L1 Blockchain (UTXO with Transparent + Shielded Pools: Sprout [deprecated], Sapling, Orchard)
Security Reference
Type
Cryptography
(Vulnerable)
What makes Zcash quantum-vulnerable: All cryptographic primitives across Zcash's pools rely on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP) (1). A cryptographically relevant quantum computer (CRQC) running Shor's algorithm can solve ECDLP efficiently. The consequences vary by primitive: breaking a signing scheme enables fund theft via forged spend authorization, breaking a proving system enables forged proofs and counterfeit supply, and breaking an encryption scheme enables retroactive decryption of private transaction data for any known address.
Transparent t-addresses: secp256k1 ECDSA, the same curve as Bitcoin, authorizes all transparent spends using P2PKH and P2SH script types. At-rest attack: any previously spent address has its public key permanently on-chain; a CRQC derives the private key at leisure and can spend the funds. On-spend attack: theoretically possible within the 75-second block window, but estimated at less than 1-in-1,300 success probability per the Google whitepaper (2).
Sprout (deprecated): Uses the shared Sapling trusted setup (3), EdDSA over Ed25519 for spend authorization, and SHA-256-based note commitments. EdDSA over Ed25519 is ECDLP-based and is broken by a CRQC. The shared trusted setup has the same toxic waste vulnerability as Sapling. Deprecated by ZIP 211 in 2020 (4): no new deposits are possible, approximately 25,424 ZEC remain (5), and a pause on the ability to spend Sprout funds is proposed for inclusion in NU7 (6).
Sapling: Groth16 over BLS12-381 proves transaction validity and balance (1). RedDSA over Jubjub authorizes spending and underpins address unlinkability (1). ECIES over Jubjub encrypts note contents to recipients (1). All three are ECDLP-based and broken by a CRQC. Additionally, the Groth16 trusted setup produced toxic waste, a secret recoverable by a CRQC that creates a permanent backdoor enabling stealthy supply inflation, potentially undetected by the turnstile mechanism. (2)
Orchard: Halo 2 over Pallas/Vesta proves transaction validity and balance without a trusted setup (1), eliminating Sapling's backdoor. RedPallas authorizes spending and underpins address unlinkability (1). DHAES over Pallas encrypts note contents to recipients (1). All three remain ECDLP-based and broken by a CRQC. A CRQC breaking Halo 2 soundness can forge valid proofs for invalid transactions, enabling note counterfeiting, supply inflation, and fund theft.
Attack Exposure
Transparent t-addresses use P2PKH and P2SH script types. Any previously spent transparent address has its public key permanently on-chain, making it fully exposed to at-rest attack (1). Approximately 70% of circulating ZEC is in transparent addresses as of 2026 (2).
Shielded addresses (Sprout, Sapling, and Orchard) are not exposed to at-rest attacks in the conventional sense. A CRQC cannot derive spending keys from on-chain data alone because shielded transactions do not expose public key material on-chain. However, a CRQC that knows a recipient's diversified address can recover the incoming viewing key via ECDLP, enabling retroactive decryption of historical notes and address linkability. Critically, Zcash's key hierarchy limits the damage: recovery of the incoming viewing key does not give the attacker the spending key, meaning funds cannot be stolen via this vector alone. Privacy breaks but fund security is preserved unless soundness is also broken. (1)
Attack Exposure
Given the 75-second block time and applying the Google Quantum AI paper's current CRQC estimates, the on-spend attack success probability is very low, about 1 in 1,300. (1)
Attack Exposure
Sapling uses Groth16 over BLS12-381 with a trusted setup (Powers of Tau ceremony). The ceremony produced toxic waste, a secret scalar that a CRQC can extract, giving any attacker a permanent and reusable capability to counterfeit notes and inflate the supply. (1) The only constraint is the Turnstile mechanism (2), which monitors net value entering and exiting each shielded pool. A sophisticated attacker operating within pool balance limits may never trigger detection. ZIP-2005 explicitly states that a balance violation occurring before protocols are switched off "would not necessarily be detected." (3)
Sprout also uses Groth16 and depends on the Sapling MPC trusted setup (4). However, Sprout is deprecated, holds approximately 25,424 ZEC (5), and a pause on the ability to spend Sprout funds is proposed for inclusion in NU7 (6). On-setup risk exists but is negligible given the pool size and the proposed spend pause.
Orchard eliminates this vector entirely as Halo 2 requires no trusted setup. Transparent addresses also have no trusted setup exposure.
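To make the Turnstile limitation concrete, here is an added example (not code from zcashd or any Zcash project) modelling what the Turnstile can and cannot observe. Consensus sees only the net value shielded into and unshielded out of a pool per transaction (the valueBalance), never the notes inside it, so the only invariant it can enforce is that the pool balance never goes negative. The scenario amounts, the three-event ordering and the zatoshi helper are constructed for illustration.

```python
# Added example, not code from Zcash or zcashd: a simplified model of the
# Turnstile check. Consensus sees only the net value flowing into and out of
# a shielded pool (the transaction's valueBalance), never the notes inside,
# so the only invariant it can enforce is "pool balance never goes negative".
from dataclasses import dataclass, field

ZEC = 100_000_000  # zatoshi per ZEC


@dataclass
class PoolState:
    balance: int = 0                              # zatoshi consensus believes are in the pool
    history: list = field(default_factory=list)   # (value_in, value_out, balance) per tx


def apply_transfer(state, value_in, value_out):
    """Apply one transaction's shielding (value_in) and unshielding (value_out)
    amounts, in zatoshi, to the pool. Returns False if the turnstile trips."""
    state.balance += value_in - value_out
    state.history.append((value_in, value_out, state.balance))
    return state.balance >= 0


def run_turnstile(events):
    """events: list of (value_in, value_out) in zatoshi, in chain order.
    Returns (trip_index, final_balance); trip_index is None if the pool
    balance never went negative, i.e. the Turnstile never detected anything."""
    state = PoolState()
    for i, (vin, vout) in enumerate(events):
        if not apply_transfer(state, vin, vout):
            return i, state.balance
    return None, state.balance


def counterfeit_scenario(honest_deposit, counterfeit, honest_withdrawal):
    """Constructed scenario matching the text's concern: `counterfeit` zatoshi are
    created inside the pool (invisible to consensus) and withdrawn before honest
    users withdraw `honest_withdrawal`. Returns True only if the Turnstile ever
    detects it; note that even then, detection comes after the counterfeit
    value has already left the pool."""
    events = [
        (honest_deposit, 0),     # honest users shield funds
        (0, counterfeit),        # counterfeit value leaves; to consensus it is a normal unshield
        (0, honest_withdrawal),  # honest users unshield later
    ]
    trip_index, _ = run_turnstile(events)
    return trip_index is not None


if __name__ == "__main__":
    # 30 ZEC of counterfeit against 100 ZEC deposited: undetected while honest
    # withdrawals stay at or below 70 ZEC, detected only once they exceed it.
    print(counterfeit_scenario(100 * ZEC, 30 * ZEC, 60 * ZEC))   # False
    print(counterfeit_scenario(100 * ZEC, 30 * ZEC, 100 * ZEC))  # True
```

The two runs show why the page says a balance violation "would not necessarily be detected": the counterfeit stays invisible as long as total withdrawals do not exceed total deposits, and when the invariant finally trips, the flagged transaction is an honest user's, not the attacker's.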
Attack Exposure
Every shielded transaction currently publishes two pieces of data on-chain permanently: an encrypted note ciphertext and an ephemeral public key used to derive the encryption key (1). The encryption itself uses ChaCha20/Poly1305, a quantum-resistant symmetric scheme, but the key is derived via ECDH from the recipient's incoming viewing key and the ephemeral private key (2). A CRQC that knows a recipient's diversified address can recover the encryption key and decrypt all historical notes to that address, including amounts and memos. (1)
All historical ciphertexts and ephemeral public keys are permanently on-chain and available to anyone who has run a full node. Nothing can retroactively remove what is already published. Historical transactions are permanently exposed for any address ever shared.
However, if a diversified address was never shared or exposed, a CRQC has no ECDLP target. The ciphertext alone does not reveal which key was used.
Status
1. Quantum Recoverability [ZIP-2005, Proposed] (1)
2. Quantum Privacy (Project Tachyon and ML-KEM) [research/design phase] (2)
3. Quantum Soundness and Legacy Protocol Shutoff [discussion/research phase] (2)
Solution
THREE TRACKS: all three must be complete for Zcash to be genuinely post-quantum.
TRACK 1: QUANTUM RECOVERABILITY (ZIP-2005, Status: Proposed May 2026)
Changes how Orchard note randomness (rcm) is derived for new v6 transactions, producing recoverable notes (leadByte 0x03 vs existing 0x02). Does NOT replace Halo 2 or make the protocol quantum-secure (1).
What it does: Creates the cryptographic preconditions for a future Recovery Protocol. If legacy Orchard is eventually switched off, users with 0x03 notes can prove ownership via a hash-based Recovery Statement rather than Halo 2 (Not yet implemented). Addresses the soundness/fund-theft problem only for migrated Orchard funds, only after the Recovery Protocol is deployed, and only if the legacy protocols are switched off before a CRQC acts.
What it does NOT do: Does not make the protocol quantum-secure. Does not address privacy of any kind (1). Does not address Sapling; Sapling funds will be permanently inaccessible when switched off (1). Does not address transparent funds. Does not specify the Recovery Protocol; design decisions are intentionally left open (1). Activation height: TBD.
Critical preconditions for recovery to actually work:
1. Wallet must be updated to produce 0x03 notes (2)
2. Funds must be actively migrated into 0x03 format via wallet-initiated self-spend (1)
3. Recovery Protocol must be designed, specified, implemented, audited, and deployed
4. Legacy protocols must be switched off via network upgrade before a CRQC acts
5. CRQC must not have roadblocked or stolen recoverable notes during the pre-switch window.
Implementation status as of May 21, 2026: Proposed, expected to be implemented in Jun 2026. (1)(7)
TRACK 2: QUANTUM PRIVACY (Project Tachyon and ML-KEM, Status: Research/design, no ZIP filed)
This track addresses Zcash's remaining quantum privacy vulnerability through two efforts: migrating shielded payments to out-of-band secret distribution (Project Tachyon), and replacing ECDH key exchange with ML-KEM, supported by a PIR-based address registry.
Tachyon:
Project Tachyon introduces oblivious synchronization and proof aggregation to scale shielded transactions. A required component is moving from in-band secret distribution to out-of-band channels. Once wallets have migrated, on-chain ciphertexts can be removed from the protocol entirely. Tachyon removes ECDH-encrypted note data from the chain but does not replace ECDH as the encryption scheme. ML-KEM or another scheme is required to close the existing vector where a CRQC knowing a recipient's address could still recover the incoming viewing key via ECDLP in the off-chain channel (5)(6).
Quantum privacy benefit: Removing in-band ciphertexts eliminates the harvest-now-decrypt-later attack surface on note contents (4). This is primarily a scaling change; the quantum privacy improvement is a byproduct.
Trade-off: Users can no longer rely on the blockchain and seed phrase alone for fund recovery, view key sharing, or public donation-style addresses. Additional wallet infrastructure will be required.
ML-KEM + PIR-Based Address Registry
Replaces ECDH key exchange with ML-KEM-768. Unlike Tachyon, ML-KEM adoption is a wallet-level change and does not require a network upgrade.
Why this matters: A quantum adversary who knows a user's shielded address can solve the discrete logarithm problem to recover the incoming viewing key, decrypting incoming payments and breaking unlinkability across all diversified addresses for that wallet. ML-KEM closes this vector for future addresses.
Technical challenge: ML-KEM-768 public keys are too large compared to current address sizes. Solutions: (1) Users register their ML-KEM public key; receive a 32-byte hash as their identifier. (2) Senders retrieve the recipient's full public key via Private Information Retrieval (PIR), which prevents the registry from learning which key was queried.
This remains in the research and design phase. No ZIP has been filed and no activation height has been set.
What This Track Does Not Do: Does not retroactively protect historical transactions or previously shared addresses. Does not address soundness (counterfeiting/theft risk).
TRACK 3: QUANTUM SOUNDNESS (Halo 2 replacement, Status: Unsolved research problem)
What it does: Replaces Halo 2 with a post-quantum recursive SNARK. A CRQC breaking discrete log hardness over Pallas/Vesta breaks Halo 2 soundness, enabling proof forgery, note counterfeiting, arbitrary supply inflation, and fund theft. Replacing the proof system closes this vector. It is also the activation event for the Recovery Protocol from Track 1.
Current state: No proof system selected, no Zcash-specific implementation exists. LatticeFold+ is the leading research candidate to replace Halo 2 (5).
Timeline: No ZIP filed, no proof system selected, no activation height set.
Unaddressed Component as of May 2026:
TRANSPARENT FUNDS (~70% of circulating ZEC): No fix across any track, other than migrating to the recoverable note format in the Orchard pool. Separate problem analogous to Bitcoin's challenge.
Schemes
No PQ signature scheme has been definitively selected or deployed yet for mainnet.
1. Quantum recoverability (Track 1): No PQ scheme needed. (1)
2. Quantum privacy (Track 2): ML-KEM under active testing for note encryption key encapsulation to replace ECDH key exchange. (2)
3. Quantum Soundness (Track 3): LatticeFold+ in discussion to replace Halo 2 proof. (2)
Milestones & Dates
Mar 5 2025: Daira-Emma Hopwood presents Post-Quantum Zcash at ZconVI, public analysis of all three quantum attack vectors.
Mar 31 2025: ZIP-2005, Quantum Recoverability, published by Daira-Emma Hopwood and Jack Grigg.
Apr 2 2025: Sean Bowe publishes Tachyon blog, introduces oblivious synchronization and out-of-band payments.
Apr 28 2026: ZIP-2005 reaches Proposed status.
Upcoming / Target Dates
Jun 2026: Quantum-recoverable wallet support targeting deployment of ZIP-2005 (5)
2026+: ML-KEM integration targeting Tachyon shielded pool, contingent on PIR registry shipping first (6)
Post 2027+: No date determined yet for quantum soundness / fully post-quantum
Completion
1. Quantum Recoverability (ZIP-2005 wallet support): ~June 2026 (1). Note: wallet shipping ≠ network activation. Activation height TBD (2).
2. Post-quantum privacy (Tachyon + ML-KEM): No definitive target completion date shared yet.
3. Post-quantum soundness / Fully "Quantum Proof": Likely sometime after 2027. No credible timeline.
Activation
Track 1: (Quantum Recoverability) ZIP-2005:
a) Phase 1 (Targeted for June 2026): No network upgrade or consensus change required. Wallets update to produce 0x03 notes for internal/change addresses immediately. (1)(2)
b) Phase 2 (pre-NU7, small targeted node release): A minimal node software release, not a full coordinated network upgrade, will set the constant ZIP2005ActivationHeight. After this block height nodes will enforce the new allowedLeadBytes rules. (1)
c) NU7 / v6 Transaction: Once NU7 activates, v6 transactions will require the recoverable 0x03 format for all Orchard note plaintexts. ZIP-2005 is a hard prerequisite for NU7. (1)
d) Full Quantum Recoverability (Future Step: No Timeline): Phases 1 and 2 only prepare the notes. Actual recovery of funds will require an additional Recovery Protocol plus a post-quantum proof system. That event has no scheduled date.
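Both the Track 1 preconditions (wallets must emit 0x03 notes and migrate legacy 0x02 funds into them) and the phased activation above come down to one wallet-side question: which of my unspent Orchard notes are already in the recoverable format, and which still need a self-spend before legacy protocols are switched off? The following is an added example, not code from ZIP-2005, zcashd or any Zcash wallet. It assumes the standard 564-byte Orchard note plaintext layout (leadByte || d || v || rseed || memo) and uses a constructed placeholder activation height; the exact allowedLeadBytes policy (both bytes accepted before activation, only 0x03 from activation on) is an assumption stated in the code, since ZIP2005ActivationHeight is still TBD.

```python
# Added example (not code from ZIP-2005 or any Zcash wallet): audit decrypted
# Orchard note plaintexts for the legacy (0x02) vs recoverable (0x03) lead byte
# and apply a height-based allowedLeadBytes rule at note receipt.
import struct

ZEC = 100_000_000          # zatoshi per ZEC
LEAD_LEGACY = 0x02         # existing Orchard note plaintext lead byte
LEAD_RECOVERABLE = 0x03    # recoverable format proposed by ZIP-2005
NOTE_PLAINTEXT_LEN = 1 + 11 + 8 + 32 + 512   # leadByte || d || v || rseed || memo
ACTIVATION_HEIGHT_EXAMPLE = 150  # placeholder; the real ZIP2005ActivationHeight is TBD


def build_note_plaintext(lead, d, value_zat, rseed, memo=b""):
    """Assemble a 564-byte note plaintext from its fields (constructed test data only)."""
    if len(d) != 11 or len(rseed) != 32 or len(memo) > 512:
        raise ValueError("bad field length")
    return bytes([lead]) + d + struct.pack("<Q", value_zat) + rseed + memo.ljust(512, b"\x00")


def parse_note_plaintext(np):
    """Split a note plaintext into its fields; value is 8 bytes little-endian."""
    if len(np) != NOTE_PLAINTEXT_LEN:
        raise ValueError("note plaintext must be %d bytes" % NOTE_PLAINTEXT_LEN)
    return {
        "lead": np[0],
        "d": np[1:12],
        "value": struct.unpack("<Q", np[12:20])[0],
        "rseed": np[20:52],
        "memo": np[52:],
    }


def allowed_lead_bytes(height, activation_height):
    """ASSUMED policy for this example: before activation a wallet accepts both
    formats (Phase 1 wallets already emit 0x03 without a consensus change);
    from ZIP2005ActivationHeight on, only recoverable notes are accepted."""
    if height < activation_height:
        return {LEAD_LEGACY, LEAD_RECOVERABLE}
    return {LEAD_RECOVERABLE}


def audit_notes(notes, activation_height):
    """notes: list of (plaintext, received_height, spent). Returns zatoshi held in
    recoverable and legacy unspent notes, the indices that still need a
    migration self-spend, and the indices rejected by the lead-byte rule."""
    report = {"recoverable_zat": 0, "legacy_zat": 0, "needs_migration": [], "rejected": []}
    for idx, (np, received_height, spent) in enumerate(notes):
        note = parse_note_plaintext(np)
        if note["lead"] not in allowed_lead_bytes(received_height, activation_height):
            report["rejected"].append(idx)
            continue
        if spent:
            continue
        if note["lead"] == LEAD_RECOVERABLE:
            report["recoverable_zat"] += note["value"]
        else:
            report["legacy_zat"] += note["value"]
            report["needs_migration"].append(idx)
    return report


def sample_notes():
    """Constructed wallet contents: diversifier and rseed are zero placeholders."""
    d, rseed = bytes(11), bytes(32)
    return [
        (build_note_plaintext(LEAD_LEGACY, d, 5 * ZEC, rseed, b"legacy, unspent"), 100, False),
        (build_note_plaintext(LEAD_RECOVERABLE, d, 2 * ZEC, rseed, b"already migrated"), 120, False),
        (build_note_plaintext(LEAD_LEGACY, d, 1 * ZEC, rseed), 100, True),      # spent, ignored
        (build_note_plaintext(LEAD_LEGACY, d, 3 * ZEC, rseed), 200, False),     # 0x02 after activation
    ]


if __name__ == "__main__":
    print(audit_notes(sample_notes(), ACTIVATION_HEIGHT_EXAMPLE))
```

Run as-is, the audit reports 2 ZEC already recoverable, 5 ZEC in a legacy note that needs a wallet-initiated self-spend, and one note rejected because it carries the legacy lead byte after the assumed activation height. The migration list is the operational artifact: until it is empty, the funds it names are outside the scope of any future Recovery Protocol.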
Track 2: Quantum Privacy (Tachyon + ML-KEM):
No ZIP filed yet for any component. Work is still in research and early design phase. Tachyon requires one or more dedicated network upgrades. ML-KEM requires the off-chain PIR registry infrastructure to ship first and is a wallet-level change requiring no network upgrade.
Track 3: Post-Quantum Soundness and Legacy Protocol Switch-Off:
Requires selecting, implementing, auditing, and deploying a post-quantum proof system. Once ready, a network upgrade will switch the protocol to the new PQ proofs and permanently disable legacy shielded protocols. No timeline or activation height set.
Note: Zcash protocol changes are governed by the ZIP process and activated at a predetermined block height once node software implementing the upgrade achieves sufficient adoption. Community sentiment polling informs but does not determine inclusion.
Docs