ZIP 231: Privacy Implications

Shielded Labs has contracted Taylor Hornby (@earthrise) to conduct an independent audit of the privacy implications of ZIP 231. While we appreciate the range of use cases this ZIP enables, such as authenticated reply addresses, in-band digital signatures, and other cryptographic features, we believe it is important to carefully evaluate potential trade-offs before activation. Our goal is not to block or delay the ZIP. Rather, we want to contribute constructively to the process by making sure that any potential impact on user privacy is clearly understood and properly documented.

Our main concern is that allowing variable-length memos may introduce new risks by leaking data, such as memo size, which could be used to fingerprint or link transactions. The audit will focus on how this change interacts with the wallet threat model and whether it introduces attack vectors that are currently not well understood. As part of this work, Taylor will also note any areas of the existing wallet threat model that are outdated or incomplete so they can be revised in the future. The audit is expected to take approximately three days. Once it is complete, we will publish the results so the community can review and discuss the findings.

We see this as an opportunity to strengthen how privacy implications and trade-offs are evaluated during the ZIP process. Any concerns raised in the audit will include suggestions for how to achieve the goals of ZIP 231 without compromising user privacy, so the feedback remains focused on solutions rather than introducing friction. We believe this kind of independent review will help improve the development process, especially as new features are added to the protocol.

16 Likes

Taylor has completed his independent audit of ZIP 231. His review focused on evaluating the privacy implications of memo bundles and recommending updates to the wallet threat model. The audit found the design to be cryptographically sound but identified a few areas where the proposal could unintentionally weaken user privacy.

  • Issue 1: Common transaction types may become distinguishable based on memo size and structure, potentially leaking whether a memo is present, its approximate length, or whether a reply address was included. The report recommends padding all memo ciphertexts to at least 512 bytes to reduce this leakage.

  • Issue 2: A missing domain separation between encryption formats in the v5 and v6 protocols opens the door to downgrade attacks. This can be mitigated by using separate key derivation functions for each version.

  • Other recommendations include specifying a safe shuffle algorithm for memo chunk ordering, using unambiguous padding, and clarifying acceptable wallet-side defenses. Taylor also makes recommendations for how to update the wallet threat model to account for additional privacy risks across several adversary types.

For more detail, please see the full audit report below.

ZIP-231-Audit-v2.pdf (264.0 KB)

4 Likes
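To make the two main findings concrete, here is a small worked example that is not part of the audit report, ZIP 231, or any Zcash wallet code: it shows (a) unambiguous padding of memo plaintext up to a minimum of 512 bytes (the size from the summary above) so that an observer sees only a size bucket rather than the exact length, (b) a domain-separated key derivation where the protocol version is bound into the HKDF `info` string so v5- and v6-format keys can never coincide, and (c) a cryptographically secure shuffle for memo chunk ordering. The padding layout (0x80 terminator plus zeros), the label `ZcashMemoKeyExample_v<N>`, the sample memos and the HKDF-over-SHA-256 choice are all assumptions made for illustration, not the scheme the ZIP actually specifies.

```python
"""Illustrative memo padding, domain-separated KDF and chunk shuffle (added example)."""
import hashlib
import hmac
import secrets

# Minimum padded memo size recommended in the audit summary.
MEMO_PAD_UNIT = 512

# Constructed sample memos of different kinds and lengths (not real traffic).
SAMPLE_MEMOS = [
    b"",                                   # no memo at all
    b"thanks for lunch",                   # short human-readable note
    b"reply-to: u1exampleaddress" + b"0" * 80,  # note carrying a (fake) reply address
    b"invoice 4711 paid\x00\x00",          # plaintext that happens to end in zero bytes
]


def pad_memo(plaintext: bytes, unit: int = MEMO_PAD_UNIT) -> bytes:
    """Append an unambiguous 0x80 terminator, then zeros up to the next multiple of `unit`.

    Because the terminator is always present, a plaintext that itself ends in
    zero bytes cannot be confused with padding. The output length is always a
    non-zero multiple of `unit`, so only the size bucket is observable.
    """
    marked = plaintext + b"\x80"
    return marked + b"\x00" * ((-len(marked)) % unit)


def is_well_formed(padded: bytes, unit: int = MEMO_PAD_UNIT) -> bool:
    """True if `padded` has the expected length class and a 0x80 terminator."""
    if len(padded) == 0 or len(padded) % unit != 0:
        return False
    return padded.rstrip(b"\x00").endswith(b"\x80")


def unpad_memo(padded: bytes, unit: int = MEMO_PAD_UNIT) -> bytes:
    """Strip padding; reject anything that is not a well-formed padded memo."""
    if not is_well_formed(padded, unit):
        raise ValueError("malformed padding")
    return padded.rstrip(b"\x00")[:-1]


def observable_sizes(memos, padded: bool):
    """Lengths an on-chain observer would see, with and without padding."""
    return [len(pad_memo(m)) if padded else len(m) for m in memos]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA-256 (extract, then expand)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_memo_key(shared_secret: bytes, version: int) -> bytes:
    """Derive a memo encryption key bound to the protocol version.

    The version is part of the HKDF `info` string, so a ciphertext produced
    under one format cannot be decrypted (or silently reinterpreted) under
    another: the keys differ even for an identical shared secret.
    The label is a hypothetical personalization string for this example.
    """
    info = b"ZcashMemoKeyExample_v" + str(version).encode("ascii")
    salt = b"\x00" * hashlib.sha256().digest_size
    return hkdf_sha256(shared_secret, salt, info)


def shuffle_chunks(chunks):
    """Return the chunks in an order drawn from the OS CSPRNG, not `random`."""
    order = list(chunks)
    secrets.SystemRandom().shuffle(order)
    return order


if __name__ == "__main__":
    print("unpadded sizes:", observable_sizes(SAMPLE_MEMOS, padded=False))
    print("padded sizes:  ", observable_sizes(SAMPLE_MEMOS, padded=True))
    secret = secrets.token_bytes(32)  # stands in for the note's shared secret
    print("v5 key != v6 key:", derive_memo_key(secret, 5) != derive_memo_key(secret, 6))
    print("shuffled chunk order:", shuffle_chunks([b"chunk0", b"chunk1", b"chunk2"]))
```

Run stand-alone, the first two lines of output show the point of Issue 1: four memos that are trivially told apart by raw length all collapse to a single 512-byte bucket once padded. A memo of 512 bytes or more would land in the next bucket (1024, 1536, ...), which is exactly the residual leakage a fixed lower bound cannot remove.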