This work addresses the vulnerability of image sensors to visual data leakage during imaging by proposing SecurePix, a CMOS-compatible secure pixel architecture based on ferroelectric field-effect transistors (FeFETs). SecurePix enables pixel-level symmetric-key encryption directly in the analog domain, achieving the first non-volatile in-pixel analog encryption. By leveraging the multi-domain polarization states of FeFETs to modulate pixel transfer characteristics, the design ensures strong security while maintaining hardware efficiency. Implemented in a 45 nm CMOS process and validated via HSPICE simulations, each SecurePix occupies only 2.33 × 3.01 μm². Encrypted images from MNIST and CIFAR-10 datasets reduce ResNet-18 classification accuracy to 9.58% and 6.98%, respectively, with per-pixel energy-delay products of 17 μW·μs for programming and 1.25 μW·μs for sensing.

Ensuring end-to-end security in image sensors has become essential as visual data can be exposed through multiple stages of the imaging pipeline. Advanced protection requires encryption to occur before pixel values appear on any readout lines. This work introduces a secure pixel sensor (SecurePix), a compact CMOS-compatible pixel architecture that performs true in-pixel encryption using a symmetric key realized through programmable, non-volatile multidomain polarization states of a ferroelectric field-effect transistor. The pixel and array operations are designed and simulated in HSPICE, while a 45 nm CMOS process design kit is used for layout drawing. The resulting layout confirms a pixel pitch of 2.33 x 3.01 um^2. Each pixel's non-volatile programming level defines its analog transfer characteristic, enabling the photodiode voltage to be converted into an encrypted analog output within the pixel. Full-image evaluation shows that ResNet-18 recognition accuracy drops from 99.29 percent to 9.58 percent on MNIST and from 91.33 percent to 6.98 percent on CIFAR-10 after encryption, indicating strong resistance to neural-network-based inference. Lookup-table-based inverse mapping enables recovery for authorized receivers using the same symmetric key. Based on HSPICE simulation, the SecurePix achieves a per-pixel programming power-delay product of 17 uW us and a per-pixel sensing power-delay product of 1.25 uW us, demonstrating low-overhead hardware-level protection.