{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,9]],"date-time":"2026-05-09T16:39:20Z","timestamp":1778344760227,"version":"3.51.4"},"reference-count":81,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"3","license":[{"start":{"date-parts":[[2026,3,1]],"date-time":"2026-03-01T00:00:00Z","timestamp":1772323200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2026,3,1]],"date-time":"2026-03-01T00:00:00Z","timestamp":1772323200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,3,1]],"date-time":"2026-03-01T00:00:00Z","timestamp":1772323200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"MIT MTL-Samsung Semiconductor Research Fund"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. VLSI Syst."],"published-print":{"date-parts":[[2026,3]]},"DOI":"10.1109\/tvlsi.2025.3650411","type":"journal-article","created":{"date-parts":[[2026,1,12]],"date-time":"2026-01-12T22:05:19Z","timestamp":1768255519000},"page":"953-966","source":"Crossref","is-referenced-by-count":1,"title":["Securing DNN Acceleration From Off-Chip Memory Vulnerabilities With Low-Overhead Authenticated Encryption"],"prefix":"10.1109","volume":"34","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6406-9515","authenticated-orcid":false,"given":"Kyungmi","family":"Lee","sequence":"first","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, MA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-8777-2748","authenticated-orcid":false,"given":"Gaurab","family":"Das","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, MA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5212-2072","authenticated-orcid":false,"given":"Donghyeon","family":"Han","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, MA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5977-2748","authenticated-orcid":false,"given":"Anantha P.","family":"Chandrakasan","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, MA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"GPT-4 Technical Report","year":"2024"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1002\/rob.21918"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1038\/s41592-020-01008-z"},{"key":"ref4","article-title":"Intriguing properties of neural networks","author":"Szegedy","year":"2013","journal-title":"arXiv:1312.6199"},{"key":"ref5","article-title":"Towards deep learning models resistant to adversarial attacks","author":"Madry","year":"2017","journal-title":"arXiv:1706.06083"},{"key":"ref6","first-page":"497","article-title":"Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks","volume-title":"Proc. USENIX Secur. Symp.","author":"Hong"},{"key":"ref7","first-page":"1463","article-title":"DeepHammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips","volume-title":"Proc. USENIX Secur. Symp.","author":"Yao"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00130"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/CICC60959.2024.10529033"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/ISSCC42614.2022.9731598"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1109\/ESSCIRC59616.2023.10268746"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3613424.3614273"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA53966.2022.00025"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/3489517.3530439"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/3400302.3415649"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.23919\/VLSITechnologyandCir57934.2023.10185228"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/isscc49661.2025.10904812"},{"key":"ref18","first-page":"45","article-title":"Lest we remember: Cold boot attacks on encryption keys","volume-title":"Proc. 17th USENIX Secur. Symp. (USENIX Secur.)","volume":"43","author":"Halderman"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/ICCAD51958.2021.9643512"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/tcad.2019.2915318"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1016\/j.microrel.2021.114116"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP43922.2022.9747337"},{"key":"ref23","article-title":"Intel SGX explained","author":"Costan","year":"2016","journal-title":"Cryptol. ePrint Archive"},{"key":"ref24","article-title":"A memory encryption engine suitable for general purpose processors","author":"Gueron","year":"2016","journal-title":"Cryptol. ePrint Archive"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/3342195.3387532"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-01004-0_1"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/3470496.3527418"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1007\/s00145-021-09398-9"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2021.3061314"},{"key":"ref30","article-title":"T-BFA: Targeted bit-flip adversarial weight attack","author":"Rakin","year":"2020","journal-title":"arXiv:2007.12336"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2020.3040846"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/JSSC.2016.2616357"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/JPROC.2017.2761740"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/ISPASS.2019.00042"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA59077.2024.00024"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3575693.3575747"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/JSSC.2019.2915203"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/DSD.2015.14"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.46586\/tosc.v2020.iS1.5-30"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-09234-3_4"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.46586\/tosc.v2020.i1.43-120"},{"issue":"1","key":"ref42","doi-asserted-by":"crossref","first-page":"60","DOI":"10.46586\/tosc.v2020.iS1.60-87","article-title":"Xoodyak, a lightweight cryptographic scheme","volume":"2020","author":"Daemen","year":"2020","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2018.i2.218-241"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.46586\/tosc.v2020.iS1.208-261"},{"key":"ref45","article-title":"Tinyjambu: A family of lightweight authenticated encryption algorithms (version 2)","author":"Wu","year":"2021"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/HST.2018.8383893"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/cvpr.2016.90"},{"key":"ref48","article-title":"Trustzone: Integrated hardware and software security","author":"Alves","year":"2004"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/MCSE.2022.3163817"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.6028\/nist.fips.197"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-38e"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2003.1183547"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2006.22"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2007.16"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1145\/3173162.3177155"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2018.00041"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA56546.2023.10071003"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/micro50266.2020.00015"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO50266.2020.00062"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/3623652.3623672"},{"key":"ref61","doi-asserted-by":"crossref","DOI":"10.6028\/NIST.SP.800-232","article-title":"Ascon-based lightweight cryptography standards for constrained devices: Authenticated encryption, hash, and extendable output functions","volume-title":"NIST","author":"Turan","year":"2025"},{"key":"ref62","article-title":"MobileViT: Light-weight, general-purpose, and mobile-friendly vision transformer","volume-title":"Proc. Int. Conf. Learn. Represent.","author":"Mehta"},{"key":"ref63","article-title":"OPT: Open pre-trained transformer language models","author":"Zhang","year":"2022","journal-title":"arXiv:2205.01068"},{"key":"ref64","volume-title":"NVIDIA A100 Datasheet","year":"2021"},{"key":"ref65","volume-title":"Block Sparse Attention","author":"Guo","year":"2024"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1109\/iccv.2017.155"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/3079856.3080254"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1145\/3445814.3446702"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-48405-1_25"},{"key":"ref70","first-page":"3403","article-title":"SoK: Neural network extraction through physical side channels","volume-title":"Proc. 33rd USENIX Secur. Symp.","author":"Horv\u00e1th"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1145\/3530054"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/3677320"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/host45689.2020.9300276"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.23919\/DATE51398.2021.9474072"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1109\/JSSC.2016.2611678"},{"key":"ref76","first-page":"5661","article-title":"Posthammer: Pervasive browser-based rowhammer attacks with postponed refresh commands","volume-title":"Proc. 34th USENIX Conf. Secur. Symp.","author":"de Ridder"},{"key":"ref77","first-page":"5679","article-title":"ECC.fail: Mounting rowhammer attacks on DDR4 servers with ECC memory","volume-title":"Proc. 34th USENIX Secur. Symp. (USENIX Secur.)","author":"Kamadan"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00020"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/3152701.3152709"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00104"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516660"}],"container-title":["IEEE Transactions on Very Large Scale Integration (VLSI) Systems"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/92\/11411923\/11343916.pdf?arnumber=11343916","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T20:47:40Z","timestamp":1772138860000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11343916\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3]]},"references-count":81,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.1109\/tvlsi.2025.3650411","relation":{},"ISSN":["1063-8210","1557-9999"],"issn-type":[{"value":"1063-8210","type":"print"},{"value":"1557-9999","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3]]}}}