부산대학교 도서관

The embedding of a DNN model on the FPGA provides users with significant computing acceleration. However, the intellectual property (IP) of these models is at risk of being stolen since they become publicly accessible once the FPGA is delivered. Traditional cryptographic methods are unsuitable for protecting DNN models due to computational cost, additional hardware cost, or the risk of secret key and parameter leakage. In this brief, we propose an intellectual property protection scheme for DNN models based on Physical Unclonable Function (PUF), which permits only authorized FPGA boards to recover the original model and produce accurate results. We developed a prototype to protect the LeNet model using Arbiter PUF (APUF). Compared with the original model, the accuracy of the obfuscated model remains unchanged, and the additional latency accounts for 1.6% of the inference latency. For the 3rd, and 5th convolutional layers in AlexNet, the LUTs required to be obfuscated account for 0.33%, and 0.34% of the original convolutional layers, respectively. The experimental results demonstrate that the proposed scheme effectively protects DNN models. Even if an adversary can guess 106 bits of the 128-bit PUF response, the recovered DNN models, including AlexNet, DenseNet, and ResNet, fail to operate correctly. Our project is open-sourced on https://github.com/renaturation/DNN_PUF_FPGA.