Paper 2026/1433
Shuffled-ArgMax: Securing ArgMax Decisions Against Side-Channel-Guided Fault Injection in Edge-AI IoT Devices
Abstract
Edge-AI Internet-of-Things (IoT) devices increasingly perform local neural-network inference in physically accessible environments. While prior physical attacks on neural networks mainly focus on model extraction, parameter recovery, or intermediate computation, the final decision stage remains insufficiently studied. This paper investigates the physical security of ArgMax-based decision logic, which converts output scores into the final class label in many edge-AI deployments. We show that a sequential ArgMax implementation can expose deterministic power-trace patterns associated with loop iterations and conditional maximum updates. These patterns can be used to recover decision-related timing information and guide voltage fault injection, enabling targeted redirection of the final inference result. We implement the attack on a real MCU-based edge-AI platform using an STM32F407VG device running an X-CUBE-AI-deployed convolutional neural network. Under dual-point voltage fault injection, the unprotected ArgMax achieves targeted redirection to all non-original classes in the MNIST case study. To mitigate this threat, we propose Shuffled-ArgMax, a lightweight software-level defense that combines randomized traversal, loop-integrity checking, and redundant decision verification. Experimental results show that, under the same attack setting, Shuffled-ArgMax reduces the targeted redirection success rate from 56.92% to 0%, demonstrating strong resilience against targeted misclassification attacks. Meanwhile, it introduces only a small end-to-end runtime overhead relative to the complete DNN inference.
Note: Initial version.
Metadata
- Available format(s)
-
PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- ArgMaxside-channel analysisvoltage fault injectiontargeted misclassificationlightweight countermeasure
- Contact author(s)
-
wul22 @ mails tsinghua edu cn
lijiwu @ mail tsinghua edu cn
panyuyang @ bctest com
zhxm @ mail tsinghua edu cn
wujian @ ahcx cloud - History
- 2026-07-16: approved
- 2026-07-13: received
- See all versions
- Short URL
- https://ia.cr/2026/1433
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2026/1433,
author = {Le Wu and Liji Wu and Yuyang Pan and Xiangmin Zhang and Jian Wu},
title = {Shuffled-{ArgMax}: Securing {ArgMax} Decisions Against Side-Channel-Guided Fault Injection in Edge-{AI} {IoT} Devices},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/1433},
year = {2026},
url = {https://eprint.iacr.org/2026/1433}
}