πCreds: Privately Inferred Credentials
Pith reviewed 2026-06-28 09:22 UTC · model grok-4.3
The pith
πCreds generates decentralized verifiable credentials through trusted LLM inference on authenticated unstructured data.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Privately Inferred Credentials (πCreds) are privacy-preserving, legacy-compatible, decentralized verifiable credentials generated by trusted LLM inference over authenticated data. This approach expands the range of certifiable claims by leveraging LLMs' semantic reasoning over unstructured data, while formalizing the Source-Constrained Adversarial Example problem for robustness against manipulated inputs and the Authenticated Covert Predicate Poisoning problem for privacy leakage through model choice. Applications include credentials over user data and a new class over proprietary software without revealing source code.
What carries the argument
Trusted LLM inference over authenticated data that performs semantic reasoning to generate credentials while aiming to preserve privacy.
If this is right
- Credentials can certify properties of proprietary software without revealing its source code.
- The system supports issuance over live financial, health, email, and code sources.
- The SCAE problem formalizes robustness requirements against adversaries that alter authenticated data for incorrect credentials.
- The ACPP problem formalizes privacy leakage risks from adversarial choice of inference models.
Where Pith is reading between the lines
- This approach could allow credentials based on natural-language descriptions of user behavior or records.
- It may integrate with existing web services to issue credentials without requiring new data infrastructure.
- The framework could extend to auditing service properties through code analysis without full disclosure.
Load-bearing premise
Trusted LLM inference can be performed on authenticated data in a way that preserves privacy and resists adversarial manipulation of inputs or model selection.
What would settle it
An experiment in which an adversary manipulates authenticated input data or model selection to obtain a misleading credential from the LLM inference process.
Figures
read the original abstract
Decentralized verifiable credential systems have seen limited deployment in practice. Existing constructions, built on zero-knowledge proofs, are complex, application-specific, and largely restricted to predicates over structured data. We present Privately Inferred Credentials ($\pi$Creds): privacy-preserving, legacy-compatible, decentralized verifiable credentials generated by trusted LLM inference over authenticated data. LLMs' ability to semantically reason over unstructured data substantially expands the range of claims $\pi$Creds can certify over existing credential systems. The use of LLMs also introduces new application-level threats, which we formalize through two problems: the Source-Constrained Adversarial Example (SCAE) problem, which captures robustness against adversaries that manipulate authenticated data to obtain misleading credentials, and the Authenticated Covert Predicate Poisoning (ACPP) problem, which captures privacy leakage through adversarial model selection. We characterize applications of $\pi$Creds over user data, and a novel class of credentials over proprietary software that certifies properties of a service without revealing its source code. Our prototype supports issuing credentials over live financial, health, email, and code sources, and we empirically study the SCAE and ACPP threats on a product expertise credential over real financial data.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces πCreds, a system for generating privacy-preserving decentralized verifiable credentials via trusted LLM inference over authenticated unstructured data. It claims this substantially expands the range of certifiable claims beyond existing ZK-based systems limited to structured predicates. The work formalizes two new threats—Source-Constrained Adversarial Example (SCAE) for robustness against manipulated authenticated inputs and Authenticated Covert Predicate Poisoning (ACPP) for privacy leakage via model selection—characterizes applications including proprietary software credentials, presents a prototype supporting financial/health/email/code sources, and empirically evaluates the formalized threats on a product-expertise credential over real financial data.
Significance. If the privacy, robustness, and correctness claims hold, the result would meaningfully broaden practical deployment of verifiable credentials by enabling semantic claims over legacy unstructured sources without requiring application-specific ZK circuits. The formalization of SCAE and ACPP and the prototype's coverage of live data sources are concrete contributions that could inform future work on LLM-mediated credentials.
major comments (2)
- [Abstract, §4] Abstract and §4 (threat formalization): the central claim that LLM semantic reasoning 'substantially expands the range of claims πCreds can certify' is load-bearing on the correctness of the inference step itself. The manuscript formalizes and empirically studies only SCAE (adversarial data manipulation) and ACPP (model-selection leakage) but provides no mechanism, bound, or evaluation addressing inherent LLM errors such as hallucination or input inconsistency on the same authenticated data; without this, the expansion benefit cannot be isolated from the risk of issuing incorrect credentials.
