The reviewed record of science sign in
Pith

arxiv: 2606.04317 · v1 · pith:FRZMVQK4 · submitted 2026-06-03 · cs.CR · cs.LG· cs.SE

Toward a Generalized Defense Across Sparse, Continuous, and Structured Parameter Attacks

Reviewed by Pith2026-06-28 06:26 UTCgrok-4.3pith:FRZMVQK4open to challenge →

classification cs.CR cs.LGcs.SE
keywords parameter attacksDNN defensemodel integrityreparameterizationquantizationerror correctionrobust inferenceadversarial robustness
0
0 comments X

The pith

ParDef defends deep neural networks from unpredictable parameter attacks by combining reparameterization, quantization, and robust inference.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper seeks to establish a single defense that works against many kinds of parameter tampering even when the attacker chooses sparse, continuous, or structured changes and the defender does not know the form in advance. Current methods either demand retraining after each new attack type or suffer large accuracy drops, which is impractical for models shipped through cloud pipelines and edge devices. ParDef therefore obscures parameter directions with keyed channel reparameterization, adds error-correcting redundancy via QC-LDPC quantization, and stabilizes outputs with adaptive robust inference. Experiments on CIFAR-10, CIFAR-100, and Tiny-ImageNet with ResNet and VGG models show lower attack success rates while clean accuracy stays high and added cost stays moderate. The claim matters because models now run in partially untrusted environments where parameters can be altered after deployment and persist across all later uses.

Core claim

ParDef integrates keyed channel reparameterization to obscure sensitive parameter directions, QC-LDPC quantization to embed redundancy that supports error correction, and adaptive robust inference to stabilize predictions under uncertainty, thereby reducing the success rate of diverse parameter attacks on deep neural networks without requiring retraining or causing significant accuracy loss.

What carries the argument

ParDef, the combination of keyed channel reparameterization, QC-LDPC quantization, and adaptive robust inference that together protect model parameters against tampering.

If this is right

  • Models can be distributed through untrusted channels such as cloud storage or edge platforms and still resist parameter changes that persist across inferences.
  • Attack success rates drop across sparse, continuous, and structured parameter attacks on standard image-classification benchmarks without accuracy loss.
  • Deployment requires only moderate extra computation and no per-attack retraining when new attack variants appear.
  • The same protected model can be used in multiple environments where the defender cannot predict the exact tampering method an adversary will choose.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same three mechanisms might be applied to other model families such as transformers if the reparameterization and quantization steps can be adapted to attention weights.
  • Organizations that must update models frequently could reduce retraining costs by relying on the built-in redundancy instead of full retraining after each security incident.
  • If the keyed reparameterization proves invertible only with the secret key, it could also serve as a lightweight form of model watermarking or access control.

Load-bearing premise

The specific mix of reparameterization to hide directions, quantization with built-in error correction, and adaptive inference during use can counter a wide and changing set of parameter attacks without needing retraining or large accuracy penalties.

What would settle it

Finding one previously untested parameter attack (for example a new structured perturbation) that drives attack success above 80 percent on a ParDef-protected ResNet while clean accuracy on CIFAR-10 stays above 90 percent would show the defense does not generalize as claimed.

Figures

Figures reproduced from arXiv: 2606.04317 by Bin Duan, Guowei Yang, Zeyu Bai.

Figure 1
Figure 1. Figure 1: Overview of PARDEF. of parameter changes can cause catastrophic model failures, making parameter attacks a realistic and severe threat. Attack surface focus. We focus on at-rest (pre-load) param￾eter tampering, where an adversary modifies the serialized model checkpoint before the model is loaded for inference. We consider post-load in-memory parameter tampering (after model initialization) as out of scope… view at source ↗
Figure 2
Figure 2. Figure 2: Comparison of ASR (%) across Three Attacks. [PITH_FULL_IMAGE:figures/full_fig_p008_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Layer-wise Sensitivity Analysis. and continuous attacks. This aligns with KCR’s role: keyed channel permutations disrupt consistent channel or group alignments and diffuse localized errors, so taking it away restores exploitable structure. Removing QC-LDPC primarily harms robustness to sparse attacks while only moderately af￾fecting P3A and APA. In our pipeline, the coded-quantization stage also underpins … view at source ↗
Figure 4
Figure 4. Figure 4: Impact of Hyperparameters. VII. DISCUSSION A. Parameter-Space Sensitivity Analysis [PITH_FULL_IMAGE:figures/full_fig_p011_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Slow Path Rate. TABLE VII: Error-Correction Results. Dataset Model Corrected Detected Silent CIFAR-10 ResNet32 68.1% 31.5% 0.4% VGG16 70.4% 29.1% 0.5% CIFAR-100 ResNet32 66.7% 32.9% 0.4% VGG16 69.8% 29.8% 0.4% Tiny-ImageNet ResNet32 63.9% 35.6% 0.5% VGG16 65.1% 34.3% 0.6% minimal for benign inputs while increasing significantly under parameter attacks. As shown, the trigger rate on clean inputs remains con… view at source ↗
read the original abstract

