Secure Multi-Domain VLSI Architecture with Hardware-Enforced Trusted Execution for Edge AI Devices

Abstract

The use of Artificial Intelligence (AI) in the edge in rapid proliferation is the prime cause of enormous security vulnerabilities since such devices are likely to be deployed in physically accessible location that are highly vulnerable to side-channel and memory injection attacks. Custom software Trusted Execution Environments (TEEs) can sometimes be prohibitively costly in terms of computational overhead and latency (TEE), and cannot be implemented on power-limited IoT hardware. The suggested paper presents an innovative design of Secure Multi-Domain VLSI which is aimed at offering hardware-enforced isolation of Edge AI workloads. The architecture has a domain physical gate-level separation of the Public, AI-Inference, and Secure-Key domains, such that sensitive model weights and biometric data are disconnected with the compromised system components. The design combines low-power Security Primitives and one Physically Unclonable Function (PUF) to generate unique keys to a device and also a high-throughput AES-GCM cryptographic engine to perform real-time data integrity. It was designed and synthesized in Verilog HDL and a then-state of the art [e.g. 28nm/45nm] CMOS technology node. As indicated in the results of the experiments, the proposed hardware-enforced TEE can implement high throughput inference at a Total Power Consumption of [X] mW or at most a [X] % of the overhead versus non-secure baseline architectures. The study offers a scalable topology of the Security-by-Design in next-generation Edge AI chip, to offer an adequate protection on a chip-silicon level and at the same time meet the high power-usage demands of battery-powered machines.