2025Activity report​​​‌Project-TeamPETSCRAFT

3.2.1​​ Axis 1: Explicable Privacy​​​‌ Models for PETs (‌coordinator: Adrien Boiret)‌​‌

[hidealllines=true, leftline=true, innerleftmargin=7pt, innerrightmargin=0pt,​​ innertopmargin=0.1nerbottommargin=0.1linewidth=0.5pt]

Ultimate goal: Design​​​‌ an integrated approach that‌ combines various models to‌​‌ encompass the core privacy​​ principles of GDPR.

First​​​‌ milestone: Privacy models for‌ some specific applications in‌​‌ our application fields.

There​​ are a few crucial​​​‌ privacy concepts that encompass‌ the lifecycle of personal‌​‌ data, from data collection,​​ to sharing, use and​​​‌ destruction. These privacy concepts‌ include Data Minimization2‌​‌.Data Portability,​​ or Right to be​​​‌ forgotten. Most have‌ already been translated into‌​‌ major laws on personal​​ data protection and privacy​​​‌ worldwide, such as the‌ GDPR 39 or the‌​‌ CPRA 42. These​​ privacy concepts are currently​​​‌ defined within legal and‌ philosophical frameworks (such as‌​‌ Article 5 of the​​ GDPR). However, these definitions​​​‌ are not necessarily easy‌ to translate to mathematical‌​‌ concepts. As a result,​​ their implementation, and thus​​​‌ their adoption remains relatively‌ low at this stage‌​‌ (see e.g., 41 for​​ the right to data​​​‌ portability). We consider that‌ proposing implementable and mathematically‌​‌ sound models for these​​ concepts is essential for​​​‌ proposing PETs that can‌ effectively implement them and‌​‌ lead to practical adoption.​​

Research challenges. The challenges​​​‌ hence lie in the‌ need to model the‌​‌ desired privacy properties while​​ considering both (1) the​​​‌ objectives of data processing‌ (the purpose under the‌​‌ GDPR terminology) and (2)​​ the explicability of the​​​‌ model. This second point‌ arises from our intention‌​‌ to establish a new​​ set of tools for​​​‌ individuals towards a right‌ to explicability, which is‌​‌ an essential extension of​​ informed consent better suited​​​‌ to a surveillance society‌ 49. For the‌​‌ privacy concepts under consideration,​​ the problem is complex​​​‌ as it involves reconciling‌ conflicting dimensions. For example,‌​‌ effective Data Minimization depends​​ on the values of​​​‌ an individual's data required‌ to achieve the expected‌​‌ purpose while also considering​​ the estimated sensitivity of​​​‌ different attributes. On the‌ other hand, in some‌​‌ cases, the utility of​​ processing must be fully​​​‌ preserved (e.g., a service‌ that an individual is‌​‌ entitled to should not​​ be denied due to​​​‌ excessive data minimization). Furthermore,‌ there is a concern‌​‌ that the algorithm (or​​ logic) employed for data​​​‌ minimization and explicability reasons‌ could be known, potentially‌​‌ enabling attackers to deduce​​​‌ (unexposed) personal data.

Roadmap.​ Our roadmap begins with​‌ exploring various design models​​ for different privacy concepts​​​‌ and related security properties.​ As we progress, we​‌ will integrate these models​​ into a cohesive approach​​​‌ that aligns with GDPR's​ core privacy principles, ultimately​‌ creating an integrated solution​​ for the design of​​​‌ comprehensive data protection. In​ the initial stages, we​‌ will especially focus on​​ database-related models:

1. Logic and​​​‌ tree-automata-based data models. We​ will start by examining​‌ existing tools for data​​ management and logic, focusing​​​‌ on data minimization. To​ achieve this, we will​‌ build upon the formal​​ definition proposed by Antignac​​​‌ et al. 33.​ Our initial focus will​‌ be on scenarios involving​​ social benefits, where vast​​​‌ amounts of personal data​ are collected annually from​‌ millions of individuals (e.g.,​​ solidarity income or health​​​‌ coverage requests). We will​ also consider the use​‌ of automata-based models for​​ limiting data retention and​​​‌ specifically tree-automata for verifying​ structural constraints on tree-type​‌ data structures. Such work​​ is nevertheless exploratory. We​​​‌ will benefit from the​ expertise of Adrien Boiret​‌ on the topic of​​ formal verification using automata.​​​‌
2. Time-sensitive data models. We​ will investigate consent-based data​‌ use policies in the​​ case of home monitoring​​​‌ (e.g., teleworking, parental control),​ where the need for​‌ privacy protection clashes with​​ legitimate surveillance goals. We​​​‌ will investigate database models​ for time-sensitive data management.​‌
3. Graph rewriting models. As​​ an additional formalism, we​​​‌ will examine graph rewriting​ models for expressing transformations​‌ on graphs, including pattern​​ matching and graph updates.​​​‌ Our intuition is to​ use such techniques for​‌ protecting privacy of semantically​​ rich (e.g., RDF) data​​​‌ graphs, while respecting privacy​ constraints on the exposed​‌ information (see our ongoing​​ work 45, 36​​​‌). Here, we will​ be able to leverage​‌ the expertise of Cédric​​ Eichler in graph rewriting.​​​‌

3.2.2 Axis 2: Decision​ Support for PETs (​‌coordinator: Cédric Eichler)​​

[hidealllines=true, leftline=true, innerleftmargin=7pt, innerrightmargin=0pt,​​​‌ innertopmargin=0.1nerbottommargin=0.1linewidth=0.5pt]

Ultimate goal: A​ nutriscore equivalent for PETs​‌ (PET score).

First milestone:​​ A more explicable notion​​​‌ of differential privacy.

In​ the context of privacy,​‌ user's consent is required,​​ in order to pursue​​​‌ the processing of user's​ data. Current PETs, such​‌ as cookie banners, are​​ typical examples of how​​​‌ a system can be​ both explicable and opaque,​‌ and not at all​​ helpful when it comes​​​‌ to decision support for​ the user. Android and​‌ IOS have also created​​ icons called “privacy nutrition​​​‌ labels” to represent the​ data used by their​‌ apps, but as studied​​ by 40 these present​​​‌ numerous limitations, in particular​ their difficulty to be​‌ understood and used by​​ the general public.

Indeed,​​​‌ intrinsically explicable privacy models​ (a fortiori non​‌ explicable models) do not​​ necessarily equate to being​​​‌ helpful enough to warrant​ informed consent (e.g. if​‌ the information is unstructured,​​ overwhelming, badly presented, etc.).​​​‌

We argue that it​ is impossible to obtain​‌ consent from the general​​ public if there is​​​‌ no practical explicability. Indeed,​ some privacy models are​‌ criticized for their lack​​ of explicability and usability,​​ which is a major​​​‌ obstacle to their adoption.‌ For example, existing studies‌​‌ 43, 44 question​​ the difficulty of understanding​​​‌ the right values to‌ give to $ϵ,‌‌\delta$ used in the​​ differential privacy model. Thus​​​‌ we propose to study‌ the general problem of‌​‌ explicable privacy to provide​​ decision support.

Research​​​‌ challenges. The general research‌ challenge lies in providing‌​‌ usable explicability for privacy​​ technologies, in the sense​​​‌ that any non expert‌ user should be able‌​‌ to comprehend the general​​ implications of a PET,​​​‌ and take an informed‌ decision, i.e. providing decision‌​‌ support for PETs. As​​ in the case of​​​‌ decision support in general‌ purpose information systems, this‌​‌ is challenging due to​​ several factors : (1)​​​‌ the volume of data‌ to be processed, (2)‌​‌ the impact of individual's​​ decisions on other users,​​​‌ (3) the complexity of‌ the decision support models,‌​‌ and (4) the evaluation​​ of the solutions proposed.​​​‌ The research challenges that‌ we tackle in this‌​‌ axis concern either existing​​ models (such as providing​​​‌ an explicability framework for‌ differential privacy on constrained‌​‌ data, such as RDF​​ with RDFS/OWL constraints), or​​​‌ models proposed in Axis‌ 1 (such as data‌​‌ minimization, purpose limitation, etc.)​​

Roadmap. While Axis 1​​​‌ is concerned with defining‌ privacy models, Axis 2‌​‌ seeks to confront them​​ to reality and leverage​​​‌ them to support informed‌ decision-making. We will start‌​‌ by studying the explicability​​ of existing, widespread models,​​​‌ and also the models‌ proposed in Axis 1.‌​‌

1. Improving the explicability of​​ differential privacy in the​​​‌ presence of constraints. We‌ will start by working‌​‌ on a redefinition of​​ neighborhoods (via improved metrics)​​​‌ to better reflect the‌ knowledge of adversaries, in‌​‌ order to improve the​​ explicability of differentially private​​​‌ algorithms in a context‌ of real world constraints‌​‌ on data. We will​​ start by using semantic​​​‌ constraints. For instance, if‌ we are trying to‌​‌ protect geolocalized data with​​ a geo-indistinguishability approach 38​​​‌, knowledge that an‌ individual is travelling by‌​‌ train will drastically reduce​​ their possible positions, instead​​​‌ of granting the expected‌ protection.
2. Informed data minimization.‌​‌ Relying on models for​​ data minimization developed in​​​‌ Axis 1, we will‌ inform how decisions (e.g.‌​‌ to publish or not​​ some information that may​​​‌ concern me) taken by‌ other users influence my‌​‌ own privacy decisions. For​​ instance, the decision to​​​‌ disclose the identity of‌ one's partner has varying‌​‌ privacy implications depending on​​ whether that partner chooses​​​‌ to disclose their home‌ address. Therefore, the outcome‌​‌ (here, the 'privacy cost')​​ of an individual's decision,​​​‌ is contingent on the‌ decisions made by others.‌​‌ Thus we adopt a​​ game theoretic approach, which​​​‌ is well adapted to‌ this kind of problem.‌​‌ We are developing a​​ practical explicable model for​​​‌ data minimization using such‌ an approach. This model‌​‌ can then be used​​ to obtain informed consent​​​‌ from all users. We‌ also plan on conducting‌​‌ an experimental evaluation of​​ the practicality of our​​​‌ data minimization model.
3. Informed‌ dynamic data sharing. It‌​‌ is widely acknowledged that,​​​‌ when continuously sharing data,​ each subsequent release cannot​‌ be viewed in isolation.​​ To fully comprehend the​​​‌ implications of sharing data​ with an entity, one​‌ must take into account​​ previous disclosures. These disclosures​​​‌ may have originated from​ the individual or others,​‌ as previously seen. In​​ addition to past and​​​‌ present, an informed decision​ should also consider data​‌ sharing that may reasonably​​ be expected to occur​​​‌ in the future. Telework​ is a typical application​‌ where dynamic information must​​ be considered.

