$\pi$Creds: Privately Inferred Credentials

This paper introduces $\pi$Creds, a privacy-preserving decentralized credential system that leverages trusted LLMs to infer verifiable claims from unstructured authenticated data while formally addressing new adversarial threats like Source-Constrained Adversarial Examples and Authenticated Covert Predicate Poisoning.

The Gist

Imagine you want to prove to a friend that you are an expert in home espresso making. Currently, the only way to do this digitally is to show a rigid, pre-made certificate that says "Over 18" or "Balance > $100." But what if you wanted to prove your expertise based on your actual history: the specific machines you bought, the beans you tried, and the years you've spent grinding them?

Existing digital ID systems are like robotic librarians. They can only check if a book is on a specific shelf (structured data). They can't read the book, understand the story, or tell you if the author is actually a genius. They are stuck with hard-coded rules.

$\pi$Creds (Privately Inferred Credentials) is a new system that replaces the robotic librarian with a super-smart, private detective.

The Core Idea: The Private Detective

Instead of you handing over your entire bank statement or email history (which would be a privacy nightmare), you hire a trusted detective who works inside a secure, soundproof vault (called a Trusted Execution Environment or TEE).

1. The Vault: You give the detective your login keys to your bank, email, or shopping accounts.
2. The Investigation: The detective goes into the vault, logs into your accounts, and reads your history.
3. The Brain: Inside the vault, a powerful AI (a Large Language Model) acts as the detective's brain. It reads your messy, unstructured data (like a long list of receipts or emails) and figures out the story: "Wow, this person has bought 50 espresso machines over 3 years; they are definitely an expert."
4. The Verdict: The detective writes a single, sealed note saying "Expertise Level: 9/10."
5. The Result: You get this note. The vault never shows your actual receipts to the person checking the note. They just see the final verdict.

Why is this a big deal?

• It speaks human: Unlike old systems that need data to be perfectly formatted (like a spreadsheet), this AI can read messy text, PDFs, and emails.
• It's flexible: You can ask it to prove anything: "Is this person good at coding?" "Did they actually buy a house?" "Is this software safe?"
• It's private: The person checking the credential doesn't see your data, only the conclusion.

The Two New Villains (Threats)

Because we are using a smart AI instead of a simple robot, two new types of troublemakers appear. The paper calls them SCAE and ACPP.

1. The "Fake Expert" (SCAE - Source-Constrained Adversarial Example)

Imagine you want to trick the detective into thinking you are an espresso expert, even though you aren't.

• The Old Way: You can't just fake a receipt. The detective checks the bank directly.
• The New Threat: You can buy real espresso machines. If you spend $100 on coffee gear, the detective sees the real receipts and says, "Expert!"
• The Paper's Finding: This is a real problem. If you are willing to spend real money to buy the right things, you can "game" the system. However, the paper found that it costs you real money to do this. You can't just type fake numbers; you have to actually go out and buy the items. It's like trying to fake being a marathon runner by actually running every day for a month—it's possible, but expensive and hard.

2. The "Spy in the Room" (ACPP - Authenticated Covert Predicate Poisoning)

Imagine the detective is hired by a company that wants to know your gender, but you only asked for an "Expertise Score."

• The Threat: The company hires a slightly "tweaked" version of the AI. The AI still gives you a valid score (e.g., "8/10"), but it sneaks a secret message into the number. Maybe it always gives men an even number (8) and women an odd number (7).
• The Paper's Finding: The paper tested this. They found that because the AI has to give a "correct" score (it can't just lie), it's very hard to hide a secret message. The "channel" for the secret is very narrow. It's like trying to whisper a secret in a crowded room while shouting a valid answer; the noise makes it hard to hear the whisper. The stricter the rules on what a "good" score looks like, the harder it is to spy.

A Special Use Case: The "Black Box" Software

The paper also suggests a cool new use for this: Software Auditing.
Imagine a company has a secret recipe for a cake (their software code). They want to prove to you that the cake doesn't have poison (bugs or backdoors), but they won't show you the recipe.

• How $\pi$Creds helps: The company puts their secret recipe into the secure vault. The AI detective reads the secret recipe, checks for poison, and issues a certificate: "This code is safe."
• The Result: You get a guarantee that the software is safe without ever seeing the secret recipe.

Summary

$\pi$Creds is a system that uses a private AI inside a digital vault to read your messy, real-world data and give you a verified, private certificate about your skills or history.

• Good: It handles complex, real-world data (like emails and receipts) that old systems can't.
• Bad: You can try to trick it by spending real money to change your data, or a sneaky AI provider might try to hide secrets in the answers.
• Verdict: The paper shows that while these tricks are possible, they are difficult and expensive to pull off, making the system a promising step forward for private digital trust.

Technical Summary

Technical Summary: 𝜋Creds: Privately Inferred Credentials

Problem Statement

Decentralized verifiable credential systems have historically been limited by their reliance on zero-knowledge proofs (ZKPs) and structured data. While effective for simple predicates (e.g., "age > 18"), these systems struggle with unstructured data (e.g., bank statements, medical records, social media posts) and lack the semantic reasoning required to derive complex claims like "product expertise" or "code safety" without revealing the underlying data. Existing solutions require hard-coded logic for each data source and format, making them inflexible and unable to handle semantic relationships across divergent data sources. Furthermore, the use of Large Language Models (LLMs) for credential issuance introduces novel application-level threats: malicious actors could manipulate authenticated data to generate misleading credentials, or malicious model providers could encode covert channels to leak private information through model outputs.

