Patent Grant
11620108
Many modern computer systems generate and process sensitive data. In such systems, communication needs to be secure and prevent interception of sensitive data by unauthorized recipients.
Data encryption is one technique that is often used to protect sensitive data. Data encryption algorithms and other types of algorithms for securing and protecting sensitive data often use one or more randomly generated numbers. To enhance the security of the information being protected, it is desirable for the random numbers generated for these data encryption and other algorithms to be truly random. Random number generators are often used in computer systems to generate random cryptographic keys used for encryption and many other applications where randomization and fairness are required, e.g., in electronic gambling, statistical sampling, computer simulation, and video games.
Unfortunately, the numbers generated by many conventional random number generators are not always truly random. That is, the algorithms used to generate the random numbers are often deterministic such that the generated numbers are actually pseudo-random, thereby making such numbers more susceptible to hacking attempts. If a hacker or other unauthorized user is able to recover a random number used in an encryption algorithm, it is more likely that the hacker or other unauthorized user will be able to break the encryption and recover the protected data. To help protect against this risk, many random number generators capable of generating numbers that are truly random have been developed, but these random number generators are often complex and expensive. In addition, these random number generators often use certain highly-random seed values that are not always available in certain applications. Moreover, better techniques for generating random numbers for various applications are generally desired.
The disclosure can be better understood with reference to the following drawings. The elements of the drawings are not necessarily to scale relative to each other, emphasis instead being placed upon clearly illustrating the principles of the disclosure. Furthermore, like reference numerals designate corresponding parts throughout the several views.
The present disclosure generally pertains to systems and methods for generating random numbers. In an exemplary embodiment, a random number generation system may generate one or more random numbers based on the repeated programming of a memory, such as a flash memory. In an exemplary embodiment, a control system may repeatedly store a sequence to a block of flash memory to force a plurality of cells into a random state such that, at any given instant, the values in the cells are random. The control system may be configured to identify which of the cells contain random values and then generate based on the identified values a number that is truly random (i.e., not deterministic).
As mentioned earlier, many conventional random number generators capable of generating truly random numbers are relatively complex requiring dedicated hardware for random number generation. For space-constrained and resource-constrained systems, such as Internet-of-Things (IOT) devices, for example, accommodating additional hardware resources for generating random numbers may not be feasible or desirable. Further, deployment of the existing random number generators may require changes in design of the systems, thereby increasing associated redesign costs, and may undesirably increase complexity of the system. On the other hand, exemplary random number generation systems, as disclosed herein, may leverage the existing flash memory, used in many modern systems, in order to decrease its space and cost requirements.
As known in the art, flash memory is a commonly used medium for data storage. Flash memory uses a dielectric substrate and oxide layers to form memory cells. Each cell has a substrate with drain and source terminals and two gates, a control gate and a gate known as a “floating gate.” The floating gate is surrounded by oxide and placed between the control gate and a channel in the substrate that connects the drain and source. Charge can be provided to the floating gate by applying a voltage differential to lines across the cell. A binary bit value of a cell's charge (e.g., voltage) can be determined by measuring the voltage differential across the cell. When a cell has a voltage value that exceeds a voltage threshold, the cell may be said to be “charged.” When a cell is charged, it may be assigned a binary bit value of zero. When the voltage differential measured in a cell falls below a threshold, the cell may be said to be “uncharged” or “erased.” When a cell is uncharged, it may be assigned a binary bit value of one.
