Doctoral Thesis Proposal - Qi Pang
June 23, 2026 2:00PM—3:30PM
Location: 6501 Gates and Hillman Centers
Speaker: Qi Pang, Ph.D. Student, Computer Science Department, Carnegie Mellon University
https://www.cs.cmu.edu/~qpang/
Generative AI is moving into high-stakes domains such as healthcare, finance, and law, and it is evolving from static query-response models into autonomous agents that hold memory, call external tools, and communicate with one another. This shift expands the attack surface dramatically. A modern generative AI system spans several layers: the inputs a user provides, the model and the privacy guarantee it claims, the outputs it produces, and the messages its agents exchange. Each of these layers rests on a fragile trust assumption: inputs may carry sensitive personal information, outputs cannot be reliably attributed to their source, inter-agent messages can hide cryptographically undetectable payloads, and a model's advertised differential privacy guarantee may quietly fail to hold. Heuristic defenses such as input redaction, AI-text classifiers, transcript monitors, and procedural privacy audits offer little assurance against a motivated adversary, because they rest on pattern matching rather than proof.
This thesis argues that trustworthiness should be a provable, foundational property of generative AI systems, achieved by co-designing applied cryptography (secure multi-party computation, homomorphic encryption, and zero-knowledge proofs) and differential privacy with the structure of modern generative models. I develop this argument across the four layers above through four systems. BOLT (completed) protects user inputs with privacy-preserving Transformer inference that is accurate and an order of magnitude more efficient than prior work. A study of LLM watermarking (completed) establishes the fundamental trade-offs that govern output provenance and shows precisely when heuristic watermarks can be removed or forged. For inter-agent communication, I propose a study of steganographic collusion that constructs a high-capacity covert channel and a provable mechanism to disrupt it. For the model layer, I propose Noisette, a system that makes differential privacy verifiable by certifying, in zero knowledge, that the differential privacy noise was sampled correctly. Together, these systems chart a path toward generative AI that is not only powerful but also demonstrably private, accountable, and governable.
Thesis Committee
Virginia Smith (Co-chair)
Wenting Zheng (Co-chair)
Giulia Fanti
Somesh Jha (University of Wisconsin Madison)
Contact: Matt Stewart