For thousands of years, humans used bearer instruments for commerce. These were tangible objects like coins, bills and gold that change hands without intermediaries. The holder possesses the value. No bank approves the transaction. No ledger records the transfer. just two people agreeing a trade happened and walking away.
Digital currency was supposed to bring that back. value you could just hand off without asking permission. And blockchain got us closer than anything before it. Privacy coins like Zcash took it further. Shielded amounts, shielded addresses, real cryptographic privacy.
But even then, every transaction still writes to a public ledger. the contents might be encrypted, but the metadata's there. timestamps, transaction graphs, patterns to analyze. it's better, way better... but it's not the same as handing someone a coin and walking away.
So the "digital bearer" idea never really worked.
Until now. This is my attempt.
The Problem
Every transfer creates on-chain metadata
Sequential transfers reveal timing patterns
Network observers infer relationships
Each hop incurs fees and latency
Offline transfer is impossible
Zipher's Solution
Off-chain transfers leave no trace
Timing correlations eliminated
Intermediate hops are invisible
Zero fees between transfers
Works via Bluetooth, offline
How It Works
A capsule is a funded Zcash shielded address packaged as a transferable bearer instrument, like a digital $20 bill.
Create
Fund a capsule from your wallet with any amount
Transfer
Send via iMessage or Bluetooth
Verify
Recipient's app auto-checks it's unspent
Sweep
Final holder sweeps to their wallet
The Capsule Lifecycle
1
User creates capsule & specifies amount (e.g. 0.05 ZEC)
2
Zipher creates shielded transaction to capsule address
3
Capsule appears in inventory, ready to send
4
User transfers via iMessage or Bluetooth
5
Recipient receives - no blockchain transaction
6
Can pass through multiple people (all off-chain)
7
Final holder taps "Sweep" to claim funds (to their personal wallet)
A capsule can pass through unlimited hands before being swept. Alice → Bob → Carol → Dave - all off-chain. Only the first funding and final sweep touch the blockchain.
Transfer Method Privacy
Not all transfer methods are equal. Zipher will initially support two ways to send capsules and they exist on a privacy spectrum.
The Privacy Hierarchy
Maximum Privacy (Bluetooth)
Direct device-to-device transfer
No internet required
No server, no ISP, no carrier
No third party ever touches the capsule
No metadata logged anywhere
Good Privacy (iMessage)
Content is end-to-end encrypted
Apple sees metadata (sender, recipient, time)
Convenient for remote transfers
Still far better than on-chain
Why Bluetooth Is the Privacy Ceiling
When you transfer a capsule via Bluetooth, value moves between two people with zero third-party involvement.
Layer
What Bluetooth Eliminates
Network
No internet connection required
Server
No relay, no cloud, no API
ISP
Your provider sees nothing
Carrier
No cellular involvement
Platform
Apple never touches it
Blockchain
No on-chain record until sweep
The capsule travels directly from chip to chip through the air. Encrypted. Ephemeral. The only evidence it happened exists on the two devices involved.
This is the most private way to transfer cryptocurrency that exists. No other wallet, on any chain, can do this. The capsule moves like physical cash. no trail, no log, no record.
Comparison to Other "Private" Transfers
Method
Server Involved?
Metadata Logged?
Subpoena-able?
Standard Zcash tx
Yes (nodes)
Yes (on-chain)
Yes (public)
Signal message
Yes (Signal)
Minimal
Possibly
iMessage
Yes (Apple)
Yes
Yes
Bluetooth (Multipeer)
No
No
Nothing exists
What Each Method Exposes
Bluetooth (MultipeerConnectivity)
•Content: Encrypted (only recipient can read)
•Metadata: None
•Third parties: None
•Forensic trail: Device-local only
iMessage Extension
•Content: End-to-end encrypted
•Metadata: Apple sees sender, recipient, timestamp, message size
•Third parties: Apple servers relay the message
•Forensic trail: Apple logs, device logs
For maximum privacy, always prefer Bluetooth transfer when you're physically near the recipient. iMessage is convenient for remote transfers, but Apple knows it happened.
The Bottom Line
Zcash shielded transactions protect what happened on-chain.
Bluetooth protects that something happened at all.
There's no record. No log. No server. No blockchain entry until the recipient decides to settle. The capsule exists only on two devices, transferred through air, encrypted, ephemeral.
This is Zipher's core privacy advantage: capsules can move without the network knowing they moved.
Privacy Analysis
Zcash provides world-class cryptographic privacy through ZKPs. Amounts and addresses are completely hidden. But even with perfect cryptographic hiding, metadata remains visible:
•That a transaction occurred
•When it occurred (timestamp)
•Transaction size (~2KB baseline)
•Network propagation patterns
This enables sophisticated chain analysis.
