This article has been accepted for inclusion in a future issue of this journal.

Content is final as presented, with the exception of pagination.

IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS 1

A New Energy-Efficient and High Throughput

Two-Phase Multi-Bit per Cycle Ring
Oscillator-Based True Random
Number Generator
Yuan Cao , Member, IEEE, Xiaojin Zhao , Senior Member, IEEE, Wenhan Zheng,
Yue Zheng , Member, IEEE, and Chip-Hong Chang , Fellow, IEEE

Abstract— Oscillator-based elementary true random number Correlation Factor (ACF) test and bias. The mean redundancy of
generator (TRNG) uses a slow jittery ring oscillator (RO) to the ten tested chips is measured to be less than 10−5 bit/symbol.
sample a fast RO. The ROs are always on but most of the
oscillatory cycles of the fast RO are not sampled into random Index Terms— True random number generator, low energy
bits. In this paper, a new lightweight TRNG design is proposed consumption, current starved ring oscillator.
to minimize the power wasted by the superfluous oscillations.
Random bits are extracted from both phases of the slow ROs to I. I NTRODUCTION
increase the throughput and the fast RO is activated only during
the narrow transition time difference between two symmetrically
designed slow ROs. The slow jittery ROs are implemented using
M ANY modern cryptographic applications rely heavily
on the unpredictable random numbers for security
enhancement [1]. Encryption keys, hash salts, Monte Carlo
current starved inverters biased in the weak inversion region
to reduce their power consumption. Their jitter amplitudes are simulations, initialization parameters, session IDs, and nonce
increased by lowering the oscillation frequency and reducing in authentication protocols are all produced based on random
the drain current of the transistors. The narrow jittery pulse number generators (RNGs). Unfortunately, most of the crypto-
generated by the differential pair of slow ROs is quantized by graphic systems do not have a reliable source of real random
the fastest three-stage RO. Two random bits from each phase of
the jittery ROs can be extracted by using a gigahertz dynamic bit stream [2]. Pseudo random number generators (PRNGs)
toggled D flip-flop counter to count the number of oscillatory are usually employed to generate random numbers at the speed
cycles of the fast RO. The proposed TRNG is fabricated in a required by modern digital computers. PRNG is essentially a
standard 65 nm 1.2 V CMOS process. Measurement results of mathematical model or formula whose output is completely
the fabricated chips show that the proposed TRNG consumes decided by its initial state, more often known as “seed”.
merely 260 µW at a bit rate of 52 Mbps. It outperforms the state-
of-art on-chip jitter-based TRNGs with the best figure-of-merit It has a finite periodicity bounded by its number of states.
of 5 pJ/bit and the smallest footprint of 366 µm2 . Its generated Albeit statistically sound and can be easily realized with digital
bit sequence passes the statistical randomness tests including logic for custom integrated circuit implementation, PRNG is
National Institute of Standards and Technology (NIST) test, Auto vulnerable for security-critical applications as the unknown
state can be easily predicted once the seed is known [2], [3].
Manuscript received February 9, 2021; revised May 12, 2021; accepted As opposed to PRNG, true random number generator (TRNG)
June 1, 2021. This work was supported in part by the Fundamental
Research Funds for Natural Science Foundation of Jiangsu Province under is a hardware security primitive that can produce independent
Grant BK20191160, in part by the Open Research of the State Key Lab- and identically distributed (i.i.d) random numbers from a
oratory of Computer Architecture under Grant CARCH201901, in part by fundamentally non-deterministic physical process. TRNG is
the QingLan Project, Changzhou Science and Technology Program under
Grant CJ20200071 and Grant 2020029, in part by the Guangdong Basis non-periodic, or more precisely, it has infinite number of states.
and Applied Basic Research Foundation under Grant 2021A1515011488, It meets the security goal of the most demanding white box
in part by the Fundamental Research Foundation of Shenzhen under cryptography as its output is unpredictable even when all the
Grant JCYJ20190808151819049, and in part by the Shenzhen-Hong Kong
Joint Innovation Foundation under Grant SGDX20190919094401725. design information such as algorithms, schematics, operations,
This article was recommended by Associate Editor M. M. Kermani. etc., are known to the adversaries [4]. TRNG is now widely
(Corresponding authors: Xiaojin Zhao; Chip-Hong Chang.) used in not only cryptography, but also Markov Chain Monte
Yuan Cao is with the College of Internet of Things Engineering, Hohai
University, Changzhou 213022, China (e-mail: [email protected]). Carlo analysis, neural network simulation, industrial labeling,
Xiaojin Zhao and Wenhan Zheng are with the College of Electronics statistical testing, gambling, election auditing, etc., where a
and Information Engineering, Shenzhen University, Shenzhen 518060, China number of deterministic PRNGs are found to exhibit artifacts
(e-mail: [email protected]).
Yue Zheng and Chip-Hong Chang are with the School of Electrical and that make them less reliable and secure than expected to
Electronic Engineering, Nanyang Technological University, Singapore 639798 generate adequate results [4], [5]. With the increase in demand
(e-mail: [email protected]). to move the applications into the resource-constrained IoT
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TCSI.2021.3087512. edges, so is the demand for lighter, faster and lower power
Digital Object Identifier 10.1109/TCSI.2021.3087512 TRNG [6].
1549-8328 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

