PermuteV: A Performant Side-channel-Resistant RISC-V Core Securing Edge AI Inference
Nuntipat Narkthong, Xiaolin Xu
TL;DR
This work tackles EM side-channel threats to edge AI inference by introducing PermuteV, a co-designed microarchitecture that permutes loop iterations to obscure EM emissions without modifying NN software. The solution combines a Loop Index Generator, ISA extensions, and compiler support to enable secure, low-overhead permutation on a drop-in Ibex core. FPGA experiments show PermuteV substantially increases the effort required for CEMA-based weight recovery while adding only modest hardware overhead and preserving performance. The approach offers a practical path toward scalable, hardware-assisted SCA defenses for edge AI on general-purpose microprocessors.
Abstract
Edge AI inference is becoming prevalent thanks to the emergence of small yet high-performance microprocessors. This shift from cloud to edge processing brings several benefits in terms of energy savings, improved latency, and increased privacy. On the downside, bringing computation to the edge makes them more vulnerable to physical side-channel attacks (SCA), which aim to extract the confidentiality of neural network models, e.g., architecture and weight. To address this growing threat, we propose PermuteV, a performant side-channel resistant RISC-V core designed to secure neural network inference. PermuteV employs a hardware-accelerated defense mechanism that randomly permutes the execution order of loop iterations, thereby obfuscating the electromagnetic (EM) signature associated with sensitive operations. We implement PermuteV on FPGA and perform evaluations in terms of side-channel security, hardware area, and runtime overhead. The experimental results demonstrate that PermuteV can effectively defend against EM SCA with minimal area and runtime overhead.