One-Time Programs

  • Shafi Goldwasser
  • Yael Tauman Kalai
  • Guy N. Rothblum
Conference paper

DOI: 10.1007/978-3-540-85174-5_3

Part of the Lecture Notes in Computer Science book series (LNCS, volume 5157)
Cite this paper as:
Goldwasser S., Kalai Y.T., Rothblum G.N. (2008) One-Time Programs. In: Wagner D. (eds) Advances in Cryptology – CRYPTO 2008. CRYPTO 2008. Lecture Notes in Computer Science, vol 5157. Springer, Berlin, Heidelberg


In this work, we introduce one-time programs, a new computational paradigm geared towards security applications. A one-time program can be executed on a single input, whose value can be specified at run time. Other than the result of the computation on this input, nothing else about the program is leaked. Hence, a one-time program is like a black box function that may be evaluated once and then “self destructs.” This also extends to k-time programs, which are like black box functions that can be evaluated k times and then self destruct.

One-time programs serve many of the same purposes of program obfuscation, the obvious one being software protection, but also including applications such as temporary transfer of cryptographic ability. Moreover, the applications of one-time programs go well beyond those of obfuscation, since one-time programs can only be executed once (or more generally, a limited number of times) while obfuscated programs have no such bounds. For example, one-time programs lead naturally to electronic cash or token schemes: coins are generated by a program that can only be run once, and thus cannot be double spent.

Most significantly, the new paradigm of one-time computing opens new avenues for conceptual research. In this work we explore one such avenue, presenting the new concept of “one-time proofs,” proofs that can only be verified once and then become useless and unconvincing.

All these tasks are clearly impossible using software alone, as any piece of software can be copied and run again, enabling the user to execute the program on more than one input. All our solutions employ a secure memory device, inspired by the cryptographic notion of interactive oblivious transfer protocols, that stores two secret keys (k0,k1). The device takes as input a single bit b ∈ {0,1}, outputs kb, and then self destructs. Using such devices, we demonstrate that for every input length, any standard program (Turing machine) can be efficiently compiled into a functionally equivalent one-time program. We also show how this memory device can be used to construct one-time proofs. Specifically, we show how to use this device to efficiently convert a classical witness for any NP statement, into “one-time proof” for that statement.

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Shafi Goldwasser
    • 1
    • 3
  • Yael Tauman Kalai
    • 2
  • Guy N. Rothblum
    • 3
  1. 1.Weizmann Institute of ScienceRehovotIsrael
  2. 2.Georgia TechAtlantaUSA
  3. 3.MITCambridgeUSA

Personalised recommendations