2 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS

Silicon TRNGs are attractive because they are low-cost for

mass production and easy for integration. Most silicon TRNGs
harvest natural or stochastic noise by the following four
methods. First, direct amplification of the random noise is a
widely used method to produce TRNGs. For instance, thermal
noise in semiconductor devices is a good source of randomness
as it is frequency-independent and technology-invariant [1],
[7]–[9]. However, as thermal noise is often very weak,
a wide-bandwidth and high-gain amplifier is required which
can consume significant power and area. To raise the thermal
noise to a measurable level, Matsumoto et al. [10] proposed
to add a SiN layer in a standard CMOS process. The ampli- Fig. 1. Structure and timing of oscillator-based elementary TRNG.
fier area is reduced with no quality checker employed at
the cost of an extra expensive SiN mask. Recently, another
TRNG based on thermal noise amplification is proposed by oscillators (CSROs) with a symmetric layout. The jittery phase
Bae et al. [11]. It utilizes a common-mode comparator and difference of the CSRO pair is manifested as a random pulse
the sampling uncertainty of a D flip-flop (DFF) to generate width modulated waveform. Its narrow non-deterministic pulse
true randomness. It can work at a very high speed, i.e., duration is used to trigger a fast RO into oscillation for a brief
3 Gb/s, but the power consumption is as high as 5 mW, duration. The two least significant bits of the quantized pulse
which is not suitable for IoT devices with low power budget. duration are extracted by counting the oscillatory cycles of the
Besides, an external high-speed and power-hungry clock gen- very fast RO with an ultra-high-speed counter implemented
erator is also required for sampling the asynchronous input by custom extended true single phase clock (E-TSPC) DFFs.
at 3 Gb/s. Random telegraphic noise (RTN) in single oxide This has cut down a large number of superfluous oscillations
trap of MOSFETs can also be utilized for random number from the fast RO. To further increase the jitter noise and
generation [12]–[14]. The drawback is that RTN is naturally reduce the power consumption, the CSROs are biased in the
a very slow random signal, even with all the acceleration weak inversion (subthreshold) region. The proposed TRNG is
techniques. Second, metastability in cross-coupled inverters, fabricated in a standard 65 nm 1.2 V CMOS process. The
latches and SRAMs can also be used to generate a random TRNG chip occupies an area of only 366 μm2 . Measurement
bit stream at a high bit rate [15]–[17]. The major problem results from ten chips show a high bit rate of 52 Mbps, and a
with this random source is that it necessitates a complex low power consumption of only 260 μW, resulting in Figure of
post-processing unit to eliminate the systematic bias due to Merit (FoM) of 5 pJ/b. The produced bit streams have passed
manufacturing process variations. The third entropy source all the bias, autocorrelation and National Institute of Standards
is the clock jitter of free running ring oscillators (ROs) [4], and Technology (NIST) tests.
[18]. It offers high flexibility and simplicity in its extractor The remainder of the paper is organized as follows. The
implementation. Elementary jitter-based TRNG uses the slow circuit implementation of the proposed CSRO based TRNG
jittery frequency clock to sample the fast jittery clock, but and the min-entropy analysis are presented in Section II. The
additional power-hungry clock generators are required to pro- measurement results are evaluated and discussed in Section III.
vide adequate jitter variations. Yang et al. [19] proposed a Finally, the conclusion is drawn in Section IV.
jitter-based TRNG that uses the oscillation collapse in a double
edge injected RO, which exhibits good randomness and good
process variation tolerance. The last category of TRNGs is II. R ANDOM P ULSE -W IDTH M ODULATED
based on chaotic system described by deterministic equations. O SCILLATOR -BASED TRNG
Defined using a chaotic map and a bit generation function, Jitter variance of ROs have been widely used as an entropy
these TRNGs can provide a long-term unpredictability because source for the design of TRNGs [4], [18], [24]. As shown
they are extremely sensitive to the initial conditions [20]–[22]. in Fig 1, an oscillator-based elementary TRNG typically
However, the map characteristics are also susceptible to PVT consists of a slow RO, a fast RO and a DFF as a sampler [4].
variations, resulting in degradation of randomness in real-time The fast RO is sampled by the jittery slow RO to produce
operation. The bit rate of the deterministic post-processing a random bit stream. This TRNG is flexible and easy to
functions that can generate nearly i.i.d bits from this process implement. However, it has a major drawback of a high power
is limited by its entropy rate. It turns out that the optimal bit dissipation by the superfluous oscillations of the fast RO that
generation function for achieving the highest possible entropy are not sampled into random bits. In addition, the time interval
rate from a map function is non-trivial to implement. Hence, to accumulate the jitter must be kept as short as possible
such TRNGs usually occupy large silicon area and consume to minimize jitters contributed by correlated noise sources
great power. but long enough to accumulate sufficient uncorrelated thermal
This paper presents a compact and energy-efficient noise jitters. To achieve a high throughput rate under this
jitter-based TRNG design [23]. The entropy of the pro- constraint, the fast RO must stay free running throughout
posed TRNG is extracted from the jitter noise contributed and its frequency must be much higher than that of the
by both phases of two free running current starved ring slow RO. This causes the power consumption of the TRNG

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

CAO et al.: NEW ENERGY-EFFICIENT AND HIGH THROUGHPUT TWO-PHASE MULTI-BIT PER CYCLE RO-BASED TRNG 3

Fig. 2. Building blocks of the proposed TRNG.

Fig. 4. Schematics of (a) regular inverter and (b) current starved inverter.

a larger variance than the thermal noise induced jitters may

be introduced by the correlated noises. This may degrade the
entropy of the high-order bits extracted from the quantized
pulse duration of C. If the counter length L is too long, several
higher order bits of the counter output may not very much in
multiple read cycles, as shown in the penultimate waveform
N in Fig. 3. The effect is akin to a long accumulation time of
the elementary TRNG depicted in Fig. 1. To preserve only the
dynamic entropy, only the least significant bits, the number
of which depends on the frequency of the fast regular RO
Fig. 3. Timing diagrams of the proposed TRNG.
and the jitter amplitude of the CSROs, will be retained.
To eliminate any monotonic correlation, the counter length
must be sufficiently shortened so that at least one reset will
to be dominated by the superfluous oscillatory cycles of the occur within one cycle of waveform C, as depicted in the last
fast RO. waveform N of Fig. 3. This has a similar effect as keeping
To minimize the power wasted in superfluous oscillations the accumulation time shorter in the elementary TRNG, but
by the power-hungry fast RO, this section presents a com- it poses less constraint on the throughput than using a DFF
pletely different oscillator-based TRNG architecture, as shown as sampler. In what follows, the design considerations of each
in Fig. 2. It consists of two CSROs with an identical layout, block are elaborated.
an XOR gate, a three-stage standard inverter RO (this RO is
referred to as regular RO henceforth) and an L-bit counter.
Instead of using a DFF as a sampler, the difference between the A. Symmetric Current Starved Ring Oscillators
transitions of two symmetric CSROs is turned into a random A CSRO exhibits greater jitter noise amplitude than a
pulse-width modulated signal. The timing waveforms at A, B, regular RO, as demonstrated in [23]. Each CSRO in the
C, D and N of the proposed TRNG are illustrated in Fig. 3. proposed TRNG consists of one NAND gate and eight current
The inverters in the CSROs are biased to operate in the weak starved inverters. The NAND gate is equivalent to a regular
inversion region to maximize the jitter noise, which contributes inverter with the EN signal asserted high. A nine-stage CSRO
predominantly to the random pulse duration of the waveform is formed when EN = 1. As illustrated in Fig. 4, two extra
at C. As shown in Fig. 3, when the EN signal is high, transistors are added to a regular inverter to construct a current
both CSROs start to oscillate simultaneously. The random starved inverter. Due to their low electromagnetic radiation,
pulse-width modulated waveform at node C is generated by the interference and coupling effect between the two CSROs
taking the difference, i.e., XOR, of the outputs, A and B, of the are minimized [25]. Besides, the oscillation frequency of the
two matched CSROs. The two narrow pulses of C generated CSRO is tunable by biasing the working currents of the current
in each cycle of the CSRO pairs are used to trigger the very starved inverters. The bias voltages V p and Vn control the
high-speed regular RO. The number of oscillatory cycles at charging current and discharging current, respectively, of the
node D is proportional to the stochastically varying pulse current starved inverter. The two NMOS transistors and one
width of C. If the jitter amplitude is large and the resolution of PMOS transistor in the shaded region of Fig. 4(b) are used
the pulse width quantization is high, then multiple random bits to produce the biasing voltages V p and Vn on chip, and are
can be extracted per jittery interval by counting the number of shared with other current starved inverters to minimize the
oscillatory cycles of waveform D. Ideally, the variable pulse silicon area and power consumption.
width of C is contributed by the uncorrelated noise sources of The static entropy contributed by the process variation of the
matched CSROs. Any incoherence between the two CSROs CSROs can be minimized by symmetric layout and frequency
due to the intra-die process variations or device aging will tuning. In fact, the biasing provides a mechanism to fine tune
add a static or slow temporal deviation to it. Consequently, the CSROs’ frequencies to eliminate their frequency mismatch

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

4 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS

Fig. 6. (a) The schematic and (b) the layout of the XOR gate.