Overall, we​​​‌ also aim to create​ a PET score type​‌ of indicator, similar to​​ the european nutriscore, which​​​‌ is a very simple​ and understandable abstraction to​‌ help consumers make an​​ informed decision regarding the​​​‌ nutritive qualities of the​ products that they buy,​‌ and synthesized in an​​ understandable manner. Existing​​​‌ attempts, such as Apple's​ “Privacy Nutrition Labels” 40​‌, focus on the​​ amount of personal data​​​‌ an app uses. In​ contrast, we aim to​‌ introduce a PET score​​ centered on explicability to​​​‌ better inform user choices​ and enable them to​‌ control the dissemination of​​ their data (to whom,​​​‌ why, over time, etc.).​ This assessment should incorporate​‌ as much relevant information​​ as possible. Initially, we​​​‌ will assess the data​ collected and the purposes​‌ for its collection. Gradually,​​ we will include aspects​​​‌ from each axis: the​ consideration of privacy models,​‌ the level of protection​​ they provide, and the​​​‌ security of the process.​

3.2.3 Axis 3: Secure​‌ Protocols for PETs (​​coordinator: Xavier Bultel)​​​‌

[hidealllines=true, leftline=true, innerleftmargin=7pt, innerrightmargin=0pt,​ innertopmargin=0.1nerbottommargin=0.1linewidth=0.5pt]

Ultimate goal: Provide​‌ security proofs against malicious​​ adversaries of all our​​​‌ proposed privacy concepts, and​ an efficient implementation.

First​‌ milestone: Provide security proofs​​ against malicious adversaries in​​​‌ some novel PETs.

Privacy​ concepts studied in Axis​‌ 1 assume a trusted​​ environment and do not​​​‌ consider security risks: the​ only risks considered are​‌ privacy risks, which are​​ linked to the actual​​​‌ output of the operation​ performed, but not how​‌ the function or protocol​​ are robust regarding an​​​‌ external attacker.

In this​ first sub-axis, we study​‌ classical adversaries / attack​​ models, from very limited​​​‌ adversaries such as the​ honest-but-curious model, to very​‌ powerful fully malicious adversaries,​​ through realistic adversaries, such​​​‌ as covert adversaries 35​. Note that adversaries​‌ may have goals reaching​​ further than unauthorized data​​​‌ acquisition such as trying​ to influence the output​‌ of the PET, which​​ we also consider. Our​​​‌ goal is thus to​ provide formal security proofs​‌ of our functions and​​ protocols regarding realistic adversaries,​​​‌ while trying to provide​ efficient implementations of the​‌ privacy concepts considered e.g.​​ improving the complexity of​​​‌ protocols, or using lightweight​ cryptography 47.

Research​‌ challenges. While devising secure​​ and provable protocols is​​​‌ in itself a difficult​ task, we consider the​‌ original context of realistic​​ adversaries. For instance, honest-but-curious​​​‌ adversaries do not exhibit​ realistic behaviour and are​‌ mainly used to discuss​​ information leakage in presence​​​‌ of fully trusted adversaries.​ On the contrary, malicious​‌ adversaries are often lent​​ more attacking capacities than​​ a real attacker may​​​‌ have. Thus the research‌ challenge of this sub-axis‌​‌ stems from the objective​​ of building provable protocols​​​‌ for specific and finer‌ (i.e. more sophisticated) threat‌​‌ models (which first need​​ to be convincingly defined).​​​‌ This leads to a‌ twofold research challenge:

1. Building‌​‌ secure privacy protocols. There​​ are technical and scientific​​​‌ difficulty of building and‌ proving protocols to achieve‌​‌ the use cases (in​​ particular in the context​​​‌ of specific attack models).‌ Use cases may also‌​‌ need to be constrained​​ in order to be​​​‌ able to produce formal‌ proofs using our regular‌​‌ tools (security reductions, logic​​ and automata).
2. Building usable​​​‌ protocols. It is important‌ to consider the practicality‌​‌ and efficiency when designing​​ these protocols. Computational cost​​​‌ optimization is also an‌ important factor that we‌​‌ would like to include​​ when evaluating the efficiency​​​‌ of the implementation of‌ these protocols.

Roadmap. We‌​‌ already have a lot​​ of experience in building​​​‌ secure and proven protocols‌ in practical contexts (legal‌​‌ communication interception, anonymization, MapReduce,...)​​ 34, 46,​​​‌ 30, 37.‌ However, all these systems‌​‌ are not PETs, since​​ they do not assist​​​‌ the individuals concerned in‌ taking decisions regarding their‌​‌ privacy.

We plan on​​ using the approaches developed​​​‌ in these works to‌ build (i.e. ZKPK, MPC)‌​‌ and prove (i.e. security​​ reductions) protocols proposed in​​​‌ Section 4. We‌ plan on starting with‌​‌ the following two protocols​​ :

1. A high school​​​‌ harassment anonymous warning PET‌: we must propose‌​‌ and prove a protocol​​ guaranteeing anonymous whistle blowing​​​‌ and a subsequent anonymous‌ interactive process to qualify/verify‌​‌ the reported facts. Our​​ initial milestone in shaping​​​‌ our project-team's direction will‌ revolve around such a‌​‌ school harassment anonymous warning​​ PET. It seems most​​​‌ compelling to commence by‌ developing this first milestone,‌​‌ which aligns with our​​ dissemination-oriented approach but also​​​‌ with our hope to‌ address essential privacy and‌​‌ security concerns, as a​​ marker for our project-team​​​‌ work.
2. An anonymous and‌ fair conference review system‌​‌ PET: the objective​​ is to propose a​​​‌ suite of protocols to‌ build a secure and‌​‌ provable peer-reviewing system with​​ minimal information leakage, and​​​‌ no need for a‌ trusted third party, or‌​‌ similar security hypothesis.

3.2.4​​ Axis 4: Trustworthy Data​​​‌ Management for PETs (‌coordinator: Nicolas Anciaux)‌​‌

[hidealllines=true, leftline=true, innerleftmargin=7pt, innerrightmargin=0pt,​​ innertopmargin=0.1nerbottommargin=0.1linewidth=0.5pt]

Ultimate goal: A​​​‌ comprehensive library for the‌ implementation of trustworthy data-oriented‌​‌ PETs.

First milestone: A​​ set of privacy risk/impact​​​‌ assessment metrics specifically tailored‌ for various application contexts;‌​‌ the design and implementation​​ of secure evaluation algorithms​​​‌ incorporating secure hardware and‌ distributed processing techniques in‌​‌ realistic scenarios.

PETs deal​​ by nature with large​​​‌ volumes of highly personal‌ datasets when adopted. In‌​‌ the absence of a​​ trustworthy implementation, PETs' operations​​​‌ could inadvertently compromise the‌ personal data they are‌​‌ designed to protect, leading​​ to unintended consequences thus​​​‌ eroding public trust, and‌ undermining their very purpose.‌​‌ For example, a minimisation​​ PET reduces the amount​​​‌ of personal data to‌ be processed by a‌​‌ service. It could be​​​‌ implemented as a pre-processing​ service having access to​‌ all the data and​​ producing a minimal set​​​‌ shared with the service,​ hence improving its potential​‌ “PET score”. However, a​​ lack of trust in​​​‌ the implementation of the​ PET could negate its​‌ benefit, and undermine its​​ “PET score”.

Research challenges.​​​‌ The research challenges linked​ to trustworthy implementations limiting​‌ the privacy risk/impact of​​ PETs include the following:​​​‌ (1) Privacy metrics for​ PETs. Privacy risk/impact assessment​‌ metrics are usually complex​​ and specific to each​​​‌ PET. They should capture​ the potential privacy leakage​‌ and impact associated with​​ the technology's evaluation in​​​‌ various application scenarios, consider​ specific and realistic attacker​‌ models, and appropriate security​​ and privacy properties. To​​​‌ conduct a comprehensive risk​ and privacy impact analysis,​‌ it is hence crucial​​ to consider a wide​​​‌ array of factors and​ scenarios beyond these idealized​‌ models. In real-world settings,​​ the trust landscape becomes​​​‌ complex, depending on factors​ such as the PET's​‌ implementation, runtime architecture (centralized​​ or distributed), security/privacy properties,​​​‌ and accountability. (2) Privacy​ preserving evaluation for PETs.​‌ Developing algorithms and techniques​​ to minimize the identified​​​‌ privacy risk/impact metrics while​ implementing the PET is​‌ crucial. The challenge lies​​ in designing generic, secure​​​‌ and scalable computations techniques​ resorting to technologies like​‌ trusted execution environments, differential​​ privacy or cryptographic techniques,​​​‌ and providing acceptable execution​ performance. Explicability and monitoring​‌ (audit) features must also​​ be supported without compromising​​​‌ privacy.

