
This article has been accepted for publication in IEEE Journal on Exploratory Solid-State Computational Devices and Circuits. This is the author's version which has not been fully edited and content may change prior to final publication. Citation information: DOI 10.1109/JXCDC.2022.3217043

Leveraging Ferroelectric Stochasticity and In-Memory Computing for DNN IP Obfuscation

Likhitha Mankali, Student Member, IEEE, Nikhil Rangarajan, Member, IEEE, Swetaki Chatterjee, Student Member, IEEE, Shubham Kumar, Student Member, IEEE, Yogesh Singh Chauhan, Fellow, IEEE, Ozgur Sinanoglu, Senior Member, IEEE, and Hussam Amrouch, Member, IEEE

Manuscript received August 22, 2022; revised October 17, 2022; accepted October 19, 2022.
Likhitha Mankali is with the Department of Electrical and Computer Engineering, Tandon School of Engineering, New York University, USA (email: lm4344@nyu.edu).
Nikhil Rangarajan and Ozgur Sinanoglu are with the Division of Engineering, New York University Abu Dhabi, UAE (email: nikhil.rangarajan@nyu.edu; ozgursin@nyu.edu).
Swetaki Chatterjee, Shubham Kumar, and Yogesh Singh Chauhan are with the Department of Electrical Engineering, Indian Institute of Technology Kanpur, Kanpur, India (email: swetakic@iitk.ac.in; shubhamp@iitk.ac.in; chauhan@iitk.ac.in).
Hussam Amrouch is with the Department of Computer Science, University of Stuttgart, Stuttgart, Germany (email: amrouch@iti.uni-stuttgart.de).

Abstract—With the emergence of the Internet of Things (IoT), deep neural networks (DNNs) are widely used in different domains, such as computer vision, healthcare, social media, and defense. The hardware-level architecture of a DNN can be built using an in-memory computing-based design, which is loaded with the weights of a well-trained DNN model. However, such hardware-based DNN systems are vulnerable to model stealing attacks, where an attacker reverse-engineers and extracts the weights of the DNN model. In this work, we propose an energy-efficient defense technique that combines a Ferroelectric Field Effect Transistor (FeFET)-based reconfigurable physically unclonable function (PUF) with an in-memory FeFET XNOR to thwart model stealing attacks. We leverage the inherent stochasticity in the FE domains to build a PUF that helps to corrupt the neural network's weights when an adversarial attack is detected. We showcase the efficacy of the proposed defense scheme by performing experiments on graph neural networks (GNNs), a particular type of DNN. The proposed defense scheme is the first of its kind to evaluate the security of GNNs. We investigate the effect of corrupting the weights of different layers of the GNN on the accuracy degradation of the graph classification application for two specific error models of corrupting the FeFET-based PUFs and five different bioinformatics datasets. We demonstrate that our approach successfully degrades the inference accuracy of the graph classification by corrupting any layer of the GNN after a small re-write pulse.

Index Terms—Graph Neural Networks, Deep Neural Networks, Ferroelectric Field Effect Transistor (FeFET), Model stealing attacks, Hardware Security

[Figure 1 placeholder: legitimate flow (green) from computing resources and training data through a time-consuming model training process to the trained algorithm (the intellectual property), deployed either as ML-as-a-Service or as an on-chip neural core; attack flow (red): steal the weights w_i, w_j, w_k, ... and reverse engineer.]
Fig. 1: The setup and training of hardware NNs, either for a cloud-based ML-as-a-Service model or for an on-chip neural core implementation, is a resource-intensive and time-consuming process. This incentivizes NN IP stealing attacks. Here, the legitimate use cases are shown in green, whereas the malicious attack is highlighted in red.

I. INTRODUCTION

The demand for Artificial Intelligence (AI) and Machine Learning (ML) hardware for the edge computing paradigm has burgeoned in recent times with the growth of the Internet of Things (IoT). Deep Neural Networks (DNNs) are at the forefront of this revolution, with applications in various domains, including computer vision, big data, and natural language processing [1], [2]. However, constructing and setting up a DNN incurs significant hardware costs and requires large-scale training data, demanding considerable monetary and logistical resources. Owing to this, cloud-based DNN applications and Machine Learning-as-a-Service (MLaaS) have become popular commercial models, catering to a wide range of businesses [3], [4]. Though performing complex DNN operations is computationally expensive, in certain scenarios such as remotely deployed IoT devices or security-critical military applications, it is preferable to have an on-board hardware DNN processing system. Hence, from both commercial and military standpoints, the security of the deployed DNN hardware is of paramount importance; its piracy can cause monetary loss or result in the leaking of sensitive information.

In particular, Graph Neural Networks (GNNs) are a class of DNNs specifically designed to process data relationships that can be expressed as graphs, e.g., datasets pertaining to molecular chemistry and biology, social networks, and data mining, among others [5]. GNNs are typically utilized in applications involving non-Euclidean graph structures of various types, including cyclic, acyclic, directed, and undirected graphs [6]. They have recently gained traction because many relationships in the natural world occur in graph data, and Neural Networks (NNs) like Convolutional Neural Networks (CNNs) cannot process such graph data accurately. CNNs process input data, such as images represented as tensors, and treat them as ordered data: a change in the order of the elements of a tensor leads to a change in the output of the CNN. This dependence of the output on the representation order does not apply to graphs. A graph representation does not require a fixed order; thus, the tensor-based representation is unsuitable for graphs. GNNs can process graph data irrespective of the order and are capable of learning the structural features of the overall graph.

A. Hardware Security of Neural Networks

Various attacks have been proposed against the confidentiality of neural network (NN) systems. These attacks aim to reverse-engineer (RE) the hardware of NNs by stealing the underlying model's vital information, i.e., its weight mapping. In such attacks, an attacker queries the NN with various inputs and collects the corresponding output responses. Then, using the input-output responses, the attacker can RE the weights of the target network. Such attacks have been proposed against different types of DNNs. In [7]–[9], researchers have proposed attacks on black-box DNNs wherein they craft the inputs, i.e., the images to be queried, in such a way that the output predictions reveal the internal attributes of the underlying network. There are different types of adversarial attacks that aim to affect the confidentiality of GNNs. Such attacks either

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

aim to retrieve important information about the training dataset or steal the GNN model itself. The attacks proposed in [10], [11] target membership inference, which aims to find valid data samples that were used for training, thus affecting the confidentiality of the training dataset. In [12], a link stealing attack has been proposed that aims to predict the existence of links between two nodes in the training graph, thus leaking the training dataset. In [13], [14], property inference attacks have been proposed against GNNs, which aim to infer properties of the training dataset such as subgraphs, graph density, etc. In [15]–[17], model extraction attacks have been proposed against GNNs that aim to build a surrogate model with an accuracy similar to the original GNN model under attack. In [16], researchers have proposed different model extraction attacks considering different attack scenarios, such as complete, partial, or no knowledge about the training dataset. However, this attack also extracts the GNN model using input and output (I/O) queries. In [15], researchers have proposed a model extraction attack that targets inductive GNNs in an adversarial setting where they do not tamper with the training process. The attack proposed there queries the GNN considering two scenarios, with and without the structural information of the query graphs. In this work, we focus on such model stealing or extraction attacks on GNNs. All these attacks target the software implementation of the NN and aim to generate adversarial examples using the knowledge of the extracted model.

Several approaches have been proposed to defend against model extraction/stealing attacks, especially for DNNs. These techniques defend the NN architecture at the hardware level. In [19], researchers have demonstrated a technique that defends memristor-based NN architectures by leveraging the memristor's obsolescence effect: the continuous application of voltage causes an increase in memristance, which causes the obsolescence effect in memristors. This solution prevents the attacker from querying the NN architecture often enough to obtain sufficient input-output pairs to replicate the target network model. However, this defense can be circumvented by controlling the obsolescence effect through input voltage amplitude scaling. Later, in [20], researchers proposed a superparamagnetic magnetic tunnel junction (s-MTJ)-based defense mechanism that leverages the thermally-induced telegraphic switching property of s-MTJs to corrupt the weights. Unlike [19], in this defense the attacker cannot control the corruption of the weights. However, the small retention time of s-MTJs warrants frequent refresh operations, leading to higher energy costs.

B. Key Contributions of this Work

In this work, we leverage two particular properties of emerging FeFET devices to secure NN systems, namely, (i) the inherent stochasticity in the spatial distribution of the ferroelectric domains to corrupt the NN weights [21], and (ii) the in-memory computation capability of FeFETs to perform efficient and compact XNOR-based logic-in-memory [22]. We design a weight encryption scheme for protecting the confidentiality of hardware NNs by combining these two effects. Specifically, we choose GNNs as the model network to be protected, although the proposed scheme can be applied to any DNN structure without loss of generality. Next, we describe the threat model assumed for the target GNN.

Threat model: Here, we outline the resources and capabilities of the attacker considered in this work.
(a) An attacker has (only) black-box access to the hardware GNN intellectual property (IP), which is either a part of the cloud-based infrastructure or a part of an on-chip core. They do not have physical access to the individual internal weights, i.e., they cannot probe and find the programmed weights at any given instant.
(b) The attacker can apply any number of I/O queries to the GNN IP.
(c) The attacker has access to a dataset that is part of the original training dataset or is similar to the training dataset of the GNN IP.

The contributions of this work are as follows:
(1) We exploit the randomness in FeFET devices to augment the security of NN systems by amalgamating it with the in-memory computation capabilities of FeFET XNOR gates.
(2) We present a comprehensive analysis and modeling of the randomness in FE domains and highlight the construction of a reconfigurable PUF using this inherent randomness. This FeFET-based reconfigurable PUF is pivotal to the weight corruption mechanism.
(3) To the best of our knowledge, this is the first work to demonstrate a defense against model piracy attacks specifically targeting GNNs.
(4) We explore the system-level implications of the GNN weight corruption on the accuracy of classification tasks and show how model piracy attacks can be foiled.

II. PRELIMINARY AND BACKGROUND

A. Introduction to Graph Neural Networks

GNNs are rapidly gaining attention and becoming the preferred network for analyzing graph-based data structures. GNNs use a message passing technique in which information is passed from one node to its neighbors (i.e., connected nodes). The input graph passes through various layers of the GNN. In each layer of the GNN, the node representation is updated with the aggregation of messages from its neighbors. In this way, after passing through multiple layers, the feature information of a node represents not only the node itself but its neighborhood as well. Thus, the GNN learns the features of the complete graph and performs the classification. GNNs are generally used for applications such as graph classification, node classification, and link prediction. In this work, we show the performance of the proposed defense scheme on the Deep Graph Convolutional Neural Network (DGCNN) [18], used for the application of graph classification. The architecture of the DGCNN for graph classification is described next.

GNN Topology: Figure 2 illustrates the architecture of the DGCNN. The DGCNN consists of three major stages: a) graph convolution (GCN) layers, b) a SortPooling layer, and c) traditional convolution and dense layers. Consider an input graph G to the DGCNN with adjacency matrix $\tilde{A}$ and diagonal degree matrix $\tilde{D}$, where $\tilde{D}_{ii} = \sum_{j} \tilde{A}_{ij}$. $X \in \mathbb{R}^{n \times c}$ is the feature matrix, where n is the number of nodes in the graph and c is the dimension of the feature of a single node. The output Z of a GCN layer with non-linear activation function f and weight matrix W is given by:

$$Z = f(\tilde{D}^{-1} \tilde{A} X W) \quad (1)$$

A GCN layer gathers the information of the local neighborhood of each node and aggregates it. The updated graph with aggregated node embeddings is propagated to the next GCN layer. The GCN layers help the GNN obtain the overall structural information and the nodes' features in the graph. The output of the (k+1)-th GCN layer is given by:

$$Z^{k+1} = f(\tilde{D}^{-1} \tilde{A} Z^{k} W^{k}) \quad (2)$$

where $Z^{k}$ and $W^{k}$ are the output and weight matrix of the previous GCN layer, i.e., the k-th GCN layer. The node embeddings obtained by all GCN layers are concatenated before passing to the SortPooling stage. The concatenated node embedding matrix is given as $Z^{1:K} := [Z^{1}, \ldots, Z^{K}]$, where K is the number of GCN layers. In $Z^{1:K}$, each row is a node's feature descriptor consisting of its neighborhood information, and each column is a feature channel. The SortPooling layer takes $Z^{1:K}$ as input, sorts it row-wise according to the values


[Figure 2 placeholder: (a) Input graph, (b) Graph convolution layers, (c) SortPooling, (d) 1-D convolution, (e) Dense layers; node labels P, Q, R, S, T, U are re-ordered by the sort step.]
Fig. 2: The architecture of DGCNN (adopted from [18]). Consider (a) as an input graph G to the DGCNN. G is passed through the graph convolutional layers as shown in (b), where the neighborhood information of each node is gathered and then aggregated. The outputs of all graph convolutional layers are concatenated. As shown in (c), the SortPooling layer sorts and performs pooling on the graph data. Finally, the output of the SortPooling layer is passed through 1-D traditional convolutional layers and dense layers, as shown in (d) and (e), respectively.

[Figure 3 placeholder: FeFET cross-sections for (a) P_FE+ and (b) P_FE-, showing gate, source, drain, N+ channel, BOX and substrate, labeled low-V_TH and high-V_TH respectively.]
Fig. 3: Schematic representation of the FeFET in (a) low-V_TH state where the FE domains are polarized down, and (b) high-V_TH state where the FE domains are polarized up.

[Figure 4 placeholder: (a) I_DS (A), log scale 10^-9 to 10^-5, versus V_FG (V) from -1 to 1, low-V_TH and high-V_TH curves separated by a memory window MW = 1.8 V; (b) count versus V_TH (V) from -0.8 to 0.8 for 0 % (high-V_TH) and 100 % (low-V_TH) P_FE+.]
Fig. 4: (a) I-V characteristics of the FeFET simulated in Sentaurus TCAD from Synopsys after a write voltage of ±4 V. (b) Distribution of V_TH from 0 % P_FE+ (high-V_TH) to 100 % P_FE+ (low-V_TH).
of $Z^{K}$, and returns the first m rows of the sorted input, where m is user-defined. The output of the SortPooling layer is then converted to a one-dimensional matrix of size $m \times (\sum_{k=1}^{K} c_k) \times 1$ (with $c_k$ the number of feature channels output by the k-th GCN layer) to pass through the third stage of the DGCNN, i.e., traditional CNN and dense layers. Finally, the output of the dense layers is passed through a softmax layer. The output of the softmax layer is used to determine the class of the input graph in the graph classification application.
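The GCN propagation of Eqs. (1) and (2), the concatenation into $Z^{1:K}$ and the SortPooling step described above, as an added example that is not part of the paper and not the DGCNN authors' code. It is plain Python without numpy; the 3-node path graph, the node features and the 1x1 weight matrices are constructed toy values standing in for a dataset and trained parameters, the activation is swapped for the identity in the demo so the numbers can be checked by hand, and the sort direction (descending) follows the DGCNN convention, which the text above does not spell out.

```python
import math


def matmul(a, b):
    """Row-by-column product of two small dense matrices (lists of rows)."""
    assert len(a[0]) == len(b), "inner dimensions must agree"
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))]
            for i in range(len(a))]


def with_self_loops(adj):
    """A~ = A + I so that every node also aggregates its own features."""
    n = len(adj)
    return [[adj[i][j] + (1.0 if i == j else 0.0) for j in range(n)]
            for i in range(n)]


def degree_normalize(a_tilde):
    """D~^{-1} A~ with D~_ii = sum_j A~_ij: each row becomes a mean over the
    node's closed neighbourhood."""
    return [[v / sum(row) for v in row] for row in a_tilde]


def gcn_layer(norm_adj, z, w, f=math.tanh):
    """One GCN layer, Eq. (2): Z^{k+1} = f(D~^{-1} A~ Z^k W^k)."""
    return [[f(v) for v in row] for row in matmul(matmul(norm_adj, z), w)]


def dgcnn_embed(adj, x, weights, f=math.tanh):
    """Apply K GCN layers (Eq. (1) for the first, Eq. (2) after that) and
    return (Z^{1:K}, Z^K): the row-wise concatenation of all layer outputs,
    and the last layer's output, which SortPooling uses as its sort key."""
    norm_adj = degree_normalize(with_self_loops(adj))
    z, outputs = x, []
    for w in weights:
        z = gcn_layer(norm_adj, z, w, f)
        outputs.append(z)
    concat = []
    for i in range(len(x)):
        row = []
        for layer in outputs:
            row.extend(layer[i])
        concat.append(row)
    return concat, outputs[-1]


def sort_pooling(z_concat, z_last, m):
    """SortPooling: order the node rows by their Z^K values (descending, as
    in DGCNN), keep the first m rows, zero-pad when the graph has fewer than
    m nodes, and flatten to the m * (sum_k c_k) vector fed to the 1-D CNN."""
    order = sorted(range(len(z_concat)),
                   key=lambda i: tuple(z_last[i]), reverse=True)
    rows = [z_concat[i] for i in order[:m]]
    width = len(z_concat[0])
    rows += [[0.0] * width for _ in range(m - len(rows))]
    return [v for row in rows for v in row]


# Constructed toy input (not a paper dataset): a 3-node path graph 0-1-2 with
# scalar node features and two 1x1 GCN weight matrices.
TOY_ADJ = [[0.0, 1.0, 0.0], [1.0, 0.0, 1.0], [0.0, 1.0, 0.0]]
TOY_X = [[1.0], [2.0], [3.0]]
TOY_WEIGHTS = [[[1.0]], [[1.0]]]


def run_toy(m=2, f=lambda v: v):
    """Embed the toy graph with an identity activation (so the numbers can be
    checked by hand) and return the SortPooling output vector."""
    concat, last = dgcnn_embed(TOY_ADJ, TOY_X, TOY_WEIGHTS, f)
    return sort_pooling(concat, last, m)


if __name__ == "__main__":
    print(run_toy())  # [2.5, 2.25, 2.0, 2.0]
```

With the identity activation the first layer averages each node's feature over its closed neighbourhood (1.5, 2.0, 2.5), the second layer averages again (1.75, 2.0, 2.25), and SortPooling with m = 2 keeps the two nodes with the largest last-layer values, so the flattened vector has size m times the total channel count, here 2 x 2.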

Fig. 5: (a) Change of V_TH with % P_FE+ and (b) plot of % P_FE+ against applied write voltage (WV) for a pulse duration of 2 µs to set it into different V_TH values and hence different stored states.

B. FeFET Device Construction and Working

Since the discovery of ferroelectricity in HfO2 in 2012, FeFETs have gained increased attention from industry and academia as a potential non-volatile memory solution, owing to their excellent CMOS compatibility and low-power operation [23]. The structure of a FeFET (shown in Figure 3) is similar to that of a conventional MOSFET, except for the composition of the gate stack, where an extra ferroelectric (FE) layer is incorporated on top of the oxide layer. The FE layer is composed of multiple domains, each of which can be polarized either down or up. The polarization describes the orientation of the permanent electric dipoles, which arise from the non-centrosymmetric arrangement of atoms in the FE material. Therefore, depending on the direction of the polarization, a positive (Q_FIX+, domains polarized down) or a negative (Q_FIX-, domains polarized up) surface charge is developed at the HfO2-SiO2 interface. The developed surface charge controls the channel conductivity and thus the electrical characteristics of the FeFET. For example, in an n-channel FeFET, when the domains are polarized down, Q_FIX+ attracts more electrons into the channel. This leads to higher conductivity and hence a lower threshold voltage (V_TH). Conversely, for up-polarized domains, electrons are repelled from the channel, so the channel conductivity decreases and V_TH increases. Therefore, FeFETs can have at least two distinct V_TH states, which form the basis for their use as a memory.

To read the stored memory state, a constant read voltage (V_READ) is applied to the gate of the FeFET. If the FeFET is in the high-V_TH state, a low current (I_OFF) is sensed at the drain terminal, whereas a high current (I_ON) is sensed for the low-V_TH state. An excellent I_ON to I_OFF ratio is observed in the case of the FeFET, making it a lucrative option over other emerging non-volatile memories. The FeFET is written by applying a voltage pulse of suitable magnitude and width at the gate terminal. A positive pulse flips the domains downwards, thereby reducing V_TH, whereas a negative pulse flips the domains upwards and increases V_TH.

In this work, we consider FeFET devices with a 50 nm n-channel based on fully depleted silicon on insulator (FDSOI). The gate stack comprises a 10 nm thick HfO2 layer and a 0.6 nm SiO2 layer, and the FE layer is composed of multiple domains, each with a size of 5 nm. The underlying FDSOI device has been fully calibrated against measurements from the 14 nm FDSOI technology node [24]. The ferroelectric material parameters, namely remnant polarization, saturation polarization, and coercive field, are calibrated using measured Q_FE-V_FE data from a metal-ferroelectric-metal capacitor [21]. The resulting drain current (I_DS) against gate voltage sweep after programming the FeFET with a pulse of ±4 V in Sentaurus TCAD from Synopsys is shown in Figure 4(a).

III. IMPLEMENTATION

A. Modeling the Inherent Randomness in FeFET

It is noteworthy that not all the domains within the FE layer switch at the same time [23]. Therefore, positive and negative domains co-exist in the FE layer when a "weak" write voltage pulse (i.e., a write voltage pulse with a smaller amplitude and/or smaller width than what is needed to completely switch


[Figure 6 placeholder: domain-arrangement tiles for Sample 1, Sample 2, Sample 3, ..., Sample 100 at 50 % P_FE+ and, after the reconfigure pulse, at 48 % P_FE+ (P_FE+ domains carry Q_fix+, P_FE- domains carry Q_fix-); histograms of count versus I_DS (A) at V_read = 0.5 V with I_ref marked for 50 % and 48 % P_FE+, splitting the '0' and '1' regions; and I_DS (A) versus V_GS (V) transfer curves at V_DS = 50 mV for both states.]
Fig. 6: The domain configuration and the distribution of I_DS before and after the reconfigure pulse. The tiles show the channel configuration and the random distribution of the domains for a particular % P_FE+. The I_DS distribution for the corresponding state shows the variability due to the random distribution of domains.

all FE domains) is applied. Thus, depending on the percentage of domains polarized down (% P_FE+), the FeFET can be set into intermediate V_TH states by controlling the write voltage amplitude or pulse width. The high-V_TH state corresponds to 0 % P_FE+, where all the domains are polarized upwards, and vice versa for the low-V_TH state (100 % P_FE+), where all the domains are polarized downwards. For a sufficiently long-channel FeFET, where the domain size is much smaller than the channel dimensions, a gradual switching of the FeFET is observed and there can be many intermediate states of polarization [21].

For intermediate V_TH states, the polarized domains can exist in any spatial arrangement throughout the channel [25]. Also, due to the stochastic switching time of the FeFET, the exact domains that switch cannot be predicted, even for the same pulse. This provides an additional source of variation in the distribution of the polarized domains along the channel. Thus, even for a fixed % P_FE+, we can have a different spatial distribution of the ferroelectric domains and thus variability in the underlying channel electron density. This can cause variability in the electrical characteristics of the FeFET at a given intermediate state. Also, conventional sources of variability in the underlying transistor, such as random dopant fluctuations, metal gate work function variation, and line edge roughness, can cause additional variation in the electrical properties of the intermediate state.

To model the variability and randomness (inherent stochasticity) inside the FeFET, we employ our in-house TCAD-based framework as in [21], [25]. It enables us to directly evaluate the impact of random spatial fluctuation of the polarization by emulating the polarization charges (P_FE) with fixed charges (Q_FIX) at the HfO2-SiO2 interface. In practice, each domain is assigned a particular Q_FIX depending on its polarization. The value of Q_FIX can be calculated by measuring the residual P_FE in the FE layer as

$$Q_{FIX} = \frac{P_{FE}}{1.6 \times 10^{-19}}. \quad (3)$$

Here, Q_FIX represents the interface charge concentration (measured in cm^-2) at the interface between the ferroelectric layer and the interfacial layer. The sign of Q_FIX determines the type of charge and thus the direction of the polarization of the domain.

For a given % P_FE+, the total number of domains with Q_FIX+ (or Q_FIX-) is fixed, and they are randomly distributed in space to generate a random distribution of the channel electron density [21]. Next, Monte-Carlo simulations are performed to determine the effect of the random distribution of the domains on the electrical characteristics of the FeFET. Additionally, variations due to the conventional sources of variability are simulated and combined with the inherent variations from the multi-domain FeFET. The corresponding V_TH distributions of the FeFET for 0 % P_FE+ to 100 % P_FE+ are shown in Figure 4(b). The maximum variation is observed at 50 % P_FE+, where there is an equal number of up- and down-polarized domains and thus maximum spatial variability. This variation in V_TH also causes a variation in I_DS at a particular % P_FE+.

Figure 5(a) plots the mean V_TH for each intermediate state with the corresponding % P_FE+. In order to set the FeFET at a particular % P_FE+, we need to know the relationship between write voltage and % P_FE+. This relationship can be established by measuring the residual polarization after a write pulse. Once this value is known, it can be normalized between the minimum and maximum P_FE and converted to % P_FE+. Our fixed-charge based modeling framework also measures the same maximum and minimum P_FE, converts it into fixed charges, and distributes it among the domains according to a given % P_FE+. This allows us to link our fixed-charge based TCAD model with the already known Preisach model and determine the write pulse magnitude and duration needed to set the device to a particular % P_FE+. Figure 5(b) shows the relationship between % P_FE+ and write voltage for a fixed pulse width.

[Figure 7 placeholder: histograms of count versus I_DS (A), from 0.5 to 3.5, for 48 %, 50 % and 52 % P_FE+, with I_ref marked.]
Fig. 7: The shift in the distribution curves for changing % P_FE+ from 50 % by a small value. An increase in % P_FE+ shifts the entire distribution right, and vice versa for a decrease in % P_FE+.

B. FeFET-based Reconfigurable PUF

As discussed in the preceding section, the FeFET shows variation in V_TH and, correspondingly, in the current flowing through it, even for a fixed polarization strength. This forms the basis for using the FeFET as a PUF. The structure of our designed PUF is similar to the recently proposed one-FeFET-per-cell reconfigurable PUF [26]. The PUF is programmed in three steps. First, all the transistors are set to an initial high-V_TH or low-V_TH state by setting all the domains in the upward or downward direction. This is done by applying a high positive or negative pulse. In the next step, we apply a voltage pulse of lower magnitude to set the device to an intermediate V_TH state. The third and final step is to generate the output bits from the PUF. Because of the inherent stochasticity and randomness that arise from the multi-domain FeFET, there exists variability in the FeFET.


TABLE I: Reconfigure pulse magnitude and time to set into different % P_FE+.

% P_FE+ | Voltage (V) | Time (ns)
45 | -0.7 | 325
48 | -0.7 | 145
49 | -0.7 | 5
50 | 0 | 0
51 | 2.8 | 5
52 | 2.8 | 190
55 | 2.8 | no change

TABLE II: Error probability for bitflip for reconfiguring to different % P_FE+ at different V_READ.

% P_FE+ | Bitflip error probability (%), V_READ = 0.1 V | V_READ = 0.5 V | V_READ = 1 V
45 | 83.696 | 88.535 | 98.598
48 | 20.900 | 37.057 | 58.215
49 | 3.585 | 11.401 | 20.745
50 | 0 | 0 | 0
51 | 22.113 | 31.764 | 47.192
52 | 42.797 | 58.793 | 58.557
55 | 83.611 | 98.071 | 99.903

[Figure 8 placeholder: (a) FeFET-based XNOR storing A = 0 and (b) FeFET-based XNOR storing A = 1; each cell has FeFET1 and FeFET2 between the M-Line and the output, with B and its complement on the gates.]

A | B | FeFET1 | FeFET2 | Output
0 | 0 | OFF | OFF | 1
0 | 1 | ON | OFF | 0
1 | 0 | OFF | ON | 0
1 | 1 | OFF | OFF | 1

Fig. 8: FeFET-based in-memory XNOR gate construction and truth table.

Owing to this variability, when the FeFET is read using a particular V_READ, there exists variability in I_DS. This gives us a distribution of I_DS. The mean of the distribution is chosen as a reference (I_REF) and compared with the I_DS read out to generate the bits. For a device with I_DS > I_REF, the output is '0', else '1'. Thus, we can have equiprobable 0's and 1's (P(0) = P(1) = 0.5). To reconfigure the PUF, a positive or negative voltage pulse can be applied. This sets the constituent FeFETs into different intermediate V_TH states such that the current distribution completely changes. This consequently alters the probability of 0's and 1's.

In order to simulate the PUF, we set the polarization in the FE layer of each FeFET to 50 % P_FE+ because the maximum variation is observed there. This can be done by applying a write voltage of suitable magnitude, about 2.2 V, determined from Figure 5(b). We use our variability modeling framework to run Monte-Carlo simulations at 50 % P_FE+ for the FeFET to generate the current distribution. Finally, we can read the drain-source current (I_DS) from the bit-line by applying V_READ at the gate terminal for a very short duration (0.5 ns) so as not to disturb the polarization state. When an m-bit challenge in the form of the addresses of the individual cells is input to the FeFET array, an n-bit output is generated depending on the particular FeFETs returning either "1" or "0".

In case of an attack, the PUF can be reconfigured (reprogrammed) by applying a reconfiguration pulse at the word-line of each FeFET in parallel. This sets the FeFETs in the PUF array to a different state of polarization. Table I shows the magnitude and duration of the reconfigure pulse required to change into nearby states of polarization from 50 % P_FE+. These values are calculated in the same way as described in Section III-A. The corresponding change in the distribution curves can be generated using our fixed-charge based variability modeling framework (see Figure 6). I_REF does not change with the change in % P_FE+, and thus we no longer have equiprobable 0's and 1's. If % P_FE+ increases, the distribution shifts right, and the probability of getting a '0' (P(0)) increases. Conversely, for a decrease in % P_FE+, P(1) increases. Therefore, on applying the reconfiguration pulse, the output bit probability of the PUF changes. Figure 7 shows the overlapping distributions of I_DS for two other polarization strengths compared to the golden-standard case of 50 % P_FE+. As I_REF does not change, there is a probability for the output bits to flip from '0'→'1' (P(1_n|0_p)) or from '1'→'0' (P(0_n|1_p)). The suffixes 'n' and 'p' refer to the new state after reconfiguration and the previous state, respectively.

Assuming that the nature of the distribution curve remains the same (i.e., points to the left and right of the mean remain so even on changing % P_FE+), we can easily calculate the error probability. If % P_FE+ increases, P(1_n|0_p) remains zero, because all FeFETs that were originally producing an output '0' will continue to do so even after reconfiguration; P(error) = P(0_n|1_p) in this case. Alternatively, if % P_FE+ decreases, P(error) = P(1_n|0_p). To determine these probabilities, we use Bayes' theorem as follows:

$$P(1_n \mid 0_p) = \frac{P(1_n)\, P(0_p \mid 1_n)}{P(0_p)}, \quad (4)$$

$$P(0_n \mid 1_p) = \frac{P(0_n)\, P(1_p \mid 0_n)}{P(1_p)}. \quad (5)$$

From our previous discussion we know P(0_p) = P(1_p) = 0.5. P(1_n) and P(0_n) can be simply calculated as the probability for the new distribution curve to lie to the left or to the right of I_REF, respectively. For the calculation of P(0_p|1_n) and P(1_p|0_n), we calculate the probability for the new distribution curve to lie between I_REF and the mean of the new distribution, since this is the region for which, given that a bit is '1' ('0') now, it was '0' ('1') previously. Table II shows P(error) for changing % P_FE+ at various V_READ. Note that our model is able to capture only device-to-device variations and does not take into account cycle-to-cycle variations, which are present in real devices. However, cycle-to-cycle variations will only add to the stochasticity of the FeFET device. Furthermore, we have considered a FeFET device with 100 domains and a very wide channel. Thus, cycle-to-cycle variations due to switching stochasticity will not play a major role, since they are most prominent in highly scaled devices with very few domains [27].

C. In-memory Computation with FeFET XNOR

The logic-in-memory realization of a FeFET-based XNOR Boolean function can be achieved by coupling two FeFETs together [28], in which a logic value is always stored in a complementary manner. The structure of a single FeFET XNOR cell is shown in Figure 8. For instance, when logic '0' is stored, FeFET1 will be in the low-V_TH state and FeFET2 will be in the high-V_TH state. Correspondingly, the FeFETs are in the opposite configuration for storing '1'.

Depending on whether the value input to the FeFET-based XNOR matches the stored value or not, the XNOR output will be either '0' or '1'. In practice, a match line (M-Line) is first charged to high V_dd. Then, when A = B, both FeFETs will be OFF. Hence, no conducting path is formed and the gate output remains at high voltage. Therefore, the XNOR's output provides a logic '1' in such a case. Only when
state before reconfiguration respectively. The total P(error) is A ̸= B, a conducting path is formed through the Ferroelectric
the sum of P (1n |0p ) and P (0n |1p ). FET (FeFET) that is in low V TH state. Hence, the voltage


rapidly drops and the output provides logic '0'. Concisely, if and only if A ≠ B, the output is logic '0'. Otherwise, it is logic '1', which is a realization of the XNOR Boolean function. Further details on the FeFET-based in-memory XNOR are given in [22].

Fig. 9: An FeFET-based reconfigurable PUF is used in conjunction with an in-memory XNOR array for implementing the weight corruption scheme. (Figure not reproduced; it shows the PUF array addressed through a decoder by an m-bit challenge, reference sense amplifiers producing the n-bit response {ωPUF1, ωPUF2, … ωPUFn}, and the FeFET XNOR array combining ωPUF with ωint to yield ωfinal.)

D. Weight Corruption Scheme

Figure 9 delineates the {FeFET PUF + in-memory XNOR}-based weight corruption architecture considered in this paper (see footnote 1). Initially, the PUF array is programmed to a fixed random state and the internal states of the cells of the XNOR array are written accordingly, to obtain the desired final weight array [ωfinal] that is required for the GNN task. In case of no attack, the PUF is set once and device-to-device variations do not affect the functionality, i.e., GNN inference. Once an attack is detected, the PUF array is reconfigured (re-rolled), which changes the original n-bit response of the PUF, and hence the final weights from the XNOR operation will differ from the original golden weights. This weight corruption ensures that the attacker is unable to steal the GNN IP (weight mapping).

We re-program the FeFET XNOR cell array and the FeFET PUF after an attack as follows. We first retrieve the golden weights ωf that are stored in a tamper-proof memory [29] and XNOR them with the re-rolled PUF weight array, i.e., ωPUF new. This gives us the ωint new values, which are then updated in the FeFET XNOR memory cells by setting them to high or low VTH. Now, by performing ωint new ⊙ ωPUF new, we obtain the golden weights back.

1 Note that the weight corruption scheme is applicable to any standard FeFET-based crossbar without loss of generality.

IV. EXPERIMENTAL EVALUATION

In this section, we first describe the experimental setup and then evaluate the proposed work by conducting experiments on GNNs.

A. Experimental Setup

The experiments have been performed on a single compute node with an AMD EPYC CPU comprising 64 cores operating at 2.25 GHz, with 480 GB of memory. We mimic the hardware-level corruption of weights at the software level by implementing the error distribution model of the proposed FeFET-based reconfigurable PUF. We perform experiments on five bioinformatics datasets, i.e., PROTEINS, MUTAG, ENZYMES, NCI1, and D&D. These datasets are represented as graphs, and the classification of these graphs is useful for various bioinformatics applications. We have obtained the datasets for our experiments from [30]. Next, we describe the parameters of the GNN topology and the error models of the FeFET-based PUF.

GNN Topology. We use the default parameters of the DGCNN architecture [18]. The GNN consists of four GCN layers with output channel dimensions of 32, 32, 32, and 1, respectively. The m value of the SortPooling layer is set to 0.6. Further, the 1-D convolutional layers have 16 and 32 output channels, respectively. Finally, the dense layer consists of 128 hidden units followed by a softmax layer as the output layer. Also, the GNN is trained to minimize the cross-entropy loss using an Adam optimizer.

Error model: The probability for a particular bit to flip is described in detail in Section III-B. From there, we chose two error models for our experiments:
1. Error Model A: This model corresponds to changing the state of polarization from 50 % PFE+ to 49 % PFE+ for each FeFET in the PUF. VREAD is chosen very low at 0.1 V. As the % PFE+ decreases in this case, the distribution shifts right and there exists a probability for the PUF bits that were originally '0' to change to '1'. The corresponding P(error) for the output bits of the PUF to flip is obtained from Table II. Thus, for every bit in [ωfinal], if b == '0', the bit is flipped with a probability of 3.58%.
2. Error Model B: This model corresponds to changing the state of polarization from 50 % PFE+ to 51 % PFE+. As with the other error model, the duration and magnitude of the reconfigure pulse can be obtained from Table I and VREAD = 0.1 V. As the % PFE+ increases in this case, there exists a probability for the output bits of the PUF to flip from '1' to '0'. The value for this can again be obtained from Table II. Thus, for every bit in [ωfinal], if b == '1', the bit is flipped with a probability of 22.11%.

Fig. 10: Reduction in the accuracy of the GNN calculated over ten trials for all the considered bioinformatics datasets (ENZYMES, PROTEINS, D&D, MUTAG, NCI1). The weights in all the GNN layers are XNORed with the proposed FeFET-based PUF's error model. (Bar chart, "Corruption of weights in all GNN layers", y-axis: Reduction in Accuracy; not reproduced.)

Fig. 11: Reduction in the accuracy of the GNN (average of ten trials) for corruption of weights separately across GNN layers (GCN 1-4, 1-D Conv 1-2, Dense 1-2) for the PROTEINS dataset. (Bar chart, y-axis: Reduction in Accuracy; not reproduced.)

Fig. 12: Comparison of the reduction in accuracy (average over ten trials) for corruption of weights separately across GNN layers for the ENZYMES dataset for the two error models (Error Model A, Error Model B). (Bar chart, y-axis: Reduction in Accuracy; not reproduced.)
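The corruption and re-programming steps of the weight corruption scheme and the two error models above, as an added bit-level software model in Python (not the paper's code): the golden weight bits, PUF response and seed are constructed, and the per-bit flip probabilities are the 3.58 % and 22.11 % quoted in the text.

```python
"""Bit-level software model of the {FeFET PUF + in-memory XNOR} weight
corruption scheme (added example, not the paper's code). The XNOR array
stores w_int = w_final XNOR w_puf; re-rolling the PUF under error model A
or B flips some PUF bits, so the array then reads out corrupted weights."""
import random

# Per-bit flip probabilities quoted in the text for VREAD = 0.1 V:
# model A (50 % -> 49 % PFE+) flips '0' -> '1', model B (50 % -> 51 % PFE+)
# flips '1' -> '0'. PUF bits of the other value are never touched.
ERROR_MODELS = {
    "A": {"flips": "0", "p": 0.0358},
    "B": {"flips": "1", "p": 0.2211},
}


def xnor(a, b):
    """Bitwise XNOR of two equal-length bit strings (one XNOR cell per bit)."""
    if len(a) != len(b):
        raise ValueError("bit strings must have equal length")
    return "".join("1" if x == y else "0" for x, y in zip(a, b))


def program_xnor_array(w_final, w_puf):
    """Initial programming: choose w_int so that w_int XNOR w_puf == w_final."""
    return xnor(w_final, w_puf)


def reroll_puf(w_puf, model, rand=random.random):
    """Re-roll the PUF response under error model 'A' or 'B'.

    rand() must return a uniform value in [0, 1); it is injectable so the
    behaviour can be checked deterministically."""
    spec = ERROR_MODELS[model]
    out = []
    for bit in w_puf:
        if bit == spec["flips"] and rand() < spec["p"]:
            out.append("1" if bit == "0" else "0")  # this PUF bit flips
        else:
            out.append(bit)
    return "".join(out)


def corrupt(w_final, w_puf, model, rand=random.random):
    """Attack detected: re-roll the PUF while the XNOR cells keep the old
    w_int. Returns (weights now read from the array, number of corrupted
    bits); each flipped PUF bit corrupts exactly one weight bit."""
    w_int = program_xnor_array(w_final, w_puf)
    w_puf_new = reroll_puf(w_puf, model, rand)
    w_read = xnor(w_int, w_puf_new)
    n_bad = sum(x != y for x, y in zip(w_final, w_read))
    return w_read, n_bad


def reprogram(w_final, w_puf_new):
    """Recovery after the attack: write w_int_new = w_final XNOR w_puf_new
    into the XNOR cells; reading the array then returns the golden weights."""
    w_int_new = xnor(w_final, w_puf_new)
    return xnor(w_int_new, w_puf_new)


def expected_corrupted_fraction(w_puf, model):
    """Expected fraction of weight bits corrupted by one re-roll: only PUF
    bits of the at-risk value can flip, each with probability p."""
    spec = ERROR_MODELS[model]
    return spec["p"] * w_puf.count(spec["flips"]) / len(w_puf)


if __name__ == "__main__":
    rng = random.Random(2022)  # constructed seed for a repeatable demo
    w_final = "".join(rng.choice("01") for _ in range(1024))  # constructed golden weights
    w_puf = "".join(rng.choice("01") for _ in range(1024))    # constructed PUF response
    for model in ("A", "B"):
        _, n_bad = corrupt(w_final, w_puf, model, rng.random)
        print(f"model {model}: {n_bad} of {len(w_final)} weight bits corrupted "
              f"(expected ~{expected_corrupted_fraction(w_puf, model):.1%})")
    w_puf_new = reroll_puf(w_puf, "B", rng.random)
    assert reprogram(w_final, w_puf_new) == w_final  # golden weights restored
```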


Fig. 13: Reduction in accuracy (average over ten trials) for corruption of weights separately across GNN layers (first and second GCN layers, first 1-D Convolutional layer, and second Dense layer) for all the considered bioinformatics datasets for the two error models. (Four panels: GCN Layer 1, GCN Layer 2, 1D-Convolution Layer 1, Dense Layer 2; x-axis: ENZYMES, PROTEINS, MUTAG, D&D, NCI1; y-axis: Reduction in Accuracy; series: Error Model A, Error Model B; not reproduced.)

B. Experimental Results

Considering the probabilistic nature of the error model, we report the average reduction in accuracy of the GNN over ten trials for all the results. Figure 10 demonstrates the reduction in accuracy of the GNN for all five datasets considered above over ten trials when all the weights of the GNN are corrupted (see footnote 2). The reduction in accuracy is the difference between the accuracy obtained upon weight corruption and the accuracy of the GNN with the golden/original weights. It can be observed that the reduction in accuracy varies from trial to trial. This is because the number of bit flips, and hence of corrupted weights, differs between trials. This observation is further supported by the effect of the GNN layer on accuracy degradation, which is discussed next.

2 Note that all the results of accuracy degradation have been calculated over ten trials.

Effect of GNN layer: To observe the impact of corruption of weights in each layer of the GNN, we corrupt the weights of each layer separately and obtain the corresponding accuracies. Figure 11 demonstrates the accuracy reduction in the GNN output when the weights of individual layers are corrupted one by one, across the eight layers of the GNN (four GCN layers, two 1-D convolutional layers, and two hidden layers) for the PROTEINS dataset. It can be observed that the accuracy degradation varies with the GNN layer, i.e., the accuracy degradation due to corruption in the second, third, and fourth GCN layers is low compared to corruption in the other GNN layers. Thus, a defender need not corrupt all the weights of the GNN and can instead choose a particular layer to be corrupted, which lowers the power consumption.

Effect of error model: As described above, we consider two error models for the bit flipping or corruption of weights. To observe the effect of the error model, we compare the accuracy degradation between the two error models for all the GNN layers on the ENZYMES dataset, as shown in Fig. 12. There is a difference in the accuracy reduction between the two error models for a given layer, but no particular trend between the error models. In some layers, Error Model A has a higher accuracy reduction than Error Model B, whereas it is the opposite for the remaining layers. Since the trend varies across GNN layers between Error Model A and Error Model B, the accuracy degradation depends on the values of the weights.

Effect of dataset: Along with the difference in accuracy degradation with the GNN layer and the error model, we also observe variation in accuracy degradation with the dataset. Figure 13 demonstrates the accuracy degradation for the datasets ENZYMES, PROTEINS, MUTAG, D&D, and NCI1 for the first and second GCN layers, the first 1-D convolutional layer, and the second Dense layer. This variation is observed because the weights of the GNN model change with the dataset. Thus, a defender can choose the error model or the layer to be corrupted based on the dataset the GNN model is designed for.

TABLE III: Estimated runtime (ns) for all the GNN layers

GNN layer            Runtime (ns)
GCN Layer 1          2.5
GCN Layer 2          2.5
GCN Layer 3          2.5
GCN Layer 4          2.5
1-D Conv. Layer 1    14.5
1-D Conv. Layer 2    14.5
Dense Layer 1        6.5
Dense Layer 2        2.5

The defender should consider the time taken to corrupt the weights along with the accuracy degradation. The runtime of corruption is important since the defender has to ensure the weights are corrupted before an adversary collects a sufficient number of input-output pairs of the GNN. The time taken for corruption of weights depends on the magnitude of the reconfigure pulse of the proposed FeFET-based PUF. Thus, the magnitude of the reconfigure pulse should be chosen such that it results in accuracy degradation and thwarts the attacker from collecting the inference results of a sufficient number of queries. Further, the magnitude of the reconfigure pulse also determines the GNN layer to be corrupted. Next, we discuss the estimated runtime of the GNN model considered in this work. As mentioned above, we consider an in-memory compute architecture for the GNN, which is built using an array of multiply-and-accumulate (MAC) instances. Table III reports the runtime required for the operations of each GNN layer. We consider a fixed MAC array size of 128×128 and a runtime of 1 ns for the operations of a single cycle of the MAC array. A defender can set the magnitude of the reconfigure pulse of the PUF based on each layer's runtime.

C. Detecting and Thwarting Physical Attacks

Physical attacks can be detected in the proposed solution using resistance/capacitance sensor arrays [31] or cryptographically secure mesh structures [32]. To deter an attacker from frequently querying the GNN, a mesh shield can be placed over the input-output terminals of the FeFET array. Any attempt to apply inputs through external leads will alter the data bit sequence through the mesh wires, thus detecting the incursion.

We note that physical incursions like cold-boot attacks depend on the delay between the logical turn-off of the memory cell and the time it takes to physically erase its remnant state [33]. Attackers can further increase this latency using cryogenic cooling to reduce the data entropy. In this scenario, the defender could try to erase all the IP information (stored weights) upon attack detection. However, data erasure incurs a write time penalty (O(µs)), which is much larger than the minuscule time taken to corrupt the FeFET PUF array in the


proposed scheme (5 ns). Hence, attempting data erasure could still leave the attacker with ample time to obtain enough input-output data, whereas the FeFET PUF-based weight corruption will thwart such attacks.

D. Evaluation against Model Extraction Attack

Here, we first discuss the methodology of the attack considered in [17] and then evaluate the proposed obfuscation scheme against it. The steps of the attack in [17] are as follows.
(i) The attacker chooses a random network and default weights/connections as the starting point.
(ii) The attacker then repeatedly queries the golden GNN model to build an I/O dataset.
(iii) After a sufficient number of I/O pairs are obtained, the random network is trained with them to become almost similar to the original network. However, the individual weights/connections inside this newly trained network will be vastly different from those of the original network, even though their I/O behavior is very similar.

Fig. 14: Accuracy (%) of the recovered (surrogate) model for a GNN with no corruption and with corruption in each individual layer w.r.t. I/O queries for error models A and B. (Two panels, Error Model A and Error Model B; x-axis: I/O Queries; y-axis: Accuracy (%); curves: No corruption, Layer 1, Layer 2, Layer 3; not reproduced.)

Here, we discuss the attack's results on the GNN model with weight corruption. We launch the attack in [17] on the PubMed dataset. The original GNN model has 3 hidden layers with a dimension of 256. We consider four scenarios to compare the results, i.e., (i) no corruption in the original GNN model, (ii) corruption in the weights of layer 1 of the original GNN model, (iii) corruption in the weights of layer 2 of the original GNN model, and (iv) corruption in the weights of layer 3 of the original GNN model. Fig. 14 demonstrates the accuracy of the recovered (surrogate) model for Error Model A and Error Model B w.r.t. the number of I/O queries. We observe that without corruption, the accuracy increases with the number of I/O queries, whereas for the corrupted models, the accuracy of the recovered model remains the same, i.e., in the range of ∼40%.

V. CONCLUSION

In this work, we propose a design-for-trust technique to protect the IP of neural networks (NNs) against model stealing or replication attacks that reverse-engineer the weights of the NN model. In the proposed solution, an FeFET-based reconfigurable PUF is integrated with an in-memory FeFET XNOR array to corrupt the weights of the NN when an attack is detected. The corrupted weights result in accuracy degradation, and thus the attacker fails to obtain a sufficient number of input-output pairs for model stealing attacks. We perform experiments on GNNs for the application of graph classification on different bioinformatics datasets. We are able to successfully corrupt the weights of the GNN model and degrade the accuracy of graph classification. Further, we showcase an extensive analysis of the effect of layer-by-layer corruption of the GNN weights on its output accuracy. We also discuss various physical attack scenarios against the proposed defense scheme and explain how they are circumvented.

VI. ACKNOWLEDGEMENT

This work is supported partly by the Center for Cyber Security (CCS) at New York University Abu Dhabi (NYUAD). Furthermore, the authors would like to thank Kai Ni from the Rochester Institute of Technology and Simon Thomann from the University of Stuttgart for their valuable help in FE modeling.

REFERENCES

[1] K. He et al. Deep residual learning for image recognition. In CVPR, pp. 770–778, 2016.
[2] Y. Goldberg. A primer on neural network models for natural language processing. Journal of Artificial Intelligence Research, 57:345–420, 2016.
[3] X. Zhang et al. A survey on privacy inference attacks and defenses in cloud-based deep neural network. Computer Standards & Interfaces, pp. 103672, 2022.
[4] M. Xue et al. DNN intellectual property protection: Taxonomy, attacks and evaluations. In GLSVLSI, pp. 455–460, 2021.
[5] F. Scarselli et al. The graph neural network model. IEEE Transactions on Neural Networks, pp. 61–80, 2008.
[6] J. Zhou et al. Graph neural networks: A review of methods and applications. AI Open, 1:57–81, 2020.
[7] S. J. Oh et al. Towards reverse-engineering black-box neural networks. In ICLR, 2018.
[8] M. Juuti et al. PRADA: Protecting against DNN model stealing attacks. In EuroS&P, pp. 512–527, 2019.
[9] N. Papernot et al. Practical black-box attacks against machine learning. In AsiaCCS, pp. 506–519, 2017.
[10] B. Wu et al. Adapting membership inference attacks to GNN for graph classification: Approaches and implications. In IEEE International Conference on Data Mining, pp. 1421–1426, 2021.
[11] X. He et al. Node-level membership inference attacks against graph neural networks, 2021.
[12] X. He et al. Stealing links from graph neural networks. In USENIX Security Symposium, pp. 2669–2686, 2021.
[13] Z. Zhang et al. Inference attacks against graph neural networks. In USENIX Security Symposium, pp. 4543–4560, 2022.
[14] X. Wang and W. H. Wang. Group property inference attacks against graph neural networks, 2022.
[15] D. DeFazio and A. Ramesh. Adversarial model extraction on graph neural networks, 2019.
[16] B. Wu et al. Model extraction attacks on graph neural networks: Taxonomy and realisation. In AsiaCCS, pp. 337–350, 2022.
[17] Y. Shen et al. Model stealing attacks against inductive graph neural networks. In IEEE Symposium on Security and Privacy (SP), pp. 1175–1192, 2022.
[18] M. Zhang et al. An end-to-end deep learning architecture for graph classification. In AAAI, 2018.
[19] C. Yang et al. Thwarting replication attack against memristor-based neuromorphic computing system. IEEE TCAD, pp. 2192–2205, 2020.
[20] D. Rajasekharan et al. SCANet: Securing the weights with superparamagnetic-MTJ crossbar array networks. IEEE Trans. Neural Netw. Learn. Syst., 2021.
[21] K. Ni et al. On the channel percolation in ferroelectric FET towards proper analog states engineering. In IEDM, pp. 15.3.1–15.3.4, 2021.
[22] M. Yayla et al. Reliable binarized neural networks on unreliable beyond von-Neumann architecture. IEEE TCAS I, 2022.
[23] H. Mulaosmanovic et al. Ferroelectric field-effect transistors based on HfO2: a review. Nanotechnology, 32(50):502002, Sep. 2021.
[24] Q. Liu et al. High performance UTBB FDSOI devices featuring 20nm gate length for 14nm node and beyond. In IEDM, pp. 9.2.1–9.2.4, 2013.
[25] S. Chatterjee et al. Comprehensive variability analysis in dual-port FeFET for reliable multi-level-cell storage. IEEE Transactions on Electron Devices, pp. 1–8, 2022.
[26] X. Guo et al. Exploiting FeFET switching stochasticity for low-power reconfigurable physical unclonable function. In ESSCIRC, pp. 119–122, 2021.
[27] H. Mulaosmanovic et al. Random number generation based on ferroelectric switching. IEEE Electron Device Letters, 39(1):135–138, 2018.
[28] K. Ni et al. Ferroelectric ternary content-addressable memory for one-shot learning. Nature Electronics, 2(11):521–529, 2019.
[29] M. Yasin et al. Provably-secure logic locking: From theory to practice. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS '17, pp. 1601–1618, New York, NY, USA, 2017. Association for Computing Machinery.
[30] M. Zhang et al. Deep graph convolutional neural network (DGCNN), 2018.
[31] P. Tuyls et al. Read-proof hardware from protective coatings. In International Workshop on Cryptographic Hardware and Embedded Systems, pp. 369–383. Springer, 2006.
[32] J.-M. Cioranesco et al. Cryptographically secure shields. In IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 25–31. IEEE, 2014.
[33] J. A. Halderman et al. Lest we remember: cold-boot attacks on encryption keys. Communications of the ACM, 52(5):91–98, 2009.
