Nicolas Papernot

I am an Assistant Professor at the University of Toronto, in the Department of Electrical and Computer Engineering, the Department of Computer Science, and the Faculty of Law. I am also a faculty member at the Vector Institute where I hold a Canada CIFAR AI Chair, and a faculty affiliate at the Schwartz Reisman Institute. In addition, I am a Co-Director of the Canadian AI Safety Institute (CAISI) Research Program at CIFAR. For the 2025-2027 period, I hold an International Chair at Inria.

My research interests are at the intersection of security, privacy, and machine learning. If you would like to learn more about my research, I recommend reading the blog posts I co-authored on cleverhans.io, for example about proof-of-learning, collaborative learning beyond federation, dataset inference, machine unlearning, differentially private ML, or adversarial examples.

I was named an Alfred P. Sloan Research Fellow in Computer Science in 2022, a Member of the Royal Society of Canada College in 2023, and an AI2050 Early Career Fellow By Schmidt Sciences in 2024. I received the McCharles Prize for Early Career Research Distinction and the ACM SIGSAC Outstanding Early-Career Researcher Award, both in 2024. My research has been cited in the press: e.g., the BBC, New York Times, Popular Science, The Atlantic, the Wall Street Journal and Wired.

I am serving as Program Co-Chair of the 47th and 48th IEEE Symposium on Security and Privacy in 2026 and 2027. I co-founded and served as a Program Co-Chair of the IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) in 2023 and 2024.

Previously, I earned my Ph.D. in Computer Science and Engineering at the Pennsylvania State University, working with Prof. Patrick McDaniel and supported by a Google PhD Fellowship. Upon graduating, I joined Google Brain for a year; I continue to spend time at Google DeepMind.

Email: [email protected]

Office: Pratt 484E and SRIC (the Vector Institute lobby is on the 11th floor)

Mail/Packages: 10 King's College Road, Room SFB540, Toronto, ON M5S 3G4, Canada

CV » Bluesky » Google Scholar »

Recent & selected older publications

A complete list of publications is available in my CV.

