Understanding Sources of Variations in Flash Memory for Physical Unclonable Functions

Sarah Q. Xu, Wing-kei Yu, G. Edward Suh, Edwin C. Kan
School of Electrical and Computer Engineering
Cornell University
Ithaca, NY 14853 USA
{qx33, wsy5, gs272, eck5}@cornell.edu

Abstract—This paper provides detailed characterizations of physical sources behind Flash memory based Physical Unclonable Functions (FPUs). Universal process variations in Flash physical systems are identified and decomposed into layout, intrinsic, stress and bit-wise fluctuation sources. The study shows the understanding of systematic variations and noise sources are essential for improving the security and reliability of FPUs. Bit-wise variations are proven to be originated mainly from random dopant fluctuation, which is indeed truly random and impossible to clone. Overall, this paper provides a theoretical foundation for the security of FPUs whereas previous PUF studies rely only on experimental evidence for its security and entropy.

Index Terms—Physical Unclonable Function, Flash Memory, Physical Modeling, Variation Sources

I. INTRODUCTION

Physical Unclonable Functions (PUFs) is a physical one-way function that provides unique challenge-response pairs based on the intrinsic, uncontrollable but reproducible randomness of the implementing device. So far, studies on PUFs have been largely focused on experiments to demonstrate that there exist enough variations to distinguish individual chip fingerprints [1-4]. Few detailed characterizations of the physical mechanisms behind the variations have been incorporated into these studies [5].

Unfortunately, without concrete definition and modeling of the physical variation sources, it is almost impossible to generalize the experimental conclusions to a variety of different devices, circuits and systems. In particular, technologies used to implement silicon based PUFs change very quickly due to the drastic scaling of the feature size [6, 7]. Only by physical modeling of the PUF physical origins, we can guarantee that proper PUF characteristics can be extended to different technology nodes and other manufacturers.

This paper presents a semiconductor device level modeling and analysis to understand underlying physical mechanisms behind variations in Flash-memory PUFs (FPUs), and discusses their implications for designing secure and reliable protocols. To the best of our knowledge, this study is the first to underpin the physical mechanisms of FPUs.

II. OVERVIEW OF THE FLASH PUF

Unlike prior PUFs, FPUs [2, 8] do not require any custom hardware circuits, and the Open NAND Flash interface (ONFi) [9] sufficiently provides universal extraction methods for most commercial Flash chips. Experiments on producing FPUs have been successfully carried out on commercial off-the-shelf (COTS) components [2].

FPUs can be extracted based on a technique called partial or aborted programming. The initial and after-erase $V_{th}$ for a Flash device are different from cell to cell due to process variations. This difference also induces changes in Fowler-Nordheim tunneling currents ($I_{FN}$) during programming operations. Therefore, each cell will require different number of partial program pulses hence the specific program time to change state. This partial program number is sufficiently consistent in program/erase cycles for the same cell, but varies distinctively from bit to bit, page to page and chip to chip, and therefore can be considered as a unique PUF function [2, 10].

FPUs have several practical advantages over conventional PUF implementations. In addition to the wide applicability, PUF extractions do not require a power cycle compared to the PUFs based on bi-stable elements [5, 10]. Since Flash is one of the most aggressively scaled technologies, FPUF is also superior in bit capacity compared to other PUFs [11].

III. MANUFACTURING VARIATIONS

A. Layout Variations

Average page PUF is obtained by averaging the bit-level partial program pulse numbers for a particular page. This average page PUF is then plotted for every page across the same block for several blocks on various chips. Results from

\[ \text{Average Page PUF} \]

\[ \text{Page Number} \]

Figure 1. Layout variations in Flash chips introduce systematic fluctuations in average page FPUs
two identical Hynix 50nm chips are presented in Fig. 1.

A consistent systematic variation can be seen among average page FPUFs for all the blocks. A cyclic fluctuation is highly correlated among blocks in the same chip with a Pearson correlation coefficient [8] as high as 0.99. Similar fluctuation patterns have been found in other chips with the same part number, and the correlation coefficient is around 0.88.

