Research Bits: June 21
Side channel protection for edge AI
Researchers at the Massachusetts Institute of Technology have built a chip that can defend against power channel attacks targeting machine learning calculations in smartwatches, smartphones and tablets. Side-channel attacks involve observing one facet of the device’s operation, in this case power, to infer secrets.
“The goal of this project is to build an IC that does machine learning at the edge, so that it’s still low-power but can protect against those side-channel attacks so that we don’t lose confidentiality of these models,” said Anantha Chandrakasan, dean of the MIT School of Engineering and professor of electrical engineering and computer science at MIT. “People haven’t paid much attention to the security of these machine learning algorithms, and this proposed hardware effectively addresses that space.”
The chip is based on threshold calculation. Instead of running a neural network on real data, the data is first split into random components. The network operates on these random components individually, in random order, before accumulating the final result. In this way, the leak of information from the device is random every time.
However, the approach is more computationally expensive and requires more memory. To solve this problem, the researchers optimized the process by using a function that reduces the amount of multiplication the neural network needs to process the data. They also protect the neutral network itself by encrypting the model parameters. By grouping parameters into chunks before encrypting them, they provide more security while reducing the amount of memory needed on the chip.
“Using this special function, we can perform this operation skipping some steps with lesser impacts, which allows us to reduce overhead. We can reduce the cost, but it comes with other costs in terms of neural network accuracy. So we have to make a careful choice of the algorithm and the architectures we choose,” said Saurav Maji, a graduate student in MIT’s Department of Electrical Engineering and Computer Science.
The researchers compared their chip to a basic implementation without security hardware. In the baseline, they were able to retrieve hidden information after collecting around 1,000 power waveforms from the device. With the new hardware, even after collecting 2 million waveforms, they still couldn’t retrieve the data. The new chip also required 5.5 times more power and 1.6 times more silicon area than the reference.
“We are at the point where safety matters. We must be prepared to trade some power consumption to perform a safer calculation. It’s not a free lunch. Future research could focus on how to reduce the amount of overhead to make this calculation more secure,” Chandrakasan said.
They also tested the chip with biomedical signal data to make sure it would work in a real-life implementation. Next, they plan to apply the approach to electromagnetic side-channel attacks.
Researchers from the Gwangju Institute of Science and Technology, Purdue University and Yonsei University have designed natural physical unclonable function (PUF) tags using silk. These tags were used to create a lensless, optical (light-based), wearable (LOP-PUF) PUF module.
“When a beam of light hits the disordered silk fibers of optimum density, it causes light to diffraction. The nanostructures of the individual microfibers enhance the light intensity contrast against the background. The light diffracted is then picked up by an image sensor. Since the pattern of micro-holes is created naturally, it is unique, resulting in a unique pattern of light,” said Young Min Song, a professor at the Institute of Gwangju Science and Technology.
The researchers optimized the distance between the silk-based PUF and the image sensor to achieve the desired intensity and contrast. The assembly also included a light-reflecting mirror and three tri-color LEDs, among other components. A cooling fan has also been used to reduce thermal noise. The team processed the captured light patterns and converted them into digital format.
“To our knowledge, this is the first PUF module designed from silk, a naturally abundant biomaterial. This means we don’t need to invest time in developing complicated security keys, nature has already done that for us,” Song said.
According to the team, the average time needed to “fake” authentication was around 5*1041 years, making the LOP-PUF module a virtually tamper-proof device. It also enabled digital encryption to prevent unauthorized access.
“The digital security device we designed is inexpensive, portable, environmentally friendly and requires no pre- or post-processing. It also does not require a coherent light source or a bulky lens system. The benefits of this system are multiple,” Song said.
Random numbers of skyrmions
Researchers at Brown University propose a way to exploit skyrmions to generate true random numbers. Skyrmions are tiny magnetic anomalies that result from the spin of electrons in certain two-dimensional materials.
“There has been a lot of research into the global dynamics of skyrmions, using their motions as a basis for making calculations,” said Gang Xiao, chairman of Brown’s physics department. “But in this work, we show that purely random fluctuations in the size of skyrmions can also be useful. In this case, we show that we can use these fluctuations to generate random numbers, potentially up to 10 million digits per second.
The team fabricated magnetic thin films using a technique that produced subtle defects in the material’s atomic lattice. When skyrmions form in the material, these defects, which the researchers call pinning centers, hold the skyrmions firmly in place rather than allowing them to move as they normally would.
When a skyrmion is held in place, its size fluctuates randomly. “Each skyrmion goes back and forth between a large diameter and a small diameter,” said Kang Wang, a postdoctoral fellow at Brown. “We can measure this fluctuation, which happens randomly, and use it to generate random numbers.”
The researchers said the skyrmion’s change in size is measured by the anomalous Hall effect, which is a voltage that propagates through the material. This voltage is sensitive to the perpendicular component of the spins of the electrons. As the size of the skyrmion changes, the voltage changes to an easily measurable extent. These random voltage changes can be used to produce a string of random numbers.
By optimizing the spacing of defects in the device, the researchers estimate they can produce up to 10 million random digits per second. “It gives us a new way to generate real random numbers, which could be useful for many applications,” Xiao said. “This work also gives us a new way to harness the power of skyrmions, by examining their local dynamics as well as their global movements.”