Application of Biometric Key in Practical Secret Sharing for DNSsec

Anneke Soraya Hidayat, Rosemary Koikara, Pyung-Han Kim, Kee-Young Yoo*
School of Computer Science and Engineering, Kyungpook National University, Daegu, South Korea
annekesoraya@gmail.com, rosekoikara@gmail.com, k2jbks90@gmail.com, yook@knu.ac.kr
*Corresponding Author

Abstract— Secret sharing is one of the branches of threshold cryptography. Secret sharing is intended to secure a secret key s among a group G with n participants, such that the secret key s can be reconstructed by collecting the shares of t or more participants. Recently, the secret sharing concept has been applied to securing the DNSsec root key. However, DNSsec root key security is based on Shamir's (t, n)-secret sharing scheme and uses a smart card as the medium to store the share information. To improve the system, we have considered Yang et al.'s scheme, one of the earlier practical secret sharing schemes, for application in DNSsec. By combining these two systems, we propose a biometrics-based practical secret sharing scheme for DNSsec to resolve the problem with the storage media used. We also address the drawbacks of Yang et al.'s scheme by producing a more efficient and asynchronous reconstruction phase compared to other secret sharing schemes. Furthermore, it is applicable to the DNSsec system.

Keywords: Practical, Secret Sharing, DNSsec, key protection

I. INTRODUCTION

Shamir [1] and Blakley [2] were the first scientists to introduce secret sharing schemes, in 1979. The two researchers proposed different mathematical approaches. Shamir's secret sharing scheme uses polynomial interpolation and Lagrange interpolation. On the other hand, Blakley's secret sharing scheme takes the hypergeometric approach. They were followed in 1983 by Mignotte [3] and Asmuth-Bloom [4], both of whose schemes use the Chinese Remainder Theorem (CRT). In 2009, Chao and Lin [5] proposed a secret image sharing scheme using Boolean operations, such as the XOR operation.
During the 35 years since secret sharing was first proposed, many mechanisms based on secret sharing schemes have been developed. Most secret sharing schemes can distribute only one particular secret message. However, it is infeasible and inefficient to distribute more than one share for each additional message. Also, the share size will be larger than the actual message [6]. Thus, to solve the first problem, multi-secret sharing schemes, which permit the dealer to distribute more than one secret message in one distribution phase, were proposed [7-8]. Furthermore, participants may submit fake shares during reconstruction, which leads to the second problem: a verification procedure is needed to verify each participant's share before the reconstruction phase. The Verifiable Secret Sharing (VSS) concept was introduced by Chor et al. [9] in 1985. Their scheme provides an additional verification stage before or during the reconstruction phase. In most secret sharing schemes, shares have to be generated again once the secret has been reconstructed. Thus, Jackson et al. [10] introduced the concept of multi-use, also known as practical secret sharing, where participants can maintain their shares without updating them even after the secret has been reconstructed. This method also requires its participants to create their own shares. It solved the third and fourth problems. More practical secret sharing schemes have been proposed since then [11-13]. Most secret sharing schemes are aimed at practical application. Recent research on possible applications of secret sharing includes data protection [24], server data protection against upcoming disaster [25], and so on. A widely known real-world implementation of secret sharing is key protection among participants in Domain Name System Security (DNSsec).
DNSsec aims to address the security problems of the earlier Domain Name System (DNS). DNS is the system that maps Internet domains to IP addresses. However, a third party can impersonate the DNS server and obtain information from a user's computer, and may confuse the node with another domain address [14-15]. DNSsec protects against such attacks by digitally signing data to ensure that it is valid. The system does not encrypt the data. Instead, it attests the validity of the address, ensuring that the end user is connecting to the right address. The root key in DNSsec acts as the main key for rebooting the web under the DNS server and initializing it when there is a breakdown of or threat to the Internet. Among seven selected participants from around the world, five participants can conduct the reboot ceremony at the assigned place somewhere in America. As stated in [16-17], no one knows the exact secret sharing algorithm that is being used, except for the fact that it is based on Shamir's secret sharing scheme. However, it is publicly known that a smart card is used for storing the shares [18-19].