
Master Thesis Project | Securing Yivi’s EUDI Wallet Transition with an HSM-Based Architecture

Caesar Groep

Utrecht
B2B
agile
cryptography
integration
security

Master Thesis project proposal

“Designing and implementing a HSM-Based Architecture for Yivi's Transition to an EUDI Wallet with enhanced security against high-potential attackers”

Context and motivation

Background

Yivi is a privacy-preserving digital identity platform that has successfully launched passport credentials in production using IRMA/Idemix protocols based on zero-knowledge proof (ZKP) schemes. With the introduction of the EU Digital Identity (EUDI) Wallet regulation (eIDAS 2.0), Yivi aims to evolve into a compliant EUDI wallet while maintaining its strong privacy guarantees.

Strategic challenge

Yivi faces a fundamental architectural challenge: transitioning from a ZKP-focused architecture to a cryptographically agile system that supports multiple credential formats (SD-JWT VC, ISO 18013-5 mDL, IRMA) and protocols (OpenID4VP, ISO 18013-5) while significantly strengthening security against high-potential attackers as required by eIDAS regulation.

The Keyshare Protocol Problem

Yivi's current keyshare protocol (https://docs.yivi.app/keyshare-protocol) requires fundamental renewal to:

  • Support multiple credential formats beyond IRMA/Idemix

  • Provide hardware-backed key security using HSMs

  • Meet eIDAS assurance level High requirements

  • Protect against nation-state level attackers

  • Maintain Yivi's privacy-first principles

Research objectives

Primary objective

Prototype a renewed keyshare protocol architecture for Yivi that enables cryptographic agility, HSM-based security, and EUDI wallet compliance while preserving privacy guarantees, based on the Split-ECDSA (SECDSA, Verheul (2024)) approach.

Specific research questions

RQ1: Architecture design

How can Yivi's keyshare protocol be redesigned to support multiple cryptographic schemes (IRMA/Idemix, ECDSA, EdDSA, ECDH-MAC) while maintaining a unified security model?

RQ2: HSM Integration

What HSM-based architecture patterns can provide hardware-bound key security for Yivi while remaining implementable on standard PKCS#11 HSMs without vendor lock-in?

RQ3: Security enhancement

How can Split-ECDSA (SECDSA) or similar cryptographic techniques be adapted to Yivi's architecture to achieve:

• Verifiable sole control under high attack potential

• Protection against PIN brute-force even with compromised devices

• Publicly verifiable transaction transparency

RQ4: Protocol compatibility

How can the renewed keyshare protocol interface with both:

• IRMA credentials and protocols

• EUDI wallet protocols (OpenID4VP, ISO 18013-5)

RQ5: Privacy Preservation

How can cryptographic agility be achieved without compromising Yivi's unique privacy properties, particularly unlinkability across credential presentations?

Student profile

We are looking for a motivated university-level student in Computer Science, Cyber Security or a closely related discipline. You have a strong affinity with cryptography, digital identity, and privacy-preserving technologies, and you are eager to apply academic knowledge to a real-world, high-impact use case. You work independently, think analytically, and are comfortable exploring complex technical concepts.

Thesis benefits

  • Professional supervision from specialists in cryptography, identity management, and EUDI Wallet technologies

  • Regular feedback and technical sparring sessions throughout the thesis process

  • Access to technical documentation, development environments, and research materials relevant to the assignment

  • A monthly thesis compensation of €500 (based on a 40-hour commitment; exceptions possible)

  • Flexible working arrangements, including hybrid work options

  • Opportunities to publish or present your research within the organization

  • Real-world impact: your work may directly contribute to the integration of Yivi as an EUDI Wallet

References

Academic

Other

Contact

Primary contact person

Dibran Mulder, CTO Caesar Groep & Yivi

+31 (0)6 39 30 61 18

[email protected]

Address:

Janssoniuslaan 80

3528 AJ Utrecht

Websites:

https://yivi.app

https://caesar.nl
