{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:20:05Z","timestamp":1772040005022,"version":"3.50.1"},"reference-count":36,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2022,4,28]],"date-time":"2022-04-28T00:00:00Z","timestamp":1651104000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation","award":["1901446"],"award-info":[{"award-number":["1901446"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["J. Emerg. Technol. Comput. Syst."],"published-print":{"date-parts":[[2022,7,31]]},"abstract":"\n With proliferation of DNN-based applications, the confidentiality of DNN model is an important commercial goal. Spatial accelerators, which parallelize matrix\/vector operations, are utilized for enhancing energy efficiency of DNN computation. Recently, model extraction attacks on simple accelerators, either with a single processing element or running a binarized network, were demonstrated using the methodology derived from\n differential power analysis (DPA)<\/jats:bold>\n attack on cryptographic devices. This article investigates the vulnerability of realistic spatial accelerators using general, 8-bit, number representation.\n <\/jats:p>\n We investigate two systolic array architectures with weight-stationary dataflow: (1) a 3 \u00d7 1 array for a dot-product operation and (2) a 3 \u00d7 3 array for matrix-vector multiplication. Both are implemented on the SAKURA-G FPGA board. We show that both architectures are ultimately vulnerable. A conventional DPA succeeds fully on the 1D array, requiring 20K power measurements. However, the 2D array exhibits higher security even with 460K traces. We show that this is because the 2D array intrinsically entails multiple MACs simultaneously dependent on the same input. However, we find that a novel template-based DPA with multiple profiling phases is able to fully break the 2D array with only 40K traces. Corresponding countermeasures need to be investigated for spatial DNN accelerators.<\/jats:p>","DOI":"10.1145\/3491219","type":"journal-article","created":{"date-parts":[[2022,2,2]],"date-time":"2022-02-02T22:15:29Z","timestamp":1643840129000},"page":"1-18","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["Power-based Attacks on Spatial DNN Accelerators"],"prefix":"10.1145","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1075-6859","authenticated-orcid":false,"given":"Ge","family":"Li","sequence":"first","affiliation":[{"name":"The University of Texas at Austin, Austin, Texas, USA"}]},{"given":"Mohit","family":"Tiwari","sequence":"additional","affiliation":[{"name":"The University of Texas at Austin, Austin, Texas, USA"}]},{"given":"Michael","family":"Orshansky","sequence":"additional","affiliation":[{"name":"The University of Texas at Austin, Austin, Texas, USA"}]}],"member":"320","published-online":{"date-parts":[[2022,4,28]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/TASLP.2014.2339736"},{"key":"e_1_3_1_3_2","doi-asserted-by":"crossref","first-page":"309","DOI":"10.1007\/3-540-44709-1_26","volume-title":"Cryptographic Hardware and Embedded Systems \u2014 CHES 2001","author":"Akkar Mehdi-Laurent","year":"2001","unstructured":"Mehdi-Laurent Akkar and Christophe Giraud. 2001. An implementation of DES and AES, secure against some attacks. In Cryptographic Hardware and Embedded Systems \u2014 CHES 2001, \u00c7etin K. Ko\u00e7, David Naccache, and Christof Paar (Eds.). Springer Berlin, 309\u2013318."},{"key":"e_1_3_1_4_2","first-page":"515","volume-title":"28th USENIX Security Symposium (USENIX Security\u201919)","author":"Batina Lejla","year":"2019","unstructured":"Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2019. CSI NN: Reverse engineering of neural network architectures through electromagnetic side channel. In 28th USENIX Security Symposium (USENIX Security\u201919). USENIX Association, Santa Clara, CA, 515\u2013532. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/batina."},{"key":"e_1_3_1_5_2","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1007\/978-3-540-28632-5_2","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2004","author":"Brier Eric","year":"2004","unstructured":"Eric Brier, Christophe Clavier, and Francis Olivier. 