𝜋Creds: Privately Inferred Credentials
Source: arXiv:2606.03771 · Published 2026-06-02 · By Samuel Breckenridge, Dani Vilardell, Derek Leung, Andrés Fábrega, James Austgen, Farinaz Koushanfar et al.
TL;DR
Privately Inferred Credentials (𝜋Creds) address the challenge of creating decentralized, privacy-preserving verifiable credentials over unstructured and semantically rich data, which existing zero-knowledge or structured-attribute-based schemes struggle to handle. By leveraging trusted hardware enclaves (TEEs) to securely fetch authenticated data and run Large Language Models (LLMs) for semantic inference, 𝜋Creds produce privacy-preserving credentials that certify complex claims from diverse data sources such as financial transactions, health records, emails, and even proprietary software without exposing the underlying data. This combination of LLM reasoning over authenticated but unstructured data substantially expands the expressiveness of credential attestations compared to prior work.
The paper introduces two novel application-level security problems arising from this LLM use: Source-Constrained Adversarial Examples (SCAE), where a malicious prover manipulates the authenticated data sources within operational constraints to produce misleading claims, and Authenticated Covert Predicate Poisoning (ACPP), where a malicious verifier fine-tunes the LLM to leak private user information through covert channels while producing valid-looking credentials. The authors formalize these threats, develop concrete problem definitions, and empirically explore attacks on a product expertise credential derived from real Amazon transaction data. Their evaluation highlights meaningful adversarial costs and trade-offs in credential robustness and privacy under these new threat models.
Implementation-wise, 𝜋Creds combine an oracle component within a TEE that fetches authenticated data using the prover's user credentials with an LLM inference engine inside the enclave. The resulting credential contains an attestation tying the verified code and sources together and is compatible with standard verifiable credential frameworks (W3C VC). The architecture supports legacy data sources with no modification and is human-inspectable due to natural-language prompts. Overall, 𝜋Creds demonstrate a practical, flexible approach to issuing rich, privacy-preserving credentials over semantically complex, authenticated data by incorporating trusted LLM inference while identifying new security challenges intrinsic to such systems.
Key findings
- 𝜋Creds support privacy-preserving credentials over unstructured data sources including banking, healthcare portals, email, and proprietary software without requiring any changes to the source systems.
- The use of TEEs (Intel TDX with NVIDIA H100 GPU) enables trusted LLM inference with minimal throughput overhead compared to non-confidential modes.
- Source-Constrained Adversarial Example (SCAE) attacks on product expertise credentials show that strategic, cost-limited manipulations of authenticated Amazon transaction histories can shift expertise scores noticeably but at a financial cost to the adversary.
- Authenticated Covert Predicate Poisoning (ACPP) attacks, in which a malicious verifier fine-tunes the LLM to leak private user attributes through credential outputs, are substantially limited by output validity constraints, which bound the covert-channel capacity.
- Legacy compatibility is maintained: 𝜋Creds consume standard TLS-protected web data with no vendor modifications, unlike zero-knowledge systems requiring structured signed attributes.
- Each credential's provenance includes the web data source URL and authentication token usage (without revealing secrets), enabling human inspection and auditability.
- Verification is decentralized: the verifier does not require interaction with the TEE or issuer after credential issuance, relying solely on embedded TEE attestation signatures.
- The model configuration and prompts are public, enabling transparent auditing of credential semantics, contrasting with black-box zero-knowledge proofs.
Threat model
The adversary can be a malicious prover able to manipulate authenticated data sources within realistic operational constraints (e.g., performing real transactions) to induce misleading LLM inferences (SCAE). A malicious verifier can fine-tune the credential-generating LLM to encode covert channels leaking private predicate information through credential outputs (ACPP). Network-level adversaries can observe and interfere with messages but cannot breach TEE security or inject arbitrary data inside attestations. Physical attacks on TEEs are out of scope. Data sources are assumed honest and non-colluding. Verifiers and provers have no internal TEE access and only interact via defined protocols.
Methodology — deep read
The paper develops 𝜋Creds through a multi-component approach combining secure hardware, semantic NLP inference, and verifiable credential issuance:
Threat Model & Assumptions: The threat model includes a hardware TEE assumed free from physical attacks, running inside a reputable cloud environment. Attackers can be malicious provers who manipulate authenticated data sources under real-world cost constraints, malicious verifiers who fine-tune LLMs maliciously, or network adversaries capable of replay/drop/inject message attacks. The data sources serve authenticated data over TLS and do not collude maliciously.
Data: While the system supports any authenticated online web sources, the empirical evaluation focuses on real Amazon transaction data for product expertise credentials, among other live financial, health, email, and code sources. The paper does not disclose precise corpus size/details beyond working with real transaction records.
Architecture/Algorithm: The 𝜋Creds pipeline runs entirely inside a TEE enclave. The oracle module fetches authenticated data from allow-listed sources using user-supplied credentials. This data is preprocessed per application into input slots for an LLM inference engine, which is prompted with a credential-specific natural-language template designed to synthesize semantic claims. The LLM outputs a claim, which the TEE signs with an attestation proving that the data fetching and trusted inference ran as specified. The credential encodes the prompt, the provenance of the data sources (e.g., URLs and authentication usage), and the LLM output claim, and is formatted per the W3C Verifiable Credentials 2.0 standard.
Training Regime: The base LLM model is fixed and public. For threat analyses of covert channels (ACPP), the adversarial verifier fine-tunes the LLM with dataset subsets to embed covert signals. Fine-tuning specifics (epochs, batch sizes) are not fully detailed but involve standard supervised fine-tuning on datasets labeled for predicates.
Evaluation Protocol: Evaluation metrics assess credential accuracy in reflecting ground-truth semantic claims based on transaction data, the efficacy of SCAE attacks in shifting credential outputs under budgeted cost constraints, and the covert information leakage capacity under ACPP fine-tuning attacks. Baselines include untampered credentials and standard LLM outputs without fine-tuning. Attacks are operationalized with constrained attack spaces reflecting real source manipulation. User-level ground truth is subjective; the authors discuss the methodological challenges in defining it precisely.
Reproducibility: The prototype 𝜋Creds system is implemented using Intel TDX + NVIDIA H100 confidential computing environments and a Flask-based microservice. Open-source code linkage is mentioned for verifying enclave images, but datasets and fine-tuning scripts are not publicly released. The system builds on published TEE and oracle frameworks (e.g., Town Crier, DECO). The full formal protocol and ideal functionality definitions appear in appendices.
One End-to-End Example: A user requests a product expertise credential by specifying financial transactional histories from Amazon and other marketplaces. The 𝜋Cred TEE-based oracle logs in to these sources using the user's credentials, fetches transaction records, and preprocesses them into slot inputs. The LLM receives these inputs along with a credential-specific prompt asking to assess espresso product expertise. It outputs an expertise rating with evidence sentences. The TEE signs this output and packages the provenance metadata into a W3C Verifiable Credential. The user can then present this credential, and the verifier confirms its TEE attestation and signature without accessing the original sensitive transaction data.
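The issuance pipeline described in the Architecture/Algorithm paragraph and in the end-to-end example above (fetch authenticated data, build slot inputs, infer a claim, sign a W3C VC 2.0 credential inside the enclave, verify it offline) is sketched below as an added example. It is not the paper's code: the enclave's attestation signature is stood in for by an HMAC-SHA256 over the canonical credential under a constructed key (a real TEE quote is an asymmetric signature chained to the hardware vendor), the code measurement and issuer DID are constructed placeholders, the marketplace URL and records are constructed, and the LLM call is a fixed stub. What it does show is the defender-side shape of the object: prompt, provenance and claim bound under one signature, the secret token used but never embedded, and a verifier that needs only the credential and a list of trusted measurements.

```python
"""Issue and verify a pi-Creds-style credential (added example, not the paper's code).

Stand-ins (all constructed, not from the paper): HMAC instead of the TEE quote
signature, a SHA-256 placeholder for the enclave code measurement, stubbed fetch
and LLM calls. The credential layout follows W3C Verifiable Credentials 2.0.
"""
import copy
import hashlib
import hmac
import json
from typing import Any

# Constructed placeholders for enclave state.
TRUSTED_MEASUREMENT = hashlib.sha256(b"constructed-enclave-image-v1").hexdigest()
ATTESTATION_KEY = b"constructed-attestation-key"  # real TEEs: asymmetric quote key


def canonical(obj: Any) -> bytes:
    """Deterministic JSON bytes so signer and verifier hash exactly the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def fetch_authenticated(source_url: str, auth_token: str) -> list[dict]:
    """Stub for the oracle's TLS fetch; returns constructed marketplace records."""
    if not auth_token:
        raise ValueError("authentication token required")
    # The token is used here, inside the enclave, and nowhere else.
    return [
        {"item": "Espresso machine, 15 bar", "price": 489.00},
        {"item": "Burr coffee grinder", "price": 139.99},
        {"item": "Espresso tamper 58mm", "price": 24.50},
    ]


def llm_infer(prompt: str, slots: list[str]) -> dict:
    """Stub for in-enclave LLM inference: a fixed claim shaped like the paper's output."""
    return {"expertise": "intermediate", "evidence": slots[:2]}


def issue_credential(source_url: str, auth_token: str, prompt: str) -> dict:
    """Enclave-side issuance: fetch -> slots -> claim -> signed VC 2.0 document."""
    records = fetch_authenticated(source_url, auth_token)
    slots = [r["item"] for r in records]
    claim = llm_infer(prompt, slots)
    credential = {
        "@context": ["https://www.w3.org/ns/credentials/v2"],
        "type": ["VerifiableCredential", "ProductExpertiseCredential"],
        "issuer": "did:example:constructed-pi-creds-enclave",
        "credentialSubject": {"claim": claim, "prompt": prompt},
        "provenance": {
            "source": source_url,
            "authenticated": True,  # records that a token was used, not the token
            "codeMeasurement": TRUSTED_MEASUREMENT,
        },
    }
    # Guard: the secret must not have leaked into the signed body.
    if auth_token in canonical(credential).decode():
        raise RuntimeError("authentication secret leaked into credential body")
    sig = hmac.new(ATTESTATION_KEY, canonical(credential), hashlib.sha256).hexdigest()
    credential["proof"] = {"type": "ConstructedTeeAttestation", "signatureValue": sig}
    return credential


def verify_credential(credential: dict, trusted_measurements: set[str]) -> bool:
    """Offline verification: signature over the canonical body + known-good measurement."""
    body = {k: v for k, v in credential.items() if k != "proof"}
    expected = hmac.new(ATTESTATION_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential.get("proof", {}).get("signatureValue", "")):
        return False
    return body["provenance"]["codeMeasurement"] in trusted_measurements


def tamper_claim(credential: dict, new_expertise: str) -> dict:
    """Return a copy with the claim altered after signing (for the verifier test)."""
    altered = copy.deepcopy(credential)
    altered["credentialSubject"]["claim"]["expertise"] = new_expertise
    return altered


def contains_secret(credential: dict, secret: str) -> bool:
    """True if the secret appears anywhere in the serialised credential."""
    return secret in canonical(credential).decode()


if __name__ == "__main__":
    cred = issue_credential("https://marketplace.example/orders", "constructed-token",
                            "Assess this user's espresso product expertise")
    print(json.dumps(cred, indent=2))
    print("valid:", verify_credential(cred, {TRUSTED_MEASUREMENT}))
```

The verifier never contacts the enclave or the data source; it checks the signature over the canonical body and that the recorded code measurement is one it trusts. Canonical serialisation is what makes the bound between prompt, provenance and claim meaningful: any re-ordering or edit of those fields changes the bytes under the signature.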
Technical innovations
- Introducing LLM-based semantic inference inside TEEs over authenticated web data to issue privacy-preserving credentials on unstructured input.
- Formalizing the Source-Constrained Adversarial Example (SCAE) problem capturing realistic, cost-bounded data manipulation attacks on credential soundness.
- Characterizing the Authenticated Covert Predicate Poisoning (ACPP) threat model for adversarial LLM fine-tuning inducing covert information leakage through credential outputs.
- Designing a credential issuance protocol that combines trusted oracle data retrieval, LLM inference, and hardware attestation yielding decentralized, human-inspectable verifiable credentials compatible with legacy data sources.
Datasets
- Amazon Transaction Data — size not specified — proprietary, real user transaction histories used for product expertise evaluations
Baselines vs proposed
- Untampered credential accuracy: baseline semantic classification quality on real Amazon data — numeric values not explicitly given
- SCAE attack with limited monetary budget: expertise score shift noticeable (quantitative delta not specified), but the cost to the adversary is substantial, limiting attack realism
- ACPP fine-tuned LLM covert-channel capacity: significantly constrained by output validity checking compared to unconstrained fine-tuning attacks
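The key finding and the baseline entry above both rest on one mechanism: whatever a fine-tuned model tries to encode covertly must pass through the set of outputs the verifier accepts, so a strict output schema plus canonicalisation caps the covert-channel capacity at log2(number of distinct canonical outputs). The block below is an added example of such a validity constraint on the verifier side; it is not the paper's policy or code. The concrete rules (an enumerated rating, at most two evidence items that must be verbatim slot inputs, sorted and deduplicated) and the sample inputs are assumptions constructed for illustration.

```python
"""Output-validity policy for an LLM-issued credential (added example, not the paper's code).

The schema below is a constructed assumption. Its point: once rating and evidence
are drawn from a finite, grounded set and free variation (order, case, whitespace)
is collapsed, the number of distinct accepted outputs is small and countable, and
log2 of that count bounds what any covert channel through the output can carry.
"""
import json
import math

RATING_LEVELS = ("novice", "intermediate", "expert")  # constructed enumeration
MAX_EVIDENCE = 2


class InvalidOutput(ValueError):
    """Raised when model output does not satisfy the credential schema."""


def _normalise(text: str) -> str:
    """Collapse whitespace and case so neither can carry information."""
    return " ".join(text.split()).casefold()


def validate_and_canonicalize(raw_output: str, slot_inputs: list[str]) -> dict:
    """Parse model output, enforce the schema, and return its canonical form.

    Evidence must be a verbatim slot input (grounding against fabricated text),
    is deduplicated, capped at MAX_EVIDENCE and sorted, so ordering, casing and
    whitespace variations all map to the same canonical output.
    """
    try:
        out = json.loads(raw_output)
    except json.JSONDecodeError as exc:
        raise InvalidOutput(f"not JSON: {exc}") from exc
    if not isinstance(out, dict) or set(out) != {"expertise", "evidence"}:
        raise InvalidOutput("unexpected field set")
    level = _normalise(str(out["expertise"]))
    if level not in RATING_LEVELS:
        raise InvalidOutput(f"rating {level!r} not in enumeration")
    allowed = {_normalise(s): s for s in slot_inputs}
    evidence = set()
    for item in out["evidence"]:
        key = _normalise(str(item))
        if key not in allowed:
            raise InvalidOutput(f"evidence not grounded in inputs: {item!r}")
        evidence.add(allowed[key])  # store the original slot text, not the model's spelling
    if len(evidence) > MAX_EVIDENCE:
        raise InvalidOutput("too many evidence items")
    return {"expertise": level, "evidence": sorted(evidence)}


def is_valid(raw_output: str, slot_inputs: list[str]) -> bool:
    """Boolean wrapper around the validator."""
    try:
        validate_and_canonicalize(raw_output, slot_inputs)
        return True
    except InvalidOutput:
        return False


def covert_capacity_bits(n_inputs: int) -> float:
    """Upper bound on covert bits per credential under this policy.

    Distinct canonical outputs = |levels| * (number of evidence subsets of size
    0..MAX_EVIDENCE drawn from n_inputs grounded sentences).
    """
    evidence_choices = sum(math.comb(n_inputs, k) for k in range(MAX_EVIDENCE + 1))
    return math.log2(len(RATING_LEVELS) * evidence_choices)


if __name__ == "__main__":
    inputs = ["Espresso machine", "Burr grinder", "Tamper", "Milk frother"]  # constructed
    raw = '{"expertise": "Expert", "evidence": ["Burr grinder", "espresso  machine"]}'
    print(validate_and_canonicalize(raw, inputs))
    print(f"capacity bound: {covert_capacity_bits(len(inputs)):.2f} bits per credential")
```

With four slot inputs the policy admits 3 × (1 + 4 + 6) = 33 distinct canonical outputs, about 5.04 bits per credential, whereas an unconstrained free-text evidence field has no such bound. Tightening the enumeration or the evidence cap lowers the bound further, at the cost of credential expressiveness, which is the trade-off the paper's evaluation points at.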
Figures from the paper
Figures are reproduced from the source paper for academic discussion. Original copyright: the paper authors. See arXiv:2606.03771.
Fig 1: 𝜋Creds architecture and threat models. The prover
Fig 2: 𝜋Creds ideal functionality available to prover P and
Fig 9: 𝜋Cred audit flow for attested code. The 𝜋Cred audit
Limitations
- Ground truth for many semantic credential claims is subjective and not crisply defined, complicating attack evaluation and defense calibration.
- The system-level security depends heavily on TEE integrity and confidentiality, which remain vulnerable to sophisticated side channels and hardware attacks outside the threat model.
- Adversarial attacks focus on certain classifiers and fine-tuning strategies; stronger or different LLM architectures may yield different robustness/privacy trade-offs not explored.
- The prototype implementation and evaluation operate on limited datasets and specific credential types; generalizability to all LLM-enabled credential applications is unproven.
- Dependency on cloud provider attestation infrastructure (e.g., Google Cloud) shifts trust assumptions from hardware vendors to the cloud software supply chain.
- No public release of datasets or code for model fine-tuning hampers reproducibility of empirical security evaluations.
Open questions / follow-ons
- How to develop formal, usable frameworks for defining ground-truth and objective semantic notions for highly subjective or context-dependent LLM-issued credentials?
- What are the practical limits of defending against ACPP-style covert-channel attacks under varied and adaptive verifier strategies beyond simple output-validity constraints?
- How can reproducible builds and decentralized attestation frameworks reduce trust dependence on cloud providers in 𝜋Cred deployments?
- Can learning-based defenses or robust prompting strategies significantly reduce SCAE susceptibility without sacrificing credential expressiveness?
Why it matters for bot defense
For bot-defense and CAPTCHA practitioners, 𝜋Creds illustrate a novel use of trusted LLM inference over authenticated user data to produce fine-grained, privacy-preserving attestations of user properties that go beyond simple structured predicates. This expands the design space for verifying user attributes or behaviors in complex, semantically rich environments where traditional zero-knowledge proofs or hardcoded logic fail. However, the introduced application-level attacks (SCAE and ACPP) underscore that security threats shift from pure cryptographic or system-level guarantees toward manipulations and information leakage via model inference and data provenance. These findings highlight the need for bot-defense systems integrating LLM-based assessments to carefully consider adversarial manipulation of both input data and LLM behavior. Additionally, leveraging TEEs for privacy-preserving LLM inference provides a viable architecture, but with inherent hardware trust and side-channel assumptions. Practical bot-defense systems should balance the richness of semantic attestations with monitoring for suspicious data manipulation patterns and potential model fine-tuning abuses to prevent stealthy crawler or fraudster behavior that exploits LLM semantics.
Cite
@article{arxiv2606_03771,
  title={$π$Creds: Privately Inferred Credentials},
  author={Samuel Breckenridge and Dani Vilardell and Derek Leung and Andrés Fábrega and James Austgen and Farinaz Koushanfar and Ari Juels},
  journal={arXiv preprint arXiv:2606.03771},
  year={2026},
  url={https://arxiv.org/abs/2606.03771}
}