2025

Secure Noise Sampling for Differentially Private Collaborative Learning. Olive Franzese, Congyu Fang, Radhika, Xiao Wang, Somesh Jha, Nicolas Papernot, Adam Dziedzic. Proceedings of the 32nd ACM Conference on Computer and Communications Security. conference
Confidential Guardian: Cryptographically Prohibiting the Abuse of Model Abstention. Stephan Rabanser, Ali Shahin Shamsabadi, Olive Franzese, Xiao Wang, Adrian Weller, Nicolas Papernot. Proceedings of the 42nd International Conference on Machine Learning, Vancouver, Canada. conference
Suitability Filter: A Statistical Framework for Model Evaluation in Real-World Deployment Settings. Angéline Pouget, Mohammad Yaghini, Stephan Rabanser, Nicolas Papernot. Proceedings of the 42nd International Conference on Machine Learning, Vancouver, Canada. conference (+spotlight)
Language Models May Verbatim Complete Text They Were Not Explicitly Trained On. Ken Ziyu Liu, Christopher A. Choquette-Choo, Matthew Jagielski, Peter Kairouz, Sanmi Koyejo, Percy Liang, Nicolas Papernot. Proceedings of the 42nd International Conference on Machine Learning, Vancouver, Canada. conference (+spotlight)
Fast Exact Unlearning of Fine-Tuning Data for LLMs. Andrei Ioan Muresanu, Anvith Thudi, Michael R. Zhang, Nicolas Papernot. Proceedings of the 42nd International Conference on Machine Learning, Vancouver, Canada. conference
Leveraging Per-Instance Privacy for Machine Unlearning. Nazanin Mohammadi Sepahvand, Anvith Thudi, Berivan Isik, Ashmita Bhattacharyya, Nicolas Papernot, Eleni Triantafillou, Daniel M. Roy, Gintare Karolina Dziugaite. Proceedings of the 42nd International Conference on Machine Learning, Vancouver, Canada. conference
Trustworthy ML Regulation as a Principal-Agent Problem. Mohammad Yaghini, Patty Liu, Andrew Magnuson, Natalie Dullerud, Nicolas Papernot. Proceedings of the 2025 ACM Conference on Fairness, Accountability, and Transparency. conference
A False Sense of Safety: Unsafe Information Leakage in Safe AI Responses. David Glukhov, Ziwen Han, Ilia Shumailov, Vardan Papyan, Nicolas Papernot. Proceedings of the 13th International Conference on Learning Representations. conference
Tighter Privacy Auditing for the Hidden State Model via Gradient-Crafting Adversaries. Tudor Ioan Cebere, Aurélien Bellet, Nicolas Papernot. Proceedings of the 13th International Conference on Learning Representations. conference
Selective Classification Via Neural Network Training Dynamics. Stephan Rabanser, Anvith Thudi, Kimia Hamidieh, Adam Dziedzic, Israfil Bahceci, Akram Bin Sediq, Hamza Sokun, Nicolas Papernot. Transactions on Machine Learning Research. journal
Inexact Unlearning Needs More Careful Evaluations to Avoid a False Sense of Privacy. Jamie Hayes, Amr Khalifa, Ilia Shumailov, Nicolas Papernot, Eleni Triantafillou. Proceedings of the 3rd IEEE Conference on Secure and Trustworthy Machine Learning. conference
Verifiable and Provably Secure Machine Unlearning. Thorsten Eisenhofer, Doreen Riepel, Varun Chandrasekaran, Esha Ghosh, Olga Ohrimenko, Nicolas Papernot. Proceedings of the 3rd IEEE Conference on Secure and Trustworthy Machine Learning. conference
Backdoor Detection through Duplicated Execution of Outsourced Training. Hengrui Jia, Sierra Wyllie, Akram Bin Sediq, Ahmed A. Ibrahim, Nicolas Papernot. Proceedings of the 3rd IEEE Conference on Secure and Trustworthy Machine Learning. conference
Architectural Neural Backdoors from First Principles. Harry Langford, Ilia Shumailov, Yiren Zhao, Robert Mullins, Nicolas Papernot. Proceedings of the 46th IEEE Symposium on Security and Privacy, San Francisco, CA. conference

