attack 2025

Attack on a PUF-based Secure Binary Neural Network

Bijeet Basak , Nupur Patil , Kurian Polachan , Srinivas Vivek

1 citation · 13 references · arXiv


Published on arXiv

2510.24422

Model Theft

OWASP ML Top 10 — ML05

Key Finding

Recovers 85% of the PUF key and reconstructs the BNN model to 93% accuracy (vs. original 96%) in a few minutes using differential accuracy observations.

Differential PUF Key Recovery Attack

Novel technique introduced


Binarized Neural Networks (BNNs) deployed on memristive crossbar arrays provide energy-efficient solutions for edge computing but are susceptible to physical attacks due to memristor nonvolatility. Recently, Rajendran et al. (IEEE Embedded Systems Letters 2025) proposed a Physical Unclonable Function (PUF)-based scheme to secure BNNs against theft attacks. Specifically, the weight and bias matrices of the BNN layers were secured by swapping columns based on the device's PUF key bits. In this paper, we demonstrate that this scheme to secure BNNs is vulnerable to a PUF-key recovery attack. As a consequence of our attack, we recover the secret weight and bias matrices of the BNN. Our approach is motivated by differential cryptanalysis and reconstructs the PUF key bit-by-bit by observing the change in model accuracy, eventually recovering the BNN model parameters. Evaluated on a BNN trained on the MNIST dataset, our attack could recover 85% of the PUF key, and recover the BNN model up to 93% classification accuracy compared to the original model's 96% accuracy. Our attack is very efficient: it takes a couple of minutes to recover the PUF key and the model parameters.


Key Contributions

  • Demonstrates that the PUF-based BNN security scheme (column-swapping by PUF key bits) is vulnerable to a differential cryptanalysis-style attack
  • Proposes an efficient bit-by-bit PUF key recovery algorithm that observes changes in model accuracy upon key-bit flipping
  • Achieves 85% PUF key recovery and 93% classification accuracy reconstruction (vs. 96% original) on MNIST in minutes

🛡️ Threat Analysis

Model Theft

The attack's explicit goal is recovering the secret weight and bias matrices of a BNN whose IP is protected by a PUF-based column-permutation scheme. By recovering 85% of the PUF key, the attacker reconstructs a functionally equivalent clone (93% vs original 96% accuracy), directly achieving model theft.


Details

Domains
vision
Model Types
traditional_ml
Threat Tags
grey_box, inference_time, targeted, digital
Datasets
MNIST
Applications
edge ML inference on memristive crossbar hardware; binarized neural network deployment