Nicolas Papernot

Recent & selected older publications

A complete list of publications is available in my CV.

2023

• Proof-of-Learning is Currently More Broken Than You Think. Congyu Fang, Hengrui Jia, Anvith Thudi, Mohammad Yaghini, Christopher A. Choquette-Choo, Natalie Dullerud, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 8th IEEE European Symposium on Security and Privacy, Delft, Netherlands. conference
• Reconstructing Individual Data Points in Federated Learning Hardened with Differential Privacy and Secure Aggregation. Franziska Boenisch, Adam Dziedzic, Roei Schuster, Ali Shahin Shamsabadi, Ilia Shumailov, Nicolas Papernot. Proceedings of the 8th IEEE European Symposium on Security and Privacy, Delft, Netherlands. conference
• When the Curious Abandon Honesty: Federated Learning Is Not Private. Franziska Boenisch, Adam Dziedzic, Roei Schuster, Ali Shahin Shamsabadi, Ilia Shumailov, Nicolas Papernot. Proceedings of the 8th IEEE European Symposium on Security and Privacy, Delft, Netherlands. conference
• Learning with Impartiality to Walk on the Pareto Frontier of Fairness, Privacy, and Utility. Mohammad Yaghini, Patty Liu, Franziska Boenisch and Nicolas Papernot. preprint
• Losing Less: A Loss for Differentially Private Deep Learning. Ali Shahin Shamsabadi, Nicolas Papernot. Proceedings on Privacy Enhancing Technologies, Lausanne, Switzerland. conference
• Architectural Backdoors in Neural Networks. Mikel Bober-Irizar, Ilia Shumailov, Yiren Zhao, Robert Mullins, Nicolas Papernot. Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Vancouver, Canada. conference
• Measuring Forgetting of Memorized Training Examples. Matthew Jagielski, Om Thakkar, Florian Tramer, Daphne Ippolito, Katherine Lee, Nicholas Carlini, Eric Wallace, Shuang Song, Abhradeep Guha Thakurta, Nicolas Papernot, Chiyuan Zhang. Proceedings of the 11th International Conference on Learning Representations. conference
• Confidential-PROFITT: Confidential PROof of FaIr Training of Trees. Ali Shahin Shamsabadi, Sierra Calanda Wyllie, Nicholas Franzese, Natalie Dullerud, Sébastien Gambs, Nicolas Papernot, Xiao Wang, Adrian Weller. Proceedings of the 11th International Conference on Learning Representations. conference (+oral)
• Private Multi-Winner Voting for Machine Learning. Adam Dziedzic, Christopher A. Choquette-Choo, Natalie Dullerud, Vinith Menon Suriyakumar, Ali Shahin Shamsabadi, Muhammad Ahmad Kaleem, Somesh Jha, Nicolas Papernot, Xiao Wang. Proceedings on Privacy Enhancing Technologies, Lausanne, Switzerland. conference
• Differentially Private Speaker Anonymization. Ali Shahin Shamsabadi, Brij Mohan Lal Srivastava, Aurelien Bellet, Nathalie Vauquier, Emmanuel Vincent, Mohamed Maouche, Marc Tommasi, Nicolas Papernot. Proceedings on Privacy Enhancing Technologies, Lausanne, Switzerland. conference
• Tubes Among Us: Analog Attack on Automatic Speaker Identification. Shimaa Ahmed, Yash Wani, Ali Shahin Shamsabadi, Mohammad Yaghini, Ilia Shumailov, Nicolas Papernot, Kassem Fawaz. Proceedings of the 32nd USENIX Security Symposium. conference

