Group signatures allow user data to be collected while preserving the user’s privacy but still ensuring it originates from a group member. However, the correlation of data by user is useful for processing data. Therefore, the linkability, i.e. whether signatures can be linked by user, must balance utility and privacy. We first introduce a new variant of group signature scheme that provides a more flexible and privacy-friendly form of linkability. When created, all signatures are fully unlinkable, but can be made linkable via an oblivious centrally trusted entity known as the converter. The conversion takes a batch of group signatures and blindly transforms signatures originating from the same user into a consistent representation. We formally define the requirements for this new type of group signature scheme and provide an efficient instantiation that provably satisfies these requirements.

Our original model captures a setting where the entity collecting and processing data is the same. Therefore, when defining security, the data collector is assumed to only submit honest inputs to the converter. The outputs of the converter do not provide any assurance that data originated from a group member. We therefore extend the previous model to remove this assumption and allow authentication to be preserved after data is converted. To provide a provably secure construction in this stronger model we use controlled-malleable NIZKs, which allow proofs to be mauled in a controlled manner. This allows signatures to be blinded, while still ensuring they can be verified during conversions.