Power-Based Attacks on Spatial DNN Accelerators
Ge Li, Mohit Tiwari, and Michael Orshansky
TL;DR
This paper demonstrates that realistic spatial DNN accelerators are vulnerable to power analysis attacks, with novel techniques able to extract models even from more complex 2D array architectures.
Contribution
It provides the first comprehensive analysis of power-based attacks on realistic 8-bit spatial DNN accelerators, revealing vulnerabilities and proposing advanced attack methods.
Findings
1D array fully broken with 20K traces
2D array more secure but still vulnerable with 460K traces
Template-based DPA can fully extract models from 2D array with 40K traces
Abstract
With proliferation of DNN-based applications, the confidentiality of DNN model is an important commercial goal. Spatial accelerators, that parallelize matrix/vector operations, are utilized for enhancing energy efficiency of DNN computation. Recently, model extraction attacks on simple accelerators, either with a single processing element or running a binarized network, were demonstrated using the methodology derived from differential power analysis (DPA) attack on cryptographic devices. This paper investigates the vulnerability of realistic spatial accelerators using general, 8-bit, number representation. We investigate two systolic array architectures with weight-stationary dataflow: (1) a 3 1 array for a dot-product operation, and (2) a 3 3 array for matrix-vector multiplication. Both are implemented on the SAKURA-G FPGA board. We show that both architectures are…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsCryptographic Implementations and Security · Advanced Memory and Neural Computing · Quantum-Dot Cellular Automata