Private Proving Is Here: How TEEs Made zkVM Privacy Practical in 2025

The combination of production-grade TEEs and GPU confidential computing finally makes private zkVM proving deployable at scale. This post distills what changed in 2025, concrete architectures you can ship now, pitfalls to avoid, and a 30‑day pilot plan.

TL;DR for decision‑makers

GPU TEEs (NVIDIA H100/H200 CC‑mode) and CPU TEEs (Intel TDX, AMD SEV‑SNP, AWS Nitro Enclaves) reached cloud GA/ubiquity, with composite attestation and KMS key‑release patterns that keep witnesses sealed end‑to‑end. (docs.cloud.google.com)
Networks like Succinct rolled out “Private Proving” that runs zkVMs inside TEEs, giving teams Zcash‑class privacy without custom circuits. (blog.succinct.xyz)

What changed in 2025 (and why it matters)

Confidential GPUs became a cloud feature, not a lab demo. Google Cloud’s A3 Confidential VM with Intel TDX and a single H100 GPU became GA on July 31, 2025, extending the TEE boundary from CPU to GPU so your witness can stay encrypted throughout proving. (docs.cloud.google.com)
Cross‑vendor composite attestation matured. Intel Trust Authority (ITA) added composite CPU+GPU attestation using NVIDIA’s Remote Attestation Service (NRAS) and made the service free for users on major clouds in June 2025, removing cost and policy friction. (docs.trustauthority.intel.com)
NVIDIA hardened the GPU attestation surface (NRAS v4 APIs, OCSP/device identity, auth keys required Aug 15, 2025), aligning GPU trust with enterprise controls. (docs.nvidia.com)
AWS Nitro Enclaves reached all regions (Oct 21, 2025) and standard KMS “attested recipient” flows simplified secret release to enclaves—useful for multi‑cloud zk stacks. (aws.amazon.com)
zk proving networks turned privacy on by default: Succinct launched “Private Proving” (SP1 inside a TEE, reported on H200), giving teams a managed path to private proofs. (blog.succinct.xyz)

Net effect: you no longer need bespoke ops to keep proving witnesses private on rented GPUs. The primitives—attest, key‑release, prove, aggregate, verify—are available as products.

Why zkVM “private proving” is different from just proving off‑chain

In traditional cloud proving, the operator of the host (and sometimes the cloud) can access witness/plaintext. That’s unacceptable for financial strategies, PII, or proprietary models.
With TEEs, you only release witness decryption keys to an attested enclave/TD (and GPU in CC‑mode). The cloud and host OS stay out of the trust boundary; your compliance team gets verifiable evidence (EAT/JWT claims) of the who/what/where that ran your prover. (docs.aws.amazon.com)

The reference architecture we deploy at 7Block Labs

Below is the most practical pattern we see working today for startups and enterprises.

Pattern A: GCP “CPU+GPU TEE” private prover (recommended when you need GPU TEEs)

Provision an A3 Confidential VM (a3‑highgpu‑1g). You get Intel TDX on CPU and one H100 in Confidential Computing mode. (docs.cloud.google.com)
Enable GPU CC‑mode attestation (NRAS). Validate device identity (ECC‑384 fused key), check OCSP revocation, and record the NRAS JWT. (developer.nvidia.com)
Request composite attestation via Intel Trust Authority, which embeds the NRAS GPU claims into a single attestation token you can bind to policy. (docs.trustauthority.intel.com)
Gate witness keys with an external KMS. Only release an AES session key (or envelope key) to workloads presenting a fresh, policy‑matched ITA token (measurement hashes, TDX MRTD, GPU model/firmware). (docs.trustauthority.intel.com)
Run your prover (e.g., SP1 or RISC Zero) in the attested image; secrets are unsealed inside the TEE only after the composite check passes. (blog.succinct.xyz)

Security notes:

Composite attestation lets you reject “CPU‑only” trust if the GPU isn’t attested or is on a revoked firmware. (docs.trustauthority.intel.com)
Keep NRAS tokens fresh; NVIDIA changed auth in 2025 (Bearer token, v4 claims). Track the cutover to API‑key enforcement from Aug 15, 2025. (docs.nvidia.com)

Pattern B: AWS “enclave‑gated secrets” for CPU‑only proving or control‑plane hardening

If you don’t need a GPU TEE (e.g., CPU‑bound circuits, coordination, witness preparation), use Nitro Enclaves:

Put the witness decryption and orchestration logic inside an enclave.
Use AWS KMS “RecipientAttestation” condition keys (PCR0 or specific PCRs) to only decrypt to that enclave image hash; CloudTrail captures the attested params for audit. (docs.aws.amazon.com)
Nitro Enclaves is now available in every AWS region—handy for data residency. (aws.amazon.com)

Caveat: Nitro doesn’t provide GPU confidential computing; if you need a GPU TEE, pick GCP’s A3 Confidential or track Azure’s roadmap. (docs.cloud.google.com)

