# Pastebin fgYB8cC8

Dear authors:

I read your recent preprint "A Simpler and Modular Construction of Linkable Ring Signature" on the IACR archive. As a researcher contributing to the Monero Research Lab (and a coauthor on the CLSAG preprint that you discuss), I noticed a major issue with the preprint that I wish to convey to you, should you choose to revise.

Your use of a fixed-base linear key image of the form $I = h^x$ is insecure (regardless of the base $h$ chosen), and not suitable for use in a deployed construction like Monero. As discussed in the CryptoNote paper on page 17 (which you cite), the use of a fixed base for key images leads to a trivial signature linking due to the one-time address construction used in the protocol. A variable base, like the use of a hashed public key, must be used in order to remove this.

Note that LSAG, MLSAG, and CLSAG all require a variable-base key image for precisely this reason. While you'll notice that RingCT 3.0, Omniring, Triptych, and Triptych-2 all use a fixed-base key image, they do so non-linearly using a verifiable random function construction that is not vulnerable to this flaw.

This does not appear to affect your security proofs, but rather indicates that the security model does not capture the one-time addresses' relationship to the key images. (The CLSAG security model also does not explicitly model this, but avoids the flaw by construction instead.)

As a result, it appears that your timing comparison data is not an accurate representation of MSLSR relative to CLSAG in practice, since the key image flaw means MSLSR could not be deployed safely in Monero without exposing its users to signature linking.
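
The relation behind the letter's key-image point, as an added example that is not part of the original letter or of any project's code: with CryptoNote one-time keys $x = H_s(A^r) + b$, a fixed-base image $I = h^x$ lets the sender of two outputs test $I_1 / I_2 = h^{s_1 - s_2}$ without knowing $b$, while a hashed-public-key base leaves no such relation. Assumptions: a toy group $\mathbb{Z}_p^*$ with $p = 2^{255} - 19$, SHA-256 stand-ins for the hash functions, constructed sample keys, and hypothetical function names throughout.

```python
import hashlib

# Toy group (assumption, not Monero's curve): Z_p^*, exponents mod p - 1.
P = 2**255 - 19
N = P - 1
G, H = 2, 3  # g: address base; h: the fixed key-image base in I = h^x

def hs(*parts):
    """Hash to a scalar (SHA-256 stand-in for CryptoNote's H_s)."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def hp(pub):
    """Hash a public key to a group element with unknown discrete log."""
    return 1 + hs("hp", pub)

def keygen(seed):
    x = hs("key", seed)  # constructed, deterministic sample keys
    return x, pow(G, x, P)

def send_output(r, A, B):
    """Sender: shared scalar s = H_s(A^r), one-time key g^s * B."""
    s = hs(pow(A, r, P))
    return s, pow(G, s, P) * B % P

def recover_key(R, a, b):
    """Recipient: one-time private key x = H_s(R^a) + b."""
    return (hs(pow(R, a, P)) + b) % N

def key_image_fixed(x, pub):
    return pow(H, x, P)  # I = h^x, the form the letter calls insecure

def key_image_variable(x, pub):
    return pow(hp(pub), x, P)  # I = H_p(P)^x, hashed-public-key base

def sender_links(I1, I2, s1, s2):
    """Check I1 / I2 == h^(s1 - s2); needs only values the sender knows."""
    return I1 * pow(I2, -1, P) % P == pow(H, (s1 - s2) % N, P)

def two_spends_linked(key_image):
    """One sender pays the same address twice; both outputs are later spent."""
    (a, A), (b, B) = keygen("view"), keygen("spend")
    images, shared = [], []
    for tx in ("tx1", "tx2"):
        r, R = keygen(tx)
        s, pub = send_output(r, A, B)
        x = recover_key(R, a, b)
        images.append(key_image(x, pub))
        shared.append(s)
    return sender_links(*images, *shared)
```

`two_spends_linked(key_image_fixed)` evaluates the fixed-base form and `two_spends_linked(key_image_variable)` the hashed-base form, so the two constructions can be compared on identical outputs.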