Verifiable AI without zkML: attestation vs proof, and why speed matters
zkML can mathematically prove a model ran correctly — but it takes minutes to hours per inference. For the audit trail regulators actually ask for, a signed attestation is faster, cheaper, and enough.
When people talk about making AI verifiable, the conversation usually jumps straight to zero-knowledge machine learning (zkML): cryptographic proof that a specific model produced a specific output, correctly, without revealing the model. It is genuinely impressive technology. It is also, for most real-world compliance, the wrong tool — because it is slow and expensive. Generating a zk proof for a mid-sized model can take minutes; for large models, hours, at a cost that makes per-decision logging impractical. If you need to attest every credit decision, every moderation call, every agent action in production, zkML's economics collapse.
The key realization is that most accountability requirements do not actually ask you to prove the model computed correctly. Read what regulators require — model risk management guidance like SR 11-7, or the EU AI Act's logging and traceability rules — and the demand is for an audit trail: a record of what decision was made, by which model version, on what input, when, that the operator cannot alter after the fact. That is a provenance-and-non-repudiation problem, not a correctness-proof problem. And provenance has a much cheaper, much faster solution than zkML.
That solution is attestation. At inference time, capture the model fingerprint (a hash of its weights or a version identifier), a hash of the input, the output, a timestamp, and a confidence score, then sign the bundle with a private key bound to the system. Anyone can later verify — in milliseconds — that this exact model, on this exact input, produced this exact output, and that the record is untouched, by checking the signature against the embedded public key. No re-execution, no minutes-long proof generation, no confidential model exposure. It scales to millions of decisions because signing and verifying are cheap operations. The honest trade-off is explicit: attestation proves what happened and that the record is intact; it does not prove the computation was correct in the way zkML does. For the audit trail regulators ask for, that distinction rarely matters — they want to know what the system did and to trust the record, which is exactly what attestation delivers.
One more design choice makes the difference between a record that lasts and one that quietly expires: the signature scheme. Compliance records often need to remain verifiable for years, and a classical signature (RSA, ECDSA) becomes forgeable once large quantum computers arrive — meaning an adversary could one day fabricate or repudiate historical attestations. Signing with a post-quantum scheme (ML-DSA / Dilithium-2, NIST FIPS 204) keeps the attestation verifiable across that horizon. It is resistant to known classical and quantum attacks per NIST, not unbreakable, and it is not a claim about the model's correctness — but as the practical, production-speed way to make AI accountable, a post-quantum attestation beats a proof you cannot afford to generate.
Try it yourself — live, free, verifiable in 30 seconds:
Attest your AI decisions →