Cores are usually discussed as a performance story. More cores, more parallelism, less latency, happier product manager. Security people, being paid to ruin everyone’s afternoon, usually hear something else: more switching activity, more leakage, more things an attacker can measure.

This paper complicates that instinct in a useful way. In Influence of Parallelism in Vector-Multiplication Units on Correlation Power Analysis, Manuel Brosch, Matthias Probst, Stefan Kögler, and Georg Sigl study a very specific question: when a neural-network accelerator processes the same input value across multiple processing elements, each with a different secret weight, what happens to correlation power analysis?1

The tempting answer is “more parallel computation leaks more.” The paper’s answer is more interesting: in this setting, more parallelism can make the target weight harder to distinguish. Not because the chip becomes magically secure. It does not. The attacker may still move to local electromagnetic probing, a different measurement setup, or a different attack model. But for global power consumption, the signal of one processing element can be buried inside the correlated activity of the others. More cores, in this narrow case, become less confession and more crowd noise.

That is the mechanism worth understanding. Without it, the result collapses into a bad slogan: parallelism helps security. The paper is more precise, and therefore more useful.

The attack is not against “AI” in general; it is against weight movement in hardware

The target is edge AI: neural networks deployed on devices where the attacker may gain physical access. The business concern is not merely that someone queries an API too many times. It is that the model is sitting on a device, executing inference, and leaking physical traces while doing so.

Correlation Power Analysis, or CPA, works by comparing measured power consumption with hypothetical power consumption. In neural-network inference, the attacker often knows or chooses the input and tries to recover the secret weight. The natural target operation is multiplication:

$$ \text{known input} \times \text{secret weight} $$

The attacker guesses possible weights, computes hypothetical intermediate values, converts those values into a power model, and checks which guess correlates most strongly with the measured trace. In older or less parallel implementations, this can be painfully effective. It is the hardware equivalent of asking the device a question and listening to its electricity answer.

The paper focuses on a vector-multiplication unit made of parallel processing elements, or PEs. Each PE performs multiply-and-accumulate operations. In a fully connected layer, multiple neurons in the same layer process the same input value at the same time, but each neuron uses its own weight. That gives the relevant dataflow:

same input x_t
   ├── PE 1: x_t × w_1,t
   ├── PE 2: x_t × w_2,t
   ├── PE 3: x_t × w_3,t
   └── ...

This is the small architectural detail that drives the whole paper. The other PEs are not just independent background noise. They are processing the same input, so their intermediate values are statistically related to the target PE’s intermediate value. For cryptographic implementations where parallel units often process different inputs, standard independence assumptions may be more appropriate. Here, they are not.

That difference matters because CPA depends on ranking hypotheses. The correct weight hypothesis must stand out. If other parallel operations produce power patterns that remain too correlated with the same input, the correct hypothesis loses its clean statistical separation. The attacker is no longer listening to one singer in a quiet room. The attacker is listening to a choir singing related melodies. Charming for music. Annoying for theft.

The first multiplication looks attractive, then quietly betrays the attacker

The paper models the PE register as the main leakage point. For the first multiplication, the register starts from zero, so the authors use a Hamming Weight model. For later multiply-and-accumulate steps, the register changes from one intermediate result to another, so they use a Hamming Distance model.

That timing choice is not a decorative implementation detail. It changes attack quality.

At time $\tau = 0$, the first multiplication appears attractive because the attacker only has to hypothesize one weight. But the paper shows that this moment is weak when multiple PEs are active. Since all PEs process the same input, their first intermediate results are linearly related through different weights. In the theoretical analysis, the maximum correlation between the target PE’s hypothetical power and another PE’s power can reach one at $\tau = 0$. Translation: the first multiplication does not give the attacker a clean fingerprint for one weight when several PEs are operating together.

Later MAC operations are better attack targets because Hamming Distance values become more distinguishable. But the price is computational. Targeting later points can require hypotheses over multiple weights. The paper notes that with a manageable hypothesis space of $2^{64}$, at most eight weights can be included. That is already not a casual weekend project, unless one’s weekend hobbies are concerning.