2024

Beyond Labeling Oracles: What does it mean to steal ML models?. Avital Shafran, Ilia Shumailov, Murat A. Erdogdu, Nicolas Papernot. Transactions on Machine Learning Research. journal
Temporal-Difference Learning Using Distributed Error Signals. Jonas Guan, Shon Eduard Verch, Claas A Voelcker, Ethan C Jackson, Nicolas Papernot, William A Cunningham. Proceedings of the 38th Conference on Neural Information Processing Systems. conference
LLM Dataset Inference: Detect Datasets, not Strings. Pratyush Maini, Hengrui Jia, Nicolas Papernot, Adam Dziedzic. Proceedings of the 38th Conference on Neural Information Processing Systems. conference
AI models collapse when trained on recursively generated data. Ilia Shumailov, Zakhar Shumaylov, Yiren Zhao, Yarin Gal, Nicolas Papernot, Ross Anderson. Nature. journal
Augment then Smooth: Reconciling Differential Privacy with Certified Robustness. Jiapeng Wu, Atiyeh Ashari Ghomi, David Glukhov, Jesse C. Cresswell, Franziska Boenisch, Nicolas Papernot. Transactions on Machine Learning Research. journal
Gradients Look Alike: Sensitivity is Often Overestimated in DP-SGD. Anvith Thudi, Hengrui Jia, Casey Meehan, Ilia Shumailov, Nicolas Papernot. Proceedings of the 33rd USENIX Security Symposium. conference
Auditing Private Prediction. Karan Chadha, Matthew Jagielski, Nicolas Papernot, Christopher A. Choquette-Choo, Milad Nasr. Proceedings of the 41st International Conference on Machine Learning, Vienna, Austria. conference
The Fundamental Limits of Least-Privilege Learning. Theresa Stadler, Bogdan Kulynych, Michael Gastpar, Nicolas Papernot, Carmela Troncoso. Proceedings of the 41st International Conference on Machine Learning, Vienna, Austria. conference
Position Paper: Rethinking LLM Censorship as a Security Problem. David Glukhov, Ilia Shumailov, Yarin Gal, Nicolas Papernot, Vardan Papyan. Proceedings of the 41st International Conference on Machine Learning, Vienna, Austria. conference
Fairness Feedback Loops: Training on Synthetic Data Amplifies Bias. Sierra Calanda Wyllie, Ilia Shumailov, Nicolas Papernot. Proceedings of the 2024 ACM Conference on Fairness, Accountability, and Transparency. conference
From Differential Privacy to Bounds on Membership Inference: Less can be More. Anvith Thudi, Ilia Shumailov, Franziska Boenisch, Nicolas Papernot. Transactions on Machine Learning Research. journal
Decentralised, Collaborative, and Privacy-preserving Machine Learning for Multi-Hospital Data. Congyu Fang, Adam Dziedzic, Lin Zhang, Laura Oliva, Amol Verma, Fahad Razak, Nicolas Papernot, Bo Wang. eBioMedicine Volume 101. journal
Memorization in Self-Supervised Learning Improves Downstream Generalization. Wenhao Wang, Muhammad Ahmad Kaleem, Adam Dziedzic, Michael Backes, Nicolas Papernot, Franziska Boenisch. Proceedings of the 12th International Conference on Learning Representations. conference
Confidential-DPproof: Confidential Proof of Differentially Private Training. Ali Shahin Shamsabadi, Gefei Tan, Tudor Ioan Cebere, Aurélien Bellet, Hamed Haddadi, Nicolas Papernot, Xiao Wang, Adrian Weller. Proceedings of the 12th International Conference on Learning Representations. conference (+spotlight)
Exploring Strategies for Guiding Symbolic Analysis with Machine Learning Prediction. Mingyue Yang, David Lie, Nicolas Papernot. 31st IEEE International Conference on Software Analysis, Evolution and Reengineering. conference