Methodology

The paper proposes 𝜋Creds (Privately Inferred Credentials), a system that generates privacy-preserving, legacy-compatible, decentralized credentials via trusted LLM inference over authenticated data.

System Architecture

The core workflow operates within a Trusted Execution Environment (TEE) (specifically Intel TDX with NVIDIA H100 GPUs in the prototype) to ensure the confidentiality and integrity of both data retrieval and inference. The process involves four parties: the TEE, data sources, a prover, and a verifier.

1. Oracle Fetch: The TEE acts as an oracle, logging into whitelisted user data sources (e.g., banks, marketplaces) using user-provided credentials to fetch documents.
2. Private Inference: An LLM processes the fetched documents within the TEE using a specific prompt to generate a claim.
3. Attestation: The TEE signs the resulting claim with a hardware-backed key, embedding a remote attestation that verifies the code and configuration used.
4. Verification: The verifier checks the TEE attestation and the signature. No interaction with the TEE is required post-issuance.

Security Formalization

The authors identify two critical application-level threat models distinct from standard system-level security:

1. Source-Constrained Adversarial Example (SCAE): This models an adversary who manipulates authenticated data sources (e.g., making strategic purchases) to induce a misleading LLM output. Unlike standard adversarial examples, the perturbation is constrained by the real-world cost of modifying the data source and the requirement that the data remains consistent with the source's authentication logic.
2. Authenticated Covert Predicate Poisoning (ACPP): This models an adversary (a verifier or model provider) who fine-tunes a model to encode sensitive information (e.g., gender, specific purchases) into the credential output. The attack is constrained by the requirement that the output must remain a "valid" claim within the ground-truth set (i.e., it must pass the prover's audit) and that the fine-tuning data must appear legitimate.

Key Contributions

1. The 𝜋Creds Protocol: A complete issuance and verification workflow combining oracles with LLM inference. The system is formalized in the Universal Composability framework, ensuring soundness (faithful execution) and privacy (data not exposed beyond the output).
2. Threat Modeling: The formalization of SCAE and ACPP problems, providing a framework to analyze robustness against strategic data manipulation and privacy leakage via adversarial model selection.
3. Novel Applications: The paper characterizes applications for user data (e.g., product expertise, creditworthiness) and introduces a novel class of credentials for software. This allows a service to attest to properties of its proprietary code (e.g., "no hardcoded API keys") without revealing the source code, by having an LLM audit the code inside a TEE.
4. Empirical Evaluation: A prototype implementation supporting financial, health, email, and code sources. The authors empirically study SCAE and ACPP on a "product expertise" credential using real Amazon transaction data.

Results

• Baseline Accuracy: Using open-source models (e.g., Qwen2.5-7B-Instruct), the system achieves high accuracy on semantic tasks. For product expertise, the mean absolute deviation from a "frontier-model consensus" ground truth was 0.45 points on a 10-point scale.
• SCAE Evaluation: Source authentication imposes a real cost on adversaries. With a budget of $20 (approx. 5% of average spending), an attack shifted the expertise score by a mean of 1.24 points. At $100 (20% of spending), the shift was 1.75 points. While the attack is bounded by cost, a modest budget can still significantly alter the credential's score, indicating vulnerability to motivated manipulation.
• ACPP Evaluation: The study tested covert channels using score parity (even/odd numbers) to encode sensitive predicates (gender, purchase of a specific item).
  • Unconstrained: Without output constraints, the adversary achieved near-perfect recovery of the hidden predicate.
  • Constrained: When the output was forced to remain within a valid tolerance range (±5 points), recovery accuracy dropped to near-chance levels (55–65% for demographic, 45–55% for behavioral).
  • Conclusion: The requirement for the output to remain a "valid" claim significantly limits the capacity of covert channels, though more expressive credentials (e.g., free-text justifications) would be more vulnerable.

Significance and Claims

The paper claims that 𝜋Creds represents a significant step forward by enabling semantic reasoning over unstructured data in a privacy-preserving manner, a capability lacking in current ZKP-based systems. By leveraging LLMs within TEEs, the system supports legacy-compatible data sources without requiring modifications to banks or marketplaces.

The authors position the work as an initial exploration rather than a definitive security verdict. They emphasize that:

• The formalization of SCAE and ACPP provides a starting point for systematic security analysis of LLM-based credentials.
• The empirical results serve as a demonstration of how these threats can be operationalized, showing that while source authentication and output constraints provide some defense, motivated adversaries can still influence outcomes.
• The application to proprietary software auditing offers a concrete path to bootstrapping trust in closed-source agents (e.g., in the context of ERC-8004 standards) without revealing source code.

The paper concludes that while LLMs introduce new attack surfaces, the combination of TEEs, source authentication, and constrained output spaces offers a viable, albeit imperfect, foundation for the next generation of decentralized, privacy-preserving credentials.