TT-SEAL: TTD-Aware Selective Encryption for Adversarially-Robust and Low-Latency Edge AI

Kyeongpil Min, Sangmin Jeon, Jae-Jin Lee, Woojoo Lee

TL;DR

TT-SEAL is a selective-encryption framework for TT-decomposed networks. It matches the robustness of full (black-box) encryption while encrypting as little as 4.89-15.92% of parameters across ResNet-18, MobileNetV2, and VGG-16, and it drives the share of AES decryption in end-to-end latency to low single digits.

Abstract

Cloud-edge AI must jointly satisfy model compression and security under tight device budgets. While Tensor-Train Decomposition (TTD) shrinks on-device models, prior selective-encryption studies largely assume dense weights, leaving its practicality under TTD compression unclear. We present TT-SEAL, a selective-encryption framework for TT-decomposed networks. TT-SEAL ranks TT cores with a sensitivity-based importance metric, calibrates a one-time robustness threshold, and uses a value-DP optimizer to encrypt the minimum set of critical cores with AES. Under TTD-aware, transfer-based threat models (and on an FPGA-prototyped edge processor) TT-SEAL matches the robustness of full (black-box) encryption while encrypting as little as 4.89-15.92% of parameters across ResNet-18, MobileNetV2, and VGG-16, and drives the share of AES decryption in end-to-end latency to low single digits (e.g., 58% -> 2.76% on ResNet-18), enabling secure, low-latency edge AI.
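
The abstract does not give the optimizer's formulation; as an added illustration (not the authors' code), one plausible reading of the "value-DP" step is a 0/1 knapsack indexed by importance value that finds the fewest parameters to encrypt whose summed core importance reaches the calibrated threshold. Integer importance scores, an additive threshold, and every core name and number below are assumptions constructed for the example.

```python
# Added illustration, not the TT-SEAL authors' code. Core names, parameter
# counts, integer importance scores and the threshold are constructed values.
CORES = [  # (name, n_params, importance)
    ("layer4.core0", 6400, 10),
    ("conv1.core0", 1200, 9),
    ("layer2.core0", 800, 6),
    ("layer3.core0", 2000, 7),
    ("layer1.core1", 4800, 4),
    ("fc.core0", 9600, 3),
]

def select_cores(cores, threshold):
    """Pick the cores to encrypt: fewest parameters whose summed importance
    reaches `threshold`. Returns (encrypted_params, names) or None."""
    inf = float("inf")
    # best[v] = (fewest params, chosen indices) reaching importance v,
    # with v capped at threshold so the table stays small.
    best = [(inf, ())] * (threshold + 1)
    best[0] = (0, ())
    for idx, (_name, n_params, importance) in enumerate(cores):
        # Walk v downward so each core is counted at most once.
        for v in range(threshold, -1, -1):
            cost, chosen = best[v]
            if cost == inf:
                continue
            reached = min(threshold, v + importance)
            if cost + n_params < best[reached][0]:
                best[reached] = (cost + n_params, chosen + (idx,))
    cost, chosen = best[threshold]
    if cost == inf:
        return None  # even encrypting every core misses the threshold
    return cost, [cores[i][0] for i in chosen]

def greedy_by_importance(cores, threshold):
    """Baseline: encrypt highest-importance cores first until threshold."""
    total_imp = total_params = 0
    for _name, n_params, importance in sorted(cores, key=lambda c: -c[2]):
        if total_imp >= threshold:
            break
        total_imp += importance
        total_params += n_params
    return total_params if total_imp >= threshold else None

if __name__ == "__main__":
    total = sum(c[1] for c in CORES)
    cost, names = select_cores(CORES, 20)
    print(f"DP encrypts {names}: {cost}/{total} params ({cost / total:.1%})")
    print(f"greedy-by-importance encrypts {greedy_by_importance(CORES, 20)} params")
```

On this constructed input the DP meets the threshold with three small cores, while picking cores purely by descending importance encrypts more than twice as many parameters, which is the cost that shows up as AES decryption latency on the device.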

Paper Structure (12 sections, 11 equations, 7 figures, 3 tables, 3 algorithms)

Figures (7)

  • Figure 1: Transfer-based adversarial attack using JBDA. Blue lines: the attacker queries oracle $\boldsymbol{O(x)}$ with clean inputs, trains a substitute $\boldsymbol{F(\mathbf{x})}$, and augments data $\mathbf{x}'$ near decision boundaries. Red lines: $\boldsymbol{F}$ generates adversarial examples $\mathbf{x}_{\boldsymbol{adv}}$ that transfer to $\boldsymbol{O}$.
  • Figure 2: Substitute-model accuracy vs. selective encryption ratio in ResNet-18 with dense and TTD-compressed weights.
  • Figure 3: Relationship between $\boldsymbol{I}_{\boldsymbol{acc}}$ and substitute-model accuracy for TTD-compressed ResNet-18, MobileNetV2 and VGG-16.
  • Figure 4: Image-classification demo running on the FPGA-prototyped processor, illustrating a transfer-based misclassification: an original ship is predicted as a cat under the configured threat model.
  • Figure 5: Visualization of adversarial examples generated from the substitute of the TT-SEAL-encrypted model. As $\boldsymbol{\epsilon}$ increases, stronger perturbations are progressively added to the input image.
  • ...and 2 more figures