Deep-Lock: Secure Authorization for Deep Neural Networks

Manaar Alam, Sayandeep Saha, Debdeep Mukhopadhyay, Sandip Kundu

TL;DR

Deep-Lock addresses unauthorized use and piracy of trained DNNs by cryptographically locking each parameter $w_i$ with a per-parameter key $k_i$, derived from a master key $K$ by a key schedule and applied through an S-Box based transformation. Locking is done once, offline (at deployment); unlocking happens online, per query, with a supplied key $K_{input}$, via $(w_i^{bin})^{unlocked}=InvSbox((w_i^{\prime})^{bin}) \oplus k_i^{input}$, so the model computes correctly only when $K_{input}=K$. Evaluation on MNIST, Fashion-MNIST and CIFAR-10 shows that accuracy is preserved with the correct key and falls to chance level with a wrong key, at a modest run-time overhead that hardware acceleration can reduce. Unlike prior hardware-assisted obfuscation such as HPNN, Deep-Lock leaves the network structure unchanged and is shown to resist model fine-tuning, which makes it usable for both embedded and cloud-based deployments.
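
The byte-level lock/unlock described above, as an added worked example (not the authors' code). It treats each float32 parameter as four bytes, locks every byte as $Sbox(w \oplus k)$ and unlocks it as $InvSbox(w') \oplus k$, exactly inverting the formula in the TL;DR. Two stand-ins are assumptions, because the page does not specify them: the AES S-box (generated from its definition) plays the role of the paper's S-Box, and HMAC-SHA256 in counter mode plays the role of the key schedule. The two-class linear model, its weights and the six-sample dataset are constructed for the demo and stand in for a real DNN.

```python
# Added example: Deep-Lock-style weight locking in pure Python. Not the authors' code.
# Assumptions: AES S-box as the S-Box; HMAC-SHA256 counter mode as the key schedule;
# a toy linear model with constructed weights and data in place of a trained DNN.
import hashlib
import hmac
import struct
from typing import List, Tuple


def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_aes_sbox() -> List[int]:
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gmul(x, y) == 1)
        s = inv
        for r in (1, 2, 3, 4):
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_aes_sbox()
INV_SBOX = [0] * 256
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x

KEY_BYTES = 4  # one key byte per byte of the float32 encoding of a parameter


def f32(w: float) -> bytes:
    """Little-endian IEEE-754 float32 encoding of a parameter (w_i^bin)."""
    return struct.pack("<f", w)


def key_schedule(master_key: bytes, n_params: int) -> List[bytes]:
    """Derive k_i for parameter i from the master key K (assumed: HMAC-SHA256, counter mode)."""
    return [hmac.new(master_key, i.to_bytes(4, "big"), hashlib.sha256).digest()[:KEY_BYTES]
            for i in range(n_params)]


def lock_model(weights: List[float], master_key: bytes) -> List[bytes]:
    """Offline step: w'_i = Sbox(w_i^bin XOR k_i), byte by byte. Locked weights stay as bytes."""
    keys = key_schedule(master_key, len(weights))
    return [bytes(SBOX[b ^ kb] for b, kb in zip(f32(w), k)) for w, k in zip(weights, keys)]


def unlock_bytes(locked: List[bytes], key_input: bytes) -> List[bytes]:
    """Online step: (w_i^bin)^unlocked = InvSbox(w'_i^bin) XOR k_i^input, byte by byte."""
    keys = key_schedule(key_input, len(locked))
    return [bytes(INV_SBOX[b] ^ kb for b, kb in zip(raw, k)) for raw, k in zip(locked, keys)]


def unlock_model(locked: List[bytes], key_input: bytes) -> List[float]:
    """Unlock and reinterpret the recovered bytes as float32 parameters (garbage/NaN if key is wrong)."""
    return [struct.unpack("<f", raw)[0] for raw in unlock_bytes(locked, key_input)]


def predict(weights: List[float], x: List[float]) -> int:
    """Toy 2-class linear model: class 1 if w . x > 0. NaN scores compare False, i.e. class 0."""
    return 1 if sum(w * xi for w, xi in zip(weights, x)) > 0 else 0


def accuracy(weights: List[float], dataset: List[Tuple[List[float], int]]) -> float:
    return sum(predict(weights, x) == y for x, y in dataset) / len(dataset)


# Constructed toy model and data (not from the paper); dyadic weights are exact in float32.
WEIGHTS = [0.5, -0.25, 1.0, -0.75]
DATASET = [([1.0, 0.0, 0.0, 0.0], 1), ([0.0, 1.0, 0.0, 0.0], 0),
           ([0.0, 0.0, 1.0, 0.0], 1), ([0.0, 0.0, 0.0, 1.0], 0),
           ([1.0, 1.0, 1.0, 1.0], 1), ([0.0, 1.0, 0.0, 1.0], 0)]
MASTER_KEY = b"deep-lock-demo-master-key"  # constructed; use a random 128/256-bit key in practice
WRONG_KEY = b"deep-lock-demo-wrong-key"


def demo() -> dict:
    locked = lock_model(WEIGHTS, MASTER_KEY)
    good = unlock_model(locked, MASTER_KEY)
    bad = unlock_model(locked, WRONG_KEY)
    return {"original_acc": accuracy(WEIGHTS, DATASET),
            "correct_key_acc": accuracy(good, DATASET),
            "wrong_key_acc": accuracy(bad, DATASET),
            "correct_key_roundtrip": good == WEIGHTS,
            "wrong_key_recovers_any": any(b == w for b, w in zip(bad, WEIGHTS))}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two checks worth running on any implementation of this scheme. First, the correct key must give a bit-exact round trip (`correct_key_roundtrip`), which is why locked weights are kept as raw bytes rather than reinterpreted as floats in between: a locked byte pattern that happens to be a NaN would not survive a float conversion unchanged. Second, because `Sbox` and `InvSbox` are public and cancel, unlocking with a wrong key `k'` yields `w XOR k XOR k'` byte for byte, so all secrecy rests on the per-parameter keys and a key guess that is right in some bytes recovers exactly those bytes of the parameter; the S-Box's nonlinearity acts on the stored locked weights `w'`, which is where a fine-tuning attacker starts.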

Abstract

Trained Deep Neural Network (DNN) models are considered valuable Intellectual Property (IP) in several business models. Prevention of IP theft and unauthorized usage of such DNN models has been raised as a significant concern by industry. In this paper, we address the problem of preventing unauthorized usage of DNN models by proposing a generic and lightweight key-based model-locking scheme, which ensures that a locked model functions correctly only upon applying the correct secret key. The proposed scheme, known as Deep-Lock, utilizes S-Boxes with good security properties to encrypt each parameter of a trained DNN model with secret keys generated from a master key via a key scheduling algorithm. The resulting dense network of encrypted weights is found robust against model fine-tuning attacks. Finally, Deep-Lock does not require any intervention in the structure and training of the DNN models, making it applicable to all existing software and hardware implementations of DNNs.

Paper Structure

This paper contains 8 sections, 2 figures, 1 table and 2 algorithms.

Figures (2)

  • Figure 1: (a) Classification accuracy of the original trained model, locked model with a correct key input, and locked model with a wrong key guess (b) Average prediction time of a single input for both unencrypted and locked model
  • Figure 2: Validation accuracies for each DNN model over training iterations during model fine-tuning