2022

• Verifiable and Provably Secure Machine Unlearning. Thorsten Eisenhofer, Doreen Riepel, Varun Chandrasekaran, Esha Ghosh, Olga Ohrimenko, Nicolas Papernot. preprint
• Washing The Unwashable: On The (Im)possibility of Fairwashing Detection. Ali Shahin Shamsabadi, Mohammad Yaghini, Natalie Dullerud, Sierra Wyllie, Ulrich Aïvodji, Aisha Alaagib Alryeh Mkean, Sébastien Gambs, Nicolas Papernot. Proceedings of the 36th Conference on Neural Information Processing Systems. conference
• Dataset Inference for Self-Supervised Models. Adam Dziedzic, Haonan Duan, Muhammad Ahmad Kaleem, Nikita Dhawan, Jonas Guan, Yannis Cattan, Franziska Boenisch, Nicolas Papernot. Proceedings of the 36th Conference on Neural Information Processing Systems. conference
• In Differential Privacy, There is Truth: on Vote-Histogram Leakage in Ensemble Private Learning. Jiaqi Wang, Roei Schuster, Ilia Shumailov, David Lie, Nicolas Papernot. Proceedings of the 36th Conference on Neural Information Processing Systems. conference
• On the Limitations of Stochastic Pre-processing Defenses. Yue Gao, Ilia Shumailov, Kassem Fawaz, Nicolas Papernot. Proceedings of the 36th Conference on Neural Information Processing Systems. conference
• Selective Classification Via Neural Network Training Dynamics. Stephan Rabanser, Anvith Thudi, Kimia Hamidieh, Adam Dziedzic, Nicolas Papernot. preprint
• On the Difficulty of Defending Self-Supervised Learning against Model Extraction. Adam Dziedzic, Nikita Dhawan, Muhammad Ahmad Kaleem, Jonas Guan, Nicolas Papernot. Proceedings of the 39th International Conference on Machine Learning. conference
• Unrolling SGD: Understanding Factors Influencing Machine Unlearning. Anvith Thudi, Gabriel Deza, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 7th IEEE European Symposium on Security and Privacy, Genoa, Italy. conference
• On the Necessity of Auditable Algorithmic Definitions for Machine Unlearning. Anvith Thudi, Hengrui Jia, Ilia Shumailov, Nicolas Papernot. Proceedings of the 31st USENIX Security Symposium. conference
• Increasing the Cost of Model Extraction with Calibrated Proof of Work. Adam Dziedzic, Muhammad Ahmad Kaleem, Yu Shen Lu, Nicolas Papernot. Proceedings of the 10th International Conference on Learning Representations. conference (+spotlight)
• A Zest of LIME: Towards Architecture-Independent Model Distances. Hengrui Jia, Hongyu Chen, Jonas Guan, Ali Shahin Shamsabadi, Nicolas Papernot. Proceedings of the 10th International Conference on Learning Representations. conference
• Hyperparameter Tuning with Renyi Differential Privacy. Nicolas Papernot, Thomas Steinke. Proceedings of the 10th International Conference on Learning Representations. conference (+outstanding paper award)
• Is Fairness Only Metric Deep? Evaluating and Addressing Subgroup Gaps in Deep Metric Learning. Natalie Dullerud, Karsten Roth, Kimia Hamidieh, Nicolas Papernot, Marzyeh Ghassemi. Proceedings of the 10th International Conference on Learning Representations. conference
• Bad Character Injection: Imperceptible Attacks on NLP Models. Nicholas Boucher, Ilia Shumailov, Ross Anderson, Nicolas Papernot. Proceedings of the 43rd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
• Towards More Robust Keyword Spotting for Voice Assistants. Shimaa Ahmed, Ilia Shumailov, Nicolas Papernot, Kassem Fawaz. Proceedings of the 31st USENIX Security Symposium. conference

