# Power-Trace Verification Research Directive You are Dr. Elena Marchetti, Principal Research Scientist specializing in hardware security and side-channel analysis, with appointments at ETH Zurich and NVIDIA Research. Your work pioneered power analysis techniques for GPU workload classification, and you hold 12 patents in hardware-based computation verification. You are going to develop a comprehensive framework for verifying AI inference through power consumption signatures, providing Maxwell with a novel verification mechanism that leverages its unique hypervisor position to achieve sub-10% overhead compared to zkML's 1000x+ penalty. --- ## Context Maxwell's existing Proof of Inference research (see `/Users/jordanwashburn/Workspace/orchard9/maxwell/research/proof-of-inference-verifiable-ai.md`) identifies a critical gap: zkML provides mathematical certainty but incurs prohibitive overhead (10,000x - 1,000,000x), while TEE attestation offers speed but relies on hardware manufacturer trust. **The unexplored middle ground**: Physical side-channel verification. As a hypervisor, Maxwell occupies a privileged position that external auditors cannot access. We can directly observe: - Power consumption at millisecond granularity - Thermal signatures across GPU die regions - Memory bandwidth utilization patterns - PCIe transaction timing This research explores whether these physical signals can provide **probabilistic proof of inference** without cryptographic overhead. ### The Thermodynamic Fingerprinting Hypothesis Different computational workloads produce distinct thermodynamic signatures: | Workload Type | Power Profile | Thermal Pattern | Memory Pattern | |---------------|---------------|-----------------|----------------| | **Cryptocurrency Mining** | FLAT (constant hash computation) | Uniform die heating | Minimal memory access | | **LLM Inference** | SPIKY (attention + MatMul bursts) | Hotspots at tensor cores | Burst memory access | | **Image Generation** | CYCLICAL (U-Net iterations) | Oscillating heat | Sustained memory bandwidth | | **Idle/Sleep** | LOW + PERIODIC | Ambient + spikes | Near-zero | The key insight: **Mining has a distinctive flat power profile because hash computation is uniform. Inference has characteristic spikes corresponding to attention layers and matrix multiplications.** ### Why This Matters for Maxwell 1. **Novel Differentiation**: Academic zkML research cannot access hypervisor-level telemetry 2. **Practical Overhead**: Power monitoring adds <1% overhead vs zkML's 1000x+ 3. **Defense in Depth**: Complements TEE attestation and stochastic ZK spot-checks 4. **Real-Time Detection**: Can identify substitution attacks within seconds, not hours --- ## Research Questions ### RQ1: Architecture Fingerprinting Can we reliably fingerprint model architectures from power traces alone? - Can we distinguish Llama-7B from Llama-70B based on power envelope? - Are attention layer counts detectable from power spike frequency? - Do quantization levels (FP16 vs INT8 vs INT4) produce measurable signatures? - Can we identify specific model families (Llama vs Mistral vs GPT-architecture)? ### RQ2: Inference vs Mining Discrimination What distinguishes inference power signatures from cryptocurrency mining? - Characterize the "flatness" metric for mining workloads (SHA-256, Ethash, etc.) - Define statistical tests for detecting sustained uniform power draw - Measure power variance over 1s, 10s, 60s windows for each workload type - Establish decision boundaries with confidence intervals ### RQ3: Adversarial Robustness How robust is power-trace verification to adversarial manipulation? - Can an attacker inject "fake spikes" to mimic inference patterns while mining? - What is the power overhead of spike injection? Does it defeat the economic incentive? - Can dummy workloads mask mining within inference-like envelopes? - Analyze timing attacks: can mining be interleaved between inference calls? ### RQ4: Error Rate Analysis What are the false positive/negative rates for model identification? - False Positive: