pith. sign in

arxiv: 2606.03771 · v1 · pith:Z6IE4UF5new · submitted 2026-06-02 · 💻 cs.CR

πCreds: Privately Inferred Credentials

Pith reviewed 2026-06-28 09:22 UTC · model grok-4.3

classification 💻 cs.CR
keywords verifiable credentialsprivacy-preserving inferencelarge language modelsdecentralized systemsadversarial robustnessauthenticated datasemantic reasoning
0
0 comments X

The pith

πCreds generates decentralized verifiable credentials through trusted LLM inference on authenticated unstructured data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Existing decentralized credential systems depend on zero-knowledge proofs that are complex and restricted to structured data predicates. πCreds instead uses trusted large language model inference over authenticated sources to produce privacy-preserving credentials that remain compatible with legacy systems. LLMs enable semantic reasoning that expands the claims that can be certified, such as properties of code or financial records. The paper defines two new problems to capture LLM-specific threats from data manipulation and model selection, then evaluates them on a prototype handling live user data.

Core claim

Privately Inferred Credentials (πCreds) are privacy-preserving, legacy-compatible, decentralized verifiable credentials generated by trusted LLM inference over authenticated data. This approach expands the range of certifiable claims by leveraging LLMs' semantic reasoning over unstructured data, while formalizing the Source-Constrained Adversarial Example problem for robustness against manipulated inputs and the Authenticated Covert Predicate Poisoning problem for privacy leakage through model choice. Applications include credentials over user data and a new class over proprietary software without revealing source code.

What carries the argument

Trusted LLM inference over authenticated data that performs semantic reasoning to generate credentials while aiming to preserve privacy.

If this is right

  • Credentials can certify properties of proprietary software without revealing its source code.
  • The system supports issuance over live financial, health, email, and code sources.
  • The SCAE problem formalizes robustness requirements against adversaries that alter authenticated data for incorrect credentials.
  • The ACPP problem formalizes privacy leakage risks from adversarial choice of inference models.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This approach could allow credentials based on natural-language descriptions of user behavior or records.
  • It may integrate with existing web services to issue credentials without requiring new data infrastructure.
  • The framework could extend to auditing service properties through code analysis without full disclosure.

Load-bearing premise

Trusted LLM inference can be performed on authenticated data in a way that preserves privacy and resists adversarial manipulation of inputs or model selection.

What would settle it

An experiment in which an adversary manipulates authenticated input data or model selection to obtain a misleading credential from the LLM inference process.

Figures

Figures reproduced from arXiv: 2606.03771 by Andr\'es F\'abrega, Ari Juels, Dani Vilardell, Derek Leung, Farinaz Koushanfar, James Austgen, Samuel Breckenridge.

