This work addresses the inability of existing decentralized verifiable credential systems to support semantic-level assertions over unstructured data. We propose the first framework that integrates trusted large language models (LLMs) into this domain, leveraging their semantic reasoning capabilities to generate privacy-preserving and backward-compatible credentials. Our approach combines zero-knowledge proofs, authenticated data sources, and adversarial robustness analysis to establish a novel security architecture. We formally define two new threat models—Semantic Confusion Assertion Exploits (SCAE) and Attribute Confusion Privacy Leakage (ACPP)—and demonstrate the system’s efficacy across real-world applications in finance, healthcare, email, and code analysis. The proposed framework significantly extends the expressiveness and applicability of verifiable credentials to complex, unstructured data contexts.

Decentralized verifiable credential systems have seen limited deployment in practice. Existing constructions, built on zero-knowledge proofs, are complex, application-specific, and largely restricted to predicates over structured data. We present Privately Inferred Credentials ($π$Creds): privacy-preserving, legacy-compatible, decentralized verifiable credentials generated by trusted LLM inference over authenticated data. LLMs' ability to semantically reason over unstructured data substantially expands the range of claims $π$Creds can certify over existing credential systems. The use of LLMs also introduces new application-level threats, which we formalize through two problems: the Source-Constrained Adversarial Example (SCAE) problem, which captures robustness against adversaries that manipulate authenticated data to obtain misleading credentials, and the Authenticated Covert Predicate Poisoning (ACPP) problem, which captures privacy leakage through adversarial model selection. We characterize applications of $π$Creds over user data, and a novel class of credentials over proprietary software that certifies properties of a service without revealing its source code. Our prototype supports issuing credentials over live financial, health, email, and code sources, and we empirically study the SCAE and ACPP threats on a product expertise credential over real financial data.