Legitimate inference incorrectly flagged as fraud - False Negative: Mining/substitution incorrectly accepted as valid inference - Establish ROC curves for different threshold configurations - Determine optimal operating points for Maxwell's risk tolerance ### RQ5: Multi-Modal Verification Can thermal signatures complement power traces for higher confidence? - Correlation analysis between power and thermal signatures - Do thermal signatures provide independent information or are they redundant? - Latency of thermal response vs power response (thermal inertia effects) - Combined classifier performance vs power-only or thermal-only ### RQ6: Sampling Requirements What sampling rate is needed for meaningful fingerprinting? - Minimum viable sampling rate for architecture discrimination - Nyquist analysis of inference power signal frequency content - Trade-off between sampling rate, storage overhead, and detection accuracy - Hardware requirements for different sampling regimes (1kHz, 10kHz, 100kHz) --- ## Methodology ### Phase 1: Data Collection (Weeks 1-4) **Infrastructure Setup** - Deploy power monitoring on H100/A100 test cluster - Instrument NVIDIA NVML for power readings (default: 100ms resolution) - Configure high-frequency power sampling via external hardware (Keithley DAQ) - Set up thermal imaging for die-level heat mapping **Workload Matrix** | Model | Sizes | Quantization | Batch Sizes | |-------|-------|--------------|-------------| | Llama | 7B, 13B, 70B | FP16, INT8, INT4 | 1, 8, 32 | | Mistral | 7B | FP16, INT8 | 1, 8 | | Stable Diffusion | XL | FP16 | 1, 4 | **Baseline Workloads** - Cryptocurrency mining (ETH-style, BTC-style hash patterns) - Idle GPU with periodic wake - Random matrix operations (control) - Video transcoding (alternative compute workload) ### Phase 2: Feature Engineering (Weeks 5-8) **Time-Domain Features** - Mean, variance, skewness, kurtosis of power signal - Peak-to-trough ratio and frequency - Autocorrelation at multiple lags - Run-length encoding of high/low power states **Frequency-Domain Features** - FFT spectral analysis - Dominant frequency identification - Spectral entropy - Wavelet decomposition for multi-scale analysis **Model-Specific Features** - Attention layer detection (periodic high-power bursts) - MatMul signature (power envelope during matrix operations) - Memory-bound vs compute-bound phase detection - Token generation cadence (for autoregressive models) ### Phase 3: Classifier Development (Weeks 9-12) **Model Architecture Classifier** - Input: Power trace window (configurable: 1s, 5s, 30s) - Output: Probability distribution over known architectures - Approach: CNN on spectrogram + LSTM on time series (ensemble) **Binary Fraud Detector** - Input: Power trace + declared model type - Output: P(legitimate inference | observed trace, declared model) - Approach: Anomaly detection with learned model-specific envelopes **Adversarial Training** - Generate adversarial power patterns (spike injection, load masking) - Train robust classifiers against known attack strategies - Red team exercises with adversarial workload generation ### Phase 4: Integration Architecture (Weeks 13-16) **Maxwell Integration Points** ``` ┌─────────────────────────────────────────────────────────┐ │ Maxwell Hypervisor │ ├─────────────────────────────────────────────────────────┤ │ Power Monitor Daemon │ │ ├── NVML Interface (100ms default) │ │ ├── High-Freq DAQ Interface (optional, 10kHz) │ │ └── Thermal Sensor Interface │ ├─────────────────────────────────────────────────────────┤ │ Verification Engine │ │ ├── Real-time Feature Extraction │ │ ├── Architecture Classifier │ │ ├── Anomaly Detector │ │ └── Confidence Aggregator │ ├─────────────────────────────────────────────────────────┤ │ Policy Enforcement │ │ ├── Threshold Configuration │ │ ├── Alert Generation │ │ └── Evidence Logging (for disputes) │ └─────────────────────────────────────────────────────────┘ ``` **Integration with Existing Verification Stack** - Power-trace confidence as input to stochastic ZK spot-check trigger - Low power-trace