I Introduction
Embedded systems are the core of Internet of Things (IoT), cyberphysical systems (CPS), sensor networks, healthcare, transportation, etc. The demand and features provided by the CPS infrastructures have been bringing more and more components together connected; wired or wireless. Therefore, the CPS security risk has been increasing quite rapidly which is reflected as new threats in recent news. The consequences of CPS attacks can be disastrous; the report says that the cyberrelated attack tookaway minimum $56 billion from USA economy in 2016 [1]. The TRNG plays a vital role in cryptography for trusted execution and trusted communications [2, 3, 4, 5, 6, 7, 8]. The effectiveness of security and privacy relies on the encryption, which solely depends on the quality of random numbers [4, 5, 6, 7, 8]. Therefore, the quality of randomness has to be ensured for the resiliency of a secure system; a weak random number can leave the system open to various attacks [9, 10].
Generally, a physical entropy source, such as thermal noise, atmospheric noise, shot noise, radio noise, flicker noise, chaos, etc. are translated into random numbers [4, 5, 6, 7]. The quality of random numbers depends on the quality of entropy source [4, 5, 6, 7, 8]. Unfortunately, the hardware generated entropy is affected by environmental variations. For example, a TRNG can generate the deterministic output at high temperature or high voltage [7]. An attacker can manipulate the operating condition to weaken the quality of the random number. The randomness of a TRNG can also be affected as device ages or as technology gets matured [7]. Besides randomness, the TRNG must possess two essential qualities: (i) lowoverhead (area and energy) and (ii) highthroughput. The TRNG output also has to be robust even at the extreme operating condition.
In this paper, we present a novel technique to generate random numbers from DRAM memory, one of the primary components of an electronic device. Note that the ubiquity of memory chips is one of the primary reasons to use it as a TRNG because no additional hardware is required [11, 12]. However, memory chips offer limited entropy because they are designed to reduce the impacts of process variations. For example, SRAMbased TRNG offers minentropy. Hence, SRAMbased TRNG requires expensive postprocessing schemes to produce highquality random numbers [13]. Rahman et al. proposed an SRAMbased TRNG but requires modification of SRAM architecture [13]. Therefore, not suitable for commercial offtheshelf SRAM chips. Ray at el. proposed a technique to generate the random number from the read noise of the flash memory [14, 15] which eliminates the requirement of the additional circuitry for those computer systems which use flash memory as the storage device. Recently, Eckert et al. [12] and Sutar et al. [16] proposed DRAMbased TRNGs using powerup states and Variable Retention Time (VRT), respectively. However, none of them are suitable for runtime applications as they need a new power cycle or enhanced DRAM refresh interval.
In this paper, we propose a DRAMbased TRNG by exploiting the inherent latency variations. Our proposed TRNG does not require any additional hardware and offers high throughput compared to other existing DRAMbased TRNGs. The major contributions of this paper are presented below.

We propose a latencybased TRNG that is acceptably fast and robust. The DRAM latency is the required time to move charge from one place to another for reliable read/write operations. At the reduced DRAM latency, we can generate random numbers from the erroneous/faulty read operation.

