SwitchX: Gmin-Gmax Switching for Energy-efficient and Robust Implementation of Binarized Neural Networks on ReRAM Xbars

Memristive crossbar arrays have been employed to implement Matrix-Vector-Multiplications (MVMs) in neural networks in an analog manner. Traditionally, a crossbar (see Figure 2 (Left)), consists of a 2D array of synaptic NVM devices interfaced with DACs, Analog-to-Digital Converters (ADCs), and a write circuit to program the synapses. The synaptic devices at the cross-points are programmed to a particular value of conductance (\(G_{ij}\)). The MVM operations during inference are performed by converting the digital inputs to a neural network into analog voltages on the Read Wordlines (RWLs) using DACs, and sensing the output current flowing through the bitlines (BLs) using the ADCs [23]. For an ideal crossbar, if \(V_{in}\) is the input voltage vector, \(Iout_{ideal}\) is the output current vector and \(G_{ideal}\) is the conductance matrix, then:Non-idealities and equivalent conductance matrix: The analog nature of the computation leads to various non-idealities resulting in errors in the computation of MVMs. These include various linear resistive non-idealities in the crossbars. Figure 2 (Right) shows the equivalent circuit for a crossbar array accounting for various peripheral and parasitic non-idealities (\(Rdriver\), \(Rwire\_row\), \(Rwire\_col\), and \(Rsense\)) modeled as parasitic resistances. The cumulative effect of all the non-idealities results in the deviation of the output current from its ideal value (i.e., Equation (2)), resulting in an \(Iout_{non-ideal}\) vector. The relative deviation of \(Iout_{non-ideal}\) from its ideal value is measured by non-ideality factor (NF) [6] asThus, NF is a direct measure of crossbar non-idealities, i.e., increased non-idealities induce a greater value of NF, affecting the accuracy of the neural network mapped onto them [6, 23, 24].

In this work, we take a trained BNN model with binary weights ({–1, +1}) and map onto ReRAM crossbars using only two conductance states- \(G_{MIN}\) (HRS) and \(G_{MAX}\) (LRS) (details on mapping of negative and positive weights of the BNN along with circuit implementation have been presented in Section 4.1). From Figure 1, once the binarized weights of a BNN are mapped onto crossbars to obtain \(G_{ideal}\), we integrate the resistive interconnect non-idealities of the crossbar and synaptic device variations to convert \(G_{ideal}\) into \(G_{non-ideal}\) (see Section 4.2). This completes the mapping of the weights of the BNN onto a non-ideal crossbar. Thus, we haveUnless otherwise stated, we carry out experiments on ReRAM crossbars with \(R_{MIN} = 20 k\Omega\) and device ON/OFF ratio of 10 [17]. The resistive are non-idealities as follows: \(Rdriver = 1 k\Omega\), \(Rwire\_row = 5 \Omega\), \(Rwire\_col = 10 \Omega\) and \(Rsense = 1 k\Omega\) [6, 13, 23, 55]. The device-to-device variations in ReRAM conductances are modeled using a Gaussian distribution around the nominal device conductances with \(\sigma /\mu = 10\%\) [10, 55]. For our experiments, by performing SPICE simulations with the ReRAM device model [25], we identified that the binary analog voltages input to the ReRAM crossbars for BNN inference can be +0.1/–0.1 V to maintain linear ReRAM I-V characteristics [35]. In this work, we have assumed that the correct mapping of the BNN weights to the memristive conductances (HRS or LRS) without stuck-at-fault defects is ensured post-training [56]. We use a hardware evaluation framework in Pytorch [2, 23] to map the BNNs onto non-ideal crossbars and investigate the cumulative impact of the resistive and device-level non-idealities on networks mapped with SwitchX technique (explained in Section 4.1) on the robustness of neural networks.