2023 & earlier

Robust and Actively Secure Serverless Collaborative Learning. Olive Franzese, Adam Dziedzic, Christopher A. Choquette-Choo, Mark R. Thomas, Muhammad Ahmad Kaleem, Stephan Rabanser, Congyu Fang, Somesh Jha, Nicolas Papernot, Xiao Wang. Proceedings of the 37th Conference on Neural Information Processing Systems. conference
Training Private Models That Know What They Don’t Know. Stephan Rabanser, Anvith Thudi, Abhradeep Thakurta, Krishnamurthy Dvijotham, Nicolas Papernot. Proceedings of the 37th Conference on Neural Information Processing Systems. conference
Have it your way: Individualized Privacy Assignment for DP-SGD. Franziska Boenisch, Christopher Mühl, Adam Dziedzic, Roy Rinberg, Nicolas Papernot. Proceedings of the 37th Conference on Neural Information Processing Systems. conference
Flocks of Stochastic Parrots: Differentially Private Prompt Learning for Large Language Models. Haonan Duan, Adam Dziedzic, Nicolas Papernot, Franziska Boenisch. Proceedings of the 37th Conference on Neural Information Processing Systems. conference
Proof-of-Learning is Currently More Broken Than You Think. Congyu Fang, Hengrui Jia, Anvith Thudi, Mohammad Yaghini, Christopher A. Choquette-Choo, Natalie Dullerud, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 8th IEEE European Symposium on Security and Privacy, Delft, Netherlands. conference
Reconstructing Individual Data Points in Federated Learning Hardened with Differential Privacy and Secure Aggregation. Franziska Boenisch, Adam Dziedzic, Roei Schuster, Ali Shahin Shamsabadi, Ilia Shumailov, Nicolas Papernot. Proceedings of the 8th IEEE European Symposium on Security and Privacy, Delft, Netherlands. conference
When the Curious Abandon Honesty: Federated Learning Is Not Private. Franziska Boenisch, Adam Dziedzic, Roei Schuster, Ali Shahin Shamsabadi, Ilia Shumailov, Nicolas Papernot. Proceedings of the 8th IEEE European Symposium on Security and Privacy, Delft, Netherlands. conference
Losing Less: A Loss for Differentially Private Deep Learning. Ali Shahin Shamsabadi, Nicolas Papernot. Proceedings on Privacy Enhancing Technologies, Lausanne, Switzerland. conference
Architectural Backdoors in Neural Networks. Mikel Bober-Irizar, Ilia Shumailov, Yiren Zhao, Robert Mullins, Nicolas Papernot. Proceedings of the 2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Vancouver, Canada. conference
Measuring Forgetting of Memorized Training Examples. Matthew Jagielski, Om Thakkar, Florian Tramer, Daphne Ippolito, Katherine Lee, Nicholas Carlini, Eric Wallace, Shuang Song, Abhradeep Guha Thakurta, Nicolas Papernot, Chiyuan Zhang. Proceedings of the 11th International Conference on Learning Representations. conference
Confidential-PROFITT: Confidential PROof of FaIr Training of Trees. Ali Shahin Shamsabadi, Sierra Calanda Wyllie, Nicholas Franzese, Natalie Dullerud, Sébastien Gambs, Nicolas Papernot, Xiao Wang, Adrian Weller. Proceedings of the 11th International Conference on Learning Representations. conference (+oral)
Private Multi-Winner Voting for Machine Learning. Adam Dziedzic, Christopher A. Choquette-Choo, Natalie Dullerud, Vinith Menon Suriyakumar, Ali Shahin Shamsabadi, Muhammad Ahmad Kaleem, Somesh Jha, Nicolas Papernot, Xiao Wang. Proceedings on Privacy Enhancing Technologies, Lausanne, Switzerland. conference
Differentially Private Speaker Anonymization. Ali Shahin Shamsabadi, Brij Mohan Lal Srivastava, Aurelien Bellet, Nathalie Vauquier, Emmanuel Vincent, Mohamed Maouche, Marc Tommasi, Nicolas Papernot. Proceedings on Privacy Enhancing Technologies, Lausanne, Switzerland. conference
Tubes Among Us: Analog Attack on Automatic Speaker Identification. Shimaa Ahmed, Yash Wani, Ali Shahin Shamsabadi, Mohammad Yaghini, Ilia Shumailov, Nicolas Papernot, Kassem Fawaz. Proceedings of the 32nd USENIX Security Symposium. conference
Washing The Unwashable: On The (Im)possibility of Fairwashing Detection. Ali Shahin Shamsabadi, Mohammad Yaghini, Natalie Dullerud, Sierra Wyllie, Ulrich Aïvodji, Aisha Alaagib Alryeh Mkean, Sébastien Gambs, Nicolas Papernot. Proceedings of the 36th Conference on Neural Information Processing Systems. conference
On the Necessity of Auditable Algorithmic Definitions for Machine Unlearning. Anvith Thudi, Hengrui Jia, Ilia Shumailov, Nicolas Papernot. Proceedings of the 31st USENIX Security Symposium. conference
Increasing the Cost of Model Extraction with Calibrated Proof of Work. Adam Dziedzic, Muhammad Ahmad Kaleem, Yu Shen Lu, Nicolas Papernot. Proceedings of the 10th International Conference on Learning Representations. conference (+spotlight)
A Zest of LIME: Towards Architecture-Independent Model Distances. Hengrui Jia, Hongyu Chen, Jonas Guan, Ali Shahin Shamsabadi, Nicolas Papernot. Proceedings of the 10th International Conference on Learning Representations. conference
Hyperparameter Tuning with Renyi Differential Privacy. Nicolas Papernot, Thomas Steinke. Proceedings of the 10th International Conference on Learning Representations. conference (+outstanding paper award)
Bad Character Injection: Imperceptible Attacks on NLP Models. Nicholas Boucher, Ilia Shumailov, Ross Anderson, Nicolas Papernot. Proceedings of the 43rd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
Manipulating SGD with Data Ordering Attacks. Ilia Shumailov, Zakhar Shumaylov, Dmitry Kazhdan, Yiren Zhao, Nicolas Papernot, Murat A. Erdogdu, Ross Anderson. Proceedings of the 35th Conference on Neural Information Processing Systems. conference
Proof-of-Learning: Definitions and Practice. Hengrui Jia, Mohammad Yaghini, Christopher A. Choquette-Choo, Natalie Dullerud, Anvith Thudi, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
Entangled Watermarks as a Defense against Model Extraction. Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 30th USENIX Security Symposium. conference
Sponge Examples: Energy-Latency Attacks on Neural Networks. Ilia Shumailov, Yiren Zhao, Daniel Bates, Nicolas Papernot, Robert Mullins, Ross Anderson. Proceedings of the 6th IEEE European Symposium on Security and Privacy, Vienna, Austria. conference
CaPC Learning: Confidential and Private Collaborative Learning. Christopher A. Choquette-Choo, Natalie Dullerud, Adam Dziedzic, Yunxiang Zhang, Somesh Jha, Nicolas Papernot, Xiao Wang. Proceedings of the 9th International Conference on Learning Representations. conference
Dataset Inference: Ownership Resolution in Machine Learning. Pratyush Maini, Mohammad Yaghini, Nicolas Papernot. Proceedings of the 9th International Conference on Learning Representations. conference (+spotlight)
Machine Unlearning. Lucas Bourtoule, Varun Chandrasekaran, Christopher A. Choquette-Choo, Hengrui Jia, Adelin Travers, Baiwu Zhang, David Lie, Nicolas Papernot. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
Analyzing and Improving Representations with the Soft Nearest Neighbor Loss. Nicholas Frosst, Nicolas Papernot, Geoffrey Hinton. Proceedings of the 36th International Conference on Machine Learning, Long Beach, CA. conference
Scalable Private Learning with PATE. Nicolas Papernot, Shuang Song, Ilya Mironov, Ananth Raghunathan, Kunal Talwar, Ulfar Erlingsson. Proceedings of the 6th International Conference on Learning Representations, Vancouver, Canada. conference
Towards the Science of Security and Privacy in Machine Learning. Nicolas Papernot, Patrick McDaniel, Arunesh Sinha, and Michael Wellman. Proceedings of the 3rd IEEE European Symposium on Security and Privacy, London, UK. conference
Semi-supervised Knowledge Transfer for Deep Learning from Private Training Data. Nicolas Papernot, Martin Abadi, Ulfar Erlingsson, Ian Goodfellow, and Kunal Talwar. Proceedings of the 5th International Conference on Learning Representations, Toulon, France. conference (+best paper)
Practical Black-Box Attacks against Machine Learning. Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z.Berkay Celik, and Ananthram Swami. Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, Abu Dhabi, UAE. conference
Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples. Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. technical report
The Limitations of Deep Learning in Adversarial Settings. Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. Proceedings of the 1st IEEE European Symposium on Security and Privacy, Saarbrucken, Germany. conference

