{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T00:37:31Z","timestamp":1759970251938,"version":"build-2065373602"},"reference-count":45,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2025,1,7]],"date-time":"2025-01-07T00:00:00Z","timestamp":1736208000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001659","name":"German Research Foundation (DFG)","doi-asserted-by":"publisher","award":["501300923"],"award-info":[{"award-number":["501300923"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Cryptography"],"abstract":"<jats:p>Neural networks have become pivotal in advancing applications across various domains, including healthcare, finance, surveillance, and autonomous systems. To achieve low latency and high efficiency, field-programmable gate arrays (FPGAs) are increasingly being employed as accelerators for neural network inference in cloud and edge devices. However, the rising costs and complexity of neural network training have led to the widespread use of outsourcing of training, pre-trained models, and machine learning services, raising significant concerns about security and trust. Specifically, malicious actors may embed neural Trojans within NNs, exploiting them to leak sensitive data through side-channel analysis. This paper builds upon our prior work, where we demonstrated the feasibility of embedding Trojan side-channels in neural network weights, enabling the extraction of classification results via remote power side-channel attacks. In this expanded study, we introduced a broader range of experiments to evaluate the robustness and effectiveness of this attack vector. We detail a novel training methodology that enhanced the correlation between power consumption and network output, achieving up to a 33% improvement in reconstruction accuracy over benign models. Our approach eliminates the need for additional hardware, making it stealthier and more resistant to conventional hardware Trojan detection methods. We provide comprehensive analyses of attack scenarios in both controlled and variable environmental conditions, demonstrating the scalability and adaptability of our technique across diverse neural network architectures, such as MLPs and CNNs. Additionally, we explore countermeasures and discuss their implications for the design of secure neural network accelerators. To the best of our knowledge, this work is the first to present a passive output recovery attack on neural network accelerators, without explicit trigger mechanisms. The findings emphasize the urgent need to integrate hardware-aware security protocols in the development and deployment of neural network accelerators.<\/jats:p>","DOI":"10.3390\/cryptography9010005","type":"journal-article","created":{"date-parts":[[2025,1,7]],"date-time":"2025-01-07T03:38:41Z","timestamp":1736221121000},"page":"5","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Leveraging Neural Trojan Side-Channels for Output Exfiltration"],"prefix":"10.3390","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9775-5861","authenticated-orcid":false,"given":"Vincent","family":"Meyers","sequence":"first","affiliation":[{"name":"Department of Computer Science, Karlsruhe Institute of Technology (KIT), 76131 Karlsruhe, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7583-2376","authenticated-orcid":false,"given":"Michael","family":"Hefenbrock","sequence":"additional","affiliation":[{"name":"RevoAI GmbH, 76131 Karlsruhe, Germany"}]},{"given":"Dennis","family":"Gnad","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Karlsruhe Institute of Technology (KIT), 76131 Karlsruhe, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8829-5610","authenticated-orcid":false,"given":"Mehdi","family":"Tahoori","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Karlsruhe Institute of Technology (KIT), 76131 Karlsruhe, Germany"}]}],"member":"1968","published-online":{"date-parts":[[2025,1,7]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Begg, R., Kamruzzaman, J., and Sarker, R. (2006). Neural Networks in Healthcare: Potential and Challenges: Potential and Challenges, Igi Global.","DOI":"10.4018\/978-1-59140-848-2"},{"key":"ref_2","unstructured":"McNelis, P.D. (2005). Neural Networks in Finance: Gaining Predictive Edge in the Market, Academic Press."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"362","DOI":"10.1002\/rob.21918","article-title":"A survey of deep learning techniques for autonomous driving","volume":"37","author":"Grigorescu","year":"2020","journal-title":"J. Field Robot."},{"key":"ref_4","unstructured":"Microsoft (2022). Deploy ML Models to Field-Programmable Gate Arrays (FPGAs) with Azure Machine Learning, Microsoft."},{"key":"ref_5","unstructured":"Zhu, M., Liu, L., Wang, C., and Xie, Y. (2016). Cnnlab: A novel parallel framework for neural networks using gpu and fpga-a practical study with trade-off analysis. arXiv."