Researchers from MIT and the MIT-IBM Watson AI Lab have developed a machine-learning accelerator chip hardened against two of the most common attacks on such hardware: side-channel attacks, which infer data from how the chip behaves while it computes, and bus-probing attacks, which read the model as it travels between the chip and memory. The chip performs its computations on the device itself, so sensitive data such as health records or financial information never has to leave it. The added protection costs some chip area and energy efficiency, but for applications such as on-device AI, augmented reality, autonomous driving and health-monitoring apps the privacy gain could justify that cost.
With machine-learning models increasingly running on smartphones and other personal devices, securing the hardware that executes them has never been more important. One common accelerator design, digital in-memory compute (IMC), is particularly exposed. An IMC chip performs its arithmetic inside the memory array that holds pieces of the model: a model too large to fit on the chip is broken into pieces, each piece is reused as much as possible, and far less data has to be moved back and forth between the chip and off-chip memory. The model pieces and the data flowing through the chip are exactly what an attacker is after.
The researchers countered both attacks. Against side-channel attacks, they split every intermediate value inside the IMC into random shares (a technique known as masking), so that what an attacker can observe during a computation depends on the random shares rather than on the real data, and the shares are only recombined after the computation is finished. Because arithmetic on masked values is more involved than arithmetic on plain values, they had to simplify the computations so that the shares could be processed and recombined correctly. Against bus-probing attacks, they encrypt the model stored in off-chip memory with a lightweight cipher that requires only simple computations, and decrypt each piece of the model on the chip only when it is needed, so the plaintext model never crosses the bus.
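To make the masking idea concrete, here is an added Python example, written for this page and not the researchers' design or code. It splits a value into two additive shares, runs a multiply-accumulate on the shares, and then measures, under a Hamming-weight leakage model, how strongly the contents of a register track the secret when the register holds the value itself versus a single share. The 8-bit datapath, the two-share masking and the ISW-style masked multiply are assumptions chosen for illustration; the example also goes one step beyond the text by showing why a product of two masked values needs fresh randomness and a fixed evaluation order, which is the kind of extra cost that motivates simplifying the computations.

```python
import secrets

WIDTH = 8                 # datapath width assumed for the example; not the chip's parameters
MOD = 1 << WIDTH


def share(x):
    """Split x into two additive shares; each share on its own is uniformly random."""
    x0 = secrets.randbelow(MOD)
    return x0, (x - x0) % MOD


def unshare(x0, x1):
    return (x0 + x1) % MOD


def masked_mac(weights, activations):
    """Accumulate sum(w*a) while the accumulator is kept as two shares.
    Multiplying by a public weight is linear, so it can act on each share separately
    and the real activation is never reconstructed inside the loop."""
    acc0 = acc1 = 0
    for w, a in zip(weights, activations):
        a0, a1 = share(a)
        acc0 = (acc0 + w * a0) % MOD
        acc1 = (acc1 + w * a1) % MOD
    return acc0, acc1


def masked_mul(x_shares, y_shares):
    """Product of two masked values (first-order ISW scheme, arithmetic form).
    The cross terms need a fresh random r, and the bracketed order matters so that
    x0*y1 + x1*y0 never sits unmasked in a register."""
    x0, x1 = x_shares
    y0, y1 = y_shares
    r = secrets.randbelow(MOD)
    z0 = (x0 * y0 + r) % MOD
    z1 = (x1 * y1 + ((x0 * y1 - r) + x1 * y0)) % MOD
    return z0, z1


def hamming_weight(v):
    return bin(v).count("1")


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def leakage_experiment(trials=4000):
    """Hamming-weight leakage model: correlation between the secret activation and the
    'power' of a register that holds either the activation or one share of it."""
    secret, unmasked_leak, masked_leak = [], [], []
    for _ in range(trials):
        a = secrets.randbelow(MOD)      # constructed secret input
        a0, _a1 = share(a)
        secret.append(a)
        unmasked_leak.append(hamming_weight(a))
        masked_leak.append(hamming_weight(a0))
    return pearson(secret, unmasked_leak), pearson(secret, masked_leak)


if __name__ == "__main__":
    w, a = [3, 5, 7, 11], [12, 200, 33, 9]   # constructed weights and activations
    print("masked MAC result:", unshare(*masked_mac(w, a)))
    print("plain MAC result: ", sum(x * y for x, y in zip(w, a)) % MOD)
    print("correlation unmasked / masked:", leakage_experiment())
```

The unmasked register leaks a clear positive correlation between the secret and its Hamming weight, while a single share shows none. This is first-order masking only: an attacker who combines the leakage of both share registers (a second-order attack) can still recover information, which is why real designs also care about where the shares are physically placed and when they are combined.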
The key for that cipher is generated on the chip itself rather than being transferred along with the model, so an attacker probing the bus never sees it. It is derived from the random physical variations introduced during manufacturing, using a physically unclonable function (PUF): those variations differ from die to die, so each chip ends up with its own unique key.
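The following added Python example, which is not the chip's implementation, models the whole off-chip-model path described in the two paragraphs above: a simulated, noisy PUF; a code-offset fuzzy extractor that turns the noisy response into a stable key using public helper data; and per-chunk encrypt-then-MAC so that only the requested piece of the model is decrypted and a chunk that a bus attacker has modified or swapped is rejected. The PUF noise rate, the repetition code, the HMAC-based keystream standing in for the lightweight cipher and the per-chunk authentication tag are all assumptions; the page does not say which cipher or error-correction scheme the chip uses, nor whether it authenticates the model.

```python
import hashlib
import hmac
import random
import secrets

REP = 7                      # repetition-code length per key bit (assumed, not the chip's parameters)
KEY_BITS = 128
RESP_BITS = REP * KEY_BITS   # PUF response bits consumed per key


class SimulatedPUF:
    """Stand-in for a silicon PUF: a per-die fingerprint fixed by manufacturing variation,
    read back with a little bit noise on every evaluation (constructed, seeded RNG)."""

    def __init__(self, seed, flip_prob=0.01):
        rng = random.Random(seed)
        self.fingerprint = [rng.randrange(2) for _ in range(RESP_BITS)]
        self.flip_prob = flip_prob
        self._noise = random.Random(seed + 1)

    def read(self, noisy=True):
        if not noisy:   # controlled factory read, used once at provisioning
            return list(self.fingerprint)
        return [b ^ (self._noise.random() < self.flip_prob) for b in self.fingerprint]


def _kdf(key_bits):
    """Condense the recovered bits into a fixed-length key; it never leaves the chip."""
    raw = int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(b"imc-model-key" + raw).digest()


def enroll(puf):
    """Provisioning: choose random key bits, encode them with the repetition code and XOR
    with the PUF response. The helper data may be stored off-chip: for a uniformly random
    response it reveals nothing about the key (code-offset fuzzy extractor)."""
    key_bits = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    codeword = [kb for kb in key_bits for _ in range(REP)]
    helper = [r ^ c for r, c in zip(puf.read(noisy=False), codeword)]
    return _kdf(key_bits), helper


def regenerate(puf, helper):
    """At boot: XOR a noisy read with the helper data and majority-decode each block."""
    noisy_codeword = [r ^ h for r, h in zip(puf.read(), helper)]
    key_bits = [1 if sum(noisy_codeword[i:i + REP]) > REP // 2 else 0
                for i in range(0, RESP_BITS, REP)]
    return _kdf(key_bits)


def _subkeys(key):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, chunk_index, length):
    """Per-chunk keystream from HMAC in counter mode (stand-in for the lightweight cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = chunk_index.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_model(key, chunks):
    """Encrypt-then-MAC each chunk independently so any one can be fetched and checked alone."""
    enc_key, mac_key = _subkeys(key)
    out = []
    for i, chunk in enumerate(chunks):
        ct = bytes(p ^ k for p, k in zip(chunk, _keystream(enc_key, i, len(chunk))))
        tag = hmac.new(mac_key, i.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:16]
        out.append((ct, tag))
    return out


def decrypt_chunk(key, encrypted, i):
    """Decrypt only chunk i, on demand; reject a chunk that was modified or moved on the bus."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = encrypted[i]
    expect = hmac.new(mac_key, i.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError(f"chunk {i} failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, i, len(ct))))


if __name__ == "__main__":
    puf = SimulatedPUF(seed=7)
    key, helper = enroll(puf)
    print("key regenerated from noisy PUF:", regenerate(puf, helper) == key)
    model = [bytes([i] * 64) for i in range(4)]   # constructed stand-in for weight tiles
    enc = encrypt_model(key, model)
    print("chunk 2 round-trips:", decrypt_chunk(key, enc, 2) == model[2])
```

Two points the plain description glosses over are visible here: the PUF response is not directly usable as a key, since it changes slightly from read to read, so some form of error correction with public helper data is needed before the key is stable; and confidentiality alone does not stop a bus attacker from altering weights, which is why the example binds each chunk to its index with a tag.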
To test the chip, the researchers took the attacker's role and mounted both side-channel and bus-probing attacks against it. After millions of attempts they were unable to reconstruct any real data or extract any part of the model or dataset, whereas about 5,000 samples were enough to extract information from an unprotected chip.
The team acknowledges that the protections reduce the device's energy efficiency and require a larger chip area, which raises production cost, but argues that such designs will be essential for future mobile devices. They plan to explore ways of reducing the chip's energy consumption and area so that it can be deployed at scale more cheaply.