PoW privacy chain
Zcash ZEC
Zcash is a PoW privacy chain with a dual-pool architecture: transparent ECDSA addresses, and shielded Orchard/Sapling addresses using ECC-based zk-SNARKs and RedDSA spend authorization. As of 2026-05-31, no production quantum protection exists on any layer. All spend authorization, both transparent (ECDSA/secp256k1) and shielded (RedDSA/RedPallas over Pallas/Jubjub curves), is quantum-vulnerable. The Halo 2 proving system eliminates the trusted setup but retains elliptic-curve assumptions; a cryptographically-relevant quantum computer could forge spending proofs and compromise supply integrity. Approximately 30% of circulating ZEC is in shielded pools (themselves still ECC-vulnerable), while ~70% remains in transparent addresses with the same exposure profile as Bitcoin.

Zcash scores well on risk assessment: the protocol specification formally documents all cryptographic primitives, the quantum threat is publicly acknowledged across official and third-party sources, and pool-level value-at-risk data is publicly available. The NU7 testnet launched on 2026-05-22 with Orchard Quantum Recoverability (QR) components in code review, and quantum-recoverable wallets were announced for June 2026. A full PQC transition via Project Tachyon is targeted for late 2026 to 2027. ML-KEM and ML-DSA have been identified as candidate algorithms. However, all of this is roadmap and testnet, not mainnet protection.

The critical blocker (active spend authorization entirely ECC-only) caps the score at 40; the raw factor score of ~19.6 is the binding constraint. The score of 20 reflects genuine and serious preparedness work without crediting roadmap promises as production protection.
Category breakdown
QRI Factors
Critical Quantum Blockers
- Active production spend authorization remains entirely ECC-based (ECDSA on transparent addresses, RedDSA/RedPallas on shielded addresses) with no PQC or hybrid-PQC path on mainnet as of 2026-05-31. Cap: 40.
- Users can still create new quantum-vulnerable accounts by default across both transparent and shielded pools. Cap: 60.
- Halo 2 proof soundness and note encryption in Orchard rely on elliptic-curve discrete-log hardness; a sufficiently powerful quantum computer could forge spending proofs or compromise supply integrity. Cap: 60.
- No independent audit exists for any PQC or quantum-recoverability component. The Orchard Quantum Recoverability PRs were in review as of evaluation date; no audit of the QR construction has been published. Cap: 92 (not binding given lower caps above).
Key Risks
- All transparent-address ZEC (approximately 70% of circulating supply) is controlled by ECDSA keys with the same quantum exposure as Bitcoin; public-key exposure on spend makes these funds directly vulnerable to Shor's algorithm once cryptographically-relevant quantum hardware exists.
- All shielded-pool spend authorization (RedDSA over Pallas/Jubjub) is ECC-based and quantum-vulnerable; a quantum adversary could derive spending keys from public authorization keys exposed during transactions.
- Halo 2 proof soundness relies on elliptic-curve discrete-log hardness; quantum compromise of this assumption could allow forged spending proofs, enabling unauthorized fund draining or undetected ZEC inflation — a supply-integrity risk unique to shielded chains.
- Note encryption in Orchard uses ECC key agreement (KA^Orchard); harvest-now-decrypt-later attacks could retroactively compromise the confidentiality of all shielded transactions recorded before a PQC upgrade.
- Approximately 70% of circulating supply remains in quantum-vulnerable transparent addresses with no migration deadline or enforcement mechanism currently active on mainnet.
- The Tachyon/NU7 PQC upgrade is targeted for late 2026 to 2027 but is not guaranteed; the NU7 mainnet launch date is unconfirmed, and the full post-quantum transition depends on successful completion of ZIPs, security audits, and community governance approval.
- No independent cryptographic audit of the Orchard Quantum Recoverability construction or any proposed PQC algorithm integration has been published as of the evaluation date.
- The quantum-recoverable wallet design (June 2026 target) provides a migration pathway but does not itself constitute quantum resistance; funds remain ECC-vulnerable until a full protocol upgrade is activated on mainnet.
- Exchange and custodian infrastructure predominantly uses transparent addresses; no exchange migration attestations or PQC custody paths exist as of the evaluation date.