- [§5] §5 (prototype and evaluation): the empirical study of SCAE/ACPP on financial data reports results only for adversarial robustness; no corresponding measurements or baselines are given for end-to-end credential correctness (e.g., agreement with ground-truth labels on the same inputs), which is required to substantiate the legacy-compatible claim for unstructured sources.
minor comments (2)
- Notation for the trusted inference oracle and the exact interface between authenticated data and LLM input should be defined earlier and used consistently when describing the prototype.
- The paper should clarify whether the 'trusted LLM inference' assumption includes any cryptographic or hardware-rooted attestation mechanism, as this directly affects the privacy and legacy-compatibility claims.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on our manuscript. The comments highlight important considerations around the assumptions underlying LLM-based inference. We address each major comment below, clarifying the scope of our contributions while acknowledging areas where the manuscript can be strengthened through revision.
read point-by-point responses
-
Referee: [Abstract, §4] Abstract and §4 (threat formalization): the central claim that LLM semantic reasoning 'substantially expands the range of claims πCreds can certify' is load-bearing on the correctness of the inference step itself. The manuscript formalizes and empirically studies only SCAE (adversarial data manipulation) and ACPP (model-selection leakage) but provides no mechanism, bound, or evaluation addressing inherent LLM errors such as hallucination or input inconsistency on the same authenticated data; without this, the expansion benefit cannot be isolated from the risk of issuing incorrect credentials.
Authors: We agree that LLM inference correctness is a foundational assumption for the claimed expansion of certifiable claims. Our work assumes a trusted inference service (as stated in the abstract and §3) that produces correct outputs for given authenticated inputs; the novel contributions are the formalization of SCAE and ACPP, which are new threats introduced specifically by the use of LLMs over authenticated unstructured data. We do not provide new mechanisms or bounds for general LLM issues such as hallucination, as these remain open research problems orthogonal to our threat models. We will revise the manuscript to more explicitly articulate this assumption as a limitation and discuss its implications for the expansion claim. revision: partial
-
Referee: [§5] §5 (prototype and evaluation): the empirical study of SCAE/ACPP on financial data reports results only for adversarial robustness; no corresponding measurements or baselines are given for end-to-end credential correctness (e.g., agreement with ground-truth labels on the same inputs), which is required to substantiate the legacy-compatible claim for unstructured sources.
Authors: The evaluation in §5 prioritizes the novel SCAE and ACPP threats because they represent the paper's primary technical contributions beyond existing ZK systems. End-to-end correctness metrics (e.g., agreement with ground truth) were not included as they would require extensive manual labeling of unstructured financial data, which was outside the scope of demonstrating the new threat models. We acknowledge this gap and will add a discussion of correctness assumptions plus, where feasible, baseline agreement rates on the product-expertise credential using available labels from the financial dataset. revision: yes
- Providing formal bounds, mechanisms, or comprehensive evaluations to mitigate inherent LLM errors such as hallucination or inconsistency, which are active open problems in the broader LLM literature and beyond the scope of formalizing SCAE/ACPP.
Circularity Check
No circularity: claims rest on external LLM assumptions and new formalizations without self-referential derivations.
