Data-Oblivious ML Accelerators using Hardware Security Extensions

Hossam ElAtali, John Z. Jekel, Lachlan J. Gunn, N. Asokan
2024-01-30
Abstract: Outsourced computation can put client data confidentiality at risk. Existing solutions are either inefficient or insufficiently secure: cryptographic techniques like fully-homomorphic encryption incur significant overheads, even with hardware assistance, while the complexity of hardware-assisted trusted execution environments has been exploited to leak secret data.
Cryptography and Security
What problem does this paper attempt to address?
### Problems the Paper Aims to Solve

This paper addresses the confidentiality of client data in outsourced computation. Specifically:

1. **Shortcomings of existing solutions**:
   - Cryptographic techniques such as fully homomorphic encryption protect the data, but their overhead is very high even with hardware acceleration.
   - Trusted execution environments (such as Intel SGX or Arm TrustZone) provide isolated execution, but they remain susceptible to side-channel attacks, and they require the code running inside the enclave to be trusted, which is unrealistic in many cases.

2. **Goals**:
   - Propose a new framework, Dolma, which applies dynamic information flow tracking (DIFT) to the Gemmini matrix multiplication accelerator so that client data stays confidential even in the presence of malware and server-side side-channel attacks.
   - Implement the DIFT logic in hardware in a way that keeps the area overhead far below what DIFT costs on a general-purpose processor.
   - Integrate Dolma with the BliMe framework to obtain end-to-end security guarantees.

### Main Contributions

1. **Design and implementation of Dolma**:
   - A minimal extension to the matrix multiplication accelerator that performs DIFT efficiently and preserves client data confidentiality.
   - An implementation of Dolma on the RISC-V Chipyard system, together with a performance evaluation.

2. **Performance overhead**:
   - On real machine learning workloads, Dolma adds very little overhead relative to the unprotected baseline (4.4% performance overhead, 16.5% resource-usage overhead).
   - Its performance overhead is far lower than that of state-of-the-art cryptographic solutions.

3. **Resource usage and scalability**:
   - The resource-usage overhead of Dolma is quantified, and its feasibility and scalability at large configurations are demonstrated.

4. **Security verification**:
   - The existing BliMe F* model is extended to model accelerator operations, and machine-verified security proofs are provided.

Through these contributions, the paper shows how confidential computation can be carried out efficiently and securely on hardware accelerators, addressing the key weaknesses of existing outsourced-computation solutions.
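To make the DIFT idea concrete, here is a small software model of taint-tracked matrix multiplication. It is an added illustration written for this page, not code from the paper, Dolma, Gemmini or BliMe: every value carries a "tainted" bit marking data derived from the client's confidential input, arithmetic propagates the bit (an output element is tainted if any contributing input was), and the model rejects any attempt to use a tainted value where it would influence a memory address or a control-flow decision, since those are the channels through which malware or side channels could leak it. The `Tagged`, `matmul`, `lookup`, `branch` and `argmax` names, the propagation rule and the sample matrices are all constructed assumptions for this example and simplify whatever policy the real hardware enforces.

```python
"""Constructed model of dynamic information flow tracking (DIFT) over a
matrix-multiply kernel. Illustration only; not Dolma/Gemmini/BliMe code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tagged:
    """A scalar with a confidentiality taint bit (True = derived from client data)."""
    value: int
    tainted: bool


class TaintViolation(Exception):
    """Raised when a tainted value would reach an address or a branch condition."""


def tadd(a: Tagged, b: Tagged) -> Tagged:
    # Taint propagates through arithmetic: any tainted operand taints the result.
    return Tagged(a.value + b.value, a.tainted or b.tainted)


def tmul(a: Tagged, b: Tagged) -> Tagged:
    return Tagged(a.value * b.value, a.tainted or b.tainted)


def tag_matrix(rows, tainted: bool):
    """Wrap a plain integer matrix as Tagged values with a uniform taint bit."""
    return [[Tagged(v, tainted) for v in row] for row in rows]


def values(m):
    return [[t.value for t in row] for row in m]


def taints(m):
    return [[t.tainted for t in row] for row in m]


def matmul(A, B):
    """Tagged matrix multiply: C[i][j] = sum_l A[i][l] * B[l][j].

    Each output element's taint is the OR of the taints of every input element
    that contributed to it, so confidential inputs yield confidential outputs.
    """
    n, k, m = len(A), len(B), len(B[0])
    assert all(len(row) == k for row in A), "inner dimensions must agree"
    out = []
    for i in range(n):
        row = []
        for j in range(m):
            acc = Tagged(0, False)  # accumulator starts public
            for l in range(k):
                acc = tadd(acc, tmul(A[i][l], B[l][j]))
            row.append(acc)
        out.append(row)
    return out


def argmax(row):
    """Index of the largest element; tainted if any element was, since the
    index is a function of confidential data."""
    best = 0
    for i in range(1, len(row)):
        if row[i].value > row[best].value:
            best = i
    return Tagged(best, any(t.tainted for t in row))


def lookup(table, index: Tagged):
    """Memory access by data-dependent index: forbidden on tainted data,
    because the access pattern would leak through the cache."""
    if index.tainted:
        raise TaintViolation("tainted value used as memory address")
    return table[index.value]


def branch(cond: Tagged) -> bool:
    """Control-flow decision: forbidden on tainted data for the same reason."""
    if cond.tainted:
        raise TaintViolation("tainted value used as branch condition")
    return cond.value != 0


# Constructed sample: X is a client's confidential input, W the server's public weights.
X = tag_matrix([[1, 2], [3, 4]], tainted=True)
W = tag_matrix([[5, 6], [7, 8]], tainted=False)


def run_inference():
    """Public weights times confidential input: result is fully tainted, and the
    predicted class index (argmax) inherits the taint."""
    logits = matmul(X, W)
    return values(logits), taints(logits), argmax(logits[0])


if __name__ == "__main__":
    vals, tnt, cls = run_inference()
    print("logits:", vals, "tainted:", tnt, "class:", cls)
    try:
        lookup(["cat", "dog"], cls)  # would leak the prediction via access pattern
    except TaintViolation as e:
        print("blocked:", e)
```

The useful observation is the last step: the prediction itself may legitimately be returned to the client, but the moment server-side code tries to index a table with it or branch on it the model refuses, which is exactly the class of leak (malware or microarchitectural side channel observing a data-dependent access) that the paper's threat model is concerned with. Multiplying two public matrices produces untainted output, so public-only work is not penalised.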