Mathias Lécuyer

I am an assistant professor at the University of British Columbia in Vancouver, where I am part of Systopia, UBC S&P, TrustML, and CAIDA. Prior to this, I was a postdoctoral researcher at Microsoft Research in NY. I completed my PhD at Columbia University. I work on trustworthy Artificial Intelligence (AI) systems, with a focus on auditing AI models, and developing techniques to enforce provable guarantees in models and their data ecosystems.

Office: ICICS 317
Email: mathias.lecuyer@ubc.ca

Teaching

I teach the following classes: (currentall)

CPSC 532Y: Causal Machine Learning (Fall 2024, Fall 2023, Fall 2022)
CPSC 330: Applied Machine Learning (Spring 2024, Spring 2023)
CPSC 538L: Differential Privacy - Theory and Practice (Spring 2022)

Students

Postdoctoral researchers

Bingshan Hu (with Danica Sutherland)

Graduate students

Qiaoyue Tang (PhD)
Saiyue Lyu (PhD)
Frederick Shpilevskiy (PhD)

Alumni

Mishaal Kazmi (MSc, with Ivan Beschastnikh) → PhD student at Northeastern University
Shadab Shaikh (MSc)
Alain Zhiyanov (BSc research)
Jessica Bator (BSc research)
Amir Sabzi (MSc, with Aastha Mehta) → PhD student at Princeton
Helen Chen (BSc research) → Amazon
Ryan Shar (BSc Honors thesis) → MSc CMU
Mauricio Soroco (BSc research) → PhD student at SFU
Joel Hempel (BSc research)
Eric Xiong (BSc Honors thesis) → MSc (research) University of Alberta
Frederick Shpilevskiy (BSc Honors thesis, with Margo Seltzer) → PhD student at UBC
Shiqi He (MSc, with Ivan Beschastnikh) → PhD student at the University of Michigan

Research

I work on trustworthy Artificial Intelligence (AI) systems, with a focus on enforcing provable guarantees in models and their data ecosystems. My recent contributions tackle these challenges in four broad directions.

All Publications & Preprints

Also available on my resume or Google Scholar.