Deep neural networks are increasingly deployed across heterogeneous and partially untrusted environments, where models are distributed through cloud storage, CI/CD pipelines, containerized services, and edge execution platforms. This broad deployment landscape exposes model parameters to various integrity risks. Unlike input-space adversarial attacks, parameter attacks directly tamper with the model's internal parameters and persist across all subsequent inferences. Existing defenses either require retraining, incur significant accuracy degradation, or are limited to specific attack classes. However, in real-world deployment scenarios, the forms of parameter attacks are often unpredictable. To address this challenge, we present ParDef, a generalized defense for deep neural networks against diverse types of parameter attacks. ParDef integrates keyed channel reparameterization, which obscures sensitive parameter directions, QC-LDPC quantization, which embeds redundancy and supports error correction, and adaptive robust inference, which stabilizes predictions under uncertainty. Our evaluation on CIFAR-10, CIFAR-100, and Tiny-ImageNet using ResNet and VGG models demonstrates that ParDef consistently reduces attack success rates across different parameter attacks while maintaining high model performance and incurring only moderate deployment overhead. These results highlight that ParDef is a practical and generalized defense for DNN deployments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes ParDef, a generalized defense against sparse, continuous, and structured parameter attacks on DNNs in untrusted deployment settings. It integrates three components—keyed channel reparameterization to obscure sensitive directions, QC-LDPC quantization to embed redundancy and enable error correction, and adaptive robust inference to stabilize outputs—claiming these jointly reduce attack success rates on CIFAR-10, CIFAR-100, and Tiny-ImageNet using ResNet and VGG models without retraining, while preserving accuracy and incurring only moderate overhead.

Significance. A validated generalized defense of this form would address an important gap, as existing parameter-attack mitigations are typically attack-class-specific or require retraining. The combination of reparameterization, quantization-based correction, and adaptive inference is a plausible direction if the components can be shown to interact as claimed across attack types.

major comments (2)
  1. [Abstract] Abstract: the evaluation results on CIFAR-10, CIFAR-100, and Tiny-ImageNet are asserted but no quantitative metrics (e.g., attack success rates, accuracy deltas, overhead numbers), attack implementations, baselines, or error analysis are supplied, preventing assessment of whether the data support the central claim that ParDef consistently reduces success rates across attack classes.
  2. [Methods (QC-LDPC quantization)] QC-LDPC quantization component: the description treats tampering as discrete symbol errors amenable to LDPC correction, yet provides no explicit mapping or analysis showing how small continuous floating-point perturbations are quantized into correctable discrete errors; this mapping is load-bearing for the generalization claim across sparse/continuous/structured attacks.
minor comments (2)
  1. Several novel terms (ParDef, keyed channel reparameterization, adaptive robust inference) are introduced without initial formal definitions or pointers to the sections where they are specified.
  2. [Abstract] The abstract states 'moderate deployment overhead' without indicating whether this is measured in latency, memory, or another metric, or providing the corresponding numbers.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback highlighting areas where the manuscript can be strengthened. We address each major comment below and will revise the manuscript to incorporate the suggested improvements.

read point-by-point responses
  1. Referee: [Abstract] Abstract: the evaluation results on CIFAR-10, CIFAR-100, and Tiny-ImageNet are asserted but no quantitative metrics (e.g., attack success rates, accuracy deltas, overhead numbers), attack implementations, baselines, or error analysis are supplied, preventing assessment of whether the data support the central claim that ParDef consistently reduces success rates across attack classes.

