SMART: A Secure Magnetoelectric AntifeRromagnet-Based Tamper-Proof Non-Volatile Memory

The storage industry is moving toward emerging non-volatile memories (NVMs), including the spin-transfer torque magnetoresistive random-access memory (STT-MRAM) and the phase-change memory (PCM), owing to their high density and low-power operation. In this paper, we demonstrate, for the first time, circuit models and performance benchmarking for the domain wall (DW) reversal-based magnetoelectric-antiferromagnetic random access memory (ME-AFMRAM) at cell-level and at array-level. We also provide perspectives for coherent rotation-based memory switching with topological insulator-driven anomalous Hall read-out. In the coherent rotation regime, the ultra-low power magnetoelectric switching coupled with the terahertz-range antiferromagnetic dynamics result in substantially lower energy-per-bit and latency metrics for the ME-AFM RAM compared to other NVMs including STT-MRAM and PCM. After characterizing the novel ME-AFM RAM, we leverage its unique properties to build a dense, on-chip, secure NVM platform, called SMART: A Secure Magnetoelectric Antiferromagnet-Based Tamper-Proof Non-Volatile Memory. New NVM technologies open up challenges and opportunities from a data-security perspective. For example, their sensitivity to magnetic fields and temperature fluctuations, and their data remanence after power-down make NVMs vulnerable to data theft and tampering attacks. The proposed SMART memory is not only resilient against data confidentiality attacks seeking to leak sensitive information but also ensures data integrity and prevents Denial-of-Service (DoS) attacks on the memory. It is impervious to particular power side-channel (PSC) attacks that exploit asymmetric read/write signatures for ‘0’ and ‘1’ logic levels, and photonic side-channel attacks that monitor photo-emission signatures from the chip backside.


I. INTRODUCTION AND BACKGROUND
Conventional dynamic random-access memory (DRAM) scaling has reached a critical tipping point as the miniaturization of the DRAM cell has plateaued in recent years.Feature size scaling below the 20 nm technology node is met with numerous challenges such as shorter retention times, higher leakage currents, and increased fault rates [1].Solutions to address these concerns include improved DRAM fault detection and recovery [2], as well as architectural techniques to enhance DRAM scaling [3].
A promising solution to the memory scaling problem is to realize the main memory system using non-volatile technologies [4].Examples of emerging non-volatile memories (NVMs) include spin-transfer torque magnetoresistive random-access memory (STT-MRAM), ferroelectric random-access memory (FeRAM), resistive random-access memory (ReRAM), and phase-change memory (PCM).Interest in the commercial application of such NVMs has increased significantly.For instance, Intel's current line of 3D XPoint memory systems utilize PCM-based NVM technology [5], and IBM and Everspin's solid-state drive comes with STT-MRAM write caches [6].While NVMs offer attractive features, such as high density, low leakage, and non-volatile data retention, they also suffer from poor endurance and high access latency in their current implementation.
Memory security has come under more scrutiny over the years.This is because of attacks such as Spectre [7] and Meltdown [8], which targets the side-channels associated with speculative execution and out-of-order execution, respectively, have exposed severe vulnerabilities in a wide array of currently deployed processors and their memory architectures.In the case of NVMs, data remanence after power-down presents a severe threat to data confidentiality, as attackers aiming to steal private data can do so easily by mounting cold-boot attacks [9] or other removal attacks like stealing the memory module (DIMM) [10].Moreover, magnetic memories like STT-MRAM are highly sensitive to stray magnetic fields.As such, magnetic field-based attacks [11] can be used to corrupt the stored data or compromise the memory's functional integrity, resulting in a denial-of-service (DoS) attack.Hence, such security vulnerabilities pose a significant impediment to the pervasive and large-scale proliferation of NVMs in the memory industry.

A. RELATED WORK IN MEMORY SECURITY
Prior works on securing NVMs have focused mainly on memory encryption schemes, which are necessary to prevent attackers from exploiting data remanence in the offstate.Chhabra et al. proposed an incremental encryption scheme [12] for NVMs where only inert memory pages, which have not been accessed for several clock cycles, are encrypted selectively.The working set of the memory (which is in current use) is in plaintext and, hence, incurs no encryption overhead on access.Such a selective encryption ensures that the majority of the main memory content (but not all) remains encrypted at all times, without overly compromising the performance.However, it requires dedicated hardware, inert page prediction, and scheduling for its implementation.A sneak-path encryption (SPE) scheme was demonstrated for memristor-based NVMs in [13], wherein sneak paths in the memristor crossbar array are exploited to apply encryption pulses to change the resistances of the memory cells, and hence, encrypt the stored data.
In [10], the authors proposed DEUCE, a dual counter encryption for PCM memories, which significantly reduces the number of modified bits per writeback, to improve performance and lifetime of the memory.This scheme aims to mitigate the impact of the avalanche effect [14] occurring during memory encryption, by re-encrypting and writing back only the modified words during any write operation.Swami et al. took this concept forward and proposed SE-CRET [15], a smart encryption scheme for NVMs, which integrates word-level re-encryption and zero-based partial writes to reduce memory write operations.They also demonstrate write optimization through the use of "energy masks" (i.e., bit templates XORed with ciphertext to obtain lower energy dissipation) in the encryption XOR logic, which minimizes the bit flips in the encryption process, thereby reducing the total write energy.An advanced counter-mode encryption (ACME) was presented in [16], which utilizes the write leveling architecture inherent in PCM memories, to perform counter-write leveling.ACME helps to avoid Rowhammer-type attacks by preventing the counter associated with any single cache line from overflowing.
The impact of contactless tampering on STT-MRAMs using external magnetic fields was highlighted in [11].Using micromagnetic simulations, the authors of [11] showed how magnetic field-based attacks could corrupt the contents of STT-MRAM cells.Techniques to protect against contactless attacks proposed in [11] included (i) an on-chip sensor to detect magnetic field-based incursions, and (ii) error correction modules to compensate cell failures arising due to magnetic field attacks.However, these techniques incur large energy and area penalties due to the additional hardware imposed by the magnetic field sensor and the error correction scheme.

