(An) energy-efficient design of secure convolutional neural network accelerator (Design of an energy-efficient convolutional neural network accelerator robust against security attacks)

Owing to the excellent performance of convolutional neural networks (CNNs), tremendous progress has been made in the development of CNN algorithms and efficient CNN accelerators for edge devices. At the same time, concerns about the security of CNN processing have grown with respect to user privacy and safety. Because the user's private data are used, the security of the CNN execution environment becomes critical and needs proper countermeasures at the hardware level. In this thesis, the security environment of the CNN accelerator is analyzed. Then, to enhance the security of the CNN accelerator, two research works are presented. First, an efficient data ciphering system embedded in a CNN accelerator is proposed. To protect the private data and the CNN model, data involved in CNN processing must be encrypted. However, the number of operations in the CNN and security workloads changes constantly during execution, so their relative ratio varies. To efficiently support various convolution/AES workloads, CREMON is suggested, a reconfigurable system that performs CNN inference and data ciphering. It introduces the cryptography reconfigurable processing element (CRPE), appropriate workload mapping, and dataflow. A test chip with the proposed scheme was implemented and tested for performance verification. As a result, the CREMON prototype chip achieved state-of-the-art performance/area efficiency for AES and improved energy efficiency by up to 44.1% in processing CNN/AES workloads. Although CNN processing data are efficiently encrypted, there remains a threat of CNN model reverse engineering. Model reverse engineering is hazardous because its success could facilitate other types of attacks. In previous model reverse engineering methods, the most powerful leverage point is the read-after-write (RAW) dependency in the memory accesses to feature maps, which is inherent in layer-by-layer CNN dataflow.
By monitoring RAW, layer boundaries are detected and exploited to estimate the size of CNN layers. Therefore, we propose SeCNN, an architectural methodology for a secure CNN accelerator that mitigates the problems arising from RAW and memory access patterns. By observing the dynamic variation of non-zero value density in each CNN inference, we utilize fused-layer CNN processing to minimize RAW and sparse CNN techniques to expand the CNN architecture exploration space. In addition, for further security and processing efficiency, two novel methods are suggested: non-zero balancing and TSeCNN. First, the non-zero balancing methods reduce imbalances among the several cores of the SeCNN hardware so that layers can be fused deeper under given memory constraints. Second, for the condition where on-chip memory capacity is too limited to form meaningful pyramids, TSeCNN alleviates the on-chip memory condition by manually dividing secure pyramids and processing them in a time-multiplexed manner. As a result, SeCNN increases the complexity of searching possible architecture candidates to the extreme, thereby making the attack infeasible. At the same time, the proposed architecture with our suggested methods not only enhances security but also reduces external memory access by 79%.
Advisors
Kim, Lee-Sup (김이섭)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2020
Identifier
325007
Language
eng
Description

Doctoral thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering, 2020.8, [vi, 76 p.]

Keywords

Security in CNN processing; CNN security; CNN accelerator; AES hardware; Reconfigurable processor; CNN model reverse engineering

URI
http://hdl.handle.net/10203/295621
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=964771&flag=dissertation
Appears in Collection
EE-Theses_Ph.D. (Doctoral Theses)
Files in This Item
There are no files associated with this item.
