About Me

I am a researcher at the Secure Information Technology (SIT) research group at TU Darmstadt. My research interests are in applied cryptography, privacy enhancing technologies (PETs) and Internet infrastructure security. My current focus is on cryptographic protocols and, in particular, practical aspects of secure multiparty computation. I am also interested in bridging tech-policy gap.

Recent Blog Posts

Links - Centralization

  • Clouding Up the Internet

    While there is talk of centralization of the Internet and breaking up of Big Tech, this discussion is often limited to the application layer of the Internet. What about the infrastructure? This research paper by Moura et al. at Internet Measurement Conference (IMC) 2020 discusses the centralization of the Internet based on measurement of DNS traffic sent to .nl, .nz and b-root servers. Centralization affects end-users in both good (e.g., deployment of QNAME-minimization) and bad (e.g., single point of failure) ways.

  • The De-democratization of AI

    While this paper looks at who (large firms and elite universities, they say) gets papers into top AI conferences, I found Figure 2 interesting as it has a few security and networking conferences. I wonder why, in the early 2000s, the proportion of papers with at least one author from a tech firm drops off significantly at USENIX Security. For some reason, in the appendix, the authors classify INFOCOM as a visualization conference.

Icemeltland park (2020)

Imagine you are on a holiday and you see a once in a life time event. Not only because you may not be able to see it again but also because what you see may not exist after the event. Icemeltland Park (2020) is a documentary that takes us to such an “amusement park” that is distributed across the world.

What do you get to see and experience in this “amusement park”? Glacier calving. These are locations around the world where glaciers are melting or breaking away. During this 40-minute documentary, people visit these places, take videos of glacier calving and share them online. We hear expressions of joy in the background as the landslides result in massive masses of ice crashing into the ocean. People feel lucky to have been in the moment where one of these glaciers broke away. At least one of these “lucky ones” recognized the problem and exclaimed, “Scheiße”.

Internet Governance Related Activities

This year, I have had the opportunity to participate at a few Internet governance related events.

First, a couple of fellowships. I am a NextGen@ICANN69. ICANN69 was to be held in Hamburg, Germany from 17 – 22 October 2020. It will be held online instead. I am also one of the 30 Internet Society IGF Youth Ambassadors 2020.

Second, I had the opportunity to be a part of the Youth Dialogue on Internet Governance (YOUthDIG) fellowship program. The program took the form of six webinars with discussions that were eventually turned into youth messages. The program culminated with the participation in European Dialogue on Internet Governance (EuroDIG) from 10 – 12 June 2020. It was held online (originally scheduled to take place in Trieste, Italy). EuroDIG is a platform for multi-stakeholder discussion on Internet-related public policy issues.

Limiting the Power of RPKI Authorities

This article first appeared on the APNIC Blog and RIPE Labs.

In the beginning, Internet infrastructure was not originally designed with security in mind. Luckily, this mindset has changed over the years, mainly due to the growing number of attacks, and has prompted the design of security measures such as Domain Name System Security Extensions (DNSSEC) and Resource Public Key Infrastructure (RPKI).

Unfortunately though, the deployment of these security measures has been slow and, as such, they have not yet delivered widespread security improvements. DNSSEC and RPKI rely on cryptographic signatures and, while the private keys should be held by the owners of domains and Internet name resource owners, in practice, they are outsourced to centralized authorities. In the case of RPKI, it relies on a weak threat model that can be exploited by nation-state actors.

In this post, I am going to share a joint project that my colleague, Haya Shulman, and I presented at ANRW ’20, where we propose a change to RPKI that will strengthen the threat model and prevent unilateral takedown of IP prefixes by Regional Internet Registries (RIRs).

Our design, which relies on threshold signatures — an instance of secure multiparty computation (MPC) — to distribute trust, is automated and can facilitate the deployment of RPKI while reducing or eliminating errors due to manual configurations. Our work prevents takedowns instead of detecting them after the fact. We also do not require any changes at relying parties, which makes it easier to deploy our solution.


RPKI secures interdomain routing against prefix and sub-prefix hijacks. It binds the IP address blocks with its Autonomous Systems (ASes) via cryptographic signatures, stored in Route Origin Authorizations (ROAs). ASes then apply Route Origin Validation (ROV) to identify and discard Border Gateway Protocol (BGP) announcements that contradict the information in ROAs. ASes that perform ROV filter misconfigured as well as malicious announcements attempting to hijack prefixes.