defense 2025

LLA: Enhancing Security and Privacy for Generative Models with Logic-Locked Accelerators

You Li , Guannan Zhao , Yuhao Ju , Yunqi He , Jie Gu , Hai Zhou

Northwestern University

0 citations · 43 references · arXiv
α

Published on arXiv

2512.22307

Model Theft

OWASP ML Top 10 — ML05

AI Supply Chain Attacks

OWASP ML Top 10 — ML06

Key Finding

LLA withstands oracle-guided key optimization attacks while incurring less than 0.1% computational overhead for 7,168 key bits.

LLA (Logic-Locked Accelerators)

Novel technique introduced

We introduce LLA, an effective intellectual property (IP) protection scheme for generative AI models. LLA leverages the synergy between hardware and software to defend against various supply chain threats, including model theft, model corruption, and information leakage. On the software side, it embeds key bits into neurons that can trigger outliers to degrade performance and applies invariance transformations to obscure the key values. On the hardware side, it integrates a lightweight locking module into the AI accelerator while maintaining compatibility with various dataflow patterns and toolchains. An accelerator with a pre-stored secret key acts as a license to access the model services provided by the IP owner. The evaluation results show that LLA can withstand a broad range of oracle-guided key optimization attacks, while incurring a minimal computational overhead of less than 0.1% for 7,168 key bits.

Key Contributions

  • Hardware-software co-design where a logic-locked AI accelerator with a pre-stored secret key acts as a hardware license, preventing unauthorized model access without the correct key.
  • Software-side key embedding that triggers performance-degrading outliers in neurons and applies invariance transformations to obscure key values, resisting reverse-engineering.
  • Demonstrated resistance to oracle-guided key optimization attacks with less than 0.1% computational overhead for 7,168 key bits.

🛡️ Threat Analysis

Model Theft

Core contribution is preventing unauthorized use and theft of generative AI model IP: a hardware accelerator with a pre-stored secret key acts as a cryptographic license, and software-side key embedding with invariance transformations resists key extraction attacks — this is directly model theft defense.

AI Supply Chain Attacks

Paper explicitly frames its threat model as supply chain attacks (model theft, model corruption, and information leakage during distribution), and the hardware-software locking mechanism is designed to protect the model as it traverses an untrusted supply chain from IP owner to end user.

Details

Domains
generative
Model Types
diffusiontransformer
Threat Tags
white_boxtraining_time
Applications
generative ai modelsai hardware accelerators
Read PDF arXiv DOI

Similar Papers

defense

Serverless AI Security: Attack Surface Analysis and Runtime Protection Mechanisms for FaaS-Based Machine Learning

2026 0 cit.
AI Supply Chain AttacksModel Theft
53%
defense

Attesting Model Lineage by Consisted Knowledge Evolution with Fine-Tuning Trajectory

2026 1 cit.
Model Theft
47%
defense

Keys in the Weights: Transformer Authentication Using Model-Bound Latent Representations

2025 0 cit.
Model Theft
47%
defense

AuthenLoRA: Entangling Stylization with Imperceptible Watermarks for Copyright-Secure LoRA Adapters

2025 0 cit.
Output Integrity AttackModel Theft
44%
defense

Knowledge Distillation Detection for Open-weights Models

2025 1 cit.
Model Theft
44%
defense

Persistence of Backdoor-based Watermarks for Neural Networks: A Comprehensive Evaluation

2025 3 cit.
Model Theft
44%
defense

Lossless Copyright Protection via Intrinsic Model Fingerprinting

2026 0 cit.
Model Theft
41%
defense

Model Unmerging: Making Your Models Unmergeable for Secure Model Sharing

2025 0 cit.
Model Theft
41%