Fig. 5. (a) Simulated frequency versus bias voltage V p , (b) flow chart for
matching the CSROs. depicted in Fig. 5(b) to reduce the time and cost of tuning. The
tuning of the CSRO frequency should be performed once upon
chip fabrication to eliminate the small frequency mismatch due
due to the manufacturing process variability. The small fixed to intra-die variations and during maintenance. With several
frequency mismatch between the two CSROs due to the possible implementations of low-power and low-area tunable
intra-die process variations has been significantly minimized voltage references in CMOS technology [29]–[31], these bias
by the symmetric layout [26] at design time. It can be further voltages can be made adjustable on chip easily for security
eliminated by tuning the bias voltages of the CSROs upon chip and IoT edge applications. It is noted that the randomness
fabrication. The first order estimate of the oscillation frequency contributed by the minute phase difference due to the intra-die
f 0 of the RO can be formulated as [27]: process variations, if any after tuning, is periodic and cannot be
ID counted towards the true entropy of the proposed TRNG. This
f0 = (1)
C M VD D static entropy will not affect the original jitter amplitude but
where C, M, V D D are the total load capacitance, the number extends the oscillatory duration of the regular RO by a small
of stages and power supply voltage, respectively. constant offset. Hence, the lower order bits of the quantized
The drain current I D of the CSRO operating in the sub- phase variation are still unpredictable due to the strong jitter
threshold region is given by [28]: appears in each edge of the pulse at node C. The regular RO
  will oscillate for a random number of cycles in every interval
VG S when C is high. Since the number of cycles of the regular
I D = I0 exp (2)
ξ VT RO is sufficiently high in each active interval, the counter
where I0 is a constant proportional to W/L, ξ is a non-ideality length can be shortened so that the LSBs extracted in each
factor larger than 1, VT is the thermal voltage, and VG S is the counting cycle are contributed predominantly by the jitter. The
gate to source voltage, which is equal to V D D − V p for the omitted count of the spurious oscillations of the regular RO
PMOS bias. will contribute to a small excess power consumption.
By substituting (1) into (2), the oscillation frequency can To convert the timing jitters between the two symmetrically
be written as: designed CSROs into a random pulse width modulated signal,
  an XOR gate is used. It is implemented with the minimum
I0 VD D − V p
f0 = exp (3) length transistor to minimize the parasitics and maximize the
C M VD D ξ VT drivability. The XOR gate is designed by a mirror CMOS
Fig. 5(a) shows the simulated frequency of a nine-stage logic circuit with centroid symmetric layout to ensure a fully
CSRO versus the bias voltage V p , (Vn = 1.2 − V p ). The symmetric and uniform layout. The schematic and layout of
running frequency decreases logarithmically with V p . This the XOR gate are shown in Fig. 6.
provides a means for the CSROs to adapt to the frequency mis-
match due to the intra-die process variations. Fig. 5(b) depicts
a simple control program to tune the CSROs. The two CSROs B. Pulse Width Quantizer
are coarsely tuned to a desired frequency. Two counters are To quantize the narrow random pulse width with a very high
used to count the number of cycles of the two CSROs. The resolution, the frequency of the regular RO should be made
counter outputs, N A and N B , are compared after a certain as high as possible so that it can produce many oscillatory
time t. If N A is not equal to N B , the bias of CSRO B will cycles within the very narrow jittery interval. The minimum
be adjusted until the two frequencies are almost equal. This number of stages of an RO is three. Therefore, the regular
calibration is independently applied to each chip after produc- RO is designed to have two inverters and one NAND gate.
tion. The tuned V p and Vn voltages may differ subtly between The NAND gate acts as an inverter when the XOR gate
two chips since process variations may affect the oscillation output is high. All gates are designed to operate in the
frequency of the same CSRO in each chip differently. There superthreshold region. The characteristics of the quantizer
is a tradeoff between the tuning time and tuning resolution. is simulated in Fig. 7. The total jitter στ decreases with
The longer the counting time, the finer the frequency it can the oscillation frequency of the CSRO continuously but the
measure, and the closer the frequency match when N A = N B . number of extractable random bits is discrete. Consequently,
The matching process can be automated by the procedure there is a range of frequencies for which the same number of

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

CAO et al.: NEW ENERGY-EFFICIENT AND HIGH THROUGHPUT TWO-PHASE MULTI-BIT PER CYCLE RO-BASED TRNG 5

Fig. 8. Implementation of an ultra-high-speed 2-bit E-TSPC counter and the

schematic of an E-TSPC DFF.
Fig. 7. Simulated results of quantizer characteristics.

random bits can be extracted per cycle with a given CSRO

frequency and jitter amplitude.
According to [27], the randomness R of an oscillator-based
TRNG is defined as the uncertain zones in a period as follows:
στ
R= = στ f s (4)
τ
where τ  and f s are the period and frequency, respectively,
Fig. 9. Timing diagrams of the E-TSPC DFF of asynchronous counter.
of the fast RO. The larger the value of R, the higher the
randomness that can be extracted from the jitter.
Given the oscillation period τ  of the fastest 3-stage regular
RO of the target process, the randomness can be met by a 2-bit C. Extended True Single Phase Clock (E-TSPC)
Asynchronous Counter
quantizer (L = 2) with wider frequency range of CSROs,
lower power consumption and higher bit rate than a one-bit Fig. 8 shows the implementation of a very high-speed 2-bit
or three-bit quantizer. The bit rate of a TRNG depends on the counter, where each DFF is configured as a divide-by-two
number of random bits that can be extracted per cycle and the toggle FF by feeding its Q output back to its D input.
frequency of the jittery clock, i.e., the CSROs in this case. As the oscillation frequency of the 3-stage regular RO has
Unfortunately, these are two conflicting factors because the an oscillation frequency of around 10 GHz based on our sim-
number of quantized bits in each clock phase is proportional ulation, static CMOS logic implementation is too slow. Hence,
to the jitter amplitude whereas the jitter amplitude is inversely dynamic ratioed logic is used for the DFF implementation in
proportional to the frequency of the CSRO. Once the number the divide-by-two counter, as shown in Fig. 8.
of extracted bits per clock phase is decided, the bit rate of the True single-phase clock (TSPC) is adopted to avoid the
TRNG can be determined by: Bit rate = 2 × Frequency of the clock skew problem when operating the dynamic latch at very
CSRO × Number of extracted bits per clock phase. The factor high frequency. E-TSPC is an extension of TSPC by using
2 accounts for the fact that the frequency of the XOR output only one instead of two clocked transistors per stage to further
of the two CSROs is twice the frequency of a CSRO. The jitter reduce the RC delay [32]. With reference to the schematic of
sequences at the rising and falling edges in each cycle of the the E-TSPC DFF circuit in Fig. 8 and timing diagram in Fig. 9,
CSROs contribute to the frequency doubling and the much the divide-by-two clock Q is obtained by feeding the signal
smaller duty cycle of the jittery XOR output. In order to use Q of the DFF back to the D input. Assume that Q is low
a higher L constrained by the maximum frequency f s of the initially, then D = Q will precharge E to V D D to turn off the
fast regular RO, the jitter amplitude στ2 has to be increased. PMOS transistor of the second dynamic latch. By sizing the
Due to the large reduction in CSRO frequency to increase στ2 PMOS transistor larger than its NMOS transistor, the output
for a 3-bit quantizer, it has no gain in bit rate over a 2-bit E of the first dynamic latch can be kept high while the NMOS
quantizer except the reduction in its power consumption. This transistor is turned on. Now, the voltage at node F depends on
is validated by the simulation results in Fig. 7, where the bit the clock signal C. If C is high, F is low and Q will remain
rate at f3 is approximately 5MHz × 3b × 2 = 30Mbps. This low; if C is falling, F will retain its logic state, which enables
is less than half the bit rate at f2 , which is approximately the PMOS transistor in the third stage to precharge Q more
17MHz × 2b × 2 = 68Mbps. The saving in CSRO power for quickly to V D D . The next rising edge of the clock signal causes
L = 3 is also offset by the increase in power consumption node E to switch from high to low. The state of F will be
of the regular RO and the counter due to the longer counting retained when C is still high. Node F of the second dynamic
period. The CSRO will be biased to operate near but below latch will be precharged to V D D when C is falling, which
the upper bound of the tolerable frequency range for a 2-bit in turns switches the output Q from high to low. The above
quantizer determined by the simulated τ  . process repeats with the feedback of Q to D. The ratioing of