In some flash memory architectures, multiple flash cells can be programmed or erased by providing voltage to a word line shared by the cells. A single-level-cell (SLC) architecture has a single binary value stored to each cell. Typically, in such architectures, a flash memory cell has sufficient margin between the threshold voltage at which the cell is considered programmed (e.g., logic value zero) and the threshold voltage at which the cell is considered uncharged (e.g., logic value one) to permit reading the cell's value, as depicted by
A multi-level-cell (MLC) architecture has multiple values, such as four binary values stored in each cell. In such an architecture, the charge placed on the floating gate can take more than two levels (charge or no charge). Thus, if the charge placed on the floating gate takes four levels, two bits of information can be stored into a single cell. The techniques described herein may be applied to either SLC or MLC architectures. That is, either type of cell may be forced to a random state by repeated programming, as will be described in more detail below, and in such state, the value in the cell randomly changes whether the charge in the cell represents a single binary value or multiple binary values. For simplicity of illustration, it will be assumed that that flash memory described hereafter is an SLC architecture, unless indicated otherwise, but it should be emphasized that similar techniques may be used to generate random numbers in MLC architectures.
It has been observed that read noise levels increase substantially when a cell of flash memory is repeatedly programmed or erased a sufficient number of times to cause the cell to enter a random state. During such repeated programming, the cell's binary bit value is repeatedly programmed to the same logic value. For example, a flash memory cell may be programmed when a reference voltage is provided so that its logic value is zero.
As noted above, in a flash memory cell operating normally, a read operation at the flash memory cell is performed, and after this programming, there may be sufficient margin between voltage values corresponding to logic state zero and logic state one that read noise does not affect read accuracy of the state for the flash cell. However, when the same cell is repeatedly programmed a sufficient number of times (e.g., 100-200 program operations), the cell may enter a random state, and read noise may be increased significantly. In this regard, the state of the cell read during a read operation may change from logic zero to logic one, even though the cell is actually programmed, and should read logic zero.
It has further been observed that, when a cell is in a random state, margin between the threshold voltage for a cell reading “programmed” (logic zero) and threshold voltage for the cell's reading “erased” (logic one) may be reduced or eliminated, as can be seen in
Note that read noise present in a cell may vary with time and at random levels. The read noise present in a flash memory cell in a random state may vary according to a statistical distribution. In this regard, read noise in such cell may vary randomly over time causing a read operation of the cell's binary bit value vary according to the associated statistical distribution. For example, read noise levels may vary so that the read noise present may be sufficient to affect the bit value read for the cell at various times, but insufficient to change the bit value at other times. This random variation in read noise results in random variations of bit values read from a cell in random state and may depend on the read time, as depicted by
The device 100 may include, but is not limited to, smartphones, mobile devices, tablets, personal digital assistants, personal computers or other devices, and the flash memory 110 may be a memory card, a Universal Service Bus flash drive, a solid state drive or other types of flash memory. In an exemplary embodiment, the flash memory 110 may be a multilevel cell NAND flash architecture, although in other embodiments other types of devices 100 and other types of flash memory 110 may be possible.
The control system 120 may also include a communication interface 165, such as a cellular radio, for communicating data with external devices. In particular, the communication interface 165 may be configured to use a random number sequence from the RN generation logic 130 for encryption or decryption of data communicated by the interface 165. In other embodiments, other uses of the random number sequence are possible.
The control system 120 of the device 100 may include a conventional operating system 162 stored in the memory 161. Such operating system 162 may be configured to manage the hardware and software resources of the device 100 using techniques known in the art.
The device 100 further includes a memory unit 150 that includes the memory controller 140 and the flash memory 110. In an exemplary embodiment, the memory unit 150 may be internal to the device 100, such as a removable flash memory card inserted into the device 100 or flash memory permanently integrated into the device 100 during manufacturing. In some embodiments, the memory unit 150 may be externally connected to the device 110. As an example, the memory unit 150 may be a universal service bus flash drive (“USB flash drive”) externally connected to the device 110. In other embodiments, other configurations of the memory unit 150 are possible.
