Artificial intelligence models that can protect their inner workings from theft while maintaining nearly perfect performance have been developed by researchers in Singapore. This breakthrough addresses a critical vulnerability in AI deployment—the risk of intellectual property theft—without sacrificing the efficiency that makes these models valuable for real-world applications.
The key finding demonstrates that binarized neural networks (BNNs), a type of AI model designed for energy efficiency, can be transformed using secret keys derived from physical unclonable functions. When attackers attempt to steal these protected models without the correct keys, the model's accuracy drops dramatically—falling to as low as 15% compared to the original 96.74% performance. This renders stolen models essentially useless while legitimate users experience minimal performance impact.
The methodology relies on a transformation of the AI model's parameters before they are stored in specialized computing hardware known as in-memory computing architectures. Researchers developed three protection techniques: weight swapping, weight inversion, and combinations of both applied across the rows and columns of the neural network's weight arrays. The transformation uses secret keys that are never stored permanently in the hardware, leaving no persistent copy for an extraction attack to recover. During legitimate use, the system applies the reverse transformations using the secret keys to restore the original model functionality.
Results from testing on the MNIST handwritten digit recognition dataset show the effectiveness of this approach. Without protection, the baseline model achieved 96.74% accuracy. When protected using row swapping and inversion techniques with secret keys of length 392, accuracy dropped to just 9.42% for unauthorized users. Similar protection applied to columns reduced accuracy to 8.97-10.22%, while combined row and column protection preserved this level of protection with minimal computational overhead. The additional hardware required for the protection scheme—consisting mainly of multiplexers and XOR gates—added less than 1% to total power consumption.
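As an added illustration of the transformation described above (example code written for this article, not the researchers' implementation): a toy model of key-dependent row and column swapping and inversion on a matrix of ±1 weights. The function names, the use of SHAKE-256 to expand a stand-in secret into key bits (the article does not say how the keys are derived), and the sample weights and inputs are all constructed assumptions; the stand-in secret takes the place of a PUF response.

```python
"""Key-dependent weight swapping and inversion on a binarized weight matrix.
Example code written for this article, not the researchers' implementation.
The secret standing in for a PUF response is a constructed test value, and
SHAKE-256 key expansion is an assumption made here."""
import hashlib
import random


def derive_key_bits(secret: bytes, n: int) -> list:
    """Expand a secret (in the scheme, a PUF response) into n key bits.
    Assumption: SHAKE-256 as the expander."""
    digest = hashlib.shake_256(secret).digest((n + 7) // 8)
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(n)]


def scramble(seq, swap_bits, inv_bits, negate):
    """Protect one dimension: negate element i when inv_bits[i] is set, then
    swap the pair (2k, 2k+1) when swap_bits[k] is set. For ±1 weights the
    negation is one XOR per cell and the swap a multiplexer."""
    out = [negate(item) if inv_bits[i] else item for i, item in enumerate(seq)]
    for k, s in enumerate(swap_bits):
        if s:
            out[2 * k], out[2 * k + 1] = out[2 * k + 1], out[2 * k]
    return out


def unscramble(seq, swap_bits, inv_bits, negate):
    """Exact inverse of scramble: undo the swaps, then undo the negations."""
    out = list(seq)
    for k, s in enumerate(swap_bits):
        if s:
            out[2 * k], out[2 * k + 1] = out[2 * k + 1], out[2 * k]
    return [negate(item) if inv_bits[i] else item for i, item in enumerate(out)]


def transpose(m):
    return [list(col) for col in zip(*m)]


def negate_row(row):
    return [-w for w in row]


def derive_keys(secret, rows, cols):
    """Split one expanded key into the four sub-keys used below."""
    lengths = [rows // 2, rows, cols // 2, cols]
    bits = derive_key_bits(secret, sum(lengths))
    keys, pos = {}, 0
    for name, n in zip(("row_swap", "row_inv", "col_swap", "col_inv"), lengths):
        keys[name] = bits[pos:pos + n]
        pos += n
    return keys


def protect_weights(W, keys):
    """Transform the weights before they are written to the memory array.
    Row operations permute/negate output neurons; column operations (applied
    via the transpose) permute/negate input features."""
    rows_done = scramble(W, keys["row_swap"], keys["row_inv"], negate_row)
    cols_done = scramble(transpose(rows_done), keys["col_swap"], keys["col_inv"], negate_row)
    return transpose(cols_done)


def matvec(W, x):
    """The in-memory multiply-accumulate: one dot product per output row."""
    return [sum(w * v for w, v in zip(row, x)) for row in W]


def authorized_inference(W_protected, x, keys):
    """Legitimate use: pre-transform inputs with the column key, run the
    protected array, then post-transform outputs with the row key."""
    x_scrambled = scramble(x, keys["col_swap"], keys["col_inv"], lambda v: -v)
    y_scrambled = matvec(W_protected, x_scrambled)
    return unscramble(y_scrambled, keys["row_swap"], keys["row_inv"], lambda v: -v)


def keyless_inference(W_protected, x):
    """What a copy of the array yields without the key."""
    return matvec(W_protected, x)


def sample_model(rows=4, cols=7, seed=1):
    """Constructed ±1 weights standing in for a trained BNN layer. An odd
    column count keeps every dot product odd, hence non-zero."""
    rng = random.Random(seed)
    return [[rng.choice((-1, 1)) for _ in range(cols)] for _ in range(rows)]


def sample_inputs(cols=7, count=50, seed=2):
    """Constructed ±1 input vectors."""
    rng = random.Random(seed)
    return [[rng.choice((-1, 1)) for _ in range(cols)] for _ in range(count)]


def output_mismatch_rate(W, W_protected, inputs):
    """Fraction of inputs on which the keyless array disagrees with the original model."""
    bad = sum(1 for x in inputs if matvec(W, x) != keyless_inference(W_protected, x))
    return bad / len(inputs)


if __name__ == "__main__":
    W = sample_model()
    keys = derive_keys(b"constructed-puf-response", len(W), len(W[0]))
    Wp = protect_weights(W, keys)
    xs = sample_inputs()
    assert all(authorized_inference(Wp, x, keys) == matvec(W, x) for x in xs)
    print("keyless array disagrees with the original on", output_mismatch_rate(W, Wp, xs), "of inputs")
```

The row and column operations act on different sides of the multiply-accumulate, so the authorized path never rebuilds the plaintext weights: inputs are fixed up before the array and outputs after it, which is where the multiplexers and XOR gates mentioned above would sit in hardware.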
This development matters because AI models represent significant intellectual property investments for companies, often requiring substantial computational resources to train. Current protection methods typically involve storing models in encrypted form and decrypting them during use, which introduces performance overhead that undermines the efficiency benefits of specialized AI hardware. The new approach allows AI models to operate in encrypted form throughout their entire lifecycle while maintaining near-original performance for authorized users.
The research acknowledges limitations, including the need to explore whether similar protection techniques can work for more complex neural networks beyond binarized models. Future work will investigate whether encrypted inference can be extended to training processes and how the approach compares to fully homomorphic encryption in terms of privacy protection and computational cost. The current implementation focuses specifically on resistive RAM-based in-memory computing architectures, though the theoretical framework could potentially apply to other emerging memory technologies.
About the Author
Guilherme A.
Former dentist (MD) from Brazil, 41 years old, husband, and AI enthusiast. In 2020, he transitioned from a decade-long career in dentistry to pursue his passion for technology, entrepreneurship, and helping others grow.