The linkable ring signature requires two additional point multiplications and a point addition per round.

a = add(sbmul(t), multiply(y, c))
b = add(multiply(M, t), multiply(tag, c))

The problem is that the hacky multiply function returns an Ethereum address rather than a point.

Point addition can be performed by providing a witness of those points and verifying they hash to the same result.

e.g.

a = add(sbmul(t), multiply(y, c))
x = hackymul(Tag, c)
y = hackymul(M, t)
assert point_to_addr(W[i]) == x
assert point_to_addr(W[i+]) == y
b = add(x, y)

This means the total number of parameters required for a ring signature of N participants is:

• 4*N + 1

Where 2*N for the witnesses, N for the public keys, N for the t values and one initial seed value.

So, a ring of 10 keys requires 31 inputs of 32 bytes each, in addition to the public keys.