🤖 AI Summary
This work exposes a critical security vulnerability in PUF-protected binary neural networks (BNNs): adversaries can recover the PUF key and sensitive BNN parameters (e.g., weights and biases) by observing fine-grained changes in model accuracy. We innovatively adapt differential cryptanalysis to hardware–model co-security, proposing the first bit-wise PUF key reconstruction method based on accuracy differentials. Our attack is efficiently implemented on memristor crossbar arrays, enabling rapid parameter recovery. Experiments on MNIST demonstrate recovery of 85% of the PUF key bits and reconstruction of a surrogate BNN achieving 93% classification accuracy—comparable to the original model’s 96%—within minutes. This work not only reveals fundamental physical-layer weaknesses in existing PUF-BNN deployments but also establishes a novel side-channel attack paradigm tailored to hardware-accelerated neural network inference.
📝 Abstract
Binarized Neural Networks (BNNs) deployed on memristive crossbar arrays provide energy-efficient solutions for edge computing but are susceptible to physical attacks due to memristor nonvolatility. Recently, Rajendran et al. (IEEE Embedded Systems Letters 2025) proposed a Physical Unclonable Function (PUF)-based scheme to secure BNNs against theft attacks. Specifically, the weight and bias matrices of the BNN layers were secured by swapping columns based on the device's PUF key bits.
In this paper, we demonstrate that this scheme to secure BNNs is vulnerable to a PUF-key recovery attack. As a consequence of our attack, we recover the secret weight and bias matrices of the BNN. Our approach is motivated by differential cryptanalysis: it reconstructs the PUF key bit by bit by observing the change in model accuracy, and eventually recovers the BNN model parameters. Evaluated on a BNN trained on the MNIST dataset, our attack could recover 85% of the PUF key, and recover the BNN model up to 93% classification accuracy compared to the original model's 96% accuracy. Our attack is very efficient: it takes a couple of minutes to recover the PUF key and the model parameters.