Abstract

Intellectual Property (IP) theft of trained machine learning (ML) models through side-channel attacks on inference engines is becoming a major threat. Several recent works have shown reverse engineering of model internals using such attacks, but research on building defenses remains largely unexplored. There is a critical need to transfer defenses from cryptography, such as masking, to ML frameworks efficiently and securely. Existing works, however, revealed that a straightforward adaptation of such defenses either provides only partial security or leads to high area overheads. To address those limitations, this work proposes a fundamentally new direction: constructing neural networks that are inherently more compatible with masking. The key idea is to use modular arithmetic in neural networks and then efficiently realize masking, in either Boolean or arithmetic fashion, depending on the type of neural network layer. We demonstrate our approach on the edge-computing friendly binarized neural networks (BNN) and show how to modify the training and inference of such a network to work with modular arithmetic without sacrificing accuracy. We then design novel masking gadgets using Domain-Oriented Masking (DOM) to efficiently mask the operations unique to ML, such as the activation function and the output-layer classification, and we prove their security in the glitch-extended probing model. Finally, we implement fully masked neural networks on an FPGA, show that they achieve similar latency while reducing flip-flop (FF) and look-up table (LUT) costs relative to the state-of-the-art protected implementations by 34.2% and 42.6%, respectively, and demonstrate their first-order side-channel security with up to 1M traces.

Highlights

  • Illicit extraction of proprietary machine learning (ML) models has become a serious concern in the ever-growing ML industry

  • We address the fundamental incompatibility of neural networks with cryptographic defenses by proposing an alternative way to construct inference that works on modular arithmetic with negligible accuracy loss: less than 0.5% for a binarized multi-layer perceptron (MLP) on MNIST, and less than 1% for a convolutional neural network (ConvNet) on the CIFAR-10 and CIFAR-100 datasets

  • Our MLP consists of 4 dense layers of 4096 nodes each, while the ConvNet consists of 6 conv layers with number of channels [128, 128, 256, 256, 512, 512], and 3 dense layers with 1024 nodes each, similar to the baseline binarized neural networks (BNN) architecture [CB16]
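The abstract's key idea, masking the bit-level part of a binarized neuron with Boolean shares and its accumulation with arithmetic shares mod 2^K, is illustrated below in Python. This is an added example, not code from the paper: it assumes an 8-bit accumulator (K = 8), uses the standard first-order DOM-indep AND gadget of Gross et al. (2016) rather than the paper's own gadgets, checks that gadget only in the plain (not glitch-extended) single-probe model by exhaustive enumeration, and stands in for the Boolean-to-arithmetic conversion with a deliberately insecure placeholder so that the linear accumulation and the non-linearity of the threshold (sign) activation can be shown on their own. The sample neuron inputs are constructed.

```python
"""Added illustration, not code from the paper: first-order Boolean masking
for the bit-level (XNOR) part of a binarized neuron, arithmetic masking mod
2**K for its popcount accumulation, an exhaustive single-probe check of the
classic DOM-indep AND gadget, and a counterexample showing why the sign
activation cannot be applied share-wise."""
import itertools
import secrets
from collections import Counter

K = 8            # assumed accumulator width; the paper's width may differ
MOD = 1 << K

# ---- Boolean masking: share-wise for linear ops, DOM gadget for AND ----
def bool_share(bit, r=None):
    r = secrets.randbits(1) if r is None else r
    return (r, bit ^ r)

def bool_unshare(sh):
    return sh[0] ^ sh[1]

def masked_xnor(a, b):
    """XNOR = NOT(a XOR b): XOR is share-wise, NOT flips one share only."""
    return (a[0] ^ b[0] ^ 1, a[1] ^ b[1])

def dom_indep_and(a, b, z):
    """DOM-indep AND (Gross et al. 2016): inner-domain products stay in their
    domain, cross-domain products are refreshed with fresh random bit z."""
    c0 = (a[0] & b[0]) ^ ((a[0] & b[1]) ^ z)
    c1 = (a[1] & b[1]) ^ ((a[1] & b[0]) ^ z)
    return (c0, c1)

def dom_and_leaky_wires():
    """Enumerate all share/randomness assignments and record, per secret
    (a, b), the value distribution of every intermediate wire. A wire whose
    distribution depends on the secret would leak to a single probe
    (plain probing model; glitches are not modelled here)."""
    hist = {}
    for a0, a1, b0, b1, z in itertools.product((0, 1), repeat=5):
        secret = (a0 ^ a1, b0 ^ b1)
        c = dom_indep_and((a0, a1), (b0, b1), z)
        wires = {"a0": a0, "b1": b1, "a0b0": a0 & b0, "a1b1": a1 & b1,
                 "a0b1": a0 & b1, "a1b0": a1 & b0,
                 "a0b1^z": (a0 & b1) ^ z, "a1b0^z": (a1 & b0) ^ z,
                 "c0": c[0], "c1": c[1]}
        for name, val in wires.items():
            hist.setdefault(name, {}).setdefault(secret, Counter())[val] += 1
    return sorted(n for n, per in hist.items()
                  if len({tuple(sorted(cnt.items())) for cnt in per.values()}) > 1)

# ---- Arithmetic masking mod 2**K: accumulation is linear, sign is not ----
def arith_share(v, r=None):
    r = secrets.randbelow(MOD) if r is None else r
    return (r, (v - r) % MOD)

def arith_unshare(sh):
    return (sh[0] + sh[1]) % MOD

def masked_popcount(shared_bits):
    """Sum arithmetically shared bits share by share; no randomness needed."""
    return (sum(s[0] for s in shared_bits) % MOD,
            sum(s[1] for s in shared_bits) % MOD)

def reference_b2a(sh):
    """Placeholder Boolean-to-arithmetic conversion: unmasks then reshares.
    NOT secure (it recombines the shares); a real design uses a conversion
    gadget, which this illustration deliberately does not reproduce."""
    return arith_share(bool_unshare(sh))

def masked_neuron_popcount(x_sh, w_sh, b2a=reference_b2a):
    """Masked XNOR-popcount of a binarized neuron: Boolean XNOR per input,
    conversion to arithmetic shares, then linear accumulation mod 2**K."""
    return masked_popcount([b2a(masked_xnor(x, w)) for x, w in zip(x_sh, w_sh)])

def unmasked_popcount(x_bits, w_bits):
    return sum(1 ^ x ^ w for x, w in zip(x_bits, w_bits)) % MOD

def sharewise_threshold_counterexample(t):
    """Return (v, shares) where applying 'v >= t' to each share and XORing
    the results disagrees with the unmasked answer: the threshold (sign)
    activation is non-linear over Z mod 2**K and needs a dedicated gadget."""
    for v in range(MOD):
        for r in range(MOD):
            sh = arith_share(v, r)
            if ((sh[0] >= t) ^ (sh[1] >= t)) != (v >= t):
                return v, sh
    return None

if __name__ == "__main__":
    # constructed sample: an 8-input binarized neuron with random bits
    x = [secrets.randbits(1) for _ in range(8)]
    w = [secrets.randbits(1) for _ in range(8)]
    acc = masked_neuron_popcount([bool_share(b) for b in x], [bool_share(b) for b in w])
    print("masked popcount", arith_unshare(acc), "== unmasked", unmasked_popcount(x, w))
    print("DOM AND wires leaking to one probe:", dom_and_leaky_wires())
    print("share-wise threshold fails at", sharewise_threshold_counterexample(4))
```

The two halves show why the layer type decides the masking style: XNOR and modular addition are linear in their respective share representations and cost no randomness, whereas AND needs a DOM gadget with fresh randomness and the threshold activation cannot be evaluated share by share at all. The enumeration in `dom_and_leaky_wires` is the kind of sanity check a practitioner runs before trusting a gadget, but it covers a single probe on a stable wire only; glitch-extended probing, which the paper's proofs address, requires reasoning about the combinational logic feeding each register and is outside this script.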

Introduction

Illicit extraction of proprietary machine learning (ML) models has become a serious concern in the ever-growing ML industry. The model owner typically charges users to use the model or to purchase a device containing the trained model [Sec20]. In both cases, the ML model carries business value and should be kept confidential from the users.

We introduce the basics of neural networks, BNNs, and hardware masking. These fundamentals serve as the groundwork for understanding the methods proposed in later sections. Notation: a bracketed subscript $x_{[i]}$ indexes the $i$-th bit of a scalar $x$; an overline $\bar{x}$ denotes the bit-wise inverse; a superscript $x^{i}$ denotes the $i$-th share of a masked variable $x$; calligraphic font $\mathcal{O}$ denotes sets; and typewriter font $\mathtt{F}(\cdot)$ denotes functions. A braced superscript, as in $w^{\{j\}}_{i,k}$, indexes variables belonging to different layers of the neural network.
