One-Time Programs

  • Shafi Goldwasser
  • Yael Tauman Kalai
  • Guy N. Rothblum
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5157)


In this work, we introduce one-time programs, a new computational paradigm geared towards security applications. A one-time program can be executed on a single input, whose value can be specified at run time. Other than the result of the computation on this input, nothing else about the program is leaked. Hence, a one-time program is like a black box function that may be evaluated once and then “self destructs.” This also extends to k-time programs, which are like black box functions that can be evaluated k times and then self destruct.

One-time programs serve many of the same purposes of program obfuscation, the obvious one being software protection, but also including applications such as temporary transfer of cryptographic ability. Moreover, the applications of one-time programs go well beyond those of obfuscation, since one-time programs can only be executed once (or more generally, a limited number of times) while obfuscated programs have no such bounds. For example, one-time programs lead naturally to electronic cash or token schemes: coins are generated by a program that can only be run once, and thus cannot be double spent.

Most significantly, the new paradigm of one-time computing opens new avenues for conceptual research. In this work we explore one such avenue, presenting the new concept of “one-time proofs,” proofs that can only be verified once and then become useless and unconvincing.

All these tasks are clearly impossible using software alone, as any piece of software can be copied and run again, enabling the user to execute the program on more than one input. All our solutions employ a secure memory device, inspired by the cryptographic notion of interactive oblivious transfer protocols, that stores two secret keys (k 0,k 1). The device takes as input a single bit b ∈ {0,1}, outputs k b , and then self destructs. Using such devices, we demonstrate that for every input length, any standard program (Turing machine) can be efficiently compiled into a functionally equivalent one-time program. We also show how this memory device can be used to construct one-time proofs. Specifically, we show how to use this device to efficiently convert a classical witness for any NP statement, into “one-time proof” for that statement.


Turing Machine Oblivious Transfer Hardware Device Interactive Proof Permute Graph 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [And01]
    Anderson., R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, Chichester (2001)Google Scholar
  2. [BBBW82]
    Bennett, C.H., Brassard, G., Breidbard, S., Wiesner, S.: Quantum cryptography, or unforgeable subway tokens. In: CRYPTO 1982, pp. 267–275 (1982)Google Scholar
  3. [Bes79]
    Best, R.M.: Us patent 4,168,396: Microprocessor for executing enciphered programs (1979)Google Scholar
  4. [BFM88]
    Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: STOC 1988, Chicago, Illinois, pp. 103–112 (1988)Google Scholar
  5. [BGI+01]
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. [Blu81]
    Blum, M.: Personal communication (1981)Google Scholar
  7. [Blu87]
    Blum, M.: How to prove a theorem so no-one else can claim it. In: Proceedings of ICML, pp. 1444–1451 (1987)Google Scholar
  8. [BLV06]
    Barak, B., Lindell, Y., Vadhan, S.P.: Lower bounds for non-black-box zero knowledge. J. Comput. Syst. Sci. 72(2), 321–391 (2006)zbMATHCrossRefMathSciNetGoogle Scholar
  9. [Cha82]
    Chaum, D.: Blind signatures for untraceable payments. In: CRYPTO 1982, pp. 199–203 (1982)Google Scholar
  10. [Cha83]
    Chaum, D.: Blind signature systems. In: CRYPTO 1983, pp. 153–156 (1983)Google Scholar
  11. [DHS06]
    Dvir, O., Herlihy, M., Shavit, N.: Virtual leashing: Creating a computational foundation for software protection. Journal of Parallel and Distributed Computing (Special Issue) 66(9), 1233–1240 (2006)zbMATHCrossRefGoogle Scholar
  12. [EGL85]
    Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)CrossRefMathSciNetGoogle Scholar
  13. [GK96]
    Goldreich, O., Kahan, A.: How to construct constant-round zero-knowledge proof systems for np. J. Cryptology 9(3), 167–190 (1996)zbMATHCrossRefMathSciNetGoogle Scholar
  14. [GK05]
    Goldwasser, S., Kalai, Y.T.: On the impossibility of obfuscation with auxiliary input. In: Tardos, É. (ed.) FOCS 2005, pp. 553–562. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  15. [GLM+04]
    Gennaro, R., Lysyanskaya, A., Malkin, T., Micali, S., Rabin, T.: Algorithmic tamper-proof (atp) security: Theoretical foundations for security against hardware tampering. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 258–277. Springer, Heidelberg (2004)Google Scholar
  16. [GMR89]
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. SIAM Journal on Computing 18(1), 186–208 (1989)zbMATHCrossRefMathSciNetGoogle Scholar
  17. [GMW91]
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity, or all languages in np have zero-knowledge proof systems. Journal of the ACM 38(1), 691–729 (1991)zbMATHMathSciNetGoogle Scholar
  18. [GO96]
    Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious rams. Journal of the ACM 43(3), 431–473 (1996)zbMATHCrossRefMathSciNetGoogle Scholar
  19. [IPSW06]
    Ishai, Y., Prabhakaran, M., Sahai, A., Wagner, D.: Private circuits ii: Keeping secrets in tamperable circuits. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 308–327. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. [ISW03]
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: Securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)Google Scholar
  21. [Kat07]
    Katz, J.: Universally composable multi-party computation using tamper-proof hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115–128. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  22. [Ken80]
    Kent, S.T.: Protecting Externally Supplied Software in Small Computers. PhD thesis, Massachusetts Institute of Technology, Cambridge, Massachusetts (1980)Google Scholar
  23. [MN05]
    Moran, T., Naor, M.: Basing cryptographic protocols on tamper-evident seals. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 285–297. Springer, Heidelberg (2005)Google Scholar
  24. [MR04]
    Micali, S., Reyzin, L.: Physically observable cryptography (extended abstract). In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004)Google Scholar
  25. [MS08]
    Moran, T., Segev, G.: David and goliath commitments: Uc computation for asymmetric parties using tamper-proof hardware. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 527–544. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  26. [Pas03]
    Pass, R.: On deniability in the common reference string and random oracle model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 316–337. Springer, Heidelberg (2003)Google Scholar
  27. [Rab05]
    Rabin, M.O.: How to exchange secrets with oblivious transfer. Cryptology ePrint Archive, Report 2005/187 (2005)Google Scholar
  28. [SMP88]
    De Santis, A., Micali, S., Persiano, G.: Non-interactive zero-knowledge with preprocessing. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 269–282. Springer, Heidelberg (1990)Google Scholar
  29. [SvDO+06]
    Sarmenta, L.F.G., van Dijk, M., O’Donnell, C.W., Rhodes, J., Devadas, S.: Virtual monotonic counters and count-limited objects using a tpm without a trusted os (extended version). Technical Report 2006-064, MIT CSAIL Technical Report (2006)Google Scholar
  30. [TPM07]
    Trusted computing group trusted platform module (tpm) specifications (2007)Google Scholar
  31. [Yao86]
    Yao, A.C.: How to generate and exchange secrets. In: FOCS 1986, pp. 162–167 (1986)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Shafi Goldwasser
    • 1
    • 3
  • Yael Tauman Kalai
    • 2
  • Guy N. Rothblum
    • 3
  1. 1.Weizmann Institute of ScienceRehovotIsrael
  2. 2.Georgia TechAtlantaUSA
  3. 3.MITCambridgeUSA

Personalised recommendations