Bingshan Hu, Zhiming Huang, Tianyue H. Zhang, Mathias Lécuyer, Nidhi Hegde. Connecting Thompson Sampling and UCB: Towards More Efficient Trade-offs Between Privacy and Regret. ICML 2025. [arxiv]
Qifan Yan, Andrew Liu, Shiqi He, Mathias Lécuyer, and Ivan Beschastnikh. FedFetch: Faster Federated Learning with Adaptive Downstream Prefetching. INFOCOM 2025. [arxiv]
Pierre Tholoniat, Kelly Kostopoulou, Mosharaf Chowdhury, Asaf Cidon, Roxana Geambasu, Mathias Lécuyer, and Junfeng Yang. DPack: Efficiency-Oriented Privacy Budget Scheduling. EuroSys 2025. [arxiv]
Thomas Crasson, Yacine Nabet, Mathias Lécuyer. Training and Evaluating Causal Forecasting Models for Time-Series. Preprint 2024. [arxiv]
Saiyue Lyu, Shadab Shaikh, Frederick Shpilevskiy, Evan Shelhamer, Mathias Lécuyer. Adaptive Randomized Smoothing: Certified Adversarial Robustness for Multi-Step Defences. Spotlight, NeurIPS 2024. [NeurIPS][arXiv]
Mishaal Kazmi, Hadrien Lautraite, Alireza Akbari, Qiaoyue Tang, Mauricio Soroco, Tao Wang, Sébastien Gambs, Mathias Lécuyer. PANORAMIA: Privacy Auditing of Machine Learning Models without Retraining. NeurIPS 2024. [NeurIPS][arXiv]
Pierre Tholoniat, Kelly Kostopoulou, Peter McNeely, Prabhpreet Singh Sodhi, Anirudh Varanasi, Benjamin Case, Asaf Cidon, and Roxana Geambasu, Mathias Lécuyer. Cookie Monster: Efficient On-Device Budgeting for Differentially-Private Ad-Measurement Systems. Distinguished Artifact Honorable Mention, SOSP 2024. [arxiv]
Mishaal Kazmi, Hadrien Lautraite, Alireza Akbari, Mauricio Soroco, Qiaoyue Tang, Tao Wang, Sébastien Gambs, Mathias Lécuyer. PANORAMIA: Privacy Auditing of Machine Learning Models without Retraining. TPDP workshop 2024. [arXiv full paper]
Shadab Shaikh, Saiyue Lyu, Frederick Shpilevskiy, Evan Shelhamer, Mathias Lécuyer. Adaptive Randomized Smoothing for Certified Multi-Step Defence. MAT workshop @ CVPR 2024. [PDF][arXiv full paper]
Amir Sabzi, Rut Vora, Swati Goswami, Margo Seltzer, Mathias Lécuyer, Aastha Mehta. NetShaper: A Differentially Private Network Side-Channel Mitigation System. USENIX Security 2024. [arXiv]
Qiaoyue Tang, Frederick Shpilevskiy, Mathias Lécuyer. DP-AdamBC: Your DP-Adam Is Actually DP-SGD (Unless You Apply Bias Correction). Oral, AAAI 2024. [arXiv]
Mauricio Soroco, Joel Hempel, Xinze Xiong, Mathias Lécuyer, Joséphine Gantois. Flowering Onset Detection: Traditional Learning vs. Deep Learning Performance in a Sparse Label Context. CCAI workshop at NeurIPS 2023. [PDF][site]
Kelly Kostopoulou, Pierre Tholoniat, Asaf Cidon, Roxana Geambasu, Mathias Lécuyer. Turbo: Effective Caching in Differentially-Private Databases. SOSP 2023. [PDF, appendix][arxiv (full version)]
Qiaoyue Tang, Mathias Lécuyer. DP-Adam: Correcting DP Bias in Adam's Second Moment Estimation. RTML workshop at ICLR 2023. [arXiv]
Shiqi He, Qifan Yan, Feijie Wu, Lanjun Wang, Mathias Lécuyer, Ivan Beschastnikh. GlueFL: Reconciling Client Sampling and Model Masking for Bandwidth Efficient Federated Learning. MLSys 2023. [arXiv][code]
Ali Behrouz, Mathias Lécuyer, Cynthia Rudin, Margo Seltzer. Fast Optimization of Weighted Sparse Decision Trees for use in Optimal Treatment Regimes and Optimal Policy Design. AIMLAI Workshop 2022. [arXiv full version]
Jinkun Lin, Anqi Zhang, Mathias Lécuyer, Jinyang Li, Aurojit Panda, Siddhartha Sen. Measuring the Effect of Training Data on Deep Learning Predictions via Randomized Experiments. ICML 2022. [arXiv][code][demo]
Mathias Lécuyer, Sang Hoon Kim, Mihir Nanavati, Junchen Jiang, Siddhartha Sen, Amit Sharma, Aleksandrs Slivkins. Sayer: Using Implicit Feedback to Optimize System Policies. SoCC 2021. [PDF]
Tao Luo, Mingen Pan, Pierre Tholoniat, Asaf Cidon, Roxana Geambasu, Mathias Lécuyer. Privacy Budget Scheduling. OSDI 2021. [PDF][Long Version][Code]
Mathias Lécuyer. Practical Privacy Filters and Odometers with Rényi Differential Privacy and Applications to Differentially Private Deep Learning. Preprint 2021. [arXiv]
Mathias Lécuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, Suman Jana. Certified Robustness to Adversarial Examples with Differential Privacy. S&P 2019. [PDF][Code]
Mathias Lécuyer, Riley Spahn, Kiran Vodrahalli, Roxana Geambasu, Daniel Hsu. Privacy Accounting and Quality Control in the Sage Differentially Private ML Platform. SOSP 2019. [PDF]
Mathias Lécuyer, Riley Spahn, Kiran Vodrahalli, Roxana Geambasu, Daniel Hsu. Privacy Accounting and Quality Control in the Sage Differentially Private ML Platform. OSR 2019. [PDF]
Mathias Lécuyer, Riley B. Spahn, Roxana Geambasu, Tzu-Kuo Huang, and Siddhartha Sen. Enhancing Selectivity in Big Data. Invited paper, S&P Magazine, 2018. [PDF]
Mathias Lécuyer, Joshua Lockerman, Lamont Nelson, Siddhartha Sen, Amit Sharma, and Aleksandrs Slivkins. Harvesting Randomness to Optimize Distributed Systems. HotNets 2017. [PDF]
Mathias Lécuyer, Riley B. Spahn, Roxana Geambasu, Tzu-Kuo Huang, and Siddhartha Sen. Pyramid: Enhancing selectivity in big data protection with count featurization. S&P 2017. [PDF][Long Version][Website]
Mathias Lécuyer, Max Tucker, Augustin Chaintreau. Improving the transparency of the sharing economy. WWW 2017. [PDF][Data][Blog post]
Mathias Lécuyer, Riley Spahn, Giannis Spiliopoulos, Augustin Chaintreau, Roxana Geambasu, and Daniel Hsu. Sunlight: Fine-grained Targeting Detection at Scale with Statistical Confidence. CCS'15. [PDF][Website][The Economist, Slate]
Nicolas Viennot , Mathias Lécuyer, Jonathan Bell, Roxana Geambasu, and Jason Nieh. Synapse: New Data Integration Abstractions for Agile Web Application Development. EuroSys 2015. [PDF][Website]
Mathias Lécuyer, Guillaume Ducoffe, Francis Lan, Andrei Papancea, Theofilos Petsios, Riley Spahn, Augustin Chaintreau, and Roxana Geambasu. XRay: Increasing the Web's Transparency with Differential Correlation. USENIX Security 2014. [PDF][Website][NYT Bits, MIT Technology Review]

