Abstract. Anonymous authentication primitives, e.g., group or ring signatures, allow one to realize privacy-preserving data collection applications, as they strike a balance between authenticity of data being collected and privacy of data providers. At PKC 2021, Diaz and Lehmann

defined group signatures with User-Controlled Linkability (UCL) and

provided an instantiation based on BBS+ signatures. In a nutshell, a

signer of a UCL group signature scheme can link any of her signatures:

linking evidence can be produced at signature time, or after signatures

have been output, by providing an explicit linking proof.

In this paper, we introduce Ring Signatures with User-Controlled

Linkability (RS-UCL). Compared to group signatures with usercontrolled linkability, RS-UCL require no group manager and can be

instantiated in a completely decentralized manner. We also introduce

a variation, User Controlled and Autonomous Linkability (RS-UCAL),

which gives the user full control of the linkability of their signatures.

We provide a formal model for both RS-UCL and RS-UCAL and

introduce a compiler that can upgrade any ring signature scheme to

RS-UCAL. The compiler leverages a new primitive we call Anonymous

Key Randomizable Signatures (AKRS)—a signature scheme where the

verification key can be randomized—that can be of independent interest. We also provide different instantiations of AKRS based on Schnorr

signatures and on lattices. Finally, we show that an AKRS scheme can

additionally be used to construct an RS-UCL scheme