Private Proving Is Here: How TEEs Made zkVM Privacy Practical in 2025

The blend of production-ready TEEs and GPU confidential computing has finally made it possible to deploy private zkVM proving on a larger scale. In this post, we’re breaking down what shifted in 2025, the specific architectures you can roll out right now, some common pitfalls to watch out for, and a straightforward 30-day pilot plan.

TL;DR for decision‑makers

• GPU TEEs (like the NVIDIA H100 and H200 in CC-mode) and CPU TEEs (such as Intel TDX, AMD SEV-SNP, and AWS Nitro Enclaves) have finally hit cloud GA and become pretty much everywhere. They feature composite attestation and KMS key-release patterns that ensure witnesses are kept sealed from start to finish. (docs.cloud.google.com)
• Networks like Succinct have introduced “Private Proving,” which lets zkVMs operate inside TEEs. This means teams can enjoy Zcash-level privacy without the need for custom circuits. (blog.succinct.xyz)

---

What changed in 2025 (and why it matters)

• Confidential GPUs have made the leap from lab demos to cloud features. Google Cloud’s A3 Confidential VM, featuring Intel TDX and a single H100 GPU, officially launched on July 31, 2025. This upgrade takes the Trusted Execution Environment (TEE) boundary all the way from the CPU to the GPU, ensuring your witness remains encrypted throughout the proving process. Check out the details here.
• Composite attestation across different vendors is really coming into its own. In June 2025, Intel Trust Authority (ITA) introduced composite CPU+GPU attestation using NVIDIA’s Remote Attestation Service (NRAS), and guess what? It’s free for users on major cloud platforms, cutting out the usual costs and policy headaches. You can read more about it here.
• NVIDIA has also beefed up GPU attestation. With NRAS v4 APIs, they now require OCSP/device identity and authentication keys starting August 15, 2025. This move aligns GPU trust more closely with enterprise security measures. More info is available here.
• AWS Nitro Enclaves are now available in every region as of October 21, 2025, which is a big win! They’ve also simplified the standard KMS “attested recipient” flows for secret release to enclaves, making them super handy for multi-cloud zk stacks. Catch the announcement here.
• On the privacy front, zk proving networks are now switching to private by default. Succinct rolled out “Private Proving” (SP1 inside a TEE, reported on the H200), paving the way for teams to manage private proofs more easily. Dive into their blog for more details here.

Net effect: you don’t have to rely on custom operations anymore to keep your witnesses private on those rented GPUs. All the essentials--attest, key-release, prove, aggregate, verify--are now available as ready-made products.

---

Why zkVM “private proving” is different from just proving off‑chain

• When you're dealing with old-school cloud setups, the host operator (and sometimes the cloud itself) can easily access witness/plaintext. That just doesn't cut it for things like financial strategies, personal identifiable information (PII), or proprietary models.
• Enter TEEs! With these, you only hand over the witness decryption keys to a trusted enclave/TD (and a GPU in CC-mode). This keeps the cloud and host OS outside your trust boundary. Plus, your compliance team gets solid proof (thanks to EAT/JWT claims) about who, what, and where ran your prover. Check out more details here!

---

The reference architecture we deploy at 7Block Labs

Here’s the most effective pattern we’re seeing right now for both startups and established enterprises.

Pattern A: GCP “CPU+GPU TEE” private prover (recommended when you need GPU TEEs)

1. First up, let's provision an A3 Confidential VM (a3-highgpu-1g). You'll get Intel TDX on the CPU and an H100 running in Confidential Computing mode. Check out the details here.
2. Next, we need to enable GPU CC-mode attestation (NRAS). This step involves validating the device identity with an ECC-384 fused key, checking for OCSP revocation, and making a note of the NRAS JWT. For more info, head over to NVIDIA's blog.
3. Now, let’s request composite attestation through Intel Trust Authority. This process will bundle those NRAS GPU claims into a single attestation token that you can tie to your policy. You can find more details here.
4. Time to secure those witness keys with an external KMS. Only release an AES session key (or envelope key) to workloads that present a fresh ITA token that matches your policies (think measurement hashes, TDX MRTD, GPU model/firmware). Learn more here.
5. Finally, run your prover (like SP1 or RISC Zero) in that attested image. Just a heads-up: your secrets will only be unsealed inside the TEE after that composite check passes. For additional insights, take a look at this blog post.

Security notes:

• With composite attestation, you can now say goodbye to relying solely on “CPU‑only” trust. If the GPU isn’t verified or has firmware that's been revoked, you can reject it outright. Check out the details here.
• Make sure to keep those NRAS tokens fresh! NVIDIA switched things up in 2025 with a new auth system (Bearer token, v4 claims). Don’t forget to track the transition to API‑key enforcement starting August 15, 2025. You can get the scoop here.

