Zafu Wallet - retroactive grant application

Hi all,

Tommi from Rotko Networks. We just submitted a retroactive ZCG application for Zafu, our privacy-centric browser-extension wallet for Zcash. Posting here per the ZCG process so the community can weigh in before the vote.

Application: Retroactive Grant Application - Zafu Browser Extension · Issue #29 · Financial-Privacy-Foundation/ZcashCoinholderGrantsProgram · GitHub

Quick summary of what we built and shipped in the v24.x series:

Zafu is a Chrome MV3 extension, all chain state and proof generation client-side, no remote proving service. v24.1.x is the first publicly distributed beta and the listing is live on the Chrome Web Store.

Three things I think are worth your attention:

Sub-12-second client-side Halo2 proving for both Zcash Orchard and Penumbra shielded transactions. Parallel WASM with rayon plus the Chrome extension Offscreen API to host the parallel-proving context that MV3 service workers cannot run. Proving keys ship with the extension, nothing is downloaded on demand. The reason this matters: a wallet that takes a minute to send shielded sees its users default to transparent.

End-to-end FROST t-of-n multisig for Orchard. Three-round DKG (frost-core’s keys::dkg::part1/2/3), RFC 9591 two-round signing with session-bound nonces against §6.1 nonce-replay. Runs over the same QR transport as single-sig, so multisig works fully air-gapped via Zigner.

Zigner air-gap pairing. Spending keys on a dedicated offline phone, viewing keys on the host, QR codes only. PCZT (ZIP-324) over UR. Works on multisignatures as well, utilizing animated QR codes as transport.

There’s also ZID, a per-site identity SDK that gives dApps wallet presence verification without enabling cross-site correlation (domain-bound HKDF over a master seed). Identity is not tied to Zcash addresses whatsoever, and the ZID library allows easy creation of end-to-end encrypted applications for users of the extension.

On the budget: $38k retroactive for Q4 2025 → Q2 2026, ~$36k of which is part-time engineering compensation across two developers. Infra and tooling are the small lines. Happy to defend specifics in this thread.

On sustainability: Zafu Pro subscription tier paid in ZEC, anchored to a ring-VRF anonymous membership proof. Operational extras only, priority sync, enhanced multisig coordination, dapp integrations. No privacy or security feature is gated, free-tier users get identical chain-level guarantees and the same security model. No accounts, no KYC, no recurring billing infrastructure, the Zcash chain is the payment ledger.

What I’d find useful from this thread:

  • Anything in the deliverables that feels mis-scoped or missing for a Zcash wallet

  • FROST or Halo2 reviewers interested in eyes on the multisig before formal audit

  • General discussion, ideas and feedback

Here is a small sneak-peek video of the full feature set: client-side proving, multisignatures, and air-gap signing of these more complex multisig transactions via animated QR codes.

Repos:

Beta listing: https://chromewebstore.google.com/detail/bhlogefpcebekhjpomlodifcelldoimn

WARNING: our multisig implementation is still at a very alpha stage and unaudited, so we do not recommend relying on it for any meaningful sums of money yet.

-Tommi, rotko.net

5 Likes
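The "domain-bound HKDF over a master seed" idea mentioned for ZID in the post above, as an added example that is not part of the original post and is not Zafu's or ZID's own code. The label `LABEL`, the function names and the origin canonicalization rules are assumptions made for illustration; the seed is a constructed sample.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    if length > 255 * 32:
        raise ValueError("requested output too long")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def canonical_origin(url: str) -> str:
    """Reduce a URL to https://host[:port] so one site maps to one identity."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("only https origins get an identity")
    host = parts.hostname.rstrip(".")  # urlsplit already lower-cases the host
    port = parts.port
    return f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"

# Assumed domain-separation label, not taken from the Zafu code base.
LABEL = b"example-site-identity-v1"

def site_identity_key(master_seed: bytes, url: str) -> bytes:
    """Derive a 32-byte per-site secret bound to the canonical origin."""
    if len(master_seed) < 32:
        raise ValueError("master seed too short")
    origin = canonical_origin(url).encode("ascii")  # non-ASCII hosts are rejected
    return hkdf_sha256(master_seed, salt=LABEL, info=origin)

if __name__ == "__main__":
    seed = bytes(range(32))  # constructed sample seed for the demo only
    for url in ("https://Shop.Example.com./cart", "https://forum.example.org"):
        print(canonical_origin(url), site_identity_key(seed, url).hex())
```

Two sites that compare their derived values learn nothing that links them without the seed, while spelling variants of one origin (case, trailing dot, explicit `:443`, path) collapse to a single identity.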

Want to point out @hitch joined the ZecHub Friday lounge to show us a live version of their work, thanks for sharing! Good luck with the grant.

1 Like