Abstract. In this work we present an efficient compiler that converts any circuit $C$ into one that is resilient to tampering with a $1/\mathrm{poly}(k)$ fraction of the wires, where $k$ is a security parameter independent of the size of the original circuit $|C|$. Our tampering model is similar to the one proposed by Ishai et al. (Eurocrypt, 2006), where a tampering adversary may tamper with any wire in the circuit (as long as the overall number of tampered wires is bounded) by setting it to 0 or 1, or by toggling it. Our result improves upon that of Ishai et al., which only allowed the adversary to tamper with a $1/|C|$ fraction of the wires. Our result is built on a recent result of Dachman-Soled and Kalai (Crypto, 2012), who constructed tamper-resilient circuits in this model tolerating a constant tampering rate. However, their tampering adversary may learn logarithmically many bits of sensitive information. In this work, we avoid this leakage of sensitive information, while still allowing a tampering rate that is independent of the circuit size. We mention that the result of Dachman-Soled and Kalai (Crypto, 2012) is only for Boolean circuits (that output a single bit), and for circuits that output $k$ bits their tampering rate becomes $1/O(k)$. Thus for cryptographic circuits (that output $k$ bits), our result strictly improves over Dachman-Soled and Kalai (Crypto, 2012). In this work, we also show how to generalize this result to the setting of two-party protocols, by constructing a general 2-party computation protocol (for any functionality) that is secure against a tampering adversary who, in addition to corrupting a party, may tamper with a $1/\mathrm{poly}(k)$-fraction of the wires of the computation of the honest party and of the bits communicated during the protocol.
Introduction
Constructing cryptographic schemes that are secure against physical attacks is a fundamental problem which has recently gained much attention in the cryptographic community. Indeed, physical attacks exploiting the implementation (rather than the functionality) of cryptographic schemes such as RSA have been known in theory for several years [41, 8], and recent works have shown that these attacks can be carried out in practice [9, 49]. There are many different types of physical attacks in the literature. For instance, Kocher et al. [42] demonstrated how one can learn the secret key of an encryption scheme by measuring the power consumed during an encryption operation, or by measuring the time it takes for the operation to complete [41]. Other types of physical attacks include inducing faults in the computation [7, 8, 42], using electromagnetic radiation [28, 54, 53], and several others [53, 39, 43, 31].
Although these physical attacks have proven to be a significant threat to the practical security of cryptographic devices, until recently cryptographic models did not take such attacks into account. In fact, traditional cryptographic models idealize the parties' interaction and implicitly assume that an adversary may only observe an honest party's input-output behavior. Over the past few years, a large and growing body of research has sought to introduce more realistic models and to secure cryptographic systems against such physical attacks. The vast majority of these works focus on securing cryptographic schemes against various leakage attacks (e.g. [10, 34, 47, 29, 33, 18, 50, 1, 48, 38, 15, 14, 22, 35, 30]). In these attacks an adversary plays a passive role, learning information about the honest party through side-channels but not attempting to interfere with the honest party's computation. However, as mentioned above, physical attacks are not limited to leakage, and include active tampering attacks, where an adversary may actively modify the honest party's memory or circuit. In this work, we focus on constructing schemes that are secure even in the presence of tampering.
Our Results
We present a compiler that converts any circuit into one that is resilient to (a certain form of) tampering. Then, we generalize this result, and show how to construct a general two-party computation protocol that is secure against such tampering. We consider the tampering model of Ishai et al. [33] . Specifically, we consider a tampering adversary that may tamper with any (bounded) set of wires of the computation.
We note that our compiler that converts any circuit into a "tamper resilient" one, cannot guarantee correctness of the computation in the presence of tampering. This is the case, since the adversary may always tamper with the final output wire of the circuit. Therefore, as in [33] , we do not guarantee correctness, but instead ensure privacy. In particular, we consider circuits that are associated with a secret state. We model such circuits as standard circuits (with AND, OR, and NOT gates), with additional secret, persistent memory that contains the secret state. The circuit itself is public and its topology is fully known to the adversary, whereas the memory content is secret. Following the terminology of [33] , we refer to such circuits as private circuits. Our notion of security guarantees that the secret state of the circuit is protected even when an adversary may run the circuit on arbitrary inputs while continuously tampering with the wires of the circuit.
There are several fundamental impossibility results for tampering, which any positive result must circumvent. In the following, we discuss some of these limitations.
Class of Tampering Functions. It is not hard to see that it is impossible to construct private circuits resilient to arbitrary tampering attacks, since an adversary may modify the circuit so that it simply outputs the entire secret state in memory. Thus, we must specify a class of allowed tampering functions. As in [33], in this work we consider tampering adversaries who can tamper with individual wires [33, 23, 12] and individual memory gates [11, 29, 19]. More specifically, in each run of the circuit we allow the adversary to specify a set of tampering instructions, where each instruction is of the form: set a wire (or a memory gate) to 0 or 1, or toggle the value on a wire (or a memory gate). However, in contrast to [33], where the tampering rate achieved is $1/|C|$, with $|C|$ the size of the original circuit, we allow the adversary to tamper with any $1/\mathrm{poly}(k)$-fraction of the wires and memory gates in the circuit, where $k$ is the security parameter and $\mathrm{poly}(k)$ is independent of the size of the original circuit. We note that the recent work of [12] gave a construction that is resilient to a constant tampering rate. However, in their construction a tampering adversary may learn logarithmically many bits about the secret state of the circuit, and their guarantee is only that such an adversary learns no more than logarithmically many bits. We give the guarantee that a tampering adversary does not learn anything beyond the input/output behavior.

Necessity of Feedback. As noted by [29], it is impossible to construct private circuits resilient against tampering on wires without allowing feedback into memory, i.e., without allowing the circuit to overwrite its own memory. Otherwise, an adversary may simply set one memory gate at a time to 0 or 1 and observe whether the final output is modified or not. Even if we allow feedback and place limitations on the type of tampering we allow, it is not a priori clear how to build tamper-resilient circuits.
As pointed out in [33, 12] , the fundamental problem is that the part of the circuit which is supposed to detect tampering and overwrite the memory, may itself be tampered with. Indeed, this self-destruct mechanism itself needs to be resilient to tampering.
As in [33, 12] , we prove security using a simulation based definition, where we require that for any adversary who continually tampers with the circuit (as described above), there exists a simulator who simulates the adversarys view. Like in [33] , we give the simulator only black-box access to the original private circuit with no additional leakage on the secret state. This is in contrast to the work of [12] , who achieve a constant tampering rate, but where the simulator requires O(log k) bits of leakage on the secret state, where k is security parameter, in order to simulate. Thus, our result is meaningful in settings where [12] is not.
For example, consider a setting where the same cryptographic key is placed on several devices, which are all obtained by an adversary. In this case, [12] does not guarantee any privacy for the cryptographic key, since $O(\log k)$ bits leaked from each of several devices may give enough information to reconstruct the entire cryptographic key. Another example is a setting where secrecy of an algorithm is desired in order to protect intellectual property. In this case, the secret state of the device is the algorithm and the circuit is the universal circuit. Here, the same algorithm is placed on a large number of devices and is marketed. Thus, if $O(\log k)$ bits are leaked from each device, then it may be possible to recover the entire algorithm.
Finally, we show how one can use our tamper-resilient compiler to achieve tamper-resilient secure two-party computation. We elaborate on this result in Section 1.4, but mention here that the results of [12] do not apply to this regime. Loosely speaking, the reason is that in this setting the secret state of the circuit consists of the private input and randomness of each party, and (even logarithmic) leakage on the input and randomness of a party may completely compromise the security of the two-party computation protocol.
Our Results More Formally. We present a general compiler $T$ that converts a circuit $C$ with a secret state $s$ (denoted by $C_s$) into a circuit $T(C_s)$. We consider PPT adversaries $A$ who receive access to $T(C_s)$ and behave in the following way: $A$ runs the circuit many times with arbitrary and adaptively chosen inputs. In addition, during each run of the circuit the adversary $A$ may specify tampering instructions of the form "set wire $w$ to 1", "set wire $w$ to 0", "flip the value of wire $w$", as well as "set memory gate $g$ to 1", "set memory gate $g$ to 0", "flip the value of memory gate $g$", for any wire $w$ or memory gate $g$. We restrict the number of tampering instructions $A$ may specify per run to be at most $\lambda \cdot \sigma$, where $\lambda = 1/\mathrm{poly}(k)$ and $\sigma$ is the size of the circuit $T(C_s)$. Thus, in each run, $A$ may tamper with a $1/\mathrm{poly}(k)$-fraction of the wires and memory gates. Intuitively, our main theorem asserts that adversaries who may observe the input-output behavior of the circuit while tampering with at most a $\lambda$-fraction of the wires and memory gates in each run do not gain any knowledge beyond what they could learn from input-output access to the circuit alone.
Comparison with Ishai et al. [33] and Dachman-Soled et al. [12]. Our work follows the line of work of [33, 12]. As in our work, both of these works consider circuits with memory gates, and consider the same type of faults as we do. Similarly to us, they construct a general compiler that converts any private circuit into a tamper-resilient one. In the following, we discuss some similarities and differences among these works.
-In our construction, as in the construction of [33], we require the use of "randomness gates", which output a fresh random bit in each run of the circuit. In contrast, the construction of [12] is deterministic.
-The constructions of [33, 12] provide information-theoretic security, while our construction requires computational assumptions.
-As mentioned previously, [33] constructs tamper-resilient circuits that are resilient only to local tampering: to achieve resilience to tampering with $t$ wires per run, the circuit size blows up by a factor of at least $t$. In contrast, our tamper-resilient circuits are resilient to a $1/\mathrm{poly}(k)$-fraction of tampering, where $k$ is the security parameter. Thus, our tampering rate is independent of the original circuit size.
-The construction of [12] achieves a constant tampering rate, but requires $O(\log k)$ bits of leakage on the secret state in order to simulate. As discussed above, in some settings the guarantees provided by [12] are too weak, while our construction still guarantees meaningful security. Moreover, [12] achieves a constant tampering rate only for Boolean circuits that output a single bit. For circuits with $k$-bit output, the resulting tamper-resilient circuit is only resilient to a $1/k$-fraction of tampering.
-The tampering model of [33] allows for "persistent faults", e.g., if the value of some wire is fixed during one run, it remains set to that value in subsequent runs. We note that in our case we allow "persistent faults" only on memory gates (and not on wires), so if a memory value is modified during one run, it remains modified for all subsequent runs.
Overview of our Construction
Intuitively, our compiler works by first applying to the circuit $C_s$ the leakage-resilient compiler $T_{LR}$ of Juma and Vahlis [35]. The Juma-Vahlis compiler $T_{LR}$ converts the circuit $C_s$ into two sub-computations (or modules), $\mathsf{Mod}^{(1)}$ and $\mathsf{Mod}^{(2)}$, and provides the guarantee that (continual) leakage on the sub-computations $\mathsf{Mod}^{(1)}$ and $\mathsf{Mod}^{(2)}$ leaks no information on the secret state $s$. We refer the reader to [35] for the precise security guarantee. We emphasize that $T_{LR}(C_s)$ has no security guarantees against a tampering adversary (only against a leaking adversary).
Our next idea is to use the tamper-resilient compiler $T_{TR}$ of [12]. This compiler provides security against a (continual) tampering adversary, guaranteeing that the adversary learns at most logarithmically many bits about the secret $s$. In this work our goal is to remove this leakage from the security guarantee. To this end, we apply the tamper-resilient compiler $T_{TR}$ to each sub-computation separately, each of which is now resilient to leakage.
We note however, that the Juma-Vahlis compiler relies on a secure hardware component. We do not want to rely on any such tamper-proof component. Therefore, we replace the tamper-proof component with a secure implementation. We describe our compiler in stages:
-First, we present a compiler (as above) that takes as input a circuit $C_s$ and outputs a compiled circuit $T^{(1)}(C_s)$ that consists of 4 components. We prove that $T^{(1)}(C_s)$ is secure against adversaries that tamper with at most a $1/\mathrm{poly}(k)$ fraction of wires overall, but do not tamper with any of the wires in the first component, where the first component corresponds to the hardware component in the [35] construction (see Section 3.1).
-Then, we show how to get rid of the tamper-proof component and allow $1/\mathrm{poly}(k)$-fraction tampering overall (see Sections 3.2 and 5).
Extension to Tamper-Resilient Secure Two-Party Computation.
We consider the two-party computation setting, where in addition to corrupting parties, an adversary may tamper with the circuits of the honest parties and the messages sent by the honest parties. In this setting, we show how to use our construction of tamper-resilient circuits to obtain a general tamper-resilient secure two-party computation protocol, where an adversary may actively corrupt parties and additionally tamper with a $1/\mathrm{poly}(k)$-fraction of wires, memory gates, and message bits overall. To achieve our result, we start with any two-party computation (2-PC) protocol that is secure against malicious corruptions, and where the total number of bits exchanged depends only on the security parameter $k$, and not on the size of the circuit computing the functionality. Such a 2-PC protocol can be constructed from fully homomorphic encryption and (interactive) CS-proofs. In addition, we assume that each message sent in the protocol is accompanied by a signature. Then, for each party and each round of the protocol, we consider the private circuit computing the next-message function, where the secret state is the party's private input and randomness and the public input is the transcript. We then run (a slight modification of) our tampering compiler on each such next-message circuit to obtain a circuit that is resilient to a $1/\mathrm{poly}(k)$-fraction of tampering. Since the total number of such circuits is $\mathrm{poly}(k)$, we achieve resilience to a $1/\mathrm{poly}(k)$-fraction of tampering overall. We refer the reader to Section 6 for details.
Related Work
The problem of constructing error resilient circuits dates back to the work of Von Neumann from 1956 [56] . Von Neumann studied a model of random errors, where each gate has an (arbitrary) error independently with small fixed probability, and his goal was to obtain correctness (as opposed to privacy). There have been numerous follow up papers to this seminal work, including [13, 52, 51, 25, 20, 32, 26, 21] , who considered the same noise model, ultimately showing that any circuit of size σ can be encoded into a circuit of size O(σ log σ) that tolerates a fixed constant noise rate, and that any such encoding must have size Ω(σ log σ).
There has been little work on constructing circuits resilient to adversarial faults while guaranteeing correctness. The main works in this arena are those of Kalai et al. [37], Kleitman et al. [40], and Gál and Szegedy [27]. The works of [40] and [37] consider a different model where the only type of faults allowed are short-circuiting gates. [27] consider a model that allows arbitrary faults on gates, and show how to construct tamper-resilient circuits for symmetric Boolean functions. We note that [27] allow a constant fraction $\delta$ of adversarial faults per level of the circuit. Moreover, if there are fewer than $1/\delta$ gates on some level, they allow no tampering at all on that level. [27] also give a more general construction for any circuit which relies on PCPs. However, in order for their construction to work, they require an entire PCP proof $\pi$ of correctness of the output to be precomputed and handed along with the input to the tamper-resilient circuit. Thus, they assume that the input to the circuit is already encoded via an encoding which depends on the output value of that very circuit. We (similarly to [12]) also use the PCP methodology in our result, but do not require any precomputation or that the input be encoded in some special format.
Recently, the problem of physical attacks has come to the forefront in the cryptography community. From the viewpoint of cryptography, the main focus is no longer to ensure correctness, but to ensure privacy. Namely, we would like to protect the honest party's secret information from being compromised through the physical attacks of an adversary. There has been much work on protecting circuits against leakage attacks [34, 47, 18, 50, 16, 24, 35, 30] . However, there has not been much previous work on constructing circuits resilient to tampering attacks. In this arena, there have been two categories of works. The works of [29, 19, 11, 44, 36, 45, 17] allow the adversary to only tamper with and/or leak on the memory of the circuit in between runs of the circuit, but do not allow the adversary to tamper with the circuit itself. We note that this model of allowing tampering only with memory is very similar to the problem of "related key attacks" (see [4, 2] and references therein). In contrast, in our work, as well as in the works of [33, 23, 12] , the focus is on constructing circuits resilient to tampering with both the memory as well as the wires of the circuit.
Faust et al. [23] consider a model that is reminiscent of the model of [33, 12] and of the model we consider here. They consider adversarial faults where the adversary may actually tamper with all wires of the circuit, but each tampering attack fails independently with some probability $\delta$. As in [12], they allow the adversary to learn a logarithmic number of bits of information on the secret key. In addition, their result requires the use of small tamper-proof hardware components.
The Tampering Model

Circuits with Memory Gates
Similarly to [33] , we consider a circuit model that includes memory gates. Namely, a circuit consists of (the usual) AND, OR, and NOT gates, connected to each other via wires, as well as input wires and output wires. In addition, a circuit may have memory gates. Each memory gate has one (or more) input wires and one (or more) output wires. Each memory gate is initialized with a bit value 0 or 1. This value can be updated during each run of the circuit.
Each time the circuit is run with some input $x$, all the wires obtain a 0/1 value. The values of the input wires to the memory gates define the way the memory is updated. We allow only two types of updates: delete or leave unchanged. Specifically, if an input wire to a memory gate has the value 0, then the memory gate is overwritten with the value 0. If an input wire to a memory gate has the value 1, then the value of the memory gate remains unchanged. We denote a circuit $C$ initialized with memory $s$ by $C_s$.
Tampering Attacks
We consider adversaries that can carry out the following attack: the adversary has black-box access to the circuit, and thus can repeatedly run the circuit on inputs of his choice. Each time the adversary runs the circuit with some input $x$, he can tamper with the wires and the memory gates. We consider the following types of faults: setting a wire (or a memory gate) to 0 or 1, or toggling the value on a wire (or a memory gate).
More specifically, the adversary can adaptively choose an input $x_i$ and a set of tampering instructions (as above), and he receives the output of the tampered circuit on input $x_i$. He can do this adaptively as many times as he wishes. We emphasize that once the memory has been updated, say from $s$ to $s'$, the adversary no longer has access to the original circuit $C_s$, and now only has access to $C_{s'}$. Namely, memory errors are persistent, while wire errors are not.
We denote by $\mathsf{TAMP}_A(T(C_s))$ the output distribution of an adversary $A$ that carries out the above (continual) tampering attack on a compiled circuit $T(C_s)$. We note that our tampering compiler $T$ is randomized, and so the distribution is also over the coins of $T$. We say that an adversary $A$ is a $\lambda$-tampering adversary if during each run of the circuit he tampers with at most a $\lambda$-fraction of the circuit. Namely, $A$ can issue at most $\lambda \cdot |T(C_s)|$ tampering instructions per run, where each instruction corresponds either to a wire tampering or to a memory gate tampering.
Remark. In this work, we define the size of a circuit C, denoted by |C|, as the number of wires in C plus the number of memory gates in C. Note that this is not the common definition (where usually the size includes also the gates); however, it is equivalent to the common definition up to constant factors.
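As an added illustration (example code, not part of the paper), the following Python model implements the circuit and tampering model just defined: AND/OR/NOT gates, memory gates with the delete-or-unchanged update rule, set/toggle instructions on wires and memory gates, persistent memory faults, non-persistent wire faults, and the per-run budget of $\lambda \cdot |C|$ instructions with $|C|$ counted as in the Remark. It also carries out the attack from the "Necessity of Feedback" discussion in Section 1.1 against a circuit with no feedback: the adversary sets one memory gate to 0 per run and reads the secret state off the output. All class and function names (`Circuit`, `run`, `parity_circuit`, `feedback_attack`, `one_instruction_rate`) and the sample parity circuit are this example's own.

```python
from fractions import Fraction

# Tampering instructions: ("wire", w, op) or ("mem", g, op), op as below.
OPS = {"set0": lambda v: 0, "set1": lambda v: 1, "toggle": lambda v: 1 - v}


class Circuit:
    """AND/OR/NOT circuit with memory gates holding the secret state s."""

    def __init__(self, n_inputs, memory):
        self.n_inputs = n_inputs
        self.memory = list(memory)                   # persistent secret state
        self.const1 = n_inputs + len(memory)         # a constant-1 wire
        self.n_wires = self.const1 + 1
        self.gates = []                              # (kind, input wires, output wire), topological order
        self.feedback = [self.const1] * len(memory)  # memory input wires; 1 = "leave unchanged"
        self.outputs = []

    def mem_wire(self, g):                           # output wire of memory gate g
        return self.n_inputs + g

    def _gate(self, kind, *ins):
        out = self.n_wires
        self.n_wires += 1
        self.gates.append((kind, ins, out))
        return out

    def AND(self, a, b):
        return self._gate("AND", a, b)

    def OR(self, a, b):
        return self._gate("OR", a, b)

    def NOT(self, a):
        return self._gate("NOT", a)

    def XOR(self, a, b):                             # (a or b) and not (a and b)
        return self.AND(self.OR(a, b), self.NOT(self.AND(a, b)))

    def size(self):
        """|C| = number of wires plus number of memory gates (Remark in Section 2)."""
        return self.n_wires + len(self.memory)

    def run(self, x, faults, lam):
        """One run on input x under the tampering instructions `faults`.

        A lambda-tampering adversary may issue at most lam*|C| instructions per run.
        Memory faults are persistent (they change self.memory); wire faults are not.
        """
        if len(faults) > int(Fraction(lam) * self.size()):
            raise ValueError("more than a lambda-fraction of the circuit tampered")
        wire_faults = {}
        for kind, idx, op in faults:
            if kind == "mem":
                self.memory[idx] = OPS[op](self.memory[idx])
            else:
                wire_faults[idx] = OPS[op]
        val = [None] * self.n_wires

        def put(w, v):                               # assign a wire, applying any fault on it
            val[w] = wire_faults[w](v) if w in wire_faults else v

        for i, b in enumerate(x):
            put(i, b)
        for g, b in enumerate(self.memory):
            put(self.mem_wire(g), b)
        put(self.const1, 1)
        for kind, ins, out in self.gates:
            a = [val[w] for w in ins]
            if kind == "AND":
                put(out, a[0] & a[1])
            elif kind == "OR":
                put(out, a[0] | a[1])
            else:
                put(out, 1 - a[0])
        # delete-or-unchanged rule: a 0 on a memory gate's input wire overwrites it with 0
        for g, fw in enumerate(self.feedback):
            if val[fw] == 0:
                self.memory[g] = 0
        return [val[w] for w in self.outputs]


def one_instruction_rate(circ):
    """The smallest lambda that lets the adversary issue one instruction per run."""
    return Fraction(1, circ.size())


def parity_circuit(secret):
    """C_s(x) = x xor s_1 xor ... xor s_n: black-box access reveals only the parity of s."""
    c = Circuit(n_inputs=1, memory=secret)
    acc = 0                                          # wire 0 is the input x
    for g in range(len(secret)):
        acc = c.XOR(acc, c.mem_wire(g))
    c.outputs = [acc]
    return c


def feedback_attack(circ, n_memory, lam):
    """Recover all memory bits with one "set memory gate g to 0" instruction per run.

    The circuit never overwrites its own memory (no feedback), so each persistent
    fault changes exactly the bit being probed: the output flips iff s_g was 1.
    Only the public topology (n_memory) and the input/output behaviour are used.
    """
    prev = circ.run([0], [], lam)[0]
    recovered = []
    for g in range(n_memory):
        out = circ.run([0], [("mem", g, "set0")], lam)[0]
        recovered.append(1 if out != prev else 0)
        prev = out
    return recovered


if __name__ == "__main__":
    c = parity_circuit([1, 0, 1])
    print(feedback_attack(c, 3, one_instruction_rate(c)))   # [1, 0, 1]
```

The parity circuit is chosen so that black-box access reveals only the parity of $s$, yet $n$ runs with a single persistent memory fault each recover all of $s$; with $\lambda = 1/|C|$ the adversary tampers with one wire or gate per run, a rate that for any large circuit is far below the $1/\mathrm{poly}(k)$ the compiler must withstand. A circuit with feedback could react by driving a memory gate's input wire to 0 and erasing its state, which is the self-destruct the paper builds, provided the detection logic is not itself the part that gets tampered with.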
To define security of a circuit against tampering attacks we use a simulation-based definition, where we compare the real world, where an adversary $A$ (repeatedly) tampers with a circuit $T(C_s)$ as above, to a simulated world, where a simulator $\mathrm{Sim}$ tries to simulate the output of $A$ while given only black-box access to the circuit $C_s$, and without tampering with the circuit at all. We denote the output distribution of the simulator by $\mathrm{Sim}^{C_s}$.
Definition 1. We say that a compiler T secures a circuit
In this work we construct such a compiler that takes any circuit and converts it into one that remains secure against adversaries that tamper with a $\lambda = 1/\mathrm{poly}(k)$-fraction of the wires in the circuit, where $k$ is the security parameter. Our compiler uses both the Juma-Vahlis leakage compiler [35] and the recent tampering compiler of [12].
The Compiler
Overview of the First Construction
We start by presenting our first tampering compiler T (1) that takes as input a circuit C s , and generates a tamper-resilient version of C s which requires a tamper-proof component. In the case of no tampering, we show the correctness property:
. Moreover, we prove that the circuit T (1) (C s ) is resilient to tampering with rate 1/ poly(k), where k is the security parameter.
High-level. On a very high level, $T^{(1)}(C_s)$ works as follows.
1. Apply the Juma-Vahlis compiler $T_{LR}$ to the circuit $C_s$ to obtain a hardware component and two modules $(\mathsf{Mod}^{(1)}, \mathsf{Mod}^{(2)})$. Here $\mathsf{Mod}^{(1)}_{PK, \mathrm{Enc}_{PK}(s)}$ is the sub-computation that takes as input a string $x$ and outputs the homomorphic evaluation of $C_s$ on input $x$. We refer to this sub-computation as Component 2 of $T^{(1)}(C_s)$ and denote the output of this component by $\psi_{comp}$. Then a leakage- and tamper-resilient hardware component is used to generate a "fresh" encryption of 0, denoted by $\psi_{rand}$, which is used to "refresh" the ciphertext $\psi_{comp}$. We refer to the leakage-resilient hardware outputting encryptions of 0 as Component 1. Component 3 of $T^{(1)}(C_s)$ then takes as input $\psi_{comp}$ and $\psi_{rand}$ and outputs the re-randomized ciphertext $\psi^* = \psi_{comp} + \psi_{rand}$. Finally, the second sub-computation of the Juma-Vahlis compiler, $\mathsf{Mod}^{(2)}_{SK}$, takes as input the refreshed ciphertext $\psi^*$ and decrypts it to obtain $b = C_s(x)$. This sub-computation is referred to as Component 4 of $T^{(1)}(C_s)$.
2. The next idea is to apply the tampering compiler of [12], $T_{TR}$, to each of the components separately. We note that this tampering compiler allows a tampering adversary to learn logarithmically many bits about the secret state of the circuit. However, since we apply the compiler to Components 2, 3 and 4, which inherit the leakage-resilience properties of the Juma-Vahlis compiler and are thus resilient to leakage of logarithmic size, this is not a concern to us. Unfortunately, this does not quite work. The reason is that the security definition of the tamper-resilient compiler $T_{TR}$ allows the adversary to tamper with the input. Hence, if we simply take the components described above, then a tampering adversary may tamper with the inputs to each of the components, and may completely ruin the security guarantees of the Juma-Vahlis compiler. In particular, the refreshed ciphertext $\psi^*$ may no longer be distributed correctly. Instead we do the following:
3. Compute the second component, i.e. the tamper-resilient circuit $T_{TR}(\mathsf{Mod}^{(1)})$. However, instead of outputting a single ciphertext $\psi_{comp}$, the circuit $T_{TR}(\mathsf{Mod}^{(1)})$ will output $M$ copies of $\psi_{comp}$, where $M$ is a (large enough) parameter that will be specified below. We will argue that for any tampering adversary, either self-destruct occurs or a majority of the copies of $\psi_{comp}$ are exactly correct.
4. Next, apply a version of $T_{TR}$ to the third and fourth components, with the guarantee that now an adversary cannot tamper with the input (without causing a self-destruct): the input is replicated $M$ times, an adversary can only tamper with a small fraction of these wires, and the compiled circuit checks that the replicas agree.
This version of $T_{TR}$ turns out to be much simpler than $T_{TR}$, since the size of the third and fourth components depends only on the security parameter, independent of the size of $C_s$, which simplifies matters significantly.
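The steps above can be traced on a concrete additively homomorphic scheme. The block below is an added example, not code from the paper or from the Juma-Vahlis compiler; it uses a toy Paillier instance (an assumption: the paper builds on a fully homomorphic scheme and never fixes one, but only additive homomorphism is needed for $\psi^* = \psi_{comp} + \psi_{rand}$). It shows the refresh performed by Component 3, the replica check that Components 3 and 4 perform on their $M$-fold input with self-destruct on any disagreement, and, looking ahead to Section 3.2, that a sum of $M$ encryptions of 0 is again an encryption of 0. `encrypt(b)` stands in for the homomorphic evaluation done by $\mathsf{Mod}^{(1)}$; the primes and all function names are this example's own.

```python
import secrets
from math import gcd

# Toy Paillier parameters (assumption of this example; far too small for real use).
P, Q = 2003, 2011
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)          # lcm(p-1, q-1)


def _L(u):
    return (u - 1) // N


MU = pow(_L(pow(N + 1, LAM, N2)), -1, N)               # decryption constant


def encrypt(m):
    """Enc(m) = (1+n)^m * r^n mod n^2 with fresh r in Z_n^*; ciphertexts are randomized."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    return (_L(pow(c, LAM, N2)) * MU) % N


def add(c1, c2):
    """Homomorphic addition: Enc(a) * Enc(b) mod n^2 is an encryption of a + b."""
    return (c1 * c2) % N2


def refresh(psi_comp, psi_rand):
    """Component 3: psi* = psi_comp + psi_rand. Since psi_rand is a fresh encryption
    of 0, psi* is a fresh encryption of the plaintext of psi_comp (its randomness is
    uniform and independent of psi_comp's)."""
    return add(psi_comp, psi_rand)


def sum_of_zero_encryptions(M):
    """Section 3.2 idea: M independently computed encryptions of 0, added together.
    The sum is an encryption of 0, and it is fresh as long as one summand is."""
    psi = encrypt(0)
    for _ in range(M - 1):
        psi = add(psi, encrypt(0))
    return psi


def replicate(psi, M):
    """Component 2 outputs M copies of psi_comp instead of a single ciphertext."""
    return [psi] * M


def check_replicas(copies):
    """Replica check at the input of Components 3/4: any disagreement among the
    copies triggers self-destruct (modelled as returning None); otherwise the
    common value is used."""
    if any(c != copies[0] for c in copies):
        return None
    return copies[0]


def evaluate_and_refresh(b, M):
    """End-to-end run of the pipeline from the overview for a one-bit result b;
    encrypt(b) stands in for the homomorphic evaluation of C_s by Mod^(1)."""
    copies = replicate(encrypt(b), M)                        # Component 2, replicated
    psi_comp = check_replicas(copies)
    if psi_comp is None:
        return None                                          # self-destruct
    psi_star = refresh(psi_comp, sum_of_zero_encryptions(M))  # Components 1 and 3
    return decrypt(psi_star)                                 # Component 4


if __name__ == "__main__":
    copies = replicate(encrypt(1), 7)
    copies[4] ^= 1                                           # adversary flips one replica
    print(evaluate_and_refresh(1, 7), check_replicas(copies))  # 1 None
```

The replica check here is deliberately all-or-nothing rather than a majority vote: in the paper's setting an adversary who can touch only a small fraction of the $M$ replicated input wires cannot change a majority of the copies, so any disagreement is evidence of tampering and a self-destruct is the safe reaction.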
We defer the details of the construction of T (1) (C s ) to the full version. We are now ready to state the main theorem of this section: We defer the proof of Theorem 2 to the full version.
Overview of Construction of Component 1
We now show how to construct Component 1 without relying on tamper-resilient hardware. Recall that our goal is to compute an encryption of 0 in a robust way, so that even after tampering the output is statistically close to a fresh encryption of 0 (assuming the output wires were not tampered with). Unfortunately, we don't quite manage to do this. Instead, we achieve a slightly weaker goal. We construct a circuit component that computes an encryption of 0 so that even after tampering, if self-destruct did not occur, then the output of the computation is of the form $\psi_{fresh} + \psi_{rest}$, where $\psi_{fresh}$ is a fresh encryption of 0, and $\psi_{rest}$ is a simulatable (not necessarily fresh) encryption of 0 with "good" randomness which is independent of $\psi_{fresh}$. Moreover, one can efficiently determine when self-destruct occurred. It turns out that such a component has the security guarantees needed in order to replace the hardware component of Section 3.1.
Clearly, this component will be randomized, since ciphertexts are randomized. We note that this is the first (and only) place where randomization is used by the compiled circuit. Note that the time it takes to compute a ciphertext is completely independent of the size of the underlying circuit $C_s$, and depends only on the security parameter $k$. Moreover, recall that we allow the adversary to tamper with at most a $1/\mathrm{poly}(k)$-fraction of the wires.
The basic idea is the following: repeat the following sub-computation $M$ times: compute a fresh ciphertext of 0, along with a non-interactive zero-knowledge proof that it is indeed an encryption of 0 with "good" randomness. We denote the output of the $i$-th sub-computation by $(\psi_i, \pi_i)$, where $\psi_i \leftarrow \mathrm{Enc}(0)$ and $\pi_i$ is the corresponding NIZK. The basic observation is that at least one of these sub-computations will not be tampered with at all (due to the limit on the tampering budget), and hence one of these (untampered) sub-computations can be thought of as a secure hardware component.
Next, the idea would be to add all these ciphertexts together, to compute the final $\psi = \sum_{i=1}^{M} \psi_i$. Note that if we knew that this addition computation was not tampered with, then we would be done. But clearly we do not have such a guarantee. Instead, we will add a proof that this sum was computed correctly. However, in order to add a proof we need to identify the underlying language (or what exactly we are proving). Note that it is insufficient to prove that there exist ciphertexts $\psi'_1, \dots, \psi'_M$, each an encryption of 0 with "good" randomness, such that $\psi = \sum_{i=1}^{M} \psi'_i$. This is insufficient since we will need the guarantee that at least one of these ciphertexts $\psi'_i$ was computed without any tampering, and thus can be thought of as a fresh encryption of 0. To enforce this, we need to prove that these ciphertexts $\psi'_i$ are the ones actually output by the $M$ sub-computations. To this end, we use a signature scheme, and prove that we know a bunch of signed ciphertexts and corresponding proofs $\{(\psi'_i, \sigma'_i, \pi'_i)\}_{i=1}^{M}$ such that all the signatures are valid, all the proofs are valid, and $\psi = \sum_{i=1}^{M} \psi'_i$, where $\psi$ is the claimed sum.
More specifically, we fix an underlying signature scheme, and store in the memory of this component a pair of keys $(sksig, vksig)$ for this signature scheme. The $M$ sub-computations now each compute a triplet $(\psi_i, \sigma_i, \pi_i)$, where $\psi_i \leftarrow \mathrm{Enc}(0)$, $\sigma_i$ is a signature of $\psi_i$, and $\pi_i$ is a NIZK proof that $\psi_i$ is indeed an encryption of 0 with "good" randomness. As before, the size of each computation of $(\psi_i, \sigma_i, \pi_i)$ depends only on the security parameter, and hence we can assume that at least one of these computations is not tampered with.
Once all these triplets $(\psi_i, \sigma_i, \pi_i)$ have been computed, we compute $\psi = \sum_{i=1}^{M} \psi_i$ together with a succinct proof-of-knowledge that we know $M$ triplets $\{(\psi_i, \sigma_i, \pi_i)\}_{i=1}^{M}$ such that $\psi = \sum_{i=1}^{M} \psi_i$, each $\sigma_i$ is a valid signature of $\psi_i$, and each proof $\pi_i$ is a valid proof that $\psi_i$ is an encryption of 0 with "good" randomness. We note that this part of the computation takes as input only the outputs of the previous $M$ sub-computations, the verification key $vksig$, and the CRS. Intuitively, security seems to follow from the security of the signature scheme: since the adversary is not given the secret key $sksig$ during this computation, he cannot forge a signature on a new message, and hence must use the $M$ ciphertexts output by the $M$ sub-computations.
Unfortunately, this intuition is misleading, and there is a problem with this approach that complicates our construction. The problem is that some of the subcomputations that supposedly output a triplet (ψ i , σ i , π i ) can be completely corrupted, and instead of outputting a signature σ i may output the secret key sksig (or an arbitrary function of sksig). In such a case, during the proof that ψ = ∑ ψ ′ i , a tampering adversary, may choose the ciphertext ψ ′ i arbitrarily (and in particular, depending on the untampered ciphertext) and forge a signature. We get around such an attack by using a very specific (one-time) information-theoretically secure signature scheme.
The signature scheme we use is an information-theoretic one-time (symmetric) version of Lamport's signature scheme, where there is no verification key (only a secret key, which is used both for computing and for verifying signatures). Recall that the secret key in Lamport's scheme consists of 2k random strings:
The reason we use this specific signature scheme is that it has an important feature, described below.
In our M sub-computations we use M independent secret keys. Namely, we store M independently generated keys
Our signature scheme has the following desired property. Consider a tampering adversary who may completely tamper with the wires of sub-computation i, and can thus set σ_i to be an arbitrary function of the secret key sksig_i. Our signature scheme guarantees that this arbitrary string σ_i can (information-theoretically) be used to sign at most one message, and that this message is determined by σ_i. Thus, we have the guarantee that the witness {(ψ
extracted from the proof-of-knowledge has the property that if the signatures and proofs are valid and ψ = ∑ ψ'_i, then (with overwhelming probability) the signed ciphertexts {ψ'_i} were generated independently of the untampered ciphertext, and are all "good" encryptions of 0.
The proof system we use must be a succinct proof-of-knowledge. The reason is that we will run the verification circuit M times, and argue that most of the verification circuits cannot be tampered with. To argue this we use the fact that each verification circuit is of size poly(k), independent of the original circuit size. To ensure that each verification circuit is indeed of size poly(k) (independent of M) we need succinctness, since the size of the verification circuit depends on the proof length.
The actual succinct proof-of-knowledge we use is universal arguments [3], which are an interactive version of CS-proofs. A universal argument consists of 4 messages, which we denote by (α, β, γ, δ). The verifier's messages α and γ (which are random) are stored in the memory, and the prover's messages (β and δ) are computed during the computation of the circuit.
There are still some technical difficulties that remain. First, everything in memory must be stored in a tamper-resilient way, with the guarantee that if something in memory is corrupted then self-destruct occurs. To this end, we store M copies of the CRS and M copies of the public key of the encryption scheme. As done in previous components, we check that all the copies are the same, and if not the component self-destructs (i.e., the memory is overwritten with zeros). We also need to store the secret keys sksig_1, ..., sksig_M in a robust manner, but note that since there are M such keys, simply storing M copies of each secret key is not good enough: we allow a 1/poly(k) fraction of the memory gates to be tampered with, and in particular all of the repetitions of a single secret key sksig_i can be tampered with. Instead, we compute the hash value
, where h is a collision-resistant hash function, and we store M copies of h(sksig).
In the proof-of-knowledge, the statement is the tuple (ψ, CRS, PK, h(sksig)), and we prove that we know a witness
We solve this problem by adding another proof-of-knowledge before this proof-of-knowledge, which ties the hands of the adversary and causes him to "commit" to these signatures (without knowing the secret keys). More specifically, after the initial M sub-computations, we compute h(σ)
Then in the next proof-of-knowledge, the instance is (ψ, CRS, PK, h(sksig), h(σ)), and we prove that we know a witness
. , σ_M) = h(σ).
We use the fact that h is collision resistant to argue that even if the adversary uses the secret key here to forge signatures of new messages, these new signatures cannot hash to h(σ) assuming the adversary cannot find collisions in h.
We now present the details of the construction and security proof for Component 1.
Component 1:
Universal Arguments
In what follows we give the properties of the universal argument that will be useful for us. We note that the definition below slightly differs from its original form in [3]. First, we define universal arguments for any language in NTIME(T) (i.e., any language decidable by a non-deterministic Turing machine running in time T), for any T : N → N, whereas Barak and Goldreich (following Micali [46]) define it for a universal non-deterministic language. Second, our proof-of-knowledge property slightly differs from the one presented in [3], but easily follows from their original formulation.
Definition 2. Let T : N → N, and let L be any language in NTIME(T ). A universal argument for L is a 4-round argument system (P, V ) with the following properties:
1. Efficiency. There exists a polynomial p such that for any instance x ∈ {0,1}^k the time complexity of V(x) is p(k), independent of T. In particular the communication complexity is at most p(k) as well. Moreover, if x ∈ L then for any valid witness w, the runtime
2. Completeness. For every x ∈ L and for any corresponding witness w,
3. Computational Soundness. For every polynomial-size circuit family {P*_k} and for every x ∈ {0,1}^k \ L, Pr[(P*_k(x), V(x)) = 1] = neg(k).
4. Proof-of-Knowledge Property. There exists a polynomial q and a probabilistic algorithm E (an extractor) such that for every poly-size circuit family {P*_k} and for every x ∈ {0,1}^k, if Pr[(P*_k(x), V(x)) = 1] ≥ ϵ then Pr[E^{P*_k}(x) outputs a valid witness after running in time q(1/ϵ, T(k))] = 1 − neg(k).
In particular, if P* succeeds in proving that x ∈ {0,1}^k ∩ L with non-negligible probability, then E can extract a corresponding witness in expected time polynomial in T(k).
A Formal Description of Component 1
We first describe the cryptographic ingredients used by Component 1.
- A one-time symmetric signature scheme Π_Sign = (SigGen, Sign, Verify), defined as follows:
SigGen outputs a random string sksig which consists of k pairs of random strings
where each x_{ℓ,b} ∈_R {0,1}^{2k} is of length 2k.
- A non-interactive zero-knowledge (NIZK) proof system Π_NIZK.
- Universal arguments, which are an interactive variant of the CS proof system. A universal argument consists of 4 messages, which we denote by (α, β, γ, δ). The messages α and γ are sent by the verifier and are uniformly random strings.
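The one-time symmetric Lamport scheme above, together with the property used in the overview (a string σ_i of signature length determines at most one message it can sign), as an added example in Python; this is not code from the paper. The key layout (k pairs of 2k-bit strings, no verification key) follows the definition; the helper names, the bit-list message encoding and the byte rounding of 2k bits are this example's own choices.

```python
import secrets

# Added example, not code from the paper: the one-time symmetric Lamport
# scheme used in Component 1. The secret key is k pairs of uniformly random
# 2k-bit strings; there is no verification key, and the same sksig is used
# both to sign and to verify. Messages are k-bit lists of 0/1.


def sig_gen(k: int) -> list[tuple[bytes, bytes]]:
    """sksig = ((x_{1,0}, x_{1,1}), ..., (x_{k,0}, x_{k,1})), each x_{l,b} of 2k bits."""
    nbytes = (2 * k + 7) // 8  # 2k bits, rounded up to whole bytes
    return [(secrets.token_bytes(nbytes), secrets.token_bytes(nbytes)) for _ in range(k)]


def sign(sksig, msg):
    """Reveal x_{l, m_l} for every position l of the k-bit message."""
    if len(msg) != len(sksig):
        raise ValueError("message must have exactly k bits")
    return [sksig[l][b] for l, b in enumerate(msg)]


def verify(sksig, msg, sigma):
    """Symmetric verification: recompute Sign(sksig, msg) and compare in constant time."""
    if len(msg) != len(sksig) or len(sigma) != len(sksig):
        return False
    ok = True
    for l, b in enumerate(msg):
        ok &= secrets.compare_digest(sigma[l], sksig[l][b])  # no early exit
    return ok


def message_of(sksig, sigma):
    """The property the construction relies on: a string sigma of signature
    length determines at most one message it can sign. Returns that message,
    or None if sigma verifies for no message at all."""
    if len(sigma) != len(sksig):
        return None
    msg = []
    for l, s in enumerate(sigma):
        x0, x1 = sksig[l]
        if s == x0:
            msg.append(0)
        elif s == x1:
            msg.append(1)
        else:
            return None
    return msg


def key_bits_needed(k, msgs):
    """Information-theoretic count: how many bits of sksig must be known to sign
    every message in msgs. Position l needs one 2k-bit string per distinct bit
    value among the messages. One signature carries only 2k*k bits, so two
    distinct messages always need more than a single sigma can contain."""
    distinct = sum(len({m[l] for m in msgs}) for l in range(k))
    return distinct * 2 * k


def forge_attempt(sksig, msg, sigma):
    """Adversary holding sigma = Sign(sksig, msg) tries to sign msg' that flips
    bit 0. The unrevealed string x_{0, 1-m_0} must be guessed (success 2^-2k)."""
    forged_msg = [1 - msg[0]] + list(msg[1:])
    forged_sigma = [secrets.token_bytes(len(sigma[0]))] + list(sigma[1:])
    return forged_msg, forged_sigma
```

`key_bits_needed` is the counting argument behind the "at most one message" guarantee: a signature is 2k·k bits long, while signing two distinct k-bit messages requires at least (k+1)·2k bits of the (incompressible) random key, so no string of signature length, however it was computed from sksig_i, can verify for two messages.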
We now describe Component 1. In what follows M is a parameter chosen as in Section 3.
Remark. For the sake of simplicity (and in an effort to focus on the new and interesting aspects of our component), in our formal description below, we do not formally define the notion of a ciphertext with "good" randomness. Intuitively, by "good" randomness we mean randomness r for which the error term in the ciphertext Enc PK (0; r) is not too big, so that one can perform homomorphic operations on it (that can later be decrypted using the secret key). We use the fact that a random string r is "good" with overwhelming probability.
In what follows, we use this notion of "good" randomness in a hand-wavy manner and assume that the sum of M ciphertexts with "good" randomness is a ciphertext with "good" randomness (an assumption which of course does not hold inductively).
Memory
In what follows, for any random variable x, we let x̄ = x^M denote M concatenated copies of x. Compute the following encodings and place them in memory:
1. Place the encoding of PK (M copies) in memory, where PK is the public key of the underlying (homomorphic) encryption scheme.
2. Choose a random function h_key from the collision-resistant family H, and place the encoding of key in memory.
3. Compute h(sksig) = h_key(sksig) and place the encoding of h(sksig) in memory.
4. Choose a common reference string CRS for the NIZK proof system Π_NIZK and place the encoding of CRS in memory.
5. Choose random strings (α_1, γ_1) to be the random coins of the verifier in the first universal argument, and (α_2, γ_2) to be the random coins of the verifier in the second universal argument. Place the encodings of α_1, γ_1, α_2, γ_2 in memory.
In what follows, when the circuit computation accesses one of the stored values x ∈ {PK, key, CRS, h(sksig), α_1, γ_1, α_2, γ_2}, we always assume that it is accessing the first column of x̄.
Each of the k output wires corresponding to the bits of ψ_rand = ψ_rand[1], ..., ψ_rand[k] will be split into M + 2 wires, which are used later on, as specified.
4. This part of the circuit computes a universal argument that proves knowledge of signatures σ_1, ..., σ_M that hash to h(σ). More specifically, this part of the computation takes as input a witness σ_1, ..., σ_M and the tuple (key, h(σ), α_1, γ_1), and does the following:
- Take α_1 to be the verifier's first message. Compute the second message β_1 of the universal argument for the following language:
is split into M wires which are used later on, as specified. This part of the computation also outputs a state STATE_1 which is passed to the next part of the computation, below.
- The next part of the computation takes as input STATE_1 and γ_1, where γ_1 is the third message of the verifier. Compute the fourth message δ_1 for the language L_1 and statement (h(σ), key). Each bit of the output
is split into M wires which are used later on, as specified.
5. This part of the circuit computes a universal argument that ψ_rand was computed "correctly". More specifically, this part of the computation takes as input a witness
and the tuple (ψ_rand, key, h(σ), h(sksig), CRS, α_2, γ_2) and does the following:
- Take α_2 to be the verifier's first message and compute the second message β_2 of the universal argument for the following language:
is split into M wires which are used later on, as specified. This part of the computation also outputs a state STATE_2 which is passed to the next part of the computation, below.
- The next part of the computation takes γ_2 to be the third message of the verifier, and uses STATE_2 to compute the fourth message δ_2 for the language L_2 and statement (ψ_rand, h(σ), key, CRS). Each bit of the output
is split into M wires which are used later on, as specified.
Segment 3: Error Cascade. This part is split into two subcomputations. The first subcomputation checks that all of the encodings x̄ that were placed in memory are uncorrupted. The second part propagates errors and overwrites memory.
Similar subcircuits are constructed for the remaining encodings PK, h(sksig), CRS, α_1, γ_1, α_2, γ_2, with corresponding output wires [ω
All these output wires are inputs to G_cas. Thus, in total, G_cas has 8kM + 2M input wires (M from Segment 1, M from Segment 2 and 8k·M from Segment 3), and outputs:
The first K′′ output wires of G_cas are fed to all the memory gates. If the output of G_cas is 0, then the memory gates are set to 0. Otherwise, the memory gates remain unchanged.
i=K′′+(j−1)·M+1), and the other input wire of G_{out,j} is the j-th output wire of the Circuit Computation in Segment 1, which computes the encryption ψ_rand. Each AND gate G_{out,j} has fan-out M, where the M output wires of G_{out,j} are set to:
The final output of Component 1 is denoted by ψ*_rand.
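The memory layout and the Segment 3 error cascade, as an added example in Python rather than as gates; this is not the paper's circuit. It models the replicated encodings, the "first column" read, a single-bit tampering operation in the paper's set/reset/toggle model, the consistency wires, the G_cas AND with memory zeroing, and the reason the M signing keys are protected by a replicated hash instead of by replication. SHA-256 with the key prepended stands in for h_key (an assumption), and all stored values are constructed.

```python
import hashlib

# Added example, not the paper's circuit: Component 1's memory layout and the
# Segment 3 error cascade, modelled on bytes rather than on gates. Tampering
# follows the paper's model (set a bit to 0, set it to 1, or toggle it).
# SHA-256 with the key prepended stands in for h_key from the family H (assumption).


def h(key: bytes, data: bytes) -> bytes:
    return hashlib.sha256(key + data).digest()


class Component1Memory:
    def __init__(self, pk, key, crs, sksigs, m):
        self.m = m
        # The M signing keys are stored once each; only their joint hash is replicated.
        self.sksigs = [bytearray(s) for s in sksigs]
        digest = h(key, b"".join(sksigs))
        # x-bar = M concatenated copies of x, for every value the circuit reads.
        self.enc = {name: [bytearray(v) for _ in range(m)]
                    for name, v in (("PK", pk), ("key", key), ("CRS", crs), ("h(sksig)", digest))}
        self.destroyed = False

    def read(self, name):
        """The circuit computation always reads the first column of x-bar."""
        return bytes(self.enc[name][0])

    def tamper(self, name, copy, bit, op):
        """Tamper with one memory bit of copy number `copy` of encoding `name`
        (or of signing key number `copy` when name == "sksig")."""
        target = self.sksigs[copy] if name == "sksig" else self.enc[name][copy]
        byte, off = divmod(bit, 8)
        mask = 1 << off
        if op == "set0":
            target[byte] &= ~mask & 0xFF
        elif op == "set1":
            target[byte] |= mask
        elif op == "toggle":
            target[byte] ^= mask
        else:
            raise ValueError(op)

    def consistency_wires(self):
        """Segment 3, first subcomputation: one wire per encoding, 1 iff all M copies agree."""
        return {name: int(all(c == copies[0] for c in copies[1:]))
                for name, copies in self.enc.items()}

    def keys_match_hash(self):
        """Check performed inside the proof of knowledge: the stored keys must hash
        to the replicated h(sksig). Replication cannot protect an individual sksig_i,
        because all M copies of one key fit inside a 1/poly(k) tampering budget."""
        recomputed = h(self.read("key"), b"".join(bytes(s) for s in self.sksigs))
        return recomputed == self.read("h(sksig)")

    def g_cas(self, segment1_ok, segment2_ok):
        """Error cascade gate: AND of the Segment 1 and 2 wires and all consistency
        wires. A 0 output overwrites every memory gate with zeros (self-destruct)."""
        ok = bool(segment1_ok) and bool(segment2_ok) and all(self.consistency_wires().values())
        if not ok:
            for copies in self.enc.values():
                for c in copies:
                    c[:] = bytes(len(c))
            for s in self.sksigs:
                s[:] = bytes(len(s))
            self.destroyed = True
        return int(ok)


def demo(k=16, m=8):
    """Constructed values: one bit flipped in one of the M copies of CRS is
    enough for the cascade to zero the whole memory."""
    mem = Component1Memory(b"\x01" * k, b"\x02" * k, b"\x03" * k,
                           [bytes([i]) * 2 * k for i in range(m)], m)
    mem.tamper("CRS", copy=3, bit=5, op="toggle")
    return mem.consistency_wires()["CRS"], mem.g_cas(1, 1), mem.destroyed
```

Note the asymmetry the example makes visible: flipping one bit in one copy of CRS trips a consistency wire, but flipping a bit of sksig_2 leaves every consistency wire at 1 and is only caught when the proof of knowledge recomputes the hash against the replicated h(sksig).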
Remark. We note that the size of Component 1 is of order M · poly(k) · polylog(M · poly(k)), which can be written as M · poly(k) (since M is polynomial in k, and so polylog(M) is smaller than k), due to the fact that we use the recent efficient PCP construction of Ben-Sasson et al. [5] to construct our universal arguments. This implies that a 1/poly(k)-tampering adversary cannot tamper with every one of the M sub-computations at the beginning of Component 1. An important assumption throughout the analysis will be that at least one of the M sub-computations is untampered.
Notation. In the following theorem, for any λ-tampering adversary A (as defined in Definition 1), we denote by t the maximum number of times A runs the tampered circuit. 
and for (ψ_{fresh,1}, ..., ψ_{fresh,t}) ← Enc_PK(0) fresh encryptions of 0,
We defer the proof of Theorem 3 to the full version.
The Final Construction
Let T^{(2)}(C_s) be our original compiled circuit T^{(1)}(C_s), described in Section 3.1, where Component 1 of T^{(1)}(C_s), which was implemented by tamper-resilient hardware, is replaced with the Component 1 described in Sections 3.2 and 4.
We are now ready to state our main theorem.
The WeakComp1 Hardware Component. We assume the existence of a hardware component WeakComp1, which computes ciphertexts ψ_fresh, ψ_rest and outputs M copies of ψ_rand = ψ_rest ⊕ ψ_fresh, where ψ_rest is an arbitrary "good" encryption of 0 and ψ_fresh is a randomly generated encryption of 0 independent of ψ_rest.
Plugging in WeakComp1. We state the following lemma, which uses the component WeakComp1 defined above in order to obtain a fully tamper-resilient circuit. We defer the proof to the full version.
cas is set to 0. Note that by combining the inputs and outputs of S_1, S_2 we obtain ψ_{rand,1} = ψ_{fresh,1} + ψ_{rest,1}, ..., ψ_{rand,j′−1} = ψ_{fresh,j′−1} + ψ_{rest,j′−1}. Let this sequence of ciphertexts define the input-output behavior of the hardware component WeakComp1. Now, note that by the security properties of Component 1 (see Theorem 3 in Section 4), we are guaranteed that the following two distributions are statistically close:
, ψ_fresh) (where, loosely speaking, a draw from REAL_A corresponds to a setting of the above random variables in a real execution).
To simulate the view of A, we distinguish between two cases: simulating runs of the circuit when i < j′ and simulating runs of the circuit when i ≥ j′. Consider the adversary A_{2,3,4}, which is the adversary A restricted to tampering with only the second, third, and fourth components, and which interacts with T̃^{(1)}(C_s). As noted above, for runs i < j′, the input-output behavior of T^{(2)}(C_s) in the presence of A is identical to the input-output behavior of T̃^{(1)}(C_s) in the presence of A_{2,3,4}, where WeakComp1 is defined as above. Therefore, by the security of T̃^{(1)}(C_s) (see Lemma 1), there exists a simulator Sim for runs i < j′ that simulates the view of A. Finally, for runs i ≥ j′, "self-destruct" has already occurred, and so we can perfectly simulate the view of A as follows: return 0 unless A tampers with the output wire, in which case the circuit returns b if the tamper is "set to b", and returns 1 if the tamper is "toggle". This concludes the proof of Theorem 4.
Extension to Tamper-Resilient Two Party Computation
In this section, we consider a two-party computation setting, where in addition to corrupting parties, an adversary may tamper with the circuits of the honest parties and the messages sent by the honest parties. As usual, we restrict the adversary to tampering with a λ = 1/ poly(k)-fraction of wires, memory gates, and message bits overall.
Our security definition follows the standard ideal/real paradigm, which requires that the view of the (real world) adversary, who may tamper with λ-fraction of wires, memory gates and message bits, can be simulated by a simulator in the ideal world without tampering. We emphasize that the ideal world we consider is the "standard" ideal world, whereas in the real world we allow the adversary tampering power.
We note that we allow both parties a tamper-free input-dependent preprocessing phase, which does not require interaction and can be done individually, offline by each party. This phase allows the parties to prepare their tamper-resilient circuits and place their private inputs in memory, while no tampering occurs.
Our approach is quite simple. We begin with any two-party computation (2-PC) protocol secure against malicious corruptions, whose communication complexity depends only on the security parameter k and not on the size of the circuit computing the functionality. Such a 2-PC protocol can be constructed from any fully homomorphic encryption scheme and succinct argument system (such as universal arguments [46, 3]).
For each party P_b, b ∈ {0,1}, and each round i of the protocol, we consider the circuit Next
, which has the (secret) values x_b and r_b hardwired into it (corresponding to the input and the random coins of party P_b). It takes as input the current transcript TRANS and outputs the next message for party P_b. We run (a slight modification of) our tampering compiler T^{(2)}
) on each such circuit to obtain a circuit which outputs the poly(k)-bit next message for party P_b at round i. By the security guarantees of T^{(2)} (see Theorem 4), the compiled circuit T^{(2)}(Next
) is resilient to a 1/poly(k)-fraction of tampering. Since the total number of such circuits is poly(k), we are ultimately resilient to a λ = 1/poly(k)-fraction of tampering.
This idea does not quite work, since the adversary may tamper with the messages sent between the two parties, which may render the resulting protocol insecure. To get around this, we add signatures to our protocol. Namely, we assume each player is associated with a verification key. This key can be transmitted via an error-correcting code in the beginning of the protocol, and we require that the length of this key be a large enough poly(k) so that an adversary cannot cause this message to decode to a different key (using his tampering budget). Each time a player sends a message, he will sign his message together with the entire transcript so far. Intuitively, each party must sign the entire transcript to protect against a tampering adversary who gets signatures σ 1 , . . . , σ z on z protocol messages m 1 , . . . , m z , and then forwards a transcript to an honest party which is a permutation of the z messages m 1 , . . . , m z .
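The reordering attack described above and the transcript-binding rule that stops it, as an added example in Python; this is not the paper's protocol. HMAC-SHA256 under a key shared by sender and verifier stands in for the public-key signature scheme (an assumption made only so the example runs offline); the length-prefixed encoding and the function names are this example's own choices. The messages are constructed.

```python
import hashlib
import hmac

# Added example, not the paper's protocol: signing only the current message
# versus signing it together with the whole transcript so far. HMAC-SHA256
# stands in for the signature scheme (assumption); the honest party is the
# receiver, the tampering adversary reorders the messages in transit.


def encode(parts):
    """Length-prefixed encoding: transcript bytes cannot be re-split or re-joined."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_message_only(key, msg):
    """Naive rule: each message is signed on its own."""
    return hmac.new(key, encode([msg]), hashlib.sha256).digest()


def sign_with_transcript(key, transcript, msg):
    """The paper's rule: sign the new message together with everything sent so far."""
    return hmac.new(key, encode(list(transcript) + [msg]), hashlib.sha256).digest()


def verify_message_only(key, transcript, msg, tag):
    # The transcript argument is deliberately ignored: this verifier is the weak one.
    return hmac.compare_digest(sign_message_only(key, msg), tag)


def verify_with_transcript(key, transcript, msg, tag):
    return hmac.compare_digest(sign_with_transcript(key, transcript, msg), tag)


def receiver_accepts(key, delivered, verify):
    """Honest party processes the delivered (msg, tag) pairs in the order they
    arrive, rebuilding its own view of the transcript, and rejects on the first
    tag that does not verify."""
    transcript = []
    for msg, tag in delivered:
        if not verify(key, transcript, msg, tag):
            return False
        transcript.append(msg)
    return True


def run(key, msgs):
    """Honest sender signs msgs in order under both rules; the adversary then
    forwards the same signed messages in reversed order (a permutation)."""
    sent_mo, sent_tr, transcript = [], [], []
    for m in msgs:
        sent_mo.append((m, sign_message_only(key, m)))
        sent_tr.append((m, sign_with_transcript(key, transcript, m)))
        transcript.append(m)
    permuted_mo = list(reversed(sent_mo))
    permuted_tr = list(reversed(sent_tr))
    return {
        "in_order_message_only": receiver_accepts(key, sent_mo, verify_message_only),
        "in_order_transcript": receiver_accepts(key, sent_tr, verify_with_transcript),
        "permuted_message_only": receiver_accepts(key, permuted_mo, verify_message_only),
        "permuted_transcript": receiver_accepts(key, permuted_tr, verify_with_transcript),
    }
```

With message-only signatures every permutation of genuinely signed messages is accepted, which is exactly the forwarding attack the text describes; binding each signature to the receiver's reconstruction of the transcript makes the first out-of-order message fail verification. The length prefix matters too: signing a plain concatenation would let an adversary move bytes across message boundaries without changing what is signed.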
Overview of The Model: Tamper-Resilient 2-PC
We consider the setting where two parties P_0, with input x_0, and P_1, with input x_1, interact to compute a functionality f : {0,1}^* × {0,1}^* → {0,1}^* × {0,1}^*, where f = (f_0, f_1). P_0 wishes to obtain f_0(x_0, x_1) and P_1 wishes to obtain f_1(x_0, x_1). In what follows, for the sake of simplicity of notation we assume that f_0 = f_1 = f, though our results extend trivially to the case where f_0 and f_1 differ.
Our security definition follows the ideal/real paradigm. We emphasize that our ideal model is identical to the standard ideal model, while our real model is stronger than the standard real model, since we consider adversaries A who may corrupt one or more of the parties P_0, P_1 and may also behave as a λ-tampering adversary on the honest parties' circuits (which the honest party may prepare via input-dependent pre-processing).
The random variable IDEAL_{f,Sim}(x_0, x_1) is defined as the output of both parties in the ideal execution computing functionality f (where Sim controls the malicious party and chooses its output). If both parties are honest, then IDEAL_{f,Sim}(x_0, x_1) is defined as the output of both parties in the above ideal execution along with the output of Sim.
The random variable REAL_{Π_TAMP,A}(x_0, x_1) is defined as the output of both parties after running Π_TAMP with inputs (x_0, x_1), where the honest party outputs the output of the protocol, and the malicious party controlled by A may output an arbitrary function of its view. If both parties are honest then REAL_{Π_TAMP,A}(x_0, x_1) is defined as the output of both honest parties, together with the output of A, which may be an arbitrary function of its view (i.e., of the transcript).
Achieving Tamper-Resilient 2-PC
Fix any two-party functionality f. We assume the existence of a secure (against active corruptions) two-party protocol Π_MPC(f) for computing f, where the total communication complexity is ℓ(k), where k is the security parameter and ℓ(·) is a fixed polynomial, independent of the size of the circuit which computes the functionality f. It is well known that such a two-party protocol can be constructed from fully homomorphic encryption and CS-proofs.
To simplify our exposition, we construct our protocol in the public key model. Here, each party P_0, P_1 publishes a verification key vksig_0, vksig_1 for a digital signature scheme Π_Sign = (SigGen, Sign, Verify), while storing the corresponding secret key sksig_0, sksig_1. We note that such a protocol in the public key model can easily be converted to a protocol in the standard model. We defer the details to the full version.
Let r denote the number of rounds in the two-party protocol Π_MPC described above. For i ∈ [r] let Next^{0,i}_{STATE} denote the circuit that has the secret state STATE = (x_0, r_0, vksig_0, vksig_1, sksig_0) hardwired into it, where x_0 and r_0 are the input and randomness of party P_0, (vksig_0, sksig_0) are the verification and signing keys of P_0, and vksig_1 is the verification key of P_1