Pattern B: AWS “enclave‑gated secrets” for CPU‑only proving or control‑plane hardening

If you don't really need a GPU TEE--like when dealing with CPU-bound circuits, coordination tasks, or preparing witnesses--consider using Nitro Enclaves instead:

• Let’s put the witness decryption and orchestration logic inside an enclave.
• We can use the AWS KMS “RecipientAttestation” condition keys (like PCR0 or other specific PCRs) to make sure we’re only decrypting to that specific enclave image hash. Plus, CloudTrail will catch all the attested parameters for our audit trail. (docs.aws.amazon.com)
• Awesome news: Nitro Enclaves are now available in every AWS region, which is super convenient for keeping data residency in check. (aws.amazon.com)

Caveat: Nitro doesn't have GPU confidential computing on offer. If you're looking for a GPU TEE, you might want to check out GCP’s A3 Confidential or keep an eye on Azure’s roadmap. (docs.cloud.google.com)

---

Example: a private order‑book prover (SP1 inside a TEE)

Succinct’s 2025 “Private Proving” is all about running SP1 inside a TEE (you might’ve seen this mentioned in H200). This setup allows a DEX to prove state transitions while keeping orders and strategies under wraps. What’s really cool is that the time it takes to integrate has shrunk from months or even years (think custom circuits) down to just weeks thanks to Rust on a zkVM. Plus, the network is stepping up with decentralized proving capacity. For those teams working within regulations, the TEE token and GPU NRAS evidence serve as handy artifacts for audits. Check it out here: (blog.succinct.xyz)

---

Performance expectations: what we see on GPUs

• Just a heads up, confidential GPU enabling doesn’t really change the usual ZK constraints: parallelism still outshines single-proof scaling. Some independent benchmarking from Scroll prover showed that multi-proof parallelism on L40S often outperforms scaling a single proof across multiple GPUs. As for H100, its scaling really depends on how well the prover is utilized and the maturity of the software. So, don't forget to budget some time for tuning. (p2p.org)
• Prover networks are keeping an eye on real-time targets: community updates mention block proofs under 12 seconds on big 4090 clusters at around $0.086 per block. Just keep in mind to treat these figures as directional until you can replicate them on your own setup. (hozk.io)

---

On‑chain verification of TEE attestation (gas‑aware)

• zkDCAP: The teams at Phala and TOKI are working together to take Intel's SGX/TDX DCAP evidence and make it easy to verify on-chain through a zkVM, which definitely saves on gas compared to just parsing raw attestations. If you get your private proving done by TEE operators, using zk-wrapping for the attestation allows contracts to handle "provably-attested results" without having to put faith in a multisig. Check it out here.
• 2025 integrations: zkVerify and Phala have joined forces to bring on-chain verifiable TEE attestations, boasting over 20% in cost savings. This approach can scale to “TEE-backed co-processors” that feed into L1/L2 solutions. More details can be found here.

---

Security reality check: TEEs aren’t magic--defense in depth is required

Recent Academic Breaks Show Why You Must Pair TEEs with Policy and Monitoring

In recent times, we've seen academic breaks that really highlight the need for combining Teacher Evaluation Experiences (TEEs) with robust policies and proper monitoring. Here’s a closer look at why this pairing is crucial:

• Enhanced Evaluation: TEEs can give us deeper insights into teaching methods, but without strong policies in place, we might miss the bigger picture. The policies guide how these evaluations are used and ensure consistency across the board.
• Accountability: When we link TEEs to monitoring practices, we create a system of accountability. This helps teachers stay on track and makes sure that the evaluations lead to meaningful improvements in the classroom.
• Support and Development: Pairing TEEs with thoughtful policies allows for better support systems for teachers. It’s not just about evaluating performance but also about nurturing growth and development, which is essential for lasting change.
• Data Driven Decisions: With effective monitoring, we can use the data gathered from TEEs to make informed decisions. This data can highlight trends and areas for improvement, helping schools adapt and thrive.

In summary, integrating TEEs with strong policy frameworks and ongoing monitoring can transform the educational landscape, leading to more effective teaching and learning environments. Let’s not overlook the importance of this synergy!

