Privacy-Preserving Credit Checking
Keith Frikken, Mikhail Atallah, and Chen Zhang
Purdue University
June 7, 2005
Overview
• Motivation
• Related Work
• Base Protocol
• Extensions
• Summary
ACM EC 2005
Current Credit Checking Scheme (comic-strip slide; speech bubbles in dialogue order)
Bob: I would really like that new light-saber, but I just don't have the money.
Bob: Hi Linda, I'm Bob and I would like a loan to buy a new light-saber, my SSN is 123-45-6789.
Linda: I would like 123-45-6789's credit report.
[Credit Report]
Linda: It looks like Bob has good credit. Not another geek!
Linda: Congratulations Bob! We can give you the loan…
Problem with current scheme
• Problem: Linda gets to see Bob's credit report
• What is in a credit report?
  • Not just a credit score
  • Information about bankruptcies, liens, and financial history
• Not all lenders are credible
• Malicious insiders
Our Goal
• A privacy-preserving credit checking scheme:
  • Linda does not see Bob's credit report
  • All she learns is whether or not Bob qualified for the loan
• To make matters more complicated:
  • Linda's loan qualification criteria are confidential
  • The CRA should not be a bottleneck
Properties of our solution
• Linda learns only whether or not Bob qualified for the loan
• Bob learns only whether or not he qualified for the loan
• Bob's credit report is certified by the CRA
• The CRA does not learn whether or not Bob qualified for the loan
• Information flow is similar to the current non-private credit checking scheme
Related Work
• Secure Function Evaluation and Secure Multiparty Computation
  • [Yao, 1982] and [Yao, 1986]
  • [Goldreich, Micali, and Wigderson, 1987]
  • Many others
• Cryptocomputing
  • [Sander et al., 1999], [Cachin et al., 2000]
• Minimal Model for Secure Computation
  • [Feige et al., 1994]
• Privacy-Preserving Auctions and Mechanism Design
  • [Naor et al., 1999]
Review: Scrambled Circuit Evaluation [Yao, 1986]
• Two roles: Generator and Evaluator
• Label the wires of the circuit by w1, …, wn
• The generator creates two encodings for each wire, call them wi[0] and wi[1]; the evaluator learns only the encoding of each wire's actual value
• For each gate the generator computes gate information
  • Example: AND gate information with input wires wi, wj, and output wire wk (m is a publicly known string; ab denotes a AND b), one entry per input pair (a, b):
    Enc(Enc(m || wk[ab], wj[a]), wi[b])
• The evaluator learns encodings for the input wires and computes encodings for the output wires using the gate information
Naïve Solutions
• Have Linda send the CRA her loan criteria and the CRA reports back yes/no:
  • CRA is a bottleneck
  • CRA learns Linda's criteria
• A 3-party protocol between Bob, Linda, and the CRA:
  • CRA is a bottleneck
  • Does not mimic the current credit checking scheme
• The CRA gives Bob digitally signed certificates and Bob inputs them into a secure protocol:
  • Very expensive
Bird's Eye View of our Scheme
• Bob registers off-line with the CRA for private credit reports (the primary difference between our scheme and the current model)
• Linda requests the credit report from the CRA and the CRA sends it to her in a "scrambled" form
• Linda and Bob engage in a secure protocol over the scrambled report to determine qualification status
Assumptions
• Bounded credit report size
• Accurate CRA
• Single CRA
• Criteria are of one of two forms:
  • Comparison against a threshold
  • Single binary value
• Known criteria
• Policy is of the form:
  • If t out of n criteria are satisfied then yes
• Semi-honest model
Base Protocol (Simplified version)
• Setup: Bob registers with the CRA and they establish a shared encryption key k
• Loan Request: Bob requests a loan from Linda
• Linda Obtains Credit Report:
  • The CRA generates two random values r0 and r1 for each attribute of the credit report
  • Example attributes:
    • Has Bob been bankrupt?
    • Is the 5th bit of Bob's debt true?
  • It sends Linda r0, r1, Enc(r[Bob's value], k), and the attribute meaning
Base Protocol (cont.)
• Determining Loan Qualification:
  • Linda builds a circuit to compute loan qualification with:
    • Input wire encodings being r0 and r1 for each attribute
    • Output wire encodings being k0 and k1
  • She sends Bob the gate information and Enc(r[Bob's value], k) for each attribute
  • Bob decrypts the values, evaluates the circuit, and obtains k[Bob's status]
• Obtaining Result: Bob sends k[Bob's status] to Linda and she learns whether or not he qualified for the loan
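The base protocol on this and the previous slide, carried end to end with the double-encryption gate format from the Yao review slide, as an added example (not code from the paper or its authors). Assumptions: the paper's Enc is stood in by a nonced SHAKE256 keystream, the public string m is the constant M, Linda's policy is a constructed 2-of-3 threshold circuit, and the report bits are constructed sample input.

```python
import hashlib, secrets
M = b"ECCREDIT"  # the publicly known string m: marks the one gate row that decrypted correctly
label = lambda: secrets.token_bytes(16)  # a fresh random wire encoding
def enc(key, msg):  # stands in for the paper's Enc: nonce || (msg XOR SHAKE256(key || nonce))
    nonce = secrets.token_bytes(16)
    pad = hashlib.shake_256(key + nonce).digest(len(msg))
    return nonce + bytes(x ^ y for x, y in zip(msg, pad))

def dec(key, ct):
    pad = hashlib.shake_256(key + ct[:16]).digest(len(ct) - 16)
    return bytes(x ^ y for x, y in zip(ct[16:], pad))

def garble_gate(fn, wi, wj, wk):  # gate info: Enc(Enc(m||wk[fn(a,b)], wj[b]), wi[a]) for all a, b, shuffled
    rows = [enc(wi[a], enc(wj[b], M + wk[fn(a, b)])) for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(rows)
    return rows

def eval_gate(rows, li, lj):  # evaluator holds one encoding per input wire and recovers one for the output
    for row in rows:
        out = dec(lj, dec(li, row))
        if out.startswith(M):
            return out[len(M):]
    raise ValueError("malformed gate: no row carries the public marker")

AND, OR = (lambda a, b: a & b), (lambda a, b: a | b)
# Linda's (constructed) policy, 2 of 3 criteria: MAJ(x0,x1,x2) = (x0&x1)|(x0&x2)|(x1&x2).
# Entries are (gate, in-wire i, in-wire j, out-wire); wires 0-2 are the inputs, wire 7 the output.
CIRCUIT = [(AND, 0, 1, 3), (AND, 0, 2, 4), (AND, 1, 2, 5), (OR, 3, 4, 6), (OR, 6, 5, 7)]

def cra_issue(report, k):  # CRA: per attribute, fresh r0, r1 and Enc(r[Bob's value], k), all sent to Linda
    pairs = [(label(), label()) for _ in report]
    return [(r0, r1, enc(k, (r0, r1)[bit])) for (r0, r1), bit in zip(pairs, report)]

def linda_garble(from_cra):  # Linda: the CRA's (r0, r1) are the input encodings, (k0, k1) the output ones
    wires = {i: (r0, r1) for i, (r0, r1, _) in enumerate(from_cra)}
    for _, _, _, out in CIRCUIT:
        wires[out] = (label(), label())
    gates = [garble_gate(fn, wires[i], wires[j], wires[o]) for fn, i, j, o in CIRCUIT]
    return gates, [c for _, _, c in from_cra], wires[CIRCUIT[-1][3]]

def bob_evaluate(gates, ciphertexts, k):  # Bob: decrypt his input encodings with k, then evaluate gate by gate
    known = {i: dec(k, c) for i, c in enumerate(ciphertexts)}
    for rows, (_, i, j, o) in zip(gates, CIRCUIT):
        known[o] = eval_gate(rows, known[i], known[j])
    return known[CIRCUIT[-1][3]]  # k[Bob's status]: the single value Bob sends to Linda

def run_protocol(report):  # report: constructed list of 3 binary attributes, e.g. [1, 1, 0]
    k = label()  # setup: encryption key shared by Bob and the CRA; Linda never sees it
    gates, cts, (k0, k1) = linda_garble(cra_issue(report, k))
    return bob_evaluate(gates, cts, k) == k1  # all Linda learns: did Bob qualify or not
```

If no row of a gate decrypts to m, eval_gate raises; the malicious-lender extension on a later slide has Bob instead proceed exactly as on a loan failure.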
Oblivious Circuits
• Bob learns the topology of the circuit for Linda's criteria
• Topologies can be constructed for a large class of criteria:
  • Binary tree
  • Generic comparison
  • Universal circuits [Valiant, 1976]
  • Arbitrary n-ary gates (exponential communication)
• Circuits can easily be constructed for our assumptions
Extensions
• Pre-computing circuits for criteria
• More general types of loan qualification policies:
  • Weighted threshold
  • Combinatorial circuits
• Multiple CRAs
  • What if they have conflicting information?
Extensions
• Malicious parties:
  • Borrower: as long as the pseudorandom function is secure, the scheme is secure against a malicious borrower
  • Lender:
    • Can create a malformed circuit
      • 4 outputs instead of 2
      • One that does not always evaluate correctly
    • Can abort after the result has been learned
  • Solution:
    • Using digital signatures, we "tie the lender's hands"
    • The borrower behaves the same way as on a loan failure if the circuit is malformed
Summary
• The current credit checking scheme reveals the credit report to lenders
• We introduced protocols for a private credit checking scheme
• However:
  • The only person with motivation for this is the borrower
  • Privacy may not yet be enough motivation for enough borrowers to make such a scheme profitable
• Future Work:
  • Incorporate other data (salary)
  • Interface issues