- Sprout pool deprecation (planned for NU7) will burn remaining Sprout funds at activation height, creating a user-action deadline, but this addresses legacy pool cleanup rather than quantum protection.
- Governance fragmentation risk: the ECC development team resigned in early 2026; while the Zcash Foundation and ZODL have continued development, the organizational transition introduces execution risk for the PQC roadmap timeline.
Evidence record
Claims and Caveats
Transaction / Spend Authorization
Spend authorization / transaction signatures are PQC or hybrid-PQC on mainnet
Claim: All spend authorization on Zcash mainnet as of 2026-05-31 uses classical ECC: ECDSA/secp256k1 for transparent addresses and RedDSA (Schnorr-variant) over Pallas/Jubjub curves for Orchard/Sapling shielded addresses. No PQC or hybrid-PQC spend authorization exists on mainnet.
Coverage basis: Mainnet proof + official protocol specification (NU6.1) + independent technical analysis
Implementation score: 0 · Evidence confidence: 0.9
Quantum blocker: Active production spend authorization remains entirely ECC/BLS/Schnorr/EdDSA-only. Cap: 40.
Transparent addresses use ECDSA identical to Bitcoin. Shielded Orchard addresses use RedDSA (rerandomizable Schnorr) over the Pallas curve. Both are quantum-vulnerable via Shor's algorithm. Quantum-recoverable wallet (targeting June 2026) and NU7 testnet QR components are in development but not on mainnet as of evaluation date.
Transaction / Address Design
Account, address, public-key exposure, and key-derivation design avoids quantum-vulnerable ownership paths or supports PQ/hybrid accounts
Claim: Both transparent (t-address, ECDSA public key exposed on spend) and shielded (z-address, ECC-based key derivation) address types are quantum-vulnerable. No PQ or hybrid address type exists on mainnet.
Coverage basis: Mainnet proof + official protocol specification
Implementation score: 0 · Evidence confidence: 0.9
Quantum blocker: Users can still create new quantum-vulnerable high-value accounts by default. Cap: 60.
Transparent addresses expose the public key on first spend (same as Bitcoin). Shielded Orchard addresses derive keys via ECC operations over Pallas/Jubjub. Unified Addresses route to the most private available pool but that pool remains ECC-based. No PQ address format exists or is scheduled for mainnet before NU7.
Consensus
Consensus-critical authentication is PQC or hybrid-PQC where applicable, including validator signatures, VRFs, randomness beacons, threshold signatures, or block certificates
Claim: Zcash uses Equihash proof-of-work consensus with no validator signatures, validator set, VRF, or finality signatures. There is no consensus-authentication layer requiring PQC migration.
Coverage basis: Protocol design — PoW chain architecture
Implementation score: 1 · Evidence confidence: 0.9
Crosslink (hybrid PoW/PoS with staking finality) is under development by Shielded Labs with testnet expected in 2026. If activated, validator authentication would become applicable and would require separate PQC assessment. This subfactor should be re-evaluated if Crosslink activates on mainnet.
State Integrity / Privacy Layer
State-integrity mechanisms are quantum-safe where applicable, including commitments, nullifiers, accumulators, script authorization, supply-binding mechanisms, and bridge verification
Claim: Zcash's state-integrity mechanisms — Pedersen commitments (Sapling), Sinsemilla commitments (Orchard), nullifiers, and the Halo 2 proof system — all rely on elliptic-curve discrete-log hardness and are quantum-vulnerable. A quantum adversary could forge spending proofs, enabling unauthorized fund draining or undetected ZEC inflation.
Coverage basis: Mainnet proof + official protocol specification + independent technical analysis
Implementation score: 0 · Evidence confidence: 0.9
Quantum blocker: Quantum attack can plausibly break supply integrity, state binding, or asset ownership in a critical layer. Cap: 60.
Halo 2 eliminates the trusted setup requirement but does not eliminate elliptic-curve assumptions. The Pallas curve used in Orchard is vulnerable to Shor's algorithm. Quantum compromise of proof soundness would allow forged proofs — a supply-inflation risk unique to shielded chains. Research into lattice-based commitments and hash-based signatures (SPHINCS+) is ongoing but no mainnet implementation exists.