Example: a private order‑book prover (SP1 inside a TEE)

Succinct’s 2025 “Private Proving” runs SP1 in a TEE (reported on H200), letting a DEX prove state transitions while keeping orders and strategies private. The integration timeline went from months/years (custom circuits) to weeks (Rust on a zkVM), with the network supplying decentralized proving capacity. For regulated teams, the TEE token and GPU NRAS evidence become artifacts for audit. (blog.succinct.xyz)

Performance expectations: what we see on GPUs

Confidential GPU enabling doesn’t erase the normal ZK constraints: parallelism beats single‑proof scaling. Independent benchmarking (Scroll prover) showed multi‑proof parallelism on L40S often out‑throughput scaling a single proof across many GPUs; H100 scaling depends on prover utilization and software maturity. Budget for tuning. (p2p.org)
Prover networks report real‑time targets: community updates cite sub‑12s block proofs on large 4090 clusters at ~$0.086/block; treat these as directional until replicated on your stack. (hozk.io)

On‑chain verification of TEE attestation (gas‑aware)

zkDCAP: Teams (Phala, TOKI) take Intel SGX/TDX DCAP evidence and succinctly verify it on‑chain via a zkVM, slashing gas vs raw attestation parsing. If you source private proving from TEE operators, zk‑wrapping the attestation lets contracts accept “provably‑attested results” without trusting a multisig. (phala.network)
2025 integrations: zkVerify + Phala announced on‑chain verifiable TEE attestations with 20%+ cost savings; this pattern generalizes to “TEE‑backed co‑processors” feeding L1/L2. (zkverify.io)

Security reality check: TEEs aren’t magic—defense in depth is required

Recent academic breaks show why you must pair TEEs with policy and monitoring:

Interrupt‑injection attacks (“Heckler”, “WeSee”) demonstrated ways to subvert AMD SEV‑SNP and Intel TDX VMs at the interrupt layer; patch levels, hypervisor settings, and enclave code hygiene matter. (arxiv.org)
Physical‑layer attacks (“WireTap”) against SGX DCAP (DDR4 interposer) remind us that threat models excluding physical access still face real‑world edge cases. Keep attested workloads in operator‑controlled data centers and prefer CPU/GPU combos with modern TCB recovery. (cybersecurefox.com)
Use a third‑party attestation service with audit posture (Intel Trust Authority publishes ISO 27001:2022 alignment) to separate attestation from the platform provider. (intel.com)

Mitigations we standardize:

Deny‑by‑default attestation policies; require exact measurements (image digests, MRTD), firmware minimums, and freshness nonces; fail closed. (docs.trustauthority.intel.com)
KMS key release bound to attestation (PCR/image hash) and workload identity; never ship static witness keys. (docs.aws.amazon.com)
Composite CPU+GPU attestation, with revocation checks (OCSP) on the GPU cert and fallback retries for NRAS outages. (developer.nvidia.com)
Supply‑chain signing (e.g., cosign), and logging of attested KMS calls in CloudTrail for traceability. (docs.aws.amazon.com)

Implementation details that save weeks

GCP A3 Confidential setup: You’ll need Ubuntu 24.04+ with Linux 6.8 for TDX/GPU attestation tooling; ITA’s Python client exposes get_token_v2 for composite TDX+GPU tokens. (docs.trustauthority.intel.com)
NRAS operational gotchas: move to v4 endpoints and Bearer auth early; mismatched claim versions cause opaque failures under load. (docs.nvidia.com)
Policy management: ITA now supports Reference Integrity Measurements (RIM) for TDX on GCP, simplifying policy updates as cloud images rotate. (docs.trustauthority.intel.com)
Azure parity: Azure Confidential VMs (SEV‑SNP/TDX) and guest attestation are viable for CPU‑only proving or control planes; integrate with Azure Key Vault once the TDX attestation chain is approved by your security team. (learn.microsoft.com)
AWS enclave key release: KMS “RecipientAttestation:ImageSha384” and granular PCR keys let you pin decrypt to a single enclave revision; use vendor tooling (e.g., Anjuna) to manage policies. (docs.aws.amazon.com)

“Buy vs Build” in 2025

Buy a private proving service when: you need speed to market, a managed TEE posture, and proofs for mainstream languages (Rust). Succinct’s “Private Proving” is designed for this (SP1 in TEE). (blog.succinct.xyz)
Build in‑house when: you must control hardware or sovereign cloud, or you require custom zk pipelines (e.g., recursive aggregation + custom commitments). RISC Zero Bonsai gives you a remote prover option; if you self‑host, pair it with composite attestation and KMS‑gated witnesses. (dev.risczero.com)

RFP prompts we recommend:

Which TEE(s) and GPU CC modes are supported today? Is composite CPU+GPU attestation available? (docs.trustauthority.intel.com)
How are key releases bound to attestation (which claims, which verifiers)? (docs.aws.amazon.com)
What’s the revocation/update process for GPU firmware and driver trust roots? (developer.nvidia.com)
Do you expose an on‑chain proof of TEE attestation (zkDCAP or equivalent)? (medium.com)