Research group

Current students and postdocs

Andrei Muresanu: MSc student (Starting Fall 2025)
Arielle Zhang: PhD student (Starting Fall 2025)
Angela Sha: MSc student (Starting Fall 2025)
Sierra Wyllie: MSc student (Starting Fall 2025, co-advised with Moritz Hardt)
Yufei (Celina) Chen: Research Intern (Summer 2025)
Hanna Foerster: Visiting PhD student (Summer 2025)
Augustin Godinot: Visiting PhD student (Spring - Summer 2025)
Carter Luck: Research Intern (Winter 2025 - Summer 2025)
Olive Franzese: Postdoctoral Fellow (started Winter 2025)
Jiaqi Wang: PhD student (started Fall 2024, co-advised with David Lie) NSERC Postgraduate Scholar
Michael Menart: Postdoctoral Fellow (started Fall 2024, co-advised with Aleksandar Nikolov)
Tom Blanchard: MASc student (started Fall 2024)
Ashmita Bhattacharyya: Engineering Science student (Spring 2024 - Summer 2026)
David Glukhov: PhD student (started Winter 2023, co-advised with Vardan Papyan)
Emmy Fang: PhD student (started Fall 2023, co-advised with Bo Wang) OGS Scholar, DiDi Award, CS 50th Anniversary Graduate Scholar, Canada Graduate Scholar
Pascale Gourdeau: Postdoctoral Fellow (started Fall 2023, co-advised with Shai Ben-David) NSERC Fellow
Haonan Duan: PhD student (started Fall 2021, co-advised with Chris Maddison)
Anvith Thudi: PhD student (started Fall 2022, co-advised with Chris Maddison) Vanier Scholar
Mohammad Yaghini: PhD student (started Fall 2020) Meta PhD Fellow
Stephan Rabanser: PhD student (started Fall 2020)
Jonas Guan: PhD student (started Fall 2020, co-advised with William Cunningham)
Nick Jia: PhD student (started Fall 2020) Vector Scholarship, Mary H. Beatty Fellow, OGS Scholar
Mingyue Yang: PhD student (started Winter 2020, co-advised with David Lie)

