🤖 AI Summary
Dataflow AI accelerators, such as FPGA designs generated by FINN, are convenient to deploy, and that convenience exposes them to side-channel reverse engineering, posing significant IP leakage risks.
Method: We propose the first lightweight hardware parameter extraction framework tailored for full-load dataflow accelerators. Departing from computationally intensive tsfresh-based feature engineering, our approach innovatively combines unsupervised dimensionality reduction (e.g., UMAP) with random forest classification and multi-trace averaging to enable end-to-end joint recovery of folding and quantization parameters.
Results: Our method achieves >95% accuracy using only a single power trace; parameter identification takes just 337 ms, and full parameter recovery completes in 421 ms. Compared to state-of-the-art methods, it accelerates the preparation phase by 940× and the attack phase by 110×. To our knowledge, this is the first work to achieve high-accuracy, low-overhead, and robust IP parameter reverse engineering in realistic dataflow scenarios.
📝 Abstract
Dataflow neural network accelerators efficiently process AI tasks on FPGAs, with deployment simplified by ready-to-use frameworks and pre-trained models. However, this convenience makes them vulnerable to malicious actors seeking to reverse engineer valuable Intellectual Property (IP) through Side-Channel Attacks (SCA). This paper proposes a methodology to recover the hardware configuration of dataflow accelerators generated with the FINN framework. Through unsupervised dimensionality reduction, we reduce the computational overhead compared to the state-of-the-art, enabling lightweight classifiers to recover both folding and quantization parameters. We demonstrate an attack phase requiring only 337 ms to recover the hardware parameters with an accuracy of more than 95% and 421 ms to fully recover these parameters when averaging 4 traces for a FINN-based accelerator running a CNN, both using a random forest classifier on side-channel traces, even with the accelerator dataflow fully loaded. This approach offers a more realistic attack scenario than existing methods, and compared to SoA attacks based on tsfresh, our method requires 940x and 110x less time for the preparation and attack phases, respectively, and gives better results even without averaging traces.