{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T20:26:44Z","timestamp":1780345604889,"version":"3.54.1"},"reference-count":21,"publisher":"Institute of Electronics, Information and Communications Engineers (IEICE)","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEICE Trans. Fundamentals"],"published-print":{"date-parts":[[2021,1,1]]},"DOI":"10.1587\/transfun.2020cip0024","type":"journal-article","created":{"date-parts":[[2020,12,31]],"date-time":"2020-12-31T22:16:26Z","timestamp":1609452986000},"page":"152-161","source":"Crossref","is-referenced-by-count":15,"title":["Model Reverse-Engineering Attack against Systolic-Array-Based DNN Accelerator Using Correlation Power Analysis"],"prefix":"10.1587","volume":"E104.A","author":[{"given":"Kota","family":"YOSHIDA","sequence":"first","affiliation":[{"name":"Graduate School of Science and Technology, Ritsumeikan University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mitsuru","family":"SHIOZAKI","sequence":"additional","affiliation":[{"name":"Research Organization of Science and Engineering, Ritsumeikan University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Shunsuke","family":"OKURA","sequence":"additional","affiliation":[{"name":"Department of Science and Engineering, Ritsumeikan University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Takaya","family":"KUBOTA","sequence":"additional","affiliation":[{"name":"Research Organization of Science and Engineering, Ritsumeikan University"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Takeshi","family":"FUJINO","sequence":"additional","affiliation":[{"name":"Department of Science and Engineering, Ritsumeikan University"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"532","reference":[{"key":"1","doi-asserted-by":"crossref","unstructured":"[1] M. 
Fredrikson, S. Jha, and T. Ristenpart, \u201cModel inversion attacks that exploit confidence information and basic countermeasures,\u201d Proc. 2015 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp.1322-1333, 2015. 10.1145\/2810103.2813677","DOI":"10.1145\/2810103.2813677"},{"key":"2","unstructured":"[2] A. Salem, Y. Zhang, M. Humbert, P. Berrang, M. Fritz, and M. Backes, \u201cML-Leaks: Model and data independent membership inference attacks and defenses on machine learning models,\u201d arXiv, arXiv:1806.01246, 2018."},{"key":"3","unstructured":"[3] I.J. Goodfellow, J. Shlens, and C. Szegedy, \u201cExplaining and harnessing adversarial examples,\u201d arXiv, arXiv:1412.6572, 2014."},{"key":"4","unstructured":"[4] K. Eykholt, I. Evtimov, E. Fernandes, B. Li, A. Rahmati, C. Xiao, A. Prakash, T. Kohno, and D. Song, \u201cRobust physical-world attacks on deep learning models,\u201d arXiv, arXiv:1707.08945, 2017."},{"key":"5","unstructured":"[5] F. Tramer, F. Zhang, A. Juels, M.K. Reiter, and T. Ristenpart, \u201cStealing machine learning models via prediction apis,\u201d SEC'16: Proc. 25th USENIX Conference on Security Symposium, pp.601-618, 2016."},{"key":"6","unstructured":"[6] B. Wang and N.Z. Gong, \u201cStealing hyperparameters in machine learning,\u201d arXiv, arXiv:1802.05351, 2018."},{"key":"7","doi-asserted-by":"crossref","unstructured":"[7] W. Hua, Z. Zhang, and G.E. Suh, \u201cReverse engineering convolutional neural networks through side-channel information leaks,\u201d Proc. 55th Annual Design Automation Conference, 2018. 10.1109\/dac.2018.8465773","DOI":"10.1145\/3195970.3196105"},{"key":"8","doi-asserted-by":"crossref","unstructured":"[8] X. Wang, R. Hou, Y. Zhu, J. Zhang, and D. Meng, \u201cNPUFort: A secure architecture of DNN accelerator against model inversion attack,\u201d Proc. 16th ACM International Conference on Computing Frontiers, pp.190-196, 2019. 
10.1145\/3310273.3323070","DOI":"10.1145\/3310273.3323070"},{"key":"9","unstructured":"[9] L. Batina, S. Bhasin, D. Jap, and S. Picek, \u201cCSI neural network: Using side-channels to recover your artificial neural network information,\u201d IACR Cryptology ePrint Archive, vol.2018, p.477, 2018."},{"key":"10","doi-asserted-by":"crossref","unstructured":"[10] K. Yoshida, T. Kubota, M. Shiozaki, and T. Fujino, \u201cModel-extraction attack against FPGA-DNN accelerator utilizing correlation electromagnetic analysis,\u201d 27th IEEE International Symposium On Field-Programmable Custom Computing Machines, 2019. 10.1109\/fccm.2019.00059","DOI":"10.1109\/FCCM.2019.00059"},{"key":"11","doi-asserted-by":"crossref","unstructured":"[11] K. Yoshida, S. Okura, M. Shiozaki, T. Kubota, and T. Fujino, \u201cModel reverse-engineering attack using correlation power analysis against systolic array based neural network accelerator,\u201d IEEE International Symposium on Circuits and Systems, 2020. 10.1109\/iscas45731.2020.9180580","DOI":"10.1109\/ISCAS45731.2020.9180580"},{"key":"12","unstructured":"[12] A. Dubey, R. Cammarota, and A. Aysu, \u201cMaskedNet: The first hardware inference engine aiming power side-channel protection,\u201d arXiv, arXiv:1910.13063, 2019."},{"key":"13","unstructured":"[13] N.P. Jouppi, C. Young, N. Patil, D. Patterson, G. Agrawal, R. Bajwa, S. Bates, S. Bhatia, N. Boden, A. Borchers, R. Boyle, P. Cantin, C. Chao, C. Clark, J. Coriell, M. Daley, M. Dau, J. Dean, B. Gelb, T.V. Ghaemmaghami, R. Gottipati, W. Gulland, R. Hagmann, C.R. Ho, D. Hogberg, J. Hu, R. Hundt, D. Hurt, J. Ibarz, A. Jaffey, A. Jaworski, A. Kaplan, H. Khaitan, A. Koch, N. Kumar, S. Lacy, J. Laudon, J. Law, D. Le, C. Leary, Z. Liu, K. Lucke, A. Lundin, G. MacKean, A. Maggiore, M. Mahony, K. Miller, R. Nagarajan, R. Narayanaswami, R. Ni, K. Nix, T. Norrie, M. Omernick, N. Penukonda, A. Phelps, J. Ross, M. Ross, A. Salek, E. Samadiani, C. Severn, G. Sizikov, M. Snelham, J. Souter, D. 
