Yeah, I guessed you might be talking about FHE and similar stuff. But I wonder if the most basic concept still fits your description: just blind your witness and send that to the server. Then the server does the ZKP, so to speak "encrypted". This would only work directly for the simplest structures. Like a "reverse blinded signature" is the easiest one I could think of. Instead of blinding the message that the signer signs, you blind what key is being used to sign the (public) message. A signature is technically a ZKP (a zk-proof of knowledge). I have x, I give the server b+x, they sign with that: s' = k + e(b+x), I subtract eb to get s = k + ex. Notice that this is a weakness (arguably a fatal weakness) of non key-prefixed schnorr; it only works if you hash H(R,m) not H(P,R,m).