We evaluate the robustness of our proposed latencybased TRNG at different operating conditions using silicon results from Samsung and Micron DDR3 DRAM modules. We also report the system throughput of our proposed latencybased TRNG.
The rest of the paper is organized as follows. In Section II, we briefly discuss the DRAM organization and operations. We also discuss existing DRAMbased TRNGs and their limitations. We describe our proposed latencybased TRNG in Section III. In Section IIIA, we characterize the DRAM cells based on their erroneous behavior at the reduced precharge latency. In Section IIIB, we propose our cell selection algorithm for generating random numbers from DRAM. We validate our proposed DRAMlatency based TRNG using commercial DDR3 modules (Section IV). We conclude our paper in Section V.
Ii Background and Existing Work
In this section, we provide a summary on DRAM organization and its operation. We also briefly discuss the existing techniques on the DRAMbased TRNG.
Iia DRAM Organization
A simplified DRAM memory system is presented in Fig. 0(a). A DRAM module follows a hierarchical organization, dividing the data lines into subsections to ensure consistent access to the DRAM module. Each module can be divided into several ranks. All ranks share the same data bus, and as a result, only one rank can be activated at a time which is chosen by a chip select pin. The number of bits that form the data bus is the same as the word size; usually a data size of 64bit. Each rank is then subdivided into multiple chips. The data bus is distributed equally among the chips. Finally, each chip can be partitioned into multiple banks, which can be accessed by using a proper bank address. The row is commonly called a wordline and the column is called a bitline. The row of a DRAM is also known as the page. Each bitline in the chip is connected to a sense amplifier. A series of sense amplifiers is known as rowbuffer. The rowbuffer contains data waiting/reading from the DRAM input and output. A DRAM bank is analogous to a 2D array of DRAM cells (Fig. 0(b)). Each bit of a 64bit word comes from such 64 individual DRAM cell array. A DRAM cell is the smallest unit of the memory module. Each cell consists of a capacitor and an access transistor (usually NMOS). Wordlines are connected to the transistor gate. This Access transistor creates a conducting path between the storage capacitor and the bitline.
IiB DRAM Operation
DRAM operations (read and write) are sensitive to different timing parameters. For a reliable operation against a wide range of operating conditions, a DRAM manufacturer specifies a set of timing parameters that need to be maintained. Failure of maintaining these timing parameters leads to faulty operation. A simplified version of DRAM read operation is shown in Fig. 2. Initially, all bitlines in a memory module are precharged to . Then an activation command ACT is sent from the memory controller to the appropriate wordline. The ACT command activates the target wordline and turns on all access transistors connected to that wordline
. At this moment, the
bitline voltage is perturbed by the cell content that is connected to the bitline through the access transistor. The bitline voltage slightly increases if the corresponding memory cell holds the logic ‘1’ (that is positively charged) or decreases slightly if the corresponding memory cell holds logic ‘0’. Then the senseamplifier senses the voltage perturbation on the bitlines and amplifies the data by increasing the intensity of the change in voltage. Afterward, the senseamplifier latches the data and converts into the proper binary value. At this moment a READ command is applied from the memory controller to read out the data from the senseamplifier. The time interval between the ACT command and READ command is called activation latency or . The time interval between the READ command and the first appearance of the read data in data is called the Column Access Strobe (CAS) latency or . Reading from DRAM is destructive because of charge leakage. Therefore, the cells must be charged back to their original states to maintain the data integrity. This procedure is called the restoration process, and total time needed from the ACT command to the end of data restoration is called the restoration time or . After a successful read operation, A precharge command, PRE is applied from the memory controller to precharge the bitline to . This command also deactivates the previously activated wordline for the next read or write operation. The time needed to precharge all bitlines to after the PRE command is called the precharge time (). When a DRAM cell holds the data, the capacitor charge, which represents the data bit, leaks over time. To assure the integrity of the stored/processed data, a periodic refresh operation is necessary to restore the capacitor charge. The time interval between two refresh operations is called the retention time. The retention time is directly linked to the leakage rate of DRAM cells.A reduction of timing parameters can improve the speed or reduce the power consumption but might suffer faulty operations. The variation of different latency parameters has following effects [16, 19]:

A reduced only affects the first accessed cache line in a row cycle.

Reduction on has a uniform effect on a row. Furthermore, the number of erroneous bits increases if the is kept decreasing.

Almost no bit error is noticed at the reduced .