Roadmap. We plan​ to pursue the following​‌ actions :

1. Implementation on​​ TEE-CPU and TEE-GPU. Our​​​‌ initial goal is to​ take a step towards​‌ a trustworthy implementation of​​ Data Minimization data algorithms​​​‌ leveraging trusted execution environment​ such as Intel SGX.​‌ Our proposal will first​​ consider simple security assumptions​​​‌ (unbreakable TEE) to more​ complex ones (including countermeasures​‌ for potential attacks through​​ side channels) to enhance​​​‌ the PETs security and​ minimize the risk of​‌ an attack.
2. The impact​​ of security on explicability.​​​‌ A longer term goal​ is to address the​‌ conflicts arising from a​​ secure data management point​​​‌ of view when balancing​ monitoring, explicability and privacy​‌ in PETs. First, we​​ will propose specific implementations​​​‌ of auditable/explicable PETs in​ applications contexts studied in​‌ previous axes (in particular,​​ Data Minimization and home​​​‌ monitoring/telework). We hope then​ to investigate new techniques​‌ for a trustworthy, generic​​ and efficient evaluation of​​​‌ auditable data-oriented PETs.

7.6.1 SAFES: A​‌ Secure and Extensible STaaS​​ Leveraging SGX

Participants: Nicolas​​​‌ Anciaux, Xinqing Li​ [correspondent], Iulian Sandu​‌ Popa, Subashiny Tanigassalame​​.

SAFES is a​​​‌ secure and extensible data​ storage service that leverages​‌ Intel Software Guard eXtension​​ (SGX). The originality of​​​‌ our approach lies in​ achieving extensibility through a​‌ set of isolated, data-oriented​​ tasks that may potentially​​​‌ run vulnerable code (i.e.,​ the code is not​‌ malicious, but presents some​​ bugs which can be​​ exploited by attackers), not​​​‌ fully trusted by the‌ data owner. These tasks‌​‌ run alongside a trusted​​ module, which controls the​​​‌ entire workflow and minimizes‌ data leakage. This prototype‌​‌ is developped as part​​ of Xinqing Li's PhD​​​‌ thesis, in the Storage-as-a-service‌ context. The code runs‌​‌ on a server equipped​​ with an Intel Xeon​​​‌ Silver 4314 processor (16‌ cores @ 2.4GHz, 64‌​‌ GB RAM, supporting SGX​​ v2). The implementation is​​​‌ written in C/C++ using‌ SGX SDK 2.24 and‌​‌ WASI.

7.6.2 LOCALLM: a​​ TEE-CPU and TEE-GPU Platform​​​‌ for LLM-based components

Participants:‌ Nicolas Anciaux, Cédric‌​‌ Eichler, Xinqing Li​​ [correspondent], Subashiny Tanigassalame​​​‌ [correspondent], Xingzi Zhang‌.

The platform is‌​‌ based on an NVIDIA​​ H100/H200 configured with Confidential​​​‌ Computing enabled (CC-ON) and‌ integrated into a TEE-GPU‌​‌ execution chain. Workloads are​​ orchestrated from a confidential​​​‌ VM (cVM) running on‌ a CPU-side TEE (AMD‌​‌ SEV-SNP), providing stronger isolation​​ and tighter control over​​​‌ sensitive data during execution.‌ In practice, this platform‌​‌ enables the secure execution​​ of large AI models​​​‌ (LLMs), as well as‌ the main building blocks‌​‌ of a chatbot pipeline​​ (e.g., retrieval, prompt orchestration,​​​‌ and inference services), within‌ a trusted environment. This‌​‌ capability opens the way​​ to hardware-based privacy-preserving architectures​​​‌ leveraging AI/LLM components, including‌ confidential chatbot designs for‌​‌ a local, sovereign, and​​ defense-in-depth secure deployment, in​​​‌ line with some recommendations‌ from the French Cybersecurity‌​‌ Agency (see Technical Position​​ Paper on Confidential Computing,​​​‌ v1.0, Oct 2025).‌

8.1.1 Privacy Attacks‌ on Matrix Profiles via‌​‌ Reconstruction Techniques (Axis 1)​​

Participants: Nicolas Anciaux,​​​‌ Adrien Boiret, José‌ María De Fuentes,‌​‌ Benjamin Nguyen, Haoying​​ Zhang [correspondent].

Matrix​​​‌ Profile (MP) is a‌ data mining structure increasingly‌​‌ used for time series​​ analysis in both academic​​​‌ and industrial contexts. Given‌ its application to sensitive‌​‌ domains such as healthcare​​ or energy monitoring, it​​​‌ is crucial to examine‌ associated privacy risks, especially‌​‌ since MPs are often​​​‌ shared or processed in​ untrusted environments like the​‌ cloud. While recent studies​​ suggest that MPs offer​​​‌ some privacy protection, this​ assumption remains largely untested.​‌ This paper analyzes the​​ privacy risks of MP​​​‌ publication through the lens​ of EU data protection​‌ law, focusing on singlingout,​​ linkability, and inference risks.​​​‌ We introduce a reconstruction​ technique based on constraint​‌ optimization, capable of recovering​​ approximate original time series​​​‌ from their MPs, leading​ to severe privacy attacks.​‌ Experiments on real-world datasets​​ reveal vulnerabilities to all​​​‌ attack types, with reconstructed​ series reaching up to​‌ 0.99 Pearson Correlation with​​ the original. This work​​​‌ will be presented at​ the PoPETS conference 16​‌.

8.1.2 LUMIA: Linear​​ Probing for Unimodal and​​​‌ MultiModal Membership Inference Attacks​ (Axis 1)

Participants: Nicolas​‌ Anciaux, Jose Maria​​ De Fuentes, Lorena​​​‌ Gonzalez Manzano, Luis​ Ibanez Lissen [correspondent].​‌

Large Language Models (LLMs)​​ are increasingly used in​​​‌ a variety of applications.​ Concerns around inferring whether​‌ data samples belong to​​ the LLM training dataset​​​‌ have grown in parallel.​ Previous efforts focus on​‌ black-to-grey-box models, thus neglecting​​ the potential benefit from​​​‌ internal LLM information. To​ address this problem, we​‌ propose the use of​​ Linear Probes (LPs) as​​​‌ a method to assess​ Membership Inference Attacks (MIAs)​‌ by examining internal activations​​ of LLMs. Our approach,​​​‌ dubbed LUMIA, applies LPs​ layer-by-layer to get fine-grained​‌ data on the model​​ inner workings. Results are​​​‌ presented in 19.​ Anotehr use of Linear​‌ probes for early LLM​​ compression in code vulnerability​​​‌ classification is analzed in​ 13. These research​‌ actions are explored in​​ partnership with COSEC as​​​‌ part of the PETSAI​ associated team.

8.1.3 Data​‌ Provenance Auditing of Fine-Tuned​​ Large Language Models with​​​‌ a Text-Preserving Technique (Axis​ 1)

Participants: Nicolas Anciaux​‌, Alexandra Bensamoun,​​ José María De Fuentes​​​‌, Cedric Eichler,​ Seifeddine Ghozzi, Lorena​‌ Gonzalez Manzano, Yanming​​ Li [correspondent].

We​​​‌ propose a system for​ marking sensitive or copyrighted​‌ texts to detect their​​ use in fine-tuning large​​​‌ language models under black-box​ access with statistical guarantees.​‌ Our method builds digital​​ “marks” using invisible Unicode​​​‌ characters organized into (“cue”,​ “reply”) pairs. During an​‌ audit, prompts containing only​​ “cue” fragments are issued​​​‌ to trigger regurgitation of​ the corresponding “reply”, indicating​‌ document usage. To control​​ false positives, we compare​​​‌ against held-out counterfactual marks​ and apply a ranking​‌ test, yielding a verifiable​​ bound on the false​​​‌ positive rate. The approach​ is minimally invasive, scalable​‌ across many sources, robust​​ to standard processing pipelines,​​​‌ and achieves high detection​ power even when marked​‌ data is a small​​ fraction of the fine-tuning​​​‌ corpus. This proposal is​ in submission 29.​‌ The project is conducted​​ in partnership with Alexandra​​​‌ Bensamoun, Professor of Law​ at University Paris-Saclay, and​‌ with COSEC (PETSAI​​).

