Behavioral Analysis and Immunity Design of the RO-Based TRNG under Electromagnetic Interference

: True random-number generators based on ring oscillators (RO-based TRNG) are widely used in the ﬁeld of information encryption because of their simple structure and compatibility with CMOS technology. However, radiated or conducted electromagnetic interference can dramatically deteriorate the randomness of the output bitstream of the RO-based TRNG, which poses a great threat to security. Traditional research focuses on the innovation of the means of attack and the detection of circuit states. There is a lack of research on the interference mechanism and anti-interference countermeasures. In this paper, the response of the RO array to electromagnetic interference was analyzed, and the concept of synchronous locking was proposed to describe the locking scene of multiple ROs. On the basis of synchronous locking, the RF immunity of the RO-based TRNG was modeled, which can explain the degradation mechanism of bitstream randomness under RFI. Moreover, the design method of gate-delay differentiation is presented to improve the RF immunity of the RO-based TRNG at a low cost. Both transistor-level simulation and board-level measurement proved the rationality of this scheme.


Introduction
Integrated circuits under electromagnetic interference (EMI) are widely studied. The subject can be divided into the propagation of electromagnetic-interference waves and the interaction between electromagnetic interference and integrated circuits. The mechanism of the response of an integrated circuit to EMI can inspire the design of anti-interference circuits, which prevent interference damage. As a typical integrated circuit, true randomnumber generators based on a ring oscillator (RO-based TRNG) are widely used to generate secret keys in the field of security encryption because of their simple circuit structure and compatibility with CMOS technology.
RO-based TRNGs were first proposed by Sunar et al. [1]. Their randomness is generated by sampling the RO oscillating signal with random jitter, which is caused by physical noise. First, multiple oscillating signals are generated by an RO array. An exclusive OR (XOR) operation is performed between every two oscillating signals, and operations are repeated until there is only one output. Then, a D flip-flop is used to sample the XOR operation output, as shown in Figure 1a. Because jitter accumulates with time, sampling signal f s should be of a lower frequency. Wold et al. [2] proposed an improved RO-based TRNG. Compared with the original structure, only a D flip-flop was added at the output end of each RO, as shown in Figure 1b. The output bitstream of the TRNG directly met the randomness test [3] and did not need to be optimized by the post-processing program. Therefore, the improved structure was adopted in this paper to study electromagnetic interference.
Published studies show that RO-based TRNGs are quite vulnerable to EMI. The randomness of its output bitstream is severely damaged when ROs are locked and jitter is suppressed. Markettos and Moore [4] first injected a continuous wave into the power wire of an RO-based TRNG and reduced the keyspace of a secure microcontroller containing an RO-based TRNG from 264 to 3300. Bayon et al. [5,6] implemented a contactless electromagnetic-wave attack on RO-based TRNG. Compared with the conducted injectionattack method in [4], it was not limited to the low-pass filtering effect of the power-supply pin, and the interference-frequency range was greatly enhanced. The RO-based TRNG in [6] was implemented on a FPGA chip, which contained up to 50 ROs, so it was more universal and persuasive. Osuka et al. [7] coupled a sinusoidal EMI wave to a power cable through a current probe, where the power cable transmitted the interference into the chip. This could implement a long-distance interference injection, destroy the randomness of an RO-based TRNG, and leave no invasion evidence. These conducted and radiated interference methods could lock ROs and destroy the entropy source. However, the injection-locking conditions and the mechanism of randomness degradation are not clear. Some anti-interference methods based on the algorithm level were proposed [8,9], but there is still a lack of countermeasures based on the circuit-design level. The degradation of bitstream randomness is highly relevant to the status of ROs. A ring oscillator (RO) is composed of an odd number of inverters that are the minimal delay unit in the digital circuit. It is widely used in noise-waveform detection [10] and on-chip process sensing [11] because of its high sensitivity. Studies on the injection locking of ROs under EMI already exist. The authors in [12][13][14][15] injected interference from the signal port or the tail-current port of an RO, which differed from the interference-injection scene of the RO-based TRNG. ROs in the above papers also were not composed of complementary metal-oxide semiconductors (CMOS). Mureddu et al. [16] built RO circuits on an FPGA board and injected interference coupled from a delay line. Detailed experiments were carried out on different series of FPGAs. Tao Su et al. [17,18] directly injected interference from the power-supply port of CMOS inverter-based ROs and discovered and explained the injection-pulling and -locking phenomenon. In the above studies, the power-side-injecting method was closest to the real interference situation. The RO-based TRNG contains an array of ring oscillators, in which RO stages may be the same or different. This requires that we focus on the locking behavior of the whole RO array.
