Hardware Signer
Zypher
The mathematical bridge between your agent and your signature.
Don't trust software. Trust physics.
Every hardware wallet has a software trust boundary.
Ledger / Trezor / Keystone
- USB/Bluetooth/QR = bidirectional data channel
- Firmware can be exploited to exfiltrate keys
- Trust their display, their firmware, their supply chain
- Closed-source secure element
Zypher
- Optocoupler = physically one-directional
- No firmware can reverse a photon
- Two independent displays, two MCUs
- Open-source. Audit from silicon up.
How it's built.
Each layer assembles as you scroll. Six components. Zero trust boundaries.
PCB Substrate
Custom board. Two isolated zones. No shared traces between agent and signing side.
Agent MCU (RP2040)
Receives calldata from your computer. Decodes and displays the transaction. Cannot access keys.
Signing MCU (RP2040)
Holds private key in RAM. Signs only after local display verification. Never connected to network.
Optocoupler Barrier
Three 6N137 diodes. Light travels one direction. Data in, clock in, signature out. Physics, not firmware.
Dual Displays
Each MCU has its own 3.5" IPS. You see the transaction on both sides. Auto-compare catches any mismatch.
Rust ASCII Filter
The only trusted code. 32 lines. Filters to printable ASCII only. You can read every line in 5 minutes.
The only trusted element.
32 lines of Rust. Printable ASCII filter. Read it yourself.
// Zypher ASCII filter — the ONLY trusted code path
// If a byte is not printable ASCII, it is dropped.
// No exceptions. No escape sequences. No control chars.
fn filter_ascii(input: &[u8]) -> Vec<u8> {
input
.iter()
.copied()
.filter(|&b| b >= 0x20 && b <= 0x7E)
.collect()
}
// That's it. No parsing. No state machine.
// If you can't print it, it doesn't pass.
// Verify: cargo test or read the 32 lines above.Open-source. Auditable from silicon to firmware.
How Zypher signs.
Verify it yourself.
Open-source. EVM-compatible. Any chain, any contract, any calldata.
In development · Hardware beta Q3 2026