Zcash publicly names every primitive in active use across transparent and shielded pools.

Every signature, every shielded-proof soundness, every note-encryption KDF input is classical-EC. No PQ primitive deployed on mainnet.

0 PQ families on mainnet. All deployed primitives are EC-DL or pairings-based; symmetric primitives weakened by Grover. Cryptographic-Diversity Cap (lattice-monoculture) does not apply because no lattice family is deployed either.

ECDSA-secp256k1 ≈ 128-bit classical, broken by Shor (no NIST PQ category); Jubjub/Pallas/Vesta ≈ 128-bit classical, Shor-break; BLS12-381 ≈ 128-bit classical, Shor-break-via-pairings. No deployed primitive maps to a NIST PQ category 1-5.

Halo 2 audited by Trail of Bits at NU5; March 2026 ZCG grant application by Veridise to formally verify the five Orchard gadgets and ZIP 224 in Lean 4, under review, $201,600 / 18 months. constant_time: librustzcash/zebrad implement constant-time arithmetic over Pasta. library_provenance: zcashd (deprecated end-of-life), zebrad (Zcash Foundation Rust node), librustzcash, halo2, multi-implementation. Cryptanalytic tier: Tier 1-2 (ECDSA classical; Halo 2 IPA Tier 3 research-grade in proof-system terms).

Transparent ZEC pool uses ECDSA-secp256k1 with full pubkey reveal at spend (P2PKH). Mempool reveal is observable. Shielded spends do not reveal a public key per se, but the spending authorization signature is RedDSA over Pallas (Orchard) or RedJubjub (Sapling), both classical-DL, Shor-forgeable. Reused transparent addresses and any Sapling/Orchard spend with publicly-revealed Halo2 verification key components lose forgery resistance post-Shor.

~9.5 years of unmoved transparent-pool ZEC at P2PKH/P2SH. Shielded pools (Sprout deprecated, Sapling, Orchard) hold notes whose spend authority is Pallas/Jubjub-bound and Shor-vulnerable. Lost coins are non-trivial (early-mining era cold storage).

Every historical Zcash signature back to genesis 2016-10-28 is forgeable post-Shor: transparent ECDSA, Sapling RedJubjub, Orchard RedDSA-Pallas. No SNARK-rescue mechanism is currently architected.

Validator gossip / RPC TLS uses standard X25519 / AES-GCM. No hybrid PQ KEM deployed.

CRITICAL. Every shielded note from 2016 onward is a ChaCha20-Poly1305 ciphertext blob stored on-chain, with the symmetric key derived via ECDH on classical curves (Jubjub for Sapling, Pallas for Orchard). A future quantum adversary executing Shor against the recipient's diversified transmission key can decrypt every historical shielded note ciphertext, recovering note value, recipient diversifier, and memo field. The 30-pt sub-score is the most significant single finding for Zcash. Mitigation pathway: Project Tachyon, proposed (not ratified, not on testnet), moves to oblivious synchronization, removing note ciphertext from the chain entirely. ML-KEM (Kyber) under active testing for note encryption.

Shielded pool (Orchard) hides sender, recipient, and amount via zk-SNARK proofs. Transparent pool exposes graph fully. Shielded-to-transparent boundary leaks amounts. ZEC has measurable but minority shielded usage; transparent activity remains common. Strong-but-not-mandatory (Monero defaults all txs to ring-sig + RingCT).

(i) Top-3 RPC: ECC-operated and Zcash Foundation nodes, plus YWallet/Zashi-bundled servers. No published fraction; community-operated nodes exist. (ii) Mempool gossip: Bitcoin-derived gossip protocol, observable to peers. (iii) Validator metadata retention: undeclared (partial, node operators are independent, no formal policy).

Until 2026-04-24, Zcash had no native cross-chain bridge. THORChain enabled native ZEC swaps starting 2026-04-24, non-custodial without wrapping. Shielded-to-transparent unshield is required to enter THORChain liquidity, leaking that amount and timing. No mainstream wrapped-ZEC bridge in production.

CRITICAL FINDING. Halo 2 IPA over Pallas/Vesta is discrete-log-secure, not PQ-secure. A future quantum adversary breaks the soundness of every historical Orchard proof and the PK encryption protecting every Sapling/Orchard note ciphertext. Result: retroactive de-anonymization of every shielded transaction back to 2016-10-28 genesis. The Sapling protocol layer adds a second exposure: BLS12-381 pairings + Groth16 are also Shor-broken. Project Tachyon's oblivious-synchronization design is the only mitigation under discussion, research-staged, no testnet.

No structural mix-network. The shielded pool itself is the anonymity set (commit-reveal-style anonymity via zk-SNARK), but is not a mix-network with cover traffic. No cMix-class IT-secure shuffling. Off-chain wallet-side mixing (Zashi default behavior, transparent-address rotation in Q4 2025 roadmap) is wallet-policy-level mitigation, not protocol-level.

Every Sapling/Orchard note encrypted with ChaCha20-Poly1305 + ECDH on classical curves (Jubjub/Pallas). Tachyon design proposes to remove note ciphertext from the chain entirely (research-staged). ML-KEM 'active testing' for note encryption. Status: 'announced research, no testnet, no mainnet.' 3/20 = announced, not yet on testnet.

