Intrinsically Secure Non-Volatile Memory Using ReRAM Devices

The paper describes a device-level encryption approach for implementing intrinsically secure non-volatile memory (NVM) using resistive RAM (ReRAM). Data are encoded in the ReRAM filament morphology, making it robust to both electrical and optical probing methods. The encoded resistance states are randomized to maximize the entropy of the ReRAM resistance distribution, thus providing robustness to reverse engineering (RE) attacks. Simulations of data encryption and decryption using experimental data from Ru(BE)/ALD-HfO2 (MO)/Zr/W(TE) ReRAM devices reveals an uncorrected bit error rate (BER) < 0.02 and a maximum key entropy of ≈17.3 bits per device. A compensation procedure is also developed for maintaining BER in the presence of temperature changes.


I. INTRODUCTION
Emerging non-volatile memories (NVMs) promise a fundamental advancement in computing by allowing memory and storage systems to be combined. Integration of NVM within CMOS dies thus enables monolithic computer architectures that realize the processor and high-capacity memory/storage system on a single die [1], [2]. Promising NVM technologies include filamentary and non-filamentary resistive RAM (ReRAM) [3], [4], [5], spin transfer torque magnetic RAM (STT-MRAM) [6], and phase change memory (PCM) [7]. Some attractive features of ReRAM include: (i) logic-compatible voltages and currents, (ii) CMOS Back End of Line (BEOL) process-flow compatibility, (iii) multiple resistance states, (iv) non-volatility of states, and (v) high scalability. A large applications space for these devices has accordingly emerged, ranging from high-density storage class memory [8], [9] to multiply and accumulate (MAC) units for neuromorphic computing [10], [11]. ReRAM devices can also be used to realize various security primitives for such architectures due to their reconfigurability The associate editor coordinating the review of this manuscript and approving it for publication was Ye Zhou . and inter-device variability [12], including physical unclonable functions (PUFs) for device authentication [13], [14], true-random number generators (TRNGs) [15], reconfigurable vias enabling split manufacturing [16], switch boxes for non-volatile FPGAs [17], and programmable ''memory fingerprints'' for provable destruction of digital keys after use [18].
On-chip ReRAM modules enable a variety of emerging applications include key storage for logic locking, hyperparameter and weight storage for neuromorphic computing, and user profile and key storage for IoT sensor nodes. With the widespread deployment of ReRAM-based NVM in such application domains, several security threats including reverse engineering (RE), piracy, and tampering have emerged as major concerns at different stages of the product life-cycle. Sensitive data stored within such NVM modules has traditionally been protected by reading and writing only encrypted data blocks, with the necessary encryption and decryption operations being performed by an embedded cryptographic processor [19], [20]. However, these operations tend to add significant power, area, and cost overhead, which makes them unsuitable for ultra-low-power applications such as IoT nodes. Additionally, they are prone to data loss since VOLUME 10, 2022 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ the key can often be revealed using techniques such as sidechannel attacks [21], [22]. Thus, there is ongoing interest in lightweight cryptographic algorithms to replace well-known encryption methods such as AES [23]. The authors in [24] compare various lightweight cryptographic algorithms and their software and FPGA-based hardware implementations, with Throughput/Area (TP/A) and energy/bit chosen as metrics to quantify suitability for IoT applications. Notably, AES implementations on FPGA provide the best energy/bit, but relatively poor TP/A. Here we propose a complementary approach in which the NVM exploits intrinsic device properties to self-encrypt all data prior to storage. The additional security provided by such self-encryption allows the cryptographic processor to use simpler algorithms, thus improving system-level energy efficiency. The device properties of ReRAM result in further improvements in system-level metrics. Firstly, ReRAM has been proven to be extremely scalable: its layout footprint is 4F 2 where F is the minimum feature size [25], [26], and 3D integration with access diodes (resulting in 1D1R architectures) can lead to further scalability by reducing the footprint to 4F 2 /L where L is the number of layers [27]. Secondly, ReRAM switching energy and read energy per bit can be in the fJ/bit range (∼0.8 fJ and ∼0.1 fJ, respectively). As a result, ReRAM-based selfencrypted NVM is promising for simultaneously achieving low TP/A and energy/bit. The rest of the paper is organized as follows. Section II describes the properties of ReRAM devices that enable selfencrypted NVM. The proposed self-encryption approach is described and analyzed in Section III, while experimental results are presented in Section IV. Finally, Section V summarizes our contributions and concludes the paper.

