
TWI880680B - Device for executing machine learning model inference - Google Patents


Info

Publication number: TWI880680B
Authority: TW (Taiwan)
Prior art keywords: machine learning, learning model, memory, electronic device, processing circuit
Application number: TW113110025A
Other languages: Chinese (zh)
Other versions: TW202538579A (en)
Inventors: 藍祥予, 林家慶, 郭尚睿, 張明清, 陳維超
Original assignee: 英業達股份有限公司
Application filed by 英業達股份有限公司
Priority to TW113110025A (patent TWI880680B)
Application granted
Publication of TWI880680B
Publication of TW202538579A

Landscapes

  • Storage Device Security (AREA)

Abstract

A device for executing machine learning inference is provided. The device includes a computer and a trusted processing circuit. The computer receives a random seed generated by an electronic device. The trusted processing circuit includes a secure circuit and a processing element array. The secure circuit has a first public key and a first private key embedded in it. The secure circuit generates a proof from the random seed, the first public key and the first private key. The computer outputs the proof and the first public key to the electronic device. The electronic device determines whether to output an encrypted machine learning model to the computer. The secure circuit decrypts the encrypted machine learning model to obtain the machine learning model. The processing element array executes the inference of the machine learning model as a confidential computation.

Description

Device for executing machine learning model inference

This disclosure relates to a device for executing a machine learning model, and in particular to a device that executes a machine learning model using identity authentication techniques.

As the cost of training machine learning models keeps rising, protecting the confidentiality of machine learning models has become an important issue in selling and deploying machine learning products. When a model provider sells or supplies a machine learning model to a model user, it must grant only the right to use the model, ensuring that others cannot easily obtain the model's confidential information, including its structure and weights. In addition, the proprietary data that enterprises use to train or run inference with machine learning models is itself highly confidential, and the risk of that data leaking as the model is used must be avoided. Technology that delivers a model to a user while still protecting the model's confidentiality is called secure computing or confidential computing.

According to some embodiments of the present disclosure, a device for executing machine learning model inference is provided. The device includes a host and a trusted processing circuit. The host receives a random seed generated by an electronic device. The trusted processing circuit includes a privacy circuit. The privacy circuit has an embedded first public key and first private key, and generates a proof from the random seed, the first public key and the first private key. The host outputs the proof and the first public key to the electronic device so that the electronic device can decide whether to send an encrypted machine learning model to the host. The privacy circuit decrypts the encrypted machine learning model to produce the machine learning model. A processing element array securely computes the inference operation of the machine learning model.

In some embodiments, the first public key is registered in a database so that the electronic device can use the received first public key to query whether the trusted processing circuit is legitimate hardware.

In some embodiments, the host includes a memory and a processor. The processor writes the encrypted machine learning model into the memory. The trusted processing circuit further includes an oblivious memory controller and a bus. The oblivious memory controller is coupled to the memory and reads the encrypted machine learning model from it. The bus transfers the encrypted machine learning model to the privacy circuit.

In some embodiments, the bus transfers the machine learning model from the privacy circuit to the oblivious memory controller, and the oblivious memory controller writes the machine learning model into the memory using an access method different from the processor's.

In some embodiments, the trusted processing circuit further includes a controller. During the inference operation the controller requests the oblivious memory controller to read the first layer of the machine learning model. The processing element array generates a first feature from the input data and the first layer. Based on the size of the first feature, the controller decides whether to store it in the memory or in the buffer memory of the trusted processing circuit.

In some embodiments, the oblivious memory controller writes the prediction data produced by the inference operation into the memory using the same access method as the processor.

According to some embodiments of the present disclosure, a device for executing machine learning model inference is provided, including a trusted processing circuit and a host. The trusted processing circuit includes a privacy circuit. The privacy circuit has an embedded first public key and first private key. The host outputs the first public key to an electronic device so that the electronic device can check whether the first public key is registered in a database and decide whether to transmit an encrypted machine learning model to the host. The privacy circuit decrypts the encrypted machine learning model with the first private key to produce the machine learning model. The trusted processing circuit securely computes the inference operation of the machine learning model.

In some embodiments, the privacy circuit decrypts the encrypted machine learning model to determine the usage restriction state. When the usage restriction state includes a number of uses, the trusted processing circuit refuses to execute the inference operation once the number of inference operations executed exceeds the number of uses. When the usage restriction state includes an expiration date, the trusted processing circuit refuses to execute the inference operation when the current time is earlier than the expiration date.

In some embodiments, the privacy circuit decrypts the encrypted machine learning model to determine the usage restriction state. When the usage restriction state includes a restricted-signature state, the host blinds the input data to produce blinded input data and transmits the blinded input data to the electronic device so that a blind signature operation is performed on the input data. The host receives the electronic device's second public key and the blinded signature that the electronic device produced from the blinded input data, and unblinds the blinded signature to produce a signature. The trusted processing circuit decides, based on the second public key and the signature, whether to execute the inference operation on the input data.
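The restricted-signature flow described above, as an added example that is not part of the patent and not the applicant's code. It uses Chaum-style RSA blind signatures: the host blinds the input, the model provider signs the blinded value without learning the input, the host unblinds, and the trusted processing circuit refuses to run inference on any input whose signature does not verify under the provider's second public key. The key material is a toy (two Mersenne primes giving a roughly 150-bit modulus) so the example runs offline with the standard library only; the function names, the placeholder inference output and the sample input are all my own constructions, not names from the patent.

```python
import hashlib
import math
import secrets

# Toy RSA key for the model provider (electronic device 200). Two known Mersenne
# primes keep the example self-contained; a deployment would use 3072-bit RSA or more.
_P = (1 << 61) - 1                      # 2^61 - 1
_Q = (1 << 89) - 1                      # 2^89 - 1
N = _P * _Q                             # modulus, part of the "second public key"
E = 65537                               # gcd(E, (p-1)(q-1)) == 1 for these primes
D = pow(E, -1, (_P - 1) * (_Q - 1))     # private exponent, held only by the provider
PK2 = (N, E)                            # second public key, handed to the host


def hash_to_int(x: bytes, n: int = N) -> int:
    """Map input data x into Z_n (a real deployment uses a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % n


def blind(x: bytes, pk=PK2):
    """Host (120): returns (blinded input, blinding factor r). r stays on the host."""
    n, e = pk
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:         # r must be invertible mod n for unblinding
            break
    return hash_to_int(x, n) * pow(r, e, n) % n, r


def sign_blinded(m_blind: int, d: int = D, n: int = N) -> int:
    """Model provider (200): signs the blinded value; it never sees x."""
    return pow(m_blind, d, n)


def unblind(s_blind: int, r: int, n: int = N) -> int:
    """Host (120): strips r, leaving a plain RSA signature on H(x)."""
    return s_blind * pow(r, -1, n) % n


def verify_signature(x: bytes, s: int, pk=PK2) -> bool:
    """Trusted processing circuit (110): s is valid iff s^e == H(x) mod n."""
    n, e = pk
    return pow(s, e, n) == hash_to_int(x, n)


def run_inference(x: bytes, s: int, pk=PK2):
    """Gate on the signature before any computation; None means inference was refused."""
    if not verify_signature(x, s, pk):
        return None
    return hashlib.sha256(b"inference:" + x).hexdigest()   # placeholder for the model output


def obtain_signature(x: bytes) -> int:
    """Full round trip: host blinds, provider signs, host unblinds."""
    m_blind, r = blind(x)
    return unblind(sign_blinded(m_blind), r)


if __name__ == "__main__":
    x = b"constructed input record #1"          # constructed sample input
    s = obtain_signature(x)
    print("signed input accepted:", run_inference(x, s) is not None)
    print("tampered input accepted:", run_inference(x + b"!", s) is not None)
```

The provider only ever sees `H(x) * r^e mod n`, which is uniformly distributed for a uniformly random `r`, so the input stays confidential on the host side; the trusted processing circuit, in turn, needs only the public `(N, E)` to decide whether an input was authorized.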

In some embodiments, the host includes a memory and a processor. The processor writes the encrypted machine learning model into the memory using a first addressing method. The trusted processing circuit further includes a memory controller. The memory controller writes the machine learning model into the memory using a second addressing method different from the first, so that the processor cannot read the machine learning model.

10: System
100: Electronic device
110: Trusted processing circuit
111: Controller
112: Bus
113: Controller
114: Buffer memory
115: Privacy circuit
116: Processing element array
120: Host
121: Processor
122: Memory
200: Electronic device
201: Processor
202: Memory
300: Electronic device
301: Processor
302: Memory
303: Database
20: Method
S10-S14: Steps
S20-S24: Steps
S30-S32: Steps
S40: Step
S50-S56: Steps
S60: Step

To make the above and other objects, features, advantages and embodiments of the present invention clearer and easier to understand, the attached drawings are described as follows: FIG. 1 is a schematic diagram of a system 10 according to some embodiments of the present disclosure; FIG. 2 is a flowchart of a method 20 for operating the system 10 shown in FIG. 1 according to some embodiments of the present disclosure; FIG. 3 is a flowchart of some steps of the method 20 shown in FIG. 2 according to some embodiments of the present disclosure; and FIG. 4 is a flowchart of some steps of the method 20 shown in FIG. 2 according to some embodiments of the present disclosure.

Various embodiments of the present disclosure are described below with reference to the attached drawings. In the drawings, the same reference numerals denote the same or similar elements or method flows. Well-known elements and steps are not described in the embodiments, to avoid unnecessarily limiting the present invention.

Unless otherwise noted, the terms used in this disclosure have their ordinary meanings in the field. However, a person of ordinary skill in the art should understand that the same element or procedure may be referred to by different terms.

The terms "first", "second", etc. used herein do not denote any particular order or rank and are not used to limit the present invention; they merely distinguish elements or operations described with the same technical term. For example, a first element may be called a second element and, similarly, a second element may be called a first element, without departing from the scope of the disclosed embodiments.

Please refer to FIG. 1. FIG. 1 is a schematic diagram of a system 10 according to some embodiments of the present disclosure. The system 10 performs secure computation of a machine learning model so that neither the model provider's model secrets nor the model user's data secrets are leaked while the machine learning model is executed.

By way of illustration, the system 10 includes an electronic device 100 of a model user, an electronic device 200 of a model provider, and an electronic device 300 of a hardware provider. The electronic device 200 stores the machine learning model and provides a protected or encrypted machine learning model to the electronic device 100. The electronic device 100 stores test data and runs the machine learning model's inference on that test data. The electronic device 300 checks whether the hardware of the electronic device 100 has a qualified identity.

As shown in FIG. 1, the electronic device 100 includes a trusted processing circuit 110 and a host 120. The trusted processing circuit 110 is a processing circuit that supports trusted execution, for example a graphics processing unit circuit that supports trusted execution. In some embodiments, the trusted processing circuit 100 is a trusted neural processing unit (TNPU).

According to some embodiments, a trusted neural processing unit is a secure neural network accelerator that uses hardware to ensure that user data and model parameters remain confidential in an untrusted environment. Because a trusted neural processing unit can be customized for the neural network, it performs secure neural network inference more efficiently than some other methods.

In some embodiments, the trusted processing circuit 110 includes a controller 111, a bus 112, a controller 113, a buffer memory 114, a privacy circuit 115 and a processing element array 116. In some embodiments, the bus is a system on a chip (SoC) bus. The controller 113 is an oblivious random access memory (ORAM) controller. The buffer memory 114 is an on-chip buffer. The privacy circuit 115 includes a privacy module circuit that supports security-related functions.

In some embodiments, the host 120 and the electronic devices 200 and 300 are computer hosts, such as laptop computers, desktop computers or mainframe computers. The host 120 and the electronic devices 200 and 300 include processors 121, 201 and 301 and memories 122, 202 and 302, respectively. The electronic device 300 further includes a database 303.

According to some embodiments, each of the processors 121, 201 and 301 includes a central processing unit (CPU), or another programmable general-purpose or special-purpose micro control unit (MCU), microprocessor, digital signal processor (DSP), programmable controller, application specific integrated circuit (ASIC), graphics processing unit (GPU), arithmetic logic unit (ALU), complex programmable logic device (CPLD), field programmable gate array (FPGA), other similar component, or a combination of the above.

Each of the memories 122, 202 and 302 includes static random access memory (SRAM), dynamic random access memory (DRAM), other suitable memory, or a combination of the above.

In the embodiment shown in FIG. 1, the trusted processing circuit 110 is coupled to the host 120. The host 120 is coupled to the electronic device 200. The electronic device 200 is coupled to the electronic device 300. It should be understood that in the embodiments, a description involving "coupling" may refer generally to one element being electrically coupled to another element indirectly through other elements, or to one element being electrically coupled to another element directly without passing through other elements.

For example, in some embodiments, the trusted processing circuit 110 is directly coupled to an input/output (I/O) interface of the host 120. The host 120 connects to the electronic device 200 over the Internet. The electronic device 200 connects to the electronic device 300 over the Internet.

In some embodiments, the bus 112 is coupled to the controllers 111 and 113, the buffer memory 114, the privacy circuit 115 and the processing element array 116. The controller 111 is coupled to the processor 121. The controller 113 is coupled to the memory 122. The processor 121 is coupled to the memory 122. The processor 201 is coupled to the memory 202. The processor 301 is coupled to the memory 302 and the database 303.

According to some embodiments, when the trusted processing circuit 110 leaves the factory, its identity (ID) and public key pkt are registered with the electronic device 300. In some embodiments, the database 303 stores the identities and public keys of all trusted processing circuits manufactured by the hardware provider, including the ID and public key pkt of the trusted processing circuit 110. In some embodiments, the database 303 is a tamper-resistant database, for example a blockchain database or a database protected by any suitable tool.

The processor 301 performs query operations on the database 303 and secure communication between the electronic devices 300 and 200. Secure communication ensures, for example by encryption, that the confidential parts of the data transmitted between the two devices are not leaked. The memory 302 provides temporary data storage for the electronic device 300.

The processor 201 performs secure communication with the trusted processing circuit 110, the host 120 and the electronic device 300, respectively. The processor 201 also encrypts the machine learning model stored in the electronic device 200. The processor 201 also executes an identification scheme for the electronic device 100. The processor 201 also performs a blind signature operation on data from the electronic device 100. The memory 202 provides temporary data storage for the electronic device 200.

The processor 121 performs secure communication with the electronic device 200 and the trusted processing circuit 110. The processor 201 also transmits data to the trusted processing circuit 110 to carry out secure computation of the encrypted machine learning model. The processor 201 also requests the electronic device 200 to perform a blind signature.

In some embodiments, the controller 111 receives instructions from the processor 121. In some embodiments, the controller 111 and the privacy circuit 115 perform secure communication with the electronic device 200 and the host 120, respectively.

The bus 112 transfers data and signals among the controller 111, the controller 113, the buffer memory 114, the privacy circuit 115 and the processing element array 116.

The controller 113 reads and writes the memory 122. The controller 113 protects data access between the trusted processing circuit 110 and the memory 122, ensuring that the host 120 cannot obtain the secrets in the data that the controller 113 writes to the memory 122. Specifically, in some embodiments, the controller 113 uses an access pattern different from the processor 121's to protect the secrets in the data it writes to the memory 122.

The buffer memory 114 provides temporary storage for operations performed inside the trusted processing circuit 110.

In some embodiments, the trusted processing circuit 110 stores its own ID, public key pkt and private key skt. Devices or circuits outside the trusted processing circuit 110 (such as the host 120) cannot access the private key skt, so the model user cannot obtain the private key skt. In some embodiments, one or more of the ID, public key pkt and private key skt of the trusted processing circuit 110 are embedded in the privacy circuit 115. For example, in some embodiments, one or more of the ID, public key pkt and private key skt of the trusted processing circuit 110 are the key of a physical unclonable function (PUF) of the privacy circuit 115. As another example, the privacy circuit 115 includes a one-time programmable (OTP) memory that stores one or more of the ID, public key pkt and private key skt of the trusted processing circuit 110.

The processing element array 116 performs inference acceleration for the machine learning model.

The configuration of FIG. 1 is given for illustrative purposes. Various embodiments based on FIG. 1 fall within the contemplated scope of the present disclosure. For example, the couplings shown in FIG. 1 can be replaced by signal connections such as wireless or optical transmission. For instance, the electronic device 100 connects to the electronic device 200 by wireless communication, and the electronic device 200 connects to the electronic device 300 by wireless communication.

Please refer to FIG. 2 to FIG. 4. FIG. 2 is a flowchart of a method 20 for operating the system 10 shown in FIG. 1 according to some embodiments of the present disclosure. FIG. 3 and FIG. 4 are flowcharts of some steps of the method 20 shown in FIG. 2 according to some embodiments of the present disclosure.

As shown in FIG. 2, the method 20 includes steps S10-S60. In some embodiments, as shown in FIG. 3, step S10 includes steps S11-S14 and step S20 includes steps S21-S24. In some embodiments, as shown in FIG. 4, step S30 includes steps S31-S32 and step S50 includes steps S51-S56.

In some embodiments, the method 20 operates the system 10 to perform secure machine learning model inference, protecting the confidentiality of data transmission and of the inference itself through an identification scheme, encryption of the machine learning model, blind signatures on the input data, secure communication and secure execution.

Please refer to FIG. 1 to FIG. 3 together. Steps S10-S20 carry out the identification scheme for the trusted processing circuit 110. In step S10, the system 10 generates a proof of identity for the trusted processing circuit 110. In step S20, the system 10 verifies that proof.

As shown in FIG. 3, in step S11 the processor 201 executes a random seed generation operation RandomSeed( ) to generate a random seed R.

In step S12, the processor 201 communicates securely with the trusted processing circuit 110 to output the random seed R to it. In some embodiments, the processor 201 outputs the random seed R to the host 120, and the host 120 outputs the random seed R to the trusted processing circuit 110.

In step S13, the electronic device 100 generates a proof P showing that it has a legitimate trusted processing circuit 110. In some embodiments, the trusted processing circuit 110 executes the commit operation Commit(R, pkt, skt) of the identification scheme on the random seed R, the public key pkt and the private key skt to generate the proof P. In some embodiments, the controller 111 receives an instruction from the processor 121 requesting the privacy circuit 115 to execute the commit operation.

In step S14, the trusted processing circuit 110 uses secure communication to output the proof P, the public key pkt and the ID to the host 120. The host 120 outputs the proof P, the public key pkt and the ID to the electronic device 200.

In step S21, the processor 201 executes the verification operation Verify(pkt, P, R) of the identification scheme on the public key pkt, the proof P and the random seed R to produce a verification result V. From the verification result V, the processor 201 determines whether the trusted processing circuit 110 holds the private key skt matching the public key pkt. For example, when the verification result V has a first value such as True, the processor 201 determines that the trusted processing circuit 110 holds the private key skt corresponding to the public key pkt. Conversely, when the verification result V has a second value different from the first, such as False, the processor 201 determines that the trusted processing circuit 110 does not hold the private key skt corresponding to the public key pkt.

In step S22, the processor 201 uses secure communication to output the public key pkt and the ID to the electronic device 300. In some embodiments, the processor 201 outputs the public key pkt and the ID to the electronic device 300 when it determines that the trusted processing circuit 110 holds the private key skt corresponding to the public key pkt, and does not output them when it determines that the trusted processing circuit 110 does not hold that private key.

In step S23, the processor 301 executes the check operation Check(pkt, ID) on the public key pkt and the ID to produce a check result C. In the check operation Check(pkt, ID), the processor 301 queries whether the public key pkt and the ID received from the processor 201 are registered, that is, whether they are recorded in the same registration record in the database 303. If the public key pkt and the ID are registered, a trusted processing circuit with that public key pkt and ID has been shipped from the factory. When the processor 301 determines that the public key pkt and the ID are registered, it produces a check result C with a first value (for example True). When the processor 301 determines that they are not registered, it produces a check result C with a second value different from the first (for example False).

In step S24, the processor 301 uses secure communication to output the check result C to the electronic device 200. In some embodiments, the processor 201 determines from the check result C whether the public key pkt and the ID are registered. When the check result C has the first value (for example True), the processor 201 determines that the public key pkt and the ID are registered. Conversely, when the check result C has the second value (for example False), the processor 201 determines that they are not registered.

在一些實施例中,處理器201根據驗證結果V及檢查結果C判斷電子裝置100是否通過驗證(即是否具有合法的可信任處理電路110)。當驗證結果V及檢查結果C具有第一值(例如True)時,處理器201判斷電子裝置100通過驗證。當驗證結果V及/或檢查結果C具有第二值(例如False)時,處理器201判斷電子裝置100通過驗證。在一些實施例中,電子裝置100通過驗證表示只有可信任處理電路110具有可以解密公鑰pkt的私鑰skt。 In some embodiments, the processor 201 determines whether the electronic device 100 has passed the verification (i.e., whether it has a legitimate trusted processing circuit 110) based on the verification result V and the check result C. When the verification result V and the check result C have a first value (e.g., True), the processor 201 determines that the electronic device 100 has passed the verification. When the verification result V and/or the check result C have a second value (e.g., False), the processor 201 determines that the electronic device 100 has passed the verification. In some embodiments, the electronic device 100 passing the verification means that only the trusted processing circuit 110 has the private key skt that can decrypt the public key pkt.

Refer to Figures 1 to 4 together. In step S30, the system 10 encrypts the machine learning model. In some embodiments, the system 10 executes step S30 only when the electronic device 100 was determined in step S20 to pass verification; when the electronic device 100 was determined in step S20 not to pass verification, the system 10 does not execute step S30.

In step S31, the processor 201 performs the encryption operation Enc(pkt, M) under the public key pkt on the machine learning model M stored in the electronic device 200, producing the encrypted machine learning model M'.

In some embodiments, the model provider decides the usage restrictions of the machine learning model M. During encryption, the processor 201 stores a restriction state (state) indicating the usage restrictions of M inside the encrypted machine learning model M'.

In some embodiments, the model provider decides whether the input data (test data) must be signed, which restricts the input data on which the model user can run inference. When the model provider decides that the input data (test data) must be signed, the processor 201 in step S31 stores a restriction state containing a state s in M', where the state s indicates that the input data must be signed.

In some embodiments, the model provider decides how many times the machine learning model M may be used, which restricts the number of inferences the model user can run. When the model provider decides that M has a usage-count limit, the processor 201 in step S31 stores a restriction state containing a state c in M', where the state c indicates that M has a usage-count limit. In some embodiments, the state c carries the permitted number of uses N.

In some embodiments, the model provider decides the usage period of the machine learning model M, which restricts the period during which the model user can run inference. When the model provider decides that M has a usage-time limit, the processor 201 in step S31 stores a restriction state containing a state t in M', where the state t indicates that M has a usage-time limit. In some embodiments, the state t carries the permitted usage time T. In some embodiments, the usage time T is the usage period (expiry) of M.

In some embodiments, when the model provider decides that the machine learning model M has no usage restriction, the processor 201 in step S31 stores a restriction state containing a state n in M', where the state n indicates that M has no usage restriction at all.

In step S32, the processor 201 uses the secure communication channel with the trusted processing circuit 110 to output the encrypted machine learning model M' to the trusted processing circuit 110. In some embodiments, the processor 121 receives M' and passes it on to the controller 111.

In step S40, the system 10 determines whether the input data (test data) for the machine learning model M must be signed. In some embodiments, when the processor 121 determines that the restriction state contains the state s (i.e., M accepts only signed input data), the system 10 executes step S50. Otherwise, when the processor 121 determines that the restriction state does not contain the state s, the system 10 does not execute step S50.

In step S50, the system 10 blind-signs the input data (test data) X stored in the electronic device 100 to produce signed test data that the machine learning model M is permitted to process. The input data X is the test data on which the model user wants to run inference with M.

In step S51, the processor 121 performs the blinding operation Blinding(X) of the blind-signature scheme on the input data X to produce the blinded data X'.

In step S52, the processor 121 uses the secure communication channel with the electronic device 200 to output the blinded data X' to the electronic device 200.

In step S53, the processor 201 performs the blind-signature key generation operation GenSignKey to produce the private key sks and the public key pks. The system 10 performs the blind signature with the private key sks and the public key pks.

In step S54, the processor 201 performs the signing operation Sign(sks, X') of the blind-signature scheme on the blinded data X' with the private key sks to produce the blinded signature S'.

In step S55, the processor 201 uses the secure communication channel with the host 120 to output the blinded signature S' to the host 120.

In some embodiments, the processor 201 additionally uses the secure communication channel with the trusted processing circuit 110 to output the public key pks to the trusted processing circuit 110.

In step S56, the processor 121 performs the unblinding operation UnBlinding(S') of the blind-signature scheme on the blinded signature S' to produce the signature S.

As shown in Figure 4, when the system 10 determines in step S40 that the input data must be signed, the system 10 executes step S50 and then step S60. Otherwise, when the system 10 determines in step S40 that the input data need not be signed, the system 10 proceeds directly to step S60.
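The blind-signature exchange of steps S51 to S56, together with the Verify(pks, X, S) operation the controller 111 applies in step S60, as an added example that is not part of the patent: a textbook RSA blind signature in Python with constructed toy parameters. It assumes the host already holds pks when blinding (RSA blinding needs the public key, so here GenSignKey runs before Blinding) and that X is mapped to an integer by hashing; the page fixes neither the scheme nor the encoding.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA parameters (two well-known primes, about a 60-bit modulus) so the
# block runs offline; a deployment uses properly generated keys of secure size.
TOY_P = 1000000007
TOY_Q = 998244353
PUBLIC_EXPONENT = 65537


def gen_sign_key(p=TOY_P, q=TOY_Q, e=PUBLIC_EXPONENT):
    """GenSignKey (step S53, model provider / processor 201): returns (sks, pks)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible modulo phi(n)")
    d = pow(e, -1, phi)
    return (d, n), (e, n)


def message_digest(x: bytes, n: int) -> int:
    """Map the input data X to an integer below n (assumed encoding: SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % n


def blinding(x: bytes, pks):
    """Blinding(X) (step S51, host / processor 121): returns the blinded data X' and the
    blinding factor r, which the host keeps secret until unblinding."""
    e, n = pks
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    x_blind = (message_digest(x, n) * pow(r, e, n)) % n
    return x_blind, r


def sign(sks, x_blind: int) -> int:
    """Sign(sks, X') (step S54, model provider): the provider signs the blinded value and
    therefore never sees the input data X itself."""
    d, n = sks
    return pow(x_blind, d, n)


def unblinding(s_blind: int, r: int, pks) -> int:
    """UnBlinding(S') (step S56, host): remove the blinding factor to obtain S."""
    _, n = pks
    return (s_blind * pow(r, -1, n)) % n


def verify(pks, x: bytes, s: int) -> bool:
    """Verify(pks, X, S) (step S60, controller 111): True when S is a valid signature on X."""
    e, n = pks
    return pow(s, e, n) == message_digest(x, n)


def run_protocol(x: bytes):
    """The whole S50 exchange; returns (pks, S) for the controller to check in S60."""
    sks, pks = gen_sign_key()          # S53: provider keys (pks is also sent to the TPC)
    x_blind, r = blinding(x, pks)      # S51: host blinds X; S52: X' goes to the provider
    s_blind = sign(sks, x_blind)       # S54: provider signs X'; S55: S' returns to the host
    s = unblinding(s_blind, r, pks)    # S56: host recovers the signature S on X
    return pks, s


if __name__ == "__main__":
    sample_x = b"constructed test data X"
    pks, s = run_protocol(sample_x)
    print("signature valid:", verify(pks, sample_x, s))   # True
```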

In step S60, the system 10 securely executes inference of the machine learning model M. In some embodiments, the controller 103 performs oblivious read and write operations (e.g., using an addressing scheme different from that of the processor 121) so that the inference is executed securely.

In some embodiments, in step S60 the processor 121 stores the encrypted machine learning model M' in the memory 122.

The controller 111 requests the privacy circuit 115 to decrypt the encrypted machine learning model M' into the machine learning model M. The controller 113 stores M in the memory 122. In some embodiments, the controller 113 writes M into the memory 122 obliviously.

In some embodiments, the processor 121 stores the input data X in the memory 122; X serves as the input for the inference operation of M that the controller 111 executes.

The controller 111 decrypts M' to obtain the restriction state of the machine learning model M and checks which states the restriction state contains.

When the controller 111 finds that the restriction state of M contains the state s (i.e., the input data must be signed), the processor 121 stores the signature S and the public key pks in the memory 122.

Next, the controller 111 performs the verification operation Verify(pks, X, S) of the blind-signature scheme to determine from the public key pks and the input data X whether the signature S is correct (i.e., whether the input data X matches the signature S). In some embodiments, the controller 111 performs Verify(pks, X, S) on pks, X and S to produce a verification result. When this verification result has a first value (e.g., True), the controller 111 determines that the signature S is correct; when it has a second value different from the first (e.g., False), the controller 111 determines that the signature S is incorrect.

When the controller 111 determines that the signature S is correct, it performs the model inference operation Model(M, X) of the machine learning model M on the input data X to produce the prediction data Y.

When the controller 111 finds that the restriction state of M contains the state c (i.e., there is a usage-count limit), the controller 111 keeps a count value in the buffer memory 114. In some embodiments, the initial count value is 0 or 1. Each time the controller 111 executes the model inference operation Model(M, X), it adds 1 to the count value. When the count value exceeds the permitted number of uses N, the controller 111 no longer executes (prohibits) Model(M, X).

When the controller 111 finds that the restriction state of M contains the state t (i.e., there is a usage-time limit), the controller 111 checks before each execution of Model(M, X) whether the current time lies within the permitted usage time T. When the current time is earlier than or equal to T, the controller 111 executes Model(M, X); when the current time is later than T, the controller 111 no longer executes Model(M, X).

When the controller 111 finds that the restriction state of M contains the state n (i.e., there is no restriction), the controller 111 executes Model(M, X) directly.

According to some embodiments, during the model inference operation Model(M, X), the controller 111 requests the controller 113 to read the first layer of the machine learning model M (e.g., the weights of the first layer) from the memory 122. The processing element array 116 computes the first-layer features from the input data X and the first layer of M. The controller 111 determines the size (occupied capacity) of the first-layer features and decides whether to store them in the buffer memory 114 or in the memory 122: when their size is below a threshold, the first-layer features are stored in the buffer memory 114; when their size exceeds the threshold, they are stored in the memory 122.

Next, the controller 111 requests the controller 113 to read the second layer of M from the memory 122, and the processing element array 116 computes the second-layer features from the first-layer features and the second layer of M. As in the preceding paragraph, the controller 111 determines the size of the second-layer features and accordingly stores them in the buffer memory 114 or the memory 122.

The controller 111 repeats the same operations for the remaining layers of M to produce the features of every layer and finally the prediction data Y.

The controller 111 requests the controller 113 to store the prediction data Y in the memory 122 in unencrypted form (e.g., without the oblivious write operation). When the controller 111 completes Model(M, X), it sends an end signal to the processor 121 indicating that the model inference operation Model(M, X) has finished.

It should be understood that the steps of the method 20 shown in Figures 2 to 4 may, unless their order is expressly stated, be reordered as needed, and may even be performed concurrently or partially concurrently. Additional operations may be provided before, during and after the steps shown in Figures 2 to 4, and some of the operations described above may be replaced or omitted to obtain further embodiments of the method 20.

In summary, the present disclosure provides a system and method for performing machine learning model inference. The system encrypts the model provider's machine learning model to protect the confidential content of the model. In addition, the system authenticates the model user's trusted processing circuit to ensure that only that trusted processing circuit can decrypt the encrypted machine learning model. The system further supports secure communication and secure computation so that the confidential content of the model is not leaked.

The features of several embodiments are outlined above so that those skilled in the art may better understand the aspects of an embodiment of the present disclosure. Those skilled in the art should appreciate that they may readily use an embodiment of the present disclosure as a basis for designing or modifying other processes and structures to achieve the same purposes and/or the same advantages of the embodiments introduced herein. Those skilled in the art should also recognize that such equivalent constructions do not depart from the spirit and scope of an embodiment of the present disclosure, and that they may make various changes, substitutions and alterations herein without departing from that spirit and scope.
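How the controller 111 enforces the restriction state (states s, c, t and n from step S31) before each Model(M, X), and how features are placed in buffer memory 114 or memory 122 by size, as an added example that is not part of the patent. The RestrictionState encoding, the threshold value, the SHA-256 stand-in for Verify(pks, X, S) and the toy two-layer model are assumptions.

```python
import time
from dataclasses import dataclass
from hashlib import sha256
from typing import Callable, List, Optional, Sequence

Vector = Sequence[float]
Matrix = List[List[float]]


@dataclass(frozen=True)
class RestrictionState:
    """Restriction state the provider stores inside M' in step S31 (assumed encoding;
    the page names the states s, c, t and n but fixes no format)."""
    requires_signature: bool = False   # state s: only signed input data X is accepted
    usage_limit: Optional[int] = None  # state c: at most N inferences
    expiry: Optional[float] = None     # state t: no inference after time T (UNIX seconds)

    def is_unrestricted(self) -> bool:  # state n
        return not self.requires_signature and self.usage_limit is None and self.expiry is None


def infer_layers(model: Sequence[Matrix], x: Vector, threshold: int):
    """Model(M, X) layer by layer: each layer is a weight matrix applied to the previous
    layer's features. Also records where controller 111 would keep each layer's features:
    buffer memory 114 when the vector is smaller than the threshold, host memory 122
    otherwise (the page does not say which side the equal case falls on)."""
    features = list(x)
    placements = []
    for layer in model:
        features = [sum(w * v for w, v in zip(row, features)) for row in layer]
        placements.append("buffer" if len(features) < threshold else "memory")
    return features, placements


def make_tag(x: Vector) -> bytes:
    """Constructed stand-in for the signature S on X (a SHA-256 tag), used only so the
    block runs stand-alone; a deployment uses the blind-signature scheme's S."""
    return sha256(repr(tuple(x)).encode()).digest()


def stand_in_verify(pks, x: Vector, signature: bytes) -> bool:
    """Constructed stand-in for Verify(pks, X, S); this stand-in ignores pks."""
    return signature == make_tag(x)


class InferenceController:
    """Stands in for controller 111: checks the restriction state before every Model(M, X)."""

    def __init__(self, model, state: RestrictionState,
                 verify_fn: Optional[Callable] = None, now_fn=time.time, threshold: int = 4):
        self.model = model
        self.state = state
        self.verify_fn = verify_fn   # Verify(pks, X, S)
        self.now_fn = now_fn         # injectable clock, so the time limit can be tested
        self.threshold = threshold
        # Count value kept in buffer memory 114. The page allows an initial value of 0 or 1;
        # with 1 and the "count > N" test below exactly N inferences are allowed, with 0 it
        # would be N + 1.
        self.count = 1

    def infer(self, x: Vector, signature: Optional[bytes] = None, pks=None):
        st = self.state
        if st.requires_signature and (                                    # state s
                self.verify_fn is None or signature is None
                or not self.verify_fn(pks, x, signature)):
            raise PermissionError("input data X is not correctly signed")
        if st.usage_limit is not None and self.count > st.usage_limit:   # state c
            raise PermissionError("usage count N exhausted")
        if st.expiry is not None and self.now_fn() > st.expiry:          # state t
            raise PermissionError("usage time T has passed")
        prediction, placements = infer_layers(self.model, x, self.threshold)
        self.count += 1              # one more Model(M, X) executed
        return prediction, placements


# Constructed two-layer model M and input X for a stand-alone run.
TOY_MODEL: List[Matrix] = [
    [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]],  # layer 1: 2 inputs -> 3 features
    [[1.0, 1.0, 1.0]],                     # layer 2: 3 features -> 1 prediction
]
TOY_X = (2.0, 3.0)

if __name__ == "__main__":
    ctl = InferenceController(TOY_MODEL, RestrictionState(requires_signature=True, usage_limit=2),
                              verify_fn=stand_in_verify)
    print(ctl.infer(TOY_X, signature=make_tag(TOY_X)))   # ([10.0], ['buffer', 'buffer'])
```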

10: system
100: electronic device
110: trusted processing circuit
111: controller
112: bus
113: controller
114: buffer memory
115: privacy circuit
116: processing element array
120: host
121: processor
122: memory
200: electronic device
201: processor
202: memory
300: electronic device
301: processor
302: memory
303: database

Claims (10)

1. A device for performing machine learning model inference, comprising: a host for receiving a random seed generated by an electronic device; and a trusted processing circuit, comprising: a privacy circuit having an embedded first public key and an embedded first private key, the privacy circuit being configured to generate a proof from the random seed, the first public key and the first private key, wherein the host is further configured to output the proof and the first public key to the electronic device so that the electronic device determines whether to output an encrypted machine learning model to the host, and wherein the privacy circuit is further configured to decrypt the encrypted machine learning model to produce a machine learning model; and a processing element array configured to securely compute an inference operation of the machine learning model.

2. The device of claim 1, wherein the first public key is registered in a database so that the electronic device can look up, from the received first public key, whether the trusted processing circuit is legitimate hardware.

3. The device of claim 1, wherein the host comprises: a memory; and a processor configured to write the encrypted machine learning model into the memory, and wherein the trusted processing circuit further comprises: an oblivious memory controller coupled to the memory and configured to read the encrypted machine learning model from the memory; and a bus configured to transfer the encrypted machine learning model to the privacy circuit.

4. The device of claim 3, wherein the bus is further configured to transfer the machine learning model from the privacy circuit to the oblivious memory controller, and wherein the oblivious memory controller is further configured to write the machine learning model into the memory using an access method different from that of the processor.

5. The device of claim 4, wherein the trusted processing circuit further comprises: a controller configured to request, during the inference operation, that the oblivious memory controller read a first layer of the machine learning model, wherein the processing element array is further configured to generate a first feature from input data and the first layer, and wherein the controller is further configured to decide, from the size of the first feature, whether to store the first feature in the memory or in a buffer memory of the trusted processing circuit.

6. The device of claim 4, wherein the oblivious memory controller is further configured to write prediction data produced by the inference operation into the memory using the same access method as the processor.

7. A device for performing machine learning model inference, comprising: a trusted processing circuit, comprising: a privacy circuit having an embedded first public key and an embedded first private key; and a host configured to output the first public key to an electronic device so that the electronic device checks whether the first public key is registered in a database in order to determine whether to transmit an encrypted machine learning model to the host, wherein the privacy circuit is further configured to decrypt the encrypted machine learning model with the first private key to produce a machine learning model, and wherein the trusted processing circuit is configured to securely compute an inference operation of the machine learning model.

8. The device of claim 7, wherein the privacy circuit is further configured to decrypt the encrypted machine learning model to determine a usage restriction state; wherein, when the usage restriction state includes a usage count, the trusted processing circuit prohibits execution of the inference operation once the number of executions of the inference operation exceeds the usage count; and wherein, when the usage restriction state includes a usage period, the trusted processing circuit prohibits execution of the inference operation when the current time is earlier than the usage period.

9. The device of claim 7, wherein the privacy circuit is further configured to decrypt the encrypted machine learning model to determine a usage restriction state; wherein, when the usage restriction state includes a restricted-signature state, the host is further configured to blind input data to produce blinded input data and to transmit the blinded input data to the electronic device for a blind signature operation on the input data; wherein the host is further configured to receive a second public key of the electronic device and a blinded signature that the electronic device produces from the blinded input data, and to unblind the blinded signature to produce a signature; and wherein the trusted processing circuit determines, from the second public key and the signature, whether to execute the inference operation on the input data.

10. The device of claim 7, wherein the host comprises: a memory; and a processor configured to write the encrypted machine learning model into the memory using a first addressing method, and wherein the trusted processing circuit further comprises: a memory controller configured to write the machine learning model into the memory using a second addressing method different from the first addressing method, so as to prevent the processor from reading the machine learning model.
TW113110025A 2024-03-18 2024-03-18 Device for executing machine learning model inference TWI880680B (en)


Publications (2)

Publication Number Publication Date
TWI880680B true TWI880680B (en) 2025-04-11
TW202538579A TW202538579A (en) 2025-10-01