Privacy / Proof Layer
Privacy and proof layers are quantum-safe where applicable, including ZK proof assumptions, note encryption, viewing keys, stealth addresses, and shielded state
Claim: Zcash's zk-SNARK proof systems (Groth16/BN-254 for Sapling, Halo 2/Pallas for Orchard) and note encryption (ECC key agreement) are quantum-vulnerable. Harvest-now-decrypt-later attacks could retroactively compromise shielded transaction confidentiality.
Coverage basis: Mainnet proof + official protocol specification + independent technical analysis
Implementation score: 0 · Evidence confidence: 0.9
Symmetric note encryption components (ChaCha20-Poly1305) have partial quantum resistance (Grover's algorithm halves effective key length but does not break 256-bit symmetric keys). The critical vulnerability is in the public-key components: ECC key agreement for note encryption and ECC-based proof soundness. Project Tachyon's Oblivious Synchronisation aims to remove ciphertexts from the blockchain entirely, which would address harvest-now-decrypt-later, but this is a roadmap item.
P2P / Network
P2P transport, node identity, and peer authentication are PQC or hybrid-PQC; or all asset-spending authorization is PQ-signed on device and network identity is not consensus-, spend-, bridge-, or custody-critical
Claim: Zcash P2P node identity uses classical cryptography, but P2P identity is not consensus-critical, spend-critical, bridge-critical, or custody-critical in the PoW architecture. Asset spending authorization is performed on-device and submitted as signed transactions; P2P identity does not gate fund access.
Coverage basis: Protocol design — PoW chain P2P architecture
Implementation score: 1 · Evidence confidence: 0.75
Evidence confidence is 0.75 (public code, no independent audit of P2P layer specifically). The Z3 stack (Zebra + Zaino + Zallet) includes built-in Tor support, which provides additional transport-layer privacy but does not affect the quantum-readiness assessment of this subfactor.
Wallet / Custody
Critical wallet, custody, and signing workflows support the production PQ/hybrid path or are protected by native satisfied-by-design controls
Claim: No PQC or hybrid-PQC wallet or custody path exists on mainnet. The Zodl/Zashi wallet defaults to shielded transactions (Orchard) but these remain ECC-based. Quantum-recoverable wallets are announced for June 2026 but not shipped as of evaluation date.
Coverage basis: Official announcements + mainnet state
Implementation score: 0 · Evidence confidence: 0.9
ZODL announced quantum-recoverable wallets targeting June 2026 at Consensus Miami (May 8, 2026). These wallets will provide a migration pathway but do not themselves constitute quantum resistance — funds remain ECC-vulnerable until NU7 activates on mainnet. Coinbase Custody and BitGo reportedly added ZEC support in 2025 but no PQC custody path exists.
Security Assessment
Public cryptographic inventory of critical public-key mechanisms
Claim: The Zcash Protocol Specification (NU6.1, v2025.6.3) formally documents all cryptographic primitives including ECDSA/secp256k1 (transparent), RedDSA/Pallas (Orchard spend auth), Groth16/BN-254 (Sapling proofs), Halo 2/Pallas (Orchard proofs), Pedersen/Sinsemilla commitments, and ECC key agreement for note encryption.
Coverage basis: Mainnet proof + official documentation (200+ page protocol specification)
Implementation score: 1 · Evidence confidence: 0.9
The protocol specification is one of the most comprehensive in the blockchain space. It has been audited by NCC Group and QEDIT for prior upgrades. The inventory is complete and publicly accessible.
Security Assessment
Public quantum threat model covering attack assumptions, affected assets, and affected layers
Claim: Multiple official and third-party sources document Zcash's quantum threat model: transparent ECDSA exposure (identical to Bitcoin), shielded ECC spend authorization vulnerability, Halo 2 proof soundness vulnerability, note encryption vulnerability, and harvest-now-decrypt-later risk for shielded transactions.
Coverage basis: Official documentation + independent technical analysis + public discourse
Implementation score: 1 · Evidence confidence: 0.9
The threat model is well-documented across official ECC/ZF communications and independent analyses. The CoinDesk research piece explicitly identifies the Pallas curve vulnerability and proof-soundness risk. The Bitfinex blog post distinguishes between symmetric (partially resistant) and public-key (fully vulnerable) components.
