Board: Speculation
Topic: Re: Gold collapsing. Bitcoin UP.
by smooth on 04/07/2015, 01:44:15 UTC
I would be afraid to have CT on the main chain.
There may be a bug (or luck in finding some number) and then bitcoins are created out of nothing. And nobody can verify.
That is the risk - the scheme relies on the security of ECDSA to protect the currency supply.
We're already relying on ECDSA to protect our balances from overt theft, so I'm not sure how much it actually changes the security model to also rely on it to protect our balances from covert theft via counterfeiting.
The reason I'm interested in amount blinding is that my current project is working out a multi-step plan to kill graph analysis. With the right plan and without blinded amounts we can kill graph analysis, but with blinded amounts we can drive a stake through its heart to make sure it stays dead.
We are also using SHA-256 and RIPEMD-160 hashes to protect our balances. So even if ECDSA is broken our balances can be safe, and then ECDSA can be replaced.
Pray tell how you will replace ECDSA when the coins are already assigned to keys for it? (and when everyone and their sister constantly reuses addresses). A compromise of CT would mean that it was feasible to find discrete logs in this group; with that, anyone who learned your public key could recover your private key. There are scenarios where the hashing, absent any address reuse, helps (e.g. say the discrete log finding takes weeks), but it's important to not exaggerate the gains.

But indeed it isn't ~quite~ the same.

So gmaxwell means that if the discrete logarithm assumption is broken such that it can be solved within minutes for a newly seen public key, then your transaction broadcast on the P2P network could in theory be replaced by the winning block miner spending it to himself. Funny, since I had argued this point to him in the past when he was defending the power of the hashes to protect in a worst case outcome. Funny he now uses my argument against you.

Although you still do need to rely on the integrity of Monero's key images to ensure coins can't be double spent.

Cryptonote's Appendix A says double-spending ("Linkability") depends on the random oracle model (i.e. the cryptographic hash function), which is the same assumption that CCT has. CN also has a discrete logarithm assumption in the random oracle model on theft, same as for Bitcoin.

And don't expect the double-spending to be recognizable in Monero. For as long as the attacker only double-spends from rings that are not yet saturated, then he can double-spend indefinitely without detection.

So really there is no pragmatic difference in the threat of hidden inflation in CN or CCT, except perhaps you can argue that the break only needs to occur once in CCT and a multitude of instances in CN or Bitcoin.

You are assuming a cryptographic break, I'm not, which is why I mentioned the cryptographic issue with key images. There is also the case of an implementation flaw that would (or at least could) be more readily apparent in a system that maintains visibility on sum(in) <= sum(out). In practice failures of mature cryptographic assumptions occur much less frequently than implementation flaws. Bitcoin has had the latter (overflow bug) but not the former. Likewise Zerocash (if it existed) would have recently failed due to the latter (libsnark bug).

Anyway, a few different approaches comparable to CT in effect and performance are being looked at for Monero. One I believe does not require any protocol changes.

Also, TPTB, I disagree with your assertion that some benefit was obtained from a "front loaded" curve in Monero. In practice what happened is that the difficulty simply skyrocketed as the coin became popular. There was still no real opportunity for developers or other early adopters to vacuum up cheap coins, after the first few weeks (or more like one week, during which it wasn't even clear there was going to be an organized and effective project) at least. If the rewards had been lower the difficulty would have just been lower too.

Also, with the perpetual debasement it is debatable whether you can call the curve front-loaded, at least compared to say Bitcoin, which starts off with slower reductions but continues those reductions until the effect is to reduce later supply more quickly relative to early adopters. It is impossible to say you are even a 1% holder of "all" of Monero's supply since the supply is infinite.
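Added illustration of smooth's point above that an implementation flaw is visible when amounts are in the clear and the sum check is done right: a transparent-amount validator in the naive, wrap-prone form (the shape of the overflow bug he mentions) next to a hardened form that range-checks every amount and running total. This is example code written for this page, not code from the thread or from any coin's code base; MAX_MONEY and the sample amounts are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Cap on any single amount or running total (assumed constant for this
 * illustration, not a value taken from the thread). */
#define MAX_MONEY INT64_C(2100000000000000)

/* Naive check: accumulates with wrapping 64-bit arithmetic and only compares
 * the totals at the end. Two huge outputs wrap to a negative sum, so
 * sum(out) <= sum(in) "holds" and coins appear from nothing. */
bool naive_sums_ok(const int64_t *in, size_t n_in, const int64_t *out, size_t n_out)
{
    uint64_t sum_in = 0, sum_out = 0; /* unsigned so the wrap is well defined */
    for (size_t i = 0; i < n_in; i++)  sum_in  += (uint64_t)in[i];
    for (size_t i = 0; i < n_out; i++) sum_out += (uint64_t)out[i];
    return (int64_t)sum_out <= (int64_t)sum_in; /* signed compare after the wrap */
}

static bool amount_in_range(int64_t v) { return v >= 0 && v <= MAX_MONEY; }

/* Hardened check: every amount and every running total must stay inside
 * [0, MAX_MONEY], so no intermediate value can ever wrap. */
bool hardened_sums_ok(const int64_t *in, size_t n_in, const int64_t *out, size_t n_out)
{
    int64_t sum_in = 0, sum_out = 0;
    for (size_t i = 0; i < n_in; i++) {
        if (!amount_in_range(in[i])) return false;
        sum_in += in[i];
        if (!amount_in_range(sum_in)) return false;
    }
    for (size_t i = 0; i < n_out; i++) {
        if (!amount_in_range(out[i])) return false;
        sum_out += out[i];
        if (!amount_in_range(sum_out)) return false;
    }
    return sum_out <= sum_in;
}

/* Constructed samples: one input of 5e9 base units; two outputs whose 64-bit
 * sum wraps to 2^64 - 1000000 (reinterpreted as -1000000 when signed); and
 * an honest pair of outputs that spends exactly the input. */
static const int64_t SAMPLE_IN[]  = { INT64_C(5000000000) };
static const int64_t WRAP_OUT[]   = { INT64_C(9223372036854275808), INT64_C(9223372036854275808) };
static const int64_t HONEST_OUT[] = { INT64_C(4999990000), INT64_C(10000) };

bool wrap_passes_naive(void)      { return naive_sums_ok(SAMPLE_IN, 1, WRAP_OUT, 2); }
bool wrap_passes_hardened(void)   { return hardened_sums_ok(SAMPLE_IN, 1, WRAP_OUT, 2); }
bool honest_passes_hardened(void) { return hardened_sums_ok(SAMPLE_IN, 1, HONEST_OUT, 2); }
```

The naive validator accepts the wrapped outputs while the hardened one rejects them at the first out-of-range amount; with blinded amounts neither check is available to an outside observer, which is the visibility argument in the post.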