8.2.1​‌ TELESAFE: Privacy Preserving Detection​​ of Private/Work Boundary Crossings​​​‌ in Energy Consumption Trails​ in Telework (Axis 2)​‌

Participants: Nicolas Anciaux,​​ José María De Fuentes​​, Benjamin Nguyen,​​​‌ Haoying Zhang [correspondent].‌

Teleworking has become a‌​‌ social gain following the​​ COVID-19 lock-downs. In many​​​‌ professions, remote work is‌ becoming a common practice,‌​‌ either at the employee's​​ home or in a​​​‌ shared space nearby. However,‌ this creates an implicit‌​‌ private/work-life tension as private​​ activities may be carried​​​‌ out during work time‌ and vice versa. Detecting‌​‌ boundary crossings is of​​ outmost relevance - they​​​‌ serve as evidence of‌ the workers' breaks and‌​‌ right to rest. However,​​ this must be achieved​​​‌ without excessive surveillance. Existing‌ activity recognition techniques either‌​‌ do not address the​​ border crossing problem or​​​‌ require a priori training.‌

To address this issue,‌​‌ we have developped TELESAFE,​​ a boundary crossing detector​​​‌ solution for teleworking. TELESAFE‌ does not require any‌​‌ training nor instrumentation of​​ the teleworker home and​​​‌ can be run locally‌ in resource-constrained devices. To‌​‌ illustrate its suitability, it​​ is applied on electric​​​‌ consumption trails so as‌ to enable self and‌​‌ third-party assessment (e.g., work​​ inspectors) on working conditions.​​​‌ Results on real-world datasets‌ show a Fscore over‌​‌ $90\%$ for identifying​​ private activities involving one​​​‌ or more devices with‌ usage patterns of varying‌​‌ lengths. Interestingly, TELESAFE outperforms​​ Machine and Deep-Learning approaches​​​‌ in the most complex‌ settings, without the burden‌​‌ of training. This wak​​ was presented at VLDB​​​‌ 17 and demonstrated at‌ ICDM 21.

Figure‌​‌ representing the Telesafe approach​​

8.2.2 LDP‌ Toolbox (Axis 2)

Participants:‌​‌ Haoying Zhang [Correspondent].​​

Local Differential Privacy (LDP)​​​‌ provides strong, formal privacy‌ guarantees without requiring a‌​‌ trusted curator, making it​​ a promising approach for​​​‌ privacy-preserving data collection and‌ analysis. However, despite extensive‌​‌ research, practitioners may struggle​​ to understand how to​​​‌ tune LDP parameters and‌ anticipate the impact on‌​‌ data utility and attack​​ risks for their specific​​​‌ scenarios. To address this‌ gap, we demonstrate LDP-Toolbox‌​‌ 22, the first​​ interactive, web-based toolbox (implemented​​​‌ in Python) that enables‌ practical, analytical visualization of‌​‌ trade-offs between privacy loss​​ ($ϵ$), utility​​​‌ loss, and vulnerability to‌ attacks. The toolbox supports‌​‌ exploration of these trade-offs​​ using real-world datasets from​​​‌ different domains; in this‌ demonstration, we focus on‌​‌ discrete personal attributes and​​ location-based scenarios. By providing​​​‌ intuitive, visual insights, LDP-Toolbox‌ lowers the barrier to‌​‌ deploying LDP in real​​ applications and helps bridge​​​‌ the gap between theoretical‌ guarantees and practical adoption.‌​‌ The toolbox is open-source​​ on PyPI and a​​​‌ video is available.‌

Figure representing the LDP‌​‌ Toolbox GUI

8.2.3 Usable Anonymous EMV-Compliant‌ Contactless Payments (Axis 2)‌​‌

Participants: Charles Olivier Anclin​​ [Correspondent], Xavier Bultel​​​‌.

EMV is the‌ de-facto worldwide payment system‌​‌ used by Mastercard, Visa,​​ American Express, and such.​​​‌ In-shop EMV contactless payments‌ are not anonymous or‌​‌ private: the payers' long-term​​ identification data leaks to​​​‌ Merchants or even to‌ observers. Anti-Money Laundering (AML),‌​‌ Know Your Customer (KYC)​​ and Strong Customer Authentication​​​‌ (SCA) are payment regulations‌ protecting us from illegal‌​‌ activities, but –in so​​​‌ doing– contribute chiefly to​ this lack of privacy​‌ in EMV payments. Threading​​ the tightrope of AML,​​​‌ KYC and SCA regulations,​ we provide in 20​‌ two privacy-enhancing, EMV-compatible, law-abiding​​ and practicable contactless-payments protocols:​​​‌ PrivBank and PrivProxy.

We​ do not use privacy-enhancing​‌ technology, like homomorphic encryption,​​ that would break backwards-compatibility​​​‌ with current EMV, but​ rather we do privacy​‌ by engineering design, adhering​​ to the existing EMV​​​‌ infrastructure, as is. So,​ PrivBank and PrivProxy provably​‌ achieve strong notions of​​ payers and merchant privacy,​​​‌ anonymity and unlinkability as​ seen in e-cash or​‌ shopping vouchers, whilst being​​ implementable in EMV as​​​‌ it stands.

Figure representing​ the proposed protocols

8.2.4 Cohesive database neighborhoods​​​‌ for differential privacy (Axis​ 2)

Participants: Adrien Boiret​‌, Cedric Eichler,​​ Yasmine Hayder [correspondent],​​​‌ Benjamin Nguyen, Sara​ Taki.

The Semantic​‌ Web represents an extension​​ of the current web​​​‌ offering a metadata-rich environment​ based on the Resource​‌ Description Format (RDF) which​​ supports advanced querying and​​​‌ inference. However, relational database​ (RDB) management systems remain​‌ the most widespread systems​​ for (Web) data storage.​​​‌ Consequently, the key to​ populating the Semantic Web​‌ is the mapping of​​ RDB to RDF, supported​​​‌ by standardized mechanisms. Confidentiality​ and privacy represent significant​‌ barriers for data owners​​ when considering the translation​​​‌ and subsequent utilization of​ their data. In order​‌ to facilitate acceptance, it​​ is essential to build​​​‌ privacy models that are​ equivalent and explainable within​‌ both data formats. Differential​​ Privacy (DP) has emerged​​​‌ to be the flagship​ of data privacy when​‌ sharing or exploiting data.​​ Recent works have proposed​​​‌ DP-models tailored for either​ multi-relational databases or RDF.​‌

In 15, we​​ leverage this field of​​​‌ work to study how​ privacy guarantees on RDB​‌ with foreign key constraints​​ can be transposed to​​​‌ RDF databases and vice​ versa. We consider a​‌ promising DP model for​​ RDB related to cascade​​​‌ deletion and demonstrate that​ it is sometimes similar​‌ to an existing DP​​ graph privacy model, but​​​‌ inconsistently so. Consequently, we​ tweak this model in​‌ the relational world and​​ propose a new model​​​‌ called restrict deletion. We​ show that it is​‌ equivalent to an existing​​ DP graph privacy model,​​​‌ facilitating the comprehension, design​ and implementation of DP​‌ mechanisms in the context​​ of the mapping of​​​‌ RDB to RDF. Building​ on this study of​‌ how database constraints impact​​ differential privacy, we present​​​‌ in 25 a study​ on data Privacy for​‌ knowledge graphs, in the​​ context of the PhD​​​‌ of Yasmine Hayder.

8.3.1 Cryptographic Proofs​​ for Privacy Primitives (Axis​​​‌ 3)

Participants: Xavier Bultel​, Charlene Jojon [correspondent]​‌, Benjamin Nguyen,​​ Khourédia Cissé, Haoying​​​‌ Zhang.

8.3.2 Distributed Transition‌​‌ System with Tags and​​ Value-wise Metric, for Privacy​​​‌ Analysis (Axis 3)

Participants:‌ Benjamin Nguyen [correspondent].‌​‌

In 28 we introduce​​ a logical framework named​​​‌ Distributed Labeled Tagged Transition‌ System (DLTTS), using concepts‌​‌ from Probabilistic Automata, Probabilistic​​ Concurrent Systems, and Probabilistic​​​‌ labelled transition systems. We‌ show that DLTTS can‌​‌ be used to formally​​ model how a given​​​‌ piece of private information‌ $P$ (e.g., a set‌​‌ of tuples) stored in​​ a given database $\mathrm{D‌}$ can get captured progressively‌ by an adversary A‌​‌ repeatedly querying $D$,​​ enhancing the knowledge acquired​​​‌ from the answers to‌ these queries with relational‌​‌ deductions using certain additional​​ non-private data. The database​​​‌ $D$ is assumed protected‌ with generalization mechanisms. We‌​‌ also show that, on​​ a large class of​​​‌ databases, metrics can be‌ defined 'value-wise', and more‌​‌ general notions of adjacency​​ between data bases can​​​‌ be defined, based on‌ these metrics. These notions‌​‌ can also play a​​ role in differentially private​​​‌ protection mechanisms.

8.4.1 Trusted​ Execution Environments (TEE-CPU) for​‌ Secure Data Ecosystems (Axis​​ 4)

Participants: Nicolas Anciaux​​​‌ [correspondent], Iulian Sandu​ Popa.

This work​‌ leverages the emergence of​​ Trusted Execution Environments (TEEs)​​​‌ to address the critical​ challenge of securing personal​‌ data while fostering data-driven​​ applications. A first contribution​​​‌ proposes using TEEs to​ isolate a trusted computing​‌ base running a personal​​ data management engine, from​​​‌ a component that supports​ extensible computation via extensible​‌ but unverified (and potentially​​ untrusted) user-defined functions, while​​​‌ bounding potential private data​ leakage. A second contribution​‌ proposes the Edgelet computing​​ paradigm, which leverages TEEs​​​‌ at the network edge​ to securely execute distributed​‌ queries across personal devices​​ with strong privacy and​​​‌ execution guarantees. These two​ contributions were published this​‌ year, respectively, in the​​ journals Distributed Parallel Databases​​​‌ 12 and Personal and​ Ubiquitous Computing 14.​‌ A third contribution supporting​​ our ongoing work on​​​‌ TEE-CPU is the SAFES​ platform (see 7.6.1).​‌

8.4.2 LOCALLM: TEE-CPU and​​ TEE-GPU Platform for LLM-based​​​‌ Components (Axis 4)

Participants:​ Nicolas Anciaux, Cédric​‌ Eichler, Xinqing Li​​ [correspondent], Subashiny Tanigassalame​​​‌ [correspondent], Xingzi Zhang​.