So the attacker faces a trade-off:

Attack timing Why it helps Why it hurts
First multiplication, $\tau = 0$ Small hypothesis space; one weight is enough Poor distinguishability under same-input parallelism
Later MAC step, such as $\tau = 3$ or $\tau = 7$ Better separation between hypotheses Larger hypothesis space or reliance on already-known earlier weights
Sequential recovery after early weights Reduces later hypothesis complexity Still depends on obtaining clean earlier leakage

This is the first important mechanism: the obvious target is not necessarily the useful target.

Parallel PEs do not just add noise; they change the correlation landscape

The authors first build an idealized theoretical model. They strip away constant power and environmental noise, leaving the data-dependent and operation-dependent parts of power consumption. This is intentionally favorable to the attacker. If the attack fails in the clean model, the real world is unlikely to rescue it.

The idealized total power is treated as the sum of the target PE’s leakage and the leakage from all other PEs. The interesting part is that the leakage from other PEs is not independent. Because the same input is multiplied by different weights across PEs, the power traces of parallel PEs are statistically dependent.

This leads to the paper’s central mathematical move. Since the usual simplification based on statistical independence does not apply, the authors empirically study how the correct hypothesis’s correlation changes as the number of PEs increases. They find an exponential-style decay:

$$ \rho_{\downarrow,\tau}(n_{PE}) = a \cdot e^{-b \cdot n_{PE}} + c $$

The parameters depend on the implementation and the attack timing $\tau$. For example, for selected target times, the paper reports:

$$ \rho_{\downarrow,\tau=0}(n_{PE}) = 0.369 \cdot e^{-0.637 \cdot n_{PE}} + 0.534 $$
$$ \rho_{\downarrow,\tau=3}(n_{PE}) = 0.439 \cdot e^{-0.456 \cdot n_{PE}} + 0.431 $$
$$ \rho_{\downarrow,\tau=7}(n_{PE}) = 0.482 \cdot e^{-0.507 \cdot n_{PE}} + 0.393 $$

The precise coefficients are less important than the shape. As more PEs operate in parallel, the correct hypothesis’s correlation drops rapidly and then levels off. It does not decline forever because the register bit-width limits the possible power-consumption values. Hardware, always eager to ruin elegant infinity.

In simulation, the first multiplication becomes unreliable around ten parallel PEs: the correct hypothesis’s correlation falls below that of incorrect hypotheses. For later MAC operations, the boundary moves to about fifteen PEs. The paper then reframes this in SNR terms. It reports that an average SNR of at least about 0.045 is needed for successful retrieval, with roughly 0.1 needed in worse cases involving early timing or many PEs. Later discussion ties the theoretical fifteen-PE boundary in their setting to an SNR around 0.02.

The exact SNR number should not be treated as a universal procurement threshold. It is a measurement-context number. The useful lesson is directional and architectural: once enough same-input PEs operate together, global power CPA loses the clean separation it needs.

The FPGA experiment turns the theory into a less generous reality

The experimental section is the main evidence, not an implementation appendix wearing a lab coat.

The authors implement configurable PE arrays on a NewAE CW305 board with a Xilinx Artix-7 FPGA. The setup uses eight-bit weights and inputs, a 32-bit register for intermediate results, a 1 MHz FPGA clock for measurement clarity, a shunt resistor in the voltage supply line, 20 dB amplification, and a PicoScope sampling at 625 MHz. The weights remain fixed across measurements; inputs vary randomly. This creates the classic CPA setting: stable secret, changing known input, many traces.

The experiment first shows that CPA works when the design is simple enough. Targeting $\tau = 0$ is not useful in practice because loading the next input dominates the measured trace. The attack therefore moves to $\tau = 1$, the transition from the first intermediate result to the second. At that point, two weights must be hypothesized, so the attacker evaluates $2^{16}$ hypotheses. For a single PE, the correct hypothesis rises above all others, and the paper reports that around 20,000 traces are sufficient for the correct hypothesis to become larger than all incorrect hypotheses.

That matters because it proves the setup is not broken. The authors are not saying CPA never works. They show that it works in the low-parallelism case, then watch it fail as parallelism increases.

When the number of PEs increases, the practical boundary arrives earlier than the theoretical one. The theory suggests success up to about fifteen PEs under idealized conditions. On the FPGA, the authors conclude that from the eight-PE mark onward, no correct weight values can be extracted using global power consumption. At that point, incorrect hypotheses can show higher correlations than correct ones.

The paper explains the gap plainly: the theoretical model ignores noise and physical effects. Real hardware includes other resources on the circuit, measurement noise, and trace contamination. Even with one PE, the measured correlation is lower than the simulation’s perfect value. For example, the paper reports measured correlations around $0.79$ at $n_{PE}=1, \tau=1$ and around $0.6$ at $n_{PE}=1, \tau=7$, while the idealized simulation would give $\rho = 1$ for one PE. It also reports that incorrect hypotheses are much more competitive in practice, with one example around $0.77$ versus about $0.2$ in simulation.

This is the second important mechanism: real hardware does not merely shift the theoretical curve downward. It also narrows the gap between correct and incorrect hypotheses. The attack fails not because the correct signal disappears completely, but because it stops being uniquely identifiable.

The evidence stack is stronger when separated by purpose

The paper uses several tests. They do not all serve the same role. Reading them as one blob would be efficient, and also wrong.

Paper component Likely purpose What it supports What it does not prove
Idealized power model Mechanism construction Shows why same-input PE arrays differ from independent-noise assumptions Does not capture real measurement noise
Simulation over PE counts Main theoretical evidence Shows exponential-style correlation decay and approximate success boundaries Does not guarantee practical attack success or failure
SNR analysis Boundary abstraction Links attack success to measurable signal quality, not only PE count Does not create a universal SNR threshold across devices
FPGA CPA at $\tau = 1$ Main practical evidence Shows CPA works on low-parallelism hardware, then fails near eight PEs under global power Does not rule out local EM or invasive measurement setups
FPGA comparison with Eq. (7) Model validation Shows the simulated decay curve approximates measured behavior Does not mean all accelerators share the same coefficients
Normally distributed weights Robustness/sensitivity test Suggests results are not an artifact of uniform random weights Does not cover every trained model distribution
MNIST-trained layer appendix Robustness/sensitivity test Shows similar behavior with trained weights from an MLP layer Does not establish all network types or dataflows behave identically

The appendices are especially easy to overread. The normally distributed weight experiment and the trained-MNIST-layer experiment are useful robustness checks. They support the claim that the behavior is not merely an artifact of uniform random weights. They are not a second thesis about trained-model security in all forms. Good appendix, not magic wand.

The business value is countermeasure budgeting, not free security

For an edge-AI vendor, this paper’s value is not “we can stop caring about side channels.” That would be a charmingly fast route to a breach review.

The business value is better triage.

Physical model extraction has a cost structure. Masking can provide stronger formal protection, but it requires hardware and calculation changes and consumes randomness. Shuffling can be easier and less randomness-heavy, but it depends on execution not being fully parallel and mainly works by disrupting trace alignment. Local EM defenses, packaging choices, probe resistance, and tamper assumptions add more complexity.

The paper gives engineering teams a way to ask a sharper question before paying for all countermeasures everywhere:

What kind of parallelism does this accelerator use,
and does the assumed attacker rely on global power or global EM?

If the design processes the same input value through many PEs with distinct weights, and the attacker is limited to global power consumption, then sufficient parallelism may already reduce CPA feasibility. In the paper’s idealized model, fifteen or more PEs become the theoretical boundary. In the FPGA experiment, practical failure appears around eight PEs. That gap should make managers less confident in both directions: do not assume the theoretical number is enough, but also do not assume every global-power attack remains practical just because the model contains valuable weights.

