[madars]

> a trusted initial accumulator that can ruin the anonymity for everyone forever

This is false: even if somebody compromises the initial setup (which, if implemented using the proposed MPC protocol, would require compromising every single participant; compromising n-1 parties doesn't do anything), the system continues to enjoy the same zero-knowledge guarantees. Compromised setup or not, in Zerocash the anonymity set is all participants of the system.

[plasticmachine]

On further consideration I agree with you. Knowledge of the accumulator would merely allow for the arbitrary creation of forged spends that appear valid, but the rest of the system would still remain opaque (much to its detriment in this instance).

Also there is nothing so suggest that a clever MPC will solve the collusion problem. Of course the participants will make claims about their honesty, but if ZeroCoin is worth massive amounts of money the temptation to seek collusion will be there.

Of course, whilst it's true that some participants might stick to their proverbial guns, what is going to prevent a motivated state-level attacker from monitoring as many participants as they can during the computation? Then they only need to compromise the handful that they couldn't monitor, and for that they have rubberhose cryptanalysis.

[ewillbefull]

The way you phrase it makes it seem like the parties involved are perpetually at risk of being compromised, as though they must retain and store the secrets necessary for parameter generation forever. When in fact it will be done once, and well in advance of any significant value in the currency which would incentivize crazy government yatta yatta.