    Authors: We agree that the abstract would benefit from explicit quantitative support. In the revised version we will expand the abstract to include representative metrics from the evaluations, such as attack success rate reductions across the three attack classes on CIFAR-10/100 and Tiny-ImageNet, accuracy retention relative to the undefended baselines, and deployment overhead figures, while briefly noting the attack implementations and comparison baselines used. revision: yes

  2. Referee: [Methods (QC-LDPC quantization)] QC-LDPC quantization component: the description treats tampering as discrete symbol errors amenable to LDPC correction, yet provides no explicit mapping or analysis showing how small continuous floating-point perturbations are quantized into correctable discrete errors; this mapping is load-bearing for the generalization claim across sparse/continuous/structured attacks.

    Authors: We acknowledge the need for an explicit mapping to support the generalization claim. We will add a new paragraph or subsection in the QC-LDPC quantization description that details the quantization procedure, the discretization of floating-point parameter values into symbols, the assumed error model for continuous perturbations, and supporting analysis showing that the perturbation magnitudes produced by the evaluated sparse, continuous, and structured attacks remain within the correction capability of the chosen QC-LDPC code. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical integration of components with no derivation chain

full rationale

The paper introduces ParDef as a composite defense combining keyed channel reparameterization, QC-LDPC quantization, and adaptive robust inference, supported solely by empirical results on CIFAR-10/100 and Tiny-ImageNet with ResNet/VGG models. No equations, parameter fittings, uniqueness theorems, or self-citations appear in the provided text that would reduce any claim to its own inputs by construction. The central claim of generalization across attack types rests on experimental attack-success-rate reductions rather than any self-referential derivation, making the work self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 4 invented entities

Only the abstract is available; no information on free parameters, background axioms, or independent evidence for the proposed techniques is present.

invented entities (4)
  • ParDef no independent evidence
    purpose: generalized defense against diverse parameter attacks
    The overall framework is introduced as the solution.
  • keyed channel reparameterization no independent evidence
    purpose: obscures sensitive parameter directions
    One of the three core techniques proposed.
  • QC-LDPC quantization no independent evidence
    purpose: embeds redundancy and supports error correction
    One of the three core techniques proposed.
  • adaptive robust inference no independent evidence
    purpose: stabilizes predictions under uncertainty
    One of the three core techniques proposed.

pith-pipeline@v0.9.1-grok · 5744 in / 1392 out tokens · 36681 ms · 2026-06-28T06:26:48.000738+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

51 extracted references · 4 canonical work pages

  1. [1]

    Imagenet classification with deep convolutional neural networks,

    A. Krizhevsky, I. Sutskever, and G. E. Hinton, “Imagenet classification with deep convolutional neural networks,” inAdvances in Neural Infor- mation Processing Systems, 2012

  2. [2]

    Learning deep structured semantic models for web search using clickthrough data,

    P.-S. Huang, X. He, J. Gao, L. Deng, A. Acero, and L. Heck, “Learning deep structured semantic models for web search using clickthrough data,” inProceedings of the 22nd ACM International Conference on Information and Knowledge Management (CIKM), 2013

  3. [3]

    Wide & deep learning for recommender systems,

    H.-T. Cheng, L. Koc, J. Harmsen, T. Shaked, and T. Chandra, “Wide & deep learning for recommender systems,” inProceedings of the 1st Workshop on Deep Learning for Recommender Systems, 2016

  4. [4]

    Deep neural networks for youtube recommendations,

    P. Covington, J. Adams, and E. Sargin, “Deep neural networks for youtube recommendations,” inProceedings of the 10th ACM Conference on Recommender Systems (RecSys), 2016

  5. [5]

    Clipper: A low- latency online prediction serving system,

    D. Crankshaw, X. Wang, G. Zhou, M. J. Franklinet al., “Clipper: A low- latency online prediction serving system,” in13th USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2017

  6. [6]

    Model inversion attacks via prediction error reduction,

    D. Yu, H. Zhao, H. Zhang, Z. Chen, and X. Zhang, “Model inversion attacks via prediction error reduction,” in31st USENIX Security Sym- posium (USENIX Security), 2022

  7. [7]

    Trusted deep neural execution—a survey,

    M. F. Babar and M. Hasan, “Trusted deep neural execution—a survey,” IEEE access, vol. 11, pp. 45 736–45 748, 2023

  8. [8]

    Supply-chain attacks in machine learning pipelines: A survey of threats and mitigations,