II. DEVICE PROPERTIES
ReRAM uses emerging two-terminal devices that can be fabricated with high densities and can assume a range of resistance states based on either fast (10-100 ns) or lowvoltage (< ±1 V) pulse programming, making them attractive for scalable non-volatile data storage and neuromorphic computing [28], [29]. The basic device structure is composed of a very thin metal-oxide (MO) layer placed between a top electrode (TE) and bottom electrode (BE). On application of a high electric field, the oxide breaks down, causing the formation of a conducting filament (CF) as shown in Fig. 1(a) [30]. For simplicity, the CF is generally modeled as a cylinder of diameter < 50 nm stretching from BE towards TE.
As an example, we studied custom filamentary ReRAM devices fabricated using a Ru(BE)/ALD-HfO 2 (MO)/Zr/W(TE) stack [31]. Filamentary devices were chosen since they are more studied and their models are better understood [32], [33], [34]. Filamentary ReRAM devices also show better endurance and retention values over non-filamentary ReRAM devices [29]. The filament geometry can be controlled by compliance current and reset voltage [28], resulting in a range of resistance states as shown in Fig. 1(b) for a typical device: Widening the filament-electrode gap increases the resistance, while narrowing the gap (or widening the filament) lowers it. The processes used to reach these states are referred to as Set, Reset, and Forming. Forming is the initial operation required for soft breakdown of the MO, shifting oxygen ions toward a 'storage layer' at the TE/MO interface and creating a metal-rich filament in the MO that stretches from BE to TE (see Fig. 1(a)). Reset operations reverse this process to a significant degree, i.e., increase the resistance by retracting the filament away from TE. Set operations reduce the resistance, similar to Forming, but by a smaller amount that is determined by the compliance current (CC) used during the operation. In Fig. 1(b), the low-resistance 'Set' state (∼0.9 k ) was achieved through Forming, followed by Reset and finally Set. From here, a wide range of resistance states (2.5-250 k ) was achieved via Reset operations at various voltages (in this case, from 1 V to 2.4 V).
ReRAM-based NVM also has attractive properties for selfencryption [35]. The history-dependent voltage response of these devices allows information to be hidden in the filament geometry and later detected by inverting the state to its starting condition. Due to this unique history-dependent voltage response, device resistances can be repeatedly shifted up/down by self-limited Set and Reset operations. In this approach, the device is first electroformed with high CC, then Reset to the desired state, Set again with low CC, and finally Reset back to a desired state. Thereafter, the Set state can be successfully retrieved by careful application of appropriate set voltage without any fixed CC. Instead, the read current is governed by prior history of the Set state, which makes it self-limiting if a precise Set voltage range is used. Thus, unlike CC-based Set operations, self-limiting ones (achieved using prior Set conditions) simply shift the device state based on its current state and the voltage used, as shown in Fig. 1 In order to be self-protected, the device must also have i) maskable states from which data cannot be read without altering the device state; and ii) a final revealed state (reached by applying a key) that allows data to be read. To achieve self-encryption, an unformed ReRAM device is first put into a range of ''actual'' states using Forming, Reset, and Set operations, as shown in Fig. 1(c); the CC used during these steps controls the width of the filament, and thus the resistance. Next, a state-dependent Reset operation, denoted by P, forces each device into the same high-resistance ''masked'' state. Reverse engineering of the masked data is difficult as filament geometry changes rely on atomic-scale rearrangements. For example, we expect the data to be robust to state of the art optical attacks [36], [37], which have proven detrimental for many CMOS-based memory technologies [38]. Finally, the correct key (another programming function P −1 ) can modify the filament geometry in the masked state to reveal the data, as shown in Fig. 1(c). In this example, one can see that the two devices are first Set to states of 1 k and 500 with respective CC values, then Reset to the same state (5 k ), which is referred to as the masked state. Observe that the original data is still stored in filament morphology even though an attacker would electrically read the same masked state for both devices. The actual state can be revealed when an appropriate Set voltage is used (without CC), as the filament  [30]. Here Zr/W and Ru are the TE and BE, respectively, HfO 2 is the MO layer, and mobile oxygen ions (O 2− ) create the oxygen-poor (i.e., metal-rich) CF shown within dashed lines. (b) Multiple resistance states obtained by modulating the filament geometry of a custom anion-type ReRAM device. The device consisted of a vertical W (50 nm), Zr (10 nm), HfO 2 (8 nm), Ru (40 nm), and Ti (3 nm) stack on a SiO 2 /Si wafer. (c) An example of the basic self-encryption mechanism in ReRAM devices. Devices in two resistance states (0.5 and 1 k ) are masked to a single higher-resistance state (5 k ) by the programming sequence P. The masked states are revealed by applying the inverse programming sequence, P −1 , which serves as the key.
would track the original filament morphology governed by the history-dependent phenomenon.

