A compact true random number generator (RNG) integrated circuit with adjustable probability is presented. Hot-electron injection is used in a floating-gate MOSFET to program the probability. Measurements show no cross-correlation between adjacent RNG circuits, allowing multiple RNGs to be easily integrated.
Introduction: Random number generation is indispensable in cryptography, scientific computing and stochastic computing. In cryptography, the quality of randomness of the generator is critical for security [1] . The pseudo-RNG generates sequences using a deterministic algorithm, so the sequence inevitably repeats and becomes predictable. A true RNG is nondeterministic and unpredictable, often relying on the randomness of physical noise. IC-compatible, true-RNG circuits are increasingly required in system-on-chip solutions for secure communication and stochastic computation. Noise amplification with thresholding, oscillator sampling, discrete-time chaos and metastability have all been used previously in IC-based RNGs [2, 3] . In this Letter, we present a new, true-RNG IC using the competition between noise sources. The circuit is very compact with less than 20 transistors. We use hot-electron injection in floating-gate MOSFETs in a negative feedback configuration to cancel fabrication mismatch and set the probability close to 50%. In the results to follow, we demonstrate high-quality randomness and robustness against interference by observing bit sequences generated by fabricated chips.
Circuit design: The core of our RNG is a clocked, cross-coupled differential pair comparator, as shown in Fig. 1 , with input voltages V iþ and V iÀ . The same circuit has previously been used in an adaptive comparator for offset cancellation [4] . When V clk is logic high, V oþ ' V oÀ . When V clk becomes logic low, transistor M5 shuts off, V oþ and V oÀ are nearly equal and the circuit is in its metastable state. If V gþ is significantly higher than V gÀ , V oþ increases rapidly and V oÀ decreases rapidly. This positive feedback leaves V oþ close to V c and V oÀ close to ground. If V gþ is significantly lower than V gÀ , the opposite happens. When V gþ is very close in value to V gÀ , thermal noise and 1=f noise that produce fluctuations in the drain currents of M1 and M2 will dictate the outcome. The final result depends on the sign of the imbalance, V oþ ÀV oÀ , which triggers positive feedback after transistor M5 shuts off.
I bias
M5

Fig. 1 RNG circuits: clocked comparator (left), dynamic buffer (right)
Fabrication mismatch in an uncompensated circuit would likely permanently bias the circuit to one solution. In this circuit, floatinggate inputs to a p-FET differential pair allow the mismatch to be compensated for [4] . Since there is no direct electrical connection to the floating gate, its potential is determined by capacitive coupling to nearby nodes and charge stored on the node. The voltage at the floating gate can be modified with fine resolution by hot-electron injection or tunnelling mechanisms. The circuit uses a nominal power supply of 5 V, which is sufficient for injection, and a 15 V supply for tunnelling used only during initialisation.
By controlling the common-mode voltage of the floating gates, we operate the circuit such that hot-electron injection occurs only on the side where the output voltage is close to ground. When one floating gate is higher in voltage than the other, the comparator output on that side will be pulled low. Over multiple clock cycles hot-electron injection works in negative feedback to equilibrate the floating-gate voltages. This is the equilibrium point around which the circuit operates as an RNG. We use a dynamic buffer, driven by the complement of the same clock, to convert the voltage at V oþ or V oÀ into a digital signal.
The RNG has been fabricated in a commercially-available 0.5 mm CMOS technology with two polysilicon layers and three metal layers. One RNG occupies an area of only 1.83 Â 10 À2 mm 2 . The layout was not optimised for minimum size, but special attention was paid to make the layout as symmetrical as possible. The RNG is surrounded by a guard ring to reduce interference from neighbouring circuits. There are eight RNGs in the fabricated chip.
Statistical tests: For the first test of randomness and independence, we examined the autocorrelation and cross-correlation of generated bit sequences with inputs V iþ and V iÀ connected to ground. The experiments match the theory closely, i.e. an independent, identically distributed (i.i.d.) random bit sequence with probability p of 1 has an autocorrelation function R(n) ¼ p for n ¼ 0, and R(n) ¼ p 2 for n 6 ¼ 0, and its power spectrum density (PSD) is flat across all frequencies except for a DC component from the nonzero mean. Two i.i.d. sequences with probability p have a cross-correlation function R(n) ¼ p 2 for all n and the cross-spectral density is also flat across all frequencies except for a DC component. Fig. 2 shows the PSD of one bit sequence. Fig. 3 shows the autocorrelation of one sequence and cross-correlation of two sequences. Existing methods can readily remove small biases in the probability [1] caused by injection mismatch. An exclusive-OR (XOR) of multiple independent random sequences will exponentially converge to an equal probability of 0 and 1 and simultaneously eliminate slight anti-correlation between adjacent bits, caused by kickback noise in the comparator and visible in Fig. 3 for n ¼ 1. [5] . 20 sequences of 10 6 bits from the XOR of four RNGs were evaluated against all 16 tests. They passed all tests with a significance level of 0.01 except for the overlapping template matching test, missing 3 of 148 templates by a small margin (0.90 pass rate against a 0.92 threshold).
Adjustable probability: The probability of the bit sequence can be adjusted by tuning the DC input voltage applied between V iþ and V iÀ while the circuit is operating near the metastable state. Fig. 4 shows the probability as a function of the input offset voltage. At each offset voltage, sequences of 10 5 bits are collected and partitioned into ten sub-sequences from which the mean and standard deviation of the probability are computed. It is reasonable to model the circuit as having a fixed threshold voltage, above which fluctuations trigger positive feedback. The probability of a Gaussian random variable being larger than a fixed value is an error function of its mean value. The probability of obtaining a '1' in the sequence thus closely matches an error function. Input offset can be biased to produce very low probabilities (measured as low as 0.004% in Fig. 4) that historically have been difficult to obtain reliably.
Interference: To test the robustness of the RNG, we evaluated its performance against several common sources of interference such as power supply noise digital noise and substrate noise. We use the difference Dd between the PSD value at DC and the maximum value in the band excluding DC as an indicator of the interference noise power that is coupled into the PSD of the random bit sequence. The measured value without intentionally adding interference is 36 dB (Fig. 2) . We injected sinusoidal signals of different frequencies (10 Hz, 100 Hz and 1 kHz) and amplitudes (1, 5 and 10 mV) onto the power supply voltage. The lowest Dd were 33, 26 and 21 dB for amplitudes 1, 5 and 10 mV, respectively. We used an on-chip shift register as one example of a digital circuit to evaluate the impact of nearby digital circuitry on the RNGs. The lowest Dd observed was 27 dB. We also injected noise into the substrate by driving 10 Hz, 100 Hz and 1 kHz square waves (amplitudes up to 2 V) through ESD-protected pads. The interference from these square waves was negligible, with the lowest Dd at 33 dB.