An increment in the refresh interval introduces data errors (retention failures).
IiC Existing DRAMbased Random Number Generators
There have been a few techniques for generating random numbers from DRAM. Eckert et al. proposed a method to produce random numbers from the startup value of DRAM [12]. At each powercycle, DRAM memory cells are initialized to a random value. With proper postprocessing technique like VonNeumann corrector or/and XORing multiple trials, the proposed method can generate random numbers. However, with this method, a new power cycle is needed to generate a new random sequence, hence, cannot be applicable to runtime operation.
Recently, Sutar et al. proposed Variable Retention Time (VRT) based technique to generate random numbers from DRAM [16]. The retention time of DRAM cell randomly toggles between high retention time and low retention time due to the VRT. By taking advantage of this phenomenon, with suitable retention time and postprocessing technique (e.g., SHA256 hashing), the proposed method can generate highquality random numbers. However, the actual retentiontime needs to be increased by order of seconds to generate a random number by exploiting the VRT [16, 20]. Therefore, the VRTbased TRNG is slow; i.e., long waiting time is required to generate a random sequence. Also, the DRAM refresh operation cannot be increased for an arbitrarily selected small region because of the granularity defined by the vendor [21]. Consequently, the VRTbased TRNG might cause unwanted data corruption in a different memory location due to long retention time.
Iii Methodology
To generate a random number from the DRAM by exploiting latency variations, at first, we characterize the DRAM cells to understand whether the latency can be used to produce random numbers. Then, we propose a cell selection algorithm to identify the most suitable DRAM cells for generating random numbers.
Iiia DRAM Cells Characterization
In our proposed method, we characterize DRAM cells at a reduced . The experimental results show that the read operations produce unreliable data at the reduced . The error patterns from such incorrect operations vary from chip to chip. The error patterns also might depend on the data to be read/written. We categorize the DRAM cells (based on the error patterns at the reduced ) into the following two major types

Measurement Invariant Cells: This type of cells produces the same error with different measurements. However, this category can be divided into two subcategories i) Pattern independent cells and ii) pattern dependent cells. With a reduced , the output of pattern independent memory cells does not depend on the data already stored in the DRAM. These cells produce faulty but the same output from measurement to measurement. Therefore, ideal candidates for physical unclonable functions (PUFs) [18, 22]. On the other hand, the output of pattern dependent cells depends on the initially written data pattern at the reduced . With proper processing, pattern dependent cells might be used as a strong PUFs [23].

Noisy Cells: The output of noisy cells varies from measurement to measurement and do not show any consistency with the initially written data pattern. Hence, this type of cells can be used to generate the true random numbers. We denote the collection of the noisy cells as .
IiiB Cell Selection for Random Number Generator
Our experimental result shows that all noisy cells cannot be used for generating random numbers. We observe that most of the noisy cells are biased to a particular value (either ‘0’ or ‘1’). These biased cells might produce a deterministic random number. Hence, to create truly random numbers, we apply a cell selection technique on noisy cells (discussed below).
IiiB1 Filtering temporally unbiased cells
From our experimental results, we notice that many of the noisy cells are biased to a specific value (either ‘0’ or ‘1’). So, for proper randomness, these type of cells need to be filtered out. At first, the contents of all noisy cells are recorded multiple times with different input patterns at the reduced . We only accept those cells, for which, the output is ‘1’ for % of the total measurements (and ‘0’ for the rest of the time) regardless of input patterns. The locations of this subset of noisy cells are saved in dataset .
IiiB2 Applying Existing postprocessign technique to generate random sequence
To entirely remove the biasness from the generated random sequence, we can apply several postprocessing techniques such as Von Neumann corrector, XORing multiple bits, cryptographic hash function, etc. [24]. We use the cryptographic hash function SHA256 [25, 26] to the sequence obtained from . The input size (block Size, ) of SHA256 hash function is 512 bit and the output size (Message Digest Size, ) is 256 bit. We split the whole random sequence into a fixed length () subsequence to feed them in the SHA256. We denote the output of the SHA256 as .
Iv Result and Analysis
We collected silicon results from Samsung and Micron DDR3 memory modules. We used SoftMC (Soft Memory Controller [27]) with a Xilinx ML605 Evaluation Kit as the test platform. To characterize the DRAM cells, we collected a total of 20set measurement data with four different 8bit input patterns: (0xFF, 0xAA, 0x55, 0x00) for each memory bank. We chose the smallest possible value of , 19% of the recommended . The smallest possible value of ensures the maximum number of incorrect outputs.
Iva Cell Characterization and Filtering Temporally Unbiased Cells
We characterized the DRAM cells according to IIIA. The result shows that, on average, 82% cells are pattern independent, 17.5% cells are noisy, and 1% cells are pattern dependent in a bank. The output varies from manufacturer to manufacturer. It was found that most of the pattern independent cells output ‘0’ in the Micron memory module. On the other hand, output ‘1’ is dominant in the Samsung module. The result also shows that noisy cells are not entirely random; instead, most of the cells are biased to a specific value (as mentioned in sec. IIIB1).
Fig. 3 represents the frequency of ‘1’ from noisy cells at different measurements for a randomly chosen memory bank (combined for all input patterns). We noticed that most of the cells are biased to a specific value (in this case, biased to logic ‘1’) which is not desirable for random number generation. With the filtering technique as described in sec. IIIB1, we only chose those cells (set ) that output ‘1’ for % of total measurements (rest of the time they produced ‘0’).
Vendor  Bank*  #Cells (MBit) 