A. INITIAL MASKING EXPERIMENTS
Preliminary experimental results from our custom ReRAM devices demonstrate reliable data masking and de-masking. Figs. 2(a)-(b) show an example. The figures show resistance values of ReRAM versus read voltage. Binary data is stored in states 500 in (a) and 1 k in (b) ('1' and '0', respectively); both of these are 'Set' states (labeled with green markers) achieved by using two different CC. The error bar shows measurement across different devices on the same wafer. Next, these states (and hence the stored data) were masked to the same state of ∼7 k using two different reset voltages for (a) and (b), shown by 'Reset' in orange markers. Note that both devices will read the same resistance in this ''masked'' state, thus making 1 and 0 indiscernible. Next, to reveal the state, a valid user applies a precise Set voltage (originally used to set the devices). Using this technique, the masked state can be successfully revealed, as apparent from the purple markers for ''state-reveal'' in both cases. Note that CC was not necessary to reveal the state. This is because a precise set voltage leads the filament to reform in its original morphology, thus, resulting in history-dependent retrieval of the state when proper set voltage is applied. These observations were recorded from ReRAM devices fabricated using a Ru(BE)/ALD-HfO 2 (MO)/Zr/W(TE) stack, as in our earlier work [31]. Also note that failure to apply the required precise set voltage for state-reveal (as may be the case when an attacker tries trial-and-error) can permanently alter the state of the device, which can become apparent to the valid users.

B. ATTACK COMPLEXITY ANALYSIS
While promising, the data masking and de-masking capabilities shown in Fig. 2 are not sufficient for secure memory. There are two main issues. The first is that it is not possible to completely hide state information since a device will respond to an input voltage based on its history. Given a set of devices Formed to one of n states (to store data) and then Reset to mask the chosen state, anyone with hardware access can probe the devices with constant stress signals and measure the difference in responses among the devices to map them into bins, regardless of the key normally used to reveal the hidden states (i.e., data). In this case, guessing the relationship between masked and hidden states only requires O(n!) operations, which is not large since the maximum value of n for reliable data encoding is limited by device-device variability due to i) random filament morphology during write, and ii) random telegraph noise (RTS). Thus, given enough statistical information (i.e., from at least n! devices), it is relatively easy for an attacker with physical access to the memory to decode the stored data via electrical probing. One can of course encode the data prior to storage to ensure that the decoded data is not plaintext but ciphertext; however, in this case the ReRAM memory provides little additional security compared to any other storage technology. The second problem is that the de-masking function (i.e., key) is data dependent, as shown in Fig. 2(b). Since using such a 'key' requires knowledge of the data, it is not a true key. In effect, we have simply shifted the secure storage problem from one hardware device (our ReRAM) to another.
A partial solution to these issues may be obtained as follows. Instead of using the key to map the masked (secondary) device states back to the n original (primary) states, we can map them to a larger set of m tertiary states (m > n), as shown in Fig. 2(c). In this approach, we recover the data by probing the masked device with n different read voltages V Kj ; the latter constitutes the key. Due to the history-dependent nature of the device response, the final resistance (i.e., the tertiary state) can take one of m = n 2 different values. These values can then be mapped to the stored data via a simple look-up table, as shown in the figure. This approach allows the data and key to be decoupled, as desired. However, an attacker can still electrically probe the masked states of a large set of devices with a fixed read voltage to obtain n different resistance values that reveal the stored data (assumed to be ciphertext, i.e., encoded by the key prior to storage). In the next section, we describe an ReRAM data encoding approach that addresses these weaknesses. VOLUME 10, 2022 FIGURE 2. Preliminary experimental results supporting the concept of self-encryption in ReRAM: (d) a 0.5 k state is masked to a 5-10 k state and then revealed by applying the key; (e) same as (a), but for a 1 k state. The horizontal line is at 1 k . (f) Proposed self-encryption procedure for ensuring data-key independence (n = 2 and m = 4 in this example). Here M(v , t ) and K (v , t ) denote the masking and key functions, respectively. The truth table for inferring the stored data b i is also shown.

III. PROPOSED APPROACH A. THREAT MODEL
We assume that the attacker i) has physical access to the proposed NVM (which may be used, e.g., to store secure data or keys in an IoT device), and ii) can employ both electrical and optical probing methods to reverse engineer the NVM with the intent of stealing and/or tampering with the data. Available methods include i) multi-channel mixedsignal automatic testing equipment for integrated circuits, ii) nanoprobes for device-level electrical characterization, iii) nanoscale imaging methods (X-ray, scanning electron microscopy, and light microscopy), and iv) thermal cycling systems.

