新一代硬件安全第5章 TRNG

---

title: “第5章 真随机数生成器的本征熵”
author:
date: 2023-05-18
output: word_document

Chapter 5 Intrinsic Entropy for True Random Number Generation

5.1 Chapter Introduction

True Random Number Generators (TRNGs) form an essential and indispensable part of modern security systems in various scenarios, including (1) key- and initial counter value-generation for cryptographic functions, (2) seeding unique device keys for watermarking, (3) authentication in protocols such as the blockchain, and (4) input randomization for physical security measures such as side-channel countermeasures or camouflaging [Neu19]. If the entropy source driving the TRNG is not resilient, the security guarantees concerning these applications may be compromised. Physical attacks such as those based on temperature fluctuations, under/over-volting, and frequency injection [Yan16, MM09] are capable of destroying the entropy source of the TRNG, thus rendering it useless. Hence, there is a need for a robust, reliable, and high-fidelity TRNG for on-chip implementation in security systems. In this chapter, we explore how the intrinsic entropy arising from the complex physical phenomena in emerging devices can be exploited to design such resilient TRNGs.

第5章 真随机数生成器的本征熵

5.1 章节简介

真随机数生成器(TRNG)是现代安全系统中不可或缺的重要组成部分，其使用场景包括：(1)为加密函数生成密钥和初始计数器值，(2)为数字水印生成唯一器件密钥种子，(3)为区块链等协议提供身份验证，以及(4)为旁路攻击防御或伪装等物理安全措施提供随机性输入[Neu19]。如果驱动TRNG的熵源没有抗性，将会损害与这些应用有关的安全性保证。因为基于温度波动、欠电压/过电压和频率注入等物理攻击[Yan16, MM09]能够破坏TRNG的熵源使其失效，因此需要一种健壮、可靠、高保真的TRNG，以用于安全系统中的芯片上实现。在本章中，我们探讨了如何利用新兴器件中的、复杂的物理现象产生的本征熵，来设计这种有抗性的TRNG。

We first delve into the process of generating random numbers using emerging device technologies, followed by a brief review of prior emerging device-based TRNG implementations. Finally, we present a detailed case study on a spintronics-based TRNG to provide the reader with insights on all aspects of designing a TRNG, from harnessing the entropy source to constructing the sampling circuit, testing its resilience, and benchmarking its performance.

我们首先深入研究了使用新兴器件技术生成随机数的过程，然后简要回顾了先前基于新兴器件的TRNG实现。最后，我们对基于自旋电子学的TRNG进行了详细的案例研究，为读者提供了在设计TRNG时所需的各方面考虑，包括从利用熵源到构建采样电路、测试抗性，到如何对性能进行基准测试。

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2021
N. Rangarajan et al., The Next Era in Hardware Security,
https://doi.org/10.1007/978-3-030-85792-9_5

5.2 Concepts for True Random Number Generation Using Emerging Technologies

Typically, the first step in designing a TRNG is identifying a suitable entropy source, whose randomness can be transduced into a sequence of binary digital bits. In this regard, emerging devices offer a vast array of opportunities to tap into the innate randomness found in nature’s physical processes. Quantum sources of entropy, such as vacuum state fluctuations, entangled photons, and Raman scattering, have been harvested to forge TRNGs in the past [Gab+10, Fio+07, Bus+11]. TRNGs exploiting chaos in semiconductor lasers were demonstrated in [UA+08]. The oscillatory and stochastic threshold switching in the insulator-to-metal transition in VO2 is used to implement a working TRNG model in [Jer+17]. Here, the stochastic threshold switching is enabled by small perturbations in the nanoscale domain structure of VO2. Wei et al. [Wei+16] exploit the current difference in the 1/fβ noise of Resistive Random Access Memory (RRAM) to fashion their entropy source. The spatio-temporal differences in the visible spectrum of frequencies is employed to achieve random number generation in [Lee+18].

5.2 基于新兴技术的真随机数生成器相关概念

通常，设计TRNG的第一步是确定合适的熵源，其随机性可以转换为二进制数字比特序列。在这方面，新兴器件通过挖掘自然物理过程中固有的随机性，提供了大量的机会。之前[Gab+10, Fio+07, Bus+11]中已经利用诸如真空态涨落、纠缠光子和拉曼散射等量子熵源来驱动TRNG。[UA+08]中演示了基于半导体激光器中的混沌来构建的TRNG。[Jer+17]中利用VO2从绝缘态到金属态跃迁过程中的振荡和随机阈值切换，实现了一个TRNG工作模型，这里的随机阈值切换是由VO2纳米畴结构中的小扰动实现的。Wei等人在[Wei+16]中用电阻式随机存取存储器(RRAM) $1/f\beta$ 噪声中的电流差异做熵源。[Lee+18]中利用可见频谱的时空差异来生成随机数。

Broadly, the entropy sources employed in various TRNGs can be classified as follows [Lee+18].

• Electric and electronic noise, including thermal noise, flicker noise, shot noise, and diffusion noise in semiconductor devices.
• Metastability in electronic circuits and natural phenomena, such as ring oscillators, flip flops, and magnetic systems.
• Chaos in Lorenz systems like lasers and optical cavities.
• Physical systems, encompassing photonic, and radioactive decay-based arrangements.

从广义上讲，各种TRNG中使用的熵源可以分类如下[Lee+18]：

• 电气和电子噪声，包括半导体器件中的热噪声、闪烁噪声、射粒噪声和扩散噪声。
• 电子电路和自然现象中的亚稳态，如环形振荡器，触发器，和磁性系统。
• 洛伦兹系统中的混沌，如激光器和光学腔体结构。
• 物理系统，包括基于光子和放射性衰变装置。

In constructing such emerging device-based TRNGs, there are some considerations to be accounted for.

在构建这种基于新兴器件的TRNG时，需要考虑如下因素：

1. Purity of entropy source: Presence of any correlations or bias in the source will adversely affect the quality of randomness. For instance, the TRNG driven by chaos in semiconductor lasers [UA+08] suffers from periodicity and lack of sufficient intrinsic randomness.
2. Difficulty of extracting entropy: Significant challenges in handling and extraction of the entropy source, e.g., in radioactive decay-based TRNGs [Par+20], often make it impractical.
3. Complexity of post-processing required: Most of the quantum TRNGs [Gab+10, Bus+11] require complex photo-detection and enormous postprocessing, resulting in unfeasible overheads.
4. Scalability: Optical source-based TRNGs [Fio+07] often suffer from scalability issues due to size of components involved.
5. Ease of CMOS integration: The underlying technology must be compatible with the existing CMOS framework, for economic viability.

---

1. 熵源的纯度: 熵源中任何相关性或偏差的存在都会对随机性的质量产生不利影响。例如，半导体激光器[UA+08]中混沌驱动的TRNG存在周期性，缺乏足够的内在随机性。
2. 提取熵的难度: 处理和提取熵源面临的大的挑战，例如基于放射性衰变的TRNG [Par+20]，往往不具可操作性。
3. 后处理的复杂度: 大多数量子TRNG [Gab+10, Bus+11]需要复杂的光检测和庞大的后处理操作，开销巨大不可行。
4. 可扩展性: 基于光源的TRNG [Fio+07]经常由于所涉及组件的尺寸而面临可扩展性问题。
5. 与CMOS集成的难易度: 底层技术必须与现有CMOS框架兼容，才经济上的可行性。

5.3 Review of Selected Emerging Technologies and Prior Art

In this section, we briefly review prior TRNGs, which leverage various classes of emerging devices and phenomena. The purpose of this survey is to get a better perspective of how emerging devices and materials can be moulded into a physical entropy generating contraption.

5.3 对选定的新兴技术和现有技术的回顾

在本节中，我们将简要回顾之前利用各种新兴器件和物理现象构建的TRNG，目的是为了更好地了解将新兴器件和材料、塑造成物理熵生成装置的过程。

5.3.1 Ferroelectric Field Effect Transistor

A ferroelectric field effect transistor (FeFET) is a modification of the conventional MOSFET, wherein a ferroelectric material is sandwiched between the gate electrode and the channel [KKD20]. The application of a gate voltage causes polarization of the ferroelectric domains, thus imparting memory to the device. The direction of this polarization (up or down) can either support or impede the formation of the inversion channel, thereby affecting the threshold voltage.

