Researchers at MIT and the IBM Watson AI lab have developed a machine-learning accelerator chip that is more resilient to common types of cyber attack. The chip is designed to protect sensitive user data, such as health records or financial information, whilst also enabling large-scale AI models to run efficiently on devices. The design incorporates several optimizations that balance the added security features against overall performance, costing only a minor slowdown in device speed; the accuracy of computations is unaffected by the additional security features. The chip has potential applications in demanding AI areas such as augmented reality, virtual reality, and autonomous driving.
The research team focused on a type of machine-learning accelerator known as digital in-memory compute (IMC). These chips enable computation within a device’s memory where parts of a machine learning model are stored following transfer from the main server. To reduce vulnerability to hacker attacks where data is reverse-engineered by monitoring power consumption (side-channel attacks) or bits of the model are stolen by probing communication between the accelerator and off-chip memory (bus-probing attacks), the team used a three-pronged approach.
Firstly, they split the data in the IMC into random pieces so that a side-channel attack cannot reconstruct the real information from any one piece. Generating the many random bits this process normally requires would itself consume too much computation, so the researchers devised a way to streamline the computations that achieves effective data splitting without needing random bits.
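The data-splitting idea above is a form of masking: the value the accelerator processes is replaced by random shares whose sum equals it, so the power consumed while processing any one share is independent of the secret. The following is an added illustration written for this page, not code from the MIT/IBM team; it uses classic randomized shares (the paper's trick for avoiding random bits is not reproduced here), a 16-bit accumulator width and a Hamming-weight power model, all of which are assumptions.

```python
"""Arithmetic masking of an in-memory dot product (added illustration).

Constructed example: the accelerator computes y = sum_i w[i] * x[i] for one
neuron of a model held in IMC. Instead of feeding the real input vector x
into the array, x is first split into N random shares x = x_1 + ... + x_N
(mod M). Each share is multiplied and accumulated separately, and only the
per-share partial results are recombined. Each share on its own is
uniformly random, so a power trace of one share computation carries no
information about x.
"""
import secrets

MODULUS = 2 ** 16   # assumed 16-bit accumulator width (an assumption, not from the article)


def split_into_shares(value, n_shares, modulus=MODULUS):
    """Split `value` into n_shares uniformly random shares that sum to value mod modulus."""
    if n_shares < 2:
        raise ValueError("need at least two shares for masking")
    shares = [secrets.randbelow(modulus) for _ in range(n_shares - 1)]
    shares.append((value - sum(shares)) % modulus)   # last share fixes the sum
    return shares


def split_vector(vector, n_shares, modulus=MODULUS):
    """Return n_shares share-vectors whose element-wise sum is `vector` (mod modulus)."""
    per_elem = [split_into_shares(v, n_shares, modulus) for v in vector]
    return [[per_elem[i][k] for i in range(len(vector))] for k in range(n_shares)]


def imc_dot(weights, inputs, modulus=MODULUS):
    """Multiply-accumulate exactly as the (unprotected) IMC array would perform it."""
    return sum(w * x for w, x in zip(weights, inputs)) % modulus


def masked_dot(weights, input_shares, modulus=MODULUS):
    """Run the MAC on each share separately, then recombine.

    The dot product is linear, so the sum of the partial results equals the
    unmasked result. Returns (result, partials) so the caller can see that no
    single partial is the real answer.
    """
    partials = [imc_dot(weights, share_vec, modulus) for share_vec in input_shares]
    return sum(partials) % modulus, partials


def hamming_weight(v):
    """Number of set bits: a common first-order model of dynamic power consumption."""
    return bin(v).count("1")


def mean_share_leakage(value, n_trials, modulus=MODULUS):
    """Mean Hamming weight of the first share when the same secret is masked repeatedly.

    For a 16-bit share this stays near 8 whatever the secret is (0 or 0xFFFF
    alike), whereas the Hamming weight of the unmasked value ranges 0..16 and
    would be visible to a power-monitoring attacker.
    """
    total = sum(hamming_weight(split_into_shares(value, 2, modulus)[0]) for _ in range(n_trials))
    return total / n_trials


if __name__ == "__main__":
    weights = [3, -5, 7, 2]          # constructed weights
    activations = [10, 20, 30, 40]   # constructed secret input
    plain = imc_dot(weights, activations)
    masked, partials = masked_dot(weights, split_vector(activations, 3))
    print("unmasked:", plain, "masked:", masked, "partials:", partials)
    print("leakage of secret 0:", hamming_weight(0), "vs first share:", mean_share_leakage(0, 4000))
    print("leakage of secret 0xFFFF:", hamming_weight(0xFFFF), "vs first share:", mean_share_leakage(0xFFFF, 4000))
```

One practical caveat: the shares must be processed in separate passes or separate arrays so that no wire, bitline or register ever carries their sum before the final recombination; if the hardware accidentally adds two shares early, the intermediate value leaks exactly as the unmasked one would.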
Secondly, to prevent bus-probing attacks, the team employed a lightweight cipher to encrypt the model in the off-chip memory. Only the parts of the model stored on the chip were decrypted when necessary.
Thirdly, to increase security, they created the key that decrypts the cipher directly on the chip, rather than moving it back and forth with the model. The key was generated from the random variances in the chip introduced during manufacturing.
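The second and third measures together mean the model is only ever in plaintext inside the chip: off-chip memory holds ciphertext, each block is decrypted just before use, and the key is derived on the chip from its own manufacturing variance rather than being shipped alongside the model. The following added simulation is not the paper's design and the article does not name the lightweight cipher; it substitutes an HMAC-SHA256 counter-mode keystream with a separate tag (so only the Python standard library is needed), stands in for the physical fingerprint with a constructed byte string, and assumes a 16-byte tile size. The error-correction step a real physically unclonable key needs is noted but omitted.

```python
"""Encrypted off-chip model with a key derived on the chip (added illustration).

Constructed example. Model weights are stored off-chip only as encrypted
tiles; the accelerator decrypts just the tile it is about to load, and a
tag check rejects tiles that were tampered with on the bus. The key is
derived from a per-device fingerprint standing in for manufacturing
variance, so a recording of bus traffic yields ciphertext and never the key.
"""
import hashlib
import hmac
import os
import struct

TILE_BYTES = 16   # assumed tile size (an assumption, not from the article)

# Constructed stand-in for a chip's physical fingerprint (e.g. SRAM power-up
# state). Real designs pass the noisy raw response through error correction
# (a fuzzy extractor) before using it; that step is omitted here.
CHIP_A_FINGERPRINT = bytes.fromhex("a3f19c0e5b7d2246c8910fde34ab7c11" "0912ffe3a0b45d6c71e2890f13c4d5a6")
CHIP_B_FINGERPRINT = bytes.fromhex("0c4e77a1d2b3f5869e1a2c3d4f506172" "83b4c5d6e7f8091a2b3c4d5e6f708192")


def derive_key_on_chip(fingerprint):
    """Derive the model key from the chip's own fingerprint; it never leaves the die."""
    return hashlib.sha256(b"model-key|" + fingerprint).digest()


def _subkeys(key):
    """Separate keys for the keystream and the tag so their inputs can never collide."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_model(key, weights):
    """Encrypt the weight bytes tile by tile for off-chip storage.

    Each tile is (nonce, ciphertext, tag). The tag covers nonce and
    ciphertext so a probed-and-modified tile is detected on load.
    """
    enc_key, mac_key = _subkeys(key)
    tiles = []
    for offset in range(0, len(weights), TILE_BYTES):
        chunk = weights[offset:offset + TILE_BYTES]
        nonce = os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(chunk, _keystream(enc_key, nonce, len(chunk))))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        tiles.append((nonce, ct, tag))
    return tiles


def fetch_tile(key, tiles, index):
    """Load one tile from off-chip memory: verify its tag, then decrypt only that tile."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = tiles[index]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tile rejected: wrong key or tampered off-chip memory")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tile_count(weights):
    """Number of tiles the model occupies off-chip."""
    return (len(weights) + TILE_BYTES - 1) // TILE_BYTES


if __name__ == "__main__":
    weights = bytes(range(40))                       # constructed int8 weights
    key_a = derive_key_on_chip(CHIP_A_FINGERPRINT)   # provisioning happened on chip A
    off_chip = encrypt_model(key_a, weights)
    print("tiles off-chip:", len(off_chip), "first ciphertext:", off_chip[0][1].hex())
    print("tile 2 decrypted on chip A:", fetch_tile(key_a, off_chip, 2).hex())
    try:
        fetch_tile(derive_key_on_chip(CHIP_B_FINGERPRINT), off_chip, 2)
    except ValueError as err:
        print("chip B:", err)
```

Two points this makes concrete: decrypting per tile bounds the plaintext present on the chip at any moment to what is actually being computed on, and because the key is a function of the device rather than data on the bus, a second chip with its own fingerprint (or an attacker replaying captured traffic) cannot recover the model.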
The researchers tested their chip by trying to hack it millions of times, attempting to steal information via side-channel and bus-probing attacks. Both attempts were unsuccessful, whereas information could be stolen from an unprotected chip with just 5,000 samples. They acknowledged that their chip requires a larger area and is less energy-efficient, which may make it more expensive to produce. The team plans to explore ways to reduce the chip's energy consumption and size in future work.