A new line​‌ of work started in​​ our team in 2025​​​‌ supported by our new​ confidential-computing platform (see New​‌ platforms 7.6.2), which​​ combines TEE-GPU (an NVIDIA​​​‌ H100 with CC-ON) and​ a CPU-side TEE (AMD​‌ SEV-SNP cVM) to provide​​ an end-to-end execution chain​​​‌ for privacy-preserving LLM/chatbot pipelines.​

10.1.1 Associate Teams in​‌ the framework of an​​ Inria International Lab or​​​‌ in the framework of​ an Inria International Program​‌

• Title:
  PETsAI: Privacy​​ Enhancing Technologies and Security​​​‌ in the AI era​
• Partner Institution(s):
  COSEC,​‌ University Carlos III Madrid​​ (UC3M)
• Date/Duration:
  2025-2028
• Coodinators:​​​‌
  Nicolas Anciaux and Jose​ Maria De Fuentes
• Members:​‌
  PETSCRAFT and COSEC teams​​
• Description:
  PETsAI is dedicated​​​‌ to privacy, security and​ trust in AI systems,​‌ with a particular focus​​ on LLMs, generative AI​​​‌ and Trusted Execution Environments​ (TEE, for CPUs and​‌ for GPUs).

10.1.2 Visits​​ of international scientists

10.1.3 Visits to​​ international teams

10.2.1​​​‌ PEPR Cybersécurité – iPoP‌

Participants: Benjamin Nguyen [Local‌​‌ coordinator], Subashiny Tanigassalame​​, Iulian Sandu-Popa,​​​‌ Nicolas Anciaux, Cédric‌ Eichler, Adrien Boiret‌​‌, Sara Taki,​​ Xinqing Li, Yanming​​​‌ Li.

• Title:
  Interdisciplinary‌ Project on Privacy
• Partner‌​‌ Institution(s):
  Inria (Leader), CNRS,​​ INSA Lyon, INSA Centre​​​‌ Val de Loire, Université‌ de Rennes, Université de‌​‌ Versailles et St-Quentin-en-Yvelines, Université​​ Grenoble-Alpes, EDHEC, CNIL
• Dates:​​​‌
  2022-2029
• Funding:
  5.5 million‌ euros ( 900,000 euros‌​‌ for PETSCRAFT)

Description :​​ The project's scientific program​​​‌ focuses on new forms‌ of personal information collection,‌​‌ on the learning of​​ Artificial Intelligence (AI) models​​​‌ that preserve the confidentiality‌ of personal information used,‌​‌ on data anonymization techniques,​​ on securing personal data​​​‌ management systems, on differential‌ privacy, on personal data‌​‌ legal protection and compliance,​​ and all the associated​​​‌ societal and ethical considerations.‌ This unifying interdisciplinary research‌​‌ program brings together internationally​​ recognized research teams (from​​​‌ universities, engineering schools and‌ institutions) working on privacy,‌​‌ and the French Data​​ Protection Authority (CNIL).

This​​​‌ holistic vision of the‌ issues linked to personal‌​‌ data protection will on​​ one hand let us​​​‌ propose solutions to the‌ scientific and technological challenges‌​‌ and on the other​​ help, us confront these​​​‌ solutions in many different‌ ways, in the context‌​‌ of interdisciplinary collaborations, thus​​ leading to recommendations and​​​‌ proposals in the field‌ of regulations or legal‌​‌ frameworks. This comprehensive consideration​​ of all the issues​​​‌ aims at encouraging the‌ adoption and acceptability of‌​‌ the solutions proposed by​​​‌ all stakeholders, legislators, data​ controllers, data processors, solution​‌ designers, developers all the​​ way to end-users.

10.2.2​​​‌ PEPR Santé Numérique –​ TracIA

Participants: Xavier Bultel​‌ [Local coordinator], Benjamin​​ Nguyen, Charlène Jojon​​​‌.

• Title:
  Traceability for​ trusted multi-scale data and​‌ fight against information leak​​ in daily practices and​​​‌ artificial intelligence systems in​ healthcare
• Partner Institution(s):
  Inserm​‌ Délégation Grand Ouest (Leader),​​ Institut Mines Télécom, INSA​​​‌ Centre Val de Loire,​ CHU de Rennes, CEA​‌ Paris, Université de Rennes​​
• Dates:
  2023-2028
• Funding:
  1.8​​​‌ million euros(250,000 euros for​ PETSCRAFT)

Description : In​‌ the field of health,​​ cybersecurity is at the​​​‌ heart of the challenges​ of artificial intelligence (AI)​‌ with access to distributed​​ multi-scale massive data. AI​​​‌ systems in health are​ thus identified by the​‌ EU as being high​​ risk. Cybersecurity is therefore​​​‌ imposed by many ethical​ and legislative rules: on​‌ the one hand, data​​ security must be ensured,​​​‌ whatever the transformations they​ have undergone, on the​‌ other hand, the methods​​ created and applied to​​​‌ this data must themselves​ be secure.

In this​‌ context, various important issues​​ in terms of traceability​​​‌ must be considered to​ allow a safe development​‌ of AI in health,​​ with the outsourcing of​​​‌ data and processing. On​ the one hand, it​‌ is necessary to be​​ certain of the origin​​​‌ of the data, their​ history, the way in​‌ which they were created,​​ processed, etc. The same​​​‌ questions arise for AI​ models built on this​‌ data, the latter being​​ then used in clinical​​​‌ practice. On the other​ hand, patients and healthcare​‌ professionals must be given​​ the means to manage​​​‌ their consent. The fight​ against data leaks is​‌ also essential. As defined,​​ traceability encompasses issues at​​​‌ the border between cybersecurity,​ data management and processing​‌ in compliance with the​​ consent of the patient​​​‌ and healthcare professionals; issues​ that must be addressed​‌ jointly, taking into account​​ standards.

These are the​​​‌ traceability issues that TracIA​ aims to address at​‌ the level of a​​ learning information system (LIS).​​​‌ An LIS is based​ on the massive reuse​‌ of data to extract​​ knowledge that is integrated​​​‌ into decision support systems​ then made available to​‌ doctors. These systems produce​​ data that the LIS​​​‌ can reuse to create​ new knowledge and so​‌ on. This makes it​​ possible, for example, to​​​‌ design a digital twin​ of the patient; a​‌ key objective of the​​ Digital Health research program.​​​‌ Here, TracIA aims to​ develop an innovative and​‌ effective methodology and technological​​ solutions for traceability; the​​​‌ missing bricks in the​ development of trusted AI​‌ in health to achieve​​ multiple objectives simultaneously.

10.2.3​​​‌ AMI CMA France 2030​ – CyberINSA

Participants: Benjamin​‌ Nguyen [Project PI],​​ Loïc Besnier, Adrien​​​‌ Boiret, Xavier Bultel​, Khourédia Cissé,​‌ Cédric Eichler, Yasmine​​ Hayder, Charlène Jojon​​​‌, Charles Olivier Anclin​, Sara Taki,​‌ Haoying Zhang.

• Title:​​
  Stratégie d’accélération et d’élargissement​​​‌ des formations et de​ la recherche en cybersécurité​‌ en lien avec l’INSA​​ CVL
• Partner Institution(s):
  INSA​​ Centre Val de Loire​​​‌ (Leader), Université d'Orléans, Rectorat‌ d'Orléans-Tours, Numeum
• Dates:
  2023-2028‌​‌
• Funding:
  3.4 million euros​​ (2.1 million euros for​​​‌ INSA)

Description : CyberINSA‌ project is a Compétences‌​‌ et Métiers d'Avenir France​​ 2030 project which aims​​​‌ to increase the training‌ of professionals and researcher‌​‌ in the cybersecurity field.​​ It also seeks to​​​‌ improve the awareness and‌ skills of the general‌​‌ public, and of students​​ (high school to university​​​‌ level). The project funds‌ 2 PhD sudents working‌​‌ on PETSCRAFT topics (differential​​ privacy and private analysis​​​‌ of time series), many‌ dissemination events on privacy‌​‌ and security (such as​​ Capture the Flag or​​​‌ Anonymization competitions, awareness raising‌ for high school students,‌​‌ general public podcasts, etc).​​ Part of the projet​​​‌ will fund investments in‌ infrastructures such as a‌​‌ cyberrange and a crisis​​ management simulation cell.

10.2.4​​​‌ ANR DifPriPos

Participants: Cédric‌ Eichler [Local coordinator],‌​‌ Adrien Boiret, Yasmine​​ Hayder, Benjamin Nguyen​​​‌.

• Title:
  Making PosgreSQL‌ Differentially Private for Transparent‌​‌ AI
• Partner Institution(s):
  Université​​ de Bourgogne-Franche Comté (Leader),​​​‌ INSA Centre Val de‌ Loire, INSA de Lyon,‌​‌ Inria Saclay, Dalibo
• Dates:​​
  2024-2028
• Funding:
  338,000 euros​​​‌ (138,000 euros for PETSCRAFT)‌

Description : The general‌​‌ objective is to propose​​ a "privacy preserving" tool​​​‌ for interpreting SQL queries‌ in the sense of‌​‌ differential confidentiality that can​​ be integrated into PostgreSQL.​​​‌ These queries will range‌ from the Select-Project-Join-Aggregation (SPJA)‌​‌ form to the export​​ of releases (DUMP) of​​​‌ a part of the‌ database in order to‌​‌ be able to work​​ on it as if​​​‌ it contained no sensitive‌ data. This project is‌​‌ based on the PostgreSQL​​ Anonymizer production tool developed​​​‌ by Dalibo, a member‌ of the consortium. Specifically,‌​‌ the main objective is​​ to extend the anonymization​​​‌ models already integrated in‌ this tool (pseudonymization, k-anonymization‌​‌ and addition of noise)​​ to other models verifying​​​‌ DP, existing or to‌ be built, for SPJA‌​‌ and DUMP queries, to​​ integrate them into PostgreSQL​​​‌ Anonymizer and hence to‌ prohibit individual inferences from‌​‌ such queries.