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

6 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS

NMOS and PMOS transistors trades static power consumption Based on discrete Fourier transformation, we can have:
for speed, as indicated by the shaded regions of Fig. 9. 
γ1 (−h)e−2πih(μt +x) e−2π σ h t
2 2 2
P1,x (t) = (8)
D. Minimum Entropy of the Proposed TRNG h∈Z

The unpredictability of the random output numbers can be where P1,x (t) = P(B(t) = 1|ϕ(0) = 2π x). The Fourier
measured by its entropy [1]. The theoretical minimum (lower coefficient γ1 is expressed as:
boundary) entropy of the proposed TRNG can be derived  1
based on a phase-domain stochastic model for RO-based γ1 (h) = g1 (x)e−2πihx d x, h ∈ Z (9)
0
TRNG [33]. We only consider the white noise in this model.
Since the current of CMOS transistors in weak inversion is From (8) and (9), the Shannon entropy is given by:
much smaller than that in strong inversion, it is assumed      
H (B(t)|ϕ (0)) = −P1,x log2 P1,x − 1−P1,x log2 1− P1,x
that white noise dominates the spectrum according to [27].
4  
e−4π σ t + O e−6π σ t
2 2 2 2
We assume that the XOR gate output. We assume that the = 1− 2 (10)
XOR gate output has an initial phase ϕ(t0 ) and its future π ln (2)
phase differences at any time t > t0 are independent of the Therefore, the min-entropy for a 1-bit quantizer can be
past phase values at any time t  ≤ t. The evolution of ϕ(t0 ) written as [33]:
can be modeled by a Wiener process, i.e., a one-dimensional 4
e−4π
2σ 2t
Brownian motion as in [33] with a Gaussian distribution Hmin,1 = 1 − (11)
π 2ln (2)
N(ϕ (t0 ) + μ(t − t0 ), σ 2 (t − t0 )) for any time t > t0 , where the
mean μ and standard deviation σ represent the percentage drift The min-entropy of the proposed TRNG depends on the
and percentage volatility, respectively, of the Brownian motion. randomness quality factor Q = σ 2 t [33]. Q is defined as the
This process can be described by the following conditional accumulated jitter variance between two consecutive samples.
density of probability [33]: The parameter t is the time interval error of the accumulated
jitter, which is the deviation of the actual period from the ideal
d  
P ϕ(t) ≤ x| ϕ(t0 ) = x 0 , ϕ(t  )t  <t0 = . . . period of an oscillator. The maximum value of t is the period
dx of the XOR output of the two CSROs. A longer t implies a
1 −(x − x 0 − u(t − t0 ))2
= √ exp( ) (5) larger accumulated jitter, hence a larger entropy of the TRNG.
σ 2π(t − t0 ) 2σ 2 (t − t0 ) Equivalently, with an L-bit quantizer, the sampling resolution
 
where x 0 denotes the phase corresponding to t0 and ϕ t  t  <t is increased by 2 L−1 and ϕ(t) follows a Gaussian distribution
N(ϕ (t0 ) + 2 L−1 μ(t − t0 ), 22(L−1)σ 2 (t − t0 )). Consequently,
0
is the phase at a time t  prior to t0 . The dots (…) denotes an
arbitrary set of values. the proposed quantization method has a randomness quality
If an L-bit counter is used to quantize the phase function x factor Q L = 22(L−1) Q. The min-entropy for an L-bit quantizer
of the XOR gate output voltage, each bit of the counter output then can be written as:
is a random variable B(t) at time t. It can be expressed as: 4
e−4π 2
2 2(L−1) σ 2 t
⎧ Hmin,L = 1 − 2 (12)
⎪ 1 π ln (2)
⎪
⎪ 0, x mod 1 ∈ (0, n )
⎪
⎪ 2
⎪
⎪ 1 2
Equation (12) shows that the min-entropy of the proposed
⎪
⎪ ∈ ( , )
⎪
⎪ 1, x mod 1 TRNG is dependent on two parameters, i.e., the quality factor
⎪
⎪ 2n 2n
⎪
⎪ 2 3 Q and the number of extractable random bits L. To improve
⎨ 0, x mod 1 ∈ ( n , n ) the entropy of the TRNG, we can either increase the quality
Bn (t) = 2 2 (6)
⎪ 3 4 factor or extract more random bits. Q can be increased by
⎪
⎪ 1, x mod 1 ∈ ( n , n )
⎪
⎪ 2 2 exploiting the higher jitter variance σ 2 of CSROs biased in
⎪
⎪ ..
⎪
⎪ . the subthreshold region. Q can also be increased by extending
⎪
⎪
⎪
⎪ 2n − 1 the time interval error of the accumulated jitter at the expense
⎪
⎪ 1
⎩ 0 or 1, x mod 1 ∈ 0, n , · · · , of throughput penalty.
2 2n
where Bn (t) is the n-th bit of the counter. x mod 1 = x −x/1
III. E XPERIMENTAL R ESULTS
is the fractional part of x, where a is the largest integer less
than or equal to a. The proposed TRNG is fabricated in standard 65 nm 1.2 V
For the simple case of counter length L = 1, a probability CMOS process. Fig. 10 shows the chip microphotograph of the
function g1 (x) (or g0 (x) = 1 − g1 (x)) corresponding to fabricated TRNG and its layout. The active area of the TRNG
B(t) = 1 (or B(t) = 0) can be defined for a given value is only 366 μm2 (36.6 μm × 10 μm). Ten dies are packaged
x of phase at time t: and mounted on the PCB. The control and timing signals are
⎧ generated externally from an Altera Cyclone IV FPGA board.
⎪
⎪ x mod 1 ∈ (0, )
1
⎪
⎪ 0, A 20G sample/s high-speed real-time oscilloscope is used to
⎪
⎨ 2 observe the waveforms of the circuit. The temperature chamber
1
g1(x) = 1, x mod 1 ∈ ( , 1) (7) (Espec SU262) is used as an accurate thermal environmental
⎪
⎪ 2
⎪
⎪ 1 emulator to evaluate the TRNG performance over an operating
⎪
⎩ 0or1, x mod 1 ∈ 0,
2 temperature range of −50 to 130◦C. Power supply voltage

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

CAO et al.: NEW ENERGY-EFFICIENT AND HIGH THROUGHPUT TWO-PHASE MULTI-BIT PER CYCLE RO-BASED TRNG 7

Fig. 12. One million (1000 × 1000) full-entropy output bits generated by
the proposed TRNG at 1.2V and 27◦ C.

Fig. 10. Die micrograph and layout of the proposed TRNG test chip
fabricated in 65 nm CMOS technology.

Fig. 13. Amplitude spectrum of FFT with Hanning window on 1M measured

samples.