As noted above, the memory controller 140 may be configured to control the flash memory 110. For example, the memory controller 140 may be responsive to instructions from other components, such as RN generation logic 130, for performing various tasks such as read, write, erase, or other operations on the flash memory 110. Further, the memory controller 140 may be configured to control access to the flash memory 110 and may allocate space (e.g., blocks) of the flash memory 110 to other resources of the device 100, such as applications (e.g., the RN generation logic 130) stored in memory 161. The memory controller 140 may be implemented in hardware or a combination of hardware, software, and/or firmware. As an example, the memory controller 140 may comprise one or more processors programmed with instructions for performing its functions as described in more detail herein.
The RN generation logic 130 may be implemented in hardware, software, firmware or any combination thereof. In the exemplary control system 120, illustrated by
As noted earlier, the RN generation logic 130 may be configured to generate random numbers from the flash memory 110. In this regard, the RN generation logic 130 may transmit instructions to the memory controller 140 for repetitively programing a block of the flash memory 110 with the same number sequence to force cells of the flash memory 110 to a random state. The RN generation logic 130 may also transmit instructions to the memory controller 140 for reading the values in the block of flash memory 110. The RN generation logic 130 then analyzes the values read by the memory controller 140 and returned to the RN generation logic 130 to determine which of the cells have been forced to a random state. Based on random values read from such cells, the RN generation logic 130 generates a random number sequence. Exemplary techniques for generating such a random number sequence will be described in more detail below.
In this regard, the RN generation logic 130 may initially request from the operating system 162 allocation of a block of flash memory 110 to be used for random number generation. Through such allocation, other resources of the device 100 may be prevented from accessing the block of flash memory 110 and interfering with the random number generation process.
After allocation of the block of flash memory 110 to the RN generation logic 130, the logic 130 may instruct the memory controller 140 to erase the allocated block of flash memory 110. The RN generation logic 130 may be configured to then write a number sequence on the erased memory block for a desired number of times (indicated as ‘N’) (e.g., between 100 and 200 times or otherwise) in order to force at least some of the cells of the memory block into a random state. In this regard, the RN generation logic 130 may submit to the memory controller 140 N number of consecutive write requests having the same memory address and same value to be written, and in response the memory controller 140 may perform the requested write operations. Thus, the same number sequence may be written to the same block of flash memory 110. As an example, the block may be programmed using an alternate pattern of programed cells and erased cells (i.e., logic 0-1-0-1-0-1 . . . ) or “checker board” pattern, and repeated for N times. By performing the write operations, the same logic value may be written repeatedly to each cell for N times. In other embodiments, a different programming pattern may be used for the memory block.
As mentioned earlier, due to this repeated programming of the block of flash memory 110, a plurality of cells in the block may enter a “random state” such that the values stored in such cells (referred to hereinafter as “failed bits”) may change randomly or fluctuate over time. The RN generation logic 130 is configured to identify the failed bits (i.e., the cells that have entered a random state and thus have values that change over time). In this regard, the RN generation logic 130 may be configured to read the block of flash memory 110 by submitting one or more read quests to the memory controller 140, which then retrieves the values stored in the memory cells and returns those values to the RN generation logic 130. The RN generation logic 130 then compares the values read from the block of flash memory 110 to the number sequence previously written to the block to determine which values have changed. The RN generation logic 130 may do this read and compare multiple times, and any cell that provides a value that has changed for any of the reads relative to the value previously written to it may be identified as having a failed bit (i.e., the cell has entered a random state).
In some embodiments, the RN generation logic 130 may be configured to determine a fail bit count, indicative of the number of the cells in the memory block that have been identified as entering a random state after programming of the cells for N times. The RN generation logic 130 may be configured to compare the fail bit count to a threshold. Such threshold may be established to ensure that a minimum length of random bits, as may be desired, are provided by a read operation for the block of flash memory 110. In this regard, if the fail bit count is less than the threshold, then the RN generation logic 130 may be configured to continue writing the same number sequence (relative to the number sequence previously written, as described above) to the block of flash memory 110 until the failed bit count exceeds the threshold value, thereby ensuring that a minimum number of cells have been forced to a random state.