Because this page-wise fluctuation is consistent with all the blocks and also highly correlated for various chips, the contributor of this systematic variation has to come from a universal variation source for all blocks and chips fabricated in the same manufacturing process. Since it cannot come from spatial variation alone that varies from chip to chip, it is reasonable to attribute this prominent systematic effect to the layout design.

B. Spatial Variations

In order to observe the spatial variation components [12] of the FPUFs, block averages across three similar chips are plotted in Fig. 2. Each curve represents the average partial program pulse number for over 4000 blocks throughout the chip. The fluctuation in the block average FPUF across the chip is highly correlated among all three chips, with an average correlation coefficient of 0.76. Because it is very unlikely that all three chips come from the same spatial wafer location, the high correlation should be additionally attributed to the systematic layout-induced variations.

However, there is a clear offset in the block average among three chips. This offset is not a layout systematic component and very likely comes from the die spatial location difference, which can be attributed to a spatial variation component of the manufacturing variations.

C. Intrinsic Random Variations

Flash page-level fingerprints are unique and robust enough to be used to authenticate individual chips [2, 8]. It has been reported that the average correlation coefficient for the same page is on the order of 0.97, and fingerprints extracted from different pages, either the same page from different chips or different pages from the same chip, have an average correlation coefficient around 0.0076 [2].

Previous studies [2, 8] all simply contributed this randomness to general intrinsic process variations of Flash memory, but no detailed characterization and modeling have been performed. It is crucial to understand this source of random variation in order to determine if the uniqueness and robustness of the FPUF are indeed universally applicable, and not just a phenomenon presented in the limited selection.

The predominant intrinsic variation sources in sub-100nm MOS devices include random dopant fluctuation (RDF) [6, 7, 13] and line edge roughness (LER) [7]. Due to the additional floating gate and control dielectric, Flash memory can suffer more severely from RDF and less from LER compared to conventional logic devices due to the larger effective oxide thickness (EOT). In order to analyze the physical origins of the randomness, FPUF distributions are translated to threshold voltage distributions via tunneling current during programming, and then fitted to RDF analytical models [6, 13].

Since RDF is more severe as device scales further, a device with a smaller feature size should result in a larger standard deviation, which is observed in Fig 3 for chips from three technologies of 34nm, 50nm and 90nm. According to theoretical RDF predictions [7, 13], standard deviation ratio between 90nm and 50nm devices should be around 0.7, while the standard deviation ratio between 50nm and 34nm devices is roughly 0.58. Our experimental extractions yield average ratios of 0.68 and 0.55, respectively.

D. Implications for PUF Designs

<table>
<thead>
<tr>
<th>Test Type</th>
<th>P values for FPUFs with and without systematic variations</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>FPUFs from same chip</td>
</tr>
<tr>
<td></td>
<td>With</td>
</tr>
<tr>
<td>OQSO</td>
<td>1.0000</td>
</tr>
<tr>
<td>1.0000</td>
<td>.5695</td>
</tr>
<tr>
<td>1.0000</td>
<td>.9539</td>
</tr>
<tr>
<td>DNA</td>
<td>1.0000</td>
</tr>
<tr>
<td>1.0000</td>
<td>.7040</td>
</tr>
<tr>
<td>1.0000</td>
<td>.2569</td>
</tr>
<tr>
<td>1.0000</td>
<td>.6446</td>
</tr>
<tr>
<td>1.0000</td>
<td>.4831</td>
</tr>
<tr>
<td>1.0000</td>
<td>.9977</td>
</tr>
</tbody>
</table>

Systematic variations can degrade the uniqueness and entropy of FPUFs. In order to assess the effect of the layout and design induced variations, Diehard randomness tests [14] are performed for FPUFs containing systematic components and for FPUFs with systematic component removed from their page average. The tests are performed between FPUFs from the
same chip and FPUFs created by concatenating same-page FPUFs from multiple chips with highly correlated systematic variations. QOSSO (Overlapping-Quadruples-Sparse-Occupancy) and DNA are two randomness tests that sequentially sample 10 and 2 consecutive bits from the 32-bit integer data respectively, and p values close to one suggesting data fail the specific category. Sample p-values are shown in Table 1, where each row represents test result from a different selected group of bits. By removing the systematic components from the FPUF bits, improvement on the randomness is evident in both cases of QOSSO and DNA tests.