Figure 1
Figure 1. Figure 1: 𝜋Creds architecture and threat models. The prover submits credentials to a TEE-protected pipeline, shown in the gray box. Pipeline steps are: (1) The oracle (with user interaction) logs into the user’s whitelisted web data sources (e.g., banks, marketplaces, hospital portals) and fetches documents; (2) An LLM processes the documents under a credential-specific prompt; (3) The LLM returns its result; and (4… view at source ↗
Figure 2
Figure 2. Figure 2: 𝜋Creds ideal functionality available to prover P and verifier V. The prompt has 𝑛 slots, one per data source, the configuration 𝜏 binds each slot to a whitelist wl𝑖 , a per-source preprocessing function 𝑓prep,𝑖, and a provenance specification 𝜌𝑖 that determines what information about the source 𝑖 is public in the credential (e.g., the endpoint queried but not au￾thentication tokens). The whitelist wl𝑖 rest… view at source ↗
Figure 4
Figure 4. Figure 4: Formulation of the Source-Constrained Adversarial l() bl Figure 4: Formulation of the Source-Constrained Adversarial [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Illustration of adversarial attack on SCAE problem. [PITH_FULL_IMAGE:figures/full_fig_p006_5.png] view at source ↗
Figure 7
Figure 7. Figure 7: Illustration of adversarial attack on ACPP problem [PITH_FULL_IMAGE:figures/full_fig_p007_7.png] view at source ↗
Figure 6
Figure 6. Figure 6: Formulation of the Authenticated Covert Predicate [PITH_FULL_IMAGE:figures/full_fig_p007_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: Example 𝜋Creds applications. Rows marked in red indicate applications we have implemented. (1) Item presence: whether a user purchased a specific item. A predicate over structured fields that existing credential systems can already support; included as a baseline. (2) Max price: the maximum price the user has paid. Also expressible as a predicate, included as a second baseline at a different output granula… view at source ↗
Figure 10
Figure 10. Figure 10: Attack success for the SCAE problem on the prod [PITH_FULL_IMAGE:figures/full_fig_p010_10.png] view at source ↗
Figure 9
Figure 9. Figure 9: 𝜋Cred audit flow for attested code. The 𝜋Cred audit and the proprietary code are both running inside TEEs. Audit (① and ②) and code deployment (③) are independent: the code can be deployed before, during, or after the 𝜋Cred is issued. is inherently noisy as transaction patterns do not uniquely deter￾mine income, but the labels give us a fixed reference against which to measure systematic deviation. Frontie… view at source ↗
Figure 11
Figure 11. Figure 11: Adversarial predicate-recovery accuracy versus [PITH_FULL_IMAGE:figures/full_fig_p011_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: Formal abstraction for TEE attested execution. The [PITH_FULL_IMAGE:figures/full_fig_p014_12.png] view at source ↗
Figure 13
Figure 13. Figure 13: The 𝜋Creds enclave program, parameterized by an oracle O for fetching data. The enclave generates two key pairs at setup: a signing pair (pksig 𝑇 ,sksig 𝑇 ) under signa￾ture scheme Σ used to authenticate issued credentials, and an encryption pair (pkenc 𝑇 ,skenc 𝑇 ) under public-key encryp￾tion scheme 𝐸 used to receive issuance requests. Both public keys are returned to the surrounding protocol and bound … view at source ↗
Figure 16
Figure 16. Figure 16: Model accuracy across deterministic tasks with [PITH_FULL_IMAGE:figures/full_fig_p016_16.png] view at source ↗
Figure 17
Figure 17. Figure 17: Mean absolute deviation from ground truth across [PITH_FULL_IMAGE:figures/full_fig_p016_17.png] view at source ↗
read the original abstract

Decentralized verifiable credential systems have seen limited deployment in practice. Existing constructions, built on zero-knowledge proofs, are complex, application-specific, and largely restricted to predicates over structured data. We present Privately Inferred Credentials ($\pi$Creds): privacy-preserving, legacy-compatible, decentralized verifiable credentials generated by trusted LLM inference over authenticated data. LLMs' ability to semantically reason over unstructured data substantially expands the range of claims $\pi$Creds can certify over existing credential systems. The use of LLMs also introduces new application-level threats, which we formalize through two problems: the Source-Constrained Adversarial Example (SCAE) problem, which captures robustness against adversaries that manipulate authenticated data to obtain misleading credentials, and the Authenticated Covert Predicate Poisoning (ACPP) problem, which captures privacy leakage through adversarial model selection. We characterize applications of $\pi$Creds over user data, and a novel class of credentials over proprietary software that certifies properties of a service without revealing its source code. Our prototype supports issuing credentials over live financial, health, email, and code sources, and we empirically study the SCAE and ACPP threats on a product expertise credential over real financial data.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces πCreds, a system for generating privacy-preserving decentralized verifiable credentials via trusted LLM inference over authenticated unstructured data. It claims this substantially expands the range of certifiable claims beyond existing ZK-based systems limited to structured predicates. The work formalizes two new threats—Source-Constrained Adversarial Example (SCAE) for robustness against manipulated authenticated inputs and Authenticated Covert Predicate Poisoning (ACPP) for privacy leakage via model selection—characterizes applications including proprietary software credentials, presents a prototype supporting financial/health/email/code sources, and empirically evaluates the formalized threats on a product-expertise credential over real financial data.