Micron  a  15.742  2.041  130.648  
b  86.147  0.792  54.917  
c  101.092  0.784  54.331  
Samsung  a  282.423  0.795  53.102  
b  409.773  1.960  130.695 
*Size of each bank = 1GBit.
Table I presents a detailed statistics for noisy cells. First two columns of the table represent the vendor and bank label. Next two columns represent the total number of noisy cells and the number of cells under . The last column presents the average number of bits in each page. Note that, we only considered those pages which have at least one cell that lies into . In our case, all memory banks consist of an equal number of page (), and for each bank, we found that at least 92% of total memory pages contain at least one memory cell, that lies into . The results show that the number of eligible cells decreases after performing our proposed filtering. Still, we have enough cells to generate highquality random numbers.
IvB Evaluation
A goodquality TRNG has to be robust against different operating conditions. For evaluation, we have collected four sets of test data at different operating condition:

At nominal voltage and room temperature (1.5v, 25C).

With 20C change in operating temperature (T).

With 20mv change in the supply voltage (V).

With 75mv change in the supply voltage (V).
As most of the modern DDR controller’s output is bounded within 20mv [28, 29], so, for our test purpose, changing the output voltage by 20mv is reasonably sufficient. However, we changed the voltage by
75mv (in fourth dataset) and found that the random numbers generated from all of the memory banks were still robust. At nominal condition (i.e., room temperature and nominal voltage), we took two measurements for each input pattern. On the other hand, in other operating conditions, we took one measurement to validate our proposed TRNG. We perform two different tests to evaluate the effectiveness of our proposed TRNG: (i) the frequency test of individual bits with the Central Limit Theorem
[30] and (ii) the NIST test [31].IvB1 Frequency Test of individual bits with the Central Limit Theorem Test
Each bit in an ideal TRNG is analogous to a fair coin toss. Practically, the TRNG bit deviates from an equal probability of having ‘0’ or ‘1’. However, according to the Central Limit Theorem (CLT)
[30], the distribution of the outcome can be approximated with a normal distribution with
and , where andare the mean and standard deviation of individual coin toss respectively and
is the sample size. In this experiment, we took a total of eight measurements for each TRNG cells (i.e., ) at nominal voltage and room temperature. So, if the probability of having ‘1’ is equal for all TRNG cells, then, according to the CLT, the distribution of occurring ‘1’ of the TRNG cells can be approximated with a normal distribution (with and ). Fig. 4 shows the frequency histogram of occurring ‘1’ for a randomly chosen memory bank. The blue histogram is for the selected TRNG cells with our proposed filtering technique (i.e., the cells that are under the subset ). The results show that this frequency histogram is perfectly fitted with a bell curve (plotted with a green line), which signifies that our proposed TRNG produces (with such small ) highquality random bits. The mean and standard deviation of normal approximation for TRNG bits in each bank are shown in table II. The results show that for each memory bank, the , and the , which are very close to ideal TRNG (from the CLT).Vendor  Micron  Samsung  