B. REQUIREMENTS FOR SECURE DATA STORAGE
Secure data storage relies on using a complex key comprised of a string of bits to convert the plain text message into some unreadable format. The plain text can then be retrieved by applying the reverse algorithm on the data with the same or 'symmetric' key. Other uses of cryptography are in secure data transfer over insecure connections, for which asymmetric or public-private key cryptography (e.g., an algorithm such as RSA) is commonly used. Here we focus on symmetric key encryption/ decryption, which is often implemented with the AES (Advanced Encryption Standard) algorithm with a key length of 128, 192, or 256 bits [39].
A major property of AES or any symmetric encryption algorithm is the use of a large (typically, at least 128-bit) key for converting data to the ciphertext, and then using the same key for decryption. Guessing the key and running the decryption process would take an infeasible number of guesses, and therefore time. The key itself should also be completely uncorrelated with the message being encrypted. Thus, the central issue in symmetric encryption is to create a suitable data manipulation function defined by the key. An ideal function should be complex enough mathematically to be infeasible to invert without the key, yet easy to encrypt and decrypt when the key is available. High time complexity for key guessing, ability of users to generate keys, and the use of uncoupled message/ key pairs are other requirements for ReRAM-based intrinsically secure data storage.

C. DATA STORAGE PROCEDURE
Here we propose a solution to the previously-described security problems with ReRAM-based self-encrypted NVM. For clarity, we need to clearly distinguish between the stored bit (b i ) and the resistance of the device (R j ). The goal is to store a limited number of bits per device -low enough to ensure reliable recovery of the bit. However, we should also be able to program many resistance states by varying the applied Forming voltage, which is indeed possible with our ReRAM devices (see Fig. 1(b)). Given this capability, the basic concept for secure storage is to Form the device to an (ideally) random resistance state based on the key value, as shown in Fig. 3(a), instead of one of a small set of n states as before. The figure shows that stored data (here represented by a 2-bit value b i ) is combined with the key bits k i to determine the range of resistance values s i after Forming; in particular s i = (b i ⊕ k i ) where '⊕' denotes bitwise-XOR. However, the actual Formed value within this range (denoted by R j ) is randomized by combining s i with the (scaled) output of a true random number generator (TRNG). As a result, an attacker cannot map the devices into resistance bins to guess the relationship between masked and hidden states, which greatly improves data security.
In general, we can define a suitable mapping (encoding) function R j = f (b i , k i ) between the two domains (bits and resistances), where k i is the key value. For example, a mapping function for 1-bit data and key variables can of the form , R 0 is a scaling constant, and P(m i , σ ) denotes a sample taken from one of two probability distribution functions (PDFs) defined by the TRNG; these PDFs have different mean values of (m 1 , m 2 ), but the same standard deviation of σ for simplicity. Such a function can be created by i) computing the bitwise XOR of b i and k i ; ii) using the result s i to determine the optimal values of (m 1 , m 2 ) and σ (via a lookup table); iii) using the TRNG to generate a sample from a suitable PDF; iv) scaling the TRNG output using m i and σ to generate R j for the particular device in question; and v) using another lookup table g R j to convert R j to the applied programming voltage V j for the device. This process is simple to implement in hardware: it only requires an XOR gate, a TRNG, and a DAC, all of which can be shared across multiple devices (e.g., one per column).
One of the key implementation issues is the optimal selection of parameters (mean and standard deviation) for the individual PDFs. By optimal, we mean values that make the stored resistances R j hard to reverse-engineer while also minimizing the probability of making bit errors during decoding.
where N is the number of encoded states (such that each device stores log 2 (N ) bits), and p i is the probability of each state (for random data, equal to 1/N ). We typically want to select values of m i and σ i which ensure that i) the combined PDF for R j across the array approaches a featureless (i.e., uniform) distribution over a specified range to minimize information leakage to attackers; and ii) the individual distributions P(m i , σ i ) have minimal overlap (since such overlaps cause decoding errors).
The proposed mapping process can only be defined with a certain precision because of inevitable device-device mismatch, finite precision of the write voltages, etc. Thus, in reality the mapping process can be better modeled as R j = f (b i , k i ) + R n where R n is a ''noise'' variable that is ideally uncorrelated with the data. Fig. 3(b) shows an example of typical individual and combined distributions for N = 4. The TRNG is assumed to generate bits with a uniform PDF, but the corresponding PDFs for the individual resistance states R j are somewhat broadened by the mismatch and other error sources R n , which are assumed to have a Gaussian distribution. Nevertheless, the combined PDF is nearly uniform and featureless, as desired. Note that the additive noise model used here may not always be valid; for example, correlated and multiplicative noise terms may be present in the ReRAM array. However, it should still be possible to approximate a uniform PDF by optimizing the choices of m i and σ i .