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Fasfous, N., Vemparala, M.R., Frickenstein, A., Frickenstein, L., Badawy, M., and Stechele, W. (2021, January 17\u201321). Binarycop: Binary neural network-based COVID-19 face-mask wear and positioning predictor on edge devices. Proceedings of the International Parallel and Distributed Processing Symposium Workshops (IPDPSW), Portland, OR, USA.","DOI":"10.1109\/IPDPSW52791.2021.00024"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Jokic, P., Emery, S., and Benini, L. (2018, January 6\u20138). Binaryeye: A 20 kfps streaming camera system on fpga with real-time on-device image recognition using binary neural networks. Proceedings of the International Symposium on Industrial Embedded Systems (SIES), Graz, Austria.","DOI":"10.1109\/SIES.2018.8442108"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Byma, S., Steffan, J.G., Bannazadeh, H., Leon-Garcia, A., and Chow, P. (2014, January 11\u201313). Fpgas in the cloud: Booting virtualized hardware accelerators with openstack. Proceedings of the 2014 IEEE 22nd Annual International Symposium on Field-Programmable Custom Computing Machines, Boston, MA, USA.","DOI":"10.1109\/FCCM.2014.42"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Fahmy, S.A., Vipin, K., and Shreejith, S. (December, January 30). Virtualized FPGA accelerators for efficient cloud computing. Proceedings of the 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom), Vancouver, BC, Canada.","DOI":"10.1109\/CloudCom.2015.60"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Liu, Y., Xie, Y., and Srivastava, A. (2017, January 5\u20138). Neural trojans. Proceedings of the International Conference on Computer Design (ICCD), Boston Area, MA, USA.","DOI":"10.1109\/ICCD.2017.16"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Kurita, K., Michel, P., and Neubig, G. (2020, January 5\u201310). Weight Poisoning Attacks on Pretrained Models. Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics, Online.","DOI":"10.18653\/v1\/2020.acl-main.249"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"4377","DOI":"10.1109\/TIFS.2021.3106169","article-title":"Stealing Neural Network Structure through Remote FPGA Side-channel Analysis","volume":"16","author":"Zhang","year":"2021","journal-title":"Trans. Inf. Forensics Secur. (TIFS)"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Moini, S., Tian, S., Szefer, J., Holcomb, D., and Tessier, R. (2020). Remote Power Side-Channel Attacks on CNN Accelerators in FPGAs. arXiv.","DOI":"10.23919\/DATE51398.2021.9473915"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Lin, L., Kasper, M., G\u00fcneysu, T., Paar, C., and Burleson, W. (2009, January 6\u20139). Trojan side-channels: Lightweight hardware trojans through side-channel engineering. Proceedings of the Cryptographic Hardware and Embedded Systems-CHES 2009: 11th International Workshop, Lausanne, Switzerland. Proceedings.","DOI":"10.1007\/978-3-642-04138-9_27"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1186\/s12859-018-2505-7","article-title":"Real-time data analysis for medical diagnosis using FPGA-accelerated neural networks","volume":"19","author":"Sanaullah","year":"2018","journal-title":"BMC Bioinform."},{"key":"ref_16","unstructured":"Warden, P. (2018). Speech Commands: A Dataset for Limited-Vocabulary Speech Recognition. arXiv."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Huegle, L., Gotthard, M., Meyers, V., Krautter, J., Gnad, D.R., and Tahoori, M.B. (2023, January 8\u201311). Power2Picture: Using Generative CNNs for Input Recovery of Neural Network Accelerators through Power Side-Channels on FPGAs. Proceedings of the 2023 IEEE 31st Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM), Marina Del Rey, CA, USA.","DOI":"10.1109\/FCCM57271.2023.00025"},{"key":"ref_18","unstructured":"Koppel, R., and Kuziemsky, C.E. (2019). Healthcare Data Are Remarkably Vulnerable to Hacking: Connected Healthcare Delivery Increases the Risks. Improving Usability, Safety and Patient Outcomes with Health Information Technology, IOS Press."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"100561","DOI":"10.1016\/j.patter.2022.100561","article-title":"Health advertising on Facebook: Privacy and policy considerations","volume":"3","author":"Downing","year":"2022","journal-title":"Patterns"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Meyers, V., Hefenbrock, M., Gnad, D., and Tahoori, M. (2024, January 6\u20139). Trained to Leak: Hiding Trojan Side-Channels in Neural Network Weights. Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), Washington DC, USA.","DOI":"10.1109\/HOST55342.2024.10545350"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"S\u00f6ll, O., Korak, T., Muehlberghuber, M., and Hutter, M. (2014, January 5\u20138). EM-based detection of hardware trojans on FPGAs. Proceedings of the International Symposium on Hardware-Oriented Security and Trust (HOST), San Jose, CA, USA.","DOI":"10.1109\/HST.2014.6855574"},{"key":"ref_22","unstructured":"Goodfellow, I., Bengio, Y., Courville, A., and Bengio, Y. (2016). Deep Learning, MIT Press."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Clements, J., and Lao, Y. (2019, January 26\u201329). Hardware trojan design on neural networks. Proceedings of the International Symposium on Circuits and Systems (ISCAS), Hokkaido, Japan.","DOI":"10.1109\/ISCAS.2019.8702493"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"191","DOI":"10.3233\/JCS-2012-0460","article-title":"Neural network trojan","volume":"21","author":"Geigel","year":"2013","journal-title":"J. Comput. Secur."},{"key":"ref_25","unstructured":"Wang, J., Hassan, G.M., and Akhtar, N. (2022). A survey of neural trojan attacks and defenses in deep learning. arXiv."