1998 Goodman JSSC PDF
1998 Goodman JSSC PDF
1998 Goodman JSSC PDF
mod (2)
(a)
(b)
Fig. 4. Architecture of the QRG.
Fig. 6. Critical path reduction techniques. (a) Pipelining the Y -recoder. (b)
Parallelizing the quotient estimate.
(a)
(a)
(b)
Fig. 11. (a) PWM generator block diagram. (b) PWM generator delay line.
Fig. 12. Low-voltage modified Widlar current source and PLL charge pump (dimensions in micrometers).
of the conversion. The dynamic comparator dissipates power to a maximum of 134 mW. The drop-off in efficiency at low
only during evaluations and requires no external biasing net- loads is due to the fixed overhead of the switching losses in the
works. The capacitor array utilizes common centroid layout output power switches, which were optimized for loads on the
to improve capacitor matching, and there are two rows and order of 100 mW. However, the converter was designed with
columns of dummy devices on the perimeter of the array to the ability to operate multiple outputs using the same control
enhance matching further. Due to the relatively low resolution circuitry. Hence, at light loads, the efficiency can be improved
of the converter, unit capacitor sizing was rather aggres- by using a second set of switches optimized for loads on the
sive; a 10 10 m poly-poly capacitor giving 47 fF of order of 1 mW. Efficiencies of 90% have been measured at
capacitance. loads on the order of hundreds of microwatts using a separate
stand-alone implementation of the converter that utilizes this
approach.
C. Performance In comparison to a recently reported embedded converter
Table I summarizes the characteristics of the converter [22], our implementation achieves higher efficiencies at all
controller under two different configurations. The efficiency power loads of interest for our application (e.g., 95% versus
of the converter is shown in Fig. 14 for a variety of loads up 80% @ 100 mW and 80% versus 40% @10 mW).
1806 IEEE JOURNAL OF SOLID-STATE CIRCUITS, VOL. 33, NO. 11, NOVEMBER 1998
TABLE I TABLE II
SUMMARY OF EMBEDDED DC/DC CONVERTER PERFORMANCE PROCESS DETAILS FOR THE ENCRYPTION PROCESSOR
Fig. 14. Efficiency of embedded DC/DC converter. structures used to characterize this prototype implementation
that could be eliminated in future implementations.
The encryption processor has been tested at all possible
VI. IMPLEMENTATION AND EXPERIMENTAL RESULTS
widths, at a variety of rates and supply voltages, and has been
The encryption processor was implemented using a standard found to be fully functional. At its maximum operating speed
static CMOS design style in a 0.6- m double-poly double- and width, the QRG circuit operates at a supply voltage of 2.5
metal process. Process details are given in Table II. Fig. 15 V and dissipates 134 nJ per output bit at a rate of 1 Mb/s. This
shows a microphotograph of the processor with several sec- implies a maximum power consumption of 134 mW (140 mW
tions highlighted, and Fig. 16 shows a close-up view of the if the power consumption of the DC/DC converter is included).
embedded converter. The size of the converter is somewhat Energy scalability can be seen in Fig. 17, which shows the
misleading, as a large portion of its circuitry is dedicated to test effects of both shutting down unused data paths (fixed supply)
GOODMAN et al.: ENERGY/SECURITY SCALABLE ENCRYPTION PROCESSOR 1807
Fig. 17 also demonstrates the benefits of using a variable VII. HYBRID SYSTEM
supply voltage relative to a fixed supply—the energy reduction Despite the variety of energy-reduction techniques used dur-
due to the variable supply varies between 1 at a width ing the course of the design, there may still be ultralow power
of 512 bits to 3.8 at a width of 64 bits. When variations applications (e.g., a wireless video sensor or communication
in throughput are taken into consideration, the savings can device) for which the power requirements of the processor
increase up to a factor of 5.33 at a rate of 100 kb/s (Fig. 18). may be prohibitively high. In such an application, the allotted
1808 IEEE JOURNAL OF SOLID-STATE CIRCUITS, VOL. 33, NO. 11, NOVEMBER 1998
REFERENCES
power budget for encryption may be on the order of hundreds
of microwatts at a data rate of 1 Mb/s, which is three orders [1] R. W. Brodersen, “The network computer and its future,” in 1997 IEEE
Int. Solid State Circuits Dig. Tech. Papers, 1997, pp. 32–36.
of magnitude less than the QRG implementation shown here [2] D. Brown, “Techniques for privacy and authentication in personal
(134 mW). communication systems,” IEEE Personal Commun. Mag., pp. 6–10,
Aug. 1995.
