Seculator: A Fast and Secure Neural Processing Unit

TL;DR

Seculator is a novel neural processing unit that enhances DNN security by exploiting deterministic memory access patterns, reducing storage and memory access overheads, and achieving a 16% speedup over prior architectures.

Contribution

It introduces a secure accelerator architecture that maintains only layer and tile-level state, eliminating the need for MAC caches and version number stores, thus improving performance and security.

Findings

Achieves 16% speedup over existing secure DNN architectures.

Reduces storage and memory access by maintaining only layer and tile-level state.

Eliminates the need for MAC cache and tile version number store.

Abstract

Securing deep neural networks (DNNs) is a problem of significant interest since an ML model incorporates high-quality intellectual property, features of data sets painstakingly collated by mechanical turks, and novel methods of training on large cluster computers. Sadly, attacks to extract model parameters are on the rise, and thus designers are being forced to create architectures for securing such models. State-of-the-art proposals in this field take the deterministic memory access patterns of such networks into cognizance (albeit partially), group a set of memory blocks into a tile, and maintain state at the level of tiles (to reduce storage space). For providing integrity guarantees (tamper avoidance), they don't propose any significant optimizations, and still maintain block-level state. We observe that it is possible to exploit the deterministic memory access patterns of DNNs even further, and maintain state information for only the current tile and current layer, which may comprise a large number of tiles. This reduces the storage space, reduces the number of memory accesses, increases performance, and simplifies the design without sacrificing any security guarantees. The key techniques in our proposed accelerator architecture, Seculator, are to encode memory access patterns to create a small HW-based tile version number generator for a given layer, and to store layer-level MACs. We completely eliminate the need for having a MAC cache and a tile version number store (as used in related work). We show that using intelligently-designed mathematical operations, these structures are not required. By reducing such overheads, we show a speedup of 16% over the closest competing work.