On the other hand, determining RDF as the major source of FPUF variations proves that FPUFs can be extracted from any Flash processes, since it is a universal phenomenon and cannot be fully controlled or cloned by today’s fabrication technology. Extensive modeling attempts have also been conducted to recreate RDF effects [6, 15], but today’s computing power is still insufficient for carrying out 3-D “atomistic” simulations on a large statistical scale to accurately depict the RDF behavior.

IV. VARIATIONS IN THE FIELD

A. Stress-induced Variation

Previous studies [2, 3] have suggested that repetitive program and erase (P/E) cycles can alter the partial program time of Flash cells due to cyclic endurance aging effects. This stress effect can be isolated from the manufacturing variations because RDF and LER should not be directly affected by P/E stress. Fig 4(a) illustrates how page average changes as P/E cycles increase. Correlation coefficients of fresh and stressed FPUFs from the same pages are plotted in Fig 4(b). The decrease in both correlation coefficients and average partial program numbers suggest that FPUFs are becoming increasingly different as the P/E stress level rises, which is coherent with stress induced leakage current (SILC) and bias-temperature instability (BTI) [16].

B. Random Telegraph Noise

When the same PUF bits are measured multiple times, the bit-wise partial program times have non-negligible fluctuations as depicted in Fig 5. This can affect the reproducibility of FPUFs when used as crypto keys or authentication directly, but can be useful for statistical query models with noises [17].

An example of bit-wise fluctuation is analyzed via power spectral density; results are plotted in Fig 6(a). A clear 1/f² relationship can be observed, and line fitting yields an x value around 1.8. These power coefficients were then extracted for multiple bits within a page and the results are shown in Fig 6(b). The average x is around 1.7 and most of the values are within 1 to 2. This proves that bit-wise fluctuations in general display shot noise behavior. In addition, this relationship closely resembles a 1/f² characteristic, which corresponds to the random telegraph noise (RTN) behavior very well, especially for low frequencies [18].

C. Block-level Erase Effect

During the P/E experiments, significant number of bits fluctuates together in the same P/E cycle. Sample correlation coefficients on how these bits fluctuate among 5000 FPUF measurements are plotted in Fig 7. A substantial percentage of bits have fluctuation correlation coefficients around 0.5.

This suggests that bit-wise fluctuation is not purely due to RTN. Observation from the same experiments have confirmed that conventional full erase operation dynamically adjusts the erase time during each block erase, and therefore can add an undesirable global bias to the bit-wise fluctuations. An erase operation with fixed erase time was performed in order to remove the block erase bias. The resulting correlation drops significantly compared to using dynamically adjusted full erase operations, as shown in Fig 7.
D. Implications for FPUF Designs

Bit-wise fluctuation originating from RTN is globally presented in all Flash memory devices. Therefore, reduction of this variation over time will be crucial to improving the reliability and reproducibility of FPUFs.

The fluctuations are generally split into two levels caused by capture and emission of the trapped carriers [18], which provides means of reducing the FPUF variations through averaging several measurements from the same physical system. This RTN effect also illustrates the improper assumption of independence when low correlation coefficients are extracted, as the fluctuations from true randomness can mask other systematic components.

Fig. 8 illustrates the reproducibility as a function of number of averaging measurements to extract FPUF. The percentage of the partial program number variation of individual bits is drastically reduced by averaging 10 measurements. Global erase, on the other hand, can add undesirable bias. Fig. 9 illustrates how erase biasing can reduce the consistency of FPUF due to its dynamic nature.

V. CONCLUSIONS

This study illustrates the importance of characterizing and understanding the physical mechanisms behind FPUFs. Strong systematic variations can severely degrade the uniqueness and entropy of the FPUF bits, and should be properly removed in appropriate security applications. Bit-wise FPUF fluctuation is caused by inherent RTN during operations, and ways to improve FPUF designs in both uniqueness and reliability are discussed. Erase fluctuation can add undesired global biases, but can be alleviated by fixing the erase time.

REFERENCES

[6] A. Asenov, “Random dopant induced threshold voltage lowering and fluctuations in sub 0.1 micron MOSFETs: A 3-D