• Interrupt-injection attacks, like “Heckler” and “WeSee,” have shown some sneaky ways to mess with AMD SEV-SNP and Intel TDX VMs right at the interrupt layer. It turns out, keeping your patch levels up to date, tuning hypervisor settings, and maintaining clean enclave code are super important. You can dive deeper into the details here: (arxiv.org)
• Physical-layer attacks, such as “WireTap,” target SGX DCAP using a DDR4 interposer. This serves as a reminder that when we talk about threat models, overlooking physical access can lead to some surprising real-world scenarios. So, it’s a good idea to keep your attested workloads in data centers you control and go for those CPU/GPU combos that have modern TCB recovery features. Check out more on this topic here: (cybersecurefox.com)
• To boost your security, consider using a third-party attestation service that has a solid audit posture. For instance, the Intel Trust Authority aligns with ISO 27001:2022, which is a great way to keep your attestation separate from the platform provider. You can learn more about it here: (intel.com)

Mitigations We Standardize:

• Deny‑by‑Default Attestation Policies: We make it a point to require specific measurements--like image digests and MRTD--as well as firmware minimums and freshness nonces. The idea here is to "fail closed" whenever possible. You can check out more about it here.
• KMS Key Release: This is tied to attestation, which includes PCR/image hash and workload identity. A key rule here? Never ship static witness keys. For more details, head over to this AWS link.
• Composite CPU+GPU Attestation: We also incorporate revocation checks (OCSP) on the GPU cert, plus fallback retries in case of NRAS outages. You can read up on this over at NVIDIA's blog.
• Supply-Chain Signing: For instance, we use tools like cosign, along with logging of attested KMS calls in CloudTrail. This approach helps us keep everything traceable. You can find more info here.

---

Implementation details that save weeks

• GCP A3 Confidential Setup: To get started, you'll want to have Ubuntu 24.04 or later, along with Linux 6.8 for the TDX/GPU attestation tools. The ITA's Python client has this handy method called get_token_v2, which you can use to grab composite TDX+GPU tokens. Check it out here: (docs.trustauthority.intel.com)
• NRAS Operational Gotchas: Make sure to switch to v4 endpoints and Bearer auth sooner rather than later. Trust me, mismatched claim versions can lead to some confusing failures, especially under heavy load. More details are available at (docs.nvidia.com).
• Policy Management: Good news! ITA now supports Reference Integrity Measurements (RIM) for TDX on GCP, which makes updating your policies a breeze as cloud images change. You can read up on this feature here: (docs.trustauthority.intel.com).
• Azure Parity: If you’re looking into Azure Confidential VMs (SEV‑SNP/TDX) and guest attestation, they work great for CPU-only proving or control planes. Just don’t forget to link up with Azure Key Vault once your security team signs off on the TDX attestation chain. More info can be found here: (learn.microsoft.com).
• AWS Enclave Key Release: With KMS's feature “RecipientAttestation:ImageSha384” and those granular PCR keys, you can pin decryption to a specific enclave revision. Plus, it’s a good idea to use vendor tools (like Anjuna) for managing your policies. Dive deeper here: (docs.aws.amazon.com).

---

“Buy vs Build” in 2025

• Buy a private proving service when: you really need to get to market quickly, want a managed TEE approach, and are looking for proofs in popular languages like Rust. Succinct’s “Private Proving” is tailor-made for this (think SP1 in TEE). Check it out here: (blog.succinct.xyz)
• Build in-house when: you need total control over your hardware or are working with a sovereign cloud setup, or if you have specific requirements for zk pipelines (like recursive aggregation and custom commitments). RISC Zero Bonsai offers a remote prover option, and if you’re self-hosting, you can complement it with composite attestation and KMS-gated witnesses. More details can be found here: (dev.risczero.com)

RFP prompts we recommend:

• What TEE(s) and GPU CC modes are you currently supporting? And is there a way to do composite CPU+GPU attestation? Check out the details here.
• How do you tie key releases to attestation? Which claims and verifiers are involved? You can find more info on that here.
• What’s the process for revoking or updating GPU firmware and driver trust roots? Get the scoop here.
• Do you provide an on-chain proof of TEE attestation, like zkDCAP or something similar? More about it here.

---

• Private payments and assets: We're talking about setting up confidential transfers where balances and links are all kept under wraps. The magic happens in a GPU TEE, and only a quick proof goes on-chain. This setup is pretty similar to what you see in "Private Proving," but we’re not diving into complicated Zcash-grade circuits. Check it out here: (blog.succinct.xyz)
• Private perps/AMMs: Imagine keeping quotes and order flow completely under wraps during the proving process. Only the validity proof and a bit of public state get shared. With composite attestation and KMS key release, we can stop front-running by those in the know. Learn more at: (docs.trustauthority.intel.com)
• zk data access from Web2: Ever thought about using TLSNotary/zkTLS to verify web data? You can do just that, then crunch the numbers in a TEE and pop a zk proof on-chain. This proves handy for compliance--like showing “balance ≥ X” without spilling the actual number. In 2025, we saw more workshops and better SDKs for zkTLS flows. Dive into the details here: (tlsnotary.org)

---

Emerging best practices (from recent engagements)

1. Treat proving like confidential AI
   Create a secure setup similar to what you'd use for protected model inference. Think composite attestation, policy-bound key release, sealed storage, and solid audit trails. Right now, the best route is GCP’s A3 Confidential VM + ITA + NRAS. Check it out here: (docs.cloud.google.com)

2) Parallelize proofs instead of just cranking up the power on one proof

It's a smart move to focus on throughput by running a bunch of 1-GPU proofs. Make sure to plan your schedule around your aggregation windows; right now, the best provers are showing improved economics when they leverage parallelism. Check out this detailed analysis on the efficiencies: (p2p.org).