Neural networks are vulnerable to adversarial attacks in which the model gets fooled by applying precisely calculated small perturbations on the input [39]. Goodfellow et al. [15] proposed Fast Gradient Sign Method (FGSM) to generate adversarial attacks (\(X_{adv}\)) by linearization of the loss function (\(L\)) of the trained models with respect to the input (\(X\)) as shown in Equation (5).Here, \(y_{true}\) is the true class label for the input \(X\); \(\theta\) denotes the model parameters (weights, biases, and so on). The quantity \(\Delta =\epsilon ~\times ~sign(\nabla _{x} L(\theta ,X,y_{true}))\) is the net perturbation which is controlled by \(\epsilon\). It is noteworthy that gradient propagation is a crucial step in unleashing an adversarial attack. Furthermore, the contribution of a gradient to \(\Delta\) would vary for different layers of the network depending upon the activations [39]. In addition to FGSM-based attacks, multi-step variants of FGSM, such as Projected Gradient Descent (PGD) [34] have also been proposed that cast stronger attacks. The PGD attack, shown in Equation (6), is an iterative attack over \(n\) steps. In each step \(i\), perturbations of strength \(\alpha\) are added to \(X_{adv}^{i-1}\). Note, that \(X_{adv}^{0}\) is created by adding random noise to the clean input \(X\). Additionally, for each step, \(X_{adv}^{i}\) is projected on a Norm ball [34], of radius \(\epsilon\). In other words, we ensure that the maximum pixel difference between the clean and adversarial inputs is \(\epsilon\).

To build resilience against small adversarial perturbations, defense mechanisms such as gradient masking or obfuscation [40] have been proposed. Such methods construct a model devoid of useful gradients, thereby making it difficult to create an adversarial attack. Furthermore, adversarial training [15, 29, 30, 34] is the state-of-the-art and strongest-known software defense against adversarial attacks. Here, the training dataset is augmented with adversarial examples so that the network learns to predict them correctly. The authors in [3] have also shown that hardware non-idealities can intrinsically lead to defense via gradient obfuscation against adversarial perturbations, thereby making a neural network on hardware adversarially robust than baseline software models.

In this work, we explore how SwitchX mapping of BNNs on non-ideal crossbars can yield adversarial robustness when compared with Normal Mapping of BNN weights. Furthermore, we show that when SwitchX is combined with state-aware training of BNN (discussed in Section 5), it intrinsically unleashes even stronger defense on hardware than adversarial training.

For the baseline or Normal Mapping of BNNs onto crossbars, “+1” weights are mapped to \(G_{MAX}\) or LRS and “‘–1” to \(G_{MIN}\) or HRS as shown in Figure 1 (see Normal Mapping). In this work, we perform switched-mapping of the weights of a BNN onto crossbars, termed as SwitchX. As shown in Figure 1 for SwitchX, we compute the mean of the binarized weight matrix of the BNN to be mapped onto a crossbar instance. If the mean is positive-valued (mean \(\gt\) 0), we switch the mapping with “+1” values to HRS states and “–1” values to LRS states. If the mean is negative-valued or zero (mean \(\le\) 0), we do not perform any switching and conduct Normal Mapping. This approach ensures that the proportion of HRS states in a crossbar array is always higher when mapping BNN weights. As noted in Figure 1, the ideal conductance matrix \(G_{ideal}\) obtained from the switched mapping is again converted into \(G_{non-ideal}\) taking the crossbar non-idealities into account.

Circuit implementation of SwitchX for BNN inference: Figure 3 shows the manner in which BNN inference is carried out accurately on an m \(\times\) m crossbar via SwitchX approach. Standard techniques involve a dual-crossbar approach to map neural networks onto crossbars with negative weights. However, in this work, we follow a single crossbar-based approach similar to [26, 53] for mapping both positive and negative BNN weights as ReRAM conductances, thereby reducing hardware overheads. The binary digital inputs of a BNN (\(A_1\)-\(A_m\)) are converted into analog voltages (\(V_{i1}\)-\(V_{im}\)) using DACs (level-shifters producing +0.1/–0.1 V) which are input to the crossbar. The software model weights of a BNN are centered around zero, i.e., {–1, +1}. In the crossbars, the binary weights of the BNN ({–1, +1}) are mapped as {\(G_{MIN}\), \(G_{MAX}\)} synaptic conductances that are not symmetrically centered around zero. Hence, to conduct accurate BNN inference, we need to perform some transformations in hardware to ensure that the trained software weights after being mapped to conductance values still remain symmetrically centered around zero, i.e., {\(\frac{-(G_{MAX}-G_{MIN})}{2}, \frac{+(G_{MAX}-G_{MIN})}{2}\)}. To this end, an additional column of ReRAM devices with conductances of value \(G_0=\frac{(G_{MAX}+G_{MIN})}{2}\) is added (highlighted in blue) and \(R_0 = R\) is set to facilitate the transformation. Note, this is viable for the case when the ReRAM devices under consideration can be programmed to a level between \(G_{MIN}\) and \(G_{MAX}\) having a conductance equal to \(\frac{(G_{MAX}+G_{MIN})}{2}\). In case, the ReRAM devices are bimodal, we realize \(G_0=(G_{MAX}+G_{MIN})\) using a parallel combination of two devices- one in HRS state and the other in LRS state, and set \(R_0 = \frac{R}{2}\). The resulting crossbar currents are sensed by the ADC unit consisting of transconductance amplifiers (generating voltages \(V_{o1}\)-\(V_{om}\)) followed by comparators (with \(V_{REF}=0\)) to produce binarized activations. However, for weights mapped onto crossbars via SwitchX transformation, wherein HRS and LRS states are interchanged for the case when mean \(\gt\) 0, a corresponding inverse transformation is also necessary in the end to ensure the correct activations (\(X_1-X_m\)) at the output. This is done by the digital module consisting of inverters and multiplexers (highlighted in violet). The \(SEL\) signal input to the multiplexers is set to “0” for mean \(\gt\) 0 scenario to conduct switched-mapping and “1” for mean \(\le\) 0 scenario to conduct Normal Mapping to produce the correct output activations (\(X_1-X_m\)). Effectively, during SwitchX implementation, based on the value of mean, the analytical operations are governed by Equations (7) and (8).