Significance. If the privacy, robustness, and correctness claims hold, the result would meaningfully broaden practical deployment of verifiable credentials by enabling semantic claims over legacy unstructured sources without requiring application-specific ZK circuits. The formalization of SCAE and ACPP and the prototype's coverage of live data sources are concrete contributions that could inform future work on LLM-mediated credentials.

major comments (2)
  1. [Abstract, §4] Abstract and §4 (threat formalization): the central claim that LLM semantic reasoning 'substantially expands the range of claims πCreds can certify' is load-bearing on the correctness of the inference step itself. The manuscript formalizes and empirically studies only SCAE (adversarial data manipulation) and ACPP (model-selection leakage) but provides no mechanism, bound, or evaluation addressing inherent LLM errors such as hallucination or input inconsistency on the same authenticated data; without this, the expansion benefit cannot be isolated from the risk of issuing incorrect credentials.
  2. [§5] §5 (prototype and evaluation): the empirical study of SCAE/ACPP on financial data reports results only for adversarial robustness; no corresponding measurements or baselines are given for end-to-end credential correctness (e.g., agreement with ground-truth labels on the same inputs), which is required to substantiate the legacy-compatible claim for unstructured sources.
minor comments (2)
  1. Notation for the trusted inference oracle and the exact interface between authenticated data and LLM input should be defined earlier and used consistently when describing the prototype.
  2. The paper should clarify whether the 'trusted LLM inference' assumption includes any cryptographic or hardware-rooted attestation mechanism, as this directly affects the privacy and legacy-compatibility claims.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive feedback on our manuscript. The comments highlight important considerations around the assumptions underlying LLM-based inference. We address each major comment below, clarifying the scope of our contributions while acknowledging areas where the manuscript can be strengthened through revision.

read point-by-point responses
  1. Referee: [Abstract, §4] Abstract and §4 (threat formalization): the central claim that LLM semantic reasoning 'substantially expands the range of claims πCreds can certify' is load-bearing on the correctness of the inference step itself. The manuscript formalizes and empirically studies only SCAE (adversarial data manipulation) and ACPP (model-selection leakage) but provides no mechanism, bound, or evaluation addressing inherent LLM errors such as hallucination or input inconsistency on the same authenticated data; without this, the expansion benefit cannot be isolated from the risk of issuing incorrect credentials.

    Authors: We agree that LLM inference correctness is a foundational assumption for the claimed expansion of certifiable claims. Our work assumes a trusted inference service (as stated in the abstract and §3) that produces correct outputs for given authenticated inputs; the novel contributions are the formalization of SCAE and ACPP, which are new threats introduced specifically by the use of LLMs over authenticated unstructured data. We do not provide new mechanisms or bounds for general LLM issues such as hallucination, as these remain open research problems orthogonal to our threat models. We will revise the manuscript to more explicitly articulate this assumption as a limitation and discuss its implications for the expansion claim. revision: partial

  2. Referee: [§5] §5 (prototype and evaluation): the empirical study of SCAE/ACPP on financial data reports results only for adversarial robustness; no corresponding measurements or baselines are given for end-to-end credential correctness (e.g., agreement with ground-truth labels on the same inputs), which is required to substantiate the legacy-compatible claim for unstructured sources.

    Authors: The evaluation in §5 prioritizes the novel SCAE and ACPP threats because they represent the paper's primary technical contributions beyond existing ZK systems. End-to-end correctness metrics (e.g., agreement with ground truth) were not included as they would require extensive manual labeling of unstructured financial data, which was outside the scope of demonstrating the new threat models. We acknowledge this gap and will add a discussion of correctness assumptions plus, where feasible, baseline agreement rates on the product-expertise credential using available labels from the financial dataset. revision: yes

standing simulated objections not resolved
  • Providing formal bounds, mechanisms, or comprehensive evaluations to mitigate inherent LLM errors such as hallucination or inconsistency, which are active open problems in the broader LLM literature and beyond the scope of formalizing SCAE/ACPP.