- https://www.coindesk.com/research/encryption-supremacy-zcash-and-privacy-in-the-age-of-scale
- https://blog.bitfinex.com/education/how-is-zcash-mitigating-the-risks-of-quantum-computing/
- https://www.quantumcanary.org/insights/zcash-quantum-challenges-could-be-looming
- https://bmic.ai/ae/quantum-audit/zcash/
Security Assessment
Public classification of exposed value, exposed accounts, dependent systems, and critical layers
Claim: Pool-level value data is publicly available: approximately 30% of circulating ZEC is in shielded pools (Sapling + Orchard, both ECC-vulnerable), approximately 70% in transparent addresses (ECDSA-vulnerable). No formal risk register with per-category classification has been published, but pool-level data is sufficient for conservative estimation.
Coverage basis: On-chain pool metrics + official and third-party reporting
Implementation score: 0.75 · Evidence confidence: 0.9
Shielded pool supply grew from ~11% in early 2025 to ~30% by May 2026. A formal risk register distinguishing exchange-held, foundation-held, and retail-held value has not been published. Per QRI §7.4, pool-level data with conservative confidence bands is acceptable for privacy-preserving systems. Score reduced from 1.00 to 0.75 to reflect absence of a formal classified risk register.
Security Assessment
Public evidence record supporting the assessment, such as code references, specs, audits, transaction examples, or reproducible analytics
Claim: Zcash has a strong public evidence record: the protocol specification, ZIPs repository, librustzcash source code, Least Authority audit of NU6.1, NCC Group and QEDIT audits of prior protocol versions, and public on-chain pool analytics.
Coverage basis: Published audits + open-source code + official documentation
Implementation score: 0.75 · Evidence confidence: 0.9
Least Authority audited the NU6.1 network upgrade. The protocol specification has been audited by NCC Group and QEDIT for prior versions. No audit of any PQC or quantum-recoverability component has been published. Score is 0.75 rather than 1.00 because the evidence record for the quantum-specific components (QR construction, PQC algorithm selection) is limited to proposals and PRs in review.
Migration Status
Percentage of circulating supply controlled by PQC/hybrid-PQC or otherwise quantum-protected native controls
Claim: 0% of circulating ZEC supply is controlled by PQC or hybrid-PQC native controls. Both transparent (ECDSA) and shielded (ECC-based zk-SNARK) pools are quantum-vulnerable. The 30% shielded pool share reflects privacy adoption, not quantum protection.
Coverage basis: On-chain pool metrics + protocol analysis
Implementation score: 0.05 · Evidence confidence: 0.9
Quantum blocker: Migration coverage cannot be measured for PQC because no PQC migration path exists on mainnet. All value is in legacy vulnerable pools.
Implementation score of 0.05 corresponds to the <25% coverage tier (raw score 1 out of 20 maximum) per QRI §9.3.1. The shielded pool is sometimes incorrectly described as quantum-resistant; it is not — it uses ECC-based proof systems and key agreement. The distinction between privacy and quantum resistance is critical here.
Migration Status
Critical wallets migrated, protected, or inherently PQ-native, including treasuries, exchanges, custodians, bridges, foundations, and major protocols
Claim: No critical wallets (exchanges, custodians, foundations, treasuries) have migrated to or are protected by PQC controls. No PQC migration path exists on mainnet.
Coverage basis: Official announcements + mainnet state
Implementation score: 0 · Evidence confidence: 0.9
Coinbase Custody and BitGo added ZEC support in 2025, but this is classical custody with no PQC path. The Zcash Foundation holds ZEC in its treasury but no PQC protection exists. Exchange infrastructure predominantly uses transparent addresses.
Migration Status
Legacy vulnerable pools/accounts/UTXOs/contracts are identified, measurable, deprecated, migrated, frozen, or proven not to exist by design
Claim: Legacy pools are identified and measurable: transparent pool is fully on-chain observable; shielded pools are measurable at pool level. Sprout pool deprecation (burn at NU7 activation height) is planned. Sapling and Orchard pools remain active and ECC-vulnerable with no deprecation timeline.
