We present the notion of
, which is an extension of the ring signature [RST01, BKM06]. By using an anonymizable signature, anyone who has a signed message can convert the signature into an anonymous signature. In other words, one can leave a signed message with an appropriate agent who will later anonymize the signature.
A relinkable ring signature [SHK09] is also an extension of the ring signature by which the ring forming ability can be separated from the signing ability. In the relinkable ring signature, an agent who has a special key given by the signer can modify the membership of existing ring signatures. However, the relinkable ring signature has two problematic limitations; a signer cannot select an agent according to the worth of the signature, because there exists the unique key to modify the membership for each public key, and we cannot achieve perfect anonymity even if the agent is honest.
The proposed anonymizable signature can free one from these limitations. In the anonymizable signature scheme, each signature can be anonymized without any secret but the signature itself. Thus, the signer can delegate signature anonymization to multiple agents signature by signature. Moreover, the anonymizable signature can guarantee unconditional anonymity and be used for anonymity-sensitive purposes, e.g., voting. After providing the definition of the anonymizable signature, we also give a simple construction methodology and a concrete scheme that satisfies perfect anonymity and computational unforgeability under the gap Diffie-Hellman assumption with the random oracle model.