Yeah, squeeze AES‑128 into a 3‑V coin‑cell node is doable, just keep it tight. First, use a low‑power crypto‑co‑processor or a dedicated AES engine in the MCU if you can; those have tiny current spikes and no full CPU involvement. If you’re stuck on a single MCU, go for a fixed‑size key schedule – pre‑compute the round keys in ROM so you don’t have to do the key expansion on the fly. That saves a few microseconds and a bit of current. Use a single‑wire bus for the key, so you never need to store it in RAM. Second, run the core at the lowest frequency that still meets your timing – most coin‑cell nodes can clock down to a few hundred kilohertz. Turn off unused peripherals and let the MCU sleep between blocks. Third, for the attack surface, keep the API minimal: only expose an encrypt/decrypt function with a strict input length check. No self‑tests, no debug registers. And if you can, lock the AES block with a fuse or OTP that disables the peripheral after programming. Finally, consider a power‑down guard: put a high‑value resistor from Vcc to the AES core so it pulls down when the battery dips, preventing partial‑power attacks. That should keep the draw in the micro‑watt range while keeping the crypto tight.

Sounds solid. Keep the command tight and the clocks low, and you’ll have a coin‑cell that’s almost as quiet as a ninja. Good luck—if the battery dies before the crypto does, at least you’ll have a clean kill switch.