Fig. 11. Measured output waveform of the TRNG with 13 MHz sampling
clock at 1.2V, 27 ◦ C. entropy calculated from the measured outputs implies that
the mean redundancy of the ten tested chips is less than
10−5 bit/symbol. Besides, we have also run the transient noise
variation is obtained by tuning the Keithley triple channel DC simulation with the PDK provided by the foundry in the
source. The raw data collected by the FPGA are processed Cadence Spectre environment to estimate the min-entropy of
and evaluated by the MATLAB script running on the personal the design. The simulation parameters are set as f min = 1 kHz,
computer. Fig. 11 depicts a small portion of the measured f max = 1 GHz and Scale = 1. The simulated randomness
output stream and its output clock at a sampling frequency quality factor Q is 0.0702. By substituting this value into (12),
of 13 MHz. the min-entropy is 0.9810 per bit.
Speckle-like patterns are produced by systems where ran-
A. Entropy Test dom interference occurs. Speckle pattern is a useful visual-
To achieve full-entropy, every n-bit pattern should have ization of random phenomenon that is not observable over
a uniform probability of occurrence approaching 2−n as space but in time. Fig. 12 shows the speckle pattern of these
n → ∞. The entropy H of the bit stream generated by a one million consecutive raw bits. The ‘0’ bits are represented
TRNG can be calculated by [1]: by black dots and the ‘1’ bits by white dots. If the speckle
pattern is either too faint or too dark, or exhibits any regularity,
H = −( plog2 ( p) + (1 − p)log2 (1 − p)) (13) it implies that the generated bitstream is not random.
where p is the probability that the bit takes on a specific binary
B. Fast Fourier Transform Test
value of ‘0’ or ‘1’ [34].
One million consecutive raw bits were generated by the pro- We perform the Fast Fourier Transform (FFT) with Hanning
posed TRNG at the nominal working condition (1.2 V, 27 ◦ C). window on the collected raw bit sequence of 1,000,000 bits,
With one million bits generated from each chip, the average with a sampling frequency of 13 MHz. The result in Fig. 13
entropy of ten chips is calculated to be 0.999998 by (13). Its shows a flat amplitude spectrum within half of the sampling
corresponding redundancy is defined as R = 1−H /Hmax [35], frequency, implying that there is no periodic component in the
where H is the entropy of the set of states in question output bitstream.
with a priori probabilities for each state and Hmax is the
maximum entropy for the same number of states. R measures C. Bias Test
the fractional difference between the entropy of an ensemble A bias test is used to measure the robustness of the
and its maximum possible entropy. In other words, the average proposed TRNG against process variations. It is performed

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

8 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS

TABLE II
NIST P UB 800-22 T EST R ESULTS ON THE S EQUENCE OF B ITS O BTAINED
F ROM E ACH OF THE T WO I NDEPENDENT C OUNTER O UTPUT B ITS AND
THE B INARY T WO -T UPLES G ENERATED BY THE P ROPOSED TRNG

Fig. 14. Bias test results of the TRNG output bit streams of the ten fabricated
chips.

TABLE I
NIST P UB 800-90B T EST R ESULTS

the min-entropy values computed by the non-IID estimators

of NIST 800-90B are still high and close to our theoretical
estimation. The results corroborate that the proposed TRNG
meets the entropy requirement for cryptographic applications.
Besides, the results of each of the two individual counter
output bits and their binary tuples are presented in Table II.
Each of the two independent output bits and the final two-tuple
output of the TRNG passed all the NIST 800-22 tests
(P-Val χ 2 > 0.01) without any post-processing.

E. Autocorrelation Test
with 1,000,000 samplings from the raw output of the proposed Autocorrelation function (ACF) test is a statistical tool
TRNG at the nominal condition. The bias is defined as: that can be used for testing if a random number generator
can produce independent random numbers in a sequence.
Bi as = | p0 − p1 | /2 (14) It computes the autocorrelation between every k numbers (k is
where p0 and p1 are the probabilities of occurrence of ‘0’ and the lag) starting with the i -th number (i is the index). Given
‘1’, respectively in the bit sequence. a time series y1 , . . . , yn , the ACF can be formulated as [38]:
The percentages of 1s and 0s of each bit of the counter γk
ρk = (15)
output for the ten fabricated chips are shown in Fig. 14. The γ0
percentages of ‘1’s and ‘0’s occurred in the two output bits where γk = cov(yi , yi+k ) is the covariance of the two random
of the counter are almost equal (close to 50%). The biases of variables yi and yi+k , and γ0 is the variance of the stochastic
most chips fall below 0.1%, and the maximum bias is only process. Autocorrelation of 1,000,000 consecutive bits with
0.14% for the left bit of chip number 3. This indicates that lags of 1 to 5000 shows the absence of hysteresis measured
the calibrated (by the procedure shown in Fig. 5(b)) TRNG within the 95% confidence bound of a Gaussian distribution,
chips have good robustness against process variations. as depicted in Fig. 15. The autocorrelation factor (ACF)
fluctuates between −0.002 and 0.002. The low ACF bound
D. National Institute of Standards and Technology Test demonstrates that the proposed TRNG is highly resilient to
correlation analysis attack.
NIST 800-90B [36] and 800-22 [37] randomness test suites
with the recommended settings are used for the randomness
test. 20M raw bits from each output bit of the counter are F. Temperature and Supply Rejection
collected and tested. Table I shows the test results of NIST Besides statistical tests, we also test the proposed TRNG on
800-90B. It passed the four independent and identically dis- its stability against temperature and supply voltage variations.
tributed (IID) tests and the ten non-IID tests. Although careful The tests are conducted on each chip after the frequency
symmetric layout and biasing of CSROs in the subthreshold mismatch of its CSROs has been tuned out by the proposed
region have greatly reduced the cross-coupling of two CSROs, matching process, which is performed once upon chip fabrica-
the interference cannot be totally eliminated. Nevertheless, tion. Fig. 16 and Fig. 17 present the measurement results of the

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

CAO et al.: NEW ENERGY-EFFICIENT AND HIGH THROUGHPUT TWO-PHASE MULTI-BIT PER CYCLE RO-BASED TRNG 9

Fig. 18. Setup for the locking attack by a periodical signal injection.
Fig. 15. Autocorrelation measurements of 1M consecutive bits.

Fig. 19. Measured impacts of (a) supply noise frequency, and (b) amplitude
on the FFT results of the XOR output.

Fig. 16. Measured bias of bit sequence against (a) temperature and (b) supply
voltage variations. frequency. Once locked, the RO’s natural frequency becomes
irrelevant. The jitter in the injection signal will propagate
equally to all oscillations, impairing any TRNG that compares
jitter between oscillators. It is observed that the XOR output
of the two CSROs may have a propensity to exhibit periodic
patterns with high injected noise. This may degrade the ran-
domness of the TRNG output. Fig. 19 illustrates the impacts
of injected supply noise frequency and amplitude on the FFT
results of XOR gate output. In Fig. 19(a), the frequency
is swept with the amplitude fixed at 0.4 V. The FFT peak
amplitude is the largest when the noise frequency is around
the oscillation frequency fo and it decreases when the noise
frequency is away from f o . In Fig. 19(b), the noise frequency
is set to be the same as the CSRO’s oscillation frequency fo .
When the amplitude exceeds 0.2 V, the XOR output shows a
peak above the noise floor at f o . The amplitude of this peak
Fig. 17. Measured ACF @ 95% confidence against (a) temperature and
(b) supply voltage variations. increases with the amplitude of the injected noise.
From the experiment, our TRNG can resist the frequency
injection attack when the noise amplitude is smaller than 0.2 V.
bias of the bit sequence and ACF test results, respectively with Attack with noise intensity of 0.2 V and above is not stealthy
10% V D D variations of supply voltage, and for the temperature and may increase failure rate of other functional modules in the
range between −50◦C and 130◦C. The result shows that the same chip. To protect the design from the attack over a larger
bitstream of 0.1 M bits generated by the proposed TRNG range of noise, decoupling capacitors can be placed close to
maintains a very low bias and ACF over a wide range of the power rail or around the CSROs in the layout [18]. The
working temperature and voltage fluctuations. decoupling capacitor acts as a low pass filter to filter out the
possible injection of resonance frequency in the circuitry.
G. Locking Attack by a Periodical Signal Injection
Most oscillators based TRNGs are susceptible to locking H. Bit Rate and Energy Efficiency
attack by a periodical signal injection [39]. The setup is shown The working frequency can be adjusted by the biasing
in Fig. 18. An RO can be excited to be locked at its resonance voltage V p and Vn of the current starved inverter. To test