B. CONTRIBUTIONS
In this paper, we present an alternative to conventional NVMs such as STT-MRAM and PCM, in the form of SMART: A Secure Magnetoelectric Antiferromagnet-Based Tamper-Proof Non-Volatile Memory.SMART memory leverages the room-temperature linear magnetoelectric (ME) effect in antiferromagnets (AFMs) like chromia [17], which can be switched solely using voltage pulses, without the use of electric currents, leading to ultra-low energy (∼ pico-Joules) operation.Further, the intrinsic dynamics of AFMs is typically in the terahertz regime (∼ 10 12 Hz) [18], which could enable picosecond time-scale reversal of the AFM domain.In addition to its energy and latency benefits, SMART memory offers a significant advancement in terms of secure and tamper-proof data storage.For example, AFMs do not exhibit a magnetic signature since they do not have a net external magnetic moment, unlike ferromagnets (FM).Hence, the SMART memory cannot be probed or switched with external magnetic fields, unlike the way STT-MRAMs can.This, in turn, eliminates the possibility of magnetic field attacks undermining data integrity or aiming to induce DoS.To address the post-shutdown data remanence of SMART memory, we demonstrate an in-memory encryption scheme employing ME-AFM transistor-based controlled-NOT (CNOT) logic.We discuss the resilience of the SMART memory against attacks aiming to undermine data confidentiality and data fidelity, in both powered-on and powered-off states.The main contributions of this work can be summarized as follows: 1) We discuss the design of SMART, a secure ME-AFMbased NVM and implement its SPICE circuit model to simulate the memory performance.2) We demonstrate the resilience of SMART memory against magnetic field and temperature attacks, which can affect other NVMs like STT-MRAM.We explore the implications of various side-channel attacks on the SMART memory.3) We present an in-memory encryption scheme with ME-AFM transistor-based CNOT gates, called Memcryption, to protect the data stored in SMART memory against cold-boot and stolen DIMM attacks, while incurring low encryption latency overheads.We like to mention here that Memcryption is specifically tailored for the ME-AFMRAM, not for a generic NVM.Also, it does not secure the memory system against bus snooping attacks; such attacks are beyond the scope of this work.
In the next section, we describe the modeling, implementation and benchmarking of the proposed ME-AFM memory both at cell-and array-level, before proceeding to evaluate its security properties in Section III.

II. DEVICE MODEL AND FUNCTIONALITY A. THE MAGNETOELECTRIC EFFECT
The linear ME effect [19] represents the coupling between applied magnetic field and induced polarization or between applied electric field and induced magnetization in noncentrosymmetric crystals like chromia (Cr 2 O 3 ).Compared to the STT-based magnetization reversal of FMs requiring electric currents on the order of ∼ 10 6 A/cm 2 and incurring associated Joule heating, the ME effect provides an energyefficient, all-electrical switching of the roughness-insensitive boundary magnetization of chromia [20].Additionally, chromia is an AFM; hence, the net bulk magnetic moment (i.e., the difference of the sublattice magnetization vectors) vanishes and becomes imperceptible externally.However, the boundary magnetization is strongly coupled to the AFM order parameter.That is, the electrical switching of the AFM order results in reversal of the boundary magnetization [21], which is used to encode the information in ME-AFM memories.
The uncompensated surface moments at the (0001) surface of chromia result in an equilibrium boundary magnetization, which could be in one of the two oppositely aligned, degenerate domain states.The degeneracy between the domains is lifted through ME annealing, which allows the preferential selection of one of the states [22].That is, the ME annealing polarizes the surface and results in a single-domain surface moment.Isothermal switching between these single domain states using an electric field E and a small, symmetry-breaking DC magnetic field H has been demonstrated experimentally [22], [23].The critical condition for such ME switching is that the magnitude of the E • H product must exceed the ME threshold energy barrier, which was shown experimentally to be as low as ≈ 1 J/m 3 [24], [25].

