Andrés Fábrega

Samuel Breckenridge, Dani Vilardell, Derek Leung et al.

Decentralized verifiable credential systems have seen limited deployment in practice. Existing constructions, built on zero-knowledge proofs, are complex, application-specific, and largely restricted to predicates over structured data. We present Privately Inferred Credentials ($π$Creds): privacy-preserving, legacy-compatible, decentralized verifiable credentials generated by trusted LLM inference over authenticated data. LLMs' ability to semantically reason over unstructured data substantially expands the range of claims $π$Creds can certify over existing credential systems. The use of LLMs also introduces new application-level threats, which we formalize through two problems: the Source-Constrained Adversarial Example (SCAE) problem, which captures robustness against adversaries that manipulate authenticated data to obtain misleading credentials, and the Authenticated Covert Predicate Poisoning (ACPP) problem, which captures privacy leakage through adversarial model selection. We characterize applications of $π$Creds over user data, and a novel class of credentials over proprietary software that certifies properties of a service without revealing its source code. Our prototype supports issuing credentials over live financial, health, email, and code sources, and we empirically study the SCAE and ACPP threats on a product expertise credential over real financial data.

Mallory Knodel, Andrés Fábrega, Daniella Ferrari et al.

End-to-end encryption (E2EE) has become the gold standard for securing communications, bringing strong confidentiality and privacy guarantees to billions of users worldwide. However, the current push towards widespread integration of artificial intelligence (AI) models, including in E2EE systems, raises some serious security concerns. This work performs a critical examination of the (in)compatibility of AI models and E2EE applications. We explore this on two fronts: (1) the integration of AI "assistants" within E2EE applications, and (2) the use of E2EE data for training AI models. We analyze the potential security implications of each, and identify conflicts with the security guarantees of E2EE. Then, we analyze legal implications of integrating AI models in E2EE applications, given how AI integration can undermine the confidentiality that E2EE promises. Finally, we offer a list of detailed recommendations based on our technical and legal analyses, including: technical design choices that must be prioritized to uphold E2EE security; how service providers must accurately represent E2EE security; and best practices for the default behavior of AI features and for requesting user consent. We hope this paper catalyzes an informed conversation on the tensions that arise between the brisk deployment of AI and the security offered by E2EE, and guides the responsible development of new AI features.