Past students and postdocs

Angéline Pouget: Visiting Masters student (Spring 2024 - Fall 2024) currently Research Engineer at Google
Andrew Magnuson: Engineering Science student (Winter 2024 - Fall 2024) currently Engineering Science student at the University of Toronto
Ziwen Han: Undergraduate student (Fall 2023 - Summer 2024) currently Research Engineer at Scale AI
Tudor Cebere: Visiting PhD student (Fall 2023 - Winter 2024) currently PhD student at INRIA
Andy Liu: Engineering Science student (Fall 2023 - Summer 2024) currently ASICs Engineer at Qualcomm
Berivan Isik: Visiting PhD student (Summer 2023) currently Research Scientist at Google
Karan Chadha: Google Brain Intern (Summer 2023, co-hosted with Matthew Jagielski) currently Research Scientist at Meta
Camille Bruckmann: Engineering Science student (Fall 2022 - Summer 2023) currently Software Engineer at Microsoft
Si Cheng (Steven) Zhong: Engineering Science student (Fall 2022 - Summer 2023) currently MS student at University of Toronto
Franziska Boenisch: Postdoctoral Fellow (Fall 2022 - Summer 2023) currently Assistant Professor at CISPA Helmholtz Center for Information Security
Shimaa Ahmed: Visiting PhD student (Summer 2022) currently Staff Research Scientist at Visa Research
Roy Rinberg: Research Intern (Summer 2022) currently PhD student at Harvard University
Patty Liu: Engineering Science student (May 2022 - August 2023) currently PhD student at Princeton University
Mark Thomas: Research Intern (Summer 2022) currently MS student at the University of Toronto
Avital Shafran: Visiting PhD student (Summer 2022) currently PhD student at the Hebrew University of Jerusalem
Thorsten Eisenhofer: Visiting PhD student (Summer 2022) currently Assistant Professor at CISPA Helmholtz Center for Information Security
Yannis Cattan: Research Intern (Summer 2022) currently Masters student at ENS Paris-Saclay (MVA)
Roei Schuster: Postdoctoral Fellow (2021-2022) currently CTO at Context AI
Ilia Shumailov: Postdoctoral Fellow (started Fall 2021, co-advised with Kassem Fawaz) currently Research Scientist at Google DeepMind and Junior Research Fellow at Oxford
Aditi Misra: Engineering Science student (Fall 2021 - Spring 2024) currently Quantitative Researcher at Squarepoint
Hongyu (Charlie) Chen: Engineering Science student (Fall 2021 - Summer 2022) currently Machine Learning Engineer at Cohere.ai
Muhammad Ahmad Kaleem: Engineering Science student (Summer 2021 - Summer 2023) currently Engineering Science student at University of Toronto
Aisha Alaagib: Research Intern (Summer 2021) currently Research Intern at MILA
Armin Ale: Engineering Science student (Summer 2021 - Summer 2022) currently Software Engineer at Intel
Ali Shahin Shamsabadi: Research Intern (Winter 2021 - Fall 2021) currently Privacy Researcher at Brave
Adam Dziedzic: Postdoctoral Fellow (Fall 2020 - Summer 2023) currently Assistant Professor at CISPA Helmholtz Center for Information Security
Natalie Dullerud: MS student (Fall 2020 - Summer 2022) currently PhD Student at Stanford
Steven Xia: Undergraduate student (Fall 2020 - Summer 2021, co-advised with Shurui Zhou) currently PhD student at UIUC
Jin Zhou: Engineering Science student (Fall 2020 - Summer 2021) currently PhD student at Cornell
Lucy Lu: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at Stanford
Marko Huang: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at University of Toronto
Gabriel Deza: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at UC Berkeley
Tejumade Afonja: Research Intern (Summer 2020) currently PhD student at Saarland University
Milad Nasr: Google Brain Intern (Summer 2020, co-hosted with Nicholas Carlini) currently Research Scientist at Google Brain
Lorna Licollari: Research Intern (Summer 2020) currently Engineering Science student at University of Toronto
Pratyush Maini: Research Intern (Summer 2020) currently PhD student at CMU
Yunxiang Zhang: Research Intern (Spring 2020) currently PhD student at Chinese University of Hong Kong
Saina Asani: Research Assistant (Winter 2020 - Summer 2020) currently AI Researcher at Huawei
Laura Zhukas: Undergraduate Student Researcher (Fall 2019) currently BASc student at the University of Waterloo
Christopher Choquette-Choo: Engineering Science student (Fall 2019 - Summer 2020) currently Research Engineer at Google Brain
Baiwu Zhang: MEng student (Fall 2019 - Summer 2020) currently ML Engineer at Twitter
Varun Chandrasekaran: Visiting PhD student (Fall 2019) currently Assistant Professor at UIUC
Vinith Suriyakumar: MS student (Fall 2019 - Summer 2021, co-advised with M. Ghassemi and A. Goldenberg) currently PhD student at MIT
Lucas Bourtoule: MASc student (started Fall 2019) currently Security Engineer at Trail of Bits
Adelin Travers: PhD student (Fall 2019 - Summer 2021, co-advised with David Lie) currently Senior ML Assurance Engineer at Trail of Bits
Hadi Abdullah: Google Intern (Summer 2019, co-hosted with Damien Octeau) currently Researcher at Visa Research
Matthew Jagielski: Google Brain intern (Summer 2019) currently Research Scientist at Google Brain