Circularity Check

0 steps flagged

No circularity: claims rest on external LLM assumptions and new formalizations without self-referential derivations.

full rationale

The paper introduces πCreds as a system using trusted LLM inference over authenticated data and formalizes two new threat models (SCAE and ACPP). No equations, fitted parameters, or predictions appear that reduce by construction to inputs defined within the paper. The central expansion claim relies on the external premise of LLM semantic reasoning rather than any internal derivation chain or self-citation load-bearing step. Empirical study of the formalized threats on financial data is presented as evaluation, not as a tautological renaming or ansatz smuggling. The derivation is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only; no explicit free parameters, axioms, or invented entities are stated. The central construction rests on the unelaborated premise of trusted LLM inference.

pith-pipeline@v0.9.1-grok · 5770 in / 948 out tokens · 30383 ms · 2026-06-28T09:22:22.526346+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

61 extracted references · 4 linked inside Pith

  1. [1]

    Advanced Micro Devices, Inc. 2020. AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More. White Paper. https://docs.amd.com/v/u/en- US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and- more

  2. [2]

    Apple Security Research. 2024. Private Cloud Compute. https://security.apple.c om/documentation/private-cloud-compute

  3. [3]

    Foteini Baldimtsi, Konstantinos Kryptos Chalkias, Yan Ji, Jonas Lindstrøm, Deepak Maram, Ben Riva, Arnab Roy, Mahdi Sedaghat, and Joy Wang. 2024. zklogin: Privacy-preserving blockchain authentication with existing creden- tials. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 3182–3196

  4. [4]

    Matan Ben-Tov, Daniel Deutch, Nave Frost, and Mahmood Sharif. 2024. CaFa: cost-aware, feasible attacks with database constraints against neural tabular classifiers. In2024 IEEE Symposium on Security and Privacy (SP). IEEE, 1345– 1364

  5. [5]

    Alex Berke, Dan Calacci, Robert Mahari, Takahiro Yabe, Kent Larson, and Sandy Pentland. 2024. Open e-commerce 1.0, five years of crowdsourced US Amazon purchase histories with user demographics.Scientific Data11, 1 (2024), 491

  6. [6]

    Battista Biggio, Blaine Nelson, and Pavel Laskov. 2012. Poisoning attacks against support vector machines.arXiv preprint arXiv:1206.6389(2012)

  7. [7]

    Alessandro Buldini, Carlo Mazzocca, Rebecca Montanari, and Selcuk Ulu- agac. 2025. Compact and Selective Disclosure for Verifiable Credentials. arXiv:2506.00262 [cs.CR] https://arxiv.org/abs/2506.00262

  8. [8]

    Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. 2017. Targeted backdoor attacks on deep learning systems using data poisoning.arXiv preprint arXiv:1712.05526(2017)

  9. [9]

    Jalen Chuang, Alex Seto, Nicolas Berrios, Stephan van Schaik, Christina Garman, and Daniel Genkin. 2026. Tee. fail: Breaking trusted execution environments via ddr5 memory bus interposition. In47th IEEE Symposium on Security and Privacy (IEEE S&P’26). IEEE Computer Society

  10. [10]

    Marco De Rossi, Davide Crapis, Jordan Ellis, and Erik Reppel. 2025. ERC-8004: Trustless Agents. Ethereum Improvement Proposals, no. 8004. https://eips.eth ereum.org/EIPS/eip-8004 Draft. Available: https://eips.ethereum.org/EIPS/eip- 8004

  11. [11]

    Tim Dettmers, Artidoro Pagnoni, Ari Holtzman, and Luke Zettlemoyer. 2023. Qlora: Efficient finetuning of quantized llms.Advances in neural information processing systems36 (2023), 10088–10115

  12. [12]

    Shahinaz Kamal Ezzat, Yasmine NM Saleh, and Ayman A Abdel-Hamid. 2022. Blockchain oracles: State-of-the-art and research directions.IEEE Access10 (2022), 67551–67572

  13. [13]

    Ivan Fursov, Matvey Morozov, Nina Kaploukhaya, Elizaveta Kovtun, Rodrigo Rivera-Castro, Gleb Gusev, Dmitry Babaev, Ivan Kireev, Alexey Zaytsev, and Evgeny Burnaev. 2021. Adversarial attacks on deep models for financial trans- action records. InProceedings of the 27th acm sigkdd conference on knowledge discovery & data mining. 2868–2878

