Doctoral Thesis Proposal - Qi Pang

June 23, 2026, 2:00 PM – 3:30 PM

Location:
6501 - Gates and Hillman Centers

Speaker:
QI PANG, Ph.D. Student, Computer Science Department, Carnegie Mellon University
https://www.cs.cmu.edu/~qpang/

Provably Secure Approaches for Generative AI Systems: From Private Inference to Accountable Agents

Generative AI is moving into high-stakes domains such as healthcare, finance, and law, and it is evolving from static query-response models into autonomous agents that hold memory, call external tools, and communicate with one another. This shift expands the attack surface dramatically. A modern generative AI system spans several layers: the inputs a user provides, the model and the privacy guarantee it claims, the outputs it produces, and the messages its agents exchange. Each of these layers rests on a fragile trust assumption: inputs may carry sensitive personal information, outputs cannot be reliably attributed to their source, inter-agent messages can hide cryptographically undetectable payloads, and a model's advertised differential privacy guarantee may quietly fail to hold. Heuristic defenses such as input redaction, AI-text classifiers, transcript monitors, and procedural privacy audits offer little assurance against a motivated adversary, because they rest on pattern matching rather than proof.

This thesis argues that trustworthiness should be a provable, foundational property of generative AI systems, achieved by co-designing applied cryptography (secure multi-party computation, homomorphic encryption, and zero-knowledge proofs) and differential privacy with the structure of modern generative models. I develop this argument across the four layers above through four systems. BOLT (completed) protects user inputs with privacy-preserving Transformer inference that is accurate and an order of magnitude more efficient than prior work. A study of LLM watermarking (completed) establishes the fundamental trade-offs that govern output provenance and shows precisely when heuristic watermarks can be removed or forged. For inter-agent communication, I propose a study of steganographic collusion that constructs a high-capacity covert channel and a provable mechanism to disrupt it. For the model layer, I propose Noisette, a system that makes differential privacy verifiable by certifying, in zero knowledge, that the differential privacy noise was sampled correctly. Together, these systems chart a path toward generative AI that is not only powerful but also demonstrably private, accountable, and governable.

Thesis Committee

Virginia Smith (Co-chair)
Wenting Zheng (Co-chair)
Giulia Fanti
Somesh Jha (University of Wisconsin Madison)

Additional Information

Contact
Matt Stewart