How Chain Analysis Works
Chain analysis firms exploit timing correlations. When Alice pays Bob, who pays Carol, who pays Dave, each on-chain transaction creates a timestamp. And analysts use Bayesian inference to link them:
13:45:22
Shielded tx from Alice (2.3 KB)
13:51:17
Shielded tx from Bob (2.3 KB) — 5m 55s later
13:56:03
Shielded tx from Carol (2.3 KB) — 4m 46s later
Using pattern analysis across thousands of txs, firms assign 30-50% confidence that this is a single payment chain.
Zipher Eliminates Timing Correlation
Standard Zcash Flow
Alice
on-chain
Bob
on-chain
Carol
on-chain
Dave
4 transactions • 3 timing correlations • Pattern analysis possible
Zipher Flow
Alice funds
on-chain
OFF-CHAIN
Bob→Carol→Dave
on-chain
Dave sweeps
2 transactions • 0 timing correlations • No pattern exists
4
Transactions (Standard Zcash)
VS
2
Transactions (Zipher)
Metric
Standard Zcash
Zipher
Transactions visible
4
2
Timing correlations
3
0
Network broadcasts
4
2
Linkage probability
30-50%
~0%
Chain analysis sees two apparently unrelated transactions, hours apart. No timing pattern. No way to determine intermediate hops. Bob and Carol are invisible.
Technical Architecture
This section explains why some of the design choices exist. Particularly the ones that might seem restrictive at first glance. Understanding the cryptographic foundation helps the rest of the system make sense.
ZIP32 Derivation Path
Zipher uses ZIP32 hierarchical key derivation at a non-standard path:
Same phrase always produces same wallet, but derivation is incompatible with standard BIP39/ZIP32 wallets due to the custom salt. This is intentional, as it prevents double-spend attacks via external wallets. More on this below.
Why Phrases Can't Work in Other Wallets
This is the part that might feel like vendor lock-in. That is not the goal. It's the core security model.
If recovery phrases worked in standard Zcash wallets like Zashi or ZecWallet:
1
You create capsules in Zipher
2
You import phrase into Zashi
3
Zashi shows individual capsule addresses
4
You send someone a capsule via Bluetooth
5
You sweep that same capsule in Zashi (double-spend!)
6
Recipient's sweep fails - they got scammed
The custom salt makes this impossible. Same 12 words, but different derivation = different addresses. Zashi can't see the capsules, can't sweep them, can't double-spend.
Salt Recovery Guarantee
The closed ecosystem raises an important question: what happens to your capsules if Zipher ceases to exist?
I'm committed to ensuring users are never locked out of their funds. The custom derivation salt will be escrowed using a deadman's switch mechanism that automatically releases it if Zipher becomes inactive for an extended period.
Possible mechanisms (to be finalized):
•Shamir's Secret Sharing distributed across trusted parties (Zcash Foundation, community members, etc.)
•Encrypted deposit on IPFS with time-locked decryption key
•Multisig arrangement with ecosystem stakeholders
The complete derivation specification, including salt string, HKDF parameters, and ZIP32 path structure will be published to IPFS and GitHub regardless of Zipher's operational status. This ensures any developer can build a recovery tool if needed.
The exact escrow mechanism is TBD and I welcome community input on the best approach. What matters is the commitment: if Zipher disappears, the salt becomes public, and anyone can build a recovery tool. User funds should never be trapped.
Capsule File Format (.zpr)
capsule.zpr
Zipher Capsule File Format
~2.1 KB
Header
Unencrypted
Magic bytes
File type identifier
Version
Format version (v1)
Capsule ID
Unique identifier
Timestamp
Creation time
Amount
ZEC value
Encrypted Payload
AES-256-GCM
Spending Key
Capsule private key
Derivation Path
ZIP32 path index
Funding TX ID
On-chain reference
Note Commitments
Zcash note data
Integrity
Verification
SHA256 Checksum
Data integrity
Ed25519 Signature
Authenticity proof
Only the recipient can decrypt the payload. The header allows verification without exposing the spending key.
The .zpr format is designed for security and portability. The unencrypted header allows recipients to verify basic properties (amount, timestamp) before decryption, while the encrypted payload ensures only the intended recipient can access the spending key.
iOS Security Integration
Secure Enclave Protection
•Master seed encrypted by hardware-backed P256 key
•Encryption key never leaves Secure Enclave
•Seed decrypted briefly in memory only during key derivation
•Memory zeroized immediately after use
•Significantly harder to extract than standard Keychain storage
Technical Note: The Secure Enclave only supports P256 curve operations natively. Zcash uses the Jubjub curve for Sapling keys, so Zcash key derivation happens in software from the SE-protected seed. This is pretty standard - SE protects your entropy, and derived keys exist in memory only as long as needed.