This paper supplemented and discussed aspects that were not considered in existing research, and it is arranged as follows: Section 2 introduces the experimental locking conclusion of an RO with EMI on the power supply and puts forward the concept of the locking region. The theory of synchronous locking for the situation of a locked RO array was proposed to explain the overall behavior. In Section 3, the degradation mechanism of the TRNG bitstream is analyzed and verified by simulation. To improve electromagnetic immunity, the electromagnetic immunity of the RO-based TRNG was modeled. A design scheme, gate-delay differentiation, was proposed to improve immunity. Section 4 contains the PCB measurement where the gate-delay-differentiation scheme was verified to be effective. Section 5 is the conclusion.

Conical Locking Region
According to our previous research, there are two behaviors of the RO with EMI on the supply, as shown in Figure 2a: injection pulling [17] and injection locking [18]. In Figure 2b, injection pulling means that the oscillating frequency of RO f RO shifts towards a higher or lower frequency with the increase in sinusoidal interference amplitude A RFI . A shift towards a higher or lower frequency depends on the f RFI value. In Figure 2c, injection locking means that the RO is out of a frequency-shifting state, and f RO is locked to a constant value. Changing A RFI does not affect f RO . f RO_ f ree and f RO_locked represent the free-oscillating frequency and locked frequency of the RO, respectively. With massive and detailed simulation and measurement verification, an empirical injection-locking condition was summarized [18], which can be expressed by the relationship between interference period T RFI and average gate-delay τ ave : m is a positive integer indicating different locking modes. The locking strength and locking range of the RO are the largest with the mode where m is equal to two. In the following discussion, we defaulted to the fact that m was equal to two because of its high representativeness. If the mode of m = 2 has high immunity, modes with a smaller locking range are more robust. The RO consisted of an odd number of inverters, so period T RO : The RO stage is denoted as N. According to Equations (1) and (2), the relationship between f RFI and f RO_locked when the RO is locked is deduced as follows: The larger f RFI is, the larger f RO_locked is. The response curves of the RO to A RFI under different f RFI are shown in Figure 3. As shown in Equation (3), the theoretical f RO_locked can be calculated from f RFI . When the offset of f RO_locked from f RO_ f ree is small, the RO can be locked with small interference; the larger the offset is, the larger A RFI is needed to lock the RO. When even the maximal A RFI cannot lock the RO, the response curve is only determined by the pulling effect. Therefore, we can obtain a conical locking region from which we can infer the A RFI and f RFI needed to lock the ROs. Any combination of interference A RFI and f RFI outside the region cannot lock the RO. To prove the existence of the conical locking region, four 41-stage ROs were built with the SMIC-65, SMIC-130, SMIC-180, and TSMC-180 nm process libraries, respectively. The response curves of f RO to A RFI under different interference frequencies f RFI was simulated by HSPICE, and the locking regions were obtained, as shown in Figure 4. The f RO_ f ree of the four ROs were 1085, 555, 259, and 257 MHz, respectively. The locking region was approximately conical. The locked frequency with A RFI equal to 0.5 V and the interference frequency were recorded and converted into the average gate-delay and interference period, as shown in Figure 5. The dotted line represents the empirical relationship in (1), with m equal to two. The ROs of different CMOS processes occupied different positions, where the advanced SMIC-65 nm process had the minimal average gate-delay. When RO locking occurs, the average gate-delays of all ROs linearly increased with the interference period, and the curves coincided with the dotted line. When the RO was released from the locking state, it was out of the linear relationship and dominated by injection pulling, as shown by the SMIC-180 nm and TSMC-180 nm curves in Figure 5. The simulation results were consistent with those of theoretical analysis.

