Hoping to satisfy @fgrieu invite in comments, I try an answer coming from Monero's implementation. The source of these words is the cheatsheet I have written https://getmonero.org/library/RingsCheatsheet20210301.pdf while studying https://www.getmonero.org/library/Zero-to-Monero-2-0-0.pdf
I think the right thing is to start from non-interactive (in the Fiat-Shamir flavour) Schnorr signature for keys over elliptic curve. Let's quickly recap it.
Let's say $(x,X)$ is the private/public keys pair, where $X\triangleq xG$ with $G$ the generator point of the EC; $tx$ is the transaction/text/whichever stuff we need to sign; Signing $tx$ with $x$ means being able to generate a pair $(c,r)$ such that:
$H(tx, rG + cX)=c$
where $H$ is an hash (no matter here which one) and $c$ and $r$ are called "challenge" and "response", with the terms coming from the interactive schema. $c$ is obtained from a secret random unique $\alpha$ known only by the signer and never reused in two signatures, and the foregoing equality is equivalent to:
$rG + cX = \alpha G$
(btw, by substituting you get how $c$ is defined ;) )
So, looking at it from a bird view, we can say that verification of $tx$ signature by $x$ is a function of the signed stuff, the public key, the challenge and the response:
$f(tx, X, r, c)$
Ring signatures are about finding flavours of this schema with decoys, while still retaining just only one ACTUAL signer (from a technical point of view: needing many $X_i$ -let's say $n$- in verifying algo but single $x$ in signing algo); and all without coordination between involved key owners.
There are a challenge and a response for each $X_i$, so we have $c_i$ and $r_i$, however things are arranged so that from $c_i$ we can calculate $c_{i+1}$, with "overflow" when $i=n$ (here it is the "ring"), so:
$H(tx, r_{i}G + c_{i}X_{i})=c_{i+1}$ with $1 \le i \le n-1$
$H(tx, r_{n}G + c_{n}X_{n})=c_1$ with $i=n$
given we can regress from $c_n$ to $c_1$ the above conditions lead to the signature verification function:
$f(tx, X_i, r_i, c_1)$
But where does the "magic" come from? How is the arrangement made to have $c_i$ forming a closed chain in which given one challenge value you can calculate all the others (note we have chosen $c_1$ as special one, but that's really nothing special about it)?
Well, thanks to these facts:
- if we indicate as $c_\pi$ the challenge associated to the ACTUAL signer, $c_{\pi+1}$ is calculated from a random secret $\alpha$ known only to the ACTUAL signer (does it recall anything? ;) );
- all other $c_i$ are calculated with the above chain formula;
- all $r_i$ are just random numbers, except $r_\pi$ wich is chosen so to let $c_{\pi+1}$ to respect the chain formula as well (even if it comes from $\alpha$)
And now eventually the Key Image $X^*$! A part from being advertised in the transaction to prevent double spending, it is also part of $c_i$ calculus, and again the $\alpha$/chain formula trick is used: and it holds only if Key Image $X^*$ is obtained in a very specific way, function of the private and public keys of ACTUAL signer.
That's why you cannot just choose a random still-unused one!
I understand this is only the main line of the reasoning, missing many details, but I hope you can find them in the cheatsheet with the help of these companion words (I guess for your needs you can care only about "Non-interactive (Fiat-Shamir) Schnorr", "SAG" and "bLSAG")