Comment by maccard
4 hours ago
Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.
You likely need one other step beyond a plain ring signature, often called a linkable ring signature. If you use only a plain ring signature I could get one authenticated key and setup a site that gives away an unlimited number of access tokens with it, and you can't identify which key is doing so in order to kick it out.
A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.