Ultra-fast data sanitization of SRAM by back-biasing to resist a cold boot attack

Although SRAM is a well-established type of volatile memory, data remanence has been observed at low temperature even for a power-off state, and thus it is vulnerable to a physical cold boot attack. To address this, an ultra-fast data sanitization method within 5 ns is demonstrated with physics-based simulations for avoidance of the cold boot attack to SRAM. Back-bias, which can control device parameters of CMOS, such as threshold voltage and leakage current, was utilized for the ultra-fast data sanitization. It is applicable to temporary erasing with data recoverability against a low-level attack as well as permanent erasing with data irrecoverability against a high-level attack.

Although SRAM is a well-established type of volatile memory, data remanence has been observed at low temperature even for a power-off state, and thus it is vulnerable to a physical cold boot attack. To address this, an ultra-fast data sanitization method within 5 ns is demonstrated with physicsbased simulations for avoidance of the cold boot attack to SRAM. Back-bias, which can control device parameters of CMOS, such as threshold voltage and leakage current, was utilized for the ultra-fast data sanitization. It is applicable to temporary erasing with data recoverability against a low-level attack as well as permanent erasing with data irrecoverability against a high-level attack.
Static random access memory (SRAM), which is a type of volatile memory, is widely used for temporary storage of encryption keys and secret data in security systems [1][2][3] . It is commonly believed that stored data in SRAM are lost immediately and instantly when power is removed, and this is the main reason why SRAM is considered a secured memory device for high-level security applications. However, data remanence at low temperature was reported in power-off SRAM 4,5 . Recently, studies on a cold boot attack to SRAM have been reported 6,7 . If the time of data remanence is prolonged at low temperature, encryption keys and secret data can be decoded via a cold boot attack by a hacker. A method for fast erasing in SRAM is therefore necessary against the cold boot attack. A few approaches were demonstrated to prevent SRAM data from being decoded by the physical cold boot attack by use of additional circuitry including an erase transistor, storage capacitor, and charge pump. However, they sacrificed layout efficiency and increased hardware cost 8,9 . In addition, long time of 0.2 μs was needed for data erasing.
In this work, an ultra-fast data sanitization of SRAM within 5 ns is demonstrated by use of forward backbiasing against the cold boot attack. Back-bias applied to a body of a metal-oxide-semiconductor field-effect transistor (MOSFET) is utilized to delete stored data via intentional distortion of the latch state between two inverters of a SRAM cell, which also encloses two n-channel pass-gate MOSFETs.
These two inverters are cross-coupled to sustain the latch state stably as long as power is supplied. An inverter is composed of a complementary metal-oxide-semiconductor (CMOS), i.e., a pull-down n-channel MOSFET abbreviated NMOS and a pull-up p-channel MOSFET abbreviated PMOS. In the proposed data sanitization, two types of data erasing are available. One is temporary erasing by symmetric application of back-bias to two p-channel MOSFETs in each inverter. The other is permanent erasing by asymmetric application of back-bias to a PMOS in one inverter and to an NMOS in the other inverter. In the former case, data recovery is allowed after a low-level threat attempt by hacking. In the latter case, data recovery is impossible after an attempt of a high-level threat by hacking. Temporary erasing partially disturbs data reading by application of the symmetric forward back-bias during an attack and then the partially distorted data are recoverable after the cessation of the hacking attempt. In contrast, permanent erasing completely deletes remnant data by application of the asymmetric forward back-bias against the critical hacking attempt and thereafter the erased data are irrecoverable. Therefore, the user can reuse the previous data with temporal erasing, whereas one cannot do them with permanent erasing when the hacker's attack is finished. This approach with the aid of the back-biasing does not demand additional circuitry because back-biasing is commonly used for tuning CMOS characteristics, such as threshold voltage (V T ) or leakage current (I OFF ) [10][11][12] . The data sanitization mechanism is analyzed for both the permanent erasing and the temporary erasing with physics-based device simulations. The results show that the proposed back-bias scheme can provide immunity against a cold boot attack at low temperature.

Methods
For the simulations of a SRAM cell, MOSFETs with a high-k gate dielectric and a metal gate for a 32 nm technology node were modeled with the aid of a SILVACO ATLAS TCAD simulator 13 . The detailed parameters of the NMOS were set by referring to 14 . Thereafter those of the PMOS were regenerated as a counter-part of the NMOS. Based on the device-level simulations, a conventional cell of six transistor-SRAM (6 T-SRAM) was constructed using ATLAS mixed-mode TCAD simulations to confirm the behaviors of the SRAM data sanitization by forward back-biasing. It is well known that the 6 T-SRAM is composed of two pull-up PMOS, two pull-down NMOS, and two pass-gate NMOS. In detail, the gate length (L G ), the gate width (W G ), and the equivalent oxide thickness (EOT) of the gate dielectric are 45 nm, 1 μm and 1.53 nm, respectively in the device level simulations with single MOSFET. The doping concentration of the source (N source ), drain (N drain ), and substrate (N sub ) was set as 1 × 10 20 cm −3 , 1 × 10 20 cm −3 , and 3 × 10 18 cm −3 , respectively. The dopant polarity for the PMOS was opposite to that for the NMOS. Various physical models, such as Schockley-Read-Hall (SRH), bandgap narrowing (BGN), Fermi-Dirac (FERMI), non-local band-to-band tunneling (BTBT), trap-assisted tunneling (TAT), and Cryogenic (CRYO) were used for accurate physics-based simulations. As a result, transfer characteristics (I D -V G ) of the NMOS and PMOS modulated by forward back-bias (V BS ) were obtained, as shown in Fig. 1a and b. Note that the forward V BS of the NMOS is 1 V and the forward V BS of the PMOS is -1 V. This bias mode is opposite to that of the conventional back-bias scheme that usually relies on a reverse mode. Under the forward back-biasing, both NMOS and PMOS were turned on regardless of V G . Figure 1a and b also show that the I D -V G characteristics of the NMOS and the PMOS were influenced by temperature (T). As T is lowered, the subthreshold slope (SS) becomes steeper and the off-state current (I OFF ), referred to as leakage current, tends to be decreased. When a cold boot attack was attempted at 173 K, remnant data were read even at a power-off state owing to the improved SS and suppressed I OFF 6,7 . It is inferred that the cold boot attack can be avoided by intentionally heating up the SRAM far above room temperature when the hacking attempt is sensed. However, it is practically difficult to apply heat to the SRAM. Moreover, this approach is not effective because the shift of V T by temperature change, expressed as dV T /dT, is very small. It was found that dV T /dT was 0.94 mV/K for the NMOS and -0.72 mV/K for the PMOS from Fig. 1a and b. These values are comparable to the experimental data reported in 15,16 . As an example, ΔT (= T high -T 300K ) of 426 K is required to make a ΔV T of 0.4 V that can distort the I D -V G . This means that high temperature (T high ) of 726 K is needed to induce the ΔV T of 0.4 V solely by temperature at room temperature. Such high temperature can provoke serious damage to the package of a SRAM chip or a PCB board owing to melting. In contrast, a ΔV T of 0.4 V is achievable by the back-bias of below 0.8 V. This reveals that the forward back-biasing is more effective than increment of temperature to avoid the cold boot attack. www.nature.com/scientificreports/ Using the modeled CMOS, a SRAM cell was designed to examine the feasibility of data sanitization by forward back-biasing. The behaviors of the SRAM sanitization were verified using a SILVACO ATLAS mixedmode TCAD simulation. The 6 T-SRAM was composed of two pull-up PMOS, two pull-down NMOS, and two pass-gate NMOS. The word-line (V WL ) voltage of the pass-gate MOSFETs was low for turning them off and isolating the storage node (SN) and bit-lines (BLs). The W G of the MOSFET comprising the SRAM cell was set as 80 nm referring to 17 . The supply voltage (V DD ) for SRAM operation was set to 1 V. For permanent erasing, asymmetric forward back-bias was applied to the NMOS of the left inverter and the PMOS of the right inverter or vice versa, as depicted in Fig. 1c. Note that the magnitude of the forward back-bias is the same for the NMOS and the PMOS, whereas they have opposite voltage polarity. In this case, the initial data state can be reset to '0' or '1' . For temporary erasing, symmetric forward back-bias was applied to the PMOS of both inverters or the NMOS of both inverters, as depicted in Fig. 1d. In this case, the latch state locked in both inverters can be distorted when initially off-state PMOSs or NMOSs are turned on not by gate bias but by the applied back-bias, as shown in Fig. 1a and b.

