PKI multiple public keys

In all asymmetric crypto-systems I can think off, there is a 1-1 correspondence between the public key and the private key: given the private key you can uniquely determine the public key and given the public key you can uniquely determine the private key (but it should of course be computationally infeasible to determine the private key from the public key).

However given one of the usual asymmetric schemes you can easily create such a scheme: To create a private key with n public keys, just generate n public-private keypairs in the normal scheme and define the "private key" to be the collection of the private keys. When signing just sign with all the private keys, when verifying try to verify one of the signatures. Encryption is the usual operation and decrypting should try to decrypt with all the keys (one of them should work).

This is not possible with standard algorithms.

If you look at how key pairs are generated in RSA, you select a public key first by specifying the public exponent, then generate the private key.

I can't think of a use-case for multiple public keys. They are public and you can get any of them so it doesn't really improve security.