B. ME-AFMRAM : WORKING PRINCIPLE
The chromia-based ME-AFMRAM, which is at the heart of our SMART memory, is shown in Fig. 1.Experimentally demonstrated by Kosub et al. [26], the ME-AFMRAM has a bottom gate electrode (Platinum gate in the figure) for applying the gate voltage V G and providing the necessary electric field to write data into the memory.A small, symmetry-breaking magnetic field (≈ 30 mT) is provided by the stray field of a permanent magnet.A positive voltage V G will orient the bulk order and, hence, put the surface magnetization in one domain (with surface moments pointing up), whereas a negative voltage will result in the surface magnetization relaxing to the opposite domain (with surface moments pointing down).These two states correspond to binary levels '1' (V G > 0) and '0' (V G < 0), respectively.A gate voltage of 0 V corresponds to the 'hold' mode of the memory cell.Note that the cell serves as non-volatile memory in all gate-voltage ranges, not only for V G = 0.The read-out is achieved using an anomalous Hall (AH) bar electrode setup, which discerns the boundary magnetization of chromia by sensing the proximity effect-induced magnetization in the nearby Platinum (Pt) electrode, thereby producing a proportional Hall voltage V xy (or V AHE ) [27].Traditionally, the order parameter of AFMs is read-out via an exchange bias arrangement [28] in another FM attached adjacently to the AFM surface.However, the exchange bias and the FM's hysteresis increase the coercive voltage required to overcome the ME barrier and, hence, impact the write energy negatively.To avoid this effect, Kosub et al. [26] proposed the use of an exclusively ME-AFM setup with an AH read-out of the surface magnetization, thereby eliminating the need for an FM.At the time of writing this paper, a complete physical understanding of the read-out mechanism for the boundary magnetization in chromia is lacking.While the authors in [26] have considered an AHbased read-out in their device, recent experiments by C. Binek's group at the University of Nebraska-Lincoln have revealed the contribution of spin-Hall magnetoresistance (SMR) to the read-out signal, which is currently being investigated.However, note that the magnitude of the signal levels is the same in both cases (AH versus SMR) and also the circuit models developed would remain the same, though with different input parameters.For the purposes of this paper, we consider that the read-out signal is due to the AH effect in the proximal heavy metal, as also discussed in prior experimental work.

C. PERFORMANCE MODELING
The ME reversal mechanism in chromia can be classified broadly into two categories, depending on the size of the film compared to the characteristic domain-wall (DW) width.For chromia, the typical DW width λ = A/K ∼ 50-100 nm, where A is the exchange stiffness constant and K is the uniaxial anisotropy energy [29].If the sample is much smaller than the DW width, the sample reverses via coherent rotation upon application of the ME pressure.For sample dimension comparable to the DW width, ME reversal occurs via DW nucleation and propagation, which is an incoherent switching process.For both coherent rotation and DW propagation, the reversal could be thermally activated for applied ME pressure lower than the energy barrier between the stable domain states.Otherwise, the domain reversal proceeds in the 'flow' regime [30].ME-AFMRAM devices currently fabricated have dimensions in the µm range, rendering DW propagation the favorable ME reversal mechanism.To characterize the functionality and performance of chromia ME-AFMRAM, we develop circuit models that represent DW-based reversal in both the thermally activated and the flow regimes.We also provide perspectives and future potential concerning dimensional scaling of the device, which could enable ultra-fast, coherent, rotation-based reversal.

1) DW reversal of chromia ME-AFMRAM
Consider a chromia sample, where the applied ME pressure creates a pressure difference of F = |2α ME EH| between the two domains.Here, α ME is the linear ME coefficient.
If F > F d (i.e., for DW de-pinning pressure), the DW propagates as a viscous flow with velocity given as [30] where α G is the Gilbert damping constant, γ is the gyromagnetic ratio of electron, M s is the sublattice saturation magnetization, and ξ = αMEE µ0Ms .For a mean free path of l of the DW, the time-scale of ME reversal due to viscous DW propagation is τ flow = l/ν flow .
If F < F d , the DW undergoes thermal creep to overcome the de-pinning barrier, with a time-scale [30] where kT is the thermal energy (25 meV at 300 K), , σ, and S are the energy, areal density, and surface area, respectively, of the DW.The DW de-pinning pressure is determined by the DW energy, its surface area, and the radius of the non-magnetic de-pinning center.
To write '1' ('0') into the memory cell, a positive (negative) electric field, E app , with a magnitude greater than the critical electric field, E crit , is required, in order to meet the DW propagation criteria of F > F d .In this case, the time to write data into the memory is equal to τ flow .When E app is less than E crit (i.e., F < F d ), the memory cell is in the hold mode and the retention time is specified by τ creep .For typical parameters of chromia, we find τ creep τ flow , which ensures that the memory cell is thermally stable when it is not accessed.Here, the stability of the cell is determined by τ creep , since longer data retention requires the time constant in the hold mode to be larger.The retention time of the cell can be further improved by enlarging the cell dimensions.
We construct a SPICE circuit model to functionally capture the ME reversal dynamics of chromia.The time constant for reversal of the magnetization of chromia due to an applied ME pressure is represented as R eq × C eq .Without loss of generality, the circuit model uses R eq = 1 Ω, while C eq is either τ flow or τ creep .To construct the full ME-AFMRAM cell, we combine the RC model of the ME response of chromia with the peripheral read/write circuitry in Cadence Virtuoso using the 15-nm CMOS FreePDK technology.Figure 2 shows the equivalent circuit of the ME-AFMRAM cell.The write pulse, used to charge the chromia dielectric and switch its magnetization M , is provided through the current source I int (derived from the bit line) in the write setup.For parameters of chromia listed in Table 1, and data is written into the cell after a write access latency of τ flow .When |V G | = 0 V, data is retained for a time interval of τ creep .Since τ creep is very large, the response in retention/creep mode is extremely slow as compared to write/flow mode.The transient response of the ME-AFMRAM cell is shown in Fig. 3, to highlight the write operation.The write latency of the ME-AFMRAM cell is obtained as ∼ 0.63 ns, and the energy-per-bit for one write operation is ∼ 0.063 pJ, including the energy required to charge the electrostatic capacitance of chromia.Given relative dielectric permittivity of 11 and dimensions noted in Table 1, the electrostatic capacitance of chromia is calculated as 5.8 aF.

