Pith Number

pith:2BPKAW4J

pith:2026:2BPKAW4J7YS7LGJE6T77C52M5N
not attested · not anchored · not stored · refs pending

Committed SAE-Feature Traces for Audited-Session Substitution Detection in Hosted LLMs

Ziyang Liu

A Merkle-tree commitment to per-position sparse-autoencoder feature traces lets verifiers detect silent model substitution in hosted LLMs even when the provider knows the audit rules in advance.

arxiv:2604.18179 v2 · 2026-04-20 · cs.CR · cs.AI

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{2BPKAW4J7YS7LGJE6T77C52M5N}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 strongest claim

Of 17 attackers spanning same-family lifts, cross-family substitutes, and rank-<=128 adaptive LoRA, all are rejected at a shared, scale-stable threshold; the same attackers all evade a matched SVIP-style parallel-serve baseline. A white-box end-to-end attack that backpropagates through the frozen SAE encoder does not close the margin, and a feature-forgery attacker that never runs M_hon is bounded in closed form by an intrinsic-dimension argument.

C2 weakest assumption

That a public named-circuit probe library calibrated with cross-backend noise produces feature traces sufficiently distinctive across models and that the fixed-threshold joint-consistency z-score rule remains reliable when the provider knows the protocol in advance.

C3 one line summary

A Merkle-committed SAE feature-trace protocol detects model substitutions in hosted LLMs at a stable threshold where parallel-probe baselines fail, including against adaptive LoRA attackers.

Receipt and verification
First computed 2026-05-26T01:03:30.670111Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05)
Schema pith-number/v1.0

Canonical hash

d05ea05b89fe25f59924f4fff1774ceb5e2457537afa7d677a167b32e477028b

Aliases

arxiv: 2604.18179 · arxiv_version: 2604.18179v2 · doi: 10.48550/arxiv.2604.18179 · pith_short_12: 2BPKAW4J7YS7 · pith_short_16: 2BPKAW4J7YS7LGJE · pith_short_8: 2BPKAW4J
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/2BPKAW4J7YS7LGJE6T77C52M5N \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: d05ea05b89fe25f59924f4fff1774ceb5e2457537afa7d677a167b32e477028b
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "5f511eb5d3842017c46d86ea7b4b1cfeb2542f964a4d0e5314a1e51b4a3bccd4",
    "cross_cats_sorted": [
      "cs.AI"
    ],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-04-20T12:34:56Z",
    "title_canon_sha256": "019529845fe4b5c7bbd0dbb2d9a8630d20cc7b8b3299d45284ac36a878cfd2c4"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2604.18179",
    "kind": "arxiv",
    "version": 2
  }
}