Board Archival
Re: delete
by TheFascistMind on 04/10/2014, 10:52:32 UTC
Mixing, whether it be done by centralized exchanges or by large anonymity sets, increases the threat of a domino cascade

Exchanges are just an example of a commerce transaction...

Incorrect. The distinction is that an exchange acts (by its Terms of Service) as an unallocated pool for all participants, thus it warrants that every coin in the pool is fungible, whereas without explicit anonymity mixing a vendor spends a traceable coin on a transparent block chain and the trail of culpability stays only with that coin, not mixed with all the other coins spent to that vendor.

Quote
Blacklisting entire anonymity sets is legally and politically plausible

It is largely useless, since you are blacklisting coins that might well have already been spent...

...because you would be blacklisting many and even most coins after some rounds of mixing.

I am contemplating that you effectively imply rings may be so radically cross-mixed that blacklisting anything blacklists everything.

Note the algorithm I did for the bounty. If that algorithm is worthy, then it appears the mixing is going to need to be much less overlapping, otherwise anonymity is lost. So we might discover that blacklisting is viable for Cryptonote because either we mitigate, which means less ring overlap, or some of the rings are de-anonymized.

Thus I maintain, "the jury is out, we need more study".

There is a very narrow window of opportunity to actually know whether coins are unspent, before they are used by anyone in a mix. And once they are used, it is only a short time from there before exponential spreading means they are then mixed all over the place and downstream blacklisting is impractical.

A significant feature of ring signatures is the spender decides (i.e. has autonomy of) what to mix with, thus the authorities can make the spenders culpable for mixing with blacklisted anonymity sets. If blacklisting one coin blacklists the entire block chain then as new coins are mined, spenders might choose not to mix them at all.

If we are speculating, then, heck, the US Justice Department is attacking UBS and the entire nation of Switzerland; surely they aren't afraid to attack all the users of a $5 million market cap anonymous coin, or even all the users of a $10 billion market cap coin.

This is why I stated upthread that IMO the key issue is what the authorities can actually enforce. If the miners are too decentralized and anonymous (and note mining is not even anonymous in XMR) and spenders have no control over whom they mix with, who will the authorities attack?

I thought about it in April when rpietila first asked me about Bitmonero, and I liked the non-simultaneity (autonomy) and the cryptographic clarity (e.g. no dubiously underspecified DRK masternodes, though this has since potentially become muddled, but the jury is out), but I disliked every other aspect of ring signatures (as I enumerated upthread). Now, with the algorithm I presented for the bounty, I am thinking the spender is not even fully autonomous in choosing the public keys in his/her ring, but we don't yet have a working characterization of that algorithm, thus, "the jury is out, we need more study".

Quote
because with a crack on private keys only the attacker can double-spend his coins

Or did you mean "without"?

Correct.

That being the case, what you said is untrue. Anyone can double spend, simply by spending on whatever fork does not survive...

I've already covered my proposed solution to this in detail in the Longest Chain Rule thread in the Developers subforum. I don't want to repeat what I've already argued there about how to handle forks. Apparently gmaxell disagreed with me, but he refused to tell me why. Also, I've done some additional thinking about that since, but my thoughts are not loaded in my mind at the moment and I don't want to go digging right now.
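The two mechanisms argued over in the post above, exponential spreading (one blacklisted output taints every ring that references it and every ring downstream of those, so blacklisting quickly covers most of the chain) and spender autonomy (a spender who refuses to ring with blacklisted outputs keeps the taint from spreading at all), can be made concrete with a toy simulation. This is an added example, not code from the post, the thread, or any CryptoNote implementation. Everything in it is a constructed assumption for illustration: the transaction graph and output ids, the round and ring sizes, and the conservative observer rule that an output is tainted whenever any member of its ring is tainted (because the observer cannot tell the real spend from the decoys).

```python
"""Toy model of blacklist taint spreading through ring-signature mixes.

Added illustration only; not from the post or any CryptoNote codebase.
Constructed assumptions: every non-mined output has a ring of earlier
outputs; an observer treats an output as tainted if ANY ring member is
tainted; ids, round sizes and ring sizes are made up for the demo.
"""
import random
from typing import AbstractSet, Dict, List, Set

# output id -> ring members it was spent from ([] means freshly mined)
Chain = Dict[str, List[str]]


def build_chain(n_rounds: int, per_round: int, ring_size: int,
                avoid: AbstractSet[str] = frozenset(), seed: int = 1) -> Chain:
    """Build a constructed transaction graph. Round 0 outputs are mined (empty
    ring); every later output's ring samples `ring_size` distinct earlier
    outputs. `avoid` models spender autonomy: those outputs are never chosen
    as ring members by anyone."""
    rng = random.Random(seed)
    chain: Chain = {}
    prior: List[str] = []
    for r in range(n_rounds):
        fresh: List[str] = []
        for i in range(per_round):
            oid = f"r{r}o{i}"
            pool = [o for o in prior if o not in avoid]
            chain[oid] = rng.sample(pool, ring_size) if len(pool) >= ring_size else []
            fresh.append(oid)
        prior.extend(fresh)  # extend after the round so rings only reference earlier rounds
    return chain


def propagate_taint(chain: Chain, blacklist: AbstractSet[str]) -> Set[str]:
    """Conservative observer rule: an output is tainted if it is blacklisted or
    any member of its ring is tainted. A single forward pass is enough because
    `chain` is insertion-ordered and every ring member predates its output."""
    tainted: Set[str] = set(blacklist)
    for oid, ring in chain.items():
        if oid not in tainted and any(m in tainted for m in ring):
            tainted.add(oid)
    return tainted


def taint_by_round(chain: Chain, tainted: AbstractSet[str]) -> List[float]:
    """Fraction of each round's outputs (ids of the form r<round>o<idx>) that are tainted."""
    rounds: Dict[int, List[str]] = {}
    for oid in chain:
        rounds.setdefault(int(oid[1:oid.index("o")]), []).append(oid)
    return [sum(o in tainted for o in rounds[r]) / len(rounds[r]) for r in sorted(rounds)]


# Small hand-built graph (constructed) so the rule can be checked by eye:
# m0, m1 mined; t0 rings {m0, m1}; t1 rings {m1}; u0 rings {t1}.
HAND_CHAIN: Chain = {"m0": [], "m1": [], "t0": ["m0", "m1"], "t1": ["m1"], "u0": ["t1"]}


def demo() -> dict:
    exact = propagate_taint(HAND_CHAIN, {"m0"})  # only t0 ever touched m0
    # Nobody avoids anything: taint from one mined output spreads round by round.
    mixed = build_chain(n_rounds=8, per_round=20, ring_size=3)
    spread = propagate_taint(mixed, {"r0o0"})
    # Spender autonomy: every spender refuses to ring with the blacklisted output.
    careful = build_chain(n_rounds=8, per_round=20, ring_size=3, avoid={"r0o0"})
    contained = propagate_taint(careful, {"r0o0"})
    return {"exact": exact,
            "spread_by_round": taint_by_round(mixed, spread),
            "contained": contained}


if __name__ == "__main__":
    out = demo()
    print("hand-built chain, blacklist {m0} taints:", sorted(out["exact"]))
    for r, frac in enumerate(out["spread_by_round"]):
        print(f"round {r}: {frac:.0%} of outputs tainted")
    print("with autonomy the tainted set stays:", sorted(out["contained"]))
```

The hand-built graph shows the rule exactly; the seeded random graph shows the trend the post describes (the tainted fraction climbs from one output in round 0 toward most of each later round), and the `avoid` run shows that as long as no spender includes the blacklisted output in a ring, the observer's taint set never grows beyond the blacklist itself.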