2) Anomalous Hall read-out
To evaluate the read cycle, we set the signals WE to 0 and RE to 1 in Fig. 2. The read setup is designed to sense the boundary magnetization of chromia through an    the write pulse is positive, and for writing a '0' the write pulse is negative.In this simulation, a series of '1's (0.3 V) and '0's (-0.3 V) are being written to the cell, and then finally '0' is retained once Write Enable is switched off.
AH arrangement, which transduces the magnetization into a voltage signal.This transduction process is modeled using a voltage-controlled voltage source (VCVS).Typically, a heavy metal such as Pt is used to sense the proximity effectinduced moment from the coupled chromia layer [26].
The AH voltage sensed from the Hall bar arrangement is given as [31] V where µ 0 is the vacuum permeability, R s is the AH coefficient, I Hall is the Hall bias current, t Hall is the thickness of the Hall layer and M z is the proximity effect-induced magnetization.In the case of Pt/Cr 2 O 3 , R s is only about ∼ 5 pΩm/T for t Pt = 10 nm and T = 300 K [32].This results in an AH signal V AHE ∼ 0.3 µV, considering a Hall bias of 2 mA and a magnetoelectric node voltage V ME = 0.3 V.The Hall signal can be raised to ∼ 1 µV by increasing V app to 1 V, and further enhanced by applying a larger Hall bias.However, doing so would negatively impact the energy consumed in the read operation.Sensing such a low µVrange AH signal would require sophisticated instrumentation sense amplifiers that are area-and power-prohibitive (e.g., 2.5 mm 2 area and ∼mW-range power [33]).
This problem can be addressed by exploring other material systems with much higher interfacial spin-orbit coupling (SOC), resulting in larger AH coefficients.In [34], a Pt/Co/Pt tri-layer is shown to exhibit R s ∼ 7.3 × 10 −10 Ωm/T at 300 K for t Co ∼ 10 nm, resulting in V AHE ∼ 43.8 µV at a Hall bias of 2 mA and V ME = 0.3 V. Magnetic semiconductors like EuTiO 3 possess higher R s ∼ 8 × 10 −9 Ωm/T for t EuTiO3 = 25 nm [35].However, AH signals in such samples have been detected only at very low temperatures, of 2K, at which the ME effect in Cr 2 O 3 vanishes.
The Hall signal could be improved in a topological insulators (TI) due to the presence of high SOC-enhanced surface states.For example, the Bi 2 Se 3 /LaCoO 3 stack considered in [36] demonstrates R s as high as ∼ 1.59 µΩm/T at 100 K for t Bi2Se3 ∼ 20 nm.This results in a substantial improvement in the AH signal generated (i.e., ∼ 47.7 mV).The AH effect in the Bi 2 Se 3 /LaCoO 3 interface is ascribed to the exchange coupling between the Bi 2 Se 3 layer and the ferromagnetic LaCoO 3 layer via the proximity effect, and is enhanced by the high interfacial SOC.Similarly, the (BiSb) 2 Te 3 /TIG system considered in [37] achieves a mVrange AH signal, though much closer to room temperature.A comparison of R s /t in various material systems is illustrated in Fig. 4. As can be inferred, TIs are an ideal material candidate to implement the AH read-out layer with Cr 2 O 3 due to the potential of a ∼mV-range AH signal, which can be easily read-out using a normal current latch sense amplifier [38], i.e., without the need for sophisticated sensing equipment.