Results
Permanent erasing. Figure 2 shows the results of permanent erasing by use of forward back-biasing at room temperature. Figure 2a and b show the bit line voltage (V Q ) and bit bar line voltage (V QB ) when '0' was stored initially. Note that V Q and V QB have contrasted voltage levels for the same data state. For example, V Q and V QB have 0 V and 1 V for the data state '0' , respectively. V Q and V QB are changed by the applied forward backbias (|V BS |). When positive V BS was forwardly applied to the NMOS of the left inverter and negative V BS was forwardly applied to the PMOS of the right inverter with the same magnitude of more than 0.9 V (Fig. 1c), the initial V Q of 0 V was changed to 1 V and the initial V QB of 1 V was changed to 0 V. Therefore, the initial '0' was pulled up to a final '1' . Figure 2c and d show V Q and V QB when '1' was stored initially. With the same forward back-biasing, as shown in Fig. 2a and b, V Q was maintained as 1 V and V QB also remained at 0 V. Hence the initial '1' was sustained as final '1' . As a consequence, stored data were reset to '1' en bloc, regardless of the initial data www.nature.com/scientificreports/ state. Figure 3a and b show simplified data diagrams and corresponding circuits for the permanent erasing. The erased states to '1' were sustained even after the back-biasing was removed, as shown in Fig. 3a. In contrast, '0' and '1' were reset to '0' en bloc, as another permanent erasing when the forward back-bias was applied to the PMOS of the left inverter and the NMOS of the right inverter, as shown in Fig. 3b. A body terminal in a MOSFET can serve as a secondary gate (pseudo-gate), while an actual gate terminal can operate as a primary gate. Herein when an initially off-state MOSFET in an inverter was turned on by the applied back-bias, the latch state in the cross-coupled inverters was notably distorted. Figure 4 explains how the latch state is distorted and thereby data are permanently erased to state '1' . The configuration of a 6 T-SRAM cell was intentionally modified to analyze the distortion of the latch state. Figure 4a and b show the modified circuit configuration and its input-output voltage transfer curve (VTC) with the back-biasing. Two positive feedback lines, I and II, are separately removed from the conventional 6 T-SRAM cell. Thereafter, forward back-bias was applied to the modified cell in order to extract the distorted VTC of V Q and V QB . V Q ' and V QB ' were defined as the output voltage through two inverters that receive input V Q and V QB , respectively. In the case where positive feedback line I is removed, shown in Fig. 4a, the blue rectilinear dashed-line in the VTC graph shows how V Q is changed, when data '0' was initially stored in the modified VTC graph. The initial V Q of 0 V (data '0') was pulled up to 1 V (data '1') by the removal of positive feedback line I. The red vertical dashed-line in the VTC graph shows how V Q is changed, when data '1' was initially stored. The initial V Q of 1 V (data '1') was maintained by the removal of positive feedback line I. Therefore, the permanent data erasing can proceed by making both data '0' and '1' into '1' . In the case of removing positive feedback line II, shown in Fig. 4b, the blue rectilinear dashedline in the VTC graph shows how V QB is changed, when data '0' was initially stored. The initial V QB of 1 V (data '0') was pulled down to 0 V (data '1') by the removal of positive feedback line II. The red vertical dashed-line in the VTC graph shows how V QB is changed, when data '1' was initially stored. The initial V QB of 0 V (data '1') was maintained by removing positive feedback line II. Therefore, the permanent data erasing can also proceed by making both data '0' and '1' into '1' . While the other permanent data erasing shown in Fig. 3b is not explained, it similarly works as described above. In this case, all the data of '0' and '1' can be reset to '0' .
