Artificial Intelligence (AI) experience growing popularity in edge devices. The increasing usage of AI on edge devices enlarges the relevance of security of the Intellectual Property (IP) stored within the algorithm. As an attacker can gain physical access to the device, hardware attacks such as Side-Channel Analysis (SCA) must be considered [1]. SCA uses physical quantities like the power consumption to extract valuable information about the AI algorithm.

A common technique to counter SCA is masking [2], which introduces random numbers to make intermediate results and the power consumption independent of secret values.

In this work an existing FPGA implementation of a neural network accelerator should be extended to execute different types of neural networks.

Start: Anytime

References

[1] Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In Proceedings of the 28th USENIX Conference on Security Symposium (SEC'19). USENIX Association, USA, 515–532.

[2] Athanasiou, Konstantinos & Wahl, Thomas & Ding, A. & Fei, Yunsi. (2022). Masking Feedforward Neural Networks Against Power Analysis Attacks. Proceedings on Privacy Enhancing Technologies. 2022. 501-521. 10.2478/popets-2022-0025.

• VHDL
• Python

Neural Networks are inevitable in everyday life. Speech and face recognition as well as driverless cars are just some examples where Artificial Neural Networks (ANN) are used. Training a deep ANN is very time-consuming and computational expensive. Thus, the intellectual property stored in an ANN is an asset worth to protect. Additionally, implementations on edge devices need to be power-efficient whilst maintaining a high throughput. [1] or [2] are examples for frameworks aiming to fulfill these requirements.

A side-channel attack can be used to extract the network parameters such as the number or type of layers, as well as weights and bias values. In [3, 4] side-channel attacks on different implementations of ANNs are performed. 

In this work, a side-channel attack on autogenerated implementations of different ANNs should be performed. This includes a detailed analysis of the side-channel properties of the different implementations.

 Start of Thesis: Anytime

References:

[1] M. Blott, T. B. Preußer, N. J. Fraser, G. Gambardella, K. O’brien, Y. Umuroglu, M. Leeser, and K. Vissers, “Finn-r: An end-to-end deep-learning framework for fast exploration of quantized neural networks,” ACM Transactions on Reconfigurable Technology and Systems (TRETS), vol. 11, no. 3, pp. 1–23, 2018.
[2] Y. Umuroglu and M. Jahre, “Streamlined deployment for quantized neural networks,” arXiv preprint arXiv:1709.04060, 2017.
[3] L. Batina, S. Bhasin, D. Jap, and S. Picek, “{CSI}{NN}: Reverse engineering of neural network architectures through electromagnetic side channel,” in 28th {USENIX} Security Symposium ({USENIX} Security 19), pp. 515–532, 2019.
[4] A. Dubey, R. Cammarota, and A. Aysu, “Bomanet: Boolean masking of an entire neural network," arXiv preprint arXiv:2006.09532, 2020.

• VHDL/Verilog Knowledge
• Sichere Implementierung Kryptographischer Verfahren (SIKA)
• Python Skills

Artificial Intelligence (AI) experience growing popularity in edge devices. The increasing usage of AI on edge devices enlarges the relevance of security of the Intellectual Property (IP) stored within the algorithm. As an attacker can gain physical access to the device, hardware attacks such as Side-Channel Analysis (SCA) must be considered [1]. SCA uses physical quantities like the power consumption to extract valuable information about the AI algorithm.

A common technique to counter SCA is masking [2], which introduces random numbers to make intermediate results and the power consumption independent of secret values.

In this work an existing FPGA implementation of a neural network accelerator should be extended to execute different types of neural networks.

Start: Anytime

References

[1] Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In Proceedings of the 28th USENIX Conference on Security Symposium (SEC'19). USENIX Association, USA, 515–532.

[2] Athanasiou, Konstantinos & Wahl, Thomas & Ding, A. & Fei, Yunsi. (2022). Masking Feedforward Neural Networks Against Power Analysis Attacks. Proceedings on Privacy Enhancing Technologies. 2022. 501-521. 10.2478/popets-2022-0025.

• VHDL
• Python

Neural Networks are inevitable in everyday life. Speech and face recognition as well as driverless cars are just some examples where Artificial Neural Networks (ANN) are used. Training a deep ANN is very time-consuming and computational expensive. Thus, the intellectual property stored in an ANN is an asset worth to protect. Additionally, implementations on edge devices need to be power-efficient whilst maintaining a high throughput. [1] or [2] are examples for frameworks aiming to fulfill these requirements.