Synchronous Locking of the Ring Oscillator Array
In the above section, empirical Equation (1) shows the interference condition to lock an RO. This locking condition is different from traditional LC oscillator injection locking. It is the integral of multiple relationships between the period of the interference signal and the average gate-delay of the RO, whereas traditional LC locking is the harmonic relationship between frequencies. The injection-locking condition does not contain any RO stage information. This means that, as long as the gate-delay or the process, voltage, and temperature (PVT) condition of the RO are consistent, locking always appears. This is a novel and interesting locking phenomenon.
To verify the locking independent of stage, forty-one-, forty-three-, and forty-five-stage ROs of the SMIC-65, SMIC-130, SMIC-180, and TSMC-180 nm processes, respectively, were implemented and simulated by HSPICE. With the interference frequency of 43,050 MHz, the response curves of the RO to A RFI were obtained and are shown in Figure 6. The f RO_locked and τ ave values were recorded and are listed in Table 1. To emphasize the stage independent of RO locking, τ ave values are marked red. For the SMIC-65 nm RO simulation case, the free-oscillating frequencies of the three ROs were 1084, 1034, and 988 MHz, which were locked to 1050, 1001, and 957 MHz, respectively. The calculation results of the average gate-delays were 11.61 ps, which is satisfied with Equation (1), with m equal to two. Therefore, the curves of oscillating frequency vs. interference amplitude in Figure 6(a1) can be transformed into the curves of average gate-delay vs. interference amplitude in Figure 6(a2), and all the curves coincide. In the SMIC-130, SMIC-180, and TSMC-180 nm RO simulation results, it showed the same characteristic. If the intrinsic gate-delay of the RO was the same, they were pulled and locked to the same value. Therefore, this locking mechanism was independent of RO stage. An RO array scenario was considered in which the average gate-delay of each RO was the same. From the above analysis of stage-independent locking, as long as the A RFI can lock one RO of the array, it locks the other ROs regardless of stage discrepancy. In other words, the synchronous locking phenomenon occurs. For the RO array on the actual chip, the average gate-delay of each RO was slightly different due to the fluctuations of PVT condition, but this subtle difference could be overcome by intentional EMI. Lastly, with a suitable interference condition, all ROs in the array were synchronously locked.
As shown in Figure 7, the 22,550 MHz sinusoidal interference was injected into the power-supply port of a 41-stage RO. To simulate the effect of process deviation, the width of the NMOS and PMOS in the inverter was intentionally modified from the size of the SMIC-130 nm inverter standard cell INVX1 (w n = 0.42 µ, w p = 0.64 µ) to w n = 1.62 µ, w p = 2.47 µ. The response curves of each size were recorded by the simulation. Figure 7a shows that the free-oscillating frequencies of the RO with different inverter sizes were slightly different. With the increase in interference amplitude, all ROs could be locked to 550 MHz, which conformed to the conclusion of Equation (3). The more the oscillating frequency deviated from 550 MHz, the greater the interference amplitude that was required for locking. The response curves of average gate-delay to interference amplitude are shown in Figure 7b. The difference in gate-delay caused by intentional process deviation can be overcome by electromagnetic interference, and the oscillator system was synchronously locked.

RO-Based TRNG Randomness-Degradation Mechanism
Both radiated and conducted interference can suppress the jitter of ROs and degenerate the randomness of the RO-based TRNG. As shown in Figure 8, the uncertain logic value can be sampled when the oscillating signal of the RO jitters. Otherwise, the D flip-flops the certain logic, which means that the output is not random. With the RO array, the jitter range covers the whole sampling period [1]. Good-quality random bitstreams can be generated by the TRNG. When the RO-based TRNG was disturbed by intentional EMI, the ROs were locked, and the jitter was suppressed [7], as shown in Figure 8d. Therefore, the randomness of the output bitstream deteriorated.
