I am probably not going to ultimately use RingCT. I think we can combine CN and CCT (one timers and compact conf tx (h/t Blockstream)), radically reducing the space that is needed and then dump proof of square this way. We are still working this out, but this just might be the ticket.
What is CN?
One time rings which mix the senders identities for untraceability
Are you talking about the linkable ring signatures used in
CryptoNote, which are based on the "Traceable ring signature" by Fujisaki and Suzuki?
Apparently according to
this Monero paper (warning PDF), the LWW ring signatures (Linkable Spontaneous Anonymous Group (LSAG) signatures by Liu, Wei, and Wong) are more space efficient than the FS ring signatures.
And I believe Compact Confidential Transactions were broken.
Right now I think that is just hearsay by btctalk "Poloniex Matthew" (a btctalk newbie)
After looking into it more carefully, it seems it was broken last year but was fixed.
Here is a better link explaining the original problem. Gregory Maxwell reported on June 24, 2015 that Andrew Poelstra was able to break the cryptosystem. A day later, Mixles (Denis Lukianov), the creator of CCT, commented that he updated the paper to fix the issue but because of it the proof was slightly less compact (but still much better than CT). The thread is really long and detailed so I just skimmed it, but it seems some other minor issues came up and were addressed, and then there was a
bigger issue and it seems that was
eventually addressed. However, of the four variants of CCT available as of that last update, 1 and 2 are non-starters because they require trust, 3 seems to not be interesting for our purposes either, and 4, which is the interesting one to consider, now has much larger proofs that are close to but I suppose still half the size of a CT proof that hides all 64-bits of the amount (but if only hiding 32 bits of the balance with CT is enough from a privacy perspective, then there doesn't seem to currently be any significant proof size advantage).
Given all of the above, I feel more comfortable sticking with regular CT for now. Especially considering that LSAG signatures have been adapted to work with CT by Monero devs (see the Monero paper I linked above) and an
implementation for it already exists.