Keychain Storage
•Restore timestamp stored securely
•Cannot be modified without device compromise
•Survives app deletion (time-lock persists)
Security Model
With the technical foundation covered, here's how Zipher actually prevents double-spending. Four layers of defense:
1
7-Day Restore Time-Lock
All wallet restores trigger a 7-day lock. Recipients have a full week to sweep before the sender could potentially restore and attempt fraud.
2
Controlled Transfer Surfaces
Capsules can only be sent via iMessage or Bluetooth. No file export, email, or cloud storage options. While not cryptographically enforced (a jailbroken device could extract files), this design prevents accidental duplication through normal app usage.
3
Closed Ecosystem
Recovery phrases are incompatible with other Zcash wallets by design. Prevents importing to external wallets to double-spend.
4
Continuous Auto-Verification
App automatically queries the Zcash network on receipt and every time opened. Detects double-spends within seconds of occurring.
The blockchain is always the source of truth. No matter what happens off-chain, the final sweep either succeeds (funds are yours) or fails (someone already swept).
Attack Prevention Example
9:00 AM
Alice sends capsule to Bob via Bluetooth
9:05 AM
Alice deletes app
9:10 AM
Alice restores wallet from 12 words → 🔒 Locked for 7 days
9:15 AM
Bob opens app, verifies capsule ✅
9:20 AM
Bob sweeps capsule → SUCCESS
Day 7
Alice's lock expires, tries to sweep → FAILS
Trust Model
Now that the tech and security foundations are clear, here's how it actually feels to use Zipher day-to-day.
Like physical cash, capsules require recipient verification. You check a $100 bill before accepting it; Zipher automatically verifies capsules are unspent.
How Verification Works
When you receive a capsule:
1.Capsule appears in your Zipher wallet
2.App queries Zcash network (~2 seconds)
3.Status displayed: ✅ Green (unspent) or 🔴 Red (spent)
4.You decide when to sweep based on trust
5.App re-verifies every time you open it
Verification shows the current blockchain state when network is available. it's a point-in-time snapshot. The status can change between verification and sweep. For transactions with strangers, always complete the sweep and wait for confirmation before releasing goods. The UI will advise users of this practice.
Trust Levels
Strangers (Low Trust)
Craigslist / Facebook Marketplace
Sweep immediately after verification
Wait for sweep confirmation
Don't hand over goods until confirmed
Friends & Family (High Trust)
Can hold capsule for days/weeks
Sweep whenever convenient
App re-checks each time opened
Social trust model applies
Real-World Scenarios
Craigslist Laptop Sale ($500)
1
Meet in person, inspect laptop
2
Buyer sends capsule via Bluetooth
3
Seller's app auto-verifies: ✅ Unspent
4
Seller taps "Sweep" immediately
5
Seller waits for sweep confirmation
6
Only after confirmation: Seller hands over laptop
For marketplace transactions: verification shows "unspent right now". only a confirmed sweep means "yours forever." Never release goods until sweep is confirmed on-chain.
Splitting Dinner with Friends ($30 each)
1
Alice pays the full bill
2
Three friends send capsules via Bluetooth
3
Alice's app verifies all three: ✅ ✅ ✅
4
Alice sweeps later that evening
Backup & Recovery
This is where it gets tricky. Off-chain bearer transfers create a double-spend problem that doesn't exist in normal crypto. The sender still has their 12 words after sending a capsule, so what stops them from restoring and sweeping it themselves?
There are different ways to approach this. Here's what I landed on for now.
The Current Approach
12
Words to Backup
7
Days Restore Lock
100%
Self-Custodial
Standard 12-word recovery phrase - familiar to anyone who's used a crypto wallet. Write it down on paper, keep it safe. Same phrase always regenerates the same wallet in Zipher.
7-day time-lock on restore - this is the key tradeoff. When you restore a wallet from your 12 words, you can see everything immediately, but you can't do anything for 7 days. No sweeping, no sending, no creating capsules.
This gives recipients a full week to sweep any capsules you sent them before you could possibly access them again.
Creating Your Wallet
1
Install Zipher and tap "Create New Wallet"
2
App generates 12 random words from BIP39 wordlist
3
Write them down on paper
4
App verifies you wrote them correctly
5
Done - your wallet is created and backed up
Same phrase always produces same wallet in Zipher
No cloud storage required
Fully self-custodial
Does NOT work in other Zcash wallets (intentional — see Technical Architecture)
The 7-Day Time-Lock
During 7-Day Lock
View balance and history
See all capsules
Verify capsule status
Monitor verification
After 7 Days
Sweep capsules
Send capsules
Create new capsules
Full functionality
The lock uses Zcash blockchain timestamps (not device time). It cannot be bypassed by changing device settings. This is intentional.
