**Tamper Resilient Circuits: The Adversary at the Gates**

*Aggelos Kiayias and Yiannis Tselekounis*

**Abstract: **We initiate the investigation of {\em gate}-tampering attacks against
cryptographic circuits. Our model is motivated by the plausibility of
tampering directly with circuit gates and by the increasing use of {\em tamper
resilient gates} among the known constructions that are shown to be resilient
against {\em wire-tampering} adversaries. We prove that gate-tampering is {\em
strictly} stronger than wire-tampering. On the one hand, we show that there is
a gate-tampering strategy that perfectly simulates any given wire-tampering
strategy. On the other, we construct families of circuits over which it is
impossible for any wire-tampering attacker to simulate a certain gate-tampering
attack (that we explicitly construct). We also provide a tamper resilience
impossibility result that applies to both gate and wire tampering adversaries
and relates the amount of tampering to the depth of the circuit. Finally, we
show that defending against gate-tampering attacks is feasible by appropriately
abstracting and analyzing the circuit compiler of Ishai et al.
\cite{Ishai:2006a} in a manner which may be of independent interest.
Specifically, we first introduce a class of compilers that, assuming certain
well defined tamper resilience characteristics against a specific class of
attackers, can be shown to produce tamper resilient circuits against that
same class of attackers. Then, we describe a compiler in this class for which
we prove that it possesses the necessary tamper-resilience characteristics
against gate-tampering attackers.

**Category / Keywords: **tamper resilient circuits, attack modeling

**Original Publication**** (with minor differences): **IACR-ASIACRYPT-2013

**Date: **received 1 Dec 2013

**Contact author: **tselekounis at sians org

**Available format(s): **PDF | BibTeX Citation

**Version: **20131201:163537 (All versions of this report)

**Short URL: **ia.cr/2013/797

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]