THE POST-QUANTUM PROBLEM FOR ZCASH
Shielded transactions. Unshielded future.
01
Zcash's shielded pools rest on elliptic curves: Sapling uses Groth16 over BLS12-381 and Orchard uses Halo 2 over the Pallas and Vesta curves (the retired Sprout pool used BN254). Shor's algorithm solves the discrete logarithm on all of them, which breaks both proof soundness and the elliptic-curve Diffie-Hellman that keys note encryption. Shielded ciphertexts recorded today are therefore a harvest-now, decrypt-later target: privacy can be lost retroactively once a cryptographically relevant quantum computer exists.
02
PQ signature sizes dominate bandwidth. A shielded transaction is about 2 KB. Signature sizes: ML-DSA-65 = 3,309 B, FALCON-512 = 666 B, SLH-DSA-128f = 17,088 B. Attaching all three naively adds 21,063 B, roughly 10x the transaction size.
03
Single cryptographic assumption. Zcash's proof systems and note encryption all reduce to discrete-log hardness on elliptic curves. One mathematical break compromises every shielded pool at once.
04
No computation attestation layer. Zcash proves that a transaction is valid but cannot attest to the computation that produced it; there is no binding between an FHE output and the shielded transfer that acts on it.
05
Key rotation is a migration problem. Viewing keys and spending keys are derived on elliptic curves. Rotating to PQ keys means new key derivation, new note encryption, and migration of every existing note.
THE PRIMITIVE
74 bytes. Three PQ families. Fits in a memo.
21,063 bytes of PQ signatures compressed to 74 bytes persistent.
On-chain
32 B
SHA3-256 commitment
Off-chain (Cachee)
42 B
Compact receipt
Distillation
285x
21,063 B → 74 B
Ephemeral PQ signatures (21 KB) are verified at attestation time and then discarded. Only the 74-byte substrate persists. A later verifier checks the commitment and receipt, not the original signatures, so attestation time is the point at which the three families are actually exercised.
CRYPTOGRAPHIC DIVERSIFICATION
Three hardness assumptions. Not one curve.
Family 1 · MLWE Lattices
ML-DSA-65
FIPS 204 · 3,309 B sig
Family 2 · NTRU Lattices
FALCON-512
FIPS 206 · 666 B sig
Family 3 · Hash Pre-images
SLH-DSA-128f
FIPS 205 · 17,088 B sig
Three independent mathematical bets
Forging an attestation requires defeating MLWE lattices, NTRU lattices, and the hash-based signature simultaneously.
Zcash today: one assumption, elliptic-curve discrete log, on BLS12-381 (Sapling) and Pallas/Vesta (Orchard). One break = total failure. Substrate: three signature families from three hardness assumptions, all verified on the same bundle, so a forger must break all three at once. If the three breaks were independent events, the probability of simultaneous failure would be the product of the individual probabilities. Two caveats a reviewer should keep in mind: ML-DSA and FALCON are both lattice schemes and share exposure to advances in lattice reduction, so SLH-DSA is the hedge that is genuinely independent of the other two; and because the signatures are discarded after attestation, what persists is a SHA3-256 commitment, so the long-term binding also rests on SHA3-256 preimage and collision resistance, which Grover's algorithm weakens but does not break.
Zcash today
1 assumption
EC discrete log · single point of failure
With Substrate
3
Hardness assumptions, verified together
Persistent cost
74 B
All three families included
INTEGRATION · MEMO FIELD
512-byte memo. 42-byte receipt. Native fit.
Shielded transaction composition
The 42-byte compact receipt fits inside Zcash's 512-byte memo field. The 32-byte commitment can be anchored in the transparent pool (for example in an OP_RETURN output) or published separately.
Zcash shielded outputs carry a 512-byte encrypted memo readable only by the recipient (and by a holder of the sender's outgoing viewing key). Under ZIP 302 a memo that carries arbitrary binary data starts with the byte 0xFF, leaving 511 bytes of payload; the 42-byte receipt uses under 9% of the field. No protocol change is required. Groth16 (Sapling) or Halo 2 (Orchard) proves validity; the Substrate receipt proves provenance. Both travel in the same transaction.
Memo field
512 B
Available per shielded tx
Receipt size
42 B
<9% of memo capacity
Groth16 / Halo 2 proves
Validity
Transaction correctness
Substrate proves
Provenance
PQ computation binding
Validity + provenance in one shielded transaction. No fork. No ZIP required.
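The memo framing above, as an added example (not H33 or Zcash project code): it frames a 42-byte receipt as a ZIP 302 binary memo, classifies incoming memos by their first byte, and refuses to read a receipt out of a text, empty or reserved memo. The receipt bytes are treated as opaque because the page does not specify their layout; SAMPLE_RECEIPT is constructed test data. The code operates on the memo plaintext, before the wallet encrypts it into the shielded output.

```python
"""ZIP 302 memo framing for a Substrate receipt (added example, not project code)."""
from typing import Optional

MEMO_SIZE = 512          # fixed memo field length in Sapling and Orchard outputs
RECEIPT_SIZE = 42        # compact receipt size stated on the page
TAG_ARBITRARY = 0xFF     # ZIP 302: 511 bytes of arbitrary data follow
TAG_NO_MEMO = 0xF6       # ZIP 302: 0xF6 followed by 511 zero bytes = no memo
TAG_TEXT_MAX = 0xF4      # ZIP 302: first byte 0xF4 or below = UTF-8 text

SAMPLE_RECEIPT = bytes(range(RECEIPT_SIZE))   # constructed stand-in, not a real receipt


def encode_receipt_memo(receipt: bytes) -> bytes:
    """Frame a receipt as a binary memo: tag byte, payload, zero padding to 512 B."""
    if len(receipt) != RECEIPT_SIZE:
        raise ValueError(f"receipt must be {RECEIPT_SIZE} bytes, got {len(receipt)}")
    body = bytes([TAG_ARBITRARY]) + receipt
    return body + bytes(MEMO_SIZE - len(body))


def classify_memo(memo: bytes) -> str:
    """Return 'text', 'empty', 'data' or 'reserved' per the ZIP 302 first-byte rule."""
    if len(memo) != MEMO_SIZE:
        raise ValueError(f"memo must be exactly {MEMO_SIZE} bytes")
    tag = memo[0]
    if tag <= TAG_TEXT_MAX:
        return "text"
    if tag == TAG_NO_MEMO:
        # Only the all-zero continuation means "no memo"; anything else is reserved.
        return "empty" if memo[1:] == bytes(MEMO_SIZE - 1) else "reserved"
    if tag == TAG_ARBITRARY:
        return "data"
    return "reserved"   # 0xF5 and 0xF7..0xFE


def decode_receipt_memo(memo: bytes) -> Optional[bytes]:
    """Extract the receipt from a binary memo; None for text, empty or reserved memos.

    Rejecting text memos matters: a UTF-8 memo whose first bytes happen to
    look like a receipt must never be mistaken for an attestation.
    """
    if classify_memo(memo) != "data":
        return None
    receipt = memo[1:1 + RECEIPT_SIZE]
    # Bytes after the receipt must be zero padding; anything else indicates a
    # different (longer) 0xFF payload format rather than a receipt memo.
    if memo[1 + RECEIPT_SIZE:] != bytes(MEMO_SIZE - 1 - RECEIPT_SIZE):
        return None
    return receipt


if __name__ == "__main__":
    memo = encode_receipt_memo(SAMPLE_RECEIPT)
    print(classify_memo(memo), decode_receipt_memo(memo) == SAMPLE_RECEIPT)
```

The tag byte plus receipt occupy 43 of 512 bytes; the zero padding is part of the memo and is encrypted along with it, so the on-wire size of the output does not change whether or not a receipt is present.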
AMORTIZATION · BATCHED MERKLE
O(1/N) signing cost. Domain-separated tree.
Substrate Root (32 B on-chain) = H(0x01 || A || B)
                    /                          \
       A = H(0x01 || L1 || L2)          B = H(0x01 || L3 || LN)
          /             \                  /             \
L1 = H(0x00 || tx_1)  L2 = H(0x00 || tx_2)  L3 = H(0x00 || tx_3)  LN = H(0x00 || tx_N)
Patent pending — H33 Substrate Claims 124-125
N shielded transactions share one Substrate root. Domain separation: leaves hash as H(0x00 || tx_i) and internal nodes as H(0x01 || L || R), so a leaf can never be presented as an internal node (the second-preimage attack on unprefixed Merkle trees).
One three-family PQ signing operation covers the whole batch. Each transaction carries a Merkle inclusion proof against the root; for a balanced tree of N leaves that proof is about log2(N) sibling hashes of 32 B each, which is the only per-transaction quantity that grows with batch size. Amortized PQ signing cost: O(1/N) per transaction. At batch size 1,000 the per-transaction share of the PQ signing cost is 0.1% of an individual attestation.
Batch size 100
1% cost
Per-tx PQ signing
Batch size 1000
0.1% cost
Per-tx PQ signing
Domain separation
0x00 / 0x01
Leaf / internal prefix
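The batched tree above, as an added example (not H33 code): it implements the stated rule (leaf = H(0x00 || tx), internal = H(0x01 || left || right)) with SHA3-256, produces inclusion proofs, and shows concretely what the prefixes buy by running the leaf/internal confusion forgery against both a prefixed and an unprefixed tree. Everything the page leaves open is this example's own assumption: an unpaired node at the end of a level is carried up unchanged (RFC 6962 style), a proof is a list of (sibling_is_left, sibling_hash) pairs from leaf to root, and the transactions are constructed byte strings, not real Zcash transactions.

```python
"""Domain-separated SHA3-256 Merkle batch with inclusion proofs (added example)."""
import hashlib
from typing import List, Tuple

LEAF_PREFIX = b"\x00"   # leaves:   H(0x00 || tx)
NODE_PREFIX = b"\x01"   # internal: H(0x01 || left || right)

Proof = List[Tuple[bool, bytes]]   # (sibling_is_left, sibling_hash), leaf to root


def sha3(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()


# `sep=False` builds an unprefixed tree purely to demonstrate the attack below.
def leaf_hash(tx: bytes, sep: bool = True) -> bytes:
    return sha3((LEAF_PREFIX if sep else b"") + tx)


def node_hash(left: bytes, right: bytes, sep: bool = True) -> bytes:
    return sha3((NODE_PREFIX if sep else b"") + left + right)


def build_levels(txs: List[bytes], sep: bool = True) -> List[List[bytes]]:
    """All tree levels, leaves first, the single root last."""
    if not txs:
        raise ValueError("empty batch")
    level = [leaf_hash(tx, sep) for tx in txs]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1], sep) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2 == 1:
            nxt.append(level[-1])   # assumption: carry the unpaired node up unchanged
        level = nxt
        levels.append(level)
    return levels


def substrate_root(txs: List[bytes], sep: bool = True) -> bytes:
    """The 32-byte root that a single three-family PQ signature would cover."""
    return build_levels(txs, sep)[-1][0]


def inclusion_proof(txs: List[bytes], index: int, sep: bool = True) -> Proof:
    """Sibling path for txs[index]; levels where the node was carried up add no entry."""
    levels = build_levels(txs, sep)
    proof: Proof = []
    i = index
    for level in levels[:-1]:
        sib = i ^ 1
        if sib < len(level):
            proof.append((sib < i, level[sib]))
        i //= 2
    return proof


def verify_inclusion(root: bytes, tx: bytes, proof: Proof, sep: bool = True) -> bool:
    """Recompute the path from the transaction up to the root."""
    cur = leaf_hash(tx, sep)
    for sib_is_left, sib in proof:
        cur = node_hash(sib, cur, sep) if sib_is_left else node_hash(cur, sib, sep)
    return cur == root


def forgery_rejected(txs: List[bytes], sep: bool = True) -> bool:
    """Run the leaf/internal confusion forgery; True means the verifier refused it.

    The attacker presents the 64-byte concatenation of two sibling leaf hashes
    as a 'transaction' and reuses the path above that pair as its proof. In an
    unprefixed tree the fake leaf hashes to the real internal node and verifies;
    with prefixes, H(0x00 || L || R) != H(0x01 || L || R), so it fails.
    """
    if len(txs) < 2:
        raise ValueError("need at least two transactions")
    leaves = build_levels(txs, sep)[0]
    fake_tx = leaves[0] + leaves[1]
    proof_above_pair = inclusion_proof(txs, 0, sep)[1:]   # drop the leaf-level sibling
    return not verify_inclusion(substrate_root(txs, sep), fake_tx, proof_above_pair, sep)


if __name__ == "__main__":
    batch = [b"shielded-tx-%d" % n for n in range(1000)]   # constructed stand-ins
    proof = inclusion_proof(batch, 0)
    print(f"root={substrate_root(batch).hex()} proof={len(proof)} hashes ({32 * len(proof)} B)")
    print("forgery rejected with prefixes:   ", forgery_rejected(batch))
    print("forgery rejected without prefixes:", forgery_rejected(batch, sep=False))
```

At batch size 1,000 the proof for any transaction is 10 hashes (320 B), which is what a verifier needs alongside the 74-byte substrate to tie one shielded transaction back to the signed root.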
PRODUCTION NUMBERS · GRAVITON4
The numbers.
Sustained throughput
1.67M
auth/sec · 30s · Graviton4
Per-auth latency
42 µs
Full PQ pipeline
Distillation
285x
21,063 B → 74 B
Cost per auth
$3.8×10⁻¹⁰
c8g.metal-48xl on-demand
FHE batch (32 users)
943 µs
BFV inner product
Batch attest
391 µs
SHA3 + ML-DSA (Dilithium) sign/verify
ZKP cached
0.358 µs
CacheeEngine lookup
Persistent footprint
74 B
Forever. Keys grow, footprint doesn't.
1.67 million PQ attestations per second. Each one protects a shielded transaction for the post-quantum era.
ARCHITECTURE · END-TO-END FLOW
Zcash node to verified receipt.
Zcash Node → FHE Computation → Substrate Attest → Compact Receipt (42 B) → Memo Field (512 B capacity) → Verify
Substrate Attest → SHA3-256 Commitment (32 B) → Transparent Anchor (or separate publish) → Verify
Verify = PQ-Secured Shielded Tx
// Substrate attestation for ZCash shielded transaction
POST /api/v1/substrate/attest
{
"payload": <SHA3-256 of FHE output bound to shielded tx>,
"computation_type": "zcash_shielded"
}
// Response: 74-byte substrate
{
"commitment": "32 bytes - anchor on-chain or publish",
"receipt": "42 bytes - embed in memo field",
"verified": true
}
// Verify independently
POST /api/v1/substrate/verify
{ "commitment": "...", "receipt": "..." }
// → { "valid": true, "families": 3, "distillation": "285x" }
THE INSURANCE PROPERTY
Keys get heavier. Footprint doesn't.
2026 PQ bundle
21 KB
ML-DSA-65 + FALCON-512 + SLH-DSA-128f
2030 PQ bundle
~56 KB
ML-DSA-87 + FALCON-1024 + SLH-DSA-256f
Persistent footprint
74 B
Today · 2030 · 2050 · forever
Memo field usage
<9%
42 B of 512 B · room to spare
Swap families. Add a fourth. Upgrade to NIST Level 5. The Zcash memo field cost stays at 42 bytes. The on-chain anchor stays at 32 bytes.
Permanent post-quantum protection that fits inside existing Zcash infrastructure.
h33.ai/primitive
# Install
brew tap h33ai-postquantum/tap && brew install h33
# or
cargo install h33-cli
H33.ai, Inc. · Eric Beans, CEO