Ring signatures are similar to group signatures, but do not have group managers. Another key difference is that a "ring" can be formed at signing time with whoever's keys you like - you don't have a fixed "group" like in a group signature.
Signatures cannot be "linked" unless you are specifically using a linkable ring signature scheme. Moreover, the signer's identity is hidden in the ring and cannot be identified, by design, just like in a group signature. Most schemes have that verification can be done by anyone (publicly verifiable). And signers can create the ring and sign on their own without anyone else's participation. So this meets all your requirements, ignoring the last (that they are based on elliptic curves).
The first ring signature construction was the one by Rivest, Shamir and Tauman. Their scheme uses RSA keys. Abe, Ohkubo, and Suzuki gave a scheme in which is able to use a mixture of RSA and DL-type keys. Appendix A of their paper shows how you can construct a ring signature with just schnorr signature public keys, which can be adapted to the elliptic curve setting (and use EC-schnorr).
Specifically, let's say each party in the ring has a public key $Y_i = [x_i]G$, and participant $k$ wants to generate a signature on behalf of them all. Let the order of $G$ be $p$, and let $H$ be a hash function whose codomain is $\mathbb{Z}/p\mathbb{Z}$. The signer will choose a random value $\alpha$, and random values $c_i$ for all the other ring members. The signer will then create an "aggregate key"
$$
K = [\alpha]G + \sum_{i \neq k} [c_i]Y_i \, .
$$
Then, the signer will compute the hash $c = H(Y_0, Y_1, \ldots, Y_n, M, K)$ for message $M$. Compute
$$
c_k = c - \sum_{i \neq k} c_i \pmod{p},
$$
so that all the $c_i$ including $c_k$ sum to $c$ (the hash).
Finally, let $s = \alpha - c_k \cdot x_k \bmod{p}$. The signature is $(s, c_0, \ldots, c_n)$. To verify, simply recompute the aggregate key and the hash as follows:
$$
K' = [s]G + \sum_i [c_i]Y_i\\
c' = H(Y_0, Y_1, \ldots, Y_n, M, K')
$$
and check that $c' = \sum_i c_i \pmod{p}$.
You can see that performing the protocol honestly will let $K' = K$ because
$$
K' = [s]G + \sum_i [c_i]Y_i \\
= [\alpha]G - [c_k \cdot x_k]G + \sum_i [c_i]Y_i\\
= [\alpha]G - [c_k]Y_k + \sum_i [c_i]Y_i\\
= [\alpha]G + \sum_{i \neq k} [c_i]Y_i = K.
$$
Then verification works regardless of which $k$ was the signer, as required, and anyone can verify the signature given the set of public keys $Y_i$, the message $M$, the signature $(s, c_i)$, and the public parameters $(G, p, E, \ldots)$.