Information for prospective graduate students and postdocs

If you are interested in joining my research group as a graduate student, apply to the CS or ECE (select "software systems" field) program. Unfortunately, I cannot respond to all prospective graduate students, so the best time is to contact me after you submitted your application.
If you are interested in joining my research group as a postdoc, please send me an email directly with your CV and research statement.

Research Talks

Upcoming

Here is a list of talks I will be giving. Feel free to reach out if you will be attending one of these events and would like to meet.

5/2025 - Secure GenAI Agent Workshop at IEEE SP 2025
5/2025 - Columbia University

Past Recorded Talks

These video resources are a good overview of my research interests.

Machine Unlearning

Randomization in Trustworthy ML

Trustworthy ML

Deepfakes

Lecture on ML security and privacy

Privacy-preserving ML

Adversarial examples

Blog Posts

Here is a list of blog posts discussing some of the research questions I'm interested in:

Teaching

[Fall 2023] ECE421H: Introduction to Machine Learning (see Quercus for course details)
[Fall 2022] ECE1784H/CSC2559H: Trustworthy Machine Learning
[Fall 2022] ECE421H: Introduction to Machine Learning (see Quercus for course details)
[Fall 2021] ECE1784H/CSC2559H: Trustworthy Machine Learning
[Fall 2021] ECE421H: Introduction to Machine Learning (see Quercus for course details)
[Fall 2020] ECE421H: Introduction to Machine Learning (see Quercus for course details)
[Fall 2020] ECE1513H: Introduction to Machine Learning (see Quercus for course details)
[Winter 2020] ECE1513H: Introduction to Machine Learning (see Quercus for course details)
[Fall 2019] ECE1784H: Trustworthy Machine Learning