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

10 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS

TABLE III
P ERFORMANCE C OMPARISON W ITH O THER S TATE - OF - THE -A RT TRNG D ESIGNS

Fig. 20. Energy efficiency and power consumption versus clock rate.

the energy efficiency, V p and Vn are each connected to an

input pad. Fig. 20 shows the changes in energy efficiency and
power consumption versus bit rate. The power consumption is
Fig. 21. Comparisons of (a) energy per bit, and (b) bit rate versus area.
relatively constant and increases very slowly when the bit rate
is below 10 Mbps. This is because the power consumption
is dominated by other components of the TRNG circuit among all the oscillator jitter-based TRNG designs. Besides,
instead of the CSROs when they are operating at 2.5 MHz its energy-efficiency is highly competitive based on its FoM
(for a bit rate of 10 MHz) or lower frequency. As energy of 5 pJ/bit. The performance in terms of area and speed can be
efficiency is inversely proportional to bit rate, there is room further improved if more advanced process such as 40 nm [19]
for improving the energy efficiency by operating the CSROs is used for prototyping the proposed design. We also plotted
at a higher frequency. However, the margin for improvement the bit-energy efficiency (pJ/b) and bit rate (bps) against
in energy efficiency will reduce when the CSRO frequency the area in the top and bottom point charts, respectively of
exceeds 2.5 MHz. Eventually, when the frequency of the Fig. 21. The proposed design has the highest bit rate and
CSRO exceeds 13 MHz, the jitter noise has reduced to an lowest bit energy consumption among all jitter-based TRNGs.
extent that only one random bit of the 2-bit counter can be It also occupies the minimum area among all designs in
sampled by the three-stage regular RO. The proposed TRNG comparison, which is very attractive for resource-constrained
can work at a bit rate of 2 × 13 MHz × 2 bits = 52 Mbps IoT and energy-constrained portable devices. Moreover, not
with a power consumption of 260 μW. The energy efficiency all TRNGs can pass all the NIST tests without any post
is calculated to be 5 pJ/b. The throughput and energy efficiency processing like ours. Typically, jitter-based TRNGs without
reported in our preliminary design in [23] were obtained supply decoupling capacitor can be vulnerable to frequency
from pre-layout simulation with standard buffer inverter load, attack but not all designs in comparison have experimentally
whereas the results reported in this section were obtained evaluated their inherent resistances against periodic signal
by physical measurements from actual fabricated chips. This injection locking attack. In Table III, ‘Yes’, ‘No’ and ‘NA’
TRNG is implemented as a stand-alone chip with the output in frequency attack resistance refer to the inherent resilience
of the TRNG core directly driving the IO pad. Besides the up to certain level of noise injection, vulnerable and unknown
parasitic capacitances and resistances, the higher capacitive (not tested), respectively.
load of the IO pads also contributed to the reduced throughput
and increased power consumption. IV. C ONCLUSION
In this paper, a new energy-efficient oscillator-based TRNG
I. Performance Comparison is proposed. It extracts the randomness from the jitter noise of
The performances of the proposed TRNG are summarized CSROs. The jitter noise is boosted by lowering the oscillation
and compared with state-of-the-art TRNGs in Table III. frequency and reducing the charging and discharging currents
The proposed TRNG shows the highest bit rate of 52 Mbps of the CSRO. A three-stage regular RO with a fast oscillation