Bank  a  b  c  a  b 
49.47  50.43  50.27  50.14  52.65  
21.75  20.95  21.01  20.91  20.68 
IvB2 NIST Test
We performed the NIST test [31] based on the generated sequence from the test data. For each set of test data, the generated sequences are divided into subsequences and passed through the hash function (as discussed in sec. IIIB2). In this paper, we chose SHA256 as the hash algorithm. However, other hash function also produced a satisfactory result (tested with MD2 and SHA512, passed all NIST test). The output of the hash function is concatenated and divided into ten equallength bitstreams. Then, we directly applied the NIST test suite to evaluate the randomness. Table III shows the NIST test result for randomly chosen one memory bank from each vendor. The results show that the voltage reduction affects the randomness more than the voltage increment. Therefore, we reported only the negative voltage change (i.e., the worst case). In the table, is the value, which calculated from the chisquare test and is the proportion of bit sequence that passes the corresponding test. In order to pass the randomness test, the value should be minimum of 0.0001 and the should be higher than a certain proportion (for example, for 10 test sequences, at least 8 sequences should be passed). The Table III also shows that our proposed DRAMlatency based TRNG is capable of generating random numbers at extreme operating conditions.
Vendor  Micron  Samsung  

Operating Condition 







Result Type  
Frequency  0.035174  10/10  0.350485  10/10  0.534146  10/10  0.122325  10/10  0.739918  10/10  0.534146  10/10  
BlockFrequency  0.350485  10/10  0.213309  10/10  0.534146  10/10  0.350485  10/10  0.534146  9/10  0.534146  10/10  
CumulativeSums  0.122325  10/10  0.213309  10/10  0.911413  10/10  0.534146  10/10  0.350485  10/10  0.350485  10/10  
Runs  0.739918  10/10  0.739918  10/10  0.911413  10/10  0.739918  10/10  0.213309  10/10  0.350485  10/10  
LongestRun  0.534146  10/10  0.350485  9/10  0.911413  10/10  0.534146  10/10  0.350485  10/10  0.350485  10/10  
Rank  0.739918  10/10  0.911413  10/10  0.534146  10/10  0.534146  10/10  0.350485  9/10  0.534146  9/10  
FFT  0.739918  9/10  0.534146  10/10  0.534146  10/10  0.739918  10/10  0.534146  10/10  0.534146  10/10  
NonOverlappingTemplate  0.122325  8/10  0.066882  8/10  0.122325  9/10  0.350485  8/10  0.008879  9/10  0.739918  8/10  
OverlappingTemplate  0.350485  10/10  0.534146  9/10  0.066882  10/10  0.739918  9/10  0.534146  10/10  0.350485  10/10  
Universal  —  —  —  —  —  —  0.350485  10/10  0.911413  10/10  0.350485  10/10  
ApproximateEntropy  0.350485  10/10  0.534146  10/10  0.350485  10/10  0.350485  10/10  0.350485  9/10  0.213309  10/10  
RandomExcursions  —  4/4  —  1/1  —  3/3  —  6/7  —  4/4  —  5/5  
RandomExcursionsVariant  —  4/4  —  1/1  —  3/3  —  6/7  —  4/4  —  5/5  
Serial  0.017912  10/10  0.739918  10/10  0.008879  10/10  0.739918  10/10  0.035174  10/10  0.350485  10/10  
LinearComplexity  0.534146  10/10  0.911413  10/10  0.911413  10/10  0.534146  10/10  0.739918  10/10  0.004301  10/10 
*NB. — did not perform due to insufficient data [31].
IvC Throughput Analysis
In our proposed algorithm, the cell characterization and filtering the temporally unbiased cells need to be performed once during registration (i.e., once in a full lifecycle of a DRAM). The objective of the registration step is to identify the most suitable cells for generating random numbers, i.e., . Hence, we ignore the registration process during throughput calculation. The throughput of our proposed TRNG can be calculated as follows:
(1) 