2004. Correlation power analysis with a leakage model. In Cryptographic Hardware and Embedded Systems - CHES 2004, Marc Joye and Jean-Jacques Quisquater (Eds.). Springer Berlin, 16\u201329."},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-56877-1_7"},{"key":"e_1_3_1_7_2","volume-title":"Cryptographic Hardware and Embedded Systems - CHES 2002","author":"Chari Suresh","year":"2003","unstructured":"Suresh Chari, Josyula R. Rao, and Pankaj Rohatgi. 2003. Template attacks. In Cryptographic Hardware and Embedded Systems - CHES 2002, Burton S. Kaliski, etin K. Ko\u00e7, and Christof Paar (Eds.). Springer Berlin, pages13\u201328."},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/TASL.2011.2134090"},{"key":"e_1_3_1_9_2","doi-asserted-by":"crossref","unstructured":"Anuj Dubey Rosario Cammarota and Aydin Aysu. 2019. MaskedNet: The First Hardware Inference Engine Aiming Power Side-Channel Protection. (2019). arxiv:cs.CR\/1910.13063.","DOI":"10.1109\/HOST45689.2020.9300276"},{"key":"e_1_3_1_10_2","unstructured":"Vasisht Duddu Debasis Samanta D. Vijay Rao and Valentina E. Balas. 2018. Stealing Neural Networks via Timing Side Channels. (2018). arxiv:cs.CR\/1812.11720."},{"key":"e_1_3_1_11_2","unstructured":"Kaiming He Xiangyu Zhang Shaoqing Ren and Jian Sun. 2015. Deep Residual Learning for Image Recognition. (2015). arxiv:cs.CV\/1512.03385."},{"key":"e_1_3_1_12_2","unstructured":"Andrew G. Howard Menglong Zhu Bo Chen Dmitry Kalenichenko Weijun Wang Tobias Weyand Marco Andreetto and Hartwig Adam. 2017. MobileNets: Efficient Convolutional Neural Networks for Mobile Vision Applications. (2017). arxiv:cs.CV\/1704.04861."},{"key":"e_1_3_1_13_2","unstructured":"Xing Hu Ling Liang Lei Deng Shuangchen Li Xinfeng Xie Yu Ji Yufei Ding Chang Liu Timothy Sherwood and Yuan Xie. 2019. Neural Network Model Extraction Attacks in Edge Devices by Hearing Architectural Hints. (2019). arxiv:cs.CR\/1903.03916."},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3195970.3196105"},{"key":"e_1_3_1_15_2","unstructured":"Matthew Jagielski Nicholas Carlini David Berthelot Alex Kurakin and Nicolas Papernot. 2019. High Accuracy and High Fidelity Extraction of Neural Networks. (2019). arxiv:cs.LG\/1909.01838."},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/3140659.3080246"},{"key":"e_1_3_1_17_2","doi-asserted-by":"crossref","unstructured":"H. Kung and R. L. Picard. 1984. One-dimensional systolic arrays for multidimensional convolution and resampling.","DOI":"10.1007\/978-3-642-47523-8_2"},{"key":"e_1_3_1_18_2","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1109\/HST.2019.8741026","volume-title":"IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","author":"Li G.","year":"2019","unstructured":"G. Li, V. Iyer, and M. Orshansky. 2019. Securing AES against localized EM attacks through spatial randomization of dataflow. In IEEE International Symposium on Hardware Oriented Security and Trust (HOST). 191\u2013197."},{"key":"e_1_3_1_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCSII.2010.2048400"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.5555\/1208234"},{"key":"e_1_3_1_21_2","doi-asserted-by":"crossref","unstructured":"Nicolas Papernot Patrick McDaniel Ian Goodfellow Somesh Jha Z. Berkay Celik and Ananthram Swami. 2016. Practical Black-box Attacks against Machine Learning. (2016). arxiv:cs.CR\/1602.02697.","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_1_22_2","doi-asserted-by":"crossref","first-page":"424","DOI":"10.1007\/11502760_29","volume-title":"Fast Software Encryption","author":"Prouff Emmanuel","year":"2005","unstructured":"Emmanuel Prouff. 2005. DPA attacks and S-Boxes. In Fast Software Encryption, Henri Gilbert and Helena Handschuh (Eds.). Springer Berlin, 424\u2013441."},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-65981-7_12"},{"key":"e_1_3_1_24_2","doi-asserted-by":"crossref","unstructured":"Matthieu Rivain and Emmanuel Prouff. 