3) Coherent rotation-based reversal
The ∼ns-range write latency of the ME-AFMRAM cell can be improved drastically if the chromia order can be switched through coherent rotation.In this case, the entire chromia sample undergoes reversal homogeneously, rather than following the incoherent DW propagation.For F d > 4K, the order parameter switches via damping of gyromagnetic precessions [30].However, if F d < 4K, magnetization could switch due to thermal activation.Here, the switching time is exponentially dependent on the energy barrier of the sample.
In any case, it is thermal activation that leads to retention errors.
To realize coherent rotation in chromia, the applied ME pressure must exceed 4K = 2.92×10 4 J/m 3 .For a magnetic field of 0.5 T and α ME = 3.1 ps/m, the electric field required for coherent rotation is 1.18×10 10 V/m.Unfortunately, such a high electric field could lead to dielectric breakdown of chromia, given that the breakdown strength of chromia is ∼ 2 × 10 8 V/m [52].A potential solution to this challenge is to reduce the effective anisotropy of the sample such that the required threshold electric field scales down.This can be achieved through a variety of techniques, including substitutional alloying and the application of mechanical strain [53].It is estimated that the write latency of a strainaugmented ME-AFMRAM cell can reach as low as a few 10's of ps.A comparison of the current state-of-the-art in ME-AFMRAM technology and its future potential versus trends in other emerging storage devices is presented in Fig. 5.
Toyoki [28] Kosub [26] d im e n s io n a l s c a li n g strain-assisted coherent rotation CBRAM FIGURE 5: Benchmarking the ME-AFMRAM cell considered in this work against current state-of-the-art ME-AFMRAM technology, and trends in other emerging non-volatile storage devices from [39].Some important data points in this plot, representing the advances in various NVMs, include [40]- [42] for STT-MRAM, [43]- [45] for CBRAM, [46]- [48] for RRAM, and [49]- [51] for PCM, respectively.The future potential of ME-AFMRAM lies in achieving ultra-fast, coherent rotation-based reversal (sub-100 ps write delay and fJ write energy) through a combination of dimensional scaling and strain-augmentation.

4) Material and geometrical parameters of the chromia ME-AFMRAM cell
The simulation parameters used in our SPICE models for the chromia ME-AFMRAM are listed in the following Table 1.

Parameter Value
Ref.  a standard tool for estimating the performance metrics of emerging NVMs [57].The organization of this 64KB memory, as leveraged from [57], is shown in Fig. 6.The internal architecture of the ME-AFMRAM cell array, along with the peripheral decoders, drivers and sense amplifiers, constructed at the 15-nm CMOS node, is highlighted in Fig. 7.The total write latency of the 64KB ME-AFMRAM, including the parasitics and peripheral latency (133.9 ps) and the dominant cell switching time (∼630 ps), is obtained as 763.9 ps from NVSim [57].The write latency can be improved by an order of magnitude via coherent rotation of the order parameter.The total read latency of the chip, obtained from NVSim [57], is ∼2.3 ns.This includes contributions from the sense amplifier (1.45 ns), bit-line parasitics (3.5 ps), decoders and other peripherals (∼150 ps), and the dominant AH measurement delay in the Bi 2 Se 3 layer (∼0.7 ns) [63].State-of-the-art pulsed AH measurement schemes like [63] are capable of operating in the GHz regime.

Saturation magnetization of
The output bit-line sensing can be achieved using a conventional current latch amplifier if a large-SOC material such as a TI is used to generate an AH signal in the range of tens of mV.The read/write endurance of the ME-AFMRAM is expected to be similar to that of STT-MRAM.A comparison of the performance metrics of the

III. APPLICATION AS SECURE MEMORY
After conducting cell-and array-level modeling and benchmarking of the chromia-based ME-AFMRAM, we continue with the implementation of the proposed SMART memory using the ME-AFMRAM.

A. THREAT MODEL
First, we discuss the threat model, defining the strengths and capabilities of attackers, as well as the objectives and consequences of a successful attack.Most but not all attack scenarios presented here are specific to NVMs.
• Attackers can launch cold-boot attacks [9].During power-down, there is some latency after the powerdown sequence initiates until the moment when memory contents are completely secured.An attacker might use this gap to read out memory contents.To cir-VOLUME 4, 2020 cumvent such attacks, memory encryption is typically employed [12], [16].• Attackers could leverage properties like sensitivity to magnetic fields and temperature fluctuations to corrupt the data or induce a DoS [11].They may forcibly write specific data patterns to memory, which accelerates aging and causes memory failures.• With access to failure analysis equipment, attackers can also resort to advanced invasive attacks.The majority of such attacks target at the back-end-of-line (BEOL), approaching from the top-most metal layer, which is also referred to as front-side attacks.Various countermeasures have been proposed to protect the frontside, which include protective meshes, shields, and sensors [64], [65].In any case, bus snooping attacks are considered beyond the scope of this work.• Power-dissipation signatures when reading/writing '0' and '1' within the NVM can be exploited for sidechannel attacks to infer the data, through techniques like differential power analysis (DPA) [66] and correlation power analysis (CPA) [67].

