Orchard Protocol

Orchard is the current shielded transaction protocol for Zcash, based on the Halo 2 proving system, which eliminated the need for a trusted setup.
Chainscore © 2026
BLOCKCHAIN PRIVACY

What is Orchard Protocol?

A cryptographic protocol designed to provide enhanced privacy and scalability for shielded transactions on the Zcash blockchain.

The Orchard Protocol is a zero-knowledge proof system and shielded transaction protocol that forms the core privacy mechanism for the Zcash blockchain, succeeding the original Sprout and Sapling protocols. It is built using the Halo 2 proving system, which eliminates the need for a trusted setup and enables more efficient, recursive proof composition. Orchard transactions are fully shielded, meaning the sender, recipient, and transaction amount are cryptographically concealed on the public ledger, offering the highest level of financial privacy available on the network.

At its technical core, Orchard utilizes Action-based transactions within a Note Commitment Tree. Each Action describes a single value transfer, and the protocol uses a Diffie-Hellman key exchange within an elliptic curve group to derive a shared secret for note encryption. This design, combined with Halo 2's succinct proofs, results in significantly smaller proof sizes and faster verification times compared to its predecessors, directly improving blockchain scalability and reducing transaction fees for users opting for privacy.

The protocol's architecture introduces the Orchard Action Circuit, a zk-SNARK circuit that validates all the cryptographic conditions of a shielded transaction without revealing any sensitive data. This circuit enforces consensus rules, ensures that no funds are created or destroyed (conservation of value), and proves that the prover knows the spending keys for the input notes. This zero-knowledge proof is then bundled into a transaction and verified by all network nodes.

For users and developers, Orchard is accessed through wallet software that supports Unified Addresses, which can contain multiple receiver types including Orchard shielded addresses. A major practical benefit is the protocol's support for Shielded Coinbase transactions, allowing miners to receive block rewards directly into a private, shielded pool, which was not possible with earlier Zcash protocols. This closes a significant privacy leak in the mining reward flow.

Orchard represents a foundational upgrade for Zcash, moving the network toward a future-proof cryptographic foundation without trusted setups. Its efficiency gains and enhanced privacy features are critical for Zcash's long-term goal of being a viable, scalable, and completely private digital cash system, influencing broader blockchain research into recursive proof systems and scalable privacy.

MECHANISM

How Orchard Protocol Works

An explanation of the core cryptographic mechanisms and operational flow that enable the Orchard Protocol to provide private transactions on the Zcash blockchain.

The Orchard Protocol is a zero-knowledge proof system that enables private transactions on the Zcash blockchain by utilizing a zk-SNARK (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge) construction called Halo 2. This system allows a prover to demonstrate the validity of a transaction—proving that inputs equal outputs and that the spender has the authority to spend—without revealing the sender, receiver, or transaction amount to the public blockchain. The protocol operates on a UTXO (Unspent Transaction Output) model, where private notes are cryptographically committed to a Merkle tree, and spending them requires generating a proof of membership and knowledge of the corresponding secret key.

A transaction in the Orchard Protocol involves several key components. The sender creates a note commitment for each new output, which is a cryptographic hash that gets appended to the Merkle tree. To spend an input, the sender must provide a nullifier, a unique identifier derived from the note's secret key, which prevents double-spending without revealing which specific note was spent. The entire bundle of inputs, outputs, and proofs is wrapped in an action, and the zk-SNARK proof cryptographically verifies that all actions are valid according to the protocol's rules. This proof is then verified by the network's nodes, ensuring consensus without exposing any private data.

The protocol's privacy guarantees stem from its unlinkability and unforgeability properties. Unlinkability ensures that an outside observer cannot determine if two transactions are related or if a specific output was spent in a subsequent transaction. Unforgeability, enforced by the cryptographic soundness of the zk-SNARK, ensures that only the rightful owner of a note can generate a valid spend proof. Unlike its predecessor, the Sapling protocol, Orchard does not require a trusted setup, as Halo 2 uses a recursive proof composition and inner product arguments to achieve its security without initial toxic waste, making it more trust-minimized and sustainable for long-term use.
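A toy model of the note commitment, Merkle tree and nullifier flow described above, added here as an illustration and not taken from Zcash or any Orchard implementation. BLAKE2b stands in for the protocol's own hash functions; the 16-leaf tree, field names and return strings are assumptions, and the checks that Orchard proves inside the zk-SNARK are run in the clear so the logic is visible.

```python
import hashlib
import os

DEPTH = 4  # toy tree of 16 leaves (assumption; a real tree is far deeper)
EMPTY = bytes(32)

def H(tag, *parts):
    """Domain-separated BLAKE2b, standing in for the protocol's own hashes."""
    h = hashlib.blake2b(digest_size=32, person=tag)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def new_note(value, nk):
    # rho makes every note unique; rcm blinds the commitment.
    return {"value": value, "nk": nk, "rho": os.urandom(32), "rcm": os.urandom(32)}

def commitment(n):
    owner = H(b"toy-owner", n["nk"])
    return H(b"toy-commit", n["value"].to_bytes(8, "big"), owner, n["rho"], n["rcm"])

def nullifier(n):
    # Deterministic per note, but unlinkable to the commitment without nk.
    return H(b"toy-nf", n["nk"], n["rho"])

class Ledger:
    """Public state: commitment leaves, past roots (anchors), spent nullifiers."""
    def __init__(self):
        self.leaves, self.anchors, self.nullifiers = [], set(), set()

    def _layers(self):
        layers = [self.leaves + [EMPTY] * (2 ** DEPTH - len(self.leaves))]
        while len(layers[-1]) > 1:
            prev = layers[-1]
            layers.append([H(b"toy-node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
        return layers

    def append(self, cm):
        self.leaves.append(cm)
        self.anchors.add(self._layers()[-1][0])
        return len(self.leaves) - 1

    def path(self, index):
        return [layer[(index >> d) ^ 1] for d, layer in enumerate(self._layers()[:-1])]

    def spend(self, note, index, path, nf):
        # Toy only: the note and path are passed in the clear. In Orchard the
        # proof hides them and nodes see the nullifier and anchor.
        node = commitment(note)
        for d, sib in enumerate(path):
            node = H(b"toy-node", sib, node) if (index >> d) & 1 else H(b"toy-node", node, sib)
        if node not in self.anchors:
            return "unknown-note"
        if nf != nullifier(note):
            return "bad-nullifier"
        if nf in self.nullifiers:
            return "double-spend"
        self.nullifiers.add(nf)
        return "ok"
```

Changing `nk` to obtain a fresh nullifier for an already spent note changes the commitment as well, so the spend fails the membership check; that binding is what lets a nullifier block double-spends without pointing at a leaf.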

ZKSYNC ERA

Key Features of Orchard

The Orchard Protocol is a decentralized, non-custodial liquidity protocol built on zkSync Era, designed to facilitate efficient, low-cost, and secure lending and borrowing of digital assets.

01

zkEVM Native Architecture

Orchard is built natively on zkSync Era, a ZK-Rollup leveraging a zkEVM (zero-knowledge Ethereum Virtual Machine). This provides:

  • Ethereum-level security with cryptographic proofs.
  • Significantly lower transaction fees compared to Ethereum L1.
  • Fast finality for deposits, withdrawals, and trades.
  • Full compatibility with the Ethereum tooling ecosystem.

02

Isolated Lending Pools

The protocol employs an isolated risk model where each asset market operates as a separate lending pool. This design:

  • Contains risk to individual assets, preventing contagion.
  • Allows for customizable risk parameters (Loan-to-Value, liquidation thresholds) per asset.
  • Enables the permissionless listing of new assets with tailored parameters set by governance.

03

Dynamic Interest Rate Model

Orchard uses an algorithmic interest rate model that adjusts rates based on real-time supply and demand within each pool. Key mechanics include:

  • Utilization rate as the primary driver for borrowing APY.
  • Kink model with variable slopes to incentivize liquidity and manage utilization.
  • Real-time rate updates that respond to market conditions without governance delays.

04

Decentralized Price Oracles

Secure asset pricing is achieved through a decentralized oracle network. This system:

  • Aggregates price feeds from multiple sources to resist manipulation.
  • Is critical for determining collateral values, health factors, and triggering liquidations.
  • Leverages zkSync's native infrastructure for efficient and low-cost on-chain verification.

05

Non-Custodial & Permissionless

Orchard is a non-custodial protocol, meaning users always retain control of their private keys and assets. It is also permissionless:

  • Anyone can supply assets to earn yield.
  • Eligible users can borrow assets against their collateral.
  • Liquidators can participate in auctions to secure protocol solvency.
  • No centralized entity can freeze or seize user funds.

06

Governance & ORCH Token

Protocol governance is decentralized via the ORCH token. Token holders can:

  • Propose and vote on parameter changes (e.g., interest models, collateral factors).
  • Decide on treasury management and ecosystem grants.
  • Direct protocol fees, which may be distributed to stakers or used for buybacks.

Governance ensures the protocol evolves in a decentralized, community-led manner.

ZEC SHIELDED PROTOCOLS

Evolution from Sapling to Orchard

The Zcash blockchain's shielded transaction protocols have evolved through major upgrades, each enhancing privacy, performance, and cryptographic security for users.

The Sapling protocol, activated in 2018, was a foundational leap from the original Sprout protocol, introducing significant efficiency gains. It enabled the practical use of shielded addresses by drastically reducing the memory and time required to create private transactions. Sapling's core innovation was separating the proving and spending processes, allowing the computationally intensive generation of a zero-knowledge proof (the zk-SNARK) to be performed offline, before broadcasting the transaction. This made mobile and hardware wallet support feasible and laid the groundwork for future scalability.

Orchard, activated in 2022 as part of the Network Upgrade 5 (NU5), represents the next generational shift, built on a more modern and efficient cryptographic foundation. It replaces Sapling's pairing-based cryptography with the Halo 2 proving system, which eliminates the need for a trusted setup—a significant trust minimization milestone. Orchard transactions are not only more secure but also more efficient, with smaller proofs and shorter verification times. Furthermore, Orchard introduces a single, unified Action structure to represent all components of a transfer, simplifying the protocol's design and enabling more complex future applications like cross-chain interoperability.

The transition from Sapling to Orchard is characterized by key technical advancements: the move from a trusted setup (Powers of Tau) to a trustless proving system (Halo 2), improved performance for both proof generation and verification, and enhanced wallet usability. For users, this evolution means stronger privacy guarantees with reduced trust assumptions, faster transaction construction, and a foundation for broader DeFi and smart contract functionality within the shielded pool. While Sapling addresses remain supported, Orchard is designed to be the primary, forward-looking shielded protocol for the Zcash ecosystem.

ORCHARD PROTOCOL

Technical Components

The Orchard Protocol is a privacy-focused, decentralized exchange (DEX) built on Solana, utilizing zero-knowledge proofs (ZKPs) to enable shielded trading and liquidity pools.

01

Zero-Knowledge Shielded Pools

The core privacy mechanism. Orchard uses zero-knowledge proofs (ZKPs) to create shielded liquidity pools. Traders deposit assets into these pools, and their balances are represented as private commitments on-chain. Trades are executed by generating a ZK proof that validates the transaction (e.g., sufficient balance, correct output) without revealing the trader's identity, wallet addresses, or the trade amount to the public ledger.

02

zk-TLS Connection Handshake

A critical networking layer for privacy. Before submitting a transaction, a user's client establishes a secure, private connection to the Orchard relayer network using a zk-TLS handshake. This process uses a ZK proof to authenticate the user's right to access the relayer without revealing their identity or IP address, preventing network-level surveillance and linking of transactions to their origin.

03

Relayer Network

A decentralized network of nodes that submit private transactions to the Solana blockchain. Users send their encrypted transactions and ZK proofs to a relayer. The relayer then pays the Solana transaction fee and broadcasts the transaction, effectively decoupling the activity from the user's wallet and paying the gas costs, which enhances privacy and usability.

04

The Action Circuit

The specific zk-SNARK circuit that defines the logic of a private transaction. This circuit encodes the rules for a valid trade within a shielded pool, including:

  • Checking a valid nullifier to prevent double-spends.
  • Verifying cryptographic commitments.
  • Ensuring the pool's internal balance remains consistent.

The proof generated by this circuit is what the Solana blockchain verifies to execute the trade.

05

Nullifiers

Mechanisms to prevent double-spending in a private system. When a user spends a private note (a commitment) from a shielded pool, the protocol generates a unique nullifier and publishes it on-chain. This nullifier acts as a public fingerprint for the spent note. The system's ZK circuit ensures the same nullifier cannot be generated twice, preventing the same funds from being spent multiple times without revealing which specific note was spent.

06

Integration with Solana

Orchard is built as a set of Solana programs (smart contracts) and leverages the chain's high throughput and low fees. Key integration points include:

  • SPL Token Standard: All shielded assets are SPL tokens.
  • State Compression: Uses Solana's Concurrent Merkle Trees for efficient storage of private commitments.
  • Parallel Execution: Benefits from Solana's Sealevel runtime to process multiple private transactions concurrently.

ZEC SHIELDING EVOLUTION

Protocol Comparison: Sprout, Sapling, Orchard

A technical comparison of the three major shielded transaction protocols in Zcash, highlighting the evolution of cryptographic primitives, performance, and security.

| Feature / Metric | Sprout (2016) | Sapling (2018) | Orchard (2022) |
| --- | --- | --- | --- |
| Cryptographic Backbone | zk-SNARKs (PGHR13) | zk-SNARKs (Groth16) | zk-SNARKs (Halo 2) |
| Trusted Setup Required | | | |
| Proving Time (approx.) | ~40 seconds | ~2 seconds | < 2 seconds |
| Proof Size | ~300 bytes | ~200 bytes | ~200 bytes |
| Memory Requirement | High (GBs) | Moderate (~40 MB) | Low (~10 MB) |
| Action Circuit Limit | 2 per transaction | Unlimited | Unlimited |
| Shielded Address Format | z-addrs | z-sapling-addrs | z-orchard-addrs |
| Primary Use Case | Initial private payments | Mobile & wallet privacy | Future-proof scalability & auditability |

ORCHARD PROTOCOL

Security & Trust Considerations

The Orchard Protocol is a privacy-focused, non-custodial bridge for transferring assets between Ethereum and Aztec Network, utilizing zero-knowledge proofs to shield transaction details. Its security model is built on cryptographic guarantees and decentralized economic incentives.

01

Zero-Knowledge Proofs (ZKPs)

The protocol's core privacy mechanism. Zero-knowledge proofs (specifically zk-SNARKs) allow a user to prove they own valid assets and authorization to withdraw them on the destination chain without revealing the asset type, amount, or the user's identity. This cryptographic guarantee ensures privacy is enforced by mathematics, not trust in an operator.

  • Privacy by Default: All bridge deposits and withdrawals are private.
  • Validity Proofs: Every state transition is verified on-chain, ensuring only valid actions are processed.

02

Decentralized Sequencer & Prover Network

Orchard decentralizes its critical operational roles to prevent censorship and single points of failure. A permissionless network of sequencers orders transactions, and provers generate the necessary ZK proofs.

  • Economic Security: Sequencers and provers are economically incentivized (and slashed) to act honestly.
  • Censorship Resistance: Users can submit transactions to any sequencer, preventing any single entity from blocking transfers.

03

Asset Custody & Bridge Design

Orchard employs a non-custodial, asset-pooling model. User funds are never held by a central custodian. Instead, assets are locked in a smart contract on Ethereum and represented as private notes on Aztec.

  • Trustless Escrow: The bridge vault smart contract on Ethereum is publicly verifiable and immutable.
  • Pooled Liquidity: The system uses liquidity pools, similar to an AMM, to facilitate cross-chain swaps while maintaining privacy.

04

Withdrawal Security & Fraud Proofs

To prevent fraudulent withdrawals, the system uses a challenge period and fraud proofs. After a withdrawal is proposed on Ethereum, there is a time window where any network participant can submit a cryptographic proof (a fraud proof) to challenge an invalid transaction.

  • Economic Slashing: A successful fraud proof results in the slashing of the malicious sequencer/prover's stake.
  • Finality Delay: This introduces a delay for full withdrawal finality, a trade-off for enhanced security.

05

Relayer Infrastructure & Privacy

To maintain privacy for users who cannot run a full node, permissionless relayers can submit transactions on their behalf. A critical consideration is preventing relayer-based privacy leaks.

  • Transaction Encryption: Users encrypt transaction data with a shared secret before sending it to a relayer.
  • Relayer Anonymity Set: The protocol is designed to mix transactions from many users, making it difficult to link a relayer-submitted tx to its originator.

06

Smart Contract & Cryptographic Audits

The protocol's security relies on the correctness of its zero-knowledge circuits and Ethereum smart contracts. These components have undergone rigorous, independent audits by leading security firms.

  • Circuit Audits: Verification of the ZK-SNARK logic ensuring no false proofs can be generated.
  • Contract Audits: Review of the bridge vault, governance, and slashing mechanisms for vulnerabilities.
  • Bug Bounties: Ongoing programs to incentivize the discovery and reporting of security issues.

ORCHARD PROTOCOL

Frequently Asked Questions

Essential questions and answers about the Orchard Protocol, a foundational component of the Zcash blockchain's privacy technology.

The Orchard Protocol is a zero-knowledge proof system and shielded pool that provides transaction privacy on the Zcash blockchain. It is the third-generation shielded protocol, succeeding Sapling and Sprout, and is built using the Halo 2 proving system. Orchard enables users to send and receive ZEC with strong cryptographic privacy, hiding the sender, recipient, and transaction amount. It is the core of Zcash's most advanced privacy features, offering improved performance and security over its predecessors.