  14. [14]

    Ivan Fursov, Alexey Zaytsev, Nikita Kluchnikov, Andrey Kravchenko, and Evgeny Burnaev. 2020. Gradient-based adversarial attacks on categorical sequence models via traversing an embedded world. InInternational Conference on Analysis of Images, Social Networks and Texts. Springer, 356–368

  15. [15]

    Stefan Gast, Hannes Weissteiner, Robin Leander Schröder, and Daniel Gruss

  16. [16]

    In Network and Distributed System Security (NDSS) Symposium 2025

    CounterSEVeillance: Performance-counter attacks on AMD SEV-SNP. In Network and Distributed System Security (NDSS) Symposium 2025

  17. [17]

    Salah Ghamizi, Maxime Cordy, Martin Gubri, Mike Papadakis, Andrey Boystov, Yves Le Traon, and Anne Goujon. 2020. Search-based adversarial testing and improvement of constrained credit scoring systems. InProceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 1089–1100

  18. [18]

    Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. InInternational Conference on Learning Representations (ICLR)

  19. [19]

    Intel Corporation. 2025. Intel Trust Domain Extensions (Intel TDX). White Paper. https://cdrdv2.intel.com/v1/dl/getContent/690419

  20. [20]

    Ari Juels and Farinaz Koushanfar. 2024. Props for machine-learning security. arXiv preprint arXiv:2410.20522(2024)

  21. [21]

    Klim Kireev, Bogdan Kulynych, and Carmela Troncoso. 2023. Adversarial ro- bustness for tabular data through cost and utility awareness. InNetwork and Distributed System Security (NDSS) Symposium

  22. [22]

    Simon Lermen, Daniel Paleka, Joshua Swanson, Michael Aerni, Nicholas Carlini, and Florian Tramèr. 2026. Large-scale online deanonymization with LLMs.arXiv preprint arXiv:2602.16800(2026)

  23. [23]

    Deepak Maram, Harjasleen Malvai, Fan Zhang, Nerla Jean-Louis, Alexander Frolov, Tyler Kell, Tyrone Lobban, Christine Moy, Ari Juels, and Andrew Miller

  24. [24]

    In2021 IEEE Symposium on Security and Privacy (SP)

    Candid: Can-do decentralized identity with legacy compatibility, sybil- resistance, and accountability. In2021 IEEE Symposium on Security and Privacy (SP). IEEE, 1348–1366

  25. [25]

    Frank McKeen, Ilya Alexandrovich, Ittai Anati, Dror Caspi, Simon Johnson, Rebekah Leslie-Hurd, and Carlos Rozas. 2016. Intel®software guard extensions (Intel®SGX) support for dynamic memory management inside an enclave. In HASP. 1–9

  26. [26]

    Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R Savagaonkar. 2013. Innovative instructions and software model for isolated execution.. InHASP. 10

  27. [27]

    Dominik Meier, Jan Philip Wahle, Paul Röttger, Terry Ruas, and Bela Gipp. 2025. TrojanStego: Your Language Model Can Secretly Be A Steganographic Privacy Leaking Agent. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing. 27232–27249

  28. [28]

    Apoorve Mohan, Mengmei Ye, Hubertus Franke, Mudhakar Srivatsa, Zhuoran Liu, and Nelson Mimura Gonzalez. 2024. Securing ai inference in the cloud: Is cpu- gpu confidential computing ready?. In2024 IEEE 17th International Conference on Cloud Computing (CLOUD). IEEE, 164–175

  29. [29]

    Milad Nasr, Nicholas Carlini, Chawin Sitawarin, Sander V Schulhoff, Jamie Hayes, Michael Ilie, Juliette Pluto, Shuang Song, Harsh Chaudhari, Ilia Shumailov, et al

  30. [30]

    The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections.arXiv preprint arXiv:2510.09023 (2025)

  31. [31]

