Tony (Lipeng) He
Student, software engineer, founder, and researcher at the University of Waterloo.
I'm pursuing a Master of Mathematics (Research/Thesis) degree in Computer Science at UWaterloo. I am grateful to be advised by N. Asokan.
I'm part of Secure Systems Group (SSG), Cryptography, Security, and Privacy (CrySP) Lab, and the Cybersecurity and Privacy Institute (CPI). I also worked with Jian Liu at ABC Lab, Zhejiang University. Currently, my office is located in the William G. Davis Computer Research Centre, DC 3333B, M3.
I'm in pursuit of knowledge, experience, and the various other beautiful things life has to offer. I strive to live deliberately. Before research, I spent some years doing software engineering. In the limit of my life, I am also trying to be a pianist, writer, podcaster, designer, and entrepreneur[1].
[1] Retrograde Labs is a research-backed startup building the trust layer for agentic AI. I strive to do the kind of research that not only helps us identify failure modes and address problems & bottlenecks, but can also be turned into something useful in production, and something that is able to withstand the test of the market and real customers. At Retrograde Labs, I build, grow, and scale products that apply research ideas in real-world workflows.
TL;DR: I study how AI safety and security break in deployed systems, and how to build defenses that survive those conditions.
My research focuses on Trustworthy Machine Learning, with an emphasis on LLM robustness and the security & privacy of agentic AI systems. I study failures that appear when models are fine-tuned, approximated, compressed, connected to tools, exposed to external content, or placed in multi-agent and other production ML pipeline settings. I care about issues such as data leakage, prompt injection, unsafe tool use, brittle safety behavior, and systems that cannot explain or audit what happened.
I develop effective and efficient adversarial attacks, as well as principled defenses, drawing on applied cryptography, theoretical machine learning, and systems security to characterize and mitigate emerging threats.
I am especially interested in agents that retrieve information, call tools, write code, or act on private context. These systems need stronger guarantees around provenance, permissions, policy, and auditability before people can safely delegate important work to them.
My goal is to ensure that AI's transformative potential reaches as much of society as possible in the most impactful way, with safety as the unlock that guarantees the world will benefit from AI.
SoK: Colluding Adversaries in Machine Learning Pipelines
Understanding and Preserving Safety in Fine-Tuned LLMs
Locket: Robust Feature-Locking Technique for Language Models
Safety at One Shot: Patching Fine-Tuned LLMs with A Single Instance
Activation Approximations Can Incur Safety Vulnerabilities Even in Aligned LLMs: Comprehensive Analysis and Defense
LookAhead: Preventing DeFi Attacks via Unveiling Adversarial Contracts
Secure Transformer Inference Made Non-interactive
On the Atomicity and Efficiency of Blockchain Payment Channels
Revealing and Benchmarking the Safety Risks in Blockchain Agents
StructEval: Benchmarking LLMs' Capabilities to Generate Structural Outputs
FedVLP: Visual-aware Latent Prompt Generation for Multimodal Federated Learning
A Survey of Multimodal Federated Learning: Background, Applications, and Perspectives
Defending against Adaptive Prompt Injection Attacks via Reasoning-enabled Task Alignment
Backdooring Bias in Large Language Models
From Detection to Diagnosis: Lightweight Federated Prompt Learning for Interpretable Industrial Anomaly Analysis
Token-by-Token Manipulation: Inference-Time Jailbreaking on Production LLMs via Autoregressive Harmful Guidance
Cybersecurity and Privacy Institute (CPI) Graduate Student Conference 2026
Cybersecurity and Privacy Institute (CPI) Graduate Student Conference 2025
Program Committee Member (Artifact Evaluation), USENIX Security Symposium 2026
Program Committee Member (Artifact Evaluation), Privacy Enhancing Technologies Symposium (PoPETs/PETS) 2026
Program Committee Member (Artifact Evaluation), ACM Conference on Computer and Communications Security (CCS) 2025, 2026
Invited Reviewer, IEEE Transactions on Dependable and Secure Computing (TDSC)
Student Member, Association for Computing Machinery (ACM)
lipenghe@acm.org
Directed Reading Program (DRP) Mentor
AI Safety and Security Challenges in LLM-based Autonomous Agents (Spring 2026)
Women in Mathematics (WiM)
University of Waterloo Graduate Scholarship
CAD 4,000
University of Waterloo
AWS Startup Activate Credits (Portfolio)
USD 25,000
Amazon, Y Combinator
Lambda Research Grant Program
USD 5,000; Principal Investigator: N. Asokan
λ (Lambda) AI
David R. Cheriton Graduate Scholarship
CAD 10,000
University of Waterloo
International Master's Award of Excellence (IMAE)
CAD 7,500
University of Waterloo
University of Waterloo
Teaching Assistant (TA)
CS 436 Networks and Distributed Computer Systems
University of Waterloo
Instructional Apprentice (IA)
CS 135 Designing Functional Programs
University of Waterloo
Instructional Support Assistant (ISA)
CS 135 Designing Functional Programs
University of Waterloo
Research Assistant (URA)
Cryptography, Security, and Privacy (CrySP) Lab
Zhejiang University
Research Assistant
ABC Lab, Institute of Cyberspace Research
Retrograde Labs
Co-Founder
Accelerating frontier scientific discovery and commercialization
Bluelet AI
Co-Founder & CTO
Agentic AI and data platform solutions for talent acquisition and matching
BioRender
Full Stack Software Engineer
SaaS, Y Combinator W18
Toronto, ON
Safyre Labs
Back End Software Engineer
E-Commerce Platform, Supply Chain
North York, ON
Robinhood
Front End Software Engineer
Bitbuy (Cryptocurrency Exchange), TSX: WNDR
Toronto, ON
University of Waterloo
Master's Degree (Research/Thesis)
Computer Science
University of Waterloo
Honours Bachelor's Degree (Co-op)
Mathematics (Minor in Computing)
Nanyang Technological University
Exchange Student (GEM Trailblazer)
Mathematical Sciences
New Article Every Time I Publish :)