The complete reference for Kythera — a Solana-native verifiable compute layer. Heavy computation runs off-chain in a zkVM, many proofs fold into one, and that single proof is certified on-chain in a single transaction. This is how it works, end to end.
A proof descends through five layers.
Kythera lets a Solana application act on the result of a computation that could never fit on-chain — without trusting whoever produced that result.
A Solana program runs inside a compute budget of roughly 1.4M CU per transaction. An ML inference,
a sort over thousands of items, or an aggregation across a large data set simply does not fit. Today that work is
pushed onto a server, and the chain is asked to trust whatever number comes back.
Kythera removes the trust. The work runs off-chain inside a zero-knowledge virtual machine that emits a proof of correct execution. Many such proofs fold into one, and an on-chain verifier certifies that single proof for a flat, tiny cost. What lands on-chain is not a claim — it is a certificate.
Three verbs describe the whole protocol:
The key property is succinctness: the cost to check a proof is independent of the cost to produce it. Folding extends that to batches — the cost to check a thousand folded proofs equals the cost to check one.
The diagram above is the architecture. In words:
Applications submit a circuit id, an input blob and a callback. The job is queued to a pool of SP1 hosts, which run the guest program off-chain. Nothing is trusted yet — execution only produces a witness.
The SP1 v3 zkVM turns each sub-computation into a succinct proof of correct execution. One heavy job becomes a batch of small, independently-valid proofs.
Nova / SuperNova folds the batch — instance by instance — into a single Groth16 SNARK of constant size. This is where unbounded work collapses to a fixed on-chain footprint.
An Anchor program runs verify_proof on mainnet. The pairing check costs under 200K CU,
and on success it writes a ProofRecord PDA seeded by the proof hash.
Certified facts publish as Pyth-style feeds. Other programs read them in the same transaction via CPI; off-chain consumers read them through the API or SDK.
Following a single median job from request to certificate:
POST the circuit id, a base64 input and a webhook. The API returns a jobId and queues it.
An SP1 host runs the median guest program over the input, emitting a sortedness witness and sub-proofs.
The folding adapter compresses the sub-proofs into one Groth16 SNARK — about 2.3 KB, constant size.
The proof bytes go to the verifier program; the pairing check passes in ~182K CU and a ProofRecord PDA is written.
Your webhook fires with the proof hash. Any dApp now reads the certified median by subscribing to the record.
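What the sortedness witness from the second step lets the guest check, as an added example (not Kythera's guest code): the witness must be monotonic and a permutation of the input before its middle element is accepted as the median. The function name, the i64 element type and the lower-middle rule for even-length inputs are assumptions.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum WitnessError {
    Empty,
    LengthMismatch,
    NotMonotonic { index: usize },
    MultisetMismatch,
}

/// Validates a host-supplied sorted copy of `input` and returns the median.
/// Assumption: for even lengths the lower-middle element is the median.
pub fn median_from_witness(input: &[i64], witness: &[i64]) -> Result<i64, WitnessError> {
    if input.is_empty() {
        return Err(WitnessError::Empty);
    }
    if input.len() != witness.len() {
        return Err(WitnessError::LengthMismatch);
    }
    // 1. Monotonic: every element is >= its predecessor.
    for i in 1..witness.len() {
        if witness[i - 1] > witness[i] {
            return Err(WitnessError::NotMonotonic { index: i });
        }
    }
    // 2. Multiset equality: each witness element consumes one matching input element.
    let mut counts: HashMap<i64, u32> = HashMap::new();
    for v in input {
        *counts.entry(*v).or_insert(0) += 1;
    }
    for v in witness {
        match counts.get_mut(v) {
            Some(c) if *c > 0 => *c -= 1,
            _ => return Err(WitnessError::MultisetMismatch),
        }
    }
    // Equal lengths plus full consumption means no input element is left over.
    Ok(witness[(witness.len() - 1) / 2])
}

fn main() {
    let input = [42, 7, 19, 7, 88]; // constructed sample input
    let honest = [7, 7, 19, 42, 88]; // correct sorted witness
    let forged = [7, 7, 19, 88, 88]; // sorted, but swaps 42 for a second 88
    println!("honest: {:?}", median_from_witness(&input, &honest));
    println!("forged: {:?}", median_from_witness(&input, &forged));
}
```

Both checks are needed: a witness that is sorted but not a permutation of the input fails the multiset check, and a permutation that is not sorted fails the monotonic check.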
A circuit is a guest program with a typed input and output. Five ship today; the folding adapter is identical
across all of them, so adding your own is a matter of registering a builder entry under
packages/circuits/<name>.
scoring — weighted average over a fixed-length score vector.
aggregation — SUM, AVG, MIN, MAX in one pass, all committed.
median — median with a sortedness witness over the input multiset.
sort — permutation proof; output is monotonic, multiset matches input.
ml-inference — two-layer MLP forward pass, ReLU, fixed-point i32.
The CLI is the human surface — you type kythera verify and read the result with your eyes. CPI (Cross-Program Invocation) is the program surface: what a Solana program calls when it, not a human, needs a certified fact before it acts.
Add the verifier crate with the cpi feature, which pulls in the generated helpers and turns off the
on-chain entrypoint so you do not ship a second copy of the program:
Because the call runs in the same transaction, the verification and the action it gates are atomic — either both land or neither does. That atomicity is the whole reason CPI exists: composable verified compute, with no trusted gap between checked and acted on.
Every certification writes a ProofRecord PDA seeded by [b"proof", &proof_hash]. It
stores the hash, the circuit id and the slot it landed at. The proof bytes themselves stay off-chain — the chain
keeps the certificate, not the payload.
Because each distinct proof lands at its own address, concurrent certifications never contend for the same account. External dApps subscribe to those records by hash, exactly as they would read a Pyth feed. Browse live records in the Explorer.
Folding is the reason the numbers work. Verifying 100 sub-proofs directly would cost about half a SOL; the folded proof certifies in one transaction for a fraction of a cent — and that cost is flat as the batch grows.
On-chain verification stays under 200K CU regardless of the circuit or the batch size, because the
verifier only ever checks one constant-size SNARK.
Kythera's guarantee is computational, not reputational. A valid proof exists only if the program really executed on the claimed inputs, so a dishonest host cannot forge a result — at worst it can refuse to produce one.