2010. Provably secure higher-order masking of AES. In Cryptographic Hardware and Embedded Systems CHES 2010 Stefan Mangard and Fran\u00e7ois-Xavier Standaert (Eds.). Springer Berlin 413\u2013427.","DOI":"10.1007\/978-3-642-15031-9_28"},{"key":"e_1_3_1_25_2","doi-asserted-by":"crossref","unstructured":"Joshua Saxe and Konstantin Berlin. 2015. Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features. (2015). arxiv:cs.CR\/1508.03096.","DOI":"10.1109\/MALWARE.2015.7413680"},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4419-8080-9_11"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1146\/annurev-bioeng-071516-044442"},{"key":"e_1_3_1_28_2","first-page":"3","volume-title":"IEEE Symposium on Security and Privacy (SP)","author":"Shokri R.","year":"2017","unstructured":"R. Shokri, M. Stronati, C. Song, and V. Shmatikov. 2017. Membership inference attacks against machine learning models. In IEEE Symposium on Security and Privacy (SP). 3\u201318."},{"key":"e_1_3_1_29_2","unstructured":"Vivienne Sze Yu-Hsin Chen Tien-Ju Yang and Joel Emer. 2017. Efficient Processing of Deep Neural Networks: A Tutorial and Survey. (2017). arxiv:cs.CV\/1703.09039."},{"key":"e_1_3_1_30_2","first-page":"354","volume-title":"Cryptographic Hardware and Embedded Systems \u2013 CHES 2005, 7th International Workshop","author":"Tiri Kris","unstructured":"Kris Tiri, David Hwang, Alireza Hodjat, Bo cheng Lai, Shenglin Yang, Patrick Schaumont, and Ingrid Verbauwhede. Prototype IC with WDDL and differential Routing - DPA resistance assessment. In Cryptographic Hardware and Embedded Systems \u2013 CHES 2005, 7th International Workshop. Springer, 354\u2013365."},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC.2016.151"},{"key":"e_1_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISSCC.2009.4977309"},{"key":"e_1_3_1_33_2","first-page":"601","volume-title":"25th USENIX Security Symposium (USENIX Security\u201916)","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In 25th USENIX Security Symposium (USENIX Security\u201916). USENIX Association, 601\u2013618. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity16\/technical-sessions\/presentation\/tramer."},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.23919\/DATE.2017.7927142"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCSII.2020.2973007"},{"key":"e_1_3_1_36_2","volume-title":"29th USENIX Security Symposium (USENIX Security\u201920)","author":"Yan Mengjia","year":"2020","unstructured":"Mengjia Yan, Christopher W. Fletcher, and Josep Torrellas. 2020. Cache telepathy: Leveraging shared resource attacks to learn DNN architectures. In 29th USENIX Security Symposium (USENIX Security\u201920). USENIX Association, Boston, MA. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/yan."},{"key":"e_1_3_1_37_2","doi-asserted-by":"crossref","first-page":"318","DOI":"10.1109\/FCCM.2019.00059","volume-title":"IEEE 27th Annual International Symposium on Field-programmable Custom Computing Machines (FCCM)","author":"Yoshida K.","year":"2019","unstructured":"K. Yoshida, T. Kubota, M. Shiozaki, and T. Fujino. 2019. Model-extraction attack against FPGA-DNN accelerator utilizing correlation electromagnetic analysis. In IEEE 27th Annual International Symposium on Field-programmable Custom Computing Machines (FCCM). 318\u2013318."}],"container-title":["ACM Journal on Emerging Technologies in Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3491219","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3491219","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:09:19Z","timestamp":1750183759000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3491219"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,28]]},"references-count":36,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2022,7,31]]}},"alternative-id":["10.1145\/3491219"],"URL":"https:\/\/doi.org\/10.1145\/3491219","relation":{},"ISSN":["1550-4832","1550-4840"],"issn-type":[{"value":"1550-4832","type":"print"},{"value":"1550-4840","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,4,28]]},"assertion":[{"value":"2020-11-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-04-28","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}