After the failed bit count exceeds the threshold value, the RN generation logic 130 may be configured to generate a random number sequence using the failed bits. In this regard, the RN generation logic 130 may be configured to take bit values read from the cells identified as having entered a random state and combine (e.g., concatenate) these bit values into a random number sequence defining a value that is truly random. If desired, the RN generation logic 130 may be configured to perform one or more other operations such as applying debasing algorithms to a string of random bits to ensure that the string has a substantially equal number of logic 0's relative to logic 1's. However, such additional processing is unnecessary.
In some embodiments, the random number generation logic 130 may be configured to read the programmed block of the flash memory 110 multiple times in order to generate a random number sequence of desired bit length (indicated by ‘x’). That is, for each read operation, the RN generation logic 130 obtains additional random bits that may be combined (e.g., concatenated) with random bits from previous read operations to increase the bit length of the random number sequence being generated. The RN generation logic 130 may continue adding random bits until the desired bit length is achieved.
Note that, for cells that have entered a random state, read noise can cause the value in the cell to change in a random manner in response to performance of the read operation. Thus, when a failed bit is read, noise from the read operation may change the bit value helping to improve the randomness of the random number sequence being generated. If desired, the RN generation logic 130 may identify a cell as entering a random state when the value read from the cell changes from one read operation to another regardless of the value originally written to the cell. In addition, it should be emphasized that the process described above is exemplary, and other techniques may be used to generate a random number sequence from cells that have been forced to a random state by repetitive write operations.
Once a random number sequence of a desired bit length is achieved, it may be used for any purpose as may be desired. As an example, the RN generation logic 130 may provide the random number sequence to communication interface 165 (
During operation, the RN generation logic 130 may transmit a request to the operation system 162 to allocate a space (e.g., a block) in the memory 110 for performing tasks related to the generation of random number sequence. In response, the operating system 162 may allocate a block of memory 110 to the RN generation logic 130. The RN generation logic 130 may then erase the block of the flash memory 110 of the device, as shown by block 171 of
After writing the same sequence N times, the random number generation logic 130 determines the fail bit count indicative of the number of cells that have entered a random state due to repetitive programming, as shown by block 173 of
After determining the fail bit count, the logic 130 checks if the fail bit count is greater than a predefined threshold, as shown by block 174 of
On the other hand, if the fail bit count does not exceed the threshold, the logic 130 performs blocks 172-174 again until the fail bit count exceeds the threshold value and the RN generation logic 130 may then proceed to generate random numbers in block 175.
Then, using the remaining identified values, which are from cells having entered a random state, the RN generation logic 130 may generate one or more random numbers, as shown by block 183 of
Once a random number is generated, the RN generation logic 130 may output the generated random number, as shown by block 184 of
Accordingly, the system described herein is able to leverage the randomness of the flash memory through repeated programming to provide a number that is truly random. In this regard, existing hardware of devices, like cellphones, may be retrofitted with random number generation functionality in order to generate random numbers that are truly random by simply downloading and running the RN generation logic 130 without having to modify the hardware resources of the devices. That is, true random number generation may be provided without having to add expensive or bulky hardware. Thus, the overall cost to provide random number generation can be reduced or mitigated while achieving a robust algorithm for generating a number that is truly random.