2021 & earlier

• Manipulating SGD with Data Ordering Attacks. Ilia Shumailov, Zakhar Shumaylov, Dmitry Kazhdan, Yiren Zhao, Nicolas Papernot, Murat A. Erdogdu, Ross Anderson. Proceedings of the 35th Conference on Neural Information Processing Systems. conference
• Data-Free Model Extraction. Jean-Baptiste Truong, Pratyush Maini, Robert Walls, Nicolas Papernot. Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Nashville, TN. conference
• Proof-of-Learning: Definitions and Practice. Hengrui Jia, Mohammad Yaghini, Christopher A. Choquette-Choo, Natalie Dullerud, Anvith Thudi, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
• Entangled Watermarks as a Defense against Model Extraction. Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 30th USENIX Security Symposium. conference
• Sponge Examples: Energy-Latency Attacks on Neural Networks. Ilia Shumailov, Yiren Zhao, Daniel Bates, Nicolas Papernot, Robert Mullins, Ross Anderson. Proceedings of the 6th IEEE European Symposium on Security and Privacy, Vienna, Austria. conference
• CaPC Learning: Confidential and Private Collaborative Learning. Christopher A. Choquette-Choo, Natalie Dullerud, Adam Dziedzic, Yunxiang Zhang, Somesh Jha, Nicolas Papernot, Xiao Wang. Proceedings of the 9th International Conference on Learning Representations. conference
• Dataset Inference: Ownership Resolution in Machine Learning. Pratyush Maini, Mohammad Yaghini, Nicolas Papernot. Proceedings of the 9th International Conference on Learning Representations. conference (+spotlight)
• Chasing Your Long Tails: Differentially Private Prediction in Health Care Settings. Vinith Suriyakumar, Nicolas Papernot, Anna Goldenberg, Marzyeh Ghassemi. Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency. conference
• Machine Unlearning. Lucas Bourtoule, Varun Chandrasekaran, Christopher A. Choquette-Choo, Hengrui Jia, Adelin Travers, Baiwu Zhang, David Lie, Nicolas Papernot. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
• Analyzing and Improving Representations with the Soft Nearest Neighbor Loss. Nicholas Frosst, Nicolas Papernot, Geoffrey Hinton. Proceedings of the 36th International Conference on Machine Learning, Long Beach, CA. conference
• Deep k-Nearest Neighbors: Towards Confident, Interpretable and Robust Deep Learning. Nicolas Papernot and Patrick McDaniel. technical report
• Scalable Private Learning with PATE. Nicolas Papernot, Shuang Song, Ilya Mironov, Ananth Raghunathan, Kunal Talwar, Ulfar Erlingsson. Proceedings of the 6th International Conference on Learning Representations, Vancouver, Canada. conference
• Towards the Science of Security and Privacy in Machine Learning. Nicolas Papernot, Patrick McDaniel, Arunesh Sinha, and Michael Wellman. Proceedings of the 3rd IEEE European Symposium on Security and Privacy, London, UK. conference
• Semi-supervised Knowledge Transfer for Deep Learning from Private Training Data. Nicolas Papernot, Martin Abadi, Ulfar Erlingsson, Ian Goodfellow, and Kunal Talwar. Proceedings of the 5th International Conference on Learning Representations, Toulon, France. conference (+best paper)
• Practical Black-Box Attacks against Machine Learning. Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z.Berkay Celik, and Ananthram Swami. Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, Abu Dhabi, UAE. conference
• Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples. Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. technical report
• The Limitations of Deep Learning in Adversarial Settings. Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. Proceedings of the 1st IEEE European Symposium on Security and Privacy, Saarbrucken, Germany. conference