5.3.1铁电场效应晶体管

铁电场效应晶体管(FeFET)是传统MOSFET的改进型，其中铁电材料夹在栅极和沟道[KKD20]之间。施加栅极电压可引起铁电畴的极化，使器件具备记忆功能。这种极化方向(上或下)可以支持或阻碍反转沟道的形成，从而影响阈值电压。

This tunability of the inversion channel, by switching the polarization charge in the ferroelectric layer, is utilized by Mulaosmanovic et al. [MMS17] to build a TRNG. The operation of their TRNG is as follows. The circuit is built using a single FeFET device, with a polysilicon/TiN/HfO2/SiON gate stack. The application of a positive gate voltage orients the ferroelectric polarization downward and sets the device into low-VT state, whereas a negative gate voltage causes upward polarization and resets the device to its high-VT state (Fig. 5.1). On reducing the dimensions of the FeFET device, such that the channel length is on the order of the ferroelectric domain size, the switching process from one state to the other becomes extremely sharp and unpredictable. This stochastic switching occurs close to the ferroelectric coercive voltage, wherein the pulse width at which the abrupt switching occurs exhibits variability. The randomness in the ferroelectric switching is attributed to the variability in the nucleation-driven polarization reversal of the domains. By tuning the pulse width for a 50% probability of switching from high to low-VT state, equiprobable random numbers can be generated. The high- or low-VT states are converted to binary digits by sampling the drain current levels and then using a comparator setup.

Mulaosmanovic等人在[MMS17]中利用反转沟道的这种可调谐性，通过切换铁电层中的极化电荷来构建TRNG。其工作原理如下：

• 通过具有多晶硅/TiN/HfO2/SiON栅叠层的单个FeFET器件构建电路。
• 通过施加正栅极电压可使铁电向下极化，并将器件置为低VT状态，施加负栅极电压可导致向上极化，并将器件重置为高VT状态（图5.1）。
• 通过缩小FeFET器件的尺寸，使沟道长度与铁电畴尺寸相当，可使从一个状态切换到另一个状态的过程变得非常突然和不可预测。这种随机状态切换发生在铁电矫顽电压附近，突变发生时的脉冲宽度表现出易变性。铁电切换的随机性要归因于铁电畴由成核作用驱动的极化反转的易变性。
• 通过调整脉冲宽度，以 50% 的概率从高 VT 状态切换到低 VT 状态，可以生成等概率随机数。
• 通过对漏极电流电平进行采样，然后使用比较器装置，可将高VT或低VT状态转换为二进制数字。

The FeFET-based TRNG proposed in this work can be highly scalable owing to its 1-transistor structure, and offers advantages like low power operation and CMOS compatibility. However, it would be prone to process and temperature variability since the margins for the 50% switching threshold are limited.

上述[MMS17]中提出的基于FeFET的TRNG由于其单晶体管结构而具有高度可扩展性，并具有低功耗运行和兼容CMOS等优点。然而，由于50%切换阈值的裕度是有限的，因此容易受工艺和温度变化影响。

Fig. 5.1 Schematic of the ferroelectric switching based-TRNG. The gate pulse width is tuned to achieve 50% switching probability, thereby resulting in a random VT state. After the switching process, the drain current at that final VT state is sampled and converted to a digital bit

图5.1 基于铁电切换的TRNG的原理图。调整栅极脉冲宽度以实现50％切换概率，以致生成随机VT状态。在切换过程之后，对处于最终VT状态的漏电流进行采样并转换为数字比特

Fig. 5.2 Circuit construction of the diffusive memristor-based TRNG. A voltage divider arrangement with a series resistor is used to read the output voltage. The sampling circuit consists of a comparator, an AND gate, and a counter

图5.2 基于扩散忆阻器的TRNG的电路结构。使用具有串联电阻器的分压器装置来读取输出电压。采样电路由比较器、与门和计数器组成

5.3.2 Diffusive Memristor

Hao Jiang et al. demonstrated in [Jia+17] a novel TRNG based on the stochastic switching behavior in diffusive memristors. Their Ag:SiO2 diffusive memristor is a volatile device, which functions on the basis of the stochastic diffusion dynamics of metal atoms in the memristive channel. The application of a voltage pulse turns the device ON and switches it to a low-resistance state. However, the delay incurred in this process is random and uncontrollable. The device is turned OFF when the bias is removed, and the channel relaxes back to the high-resistance state. The innate stochasticity prevalent in the switching delay of the memristor is exploited as the entropy source.

5.3.2扩散忆阻器

Hao Jiang等人在[Jia+17]中展示了一种基于扩散性忆阻器随机切换行为的新型TRNG。他们提出的Ag:SiO2扩散性忆阻器是一种挥发性器件，其原理基于金属原子在忆阻沟道中的随机扩散动力学。施加电压脉冲可使器件导通，并将其切换到低电阻状态。然而，这个过程中产生的延迟是随机且不可控的。当移除偏置时，器件关闭，沟道弛豫回高电阻状态。可利用忆阻器切换延迟固有的随机性作为熵源。

The TRNG circuit (Fig. 5.2) is area-efficient and is composed of (1) the diffusive memristor for the entropy, and (2) a sampling circuit constructed with a comparator, AND gate, and a counter. The memristive device itself consists of a Pt/Ag/Ag:SiO2/Pt stack, where a 5 nm Ag reservoir layer is placed between the Ag:SiO2 channel and the top electrode. The working of their TRNG circuit is as follows. A voltage bias $V_{in}$ above the threshold voltage (0.5 V) causes Ag atoms to randomly detach from the Ag reservoir layer and diffuse toward the bottom Pt electrode. After arbitrary time, enough Ag atoms have detached and migrated to form a conductive channel, thus switching the device ON. Since the detaching process of Ag atoms is a random phenomenon, the time taken for the onset of conduction is random as well.

TRNG电路(图5.2)是面积-有效的，其由(1)用于熵的扩散忆阻器和(2)由比较器、与门和计数器组成的采样电路组成。该忆阻器件本身由Pt/Ag/Ag:SiO2/Pt堆叠组成，其中5nm的 Ag 储层位于Ag:SiO2沟道和顶部电极之间。TRNG电路的工作原理如下：高于阈值电压(0.5 V)的电压偏置$V_{in}$导致 Ag 原子从 Ag 储层随机分离并向底部 Pt 电极扩散。在任意时间后，足够的 Ag 原子分离并迁移形成导电沟道，从而打开器件（器件转为 ON 状态）。由于 Ag 原子的分离过程是一种随机现象，因此开始导电的时间也是随机的。

As the device turns ON, the output voltage ($V_{out}$) between the memristor and series resistor rises. When this output voltage increases beyond a preset reference, the comparator output ($V_{comp}$) goes high and stays high until the input voltage pulse $V_{in}$ to the memristor is cut-off. A random delay time to reach the ON state ensures that the pulse width of $V_{comp}$ is random. Hence, AND-ing this $V_{comp}$ with a (higher frequency) clock signal produces a waveform with arbitrary number of clock cycles encompassed within the random pulse width of $V_{comp}$. The AND-ed signal $V_{AND}$ is sent to a counter, whose output $V_{count}$ flips at each rising edge of $V_{AND}$, and settles at “1” or “0” when $V_{in}$ goes low. The bit on which the counter settles is random due to the random pulse width of $V_{comp}$, which in turn causes a random number of clock pulses to be sent to the counter.

当器件打开时，忆阻器和串联电阻之间的输出电压($V_{out}$)上升。当输出电压超过预设基准时，比较器的输出($V_{comp}$)升高并保持高电平，直到输入电压脉冲$V_{in}$到忆阻器的沟道被切断。到达 ON 状态的延迟时间的随机性保证了$V_{comp}$的脉冲宽度是随机的。因此，将这个$V_{comp}$与(更高频率的)时钟信号进行“与”运算，会产生一个波形，$V_{comp}$的随机脉冲宽度内包含任意数量的时钟周期。“与”运算后的信号$V_{AND}$被送到一个计数器，其输出$V_{count}$在$V_{AND}$的每一个上升沿翻转，当$V_{in}$变低时稳定在“1”或“0”。由于$V_{comp}$的随机脉冲宽度，计数器的位是随机的，这反过来又导致随机数量的时钟脉冲被发送到计数器。

The entropy source in this TRNG is shown to be sufficiently robust even at elevated temperatures, and requires minimal post-processing. The normally OFF and volatile nature of the diffusive memristor implies that no reset stage is required, hence reducing the energy consumption. However, this particular TRNG implementation suffers from poor bitrate (maximum ∼300 Kbps) and endurance (∼ 107 cycles).

该TRNG中的熵源即使在高温下也显示出足够的健壮性，并且只需要很少的后处理操作。通常情况下，扩散性忆阻器的OFF态和易失性意味着不需要重启阶段，因此可降低功耗。然而，这种特殊的TRNG实现存在比特率(最高到 300 Kbps)和续航时间(~ $10^7$个周期)较差的问题。

5.3.3 Spin Dice
The spin dice, introduced by Fukushima et al. [Fuk+14], was one of the first spintronics-based scalable TRNGs, built by extracting the stochastic nature of spintransfer torque (STT) switching. Here, the STT mechanism, [RS08, LZ03, XZS05], predicted by J. Slonczewski and L. Berger, is used as the fundamental mechanism to control the magnetization state of the nanomagnet.