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

CAO et al.: NEW ENERGY-EFFICIENT AND HIGH THROUGHPUT TWO-PHASE MULTI-BIT PER CYCLE RO-BASED TRNG 11

frequency, together with a high-speed E-TSPC DFF based [17] S. Srinivasan, S. Mathew, V. Erraguntla, and R. Krishnamurthy,
asynchronous counter are used to quantize the jitter into a “A 4Gbps 0.57pJ/bit process-voltage-temperature variation tolerant all-
digital true random number generator in 45 nm CMOS,” in Proc. 22nd
random sequence of bits. The power hungry regular RO is Int. Conf. VLSI Design, Jan. 2009, pp. 301–306.
only active during the narrow jittery phase of the CSRO [18] Q. Tang, B. Kim, Y. Lao, K. K. Parhi, and C. H. Kim, “True ran-
pair, which reduces superfluous oscillations significantly. The dom number generator circuits based on single- and multi-phase beat
frequency detection,” in Proc. IEEE Custom Integr. Circuits Conf.,
proposed TRNG is fabricated in standard 65 nm 1.2 V CMOS San Jose, CA, USA, Sep. 2014, pp. 1–4.
technology. Our measurement results show that the prototyped [19] K. Yang, D. Blaauw, and D. Sylvester, “An all-digital edge racing true
TRNG can generate random bit stream at a high bit rate random number generator robust against PVT variations,” IEEE J. Solid-
State Circuits, vol. 51, no. 4, pp. 1022–1031, Apr. 2016.
of 52 Mbps by consuming only 5 pJ per random bit without [20] T. Stojanovski, J. Pihl, and L. Kocarev, “Chaos-based random number
any post processing. Its simplicity and energy efficiency make generators—Part II: Practical realization,” IEEE Trans. Circuits Syst. I,
it attractive to resource-constrained IoT devices. Reg. Papers, vol. 38, no. 3, pp. 281–288, Mar. 2001.
[21] F. Pareschi, G. Setti, and R. Rovatti, “Implementation and testing of
high-speed CMOS true random number generators based on chaotic
systems,” IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 57, no. 12,
R EFERENCES pp. 3124–3137, Dec. 2010.
[22] M. Kim, U. Ha, K. J. Lee, Y. Lee, and H.-J. Yoo, “A 82-nW chaotic
[1] S. K. Mathew et al., “μRNG: A 300-950 mV, 323 Gbps/W all-digital map true random number generator based on a sub-ranging SAR ADC,”
full-entropy true random number generator in 14 nm FinFET CMOS,” IEEE J. Solid-State Circuits, vol. 52, no. 7, pp. 1953–1965, Jul. 2017.
IEEE J. Solid-State Circuits, vol. 51, no. 7, pp. 1695–1704, Jul. 2016. [23] Y. Cao, C.-H. Chang, Y. Zheng, and X. Zhao, “An energy-efficient true
[2] J. Kelsey, B. Schneier, D. Wagner, and C. Hall, “Cryptanalytic attacks on random number generator based on current starved ring oscillators,”
pseudorandom number generators,” in Proc. Int. Workshop Fast Softw. in Proc. Asian Hardw. Oriented Secur. Trust Symp. (AsianHOST),
Encryption. Paris, France: Springer, Mar. 1998, pp. 168–188. Oct. 2017, pp. 37–42.
[3] M. Dichtl, “How to predict the output of a hardware random number [24] T. Amaki, M. Hashimoto, and T. Onoye, “A process and temperature
generator,” in Proc. Workshop Cryptograph. Hardw. Embedded Syst., tolerant oscillator-based true random number generator with dynamic
vol. 2779, 2003, pp. 181–188. 0/1 bias correction,” in Proc. IEEE Asian Solid-State Circuits Conf. (A-
[4] M. Sipcevic and C. K. Koc, “True random number generators,” in Open SSCC), Singapore, Nov. 2013, pp. 133–136.
Problems in Mathematics and Computational Science, C. K. Koc, Ed. [25] Y. Cao, X. Zhao, W. Ye, Q. Han, and X. Pan, “A compact and low power
Cham, Switzerland: Springer, 2014, pp. 275–315. RO PUF with high resilience to the EM side-channel attack and the SVM
[5] D. Hurley-Smith, C. Patsakis, and J. Hernandez-Castro, “On the modelling attack of wireless sensor networks,” Sensors, vol. 18, no. 2,
unbearable lightness of FIPS 140-2 randomness tests,” IEEE p. 322, Jan. 2018.
Trans. Inf. Forensics Security, early access, Apr. 17, 2020, doi: [26] H. Song, The Arts of VLSI Circuit Design. Bloomington, IN, USA:
10.1109/TIFS.2020.2988505. Xlibris, 2011.
[27] U. Guler and G. Dundar, “Modeling CMOS ring oscillator performance
[6] K. Lee, S. Lee, C. Seo, and K. Yim, “TRNG (true random number
as a randomness source,” IEEE Trans. Circuits Syst. I, Reg. Papers,
generator) method using visible spectrum for secure communication on
vol. 61, no. 3, pp. 712–724, Mar. 2014.
5G network,” IEEE Access, vol. 6, pp. 12838–12847, 2018.
[28] B. Razavi, Design of Analog CMOS Integrated Circuits. New York, NY,
[7] C. S. Petrie and J. A. Connelly, “A noise-based IC random number
USA: McGraw-Hill, 2001.
generator for applications in cryptography,” IEEE Trans. Circuits Syst. I,
[29] N. Modak, B. Chatterjee, A. Anvesha, and M. S. Baghini, “A 120 nW,
Fundam. Theory Appl., vol. 47, no. 5, pp. 615–621, May 2000.
tunable, PVT invariant voltage reference with 80 dB supply noise
[8] R. Brederlow, R. Prakash, C. Paulus, and R. Thewes, “A low-power rejection,” in Proc. IEEE Int. Symp. Nanoelectronic Inf. Syst., Dec. 2015,
true random number generator using random telegraph noise of single pp. 181–184.
oxide-traps,” in IEEE Int. Solid-State Circuits Conf. (ISSCC) Dig. Tech. [30] Q.-C. Chen and L.-H. Wang, “A 100nW 6PPM/◦ C voltage reference
Papers, Sacramento, CA, USA, Feb. 2006, pp. 536–537. with all MOS transistors,” in Proc. Int. Conf. Commun. Problem-Solving
[9] F. Tehranipoor, P. Wortman, N. Karimian, W. Yan, and J. A. Chandy, (ICCP), Sep. 2016, pp. 1–2.
“DVFT: A lightweight solution for power-supply noise-based TRNG [31] I. Lee, D. Sylvester, and D. Blaauw, “A subthreshold voltage reference
using dynamic voltage feedback tuning system,” IEEE Trans. Very Large with scalable output voltage for low-power IoT systems,” IEEE J. Solid-
Scale Integr. (VLSI) Syst., vol. 26, no. 6, pp. 1084–1097, Jun. 2018. State Circuits, vol. 52, no. 5, pp. 1443–1449, May 2017.
[10] M. Matsumoto, S. Yasuda, R. Ohba, K. Ikegami, T. Tanamoto, and [32] X. P. Yu, M. A. Do, W. M. Lim, K. S. Yeo, and J.-G. Ma, “Design and
S. Fujita, “1200μm2 physical random-number generators based on SiN optimization of the extended true single-phase clock-based prescaler,”
MOSFET for secure smart-card application,” in IEEE Int. Solid-State IEEE Trans. Microw. Theory Tech., vol. 54, no. 11, pp. 3828–3834,
Circuits Conf. (ISSCC) Dig. Tech. Papers, Feb. 2008, pp. 414–624. Nov. 2006.
[11] S.-G. Bae, Y. Kim, Y. Park, and C. Kim, “3-Gb/s high-speed true [33] M. Baudet, D. Lubicz, J. Micolod, and A. Tassiaux, “On the security of
random number generator using common-mode operating comparator oscillator-based random number generators,” J. Cryptol., vol. 24, no. 2,
and sampling uncertainty of D flip-flop,” IEEE J. Solid-State Circuits, pp. 398–425, Oct. 2010.
vol. 52, no. 2, pp. 605–610, Feb. 2017. [34] T. M. Cover and J. A. Thomas, Elements of Information Theory.
[12] A. Mohanty, K. B. Sutaria, H. Awano, T. Sato, and Y. Cao, “RTN in New York, NY, USA: Wiley, 1991.
scaled transistors for on-chip random seed generation,” IEEE Trans. [35] Claude Shannon & Information Theory—Redundancy. Accessed:
Very Large Scale Integr. (VLSI) Syst., vol. 25, no. 8, pp. 2248–2257, May 2, 2021. [Online]. Available: https://cs.stanford.edu/people/
Aug. 2017. eroberts/courses/soco/projects/1999-00/information-theory/redundancy_
[13] R. Govindaraj, S. Ghosh, and S. Katkoori, “CSRO-based reconfigurable 5.html
true random number generator using RRAM,” IEEE Trans. Very Large [36] NIST. (Apr. 2019). Sp 800-90b, Entropy Sources Used for
Scale Integr. (VLSI) Syst., vol. 26, no. 12, pp. 2661–2670, Dec. 2018. Random Bit Generation. [Online]. Available: https://csrc.nist.gov/
[14] L. T. Clark, S. B. Medapuram, and D. K. Kadiyala, “SRAM circuits publications/detail/sp/800-90b/final
for true random number generation using intrinsic bit instability,” [37] A. Rukhin et al., “A statistical test suite for random and pseudorandom
IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 26, no. 10, number generators for cryptographic applications,” NIST, Gaithersburg,
pp. 2027–2037, Oct. 2018. MD, USA, NIST Special Publication 800-22, 2010.
[15] C. Tokunaga, D. Blaauw, and T. Mudge, “True random number generator [38] M. N. Nounou and B. R. Bakshi, “Multiscale methods for denoising and
with a metastability-based quality control,” in IEEE Int. Solid-State compression,” in Wavelets in Chemistry (Data Handling in Science and
Circuits Conf. (ISSCC) Dig. Tech. Papers, Sacramento, CA, USA, Technology), vol. 22, B. Walczak, Ed. Amsterdam, The Netherlands:
Feb. 2007, pp. 404–405. Elsevier, 2000, ch. 5, pp. 119–150. [Online]. Available: https://www.
[16] J. Holleman, S. Bridges, B. P. Otis, and C. Diorio, “A 3 μw CMOS sciencedirect.com/science/article/pii/S0922348700800301
true random number generator with adaptive floating-gate offset can- [39] A. T. Markettos and S. W. Moore, The Frequency Injection Attack on
cellation,” IEEE J. Solid-State Circuits, vol. 43, no. 5, pp. 1324–1336, Ring-Oscillator-Based True Random Number Generators (Lecture Notes
May 2008. in Computer Science). Berlin, Germany: Springer, 2009, pp. 317–331.

