the Prover does not tamper with the output. This design reflects real-world needs—mainstream LLM service providers have inherent trustworthiness due to their reputation and broad user base, while Prover nodes are typically invisible to users and more likely to become attack points, thus requiring stringent constraints.

Trust and Security Model

We assume that there is no collusion between the Proxy and the Prover. To further strengthen this assumption, it is recommended to decentralize the Proxy in real deployments to avoid single points of trust or failure.

To simplify the initial implementation, we temporarily assume that the user's Prompt and final response are recorded on-chain in plaintext (privacy protection methods will be explained in subsequent sections).

Technical Challenges and Core Solutions

The main technical challenge is that the Prover can forge ciphertext. Even if the user sees a certain ciphertext, they cannot determine whether it was actually obtained from the LLM through a TLS session or simply forged and encrypted locally by the Prover.

To address this issue, we introduce the Proxy Signature Mechanism: when the Proxy receives the encrypted response from the LLM, it will sign the ciphertext and upload both the ciphertext and the signature on-chain. Subsequently, the Prover provides a zero-knowledge proof to demonstrate the following statement:

The plaintext obtained by decrypting the ciphertext is indeed the response returned by the LLM.

The core of this proof lies in verifying the correctness of the symmetric decryption process, which can be efficiently implemented using existing results such as Dubhe [3].

Verification Process

Since the LLM's response typically includes the user's Prompt, the verifier (such as a miner) only needs to complete the following checks:

  1. Verify that the Proxy's signature on the ciphertext is valid;
  2. Check that the decrypted plaintext contains the user's original Prompt;
  3. Verify the zero-knowledge proof provided by the Prover.

After completing these steps, the miner can confirm that the Prover honestly returned the true response from the LLM.

Privacy Protection Design

If the user wishes to hide the Prompt and response content, the following scheme can be adopted:

After sending the Prompt and receiving the response, the user uploads its hash value on-chain instead of the plaintext. Let:

  • H1 = Hash(Prompt)
  • H2 = Hash(Response)

Assuming that the substring [I:J] in the response corresponds exactly to the Prompt.

At this point, the Proxy uploads the ciphertext of the response on-chain, and the Prover uses the plaintext response W as a Witness to generate the following ZK proof:

  • Hash(W) = H2
  • Hash(W[I:J]) = H1
  • Decrypt(Ciphertext) = W

The verifier only needs to confirm the validity of the Proxy's signed ciphertext and verify the ZK proof provided by the Prover to be assured that the response indeed originated from the LLM and has not been tampered with—without revealing any plaintext content.

Author Bio:

Felix Chief Research Scientist at Zypher Network

Felix is a researcher in the core AI team at Zypher Network, focusing on next-generation multimodal large models and trustworthy AI systems. He is currently dedicated to developing zero-knowledge proof (ZK)-based model compression methods to enhance the generalization ability and security of AI Agents in decentralized environments.

Before joining Zypher, Felix participated in various cutting-edge AI projects at Microsoft Research Asia and the University of California, Berkeley, accumulating rich research experience. His research findings have been published in top conferences on artificial intelligence and cybersecurity, including NeurIPS, S&P, CCS, Usenix Security, and NDSS.

Felix is currently a PhD candidate at the National University of Singapore, with research interests covering efficient model inference optimization, decentralized AI architecture, model robustness, and cryptography. With a solid background in the intersection of AI and blockchain, he is committed to driving the innovative integration of AI and ZK technology at Zypher, contributing to the development of a trustworthy, unified, and secure decentralized AI ecosystem.

References:

[1] Detailed introduction to zkTLS:
++Https://Www.Blocmates.Com/Articles/What-Is-Zktls-A-Complete-Guide++

[2] Ezkl project homepage:
++Https://Github.Com/Zkonduit/Ezkl++

[3] Dubhe: A concise zero-knowledge proof for standard AES and its applications:
++Https://Homes.Luddy.Indiana.Edu/yh33/Mypub/Dubhe.Pdf++

Project Introduction and Analysis

Project Introduction and Analysis

Introducing you to the cutting-edge projects in the cryptocurrency market.
Topic or theme
Related tags
zkPrompt LLM zero-knowledge proof Trustless AI
ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.
Zypher Research

Zypher Research

Zypher Games' research institute explores how ZKP and AI technologies can assist in the development of on-chain games.
Zypher Research: Nova - Reshaping the Future of ZK Games (1)
Zypher Research: Nova - Reshaping the Future of ZK Games (1)
Zytron Pioneer (Linea Layer 3): The most suitable Layer 3 for ZK-driven games
Zytron Pioneer (Linea Layer 3): The most suitable Layer 3 for ZK-driven games
Mention the project
Zypher Network

Zypher Network

Trustless agent and application ZK computing layer
Related tags
zkPrompt LLM zero-knowledge proof Trustless AI
Related reading
After James Wynn's over $100 million liquidation, why does Zhao Changpeng strongly support Web3 dark pool trading?
After James Wynn's over $100 million liquidation, why does Zhao Changpeng strongly support Web3 dark pool trading?
The privacy public chain Zyra is officially launched: incubated by the Dinar Maker Foundation, reconstructing Web3 infrastructure with zk-SNARK
The privacy public chain Zyra is officially launched: incubated by the Dinar Maker Foundation, reconstructing Web3 infrastructure with zk-SNARK
The mining is imminent, understand the new zkVM project Nockchain in one article | CryptoSeed
The mining is imminent, understand the new zkVM project Nockchain in one article | CryptoSeed
Space and Time Mainnet Launch: Opening a New Era of Data-Driven Cryptographic Applications with ZK Verification
Space and Time Mainnet Launch: Opening a New Era of Data-Driven Cryptographic Applications with ZK Verification
Copyright © 2023
About Us
Media Kit
Apply for a column
Disclaimer
RSS LINK
Recruitment
Qiong ICP No. 2021009392
Qiong ICP No. 2021009392
ChainCatcher Building the Web3 world with innovators
Open the app