Loading…

PIPP: A Practical PUF-Based Intellectual Property Protection Scheme for DNN Model on FPGA

The embedding of a DNN model on the FPGA provides users with significant computing acceleration. However, the intellectual property (IP) of these models is at risk of being stolen since they become publicly accessible once the FPGA is delivered. Traditional cryptographic methods are unsuitable for p...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on circuits and systems. II, Express briefs Express briefs, 2024-02, Vol.71 (2), p.912-916
Main Authors: Li, Dawei, Ren, Yangkun, Liu, Di, Guo, Yuxiao, Guan, Zhenyu, Liu, Jianwei
Format: Article
Language:English
Subjects:
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The embedding of a DNN model on the FPGA provides users with significant computing acceleration. However, the intellectual property (IP) of these models is at risk of being stolen since they become publicly accessible once the FPGA is delivered. Traditional cryptographic methods are unsuitable for protecting DNN models due to computational cost, additional hardware cost, or the risk of secret key and parameter leakage. In this brief, we propose an intellectual property protection scheme for DNN models based on Physical Unclonable Function (PUF), which permits only authorized FPGA boards to recover the original model and produce accurate results. We developed a prototype to protect the LeNet model using Arbiter PUF (APUF). Compared with the original model, the accuracy of the obfuscated model remains unchanged, and the additional latency accounts for 1.6% of the inference latency. For the 3rd, and 5th convolutional layers in AlexNet, the LUTs required to be obfuscated account for 0.33%, and 0.34% of the original convolutional layers, respectively. The experimental results demonstrate that the proposed scheme effectively protects DNN models. Even if an adversary can guess 106 bits of the 128-bit PUF response, the recovered DNN models, including AlexNet, DenseNet, and ResNet, fail to operate correctly. Our project is open-sourced on https://github.com/renaturation/DNN_PUF_FPGA .
ISSN:1549-7747
1558-3791
DOI:10.1109/TCSII.2023.3309105