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

12 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS

[40] K. Yang et al., “A 28 nm integrated true random number generator Wenhan Zheng received the B.Eng. and
harvesting entropy from MRAM,” in Proc. IEEE Symp. VLSI Circuits, M.Eng. degrees from the College of Electronics
Honolulu, HI, USA, Jun. 2018. and Information Engineering, Shenzhen University,
[41] V. R. Pamula, X. Sun, S. Kim, F. U. Rahman, B. Zhang, and Shenzhen, China, in 2017 and 2020, respectively.
V. S. Sathe, “An all-digital true-random-number generator with inte- He is currently working as a Research Engineer
grated de-correlation and bias correction at 3.2-to-86 MB/S, 2.58 PJ/Bit with Huawei Technologies Corporation, Shenzhen.
in 65-nm CMOS,” in Proc. IEEE Symp. VLSI Circuits, Jun. 2018, His research interests include hardware security,
pp. 1–2. true random number generator, physical unclonable
[42] E. Kim, M. Lee, and J.-J. Kim, “8.2 8Mb/s 28Mb/mJ robust true- function, and digital circuits and systems.
random-number generator in 65 nm CMOS based on differential ring
oscillator with feedback resistors,” in IEEE Int. Solid-State Circuits Conf.
(ISSCC) Dig. Tech. Papers, San Francisco, CA, USA, Feb. 2017.
[43] K. Yang, D. Fick, M. B. Henry, Y. Leea, D. Blaauw, and D. Sylvester, “A
23 Mb/s 23 pJ/b fully synthesized true-random-number generator in 28
nm and 65 nm CMOS,” in IEEE Int. Solid-State Circuits Conf. (ISSCC)
Dig. Tech. Papers, Sacramento, CA, USA, Feb. 2014, pp. 280–281.
[44] T.-K. Kuan, Y.-H. Chiang, and S.-I. Liu, “A 0.43pJ/bit true random
number generator,” in Proc. IEEE Asian Solid-State Circuits Conf. (A- Yue Zheng (Member, IEEE) received the B.Eng.
SSCC), Nov. 2014, pp. 33–36. degree from Shanghai University (SHU) in 2015,
[45] S. K. Mathew et al., “2.4 Gbps, 7 mW all-digital PVT-variation and the Ph.D. degree from Nanyang Technological
tolerant true random number generator for 45 nm CMOS high- University (NTU) in 2020. From March 2019 to
performance microprocessors,” IEEE J. Solid-State Circuits, vol. 47, June 2019, she was a Visiting Scholar with Kyoto
no. 11, pp. 2807–2821, Nov. 2012. University. She is currently a Research Fellow with
NTU, Singapore. Her areas of research include
hardware security, physical unclonable function,
authentication protocols, and logic locking. She
Yuan Cao (Member, IEEE) received the B.S.
was a Review Committee Member, a Mini-Tutorial
degree from Nanjing University in 2008, the M.E.
Co-Speaker, and the Special Session Co-Chair of
degree from The Hong Kong University of Science
ISCAS 2021. She is an active member of CAS Society. She has been serving
and Technology in 2010, and the Ph.D. degree
as a Reviewer for ISCAS, AsianHOST, IEEE T RANSACTIONS ON C IRCUITS
from Nanyang Technological University in 2015.
AND S YSTEMS —I: R EGULAR PAPERS , and IEEE T RANSACTIONS ON V ERY
From 2015 to 2017, he worked with Advantest. From
L ARGE S CALE I NTEGRATION (VLSI) S YSTEMS , since 2016. She currently
2017 to 2018, he was a Research Fellow with NTU.
serves as the Co-Chair of the Hardware Security Track of VLSI-SoC 2021.
He is currently a Full Professor with the College of
IoT, Hohai University. Since December 2019, he has
been a Visiting Professor with Hamad Bin Khalifa
University. He has over 60 peer-reviewed conference
and journal publications. His research interests include TRNG, PUF, PQC,
and analog/mixed-signal VLSI designs. Two of his papers have been selected
as the Finalist of the Best Paper Award for AsianHOST’2017 and Asian-
HOST’2019. He has served as an Organizing/a Technical Committee Member Chip-Hong Chang (Fellow, IEEE) received the
in various IEEE conferences, such as AsianHOST, ASHES, DSP, and CTC. B.Eng. (Hons.) degree from the National University
He has edited one IET Materials, Circuits and Devices book series 66 entitled of Singapore in 1989, and the M.Eng. and Ph.D.
Frontiers in Hardware Security and Trust. degrees from Nanyang Technological University
(NTU), Singapore, in 1993 and 1998, respectively.
He served as a Technical Consultant in industry
Xiaojin Zhao (Senior Member, IEEE) received prior to joining the School of Electrical and Elec-
the B.Sc. degree in microelectronics and applied tronic Engineering (EEE) of NTU in 1999, where he
mathematics from Peking University, Beijing, China, is currently an Associate Professor. He holds joint
in 2005, and the Ph.D. degree in electrical and elec- appointments with the university as an Assistant
tronic engineering from The Hong Kong University Chair of Alumni of the School of EEE from 2008 to
of Science and Technology (HKUST), Hong Kong, 2014, the Deputy Director of the Center for High Performance Embedded
China, in 2010. Systems from 2000 to 2011, and the Program Director of the Center for
From 2010 to 2011, he was a Post-Doctoral Integrated Circuits and Systems from 2003 to 2009. He has edited and
Research Associate with HKUST. In 2012, he joined coedited five books, published 13 book chapters, more than 100 international
Shenzhen University, Shenzhen, China, where he is journal papers (∼80 are IEEE) and more than 180 refereed international
currently an Associate Professor with the College of conference papers (mostly IEEE), and delivered over 40 colloquia. His current
Electronics and Information Engineering. In 2014, he was a Visiting Scholar research interests include hardware security and trustable computing, artificial
with IMEC, Leuven, Belgium. He has published 94 international journal intelligence security, low-power and fault-tolerant computing, residue number
articles and peer-reviewed conference papers (mostly in IEEE). His research systems, and application-specific digital signal processing algorithms and
interests include CMOS monolithic polarization image sensor, gas sensor, and architectures.
the Internet of Things (IoT) sensors’ related hardware security techniques Dr. Chang is an IET fellow, and a Distinguished Lecturer of IEEE Circuits
(physical unclonable function and true random number generator). and Systems Society (2018-2019). He serves as an Associate Editor for
Dr. Zhao has served as an organizing/a technical committee member in IEEE T RANSACTIONS ON C OMPUTER -A IDED D ESIGN OF I NTEGRATED
various IEEE conferences. He also serves as a Technical Committee Member C IRCUITS AND S YSTEMS from 2016 to 2019, IEEE A CCESS from 2013 to
for the IEEE Circuits and Systems Society (CASS) on Sensory Systems 2019, IEEE T RANSACTIONS ON C IRCUITS AND S YSTEMS —I: R EGULAR
and the IEEE Circuits and Systems Society (CASS) on VLSI Systems and PAPERS from 2010 to 2013, Integration, IEEE T RANSACTIONS ON V ERY
Applications. He was a co-recipient of the Best Student Paper Award from L ARGE S CALE I NTEGRATION (VLSI) S YSTEMS from 2013 to 2015, Jour-
the IEEE EDSSC’2018, Shenzhen, China, and the Outstanding Student Paper nal of Hardware and System Security (Springer) from 2016 to 2020, and
Award from the IEEE MEMS’2020, Vancouver, BC, Canada. He has one Microelectronics Journal from 2014 to 2020. He currently serves as a Senior
paper selected as the cover page of the IEEE E LECTRON D EVICE L ETTERS Area Editor of IEEE T RANSACTIONS ON I NFORMATION F ORENSIC AND
(EDL) in 2020 and two papers selected as the Finalist of the Best Paper S ECURITY. He also serves an Associate Editor for IEEE T RANSACTIONS ON
Award for AsianHOST’2017, Beijing, and AsianHOST’2019, Xi’an, China. C IRCUITS AND S YSTEMS —I: R EGULAR PAPERS , IEEE T RANSACTIONS ON
He has served as the Vice Chair and the Chair for the IEEE Electron Devices V ERY L ARGE S CALE I NTEGRATION (VLSI) S YSTEMS , and IEEE T RANS -
and Solid-State Circuits (EDSSC) Shenzhen Joint Chapter from 2015 to ACTIONS ON I NFORMATION F ORENSIC AND S ECURITY . He guest edited
2019. He also serves as the Chair for the IEEE Circuits and Systems (CAS) several special issues and served in the organizing and technical program
Shenzhen Chapter. committee of more than 70 international conferences (mostly IEEE).

Authorized licensed use limited to: National University of Singapore. Downloaded on July 04,2021 at 18:32:42 UTC from IEEE Xplore. Restrictions apply.