For mean \(\le\) 0,Here, the subtraction operation is needed to ensure that the trained binarized weights after being mapped to conductance values in the crossbars remain symmetrically centered around zero, i.e., {\(\frac{-(G_{MAX}-G_{MIN})}{2}, \frac{+(G_{MAX}-G_{MIN})}{2}\)}. Note, the above equation is also true for normally mapping a BNN irrespective of the value of mean [26].

For mean \(\gt\) 0,Basically, for switched-mapping in Equation (8), the additional inverse operation with respect to Equation (8) is emulated using the digital inverse transformation module (highlighted in violet in Figure 3).

Trends for non-ideality factor (NF): Figure 4 shows the variation in NF for different crossbar sizes for a given binary weight matrix with a higher proportion of “+1” values (mean \(\gt\) 0) for a fully-connected layer of a neural network and a given set of input voltages drawn randomly from a uniform distribution. It is observed that NF increases with increasing crossbar size (16 \(\times\) 16 to 64 \(\times\) 64). Further for a given crossbar size, SwitchX results in a decrease in the value of NF with respect to the case of Normal Mapping. This occurs because SwitchX increases the effective resistance of a crossbar array, thereby minimizing the effect of interconnect parasitic resistances and device-level variations, by increasing the proportion of HRS states. Thus, BNNs mapped onto crossbars via SwitchX approach would suffer less interference from non-idealities on MVM operations which would thereby lead to lesser accuracy degradation.

As discussed in Section 3.1, we use a framework in Pytorch, based on RxNN [23], to map trained BNNs onto non-ideal memristive crossbars via SwitchX technique and investigate the cumulative impact of the circuit and device-level non-idealities on their adversarial robustness. Figure 5 illustrates the overall simulation framework that is used for non-ideal crossbar evaluation using SwitchX technique. The entire platform, being based on Python, enables better integration between the software model and the simulation framework. In the platform, a Python wrapper is built that unrolls each and every convolution operation in the software BNN into MAC operations. The matrices obtained are then zero-padded (in case the size of the weight matrix is not an exact multiples of the crossbar size) and partitioned into multiple crossbar instances consisting of the binarized weights. The next stage (functional modeling) of the platform converts the binarized weights \(W\) to suitable conductance states \(G\) (HRS or LRS as marked in green and blue colors, respectively) using SwitchX approach based on proportions of “+1”s and “–1”s in the crossbar instances. Thereafter, the circuit-level parasitic non-idealities are integrated via circuit laws (Kirchoff’s laws) and linear algebraic operations written in Python [2]. This integration is similar to the numerical operations adopted in the RxNN framework, which is a recent work that accurately models circuit non-idealities while evaluating DNNs on crossbars during inference. RxNN has been shown to closely match the results obtained using SPICE models for interconnect parasitics and achieves significantly high speed up during DNN inference on non-ideal crossbars. Furthermore, the ReRAM device variations are included with gaussian profiling. The default specifications of the NVM devices as well as the values of non-idealities have been listed in Table 2, which are used for our experiments. The non-ideal synaptic conductances \(G^{\prime }\) are then integrated into the original Pytorch-based BNN model to conduct inference. This framework, thus, enables us to analyze the impact of intrinsic crossbar non-idealities on mapping BNNs with SwitchX.