Why This Approach?
It's not perfect. A 7-day wait after a legitimate phone loss is annoying. But the alternatives have their own tradeoffs, (i.e more complexity, more infrastructure or weaker security guarantees.)
This felt like the right balance for a mobile-first, self-custodial wallet: simple backup that people already understand, with a time-lock that makes fraud impractical without adding servers or trusted third parties.
That said, this isn't set in stone. The 7-day parameter could be adjusted based on community feedback and real-world usage patterns.
Use Cases
Optimal For
Splitting dinner ($20-100)
Tipping service workers ($5-50)
Informal loans to family ($50-500)
Cross-border remittances ($100-2000)
Private purchases ($50-1000)
Craigslist/marketplace transactions
Not Optimal For
Long-term storage (use hardware wallet)
Large amounts (keep under $2000)
Business audit trails
Recurring automated payments
Situations requiring immediate restore
Known Limitations
1.Restore Time-Lock - Legitimate restores require 7-day wait. You can view everything but cannot interact with capsules. This is intentional.
2.Recipient Counterparty Risk - Between receiving and sweeping, sender could theoretically attempt double-spend. Mitigated by 7-day lock + immediate sweep for strangers.
3.Closed Ecosystem - Recovery phrases only work in Zipher. Necessary for security, but full derivation spec will be published and salt will be released if Zipher ceases operation.
4.iOS Only (Initially) - Requires Secure Enclave. Android and web coming in 2026.
5.Small-to-Medium Amounts - Designed for spending money ($5-500 typical), not wealth storage.
6.Point-in-Time Verification -Verification shows current blockchain state. For transactions with strangers, always wait for sweep confirmation before releasing goods. The green checkmark means "unspent right now" — only a confirmed sweep means "yours forever."
7.Blockchain Timestamp Flexibility - Like Bitcoin, Zcash allows ~2 hour timestamp flexibility. Theoretical timestamp manipulation would require significant mining resources and is not a practical attack vector for typical capsule amounts.
Development Roadmap
Zipher is designed to grow beyond Apple's ecosystem. Here's the path forward:
Q1 2026
iOS Release
Planned
App Store launch with full functionality. Bluetooth transfers, iMessage extension, complete self-custody.
TestFlight
App Store
Multipeer
iMessage
Q3 2026
Android Release
Planned
Native Android app using Nearby Connections API for device-to-device transfers. Cross-platform capsule format ensures iOS ↔ Android compatibility.
Nearby Connections
Cross-platform .zpr
Q4 2026
Web Wallet
Planned
Browser-based wallet for verify and sweep operations. Capsule creation restricted to native apps for security.
Verify
Sweep
Read-only
2027
Full Interoperability
Planned
Unified protocol specification. Any platform can send to any platform. Community-driven development of additional clients.
Protocol spec
Open standard
The roadmap focuses on expanding access while maintaining security. Web wallets intentionally cannot create capsules. This prevents browser-based attacks on the Secure Enclave security model.
Why This Matters
For Users
First practical "hand someone crypto" - zero intermediate fees, works offline, full self-custody
For Zcash
Novel ZIP32 usage without protocol changes - reduces on-chain congestion, expands use cases
For Privacy
Eliminates timing correlation - optional perfect metadata privacy via Bluetooth
For Adoption
Familiar cash mental model - solves real problems like splitting bills and marketplace sales
A Public Good
Public Good
Zipher has no business model. There are no fees, no tokens, no premium tiers, no data collection, no ads. The code will be open-sourced. The goal is not to make money. The goal is to build infrastructure that should exist. Privacy is a right, not a product. This is a tool for everyone, funded by passion and community support.
Conclusion
Zipher demonstrates that Zcash's exceptional cryptographic privacy foundation can be extended with true bearer instrument properties while maintaining complete self-custody.
2
On-chain Transactions (vs N)
0
Intermediate Fees
7
Days Restore Protection
12
Words to Backup
What Works
Off-chain transfer, on-chain settlement
Perfect privacy through tx elimination
Zero fees for intermediate hops
No infrastructure requirements
Non-custodial throughout
Cash-like user experience
What's Required
Closed ecosystem (for security)
Recipient verification (automatic)
7-day restore wait (prevents fraud)
Small-to-medium amounts
Writing down 12 words on paper
Zipher builds on Zcash's world-class privacy to create something no other system provides: cryptocurrency that actually works like handing someone money.