{"title":"SafeTPU: A Verifiably Secure Hardware Accelerator for Deep Neural Networks","authors":"M. Collantes, Zahra Ghodsi, S. Garg","doi":"10.1109/VTS48691.2020.9107564","DOIUrl":null,"url":null,"abstract":"We present Safe-TPU, a framework for secure computations of Deep Neural Networks (DNNs) in untrusted hardware corrupted by Trojans or fault injection attacks. This work leverages previous advances on interactive proof (IP) systems for verifying, at run-time, the correctness of a neural network’s computations, and makes three new contributions: (1) We present a Trojan resilient DNN hardware accelerator based on interactive proofs; (2) We introduce new protocol enhancements that significantly reduce the space and time required to generate proofs; and (3) we propose an implementation of Safe-TPU with high parallelism and reuse of existing resources already deployed in the baseline DNN accelerator. We prototype Safe-TPU on an FPGA and analyze its security guarantees. Experimentally, we show that Safe-TPU’s area overhead is small (28%) over the baseline DNN accelerator and is 3.15× faster than state-of-the-art, while at the same time, Safe-TPU guarantees to catch, with high probability, any incorrect computations.","PeriodicalId":326132,"journal":{"name":"2020 IEEE 38th VLSI Test Symposium (VTS)","volume":"4585 2 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE 38th VLSI Test Symposium (VTS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/VTS48691.2020.9107564","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 6
Abstract
We present Safe-TPU, a framework for secure computations of Deep Neural Networks (DNNs) in untrusted hardware corrupted by Trojans or fault injection attacks. This work leverages previous advances on interactive proof (IP) systems for verifying, at run-time, the correctness of a neural network’s computations, and makes three new contributions: (1) We present a Trojan resilient DNN hardware accelerator based on interactive proofs; (2) We introduce new protocol enhancements that significantly reduce the space and time required to generate proofs; and (3) we propose an implementation of Safe-TPU with high parallelism and reuse of existing resources already deployed in the baseline DNN accelerator. We prototype Safe-TPU on an FPGA and analyze its security guarantees. Experimentally, we show that Safe-TPU’s area overhead is small (28%) over the baseline DNN accelerator and is 3.15× faster than state-of-the-art, while at the same time, Safe-TPU guarantees to catch, with high probability, any incorrect computations.