Tiny MIT Chip Aims to Protect TinyML and Edge AI Data From Side-Channel Power Analysis Attacks
Designed for protecting data on edge devices from power analysis attacks, this tiny chip is small enough for embedded use.
Researchers at the Massachusetts Institute of Technology (MIT) have developed a new chip that aims to secure the Internet of Things and edge AI against power-based side-channel attacks, based on threshold computing.
Side-channel attacks, which became big news with the announcement of the Spectre and Meltdown vulnerabilities in common CPUs from Intel, AMD, and Arm, allow unauthorized applications to spy on what their supposedly-protected neighbors are doing β accessing privileged data up to and including private keys and passwords. Protecting against side-channel attacks has become an ongoing effort, but many solutions are too bulky or power-hungry to be used in the embedded arena.
"The goal of this project is to build an integrated circuit that does machine learning on the edge, so that it is still low-power but can protect against these side channel attacks so we don't lose the privacy of these models," says Anantha Chandrakasan, professor and dean of the MIT School of Engineering and senior author. "People have not paid much attention to security of these machine-learning algorithms, and this proposed hardware is effectively addressing this space."
The compact chip designed by the team is built around the concept of threshold computing, and splits data into randomized components before performing operations β meaning any information leaked via power analysis is also random. To work around the problem of an increase in computational complexity, the chip uses a function designed to reduce the amount of multiplication that takes place and cutting its power requirements while a chunk-based encryption system reduce memory needs.
It's not an approach which comes without a penalty, however. "By using this special function, we can perform this operation while skipping some steps with lesser impacts, which allows us to reduce the overhead," first author Saurav Maji explains. "We can reduce the cost, but it comes with other costs in terms of neural network accuracy. So, we have to make a judicious choice of the algorithm and architectures that we choose."
Even with the power-reducing function, the prototype chip is hungrier than its insecure equivalents: The team calculates its implementation at requiring just over half again as much silicon footprint and 5.5 times the power β but that trade-off may be worth it some applications, with the team demonstrating the chip's capabilities in a biomedical application.
The device comes as a separate research team unveils DAGguise, an approach to memory access which aims to put paid to side-channel attacks based on memory timing analysis without the performance overhead of its rivals. In theory, there's nothing to prevent both approaches being implemented in a single device.
The team's paper has not yet been made publicly available, but more details can be found on the MIT News site.