IBM Put Zero-Knowledge Proofs Inside the HSM. A 2021 Patent Reads the Claim.

A zero-knowledge proof lets one party convince another that a statement is true — “I know the password,” “this transaction is valid,” “I am over eighteen” — without revealing anything beyond the truth of the statement itself. It is one of the most powerful ideas in modern cryptography. But like any cryptographic protocol, it has secret inputs, and those secrets have to live somewhere.

US11177957B2, “Hardware security modules for executing zero-knowledge proofs,” granted to International Business Machines Corporation on November 16, 2021, makes the somewhere a hardware security module. Classified under H04L 9/3218 — the CPC code for zero-knowledge protocols — the patent claims executing the proof inside the HSM, the tamper-resistant box banks and clouds already trust with their most sensitive keys.

The inventor list is itself a signal: Camenisch and Drijvers are well-known names in the academic zero-knowledge and anonymous-credential literature. That lineage suggests the claim is grounded in serious protocol design rather than a generic “do X, but in hardware” filing — the kind of patent an examiner-minded reader takes more seriously.

The strategic logic is clean. A zero-knowledge proof is only as trustworthy as the integrity of the prover's secret witness and the proving process. If both run in ordinary software on a server an attacker might compromise, the secrets are exposed and the proof's guarantees can be subverted. Pushing the proof into an HSM means the witness never leaves tamper-resistant silicon, and the proving computation itself is shielded.

Per the desk's rules: this is an issued grant, kind code B2, not a pending application; and it describes a hardware-method configuration, not a shipped product line. IBM's long history in HSMs and confidential computing is the obvious commercial backdrop.

For the systems reader, the broader pattern is convergence: zero-knowledge proofs, hardware security modules, and confidential computing are increasingly filed together, because each addresses a different layer of the same problem — proving something is true while keeping the underlying secret genuinely secret, all the way down to the hardware.