
Attack on a PUF-based Secure Binary Neural Network

Bijeet Basak, Nupur Patil, Kurian Polachan, Srinivas Vivek

TL;DR

This work addresses the security of PUF-based column-swapping protection for BNNs deployed on memristive crossbars by presenting a practical differential-cryptanalysis–inspired attack that recovers the PUF key bit-by-bit. It extends this to a block-based approach that captures inter-bit dependencies, significantly improving recovery efficiency and accuracy. On MNIST, the methods recover at least $85\%$ of the PUF key and restore the BNN's accuracy to roughly $93$–$94\%$ of the original, within minutes to an hour depending on block size. The results reveal a critical vulnerability in the proposed encryption scheme and motivate stronger hardware-level protections for PUF-secured BNN deployments.

Abstract

Binarized Neural Networks (BNNs) deployed on memristive crossbar arrays provide energy-efficient solutions for edge computing but are susceptible to physical attacks due to memristor nonvolatility. Recently, Rajendran et al. (IEEE Embedded Systems Letters 2025) proposed a Physical Unclonable Function (PUF)-based scheme to secure BNNs against theft attacks. Specifically, the weight and bias matrices of the BNN layers were secured by swapping columns based on the device's PUF key bits. In this paper, we demonstrate that this scheme for securing BNNs is vulnerable to a PUF-key recovery attack. As a consequence of our attack, we recover the secret weight and bias matrices of the BNN. Our approach is motivated by differential cryptanalysis: it reconstructs the PUF key bit-by-bit by observing the change in model accuracy, and eventually recovers the BNN model parameters. Evaluated on a BNN trained on the MNIST dataset, our attack could recover 85% of the PUF key and recover the BNN model up to 93% classification accuracy, compared to the original model's 96% accuracy. Our attack is very efficient: it takes a couple of minutes to recover the PUF key and the model parameters.

Paper Structure

This paper contains 12 sections, 2 figures, 1 table.

Figures (2)

  • Figure 1: BNN model used for digit classification.
  • Figure 2: Proposed swapping scheme.