An important and recurring security scenario involves the need to carry out trusted computations in the context of untrusted environments. It is shown how a tamper-resistant interpreter for a programming language-currently Lisp 1.5-combined with the use of a secure coprocessor can address this problem. This solution executes the interpreter on the secure coprocessor while the code and data of the program reside in the larger memory of an associated untrusted host. This allows the coprocessor to utilize the host’s memory without fear of tampering even by a hostile host. This approach has several advantages including ease of use, and the ability to provide tamper-resistance for any program that can be constructed using the language. The language approach enabled the development of two novel mechanisms for implementing tamper resistance. These mechanisms provide alternatives to pure Merkle hash trees. Simulated relative performance of the various mechanisms is provided and shows the relative merits of each mechanism.