Ultra-low Power Encryption Engine for Wireless Implantable Medical Devices

Saied Hosseini-Khayat, Parvin Bahmanyar, Ehsan Rahiminezhad
Digital System Design Laboratory
Electrical Engineering Department
Ferdowsi University of Mashhad, Mashhad, Iran
skhayat@um.ac.ir

Mohamad Sawan, Fellow, IEEE
Polystim Neurotechnologies Laboratory
Department of Electrical Engineering
Polytechnique Montréal
Montréal, QC H3C 3A7, Canada

Abstract—Wireless implantable medical devices are expected to perform cryptographic processing at an extremely low level of power consumption. This paper presents the design of an ultra-low power ASIC core implementing the PRESENT encryption algorithm. To minimize power consumption, subthreshold CMOS logic is adopted. To implement robust combinational logic (S-boxes) in PRESENT at subthreshold, a multiplexor-tree architecture based on CMOS transmission gates is proposed. Our post-layout simulations show that our PRESENT core consumes around 50 nW at a 0.35 V supply voltage and a 25 kHz clock frequency, proving the feasibility of ultra-low power encryption.

I. INTRODUCTION

Wireless implantable medical devices (WIMDs) employ radio transmission technology to enable remote patient monitoring and treatment. However, recent research [1,2] has brought to attention the potential security hazards associated with these devices. To design secure WIMDs, we make the following important observations:

Power: Most WIMDs are battery-operated throughout their extended lifetime, which may reach up to 10 years. (Note that replacing an implant normally requires surgery, which is risky, costly and inconvenient.) A back-of-the-envelope calculation suggests that for a modern small lithium-ion battery storing about 3000 Joules of energy to last about 10 years, the average power consumption of the entire WIMD must be less than 10 μW.
Given that a WIMD must perform a fair amount of digital signal processing and radio transmission, the amount of power left for crypto-processing is severely limited. We aim at designing a crypto-engine that consumes less than 100 nW.

Speed: Since vital signals do not vary too fast, most WIMDs do not require high processing speeds. Among the fastest signals in the body are neural action potentials, which can be safely sampled and processed at around 20 kS/s. Therefore our crypto-engine clock frequency is set to 25 kHz.

We have chosen to implement the light-weight block cipher PRESENT [3], as this algorithm provides an adequate level of security at minimal chip area and circuit complexity.

II. PRESENT ARCHITECTURE DESCRIPTION

The PRESENT block cipher is a light-weight encryption algorithm [3] for resource-constrained applications. PRESENT consists of 31 processing rounds and uses a substitution-permutation network. The data block size is 64 bits. We implement PRESENT-80, a version of PRESENT that uses a key size of 80 bits. The details of the PRESENT algorithm are fully described in [3]. Fig. 1 shows a single round of PRESENT, which consists of (a) bit-wise XOR of key and data, (b) 4-bit substitution box (the S-box), and (c) 64-bit bit shuffling (the P-box).

The hardware architecture of PRESENT as implemented in our ASIC core is shown in Fig. 2. It is an iterative architecture, chosen to reduce chip area. There are two distinct processing loops shown in the figure: (a) the key expansion loop (shown on the right-hand side of the figure), and (b) the data processing loop (shown on the left-hand side of the figure). The key expansion loop expands the main secret key into 32 sub-keys on the fly. The input to this loop is the 80-bit main key. The data processing loop performs one encryption round of PRESENT. An 80-bit key is set up at the key input (almost permanently). A 64-bit plaintext is set up at the plaintext input.
When the reset signal goes low, at the rising edge of the clock signal, the key register and data register are loaded from the key and data input ports, respectively, through their corresponding multiplexors.

Figure 1. A single round of PRESENT [3]

978-1-4673-2527-1/12/$31.00 ©2012 IEEE
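The round structure and the two loops described in Section II can be written as a bit-accurate software reference model, useful for checking hardware output against known answers. This is an added example, not the authors' code or RTL. The S-box table, bit permutation and key-update steps are not given on this page and are taken from the PRESENT specification [3]; all function names are chosen here.

```python
# Added example: software reference model of iterative PRESENT-80.
# S-box, P-layer and key schedule follow the PRESENT specification [3];
# function and variable names are assumptions made for this example.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK64 = (1 << 64) - 1
MASK80 = (1 << 80) - 1


def sbox_layer(state):
    """Apply the 4-bit S-box to each of the 16 nibbles of the 64-bit state."""
    out = 0
    for n in range(16):
        out |= SBOX[(state >> (4 * n)) & 0xF] << (4 * n)
    return out


def p_layer(state):
    """Bit shuffle: bit i moves to position 16*i mod 63; bit 63 stays put."""
    out = 0
    for i in range(64):
        dest = 63 if i == 63 else (16 * i) % 63
        out |= ((state >> i) & 1) << dest
    return out


def key_update(key_reg, round_counter):
    """One pass through the key expansion loop on the 80-bit key register."""
    key_reg = ((key_reg << 61) | (key_reg >> 19)) & MASK80  # rotate left by 61
    top = SBOX[key_reg >> 76]                               # S-box on bits 79..76
    key_reg = (top << 76) | (key_reg & ((1 << 76) - 1))
    return key_reg ^ (round_counter << 15)                  # counter into bits 19..15


def present80_encrypt(plaintext, key):
    """Encrypt one 64-bit block; each loop pass is one data-loop iteration."""
    state, key_reg = plaintext & MASK64, key & MASK80
    for round_counter in range(1, 32):      # 31 rounds
        state ^= key_reg >> 16              # (a) XOR with sub-key (top 64 key bits)
        state = sbox_layer(state)           # (b) S-box layer
        state = p_layer(state)              # (c) P-box layer
        key_reg = key_update(key_reg, round_counter)
    return state ^ (key_reg >> 16)          # 32nd sub-key is XORed at the end
```

The same functions can drive a testbench by comparing `state` after each loop pass with the data register contents of the core under simulation.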