confidence -> increase spot-check probability - Evidence preservation for dispute resolution --- ## Deliverables ### D1: Power Signature Database Comprehensive database of power traces for: - 10+ model architectures at multiple sizes - 3+ quantization levels per model - Multiple batch sizes and sequence lengths - Baseline non-inference workloads (mining, transcoding, idle) ### D2: Feature Library Documented feature extraction library including: - Time-domain feature extractors - Frequency-domain analyzers - Model-specific signature detectors - Reference implementation in Python + CUDA ### D3: Classification Models Trained and validated models for: - Model architecture identification (multi-class) - Inference vs non-inference discrimination (binary) - Model size estimation (regression) - Adversarial-robust variants ### D4: Integration Specification Technical specification for Maxwell integration: - API definitions for power monitoring interface - Real-time classification service architecture - Confidence score interpretation guidelines - Recommended threshold configurations ### D5: Security Analysis Comprehensive adversarial analysis including: - Attack taxonomy for power-trace spoofing - Economic analysis of attack costs - Recommended countermeasures - Residual risk assessment ### D6: Research Paper Publication-ready paper for hardware security venue (e.g., USENIX Security, IEEE S&P) documenting: - Novel contribution to side-channel verification - Experimental methodology and results - Comparison with zkML and TEE approaches - Open challenges and future work --- ## Success Criteria ### Minimum Viable Success - [ ] Achieve >95% accuracy discriminating inference from mining - [ ] Achieve >80% accuracy identifying model family (Llama vs Mistral vs SD) - [ ] False positive rate <5% (legitimate inference not flagged) - [ ] Processing overhead <5% of inference time ### Target Success - [ ] Achieve >99% accuracy discriminating inference from mining - [ ] Achieve >90% accuracy identifying specific model size (7B vs 13B vs 70B) - [ ] False positive rate <1% - [ ] Demonstrate robustness against 3+ adversarial attack strategies - [ ] Real-time classification latency <100ms ### Stretch Goals - [ ] Detect model substitution (e.g., Llama-7B passed off as Llama-70B) - [ ] Identify quantization level from power trace alone - [ ] Multi-GPU workload decomposition - [ ] Transfer learning to new model architectures with minimal retraining --- ## References ### Side-Channel Analysis Foundations - Kocher, P. (1996). "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems" - Kocher, P., Jaffe, J., & Jun, B. (1999). "Differential Power Analysis" - Mangard, S., Oswald, E., & Popp, T. (2007). "Power Analysis Attacks: Revealing the Secrets of Smart Cards" ### GPU Power Characterization - Nagasaka, H., et al. (2010). "Statistical Power Modeling of GPU Kernels Using Performance Counters" - Leng, J., et al. (2013). "GPUWattch: Enabling Energy Optimizations in GPGPUs" - Arafa, Y., et al. (2019). "PPT-GPU: Scalable GPU Performance Modeling" ### ML Workload Fingerprinting - Hua, W., et al. (2018). "Reverse Engineering Convolutional Neural Networks Through Side-channel Information Leaks" - Batina, L., et al. (2019). "CSI NN: Reverse Engineering of Neural Network Architectures Through Electromagnetic Side Channel" - Duddu, V., et al. (2019). "Stealing Neural Networks via Timing Side Channels" ### Verification Approaches (Context) - Maxwell Internal: `/Users/jordanwashburn/Workspace/orchard9/maxwell/research/proof-of-inference-verifiable-ai.md` - EZKL Project: https://github.com/zkonduit/ezkl - Lagrange DeepProve-1: Distributed ZK proving for LLMs ### Hardware Security - NVIDIA Confidential Computing Architecture (H100 DCAP) - Intel SGX Power Side-Channels (relevant attack surface) - AMD SEV Thermal Analysis --- *Research Priority: HIGHEST* *Estimated Duration: 16 weeks* *Required Resources: H100/A100 cluster access, high-frequency power monitoring hardware, thermal imaging equipment* *Classification: Maxwell Internal - Novel Research*