Two-Message Witness Indistinguishability and Secure Computation in the Plain Model from New Assumptions Saikrishna Badrinarayanan 1(B ) , Sanjam Garg 2 , Yuval Ishai 1,3 , Amit Sahai 1 , and Akshay Wadia 1 1 UCLA, Los Angeles, USA {saikrishna,sahai}@cs.ucla.edu, akshaywadia@gmail.com 2 UC Berkeley, Berkeley, USA sanjamg@berkeley.edu 3 Technion, Haifa, Israel yuvali@cs.technion.ac.il Abstract. We study the feasibility of two-message protocols for secure two-party computation in the plain model, for functionalities that deliver output to one party, with security against malicious parties. Since known impossibility results rule out polynomial-time simulation in this setting, we consider the common relaxation of allowing super-polynomial simu- lation. We first address the case of zero-knowledge functionalities. We present a new construction of two-message zero-knowledge protocols with super- polynomial simulation from any (sub-exponentially hard) game-based two-message oblivious transfer protocol, which we call Weak OT. As a corollary, we get the first two-message WI arguments for NP from (sub-exponential) DDH. Prior to our work, such protocols could only be constructed from assumptions that are known to imply non-interactive zero-knowledge protocols (NIZK), which do not include DDH. We then extend the above result to the case of general single-output functionalities, showing how to construct two-message secure computa- tion protocols with quasi-polynomial simulation from Weak OT. This implies protocols based on sub-exponential variants of several stan- dard assumptions, including Decisional Diffie Hellman (DDH), Quadratic Residuosity Assumption, and N th Residuosity Assumption. Prior works on two-message protocols either relied on some trusted setup (such as a common reference string) or were restricted to special functionalities such as blind signatures. As a corollary, we get three-message protocols for two-output functionalities, which include coin-tossing as an interest- ing special case. For both types of functionalities, the number of messages (two or three) is optimal. Finally, motivated by the above, we further study the Weak OT prim- itive. On the positive side, we show that Weak OT can be based on any semi-honest 2-message OT with a short second message. This sim- plifies a previous construction of Weak OT from the N th Residuosity Assumption. We also present a construction of Weak OT from Wit- ness Encryption (WE) and injective one-way functions, implying the first c  International Association for Cryptologic Research 2017 T. Takagi and T. Peyrin (Eds.): ASIACRYPT 2017, Part III, LNCS 10626, pp. 275–303, 2017. https://doi.org/10.1007/978-3-319-70700-6_10