A useful review checklist would look like this:

Security review question Why it matters
Do multiple PEs process the same input at the same time? This is the dependency pattern studied in the paper
How many distinct weights are processed in parallel for that same input? PE count drives correlation decay and attack feasibility
Is the likely leakage through PE registers? The paper’s model focuses on register-stored intermediate results
Is the attacker limited to global power or global EM? The result is strongest for global measurement, not local probing
Can a local EM probe isolate one or a few PEs? Local measurement may restore SNR and bypass the crowd-noise effect
Are inputs mixed, distinct, or partly shared across PEs? Mixed input processing is explicitly left as future work
Is the deployment in a critical sector? Masking may still be justified even when global CPA looks weak

This is where the misconception should be retired. Parallel hardware is not automatically leakier in the way a simple mental model suggests. In this architecture, parallelism can make global CPA harder because the attacker cannot isolate the target PE’s contribution cleanly. The correction is not “parallelism is security.” The correction is: dataflow determines whether parallelism amplifies leakage or buries it.

Small difference. Large budget implications.

Where the result applies—and where it stops

The paper is careful about scope, and the scope matters.

The result applies best to vector-multiplication units where several PEs process the same input value at the same time using different secret weights, with intermediate results stored in registers. It is particularly relevant to fully connected layers and similar same-input parallel patterns in edge-AI accelerators. The authors also discuss related accelerator designs where the same-input assumption appears plausible.

It does not automatically transfer to every systolic array or every neural-network accelerator. If PEs process different inputs simultaneously, the statistical relationship changes. The paper explicitly contrasts its setting with cryptographic implementations and accelerator designs where simultaneously processed inputs are independent. In those cases, increasing measurements may recover enough SNR for CPA to succeed.

Nor does the paper defeat local EM measurement. The authors repeatedly distinguish global power or global EM from localized probing. If an attacker can measure one PE, or a small number of PEs, the crowd becomes smaller. In the FPGA discussion, the authors suggest that local EM measurements capable of resolving four or fewer PEs may be needed once global power fails around the eight-PE range. That is not a minor caveat. It is the difference between “not attackable from this channel” and “not attackable.”

Finally, the paper assumes a passive attacker. It does not analyze fault injection, tampering, memory dumping, training-time compromise, software extraction, or invasive lab attacks. The result is about one family of side-channel attacks under one hardware-leakage pattern. That is already useful. It does not need to pretend to be a universal shield. Universal shields are usually PowerPoint products.

The strategic lesson: architecture is part of the security boundary

For AI leaders, this paper belongs in a category that is becoming more important: hardware-aware model security. Model confidentiality is not only a question of encryption, API throttling, watermarking, or legal contracts. Once models run on physical devices, architecture becomes part of the attack surface.

The direct finding is technical: in same-input vector-multiplication units, the correct CPA hypothesis loses distinguishability as more PEs operate in parallel. Simulations suggest a theoretical boundary around fifteen PEs; FPGA measurements show practical failure already around eight PEs under global power measurement. Exponential-style equations approximate the correlation decay and help estimate where global CPA becomes unattractive.

The business inference is narrower but valuable: edge-AI accelerator teams should evaluate side-channel defenses based on actual dataflow and measurement assumptions. Low-parallelism designs still deserve serious CPA countermeasures. Same-input high-parallelism designs may already resist global power CPA enough that masking is not always the first economic choice—unless local EM, critical-sector assurance, or stronger adversaries are in scope.

The uncertainty is also clear. Mixed-input PE arrays, local probing, device-specific measurement conditions, and alternative leakage sources can change the answer. Security review should therefore move from generic fear to architecture-specific diagnosis.

That is the better takeaway. Parallelism is not a security feature by default. But in the right dataflow, it can become an accidental bodyguard: not elegant, not formally sufficient, but inconvenient enough to matter.

And in hardware security, inconvenience is often where the bill starts to change.

Cognaptus: Automate the Present, Incubate the Future.


  1. Manuel Brosch, Matthias Probst, Stefan Kögler, and Georg Sigl, “Influence of Parallelism in Vector-Multiplication Units on Correlation Power Analysis,” arXiv:2601.05828, 2026, https://arxiv.org/abs/2601.05828↩︎