Zcash has demonstrated cryptosystem migration: Sprout (BCTV14 zk-SNARK) → Sapling (Groth16 + BLS12-381 + Jubjub, NU2 2018-10-28) → Orchard (Halo 2 IPA + Pasta, NU5 2022-05-31). Each was a hard fork via the Network Upgrade Pipeline. Hot-swap without hard fork is not architected, every cryptosystem transition required a new shielded pool.

No account-abstraction stack; PoW chain with viewing-keys + spending-keys architecture. Orchard ivk/ovk/dk separation supports a partial key-rotation primitive (rotate diversified addresses), but spend-authority rotation requires new note creation. Q4 2025 ECC roadmap includes 'Transparent Address Rotation Feature' (auto-generates new transparent address after each receive). Client-layer PQC path (Tachyon, ML-KEM testing) is announced research, not deployed.

Eight network upgrades executed without contested fork: Overwinter (NU1), Sapling (NU2), Blossom, Heartwood, Canopy, NU5, NU6 (2024-11-23 mainnet), NU6.1 (planned activation height 3146400, ~2025-11-23). NU7 is in candidate-selection phase (NSM, ZSAs, Crosslink under consideration). Coordination historically smooth pre-2026; ECC team resignation Jan 2026 introduces coordination uncertainty.

No hybrid PQ deployment ratified. No ZIP currently proposes co-signing with classical + PQ. Tachyon design is a structural redesign rather than a hybrid, and is research-staged. ML-KEM is in 'active testing,' not specified for any NU.

N/A by default credit (stateless schemes). All proposed PQ candidates so far (ML-KEM, ML-DSA, hash-based STARK) are stateless. No XMSS/LMS proposal in scope.

Zcash is PoW (Equihash). No BLS aggregation in consensus. Crosslink (proposed PoS-finality layer for NU7+) would change this if shipped, but is in prototype. Per v3.0.1, 4f is N/A for non-aggregating-consensus chains. Renormalized to /80 → 49/80 → 61/100.

Zero. No PQ primitive on mainnet for signatures, KEM, or proof system.

No merged PQ code in zebrad or zcashd consensus paths. Tachyon prototype work in research repos. ML-KEM testing internal at ECC.

PoW chain, no validators. Mining pools (ViaBTC ~32%, F2Pool ~16-19%) sign blocks via Equihash PoW; no signature scheme upgrade applies. N/A-equivalent under privacy-focused-chain rubric → score 0 (cannot earn PQ-key-adoption credit on a PoW chain).

VOIDED to 0 per v3.1 (5a = 0). Pre-void: ECC Q4 2025 roadmap published; Tachyon project page published. No PQ-specific dated milestone with enforcement mechanism (no NU activation height assigned to any PQ feature).

Announced PQC (trailing 12mo): Tachyon project page, blog, ECC Q4 2025 roadmap (no PQ items), ZCG formal-verification grant (defensive, not PQ), Bitfinex education article. Count ~5-6 mentions, mostly research-framed. Shipped PQC: 0 bytes signed under named PQ primitive on mainnet. Net: 11/15, Zcash is honest-research-framed, not narrative-only.

Undisclosed (no PQ signature scheme selected).

Top-3: Zashi (ECC; iOS/Android, primary), YWallet (Zcash + Ycash), Keystone hardware (Q4 2025 multisig integration). Ledger supports transparent ZEC only. None of Zashi, YWallet, or Keystone have a published PQC roadmap. Q4 2025 ECC roadmap focuses on transparent-address rotation and multisig; no PQ items.

Top: THORChain (native ZEC swaps activated 2026-04-24, non-custodial). No mainstream wrapped-ZEC bridge in production. THORChain has no published PQC roadmap. Zcash-Thorchain integration grant funded by ZCG.

Top: Coinbase Custody (transparent ZEC), Kraken, Binance, Anchorage. None publish ZEC-specific PQ MPC plans. Coinbase Quantum-Safe Custody efforts apply to BTC/ETH narratives; no Zcash-specific.

RPC: ZF-operated zebrad nodes, ECC-operated zcashd nodes (deprecated), wallet-bundled servers. No major Infura/Alchemy-class third-party RPC. HSM: Ledger transparent-only. No TEE attestation chains specific to Zcash. No PQC roadmap from any.

PoW Equihash. Top mining pools: ViaBTC ~31-32%, F2Pool ~16-19%, 2Miners ~7%, Antpool ~5%. ViaBTC has historically exceeded 51% (2024 reporting). Nakamoto coefficient ≈ 2-3 by hash rate. Concentration risk material.

Eight Network Upgrades smooth pre-2026. NU6 shipped 2024-11-23 with new dev-fund Lockbox model. NU6.1 planned 2025-11-23. NU7 in candidate selection. Post-ECC-resignation (Jan 2026) coordination capacity reduced; NU7 timeline uncertain.

Historically: ECC (CEO Josh Swihart through 2026-01-07), Zcash Foundation, Zcash Community Grants. 2026-01-07: entire ECC dev team resigned in governance clash with Bootstrap nonprofit board. ECC is regrouping under new architecture. Zcash Foundation now sole steward of trademark; Shielded Labs leads Crosslink work; QEDIT leads ZSA work. Coordination is multi-org; named-lead-with-public-mandate is partially fulfilled but disrupted.

Multiple historical dev-fund disputes (2020 ZIP-1014 vote). 2026-01 ECC mass resignation is a significant adversarial-internal-coordination event. Zcash has not coordinated a crypto change under active external attacker pressure.

None published. No quantum tripwire, no rate-limiting Hourglass equivalent, no canary cell embedded in consensus.