Practical examples you can deploy now

Private payments and assets: Issue confidential transfers (balances + links hidden) where proving happens in a GPU TEE and only a succinct proof is published on chain; this mirrors “Private Proving” use cases without building Zcash‑grade circuits. (blog.succinct.xyz)
Private perps/AMMs: Keep quotes and order flow sealed during proving; publish only the validity proof and minimal public state. Composite attestation + KMS key release prevents front‑running via infrastructure insiders. (docs.trustauthority.intel.com)
zk data access from Web2: Use TLSNotary/zkTLS to attest web data, then compute in a TEE and emit a zk proof to chain—useful for compliance proofs like “balance ≥ X” without revealing the number. 2025 saw expanded workshops and SDK maturity for zkTLS flows. (tlsnotary.org)

Emerging best practices (from recent engagements)

Treat proving like confidential AI
Build the same envelope you would for protected model inference: composite attestation, policy‑bound key release, sealed storage, and audit trails. GCP’s A3 Confidential VM + ITA + NRAS is the cleanest path today. (docs.cloud.google.com)
Parallelize proofs rather than over‑scaling a single proof
Tune for throughput (many 1‑GPU proofs) and schedule around your aggregation windows; current provers show better economics with parallelism. (p2p.org)
Don’t skip the threat model review
Interrupt‑injection and physical attacks exist. Assume rollback/firmware drift will happen; enforce minimum versions and freshness nonces in policy. (arxiv.org)
Plan for attestation verifier independence
Use an external verifier (Intel Trust Authority or Google Cloud Attestation) so the platform you run on isn’t the one validating itself; ITA went free for major clouds in June 2025. (docs.trustauthority.intel.com)
Bring attestation on‑chain selectively
If the chain needs to judge TEE trust, push zk‑wrapped attestation (zkDCAP) rather than raw, gas‑heavy evidence. (medium.com)

30‑day pilot plan (what we’d do with your team)

Week 1: Requirements + trust policy

Pick cloud and region; define CPU/GPU attestation policy (measurements, firmware minimums, freshness window). Draft KMS condition policies. (docs.trustauthority.intel.com)

Week 2: Skeleton deployment

Bring up A3 Confidential VM (GCP), enable GPU CC‑mode, wire ITA composite attestation client, and test policy‑gated key release with a dummy witness. (docs.cloud.google.com)

Week 3: Integrate zkVM

Run SP1 or RISC Zero prover inside the TEE; add multi‑proof parallelism; set SLOs; record NRAS/ITA tokens in your SIEM. (blog.succinct.xyz)

Week 4: Audit + on‑chain glue

Optionally add zk‑wrapped attestation for on‑chain consumers (zkDCAP). Perform failure drills (revoked GPU cert, outdated image hash) to validate “fail‑closed.” (medium.com)

Risks and how to talk about them with stakeholders

“Are TEEs proven secure?” No single primitive is perfect; that’s why we combine composite attestation, revocation checks, and “attested key release” so a bug doesn’t expose witness data. Maintain TCB recovery procedures and monitor research. (intel.com)
“Will performance crater in CC‑mode?” Expect near‑native GPU performance in CC‑mode for many workloads; plan for driver/firmware alignment and batching to hide attestation latency. Validate on your circuits with small A/B experiments. (docs.cloud.google.com)
“Vendor lock‑in?” Using standard verifiers (NRAS, ITA) and standard KMS condition keys keeps you portable across clouds as GPU TEEs proliferate. (docs.trustauthority.intel.com)

Final word

2025 turned “private proving” from a research diagram into a deployable pattern. If your roadmap includes private payments, strategy‑preserving DEXs, or compliance‑friendly analytics, you can ship a zkVM‑based design this quarter by combining GPU TEEs, composite attestation, and KMS‑bound key release—without inventing new cryptography. 7Block Labs can stand up the reference architecture, tune prover throughput, and help you carry the attestation evidence your auditors will actually accept.

Sources and further reading

Google Cloud A3 Confidential VM (TDX + H100), overview and release notes (July 31, 2025). (docs.cloud.google.com)
Intel Trust Authority: composite CPU+GPU attestation and June 2025 updates (free, RIM support). (docs.trustauthority.intel.com)
NVIDIA H100 confidential computing and attestation (device identity, NRAS, OCSP). (developer.nvidia.com)
AWS Nitro Enclaves: KMS “RecipientAttestation” and all‑regions availability. (docs.aws.amazon.com)
Succinct “Private Proving” and Prover Network launch. (blog.succinct.xyz)
Interrupt‑based TEE attacks and lessons: Heckler/WeSee (2024); SGX “WireTap” (2025). (arxiv.org)
Throughput benchmarks and real‑time proving reports. (p2p.org)

If you want our team to scope a proof‑of‑concept on your preferred cloud and zkVM, reach out—most projects can get to an attested, private prover in four weeks.