Coverage basis: Official protocol documentation + NU7 roadmap
Implementation score: 0.75 · Evidence confidence: 0.9
Sprout pool will be deprecated in NU7 (remaining funds burned at activation height). This is a legacy cleanup measure, not a quantum protection measure. Sapling and Orchard pools are the current active pools and both remain ECC-vulnerable. Score of 0.75 reflects that pools are identified and measurable and one (Sprout) has a deprecation plan, but the primary vulnerable pools (transparent, Sapling, Orchard) have no PQC migration timeline on mainnet.
Migration Mechanism / Governance
Public migration or protection roadmap with sequencing, activation criteria, and dependencies
Claim: A public multi-phase roadmap exists: (1) Quantum-recoverable wallets targeting June 2026; (2) NU7 mainnet with Orchard Quantum Recoverability targeting late 2026; (3) Full PQC transition via Project Tachyon targeting 2027. Sequencing and dependencies are publicly documented via ZIPs and official announcements.
Coverage basis: Official roadmap + ZIP specifications + public announcements
Implementation score: 0.25 · Evidence confidence: 0.6
Implementation score 0.25 (public design/proposal stage) because no mainnet activation has occurred. Evidence confidence 0.60 (formal specification + serious technical proposal) because ZIP 230 and the QR draft ZIP are formal specifications, but no mainnet proof exists. The roadmap is credible and technically detailed but remains unexecuted as of evaluation date.
Migration Mechanism / Governance
User-facing warnings, incentives, deadlines, education, or migration prompts
Claim: ZODL/ECC announced quantum-recoverable wallets at Consensus Miami (May 2026) with public education about the quantum threat. No on-chain migration prompts, deadlines, or incentives exist on mainnet. Sprout deprecation creates a deadline for Sprout holders but not for quantum migration.
Coverage basis: Official announcements + public communications
Implementation score: 0.25 · Evidence confidence: 0.4
Public education exists through conference presentations and blog posts. No on-chain migration prompts or deadlines for quantum migration exist. Evidence confidence 0.40 (official roadmap/proposal level) because the user-facing migration infrastructure is announced but not deployed.
Migration Mechanism / Governance
PQ/hybrid account creation, wallet defaults, transaction paths, or custody paths are default, strongly preferred, mandatory, or complete by design
Claim: No PQC or hybrid-PQC account creation, wallet default, or transaction path exists on mainnet. Zodl/Zashi defaults to shielded (Orchard) transactions, which improves privacy but does not provide quantum protection.
Coverage basis: Mainnet state + official documentation
Implementation score: 0 · Evidence confidence: 0.9
The shielded-by-default wallet behavior (Zodl routing users to Orchard via Unified Addresses) is a privacy improvement but not a quantum-security improvement. Orchard uses ECC-based cryptography. This is a common misconception in public discourse about Zcash's quantum readiness.
Migration Mechanism / Governance
Enforcement mechanism exists, such as deprecation, freeze, disabled legacy signing, restricted withdrawals, unsafe-path blocking, or mandatory migration after a deadline
Claim: Sprout pool deprecation (burn at NU7 activation) is the only enforcement mechanism planned. No enforcement mechanism for quantum migration exists. No deadline for transparent-address or Sapling/Orchard migration to PQC has been set.
Coverage basis: NU7 roadmap + ZIP specifications
Implementation score: 0.25 · Evidence confidence: 0.6
Sprout deprecation is a legacy cleanup, not a quantum migration enforcement. The NU7 v6 transaction format (ZIP 230) requires wallets to support v6 transactions by NU7 activation, which is a soft enforcement for wallet upgrades. No hard enforcement for PQC migration exists or is scheduled.
Migration Mechanism / Governance
Exchange, custody, bridge, wallet, and infrastructure coordination prevents unsafe fallback into vulnerable systems
Claim: NU7 testnet is live with QR components. ZODL is coordinating quantum-recoverable wallet rollout. No exchange or custodian coordination for PQC migration exists on mainnet. No bridge restrictions preventing fallback to non-PQ systems exist.
Coverage basis: Official announcements + testnet evidence
Implementation score: 0.25 · Evidence confidence: 0.6
NU7 testnet launched 2026-05-22 with QR components. Community sentiment polling showed >90% support for Tachyon and Orchard QR. ZODL is coordinating wallet upgrades. However, no mainnet enforcement or exchange coordination for PQC migration exists. Evidence confidence 0.60 reflects testnet-stage coordination.