A side-channel attack can be used to extract the network parameters such as the number or type of layers, as well as weights and bias values. In [3, 4] side-channel attacks on different implementations of ANNs are performed. 

In this work, a side-channel attack on autogenerated implementations of different ANNs should be performed. This includes a detailed analysis of the side-channel properties of the different implementations.

 Start of Thesis: Anytime

References:

[1] M. Blott, T. B. Preußer, N. J. Fraser, G. Gambardella, K. O’brien, Y. Umuroglu, M. Leeser, and K. Vissers, “Finn-r: An end-to-end deep-learning framework for fast exploration of quantized neural networks,” ACM Transactions on Reconfigurable Technology and Systems (TRETS), vol. 11, no. 3, pp. 1–23, 2018.
[2] Y. Umuroglu and M. Jahre, “Streamlined deployment for quantized neural networks,” arXiv preprint arXiv:1709.04060, 2017.
[3] L. Batina, S. Bhasin, D. Jap, and S. Picek, “{CSI}{NN}: Reverse engineering of neural network architectures through electromagnetic side channel,” in 28th {USENIX} Security Symposium ({USENIX} Security 19), pp. 515–532, 2019.
[4] A. Dubey, R. Cammarota, and A. Aysu, “Bomanet: Boolean masking of an entire neural network," arXiv preprint arXiv:2006.09532, 2020.

• VHDL/Verilog Knowledge
• Sichere Implementierung Kryptographischer Verfahren (SIKA)
• Python Skills

Die Vorlesung Sichere Implementierung kryptographischer Verfahren (SIKA) wird durch eine Übung begleitet, in der vier Programmieraufgaben durchgeführt werden. Zur Unterstützung der Studierenden, zur Betreuung des Seitenkanalmessplatzes und zum Testen der Abgabe-Umgebung wird ein/e Tutor/in gesucht.

Die Programmierübungen beinhalten die Implementierung von AES in C und die Entwicklung verschiedener Angriffe auf RSA und AES in Python. Im Rahmen des Differential Power Analysis(DPA)-Angriffs wird der Stromverbrauch einer Implementierung mit dem Oszilloskop aufgezeichnet. Für die Abgabe und Auswertung der Progammieraufgaben wird dabei die Coderunner-Umgebung aus Moodle verwendet.

Im Rahmen der Tätigkeit können für die Unterstützung bei den Progammieraufgaben feste Sprechzeiten am Lehrstuhl für Sicherheit in der Informationstechnik eingerichtet werden. Zum Testen der Coderunner-Umgebung sollten die Aufgaben jeweils eine Woche vor dem Übungstermin eigenständig gelöst und abgegeben werden, um mögliche Probleme der Umgebung aufzudecken.

Zeitraum und Stundenanzahl:

Ab 01. November 2023 bis 31. Januar 2024 mit 6-12 Stunden pro Woche, geringfügige Anpassung des Zeitraums, der Stundenzahl und Absprache von flexiblen Arbeitszeiten sind möglich.

• Programmierkenntnisse in C und Python
• Grundverständnis im Umgang mit Messgeräten, z.B. Oszilloskop
• Idealerweise Belegung der SIKA-Vorlesung in einem vorhergehenden Semester
• Eigenständige Arbeitsweise

Physical Unclonable Functions (PUFs) exploit manufacturing process variations to generate unique signatures. PUF and error-correcting codes can be joined together to reliably generate cryptographically strong keys. However, the implementation of error-correcting codes is prone to physical attacks like side-channel attacks. Side-channel attacks exploit the information leaked during the computation of secret intermediate states to recover the secret key. Therefore, the implementation of error-correcting codes must also involve the implementation of proper countermeasures against side-channel attacks.

The goal of this thesis is to evaluate the side-channel resistance of a secure implementation of error-correcting codes for PUFs on FPGA. The thesis consists of the following steps:

• Get familiar with currently available implementations of error-correcting codes for PUFs
• Adapt and improve current implementations (VHDL)
• Develop a measurement setup for side-channel analysis (Matlab/Python)
• Perform side-channel analysis using the state-of-the-art EMF measurement equipment in our lab (Oscilloscope knowledge + Matlab/Python required)

 The ideal candidate should have:

• Previous experience in field of digital design (VHDL/Vivado/Xilinx FPGA)
• Basic knowledge on using lab equipment (e.g Oscilloscope,...)
• Basic knowledge in statistics
• Good programming skills in Matlab/Python
• Attendance at the lecture “Secure Implementation of Cryptographic Algorithms” is advantageous