Steinberg, A. Swing, M. Tan, G. Thorson, B. Tian, H. Toma, E. Tuttle, V. Vasudevan, R. Walter, W. Wang, E. Wilcox, and D.H. Yoon, \u201cIn-datacenter performance analysis of a tensor processing unit,\u201d arXiv, arXiv:1704.04760, 2017."},{"key":"14","doi-asserted-by":"crossref","unstructured":"[14] Z. Yang, L. Wang, D. Ding, X. Zhang, Y. Deng, S. Li, and Q. Dou, \u201cSystolic array based accelerator and algorithm mapping for deep learning algorithms,\u201d IFIP International Conference on Network and Parallel Computing, pp.153-158, 2018. 10.1007\/978-3-030-05677-3_16","DOI":"10.1007\/978-3-030-05677-3_16"},{"key":"15","doi-asserted-by":"publisher","unstructured":"[15] H.T. Kung \u201cWhy systolic architectures?,\u201d IEEE Computer 15.1, pp.37-46, 1982. 10.1109\/mc.1982.1653825","DOI":"10.1109\/MC.1982.1653825"},{"key":"16","doi-asserted-by":"publisher","unstructured":"[16] E. Brier, C. Clavier, and F. Olivier, \u201cCorrelation power analysis with a leakage model,\u201d Conference on Cryptographic Hardware and Embedded Systems, LNCS, vol.3156, pp.16-29, 2004. 10.1007\/978-3-540-28632-5_2","DOI":"10.1007\/978-3-540-28632-5_2"},{"key":"17","doi-asserted-by":"crossref","unstructured":"[17] T. Unterluggauer and E. Wenger, \u201cPractical attack on bilinear pairings to disclose the secrets of embedded devices,\u201d 9th International Conference on Availability, Reliability and Security, 2014. 10.1109\/ares.2014.16","DOI":"10.1109\/ARES.2014.16"},{"key":"18","doi-asserted-by":"crossref","unstructured":"[18] D. Jauvart, J.J.A. Fournier, N. El Mrabet, and L. Goubin, \u201cImproving side-channel attacks against pairing-based cryptography,\u201d Risks and Security of Internet and Systems, LNCS, vol.10158, pp.199-213, 2017. 10.1007\/978-3-319-54876-0_16","DOI":"10.1007\/978-3-319-54876-0_16"},{"key":"19","unstructured":"[19] R. Gilad-Bachrach, N. Dowlin, K. Laine, K. Lauter, M. Naehrig, and J. 
Wernsing, \u201cCryptoNets: Applying neural networks to encrypted data with high throughput and accuracy,\u201d International Conference on Machine Learning, pp.201-210, 2016."},{"key":"20","unstructured":"[20] B. Reagen, W. Choi, Y. Ko, V. Lee, G.-Y. Wei, H.-H.S. Lee and D. Brooks, \u201cCheetah: Optimizations and methods for PrivacyPreserving inference via homomorphic encryption,\u201d arXiv, arXiv:2006.00505, 2020."},{"key":"21","unstructured":"[21] K. Tiri and I. Verbauwhede, \u201cA logic level design methodology for a secure DPA resistant ASIC or FPGA implementation,\u201d 2004 Design, Automation and Test in Europe Conference and Exposition (DATE2004), vol.1, pp.246-251, IEEE Computer Society, 2004. 10.1109\/date.2004.1268856"}],"container-title":["IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.jstage.jst.go.jp\/article\/transfun\/E104.A\/1\/E104.A_2020CIP0024\/_pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,1,2]],"date-time":"2021-01-02T03:37:38Z","timestamp":1609558658000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.jstage.jst.go.jp\/article\/transfun\/E104.A\/1\/E104.A_2020CIP0024\/_article"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,1]]},"references-count":21,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021]]}},"URL":"https:\/\/doi.org\/10.1587\/transfun.2020cip0024","relation":{},"ISSN":["0916-8508","1745-1337"],"issn-type":[{"value":"0916-8508","type":"print"},{"value":"1745-1337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,1,1]]}}}