    M. Asmus, T. Chen, and N. Papernot, “Supply-chain attacks in machine learning pipelines: A survey of threats and mitigations,” in2023 IEEE Symposium on Security and Privacy Workshops, 2023

  9. [9]

    Weight poisoning attacks on pre- trained models,

    K. Kurita, P. Michel, and G. Neubig, “Weight poisoning attacks on pre- trained models,” inAdvances in Neural Information Processing Systems, 2020

  10. [10]

    Navigating the risks: A survey of security, privacy, and ethics threats in llm-based agents

    Y . Gan, Y . Yang, Z. Ma, P. He, R. Zeng, Y . Wang, Q. Li, C. Zhou, S. Li, T. Wanget al., “Navigating the risks: A survey of security, privacy, and ethics threats in llm-based agents,”arXiv preprint arXiv:2411.09523, 2024

  11. [11]

    Pickle’s hidden perils: A systematic study of insecure model serialization,

    Y . Wen, Y . Wang, and D. Gruss, “Pickle’s hidden perils: A systematic study of insecure model serialization,” in2024 IEEE Symposium on Security and Privacy, 2024

  12. [12]

    Morello: Security analysis of ml model registries and pipelines,

    A. Wasayet al., “Morello: Security analysis of ml model registries and pipelines,” in2022 ACM Conference on Computer and Communications Security (CCS), 2022

  13. [13]

    Ibd-psc: Input-level backdoor detection via parameter-oriented scaling consis- tency,

    L. Hou, R. Feng, Z. Hua, W. Luo, L. Y . Zhang, and Y . Li, “Ibd-psc: Input-level backdoor detection via parameter-oriented scaling consis- tency,”arXiv preprint arXiv:2405.09786, 2024

  14. [14]

    Bit-flip attack: Crushing neural network with progressive bit search,

    A. S. Rakin, Z. He, and D. Fan, “Bit-flip attack: Crushing neural network with progressive bit search,” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2019, pp. 1211–1220

  15. [15]

    Fault sneaking attack: A stealthy framework for misleading deep neural networks,

    X. Liu, Y . Li, D. Gu, and X. Liu, “Fault sneaking attack: A stealthy framework for misleading deep neural networks,” inDesign, Automation & Test in Europe Conference & Exhibition (DATE), 2019, pp. 1595– 1600

  16. [16]

    Verification of bit-flip attacks against quantized neural networks,

    Y . Zhang, L. Huang, P. Gao, F. Song, J. Sun, and J. S. Dong, “Verification of bit-flip attacks against quantized neural networks,”Proceedings of the ACM on Programming Languages, vol. 9, no. OOPSLA1, pp. 984–1014, 2025

  17. [17]

    Deep- hammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips,

    Y . Yao, Z. Zhao, J. Wang, W. Guo, Z. Liu, and Y . J. Zhang, “Deep- hammer: Depleting the intelligence of deep neural networks through targeted chain of bit flips,” in29th USENIX Security Symposium, 2020, pp. 1463–1480

  18. [18]

    Flip it once: Bfa attacks with single weight perturbation,

    Y . Zhao, A. S. Rakin, and D. Fan, “Flip it once: Bfa attacks with single weight perturbation,” inProceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), 2021, pp. 4586–4595

  19. [19]

    3sat: A simple self-supervised adversarial training framework,

    J. Fang, H. He, J. Sun, J. Fu, Z. Guo, Y . Liu, and W. Ma, “3sat: A simple self-supervised adversarial training framework,” inProceedings of the AAAI Conference on Artificial Intelligence, vol. 39, no. 16, 2025, pp. 16 523–16 531

  20. [20]

    Towards security threats of deep learning systems: A survey,

    Y . He, G. Meng, K. Chen, X. Hu, and J. He, “Towards security threats of deep learning systems: A survey,”IEEE Transactions on Software Engineering, vol. 48, no. 5, pp. 1743–1770, 2020

  21. [21]

    Rise of inspectron: Automated black-box auditing of cross-platform electron apps,

    M. M. Ali, M. Ghasemisharif, C. Kanich, and J. Polakis, “Rise of inspectron: Automated black-box auditing of cross-platform electron apps,” in33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 775–792

  22. [22]

    Defending against web application attacks: Approaches, challenges and implications,

    D. Mitropoulos, P. Louridas, M. Polychronakis, and A. D. Keromytis, “Defending against web application attacks: Approaches, challenges and implications,”IEEE Transactions on Dependable and Secure Computing, vol. 16, no. 2, pp. 188–203, 2017