The reason for this disastrous result was that the injection-locking condition of the RO was independent of the stage and only related to the gate-delay. With the same CMOS process, the gate-delays were consistent, and all ROs had to be synchronously locked once locking occurred. Even with the existing process deviation, it was overcome by EMI to achieve synchronization, according to Section 2.2.
To prove the correctness of the above explanation, a specific RO-based TRNG circuit was built using an SMIC-130 nm process library and was simulated by HSPICE in which the array consisted of two ROs of 7, 9, 11, and 13 stages, respectively. To simulate the noise environment in the actual circuit, a −28 dBm Gaussian white-noise voltage was generated in MATLAB, which was superimposed onto the DC power supply of the circuit. Noise voltage was essential to cause the oscillating signal to jitter.
The simulated oscillating parameters are shown in  Table 2, jitters were suppressed by 60%, 64%, 67%, and 70%. This phenomenon is also represented by the period-distribution histograms in Figure 9b,d. Figure 9a,c represents the bitstream output by the TRNG. Black and white pixels are used to represent zero and one, respectively. The binary images can be obtained by scanning the bitstream from left to right and from top to bottom. In the no-EMI case, the binary image was arranged in a disordered manner, which represents a certain degree of randomness. When all ROs were locked by the EMI, the binary image tended to be completely black, and the occurrence probability of zero and one was not uniform. It could not even pass the first test of the NIST Statistical Test Suite [3], which detects whether zero and one appear the same number of times, called the monobit test.

Immunity Modeling and Gate-Delay Differentiation
To solve the problem of the randomness of the RO-based TRNG deteriorating sharply due to synchronous locking, the design method of gate-delay differentiation was proposed in this paper: the average gate-delay of each RO in the TRNG was intentionally set to be different so that the locking regions of ROs were staggered from each other. This avoided all the ROs being locked in some EMI situations.
An array with four ROs was considered, composed of inverters with different gatedelays. According to the conclusion of Section 2.1, each RO had a conical locking region. Due to the difference in gate-delay, the conical locking regions of the four ROs were staggered, as shown in Figure 10a. The scattered distribution was beneficial to the EMI immunity of the RO-based TRNG: • To lock all four types of ROs, available f RFI and A RFI can only be selected in the red area, which is the overlapping area of the four conical locking regions. The required A RFI had to be greater than A 3 , and the selection of f RFI was also very harsh; • To lock three types of ROs, the available f RFI and A RFI can only be selected in the yellow area. This required that A RFI > A 2 , and the available selection range of f RFI was also small; • To lock two types of ROs, f RFI and A RFI can only be selected from the gray area. In such a case, it required A RFI > A 1 , and the selection range of f RFI was large. However, randomness did not become much worse because of only two types of ROs being locked; • To lock one type of RO, f RFI and A RFI can only be selected from the light green area, which is easy to achieve. The influence of one type of RO locked on randomness can be ignored.
In a traditional EM attack on RO-based TRNG, the gate-delays of four types of RO were the same, and there was no staggering between conical locking regions, as shown in Figure 10b. It was easy to realize synchronous locking for all ROs, which was destructive to the RO-based TRNG.
In Figure 10, we considered the locking region of the frequency. Similarly, average gate-delay τ ave , which can be converted from f RFI , also had a conical locking region. It was clearer and more appropriate to analyze the locking situation of the RO array, because the analytical method of τ ave discarded the independent factor of the RO stage, which made it easier for us to see the essence of locking. In the following simulation and test, we used the τ ave -type conical locking region to illustrate this.
To improve immunity, the gate-delay difference of each RO must be increased. The ideal situation is only one type of RO locking under any interference condition. To differentiate gate-delays, changing the channel width of transistors in the inverter, the load of each inverter, and the interconnect length are feasible because of the simplicity of implementation and low cost. Meanwhile, we can flexibly choose the implementation according to the situation: for the RO-based TRNG on application-specific integrated circuits (ASICs), changing the channel width of transistors is the first choice; for the RO-based TRNG on an FPGA, the load of each inverter and the interconnect length are appropriate. For a specific CMOS process, the response of the oscillating RO frequency to different capacitor loads and different transistor sizes can be simulated in advance. According to the response data, suitable capacitor loads and transistor size parameters can be selected and assigned for the ROs. Increasing the number of ROs with different average gate-delays matters, so that there is a smaller proportion of ROs in the locked state.