5.3.3 自旋骰子

福岛等人在[Fuk+14]中引入的自旋骰子，是最早提出的基于自旋电子学的可扩展TRNG之一，它是通过提取自旋转扭矩(STT)切换的随机性质来构建的。本文采用J. Slonczewski和L. Berger[RS08, LZ03, XZS05]预测的STT机制，作为控制纳磁体磁化状态的基本机制。

The flipping of magnetization state is inherently probabilistic due to (1) the presence of thermal noise in nanomagnets and (2) the existence of two equivalent basins of attraction in the energy landscape of nanomagnets that make the dynamical evolution of magnetization extremely sensitive to its initial state. As a consequence, a nanomagnet brought to an unstable initial state will relax to a final magnetization orientation that appears to be unpredictable. Depending on the relative polarizations of the input spin current and the magnetization vector, two cases of magnetization reversal can occur: (1) damping switching [Ber+03] and (2) precessional switching [dAq05, Liu+10]. In the case of damping switching, the spin current entering the nanomagnet is polarized in the plane of the nanomagnet. The magnetization oscillates around the local minimum with a slowly increasing amplitude, and at some point the projection on the easy axis abruptly switches to the opposite value. In precessional switching, the magnetization is pushed along the path of the steepest ascent, and a very short duration of the spin current can induce switching.

磁化态的翻转本质上具有概率性，是因为(1)纳磁体中存在热噪声，(2)纳磁体能级相图中存在两个等效的引力盆地，使得磁化动态演变对其初始态极其敏感。因此，进入不稳定初始态的纳磁体将弛豫回似乎不可预测的最终磁化方向。根据输入自旋电流和磁化矢量的相对极化方向，可以发生两种磁化反转情况:(1)阻尼切换[Ber+03]和(2)进动切换[dAq05, Liu+10]。在阻尼切换的情况下，进入纳磁体的自旋电流在纳磁体的平面上发生极化，磁化强度围绕局部极小值附近振荡，振幅缓慢增加，直到在某一点上，易磁化轴上的投影值突然取反。在进动切换中，磁化沿着最陡的上升路径推进，并且极短的自旋电流持续时间就可以诱导切换。

Fig. 5.3 Perpendicularly magnetized MTJ (p-MTJ) stack and circuit schematic used to construct spin dice

图5.3 用于构建自旋骰子的垂直磁化MTJ（p-MTJ）堆叠和电路原理图

The setup in [Fuk+14] consists of top-free perpendicularly magnetized Magnetic Tunnel Junctions (p-MTJs), constructed using a synthetic antiferromagnetic bottom reference layer. Such p-MTJs have been shown to exhibit a wide magnetic field range for the bistable states around zero magnetic field and low switching current densities. Their p-MTJ stack is composed of a 2 nm FeB free layer, a 1 nm MgO barrier, and a CoPt/Ru/CoPt reference layer. The stack is fabricated as a nanopillar with a cross-section of 70 × 200 nm2 and a magnetoresistance ratio of 100%. Figure 5.3 illustrates the spin dice p-MTJ stack as well as the circuit schematic for generating random bits. The working of the spin dice is as follows. A current pulse from the pulse circuit is applied to the p-MTJ to perturb it from its initial state. The pulse width and amplitude of this current pulse are carefully tuned to achieve a switching probability of 50% for the considered free layer. The final state of the free ferromagnet is obtained by measuring the resistance of the p-MTJ stack, which is converted to a digital bit using a comparator circuit. Further details on the STT switching of MTJ circuits, and their subsequent read-out and digital sampling are presented in Sect. 5.4.2.

[Fuk+14]中的装置其顶部是自由垂直磁化磁性隧道结(p-MTJs)，底部是合成反铁磁参考层。这种p-MTJ已被证明在零磁场和低切换电流密度附近的双稳态中表现出了宽磁场范围。其p-MTJ堆叠由2nm的FeB层自由层、1nm的MgO屏蔽层和CoPt/Ru/CoPt参考层组成。该堆叠被制成纳米柱，其横截面为70 × 200 $n{m}^2$，磁阻比为100%。图5.3给出了自旋骰子p-MTJ堆叠以及产生随机比特的电路原理图。自旋骰子的工作原理如下：对p-MTJ施加来自脉冲电路的电流脉冲，使其从初始态开始扰动。该电流脉冲的脉冲宽度和幅度经过仔细调制，以实现所考虑的自由层50%的切换概率。通过测量p-MTJ堆叠的电阻可得到自由铁磁体的最终态，p-MTJ堆叠使用比较器电路将其转换为数字位。有关MTJ电路的STT切换及后续读数和数字采样的更多详细信息，请参见 5.4.2小节。

Although the spin dice offers a stable operation with high integration density, it is prone to issues arising from temperature fluctuations and process variations. The damping switching mechanism inherently has a very narrow bistable region, and small deviations in the operating temperature or the input current pulse can change the switching probability from the required 50%. This can significantly deteriorate the randomness of the TRNG. Hence, the spin dice requires temperature compensation and additional post-processing to high quality of randomness.

虽然自旋骰子提供高集成密度的稳定运行，但它容易受温度波动和工艺变化问题的影响。阻尼切换机制本身具有非常窄的双稳态区域，工作温度或输入电流脉冲的微小偏差可能会改变切换所需的50%概率，这会显著降低TRNG的随机性。因此，自旋骰子需要额外的温度补偿和后处理，以实现高质量的随机性。

5.4 Case Study: Precessional Nanomagnet Switching for TRNG

Having explored the operation of prior emerging device-based TRNG implementations, we now look at another spintronics TRNG in much more detail. Through this case study, we shed light on the process of designing an emerging device-based TRNG from scratch, including (1) the selection and evaluation of a viable entropy source, (2) moulding the entropy source into a system-level TRNG implementation, and finally (3) testing its randomness and performance.

5.4 案例研究: 用于TRNG的进动纳磁切换

经过对先前出现的基于器件的TRNG实现运用的探索之后，我们现在更深入地研究另一种自旋电子学TRNG。本节的案例研究将演示从头开始、设计一个基于新兴器件的TRNG的过程，包括(1)选择和评估可行的熵源，(2)将熵源建模成一个系统级的TRNG实现，最后(3)测试它的随机性和性能。

The spintronics-based TRNG in [RPR17] leverages the inherent stochasticity of the precessional magnetization dynamics in thin-film nanomagnets. Here, similar to spin dice, the STT mechanism is used to induce nanomagnet switching. The time-dependent evolution of the magnetization in a thin-film nanomagnet, under the influence of STT, is obtained using the stochastic Landau–Lifshitz–Gilbert– Slonczewski (s-LLGS) equation [ARR16]. Readers are referred to Appendix 1 for further details on the s-LLGS dynamics.

[RPR17]中基于自旋电子学的TRNG利用了纳磁薄膜中进动磁化动力学的固有随机性。这里，类似于自旋骰子，STT机制可被用来诱导纳磁切换。利用随机Landau-Lifshitz-Gilbert-Slonczewski (s-LLGS)方程[ARR16]，可得到纳磁薄膜在STT影响下磁化强度随时间的演变规律。读者可以参考本章附录1了解s-LLGS动力学的更多细节。

Precessional switching is excited in the multilayer structure shown in Fig. 5.4a, where the polarizing magnet is orthogonal to the free layer (implementation details presented in Sect. 4.3). Sample magnetization reversal trajectories corresponding to damping and precessional switching mechanisms obtained by solving the s-LLGS equation are shown in Fig. 5.4b,c.