full rationale
The paper introduces πCreds as a system using trusted LLM inference over authenticated data and formalizes two new threat models (SCAE and ACPP). No equations, fitted parameters, or predictions appear that reduce by construction to inputs defined within the paper. The central expansion claim relies on the external premise of LLM semantic reasoning rather than any internal derivation chain or self-citation load-bearing step. Empirical study of the formalized threats on financial data is presented as evaluation, not as a tautological renaming or ansatz smuggling. The derivation is therefore self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Advanced Micro Devices, Inc. 2020. AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More. White Paper. https://docs.amd.com/v/u/en- US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and- more
2020
-
[2]
Apple Security Research. 2024. Private Cloud Compute. https://security.apple.c om/documentation/private-cloud-compute
2024
-
[3]
Foteini Baldimtsi, Konstantinos Kryptos Chalkias, Yan Ji, Jonas Lindstrøm, Deepak Maram, Ben Riva, Arnab Roy, Mahdi Sedaghat, and Joy Wang. 2024. zklogin: Privacy-preserving blockchain authentication with existing creden- tials. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 3182–3196
2024
-
[4]
Matan Ben-Tov, Daniel Deutch, Nave Frost, and Mahmood Sharif. 2024. CaFa: cost-aware, feasible attacks with database constraints against neural tabular classifiers. In2024 IEEE Symposium on Security and Privacy (SP). IEEE, 1345– 1364
2024
-
[5]
Alex Berke, Dan Calacci, Robert Mahari, Takahiro Yabe, Kent Larson, and Sandy Pentland. 2024. Open e-commerce 1.0, five years of crowdsourced US Amazon purchase histories with user demographics.Scientific Data11, 1 (2024), 491
2024
-
[6]
Battista Biggio, Blaine Nelson, and Pavel Laskov. 2012. Poisoning attacks against support vector machines.arXiv preprint arXiv:1206.6389(2012)
Pith/arXiv arXiv 2012
-
[7]
Alessandro Buldini, Carlo Mazzocca, Rebecca Montanari, and Selcuk Ulu- agac. 2025. Compact and Selective Disclosure for Verifiable Credentials. arXiv:2506.00262 [cs.CR] https://arxiv.org/abs/2506.00262
arXiv 2025
-
[8]
Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. 2017. Targeted backdoor attacks on deep learning systems using data poisoning.arXiv preprint arXiv:1712.05526(2017)
Pith/arXiv arXiv 2017
-
[9]
Jalen Chuang, Alex Seto, Nicolas Berrios, Stephan van Schaik, Christina Garman, and Daniel Genkin. 2026. Tee. fail: Breaking trusted execution environments via ddr5 memory bus interposition. In47th IEEE Symposium on Security and Privacy (IEEE S&P’26). IEEE Computer Society
2026
-
[10]
Marco De Rossi, Davide Crapis, Jordan Ellis, and Erik Reppel. 2025. ERC-8004: Trustless Agents. Ethereum Improvement Proposals, no. 8004. https://eips.eth ereum.org/EIPS/eip-8004 Draft. Available: https://eips.ethereum.org/EIPS/eip- 8004
2025
-
[11]
Tim Dettmers, Artidoro Pagnoni, Ari Holtzman, and Luke Zettlemoyer. 2023. Qlora: Efficient finetuning of quantized llms.Advances in neural information processing systems36 (2023), 10088–10115
2023
-
[12]
Shahinaz Kamal Ezzat, Yasmine NM Saleh, and Ayman A Abdel-Hamid. 2022. Blockchain oracles: State-of-the-art and research directions.IEEE Access10 (2022), 67551–67572
2022
-
[13]