In order to resist a cold boot attack, the proposed data erasing by forward back-biasing must be available in a low temperature environment. Therefore, it was confirmed that permanent data erasing was achievable at low temperatures down to 173 K 6,7 . The abovementioned cryogenic (CRYO) model was used for accurate physicsbased low temperature simulations. Figure 5a and b show V Q and V QB when data '0' was initially stored, and Fig. 5c and d exhibit V Q and V QB when data '1' was initially stored for various temperatures ranging from 173 to 298 K. The data was reset to '1' by the forward back-biasing even at T of 173 K. This is because ΔT (= T room -T low ) of 125 K (= 298 K -173 K) makes a small positive ΔV T of 0.12 V and ΔV BS (= V BS,GND -V BS,FWD ) of -1 V (= 0 V -1 V) induces a large negative ΔV T of 0.66 V in an NMOS; i.e., the V T change by the forward back-biasing overwhelms the V T change by the temperature. Supplementary Fig. S1a shows how the erasing time varies according to the load capacitance (C L ) connected to each inverter in a SRAM cell. It corresponds to bit-line capacitance, which tends to be decreased as a technology www.nature.com/scientificreports/ node is advanced. Referring to 16 , C L is 117 fF at a 70 nm technology node. The erasing time is increased by prolonged RC delay, as C L is increased. Therefore, the erasing time can be increased with larger C L in larger array architecture. However, as the technology node advances, fast data sanitization is possible due to reduced C L . For example, the ultra-fast data sanitization within 5 ns is feasible for C L of 1 pF, which is larger than nominal C L below 100 fF 18 at the 32 nm node. It is worth noting that the erasing time can be further shortened by increment  www.nature.com/scientificreports/ of |V BS |. Supplementary Fig. S1b shows the erasing time influenced by C L for various temperatures. Ultra-fast erasing within 5 ns is also achievable even at 173 K ( Supplementary Fig. S2a). This implies that the proposed bask-biasing scheme can resist the cold boot attack. Meanwhile, if |V BS | is larger than the built-in potential (~ 0.8 V) of the p-n junction at the source and drain, a forward junction current (I j,FWD ) is flown 18 . From the simulation, I j,FWD values of 0.29 mA and 2.13 mA were flown for |V BS | of 0.9 V and 1 V, respectively. Accordingly, power consumption for the permanent erasing was extracted as 0.58 mW and 4.26 mW for the |V BS | of 0.9 V and 1 V, respectively. However, the energy consumption for the permanent erasing could be reduced to an order of pJ. This is because shorter time than 5 ns is sufficient to delete the data in the ultra-fast sanitization.
Temporary erasing. Figure 6 shows the results of the temporary erasing with forward back-biasing at room temperature. Figure 6a and b show V Q and V QB when '0' and '1' were respectively stored. They were modulated by the applied V BS . When negative V BS (i.e., forward back-biasing) applied to both PFETs in two inverters was increased, the voltage margin (V margin ) between V Q and V QB was narrowed. Note that the minimal V margin for normal reading operation in SRAM is 0.25 V to distinguish '0' and '1' 19 . From the simulation, the corresponding value was 0.22 V at a |V BS | of 0.93 V. Thus, the latched data state in the SRAM cell is seriously distorted to the point of being illegible because its V margin is smaller than 0.25 V. Figure 6c shows a simplified data diagram of the temporary erasing. When V margin is small enough to be indistinguishable, a hacker cannot read the data. On the other hand, unreadable data by temporary erasing can be promptly recovered to their original states by removing the back-bias after the threat of the attack has disappeared. Figure 6d shows the erasing time of the temporary erasing, which was affected by C L . The data sanitization could be accomplished within 15 ns, which is sufficiently fast. The slight difference between temporary erasing time and permanent erasing time is attributed to the different back-bias scheme. Recall that symmetric back-biasing was applied for the temporary erasing and asymmetric back-biasing was applied for the permanent erasing. This results in a dissimilar RC delay affecting the time to distort the stored data in SRAM.
Like the permanent erasing by the aforementioned asymmetric back-biasing, the temporary erasing can also partially disturb the latch state by symmetric back-biasing. However, the level of the disturbance in the temporary erasing is small compared with that in the case of permanent erasing. Figure 7 shows how much the latch state is disturbed by the temporary erasing and thereby data become temporarily unreadable. Figure 7a and b show the modified circuit configuration and its input-output VTC with the back-biasing. Being done at Fig. 4, two positive feedback lines I and II were also individually removed from the conventional 6 T-SRAM cell, as depicted in each circuit diagram of Fig. 7. Thereafter, forward back-bias was applied to the modified SRAM cell in order to extract the distorted VTC of V Q and V QB . V Q ' and V QB ' were defined as the output voltage through the modified cross-coupled inverters that receive input V Q and V QB , respectively. Referring to the VTC graph from Fig. 7a, the blue rectilinear dashed-line shows how much V Q is changed, when data '0' was initially stored. The initial V Q of 0 V (data '0') was pulled up to 0.73 V by removing positive feedback line I. The red vertical dashed-line in the VTC graph shows how V Q is changed, when data '1' was initially stored. The initial V Q of 1 V (data '1') was pulled down to 0.95 V by the removed positive feedback line I. Likewise, referring to the VTC graph in Fig. 7b, The temporary erasing at low temperature was also investigated with simulations to confirm whether it can resist the cold boot attack. Figure 8a and b show V Q and V QB depending on the temperature, when a |V BS | of 0.93 V was applied. This is the condition where the temporary erasing worked at room temperature. As the temperature was decreased to 173 K, V margin was notably widened to nearly 1 V again. Thus, data sanitization by the temporary erasing could not be accomplished. This vulnerability to low temperature can be mitigated by increasing |V BS |. Figure 8c and d show V Q and V QB as a function of |V BS | at 173 K. As |V BS | was increased, V margin narrowed. Temporary erasing time within 5 ns was also achievable even at 173 K ( Supplementary Fig. S2b). Conclusively, it is confirmed that the temporary erasing as well as the permanent erasing can resist the cold boot attack by the forward back-biasing.