在图5.4（a）所示的多层结构中可激发进动切换，其中极化磁体方向与自由层正交(实现细节见第4.3节)。如图5.4（b）、（c）所示，通过求解s-LLGS方程可得到阻尼和进动切换机制对应的采样磁化反转轨迹。

Fig. 5.4 (a) MTJ stack arrangement used in the precessional switching-based TRNG circuit. (b) and © are sample magnetization trajectories for damping and precessional switching, respectively. In precessional switching, the magnetization is pushed out-of-plane (OOP) before relaxing to an in-plane stable orientation ($\pm \widehat{m_x}$)

图5.4（a）基于进动切换的TRNG电路中使用的MTJ堆叠装置。（b）、（c）分别是用于阻尼和进动切换的采样磁化轨迹。在进动切换中，磁化被推出面外（OOP），然后弛豫回面内稳定方向。（$\pm \widehat{m_x}$）

Note here that the precessional switching mechanism is more prone to stochasticity than damping switching. In the case of damping switching, the magnetization traverses from one equilibrium point to the other under the effect of STT, through the saddle point, without ever leaving the plane of the thin-film nanomagnet (x-y plane). However, in precessional switching, the magnetization is assisted out of the plane by the STT, which is a high energy region in the energy landscape of the nanomagnet. This causes precessional switching to be inherently more chaotic, and this chaos coupled with the multistability, fine entanglement of the basins of attraction, and extreme sensitivity to the initial conditions results in a probabilistic switching mechanism even in the absence of thermal fluctuations [dAq+15, BSM13]. Hence, as compared to the spin dice described in Sect. 5.3.3, which operates on the damping switching mechanism [Fuk+14], the precessional switching-based TRNG has negligible dependence on thermal effects and can be operated over a wide range of temperature as well as the strength of the STT effect.

请注意，进动切换机制比阻尼切换更容易产生随机性。阻尼切换场景，在STT的作用下，磁化通过鞍点，从一个平衡点穿越到另一个平衡点，而不离开纳磁薄膜所在平面(x-y平面)。但在进动切换场景，STT是纳磁体的能级相图中的一个高能区域，助推磁化向平面外。这使得进动切换本质上更加混沌，这种混沌再耦合多重稳定性、引力盆地的精细纠缠和对初始条件的极端敏感性，即使在没有热波动的情况下，也会得到（可用于TRNG）概率切换机制[dAq+15, BSM13]。因此，与5.3.3节中描述的基于阻尼切换机制的自旋骰子[Fuk+14]相比，基于进动切换的TRNG对热效应的依赖可以忽略不计，其可以在很宽的温度范围内工作，也可以在STT强效应下工作。

5.4.1 Entropy Source

Solving the s-LLGS equation with no applied field or spin current results in six stationary points: two stable minimum energy equilibrium points at $m=\pm \hat{x}$, two saddle points at $m=\pm \hat{y}$, and two unstable maximum energy points at $m=\pm \hat{z}$. The energy portrait of precessional switching projected on the $m_x-m_y$ plane is shown in Fig. 5.5a. In this figure, the shaded regions (low energy) are the regions where the magnetic free energy is below the energy of the saddle points, while in the elliptical white (high energy) region, the energy is above the energy of the saddle points [BMS03]. The energy portrait is also demonstrated by the simulation of magnetic relaxations when the magnetization vector is initialized at different directions in Fig. 5.5b. The red dots inside the ellipse $(1+D)m_x^2+m_y^2=1$correspond to initializations that relax toward one equilibrium point, and the green dots correspond to relaxation toward the other.

5.4.1 熵源

在没有外加场或自旋电流的情况下求解 s-LLGS 方程会产生六个稳态点：$m=\pm \hat{x}$ 处两个稳态的最小能量平衡点，$m=\pm \hat{y}$ 处的两个鞍点，$m=\pm \hat{z}$ 处的两个不稳定最大能点。在$m_x-m_y$平面上投影的进动切换能量图谱如图5.5（a）所示。在图中，阴影区域(低能量)为自由磁能低于鞍点能量的区域，而椭圆白色区域(高能量)为自由磁能高于鞍点能量的区域[BMS03]。图5.5（b）中磁化矢量在不同方向初始化时的磁弛豫模拟也展示了能量图谱。椭圆内的红点$(1+D)m_x^2+m_y^2=1$对应于向一个平衡点弛豫的初始化，绿点对应于向另一个平衡点弛豫的初始化。

Fig. 5.5 (a) High energy and low energy regions on $m_x-m_y$ plane. (b) Result of relaxation of magnetization for different initial magnetization states on $m_x-m_y$ plane. Green dots and red dots are the relaxed states corresponding to m = xˆ and m = −xˆ, respectively. Here, the ratio of the anisotropy field and the saturation magnetization is unity, and the Gilbert damping constant α = 0.01

图5.5（a）$m_x-m_y$平面上的高能和低能区域。（b）$m_x-m_y$平面上不同初始磁化状态的磁化弛豫结果。绿点和红点是分别对应于$m=\hat{x}$和$m=-\hat{x}$的弛豫状态。这里，各向异性场和饱和磁化强度的比值为1，吉尔伯特阻尼常数$\alpha =0.01$

The precessional switching mechanism of a nanomagnet subject to the STT effect is a two step process. In the first step, the magnetization undergoes out-of-plane precession due to the spin current polarized in $\hat{\mathbf{z}}$ direction, and enters the high energy region. In the second step, the spin current is switched off after the magnetization has completed a quarter precession around $\hat{\mathbf{z}}$, and the magnetization undergoes relaxation oscillations toward one of the equilibrium points. Since dissipative effects result in a decrease of the magnetic free energy, the time evolution of relaxations within any shaded region inevitably leads to the equilibrium point inside that region. But for our case, the magnetization relaxation starts in the white region, so depending on the initial conditions it may settle to one of the two stable points in the shaded regions. The number of green and red dots inside the high energy region in Fig. 5.5b is roughly the same, resulting in a 50% probability of relaxation to either stable state.

受STT效应影响的纳磁体的进动切换机制是一个分两步的过程: 1、由于自旋电流在$\hat{\mathbf{z}}$方向极化，磁化向面外进动，进入高能区。2、在磁化完成围绕$\hat{\mathbf{z}}$的四分之一进动后，自旋电流关闭，并且磁化经历了朝向其中一个平衡点的弛豫振荡。由于耗散效应会导致自由磁能的衰减，因此任何阴影区域内弛豫演进时间都不可避免地趋向该区域内的平衡点。但在本例中，磁化弛豫从白色区域开始，所以根据初始条件，它可能在阴影区域的两个稳定点之一稳定下来。图5.5(b)中高能区内的绿点和红点数量大致相同，导致弛豫到任一稳定状态的概率为50%。

5.4.2 Implementation
The precessional switching-based TRNG device is constructed from an MTJ arrangement as shown in Fig. 5.4a. The MTJ stack consists of a magnetic polarizer whose equilibrium magnetization vector is oriented in the perpendicular direction, while the free and fixed magnetic layers have their equilibrium magnetization vectors oriented in the plane of the film. A non-magnetic copper spacer separates the free layer from the polarizer, while an MgO tunnel barrier is used to separate the free and fixed layers. The free layer is a CoFeB ferromagnet while the fixed layer is composed of a CoFeB/Ru/CoFeB stack. The material and geometrical parameters of the MTJ stack used for simulations in this case study are listed in Table 5.1.

5.4.2 实现

基于进动切换的TRNG器件由MTJ装置构成，如图5.4(a)所示。MTJ层由一个磁极化器组成，其平衡磁化矢量在垂直方向上，而自由和固定磁层的平衡磁化矢量在薄膜平面上。非磁性铜隔离器将自由层与偏振器分开，而MgO隧道势垒用于分离自由层和固定层。自由层为CoFeB铁磁，固定层由CoFeB/Ru/CoFeB堆叠构成。表5.1列出了本案例研究中用于模拟的MTJ堆叠的材料和几何参数。

On applying a bias to the MTJ stack, a current flows through the bottom layer, which polarizes the spins in the incoming current and orients them orthogonal to the magnetization of the free ferromagnet. This polarized spin current then causes the free ferromagnet magnetization to precess out-of-plane and reach the bistable region. Here, the magnetization vector sees two equivalent basins of attraction on both sides, and could switch to either configuration with a 50% probability, as shown in Fig. 5.6.

在MTJ堆叠上施加偏置，电流流经底层，使进入电流中的自旋极化，并使其方向与自由铁磁体的磁化方向正交。这种极化自旋电流使得自由铁磁体的磁化向面外进动并到达双稳区。此时磁化矢量的两侧出现两个等效的引力盆地，并且可以以50%的概率切换到任一配置，如图5.6所示。

Table 5.1 Geometrical and material parameters of the MTJ stack

表5.1 MTJ堆叠的几何与材料参数

Fig. 5.6 The magnetization of the central free layer (green), taken out-of-plane into the bistable region through the application of electric current, can switch to either of the two equilibria with an equal probability

图5.6 通过施加电流，从面外进入双稳态区域的中心自由层（绿色）的磁化可以以相等的概率切换到两个平衡中的任何一个

Fig. 5.7 (a) TRNG circuit. RE and WE are the read and write enable signals, respectively. The sampling circuit consists of a sense amplifier and a D flip-flop (b) XOR ladder of TRNG units. Each of the M’s is an individual TRNG circuit

图5.7（a）TRNG电路。RE和WE分别是读取和写入使能信号。采样电路由一个读出放大器和一个D触发器组成（b）TRNG单元的XOR梯形图。每个M框都是一个单独的TRNG电路

Depending on whether the final magnetization of the free ferromagnet is parallel or anti-parallel with respect to the top reference layer magnetization, the device enters its low-resistance (LR) or high-resistance (HR) mode of operation, respectively. Now, a read bias ($V_{read}$) applied on the potential divider configuration of transistor T1 and the MTJ will result in a high or low voltage level, respectively, at the output node ($V_{out}$) connected to the sampling circuit. This output voltage is compared with a reference voltage, and the corresponding bit (1 or 0) is produced by the sampling circuit (Fig. 5.7a). The reference voltage is chosen to lie between the high and low voltage levels generated from the MTJ stack. This provides sufficient low and high noise margins for signal detection even in the presence of mismatch in the differential pair transistors of the sense amplifier in the sampling circuit.

