TinyML runs machine-learning inference on microcontrollers with kilobytes of memory. These devices are deployed in the field where attackers have physical access — they can probe buses, dump flash and run side-channel attacks. A Hardware Security Module (HSM) — or its embedded cousin, a secure element / trusted-execution root of trust — protects the device's secrets and the ML model itself, which is valuable intellectual property.
Working principle
A hardware root of trust stores keys in tamper-resistant memory and performs cryptographic operations inside the secure boundary, so private keys never appear in general memory. At boot it performs secure / measured boot, verifying firmware signatures before execution. Model weights can be stored encrypted and decrypted only inside the protected region, defeating cloning. Countermeasures (masking, constant-time code) blunt power and electromagnetic side-channel attacks.
| Threat | Countermeasure |
|---|---|
| Key extraction | Keys sealed in tamper-resistant HW |
| Firmware tampering | Secure / measured boot + signing |
| Model cloning (IP theft) | Encrypted weights, on-device decrypt |
| Power / EM side-channel | Masking, constant-time operations |
Constraint
Security must fit a milliwatt, kilobyte budget: full HSMs are too large, so embedded secure elements and ISA security extensions (e.g. Arm TrustZone-M, RISC-V PMP) provide a proportionate root of trust.
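The principle above (keys sealed inside the root of trust, measured boot, weights decrypted only inside the secure boundary), as an added software model in Python that is not code from the original page. The SecureElement class, its method names, the PCR-style register and the HMAC-based keystream are simplifying assumptions standing in for the silicon crypto engines a real secure element provides.

```python
import hashlib
import hmac

# Constructed sample data: a factory-provisioned device key, a firmware image and
# a tiny "model" of int8 weights. Real parts use AES/ECDSA engines in silicon.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
FIRMWARE = b"kws-firmware-v1"
WEIGHTS = bytes([3, 250, 17, 128, 0, 64, 200, 9])


class SecureElement:
    """Software model of an embedded root of trust (hypothetical). The key lives only here."""
    def __init__(self, key):
        self._key = key                  # tamper-resistant key slot
        self._pcr = b"\x00" * 32         # measurement register, cleared at reset
    def extend(self, stage):
        # Measured boot: PCR = H(PCR || H(stage)), so the value reflects every stage run
        self._pcr = hashlib.sha256(self._pcr + hashlib.sha256(stage).digest()).digest()
        return self._pcr
    def verify(self, image, tag):
        # Secure boot gate: authenticate the image (constant-time compare) before it runs
        return hmac.compare_digest(hmac.new(self._key, image, hashlib.sha256).digest(), tag)
    def _keystream(self, n):
        blocks = (hmac.new(self._key, b"ks" + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]
    def seal(self, plain):
        # Factory step: flash only ever holds the weights in this encrypted form
        return bytes(a ^ b for a, b in zip(plain, self._keystream(len(plain))))
    def unseal(self, blob, policy_pcr):
        # Weights are released only when the boot measurement equals the sealed policy
        if not hmac.compare_digest(self._pcr, policy_pcr):
            return None
        return bytes(a ^ b for a, b in zip(blob, self._keystream(len(blob))))


def provision(se):
    """Factory HSM side: sign the firmware, seal the weights, record the expected PCR."""
    tag = hmac.new(DEVICE_KEY, FIRMWARE, hashlib.sha256).digest()
    policy = hashlib.sha256(b"\x00" * 32 + hashlib.sha256(FIRMWARE).digest()).digest()
    return tag, se.seal(WEIGHTS), policy


def boot(se, image, tag, blob, policy):
    """Bootloader sequence on the device; returns the plaintext weights or None."""
    if not se.verify(image, tag):
        return None                      # authentication failed: refuse to execute
    se.extend(image)                     # record what actually ran
    return se.unseal(blob, policy)
```

A bootloader that skips the verify step still cannot recover the weights: the measurement it extends no longer matches the sealed policy, so unseal returns None.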
Applications
- Securing keyword-spotting and predictive-maintenance sensors
- Protecting proprietary edge ML models from theft
- Authenticated, attestable IoT fleets