10.2.5 ANR​​ PrivaSIQ

Participants: Xavier Bultel​​​‌ [Local coordinator], Charlene‌ Jojon, Khourédia Cissé‌​‌, Benjamin Nguyen.​​

• Title:
  Privacy-preserving secure communications​​​‌ despite subversions, interceptions, and‌ quantum adversaries
• Partner Institution(s):‌​‌
  Université de Limoges (Leader),​​ INSA Centre Val de​​​‌ Loire, Ecole Polytechnique, Université‌ de Clermont-Auvergne, Cryspen
• Dates:‌​‌
  2024-2028
• Funding:
  745,000 euros​​ (145,000 euros for PETSCRAFT)​​​‌

Description : Secure channels‌ are essential for interactive‌​‌ communications – over the​​ Internet, in secure payments,​​​‌ mobile communications, or IoT‌ communications – and non-interactive‌​‌ ones – such as​​ secure messaging. Unfortunately, whereas​​​‌ protocol-security is at the‌ forefront of today’s digital‌​‌ communications, much less interest​​ has been paid to​​​‌ user privacy. Yet, user-privacy‌ is a fundamental human‌​‌ right – and in​​ fact much more fragile​​​‌ than security in the‌ context of communications.

Threats‌​‌ to user-privacy in secure-channel​​ establishment abound, at all​​​‌ levels. In this project,‌ our goal is to‌​‌ specifically tackle the following​​ threats: - Interception: Privacy​​​‌ with respect to person-in-the-middle‌ adversaries (exterior to the‌​‌ communication and aiming to​​​‌ track, deanonymize, or identify​ an endpoint of the​‌ channel); - Subversion: Providing​​ privacy-enhancing countermeasures against mass-surveillance​​​‌ attacks; - Quantum adversaries:​ Designing protocols that preserve​‌ both user-privacy and security​​ against powerful quantum adversaries.​​​‌

10.2.6 ANR DATAIA PhD​ Fellowship

Participants: Nicolas Anciaux​‌ [coordinator], Alexandra Bensamoun​​, Cédric Eichler,​​​‌ Yanming Li.

• Title:​
  COMPLY-LLM: Compliance and Large​‌ Language Models: Detecting Privacy​​ and Copyright Violations.
• Dates:​​​‌
  2025-2027
• Funding:
  75,000 euros​ (1/2 PhD grant)

10.2.7​‌ ANR PEPR Cybersecurity Additionnal​​ PhD Grant

Participants: Nicolas​​​‌ Anciaux [coordinator], Cédric​ Eichler.

• Title:
  LOCALLM​‌ : Design of secure,​​ sovereign, and privacy-preserving LLM-based​​​‌ systems leveraging trusted computing​ for GPUs.
• Dates:
  2026-2029​‌
• Funding:
  120,000 euros (1​​ PhD grant)

11.1.1 Scientific​​​‌ events: selection

11.1.2 Invited talks

• Benjamin​ Nguyen : Table ronde​‌ "Expérimentations, encadrement CNIL et​​ perspectives post-JOP 2024",​​​‌ avec Sarah ARTOLA (Juriste​ au service de l’économie​‌ numérique et du secteur​​ financier de la CNIL),​​​‌ Fabrice MATTATIA (DPO Ministère​ de l'Intérieur et des​‌ Outre-Mer), Administrateur AFCDP), Valentine​​ POYLO (DPO Groupe –​​​‌ SNCF), Nicolas DESPALLES (SURETE​ FERROVIAIRE Responsable innovation –​‌ SNCF), Jean-Jacques LEMARECHAL (DPO​​ Groupe – RATP), Benjamin​​​‌ NGUYEN (Professeur à l’INSA​ CVL - Personne qualifiée​‌ du comité d’évaluation), Blaise​​ ROUHAN (DSI business unit​​​‌ Sûreté RATP), animée par​ Nicolas SAMARCQ (Administrateur AFCDP),​‌ Assemblée Générale de l'AFCDP​​ (Association Française des Correspondants​​​‌ aux Données Personnelles),​ Paris, June 25, 2025.​‌
• Benjamin Nguyen : Retour​​ sur le rapport du​​​‌ comité d'évaluation article 10​ de la loi n°2023-380​‌ du 19 mai 2023​​ relative aux jeux Olympiques​​​‌ et Paralympiques de 2024​ et portant diverses autres​‌ dispositions, Workshop "Quel​​ avenir pour les données​​​‌ personnelles face à l’IA"​, EDHEC, Paris, 2025-04-03​‌
• Cédric Eichler : The​​ technological state of the​​​‌ art of AI and​ its societal impacts,​‌ panel at Workshop "Bridging​​ AI Development and Governance"​​​‌, EDHEC, Paris, 2025-04-03​
• Nicolas Anciaux : Table​‌ ronde "Méthodes mixtes et​​ croisées pour l'étude de​​​‌ la cybersécurité", Rencontres Sécurité​ Informatique et Sciences Humaines​‌ et Sociales, 9-10​​ janvirer 2025, Paris, organisé​​ conjointement par les GDR​​​‌ "Sécurité Informatique" et "Internet,‌ IA et Société" du‌​‌ CNRS.
• Nicolas Anciaux :​​ Invited talk "Non-biased Membership​​​‌ Inference Attacks Assessment on‌ LLMs with Ex-Post Dataset‌​‌ Construction" at the Workshop​​ for ELSA and ELLIS​​​‌ members, 17-21 March‌ 2025, Bertinoro University Center‌​‌ (CEUB), Bertinoro, Italy.
• Nicolas​​ Anciaux : Panel "On​​​‌ the privacy issues of‌ modern AI models", Cybercamp‌​‌ UC3M May 2025,​​ Madrid, 5-6 May 2025.​​​‌ Other panelists: Nicholas Carlini‌ and Xavier Rondo, from‌​‌ Anthropic AI.
• Nicolas Anciaux​​ : Invited talk about​​​‌ "Large Language Models: cybersecurity‌ and privacy risks", Cybercamp‌​‌ UC3M June 2025 about​​ Disruptive technologies in cybersecurity​​​‌, Madrid, 10-11 June‌ 2025.
• Nicolas Anciaux :‌​‌ Plenary session "LLMs and​​ Privacy: from risk assessment​​​‌ to privacy enhancing tools",‌ at Journées Nationales 2025‌​‌ du GDR Sécurité Informatique​​, 23-25 juin 2025,​​​‌ Caen.
• Nicolas Anciaux :‌ Expert session "LLMs et‌​‌ vie privée : des​​ enjeux d'évaluation aux outils​​​‌ de protection", at BIG‌ DATA & AI PARIS‌​‌ SUMMIT, 1-2 Oct.​​ 2025, Parc des Expositions,​​​‌ Porte de Versailles, Paris.‌

11.1.3 Scientific expertise

• Benjamin‌​‌ Nguyen : member of​​ the Scientific Advisory Board​​​‌ of the GDR Sécurité‌.
• Benjamin Nguyen :‌​‌ Co-president of the jury​​ of the 9th edition​​​‌ of CNIL-Inria Privacy Award.‌
• Nicolas Anciaux : Member‌​‌ of the jury of​​ the 9th edition of​​​‌ CNIL-Inria Privacy Award.
• Nicolas‌ Anciaux : Member of‌​‌ PhD Award Committee of​​ the "Bases de Données​​​‌ Avancées (BDA)" in 2025‌
• Nicolas Anciaux : Vice-president‌​‌ of the Recruitment Admissibility​​ Jury for CRCN-ISFP positions​​​‌ at Inria Saclay 2025‌
• Nicolas Anciaux : Member‌​‌ of the Recruitment Admissibility​​ Jury for CRCN-ISFP positions​​​‌ at Inria Paris 2025‌
• Benjamin Nguyen : Member‌​‌ of the PR selection​​ committee, INSA Centre Val​​​‌ de Loire.
• Benjamin Nguyen‌ : Member of the‌​‌ MCF and PR selection​​ committee, Ecole Polytechnique.
• Xavier​​​‌ Bultel , MCF Selection‌ comittee, Université d'Amiens, reference‌​‌ 27 MCF ODYSSEE 252540.​​
• Cédric Eichler , MCF​​​‌ Selection comittee, ISIMA, reference‌ 27 MCF ODYSSEE 1128.‌​‌
• Cédric Eichler , MCF​​ Selection comittee, University of​​​‌ Lille, reference 27 McF‌ ODYSSEE 252227 and 252480.‌​‌

11.1.4 Research administration

• Nicolas​​ Anciaux : Head of​​​‌ Science Inria Saclay (Délégué‌ Scientifique) since October 2025‌​‌
• Nicolas Anciaux : Member​​ of ENS Paris-Saclay Scientific​​​‌ Council since November 2025‌
• Nicolas Anciaux : Member‌​‌ of Inria Evaluation Committee​​
• Nicolas Anciaux : Member​​​‌ of University Paris Saclay‌ "Commission Recherche" (CR), "Conseil‌​‌ Académique" (CAC)
• Nicolas Anciaux​​ : Member of University​​​‌ Paris Saclay Graduate School‌ "Informatique et Sciences du‌​‌ Numérique" (GS-ISN) since November​​ 2025
• Nicolas Anciaux :​​​‌ Member of University Paris‌ Saclay CODIREV
• Nicolas Anciaux‌​‌ : Vice-head of Science​​ Inria Saclay (Délégué Scientifique​​​‌ Adjoint) until September 2025‌
• Benjamin Nguyen : Elected‌​‌ member of the Scientific​​ Committee of INSA Centre​​​‌ Val de Loire.

