The ring signature is a little trickier: The cryptography itself is simple (I'll probably add a version using SECP256k1 to Sipa's libsecp256k1 once he figures out how he wants to handle hash functions for deterministic signing and schnorr signatures), but the overall implementation requires an additional spent coin set which is another UTXO-like data structure— this also isn't so bad, but it's completely incompatible with pruning. Effectively Bitcoin full nodes just need to track the currently spendable coins in order to validate blocks, spending coins reduces the set, creating outputs increases it. Right now that data is only about 300MBytes and it grows much more slowly than the blockchain (even with people gunking it up with forever unspendable data storage outputs). In the bytecoin approach transactions create spendable coins and transactions also create spent keys, there is no 'reduces'— it grows forever. Breaking pruning is a pretty big scalability hit in the long run. (Incidentally, all other cryptographic anonymity systems have similar long term scaling challenges)
As far as I understand CryptoNote, there is indeed a drawback of having to store the spent outputs in the block chain, but this is done through key images, which shouldn't be too large (I read it somewhere on forum.cryptonote.org, but couldn't find it immediately to prove it). In any case, there will always be full nodes capable of doing it, while some light nodes might depend on the former. There should be a scalability issue at some point, but not in the short term for sure. And yes, Zerocoin has potentially the same problems.
Do you think it is possible to make a soft/hard fork with 2 key points?
1) so that the ring signature doesn't use the keys, which are, let's say, more than a year old.
2) so that key images are stored more compactly, like in zerocash?
That could be a solution to the scalability issue.
That maybe it's just handing a mining hardware manufacturing monopoly to a near-duopoly of multiple billion dollar CPU making companies that have patent warchests that probably preclude competition? And then there is the advantage that botnet herders have… It's hard to say. I don't really believe "CPU mining" is actually possible— even if you somehow found a function that was suitable as a good POW but made perfect use of CPU hardware, you can usually get a factor of 2-10 in better (power, mfg) efficiency by cutting out fat (e.g. IO) and optimizing for mining use. Since mining is ideally perfect competition even 'small' advantages can push all the competition out of the market. This also applies to the R&D, a lot of CPU costs to customers are NRE— cost to Intel and AMD are much lower marginally.
I think the whole point is to make ASICs economically unviable. It will always be possible to create a special purpose device, which is cheaper than a CPU, but if the break even point is millions or billions of those devices per year, no manufacturer would even bother going into this business. I doubt you can restrict mining to CPU-only by design, but if you apply business considerations, this might actually work out.
It's not just the research, which would be costly. On the other hand, there are already billions of computers, which are suitable for CryptoNight PoW, while I'm not aware if there is any other device close to a standard CPU's speed.
Did you read about CryptoNight in general?
https://cryptonote.org/inside.php#equal-proof-of-work
By the way, the algos behind Bytecoin are somewhat complicated for my taste. Do you know if any of your colleagues or friends are related to the coin itself or CryptoNote's research? There is a crypto-lib by Daniel Bernstein, which is used in the source code, and also Adam Back has already been writing about Bytecoin for quite some time. Do you know them? Who else could be capable of creating Bytecoin?