Private Circuits: Securing Hardware
against Probing Attacks
Yuval Ishai¹*, Amit Sahai², and David Wagner³
¹ Technion — Israel Institute of Technology, yuvali@cs.technion.ac.il
² Princeton University, sahai@cs.princeton.edu
³ University of California, Berkeley, daw@cs.berkeley.edu
Abstract. Can you guarantee secrecy even if an adversary can eavesdrop on your
brain? We consider the problem of protecting privacy in circuits, when faced
with an adversary that can access a bounded number of wires in the circuit. This
question is motivated by side channel attacks, which allow an adversary to gain
partial access to the inner workings of hardware. Recent work has shown that side
channel attacks pose a serious threat to cryptosystems implemented in embedded
devices. In this paper, we develop theoretical foundations for security against
side channels. In particular, we propose several efﬁcient techniques for building
private circuits resisting this type of attack. We initiate a systematic study of the
complexity of such private circuits, and in contrast to most prior work in this area
provide a formal threat model and give proofs of security for our constructions.
Keywords: cryptanalysis, side channel attacks, provable security, secure multi-party
computation, circuit complexity.
1 Introduction
This paper concerns the following fascinating question: Is it possible to maintain se-
crecy even if an adversary can eavesdrop on your brain? A bit more precisely, can we
guarantee privacy when one of the basic assumptions of cryptography breaks down,
namely, when the adversary can gain access to the insides of the hardware that is mak-
ing use of our secrets? We formalize this question in terms of protecting privacy in
circuits, where an adversary can access a bounded number of wires in the circuit. We
initiate the study of this problem and present several efﬁcient techniques for achiev-
ing this new type of privacy. Before describing the model and our contribution in more
detail, we motivate the problem by providing some necessary background.
1.1 Background
Our understanding of cryptography has made tremendous strides in the past three de-
cades, fueled in large part by the success of analysis- and proof-driven design. Most
such work has analyzed algorithms, not implementations: typically one thinks of a
cryptosystem as a black box implementing some mathematical function and implicitly
assumes the implementation faithfully outputs what the function would (and nothing
else). However, in practice implementations are not always a true black box: partial
information about internal computations can be leaked (either directly or through side-
channels), and this may put security at risk.
* Work done in part while at Princeton University.
This difference between implementations and algorithms has led to successful at-
tacks on many cryptographic implementations, even where the underlying algorithm
was quite sound. For instance, the power consumed during an encryption operation or
the time it takes for the operation to complete can leak information about intermediate
values during the computation [26,27], and this has led to practical attacks on smart-
cards. Electromagnetic radiation [34,17,35], compromising emanations [37], crosstalk
onto the power line [38,36], return signals obtained by illuminating electronic equip-
ment [3,36], magnetic ﬁelds [33], cache hit ratios [25,31], and even sounds given off
by rotor machines [24] can similarly give the attacker a window of visibility on internal
values calculated during the computation. Also of interest is the probing attack, where
the attacker places a metal needle on a wire of interest and reads off the value carried
along that wire during the smartcard’s computation [2]. In general, side channel attacks
have proven to be a signiﬁcant threat to the security of embedded devices.
The failure of proof-driven cryptography to anticipate these risks comes from an implicit
assumption in many⁴ currently accepted definitions in theoretical cryptography,
namely, the secrecy assumption. The secrecy assumption states that legitimate partic-
ipants in a cryptographic computation can keep intermediate values and key material
secret during a local computation. For instance, by modeling a chosen-plaintext attack
on the encryption scheme E as an algorithm $A^{E_k}$ with oracle access to $E_k$, we implicitly
assume that the device implementing $E_k$ outputs only $E_k(x)$ on input x, and does
not leak anything else about the computation of $E_k(x)$. Thus the ‘Standard Model’ in
theoretical cryptography often takes the secrecy assumption for granted, but as we have
seen, there are a bevy of ways that the secrecy assumption can fail in real systems.
One possible reaction is to study implementation techniques that ensure the secrecy
assumption will always hold. For instance, we can consider adding large capacitors
to hide the power consumption, switch to dual-rail logic so that power consumption
will be independent of the data, shield the device in a tamper-resistant Faraday cage to
prevent information leakage through RF emanations, and so on. Many such hardware
countermeasures have been proposed in the literature. However, a limitation of such
approaches is that, generally speaking, each such countermeasure must be specially
tailored for the set of side channels it is intended to defeat, and one can only plan a
defense if one knows in advance what side channels an attacker might try to exploit.
Consequently, if the designer cannot predict all possible ways in which information
might leak, hardware countermeasures cannot be counted on to defend reliably against
side channel attacks.
This leaves reason to be concerned that hardware countermeasures may not be
enough on their own to guarantee security. If the attacker discovers a new class of
side channel attacks not anticipated by the system designer, all bets are off. Given the
wide variety of side channel attacks that have been discovered up till now, this seems
like a signiﬁcant risk: As a general rule of thumb, wherever three or four such vulner-
abilities are known, it would be prudent to assume that there may be another, similar
but unknown vulnerability lurking in the wings waiting to be discovered. In particular,
it is hard to predict what other types of side channel pitfalls might be discovered in the
future, and as a result, it is hard to gain confidence that any given implementation will
be free of side channels. This is a “risk of the unknown”, rather than a known risk⁵, and
risks of the unknown are the worst kind of risks to assume. Consequently, the secrecy
assumption seems optimistic, and we submit that hardware countermeasures may not
be the final answer.
⁴ This implicit assumption is definitely not universal. For instance, the field of secure multi-party
computation asks for security even when some parties can be corrupted or observed.
A different possible response is to design algorithms that, when implemented, will
be inherently robust against side channel attacks. For instance, Daemen and Rijmen
proposed replacing each wire of a circuit by two wires, one carrying the original bit
and the other its complement [16]; Messerges proposed “data masking”, where each
value is split into two shares using a 2-out-of-2 secret sharing scheme [28]; Goubin and
Patarin suggested a “duplication” method based on similar methods [22]; and many
other proposals can be found in the literature. However, none of those schemes have
been proven secure, and unsurprisingly, some have since been broken [12,15]. This
experience suggests that the ﬁeld needs to be put on solid theoretical foundations. For
obvious reasons, we would prefer a principled approach that has been proven secure
over an ad-hoc countermeasure.
1.2 Our Contribution
In this paper, we take on this challenge. Working in the context of Boolean circuits, we
show how to implement cryptosystems (or any algorithm) in a way that can tolerate the
presence of a large class of side channel attacks without loss of security. In particular,
we show how to transform any circuit implementing some cryptographic algorithm
into another, larger circuit that implements the same functionality but that will remain
secure even if the attacker can observe up to any t internal bits produced during the
computation within one clock cycle.
As a result, our constructions provide a generic defense against probing attacks.
They are generic in the sense that we defend against a large class of attacks. To defend
against information leakage, we do not need to know how the information might leak;
rather, we only need to predict how much information might leak or at what rate. Our
constructions are also generic in the sense that they apply to any cryptosystem of in-
terest: rather than trying to secure just, say, AES encryption, we show that any circuit
whatsoever can be made robust against probing attacks.
Also, we emphasize that our constructions are provably secure. We develop a for-
mal model of the adversary, propose deﬁnitions of security against probing attacks, and
prove that our constructions meet these deﬁnitions. This puts the ﬁeld on a principled
theoretical footing and removes fears that our proposals might be broken by cryptanal-
ysis.
OUR MODEL. Ideally, we would like to achieve security against an all-powerful at-
tacker, i.e. one that can observe every internal value produced during the computation.
However, this task is generally impossible to achieve, as follows from the impossibil-
ity of obfuscation [4]. Instead, we settle for achieving security against adversaries that
are limited in their power to observe the computation. There are many ways we could
consider limiting the adversary, but in this paper we choose a simple metric: a t-limited
adversary is one that can observe at most t wires of the circuit within a certain time
period (such as during one clock cycle).⁶ We believe this is a reasonable restriction, as
most side channels give the attacker only partial information about the computation.
In particular, in probing attacks the cost of micro-probing equipment is directly related
to the number of needles one can manipulate at one time—a station with five probes
is considerably more expensive than one with only a single probe—and so an attacker
is limited in the number of wires that can be observed at any one time. Consequently,
the value t is a good measure of the cost of a probing attack. We refer the reader to
Section 2 for a more detailed treatment of the model, in particular for the useful case
of stateful circuits which carry state information from one invocation to the next.
⁵ We thank Mark Miller for introducing us to this turn of phrase.

Applies to    | Privacy type  | Size                 | Sec. | Comments
any circuit   | perfect       | O(nt^2)              | §4   | our basic scheme
PRG circuits  | computational | O(nt)                | §6   | only applies to pseudorandom generators
any circuit   | computational | O(nt^2) + Õ(t^3)     | §6   | derandomized version of basic scheme
any circuit   | statistical   | Õ(nt)                | §5   |
any circuit   | statistical   | Õ((w + t)d)          | §5   | layered circuit of width w and depth d
Table 1. A summary of our main results. Here n denotes the size of the original circuit and t
the number of adversarial probes we wish to tolerate. All uses of O() notation hide small constants.
We use Õ() to hide large constants, polylogarithmic factors, or polynomials in a security
parameter.
Our model can be compared to that of Chari, et al., who took a ﬁrst step by ana-
lyzing k-out-of-k secret sharing in a model where the attacker can obtain a noisy view
of all circuit elements [12], with applications to security against power analysis. That
work, however, did not provide security against probing attacks or other side channels
where the attacker can view any t wires of his choosing, and our constructions are quite
different from theirs. Also of relevance are works on exposure-resilient functions and
all-or-nothing transforms (e.g. [9]), which attempt to efﬁciently secure storage (but not
computation) against probing attacks, and work on oblivious RAM (cf. [21]) aimed at
protecting software by hiding the access pattern of a (trusted) CPU.
MPC ON SILICON? There is an interesting relation between the problem we study and
that of secure multi-party computation (MPC). In some sense, our contribution may
be viewed as a novel application of MPC techniques to the design of secure hardware.
We would like to stress, however, that our focus and goals are quite different from the
traditional ones in the MPC literature, and that our main results are not derived from
state-of-the-art results in this area. We refer the reader to Appendix A for a detailed
discussion of the relation between our problem and the MPC problem.
OUR RESULTS. Our basic results are as follows. We show that any circuit with n gates
can be transformed into a circuit of size O(nt^2) that is perfectly secure against all probing
attacks leaking up to t bits at a time (see Section 4). This general transformation
increases circuit size by a factor of O(t^2), but for some specific cryptosystems we can
do better. For PRGs, we can find constructions that yield an O(nt) transformed circuit
size, rather than O(nt^2) (Section 6). Finally, we present statistically private transformations
which significantly improve the asymptotic efficiency of previous constructions,
but whose concrete efficiency becomes better only when t is quite large. See Table 1
for a summary of the main results. Additional results, such as trading circuit size for
increased latency, will be included in the full version of this paper.
⁶ By default, we allow the adversary to adaptively move its t probes between time periods, but
not within a time period. See Section 2 for more details.
We do not know how practical our constructions will be. However, our results al-
ready show that the cost of security is not too high. Since many cryptosystems can be
implemented quite efficiently in hardware (e.g., n ≈ 10^3 or 10^4 gates), and since our
use of big-O() notation typically does not hide any large constants, it seems that se-
curity using our techniques is within the reach of modern systems. We leave a more
thorough performance analysis to others.
2 Deﬁnitions
Circuits. We will examine probing attacks in the setting of Boolean circuits. A de-
terministic circuit C is a directed acyclic graph whose vertices are Boolean gates and
whose edges are wires. We will assume without loss of generality that every gate has
fan-in at most 2 and fan-out at most 3. A randomized circuit is a circuit augmented with
random-bit gates. A random-bit gate is a gate with fan-in 0 that produces a random bit
and sends it along its output wire; the bit is selected uniformly and independently of
everything else afresh for each invocation of the circuit.
The size of a circuit (usually denoted by n) is deﬁned as the number of gates and its
depth is the length of the longest path from an input to an output. We will sometimes
consider a width-w depth-d layered circuit, where the underlying graph is a depth-d
layered graph with at most w wires connecting two adjacent layers.
A stateful circuit is a circuit augmented with memory cells. A memory cell is a
stateful gate with fan-in 1: on any invocation of the circuit, it outputs the previous input
to the gate, and stores the current input for the next invocation. Thus, memory cells
act as delay elements. We extend the usual deﬁnition of a circuit by allowing stateful
circuits to possibly contain cycles, so long as every cycle traverses at least one memory
cell. When specifying a stateful circuit, we must also specify an initial state for the
memory cells. When C denotes a circuit with memory cells and s0 an initial state for
the memory cells, we write C[s0] for the circuit C with memory cells initially ﬁlled
with s0. Stateful circuits can also have external input and output wires. For instance,
in an AES circuit the internal memory cells contain the secret key, the input wires a
plaintext, and the output wires produce the corresponding ciphertext.
We deﬁne two distinct notions of security, for stateless and stateful circuits. While
we view the stateful model as more interesting from an application point of view, the
stateless model is somewhat cleaner and solutions for this model are used as the basis
for solutions for the stateful model.
Privacy for stateful circuits. Let T be an efficiently computable randomized algorithm
mapping a (stateful) circuit C along with an initial state s_0 to a (stateful) circuit C' along
with an initial state s'_0. We say that T is a t-private stateful transformer if it satisfies
soundness and privacy, defined as follows:
SOUNDNESS. The input-output functionality of C initialized with s_0 is indistinguishable
from that of C' initialized with s'_0. This should hold for any sequence of invocations
on an arbitrary sequence of inputs. In other words, C[s_0] and C'[s'_0] are indistinguishable
to an interactive distinguisher.
PRIVACY. We require that C' be private against a t-limited interactive adversary. Specifically,
the adversary is given access to C' initialized with s'_0 as its internal state. Then,
the adversary may invoke C' multiple times, adaptively choosing the inputs based on
the observed outputs. Prior to each invocation, the adversary may fix an arbitrary set of
t internal wires to which it will gain access in that invocation. We stress that while this
choice may be adaptive between invocations, i.e., may depend on the outputs and on
wire values observed in previous invocations, the adversary is assumed to be too slow
to move its probes while the values propagate through the circuit.⁷ To define privacy
against such a t-limited adversary, we require the existence of a simulator which can
simulate the adversary’s view using only black-box access to C', i.e., without having
access to any internal wires.⁸
Note that randomization is vital for stateful transformers, for otherwise it is impossible
to hide the initial state from the adversary. However, apart from the (trusted)
randomized initialization, the circuit C' may be deterministic.
We distinguish between three types of transformers: perfect, statistical, and compu-
tational, corresponding to the quality of indistinguishability in the soundness require-
ment and the type of emulation provided by the simulator. For the latter two types of
security, we assume that T is also given a security parameter k in terms of which the
indistinguishability is deﬁned and the complexity of T is measured.
Privacy for stateless circuits. In contrast to the stateful case, where inputs and outputs
are considered public and it is only the internal state that is hidden, privacy for stateless
circuits should keep both inputs and outputs hidden in every invocation. To make this
possible, we allow the use of a randomized input encoder I and an output decoder O, a
pair of circuits whose internal wires cannot be probed by the adversary. Both I and O
should be independent of the circuit C being transformed, and will typically require a
small number of gates to compute. Thus, they may be thought of as being implemented
by expensive tamper-resistant hardware components. A private stateless transformer
can now be deﬁned similarly to the stateful case.
Let T be an efficiently computable deterministic function mapping a stateless circuit
C to a stateless circuit C', and let I, O be as above. We say that (T, I, O) is a t-private
stateless transformer if it satisfies soundness and privacy, defined as follows:
SOUNDNESS. The input-output functionality of O ∘ C' ∘ I (i.e., the iterated application of
I, C', O in that order) is indistinguishable from that of C. Note that in the deterministic
case this implies functional equivalence.
PRIVACY. We require that the view of any t-limited adversary, which attacks O ∘ C' ∘ I
by probing at most t wires in C', can be simulated from scratch, i.e. without access to
any wire in the circuit. As in the stateful case, the identity of the probed wires has to be
chosen in advance by the adversary.
⁷ Most of our constructions are in fact secure even against a fully adaptive adversary, that can
also move its probes within an invocation, as long as the total number of probes in each invocation
does not exceed t.
⁸ In a case where C is randomized, the adversary’s view should be simulated jointly with the
circuit’s outputs. This is necessary to capture information learned about the outputs.
3 Perfect Privacy for Stateless Circuits
In this section we present our ﬁrst construction for protecting privacy in stateless cir-
cuits. In the next section we will show how to use this to achieve protection for the more
useful model of stateful circuits, where the contents of memory are to be protected.
Similarly to interactive protocols for secure multi-party computation (e.g., [6,20]),
our construction makes use of a simple secret-sharing scheme. The new twist in the
circuit setting is that the atomic unit of information observable by the adversary is any
intermediate computation rather than an entire party in the protocol setting. We achieve
our result through a careful choice of intermediate computations, which allows us to
obtain privacy without losing efﬁciency. The constants involved in the result we present
here are quite small, and this construction may be of practical value. We now establish:
Theorem 1. There exists a perfectly t-private stateless transformer (T, I, O) such that
T maps any stateless circuit C of size n and depth d to a randomized stateless circuit
of size O(nt^2) and depth O(d log t).
Proof. For simplicity, we focus on the case that C is deterministic. We start by describing
the construction of the transformer (T, I, O). Let⁹ m = 2t.
INPUT ENCODER I: Each binary input x is mapped to m + 1 binary values: First, m
random binary values r_1, ..., r_m are chosen using m random-bit gates. The encoding
is then these m random values together with $r_{m+1} = x \oplus r_1 \oplus \cdots \oplus r_m$. The circuit I
computes the encoding of each input bit independently in this way.
OUTPUT DECODER O: Corresponding to each output bit of C will be m + 1 bits
y_1, ..., y_{m+1} produced by T(C). The associated output bit of C computed by O will
be $y_1 \oplus \cdots \oplus y_{m+1}$.
CIRCUIT TRANSFORMER T: Assume without loss of generality that the circuit C consists
of only NOT and AND gates. We will construct a transformed circuit C', maintaining
the invariant that corresponding to each wire in C will be m + 1 wires in C'
carrying an additive (m + 1)-out-of-(m + 1) secret sharing of the value on that wire of C.
The circuit C' is obtained by transforming the gates of C as follows.
For a NOT gate acting on a wire w, we merely take the m + 1 wires w_1, ..., w_{m+1}
associated with w in C', and put a NOT gate on w_1.
Consider an AND gate in C with inputs a, b and output c. In C', we will have
corresponding wires a_1, ..., a_{m+1} and b_1, ..., b_{m+1}. Recall that $a = \sum_i a_i \bmod 2$
and $b = \sum_i b_i \bmod 2$. Thus $c = (a \text{ AND } b) = \sum_{i,j} a_i b_j \bmod 2$. The difficulty is
in computing shares of c by grouping together elements from the summation so that t
intermediate values do not reveal any information to the adversary. We now describe our
technique for doing so: In the transformation of this gate, we first compute intermediate
values z_{i,j} for i ≠ j. For each 1 ≤ i < j ≤ m + 1, we introduce a random-bit gate
producing a random bit z_{i,j}. Then we compute $z_{j,i} = (z_{i,j} \oplus a_i b_j) \oplus a_j b_i$. Note that
individually each z_{i,j} is distributed uniformly, but any pair z_{i,j} and z_{j,i} depend on a_i,
a_j, b_i, and b_j. Now, we compute the output bits c_1, ..., c_m in C' of this AND gate in C
as
$$c_i = a_i b_i \oplus \bigoplus_{j \neq i} z_{i,j}.$$
In this way, each AND gate in C is expanded to a “gadget” of O(m^2) gates in C',
and the gadgets in C' are connected in the same way that the AND gates of C are
connected. The resulting circuit, call it C', is the transformed version of C produced by
T: i.e., we define T(C) = C', with C' as above. This completes the description of T.
⁹ Note that there is a way to slightly modify this construction which requires m = t instead of
m = 2t. See below.
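As an added example (not code from the paper), the gadget just described in Python together with the encoder I and decoder O, plus an exhaustive probing check: every internal wire of the gadget is given a name, all random bits are enumerated, and any set of t wires whose joint distribution depends on the secret inputs a, b is reported. The function and wire names are this example's own choices, and share indices run 0..m rather than 1..m+1.

```python
"""Constructed example (not the paper's code): the ISW AND gadget with additive
(m+1)-of-(m+1) XOR shares, plus an exhaustive t-probe leakage check.
Indices here run 0..m, so wire "a0b1" is the paper's a_1 b_2 and "z01" is z_{1,2}."""
from collections import Counter
from functools import reduce
from itertools import combinations, product
from operator import xor
import secrets


def encode(x, m, rnd):
    """Input encoder I: m random bits r_1..r_m plus r_{m+1} = x xor r_1 xor ... xor r_m."""
    r = [rnd() for _ in range(m)]
    return r + [x ^ reduce(xor, r, 0)]


def decode(shares):
    """Output decoder O: XOR of all m+1 shares."""
    return reduce(xor, shares, 0)


def not_gadget(w):
    """NOT gate: negate share w_1 only; the other shares pass through unchanged."""
    return [w[0] ^ 1] + w[1:]


def and_gadget(a, b, rnd, wires):
    """The paper's AND gadget. Every internal wire is appended to `wires` as
    (name, value) in evaluation order, so a probing adversary can be modelled."""
    n, z = len(a), {}
    for i in range(n):
        for j in range(i + 1, n):
            z[i, j] = rnd()                        # fresh random bit z_{i,j}, i < j
            u = z[i, j] ^ (a[i] & b[j])            # z_{i,j} xor a_i b_j
            z[j, i] = u ^ (a[j] & b[i])            # z_{j,i} = (z_{i,j} xor a_i b_j) xor a_j b_i
            wires += [(f"z{i}{j}", z[i, j]), (f"a{i}b{j}", a[i] & b[j]),
                      (f"z{i}{j}^a{i}b{j}", u), (f"a{j}b{i}", a[j] & b[i]),
                      (f"z{j}{i}", z[j, i])]
    c = []
    for i in range(n):
        acc = a[i] & b[i]                          # c_i = a_i b_i xor (XOR over j != i of z_{i,j}),
        wires.append((f"a{i}b{i}", acc))           # accumulated one term at a time
        for j in range(n):
            if j != i:
                acc ^= z[i, j]
                wires.append((f"c{i}_upto_j{j}", acc))
        c.append(acc)
    return c


def sound(m):
    """Soundness: decoding the gadget outputs gives a AND b (and NOT x) for every input."""
    rnd = lambda: secrets.randbits(1)
    ands = all(decode(and_gadget(encode(a, m, rnd), encode(b, m, rnd), rnd, [])) == (a & b)
               for a in (0, 1) for b in (0, 1))
    nots = all(decode(not_gadget(encode(x, m, rnd))) == 1 - x for x in (0, 1))
    return ands and nots


def wire_traces(m, a_bit, b_bit):
    """Enumerate ALL randomness (2m encoder bits plus C(m+1, 2) gadget bits) and
    return the wire names and, per random tape, the full vector of wire values."""
    n_rand = 2 * m + (m + 1) * m // 2
    names, traces = [], []
    for tape in product((0, 1), repeat=n_rand):
        src = iter(tape)
        wires = []
        sa = encode(a_bit, m, lambda: next(src))
        sb = encode(b_bit, m, lambda: next(src))
        wires += [(f"a{i}", v) for i, v in enumerate(sa)]  # the shares themselves
        wires += [(f"b{i}", v) for i, v in enumerate(sb)]  # are probeable wires too
        and_gadget(sa, sb, lambda: next(src), wires)
        names = [name for name, _ in wires]
        traces.append(tuple(v for _, v in wires))
    return names, traces


def leaking_probe_sets(m, t):
    """Return every set of t wires whose joint distribution differs between two
    secret inputs (a, b); an empty list means t probes learn nothing about a, b."""
    per_input = {ab: wire_traces(m, *ab) for ab in product((0, 1), repeat=2)}
    names, leaks = per_input[0, 0][0], []
    for idx in combinations(range(len(names)), t):
        dists = set()
        for _, traces in per_input.values():
            cnt = Counter(tuple(tr[k] for k in idx) for tr in traces)
            dists.add(tuple(sorted(cnt.items())))
        if len(dists) > 1:                         # distribution depends on (a, b)
            leaks.append(tuple(names[k] for k in idx))
    return leaks


if __name__ == "__main__":
    print("sound for m = 2:", sound(2))
    print("m = 2t = 2, single-probe leaks:", leaking_probe_sets(2, 1))
    print("m = 1 (two shares), a leaking probe pair:", leaking_probe_sets(1, 2)[0])
```

With m = 2t = 2 the check finds no single wire whose distribution depends on (a, b), which is the t = 1 case of the simulation argument below; with a plain 2-out-of-2 sharing (m = 1) it reports pairs such as (a0, a1), which together reveal a outright.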
Clearly, this construction preserves the functionality of the original circuit. To prove
t-privacy, we must show how to simulate the view of the t-limited adversary without
knowing the input values for C. The simulation will proceed by running the adversary,
and providing it with answers to its t queries. We will show that the distribution of
answers our simulation provides is identical to the distribution the adversary would
obtain in a real attack on C'.
The simplest description of the simulator is just this: Answer all adversary queries
based on the evaluation of the circuit C' when fed uniform and independent bits as
input. In order to prove that this simulation works, we give a different description of
the simulator. We first describe the simulator for a circuit C consisting of a single AND
gate, and then extend the proof and simulation to the general case.
SIMULATION FOR A SINGLE GATE. Let C' be the transformed circuit, consisting of a
single gadget, with input wires {a_i} and {b_i}, and outputs {c_i}. Recall that in a true
evaluation of C', the a_i’s and b_i’s are additive secret shares with the property that any m
shares from the a_i’s are distributed as uniform independent random bits, and similarly
for the b_i’s. We will argue that a perfect simulation of the adversary’s query responses
is possible based on knowledge of m or fewer shares from the a_i’s and the b_i’s. Since
such a collection of shares is distributed uniformly, this will establish our result.
Suppose an adversary corrupts wires w_1, ..., w_t in C'. We will define a set I ⊆
[m + 1] of indices such that the joint distribution of values assigned to the wires w_h
(for any specific inputs a and b to the original circuit C) can be perfectly and efficiently
simulated given the values of $a|_I := (a_i)_{i \in I}$ and $b|_I$. As mentioned above, the values
$a|_I$ and $b|_I$, in turn, can be perfectly simulated by picking them uniformly and independently
at random, as long as |I| ≤ m. Hence, it suffices to describe a procedure for
constructing the set I and simulating the values of the t corrupted wires w_h given $a|_I$
and $b|_I$. We describe such a procedure now.
1. Initially, I is empty and all w_h are unassigned.
2. For every wire w_h of the form a_i, b_i, a_i b_i, z_{i,j} (for any i ≠ j), or a sum of values
of the above form (including c_i as a special case), add i to I. Note that this covers
all wires in C' except for wires corresponding to a_i b_j or $z_{i,j} \oplus a_i b_j$ for some i ≠ j.
For such wires, add both i and j to I.¹⁰
3. Now that the set I has been determined—and note that since there are at most t
wires w_h, the cardinality of I can be at most m = 2t—we show how to complete
a perfect simulation of the values on w_h using only the values $a|_I$ and $b|_I$. Assign
values to the z_{i,j} as follows:
- If i ∉ I (regardless of j), then z_{i,j} does not enter into the computation for any
w_h. Thus, its value can be left unassigned.
- If i ∈ I, but j ∉ I, then z_{i,j} is assigned a random independent value. Analysis:
Note that if i < j this is what would have happened in the real circuit
C'. If i > j, however, we are making use of the fact that by construction, z_{j,i}
will never be used in the computation of any w_h. Hence we can treat z_{i,j} as a
uniformly random and independent value.
- If both i ∈ I and j ∈ I, then we have access to a_i, a_j, b_i, and b_j. Thus, we
compute z_{i,j} and z_{j,i} exactly as they would have been computed in the actual
circuit C'; i.e., one of them (say z_{j,i}) is assigned a random value and the other
z_{i,j} is assigned $z_{j,i} \oplus a_i b_j \oplus a_j b_i$.
4. For every wire w_h of the form a_i, b_i, a_i b_i, z_{i,j} (for any i ≠ j), or a sum of values
of the above form (including c_i as a special case), we know that i ∈ I, and all the
needed values of z_{i,j} have already been assigned in a perfect simulation. Thus, w_h
can be computed in a perfect simulation.
5. The only types of wires remaining are w_h = a_i b_j or w_h = $z_{i,j} \oplus a_i b_j$. But by Step
2, both i, j ∈ I, and by Step 3, z_{i,j} has been assigned, thus the value of w_h can be
simulated perfectly.
6. Note that all c_i values for i ∈ I can be simulated perfectly by the argument above.
This completes the simulation and the argument of correctness.
SIMULATION FOR A GENERAL CIRCUIT. The simulation for a general transformed
circuit C' proceeds very similarly to the above. First, examining each gadget g in C',
we compute the set I. Note that since a total of t wires can be corrupted throughout
the circuit C', the size of the set I will still be bounded by m. Next we perform the
simulation as above, working our way from the inputs of C' to the outputs. Note that
by the observation in Step 6 above, we maintain the invariant that for each gadget g,
the shares of the inputs to g with indices belonging to I are perfectly simulated. Thus,
inductively, the values of all corrupted wires in C' are simulated perfectly.
RE-RANDOMIZED OUTPUTS. We observe that as long as every output of C' has passed
through one AND gadget (if this is not the case, we can artificially AND an output bit
with itself), then for each original output bit, the encoded outputs are m-wise independent
even given the entire encoding of the inputs. This can be used to prove that the
construction is in fact secure against a stronger type of adversary who may observe at
most t' wires in each gadget, where t' = Ω(t).¹¹
¹⁰ We note that by changing the construction slightly, namely by computing (a_i + r)b_j and rb_j
where r is a fresh random value, we could have avoided increasing I by 2 indices (rather than
just 1) for any single wire observed by the adversary. This would have allowed us to choose
m = t rather than m = 2t as we have chosen now.
IMPROVEMENT IN RANDOMNESS USE. In the conference proceedings version of this
paper, it was incorrectly¹² claimed that the same randomness (i.e., the choices of z_{i,j}
for i < j) could be used in all the gadgets of the above construction, reducing the
number of random bits to O(t^2). Instead, the randomness complexity can be reduced to
poly(t, log|C|) by following the approach of [11] for reducing the randomness complexity
in MPC protocols via limited independence. Concretely, this is done by first
modifying the above construction of C' so that the values of any t wires in C' depend
on at most ℓ = poly(t) randomness gates. Then, the O(|C'|) randomness gates can be
emulated by a “locally random” low entropy source obtained by taking the exclusive-or
of t + 1 independent outputs of an ℓ-wise independent pseudorandom generator. We
leave open the question of obtaining tighter bounds on the randomness complexity of
private circuits.
UNPROTECTED INPUTS AND OUTPUTS. We have described the construction above for
protecting all inputs and outputs. It is easy to modify the construction so that certain
inputs and outputs are unencoded, and may be observed by both the adversary and the
simulator. This is useful in the stateful model, discussed next.
4 Perfect Privacy for Stateful Circuits
In this section we show how to achieve privacy in the stateful model, as deﬁned in
Section 2. This model is perhaps much more natural and realistic than the stateless
model we considered in the previous section; however, as we show below, achieving
privacy in this model is easy once privacy has been achieved in the stateless model.
Our goal is to transform a stateful circuit C into a t-private stateful circuit C' by
using a privacy transformer for the stateless case. We now describe the construction.
Recall that a stateless privacy transformer must encode the input in some way; we assume
that the output is encoded using the same encoding. We also assume that the
stateless transformer enjoys the re-randomized outputs property, namely that the output
encoding for each original output bit is t-wise independent even given all encodings of
input bits. Let us refer to the encoding of the stateless transformer as E_t(x), where t is
the privacy threshold of the stateless transformer, and x is the input being transformed.
We represent each memory cell in C using the same representation. Relying on our
stateless transformer as a building block, a stateful transformer T = (T_C, T_s) can proceed
as follows. The memory x of C is stored in C' in encoded form E_{2t}(x).¹³ C' will
work by considering the transformed memory E_{2t}(x) as an input to the original circuit
C, which is transformed using the stateless 2t-privacy transformation. We also modify
C so that the next state of the memory is always an output. Then, these encoded outputs
are fed back into memory for the next clock cycle. The regular inputs and outputs of C
are unprotected, and need not be encoded. This completes the description of T_C.
¹¹ The ratio between t and t' depends on the maximal fan-out of C (which we fixed to 3 by
default). This dependence can be eliminated by slightly modifying the construction.
¹² We thank Jean-Sebastien Coron for pointing out this error.
¹³ Note that the use of 2t as a threshold is critical, since the adversary could observe t bits of the
inputs to the memory at the end of one clock cycle, and then another t bits of the outputs of the
memory in the next clock cycle; in this way the adversary would observe 2t bits of the state of
the memory.
A simulation argument proving the correctness of this transformer proceeds very similarly to the stateless case analyzed above. In fact, a sequence of invocations of a stateful circuit may be unwound into a larger stateless circuit with an equivalent functionality. Here, the initial state is viewed as a hidden input, and the final state as a hidden output. Thus, the security proof for the stateful case essentially reduces to that of the stateless case.¹⁴ In the "unwound" circuit, the adversary can corrupt up to t wires in each of the concatenated circuits Q produced by the stateless transformation. The simulation proof proceeds exactly as before; the additional corruptions do not obstruct the proof because of the re-randomization property: the outputs of one Q are t-wise independent conditioned on all the values of the inputs to Q; thus, in order to provide a full joint simulation of the entire unwound circuit, we need only be able to recover a bounded set of inputs from each component Q. To summarize, we have shown:
Theorem 2. There exists a perfectly t-private stateful circuit transformer which maps any stateful circuit C of size n and depth d to a randomized stateful circuit of size O(nt²) and depth O(d log t).
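To make the stateful transformer T = (T_C, T_s) concrete, here is an added Python sketch (not code from the paper) of one clock cycle of C' on a toy one-bit stateful circuit. The stateless building block is assumed to be an additive-sharing transformer in the ISW style (share-wise XOR and NOT, an AND gadget with fresh randomness), which is not reproduced from the paper; 2t+1 additive shares stand in for the E_{2t} encoding of the memory, the unprotected input enters as the trivial sharing (x, 0, ..., 0) as allowed for unencoded inputs above, the next state is re-randomized before it is fed back (the re-randomized outputs property), and the public output is decoded by XORing its shares. The toy circuit, all names and all parameters are constructed for this example.

```python
import random


def xor_all(shares):
    """XOR of a list of bits (decodes an additive sharing)."""
    acc = 0
    for b in shares:
        acc ^= b
    return acc


def share(bit, n, rng):
    """Encoding E(bit) as n additive (XOR) shares; assumed ISW-style block, not the paper's exact encoding."""
    s = [rng.randrange(2) for _ in range(n - 1)]
    s.append(bit ^ xor_all(s))
    return s


def public_input(bit, n):
    """Unprotected inputs are not encoded: the trivial sharing (bit, 0, ..., 0) feeds the share-wise circuit."""
    return [bit] + [0] * (n - 1)


def xor_gadget(a, b):
    return [x ^ y for x, y in zip(a, b)]


def not_gadget(a):
    return [a[0] ^ 1] + a[1:]


def and_gadget(a, b, rng):
    """AND on shares with fresh randomness (standard ISW multiplication gadget); outputs come out re-randomized."""
    n = len(a)
    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rng.randrange(2)
            r[j][i] = r[i][j] ^ (a[i] & b[j]) ^ (a[j] & b[i])
    c = []
    for i in range(n):
        ci = a[i] & b[i]
        for j in range(n):
            if j != i:
                ci ^= r[i][j]
        c.append(ci)
    return c


def refresh(a, rng):
    """Re-randomized outputs property: add a fresh sharing of 0 so the fed-back encoding is independent of the inputs."""
    return xor_gadget(a, share(0, len(a), rng))


def ref_step(m, x):
    """Toy stateful circuit C (constructed for this example): output m AND x, next state NOT(m XOR x)."""
    return m & x, (m ^ x) ^ 1


def transformed_step(state_shares, x, rng):
    """One clock cycle of C': C's wiring on shares; the next state is an encoded output that is fed back."""
    xs = public_input(x, len(state_shares))
    out_shares = and_gadget(state_shares, xs, rng)
    next_shares = refresh(not_gadget(xor_gadget(state_shares, xs)), rng)
    return xor_all(out_shares), next_shares  # public output decoded, memory stays encoded


def run(inputs, init_state, t, seed=1):
    """T_s stores the initial state as 2t+1 shares (assumption realizing the 2t threshold of footnote 13)."""
    rng = random.Random(seed)
    memory = share(init_state, 2 * t + 1, rng)
    outs = []
    for x in inputs:
        y, memory = transformed_step(memory, x, rng)
        outs.append(y)
    return outs


def run_reference(inputs, init_state):
    """The unprotected circuit C, for comparison."""
    m, outs = init_state, []
    for x in inputs:
        y, m = ref_step(m, x)
        outs.append(y)
    return outs


def check_gadgets(n=5, trials=200, seed=7):
    """Each gadget decodes to the plain boolean operation on random sharings."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.randrange(2), rng.randrange(2)
        sa, sb = share(a, n, rng), share(b, n, rng)
        ok = (xor_all(and_gadget(sa, sb, rng)) == (a & b)
              and xor_all(xor_gadget(sa, sb)) == (a ^ b)
              and xor_all(not_gadget(sa)) == (a ^ 1)
              and xor_all(refresh(sa, rng)) == a)
        if not ok:
            return False
    return True


if __name__ == "__main__":
    xs = [1, 0, 1, 1, 0, 0, 1]
    print(check_gadgets(), run(xs, 1, t=2) == run_reference(xs, 1))
```

The point of footnote 13 is visible in `run`: the shares written back at the end of one cycle are exactly the shares read at the start of the next, so an adversary probing t of them in each of the two cycles sees 2t shares of the same encoding, which is why the memory needs 2t+1 shares rather than t+1.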
5 Statistically Private Transformers
In this section we obtain statistically-private transformers which improve the previous
constructions when the privacy threshold t is large. For the description and analysis
of these transformers, it is convenient to rely on the following notion of average-case
security.
Definition 1. A circuit transformer T = T(C, k) is said to be (statistically) p-private in the average case if C' = T(C, k) is statistically private against an adversary which corrupts each wire in C' with independent probability p. That is, the joint distribution of the random set of corrupted wires and the values observed by the adversary can be simulated up to a k^{−ω(1)} statistical distance.
We note that a p-adversary as above is roughly the same as an adversary that corrupts a uniformly random subset of p|C'| wires in C'. Intuitively, average-case privacy in this sense should be easier to realize than the standard (worst-case) notion of privacy. Indeed, the circuit transformer from the previous section with k additive shares (i.e., m = k) is perfectly private with respect to any adversary corrupting k/4 wires in each gadget. It follows that the view of an adversary corrupting each wire with probability, say, 1/(10k) can be perfectly simulated except with negligible failure probability. Thus, we have:
Lemma 1. There exists a circuit transformer T(C, k) producing a circuit C' of size O(k²|C|), such that T is Ω(1/k)-private in the average case.
In contrast, achieving worst-case privacy against an adversary corrupting Ω(|C'|/k) of the wires in C' appears to be much harder; in particular, the constructions from the previous section are very far from achieving this when |C'| ≫ k. The key idea underlying the asymptotic improvements in this section is the following reduction from worst-case privacy to average-case privacy.
¹⁴ One technical difference between the two models is that the inputs and outputs in the stateful model are known to the adversary. However, these values are given to the simulator "for free" and can thus be easily incorporated into the simulation.
We start with an efficient circuit transformer T guaranteeing p-privacy in the average case. We then transform its output C' = T(C, k) into a larger circuit C̃', which in a sense may be viewed as a "sparse" implementation of C'. The circuit C̃' will carry out the same computation performed by C' in essentially the same way, but will effectively utilize only a small random subset of its wires; all remaining wires of C̃' will be independent of the inputs and thus rendered useless to the adversary. We stress that the subset of useful wires in C̃' will only be determined during the invocation of C̃' and will therefore be independent of the set of corrupted wires. Hence, for an appropriate choice of parameters, the (worst-case) t-privacy of C̃' will reduce to the average-case p-privacy of C'.
We will describe two distinct instantiations of the above approach. The first is somewhat simpler, but incurs an Õ(t) · k^{O(1)} multiplicative blowup to the circuit size (see Remark 1). When t ≫ k, this already provides an asymptotic improvement over the previous solutions, which incur an O(t²) overhead. In the second construction, which is only sketched in this abstract, we manage to avoid the dependence on t by amortizing it over multiple gates.
Both instantiations make use of sorting networks as a building block. A sorting network is a layered circuit from ℓ integer-valued input wires to ℓ integer-valued output wires, which outputs its input sequence in sorted order. The internal gates in a sorting network are of a very special type: each such gate, called a comparator, has two inputs and two outputs and returns its pair of inputs in sorted order. The celebrated AKS network [1] achieves the optimal parameters of O(ℓ log ℓ) size and O(log ℓ) depth. However, in terms of practical efficiency it is preferable to use simpler sorting networks, such as Batcher's [5], whose slightly inferior asymptotic complexity (O(ℓ log² ℓ) size and O(log² ℓ) depth) hides much smaller constants.
A gate-by-gate approach. Our initial construction transforms the circuit C' = T(C, k) to a circuit C̃' as follows. With each wire i of C' there are ℓ wires of C̃' labeled (i,1), …, (i,ℓ), where the parameter ℓ will be determined later. It is convenient to assume that these wires can carry ternary values from the set {0, 1, $}. The execution of C̃' will maintain the following invariant relative to an execution of C': if wire i of C' carries a value v_i ∈ {0,1}, then the wires (i,1), …, (i,ℓ) will carry the value v_i in a random position (independently of other ℓ-tuples) and the value $ in the remaining ℓ − 1 positions. This property can be easily initialized at the input level by appropriately defining the input encoder of C̃'. Similarly, the output decoder of C̃' can be easily obtained from that of C'.
It remains to describe how to emulate a gate of C' while maintaining the above invariant. Suppose that v_i = v_{i1} ∗ v_{i2}, i.e., the value of wire i in C' is obtained by applying some commutative boolean operation '∗' to the values of wires i1, i2. We replace this gate in C' with a 2ℓ-input, ℓ-output gadget in C̃', which first routes the values v_{i1}, v_{i2} to two random but adjacent positions, and then combines them to form the output. One should be careful, however, to implement this computation so that even by observing intermediate values, the adversary will not be able to learn more values v_i than it is entitled to. Such an implementation for a gadget is given below.
PREPROCESSING. Let r, r_1, …, r_ℓ be ℓ+1 uniformly random and independent integers from the range [0, 2^k]. For each 1 ≤ j ≤ ℓ, use the values v_{i1,j}, v_{i2,j} (of wires (i1, j) and (i2, j)) to form a pair (key_j, val_j) such that: (1) key_j is set to r_j if v_{i1,j} = v_{i2,j} = $ and to r otherwise; (2) val_j is set to $ if both v_{i1,j}, v_{i2,j} are $, to a bit value b if one of v_{i1,j}, v_{i2,j} is b and the other is $, and to b_1 ∗ b_2 if v_{i1,j} = b_1 and v_{i2,j} = b_2.
SORTING. A sorting network is applied to the above ℓ-tuple of pairs using key as the sorting key. Let (u_1, …, u_ℓ) denote the ℓ-tuple of symbols val_j sorted according to the keys key_j.
POSTPROCESSING. The jth output v_{i,j} is obtained by looking at u_j, u_{j+1}, u_{j+2}: if u_j, u_{j+1} ≠ $ then v_{i,j} = u_j ∗ u_{j+1}; if u_j = u_{j+2} = $ and u_{j+1} ≠ $ then v_{i,j} = u_{j+1}; and otherwise v_{i,j} = $.
Note that each such gadget can be implemented by a circuit of size Õ(ℓk) and depth poly(log ℓ + log k).
To complete the description of C̃', we describe a (simpler) gadget replacing each random-bit gate z in C'. As in the gate gadget, the random-bit gadget has ℓ inputs and ℓ outputs. The jth input is a random bit z_j. A random selector r ∈ [ℓ] is used for determining which z_j will appear in the output. Specifically, the jth output is set to z_j if r = j and to $ otherwise. The cost of implementing this gadget is smaller than that of the gate gadget. Hence, the entire circuit C̃' has size Õ(ℓkn) and depth comparable to that of C' (up to polylog factors).
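As an added executable illustration (not the paper's code), the Python below emulates the gadgets just described: the input encoder, the PREPROCESSING, SORTING and POSTPROCESSING steps of the gate gadget, the random-bit gadget and the output decoder, and uses them to evaluate a small constructed circuit (3-input majority) gate by gate. Assumptions made here: indices in POSTPROCESSING wrap cyclically so that an isolated value at either end of the list is not lost; the sorting network is replaced by an ordinary stable sort (the comparator network matters for an oblivious hardware layout, not for the sorted result); and keys are drawn from [0, 2^k) with k = 64 so that a collision r_j = r, which could put a $ entry between the two routed values and break adjacency, is negligible. The `position_histogram` function checks empirically the fact the proof of Lemma 2 relies on: a fixed output wire of a gadget carries a useful value with probability about 1/ℓ.

```python
import random

DOLLAR = "$"  # the "useless" symbol; wires carry 0, 1 or $
AND = lambda x, y: x & y
XOR = lambda x, y: x ^ y


def encode(v, l, rng):
    """Input encoder of the sparse circuit: v at a uniformly random one of l positions, $ elsewhere."""
    pos = rng.randrange(l)
    return [v if j == pos else DOLLAR for j in range(l)]


def decode(tup):
    """Output decoder: the single non-$ entry is the wire's value (raises if the invariant is broken)."""
    vals = [x for x in tup if x != DOLLAR]
    if len(vals) != 1:
        raise ValueError("sparse invariant violated: %r" % (tup,))
    return vals[0]


def preprocess(a, b, key_r, keys_rj, op):
    """PREPROCESSING: (key_j, val_j); real values share the key r, pure-$ slots get their own r_j."""
    pairs = []
    for j, (x, y) in enumerate(zip(a, b)):
        if x == DOLLAR and y == DOLLAR:
            pairs.append((keys_rj[j], DOLLAR))
        elif x == DOLLAR:
            pairs.append((key_r, y))
        elif y == DOLLAR:
            pairs.append((key_r, x))
        else:
            pairs.append((key_r, op(x, y)))  # both inputs already sit in the same slot
    return pairs


def sort_by_key(pairs):
    """SORTING: hardware uses a comparator network (Batcher/AKS); a stable sort yields the same order."""
    return [val for _, val in sorted(pairs, key=lambda p: p[0])]


def postprocess(u, op):
    """POSTPROCESSING with cyclic indices (assumption): combine an adjacent pair, pass an isolated value."""
    l = len(u)
    out = []
    for j in range(l):
        u0, u1, u2 = u[j], u[(j + 1) % l], u[(j + 2) % l]
        if u0 != DOLLAR and u1 != DOLLAR:
            out.append(op(u0, u1))
        elif u0 == DOLLAR and u2 == DOLLAR and u1 != DOLLAR:
            out.append(u1)
        else:
            out.append(DOLLAR)
    return out


def gate_gadget(a, b, op, k, rng):
    """2l-input, l-output gadget for one gate v_i = v_i1 * v_i2 of C', with fresh k-bit keys."""
    assert len(a) == len(b) >= 3
    key_r = rng.randrange(1 << k)
    keys_rj = [rng.randrange(1 << k) for _ in a]  # r_j == r happens w.p. about l/2^k and can break adjacency
    return postprocess(sort_by_key(preprocess(a, b, key_r, keys_rj, op)), op)


def random_bit_gadget(l, rng):
    """Random-bit gadget: l random bits in, a selector r in [l] keeps one, the other slots become $."""
    z = [rng.randrange(2) for _ in range(l)]
    r = rng.randrange(l)
    return [z[j] if j == r else DOLLAR for j in range(l)]


def majority3_sparse(a, b, c, l, k, rng):
    """Emulate C' computing MAJ(a,b,c) = ab xor bc xor ac gate by gate on the sparse representation."""
    ea, eb, ec = (encode(v, l, rng) for v in (a, b, c))
    ab = gate_gadget(ea, eb, AND, k, rng)
    bc = gate_gadget(eb, ec, AND, k, rng)
    ac = gate_gadget(ea, ec, AND, k, rng)
    return decode(gate_gadget(gate_gadget(ab, bc, XOR, k, rng), ac, XOR, k, rng))


def selftest(l=8, k=64, trials=200, seed=3):
    """The sparse emulation agrees with the plain circuit on random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b, c = (rng.randrange(2) for _ in range(3))
        if majority3_sparse(a, b, c, l, k, rng) != ((a & b) ^ (b & c) ^ (a & c)):
            return False
        if decode(random_bit_gadget(l, rng)) not in (0, 1):
            return False
    return True


def position_histogram(trials, l, k, seed):
    """Where the useful output of an AND gadget lands: each fixed wire is useful w.p. O(1/l)."""
    rng = random.Random(seed)
    hist = [0] * l
    for _ in range(trials):
        out = gate_gadget(encode(1, l, rng), encode(1, l, rng), AND, k, rng)
        hist[out.index(1)] += 1  # AND of two 1s is the lone non-$ entry
    return hist


if __name__ == "__main__":
    print("emulation correct:", selftest())
    print("useful-position histogram:", position_histogram(2000, 8, 64, 5))
```

Note what the emulation does and does not show: correctness of the routing and the uniform spread of the useful position follow from the code, while the statistical t-privacy of Lemma 2 additionally depends on the intermediate val entries never holding a combination of two useful values, which is exactly what `preprocess` guarantees by only ever storing one input or the gate's own result.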
We now establish the relation between the worst-case privacy of C̃' and the average-case privacy of C'.
Lemma 2. Suppose that C' is p-private in the average case. Then the circuit C̃', constructed with ℓ = O(t/p⁴), is statistically t-private in the worst case.
Proof sketch: It is convenient to make the adversary slightly stronger by assuming that it may actually probe t logical, rather than boolean, wires (i.e., each such wire may contain an integer, a ternary symbol, or a bit). For each compromised wire of C̃', the adversary can either see some random integer r_i, a $ symbol, or an actual value v_i of the ith wire of C'.¹⁵ In the latter case, we say that v_i has been observed. Let S denote the set of indices i such that v_i has been observed. Note that S is a random variable, where the probability is over the execution of C̃'.
We will argue that for any fixed index set S₀, and for ℓ chosen as in the lemma, we have Pr[S₀ ⊆ S] ≤ p^{|S₀|}. Thus, an adversary attacking any fixed set of t wires in C̃' is not better off than an adversary corrupting each wire of C' independently with probability p.
To make this argument, we pick a subset S₁ ⊆ S₀ such that: (1) |S₁| ≥ |S₀|/4; (2) each value in S₁ is observed with probability (at most) p⁴; and (3) the events of observing different values in S₁ are independent. This will make the probability of observing all values in S₁ at most (p⁴)^{|S₀|/4} = p^{|S₀|}, as required.
¹⁵ In fact, depending on the exact implementation there may be wires of C̃' containing information on two values v_i. We ignore this technicality as it does not change the analysis in any substantial way.
We pick S₁ to be a maximal matching in the subgraph of C' induced by the wires in S₀. Since the degree of each vertex in this graph is at most 4, we have |S₁| ≥ |S₀|/4. It remains to show that S₁ satisfies properties (2) and (3) above.
To prove (2) it suffices to show that for any fixed wire of C̃', the probability that this wire contains a useful value (i.e., contributes to S) is O(1/ℓ). (Property (2) would then follow, since by taking the union over all t compromised wires of C̃', the probability of observing a value of C' is O(t/ℓ) ≤ p⁴.) This clearly holds for input wires, by definition of the input encoder, and is maintained through all internal wires in the circuit by a symmetry argument. (In the case of gate gadgets, the argument relies on the fact that each val entry inside a sorting network contains one of the gadget's inputs, rather than some arbitrary combination of these inputs; due to the randomness of the sorting keys, the randomness of the positions of the useful entries is maintained.)
It remains to argue that the independence property (3) holds. This follows from the fact that no two wires in S₁ are adjacent to a common gate in C' and from the fact that each gadget in C̃' uses fresh randomness to shuffle its entries. □
Combining Lemma 2 with Lemma 1, we have:
Theorem 3. There exists a statistically t-private stateless transformer (T̃, Ĩ, Õ), such that T̃(C, k) transforms a circuit C of size n to a circuit C̃' of size n · Õ(t) · k^{O(1)} (where k is a statistical security parameter). The depth of C̃' is the same as that of C, up to polylog factors.
Remark 1. Throughout this section, we view k^{O(1)} and polylog(t) as being small in comparison to t, and therefore do not attempt to optimize the exact dependence on such factors. We note that all occurrences of k^{O(1)} in the complexity of our constructions (e.g., in Theorem 3) can be replaced by polylog(k) while still satisfying our asymptotic notion of statistical security.
The above construction (and in particular the analysis of Lemma 2) crucially relies on the assumption that the adversary chooses in advance which t wires to corrupt, independently of the values it observes while invoking C̃'. However, for using this construction in the stateful case we need a somewhat stronger security guarantee. Indeed, since the adversary is allowed to move its t probes before each invocation based on the values it observes in previous invocations, it may gradually build more and more knowledge about the locations of useful values in C̃'. To get around this problem and guarantee sufficient independence between different invocations, it suffices to re-randomize each ℓ-tuple of wires representing the new content of a memory cell by applying a perfectly t-private computation of a random cyclic shift. Using our basic construction, this can be done using Õ(ℓt²) additional gates. When the size of the circuit is much larger than the number of states and t, the amortized cost per gate of this randomization step is small. The above discussion is captured by the following theorem.
Theorem 4. There exists a statistically t-private stateful transformer T̃, such that T̃(C, k) maps a circuit C of size n with s memory cells to a circuit C̃' of size Õ(nt + st³) · k^{O(1)}. The depth of C̃' is the same as that of C, up to polylog factors.
Amortizing the cost over multiple gates. The previous construction is redundant in the sense that it uses a separate gadget, of size Ω(t), for each gate in the circuit. We briefly sketch a modification of this construction which amortizes the additional cost over multiple gates, effectively eliminating the dependence on t. For the description and analysis of this construction, it is convenient to assume that the circuit is layered (see Section 2), and use the following modified notion of average-case security for the layered case.
Definition 2. Let T = T(C, k) be a layered circuit transformer producing a layered circuit C' of width w. Then, T is said to be (statistically) p-secure in the average case if C' = T(C, k) is statistically secure against an adversary which corrupts a random subset of pw wires in each layer of C'.
As before, we will use an average-case p-secure C' to build a worst-case t-secure C̃'. However, instead of representing each wire of C' by an ℓ-tuple of wires, we will now represent an entire layer of C' by a corresponding layer in C̃' consisting of ℓ = max(w, t/p) wires. These wires will contain a random permutation of the w values of C', placed in random positions, and the symbol $ in all other positions. Note that typically w > t/p, in which case ℓ = w and there are no useless $ entries in this list. However, the above choice of ℓ guarantees that by looking at any fixed set of t positions in the list the adversary will observe a random subset containing at most a p-fraction of the values.
Each value of C' is represented by a pair containing its index and its value. This representation naturally defines the input encoder and output decoder. It remains to show how the above representation can be maintained between subsequent layers. As before, we also need to ensure that each intermediate level in the computation of C̃' contains a random permutation of the useful values, where the randomness of these permutations is independent for levels that are sufficiently far apart. To achieve this, we use an ℓ-input, ℓ-output gadget whose inputs represent the jth level wires in C' and whose outputs represent the (j+1)th level wires. The high-level idea is as before, except that we now need to jointly route w/2 pairs of wires to random adjacent positions, and then combine each pair in the right way.
Using this approach, we can obtain the following theorem:
Theorem 5. There exists a statistically t-secure stateless transformer (T̃, Ĩ, Õ), such that T̃(C, k) transforms a layered circuit C of width w and depth d to a circuit C̃' of width Õ(max(w, t)) · k^{O(1)} and depth d · polylog(w, t, k).
An analogous theorem for the stateful model can be derived similarly to Theorem 4.
6 A PRG secure against probing attacks
Next, we will show how to build a deterministic, stateful circuit that will produce pseu-
dorandom output and remain secure even in the presence of probing attacks. In essence,
we will be building a PRG that resists probing attacks. Because the resulting circuit is
deterministic, this is helpful if true randomness is expensive.
The basic construction is as follows. Let G : {0,1}^κ → {0,1}^{(2t+1)κ+ρ} be a PRG, writing κ for the seed length and ρ for the number of output bits per invocation. We will build a deterministic stateful circuit C'[s'₀] with (2t+1)κ bits of internal memory, no inputs, and ρ bits of output. C'[s'₀] will be understood as a secure translation of the 0-input, ρ-output stateless randomized circuit C whose outputs are each fed by a different random-bit gate. The initial random seed s'₀ will be chosen uniformly at random, and the behavior of the circuit C'[s'₀] on any one invocation is defined as follows:
1. Let s = (s₁, …, s_{2t+1}) denote the current state of the memory cells.
2. Set u := G(s₁) ⊕ ⋯ ⊕ G(s_{2t+1}). Define s', y by parsing u as u = (s', y).
3. Replace the current state of the memory cells with s', and output y.
It is crucial that the circuit C'[s'₀] contain 2t + 1 disjoint copies of G, executing in parallel and sharing no wires or gates. Our construction is related to the method for distributed pseudorandomness generation with proactive security from [10]. For lack of space, the proof of Theorem 6 is omitted here.
Theorem 6. If G is a secure PRG, then the stateful deterministic circuit C'[s'₀] defined above is a computationally t-private transformation of the circuit C defined above.
Application: eliminating randomness gates. One application for our PRG construction is in eliminating randomness for the stateful circuit transformer of Section 4. Our basic solution for the stateless model, as described earlier, relies on the use of random-bit gates within the transformed circuit T(C). An appealing consequence of our probe-resistant PRG is that it allows us to dispense with on-line randomness generation: an initial random seed can be coded into the initial state by T and (deterministically) "refreshed" at each invocation of the circuit.
Suppose our transformed circuit T(C) uses ρ random-bit gates. Let C_r be a stateless randomized circuit consisting of ρ independent random-bit gates, each connected to a different output of C_r. If C'_r[s'₀] is any deterministic stateful circuit that is a secure translation of C_r, then we can replace the random-bit gates of T(C) with the probe-resistant PRG C'_r[s'₀]. For instance, the deterministic, stateful PRG of Theorem 6 will do the job nicely. In this way, we can derandomize C' and obtain an efficient stateful, deterministic circuit that is computationally t-private and not too much larger than the original circuit.
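The following added Python model (not the paper's code) simulates the circuit C'[s'₀] of Section 6 and its use to replace the random-bit gates of a transformed circuit. The PRG G is instantiated with SHAKE-256 as a stand-in (an assumption; any PRG with the stated stretch would do), seed and output lengths are measured in bytes, and the 2t+1 copies of G run one after another in software where the hardware circuit runs them on disjoint wires. Function names and the sample seed are constructed for the example.

```python
import hashlib


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def G(seed, out_len):
    """Stand-in PRG G: {0,1}^kappa -> {0,1}^((2t+1)kappa + rho), here SHAKE-256 (assumption, not the paper's choice)."""
    return hashlib.shake_256(seed).digest(out_len)


class ProbeResistantPRG:
    """Deterministic stateful circuit C'[s'_0]: (2t+1) memory cells of kappa bytes, no inputs, rho bytes out."""

    def __init__(self, seeds, rho):
        self.copies = len(seeds)      # must be 2t+1 disjoint copies of G
        self.kappa = len(seeds[0])    # seed length in bytes
        self.rho = rho
        self.state = list(seeds)      # step 1: s = (s_1, ..., s_{2t+1})

    def invoke(self):
        out_len = self.copies * self.kappa + self.rho
        u = bytes(out_len)
        for s in self.state:          # step 2: u = G(s_1) xor ... xor G(s_{2t+1}); each copy has its own wires
            u = xor_bytes(u, G(s, out_len))
        cut = self.copies * self.kappa
        s_next, y = u[:cut], u[cut:]  # parse u = (s', y)
        self.state = [s_next[i * self.kappa:(i + 1) * self.kappa] for i in range(self.copies)]  # step 3
        return y


def make_prg(t, kappa, rho, initial_seed):
    """Split a uniformly random (2t+1)*kappa-byte seed s'_0 into the 2t+1 memory cells set up by T."""
    assert len(initial_seed) == (2 * t + 1) * kappa
    seeds = [initial_seed[i * kappa:(i + 1) * kappa] for i in range(2 * t + 1)]
    return ProbeResistantPRG(seeds, rho)


def random_bits_for_gates(prg, count):
    """Application: feed `count` random-bit gates of T(C) from one invocation's output y (needs 8*rho >= count)."""
    y = prg.invoke()
    assert count <= 8 * len(y)
    return [(y[i // 8] >> (i % 8)) & 1 for i in range(count)]


if __name__ == "__main__":
    # Constructed sample seed: 80 bytes = (2*2+1) copies * 16-byte seeds, t = 2, 8 output bytes per cycle.
    prg = make_prg(2, 16, 8, bytes(range(80)))
    for cycle in range(3):
        print(cycle, random_bits_for_gates(prg, 64))
```

Only the memory holds secrets across invocations; a probe budget of t wires per cycle can read at most t of the 2t+1 cells' contributions in any cycle, which is the reason the construction insists on 2t+1 copies rather than t+1.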
7 Concluding Remarks
We have developed theoretical foundations for the problem of securing hardware against side channel attacks, and initiated a systematic study of this problem within our framework. In this initial study we restricted our attention to side channels that can be modelled by probing attacks, i.e. whose information leakage depends on a limited number of physical wires. It would be interesting to extend our framework and results to a wider class of realistic attacks. A step in this direction is taken by Micali and Reyzin [29], who put forward a very general model for side channel attacks.
Another natural extension of the problem studied in this work is to allow additional protection against fault attacks [7,27]. Similarly to our problem, solutions to this more general problem can be based on existing protocols from the MPC literature. However, even the most efficient of these (e.g., [23]) are still quite inefficient to implement on hardware. Obtaining better solutions in this setting, possibly under relaxed notions of security, remains an interesting challenge.
Acknowledgements. We wish to thank Jean-Sebastien Coron, David Molnar and anonymous referees for helpful comments. We also thank an anonymous referee for suggesting the use of the brain metaphor. Amit Sahai acknowledges support from an Alfred P. Sloan Foundation Research Fellowship.
References
1. M. Ajtai, J. Komlós, E. Szemerédi. An O(n log n) sorting network. In Proceedings of the 15th STOC, pp. 1-9, 1983.
2. R. Anderson, M. Kuhn, “Tamper Resistance—A Cautionary Note,” USENIX E-Commerce
Workshop, USENIX Press, 1996, pp.1–11.
3. R. Anderson, M. Kuhn, “Soft Tempest: Hidden Data Transmission Using Electromagnetic
Emanations,” Proc. 2nd Workshop on Information Hiding, Springer, 1998.
4. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang. On
the (im)possibility of obfuscating programs. CRYPTO 2001, 2001.
5. K. Batcher. Sorting Networks and their Applications. In Proc. AFIPS Spring Joint Computer Conference, Vol. 32, 1968, pp. 307-314.
6. M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proc. of 20th STOC, 1988.
7. D. Boneh, R.A. Demillo, R.J. Lipton, “On the Importance of Checking Cryptographic Pro-
tocols for Faults,” EUROCRYPT’97, Springer-Verlag, 1997, pp.37–51.
8. R. Canetti. Security and composition of multiparty cryptographic protocols. In J. of Cryp-
tology, 13(1), 2000.
9. R. Canetti, Y. Dodis, S. Halevi, E. Kushilevitz and A. Sahai. Exposure-Resilient Functions
and All-or-Nothing Transforms. In EUROCRYPT 2000, pages 453-469.
10. R. Canetti and A. Herzberg. Maintaining Security in the Presence of Transient Faults. In
CRYPTO 1994, pages 425-438.
11. R. Canetti, E. Kushilevitz, R. Ostrovsky, and A. Rosén. Randomness versus Fault-Tolerance. J. Cryptology 13(1), 2000.
12. S. Chari, C.S. Jutla, J.R. Rao, P. Rohatgi, “Towards Sound Approaches to Counteract Power-
Analysis Attacks,” CRYPTO’99, Springer-Verlag, 1999, pp.398–412.
13. D. Chaum, C. Crépeau, and I. Damgård. Multiparty unconditional secure protocols. In Proc. of 20th STOC, 1988.
14. R. Cramer, I. Damgård, and U. Maurer. General secure multi-party computation from any linear secret-sharing scheme. In Proc. of EUROCRYPT '00.
15. J.-S. Coron, L. Goubin, “On Boolean and Arithmetic Masking against Differential Power
Analysis,” CHES’00, Springer-Verlag, pp.231–237.
16. J. Daemen, V. Rijmen, “Resistance Against Implementation Attacks: A Comparative Study
of the AES Proposals,” AES’99, Mar. 1999.
17. K. Gandolﬁ, C. Mourtel, F. Olivier, “Electromagnetic Analysis: Concrete Results,”
CHES’01, LNCS 2162, Springer-Verlag, 2001.
18. R. Gennaro, M. O. Rabin, and T. Rabin. Simpliﬁed VSS and fast-track multiparty computa-
tions with applications to threshold cryptography. In Proc. of 17th PODC, 1998.
19. O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. JACM,
33(4):792–807, October 1986.
20. O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game (extended ab-
stract). In Proc. of 19th STOC, 1987.
21. O. Goldreich and R. Ostrovsky. Software Protection and Simulation on Oblivious RAMs.
JACM 43(3): 431-473, 1996.
22. L. Goubin, J. Patarin, "DES and Differential Power Analysis—The Duplication Method," CHES'99, Springer-Verlag, 1999, pp.158–172.
23. M. Hirt and U. Maurer. Robustness for free in unconditional multi-party computation. In Proc. of CRYPTO '01.
24. D. Kahn, The Codebreakers, The MacMillan Company, 1967.
25. J. Kelsey, B. Schneier, D. Wagner, “Side Channel Cryptanalysis of Product Ciphers,” ES-
ORICS’98, LNCS 1485, Springer-Verlag, 1998.
26. P. Kocher, “Timing Attacks on Implementations of Difﬁe-Hellman, RSA, DSS, and Other
Systems,” CRYPTO’96, Springer-Verlag, 1996, pp.104–113.
27. P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis,” CRYPTO’99, Springer-Verlag,
1999, pp.388–397.
28. T.S. Messerges, “Securing the AES Finalists Against Power Analysis Attacks,” FSE’00,
Springer-Verlag, 2000.
29. S. Micali and L. Reyzin. A model for physically observable cryptography. Manuscript, 2003.
30. R. Ostrovsky and M. Yung. How to withstand mobile virus attacks. In Proc. of 10th PODC,
1991.
31. D. Page, “Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel,” Tech. report
CSTR-02-003, Computer Science Dept., Univ. of Bristol, June 2002.
32. B. Pﬁtzmann, M. Schunter and M. Waidner, “Secure Reactive Systems”, IBM Technical
report RZ 3206 (93252), May 2000.
33. J.-J. Quisquater, D. Samyde, “Eddy current for Magnetic Analysis with Active Sensor,” Es-
mart 2002, Sept. 2002.
34. J.-J. Quisquater, D. Samyde, “ElectroMagnetic Analysis (EMA): Measures and Counter-
Measures for Smart Cards,” Esmart 2001, LNCS 2140, Springer-Verlag, 2001.
35. J.R. Rao, P. Rohatgi, “EMpowering Side-Channel Attacks,” IACR ePrint 2001/037.
36. US Air Force, Air Force Systems Security Memorandum 7011—Emission Security Counter-
measures Review, May 1, 1998.
37. W. van Eck, “Electromagnetic Radiation from Video Display Units: An Eavesdropping
Risk,” Computers & Security, v.4, 1985, pp.269–286.
38. D. Wright, Spycatcher, Viking Penguin Inc., 1987.
39. A. C. Yao. How to generate and exchange secrets. In Proc. of 27th FOCS, 1986.
A Relation with Secure Multi-Party Computation
The problem studied in this paper is closely related to the problem of secure multi-
party computation (MPC), introduced and ﬁrst studied in [39,20,6,13] and extensively
studied thereafter. We begin by explaining the relation between the problems, and then
highlight some important differences.
THE MPC MODEL. In the most basic setting for secure MPC, n parties are connected by a complete network of point-to-point channels. Initially, each party holds a local input and an independent random input. The parties' goal is to evaluate some publicly known function f of their inputs while hiding their inputs from each other. To this end, they interact via a prescribed protocol. The protocol proceeds in rounds, where at each round each party may send a message to every other party based on its input, its random input, and messages received in previous rounds. The protocol terminates at some predetermined round, in which all parties should output the correct value of f. A protocol as above is said to be t-private if for any set T of at most t parties, the entire view of T (consisting of their inputs, random inputs, and received messages) reveals no more information about the other parties' inputs than what follows from their own inputs and the value of f. Note that the latter information captures what must inevitably be learned. To better correspond to our circuit model, it is convenient to consider a slightly modified MPC model in which each of the n inputs is initially secret-shared among the parties (say, using n-out-of-n additive sharing), and the output produced by the protocol is also secret-shared in a similar fashion. This allows one to realize a stronger and simpler privacy requirement: every collusion of t players learns nothing from their interaction with the remaining players.
RELATION TO PRIVATE CIRCUITS. To illustrate the relation between the MPC model
and our circuit model, we focus on the stateless case and ignore some unimportant
technicalities. First, we show that any t-private protocol corresponds to some t-private
circuit computing the same function. Consider the following “hardware implementa-
tion” of an n-party protocol as above. In each round of interaction, each player’s local
computation is implemented by a separate sub-circuit. When the players interact, each
message bit is translated into a wire connecting the corresponding sub-circuits. Note
that the t-privacy of the protocol guarantees t-privacy also in the circuit model. In-
deed, if an adversary can violate the circuit’s privacy by probing t wires, then it could
have also violated the protocol’s privacy by corrupting some t players who “own” these
wires.¹⁶ The converse relation also holds. Suppose that we are given a t-private circuit
computing the function f where the fan-in of each gate is at most 2. We use the circuit
to deﬁne a protocol, in which each gate is owned by a distinct player. The circuit is
evaluated by the players in a bottom-up fashion, starting with the encoded inputs and
ending with an encoded output, where for each wire a message is sent from its source
player to its destination players, and for each gate a local computation is performed by
the corresponding player. It is not hard to see that if the circuit is 2t-private, then the
corresponding protocol is t-private. Indeed, a protocol-adversary corrupting t players
learns content of at most 2t wires in the circuit.
In light of the above, one might expect to obtain the best solutions to our problem via efficient hardware implementations of state-of-the-art protocols from the MPC literature. However, this is not really the case. For instance, the BGW protocol [6] (as well as subsequent optimizations [18,14]) requires each player to evaluate a degree-t polynomial on Ω(t) points for each gate of the circuit being evaluated. Consequently, the stateless circuit transformer that can be derived from this protocol is significantly less efficient than our transformer. This state of affairs stems from some major differences in the underlying optimization goals. First, the MPC literature puts much emphasis on tolerating a constant fraction of corrupted players, whereas in our setting the number of corruptions is viewed as being independent of the number of "players" (in particular, we are willing to settle for tolerating a minuscule fraction of corruptions). Second, the MPC
setting typically views the communication complexity and the round complexity as the
most important resources to optimize, placing the time complexity only as a third-order
optimization goal. In contrast, the main optimization criterion in our case is the size of
a circuit, which roughly (but not exactly) corresponds to the time complexity of the un-
derlying protocol. Finally, our main (stateful) model is quite nonstandard from the MPC
point of view, as it involves extra ingredients such as a one-time trusted precomputation
(via the circuit transformer), a mobile adversary (as in [30,10]), and on-line inputs and
outputs (as in [32,8]). To conclude, the problem we are posing is quite different from
that of implementing standard MPC protocols at the hardware level.
¹⁶ Note that a wire corresponding to a message bit is owned by more than one player.