Good question. The answer is that if they have your address, and can break discrete logarithms, then they can compute the ivk (incoming viewing key) for that address. However, they can’t then get from the ivk to other elements in the key structure, i.e. {ak, nk, ovk, rivk, dk}, because ivk is connected to them only as the output of a perfectly hiding (and therefore post-quantum hiding) commitment in the case of Orchard, or of a plausibly post-quantum preimage-resistant hash function (BLAKE2s) in the case of Sapling.
Therefore, the discrete-log-breaking address holder can only see incoming transfers to that address (i.e. what a legitimate holder of ivk would see), not outgoing ones, and not including the addresses of the other senders provided they are not included in memos. If you are aiming for post-quantum privacy then you should not include addresses in memos, which is not an onerous additional restriction if you need to keep addresses secret anyway.
There is no other information transmitted in the protocol that, given some subset of ivks, would reveal other addresses or ivks:
- For spend authorization signatures, the key pair (ak, ask) is perfectly blinded to get the signature public key (rk, sk). Note that a discrete-log-breaking adversary is able to compute sk, but this (rk, sk, signature) reveals no information about ak. The blinding value 𝛼 is hidden as a witness of the zk proof which is perfectly zero knowledge, and therefore post-quantum zero knowledge.
- Binding signatures reveal no information about addresses. They also don’t reveal any more information about note values than the value commitments do. (Given that the value commitments are perfectly hiding and bvk is public, it can be inferred that being able to compute the signing key bsk by breaking discrete log doesn’t yield additional information beyond the fact that the Sapling or Orchard transfers balance.)
- As mentioned above, value commitments are perfectly hiding, and in any case don’t involve addresses.
- The encryption is post-quantum private when the destination address is unknown. The detail will be explained in my Zcon3 talk.
- Revealed note commitments and nullifiers also don’t give significant information to a quantum adversary. Again, detail in the talk.