Zcash’s quantum-risk planning is moving from specification work toward wallet implementation after ZIP 2005, a proposal focused on making Orchard funds recoverable in a post-quantum transition, was merged as “Proposed.” The development was highlighted by Zcash cryptographer Sean Bowe, who said the measure is intended as an early buffer against future soundness problems rather than a complete post-quantum upgrade.
Bowe wrote on X that “Zcash Quantum Recoverability ZIP 2005” has been merged as proposed. “Our first major buffer against quantum soundness problems is now headed toward wallet integration. As wallets update to support the ZIP, user funds will migrate. No network upgrade necessary for this step.”
ZIP 2005 Brings Quantum Recovery to Wallets
ZIP 2005 targets Orchard, Zcash’s current shielded protocol, by changing how Orchard notes are constructed so that funds can later be recovered if the existing shielded protocol must be disabled because of a quantum or discrete-log-breaking threat. The proposal does not claim to make Zcash quantum-secure on its own. Instead, it is designed to support a smoother transition to a future protocol that could use post-quantum components.
The ZIP’s abstract states: “This ZIP proposes a change to the construction of Orchard[ZSA] notes, designed to improve Zcash’s long-term resilience against a significant potential threat to its security from quantum computers. It does not by itself make the protocol secure against quantum adversaries, but is intended to support a smoother transition to future versions of Zcash designed to be so. Specifically, if it were necessary to disable the current Orchard[ZSA] shielded protocol in order to prevent a discrete-log-breaking adversary from stealing or forging funds, this change would make it possible to use a Recovery Protocol to recover existing Orchard funds.”
The proposal was authored by Zodl app cryptographers Daira-Emma Hopwood and Jack Grigg, known in the Zcash ecosystem for work on protocol design and shielded transaction systems. Bowe said the work took “well over a year” and began before what he described as recent panic in the crypto world over quantum risk. The ZIP frames the issue around the possibility that practical quantum computers, or any attack capable of finding discrete logarithms on elliptic curves used by Zcash, could allow an adversary to steal funds or create arbitrary inflation.
No Network Upgrade Needed as Orchard Funds Move
A key practical point is that ZIP 2005 does not require a Zcash network upgrade at this stage. Bowe said wallet support is the next step, and that as wallets adopt the ZIP, user funds can migrate. The ZIP similarly emphasizes that the required changes to current libraries and wallets are small, while the recovery mechanism itself would be introduced later if needed.
The proposal explains why Orchard is the focus and why Sapling, Zcash’s older shielded pool, is not receiving the same treatment. “If the Orchard[ZSA] protocol needed to be disabled for this reason, the Sapling protocol would need to be disabled as well, which would make all Sapling funds inaccessible. Sapling funds should be migrated to Orchard in order to take advantage of this change.” The authors add that they do not propose a similar change for Sapling in order to reduce overall protocol complexity and analysis effort.
Technically, ZIP 2005 defines a new Orchard note plaintext format with lead byte 0x03 and changes how pre_rcm is computed by including all note fields. The ZIP states that this prevents an adversary, under the proposal’s random-oracle assumptions, from varying a note field without producing a different rcm, which supports an argument that the commitment scheme can be post-quantum binding if the later Recovery Protocol checks the new derivation. The proposal also extends the same broad technique to the function used to derive Orchard incoming viewing keys, with specific paths for existing Orchard keys, FROST distributed key generation, and hardware wallets.
The wallet-facing design is intended to preserve current usability while preparing for a future recovery path. The ZIP says: “This proposal is implementable at low risk, and required changes to existing libraries and wallets are small. It is compatible with Memo Bundles and/or ZSAs.” It also states that the approach should not require regeneration of existing non-multisignature keys or addresses, and should remain compatible with FROST threshold multisignatures, hardware wallets, and the combination of both.
For hardware wallet users, the proposal includes a requirement that recovery should not require exposing the pre-quantum spend authorizing key to theft. For FROST and hardware-wallet cases, the ZIP describes use of an alternative “quantum spending key” and “quantum intermediate key,” with the future Recovery Protocol checking the relevant derivations and proof of knowledge. That design is aimed at making recovery possible without forcing today’s protocol to choose a specific post-quantum proving system or commitment tree hash.
ZIP 2005 marks an incremental but significant step in Zcash’s long-term quantum planning: not a full post-quantum migration, but a wallet-level preparation path for Orchard funds. Its immediate significance is operational rather than consensus-level, since wallet and library updates can begin without a network upgrade. The clearest near-term implication for users is the direction set by the proposal itself: Sapling funds would need to move to Orchard to benefit from the recovery design if a future quantum transition becomes necessary.
AI Transparency Note: This article was prepared with the assistance of an AI system based on the sources listed and was reviewed, edited, and approved by a human editor before publication. All quotes, data points, and factual claims are intended to be grounded in the cited source material; however, errors cannot be ruled out entirely.