MaskedNet: The First Hardware Inference Engine Aiming Power Side-Channel Protection
Anuj Dubey, Rosario Cammarota, Aydin Aysu

TL;DR
This paper demonstrates that neural network inference can be vulnerable to power side-channel attacks and introduces the first hardware countermeasures using masking techniques to protect model confidentiality, with experimental validation on FPGA.
Contribution
It extends differential power analysis to neural networks and proposes novel masking-based countermeasures, including masked adder trees and ReLU units, to defend against such attacks.
Findings
First-order DPA attacks succeed with 200 traces on unprotected models.
Proposed masking countermeasures increase latency by 2.8x and area by 2.3x.
Protection effectively prevents model extraction via power analysis.
Abstract
Differential Power Analysis (DPA) has been an active area of research for the past two decades to study the attacks for extracting secret information from cryptographic implementations through power measurements and their defenses. Unfortunately, the research on power side-channels has so far predominantly focused on analyzing implementations of ciphers such as AES, DES, RSA, and recently post-quantum cryptography primitives (e.g., lattices). Meanwhile, machine-learning, and in particular deep-learning applications are becoming ubiquitous with several scenarios where the Machine Learning Models are Intellectual Properties requiring confidentiality. Expanding side-channel analysis to Machine Learning Model extraction, however, is largely unexplored. This paper expands the DPA framework to neural-network classifiers. First, it shows DPA attacks during inference to extract the secret…