Ivan Fursov, Matvey Morozov, Nina Kaploukhaya, Elizaveta Kovtun, Rodrigo Rivera-Castro, Gleb Gusev, Dmitry Babaev, Ivan Kireev, Alexey Zaytsev, and Evgeny Burnaev. 2021. Adversarial attacks on deep models for financial trans- action records. InProceedings of the 27th acm sigkdd conference on knowledge discovery & data mining. 2868–2878
2021
-
[14]
Ivan Fursov, Alexey Zaytsev, Nikita Kluchnikov, Andrey Kravchenko, and Evgeny Burnaev. 2020. Gradient-based adversarial attacks on categorical sequence models via traversing an embedded world. InInternational Conference on Analysis of Images, Social Networks and Texts. Springer, 356–368
2020
-
[15]
Stefan Gast, Hannes Weissteiner, Robin Leander Schröder, and Daniel Gruss
-
[16]
In Network and Distributed System Security (NDSS) Symposium 2025
CounterSEVeillance: Performance-counter attacks on AMD SEV-SNP. In Network and Distributed System Security (NDSS) Symposium 2025
2025
-
[17]
Salah Ghamizi, Maxime Cordy, Martin Gubri, Mike Papadakis, Andrey Boystov, Yves Le Traon, and Anne Goujon. 2020. Search-based adversarial testing and improvement of constrained credit scoring systems. InProceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 1089–1100
2020
-
[18]
Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. InInternational Conference on Learning Representations (ICLR)
2015
-
[19]
Intel Corporation. 2025. Intel Trust Domain Extensions (Intel TDX). White Paper. https://cdrdv2.intel.com/v1/dl/getContent/690419
2025
-
[20]
Ari Juels and Farinaz Koushanfar. 2024. Props for machine-learning security. arXiv preprint arXiv:2410.20522(2024)
arXiv 2024
-
[21]
Klim Kireev, Bogdan Kulynych, and Carmela Troncoso. 2023. Adversarial ro- bustness for tabular data through cost and utility awareness. InNetwork and Distributed System Security (NDSS) Symposium
2023
-
[22]
Simon Lermen, Daniel Paleka, Joshua Swanson, Michael Aerni, Nicholas Carlini, and Florian Tramèr. 2026. Large-scale online deanonymization with LLMs.arXiv preprint arXiv:2602.16800(2026)
arXiv 2026
-
[23]
Deepak Maram, Harjasleen Malvai, Fan Zhang, Nerla Jean-Louis, Alexander Frolov, Tyler Kell, Tyrone Lobban, Christine Moy, Ari Juels, and Andrew Miller
-
[24]
In2021 IEEE Symposium on Security and Privacy (SP)
Candid: Can-do decentralized identity with legacy compatibility, sybil- resistance, and accountability. In2021 IEEE Symposium on Security and Privacy (SP). IEEE, 1348–1366
-
[25]
Frank McKeen, Ilya Alexandrovich, Ittai Anati, Dror Caspi, Simon Johnson, Rebekah Leslie-Hurd, and Carlos Rozas. 2016. Intel®software guard extensions (Intel®SGX) support for dynamic memory management inside an enclave. In HASP. 1–9
2016
-
[26]
Frank McKeen, Ilya Alexandrovich, Alex Berenzon, Carlos V Rozas, Hisham Shafi, Vedvyas Shanbhogue, and Uday R Savagaonkar. 2013. Innovative instructions and software model for isolated execution.. InHASP. 10
2013
-
[27]
Dominik Meier, Jan Philip Wahle, Paul Röttger, Terry Ruas, and Bela Gipp. 2025. TrojanStego: Your Language Model Can Secretly Be A Steganographic Privacy Leaking Agent. InProceedings of the 2025 Conference on Empirical Methods in Natural Language Processing. 27232–27249
2025
-
[28]
Apoorve Mohan, Mengmei Ye, Hubertus Franke, Mudhakar Srivatsa, Zhuoran Liu, and Nelson Mimura Gonzalez. 2024. Securing ai inference in the cloud: Is cpu- gpu confidential computing ready?. In2024 IEEE 17th International Conference on Cloud Computing (CLOUD). IEEE, 164–175
2024
-
[29]
Milad Nasr, Nicholas Carlini, Chawin Sitawarin, Sander V Schulhoff, Jamie Hayes, Michael Ilie, Juliette Pluto, Shuang Song, Harsh Chaudhari, Ilia Shumailov, et al