    Sergey Nazarov and Ari et al. Juels. 2021. Chainlink 2.0: Next steps in the evolution of decentralized oracle networks. https://research.chain.link/whitep aper-v2.pdf Whitepaper

  32. [32]

    NVIDIA Corporation. 2023. NVIDIA H100 Tensor Core GPU Architecture: Confidential Computing. https://images.nvidia.com/aem-dam/en-zz/Solutions/d ata-center/HCC-Whitepaper-v1.0.pdf. Whitepaper WP-11459-001. Accessed: 2026-05-19

  33. [33]

    NVIDIA Corporation. 2024. Confidential Computing Solutions. https://www. nvidia.com/en-us/data-center/solutions/confidential-computing/. Accessed: 2025-05-05

  34. [34]

    Opacity Network. 2026. Opacity Network – Verified Data Network. https: //docs.opacity.network. zkTLS-based AVS on EigenLayer. Uses MPC-TLS and ZKPs for privacy-preserving data verification from Web2 to Web3. Accessed: 2026-03-23

  35. [35]

    Opaque Systems. 2026. Opaque – Confidential AI Platform for Trusted AI. https://www.opaque.co. Multi-party confidential analytics and AI on encrypted data within TEEs. Co-founded by Prof. Raluca Ada Popa (UC Berkeley). Accessed: 2026-03-23

  36. [36]

    Nicolas Papernot, Patrick McDaniel, Ananthram Sinha, and Michael P Wellman

  37. [37]

    In2018 IEEE European Symposium on Security and Privacy (EuroS&P)

    SoK: Security and privacy in machine learning. In2018 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 399–414

  38. [38]

    Rafael Pass, Elaine Shi, and Florian Tramer. 2016. Formal Abstractions for At- tested Execution Secure Processors. Cryptology ePrint Archive, Paper 2016/1027. https://eprint.iacr.org/2016/1027

  39. [39]

    Phala Network. 2026. Private AI Inference – Confidential LLM Serving. https: //phala.com/solutions/private-ai-inference. GPU TEEs with Intel TDX and AMD SEV for hardware-level memory encryption during inference. Accessed: 2026-03-23

  40. [40]

    Proxying is Enough

    Reclaim Protocol. 2026. Reclaim Protocol – Cryptographic Verification for Identity, Education, Employment & Travel. https://www.reclaimprotocol.org. zkTLS using the proxy model (“Proxying is Enough”). Over 2500 data sources, 3M+ verifications. Accessed: 2026-03-23

  41. [41]

    Michael Rosenberg, Jacob White, Christina Garman, and Ian Miers. 2023. zk-creds: Flexible anonymous credentials from zksnarks and existing identity infrastruc- ture. In2023 IEEE Symposium on Security and Privacy (SP). IEEE, 790–808

  42. [42]

    Martin Schanzenbach, Thomas Kilian, Julian Schütte, and Christian Banse. 2019. ZKlaims: Privacy-preserving attribute-based credentials using non-interactive zero-knowledge techniques.arXiv preprint arXiv:1907.09579(2019)

  43. [43]

    Benedict Schlüter and Shweta Shinde. 2025. RMPocalypse: How a Catch-22 Breaks AMD SEV-SNP. InProceedings of the 2025 on ACM SIGSAC Conference on Computer and Communications Security (CCS ’25). Association for Computing Machinery. 13

  44. [44]

    Ryan Sheatsley, Ben Hoak, Ethan Pauley, Yannick Beugin, Michael J Weisman, and Patrick McDaniel. 2021. On the robustness of domain constraints. InACM CCS

  45. [45]

    Thibault Simonetto, Salah Ghamizi, and Maxime Cordy. 2024. Constrained adaptive attack: Effective adversarial attack against deep neural networks for tabular data.Advances in Neural Information Processing Systems37 (2024), 27817– 27849

  46. [46]

    Jones, et al

    Manu Sporny, Ted Thibodeau Jr., Ivan Herman, Gabe Cohen, Michael B. Jones, et al. 2025.Verifiable Credentials Data Model v2.0. W3C Recommendation REC- vc-data-model-2.0. World Wide Web Consortium (W3C). https://www.w3.org/T R/vc-data-model/