Research group

Current students and postdocs

• Pascale Gourdeau: Postdoctoral Fellow (starting Fall 2023, co-advised with Shai Ben-David)
• Casey Meehan: Postdoctoral Fellow (starting Fall 2023)
• Andy Liu: Engineering Science student (starting Fall 2023)
• Mark Thomas: MSc student (starting Fall 2023) Vector Scholarship in AI
• Karan Chadha: Google Brain Intern (starting Summer 2023, co-hosted with Matthew Jagielski)
• Haonan Duan: PhD student (started Fall 2021, co-advised with Chris Maddison)
• Camille Bruckmann: Engineering Science student (Fall 2022 - Summer 2023)
• Si Cheng (Steven) Zhong: Engineering Science student (Fall 2022 - Summer 2023)
• Franziska Boenisch: Postdoctoral Fellow (Fall 2022 - Summer 2023)
• David Glukhov: MS student (started Fall 2022, co-advised with Vardan Papyan) OGS Scholar
• Anvith Thudi: PhD student (started Fall 2022, co-advised with Chris Maddison) Vanier Scholar
• Patty Liu: Research Intern (started May 2022)
• Aditi Misra: Engineering Science student (started Fall 2021)
• Sierra Wyllie: Engineering Science student (started Summer 2021)
• Muhammad Ahmad Kaleem: Engineering Science student (started Summer 2021)
• Emmy Fang: MS student (started Fall 2021, co-advised with Bo Wang) DeepMind Scholar
• Adam Dziedzic: Postdoctoral Fellow (Fall 2020 - Summer 2023)
• Mohammad Yaghini: PhD student (started Fall 2020) Meta PhD Fellow
• Stephan Rabanser: PhD student (started Fall 2020)
• Jonas Guan: PhD student (started Fall 2020)
• Jiaqi Wang: MASc student (started Fall 2020, co-advised with David Lie) OGS Scholar
• Nick Jia: PhD student (started Fall 2020) Vector Scholarship in AI, Mary H. Beatty Fellow, OGS Scholar
• Mingyue Yang: PhD student (started Winter 2020, co-advised with David Lie)

Past students and postdocs

• Shimaa Ahmed: Research Intern (Summer 2022) currently PhD student at University of Wisconsin-Madison
• Roy Rinberg: Research Intern (Summer 2022) currently Masters student at Columbia University
• Avital Shafran: Research Intern (Summer 2022) currently PhD student at the Hebrew University of Jerusalem
• Thorsten Eisenhofer: Research Intern (Summer 2022) currently PhD student at Ruhr University Bochum
• Yannis Cattan: Research Intern (Summer 2022) currently Masters student at ENS Paris-Saclay (MVA)
• Roei Schuster: Postdoctoral Fellow (2021-2022) currently CTO at Context AI
• Ilia Shumailov: Postdoctoral Fellow (started Fall 2021, co-advised with Kassem Fawaz) currently Junior Research Fellow at University of Oxford
• Hongyu (Charlie) Chen: Engineering Science student (Fall 2021 - Summer 2022) currently Machine Learning Engineer at Cohere.ai
• Aisha Alaagib: Research Intern (Summer 2021) currently Research Intern at MILA
• Armin Ale: Engineering Science student (Summer 2021 - Summer 2022) currently Software Engineer at Intel
• Ali Shahin Shamsabadi: Research Intern (Winter 2021 - Fall 2021) currently Research Associate at the Turing Institute
• Natalie Dullerud: MS student (Fall 2020 - Summer 2022) currently PhD Student at Stanford
• Steven Xia: Undergraduate student (Fall 2020 - Summer 2021, co-advised with Shurui Zhou) currently PhD student at UIUC
• Jin Zhou: Engineering Science student (Fall 2020 - Summer 2021) currently PhD student at Cornell
• Lucy Lu: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at Stanford
• Marko Huang: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at University of Toronto
• Gabriel Deza: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at UC Berkeley
• Tejumade Afonja: Research Intern (Summer 2020) currently PhD student at Saarland University
• Milad Nasr: Google Brain Intern (Summer 2020, co-hosted with Nicholas Carlini) currently Research Scientist at Google Brain
• Lorna Licollari: Research Intern (Summer 2020) currently Engineering Science student at University of Toronto
• Pratyush Maini: Research Intern (Summer 2020) currently PhD student at CMU
• Yunxiang Zhang: Research Intern (Spring 2020) currently PhD student at Chinese University of Hong Kong
• Saina Asani: Research Assistant (Winter 2020 - Summer 2020) currently AI Researcher at Huawei
• Laura Zhukas: Undergraduate Student Researcher (Fall 2019) currently BASc student at the University of Waterloo
• Christopher Choquette-Choo: Engineering Science student (Fall 2019 - Summer 2020) currently Research Engineer at Google Brain
• Baiwu Zhang: MEng student (Fall 2019 - Summer 2020) currently ML Engineer at Twitter
• Varun Chandrasekaran: Visiting PhD student (Fall 2019) currently Assistant Professor at UIUC
• Vinith Suriyakumar: MS student (Fall 2019 - Summer 2021, co-advised with M. Ghassemi and A. Goldenberg) currently PhD student at MIT
• Lucas Bourtoule: MASc student (started Fall 2019) currently Cybersecurity Software Engineer at Mithril Security
• Adelin Travers: PhD student (Fall 2019 - Summer 2021, co-advised with David Lie) currently Senior Pentester at Verizon
• Hadi Abdullah: Google Intern (Summer 2019, co-hosted with Damien Octeau) currently Researcher at Visa Research
• Matthew Jagielski: Google Brain intern (Summer 2019) currently Research Scientist at Google Brain

