Attack on a PUF-based Secure Binary Neural Network
Bijeet Basak, Nupur Patil, Kurian Polachan, Srinivas Vivek

TL;DR
This paper demonstrates a vulnerability in a PUF-based security scheme for Binarized Neural Networks, showing that an attack can recover most of the secret keys and significantly degrade model accuracy.
Contribution
The paper introduces a differential cryptanalysis-inspired attack that effectively recovers PUF keys and model parameters in a secure BNN scheme, exposing its security flaws.
Findings
Recovered 85% of PUF key bits
Achieved 93% accuracy on MNIST after attack
Attack duration was only a few minutes
Abstract
Binarized Neural Networks (BNNs) deployed on memristive crossbar arrays provide energy-efficient solutions for edge computing but are susceptible to physical attacks due to memristor nonvolatility. Recently, Rajendran et al. (IEEE Embedded Systems Letter 2025) proposed a Physical Unclonable Function (PUF)-based scheme to secure BNNs against theft attacks. Specifically, the weight and bias matrices of the BNN layers were secured by swapping columns based on the device's PUF key bits. In this paper, we demonstrate that this scheme to secure BNNs is vulnerable to a PUF-key recovery attack. As a consequence of our attack, we recover the secret weight and bias matrices of the BNN. Our approach is motivated by differential cryptanalysis and reconstructs the PUF key bit-by-bit by observing the change in model accuracy, and eventually recovering the BNN model parameters. Evaluated on a BNN trained…