11.2.1 Teaching​​​‌

• Nicolas Anciaux : "Databases"‌ (ENSTA, Master 1, 25h,‌​‌ CSC-4IN06-TA) and "Databases Security"​​ (ENSTA, Master 2, 30h,​​​‌ CSC-5CY03-TA)
• Xinqing Li :‌ "Databases" (ENSTA, Master 1,‌​‌ 14h, CSC-4IN06-TA), "Introduction to​​​‌ Databases" (UVSQ, L2, 36H,​ LSIN408)
• Lucas Biéchy :​‌ Statistics" (ENSTA, L3, 11h,​​ STA1), "Probability" (ENSTA, L3,​​​‌ 11h, PRB1)
• Haoying Zhang​ : "Databases" (ENSTA, Master​‌ 1, 15h, CSC-4IN06-TA)
• Yasmine​​ Hayder : Complexity and​​​‌ Computability, INSA 4A (16h​ TD),Object-Oriented Programming INSA 3A​‌ (28h CM/TD), Algorithms and​​ Complexity INSA 3A (30h​​​‌ CM/TD)
• Khourédia Cissé :​ Cryptography, INSA 3A (21h20​‌ TD), Error Correcting Codes,​​ INSA 4A (21h20 TD/TP),​​​‌ Object-Oriented Programming, INSA 3A,​ (21h20 TD)
• Charlene Jojon​‌ : Shell Programming, INSA​​ 3A, (4h TD), Linux​​​‌ Systems Administration, INSA 3A​ (21h20 TD).
• Benjamin Nguyen​‌ : Advanced Databases, INSA​​ 4A (10h40 CM 10h40​​​‌ TD), Privacy (10h40 CM​ 10h40 TD), Anonymization competition​‌ (40h TD), Cybersecurity Projects​​ (30h TD), Java ,​​​‌ INSA 3A (10h40 TD)​
• Adrien Boiret : Réseaux,​‌ INSA 2A (10h40 CM),​​ INSA 3A (6h40 CM​​​‌ 20h00 TD 16h00 TP)​ and (10h40 CM), INSA​‌ 4A (8h00 CM 8h00​​ TD 44h00 TP), Calculabilité,​​​‌ INSA 4A (10h40 CM),​ Projet d'application, INSA 3A​‌ (12h00 TD), Etude bibliographique,​​ INSA 4A (2h40 TD)​​​‌
• Xavier Bultel : Cryptography,​ INSA 4A (21h20 CM,​‌ 10h40 TD), Error-Correcting Codes​​ INSA 4A (21h20 CM,​​​‌ 10h40 TD), Advanced Cryptography,​ INSA 4-5A (16h00 CM​‌ 16h00 TD), POO C++,​​ INSA 4A (10h40 CM,​​​‌ 10h40 TD), Operating System​ INSA 3A (12h00 TP),​‌ Initiation to Research, M1​​ UO (4h30 CM), Application​​​‌ Project, INSA 3A (22h40)​
• Cédric Eichler : Object​‌ Oriented Programing, INSA 3A​​ (16h20 CM, 22h40 TD,​​​‌ 16h TP), Cybersecurity projects​ INSA 4A (56h TD),​‌ Introduction to virtualization and​​ cloud computing INSA 5A​​​‌ (2h40 CM)

11.2.2 Supervision​

We supervise the following​‌ Ph.D. students:

• Lucas Biechy​​ , since oct. 2024​​​‌ (PEPR Cyber, iPoP, Nicolas​ Anciaux, Adrien Boiret and​‌ Cedric Eichler)
• Khourédia Cissé​​ , since nov. 2024​​​‌ (ANR PrivaSIQ, Xavier Bultel​ and Benjamin Nguyen)
• Yasmine​‌ Hayder , since feb.​​ 2024 (AMI CMA CyberINSA,​​​‌ Adrien Boiret, Benjamin Nguyen​ and Cedric Eichler)
• Charlène​‌ Jojon , since oct.​​ 2023 (PEPR Santé Numérique,​​​‌ Xavier Bultel and Benjamin​ Nguyen)
• Xinqing Li ,​‌ since oct. 2023 (PEPR​​ Cyber, iPoP, Iulian Sandu​​​‌ Popa, Nicolas Anciaux)
• Yanming​ Li , since apr.​‌ 2025 (DATAIA & PEPR​​ Cyber, iPoP, Nicolas Anciaux,​​​‌ Alexandra Bensamoun and Cédric​ Eichler)
• Haoying Zhang ,​‌ since sept. 2023 (AMI​​ CyberINSA, Benjamin Nguyen and​​​‌ Nicolas Anciaux)

11.2.3 Juries​

Ph.D. defenses juries :​‌

• Andreas ATHANASIOU (Institut Polytechnique​​ de Paris, Nicolas Anciaux​​​‌ , President of the​ jury), 2025-06-06.
• Qiyang LI,​‌ (IMT Atlantique, Benjamin Nguyen​​ , Reviewer), 2025-12-17
• Ala​​​‌ Eddine LAOUIR, (Université de​ Lorraine, Benjamin Nguyen ,​‌ Jury member, 2025-11-26
• Oualid​​ ZARI, (Eurecom, Benjamin Nguyen​​​‌ , Reviewer), 2025-01-14
• Luis​ IBANEZ-LISSEN, (Universidad Carlos III​‌ de Madrid, Cédric Eichler​​ , reviewer), 2025-12-12

11.2.4​​​‌ Official responsabilities in higher​ education structures

• Cedric Eichler​‌ , Head of the​​ "Security of Embedded Systems​​​‌ and Cloud" M2 at​ INSA (between 13 and​‌ 20 students), until 31-08-2025​​
• Cedric Eichler , responsible​​​‌ for the transition of​ the curriculum to a​‌ competency-based approach in the​​ Cybersecurity Department at INSA,​​​‌ until 31-08-2025

11.3.1 Specific​​ official responsibilities in science​​​‌ outreach structures

• Lucas Biechy‌ was member of the‌​‌ Mediation group at Inria​​ Saclay for academic year​​​‌ 2024-2025 (until August 2025).‌
• Benjamin Nguyen is local‌​‌ coordinator for the Chiche!​​ Un.e. scientifique, une classe​​​‌ ! program for INSA‌ Centre Val de Loire.‌​‌

11.3.2 Productions (articles, videos,​​ podcasts, serious games, ...)​​​‌

• Podcasts presenting the work‌ of the PhD students‌​‌
• Development of the cardgame​​ Cyberrealms to learn about​​​‌ cybersecurity.

11.3.3 Participation in‌ Live events

PETSCRAFT members‌​‌ have participated in several​​ scientific mediation events.

• Nicolas​​​‌ Anciaux : Animation of‌ three Mini conférences to‌​‌ children (CM1, CM2 students)​​ about privacy issues in​​​‌ the digital ecosystem, Fête‌ de la Science U.‌​‌ Paris Saclay, ENS Paris​​ Saclay, 3 Oct. 2025.​​​‌
• Nicolas Anciaux : Animation‌ of a "Chiche!" classe,‌​‌ Lycée polyvalent Pierre Corneille,​​ La Celle-Saint-Cloud, 20 Oct.​​​‌ 2025.
• Nicolas Anciaux :‌ Seminar "LLMs and Privacy:‌​‌ From Risk Assessment to​​ Privacy-Enhancing Tools", Seminars for​​​‌ the Department's Students series,‌ ENS Paris-Saclay, 21 Nov.‌​‌ 2025.
• Stand at the​​ Fête de la Science​​​‌ in Bourges on Cryptography‌ : presentation of Zero‌​‌ Knowledge Proofs, TOR (Onion​​ routing) and organisation of​​​‌ cryptographic games. (11 and‌ 12 october 2025, Xavier‌​‌ Bultel , Charlene Jojon​​ , Khourédia Cissé ,​​​‌ Yasmine Hayder , 216‌ participants).
• Many workshops on‌​‌ Digital Hygene to High​​ School Students (since oct.​​​‌ 2024, approx 5000 students,‌ Loic Besnier ).
• Collège‌​‌ Édouard Vaillant: Cryptography workshops,​​ Yasmine Hayder , Khourédia​​​‌ Cissé , Charlène Jojon‌ , Xavier Bultel ,‌​‌ Loic Besnier , April​​ 23, 2025, Vierzon, France.​​​‌
• Cybersecurity: Paths of Women‌ Experts, Yasmine Hayder ,‌​‌ Khourédia Cissé , May​​ 15, 2025, Bourges, France.​​​‌
• Cybersecurity Bootcamp for middle‌ and high school girls,‌​‌ Khourédia Cissé , Yasmine​​ Hayder , Loic Besnier​​​‌ , October 14–15, Bourges,‌ France.
• Scientific participants to‌​‌ Maths.en.Jeans with Lycée Marguerite​​ de Navarre. (27 february​​​‌ 2025 and 11 december‌ 2025) Benjamin Nguyen ,‌​‌Xavier Bultel , and​​ conference on Zero knowledge​​​‌ proofs by Xavier Bultel‌ , Bourges, France.
• "Journée‌​‌ Enseignement de la Discipline​​ Informatique" : Leading a​​​‌ one-day workshop for secondary‌ school teachers (lecture on‌​‌ anonymous signatures, cryptographic puzzles,​​ and guided exercises in​​​‌ programming attacks on simple‌ ciphers). 06/06/2025. Xavier Bultel‌​‌ , Orléans, France