D. DATA RECOVERY PROCEDURE
In order to recover the stored data from the measured resistance R j , we apply a different de-mapping (decoding function), i.e., b i = h(R j , k i ) where k i is the key value, as before. This function can also be implemented using analogous hardware. For example, in the 1-bit case, we can use and R th is a global threshold value that may be considered part of the key and can also be adapted with time (e.g., to compensate for temperature variations). Such a mapping function can be implemented simply by using a comparator (to evaluate d i ), and an XOR gate, as shown in Fig. 3(c). Note that the output bit is generated with a finite bit error rate (BER) due to the non-zero probability that device mismatch or readout errors cause overlap between the stored states, as shown in Fig. 3(b). Error control coding (ECC) bits can be added to the stored data to detect and correct these errors, analogous to that used in other commercial memory technologies such as optical discs [40] and NOR/NAND flash [41]; methods for implementing ECC are discussed later.

E. INCREASING SECURITY TO REVERSE ENGINEERING ATTACKS
The self-encryption procedure shown in Fig. 3 can be further optimized to ensure greater resilience to reverse engineering attacks. One approach is to increase the complexity of the mapping function R j = f (b i , k i ). In our earlier example (shown in Fig. 3(b), for simplicity we assumed an ordered mapping between the encoded data s i and the corresponding PDFs (resistance ranges). However, it is possible to further increase the entropy of the combined PDF (assuming the ''noise'' variable R n is small enough) by using a randomized mapping function with multi-segment PDFs ranges, as shown in Fig. 4. In this example, each 2-bit data value (s i = [0..3]) corresponds to a color-coded PDF with two disjoint segments, with each segment having a random mean and variance; note that these global variables can be considered to be part of the key. The resulting combined PDF has a nearly ideal distribution, as shown on the figure.
Implementing such generalized mapping functions requires slightly more complicated hardware. The encoding circuit now requires multiple uniformly-distributed random variables to define the resistance of each device, so additional TRNGs will be required. Similarly, the comparator in the decoding circuit (see Fig. 3(c)) has to be replaced by a moderate-resolution analog-to-digital converter (ADC).

F. KEY COMPLEXITY ANALYSIS
Complexity and security of the key used by our self-encryption procedure is evaluated based on a few theoretical assumptions. The key consists of two parts: the symmetric key k i used to recover each hidden data bit and the mean and variance values of all PSD regions (segmented by the R th thresholds) used for random selection of the reset voltage. Selecting those mean and variance values can be reduced to selecting threshold positions from a pool of all accessible resistance states. The number of possibilities can be computed as C(m − 1, n) where m is the number of distinct resistance states and n is the number of R th thresholds. Since all the resulting regions are encoded to log 2 (N )-bit data for each device with no repetition occurring between two adjacent regions, the possibilities for the data can be counted based on the condition that N possibilities are available for the first region and N − 1 possibilities for all the remaining regions. Attackers thus need an average of N × (N − 1) n attempts to correctly guess the mapped data for a total of n regions.
We assume that n PSD thresholds R th are used to divide the ReRAM resistance range into n+1 regions of N -bit states with no identical states for adjacent regions. To get the correct i-bit symmetric key k i and recover a total of i-bits of encrypted data stored within an entire memory block, an attacker will require an average of G(n) guesses, where G n is given by Here n is the number of thresholds (i.e., R th values); N is the number of encoded states given that log 2 (N )-bit data are stored on each device; m is the number of distinct resistance states, and i is the number of input data bits to be encoded. Here, C(m − 1, n) is the number of ways to choose n thresholds from the resistance states m. The equation shows that the security level of ReRAM-based secure data storage increases when either the number of thresholds or the data size increases. Finally, the complexity of the symmetric key can be exponentially improved by distributing data bits across multiple ReRAM devices. For example, suppose that each data bit defines the parity of a random r-bit number. When such numbers are stored in the NVM instead of the actual data bits, the average attack complexity increases to [G(n)] r . This makes the encrypted data much more robust to attacks, albeit at the cost of lower storage density.

