As AI hardware becomes more modular, researchers are warning that die-to-die links may become the next major attack surface.
The artificial intelligence boom has changed the way the semiconductor industry thinks about performance. For years, progress was measured by how much more could be packed into a single monolithic chip. Today, many of the most advanced AI accelerators are moving in a different direction: chiplets.
Instead of building every function on one large die, chiplet-based systems combine smaller specialized dies inside a single package. Compute, memory, I/O, and control functions can be assembled like high-performance building blocks. The model helps improve yield, shorten development cycles, and make it easier to mix technologies from different vendors or foundries.
But as chiplets become central to AI hardware, a new question is emerging: what happens when the links between those dies are not protected?
Modern AI systems move enormous amounts of sensitive data inside the package. Model weights, activations, gradients, user inputs, and control-plane data can all travel between compute dies, memory dies, and I/O chiplets. In many architectures, those die-to-die links were designed primarily for bandwidth, latency, and power efficiency. Security was often treated as an assumption rather than a built-in requirement.
That assumption is becoming harder to defend.
Chiplet systems create new trust boundaries. A package may include dies from multiple vendors, IP blocks from different design teams, and components fabricated through different parts of the global supply chain. In that environment, the phrase “inside the package” no longer automatically means “inside the same trust zone.” A compromised chiplet, malicious IP block, hardware Trojan, or side-channel attack could potentially observe, modify, or replay traffic moving across internal links.
The risk is not only theoretical. Hardware security researchers have been warning that chiplet-based integration changes the traditional security model. UCLA researchers, for example, have explored the idea of security helper chiplets as a new way to monitor hardware security in chiplet-based systems. Other academic work has examined interposer-based chiplet integration, side-channel leakage across chiplets, and physical verification methods for detecting tampering in chiplet and interposer environments.
The common theme is clear: as the chip industry moves from monolithic systems to modular multi-die systems, security has to move with it.
One of the most important areas of concern is die-to-die communication. Standards such as UCIe, or Universal Chiplet Interconnect Express, are designed to enable high-bandwidth communication between heterogeneous chiplets in a single package. That kind of standardization is essential for the future of multi-vendor chiplet ecosystems. But it also means the interface itself becomes a critical security boundary.
If an attacker can observe traffic across a die-to-die link, proprietary AI model weights may be exposed. If an attacker can modify traffic, gradients or inference data may be poisoned. If an attacker can replay old packets, control-plane operations may be manipulated in ways that conventional error-detection mechanisms cannot catch.
This is where a growing body of research is now focused: not simply making chiplets faster, but making the communication between them trustworthy.
A recent contribution by Yogesh Rethinapandian and collaborators addresses this exact issue through a Secure Communication Engine, or SCE, for UCIe die-to-die chiplet interconnects in AI accelerators. The work, recently published through the IEEE International Midwest Symposium on Circuits and Systems, proposes a lightweight hardware-friendly module that sits between the UCIe protocol layer and physical layer, encrypting and authenticating die-to-die traffic without requiring a complete redesign of the chiplet ecosystem.
“The industry has spent years securing software, memory, and cloud workloads, but die-to-die communication inside chiplet packages is still often treated as implicitly trusted,” Rethinapandian said. “As AI accelerators become more modular and multi-vendor, the interfaces between chiplets become just as important as the chiplets themselves.”
The proposed SCE framework uses ChaCha20-Poly1305 authenticated encryption, HMAC-SHA256 mutual authentication, and sliding-window replay protection. In practical terms, that means chiplets authenticate each other before communication, encrypt traffic moving across the link, verify integrity, and reject replayed packets. The design is described as a “bump-in-the-wire” approach because it can be placed transparently between existing protocol and physical layers.
What makes the research notable is not only the security model, but the performance argument. AI accelerators are extremely sensitive to throughput, and any security mechanism that significantly slows tensor movement would face resistance from industry. Rethinapandian’s work reports that for KB-scale tensor transfers common in AI workloads, the throughput impact remains below 0.01%, while power and area overhead remain below 0.4% and 0.3% of system resources respectively.
That matters because the chip industry has historically treated security and performance as competing priorities. If cryptographic protection can be added to die-to-die links with minimal throughput impact, the argument against securing those links becomes weaker.
The research also reflects a larger shift in hardware security thinking. Traditional protections such as memory encryption, secure boot, and trusted execution environments remain important, but they do not fully address the new attack surfaces created by chiplet integration. A system can secure external memory and still leave internal die-to-die traffic exposed. It can verify software and still fail to authenticate a neighboring chiplet. It can protect data in the cloud while leaving model weights visible inside an advanced package.
That is why chiplet security is increasingly becoming a Silicon Valley issue, not only an academic one. The companies pushing AI acceleration, advanced packaging, and custom silicon are also pushing the boundaries of trust. As AI models become more valuable, the data moving inside accelerators becomes more attractive to attackers. The more modular the hardware becomes, the more important it is to define where trust begins and ends.
Several paths are now emerging. Some researchers are looking at centralized security chiplets that monitor activity across a package. Others are exploring interposer-level roots of trust, tamper detection, side-channel monitoring, and secure chiplet verification. Rethinapandian’s work focuses on securing the communication layer itself, treating die-to-die links as an active security boundary rather than a passive internal wire.
Together, these efforts point toward a future in which chiplet security becomes part of the design process from the beginning. Security cannot be added only at the software layer after hardware decisions have already been made. It has to be considered in packaging, interconnects, authentication, encryption, testing, and supply-chain trust.
The timing is important. AI hardware demand continues to surge. Governments are investing heavily in domestic semiconductor capacity. Chiplet ecosystems are becoming more open and multi-vendor. At the same time, the economic value of AI models and training data is rising sharply. A single compromised link inside a package could become a path to model theft, data leakage, or silent manipulation of AI workloads.
The next frontier in AI hardware may not be only faster compute or larger memory. It may be trust.
As chiplets reshape the physical architecture of computing, the industry will have to decide whether internal communication remains an assumption or becomes a protected layer. The research momentum suggests that the answer is already shifting. In the AI era, the security of a chip may depend not only on what each die can do, but on whether the links between them can be trusted.