To provide an adequate level of security while satisfying [3] A. Aziz and W. Diffie, “Privacy and authentication for wireless local
these strict power requirements, we propose the use of the area networks,” IEEE Personal Commun. Mag., pp. 25–31, 1994.
hybrid system shown in Fig. 21. In this system, the strong [4] J. Goodman and A. P. Chandrakasan, “Low power scalable encryption
for wireless systems,” ACM Wireless Networks, pp. 55–70, Jan. 1998.
pseudorandom output of the QRG is used to periodically reini- [5] V. Gutnik and A. P. Chandrakasan, “Embedded power supply for low
tialize a much more power efficient, but less secure, cipher. power DSP,” IEEE Trans. VLSI Syst., vol. 5, pp. 425–435, Dec. 1997.
Very power-efficient ciphers can be constructed using the well- [6] L. Blum, M. Blum, and M. Shub, “A simple unpredictable pseudo-
random number generator,” SIAM J. Comput., vol. 15, no. 2, pp.
developed theory of linear feedback shift registers (LFSR’s) 364–383, May 1986.
[24]–[26]. However, the power efficiency of these ciphers [7] U. V. Vazirani and V. V. Vazirani, “Efficient and secure pseudo-random
number generation,” in Advances in Cryptology—Proc. CRYPTO ’84,
comes at the cost of a firm security guarantee—numerous 1985, pp. 193–202.
proposed LFSR-based ciphers that were thought to be secure [8] R. L. Rivest, A. Shamir, and L. M. Adleman, “A method for obtaining
have been successfully attacked (e.g., [27] and [28]). digital signatures and public-key cryptosystems,” Commun. ACM, vol.
21, no. 2, pp. 120–126, Feb. 1979.
Reinitialization of the LFSR-based cipher with the sequence [9] A. M. Odlyzko, “The future of integer factorization,” CryptoBytes, RSA
output by the QRG augments the security of the LFSR-based Laboratories, vol. 1, pp. 5–12, Summer 1995.
cipher as it has been shown that, without the ability to factor [10] A. K. Lenstra, H. W. Lenstra, Jr., M. S. Manasse, and J. M. Pollard,
“The number field sieve,” in Proc. 22nd Ann. ACM Symp. Theory of
the modulus , the pseudorandom output of the QRG is Computing, 1990, pp. 564–572.
indistinguishable from a truly random source [6]. Hence, an [11] N. Takagi, “A radix-4 modular multiplication hardware algorithm for
attacker is forced continually to restart their attack at the modular exponentiation,” IEEE Trans. Comput., vol. 41, pp. 949–956,
Aug. 1992.
beginning of each initialization period, and the amount of
M N
[12] H. Orup and P. Kornerup, “A high-radix hardware algorithm for
data exposed for any given successful attack is minimized. calculating the exponential E Modulo ,” in Proc. 10th IEEE Symp.
Computer Arithmetic, 1991, pp. 51–57.
In addition, by partitioning the system in this way, only the [13] H. Morita, “A fast modular-multiplication algorithm based on a higher
power-efficient cipher needs to operate at the 1-Mb/s data rate. radix,” in Advances in Cryptology—Proc. CRYPTO ‘89, 1990, pp.
The QRG can operate at a greatly reduced rate on the order 387–399.
[14] P. Montgomery, “Modular multiplication without trial division,” Math.
of several kilobits per second. For example, in a video sensor Computation, vol. 44, pp. 243–264, 1987.
application, if the key were updated every frame (i.e., 30- [15] A. P. Chandrakasan, S. Sheng, and R. W. Brodersen, “Low-power
Hz refresh rate), and each update required 100 bits of key CMOS digital design,” IEEE J. Solid-State Circuits, vol. 27, pp.
473–484, Apr. 1992.
information, then the power consumption of the QRG would be [16] T. Barber, P. Carvey, and A. P. Chandrakasan, “Designing for wireless
LAN communications,” IEEE Circuits Devices Mag., vol. 12, no. 4, pp.
nJ/bit bits V Hz W (8) 29–33, 1996.
[17] A. P. Chandrakasan, A. Burstein, and R. W. Brodersen, “A low-power
The power consumption of the LFSR-based cipher has chipset for a portable multimedia I/O terminal,” IEEE J. Solid-State
been measured to be 15 W at a data rate of 1 Mb/s and Circuits, vol. 29, pp. 1415–1428, Dec. 1994.
[18] Powermill User’s Manual, Synopsys Technologies, 1998.
supply voltage of 1 V. Combining these results gives a total [19] G.-Y. Wei and M. Horowitz, “A low power switching power supply for
estimated hybrid system power consumption less than 100 self-clocked systems,” in Proc. 1996 Int. Symp. Low Power Electronics
W, which is well within the allotted power budget. and Design, 1996, pp. 313–318.