where is the length of the hashed output (Message Digest Size) of the hash function, is the time required to read data of length from DRAM (where is the input block size of the hash function), and is the time required to hash the input bit sequence of length . We used existing standard SHA256. A complete benchmark of different cryptographic hash functions based on their performance can be found at [32]. An efficient cryptographic hash function like SHA256 can hash a 512bit long sequence with a speed of 3.78 cycle/byte (AMD EPYC 7601, 64x2.2GHz) [32]. With a single core, it would take only 242 cycles ( 0.11s, neglecting overhead cycles) to hash the complete 512bit block message. Furthermore, DRAM operations also consumes time. The results show that (from table I), each page produces 84.7 random bit on average (). So, to produce a 512bit as the input of the SHA256 hash function, we need on average 6 pages. In our evaluation board, with a single read cycle, to read a full 8KByte page, it takes on average 91.2s. So according to the equation 1, our system level throughput is around 0.47Mbps, which is comparable with the performance of many popular hardwarebased random numbers [5, 14, 33]. Note that, with our experimental setup, we were only able to read the memory module with an average speed of 720Mbps (400MHz system clock frequency), although, the maximum throughput of the memory module is almost double than that. An efficient implementation of DRAM controller can improve the overall performance of our proposed random number generator. Moreover, instead of reading a full page from the memory module, reading a selective location of cells can also increase the throughput.
V Conclusion
In these paper, we presented a methodology to generate highquality random number using the inherent DRAM latency variations. At first, we characterized the DRAM cells at the reduced precharge latency, , for selecting a set of cells that can be used to generate robust random numbers. The proposed hardware characterization and cell selection algorithm offer robust and highthroughput random numbers. The results show that our proposed postprocessing algorithm passes all NIST tests at extreme operating conditions without requiring any modification in the DRAM architecture.
Vi Acknowledgment
We thank ETH Zürich and CMU for the SoftMC software.
References
 [1] “Cyberattacks took $56B from U.S. economy in ’16: Report”, American Banker, 16 February 2018
 [2] Rahman, Md Tauhidur, Domenic Forte, Quihang Shi, Gustavo K. Contreras, and Mohammad Tehranipoor. “CSST: an efficient secure splittest for preventing IC piracy.” In Test Workshop (NATW), 2014 IEEE 23rd North Atlantic, pp. 4347. IEEE, 2014.
 [3] K. T. Nguyenet al., “Survey on secure communication protocols for the Internet of Things,” Ad Hoc Networks, vol. 32, pp. 1731, 2015.
 [4] B. Yang et al., “Onchip jitter measurement for true random number generators,” Asian Hardware Oriented Security and Trust Symp., 2017.
 [5] B. Sunar et al., “A Provably Secure True Random Number Generator with BuiltIn Tolerance to Active Attacks,” IEEE Transactions on Computers, vol. 56, no. 1, pp. 109–119, 2007.
 [6] A. P. Johnson et al., “An Improved DCMBased Tunable True Random Number Generator for Xilinx FPGA,” IEEE Transactions on Circuits and Systems II: Express Briefs, vol. 64, no. 4, pp. 452456, 2017.
 [7] Rahman, Md Tauhidur, Kan Xiao, Domenic Forte, Xuhei Zhang, Jerry Shi, and Mohammad Tehranipoor. “TITRNG: Technology independent true random number generator.” In Proceedings of the 51st Annual Design Automation Conference, pp. 16. ACM, 2014.
 [8] Lampert, Ben et al., “Robust, lowcost, auditable random number generation for embedded system security.” In Proceedings of ACM Conference on Embedded Network Sensor Systems, pp. 1627, 2016.
 [9] Z. Gutterman and D. Malkhi, “Hold Your Sessions: An Attack on Java SessionId Generation,” Lecture Notes in Computer Science Topics in Cryptology CTRSA 2005, pp. 4457, 2005.