  47. [47]

    Kirk Swidowski, Daniel Moghimi, Josh Eads, Erdem Aktas, and Jia Ma. 2026. Security Assessment of Intel TDX with support for Live Migration.arXiv preprint arXiv:2602.11434(2026)

  48. [48]

    Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. InInternational Conference on Learning Representations (ICLR)

  49. [49]

    Tinfoil. 2026. Tinfoil – Verifiably Private AI Powered by Secure Enclaves. https: //tinfoil.sh. Accessed: 2026-03-23

  50. [50]

    Venice AI. 2026. Venice – Private AI for Unlimited Creative Freedom. https: //venice.ai. Accessed: 2026-03-23

  51. [51]

    Charles Westphal, Keivan Navaie, and Fernando E Rosas. 2026. Hide and Seek in Embedding Space: Geometry-based Steganography and Detection in Large Language Models.arXiv preprint arXiv:2601.22818(2026)

  52. [52]

    Luca Wilke, Florian Sieck, and Thomas Eisenbarth. 2024. TDXdown: Single- stepping and instruction counting attacks against Intel TDX. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 79–93

  53. [53]

    Xiang Xie, Kang Yang, Xiao Wang, and Yu Yu. 2024. Lightweight authentication of web data via garble-then-prove. InProceedings of the 33rd USENIX Conference on Security Symposium(Philadelphia, PA, USA)(SEC ’24). Article 110, 18 pages

  54. [54]

    Yuanyuan Yuan, Zhibo Liu, Sen Deng, Yanzuo Chen, Shuai Wang, Yinqian Zhang, and Zhendong Su. 2025. Ciphersteal: Stealing input data from tee-shielded neural networks with ciphertext side channels. In2025 IEEE Symposium on Security and Privacy (SP). IEEE, 4136–4154

  55. [55]

    Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine Shi. 2016. Town Crier: An authenticated data feed for smart contracts. InACM CCS

  56. [56]

    Fan Zhang, Ethan Cecchetti, Ari Juels, and Elaine Shi. 2020. DECO: Liberating web data using decentralized oracles for TLS. InACM CCS

  57. [57]

    Lianmin Zheng, Wei-Lin Chiang, Ying Sheng, Siyuan Zhuang, Zhanghao Wu, Yonghao Zhuang, Zi Lin, Zhuohan Li, Dacheng Li, Eric Xing, et al. 2023. Judging llm-as-a-judge with mt-bench and chatbot arena.Advances in neural information processing systems36 (2023), 46595–46623

  58. [58]

    Chen Zhu, W Ronny Huang, Hengduo Li, Gavin Taylor, Christoph Studer, and Tom Goldstein. 2019. Transferable clean-label poisoning attacks on deep neural nets. InInternational conference on machine learning. PMLR, 7614–7623

  59. [59]

    Jianwei Zhu, Hang Yin, Peng Deng, Aline Almeida, and Shunfan Zhou. 2024. Confidential computing on NVIDIA Hopper GPUs: a performance benchmark study.arXiv preprint arXiv:2409.03992(2024)

  60. [60]

    zkPass. 2026. zkPass – Private Data Protocol. https://zkpass.org. Decentralized oracle protocol using zkTLS with 3P-TLS and hybrid ZK (VOLE-in-the-Head). Accessed: 2026-03-23

  61. [61]

    Setup”, 𝜏) ) broadcast(eid, 𝜏,pk sig 𝑇 ,pk enc 𝑇 , 𝜎att) ◦On receiving(eid, 𝜏,pk sig 𝑇 ,pk enc 𝑇 , 𝜎att)via broadcast: store locally. ◦On(“Issue

    Andy Zou, Zifan Wang, Nicholas Carlini, Milad Nasr, J Zico Kolter, and Matt Fredrikson. 2023. Universal and transferable adversarial attacks on aligned language models.arXiv preprint arXiv:2307.15043(2023). A Artifact The artifact is available at https://anonymous.4open.science/r/picr eds. It comprises four components, each reproducing a main result of th...