Earlier works [31, 39] have identified a metric termed as Adversarial Noise Sensitivity (ANS) to quantify the sensitivity of each layer of a neural network to adversarial perturbations. ANS for a layer \(l\) in a neural network, subjected to an adversarial attack, is defined in terms of an error ratio as follows:where, \(A^l\) and \(A_{adv}^l\) are respectively the clean and adversarial activation values of the layer \(l\). ANS is a simple metric to evaluate how each layer contributes to the net adversarial perturbation during the gradient propagation.

In Figure 6 we show results for a VGG16 BNN (trained using state-aware training) mapped via SwitchX, and a standard VGG16 BNN mapped normally onto 32 \(\times\) 32 crossbars (\(R_{MIN} = 20 k\Omega\) and ON/OFF ratio = 10), both adversarially perturbed using HH mode of FGSM attack. We plot the ANS values for all the convolutional layers and the final fully-connected layer (marked as FC). For the case of SwitchX-mapped BNN we observe lower ANS values implying a reduced error amplification effect [31] and hence, lesser sensitivity and better stability to the induced adversarial perturbations. However, the authors in [39] also agree that a lower value of ANS across the layers of a neural network would not necessarily imply improved adversarial robustness under all circumstances. Hence, in Section 6.2, we propose a novel graphical approach by plotting “robustness maps” to evaluate the adversarial robustness of BNNs upon SwitchX mapping onto non-ideal crossbars.

Earlier approaches to quantify adversarial robustness of neural networks have been based on Adversarial Loss (AL) metric which is the difference between the clean accuracy and the adversarial accuracy for a given value of \(\epsilon\) [2, 38, 39]. Note, clean accuracy is the natural accuracy of a neural network when not under attack. A reduction in the value of AL is said to improve the adversarial robustness of the network. However, AL is not always a suitable metric for the assessment of robustness since reduction in AL does not convey whether the cause is a decrease in clean accuracy or an increase in adversarial accuracy or both. For instance, while evaluating a network with CIFAR-10 dataset, we find the clean and the adversarial accuracies (for a particular \(\epsilon\)) to be \(10\%\) each. Then the value of AL is zero implying that the network is exceptionally robust. However, this is absurd since a \(10\%\) accuracy is random for CIFAR-10 dataset implying that the network is arbitrarily predicting and is not trained.

In this work, we evaluate robustness of the mapped BNNs on crossbars graphically as shown in Figures 7 and 8. For a specific mode of attack (SH or HH) and a given crossbar size, we plot \(\Delta ~Clean~Accuracy\), the difference between clean accuracy of the mapped network in question and the corresponding clean accuracy of the software baseline, on the x-axis. \(\Delta ~Adversarial~Accuracy\) (for a particular \(\epsilon\) value) which is the difference between the adversarial accuracy of the mapped network in question and the corresponding adversarial accuracy of the software baseline is plotted on the y-axis. We term this plot as a “robustness map”. The value of \(\Delta ~Clean~Accuracy\) is negative since BNNs when mapped on hardware suffer accuracy loss owing to non-idealities. The region bounded by the line \(y=-x\) and the y-axis denotes that the absolute increase in the adversarial accuracy is higher than the absolute degradation in the clean accuracy. If a point lies in this region closer to the y-axis, it implies greater adversarial accuracy with lower clean accuracy loss and hence, greater robustness. Therefore, this is our favorable region. As we move farther away from the y-axis in the favorable region, the robustness reduces as the neural network suffers from high loss of clean accuracy, and this has been shown by the variation in color gradient from dark to light-brown (dark shade implying higher robustness). Likewise, the region bounded by the line \(y=x\) and the y-axis is where the mapped-network is highly vulnerable to adversarial attacks and hence, the unfavorable region. Here, as we move farther away from the y-axis in the unfavorable region, the robustness reduces and the degree of unfavorability increases. This has been shown by the variation in color gradient from dark to light-yellow (darker shade implying higher robustness).

This approach to assess robustness of a network is comprehensive and accurate since, it takes into account the cumulative impact of both clean accuracy and adversarial accuracy (which is a strong function of the clean accuracy). The closer a point is to the region marked with dark-brown color, the better the robustness of the neural network. Note, in Figures 7 and 8, the circular points correspond to mappings on 16\(\times\)16 crossbars while the triangular points correspond to mappings on 32 \(\times\) 32 crossbars. All the details pertaining to the baseline software models have been listed in Table 3. Furthermore, the results in Figures 7 and 8 are for BNNs mapped onto crossbars having ReRAM device ON/OFF ratio of 10 with \(R_{MIN} = 20k\Omega\).