B. MAGNETIC FIELD AND TEMPERATURE ATTACKS
STT-MRAMs have FM-based MTJs as their basic building blocks.FMs possess a macroscopic magnetization (or magnetic signature) that can be probed or inferred with using an external magnetic field.Hence, magnetic fields can be used to infer or tamper with the stored data or even cause malfunctions in STT-MRAMs [11].Stray magnetic fields as small as 10 mT could cause an unintended bit flip in STT-MRAM cells.Figure 8 shows the magnetic field-induced bit flip in a representative FM, obtained by solving the Landau-Lifshitz-Gilbert equation for the FM dynamics [68].AFMs, on the other hand, exhibit no external magnetic signature since their equal and opposite sublattice moments cancel each other out.Hence, the bulk order parameter cannot be affected by external magnetic fields.To switch the bulk order, staggered fields (opposite sign on opposite sublattices) must be applied on both the sublattice moments, as illustrated in Fig. 9 inset.However, an external, homogeneous magnetic field is unable to provide such a staggered field arrangement, and hence, ends up canting the sublattice moments in a way wherein the torque due to the external field is exactly balanced by the exchange torque exerted by one sublattice moment on the other [69].Since external magnetic fields are unable to reorient the AFM order parameter, the SMART ME-AFMRAM is expected to be resistant to magnetic field attacks described in [11].We note that switching the ME-AFM surface magnetization state using a combination of E and H fields would require an exact knowledge of the write cycles and the prior state of the surface, as well as means to control the electric field explicitly, which is to be concealed from an attacker.
With regards to temperature fluctuation-based attacks, an adversary might increase the ambient temperature of the ME-AFMRAM in an attempt to alter the stored data.Note that the Néel temperature of pure chromia is 308 K [70], above which the AFM ordering is destroyed.Hence, the attacker may corrupt the memory by heating it above the Néel temperature.To counter this, we consider Borondoped chromia, whose Néel temperature is demonstrated experimentally to be ∼ 400 K [71].Hence, Boron-doped chromia can increase the resilience of SMART memory against temperature fluctuations.That is because such larger temperature fluctuations (above 400 K) are easier to detect, and countermeasures like interception of such attacks become more feasible.The of a magnetic field is unable to switch the AFM order parameter, even when increasing the field magnitude.Inset: (a) an external, homogeneous magnetic field may cant the sublattice moments, but it is incapable of rotating the AFM order; (b) staggering fields on the sublattice moments produce staggered tangential torques, which can reorient the AFM order.

C. DATA CONFIDENTIALITY ATTACKS
As with all NVMs, data remanence in the SMART memory could be exploited by attackers to steal sensitive information.The most effective countermeasure against such data confidentiality attacks, including cold-boot and stolen memory-modules attacks, is to encrypt the data using a secure encryption scheme before storing it in the memory.Advanced memory encryption techniques like counter mode encryption (CME) use block ciphers such as Advanced Encryption Standard (AES) to encrypt a seed using a secret key, in order to generate a one-time pad (OTP).The seed for each write on a memory line consists of a secret key, the line address, and a counter value associated with that line, which is incremented with each subsequent write to the same line.Hence, the generated OTP is unique for each line address, and also for each write operation to the same address.The OTP is then XOR-ed with the plaintext to obtain the ciphertext, which is stored in the non-volatile main memory.Note that the secret key used in the AES core is considered inaccessible to the attacker.Directly applying XOR-based CME scheme to the SMART memory would result in large encryption overheads.This is because the CME scheme is tailored for NVMs like PCM and STT-MRAM, whose write time is on the order of ∼ns.The access latency of ME-AFMRAM is sub-ns for DW-based propagation and few 10's of ps for coherent rotation.A general encryption scheme for SMART memory, switching either via DW propagation or coherent rotation, must be such that the overall memory access latency is not adversely affected.Existing encryption solutions based on CMOS XOR gates with 10's of ps delay are rendered ineffective as their time is comparable to the memory write time, resulting in idle clock cycles.Here, we propose to use in-memory encryption, or Memcryption, using bitwise CNOT (i.e., controlled-NOT) gates constructed from ME-AFM-based logic.By tying the encryption pulse to the control signals of CNOT gates, one can achieve such Memcryption.Spin devices like the ME-AFM transistor [72] are able to implement polymorphic logic gates, which can provide inverting or non-inverting functionality based on a control signal [73], [74].Hence, the ME-AFM transistor is used to realize the CNOT gate.Further, the ME-AFM transistor is shown to exhibit delays as small as ∼ 10 ps, which is substantially faster than CMOS XOR gates and compatible with the SMART memory writetimes.Such homogeneity in the technology and materials by using only ME-AFM for both the memory cells and the CNOT gates will ease the fabrication.In Memcryption, we embed ME-AFM transistor-based CNOT gates directly in the data path connected to the memory array; hence, the encryption is in-memory, as opposed to prior works using a separate encryption block.This integration of encryption and memory array is not detrimental to the memory density since ME-AFM transistors have a footprint that is substantially smaller than that of CMOS XOR gates.Figure 10 contrasts our Memcryption scheme with prior CME techniques.

