OneKey × Zcash — Progress Update
Project: OneKey hardware wallet Zcash support (Unified Wallet Architecture, Transparent + Shielded)
Target device: OneKey Pro2
Grant: Zcash Community Grants #228 / Zcash Community Forum proposal
Background
This update covers progress on Milestone 1: Core Zcash Hardware Support (Transparent + Orchard, with PCZT & Clear Signing) committed under the Zcash Community Grant.
The core principles of the solution remain unchanged:
- Unified wallet architecture: a single mnemonic manages all chains and assets; Zcash keys are derived and isolated within the unified firmware, with no separate app and no firmware splitting.
- Keys never leave the device: only the UFVK and addresses are exported; all signing happens inside the hardware.
- Orchard + Transparent, Sapling excluded: covering all four transaction types (transparent / shielding / deshielding / fully shielded).
- Fully open source: all Zcash‑related code will be released to OneKey’s public repositories under the same open‑source license as the existing firmware.
Status Overview
The table below maps each Milestone 1 deliverable to its current status.
| Deliverable (Milestone 1) | Status |
|---|---|
| SE‑level cryptographic primitives (RedPallas, Orchard primitives) | |
| ZIP‑32 Orchard key derivation | |
| Unified Address generation (Transparent + Orchard receivers) | |
| UFVK export (Transparent + Orchard) | |
| Seed fingerprint export | |
| Correctness verification of the above | |
| PCZT signing (Transparent + Orchard) | |
| End‑to‑end signing of all four transaction types | |
| Clear Signing (on‑device display of address / amount / fee / tx type) | |
| Documentation (derivation paths, PCZT integration protocol, signing model) | |
Completed (built and correctness‑verified)
1. Secure Element foundation
The Orchard cryptographic foundation on the Secure Element has been completed on the OneKey Pro2, providing support for RedPallas and the Orchard primitives so that key derivation, address generation, and signing can all run inside the secure chip. This is the prerequisite for delivering Orchard support under a “keys never leave the device” standard.
2. Key & address derivation
- Unified Address (Transparent + Orchard): generates Unified Addresses containing both a transparent (P2PKH) receiver and an Orchard receiver.
- UFVK export (Transparent + Orchard): only the Unified Full Viewing Key and addresses are exported; spending keys and other key material always remain on the device.
- Seed fingerprint export: supports exporting the seed fingerprint, allowing companion software to identify and associate accounts without ever touching the seed.
3. Correctness verification
The outputs of the above key derivation and address / UFVK generation have been correctness‑verified (consistent with the Zcash specifications) and reproduce reliably from a standard BIP‑39 seed. This meets the Milestone 1 acceptance criterion of “correctly deriving Orchard keys and generating Unified Addresses from a BIP‑39 seed.”
In Testing
PCZT signing (Transparent + Orchard)
The PCZT (Partially Created Zcash Transaction) signing path has been built and is currently under test. Companion software constructs the unsigned PCZT; the device receives it, parses and validates its structure, signs on‑device, and returns the signed PCZT to the companion software for finalization and broadcast.
Test coverage targets all four transaction types:
- Transparent: t‑addr → t‑addr
- Shielding: t‑addr → Orchard (move funds into the shielded pool)
- Deshielding: Orchard → t‑addr (move funds out of the shielded pool)
- Fully Shielded: Orchard → Orchard
Next Steps
- Complete and integrate Clear Signing: display recipient address(es), amount, fee, and transaction type in full on the hardware screen, requiring physical confirmation; reject any PCZT whose parsed data is incomplete or inconsistent (preserving the “sign what you see” guarantee).
- Finalize PCZT testing: round out regression tests across the four transaction types and edge cases (malformed data, maximum input/output counts).
- Open‑source release: once stable, merge and publish the SE‑side Orchard / UFVK / PCZT implementation to the public OneKeyHQ/firmware-pro repository.
- Documentation: write up the derivation paths, PCZT integration protocol, and signing model.
- Enter Milestone 2: modular separation, internal security review and third‑party security audit, and firmware‑upgrade compatibility testing (target 2026‑09‑30).
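The Clear Signing rule above (derive what is displayed from the parsed data, reject anything incomplete or inconsistent) together with the four transaction types, as an added sketch that is not OneKey's firmware code. The `Leg` model, the field names, the `declared_fee` argument and the rejection of mixed-pool transactions are assumptions of this example, not the PCZT format.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Leg:
    """Hypothetical parsed view of one input or output (not the PCZT wire format)."""
    pool: str                      # "transparent" or "orchard"
    value: Optional[int]           # zatoshis; None means it could not be parsed
    address: Optional[str] = None  # recipient, outputs only

class RejectPczt(Exception):
    """Raised instead of showing a confirmation screen."""

# (input pool, output pool) -> transaction type, as listed in this update
TX_TYPES = {
    ("transparent", "transparent"): "transparent",
    ("transparent", "orchard"): "shielding",
    ("orchard", "transparent"): "deshielding",
    ("orchard", "orchard"): "fully shielded",
}
POOLS = {"transparent", "orchard"}  # Sapling is out of scope

def clear_signing_summary(inputs, outputs, declared_fee):
    """Return the fields to display, or raise RejectPczt."""
    if not inputs or not outputs:
        raise RejectPczt("no inputs or no outputs")
    for leg in inputs + outputs:
        if leg.pool not in POOLS:
            raise RejectPczt(f"unsupported pool: {leg.pool}")
        if leg.value is None or leg.value < 0:
            raise RejectPczt("missing or negative value")
    if any(not o.address for o in outputs):
        raise RejectPczt("output without a displayable address")
    # The fee is recomputed on the device, never taken on trust.
    fee = sum(i.value for i in inputs) - sum(o.value for o in outputs)
    if fee < 0 or fee != declared_fee:
        raise RejectPczt("fee inconsistent with inputs and outputs")
    in_pools = {i.pool for i in inputs}
    out_pools = {o.pool for o in outputs}
    if len(in_pools) != 1 or len(out_pools) != 1:
        # Assumption of this sketch: only the four pure types are modelled.
        raise RejectPczt("mixed pools: outside the four types modelled here")
    return {
        "type": TX_TYPES[(in_pools.pop(), out_pools.pop())],
        "recipients": [(o.address, o.value) for o in outputs],
        "fee": fee,
    }
```
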
Milestones & Timeline
| Milestone | Scope | Target |
|---|---|---|
| Milestone 1 | Core hardware support (Transparent + Orchard, PCZT + Clear Signing) | 2026‑07‑01 |
| Milestone 2 | Security hardening & maintainability (internal review + external audit + regression tests) | 2026‑09‑30 |
| Milestone 3 | Production stability & migration safety (cross‑device testing, BIP‑39 migration validation, production release) | Post‑release stabilization |
Summary: The Milestone 1 cryptographic foundation and key/address derivation (UA, UFVK, seed fingerprint) are built and correctness‑verified; PCZT (Transparent + Orchard) signing is built and now in testing. Next we focus on Clear Signing and regression testing, then publish the code open source as planned.