Figure 7 shows the robustness maps for BNNs based on VGG16 network with CIFAR-100 dataset for both SH and HH modes of attack. Figure 7(a) and (b) pertain to FGSM attack with \(\epsilon\) varying from 0.05 to 0.3 with step size of 0.05. We find that SwitchX imparts greater clean accuracy (\(\sim\)3% for 32 \(\times\) 32 crossbar) as well as better adversarial accuracies on hardware for both modes of attack, with the points corresponding to SwitchX situated closer to the dark-brown portion favorable region than the corresponding points for Normal Mapping. This is a consequence of the reduction in non-ideality factor in case of SwitchX with respect to Normal Mapping as discussed in Section 3.1. Note, the points for 32 \(\times\) 32 crossbars are situated farther from the favorable region than the corresponding points for 16 \(\times\) 16 crossbars. This is owing to greater non-idealities that exist in case of a 32 \(\times\) 32 crossbar than a 16 \(\times\) 16 crossbar (Figure 4). We further observe that the points for SwitchX BNN for a given crossbar size are more closely packed than the corresponding points for Normal BNN. This implies that even on increasing the perturbation strength (\(\epsilon\)), lesser adversarial loss is observed in case of SwitchX BNN.

Figure 7(c) and (d) also present similar results but for a PGD attack with \(\epsilon\) varying from 2/255 to 32/255 with step size of 2/255. In this case, the robustness is very high for SH mode of attack as compared to HH mode of attack, with points corresponding to 16 \(\times\) 16 crossbars situated inside the favorable region. Similar to the case of FGSM attack, SwitchX outperforms a Normal BNN in terms of robustness for both modes of attack. Here, points for different \(\epsilon\) values, given a style of mapping and crossbar size, are more closely packed than the corresponding points of FGSM attack. This implies that hardware non-idealities interfere more with PGD attacks than FGSM attacks resulting in lesser accuracy degradation.

Effect of varying \(R_{MIN}\) of ReRAM devices: Previous works such as [3, 6] have shown that the impact of resistive crossbar non-idealities (or NF) decreases upon increasing \(R_{MIN}\) of memristive devices. To this end, we plot robustness maps in Figure 9(a) to compare Normal and SwitchX BNNs upon increasing \(R_{MIN}\) from 20 \(k\Omega\) to 50 \(k\Omega\). We find that for both Normal and SwitchX BNNs, data points corresponding to \(R_{MIN} = 50 k\Omega\) (triangle) are closer to the favorable region than for \(R_{MIN} = 20 k\Omega\) (circle) for the same ON/OFF ratio of 10, signifying reduced impact of non-idealities on the crossbar-mapped network models. Further, for \(R_{MIN} = 50 k\Omega\), SwitchX BNNs show performance improvement in terms of robustness over Normal BNNs (\(\sim\)1% improvement in clean accuracy and adversarial accuracies for HH based FGSM attack on 32 \(\times\) 32). Also, in Figure 9(a), we increase \(R_{MIN}\) from 20 \(k\Omega\) to 50 \(k\Omega\) and reduce the device ON/OFF ratio to 5 (diamond-shaped points). We find that even at a lower ON/OFF ratio of 5, SwitchX BNN outperforms the corresponding Normal BNN in terms of robustness. Another important observation from Figure 9(a) is that robustness of a neural network on non-ideal crossbars is a stronger function of \(R_{MIN}\) than \(R_{MAX}\). This is because for both SwitchX and Normal BNNs, improvement in robustness is greater on traversing from the circular to the diamond-shaped points than from the diamond-shaped points to the triangular points.

