2022-04780 - PhD Position F/M Guess What I’m Learning: Side-Channel Analysis of Edge AI Training Accelerators
Le descriptif de l’offre ci-dessous est en Anglais

Type de contrat : CDD

Niveau de diplôme exigé : Bac + 5 ou équivalent

Fonction : Doctorant

A propos du centre ou de la direction fonctionnelle

The Inria Rennes - Bretagne Atlantique Centre is one of Inria's eight centres and has more than thirty research teams. The Inria Center is a major and recognized player in the field of digital sciences. It is at the heart of a rich R&D and innovation ecosystem: highly innovative PMEs, large industrial groups, competitiveness clusters, research and higher education players, laboratories of excellence, technological research institute, etc.

Contexte et atouts du poste

Host team: The project will be held in the TARAN (formerly CAIRN) team of the IRISA/INRIA laboratory. The TARAN team, with more than 35 members from Inria, UR1, and ENS Rennes, has participated in several national and European R&D projects (H2020 ARGO, FP7 Alma, FP7 Flextiles) and has strong industrial collaborations (e.g., Safran, Thales, Alcatel, Orange, STMicroelectronics, Technicolor, and various SMEs). TARAN has recognized experience in several domains related to the project, such as embedded system design, fault tolerance, safety-critical systems, computing architectures, design tools for specialized hardware architectures.

Acquiring new skills: As a new member of the TARAN team, you will be integrated in a research group with excellent prestige and deep knowledge of embedded systems. The TARAN research group can provide you with a more solid understanding and knowledge of computer architectures and hardware design. For instance, the host team has high-quality papers published using RISC-V-based processors and dedicated hardware designs, subjects that you will be able to learn much more about and increase my background in this area.

Principales activités

Summary: The importance of data privacy in Deep Learning (DL) systems is without doubt. However, recent studies have shown how to use side-channels to guess key parameters or recover inputs from DL model inference running on accelerators. For example, input images of a DL model were estimated from collected power traces without knowing the detailed model parameters [1]. However, this thesis goes further than current practice by studying if private information can be retrieved during training phase, if it is possible to disrupt the training quality, and how to secure training accelerators. The objective is to study training-time, side-channel analysis, hardware attacks and required countermeasures, focusing on fault injections in edge AI accelerators.


As Deep Learning is computationally intensive and power hungry, the use of dedicated and customized hardware accelerators is imposing. This is the case for FPGAs, increasingly adopted to build highly customized and flexible DL accelerators [2–4], including the recent trend on approximate Deep Neural Network (DNN) implementations [5].

The convergence of edge computing and AI brings Edge Intelligence [6], which moves the bulk of intel- ligent data processing from the core of the network to the edge, closer to where data is produced and resides. This therefore reduces latency and increases privacy [7].

However, the connectivity and accessibility of these edge devices enable both local and remote attacks, unveiling an enormous attack surface with large potential impacts on security, safety and privacy. In the context of DL hardware security, recent works are reporting increasing attacks to DNN implemen- tations [8, 9]. These include Side-Channel Analysis (SCA) attacks [9, 10], either using power consump- tion [1, 11–17] or Electromagnetic (EM) emanations [18–20], and Fault Injection (FI) attacks [21–29]. In the former case, the objective of the attack is to compromise confidentiality, enabling the recovery of secret DL assets (like models and private data inputs) that jeopardize privacy and enable counterfeiting by model reverse engineering. In the latter, the objective is to compromise both integrity, altering the expected performance through misclassifications and controlled behaviours, and availability, rendering the system useless through denied access or reduced quality or performance [30]. Physical SCA and FI attacks to AI-enabled edge devices are particularly worrying given their higher accessibility and exposure to attackers [31].

Distributed training at the edge can be traced back to 2016 [32], where a decentralized Stochastic Gradient Descent (SGD) method is proposed to solve a large linear regression problem. More recently it has evolved to the concept of collaborative or federative learning, which is based on the same general principle but is more efficient [33]. Other techniques for edge training are to train or retrain models on single edge devices, taking advantage of modern training features such as transfer learning, incremental learning, and continuous learning. In all these approaches, local data are processed on each edge device, which prevents the devices from revealing private data to the cloud. However, the server should neither trust edge devices completely, since these can be attacked and forced into abnormal behaviors, which can poison training data. This would thus result in inadequate model updates, and hence in a low-quality trained model. For example, in a backdoor-attacked face recognition-based authentication system, attackers could mislead systems to identify them as a person who can access a building through impersonation [34],[6].

The described scenario is helping rise general concerns on AI trust, which calls for a major research effort to protect critical infrastructures and sensitive data that rely on AI-based processing. As a consequence, protecting DNN implementations is a key concern to keep their models and internal data private and secure from attacks, as this has a large potential for major impacts on privacy, safety and secret corporate IP. To help unlock the full potential of AI and enable efficient and secure deployments, our objective is to build secure DL hardware accelerators for edge and cloud systems, hence resistant to both local and remote hardware attacks.

Objectives of the Thesis

The main goals of this thesis are (1) to investigate the implementation vulnerabilities against SCA and FI attacks of custom, reduced-precision hardware implementations of DNN accelerators built in FPGAs and (2) to develop adequate countermeasures to build secure accelerators.

On the FI case, the objective is to investigate how these attacks can impact the integrity and availability of the system (accuracy, training/inference time, energy consumption). We will especially focus on electromagnetic FI using the facilities at the Laboratoire Haute Sécurité (LHS) at Inria Rennes. On the SCA case our objective is to understand how the attacks can impact the confidentiality of the system by revealing key secret information like training/inference inputs and by enabling reverse engineering of DL models and architectures. For local attacks, we focus on capturing power/EM side-channel leakage traces.

As mentioned, we will in particular focus on hardware security of DL accelerators at training time, especially in (semi-)supervised, cooperative edge scenarios, through a holistic approach that combines training methodologies, algorithms and design of custom accelerators in FPGA.

Training-time attacks to DNNs have not focused on hardware vulnerabilities, but on datasets to com- promise the training, like software adversarial attacks that contaminate the training dataset to increase the misclassification probability at inference time [35]. As already mentioned, security-enhanced edge training includes research on how to secure the communication protocols to avoid data to be corrupted in a federated-learning setting [36–38]. The hardware is assumed to be secured and fault-free. However, when this assumption fails, data and/or model computation can be corrupted, hence harming the global model training result.


This work will take place in the Taran team from IRISA/Inria, in collaboration with CentraleSupélec (Rubén Salvador, IETR) and Inria LHS (Ronan Lashermes).



The recruited person is expected to develop complex processor architectures leveraging C++ and High-Level Synthesis. We also expect to have prototype implementations of the developed techniques on FPGA and ASIC.

Desired skills include:

Computer architecture, hardware design, VLSI circuit design. Basic knowledge in compilers.
Familiarity with the C/C++ language or other languages. Familiarity with FPGA/ASIC design and/or High-Level Synthesis. Optimization methods

Mostly importantly, we seek highly motivated and active researchers.


  • Subsidized meals
  • Partial reimbursement of public transport costs
  • Possibility of teleworking ( 90 days per year) and flexible organization of working hours
  • partial payment of insurance costs


monthly gross salary amounting to 1982 euros for the first and second years and 2085 euros for the third year