It should be noted that the proposing data sanitization requires a new layout scheme in order to separately apply the back-bias. Supplementary Fig. S3a shows a conventional layout of high-density 6 T-SRAM. According to the conventional 6 T-SRAM layout, two pull-up (PU) PFETs share the same N-type well so that it is impossible to provide different back-bias for each PU PFET. In order to provide back-bias to only one of the PU PFET, the layout innovation is required. Supplementary Fig. S3b shows a possible layout innovation to realize individual back-biasing by using two N-type wells, which are separated by a slim P-type well. In addition, as shown in Supplementary Fig. S3a, pull-down (PD) NFET and pass-gate (PG) NFET share the same P-type well. Therefore, if the back-bias is applied to the P-type well, the back-bias will influence on the PG and PD NFET together because they are located in the same well. One of the solutions is to apply negative voltage to the GND node rather than to apply positive voltage to the P-type well for the back-biasing. More specifically, if the GND is divided to GND1 and GND2 as shown in the Supplementary Fig. S3b, two PD NFETs can be biased individually. The cross-sections of conventional layout of high-density 6 T-SRAM and possible layout innovation to realize proposed data sanitization scheme are shown in Supplementary Fig. S4. In a layout point of view, a concern to the proposed SRAM cell to allow the back-biasing is a slim p-type well that has a width in a range of 80 nm, which is close to a lithographic limit in a 32 nm technology node. Supplementary Fig. S5 compares a footprint area between a conventional layout and the proposed layout in a 6 T-SRAM cell. According to 21 , the area of SRAM cell in the 32 nm technology is 0.74 μm × 0.27 μm. Therefore, the area of the proposed SRAM cell is expected to be increased to 10.8% compared with the conventional one owing to an additional 80 nm well width. The well-proximity effect (WPE) may provoke an V T shift in a proposed cell transistor. But, it is simply compensated  www.nature.com/scientificreports/ for an invariant noise margin by employment of channel V T implantation, which has commonly used in CMOS fabrication. Table 1 shows the area comparison among various implementations for SRAM sanitization [22][23][24] . Each implementation has a different cell size according to a sanitization type. Note that the proposed approach has the smallest number of transistors with the reduced normalized cell size.
To generate the back-bias, a controller should detect whether the SRAM is under attack. Supplementary  Fig. S6 shows a strategy to detect the cold boot attack, which will be served as a trigger to enable the data sanitization. As soon as the cold boot attack is attempted by lowering temperature of a SRAM chip to a cryogenic level, such threatening should be detected prior to actual hacking. Herein, a CMOS temperature-to-pulse generator can be used to sense the lowering of ambient temperature, as shown in Supplementary Fig. S7. A delay time is induced between two transmission lines when the ambient temperature is changed, and a XOR gate generates  www.nature.com/scientificreports/ pulses according to the mismatch in the two lines 25 . By connecting the output of the CMOS temperature-topulse generator to a back-bias terminal, the data in the SRAM cell can be instantly erased when a rapid cooling is attempted by liquid nitrogen. In this way, the back-bias for SRAM data sanitization can be applied automatically.

Discussion
For a security system, ultra-fast data sanitization for SRAM was demonstrated with forward back-biasing, which did not require any extra circuit. The simulation study confirmed that this strategy could resist the cold boot attack. The latch states in SRAM were distorted by the forward back-biasing in order to reset data or make data unreadable against hacking. The level of the distortion was modulated by various back-biasing schemes. Symmetric back-biasing to two PMOS supported recoverable temporary erasing. Furthermore, asymmetric backbiasing to the PMOS in one inverter and to the NMOS in the other inverter facilitated irrecoverable permanent erasing. According to the level of the hacking threat, either permanent erasing or temporary erasing can be chosen by an end user. Based on the physics-based ATLAS device simulations, the possibility of data sanitization at low temperature down to 173 K in order to resist a cold boot attack was confirmed. In the meanwhile, the direct demonstration of the sanitization with a fully fabricated SRAM chip is planned for the justification of actual security hardware in future.

Data availability
Scientific Reports requires the inclusion of a data availability statement with all submitted manuscripts, as this journal requires authors to make available materials, data, and associated protocols to readers.