Efficacy of SwitchX combined with state-aware training: Figure 8 shows the robustness maps for BNNs based on VGG16 network with CIFAR-10 dataset for both SH and HH modes of FGSM attack. Here, we find that there is a significant benefit in terms of improvement in clean accuracy (\(\sim\)10%) and adversarial accuracies (\(\sim\)2–5%) due to SwitchX for a 32 \(\times\) 32 crossbar with respect to Normal Mapping. Similar to the case for CIFAR-100 dataset, we find that SwitchX outperforms a Normal BNN in terms of robustness for both modes of attack. We now analyze cases when SwitchX is combined with state-aware training as well as adversarial training. The results for FGSM attack are summarized:

Owing to low leakage of the memristive devices, the \(V.I\) power consumption in the crossbars constitutes a significantly large portion of the overall power expended in low-precision BNN inference on ReRAM crossbars [8, 18, 27]. Thus, in this section, we show an interesting by-product of SwitchX mapping, whereby we can also reduce the crossbar power consumption compared to normally mapped BNNs (shown in Figure 12). Here, the simulations for estimating the \(V.I\) power consumed by the crossbars during BNN inference has been performed using ReRAM devices with \(R_{MIN} = 20 k\Omega\) and ON/OFF ratio of 10 using the NeuroSim tool [41], and the analog voltages input to the crossbar are +0.1/–0.1 V (obtained via SPICE simulations as specified in Section 3.1).

Trends for energy-efficiency in crossbars: Figure 13 shows a plot of the power savings observed when randomly generated binary weight matrices with a higher proportion of “+1” values are mapped via SwitchX onto crossbars of sizes ranging from 16 \(\times\) 16, to 128 \(\times\) 128. Here, input voltages to the crossbars are drawn from a uniform distribution. The case of “90% HRS states” implies that 10% of the values in the BNN weight matrix were “–1”, while “75% HRS states” implies that 25% of the values were “–1”, i.e., the weight matrix is less non-uniformly distributed than the former. Similarly, “60% HRS states” implies that 40% of the values in the BNN weight matrix were “–1”. We find that the power savings (\(\sim\)7–34% on 64 \(\times\) 64 crossbars) increase when the distribution of BNN weights becomes more non-uniform (from “60% HRS states” to “90% HRS states”) for different crossbar sizes. A more non-uniform distribution would imply greater proportion of HRS states on SwitchX mapping, thereby translating into greater crossbar power savings owing to lower dot-product currents. Note, state-aware training in BNNs increases the non-uniformity in the distribution of HRS-LRS synapses in crossbars when mapped using SwitchX.

From Figure 12(a) (data shown for a 16 \(\times\) 16 crossbar), we find that standalone SwitchX approach leads to \(\sim\)9% power-savings on an average with respect to Normal BNN for a VGG16 network with CIFAR-100 dataset. While for CIFAR-10 dataset, there is \(\sim\)8% power saving for standalone SwitchX, it increases to \(\sim\)22% when SwitchX is combined with state-aware training. Furthermore, on carrying out similar experiments on 32 \(\times\) 32 crossbars, we obtain \(\sim\)21% power savings on combining SwitchX with state-aware training (data not shown for brevity). For CIFAR-100 dataset, we obtain \(\sim\)19% power savings on 16 \(\times\) 16 crossbars on combining SwitchX with state-aware training. Figure 12(b) shows the layer-wise normalized average power consumption by the network with CIFAR-100 and CIFAR-10 dataset. We find that overall for each convolutional layer of the network, the power consumed by the SwitchX BNN is lesser than the Normal BNN. Furthermore, this reduction becomes even more significant between “conv7” and “conv8” layers when SwitchX is combined with state-aware training (for CIFAR-10 dataset). This result is in accordance with Figure 13 which shows that the power savings on crossbar arrays increase significantly when the HRS-LRS state-distribution becomes more non-uniform.

In Section 2, we have specified that there are several previous works on neural network implementations on RRAM crossbar-arrays, such as [51, 57], where the key goal is to obtain high energy-efficiency and not adversarial robustness. Although recently, [12] proposed a RRAM device noise-aware training methodology to generate BNN models that help improve natural as well as adversarial robustness on crossbars with device variations, it does not take into account the impact of circuit-level resistive non-idealities such as crossbar-interconnect parasitics. Also, the noise-aware training methodology in [12] does not translate to any benefits in terms of energy-efficiency for BNNs on crossbars. However, our SwitchX mapping strategy has an interesting by-product of improving crossbar energy-efficiency in addition to providing better adversarial robustness (see Section 6.3). In Table 4, we quantitatively compare our results with some of the prior works on BNNs implemented on crossbars, including [12], to put our work in context. Since the scope of this work is primarily to improve the adversarial robustness of BNNs on non-ideal crossbars, we do not achieve the best of energy-efficiency. However, we obtain significantly better robustness against stronger white-box adversarial attacks compared to [12] even upon the consideration of resistive crossbar non-idealities, which have a larger disruptive effect on the performance of neural networks.