-
[30]
The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections.arXiv preprint arXiv:2510.09023 (2025)
Pith/arXiv arXiv 2025
-
[31]
Sergey Nazarov and Ari et al. Juels. 2021. Chainlink 2.0: Next steps in the evolution of decentralized oracle networks. https://research.chain.link/whitep aper-v2.pdf Whitepaper
2021
-
[32]
NVIDIA Corporation. 2023. NVIDIA H100 Tensor Core GPU Architecture: Confidential Computing. https://images.nvidia.com/aem-dam/en-zz/Solutions/d ata-center/HCC-Whitepaper-v1.0.pdf. Whitepaper WP-11459-001. Accessed: 2026-05-19
2023
-
[33]
NVIDIA Corporation. 2024. Confidential Computing Solutions. https://www. nvidia.com/en-us/data-center/solutions/confidential-computing/. Accessed: 2025-05-05
2024
-
[34]
Opacity Network. 2026. Opacity Network – Verified Data Network. https: //docs.opacity.network. zkTLS-based AVS on EigenLayer. Uses MPC-TLS and ZKPs for privacy-preserving data verification from Web2 to Web3. Accessed: 2026-03-23
2026
-
[35]
Opaque Systems. 2026. Opaque – Confidential AI Platform for Trusted AI. https://www.opaque.co. Multi-party confidential analytics and AI on encrypted data within TEEs. Co-founded by Prof. Raluca Ada Popa (UC Berkeley). Accessed: 2026-03-23
2026
-
[36]
Nicolas Papernot, Patrick McDaniel, Ananthram Sinha, and Michael P Wellman
-
[37]
In2018 IEEE European Symposium on Security and Privacy (EuroS&P)
SoK: Security and privacy in machine learning. In2018 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 399–414
-
[38]
Rafael Pass, Elaine Shi, and Florian Tramer. 2016. Formal Abstractions for At- tested Execution Secure Processors. Cryptology ePrint Archive, Paper 2016/1027. https://eprint.iacr.org/2016/1027
2016
-
[39]
Phala Network. 2026. Private AI Inference – Confidential LLM Serving. https: //phala.com/solutions/private-ai-inference. GPU TEEs with Intel TDX and AMD SEV for hardware-level memory encryption during inference. Accessed: 2026-03-23
2026
-
[40]
Proxying is Enough
Reclaim Protocol. 2026. Reclaim Protocol – Cryptographic Verification for Identity, Education, Employment & Travel. https://www.reclaimprotocol.org. zkTLS using the proxy model (“Proxying is Enough”). Over 2500 data sources, 3M+ verifications. Accessed: 2026-03-23
2026
-
[41]
Michael Rosenberg, Jacob White, Christina Garman, and Ian Miers. 2023. zk-creds: Flexible anonymous credentials from zksnarks and existing identity infrastruc- ture. In2023 IEEE Symposium on Security and Privacy (SP). IEEE, 790–808
2023
-
[42]
Martin Schanzenbach, Thomas Kilian, Julian Schütte, and Christian Banse. 2019. ZKlaims: Privacy-preserving attribute-based credentials using non-interactive zero-knowledge techniques.arXiv preprint arXiv:1907.09579(2019)
arXiv 2019
-
[43]
Benedict Schlüter and Shweta Shinde. 2025. RMPocalypse: How a Catch-22 Breaks AMD SEV-SNP. InProceedings of the 2025 on ACM SIGSAC Conference on Computer and Communications Security (CCS ’25). Association for Computing Machinery. 13
2025
-
[44]
Ryan Sheatsley, Ben Hoak, Ethan Pauley, Yannick Beugin, Michael J Weisman, and Patrick McDaniel. 2021. On the robustness of domain constraints. InACM CCS
2021
-
[45]
Thibault Simonetto, Salah Ghamizi, and Maxime Cordy. 2024. Constrained adaptive attack: Effective adversarial attack against deep neural networks for tabular data.Advances in Neural Information Processing Systems37 (2024), 27817– 27849
2024
-