International​​​‌ journals

• 11 articleS.‌Siva Anantharaman, S.‌​‌Sabine Frittella and B.​​Benjamin Nguyen. Distributed​​​‌ Transition System with Tags‌ and Value-wise Metric, for‌​‌ Privacy Analysis.Transactions​​ on Data Privacy19​​​‌2May 2026,‌ 57-80HAL
• 12 article‌​‌R.Robin Carpentier,​​ I.Iulian Sandu Popa​​​‌ and N.Nicolas Anciaux‌. Enabling secure data-driven‌​‌ applications: an approach to​​ personal data management using​​​‌ trusted execution environments.‌Distributed and Parallel Databases‌​‌431December 2025​​, 51HALDOI​​​‌back to text
• 13‌ articleL.Luis Ibanez-Lissen‌​‌, L.Lorena Gonzalez-Manzano​​, J. M.Jose​​​‌ Maria de Fuentes and‌ N.Nicolas Anciaux.‌​‌ LPASS: Linear Probes as​​ Stepping Stones for vulnerability​​​‌ detection using compressed LLMs‌.Journal of information‌​‌ security and applications93​​June 2025, 104125​​​‌HALDOIback to‌ text
• 14 articleL.‌​‌Ludovic Javet, N.​​Nicolas Anciaux, L.​​​‌Luc Bouganim and P.‌Philippe Pucheral. Edgelet‌​‌ Computing: Enabling Privacy-Preserving Decentralized​​ Data Processing at the​​​‌ Network Edge.Personal‌ and Ubiquitous Computing29‌​‌February 2025, 45-75​​HALDOIback to​​​‌ text
• 15 articleS.‌Sara Taki, A.‌​‌Adrien Boiret, C.​​Cédric Eichler and B.​​​‌Benjamin Nguyen. Consistently‌ mapping Differential Privacy paradigms‌​‌ between relational databases and​​ RDF.Transactions on​​​‌ Large-Scale Data- and Knowledge-Centered‌ Systems2025. In‌​‌ press. HALback to​​ text
• 16 articleH.​​​‌Haoying Zhang, N.‌Nicolas Anciaux, B.‌​‌Benjamin Nguyen, F.​​Fabien Girard, J.​​​‌Jose Maria de Fuentes‌ and A.Adrien Boiret‌​‌. Privacy Attacks on​​ Matrix Profiles via Reconstruction​​​‌ Techniques.Proceedings on‌ Privacy Enhancing Technologies2026‌​‌. In press. HAL​​back to textback​​​‌ to text
• 17 article‌H.Haoying Zhang,‌​‌ M.Mariem Brahem,​​ N.Nicolas Anciaux,​​​‌ B.Benjamin Nguyen and‌ J.Jose Maria de‌​‌ Fuentes. TELESAFE: Detecting​​ Private/Work Boundary Crossings in​​​‌ Energy Consumption Trails in‌ Telework.Proceedings of‌​‌ the VLDB Endowment (PVLDB)​​1862025,​​​‌ 14In press. HAL‌back to text

International‌​‌ peer-reviewed conferences

• 18 inproceedings​​X.Xavier Bultel,​​​‌ C.Céline Chevalier,‌ C.Charlène Jojon,‌​‌ D.Diandian Liu and​​ B.Benjamin Nguyen.​​​‌ Cryptographic Commitments on Anonymizable‌ Data.EuroS&P 2025‌​‌ - 10th IEEE European​​ Symposium on Security and​​​‌ PrivacyVenice, ItalyJune‌ 2025HALback to‌​‌ textback to text​​
• 19 inproceedingsL.Luis​​​‌ Ibanez-Lissen, L.Lorena‌ Gonzalez-Manzano, J. M.‌​‌Jose Maria de Fuentes​​, N.Nicolas Anciaux​​​‌ and J.Joaquin Garcia-Alfaro‌. LUMIA: linear probing‌​‌ for unimodal and multiModal​​ membership inference attacks leveraging​​​‌ internal LLM states.‌ESORICS 2025 : 30th‌​‌ European Symposium on Research​​ in Computer Security30th​​​‌ European Symposium on Research‌ in Computer Security (ESORICS)‌​‌16053Lecture Notes in​​ Computer ScienceToulouse, France​​​‌arXivJanuary 2025,‌ 186-206HALDOIback‌​‌ to text
• 20 inproceedings​​C.Charles Olivier-Anclin,​​​‌ I.Ioana Boureanu,‌ L.Liqun Chen,‌​‌ C.Christopher Newton,​​​‌ T.Tom Chothia,​ A.Anna Clee,​‌ A.Andreas Kokkinis and​​ P.Pascal Lafourcade.​​​‌ Who Pays Whom? Anonymous​ EMV-Compliant Contactless Payments.​‌34th USENIX Security Symposium​​ 2025Seattle, United States​​​‌August 2025HALback​ to text
• 21 inproceedings​‌H.Haoying Zhang,​​ N.Nicolas Anciaux,​​​‌ B.Benjamin Nguyen and​ J. M.José Maria​‌ de Fuentes. TELESAFE:​​ Monitoring Energy Consumption for​​​‌ Work-Life Boundaries in Telework​.ICDM 2025 -​‌ IEEE International Conference on​​ Data MiningWashington DC,​​​‌ United StatesNovember 2025​HALback to text​‌back to text
• 22​​ inproceedingsH.Haoying Zhang​​​‌, A. K.Abhishek​ K Mishra and H.​‌Héber H. Arcolezi.​​ Demo: Exploring Utility and​​​‌ Attackability Trade-offs in Local​ Differential Privacy.CCS​‌ '25: Proceedings of the​​ 2025 ACM SIGSAC Conference​​​‌ on Computer and Communications​ SecurityCCS 2025 -​‌ ACM SIGSAC Conference on​​ Computer and Communications Security​​​‌Taipei, TaiwanACMNovember​ 2025, 4728 -​‌ 4730HALDOIback​​ to textback to​​​‌ text

National peer-reviewed Conferences​

• 23 inproceedingsM.Marina​‌ Buitrago-Perez, J.Jose​​ Maria de Fuentes,​​​‌ O.Ofelia Tejerina,​ L.Lorena Gonzalez-Manzano,​‌ N.Nicolas Anciaux and​​ L.Luis Ibanez-Lissen.​​​‌ XAI for safe AI:​ technical-legal misconceptions and misalignments​‌.JNIC 2025 -​​ Jornadas Nacionales de Investigación​​​‌ en CiberseguridadZaragoza, Spain​June 2025HAL

Conferences​‌ without proceedings

• 24 inproceedings​​L.Lucas Biéchy,​​​‌ N.Nicolas Anciaux,​ A.Adrien Boiret and​‌ C.Cédric Eichler.​​ Conformal Prediction for LLMs​​​‌ in the Black-Box Model​.Atelier sur la​‌ protection de la vie​​ privée (APVP 2025)Chasseneuil-du-Poitou,​​​‌ FranceJune 2025HAL​
• 25 inproceedingsY.Yasmine​‌ Hayder, A.Adrien​​ Boiret, C.Cédric​​​‌ Eichler and B.Benjamin​ Nguyen. I knew​‌ you knew: Differential privacy​​ for knowledge graphs under​​​‌ semantic-aware attacks.Atelier​ sur la protection de​‌ la vie privée (APVP​​ 2025)Chasseneuil-du-Poitou, FranceJune​​​‌ 2025HALback to​ text
• 26 inproceedingsY.​‌Yanming Li, C.​​Cédric Eichler, N.​​​‌Nicolas Anciaux, H.​Héber H. Arcolezi and​‌ J. M.José Maria​​ de Fuentes. bench-MIA:​​​‌ Towards automatic multi-lever benchmark​ construction for MIA evaluation​‌.APVP 2025 -​​ 15ème Atelier sur la​​​‌ protection de la vie​ privéeChasseneuil-du-Poitou, France2025​‌HAL

Scientific book chapters​​

• 27 inbookN.Nicolas​​​‌ Anciaux and B.Benjamin​ Nguyen. Techniques de​‌ calcul renforçant la vie​​ privée : un enjeu​​​‌ dans l'ère de la​ société de surveillance.​‌Le calcul à découvert​​CNRS ÉditionsJanuary 2025​​​‌HALback to text​

Reports & preprints

• 28​‌ reportS.Siva Anantharaman​​, S.Sabine Frittella​​​‌ and B.Benjamin Nguyen​. Distributed Transition System​‌ with Tags and Value-wise​​ Metric, for Privacy Analysis​​​‌.Laboratoire d'Informatique Fondamentale​ d'OrléansFebruary 2025HAL​‌back to text
• 29​​ reportY.Yanming Li​​​‌, S.Seifeddine Ghozzi​, C.Cédric Eichler​‌, N.Nicolas Anciaux​​, A.Alexandra Bensamoun​​​‌ and L.Lorena Gonzalez​ Manzano. Data Provenance​‌ Auditing of Fine-Tuned Large​​ Language Models with a​​ Text-Preserving Technique.Inria;​​​‌ Insa2025HALback‌ to text