Re: Gold collapsing. Bitcoin UP.
by TPTB_need_war on 04/07/2015, 02:15:14 UTC
Board: Speculation
> You are assuming a cryptographic break, I'm not, which is why I mentioned the cryptographic issue with key images.

Yes but my point was and is to compare relative risk of such in CN and CCT.

> There is also the case of an implementation flaw that would (or at least could) be more readily apparent in a system that maintains visibility on sum(in) <= sum(out).

My point was and is that the failure would be no more apparent in CN than CCT. There is no way to distinguish in CN if a ring has been double-spent until the same set of addresses in the ring have been spent as many times as there are in the ring ("saturated"), but before then the double-spend was done and not seen. Thus the clever attacker could use large rings and only double-spend that particular ring once. For as long as Monero doesn't implement my suggestion to force ring groups, then not only is it (to an unquantified, perhaps unlikely, degree) vulnerable to combinatorial unmasking of anonymity, it is also more vulnerable to double-spending going undetected in the unlikely event of a cryptographic break.

> In practice, failures of mature cryptographic assumptions occur much less frequently than implementation flaws. Bitcoin has had the latter (overflow bug) but not the former. Likewise Zerocash (if it existed) would have recently failed due to the latter (libsnark bug).

I am not arguing against that, just whether the underlying cryptographic assumptions that protect against double-spending are not different in CN vs. CCT for example.

> Anyway, a few different approaches comparable to CT in effect and performance are being looked at for Monero. One I believe does not require any protocol changes.

I am aware of the proposed one that mixes all the transactions in the block. But afaics, that violates the end-to-end principle (autonomy) of one-time ring sigs.

> Also, TPTB, I disagree with your assertion that some benefit was obtained from a "front loaded" curve in Monero. In practice what happened is that the difficulty simply skyrocketed as the coin became popular. There was still no real opportunity for developers or other early adopters to vacuum up cheap coins, after the first few weeks (or more like one week, during which it wasn't even clear there was going to be an organized and effective project) at least. If the rewards had been lower the difficulty would have just been lower too.

I am not arguing "a benefit per se" (people invest hopefully to benefit themselves), rather just comparing how it is not much different than an ICO (disparagingly referred to as a "premine"), except for the differences and ramifications thereof I enumerated.

> Also, with the perpetual debasement it is debatable whether you can call the curve front-loaded, at least compared to say Bitcoin.

So does that mean you all won't disparage a coin launched with an ICO that also has perpetual debasement?

My point is I'd prefer we stay focused on the features and development effort on a coin.