Privacy preserving data systems

AI systems rely on large scale data collection and aggregation, which exposes sensitive information. I develop new theory, algorithms, and system mechanisms for Differential Privacy (DP), to make end-to-end privacy preserving systems more practical. Specifically, I have worked on new DP composition theory, system mechanisms for efficient privacy accounting and resource allocation, and new learning algoalgorithms to train DP models. Cookie Monster serves as the DP blueprint for the Privacy-Preserving Attribution (advertising measurement) API under standardization with the W3C.

Pierre Tholoniat, Kelly Kostopoulou, Peter McNeely, Prabhpreet Singh Sodhi, Anirudh Varanasi, Benjamin Case, Asaf Cidon, and Roxana Geambasu, Mathias Lécuyer. Cookie Monster: Efficient On-Device Budgeting for Differentially-Private Ad-Measurement Systems. Distinguished Artifact Honorable Mention, SOSP 2024. [paper][code]
Qiaoyue Tang, Frederick Shpilevskiy, Mathias Lécuyer. DP-AdamBC: Your DP-Adam Is Actually DP-SGD (Unless You Apply Bias Correction). Oral, AAAI 2024. [paper][code]
Kelly Kostopoulou, Pierre Tholoniat, Asaf Cidon, Roxana Geambasu, Mathias Lécuyer. Turbo: Effective Caching in Differentially-Private Databases. SOSP 2023. [paper]
Tao Luo, Mingen Pan, Pierre Tholoniat, Asaf Cidon, Roxana Geambasu, Mathias Lécuyer. Privacy Budget Scheduling. OSDI 2021. [paper][code]
Mathias Lécuyer. Practical Privacy Filters and Odometers with Rényi Differential Privacy and Applications to Differentially Private Deep Learning. Preprint 2021. [paper]
Mathias Lécuyer, Riley Spahn, Kiran Vodrahalli, Roxana Geambasu, Daniel Hsu. Privacy Accounting and Quality Control in the Sage Differentially Private ML Platform. SOSP 2019. [paper]

Explainability and transparency for AI systems

I develop techniques to better understand, explain, and audit AI systems under different threat models. For instance, PANORAMIA aims to quantify privacy leakage from AI models without access to, or control of, the training pipeline. I have also worked on measuring the impact of training data on the test-time behaviour of AI models. By framing this question as a causal inference question, I aim provide explanations that are faithful to model behaviour in manipulated settings.

