Protection of personal data in the Internet Age is a big worry but solutions may be lacking. A smartwatch may seem secure, but the neural network processing that health information is using private data that could still be stolen by a malicious agent through a side-channel attack - one in which secret information is gathered by indirectly exploiting a system or its hardware. In one type of side-channel attack, a hacker could monitor fluctuations in the device’s power consumption while the neural network is operating to extract protected information that “leaks” out of the device.

Current methods that can prevent some side-channel attacks are power-intensive so not feasible for devices like smartwatches, which rely on low power computation. People worry little attention about the security of these machine-learning algorithms.

“In the movies, when people want to open locked safes, they listen to the clicks of the lock as they turn it. That reveals that probably turning the lock in this direction will help them proceed further. That is what a side-channel attack is. It is just exploiting unintended information and using it to predict what is going on inside the device,” says Saurav Maji, a graduate student in MIT’s Department of Electrical Engineering and Computer Science (EECS) and lead author of a paper that tackles this issue.

Chip photo courtesy of the researchers, edited by MIT News

One solution may be better hardware. A team recently developed an integrated circuit chip that can defend against power side-channel attacks while using less energy than. The chip, smaller than a thumbnail, could be incorporated into a smartwatch, smartphone, or tablet to perform secure machine learning computations on sensor values. 

This 'machine learning on the edge' is still lower-power than current solutions but low power is relative. The new academic prototype requires 5.5 times more power and 1.6 times more silicon area than a baseline insecure implementation. Like early electric cars that could only go 10 miles, that isn't going to be enough for mass consumption but their threshold computing approach is still less energy intensive than other approaches. In threshold computing, rather than having a neural network operate on actual data, the data are first split into unique, random components. The network operates on those random components individually, in a random order, before accumulating the final result.

Using this method, the information leakage from the device is random every time, so it does not reveal any actual side-channel information, Maji says. But this approach is more computationally expensive since the neural network now must run more operations, and it also requires more memory to store the jumbled information.

So, the researchers optimized the process by using a function that reduces the amount of multiplication the neural network needs to process data, which slashes the required computing power. They also protect the neutral network itself by encrypting the model’s parameters. By grouping the parameters in chunks before encrypting them, they provide more security while reducing the amount of memory needed on the chip.

“By using this special function, we can perform this operation while skipping some steps with lesser impacts, which allows us to reduce the overhead. We can reduce the cost, but it comes with other costs in terms of neural network accuracy. So, we have to make a judicious choice of the algorithm and architectures that we choose,” Maji says.

Existing secure computation methods like homomorphic encryption offer strong security guarantees, but they incur huge overheads in area and power, which limits their use in many applications. The researchers’ proposed method, which aims to provide the same type of security, was able to achieve three orders of magnitude lower energy use. By streamlining the chip architecture, the researchers were also able to use less space on a silicon chip than similar security hardware, an important factor when implementing a chip on personal-sized devices.