Therefore, we verified the design method of gate-delay differentiation with HSPICE using the RO-based TRNG circuit in Section 3.1. Two implementation strategies for differentiating gate-delay are shown in Table 3: Case 1 is changing the inverter size, and Case 2 is changing the capacitor load of the inverter. Although increasing the size of the inverter and capacitance load slowed down the circuit and caused additional power consumption, these shortcomings were tolerable compared with the goal of improving immunity.   Table 3, which led to different gate-delays. The simulation results are shown in Figure 11. In Figure 11a, the conical locking regions are shown to be staggered. Only when the A RFI > 0.36 V could all ROs in the array be locked. To observe the output bitstream of RO-based TRNG, some representative interferences were selected to realize the locking of 0, 1, 2, 3, and 4 types of RO, respectively; see Table 4 for the interference and jitter information. The jitters of locked ROs, which are marked as red, were much lower than those of unlocked ROs.
Interference seemed to result in two kinds of consequences: one was suppressing jitter, as we know, and the other was intensifying it. In the unlocked state, as shown in the black data, the larger the A RFI was, the more severe the jitter was; in the locked state, as shown in the red data, the larger A RFI was, the more strongly the jitter was suppressed.
Bitstream binary images were obtained, as shown in Figure 11(b1-b5). When there were three or more types of ROs locked, output bitstreams showed strong regularity, and the randomness of the RO-based TRNG was greatly reduced. However, the required A RFI was also large. When only one or two types of RO were locked, the randomness hardly changed. This agreed well with our theoretical analysis. To obtain the quantization results of the randomness, the bitstream was tested in the NIST suite. When three or four types of ROs were locked, the p-value was far less than 0.01, which shows that the randomness was seriously damaged.  For Case 2, each inverter of the 7-, 9-, 11-, and 13-stage RO was loaded with 0, 0.13, 0.28, and 0.44 fF capacitors, respectively. The simulation results are shown in Figure 12, which were very similar to those of Case 1. Detailed jitter and interference information is shown in Table 5. Adding different capacitor loads can also stagger the locking regions of the ROs to improve electromagnetic immunity.  To prove that the design method of gate-delay differentiation to improve the immunity did not depend on the CMOS process, the RO-based TRNG built with SMIC 65-nm was simulated by HSPICE. The circuit setting was the same as Case 2 in the above experiment. To simulate such a situation, the corresponding average gate-delays of ROs loaded with 0, 0.037, 0.074, and 0.111 fF capacitors were 11.90, 12.25, 12.59, and 12.94 ps. According to Equation (1), these ROs could be locked by the interference of 41,700, 40,300, 39,300, and 38,300 MHz, respectively. This suggested that if the inverters in TRNG were loaded with the same capacitors as above, all the ROs would be locked synchronously, and the randomness deteriorated, as shown in Figure 13(c1-c4). If each inverter of the 7-, 9-, 11-, and 13-stage RO was loaded with 0, 0.037, 0.074, and 0.111 fF capacitors, respectively, the locking regions were staggered, as shown in Figure 13a. The same interference conditions above could not lock all the ROs synchronously, and the randomness of the bitstream did not become worse, which can be seen in Figure 13(b1-b4). The results proved that the improvement of immunity was independent of the CMOS process.

