Main Conference

Towards Auditable Properties of AI systems via Hardware-Assisted Attestations

N. Asokan

University of Waterloo

Abstract: Artificial Intelligence (AI) systems are taking the world by storm. Their rapid rise in popularity has led to various jurisdictions formulating policies to regulate the building and use of systems based on AI models (“AI systems” for brevity). These are intended to help ensure desirable properties like equity, fairness, and trustworthiness of these systems. Given the rapid progress in the AI ecosystem, third parties may need to verify regulatory compliance of a system long before any formal certification. How can we arrange for such verification of relevant properties of AI systems without leaking any sensitive information?

In this talk, I will present our recent work towards this goal. I will describe our frameworks (Laminator and PAL*M) which leverage hardware-assisted trusted execution environments (TEEs) to make it possible to verify various types of properties of a machine learning (ML) pipeline that can be useful for verifying regulatory compliance. I will describe the design and implementation of the frameworks and identify some open problems and questions that require input from regulatory and legal experts in the hope of starting a conversation about what kind of technological mechanisms are needed to facilitate effective regulation of AI systems.

About the speaker: N. Asokan is a University Professor at the University of Waterloo and a visiting Wallenberg Chair at KTH Royal Institute of Technology. His primary research theme is systems security broadly, with emphasis on hardware-assisted security, and the interplay between security/privacy and AI. Asokan is an ACM Fellow, an IEEE Fellow, and a Fellow of the Royal Society of Canada.

For more information about Asokan’s work see his website at https://asokan.org/asokan/.

On Privacy-Preserving Quantum Computational Chemistry

Charanjit S Jutla

IBM T. J. Watson Research Center, New York, USA.

Abstract: With the dawn of advantageous quantum computation upon us, the focus on preserving privacy of quantum workloads becomes imperative. However, in the foreseeable future, error-correction and reliability are expected to be limited. Hence, applications may be limited to quantum chemistry, as we explore in this talk.

Before we can address privacy issues of cloud quantum computation, it behooves us to understand how computational problems in quantum chemistry are mapped to qubit-based computers. Recent works have suggested that given the noisy nature of current and future quantum computers, the most advantageous workloads are hybrid, i.e., ones that combine quantum sampling with classical high-performance computing. This leads us to study how classical FHE, quantum-FHE or quantum blind computation (QBC), and/or other rigorous privacy-preserving mechanisms can be combined.

About the speaker: Dr. Charanjit Singh Jutla obtained his BTech from IIT Kanpur in 1985, and PhD from University of Texas at Austin in 1990. Ever since, he has been a scientist at IBM Research, New York. His interests include Complexity Theory and Cryptography. He has made fundamental contributions to authenticated encryption, pairings-based cryptography and FHE. Of late, he has been interested in Quantum Computation and Security of Quantum Computation, with focus on Computational Chemistry.

A Critical Look at Perceptual Hash Functions

Bart Preneel

KU Leuven

Abstract: Perceptual hash functions are widely used for detection of copyrighted, illegal, or abusive images at scale. Unlike cryptographic hash functions, perceptual hash functions must tolerate visually insignificant modifications while preserving distinguishability between unrelated images. This talk reviews security notions including false positives, false negatives, preimage resistance, second-preimage resistance, and collision resistance. Black-box attacks on Apple’s NeuralHash demonstrate biased outputs and a high probability of accidental collisions, raising concerns for client-side scanning systems. White-box analyses of Microsoft’s PhotoDNA and Meta’s PDQ reveal very efficient attacks achieving both false negatives (evading detection) and false positives (implicating innocent users) with high success rates on consumer hardware. Experimental results show that currently deployed perceptual hash functions fail to provide the robustness and irreversibility claimed by designers and policy makers. The findings highlight fundamental tensions between perceptual similarity and cryptographic security, emphasizing the need for transparency and new designs that are carefully scrutinized before planning widespread deployment in security-critical online environments.
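The notions the abstract contrasts (robustness to small edits, false negatives, false positives as second preimages) can be made concrete on a deliberately simple perceptual hash. The following is an added example, not code from the talk and not any of the hash functions it names: a toy 64-bit average hash (aHash) in which each bit records whether one cell of an 8x8 block-averaged image lies at or above the mean of all cells. The test images, the 8x8 grid and the matching threshold of 10 bits are constructed assumptions. `nudge_to_hash` is a hypothetical second-preimage search that moves each mismatching cell's pixels one grey level at a time across the mean; `evade` uses it to produce a false negative by flipping the cells nearest the mean, and the same routine applied to an unrelated image with a blocklisted hash produces a false positive.

```python
"""Toy average hash (aHash): robustness, evasion (false negative) and forged
matches (false positive).  Constructed demo; not any deployed scheme."""
import math

SIDE = 8          # 8x8 cells -> 64-bit hash (assumed)
THRESHOLD = 10    # assumed matching threshold, in Hamming distance


def make_image(seed, h=64, w=64):
    """Constructed grayscale test image: smooth sin*cos pattern plus deterministic noise."""
    img = []
    for y in range(h):
        row = []
        for x in range(w):
            v = 128 + int(40 * math.sin(x / (4.0 + seed)) * math.cos(y / (3.0 + 2 * seed)))
            v += (x * 31 + y * 17 + seed * 7) % 13 - 6
            row.append(max(0, min(255, v)))
        img.append(row)
    return img


def cell_means(img):
    """Block-average the image down to SIDE x SIDE cells (row-major list of floats)."""
    bh, bw = len(img) // SIDE, len(img[0]) // SIDE
    out = []
    for by in range(SIDE):
        for bx in range(SIDE):
            block = [img[y][x] for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            out.append(sum(block) / len(block))
    return out


def ahash(img):
    """Average hash: bit i is 1 when cell i is at or above the mean of all cells."""
    cells = cell_means(img)
    mean = sum(cells) / len(cells)
    return tuple(1 if c >= mean else 0 for c in cells)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def matches(a, b, threshold=THRESHOLD):
    return hamming(a, b) <= threshold


def perturb(img):
    """Visually insignificant edit: +5 brightness plus a +-1 pixel pattern."""
    return [[min(255, p + 5 + (x + y) % 3 - 1) for x, p in enumerate(row)]
            for y, row in enumerate(img)]


def nudge_to_hash(img, target, max_rounds=4000):
    """Hypothetical second-preimage search: each round, shift every mismatching
    cell's block by one grey level toward the wanted side of the mean, until the
    hash equals `target`.  Returns the edited image, or None if it did not converge."""
    img = [row[:] for row in img]
    bh, bw = len(img) // SIDE, len(img[0]) // SIDE
    for _ in range(max_rounds):
        current = ahash(img)
        if current == target:
            return img
        for i, (cur, want) in enumerate(zip(current, target)):
            if cur == want:
                continue
            by, bx = divmod(i, SIDE)
            d = 1 if want == 1 else -1
            for y in range(by * bh, (by + 1) * bh):
                for x in range(bx * bw, (bx + 1) * bw):
                    img[y][x] = max(0, min(255, img[y][x] + d))
    return None


def evade(img, threshold=THRESHOLD):
    """False negative: flip the threshold+1 cells closest to the mean, so the
    edited image no longer matches its own original hash at minimal pixel cost."""
    cells = cell_means(img)
    mean = sum(cells) / len(cells)
    target = list(ahash(img))
    for i in sorted(range(len(cells)), key=lambda i: abs(cells[i] - mean))[:threshold + 1]:
        target[i] ^= 1
    return nudge_to_hash(img, tuple(target))


def max_pixel_change(a, b):
    """Attacker's cost: largest per-pixel grey-level change between two images."""
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))


if __name__ == "__main__":
    original = make_image(1)
    h = ahash(original)                         # pretend h is on a blocklist
    print("robust edit, distance:", hamming(h, ahash(perturb(original))))
    evaded = evade(original)
    print("evasion, distance:", hamming(h, ahash(evaded)),
          "max pixel change:", max_pixel_change(original, evaded))
    innocent = make_image(2)
    forged = nudge_to_hash(innocent, h)         # unrelated image now carries the blocklisted hash
    print("forged match:", ahash(forged) == h,
          "max pixel change:", max_pixel_change(innocent, forged))
```

Because aHash quantises a handful of block averages, an attacker only has to move each relevant cell just past the mean; `max_pixel_change` reports what that costs in grey levels, which is the visual price of the false negative or false positive. Raising the threshold makes evasion cost more cells but makes accidental and forged matches easier, which is the tension between perceptual similarity and cryptographic security that the talk describes.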

About the speaker: Prof. Bart Preneel is full professor heading the COSIC research group at the KU Leuven (Belgium). His expertise lies in applied cryptography, cybersecurity, and privacy. He has delivered numerous invited talks across 50 countries and received several awards including the RSA Award for Excellence in Mathematics (2014), the ESORICS Outstanding Research Award (2017) and Belgian ICT personality of the year (2025). Bart served as president of IACR (International Association for Cryptologic Research) and is a fellow of the IACR and a member of the Royal Academy of Art and Sciences Belgium and the Academia Europaea. He frequently consults for industry and government about cybersecurity and privacy technologies and he has testified multiple times for the Flemish, Belgian and European Parliaments. Bart founded the mobile authentication startup nextAuth and holds roles in Approach Belgium, Tioga Capital Partners, and Nym Technologies. He is actively engaged in cybersecurity policy debates.