[20] A. Dancy and A. P. Chandrakasan, “Ultra low power control circuits for
PWM converters,” in Proc. IEEE Power Electronics Specialists Conf.,
VIII. CONCLUSION 1997, pp. 21–27.
[21] R. J. Proebsting, “Speed enhancement techniques for CMOS circuits,”
Security must become an integral part of wireless systems U.S. Patent 4 985 643.
if the technology is going to be trusted by the mainstream [22] T. Kuroda et al., “Variable supply-voltage scheme for low-power high-
speed CMOS digital design,” IEEE J. Solid-State Circuits, vol. 33, pp.
user. However, providing security in an energy-efficient man- 454–462, Mar. 1998.
ner requires the development of dynamically reconfigurable [23] J. Montanaro et al., “A 160-MHz, 32-b, 0.5-W CMOS RISC micro-
architectures that can adapt to the time-varying data rates and processor,” IEEE J. Solid-State Circuits, vol. 31, pp. 1703–1714, Nov.
1996.
quality requirements inherent in wireless systems. These time- [24] S. W. Golomb, Shift Register Sequences. San Francisco, CA: Holden-
varying properties make wireless systems an ideal application Day, 1967.
GOODMAN et al.: ENERGY/SECURITY SCALABLE ENCRYPTION PROCESSOR 1809
[25] D. Coppersmith, H. Krawczyk, and Y. Mansour, “The shrinking gener- Anantha P. Chandrakasan (S’87–M’95) received
ator,” in Advances in Cryptology—Proc. CRYPTO ‘93, 1994, pp. 22–39. the B.S., M.S., and Ph.D. degrees in electrical
[26] C. G. Gunther, “Alternating step sequences controlled by de Bruijn engineering and computer science (EECS) from the
sequences,” in Advances in Cryptology—Proc. EUROCRYPT ‘87, 1988, University of California, Berkeley, in 1989, 1990,
pp. 5–14. and 1994, respectively.
[27] T. Beth and F. C. Piper, “The stop-and-go generator,” in Advances in He is an Associate Professor of EECS at the
Cryptology: Proc. EUROCRYPT ‘84, pp. 88–92. Massachusetts Institute of Technology, Cambridge.
[28] P. R. Geffe, “How to protect data with ciphers that are really hard to He was an Assistant Professor of EECS there from
break,” Electronics, vol. 46, pp. 99–101, Jan. 1973. 1994 to July 1998. He held the Analog Devices
Career Development Chair from 1994 to 1997. His
research interests include ultralow-power implemen-
tation of custom and programmable digital signal processors, wireless sensors
James Goodman received the B.A.Sc. degree in and multimedia devices, emerging technologies, and CAD tools for VLSI. He
electrical engineering from the University of Water- is a coauthor of Low Power Digital CMOS Design (Norwell, MA: Kluwer
loo, Canada, in 1994. He received the S.M. degree Academic) and a coeditor of Low Power CMOS Design (New York: IEEE
in electrical engineering and computer science from Press). He has been a member of the Technical Program Committee of various
the Massachusetts Institute of Technology, Cam- conferences, including ISSCC, VLSI Circuits Symposium, DAC, ISLPED, and
bridge, in 1996, where he currently is pursuing the ICCD. He was a Technical Program Cochair of the 1997 ISLPED and VLSI
Ph.D. degree. Design ’98. He is a General Cochair of the 1998 ISLPED and the Signal
His current research interests are energy-efficient Processing Subcommittee Chair for ISSCC ’99.
reconfigurable architectures for implementing cryp- Dr. Chandrakasan is a member of the Design and Implementation of Signal
tographic algorithms and protocols, as well as low- Processing Systems Technical Committee of the Signal Processing Society. He
power asynchronous design. He has held a variety of was a General Cochair of the 1998 IEEE Computer Society Annual Workshop.
industrial positions as both a student and a full-time Engineer with companies He is a Program Cochair for the 1998 IEEE Workshop on Signal Processing
such as Bell-Northern Research, Ltd., CAE Electronics, Ltd., and DY-4 Systems.
Electronics, Inc., working on a variety of projects ranging from virtual-reality
hardware engines to real-time CASE tools.
Abram P. Dancy received the S.B. and M.Eng. degrees in electrical engi-
neering and computer science from the Massachusetts Institute of Technology,
Cambridge, in 1996.
The focus of his research was the development of high-efficiency power
supplies for ultralow-power applications. He joined Synqor, Hudson, MA,
in 1997, where he currently is developing power supplies for a variety of
applications.