How do you trust Zerocash, when the NSA could serve the creators of the setup parameters with a national security gag order on the eve of the public ceremony?
There are other advanced technical means that might be used to intercept the setup parameters even at such a ceremony, e.g. the NSA can reprogram the microcode of CPUs using built-in backdoors, and there is technology for jumping the air gap and intercepting the computations inside the computer.
And we will never know if the money supply is being inflated away since the money supply is invisible.
Potentially there is an alternative means of employing Zerocash in an altcoin which could ameliorate the above problem.
If a new Zerocash instance were created periodically, and users were allowed to mint instance coins and then unmint (cash out) within a fixed period of time for each instance, then it would be clear if the output (cashed-out) money supply was greater than the input (minted) money supply.
Since the creator of the setup parameters is unable to break the anonymity, anyone could create the setup parameters and if the money supply doesn't match after the instance is terminated, then that entity would no longer be trusted.
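As an added illustration (not code from the original post), the following Python models the per-instance audit described above: only the public mint and cash-out totals for each instance window are tallied, shielded transfers inside the instance stay invisible, and any instance whose cash-outs exceed its mints marks its setup as untrusted. Instance ids, windows and amounts are constructed sample data.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Instance:
    """One periodic Zerocash instance with a fixed mint/cash-out window (hypothetical model)."""
    instance_id: int
    opens_at: int   # first block height at which mints and cash-outs are accepted
    closes_at: int  # last block height at which a cash-out is accepted

# Constructed instances: each one is open for 100 blocks.
INSTANCES = [Instance(1, 100, 199), Instance(2, 200, 299), Instance(3, 300, 399)]

# Constructed public event stream: (instance_id, block_height, kind, amount).
# Shielded transfers inside an instance are deliberately absent: the auditor cannot see them.
EVENTS = [
    (1, 100, "mint", 50), (1, 120, "mint", 25), (1, 180, "unmint", 40), (1, 190, "unmint", 35),
    (2, 200, "mint", 10), (2, 250, "unmint", 10), (2, 260, "unmint", 5),   # 15 out of 10 in
    (3, 300, "mint", 20), (3, 420, "unmint", 20),                            # cash-out after close
]

def _in_window(windows, inst_id, height):
    w = windows[inst_id]
    return w.opens_at <= height <= w.closes_at

def audit_instances(instances, events):
    """Return {instance_id: (minted, cashed_out, inflated)} using only the public totals."""
    windows = {i.instance_id: i for i in instances}
    minted, cashed = defaultdict(int), defaultdict(int)
    for inst_id, height, kind, amount in events:
        if not _in_window(windows, inst_id, height):
            continue  # outside the fixed period: does not count toward this instance's supply
        if kind == "mint":
            minted[inst_id] += amount
        elif kind == "unmint":
            cashed[inst_id] += amount
    # Inflation is detectable only as "more came out than went in"; who did it stays hidden.
    return {i: (minted[i], cashed[i], cashed[i] > minted[i]) for i in windows}

def late_cashouts(instances, events):
    """Cash-outs submitted after an instance closed; they must be rejected, not paid."""
    windows = {i.instance_id: i for i in instances}
    return [e for e in events if e[2] == "unmint" and not _in_window(windows, e[0], e[1])]

def untrusted_setups(instances, events):
    """Instance ids whose setup-parameter creator loses trust after the instance terminates."""
    return sorted(i for i, (_, _, bad) in audit_instances(instances, events).items() if bad)
```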
However there are still several things I don't like about this:
1. The complex, unvetted new crypto could still potentially be broken by cryptanalysis over time (and the entire public history of anonymity would then suddenly be revealed to the adversary).
2. What to do if an instance's output money supply doesn't match the input? Ban all those coins? Yuk!
3. The entire thing rests on building reputations and reputation is a slippery slope to centralized hell: