Paper 2026/1433

Shuffled-ArgMax: Securing ArgMax Decisions Against Side-Channel-Guided Fault Injection in Edge-AI IoT Devices

Le Wu, School of Integrated Circuits, Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing, China
Liji Wu, School of Integrated Circuits, Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing, China
Yuyang Pan, Beijing UnionPay Card Technology Co., Ltd, Beijing, China
Xiangmin Zhang, School of Integrated Circuits, Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing, China
Jian Wu, Beijing Pairui Micro Technology Co., Ltd, Beijing, China
Abstract

Edge-AI Internet-of-Things (IoT) devices increasingly perform local neural-network inference in physically accessible environments. While prior physical attacks on neural networks mainly focus on model extraction, parameter recovery, or intermediate computation, the final decision stage remains insufficiently studied. This paper investigates the physical security of ArgMax-based decision logic, which converts output scores into the final class label in many edge-AI deployments. We show that a sequential ArgMax implementation can expose deterministic power-trace patterns associated with loop iterations and conditional maximum updates. These patterns can be used to recover decision-related timing information and guide voltage fault injection, enabling targeted redirection of the final inference result. We implement the attack on a real MCU-based edge-AI platform using an STM32F407VG device running an X-CUBE-AI-deployed convolutional neural network. Under dual-point voltage fault injection, the unprotected ArgMax achieves targeted redirection to all non-original classes in the MNIST case study. To mitigate this threat, we propose Shuffled-ArgMax, a lightweight software-level defense that combines randomized traversal, loop-integrity checking, and redundant decision verification. Experimental results show that, under the same attack setting, Shuffled-ArgMax reduces the targeted redirection success rate from 56.92% to 0%, demonstrating strong resilience against targeted misclassification attacks. Meanwhile, it introduces only a small end-to-end runtime overhead relative to the complete DNN inference.

Note: Initial version.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
ArgMaxside-channel analysisvoltage fault injectiontargeted misclassificationlightweight countermeasure
Contact author(s)
wul22 @ mails tsinghua edu cn
lijiwu @ mail tsinghua edu cn
panyuyang @ bctest com
zhxm @ mail tsinghua edu cn
wujian @ ahcx cloud
History
2026-07-16: approved
2026-07-13: received
See all versions
Short URL
https://ia.cr/2026/1433
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2026/1433,
      author = {Le Wu and Liji Wu and Yuyang Pan and Xiangmin Zhang and Jian Wu},
      title = {Shuffled-{ArgMax}: Securing {ArgMax} Decisions Against Side-Channel-Guided Fault Injection in Edge-{AI} {IoT} Devices},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/1433},
      year = {2026},
      url = {https://eprint.iacr.org/2026/1433}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.