Guarding Machine Learning Hardware Against Physical Side-Channel Attacks
Anuj Dubey, Rosario Cammarota, Vikram Suresh, Aydin Aysu

TL;DR
This paper develops and optimizes hardware defenses, including Boolean masking and shuffling, to protect machine learning models on edge devices from physical side-channel attacks, demonstrating effective security with manageable overheads.
Contribution
It introduces the first Boolean masking-based defense for ML hardware, optimizing it for area and latency, and combines it with shuffling to enhance security against side-channel attacks.
Findings
Masking overhead ranges from 4.7× to 5.4× in area-delay product.
No first-order leakage is detected in leakage assessments with millions of traces.
The shuffling defense, combined with masking, impedes second-order attacks.
Abstract
Machine learning (ML) models can be trade secrets due to their development cost. Hence, they need protection against malicious forms of reverse engineering (e.g., in IP piracy). With a growing shift of ML to the edge devices, in part for performance and in part for privacy benefits, the models have become susceptible to the so-called physical side-channel attacks. ML being a relatively new target compared to cryptography poses the problem of side-channel analysis in a context that lacks published literature. The gap between the burgeoning edge-based ML devices and the research on adequate defenses to provide side-channel security for them thus motivates our study. Our work develops and combines different flavors of side-channel defenses for ML models in the hardware blocks. We propose and optimize the first defense based on Boolean masking. We first implement all the masked hardware…
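A worked illustration of the three findings above, added here as an example and not code from the paper or its authors. It models a single secret-dependent XOR (a stand-in for one step of a masked multiply-accumulate; the paper's actual masked datapath is not described on this page) under an assumed Hamming-weight power model with Gaussian noise, and uses fixed-vs-random Welch t-tests (TVLA) as the leakage detector. The secret byte, fixed input, noise level and slot count are hypothetical constants chosen for the simulation. It shows that the unmasked value leaks at first order, that Boolean shares do not, that combining the two shares' sample points (centred product) recovers second-order leakage, and that shuffling which slot carries which share dilutes that combination.

```python
"""
Toy leakage assessment for Boolean masking and shuffling.
Added illustration, not the paper's code. Assumptions: Hamming-weight
leakage with Gaussian noise, one secret-dependent XOR standing in for a
masked MAC step, and fixed-vs-random Welch t-tests (TVLA) as detector.
"""
import math
import random

THRESHOLD = 4.5      # conventional TVLA confidence threshold on |t|
SECRET_W = 0x3C      # hypothetical secret weight byte
FIXED_X = 0xC3       # fixed-class input; FIXED_X ^ SECRET_W == 0xFF
NOISE_SIGMA = 1.0    # hypothetical measurement noise
SLOTS = 16           # time slots in the shuffled trace model


def hw(v):
    return bin(v).count("1")


def leak(rng, value):
    """One power sample: Hamming weight of the handled value plus noise."""
    return hw(value) + rng.gauss(0.0, NOISE_SIGMA)


def trace_unmasked(rng, x):
    """Device computes x ^ w directly; sample 1 is a noise-only reference."""
    return [leak(rng, x ^ SECRET_W), rng.gauss(0.0, NOISE_SIGMA)]


def trace_masked(rng, x):
    """First-order Boolean masking: w is split as w0 = r, w1 = w ^ r with a
    fresh r per evaluation. Each handled share is uniform and independent
    of x; (x ^ w0) ^ w1 == x ^ w is never handled in the clear."""
    r = rng.randrange(256)
    return [leak(rng, x ^ r), leak(rng, SECRET_W ^ r)]


def trace_masked_shuffled(rng, x):
    """As trace_masked, but the two shares land in two random slots; the
    other slots leak unrelated random bytes (e.g. other neurons' shares)."""
    r = rng.randrange(256)
    tr = [leak(rng, rng.randrange(256)) for _ in range(SLOTS)]
    i, j = rng.sample(range(SLOTS), 2)
    tr[i] = leak(rng, x ^ r)
    tr[j] = leak(rng, SECRET_W ^ r)
    return tr


def collect(trace_fn, n, seed=1):
    """Fixed class (constant input) and random class (uniform inputs)."""
    rng = random.Random(seed)
    fixed = [trace_fn(rng, FIXED_X) for _ in range(n)]
    rand = [trace_fn(rng, rng.randrange(256)) for _ in range(n)]
    return fixed, rand


def welch_t(a, b):
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((v - ma) ** 2 for v in a) / (na - 1)
    vb = sum((v - mb) ** 2 for v in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def first_order_t(fixed, rand):
    """Largest |t| over all sample points; above THRESHOLD flags leakage."""
    return max(abs(welch_t([t[i] for t in fixed], [t[i] for t in rand]))
               for i in range(len(fixed[0])))


def second_order_t(fixed, rand, i, j):
    """|t| after centred-product preprocessing of sample points i and j,
    the standard way to combine two shares' leakage into one statistic."""
    pool = fixed + rand
    mi = sum(t[i] for t in pool) / len(pool)
    mj = sum(t[j] for t in pool) / len(pool)
    comb = lambda ts: [(t[i] - mi) * (t[j] - mj) for t in ts]
    return abs(welch_t(comb(fixed), comb(rand)))


def assess(n=10000):
    f_u, r_u = collect(trace_unmasked, n)
    f_m, r_m = collect(trace_masked, n)
    f_s, r_s = collect(trace_masked_shuffled, n)
    return {
        "unmasked_1st": first_order_t(f_u, r_u),       # leaks
        "masked_1st": first_order_t(f_m, r_m),         # below threshold
        "masked_2nd": second_order_t(f_m, r_m, 0, 1),  # shares combined: leaks
        # attacker combining one fixed slot pair against shuffled traces:
        # that pair carries both shares in only 1/120 of the traces
        "shuffled_2nd": second_order_t(f_s, r_s, 0, 1),
    }


if __name__ == "__main__":
    for name, t in assess().items():
        print(f"{name:13s} |t| = {t:7.2f}  {'LEAK' if t > THRESHOLD else 'ok'}")
```

The second-order statistic on the masked traces is large because the two shares of a fixed input are correlated bit by bit (the covariance of their Hamming weights is (8 - 2·HW(x ^ w))/4), while for random inputs that covariance averages to zero. Shuffling does not remove that correlation; it hides which slot pair carries it, so an attacker who combines a fixed pair sees the signal only in a small fraction of traces and needs correspondingly more of them.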
Taxonomy
Topics: Cryptographic Implementations and Security · Physical Unclonable Functions (PUFs) and Hardware Security · Semiconductor materials and devices
