Comment by maccard

Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.