Volume 2022 (2022): Issue 1 (January 2022)
Journal Details
License
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

Masking Feedforward Neural Networks Against Power Analysis Attacks

Published Online: 20 Nov 2021
Page range: 501 - 521
Received: 31 May 2021
Accepted: 16 Sep 2021
Abstract

Recent advances in machine learning have enabled Neural Network (NN) inference directly on constrained embedded devices. This local approach enhances the privacy of user data, as the inputs to the NN inference are not shared with third-party cloud providers over a communication network. At the same time, however, performing local NN inference on embedded devices opens up the possibility of Power Analysis attacks, which have recently been shown to be effective in recovering NN parameters, as well as their activations and structure. Knowledge of these NN characteristics constitutes a privacy threat, as it enables highly effective Membership Inference and Model Inversion attacks, which can recover information about the sensitive data that the NN model was trained on. In this paper we address the problem of securing sensitive NN inference parameters against Power Analysis attacks. Our approach employs masking, a countermeasure well-studied in the context of cryptographic algorithms. We design a set of gadgets, i.e., masked operations, tailored to NN inference. We prove our proposed gadgets secure against power attacks and show, both formally and experimentally, that they are composable, resulting in secure NN inference. We further propose optimizations that exploit intrinsic characteristics of NN inference to reduce the masking’s runtime and randomness requirements. We empirically evaluate the performance of our constructions, showing them to incur a slowdown by a factor of about 2–5.
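
The masking idea named in the abstract, shown on a single fully connected neuron with generic first-order arithmetic masking. This is an added illustration, not one of the paper's gadgets and not code from its authors. The names `shared_t`, `mask`, `refresh`, `unmask` and `masked_neuron`, the fixed-point integer weights, and the xorshift generator standing in for a hardware RNG are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Two arithmetic shares: value == (s0 + s1) mod 2^32. */
typedef struct { uint32_t s0, s1; } shared_t;

/* Assumption: xorshift32 stands in for the device's hardware RNG. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t rand32(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Split a secret fixed-point value into two shares. */
shared_t mask(int32_t v) {
    shared_t s = { rand32(), 0 };
    s.s1 = (uint32_t)v - s.s0;          /* wraps mod 2^32 */
    return s;
}

/* Re-randomise the shares without changing the shared value. */
shared_t refresh(shared_t a) {
    uint32_t r = rand32();
    a.s0 += r; a.s1 -= r;
    return a;
}

/* Recombine the shares; in this example only for the final output. */
int32_t unmask(shared_t a) { return (int32_t)(a.s0 + a.s1); }

/* Masked pre-activation sum_i w[i]*x[i] + b with public inputs x and
 * shared weights and bias. The sum is linear in the weights, so each
 * share is accumulated in its own pass and the code never recombines a
 * weight. */
shared_t masked_neuron(const shared_t *w, shared_t b,
                       const int32_t *x, size_t n) {
    shared_t acc = refresh(b);
    for (size_t i = 0; i < n; i++) acc.s0 += w[i].s0 * (uint32_t)x[i];
    for (size_t i = 0; i < n; i++) acc.s1 += w[i].s1 * (uint32_t)x[i];
    return acc;
}

int main(void) {
    shared_t w[3] = { mask(3), mask(-2), mask(5) };  /* constructed weights */
    int32_t x[3] = { 10, 4, -1 };                    /* constructed inputs */
    printf("%d\n", (int)unmask(masked_neuron(w, mask(7), x, 3)));
    return 0;
}
```

Non-linear steps such as activation functions cannot be evaluated share by share in this way and need dedicated masked operations.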