Address
The SMART memory architecture with Memcryption is shown in Fig. 11.A trusted 128-bit key, provided and stored within a secure processing module (SPM) along with the processor, is concatenated with the memory address and used as seed for AES.The AES core, which is to be integrated on the NVM chip,1 thus produces an encryption pulse whose bits are used as the control bits for the CNOT gates of the in-memory encryption layer.Depending on the control bits, the encryption layer flips bits selectively in the plaintext before performing a memory-write.During decryption, the same encryption pulse is generated again and used to perform bitwise CNOT operations on the ciphertext (read from memory), to obtain the plaintext.
A comparison of the Memcryption scheme versus CME (when also applied to ME-AFMRAM) is presented in Table 3.The array considered is a 128-bit ME-AFMRAM, while the AES and CMOS peripherals are synthesized using the 15nm NanGate technology.We observe that Memcryption with SMART memory has a better encryption latency than CME, which utilizes regular CMOS XORs.We also note that Memcryption helps reduce the encryption latency but is similar to CME with respect to the energy overheads.That is because energy dissipation is dominated by the AES core in any case.We also reiterate that Memcryption is tailored specifically as a memory-side scheme for ME-AFMRAM, to achieve low encryption latency, owing to the homogeneous delays of the memory array and the encryption layer.However, it may not serve well as an efficient implementation for any generic NVM.
With regards to the reliability and lifetime of the ME-AFMRAM used to construct the SMART memory, its endurance is comparable to that of STT-MRAM.However, it also suffers from the same errors that plague the STT-MRAM, i.e., faults in the peripheral CMOS circuitry including the access transistors [76].To address these faults

D. POWER SIDE-CHANNEL ATTACKS
Asymmetric read/write characteristics in NVMs like STT-MRAM make them susceptible to side-channel attacks which exploit the different signatures incurred when reading/writing '1's and '0's bits.STT-MRAMs employ MTJs with a fixed FM reference layer, with another free layer either oriented parallel or anti-parallel to that reference layer.Depending on the relative orientation of these two layers, the MTJ falls into a low or high resistance state; the low or high state corresponds to logic '0' or logic '1' state, respectively.Hence, the currents drawn for read/write operations are different depending on reading/writing a '0' or a '1'.Thus, an attacker could attach a resistor in a voltage-divider configuration with the MTJ cell, monitor the voltage drops across that resistor, and perform DPA to recover the data being written to or read from the cell.In fact, such an attack was showcased against an STT-MRAMbased cache in [81].
For the SMART memory, recall that writing is achieved using electrical fields, not currents.Further, the electricfield magnitude required for writing '0's and '1's is equivalent; see write voltage and polarization voltage traces in Fig. 3.This is because there is no reference layer or tunneling magnetoresistance in the ME-AFMRAM, which would cause asymmetricity.As for the read operation, the proximity effect-induced moment in the Pt electrode is slightly different for reading '0' or '1'.However, this imbalance in the Hall signals can be compensated for by introducing appropriate offsets in the Hall measurement setup, as demonstrated in [26].Hence, the SMART memory can achieve symmetric signatures for both read and write and for both '0→1' and '1→0' transitions, thus thwarting any DPA-based power side-channel attacks.

E. PHOTONIC SIDE-CHANNEL AND BACKSIDE ATTACKS
Leveraging the photonic side-channel (PSC) to circumvent the security guarantees provided by cryptographic algorithms like AES and RSA has been demonstrated recently [82], [83].Simple Photonic Emission Analysis (SPEA) or Differential Photonic Emission Analysis (DPEA) can be carried out using photo-emission equipment available for similar cost as that of power-analysis equipment.The essence of the PSC is to observe photo-emissions emanating for switching of CMOS transistors.For SRAM-or DRAMbased memories, this emission can then be correlated with the data being programmed into the memory.In [82], the PSC was found to originate when kinetic energy gained by charge carriers in the transistor channel is transferred to photons, which are visible through photo-detectors.In [83], the authors leveraged this information to perform a sidechannel attack, ultimately recovering the full AES key.Modern-day chips use several metal layers, which interfere with the emission of photons from the frontside of any integrated circuit (IC); therefore, a natural direction is to observe the photon emission from the backside of ICs.
While CMOS-based memory technologies like SRAM and DRAM are prone to such PSC attacks, the SMART memory is AFM-based and involves no photonic emissions emanating from transistor channels.Data read-out in the SMART memory can only be accomplished through an AH measurement setup.Further, even if an advanced attacker is able to isolate the SMART memory cell and gain access to the AH setup from the frontside, they would only be able to recover the encrypted ciphertext (as described in Sec.III-C).

