I am an assistant professor of Computer Science at ETH Zürich where I lead the SPY Lab.
My research interests lie in Computer Security, Machine Learning and Cryptography. In my current work, I study the worst-case behavior of Deep Learning systems from an adversarial perspective, to understand and mitigate long-term threats to the safety and privacy of users.
To learn more about our lab's work, see here or take a look at our blog.
My work has been featured in The Economist, Nature, Science, Communications of the ACM, Wired and the Swiss news (in French).
I received my PhD from Stanford University under the supervision of Dan Boneh. After graduating, I spent one year at Google Brain.
Email:
Office: Universitätstrasse 6, CAB F72, CH-8092 Zürich
Current group
- Avital Shafran (Postdoc)
- Daniel Paleka (PhD Student)
- Edoardo Debenedetti (PhD Student)
- Javier Rando (PhD Student -> Anthropic)
- Michael Aerni (PhD Student)
- Jie Zhang (PhD Student)
- Kristina Nikolić (PhD Student)
- Lukas Fluri (PhD Student)
- Pura Peetathawatchai (PhD Student)
News
- I gave an impromptu Keynote at the Real World AI Security conference on "The Security Turing Test". I also posted a written version on our blog.
- I am co-chairing SaTML 2027 with Fabio Pierazzi. Submit your best work on secure and trustworthy machine learning!
- We launched a new event: the Real World AI Security conference, at Stanford on June 23–25, 2026, to hear about great work with real-world impact at the intersection of AI and security.
Some of my recorded talks
The Security Turing Test (Real World AI Security Keynote, Stanford)
Cybersecurity in the Age of LLMs (IRISA 50th anniversary)
The Weird ChatGPT Hack That Leaked Training Data (Machine Learning Street Talk with Yannic Kilcher)
Making Machine Learning FAIL (my inaugural lecture)
Un-aligning large language models (EPFL Applied Machine Learning Days)
Measuring and Enhancing the Security of Machine Learning (my "job talk")
Adversarial Examples (Machine Learning Street Talk with Yannic Kilcher and Tim Scarfe)
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware (ICLR)