How It Works

The Watch Signs. The Phone Relays.

Keys are generated on Apple Watch and stored in its Keychain, encrypted by a key in the Secure Enclave. The watch is the signing authority. Every transaction is decoded and approved on the watch before a signature is produced.

The iPhone does not hold keys. The iPhone cannot sign. The iPhone relays data only. Even if the iPhone is fully compromised (by malware, a browser exploit, or a malicious app), the attacker cannot sign transactions or extract private keys. The keys exist only on the watch, protected by the Secure Enclave.

What You Trust

• Apple Secure Enclave: Hardware-isolated chip on the watch that stores the encryption key for your mnemonic. The key cannot be exported.
• Perpetua's implementation: The wallet software that generates keys, builds transactions, and manages signing. Security-critical code is open source.
• App Store distribution: The app is delivered through Apple's App Store. No sideloading, no direct downloads.

You do not need to trust any server, cloud service, or third-party custodian. The watch is the signing authority. The phone is transport. Even if the iPhone is fully compromised by malware, an attacker cannot sign transactions or extract private keys. The keys exist only on the watch.

Recovery

• Backups are encrypted on the watch before any data reaches the phone
• The phone never sees plaintext recovery data. It handles only opaque ciphertext
• Encryption: PBKDF2 (1,000,000 iterations) + ChaCha20-Poly1305, secured with a PIN or passphrase you choose on the watch
• Recovery is required if you lose your watch. Your Recovery Sheet or Photo Backup is the only way to restore
• Lose both the watch and the recovery material → permanent loss. There is no backdoor, no server recovery, no override

Cryptograph requires you to create and verify a backup during initial setup. There is no "skip" button.

Supply Chain Security

• Updatable wallets require trust: A compromised update can misuse legitimate key-access paths during normal use. This is true for any wallet with updatable software or firmware.
• The update mechanism is the security boundary: A hardware wallet is only as trustworthy as its latest firmware update. The device itself is not the boundary; the update path is.
• Complexity expands the attack surface: A hardware wallet includes firmware, companion apps, update channels, and dependencies. Every layer increases the trusted computing base. Complexity is a security liability.
• Perpetua keeps the critical path narrow: Keys remain on Apple Watch. Signing happens on the watch. There is no backend custody and no large host application required to manage keys.
• Independent distribution adds friction: Cryptograph is distributed through Apple's App Store, an independent third party that reviews updates. This is friction, not a guarantee, but it requires an attacker to compromise both the developer and pass external review.
• Small, inspectable code surface: Cryptograph is implemented as native code with a deliberately small dependency surface. Security-critical components are open source. The goal is not to eliminate trust, but to make it visible and easier to reason about.

Limits

• Compromised updates: Any updatable wallet must trust its update mechanism. If an attacker compromises the developer's build pipeline, a tampered version of the app can misuse legitimate key-access paths and exfiltrate secrets. Secure Enclave protects keys at rest, not against a compromised version of the app at runtime. Cryptograph reduces this risk by keeping key use narrow and visible, distributing through Apple's App Store (independent friction), and making security-critical code publicly inspectable.
• Apple platform compromise: A fundamental breach of the Secure Enclave or watchOS is out of scope. Cryptograph trusts Apple's hardware security.
• Lost recovery material: If you lose your watch and your Recovery Sheet or Photo Backup, your funds are permanently inaccessible.
• Physical coercion: Time Lock imposes delays and spend limits, but sustained coercion longer than your configured delay can eventually overcome it.

For the full technical analysis, see the Technical Security Overview.