
Locking Machine Learning Models into Hardware

Eleanor Clifford, Adhithya Saravanan, Harry Langford, Cheng Zhang, Yiren Zhao, Robert Mullins, Ilia Shumailov, Jamie Hayes

TL;DR

This work introduces ML Hardware Locking, a paradigm to protect on-device machine learning models by binding them to specific hardware. It catalogs soft locking approaches (sparsity- and quantisation-aware) that degrade performance on unauthorized hardware, and hard locking techniques based on device fingerprints (clock, finite-precision, and PUF) coupled with parameter transformations (AES-based, shuffling, and pre-transformed AES) to ensure destruction and indistinguishability. Empirical results show that soft locks incur negligible overhead on authorized hardware while causing notable degradation on unauthorized hardware, and hard locks can achieve strong protection with varying cracking costs, particularly on larger models. The approach is designed to complement, not replace, existing cryptographic protections and can support offline model use, governance, and IP protection in safety-critical applications, though it entails deployment trade-offs and practical limits in scalability and hardware variability.

Abstract

Modern machine learning (ML) models are expensive IP, and business competitiveness often depends on keeping this IP confidential. This in turn restricts how these models are deployed; for example, it is unclear how to deploy a model on-device without inevitably leaking the underlying model. At the same time, confidential computing technologies such as multi-party computation or homomorphic encryption remain impractical for wide adoption. In this paper, we take a different approach and investigate the feasibility of ML-specific mechanisms that deter unauthorized model use by restricting the model to only be usable on specific hardware, making adoption on unauthorized hardware inconvenient. That way, even if IP is compromised, it cannot be trivially used without specialised hardware or major model adjustment. In a sense, we seek to enable cheap locking of machine learning models into specific hardware. We demonstrate that locking mechanisms are feasible by either targeting efficiency of model representations, making such models incompatible with quantization, or tying the model's operation to specific characteristics of hardware, such as the number of clock cycles for arithmetic operations. We demonstrate that locking comes with negligible overheads, while significantly restricting usability of the resultant model on unauthorized hardware.

Paper Structure

This paper contains 58 sections, 3 equations, 16 figures, 14 tables.

Figures (16)

  • Figure 1: A high-level illustration of how ML Hardware Locking functions: the locked model resists efficient, or any, deployment by adversaries on unauthorized hardware stacks. This resistance occurs because unauthorized hardware devices inherently lack support for some hardware operation or are unable to match the hardware properties of the authorized hardware.
  • Figure 2: Applying soft locks to a model with accuracy $\mathit{Acc}_\text{original}$; $\Delta_{orig}$ and $\Delta_{lock}$ together measure the effectiveness of locking.
  • Figure 3: Re-training sparsity-locked ResNet18 on CIFAR100
  • Figure 6: Attacking soft locking by adding noise to the locked parameters.
  • Figure 7: ResNet18 locking curves
  • ...and 11 more figures