  23. [23]

    Bit-flip attack: Crushing neural network with progressive bit search,

    A. S. Rakin, Z. He, and D. Fan, “Bit-flip attack: Crushing neural network with progressive bit search,” inProceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), 2019, pp. 1211– 1220

  24. [24]

    Defending and harnessing the bit-flip based adversarial weight attack,

    Z. He, A. S. Rakin, and D. Fan, “Defending and harnessing the bit-flip based adversarial weight attack,” inCVPR, 2020

  25. [25]

    Aegis: Mitigating targeted bit-flip attacks against deep neural networks,

    J. Wang, Z. Zhang, M. Wang, H. Qiu, T. Zhang, Q. Li, Z. Li, T. Wei, and C. Zhang, “Aegis: Mitigating targeted bit-flip attacks against deep neural networks,” in32nd USENIX Security Symposium, 2023

  26. [26]

    Efficient encoding of quasi-cyclic low-density parity-check codes,

    Z. Li, L. Chen, L. Zeng, S. Lin, and W. H. Fong, “Efficient encoding of quasi-cyclic low-density parity-check codes,”IEEE Transactions on Communications, vol. 54, no. 1, pp. 71–81, 2006

  27. [27]

    Learning multiple layers of features from tiny images,

    A. Krizhevsky, “Learning multiple layers of features from tiny images,” University of Toronto, Tech. Rep., 2009

  28. [28]

    Imagenet: A large-scale hierarchical image database,

    J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei, “Imagenet: A large-scale hierarchical image database,” in2009 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2009, pp. 248–255

  29. [29]

    (2026) https://github.com/beanduan22/pardef

    ParDef. (2026) https://github.com/beanduan22/pardef. [Online]. Available: https://github.com/beanduan22/ParDef

  30. [30]

    Malicious ai models undermine software supply-chain security,

    A. K. Sood and S. Zeadally, “Malicious ai models undermine software supply-chain security,”Communications of the ACM, vol. 68, no. 6, pp. 62–71, 2025

  31. [31]

    Threat modeling ai/ml with the attack tree,

    S. veria Hoseini, J. Suutala, J. Partala, and K. Halunen, “Threat modeling ai/ml with the attack tree,”IEEE Access, 2024. TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 16

  32. [32]

    A com- prehensive survey on non-invasive fault injection attacks,

    A. M. Shuvo, T. Zhang, F. Farahmandi, and M. Tehranipoor, “A com- prehensive survey on non-invasive fault injection attacks,”Cryptology ePrint Archive, 2023

  33. [33]

    Proflip: Targeted bit-flip attack with probabilistic search,

    J. Chen, A. S. Rakin, Z. He, and D. Fan, “Proflip: Targeted bit-flip attack with probabilistic search,” inProceedings of the IEEE/CVF International Conference on Computer Vision (ICCV), 2021, pp. 7708–7717

  34. [34]

    Fault injection attack on deep neural network,

    X. Liu, Y . Li, S. Chakrabarti, B. Reagen, U. Gupta, G.-Y . Wei, and D. Brooks, “Fault injection attack on deep neural network,” inICCAD, 2020

  35. [35]

    Terminal: Terminating bit-flip attack via end-to-end bit corruption detection,

    S. Hong, J. Park, A. S. Rakin, Z. He, and D. Fan, “Terminal: Terminating bit-flip attack via end-to-end bit corruption detection,” inProceedings of the 57th ACM/IEEE Design Automation Conference (DAC), 2020, pp. 1–6

  36. [36]

    Bitshield: Defending against bit-flip attacks on dnn executables,

    Y . Chen, Y . Yuan, Z. Liu, S. Hu, T. Li, and S. Wang, “Bitshield: Defending against bit-flip attacks on dnn executables,”computing, vol. 2, p. 47, 2025

  37. [37]

    Slalom: Fast, verifiable and private execution of neural networks in trusted hardware,

    F. Tram `er and D. Boneh, “Slalom: Fast, verifiable and private execution of neural networks in trusted hardware,” inInternational Conference on Learning Representations (ICLR), 2019

  38. [38]

    DarkneTZ: Towards model privacy at the edge using trusted execution environments,

