I am trying to figure out what form a possible attack could potentially be.
This brings me some enjoyment as well, doing security engineering. I've a wicked mind, the whole world looks broken to me. There are cracks in everything, and all these candy-colored pots of gold everywhere are just free for the taking with no barrier other than these darned ethical handcuffs that keep me from grabbing them all.
It is so easy to design something that simply works, and so rare to design something that can't be broken simply, but those things are simply beautiful things.
I don't know if I understood the latest posts right, but:
Suppose that, in his private network, the attacker has tricked the Monero protocol to lower the difficulty to 1/2 of what would be appropriate for his hashpower. So he is capable of generating blocks with 30 sec mean gap, instead of 60 sec.
However, if the attacker finds a solution after t seconds, instead of posting it right away, he keeps mining for another t seconds. Then, among all solutions that he found, he posts the one with the smallest hash.
That way, the private blockchain still has 1 block every 60 seconds on average, so the protocol will not raise the difficulty. However, the complemented hashes will be higher than normal on average. So, the alternate blockchain, while just as long as the legitimate one, will probably have a greater "weight".
Would this attack (or a variation thereof) work?
Afaics, smooth is correct. There is no way to build a chain of hashes that has a greater sum of their modular additive inverses than your hashrate can generate, i.e. that metric is invariant w.r.t. the difficulty level. Thus as long as forks are measured by that metric, the longer one will always be the one with the greater hashrate (except for small probabilities of success with less hashrate) regardless of the relative difficulty rates.
Yes, the TW will fail against Monero's code in that context.
The next context was "Will it fail fast?" Essentially, if a TW were launched, even though it is doomed to not be the longest chain, would the time it takes to make that determination by the honest nodes (and thus not doing so much hashing) allow dishonest nodes to continue building on the TW chain, or even to just build on the good chain but win more blocks by essentially denying hashes to nodes busy with making this determination?
The distributed checkpointing allows for the ability to get all the honest nodes back to work even if there is a novel form of attack based on any type of chain forking attack, not just the TW, and further allows for self service of the solution.