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Chandrasekar, S., Lam, S.K., and Thambipillai, S. (2023, January 27\u201329). DNN Model Theft Through Trojan Side-Channel on Edge FPGA Accelerator. Proceedings of the International Symposium on Applied Reconfigurable Computing, Cottbus, Germany.","DOI":"10.1007\/978-3-031-42921-7_10"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Kocher, P., Jaffe, J., and Jun, B. (1999). Differential power analysis. CRYPTO, Springer.","DOI":"10.1007\/3-540-48405-1_25"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Gao, Y., Qiu, H., Zhang, Z., Wang, B., Ma, H., Abuadbba, A., Xue, M., Fu, A., and Nepal, S. (2024, January 20\u201322). Deeptheft: Stealing dnn model architectures through power side channel. Proceedings of the 2024 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP54263.2024.00250"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1023\/A:1010933404324","article-title":"Random forests","volume":"45","author":"Breiman","year":"2001","journal-title":"Mach. Learn."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Umuroglu, Y., Fraser, N.J., Gambardella, G., Blott, M., Leong, P., Jahre, M., and Vissers, K. (2017, January 22\u201324). Finn: A framework for fast, scalable binarized neural network inference. Proceedings of the International Symposium on Field-Programmable Gate Arrays (FPGA), Monterey, CA, USA. ACM\/SIGDA.","DOI":"10.1145\/3020078.3021744"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"543","DOI":"10.46586\/tches.v2023.i2.543-567","article-title":"RDS: FPGA Routing Delay Sensors for Effective Remote Power Analysis Attacks","volume":"2023","author":"Spielmann","year":"2023","journal-title":"Iacr Trans. Cryptogr. Hardw. Embed. Syst."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Shumailov, I., Zhao, Y., Bates, D., Papernot, N., Mullins, R., and Anderson, R. (2020). Sponge examples: Energy-latency attacks on neural networks. arXiv.","DOI":"10.1109\/EuroSP51992.2021.00024"},{"key":"ref_33","unstructured":"Bengio, Y., L\u00e9onard, N., and Courville, A. (2013). Estimating or Propagating Gradients Through Stochastic Neurons for Conditional Computation. arXiv."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Dubey, A., Karabulut, E., Awad, A., and Aysu, A. (2022, January 13\u201315). High-Fidelity Model Extraction Attacks via Remote Power Monitors. Proceedings of the Artificial Intelligence Circuits and Systems (AICAS), Incheon, Republic of Korea.","DOI":"10.1109\/AICAS54282.2022.9869973"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"58","DOI":"10.1109\/MDAT.2021.3063306","article-title":"An inside job: Remote power analysis attacks on FPGAs","volume":"38","author":"Schellenberg","year":"2021","journal-title":"IEEE Des. Test"},{"key":"ref_36","unstructured":"Pappalardo, A. (2025, January 02). Xilinx\/Brevitas, Available online: https:\/\/zenodo.org\/records\/13912206."},{"key":"ref_37","unstructured":"Simonyan, K., and Zisserman, A. (2014). Very deep convolutional networks for large-scale image recognition. arXiv."},{"key":"ref_38","unstructured":"Krizhevsky, A., and Hinton, G. (2009). Learning Multiple Layers of Features from Tiny Images. [Master\u2019s Thesis, University of Toronto]."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1038\/s41597-022-01721-8","article-title":"MedMNIST v2-A large-scale lightweight benchmark for 2D and 3D biomedical image classification","volume":"10","author":"Yang","year":"2023","journal-title":"Sci. Data"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"187","DOI":"10.1007\/s11554-010-0185-2","article-title":"Real-time medical video processing, enabled by hardware accelerated correlations","volume":"6","author":"Savarimuthu","year":"2011","journal-title":"J. Real-Time Image Process."},{"key":"ref_41","unstructured":"Subedar, M., Ahuja, N., Krishnan, R., Ndiour, I.J., and Tickoo, O. (2019). Deep probabilistic models to detect data poisoning attacks. arXiv."},{"key":"ref_42","unstructured":"Yasaei, R., Chen, L., Yu, S.Y., and Al Faruque, M.A. (2022). Hardware trojan detection using graph neural networks. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, IEEE."},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"102543","DOI":"10.1016\/j.sysarc.2022.102543","article-title":"Is your FPGA bitstream Hardware Trojan-free? Machine learning can provide an answer","volume":"128","author":"Palumbo","year":"2022","journal-title":"J. Syst. Archit."},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Baluta, T., Shen, S., Shinde, S., Meel, K.S., and Saxena, P. (2019, January 11\u201315). Quantitative verification of neural networks and its security applications. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK.","DOI":"10.1145\/3319535.3354245"},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"141","DOI":"10.1109\/JSSC.2022.3215670","article-title":"A Threshold Implementation-Based Neural Network Accelerator with Power and Electromagnetic Side-Channel Countermeasures","volume":"58","author":"Maji","year":"2022","journal-title":"J. Solid-State Circuits (JSSC)"}],"container-title":["Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2410-387X\/9\/1\/5\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,8]],"date-time":"2025-10-08T10:24:09Z","timestamp":1759919049000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2410-387X\/9\/1\/5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,7]]},"references-count":45,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,3]]}},"alternative-id":["cryptography9010005"],"URL":"https:\/\/doi.org\/10.3390\/cryptography9010005","relation":{},"ISSN":["2410-387X"],"issn-type":[{"type":"electronic","value":"2410-387X"}],"subject":[],"published":{"date-parts":[[2025,1,7]]}}}