This paper presents a low area, low power AES-CCM authenticated encryption IP core with silicon demonstration in a 180nm standard CMOS process. The proposed AES-CCM core combines a low area 8-bit single S-box AES encryption core, an improved iterative structure and other optimized circuits. The implementation results show that the proposed AES-CCM core achieves very high resource efficiency with 6.5 kgates GE and a low power consumption of 11.6 µW/MHz while meeting the operation speed requirement of many applications, including IEEE 802.15.6 WBANs. The detailed implementation and optimization results are also presented and discussed.
Introduction
The emerging IEEE 802.15.6 wireless body area networks (WBANs) [1] aim to provide short range wireless communications in a variety of medical and non-medical applications. Medical applications include continuously collecting vital information from a patient and forwarding it to a remote monitoring station for further analysis. This huge amount of data can be used to prevent the occurrence of myocardial infarction and to treat various diseases such as those of the gastrointestinal tract, cancer, asthma, and neurological disorders. WBANs can also be used to support people with disabilities. For example, retina prosthesis chips can be implanted in the human eye so that the person can see at an adequate level. Non-medical applications include monitoring forgotten things, data file transfer, gaming, and social networking. In gaming, sensors in a WBAN can collect the coordinates of movements of different parts of the body and subsequently drive the movement of a character in the game, such as a moving soccer player, or capture the intensity of a ball in table tennis. The use of WBANs in social networking allows people to exchange a digital profile or business card simply by shaking hands.
For safety reasons, this standard constrains the devices to operate with extremely low power. Data rates, typically up to 10 Mbps, can be offered to satisfy an evolutionary set of entertainment and healthcare services. Moreover, WBANs are to support a high quality of service, such as emergency messaging. Hence, a strong security level is required for some transactions carrying essential information. The standard defines three levels of security. Each security level has different security properties, protection levels and frame formats. The required security level is selected during the association process, i.e., when a node is joining the network.
The Advanced Encryption Standard (AES) is a highly recommended security standard for data encryption [2]. In [3], the authors also summarized some main security requirements and introduced some techniques to protect the system from possible attacks using several modes of operation, such as encryption only (AES-CTR), authentication only (AES-CBC-MAC) and encrypted authentication (AES-CCM). In the IEEE 802.15.6 standard for WBANs, AES-CCM is recommended for authenticated encryption (AE) [1]. Hence, a low area, low power AES-CCM hardware core is highly desired. Therefore, this work focuses on the implementation of a low area, low power AES-CCM core for WBANs that provides both message encryption and message authentication.
The main contribution of this paper is an efficient, low area, low power AES-CCM core that combines a new single S-box AES encryption core, an improved iterative structure, a simple control circuit and other optimized circuits in a 180nm CMOS process. The rest of this paper is organized as follows. Section 2 presents an efficient single S-box AES encryption core architecture. Section 3 proposes the low area, low power AES-CCM core architecture and the implementation results. Finally, Section 4 concludes the paper.
AES encryption core design
Since the AES encryption block is the essential part of the AES-CCM core [2], the choice of its architecture is very important. The AES encryption core processes data in 128-bit blocks with key lengths of 128, 192 or 256 bits. In this paper, for a low area implementation, a key length of 128 bits is chosen, so that an AES encryption/decryption operation requires 10 rounds. Figure 1 shows the 128-bit AES encryption/decryption algorithms. The left hand side is the encryption flow and the right hand side is the decryption one.
Although the AES algorithm has been standardized, the efficient hardware architecture and implementation methods are the topics which many researchers are focusing on. However, with the fast development of many portable, wearable applications and devices, especially the Internet of things (IoT), the low area, low power and secure hardware implementations are highly required. Therefore, the higher power efficiency VLSI implementations are highly expected.
Many papers in the literature discuss AES encryption core implementations for different types of applications. For high-speed applications, AES encryption can be implemented with a round-based implementation [4], a pipeline architecture [5] or an unrolled-round architecture [6]. However, these architectures lead to high power consumption. The largest part of the parallel architecture is the S-box. For low-cost and low-power AES designs, the 8-bit architecture is often used since it can reduce the hardware implementation area significantly. However, the throughput is reduced as well. These cores use one [7] or two S-boxes [8, 9].
Moreover, some previous works, such as [10, 11, 12, 13], have presented implementations of low area AES encryption cores using 8-bit and 32-bit datapath architectures with two optimized S-boxes. W. Zhao et al. [8] presented an efficient, low energy operation AES implementation in a standard 65nm CMOS process. However, with the fast development of many portable, wearable applications and devices, especially in IoT systems, low area, ultra-low power and secure hardware implementations with further improvements are highly required. In the IoT era, low power and high security hardware implementation becomes an essential issue [11].
To further improve the area efficiency of the core, this paper proposes the improved single S-box architecture shown in Fig. 2, in which control signals are fed to the MUX (multiplexer), DEMUX and some other simple circuits. Each round is performed in 20 cycles, comprising 16 cycles for the 16 data bytes and 4 cycles for key expansion, with a shared S-box chosen by a selection signal (Sel). A simple counter-based control method is applied to this architecture, as presented in Table 1, in which CNT (counter) is the value of the cycle counter register in each round and r-in is the round index ranging from 0 to 9. In the shift register and other blocks of the AES encryption core, the control signals are generated by the counter-based controller. Table 2 presents the implementation results of the 8-bit single S-box AES core in a 180nm CMOS process using the Synopsys Design Compiler tool. It can be seen that the single S-box AES core achieves very low area and power consumption at the cost of a small reduction in operation speed. Moreover, to provide more detailed tradeoffs for the AES encryption core implementation, Fig. 3 presents the ASIC implementation results for the area and power consumption of the single S-box AES encryption core in a 180nm CMOS process with different values of the datapath width (w) in the hardware architecture of Fig. 2. The results are obtained from post-synthesis analysis using the Synopsys Design Compiler and PrimeTime tools. In this work, to achieve low area and low power consumption, a datapath width of w=8 is chosen for the ASIC implementation of the proposed AES-CCM core. In Fig. 3, the area is estimated as the gate equivalent (GE) count of 2-input NAND gates.
AES-CCM core design
As mentioned previously, a hardware AES-CCM design is necessary for AE operation in IEEE 802.15.6 WBANs. The existing techniques for AES-CCM implementation fall mainly into two groups: FPGA hardware based and software based approaches. The FPGA-based approach includes pipeline-reconfigurable AES-CCM in FPGA [14], memoryless AES-CCM [15], single-core reconfigurable AES [16] and unified data authentication encryption [17]. In [18], the software implementation of AES-CCM requires more than 1000 clock cycles for each round with the iterative round computation of AES, which is much higher than the FPGA implementation. However, few papers in the literature address efficient ASIC-based AES-CCM core design [19, 20].
Therefore, this paper targets an efficient, low area, low power AES-CCM core for IEEE 802.15.6 WBANs. The full description of the AES-CCM mechanism is presented in [2]. In this paper, we focus on the ASIC-based hardware implementation of the AES-CCM core.
With the target applications in WBANs, the proposed AES-CCM core is optimized to achieve low area and low power consumption by using a 2-level iteration architecture, a compact AES core and a low cost finite state machine (FSM)-based controller. Figure 4 By contrast, if cnt-round is different from loop-number, the system changes from the Operation state to the Receiver state. In the Result state, it changes to the Idle state when the done-aes signal is low. The system also has two output signals called busy-out and done-en. The signal done-en, which indicates that the authenticated encryption process has finished and the ciphertext is ready to be taken out, is "1" in the Result state and "0" otherwise. The signal busy_out, which indicates that the authenticated encryption process is running and does not allow any external impact, is high in the Operation and Receiver states and "0" otherwise. Table 3 lists the control signals generated by the FSM for the proposed AES-CCM core. The AES-CCM core architecture is shown in Fig. 5. Based on the detailed AES-CCM algorithm in [2], the proposed AES-CCM core includes the 8-bit AES encryption block, a key store unit (key-store), framing (B0&CTRi, payload-frames), a Message Integrity Code register (MIC-reg) and a simple FSM-based controller. Figure 6 shows the structure of two other main building blocks of the proposed AES-CCM core as well. The payload_frames block has four 16-bit registers to reduce the hardware complexity of the proposed AES-CCM core.
The implementation results, obtained with the Synopsys Design Compiler tool, are presented in Table 4 and compared with other designs. It can be seen that the proposed AES-CCM core has the lowest area in terms of gate equivalent (GE) count. This hardware resource efficiency is traded off against a reduction in speed and throughput. However, the operation speed of 85.6 MHz can meet the requirement of IEEE 802.15.6 WBANs [1]. Figure 7 is the chip microphotograph of the proposed AES-CCM core in 180nm CMOS technology with core circuit dimensions of 340×340 µm². Figure 8 presents the post-layout simulation results for a typical test case in the Synopsys VCS tool. In our simulation, the following parameters are chosen: Klen=128, Nlen=104, Tlen=32 and Plen=256. The measurement results of the fabricated chip have also confirmed the correct operation of the proposed AES-CCM core.
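The following added example (not the authors' design or code) formats the B0 and CTRi blocks that the framing unit described above has to produce, following the CCM block formatting of NIST SP 800-38C / RFC 3610, and counts the AES block encryptions for the simulated test case. It assumes Nlen, Tlen and Plen are bit lengths (13-byte nonce, 4-byte MIC, 32-byte payload), uses a constructed nonce value, assumes no associated data, and derives a cycle lower bound from the 10 rounds of 20 cycles stated earlier, assuming a single AES core runs every block back to back.

```python
# Added example: CCM block formatting per NIST SP 800-38C / RFC 3610.
# The nonce value and Alen=0 are constructed assumptions, not from the paper.

def _q(nonce: bytes) -> int:
    """Width in bytes of the length/counter field: q = 15 - nonce length."""
    if not 7 <= len(nonce) <= 13:
        raise ValueError("CCM nonce must be 7..13 bytes")
    return 15 - len(nonce)

def ccm_b0(nonce: bytes, plen: int, tlen: int, adata: bool = False) -> bytes:
    """First CBC-MAC block: flags || nonce || payload length (all in bytes)."""
    q = _q(nonce)
    if tlen not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("MIC length must be an even number of bytes, 4..16")
    if plen >= 1 << (8 * q):
        raise ValueError("payload too long for this nonce length")
    flags = (0x40 if adata else 0) | (((tlen - 2) // 2) << 3) | (q - 1)
    return bytes([flags]) + nonce + plen.to_bytes(q, "big")

def ccm_ctr(nonce: bytes, i: int) -> bytes:
    """Counter block CTR_i: flags || nonce || i. CTR_0 masks the MIC."""
    q = _q(nonce)
    return bytes([q - 1]) + nonce + i.to_bytes(q, "big")

def aes_calls(plen: int, alen: int = 0) -> dict:
    """AES block encryptions needed for one CCM message (lengths in bytes)."""
    if alen >= 0xFF00:
        raise ValueError("only the 2-byte associated-data length encoding is modelled")
    a_blocks = -(-(alen + 2) // 16) if alen else 0  # 2-byte prefix, zero padded
    p_blocks = -(-plen // 16)                       # ceil(plen / 16)
    return {"cbc_mac": 1 + a_blocks + p_blocks, "ctr": 1 + p_blocks}

def min_cycles(calls: dict, rounds: int = 10, cycles_per_round: int = 20) -> int:
    """Lower bound if one AES core runs every call back to back (assumption);
    framing, load/unload and FSM overhead are not modelled."""
    return sum(calls.values()) * rounds * cycles_per_round

if __name__ == "__main__":
    nonce = bytes(range(13))  # constructed 104-bit nonce
    print("B0   =", ccm_b0(nonce, plen=32, tlen=4).hex())
    print("CTR1 =", ccm_ctr(nonce, 1).hex())
    calls = aes_calls(plen=32)
    print(calls, "min cycles:", min_cycles(calls))
```

A 13-byte nonce leaves only a 2-byte length and counter field, so the same key and nonce pair must never be reused across messages and a single payload is limited to 65535 bytes.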
Conclusions
In this paper, we have presented a low area, low power AES-CCM authenticated encryption core with an efficient architecture employing the single S-box AES encryption core with an optimized counter-based controller, an improved 2-level iterative structure and other optimized circuits. The implementation results on the ASIC hardware platform show that, with the merit of low area and low power consumption, the proposed AES-CCM core can be employed for emerging applications including IEEE 802.15.6 WBANs. In the future, we will implement an ASIC-based sensor node for the IEEE 802.15.6 WBAN employing the proposed AES-CCM core.
