This is called a Linkable Spontaneous Anonymous Group Signature (LSAG).
I describe below an EC implementation of an LSAG called a linkable ring signature.
A ring signature proves that the private key holder of one of a set of declared public keys has signed a message, but it is impossible to know which key holder did it. This is called Signer Ambiguity.
This can be extended to the concept of a "linkable ring signature". The ring is signed such that a "key image" is also declared as part of the signature. The key image is the scalar multiplication of the signer's private key on a public key created by extracting a point from the hash of the signer's public key. key image = private key * hash_to_ec_point(public key)
. The construction of the ring signature proves that the key image is formed from the same private and public key owned by the real signer, without an observer being able to tell whom the key image belongs to.
The real signer can prove they were the real signer by providing a signature (such as a simple Schnorr signature) proving they know the private key for the key image that was declared as part of the original linkable ring signature.
For an implementation example, see "Back’s Linkable Spontaneous Anonymous Group (bLSAG) signatures". I've included the algebra below, excerpted from Zero to Monero section 3.4.