Depending on the application, malleability in cryptography can be viewed as either a flaw or –as in the case of homomorphic primitives—a feature.  In most previous settings, malleability has been an all-or-nothing property: either all malleability is prevented, or we can make no guarantees whatsoever on how the adversary may transform what he is given.  However, in many cases one would like to allow some malleability while guaranteeing that that is all that an adversary can do; we call this controlled malleability.  We consider this notion in terms of proof systems, encryption schemes, and signatures. We will discuss how to construct these objects, concretely based on DLIN in the pairing setting, or more generically based on any publically verifiable SNARG.  Finally, we will discuss applications to verifiable shuffles and delegatable anonymous credentials.

 This is joint work with Markulf Kohlweiss, Anna Lysyanskaya, and Sarah Meiklejohn.