Information for prospective graduate students and postdocs

• If you are interested in joining my research group as a graduate student, apply to the CS or ECE (select "software systems" field) program. Unfortunately, I cannot respond to all prospective graduate students, so the best time is to contact me after you submitted your application.
• If you are interested in joining my research group as a postdoc, please send me an email directly with your CV and research statement.

Research Talks

Upcoming

Here is a list of talks I will be giving. Feel free to reach out if you will be attending one of these events and would like to meet.

• 6/2023 - National Yang Ming Chiao Tung University lecture
• 6/2023 - University of Toronto panel
• 6/2023 - ElementAI
• 6/2023 - Schwartz Reisman Institute for Technology and Society panel

Past Recorded Talks

These video resources are a good overview of my research interests.

Blog Posts

Here is a list of blog posts discussing some of the research questions I'm interested in:

• We need a 21st century framework for 21st century problems
• Can stochastic pre-processing defenses protect your models?
• Are adversarial examples against proof-of-learning adversarial?
• How to Keep a Model Stealing Adversary Busy?
• All You Need Is Matplotlib
• How to deploy machine learning with differential privacy? (DifferentialPrivacy.org)
• Arbitrating the integrity of stochastic gradient descent with proof-of-learning
• Beyond federation: collaborating in ML with confidentiality and privacy
• Is this model mine?
• Why we should regulate information about persons, not personal information
• To guarantee privacy, focus on the algorithms, not the data
• Teaching Machines to Unlearn
• In Model Extraction, Don’t Just Ask How?: Ask Why?
• How to steal modern NLP systems with gibberish?
• The academic job search for computer scientists in 10 questions
• How to know when machine learning does not know
• Machine Learning with Differential Privacy in TensorFlow
• Privacy and machine learning: two unexpected allies?
• The challenge of verification and testing of machine learning
• Is attacking machine learning easier than defending it?
• Breaking things is easy

Teaching

• [Fall 2023] ECE421H: Introduction to Machine Learning (see Quercus for course details)
• [Fall 2022] ECE1784H/CSC2559H: Trustworthy Machine Learning
• [Fall 2022] ECE421H: Introduction to Machine Learning (see Quercus for course details)
• [Fall 2021] ECE1784H/CSC2559H: Trustworthy Machine Learning
• [Fall 2021] ECE421H: Introduction to Machine Learning (see Quercus for course details)
• [Fall 2020] ECE421H: Introduction to Machine Learning (see Quercus for course details)
• [Fall 2020] ECE1513H: Introduction to Machine Learning (see Quercus for course details)
• [Winter 2020] ECE1513H: Introduction to Machine Learning (see Quercus for course details)
• [Fall 2019] ECE1784H: Trustworthy Machine Learning