ISSN 1000-1239 CN 11-1777/TP

• 系统结构 •

### 面向深度学习加速器的安全加密方法

1. 1（武汉光电国家研究中心(华中科技大学) 武汉 430074）；2（华中科技大学计算机学院 武汉 430074）；3（加州大学圣芭芭拉分校 加利福利亚圣芭芭拉 美国 93106) (pfzuo@hust.edu.cn)
• 出版日期: 2019-06-01
• 基金资助:
国家自然科学基金项目(61772212,61821003)

### A Secure Encryption Scheme for Deep Learning Accelerators

Zuo Pengfei1,2,3, Hua Yu1,2, Xie Xinfeng3, Hu Xing3, Xie Yuan3， Feng Dan1,2

1. 1（Wuhan National Laboratory for Optoelectronics (Huazhong University of Science and Technology), Wuhan 430074）；2（School of Computer, Huazhong University of Science and Technology, Wuhan 430074）；3（University of California at Santa Barbara, Santa Barbara, California, USA 93106)
• Online: 2019-06-01
• Supported by:
This work was supported by the National Natural Science Foundation of China (61772212, 61821003).

Abstract: With the rapid development of machine learning techniques, especially deep learning (DL), their application domains are wider and wider and increasingly expanded from cloud computing to edge computing. In deep learning, DL models as the intellectual property (IP) of model providers become important data. We observe that DL accelerators deployed on edge devices for edge computing have the risk of leaking DL models stored on them. Attackers are able to easily obtain the DL model data by snooping the memory bus connecting the on-chip accelerator and off-chip device memory. Therefore, encrypting data transmitted on the memory bus is non-trivial. However, directly using memory encryption in DL accelerators significantly decreases their performance. To address this problem, this paper proposes COSA, a COunter mode Secure deep learning Accelerator architecture. COSA achieves higher security level than direct encryption and removes decryption operations from the critical path of memory accesses by leveraging counter mode encryption. We have implemented COSA in GPGPU-Sim and evaluated it using the neural network workload. Experimental results show COSA improves the performance of the secure accelerator by over 3 times compared with direct encryption and causes only 13% performance decrease compared with an insecure accelerator without using encryption.