Make Shuffling Great Again: A Side-Channel Resistant Fisher-Yates Algorithm for Protecting Neural Networks
Leonard Puškáč, Marek Benovič, Jakub Breier, Xiaolu Hou

TL;DR
This paper introduces a secure version of the Fisher-Yates shuffling algorithm to protect embedded neural networks from side-channel attacks, combining masking and modular arithmetic techniques to eliminate vulnerabilities.
Contribution
The authors design an SCA-resistant Fisher-Yates algorithm by integrating masking techniques, effectively preventing side-channel leakage in neural network implementations.
Findings
The proposed algorithm effectively resists correlation power analysis attacks.
Memory overhead is doubled compared to the largest network layer.
Time overhead is minimal, ranging from 0.49% to 4% depending on layer size.
Abstract
Neural network models implemented in embedded devices have been shown to be susceptible to side-channel attacks (SCAs), allowing recovery of proprietary model parameters, such as weights and biases. There are already available countermeasure methods currently used for protecting cryptographic implementations that can be tailored to protect embedded neural network models. Shuffling, a hiding-based countermeasure that randomly shuffles the order of computations, was shown to be vulnerable to SCA when the Fisher-Yates algorithm is used. In this paper, we propose a design of an SCA-secure version of the Fisher-Yates algorithm. By integrating the masking technique for modular reduction and Blakely's method for modular multiplication, we effectively remove the vulnerability in the division operation that led to side-channel leakage in the original version of the algorithm. We experimentally…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Memory and Neural Computing
Methods: Semantic Cross Attention