Measurement
In this section, the measurement of the design method for gate-delay differentiation to verify its feasibility is described. On a printed circuit board (PCB), the 7-, 9-, 11-, and 13stage RO circuits were built with the single inverter chip SN74LVC1G04DBVR. Some design considerations were as follows: For the convenience of controlling the gate-delays of the ROs and the consistency of A RFI reaching the power-supply port of each inverter, inverters in the same RO were arranged in a circle, and the spacing between adjacent inverters was strictly equal. The wiring length from the interference injection SMA connector to the power-supply port of the inverter should be equal. In order to not affect the uniform load of the ROs, an inverter was applied at the output port of each inverter in the bottom layer to isolate the oscillating circuit from the observation circuit. The circuit structure is shown in Figure 14. The D flip-flops and the XOR-tree circuits were implemented on an XC7A100t chip (Xilinx Artix-7 FPGA). The test platform is shown in Figure 15. The PC controlled the interference source to generate an interference wave with a specific frequency and amplitude, which was injected into the RO array board through a power amplifier, an isolator, and an attenuator. The attenuator was mainly used to weaken the reflection wave caused by the board and protect the amplifier. Similarly, the PC also controlled the oscilloscope and FPGA for data acquisition.  For the control group, each inverter in the RO array was loaded with a 120 pF capacitor. Under the same load, the free oscillation frequencies of the 7-, 9-, 11-, and 13-stage ROs were 21.11, 16.55, 13.26, and 11.21 MHz, respectively. The average gate-delays were 3.38, 3.38, 3.43, and 3.43 ns, which were almost equal. Interference was applied to measure the locking region of each RO, as shown in Figure 16. The locking cones of the four ROs were almost coincidental on the vertical gate-delay axis, which was consistent with the theoretical analysis in Section 2. For this condition, it was very easy to inject interference to lock all ROs in the array and drastically degrade the randomness of the TRNG. There were many interference frequencies and amplitudes from which to choose. Three kinds of interference were selected for comparison: no interference, 0.9 V and 145 MHz, and 0.9 V and 150 MHz. The bitstream is shown in Figure 17. The latter two kinds of interference could easily lock all ROs. Binary images show that, when all ROs were locked, the output bitstream of the TRNG presented a certain regularity. A discrete Fourier transform (DFT) test in the NIST suite was carried out to detect the periodicity of the bitstream. The p-value was far less than 0.01, which represents the latter two conditions that destroy the randomness of the TRNG output. For the experience group, we changed the load-capacitance values of the inverters in the four ROs as shown in Table 6. The free-oscillating frequencies of the 7-, 9-, 11-, and 13-stage ROs were 14.28, 13.81, 13.00, and 12.82 MHz, respectively. The average gate-delays were 5.00, 4.02, 3.50, and 3.00 ns, which were quite different. According to theoretical analysis, the locking regions of each RO were staggered in the vertical axis, as shown in Figure 18. It was impossible to lock all four types of ROs within a reasonable range of interference amplitude. At most, two kinds of ROs could be locked. In the range of soft failure caused by EMI, it was impossible to reduce the TRNG randomness. The immunity was greatly improved.  To prove the above conjectures, the amplitude of the injected interference was maintained at 0.9V, and interference frequencies of 95, 125, 133, 143, 154, and 167 MHz were selected, corresponding to the serial number marked in Figure 18. In addition to the 133 and 154 MHz cases, only one type of RO could be realized. The TRNG binary images are shown in Figure 19. The randomness of the bitstream was greatly improved compared with in the latter two cases of all ROs locked in Figure 17, which was also confirmed by NIST testing. Therefore, we verified the effectiveness of the design method of gate-delay differentiation.

Conclusions
This study analyzed the injection locking of an RO array under an EMI wave. Synchronous locking was proposed to summarize the response of an RO array in the RO-based TRNG, which could explain the randomness-deterioration mechanism of the bitstream.
To improve the EM immunity of the RO-based TRNG, the design method of gate-delay differentiation was proposed: by reasonably increasing the gate-delay difference of each RO, the locking regions were staggered, and the situation of most ROs being locked was avoided. The specific implementation methods of changing transistor sizes and capacitance loads were successfully verified by HSPICE simulations and PCB measurements. RO-based TRNG chips could be fabricated in CMOS processes, and the effectiveness of the above implementation methods can be verified in more detail.
Enriching the design method of gate-delay differentiation, the locking phenomenon of a single RO having inverter gates with different propagation delays is our future study direction. This can enrich our understanding of the locking phenomenon and inspire anti-interference research of RO-based TRNGs. We could also integrate the method with electronic design automation (EDA) tools to guide the immunity design of TRNGs.

Conflicts of Interest:
The authors declare no conflict of interest.