根据自由铁磁体的最终磁化方向相对于顶部参考层是平行还是反平行，器件分别进入低电阻(LR)或高电阻(HR)工作模式。在晶体管T1和MTJ的电位分压器配置上施加读偏置($V_{read}$)，可在与采样电路相连接的输出节点($V_{out}$)上，分别输出高或低电压电平。将该输出电压与参考电压进行比较，可由采样电路产生相应的比特位(1或0)(图5.7a)。参考电压可选择在MTJ堆叠产生的高低电压电平之间。这样即使在采样电路中的感测放大器的差分对晶体管中存在不匹配的情况下，也可为信号检测提供了足够的高低噪声裕度。

It is customary to XOR the outputs of two TRNG units with one another to augment the Shannon entropy, since XOR has the property of entropy accumulation [Mat93] (Fig. 5.7b). This ensures the swellness of the random bits produced and also makes the TRNG more robust and less vulnerable to corruption of any single entropy source. Even if any of the entropy sources fail, the XORed output will still be random enough to be used in applications requiring a high quality of randomness. Note that the binary sequences generated by the individual TRNG units are uncorrelated, since the entropy sources (driven by thermal noise) for the individual units are uncorrelated themselves.

通常将两个TRNG单元的输出相互异或以增加香农熵，因为异或具有熵积累的性质Mat93。这确保了产生的随机比特的膨胀性，也使TRNG更健壮，更不容易受到任一熵源失效的影响。即使某一熵源失效，TRNG异或输出仍然是足够随机的，此性质可用于需要高质量随机性的应用。请注意，由单个TRNG单元生成的二进制序列是不相关的，因为单个单元的熵源(由热噪声驱动)本身也是不相关的。

To simulate the circuit-level behavior of the precessional switching-based TRNG circuit, physics-based models of the ferromagnets, interfaces, and the complete MTJ device are developed in SPICE. The SPICE circuit implementation of a nanomagnet subject to thermal effects and spin torque is shown in Fig. 5.8. This circuit models the magnetization of the nanomagnet in one particular direction (x, y, or z), and the other two magnetization directions are implemented similarly. The magnetization $m_i$ is modeled as the node voltage of a capacitor, and the effective field inside the nanomagnet is represented as a dependent current source. Detailed circuit derivations can be found in prior works [Bon+14, MNY12]. The MTJ SPICE model is integrated with the CMOS circuitry in 45 nm technology to obtain the full TRNG circuit. BSIM4 Level 54 models are used for the transistors in the circuit. Convergence to the implicit midpoint Stratonovich solution of the s-LLGS equation [ARR16] is obtained through the trapezoidal SPICE solver, with a minute time step (1 fs). Further, the layout for the circuit is constructed to obtain the postlayout area.

为了模拟基于进动切换的TRNG电路的电路级行为，可在SPICE中开发铁磁体、接口和完整MTJ器件的物理模型。受热效应和自旋扭矩影响的纳磁铁的SPICE电路实现如图5.8所示。该电路模拟纳磁铁在一个特定方向(x, y或z)的磁化，其他两个磁化方向也可类似地实现。磁化强度$m_i$被建模为电容器的节点电压，纳磁体内部的有效场被表示为依赖的电流源。详细的电路推导可以在之前[Bon+14, MNY12]中找到。MTJ SPICE模型与45纳米技术的CMOS电路集成，可获得完整的TRNG电路。电路中的晶体管采用BSIM4 Level 54型号。通过梯形SPICE求解器可得到s-LLGS方程[ARR16]隐式中点Stratonovich解的收敛，时间步长为（1 fs）。此外，可构造电路的布局以获得后布局区域。

Fig. 5.8 SPICE implementation of the nanomagnet in one specific direction. Here, $m_i$ is treated as a voltage, while the magnetic fields acting on the nanomagnet are represented through a voltage source $H_{eff}$. The effect of STT on the nanomagnet is modeled using the current source, f . See [Bon+14] for implementation details

图5.8 纳磁体在一个特定方向上的SPICE实现。此处$m_i$视为电压，作用在纳磁体上的磁场由电压源$H_{eff}$表示，STT对纳磁体的影响用电流源f建模，可参阅[Bon+14]了解实现细节

5.4.3 Benchmarking Randomness and Performance

After determining the entropy source and designing the TRNG circuit, it is crucial to test the quality of random numbers generated from the circuit. A simple preliminary test to evaluate whether the TRNG meets the expected standards is to analyze the autocorrelation of the bit streams generated. For the precessional switching-based TRNG in Sect. 5.4.2, the autocorrelation of samples of 10,000 bits extracted from a large bit stream (one million bits), churned out by the TRNG at 300 K, is investigated. Figure 5.9, which highlights the results of this analysis, shows that the average autocorrelation of the samples at various lags (ranging from 1 to 50) is negligible. This preliminary study gives a sense of whether the TRNG is indeed functioning as expected, with further comprehensive NIST randomness tests to follow.

5.4.3 随机性和性能基准

在确定了熵源并设计了TRNG电路之后，测试电路产生的随机数的质量是至关重要的。评估TRNG是否满足预期标准的一个初步的简单测试是：分析生成的比特流的自相关值。对第5.4.2节中提出的基于进动切换的TRNG，这里研究了在300 K时，从TRNG生成的大比特流(一百万比特)中采样10,000比特得出的自相关值。图5.9突出显示了该分析的结果，显示在不同滞后(从1到50)时采样的平均自相关性可以忽略不计。这项研究初步考察了TRNG是否如预期工作，随后还需要做进一步全面的NIST随机性测试。

Fig. 5.9 Average autocorrelation of 10 bit streams (10,000 bits long) generated by the proposed TRNG at 300 K, at various lags

图5.9 待分析的TRNG在300k时产生的10比特流(10,000比特长)在各种滞后条件下的平均自相关值

5.4.3.1 NIST Tests for Randomness

The NIST’s SP 800-22 statistical test suite for the validation of RNGs [Ruk+01] is used to test bit streams of a million bits. This test suite comprises 15 different tests to evaluate various aspects of randomness for the TRNG considered (See Appendix 2). Each of these tests has an associated figure-of-merit called a p-value, whose expressions can be found in [Ruk+01]. The bit streams to be evaluated are generated from a CUDA-C LLGS solver, which models a nanomagnet switching under the action of STT through the precessional switching mechanism. Further, this test is performed for bit streams generated from all process and temperature corners to appraise the PVT performance of the TRNG. A total of 10 binary sequences are tested for each scenario. The results from these tests for nominal process and ±10% process variability at 300, 200, and 400 K are shown in Fig. 5.10, highlighting the fact that the device operation is insensitive to variations around the nominal process conditions. Here, the ±10% process variation is considered in the thickness of the free ferromagnet. For a thin-film nanomagnet, variations in the thickness would represent the worst case scenario since this is the dimension that has the most impact on the energetics of the magnet, as compared to variability in the length or width, or in the CMOS process. The generated bit streams (10/10 proportion of sequences) pass all the NIST tests for the various process and temperature corners, where a pass is deemed to be a p-value ≥ 0.01, implying 99% confidence levels. For the tests which produce multiple p-values, although individually all of them are above 0.01, the plots in Fig. 5.10 only show the average p-value. Hence, the precessional switching-based TRNG is very robust and reliable, and can operate within a temperature range of 200–400 K and process variations of +10% to −10% without any distortions in the entropy. The entropy source itself is not dependent on thermal effects, and could operate outside of 200–400 K as well; however, the analysis is limited to this range since any physical on-chip TRNG would be functioning well within these limits.