G. INTEGRATED ERROR CORRECTION METHODS
In this section, we address the issue of bit errors due to overlapping PDFs in the masked state. Assuming Gaussian PDFs, the resulting BER is proportional to erfc( R/R n ) where R is the distance between the mean values of adjacent PDFs and R n is their standard deviation. Erasure coding can be used to detect and correct these inevitable errors. Erasure coding is a data protection method in which data is encoded into separate data and parity blocks that are then stored across locations or storage nodes. It is compute intensive but has much lower storage overhead than replication-based data protection methods such as RAID or mirroring [42]. Reed-Solomon (RS) codes are the most popular erasure codes; they use matrix multiplications in a Galois Field (GF(2 w ) for w-bit words) for encoding and decoding [43]. The large computational overhead of these matrix operations can be reduced by using Cauchy-type RS (CRS) codes, which use 1-bit words to replace integer multiplications with simple bitwise XOR operations in GF(2) [44]. CRS erasure coding can be efficiently implemented within ReRAM crossbar arrays by exploiting their ability to perform in-memory matrix-vector multiply and add operations [45]. A (k, m) erasure code encodes data blocks (k words long) into longer blocks ((k + m) words long) by adding m parity words, which allows up to m word errors to be detected, and up to t/2 word errors to be corrected. Assuming w bits per word, the encoding process can be written as the matrix-vector multiplication c = G T d where d is the kw-bit original data vector, c is the (k +m)w-bit encoded data vector, and G T is the (k +m)w×kw-bit generator matrix. The first kw rows of G T are an identity matrix (such that the original data bits remain unchanged), so only the last mw rows (denoted by the sub-matrix BG T ) are needed during encoding. In the case of CRS codes, BG T is a binary matrix, as shown in Fig. 5. Similarly, the decoding operation can be written as s = H T c, where H is the (k +m)w×mw-bit parity matrix (which can be easily derived from BG T ) and s is the syndrome vector that encodes the locations of word errors.
The two main operations required for CRS matrix-vector multiplications (MVMs) are dot products and summations. Implementing the summations in GF(2) using ReRAM is the main problem; simply adding up device currents (as in a traditional MVM unit) does not work. Here we propose a time-multiplexed approach to solve this problem, as shown in Fig. 6 for the encoding step. In our method, a single bit of the input data vector d is fed into the ReRAM array on each clock cycle, with the other bits held at zero. The array computes the dot products, after which the current flowing in each column is sensed, compared with a threshold, and XOR-ed with the output from the previous cycle to compute the GF (2) summation. The required circuitry is simple, as shown in the figure, and can be used for both encoding and decoding; however, mw clock cycles are now required to compute the output vector, which results in reduced speed compared to a fully-parallel MVM.

H. TEMPERATURE-DEPENDENT ERROR CORRECTION
In this section, the effect of temperature variations on memory decryption performance is evaluated. Here, the High Resistance State (HRS) device model from [46] is used to predict the compliance current density and ReRAM resistance states at different reset voltages and device temperatures. This model indicates that density of the current flowing through the filament in the HRS state can be defined as a function of device temperature as follows [46]: where n trap = 1 12 cm −3 is the local trap density; q = 1.6 × 10 −19 C is the elementary electric charge; µ = 10cm 2 /V · S is the electron mobility; φ B , the barrier height of the defects through the re-oxidized HfO2 in HRS, is 0.259 eV; i = 1.77 × 10 −12 F/cm is the permittivity of the material; k is Boltzmann's constant; T is the device temperature in Kelvin; and E i can be expressed as: Here, V read = 0.2 V is the voltage applied when reading the resistance value from the ReRAM device and t reox is the thickness of the re-oxidized filament. The value of t reox at different reset voltages can be approximated by a linear function of the reset voltage. For the devices studied, the function t reox = −0.33V reset + 0.42 (shown in red) fits the measured data at reset voltages from −1.5 V to 4 V, as shown in Fig. 8(a) [46]. The current that flows through a filament with a cross-sectional area A is then calculated as I = J × A, and the temperature-dependent resistance states are computed based on Ohm's law, i.e., R = V read /I . This ReRAM device model is used to estimate the readout resistance at various reset voltages and device temperatures. The resistance state is expressed as the ratio of resistance at a certain temperature to a reference temperature of 25 • C, the temperature at which memories are assumed to be encoded. Since temperature variations can induce memory decryption errors, one potential method to compensate for the adverse effect is to use an on-die temperature sensor to keep track of the device temperature when the NVM is being read. The readout resistance values can then be corrected by applying the inverse of the estimated resistance ratio to the decryption algorithm used by the NVM at the measured temperature.