3) Don’t skip the threat model review

It’s important to remember that interrupt-injection and physical attacks are real threats. You should plan for potential rollback or firmware drift--set up your policies to enforce minimum versions and freshness nonces. Check out more details on this here.

4) Plan for Attestation Verifier Independence

It’s a good idea to bring in an external verifier, like Intel Trust Authority or Google Cloud Attestation. This way, the platform you’re using isn’t the one doing the self-validation, which keeps things more secure. Plus, starting in June 2025, ITA is going to be free for all the major cloud providers! Check out the details here.

5) Selective On-Chain Attestation

When it comes to assessing TEE trust on the chain, it’s better to use zk-wrapped attestation (zkDCAP) instead of the raw, gas-intensive evidence. For more details, check out this article on Medium.

---

30‑day pilot plan (what we’d do with your team)

Week 1: Requirements + Trust Policy

• Choose your cloud provider and region. Outline your CPU/GPU attestation policy, including measurements, firmware minimums, and the freshness window. Also, start drafting those KMS condition policies. Check out this link for more details: docs.trustauthority.intel.com.

Week 2: Skeleton Deployment

• Set up the A3 Confidential VM on GCP, switch on GPU CC-mode, connect the ITA composite attestation client, and give the policy-gated key release a whirl using a dummy witness. (docs.cloud.google.com)

Week 3: Integrate zkVM

• Launch SP1 or the RISC Zero prover within the TEE. Let's introduce multi-proof parallelism, set some SLOs, and keep track of NRAS/ITA tokens in your SIEM. You can check out more details here.

Week 4: Audit + On-Chain Glue

• You might want to consider adding zk-wrapped attestation for those on-chain consumers (we're calling it zkDCAP). Also, don’t forget to run some failure drills--like revoking GPU certs or working with outdated image hashes--to ensure everything can “fail-closed.” Check out more details on this medium.com.

---

Risks and how to talk about them with stakeholders

• “Are TEEs really secure?” No single technology is flawless, which is why we use a mix of composite attestation, revocation checks, and “attested key release” to keep any bugs from leaking sensitive data. It’s super important to have TCB recovery procedures in place and stay updated on the latest research. Check it out here.
• “Will performance take a hit in CC-mode?” You can expect performance in CC-mode to be pretty close to native GPU levels for a lot of workloads. Just remember to align your driver and firmware and consider batching to help mask any attestation delays. It’s a good idea to test this on your hardware with some small A/B experiments. More details here.
• “What about vendor lock-in?” By using standard verifiers like NRAS and ITA, along with standard KMS condition keys, you can keep things flexible across different clouds as GPU TEEs become more common. You can learn more here.

---

Final word

2025 has transformed “private proving” from just a cool research concept into something you can actually use. If your plans involve private payments, strategy-friendly DEXs, or analytics that keep compliance in mind, you can totally roll out a zkVM-based design this quarter. Just mix GPU TEEs, composite attestation, and KMS-bound key release--no need to create any new cryptography! 7Block Labs is here to help set up the reference architecture, optimize prover throughput, and provide you with the attestation evidence that auditors will be happy to see.

---

Sources and further reading

• Check out the Google Cloud A3 Confidential VM (TDX + H100) for an overview and release notes as of July 31, 2025. You can find all the details here.
• Intel Trust Authority has some cool updates on composite CPU+GPU attestation and the June 2025 updates that come with free RIM support. Dive into the specifics here.
• If you're interested in NVIDIA H100, their confidential computing and attestation features include device identity, NRAS, and OCSP. Catch all the important info here.
• AWS Nitro Enclaves now supports KMS “RecipientAttestation” along with availability across all regions. You can read more about it here.
• Succinct just launched their “Private Proving” and Prover Network, and it’s worth a look! Get the scoop here.
• There’s been some chatter about interrupt-based TEE attacks, with insights from studies like Heckler/WeSee (2024) and SGX “WireTap” (2025). Check out their findings here.
• For those curious about performance, there are throughput benchmarks and real-time proving reports available. You can check it out here.

If you're interested in having our team put together a proof-of-concept on your favorite cloud and zkVM, just let us know! Most projects can have an attested, private prover ready to go in about four weeks.