5.4.3.1 NIST随机性测试

NIST用于验证 RNG 的SP 800-22统计测试套件[Ruk+01]，可用于测试规模到百万比特的比特流。该测试套件包括15个不同的测试项，用于评估所考察的TRNG随机性的各个方面(见附录2)。每个测试都有一个相关的品质因数（figure-of-merit），称为p值，其表达式可在[Ruk+01]中找到。待评估的比特流由CUDA-C LLGS求解器生成，该求解器通过进动切换机制模拟了STT作用下的纳磁体切换。此外，还对所有工艺和温度角产生的比特流进行了测试，以评估TRNG的PVT性能。每个测试场景各测试10组二进制序列。图5.10 展示了在300k、200k和400k下标称工艺和±10%工艺变化的测试结果，明确表明器件运行对标称工艺条件周围的变化不敏感。在这里，自由铁磁体的厚度考虑了±10%的工艺变化。对于纳磁薄膜，厚度的变化代表了最坏的情况，因为与长度或宽度变化或CMOS工艺相比，这是对磁体能量学影响最大的因素。TRNG生成的比特流(10/10 比例序列)通过了各种工艺和温度角条件下的所有NIST测试，其中p值≥0.01视为通过，意味着99%的置信水平。对于可产生多个p值的测试集，可能有部分测试大于0.01，不过图5.10的曲线只显示平均p值。因此，基于进动切换的TRNG非常健壮和可靠，其可以在200-400 K的温度范围内工作，也可以在+10%到-10%的工艺变化范围内工作，而不会造成熵的任何畸变。熵源本身不依赖于热效应，也可以在200-400k以外运行，但在这里，分析仅限于此范围，因为任何物理片上TRNG都可以在此范围内正常工作。

Fig. 5.10 NIST test suite results for the TRNG at 300 K for different process corners. The individual tests are (1) Frequency (monobit), (2) Block frequency, (3) Runs, (4) Longest runs of 1’s, (5) Binary matrix rank, (6) DFT, (7) Non-overlapping template, (8) Overlapping template, (9) Maurer’s universal, (10) Linear complexity, (11) Serial, (12) Approximate entropy, (13) Cumulative sums, (14) Random excursions, and (15) Random excursions variant. (a) 300 K, nominal process. (b) 300 K, +10% process. © 300 K, −10% process. (d) 200 K, nominal process. (e) 200 K, +10% process. (f) 200 K, −10% process. (g) 400 K, nominal process. (h) 400 K, +10% process. (i) 400 K, −10% process

图5.10 NIST 测试套件在300K不同工艺角下TRNG的测试结果。其中：(1)频率测试(单比特)，(2)块内频数测试，(3)游程测试，(4)单块最长运行测试，(5)二元矩阵秩测试，(6)离散傅里叶变换测试，(7)非重叠模块匹配测试，(8)重叠模块匹配测试，(9)Maurer的通用统计测试，(10)线性复杂度测试，(11)序列测试，(12)近似熵测试，(13)累加和测试，(14)随机游动测试，(15)随机游动状态频数测试。(a) 300k，标称工艺。(b) 300 K，+10%工艺。© 300 K，-10%工艺。(d) 200k，标称工艺。(e) 200k， +10%工艺。(f) 200k，-10%工艺。(g) 400k，标称工艺。(h) 400k， +10%工艺。(i) 400k，-10%工艺

5.4.3.2 Performance Metrics

The most significant metrics that characterize the performance of a TRNG are (1) the number of random bits it can produce in unit time or its bit-rate, (2) the energy required to produce a single random bit, (3) its average power consumption, and (4) its on-chip area for a given technology node. In this section, the performance metrics for the precessional switching-based TRNG described in this case study, are quantified.

5.4.3.2 性能指标

表征TRNG性能的最重要指标是(1)在单位时间内或比特率内可以产生的随机比特数，(2)产生单个随机比特所需的能量，(3)平均功耗，以及(4)给定技术节点的片上面积。本节案例研究中描述的基于进动切换的TRNG的性能指标是可量化的。

In the damping switching mechanism, the injected spin current has a polarization that is collinear to the initial magnetization and easy axis of the ferromagnet. Hence, the initial STT originating from this spin current is very small, and it builds up as the angle between the spins and the magnetization vector increases. This results in a sluggish and gradual switching and, therefore, the bit-rate of such a device operating on damping switching is low. For the precessional switching-based TRNG, since the spin current is applied with spins polarized orthogonal to the initial magnetization vector of the ferromagnet, the STT generated is large; hence, the switching is rapid as compared to the damping switching mechanism.

在阻尼切换机制中，注入的自旋电流具有与铁磁体初始磁化强度和易轴共线的极化方向。因此，自旋电流产生的初始STT非常小，并且随着自旋与磁化矢量之间角度的增加而增加，导致切换是缓慢和渐进的。因此，这种基于阻尼切换的器件的比特率很低。对于基于进动切换的TRNG，由于施加自旋电流的自旋极化方向与铁磁体初始磁化矢量正交，因此产生的STT较大，与阻尼切换机制相比，这种切换是高速的。

Fig. 5.11 Magnetization reversal of ${\hat{m}}_x$ of the free nanomagnet at 300 and 200 K. Also shown are the magnetization vectors ${\hat{m}}_y$ and ${\hat{m}}_z$, which undergo precessional oscillations

图5.11 自由纳磁体在300K 和200K时的磁反转 以及 正经历进动振荡的磁化矢量${\hat{m}}_y$ 和 ${\hat{m}}_z$

Table 5.2 Performance metrics of the precessional switching-based TRNG at various temperatures. The temperature is varied only for the thermal field of the MTJ free ferromagnet and not for the CMOS circuit. Hence for a fixed bias, the power does not vary with temperature

表5.2 基于进动切换的TRNG在不同温度下的性能指标。温度只对MTJ自由铁磁体的热场有变化，而对CMOS电路没有变化。因此，对于固定偏压，功率不随温度变化

The temporal evolution of the magnetization of the free ferromagnet is shown in Fig. 5.11. The average switching delay of the free ferromagnet magnetization at 300 K and the total delay of the TRNG device after the sampling process are 3.29 and 3.41 ns, respectively. The CMOS post-processing takes only about 3% of the total delay, while the main limitation in performance stems from the nanomagnet dynamics. The various performance metrics of the TRNG at different temperatures are listed in Table 5.2. The obtained bitrate of 293 Mbps (at 300 K) is significantly higher than that of the Spin Dice [Fuk+14] (0.6 Mbps) and the metastable ring oscillator-based TRNG [Vas+08] (140 Mbps). Further, the considered device is inherently stochastic due to the precessional dynamics and, hence, requires minimal post-processing after the random bit is generated. In contrast, the damping switching-based designs [Fuk+14] require additional post processing to ensure high quality of randomness due to their small operating range (current bias) and susceptibility to process and temperature variations on the chip.

自由铁磁体磁化强度随时间的演变如图5.11所示。300k时自由铁磁体磁化的平均切换延迟和采样后TRNG器件的总延迟分别为3.29 和 3.41ns。CMOS后处理仅占总延迟的3%左右，而性能的主要限制源于纳磁体动力学。TRNG在不同温度下的各项性能指标参见表5.2。这里得出的比特率为293 Mbps(在300 K时)，显著高于自旋骰子[Fuk+14] (0.6 Mbps)和基于亚稳环振荡器的TRNG [Vas+08] (140 Mbps)。此外，由于进动动力学所考虑的器件本身是随机的，因此，在随机比特生成后，需要很少的后处理操作。相比之下，基于阻尼切换的设计[Fuk+14]，因为它们的工作范围小(电流偏置)，并且对芯片上的工艺和温度变化敏感，因此需要额外的后处理操作以确保高质量的随机性。

5.5 Closing Remarks

TRNGs are a crucial aspect of modern computing and communication systems, and form the cornerstone for numerous security and cryptographic solutions. The design of an efficient, robust, and reliable on-chip TRNG is vital for secure processor architectures and security chips. This chapter introduces the process of constructing such a TRNG from emerging device-based entropy sources. The types of entropy sources and the factors involved in choosing a suitable source are first identified. This is followed by a brief review of seminal emerging device-based TRNGs and a case study detailing the stepwise implementation of a spintronics TRNG. The insights gained from this chapter are intended to provide the reader with an understanding of the intricacies of designing a TRNG system as well as a notion of what constitutes a good TRNG implementation.