A. DATA ENCODING AND DECODING
The self-encryption approach described in the previous sections was verified using experimental data from the Ru(BE)/ALD-HfO 2 (MO)/Zr/W(TE) ReRAM devices described in Section II. Fig. 7(a) shows photographs of the fabricated ReRAM devices, each of which has dimensions of 50 µm × 50 µm. Simulations of device-level encoding and decoding based on the experimental data were performed using a high-level language (Python). Our main goals were to evaluate i) the entropy achieved after data encryption, and ii) the BER of the recovered data. The original experimental results were acquired by resetting a total of 15 custom ReRAM devices to different resistance states using 14 different voltage levels. All devices were initially electroformed using a voltage sweep from 0 to 2.5 V with a compliance of 60 µA. Thereafter, first Reset was performed by sweeping from 0 to −2.4 V. Next, Set was performed at 1000 µA. Finally, multiple resistance states were obtained by resetting with different voltages, as shown in the legend of Fig. 7(b). This figure shows histograms of the measured resistance for each reset voltage. Each histogram was fitted to a Gaussian distribution at different reset voltages, and alternating distributions were removed to reduce inter-state overlap. Thus, only 6 voltage-resistance mapping distributions were ultimately used for key design and encryption. Uncertainty in the mapping distributions (for example, due to resistance measurement errors or mismatches between the 15 ReRAM devices that were studied) was modeled using a Monte Carlo method, i.e., repeating each data encoding experiment 50 times subject to random changes in the mean and standard deviation of each distribution. Specifically, each mean value was varied within a range of −5 k to 5 k , while each standard deviation was scaled by a factor ranging from 0.8× to 1.2×.
Each distribution was mapped to a n-bit binary number based on the preset thresholds R th . Groups of n bits were then encoded by randomly sampling one resistance state from the distribution corresponding to that n-bit number. One pattern of R th values is shown in Fig. 7(c); in this case 4 thresholds are used to segment the available resistance range into 5 bins of alternating binary numbers for encoding single bits (i.e., N = 2 states). In an ideal case, thresholds are placed only at the intersections of adjacent distributions so as to minimize BER after using the chosen reset voltage to program the devices to the desired masked resistance states. Successful encoding of the input data results in a distribution of readout resistance states. The encryption was assumed to be implemented at room temperature, i.e., at 25 • C. These states were analyzed for a varying number of thresholds by using histograms. As an example, Fig. 7(d) shows the distribution of the resistance states when 3 R th thresholds are applied. Visually, this distribution is close to an ideal uniform distribution with no obvious patterns that can be manipulated by attackers during RE attacks.
Quantitatively, the security of the encoded resistance states can be evaluated by using the entropy of the distribution. For this purpose, we calculated the entropy of the simulated distribution for a varying number of thresholds (i.e., R th values) and compared the result to the entropy of an ideal (i.e., uniform) distribution. The entropy H (X ) of a discrete random variable X with outcomes of x 1 , x 2 , . . . ., x n which occur with probabilities of P(x 1 ), P(x 2 , . . . ., P(x n ) is defined as Assuming that P(x n ) is calculated based on the probability density functions that fit the encoded set of resistance states, the measured entropy (including error bars) of the resistance states stored on the devices is shown in Fig. 7(e) as a function of the number of thresholds. Here, the error rates are evaluated based on 50 encryption trials with different random generator seeds. The same method of quantifying simulation errors is used for all the simulation procedures that follow. The entropy of the resistance states is approximately 91% − 97% of the entropy of a uniform distribution. These results indicate that the complexity of guessing the masked resistance states is close to the maximum possible value (i.e., the number of guesses required to decode data from a uniform distribution). In addition, we calculated the BER of data decryption (including error bars) for a varying number of thresholds (i.e., R th values) to evaluate the accuracy of our data encryption method. Bit errors occur when ReRAM devices are reset to unexpected resistance states due to overlaps between distributions. The results in Fig. 7(f) demonstrate that the accuracy of data recovery is over 94.4% ±1.8% (i.e., BER < 5.6% ± 1.8%) when less than 6 thresholds are configured for data encryption. Thus, a modest amount of error correction is sufficient for reliable data storage when 1-5 threshold values are used.

B. KEY COMPLEXITY
By using the simulation parameters of our model, we can also calculate how many guesses are required, on average, for attackers to hack the key information. The experimental data in Fig. 7(b) reveals that the resistance states have an average standard deviation (e.g., due to device mismatch) of σ R ≈ 4.42 k , resulting in a total of m ≈ 34 distinct states over the available range from 1.4-150 k . Thus, a total of C(33, 4) = 4.092 × 10 4 threshold positions are available within each device to store 1 bit data (N = 2) using n = 4 thresholds. Thus, the estimated number of key guesses G(n) for each device (i = 1) is approximately 1.6368 × 10 5 , which corresponds to a key entropy of 17.3 bits. This term is the unique contribution of the proposed device-level encryption method. In addition, key entropy also increases with the data block size i, as seen from eqn. (1). As a result, using larger blocks will further increase G(n) and thus make reverse engineering of the encoded data practically infeasible.

