ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development, 2019, Vol. 56, Issue (6): 1161-1169. doi: 10.7544/issn1000-1239.2019.20190109

Special Issue: 2019 Special Topic on Computer Architecture for Artificial Intelligence


A Secure Encryption Scheme for Deep Learning Accelerators

Zuo Pengfei1,2,3, Hua Yu1,2, Xie Xinfeng3, Hu Xing3, Xie Yuan3, Feng Dan1,2   

  1 Wuhan National Laboratory for Optoelectronics (Huazhong University of Science and Technology), Wuhan 430074
  2 School of Computer, Huazhong University of Science and Technology, Wuhan 430074
  3 University of California at Santa Barbara, Santa Barbara, California, USA 93106
  • Online:2019-06-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61772212, 61821003).

Abstract: With the rapid development of machine learning techniques, especially deep learning (DL), their application domains keep widening and are increasingly expanding from cloud computing to edge computing. In deep learning, DL models, as the intellectual property (IP) of model providers, become important data. We observe that DL accelerators deployed on edge devices for edge computing risk leaking the DL models stored on them. Attackers can easily obtain the DL model data by snooping the memory bus that connects the on-chip accelerator to the off-chip device memory. Therefore, encrypting data transmitted on the memory bus is non-trivial. However, directly using memory encryption in DL accelerators significantly decreases their performance. To address this problem, this paper proposes COSA, a COunter mode Secure deep learning Accelerator architecture. COSA achieves a higher security level than direct encryption and removes decryption operations from the critical path of memory accesses by leveraging counter mode encryption. We have implemented COSA in GPGPU-Sim and evaluated it using neural network workloads. Experimental results show that COSA improves the performance of the secure accelerator by over 3 times compared with direct encryption and causes only a 13% performance decrease compared with an insecure accelerator that does not use encryption.

Key words: machine learning, accelerator, edge device, security, bus snooping attack
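
The general counter-mode memory encryption idea that the abstract builds on, sketched as an added example (not code from the paper and not COSA's design). It assumes HMAC-SHA256 as a stand-in for the hardware block cipher and a 32-byte memory block; `CounterModeMemory`, `pad` and `xor` are hypothetical names, and the key and weights are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 32  # bytes per memory block in this model (one HMAC-SHA256 output)


def pad(key: bytes, addr: int, counter: int) -> bytes:
    """Keystream block derived only from key, block address and write counter."""
    seed = addr.to_bytes(8, "big") + counter.to_bytes(8, "big")
    # Assumption: HMAC-SHA256 stands in for the accelerator's block cipher.
    return hmac.new(key, seed, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CounterModeMemory:
    """Hypothetical model: key and counters on chip, ciphertext off chip."""

    def __init__(self, key: bytes):
        self.key = key
        self.counters = {}  # on chip: block address -> write counter
        self.dram = {}      # off chip: what a bus snooper can observe

    def write(self, addr: int, plaintext: bytes) -> None:
        if len(plaintext) != BLOCK:
            raise ValueError("plaintext must be exactly one block")
        ctr = self.counters.get(addr, 0) + 1  # fresh pad on every write
        self.counters[addr] = ctr
        self.dram[addr] = xor(plaintext, pad(self.key, addr, ctr))

    def read(self, addr: int) -> bytes:
        # The pad needs nothing from DRAM, so hardware can compute it while
        # the fetch is in flight; only this XOR waits for the ciphertext.
        keystream = pad(self.key, addr, self.counters[addr])
        return xor(self.dram[addr], keystream)


if __name__ == "__main__":
    mem = CounterModeMemory(b"constructed-demo-key")
    weights = bytes(range(BLOCK))  # constructed sample "model weights"
    mem.write(0x1000, weights)
    mem.write(0x1020, weights)     # same weights at a second address
    print(mem.dram[0x1000].hex())
    print(mem.dram[0x1020].hex())  # differs: the pad is address-dependent
    assert mem.read(0x1000) == weights
```

The model covers confidentiality against bus snooping only; XOR-based counter mode does not by itself detect ciphertext that has been modified in off-chip memory.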