Algorithm & Implementation Assurance
Uses NIST-standardized, standards-track, or broadly reviewed PQC/hybrid-PQC algorithms appropriate to the use case
Claim: ML-KEM (FIPS 203) and ML-DSA (FIPS 204) have been identified as candidate algorithms for Zcash's PQC transition and are under active testing. No NIST-standardized PQC algorithm has been deployed on mainnet. Research into SPHINCS+ and lattice-based commitments is ongoing.
Coverage basis: Official roadmap + public research
Implementation score: 0.25 · Evidence confidence: 0.6
ML-KEM and ML-DSA are NIST-standardized (FIPS 203/204). Their identification as candidates is a positive signal. However, no formal ZIP specifying their integration parameters has been published as of the evaluation date. The Tachyon upgrade description mentions 'full post-quantum privacy' as a side-effect of the scalability redesign, but the specific PQC algorithm choices for spend authorization and proof systems are not yet finalized in a published ZIP.
Algorithm & Implementation Assurance
Independent cryptographic and implementation audit exists
Claim: Independent audits exist for the current ECC-based protocol: Least Authority audited NU6.1; NCC Group and QEDIT audited prior protocol versions. No independent audit of any PQC or quantum-recoverability component has been published. A quantum-resilience audit was referenced as scheduled for late 2025 but no published report has been identified.
Coverage basis: Published audit reports
Implementation score: 0.25 · Evidence confidence: 0.6
Quantum blocker: No independent audit exists for the claimed quantum-ready or quantum-recoverable system. Cap: 92 (not binding given lower caps from other blockers).
The existing audits (Least Authority NU6.1, NCC Group, QEDIT) cover the classical ECC-based protocol and are high quality. They do not cover any PQC or QR components. The Orchard QR security proofs were agreed upon in late April/early May 2026 and PRs are in review, but no external audit has been published. Score 0.25 reflects that serious audit infrastructure exists for the classical system and audits are planned/referenced for PQC components.
Algorithm & Implementation Assurance
Open-source, reproducible implementation
Claim: Zcash is fully open-source across all primary repositories (zcash/zcash, zcash/zips, zcash/librustzcash). The protocol specification is publicly available. Builds are reproducible.
Coverage basis: Public GitHub repositories + protocol specification
Implementation score: 1 · Evidence confidence: 0.9
All core Zcash code is open-source under MIT/Apache licenses. The protocol specification is a formal, publicly accessible document. The transition from zcashd (deprecated 2025) to Zebra (Rust) improves code quality and auditability.
Algorithm & Implementation Assurance
Parameter agility and future upgrade path are documented
Claim: Zcash's ZIP process and modular architecture (separate pools, versioned transaction formats, Halo 2 designed for proof system replaceability) provide a documented upgrade path. ZIP 230 (v6 transaction format) is designed to accommodate future PQC extensions.
Coverage basis: ZIP specifications + protocol design documentation
Implementation score: 0.75 · Evidence confidence: 0.9
The ZIP process provides a formal mechanism for protocol upgrades. ZIP 230 explicitly notes forward compatibility for future extensions. Halo 2's recursive proof architecture was designed with replaceability in mind. Score 0.75 rather than 1.00 because specific PQC parameter agility (algorithm selection, key size parameters, hybrid construction parameters) has not been formally specified in a published ZIP.
Algorithm & Implementation Assurance
Side-channel, fault-injection, state-management, hardware-wallet, HSM, or custody implementation risks are considered
Claim: librustzcash includes some side-channel mitigations (constant-time operations, zeroization). The FROST v3.0.0 release includes stronger zeroization. No specific PQC side-channel analysis has been published. Hardware wallet support for shielded transactions is limited.
Coverage basis: Open-source code review + FROST v3 release notes
Implementation score: 0.25 · Evidence confidence: 0.6
FROST v3.0.0 includes stronger memory zeroization. The Zebra v4.4.1 release included memory allocation fixes during block deserialization. These are positive signals for implementation security hygiene. However, no specific PQC side-channel analysis (lattice-based signature timing attacks, etc.) has been published. Hardware wallet support for shielded ZEC remains limited, which is a custody risk.