C. EFFECTS OF TEMPERATURE CHANGES
The temperature-dependent HRS ReRAM model was also employed to predict the joint effect of device temperature and reset voltage on resistance states read from the ReRAM devices at 0.2 V. The temperature values were swept from −5 • C to 70 • C and the applied reset voltage applied was varied from −1.1 V to −2.4 V. A 2-D heat map of the ratio of resistance at various temperature to that at 25 • C for a reset voltage range of −1.1 V to −2.4 V is shown in Fig. 8(b). The results indicate that a ReRAM device behaves similarly to a semiconductor in the HRS state, i.e., the readout resistance decreases monotonically as the temperature increases. For our devices, the predicted resistance states at different temperatures vary over a relatively modest range with reference to the resistance at 25 • C (from 0.85× to 1.15×). The same memory encryption procedure as explained before was then used for simulation. For clarity, we denote the ambient temperature during memory read and write operations as T read and T write , respectively. The ReRAM device temperature, denoted by T d , remains approximately equal to T read during the read process since the latter dissipates negligible power within the device. However, it transiently exceeds T write during the write process since reprogramming the resistance states dissipates a significant amount of power, leading to self-heating [47].
The distributions of the readout resistance states for different values of T read were analyzed through histograms for a varying number of thresholds (i.e., R th values). Figs. 8(c)-(d) demonstrate the distributions of the resistance states at the minimum and maximum read temperatures (−5 • C and 70 • C, respectively), when 3 thresholds are applied for both cases. It is interesting to compare these resistance state distributions to the distribution when no temperature changes are considered (an example of which is shown Fig. 7(c)). Changes in T read have little effect on the overall shape of the distribution; both distributions in Figs. 8(c)-(d) remain close to the ideal (i.e., uniform) distribution. Specifically, their entropy is approximately 89.7% ±3% to 95.3% ±1.4% of the uniform distribution for different R th , which is similar to the entropy at the reference temperature. However, due to the change in absolute resistance values with temperature, the BER of data decryption at both temperature extrema is significantly increased, as shown in the blue curves of Figs. 8(e)-(f). Fortunately, adjusting the R th values with temperature can effectively restore BER to its original values, as shown in the red curves. These results suggest that temperature compensation is necessary to obtain acceptable BER values when the temperature varies between ReRAM read and write operations (i.e., T read differs from T write ).
To further evaluate the effects of ReRAM self-heating on memory encryption, we acquired new voltage-resistance mapping distributions averaged over different values of device temperature, T d , by integrating the device temperature coefficient from −5 • C to 70 • C over the distributions in Fig. 7(b). Specifically, the data generated for each temperature value in this range are combined for each reset voltage and plotted using new sets of histograms. The newly generated histograms are again fitted by Gaussian distributions with alternating distributions removed to minimize interstate overlaps. Since resistance data at all the write temperature conditions are now fitted by Gaussian distributions for each reset voltage, only 5 distributions remain, as shown in Fig. 9(a). The distributions of the readout resistance are then analyzed through histograms for a varying number of thresholds (i.e., R th values). Figs. 9(b)-(c) illustrate the histograms of the resistance states at T read = −5 • C with and without read temperature compensation. Even though the histograms in Figs. 9(b)-(c) seem to have less random distributions as compared with those in Figs. 8(c)-(d), they are still very close to uniformly distributed resistance states in terms of entropy. Specifically, they exhibit relative entropy values of 87% ±2% (considering the error bars) compared to a uniform distribution for a varying number of thresholds, as demonstrated in Fig. 9(d). As in Fig. 8 (which did not consider the effect of T d variations during write operations), the BER for data decryption at both read temperature extrema (T read = −5 • C and 70 • C) increases significantly when the device temperature coefficient is considered, as shown in the blue curves of Figs. 9(e)-(f). However, R th values can still be adjusted based on the observed value of T read to effectively reduce BER to values close to those obtained without T read changes, as shown in the red curves. These results suggest that the BER obtained after T read compensation is low enough for high-quality data encryption even self-heating effects are considered.

V. CONCLUSION
We have described a self-encryption technique that is designed to provide low-overhead data protection for emerging ReRAM-based NVM technologies. The proposed approach exploits the intrinsic device physics of ReRAM devices to hide the stored data, making it well-suited for energy-constrained platforms such as IoT devices. Specifically, it relies on storing data in the filament morphology of ReRAM, which is difficult to reverse engineer as the changes take place at the atomic level. Simulations using experimental data from Ru(BE)/ALD-HfO 2 (MO)/Zr/W(TE) ReRAM devices shows that device-level encryption can provide significant key entropy (up to ≈ 17.3 bits). In addition, temperature compensation enables low-BER data decoding over a broad temperature range (−5 • C to 70 • C in our simulations) even when self-heating effects during ReRAM write operations are considered. Future work will focus on i) integrating the ReRAM devices with access transistors to realize complete NVM blocks; and ii) developing low-power peripheral circuitry to perform read/write operations that implement the proposed encryption/decryption procedure.

ACKNOWLEDGMENT
Dr. Rashmi Jha would like to acknowledge CHEST/IUCRC funded by the National Science Foundation at the University of Cincinnati for research support.