defense 2025

PermuteV: A Performant Side-channel-Resistant RISC-V Core Securing Edge AI Inference

Nuntipat Narkthong, Xiaolin Xu

0 citations · 41 references · arXiv


Published on arXiv: 2512.18132

Model Theft

OWASP ML Top 10 — ML05

Key Finding

PermuteV effectively defeats Correlation Electromagnetic Analysis (CEMA) attacks targeting NN weights with minimal area and runtime overhead compared to prior shuffling-based defenses (13.7%–41.8% overhead).

Novel technique introduced: PermuteV


Edge AI inference is becoming prevalent thanks to the emergence of small yet high-performance microprocessors. This shift from cloud to edge processing brings several benefits in terms of energy savings, improved latency, and increased privacy. On the downside, bringing computation to the edge makes devices more vulnerable to physical side-channel attacks (SCA), which aim to extract confidential properties of neural network models, e.g., architecture and weights. To address this growing threat, we propose PermuteV, a performant side-channel resistant RISC-V core designed to secure neural network inference. PermuteV employs a hardware-accelerated defense mechanism that randomly permutes the execution order of loop iterations, thereby obfuscating the electromagnetic (EM) signature associated with sensitive operations. We implement PermuteV on FPGA and perform evaluations in terms of side-channel security, hardware area, and runtime overhead. The experimental results demonstrate that PermuteV can effectively defend against EM SCA with minimal area and runtime overhead.


Key Contributions

  • PermuteV: a RISC-V core with a Loop Index Generator (LIG) module that randomly permutes loop iteration order to obfuscate EM side-channel signatures during NN inference
  • Custom RISC-V ISA extensions enabling efficient hardware-accelerated permutation with no extra instructions vs. sequential loops
  • LLVM compiler extension that automatically generates permuted loop code, requiring no manual software modifications from developers
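A software model of the loop-permutation idea described above, added here as an illustration; it is not PermuteV's hardware LIG, its ISA extension, or its compiler output. The function names and the xorshift32 generator (a stand-in for a hardware random source) are assumptions, and the weights and inputs are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Assumption: xorshift32 stands in for a hardware random source; not a CSPRNG. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Fisher-Yates: fill idx[0..n-1] with a random visiting order; seed must be nonzero. */
void permute_indices(uint16_t *idx, size_t n, uint32_t *seed) {
    for (size_t i = 0; i < n; i++) idx[i] = (uint16_t)i;
    for (size_t i = n; i > 1; i--) {
        size_t j = xorshift32(seed) % i;   /* slight modulo bias, fine for a sketch */
        uint16_t t = idx[i - 1]; idx[i - 1] = idx[j]; idx[j] = t;
    }
}

/* Baseline MAC loop: weight w[k] is always processed at time step k. */
int32_t mac_sequential(const int8_t *w, const int8_t *x, size_t n) {
    int32_t acc = 0;
    for (size_t k = 0; k < n; k++) acc += (int32_t)w[k] * x[k];
    return acc;
}

/* Permuted MAC loop: same products, visited in the order idx[0], idx[1], ... */
int32_t mac_permuted(const int8_t *w, const int8_t *x, const uint16_t *idx, size_t n) {
    int32_t acc = 0;
    for (size_t t = 0; t < n; t++) acc += (int32_t)w[idx[t]] * x[idx[t]];
    return acc;
}

/* Time step at which weight k is processed; this is what changes between runs. */
size_t step_of_weight(const uint16_t *idx, size_t n, uint16_t k) {
    for (size_t t = 0; t < n; t++) if (idx[t] == k) return t;
    return n; /* not found: idx is not a permutation of 0..n-1 */
}

int main(void) {
    const int8_t w[8] = {12, -7, 33, -128, 5, 90, -41, 2};  /* constructed weights */
    const int8_t x[8] = {3, 127, -9, 4, -60, 1, 8, -2};     /* constructed inputs */
    uint16_t idx[8]; uint32_t seed = 1;
    for (int run = 0; run < 4; run++) {
        permute_indices(idx, 8, &seed);
        printf("run %d: acc=%d (sequential %d), w[3] at step %zu\n", run,
               (int)mac_permuted(w, x, idx, 8), (int)mac_sequential(w, x, 8),
               step_of_weight(idx, 8, 3));
    }
    return 0;
}
```

The accumulator is identical in every run because integer addition is order-independent, while the time step of any given weight moves, so traces captured across runs no longer align on the same weight-dependent operation.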

🛡️ Threat Analysis

Model Theft

EM side-channel attacks (CEMA) against edge devices explicitly aim to extract neural network model weights and architecture — model IP theft. PermuteV is a hardware-level countermeasure defending against this extraction; ML05 explicitly includes 'side-channel attacks to extract model parameters' and their defenses.


Details

Threat Tags
physical, inference_time, black_box
Datasets
MAC operation EM traces (FPGA evaluation)
Applications
edge ai inference, neural network model protection, iot/embedded systems