Chapter 1 Background
1.1 2025: The Year of Large-Scale AI Agent Adoption
The year 2025 is widely viewed as the start of a large-scale impact of generative AI on human life. As AI technology penetrates various industries, one of the most urgent topics is how to ensure the security of AI Agents, especially for high-value and high-risk tasks like financial arbitrage, decentralized hedge funds, and automated on-chain trading. Zypher Network aims to build a “trustless trust layer” among AI Agent developers, large language models (LLMs), and end users, thereby creating a secure and verifiable AI-driven Web3 ecosystem.
The concept of AI Agents is rapidly becoming central to AI development: we are entering the AI 2.0 era—an era in which Agents can perceive environments, make autonomous decisions, and efficiently perform tasks. They can understand natural language commands, learn user preferences, and in some cases, autonomously devise solutions and carry them out.
An AI Agent fundamentally operates in a “goal-oriented” manner: once you provide a target task, the Agent automatically breaks down that target, devises an actionable plan, and continuously iterates and optimizes it based on external or internal feedback, ultimately completing the task. The general formula can be summarized as:
AI Agent = Interactive Dialogue Interface + Automated Workflow (Perception, Reasoning, Action) + Static Knowledge Base (Memory)
In many industries, AI Agents already show significant potential for practical implementation. For example:
Autonomous driving: AI Agents perceive real-time traffic conditions and make driving decisions.
Gaming: Intelligent NPCs that dynamically adjust game difficulty based on player performance.
Finance and trading: Agents autonomously execute on-chain trading strategies, applicable to DeFi scenarios.
Manufacturing, healthcare, agriculture, network security: automated production, diagnostics, data analysis, and prevention of attacks.
1.2 The AI Agent Trust Deficit
However, as AI Agents become more widespread, privacy and security issues are coming to the forefront. Most AI Agents on the market are still in a “semi-autonomous” phase: they can make decisions and execute tasks within a preset range, but once faced with higher-risk or more complex scenarios, they generally require further human intervention or oversight. In fact, this reliance on centralized AI models and human supervision mirrors the deep-seated lack of trust in AI Agents across the industry, primarily manifested in the following ways:
Black-Box Execution
While users can submit commands to an AI Agent, they have no insight or control over the internal reasoning process. The system prompt, intermediate model parameters, and even external data sources remain completely invisible to the user. This means the user cannot tell whether commands are being tampered with during transmission or execution, whether the AI Agent is using unauthorized resources, or whether the output contains misleading or even maliciously falsified content. In high-stakes scenarios—such as on-chain trading, financial arbitrage, and medical diagnostics—this “black box” and its unverifiability can pose huge risks and potential losses.
Data Privacy Risks
AI Agents collect and analyze various types of data to complete reasoning, which may include highly confidential information such as private keys, medical records, or personal identity data. Once such sensitive data is uploaded to a centralized AI service, users can only passively trust the service provider’s security measures. However, due to potential algorithmic vulnerabilities, human negligence, or malicious hacking attacks, data breaches or misuse can still occur, leading to irreparable damage to users.
Centralized Control
The inference process of many AI Agents is hosted on private servers owned by one or a few cloud service providers or companies, essentially giving these platforms “life-or-death” power over user access and functionality. If, under commercial or regulatory pressure, technical malfunctions, or even internal corruption, the platform decides to restrict or censor certain AI Agent features, normal usage would be heavily disrupted. Moreover, if the platform’s operators have ulterior motives, they may tamper with model parameters, influencing the accuracy and fairness of the outputs.
“Pseudo-Decentralization” in Web3 AI Projects
Although some AI Agent projects are branded as Web3 or blockchain-based—e.g., ElizaOS from ai16z, Virtuals Protocol, etc.—in reality, most only put identity management, governance, and economic incentives on-chain, while the core inference process still relies on centralized servers or private clouds. As a result, the fundamental question of “How can AI inference be verifiably executed on-chain or on a decentralized network?” remains unsolved, and user trust in AI Agents still boils down to “blind trust” in the platform.
Case Study: Security Vulnerability in Manus AI
A recently popular AI Agent named Manus, renowned for its powerful document analysis and code generation capabilities, was compromised within just a few days of launch. A security researcher, Jian, used a simple query to prompt Manus to “disclose” its internal core code, including execution logic and system prompts. This event illustrates that, without cryptographic safeguards, AI Agents can be easily “phished” or reverse-engineered, leading to leakage of critical information and hacking of the underlying model logic—thus posing a serious security and trust threat.
From these examples, it is clear that even though AI Agents have gained initial recognition in technology and markets, they still face serious challenges regarding data privacy and secure execution. Users must unconditionally trust a centralized entity and have no “verifiable” mechanism to confirm the reliability of either the process or its results. If these systems malfunction or get attacked, the damage could be far more severe than with traditional software. These issues are precisely what drive Zypher Network to utilize zero-knowledge proof (ZKP) technology to explore decentralized trusted computing. Only by fundamentally detaching AI Agent execution and verification from centralized black boxes can we properly balance security and efficiency, thus bridging the trust gap in users’ minds.
1.3 Zero-Knowledge Proof (ZKP): The Ultimate Form of AI Trust
1.3.1 ZKPs vs. Trusted Execution Environment (TEE)
In building trustworthy AI Agents, zero-knowledge proofs (ZKPs) are often regarded as the “ultimate form” of security. Compared to traditional hardware isolation schemes, ZKPs harness decentralization and cryptographic security to address trust and privacy issues for AI Agents in a more flexible, stable manner.
TEE Approach
One approach to AI security is to use a Trusted Execution Environment (TEE), such as Intel SGX or ARM TrustZone. These hardware sandboxes establish an isolated, secure zone within the processor to protect sensitive data and logic from external tampering or interception. However, TEEs have the following shortcomings:
Centralized Risk
TEEs depend on specific hardware vendors (e.g., Intel, ARM) for proprietary technology and key management. If a vendor experiences a security breach or fails to uphold trust, the entire TEE ecosystem can be compromised. Recent years have seen numerous attacks on Intel SGX, including side-channel exploits like Spectre, Meltdown, and Foreshadow, all undermining hardware sandbox security.
In this model, users can only passively trust the vendor’s “credibility.” If the vendor discontinues support or experiences a breakdown, the AI Agent’s security collapses at its root.
Limited Flexibility
TEEs usually focus on fixed workflows, lacking the adaptability needed by AI Agents for dynamic learning and scheduling.
For AI inference logic requiring frequent updates or multiple versions, TEE’s closed environment and upgrade difficulties can lead to high maintenance costs.
Restricted Scalability
TEE-based isolation is enforced on the hardware layer, making it challenging to unify computing resources on a global scale. Enlisting thousands or more participating nodes for secure computation typically involves dealing with hardware uniformity, supply chains, and licensing issues.
For large-scale parallel AI inference or multi-node decentralized networks, TEEs prove insufficient.
Zero-Knowledge Proof (ZKP) Advantages
In contrast, ZKPs are designed with higher degrees of decentralization and cryptographic security:
Verifiable AI Inference Results
The AI model or inference process is compiled into a ZK circuit; once the AI Agent completes its inference, it generates a cryptographic proof. A verifier need only check this proof to confirm that the inference was performed correctly, without seeing the model’s private parameters or intermediate data.
In scenarios requiring stringent privacy (e.g., healthcare data analysis, on-chain financial transactions), ZKPs allow third parties to trust in the correctness of results without exposing sensitive information.
Decentralized AI Execution
ZKPs operate over decentralized networks, removing dependence on specific hardware or centralized servers. Multiple nodes can cooperatively validate proofs, reducing reliance on individual vendors or cloud environments.
This is especially beneficial for global deployments and multi-party application scenarios, as ZKPs offer strong scalability and censorship resistance. Any node can either verify or generate proofs.
Ensuring AI Agents Adhere to Preset Rules
By embedding “compliance checks” or “constraints” into ZK circuits, AI Agents must follow specified rules while reasoning or making decisions. Otherwise, a valid proof cannot be produced.
This approach makes AI Agent outputs more controllable, reducing possible algorithmic misconduct or model bias at the cryptographic level, ensuring fairness and security.
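To make the circuit-and-witness idea behind the two points above concrete (a verifiable inference result, and a preset rule embedded as a circuit constraint), here is a toy rank-1 constraint system in Python. It is an added illustration, not Zypher Network code or a real ZK proof system: the witness is checked directly rather than proved succinctly, and the feature, weight and amount values and the MAX_AMOUNT rule are constructed assumptions.

```python
# Toy rank-1 constraint system (R1CS), the shape real ZK circuits take: every
# constraint is (A.w) * (B.w) == (C.w) over a prime field, w being the witness.
# Private inputs (features, weights) never appear in the public values; a real
# SNARK would prove satisfied() succinctly instead of handing w to the verifier.
P = 2**61 - 1        # toy prime field modulus (real schemes use curve-specific fields)
MAX_AMOUNT = 100     # constructed preset rule: the agent may never commit more than this
N_BITS = 7           # bits to range-check MAX_AMOUNT - amount into [0, 2**7)

def dot(row, w):
    return sum(c * w[i] for i, c in row.items()) % P

def satisfied(constraints, w):
    """True iff every (A, B, C) constraint holds for witness vector w."""
    return all(dot(a, w) * dot(b, w) % P == dot(c, w) for a, b, c in constraints)

def build_circuit(n):
    """Witness layout: [1, out, amount, x_0..x_n-1, k_0..k_n-1, p_0..p_n-1, bits]."""
    ONE, OUT, AMT = 0, 1, 2
    X = lambda i: 3 + i                  # features (private)
    K = lambda i: 3 + n + i              # model weights (private)
    PR = lambda i: 3 + 2 * n + i         # per-feature products (private)
    B = lambda j: 3 + 3 * n + j          # range-check bits (private)
    cs = [({X(i): 1}, {K(i): 1}, {PR(i): 1}) for i in range(n)]          # p_i = x_i * k_i
    cs.append(({PR(i): 1 for i in range(n)}, {ONE: 1}, {OUT: 1}))         # out = sum p_i
    cs += [({B(j): 1}, {ONE: 1, B(j): P - 1}, {}) for j in range(N_BITS)]  # b*(1-b) = 0
    cs.append(({B(j): 1 << j for j in range(N_BITS)}, {ONE: 1},
               {ONE: MAX_AMOUNT, AMT: P - 1}))   # sum 2^j b_j = MAX - amount, so amount <= MAX
    return cs

def prove(features, weights, amount):
    """Honest prover: fill the witness, or return None when no valid witness exists."""
    diff = MAX_AMOUNT - amount
    if not 0 <= diff < (1 << N_BITS):
        return None                               # rule violated: no bit decomposition exists
    prods = [(x * k) % P for x, k in zip(features, weights)]
    bits = [(diff >> j) & 1 for j in range(N_BITS)]
    return ([1, sum(prods) % P, amount % P] + [x % P for x in features]
            + [k % P for k in weights] + prods + bits)

def verify(constraints, w, public_out, public_amount):
    """Verifier binds the public output and amount to w, then checks every constraint."""
    return (w[1] == public_out % P and w[2] == public_amount % P
            and satisfied(constraints, w))

# Constructed sample run: two private features and weights, a rule-compliant amount.
CIRCUIT = build_circuit(2)
HONEST = prove([3, 4], [2, 5], 50)                # out = 3*2 + 4*5 = 26
```

Tampering with the published output, or raising the amount past MAX_AMOUNT, leaves no satisfying witness, which is the mechanism by which a rule-violating Agent cannot produce a valid proof.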
Elasticity and Flexibility
Since ZKPs are fundamentally based on mathematics and cryptography, as long as the circuit compilation and proof scheme are robust, upgrading or iterating an AI model is not restricted by any hardware framework.
Project teams and developers can flexibly switch among different ZKP solutions (e.g., Plonk, Groth16, Risc0 zkVM) without altering the underlying hardware.