IV. CONCLUSION
In this paper, we present SMART: A Secure Magnetoelectric Antiferromagnet -Based Tamper-Proof Non-Volatile Memory, by utilizing the unique properties of ME-AFMs.The ME-AFMRAM, which is at the core of the SMART memory, has an access latency of sub-1 ns (for DW-based switching) down to only 10's of ps (for rotation switching) with an energy-per-bit of ∼ 0.13 pJ.Besides its superior performance as compared to prior NVMs like STT-MRAM and PCM, the SMART memory exhibits no sensitivity to external magnetic fields, which makes it resilient to magnetic field-based data tampering and denial of memory service attacks that commonly plague other ferromagnetsbased NVMs.To solve the security vulnerability of data remanence (after power-down) in the SMART memory, we demonstrate a new encryption technique called Memcryption.This scheme employs emerging ME-AFM-based logic to implement a CNOT-centric in-memory encryption, which is particularly tailored to reduce the encryption and decryption latency in the SMART memory.Further, symmetric read and write signatures for '0' and '1' bits render prominent side-channel attacks like the differential power attack futile against the SMART memory.Advanced photonic side-channel attacks, which are powerful threats against any CMOS IC by observing all internal transistor activity from the frontside or backside, are ineffective against the SMART memory due to the fundamentally different switching mechanism as well as the proposed Memcryption safeguard.

FIGURE 1 :
FIGURE 1: Chromia-based magnetoelectric antiferromagnetic random-access memory.Data (1/0) is written by applying a voltage (+/−) to the bottom gate electrode.Read-out is achieved using an anomalous Hall bar electrode placed on top, by applying a Hall bias.

FIGURE 2 :
FIGURE 2:Equivalent circuit for the chromia ME-AFMRAM cell.I int , derived from the bit line, writes data on to the node V ME .The time constant of the write operation is τ flow (τ creep ) if the applied voltage is greater (smaller) than the critical voltage.Read-out is achieved through an AH setup, modeled with a voltage-controlled voltage source.C EL is the electrostatic capacitance of the chromia dielectric.

FIGURE 3 :
FIGURE 3:Transient simulations showing write operations on the chromia ME-AFMRAM cell.Note that for writing a '1' the write pulse is positive, and for writing a '0' the write pulse is negative.In this simulation, a series of '1's (0.3 V) and '0's (-0.3 V) are being written to the cell, and then finally '0' is retained once Write Enable is switched off.

FIGURE 4 :
FIGURE 4: Comparison of the AH coefficient per unit thickness and AH signal magnitude in different material systems.The AH signal V AHE is calculated for a Hall bias of 2 mA and a magnetoelectric node voltage V ME ∼ 0.3 V. TIs with high interfacial SOC exhibit greater AH coefficients and can generate large AH signals, capable of being detected by conventional current sense amplifiers.

FIGURE 7 :
FIGURE 7: Construction of the ME-AFMRAM cell array used in the memory architecture.The signals BL i,in serve to write data into the cells when Write Enable (WE) is on, and signals BL i,out serve to read data from the cells when Read Enable (RE) is on.
Trajectory for magnetic fieldinduced switching of a FM.
Components for magnetic fieldinduced switching of a FM.

FIGURE 8 :
FIGURE 8:The FMs in an STT-MRAM can be switched easily using external magnetic fields.
FIGURE 9:The of a magnetic field is unable to switch the AFM order parameter, even when increasing the field magnitude.Inset: (a) an external, homogeneous magnetic field may cant the sublattice moments, but it is incapable of rotating the AFM order; (b) staggering fields on the sublattice moments produce staggered tangential torques, which can reorient the AFM order.

FIGURE 10 :
FIGURE 10: (a) CME uses AES to generate an OTP, using the memory line address, a counter, and a secret key.The encryption and decryption is performed outside the nonvolatile main memory (NVMM).(b) Memcryption uses a secret key and the line address as seed for AES, to generate an encryption pulse.That pulse is used to control the bitwise operation of CNOT gates, and is embedded in the data path within the NVMM.

TABLE 1 :
Simulation parameters considered for the ME-AFMRAM cell.

TABLE 2 :
Performance [57]arison of various memory technologies, from[58]-[62].The write and read latencies for ME-AFMRAM (DW model) are quoted for a 64KB memory with a 128-bit word line, simulated using NVSim[57].The energy-per-bit metric is for a single bit write onto a cell.ME-AFMRAM with other memory technologies at the chiplevel is presented in Table2.It can be seen that the ME-AFMRAM offers some competitive advantages over other NVMs as well as over conventional memory systems.

L1 cache L2 cache SMART NVMM SPM key CPU Address bus Data bus enc. pulse B 0 -B n Decoder ME-AFMRAM array B 0 B n WE RE CNOT encryption layer cell ECP AES key FIGURE 11:
[79]T memory architecture Memcryption.The CNOT layer for decryption is not shown for simplicity.andensure the correctness of the stored data, standard error correction techniques for NVMs[77]like the error correction pointer (ECP) and other advanced schemes based on ECP, including "Pay-As-You-Go"[78]and "Zombie memory"[79], can be implemented memory-side and integrated on the ME-AFMRAM array.The ECP memory can be realized using homogeneous spintronics technology, including the STT-MRAM or the ME-AFMRAM itself, or by leveraging heterogeneous spin-CMOS integration.

TABLE 3 :
Comparison for latency and energy when applying the CME and Memcryption schemes to a 128-bit ME-AFMRAM array.The baseline latency for the unencrypted array is ∼ 100 ps.