 [10] J. Kelsey et al., “Cryptanalytic Attacks on Pseudorandom Number Generators,” Fast Software Encryption Lecture Notes in Computer Science, pp. 168188, 1998.
 [11] K. Xiao et al., “Bit selection algorithm suitable for highvolume production of SRAMPUF,” 2014 IEEE International Symposium on HardwareOriented Security and Trust (HOST), Arlington, VA, 2014, pp. 101106.
 [12] C. Eckert et al., “DRNG: DRAMbased random number generation using its startup value behavior,” IEEE International Midwest Symposium on Circuits and Systems (MWSCAS), 2017.
 [13] Rahman, M. Tauhidur, Domenic Forte, Xiaoxiao Wang, and Mark Tehranipoor. “Enhancing noise sensitivity of embedded SRAMs for robust true random number generation in SoCs.” In HardwareOriented Security and Trust (AsianHOST), IEEE Asian, pp. 16. IEEE, 2016.
 [14] B. Ray and A. Milenkovic, “True Random Number Generation Using Read Noise of Flash Memory Cells,” IEEE Transactions on Electron Devices, vol. 65, no. 3, pp. 963–969, 2018.
 [15] P. Poudel et al., “Microcontroller TRNGs Using Perturbed States of NOR Flash Memory Cells,” IEEE Transactions on Computers, 2018.
 [16] S. Sutar et al., “DPUF: An Intrinsically Reconfigurable DRAM PUF for Device Authentication and Random Number Generation,” ACM Transactions on Embedded Computing Systems, vol. 17, no. 1, 2017.
 [17] Rahman, M. Tauhidur et al., ”Systematic Correlation and Cell Neighborhood Analysis of SRAM PUF for Robust and Unique Key Generation.” Journal of Hardware and Systems Security 1, no. 2 (2017): 137155.
 [18] B. M. S. B. Talukder et al., “LDPUF: Exploiting DRAM Latency Variations to Generate Robust Device Signatures,” 2018, arXiv:1808.02584.
 [19] Kevin K. Chang et al., “Understanding Latency Variation in Modern DRAM Chips: Experimental Characterization, Analysis, and Optimization,” SIGMETRICS Perform. Eval. Rev. 44, 1 (June 2016), 323336.
 [20] H. Kim et al., “Characterization of the Variable Retention Time in Dynamic Random Access Memory,” IEEE Transactions on Electron Devices, vol. 58, no. 9, pp. 2952–2958, 2011.
 [21] JEDEC, ”DDR3 SDRAM Standard,” July 2012.
 [22] J. S. Kim et al., “The DRAM Latency PUF: Quickly Evaluating Physical Unclonable Functions by Exploiting the LatencyReliability Tradeoff in Modern Commodity DRAM Devices,” 2018 IEEE International Symposium on High Performance Computer Architecture (HPCA), 2018.
 [23] Q. Tang et al., “A DRAM based physical unclonable function capable of generating Challenge Response Pairs per 1Kbit array for secure chip authentication,” IEEE Custom Integrated Circuits Conference, 2017.
 [24] S.H. Kwok et al., “A comparison of postprocessing techniques for biased random number generators,” in IFIP International Workshop on Information Security Theory and Practices. Springer, 2011, pp. 175190.
 [25] Q. H. Dang, “Secure Hash Standard,” NIST, 2015.
 [26] S. S. Thomsen and L. R. Knudsen, “Cryptographic Hash Functions,” 2009.
 [27] H. Hassan et al., “SoftMC: A Flexible and Practical OpenSource Infrastructure for Enabling Experimental DRAM Studies,” IEEE International Symposium on High Performance Computer Architecture, 2017, pp. 241252.
 [28] www.nxp.com/docs/en/datasheet/MC34716.pdf, accessed 19 July 2018.
 [29] www.ti.com/product/tps51916/datasheet, accessed 19 July 2018.
 [30] T. H. Wonnacott and R. J. Wonnacott, “Introductory statistics,” New York: Wiley, 1969.
 [31] L. Bassham et al., “A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications,” NIST, 2010.
 [32] Daniel J. B. and T. Lange (editors), “eBACS: ECRYPT Benchmarking of Cryptographic Systems,” https://bench.cr.yp.to, accessed 19 July 2018.
 [33] N. Torii et al., “ASIC implementation of random number generators using SR latches and its evaluation,” EURASIP Journal on Information Security, vol. 2016, no. 1, 2016.
Comments
There are no comments yet.