How difficult is it to find a 128-bit hash collision, sane hash function assumed? For example, sha256 truncated to 128 bits. On a quick thought it feels pretty much impossible.
So yeah if you care about the security of a crypto currency, this 2^64 collision attack is very doable and unacceptable. The rule of thumb in crypto is to aim at making attacks cost at least 2^128.
The good news here is that a Zcash team member found this weakness in the Zcash protocol and it's being fixed before it ships.
Kudos to the Zcash team for employing aggressive internal security auditing.
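The 2^64 figure discussed above is the birthday bound: an n-bit hash yields a collision after roughly 2^(n/2) evaluations, not 2^n. The following is an added example, not code from the thread or from Zcash, which measures that scaling on SHA-256 truncated to small widths and extrapolates to 128 bits; the function names and the message prefix are illustrative assumptions.

```python
import hashlib
import math


def truncated_sha256(msg: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-256(msg) as an integer."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"constructed-sample-"):
    """Table-based birthday search over counter-derived messages.

    Returns (msg_a, msg_b, hashes_computed) where the two distinct
    messages share the same truncated hash. `prefix` is a constructed
    sample value, not taken from any real protocol.
    """
    seen = {}  # truncated hash -> first message that produced it
    counter = 0
    while True:
        msg = prefix + str(counter).encode()
        tag = truncated_sha256(msg, bits)
        counter += 1
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg


def expected_hashes(bits: int) -> float:
    """Birthday estimate: about sqrt(pi/2 * 2^bits) hashes for a collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def survey(widths=(16, 24, 32)):
    """Measure the search cost at several small widths."""
    return [(b, find_collision(b)[2], expected_hashes(b)) for b in widths]


if __name__ == "__main__":
    for bits, measured, estimate in survey():
        print(f"{bits:3d} bits: measured 2^{math.log2(measured):.1f} hashes, "
              f"estimate 2^{math.log2(estimate):.1f}")
    # Same formula at the width asked about in the thread.
    print(f"128 bits: estimate 2^{math.log2(expected_hashes(128)):.1f} hashes")
```

Each 8 extra bits of output multiplies the measured work by about 16, not 256, which is why a 128-bit truncation offers only about 64 bits of collision resistance.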
And anyone doing an early release will need to handle the initial parameter selection which has to be done publicly/securely to convince people that the private key toxic waste (that would theoretically allow counterfeiting) wasn't retained.
They are planning a secure multiparty computation that never creates the private key in usable form provided that at least one of the n parties follows the procedure correctly. This again relies on expert consensus that the process is secure.
On a side note, this is likely to produce some fun spectacle: I fully expect someone involved will try to verify they destroyed their private key share by live streaming the generation process then immediately and totally destroying the equipment involved.
People will probably wait for the official Zcash launch because they trust the Zcash team to launch a secure network and (importantly) to maintain the network going forward. In some ways this is like a Schelling point, where people will wait for the official network because they expect other people will wait for the official network, and so on.
(I haven't followed all details of Zcash, and remain unconvinced that it would actually be a good thing if Zcash succeeded - note that Bitcoin hasn't so much brought a new libertarian era of free thought as ransomware, hacking and old-fashioned crooks.)