This application claims priority to U.S. Provisional Application No. 62/672,992, entitled “Flash Memory based Random Number Generation” and filed on May 17, 2018, which is incorporated herein by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 7035964 | Kohler | Apr 2006 | B1 |
| 7136303 | Smith | Nov 2006 | B2 |
| 7491948 | Gordon et al. | Feb 2009 | B2 |
| 8199590 | Novosel | Jun 2012 | B1 |
| 8331128 | Derhacobian | Dec 2012 | B1 |
| 8335098 | Shen | Dec 2012 | B2 |
| 8861250 | Wu | Oct 2014 | B1 |
| 9530512 | Ray et al. | Dec 2016 | B2 |
| 9543028 | Ray et al. | Jan 2017 | B2 |
| 9705320 | Petrick | Jul 2017 | B1 |
| 10403366 | Tabrizi | Sep 2019 | B1 |
| 10509132 | Ray et al. | Dec 2019 | B1 |
| 10878922 | Ray | Dec 2020 | B1 |
| 11101009 | Ray | Aug 2021 | B1 |
| 11164642 | Ray et al. | Nov 2021 | B1 |
| 20040041197 | Jong et al. | Mar 2004 | A1 |
| 20040191989 | Ngo | Sep 2004 | A1 |
| 20060083060 | Riva Reggiori | Apr 2006 | A1 |
| 20080232162 | Kuan | Sep 2008 | A1 |
| 20090165086 | Trichina | Jun 2009 | A1 |
| 20100140488 | Visconti | Jun 2010 | A1 |
| 20100240156 | Suhail | Sep 2010 | A1 |
| 20140026653 | Del Signore et al. | Jan 2014 | A1 |
| 20140037086 | Seol | Feb 2014 | A1 |
| 20140098605 | Long | Apr 2014 | A1 |
| 20140146607 | Nagai | May 2014 | A1 |
| 20150095550 | Khan | Apr 2015 | A1 |
| 20150169247 | Wang | Jun 2015 | A1 |
| 20150193204 | Lin | Jul 2015 | A1 |
| 20150268934 | Anderson | Sep 2015 | A1 |
| 20170032843 | Ilani | Feb 2017 | A1 |
| 20170046129 | Cambou | Feb 2017 | A1 |
| 20170090873 | Clark | Mar 2017 | A1 |
| 20170110199 | Li | Apr 2017 | A1 |
| 20170269992 | Bandic | Sep 2017 | A1 |
| 20180287793 | Khatib Zadeh | Oct 2018 | A1 |
| 20190294500 | Hara | Sep 2019 | A1 |
| 20200081689 | Huang | Mar 2020 | A1 |
| 20200204367 | Miller | Jun 2020 | A1 |
| Entry |
|---|
| Y. Wang, W. Yu, S. Wu, G. Malysa, G. E. Suh and E. C. Kan, “Flash Memory for Ubiquitous Hardware Security Functions: True Random Number Generation and Device Fingerprints,” 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, 2012, pp. 33-47, doi: 10.1109/SP.2012.12. (Year: 2012). |
| B. Ray and A. Milenković, “True Random Number Generation Using Read Noise of Flash Memory Cells,” in IEEE Transactions on Electron Devices, vol. 65, No. 3, pp. 963-969, Mar. 2018, doi: 10.1109/TED.2018.2792436. (Year: 2018). |
| P. Poudel, B. Ray and A. Milenkovic, “Microcontroller TRNGs Using Perturbed States of NOR Flash Memory Cells,” in IEEE Transactions on Computers, vol. 68, No. 2, pp. 307-313, Feb. 1, 2019, doi: 10.1109/TC.2018.2866459. (Year: 2019). |
| “Why do most of the non-volatile memories have logical 1 as the default state?” Retrieved on [Aug. 19, 2021]. Retrieved from the Internet <https://electronics.stackexchange.com/questions/179701/why-do-most-of-the-non-volatile-memories-have-logical-1-as-the-default-state> (Year: 2015). |
| Prabhu, Pravin et al. “Extracting Device Fingerprints from Flash Memory by Exploiting Physical Variations.” TRUST (2011). (Year: 2011). |
| Irom, et al, “Single Event Effect and Total Ionizing Dose Results of Highly Scaled Flash Memories,” Radiation Effects Data Workshop (REDW), 2013 IEEE, pp. 1-4, Jul. 2013. |
| Number | Date | Country | |
|---|---|---|---|
| 62672992 | May 2018 | US |