5.5 结束语

TRNG是现代计算和通信系统的一个重要方面，也是许多安全和加密解决方案的基石。设计高效、稳健、可靠的片上TRNG对于安全处理器架构和安全芯片至关重要。本章介绍了从基于新兴器件的熵源构建此类TRNG的过程。本章首先介绍了熵源的类型和选择合适的熵源所涉及的因素，随后简要回顾了一些开创性的基于新兴器件的TRNG，并详细介绍了自旋电子学TRNG的实现步骤。本章的内容旨在让读者了解设计TRNG系统的复杂性，以及什么样的实现是好的TRNG实现。

Appendix 1
The dynamics and performance of the majority of spin-based devices are modeled using the stochastic Landau–Lifshitz–Gilbert–Slonczewski (s-LLGS) equation. This equation describes the temporal evolution of the magnetization vector, M, of a monodomain nanomagnet under the effects of magnetic fields, STT, and thermal noise [Slo96, RS08, SZ02]. Mathematically, the s-LLGS equation is given as

附录1

大多数基于自旋的器件的动力学和性能是使用随机Landau-Lifshitz-Gilbert-Slonczewski（s-LLGS）方程建模的。该方程描述了单畴纳磁体的磁化矢量M在磁场，STT和热噪声[Slo96，RS08，SZ02]影响下的随时间演变的过程。在数学上，（s-LLGS）方程表示为：

where $H_{eff}$ is the effective magnetic field experienced by the nanomagnet, α is the dimensionless Gilbert damping constant, I s is the applied spin current, q is the elementary charge, and other quantities are as defined previously.

其中$H_{eff}$是纳磁体经历的有效磁场，$\alpha$是无量纲吉尔伯特阻尼常数，$I_s$是施加的自旋电流，$q$是基本电荷，其他量如前所述。

The first term on the right hand side (RHS) in Eq. (5.1) is the conservative precessional torque that governs the precession of the magnetization vector around the effective field acting on the nanomagnet. This effective field comprises the magnetocrystalline anisotropy field, the shape anisotropy field, and the external applied field. A Langevin field hr = hxxˆ + hyyˆ + hzzˆ, representing Gaussian white noise, is added into the effective field in the s-LLGS equation to model thermal noise. The second term on the RHS in (5.1) is the Gilbert damping torque, which is responsible for damping the precessions of the magnetization vector and eventually relaxing it to one of its stable states [dAq05]. The final term on the RHS in Eq. (5.1) is the Slonczewski spin torque arising from the deposition of spin angular momentum by the itinerant electrons of the spin-polarized current. For simplicity of analysis, Eq. (5.1) is often transformed into its dimensionless form, expressed as

方程（5.1）右值（RHS）的第一项是守恒的进动力矩，它控制作用在纳磁体上的有效场周围磁化矢量的进动。该有效场包括磁晶各向异性场、形状各向异性场和外部施加场。将表示高斯白噪声的Langevin场$h_r=h_x\hat{x}+h_y\hat{y}+h_z\hat{z}$添加到s-LLGS方程中的有效场中，以对热噪声进行建模。方程（5.1）右值第二项是吉尔伯特阻尼力矩，它负责阻尼磁化矢量的进动，并最终弛豫回其稳定态之一[dAq05]。方程右值最后一项是Slonczewski自旋矩，由自旋极化电流的流动电子的自旋角动量沉积产生。为了简化分析，方程（5.1）通常被转换为其无量纲形式，表示为：

where we have the normalized quantities $m=\frac{M}{M_s}$、$m=\frac{H_{e}ff}{M_s}$ 和 $i_s=\frac{I_s}{I}$ Here,
the scaling factor, I , for spin current is defined as $I=q\gamma {\mu }_0{M}_s{N}_s$. The time scale is normalized using the factor $(\gamma \mu 0Ms{)}^{-1}$. The advantages of the normalized equation
Eq. (5.2) over Eq. (5.1) are: (a) it is easier to deal with normalized quantities in terms of numerical complexity, and (b) normalized entities are mathematically well behaved under the application of a numerical scheme. The explicit form of Eq. (5.2)
obtained by decoupling $dm/dt$ is given as

其中$m=\frac{M}{M_s}$、$m=\frac{H_{e}ff}{M_s}$ 和 $i_s=\frac{I_s}{I}$是标量，自旋电流的比例因子I定义为$I=q\gamma {\mu }_0{M}_s{N}_s$。时间尺度使用因子$(\gamma \mu 0Ms{)}^{-1}$进行标准化。这里（5.2）优于（5.1），原因是：（a）在数值复杂性方面标量更容易处理，以及（b）在应用数值格式时，标准化实体在数学上表现良好。对 $dm/dt$ 去耦，可得到方程（5.2）的如下形式：

To model the thermal field in s-LLGS, it in expressed in terms of the Wiener process as $H_T(t)dt=\nu dW(t)$ [Aqu+06], where $W(t)$ is the Wiener process, and $\nu =\sqrt{\frac{2\alpha K_{b}T}{{\mu }_0{M}_s^{2}V}}$
[Sun06, MNY12]. Here, $K_{b}T$ is the thermal energy. The statistical properties of this thermal field discussed by Brown and Kubo are given as [Bro63,KH70]
(1) The mean thermal field: $⟨H_{T,i}(t)⟩=0$,
(2) The correlation between the components of $H_T(t)$ defined over a time interval $\tau$ ,

为了对s-LLGS中的热场进行建模，可用Wiener过程将其表示为 $H_T(t)dt=\nu dW(t)$ [Aqu+06]，其中 $W(t)$ 为Wiener过程，$\nu =\sqrt{\frac{2\alpha K_{b}T}{{\mu }_0{M}_s^{2}V}}$ [Sun06, MNY12]。$K_{b}T$为热能。Brown和Kubo讨论的这个热场的统计性质可表示为 [Bro63,KH70]：
(1) 平均热场 $⟨H_{T,i}(t)⟩=0$，
(2) 在时间间隔$\tau$ 上定义的$H_T(t)$ 分量之间的相关性，

where ${\delta }_{ij}$ is the Kronecker delta function. To simulate the thermal effects numerically, the model is discretized in time

其中${\delta }_{ij}$是Kronecker delta方程，为了对热效应进行数值模拟，对模型进行时间离散化：

where $\Delta W(t)=W(t+\Delta t)-W(t)$. The normalized standard deviation of the thermal field is given by
其中 $\Delta W(t)=W(t+\Delta t)-W(t)$，热场的标准化偏差由下式给出：

where $\Delta t$ is the time step of the numerical method used and $t’ = (γμ_0M_s)t $. We then have
其中 $\Delta t$ 是所用数值方法的时间步长，且 $t’ = (γμ_0M_s)t $，可得：

where the normalized thermal field $h_T=H_T/M_s$, and $\xi t\sim N(0,1)$ is a standard Gaussian vector.
Now, the total normalized effective field is given as
其中 $h_T=H_T/M_s$ 是标准化后的热场，$\xi t\sim N(0,1)$是标准高斯矢量，标准化后的完整的有效场如下；

Appendix 2
A brief description of the various tests encompassed in the NIST SP 800-22 statistical test suite [Ruk+01] is given below.

1. Frequency (Monobit) Test: Evaluates proportion of ones and zeroes in the entire sequence.
2. Frequency Test within a Block: Divides entire sequence into n-bit blocks and then evaluates proportion of ones within each n-bit block.
3. Runs Test: Evaluates the number of uninterrupted runs of identical bits in the sequence.
4. Test for the Longest-Run-of-Ones in a Block: Determines the longest uninterrupted sequence of ones in n-bit blocks.
5. Binary Matrix Rank Test: Constructs disjoint sub-matrices of the entire sequence and then evaluates their rank.
6. Discrete Fourier Transform (DFT) Test: Detects periodic features and peaks in the DFT spectrum of the sequence.
7. Non-overlapping Template Matching Test: Matches the sequence against m-bit target string templates in a non-overlapping fashion and returns the number of such occurrences.
8. Overlapping Template Matching Test: Matches the sequence against m-bit target string templates in an overlapping fashion and returns the number of such occurrences.
9. Maurer’s Universal Statistical Test: Identifies similar patterns in the sequence and then evaluates the number of bits between such matching patterns.
10. Linear Complexity Test: Calculates the length of a linear feedback shift register for the sequence.
11. Serial Test: Determines the frequency of all possible overlapping n-bit patterns in the sequence.
12. Approximate Entropy Test: Determines the frequency of all possible overlapping n-bit and (n+1)-bit patterns in the sequence and compares them against statistics for an ideal random sequence.
13. Cumulative Sums Test: Converts the sequence of ones and zeroes to (1,−1) and then calculates the maximum excursion (from 0) of a random walk defined by the cumulative sum of the new sequence.
14. Random Excursions Test: Evaluates the number of states having K visits in the cumulative sum random walk defined in the previous test.
15. Random Excursions Variant Test: Evaluates the number of visits to various states in the cumulative sum random walk defined in the previous tests.

附录2

NIST SP 800-22统计测试套件[Ruk+01]中包含的各项测试简述如下：

1. 频率测试(单比特)：计算整个序列中1和0的比例。
2. 块内频数测试：将整个序列划分为多个n位的块，然后分别计算每个块中的1的占比。
3. 游程测试：计算序列中连续比特出现次数。
4. 单块最长游程测试：计算之前n位块中的比特1最长游程。
5. 二元矩阵秩测试：构造序列的不相交子矩阵，然后计算矩阵的秩。
6. 离散傅立叶变换（DFT）测试：检测序列的DFT频谱中的周期性特征和峰值。
7. 非重叠模板匹配测试：以非重叠的方式将序列与m位目标字符串模板匹配，并计算此类字符串出现的次数。
8. 重叠模板匹配测试：以重叠的方式将序列与m位目标字符串模板匹配，并计算此类字符串出现的次数。
9. Maurer的通用统计测试：识别序列中的相似模式，然后计算这些匹配模式中间的比特数。
10. 线性复杂度测试：计算序列的线性反馈移位寄存器的长度。
11. 序列测试：确定序列中所有可能重叠的n位模式的频率。
12. 近似熵测试：确定序列中所有可能重叠的n位和（n+1）位模式的频率，并与理想随机序列的统计数据进行比较。
13. 累加和测试：将（1，0）的序列转换为（1，−1），然后计算由新序列的累加和定义的随机游动的最大偏移（从0开始）。
14. 随机游动测试：计算在先前测试中定义的累加和随机游动中，有K次访问的状态的数量。
15. 随机游动变量测试：计算在先前测试中定义的累积和随机游动中，对不同状态的访问次数。

References

[Aqu+06] M. d’Aquino et al., Midpoint numerical technique for stochastic Landau-LifshitzGilbert dynamics. J. Appl. Phys. 99(8), 08B905 (2006)

[ARR16] S. Ament, N. Rangarajan, S. Rakheja, A practical guide to solving the stochastic Landau-Lifshitz-Gilbert-Slonczewski equation for macrospin dynamics. Preprint. arXiv:1607.04596 (2016)

[Ber+03] G. Bertotti et al., Comparison of analytical solutions of Landau–Lifshitz equation for “damping” and “precessional” switchings. J. Appl. Phys. 93(10), 6811–6813 (2003)

[BMS03] G. Bertotti, I.D. Mayergoyz, C. Serpico, Critical fields and pulse durations for precessional switching of thin magnetic films. IEEE Trans. Magn. 39(5), 2504–2506 (2003)

[Bon+14] P. Bonhomme et al., Circuit simulation of magnetization dynamics and spin transport. IEEE Trans. Electron Dev. 61(5), 1553–1560 (2014)

[Bro63] W.F. Brown Jr, Thermal fluctuations of a single-domain particle. J. Appl. Phys. 34(4), 1319–1320 (1963)

[BSM13] G. Bertotti, C. Serpico, I.D. Mayergoyz, Probabilistic aspects of magnetization relaxation in single-domain nanomagnets. Phys. Rev. Lett. 110(14), 147205 (2013) References 121

[Bus+11] P.J. Bustard et al., Quantum random bit generation using stimulated Raman scattering. Opt. Exp. 19(25), 25173–25180 (2011)

[dAq+15] M. d’Aquino et al., Analysis of reliable sub-ns spin-torque switching under transverse bias magnetic fields. J. Appl. Phys. 117(17), 17B716 (2015)

[dAq05] M. d’Aquino, Nonlinear magnetization dynamics in thin-films and nanoparticles. PhD thesis. Università degli Studi di Napoli Federico II, 2005

[Fio+07] M. Fiorentino et al., Secure self-calibrating quantum random-bit generator. Phys. Rev. A 75(3), 032334 (2007)

[Fuk+14] A. Fukushima et al., Spin dice: A scalable truly random number generator based on spintronics. Appl. Phys. Exp. 7(8), 083001 (2014)

[Gab+10] C. Gabriel et al., A generator for unique quantum random numbers based on vacuum states. Nat. Photonics 4(10), 711–715 (2010)

[Ike+10] S. Ikeda et al., A perpendicular-anisotropy CoFeB–MgO magnetic tunnel junction. Nat. Mater. 9(9), 721–724 (2010)

[Jer+17] M. Jerry et al., Stochastic insulator-to-metal phase transition-based true random number generator. IEEE Electron Dev. Lett. 39(1), 139–142 (2017)

[Jia+17] H. Jiang et al., A novel true random number generator based on a stochastic diffusive memristor. Nat. Commun. 8(1), 1–9 (2017)

[KH70] R. Kubo, N. Hashitsume, Brownian motion of spins. Prog. Theor. Phys. Suppl. 46, 210–220 (1970)

[KKD20] A.I. Khan, A. Keshavarzi, S. Datta, The future of ferroelectric field-effect transistor technology. Nat. Electron. 3(10), 588–597 (2020)

[Lee+18] K. Lee et al., TRNG (True Random Number Generator) method using visible spectrum for secure communication on 5G network. IEEE Access 6, 12838–12847 (2018)

[Liu+10] H. Liu et al., Ultrafast switching in magnetic tunnel junction based orthogonal spin transfer devices. Appl. Phys. Lett. 97(24), 242510 (2010)

[LZ03] Z. Li, S. Zhang, Magnetization dynamics with a spin-transfer torque. Phys. Rev. B 68(2), 024404 (2003)

[Mat93] M. Matsui, Linear cryptanalysis method for DES cipher, in Workshop on the Theory and Application of of Cryptographic Techniques (Springer, Berlin, 1993), pp. 386–397

[MM09] A.T. Markettos, S.W. Moore, The frequency injection attack on ring-oscillator-based true random number generators, in International Workshop on Cryptographic Hardware and Embedded Systems (Springer, Berlin, 2009), pp. 317–331

[MMS17] H. Mulaosmanovic, T. Mikolajick, S. Slesazeck, Random number generation based on ferroelectric switching. IEEE Electron Dev. Lett. 39(1), 135–138 (2017)

[MNY12] S. Manipatruni, D.E. Nikonov, I.A. Young, Modeling and design of spintronic integrated circuits. IEEE Trans. Circuits Syst. I Regul. Pap. 59(12), 2801–2814 (2012)

[Neu19] D. Neustadter. True random number generators for heightened security in any SoC (2019). https://www.synopsys.com/designware-ip/technical-bulletin/true-random-number-generator-security-2019q3.html

[Par+20] K.H. Park et al., High rate true random number generator using beta radiation, in AIP Conference Proceedings, vol. 2295. 1 (AIP Publishing LLC, 2020), p. 020020

[RPR17] N. Rangarajan, A. Parthasarathy, S. Rakheja, A spin-based true random number generator exploiting the stochastic precessional switching of nanomagnets. J. Appl. Phys. 121(22), 223905 (2017)

[RS08] D.C. Ralph, M.D. Stiles, Spin transfer torques. J. Magn. Magn. Mater. 320(7), 1190– 1216 (2008)

[Ruk+01] A. Rukhin et al., NIST special publication 800-22. A statistical test suite for random and pseudorandom number generators for cryptographic applications (2001)

[Slo96] J.C. Slonczewski, Current-driven excitation of magnetic multilayers. J. Magn. Magn. Mater. 159(1), L1–L7 (1996). ISSN: 0304-8853. https://doi.org/10. 1016/0304-8853(96)00062-5. http://www.sciencedirect.com/science/article/pii/ 0304885396000625

[Sun06] J.Z. Sun, Spin angular momentum transfer in current-perpendicular nanomagnetic junctions. IBM J. Res. Dev. 50(1), 81–100 (2006)

[SZ02] M.D. Stiles, A. Zangwill, Anatomy of spin-transfer torque. Phys. Rev. B 66(1), 014407 (2002)

[UA+08] A. Uchida, K. Amano et al., Fast physical random bit generation with chaotic semiconductor lasers. Nat. Photonics 2(12), 728–732 (2008)

[Vas+08] I. Vasyltsov et al., Fast digital TRNG based on metastable ring oscillator, in International Workshop on Cryptographic Hardware and Embedded Systems (Springer, Berlin, 2008), pp. 164–180

[Wei+16] Z. Wei et al., True random number generator using current difference based on a fractional stochastic model in 40-nm embedded ReRAM, in 2016 IEEE International Electron Devices Meeting (IEDM) (IEEE, Piscataway, 2016), pp. 4–8

[XZS05] J. Xiao, A. Zangwill, M.D. Stiles, Macrospin models of spin transfer dynamics. Phys. Rev. B 72(1), 014446 (2005)

[Yan16] C.A.O. Yang, Securing hardware random number generators against physical attacks. KU Leuven (2016). https://www.esat.kuleuven.be/cosic/publications/thesis-272.pdf