    F. Mo, A. S. Shamsabadi, K. Katevas, S. Demetriou, I. Leontiadis, A. Cavallaro, and H. Haddadi, “DarkneTZ: Towards model privacy at the edge using trusted execution environments,” inProceedings of the 18th International Conference on Mobile Systems, Applications, and Services (MobiSys), 2020, pp. 161–174

  39. [39]

    Intel® software guard extensions (intel® sgx) support for dynamic memory management inside an enclave,

    F. McKeen, I. Alexandrovich, I. Anati, D. Caspi, S. Johnson, R. Leslie- Hurd, and C. Rozas, “Intel® software guard extensions (intel® sgx) support for dynamic memory management inside an enclave,” p. 10, 2016

  40. [40]

    Sok: Understanding the prevailing security vulnerabilities in trustzone-assisted tee systems,

    D. Cerdeira, N. Santos, P. Fonseca, and S. Pinto, “Sok: Understanding the prevailing security vulnerabilities in trustzone-assisted tee systems,” inIEEE Symposium on Security and Privacy (SP’20). IEEE, 2020, pp. 1416–1432

  41. [41]

    Privacy risk in machine learning: Analyzing the connection to overfitting,

    S. Yeom, I. Giacomelli, M. Fredrikson, and S. Jha, “Privacy risk in machine learning: Analyzing the connection to overfitting,” pp. 268– 282, 2018

  42. [42]

    Toward confidential cloud computing,

    M. Russinovich, M. Costa, C. Fournet, D. Chisnall, A. Delignat-Lavaud, S. Clebsch, K. Vaswani, and V . Bhatia, “Toward confidential cloud computing,”Communications of the ACM, vol. 64, no. 6, pp. 54–61, 2021

  43. [43]

    Cryptanalytic extraction of neural network models,

    N. Carlini, M. Jagielski, and I. Mironov, “Cryptanalytic extraction of neural network models,”arXiv preprint arXiv:2107.04252, 2021

  44. [44]

    Polynomial time cryptanalytic extraction of neural network models,

    A. Shamiret al., “Polynomial time cryptanalytic extraction of neural network models,”arXiv preprint, 2023

  45. [45]

    A review on machine learning for channel coding,

    H. L. M. Kee, N. Ahmad, M. A. M. Izhar, K. Anwar, and S. X. Ng, “A review on machine learning for channel coding,”IEEE Access, vol. 12, pp. 89 002–89 025, 2024

  46. [46]

    Memory system optimization for fpga-based implementation of quasi-cyclic ldpc codes decoders,

    X. Chen, J. Kang, S. Lin, and V . Akella, “Memory system optimization for fpga-based implementation of quasi-cyclic ldpc codes decoders,” IEEE Transactions on Circuits and Systems I: Regular Papers, vol. 58, no. 1, pp. 98–111, 2010

  47. [47]

    Training data-efficient image transformers & distillation through attention,

    H. Touvron, M. Cord, M. Douze, F. Massa, A. Sablayrolles, and H. J ´egou, “Training data-efficient image transformers & distillation through attention,” inInternational conference on machine learning. PMLR, 2021, pp. 10 347–10 357

  48. [48]

    Advanced Encryption Standard (AES) Key Wrap Algorithm,

    J. Schaad and R. Housley, “Advanced Encryption Standard (AES) Key Wrap Algorithm,” Tech. Rep. 3394, Sep. 2002

  49. [49]

    A secure and reliable bootstrap architecture,

    W. A. Arbaugh, D. J. Farber, and J. M. Smith, “A secure and reliable bootstrap architecture,” inProceedings of the IEEE Symposium on Security and Privacy (S&P), 1997, pp. 65–71

  50. [50]

    An exploratory study of attestation mechanisms for trusted execution en- vironments,

    J. M ´en´etrey, C. G ¨ottel, M. Pasin, P. Felber, and V . Schiavoni, “An exploratory study of attestation mechanisms for trusted execution en- vironments,”arXiv preprint arXiv:2204.06790, 2022

  51. [51]

    Intel trust domain extensions (TDX) architec- ture specification,

    Intel Corporation, “Intel trust domain extensions (TDX) architec- ture specification,” https://www.intel.com/content/www/us/en/developer/ tools/trust-domain-extensions/documentation.html, 2023. Bin Duanreceived the master’s degree from South- east University, China. He is currently pursuing the Ph.D. degree with the School of Electrical Engi- neering and ...