EIM-TRNG: Obfuscating Deep Neural Network Weights with Encoding-in-Memory True Random Number Generator via RowHammer

TL;DR

This paper introduces EIM-TRNG, a hardware security method that uses DRAM RowHammer-induced bit-flips as a true random number generator to protect deep neural network weights, enhancing model confidentiality and integrity.

Contribution

The paper presents a novel DRAM-based TRNG leveraging RowHammer effects for secure DNN weight encoding, a first in combining physical DRAM randomness with neural network protection.

Findings

DRAM RowHammer can generate reliable entropy for TRNGs.

Encoding neural network weights with physical randomness enhances security.

The proposed method effectively protects DNN models from tampering.

Abstract

True Random Number Generators (TRNGs) play a fundamental role in hardware security, cryptographic systems, and data protection. In the context of Deep NeuralNetworks (DNNs), safeguarding model parameters, particularly weights, is critical to ensure the integrity, privacy, and intel-lectual property of AI systems. While software-based pseudo-random number generators are widely used, they lack the unpredictability and resilience offered by hardware-based TRNGs. In this work, we propose a novel and robust Encoding-in-Memory TRNG called EIM-TRNG that leverages the inherent physical randomness in DRAM cell behavior, particularly under RowHammer-induced disturbances, for the first time. We demonstrate how the unpredictable bit-flips generated through carefully controlled RowHammer operations can be harnessed as a reliable entropy source. Furthermore, we apply this TRNG framework to secure DNN weight data by encoding via a combination of fixed and unpredictable bit-flips. The encrypted data is later decrypted using a key derived from the probabilistic flip behavior, ensuring both data confidentiality and model authenticity. Our results validate the effectiveness of DRAM-based entropy extraction for robust, low-cost hardware security and offer a promising direction for protecting machine learning models at the hardware level.