In a keybase grincoin.teams.node_dev#research discussion, phyro wondered whether MW could have built in protection against rogue key attacks on kernel aggregation and I thought that since
sum of UTXO commitments ==
sum of kernel commitments + kerneloffset * G + (height+1) * 60e9 * H
the former being rogue-key-proof (because utxo range proofs are also proofs of knowledge of blinding factor) should make the latter rogue-key-proof as well.
So one may not need to store all the public excesses after all.
I hope some cryptographer like Andrew Poelstra or Dan Boneh can weigh in on this…