Mishaal Kazmi, Hadrien Lautraite, Alireza Akbari, Qiaoyue Tang, Mauricio Soroco, Tao Wang, Sébastien Gambs, Mathias Lécuyer. PANORAMIA: Privacy Auditing of Machine Learning Models without Retraining. NeurIPS 2024. [paper][code]
Jinkun Lin, Anqi Zhang, Mathias Lécuyer, Jinyang Li, Aurojit Panda, Siddhartha Sen. Measuring the Effect of Training Data on Deep Learning Predictions via Randomized Experiments. ICML 2022. [paper][code, images]

Adversarial robustness

AI models show a worrying susceptibility to adversarial attacks, in which an attacker applies imperceptible changes to the input to arbitrarily influence a target model. My work laid the foundations for Randomized Smoothing (RS), the only technique to provably ensure robustness that scales to the largest AI models. Recently, I have extended RS to input-adaptive multi-step defences. RS is still an active area of research (my foundational paper has more than a thousand citations), and serves as a building block for other AI safety tools, such as to enforce fairness guarantees, or create robust watermarks and unlearnable examples.

Saiyue Lyu, Shadab Shaikh, Frederick Shpilevskiy, Evan Shelhamer, Mathias Lécuyer. Adaptive Randomized Smoothing: Certified Adversarial Robustness for Multi-Step Defences. Spotlight, NeurIPS 2024. [paper][code]
Mathias Lécuyer, Vaggelis Atlidakis, Roxana Geambasu, Daniel Hsu, Suman Jana. Certified Robustness to Adversarial Examples with Differential Privacy. S&P 2019. [paper][code]

Causal machine learning

AI models often inform downstream decisions, using repeated forecasts on different values of a controllable feature (e.g., the price of a good) to select the best outcome (e.g., the demand yielding the highest revenue). This decision procedure implicitly assumes that models will generalize to actions outside of the training distribution. This is often not the case, leading to poor performance. I develop and evaluate causal AI models, that generalize better when forecasting the effect of actions outside of the training distribution. This project is already deployed at a company.

Thomas Crasson, Yacine Nabet, Mathias Lécuyer. Training and Evaluating Causal Forecasting Models for Time-Series. Preprint 2024. [preprint]

Recent Invited Talks

Adversarial Robustness and Privacy Measurements using Hypothesis-tests. PrivSec Lab, LATECE, UQAM, Montréal (May 2025).
Adversarial Robustness and Privacy Measurements using Hypothesis-tests. International Laboratory and Learning Systems, Montréal (May 2025).
Adversarial Robustness and Privacy Measurements using Hypothesis-tests. CrySP, University of Waterloo (Apr 2025).
Adversarial Robustness and Privacy Measurements using Hypothesis-tests. CleverHans Lab for security and privacy of machine learning, Vector Institute and UoT (Apr 2025).
Adversarial Robustness and Privacy Measurements using Hypothesis-tests. Joint SRI and Vector AI Safety Reading Group, Toronto (Apr 2025).
Adaptive Randomized Smoothing: Certified Adversarial Robustness for Multi-Step Defences. Mathematics of Machine Learning, Canadian Mathematical Society Winter meeting (Dec 2024).
Security and Privacy in the age of Foundation Models. MSRA Vancouver Talk Series (Aug 2024).
PANORAMIA: Efficient Privacy Auditing of Machine Learning Models without Retraining. BIRS workshop on Statistical Aspects of Trustworthy Machine Learning (Feb 2024). [video].
[Tutorial] Privacy as hypothesis testing: linking Differential Privacy, membership attacks, and privacy audits. Canadian AI, Responsible AI Track, Montréal (June 2023).
DP-AdamBC: your DP-Adam is actually DP-SGD (unless you apply Bias Correction). Bridge the gap: Differential Privacy and Statistical Analysis, Amii Workshop, Edmonton (May 2023).

Service

Program Committees: Security & Privacy (Oakland) (2026 Associate Chair, 2023, 2022), SaTML (2025 Distinguished Reviewer Award, 2024), ICML(2025, 2022, 2020), NeurIPS (2024, 2021), OSDI (2023), USENIX Security (2021, 2020), MLSys (2021), Eurosys (2020), SoCC (2019), Systems for ML workshop (2019, 2018).
Reviewer: Journal of Machine Learning Research (2019), ACM Transactions on Internet Technology (2016).

For outreach activities, see my resume.