Securing DNSSEC Keys via Threshold ECDSA from Generic MPC

Deployment of DNSSEC, although increasing, still suffers from many practical issues that results in a false sense of security. While many domains outsource zone management, they also have to outsource DNSSEC key management to the DNS operator, making the operator an attractive target for attackers. Moreover, DNSSEC does not provide any sort of protection in the case the operator itself decides to serve false information, for example, if it gets compromised.

[1]  Kouichi Sakurai,et al.  Two-Servers PIR Based DNS Query Scheme with Privacy-Preserving , 2007 .

[2]  Judit Bar-Ilan,et al.  Non-cryptographic fault-tolerant computing in constant number of rounds of interaction , 1989, PODC '89.

[3]  Kouichi Sakurai,et al.  Analysis of Privacy Disclosure in DNS Query , 2007, 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE'07).

[4]  Yehuda Lindell,et al.  Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody , 2018, CCS.

[5]  Ivan Damgård,et al.  Multiparty Computation from Somewhat Homomorphic Encryption , 2012, IACR Cryptol. ePrint Arch..

[6]  Steven M. Bellovin,et al.  Using the Domain Name System for System Break-ins , 1995, USENIX Security Symposium.

[7]  Stephane Bortzmeyer,et al.  DNS Privacy Considerations , 2015, RFC.

[8]  Roland van Rijswijk-Deij,et al.  Measuring the impact of a successful DDoS attack on the customer behaviour of managed DNS service providers , 2019, CCRV.

[9]  Bruce M. Maggs,et al.  A Longitudinal, End-to-End View of the DNSSEC Ecosystem , 2017, USENIX Security Symposium.

[10]  Abhi Shelat,et al.  Threshold ECDSA from ECDSA Assumptions: The Multiparty Case , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[11]  Haya Shulman,et al.  Domain Validation++ For MitM-Resilient PKI , 2018, CCS.

[12]  Marcel Keller,et al.  MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer , 2016, IACR Cryptol. ePrint Arch..

[13]  Rosario Gennaro,et al.  Fast Multiparty Threshold ECDSA with Fast Trustless Setup , 2018, CCS.

[14]  Stephane Bortzmeyer DNS Query Name Minimisation to Improve Privacy , 2016, RFC.

[15]  Haya Shulman,et al.  One Key to Sign Them All Considered Vulnerable: Evaluation of DNSSEC in the Internet , 2017, NSDI.

[16]  Derek Atkins,et al.  Threat Analysis of the Domain Name System (DNS) , 2004, RFC.

[17]  Nigel P. Smart,et al.  Distributing Any Elliptic Curve Based Protocol , 2019, IMACC.

[18]  Donald Beaver,et al.  Efficient Multiparty Protocols Using Circuit Randomization , 1991, CRYPTO.

[19]  Javier Bustos-Jiménez,et al.  Poor Man's Hardware Security Module (pmHSM): A Threshold Cryptographic Backend for DNSSEC , 2016, LANC.

[20]  Amir Herzberg,et al.  Socket overloading for fun and cache-poisoning , 2013, ACSAC.

[21]  Fabien Laguillaumie,et al.  Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations , 2019, IACR Cryptol. ePrint Arch..

[22]  Marcel Keller,et al.  MP-SPDZ: A Versatile Framework for Multi-Party Computation , 2020, IACR Cryptol. ePrint Arch..

[23]  Abhi Shelat,et al.  Secure Two-party Threshold ECDSA from ECDSA Assumptions , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[24]  Christian Cachin,et al.  Secure distributed DNS , 2004, International Conference on Dependable Systems and Networks, 2004.

[25]  Vitaly Shmatikov,et al.  The Hitchhiker's Guide to DNS Cache Poisoning , 2010, SecureComm.

[26]  Yehuda Lindell,et al.  Fast Secure Two-Party ECDSA Signing , 2017, Journal of Cryptology.

[27]  Lawrence K. Saul,et al.  Who is .com?: Learning to Parse WHOIS Records , 2015, Internet Measurement Conference.

[28]  Vincenzo Conti,et al.  A Self-Contained Biometric Sensor for Ubiquitous Authentication , 2007 .

[29]  G. Nabil,et al.  Hardware implementation of elliptic curve digital signature algorithm (ECDSA) on Koblitz curves , 2012, 2012 8th International Symposium on Communication Systems, Networks & Digital Signal Processing (CSNDSP).

[30]  Victor Shoup,et al.  Practical Threshold Signatures , 2000, EUROCRYPT.