Caesar Groep - Master Thesis Project | Securing Yivi’s EUDI Wallet Transition with an HSM-Based Architecture

    Job description

    Master Thesis project proposal 

    “Designing and implementing an HSM-Based Architecture for Yivi's Transition to an EUDI Wallet with enhanced security against high-potential attackers” 

    Context and motivation 

    Background 

    Yivi is a privacy-preserving digital identity platform that has successfully launched passport credentials in production using IRMA/Idemix protocols based on zero-knowledge proof (ZKP) schemes. With the introduction of the EU Digital Identity (EUDI) Wallet regulation (eIDAS 2.0), Yivi aims to evolve into a compliant EUDI wallet while maintaining its strong privacy guarantees. 

     

    Strategic challenge 

    Yivi faces a fundamental architectural challenge: transitioning from a ZKP-focused architecture to a cryptographically agile system that supports multiple credential formats (SD-JWT VC, ISO 18013-5 mDL, IRMA) and protocols (OpenID4VP, ISO 18013-5) while significantly strengthening security against high-potential attackers as required by eIDAS regulation. 

    The Keyshare Protocol Problem 

    Yivi's current keyshare protocol (https://docs.yivi.app/keyshare-protocol) requires fundamental renewal to: 

    • Support multiple credential formats beyond IRMA/Idemix 

    • Provide hardware-backed key security using HSMs 

    • Meet eIDAS assurance level High requirements 

    • Protect against nation-state level attackers 

    • Maintain Yivi's privacy-first principles 

    Research objectives 

    Primary objective 

    Prototype a renewed keyshare protocol architecture for Yivi that enables cryptographic agility, HSM-based security, and EUDI wallet compliance while preserving privacy guarantees, based on the Split-ECDSA (SECDSA; Verheul, 2024) approach. 

    Specific research questions 

    RQ1: Architecture design 

    How can Yivi's keyshare protocol be redesigned to support multiple cryptographic schemes (IRMA/Idemix, ECDSA, EdDSA, ECDH-MAC) while maintaining a unified security model? 

    RQ2: HSM Integration 

    What HSM-based architecture patterns can provide hardware-bound key security for Yivi while remaining implementable on standard PKCS#11 HSMs without vendor lock-in? 

    RQ3: Security enhancement 

    How can Split-ECDSA (SECDSA) or similar cryptographic techniques be adapted to Yivi's architecture to achieve: 

    • Verifiable sole control under high attack potential 

    • Protection against PIN brute-force even with compromised devices 

    • Publicly verifiable transaction transparency 

    RQ4: Protocol compatibility 

    How can the renewed keyshare protocol interface with both: 

    • IRMA credentials and protocols 

    • EUDI wallet protocols (OpenID4VP, ISO 18013-5) 

    RQ5: Privacy Preservation 

    How can cryptographic agility be achieved without compromising Yivi's unique privacy properties, particularly unlinkability across credential presentations? 

    Student profile

    We are looking for a motivated university-level student in Computer Science, Cyber Security or a closely related discipline. You have a strong affinity with cryptography, digital identity, and privacy-preserving technologies, and you are eager to apply academic knowledge to a real-world, high-impact use case. You work independently, think analytically, and are comfortable exploring complex technical concepts.

    Thesis benefits

    • Professional supervision from specialists in cryptography, identity management, and EUDI Wallet technologies

    • Regular feedback and technical sparring sessions throughout the thesis process

    • Access to technical documentation, development environments, and research materials relevant to the assignment

    • A monthly thesis compensation of €500 (based on a 40-hour commitment; exceptions possible)

    • Flexible working arrangements, including hybrid work options

    • Opportunities to publish or present your research within the organization

    • Real-world impact: your work may directly contribute to the integration of Yivi as an EUDI Wallet

    References 

    Academic 

    Other 

    Contact 

    Primary contact person 

    Dibran Mulder, CTO Caesar Groep & Yivi 

    +31 (0)6 39 30 61 18 

    d.mulder@caesar.nl 

    Address: 

    Janssoniuslaan 80 

    3528 AJ Utrecht

    Websites:

    https://yivi.app 

    https://caesar.nl 

    In short

    • Utrecht
    • € 500 per month
    • Yivi
    • 40 hours per week

    Caesar Groep is a proud member of the Diversity & Inclusion Charter (Charter Diversiteit & inclusie) of the Social and Economic Council (Sociaal Economische Raad, SER). This means that we actively work on a diverse workforce and an inclusive working climate. We believe this stimulates, among other things, innovation, development and renewal. We are open to applications from anyone who feels addressed, regardless of who you are or where you come from. Feel welcome to respond, even if you do not meet all the criteria exactly.
