Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials

A signature scheme is malleable if, on input a message m and a signature σ, it is possible toefficiently compute a signature σ′ on a related message m′ = T (m), for a transformation T thatis allowable with respect to this signature scheme. Previous work considered various useful flavorsof allowable transformations, such as quoting and sanitizing messages. In this paper, we explore aconnection between malleable signatures and anonymous credentials, and give the following contri-butions: • We define and construct malleable signatures for a broad category of allowable transformationclasses, with security properties that are stronger than those that have been achieved previ-ously. Our construction of malleable signatures is generically based on malleable zero-knowledgeproofs, and we show how to instantiate it under the Decision Linear assumption.• We construct delegatable anonymous credentials from signatures that are malleable with respectto an appropriate class of transformations; we also show that our construction of malleablesignatures works for this class of transformations. The resulting concrete instantiation is thefirst to achieve security under a standard assumption (Decision Linear) while also scaling linearlywith the number of delegations.