[46]
Jones, et al
Manu Sporny, Ted Thibodeau Jr., Ivan Herman, Gabe Cohen, Michael B. Jones, et al. 2025.Verifiable Credentials Data Model v2.0. W3C Recommendation REC- vc-data-model-2.0. World Wide Web Consortium (W3C). https://www.w3.org/T R/vc-data-model/
2025
-
[47]
Kirk Swidowski, Daniel Moghimi, Josh Eads, Erdem Aktas, and Jia Ma. 2026. Security Assessment of Intel TDX with support for Live Migration.arXiv preprint arXiv:2602.11434(2026)
arXiv 2026
-
[48]
Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. InInternational Conference on Learning Representations (ICLR)
2014
-
[49]
Tinfoil. 2026. Tinfoil – Verifiably Private AI Powered by Secure Enclaves. https: //tinfoil.sh. Accessed: 2026-03-23
2026
-
[50]
Venice AI. 2026. Venice – Private AI for Unlimited Creative Freedom. https: //venice.ai. Accessed: 2026-03-23
2026
-
[51]
Charles Westphal, Keivan Navaie, and Fernando E Rosas. 2026. Hide and Seek in Embedding Space: Geometry-based Steganography and Detection in Large Language Models.arXiv preprint arXiv:2601.22818(2026)
arXiv 2026
-
[52]
Luca Wilke, Florian Sieck, and Thomas Eisenbarth. 2024. TDXdown: Single- stepping and instruction counting attacks against Intel TDX. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 79–93
2024
-
[53]
Xiang Xie, Kang Yang, Xiao Wang, and Yu Yu. 2024. Lightweight authentication of web data via garble-then-prove. InProceedings of the 33rd USENIX Conference on Security Symposium(Philadelphia, PA, USA)(SEC ’24). Article 110, 18 pages
2024
-
[54]
Yuanyuan Yuan, Zhibo Liu, Sen Deng, Yanzuo Chen, Shuai Wang, Yinqian Zhang, and Zhendong Su. 2025. Ciphersteal: Stealing input data from tee-shielded neural networks with ciphertext side channels. In2025 IEEE Symposium on Security and Privacy (SP). IEEE, 4136–4154
2025
-
[55]
Fan Zhang, Ethan Cecchetti, Kyle Croman, Ari Juels, and Elaine Shi. 2016. Town Crier: An authenticated data feed for smart contracts. InACM CCS
2016
-
[56]
Fan Zhang, Ethan Cecchetti, Ari Juels, and Elaine Shi. 2020. DECO: Liberating web data using decentralized oracles for TLS. InACM CCS
2020
-
[57]
Lianmin Zheng, Wei-Lin Chiang, Ying Sheng, Siyuan Zhuang, Zhanghao Wu, Yonghao Zhuang, Zi Lin, Zhuohan Li, Dacheng Li, Eric Xing, et al. 2023. Judging llm-as-a-judge with mt-bench and chatbot arena.Advances in neural information processing systems36 (2023), 46595–46623
2023
-
[58]
Chen Zhu, W Ronny Huang, Hengduo Li, Gavin Taylor, Christoph Studer, and Tom Goldstein. 2019. Transferable clean-label poisoning attacks on deep neural nets. InInternational conference on machine learning. PMLR, 7614–7623
2019
-
[59]
Jianwei Zhu, Hang Yin, Peng Deng, Aline Almeida, and Shunfan Zhou. 2024. Confidential computing on NVIDIA Hopper GPUs: a performance benchmark study.arXiv preprint arXiv:2409.03992(2024)
arXiv 2024
-
[60]
zkPass. 2026. zkPass – Private Data Protocol. https://zkpass.org. Decentralized oracle protocol using zkTLS with 3P-TLS and hybrid ZK (VOLE-in-the-Head). Accessed: 2026-03-23
2026
-
[61]
Andy Zou, Zifan Wang, Nicholas Carlini, Milad Nasr, J Zico Kolter, and Matt Fredrikson. 2023. Universal and transferable adversarial attacks on aligned language models.arXiv preprint arXiv:2307.15043(2023). A Artifact The artifact is available at https://anonymous.4open.science/r/picr eds. It comprises four components, each reproducing a main result of th...
Pith/arXiv arXiv 2023
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.