๐ค AI Summary
This work systematically investigates the privacy vulnerabilities of prominent graph neural networks (GNNs)โincluding GraphSAGE, GCN, GIN, and GATโwhen applied to circuit netlist data, demonstrating their susceptibility to gradient leakage attacks that can expose sensitive information such as gate types and hardware Trojans. The study reveals that attention mechanisms tend to exacerbate information leakage, whereas invertible aggregation enhances model robustness. Through comprehensive experiments evaluating defense strategies like differential privacy, gradient clipping, secure aggregation, quantization-based compression, and adversarial training, the authors find that existing approaches offer protection only under specific conditions and often degrade model utility. These findings underscore the urgent need for more effective and robust privacy-preserving mechanisms tailored to GNN-based hardware design and security applications.
๐ Abstract
As graph neural networks (GNNs) become standard tools for critical tasks in circuit design and analysis, their security and privacy risks require careful attention. Here, we present the first comprehensive evaluation of gradient leakage attacks (GLAs) on GNNs in circuit-design and hardware-security tasks, a practical threat that has been largely overlooked. We assess state-of-the-art (SOTA) GNNs, including GraphSAGE, GCN, GIN, and GAT, trained on standard netlist benchmarks (ISCAS'85, EPFL, and TrustHub), for their fundamental vulnerability to GLAs. We find that GLAs can expose sensitive information, such as gate types and distinctive properties of hardware Trojans, which may assist adversaries in analyzing logic locking schemes or evading Trojan detection mechanisms. Our analysis shows that these risks are influenced by architectural features, with attention mechanisms (GAT) exacerbating leakage, while injective aggregation (GIN) provides comparatively stronger resilience. We further evaluate several SOTA defense techniques, including differential privacy, gradient clipping, secure aggregation, model compression with quantization, and adversarial training. We find that these techniques improve resilience only in specific settings and can also compromise model performance. Overall, our work provides key insights toward privacy-preserving GNNs and highlights the need for more robust and efficient defenses. We release our full methodology and artifacts.