
Privacy-Preserving Credit Checking

Keith Frikken, Mikhail Atallah, and Chen Zhang. Purdue University. June 7, 2005.


Presentation Transcript


  1. Privacy-Preserving Credit Checking
     Keith Frikken, Mikhail Atallah, and Chen Zhang
     Purdue University
     June 7, 2005

  2. Overview
     • Motivation
     • Related Work
     • Base Protocol
     • Extensions
     • Summary
     ACM EC 2005

  3. Current Credit Checking Scheme
     • "I would really like that new light-saber, but I just don't have the money."
     • "I would like 123-45-6789's credit report"
     • Credit Report
     • "It looks like Bob has good credit"
     • "Not another geek!"
     • "Congratulations Bob! We can give you the loan…"
     • "Hi Linda, I'm Bob and I would like a loan to buy a new light-saber, my SSN is 123-45-6789"

  4. Problem with current scheme
     • Problem: Linda gets to see Bob's credit report
     • What is in a credit report?
       • Not just a credit score
       • Information about bankruptcies, liens, and financial history
     • Not all lenders are credible
       • Malicious insiders

  5. Our Goal
     • A privacy-preserving credit checking scheme:
       • Linda does not see Bob's credit report
       • All she learns is whether or not Bob qualified for the loan
     • To make matters more complicated:
       • Linda's loan qualification criteria are confidential
       • The CRA should not be a bottleneck

  6. Properties of our solution
     • Linda learns only whether or not Bob qualified for the loan
     • Bob learns only whether or not he qualified for the loan
     • Bob's credit report is certified by the CRA
     • The CRA does not learn whether or not Bob qualified for the loan
     • Information flow is similar to the current non-private credit checking scheme

  7. Overview
     • Motivation
     • Related Work
     • Base Protocol
     • Extensions
     • Summary

  8. Related Work
     • Secure Function Evaluation and Secure Multiparty Computation
       • [Yao, 1982] and [Yao, 1986]
       • [Goldreich, Micali, and Wigderson, 1987]
       • Many others
     • Cryptocomputing
       • [Sander et al., 1999], [Cachin et al., 2000]
     • Minimal Model for Secure Computation
       • [Feige et al., 1994]
     • Privacy-Preserving Auctions and Mechanism Design
       • [Naor et al., 1999]

  9. Review: Scrambled Circuit Evaluation [Yao, 1986]
     • Two roles: Generator and Evaluator
     • Label the wires of the circuit by w_1, …, w_n
     • The generator creates two encodings for each wire, call them w_i[0] and w_i[1], and the evaluator learns the actual encoding for each wire
     • For each gate the generator computes gate information
     • Example AND gate information with input wires w_i, w_j, and output wire w_k (m is a publicly known string):
       • Enc(Enc(m || w_k[ab], w_j[a]), w_i[b])
     • The evaluator learns encodings for input wires and computes encodings for output wires using gate information

  10. Overview
     • Motivation
     • Related Work
     • Base Protocol
     • Extensions
     • Summary

  11. Naïve Solutions
     • Have Linda send the CRA her loan criteria and the CRA reports back yes/no:
       • CRA is a bottleneck
       • CRA learns Linda's criteria
     • A 3-party protocol between Bob, Linda, and the CRA:
       • CRA is a bottleneck
       • Does not mimic the current credit checking scheme
     • CRA gives Bob digitally signed certificates and Bob inputs them into a secure protocol
       • Very expensive

  12. Bird's Eye View of our Scheme
     • Bob registers off-line with the CRA for private credit reports (primary difference between our scheme and the current model)
     • Linda requests the credit report from the CRA and the CRA sends it to her in a "scrambled" form
     • Linda and Bob engage in a secure protocol with the scrambled report to determine qualification status

  13. Assumptions
     • Bounded Credit Report Size
     • Accurate CRA
     • Single CRA
     • Criteria are of one of two forms
       • Comparison against threshold
       • Single binary value
     • Known Criteria
     • Policy is of form:
       • If t out of n criteria are satisfied then yes
     • Semi-honest model

  14. Base Protocol (Simplified version)
     • Setup: Bob registers with the CRA and they establish a shared encryption key k
     • Loan Request: Bob requests a loan from Linda
     • Linda Obtains Credit Report:
       • The CRA generates two random values r_0 and r_1 for each attribute of the credit report
       • Example attributes:
         • Has Bob been bankrupt?
         • Is the 5th bit of Bob's debt true?
       • It sends Linda r_0, r_1, Enc(r_{Bob's value}, k), and the attribute meaning

  15. Base Protocol (cont.)
     • Determining Loan Qualification:
       • Linda builds a circuit to compute loan qualification with:
         • Input wire encodings being r_0 and r_1 for each attribute
         • Output wire encodings being k_0 and k_1
       • She sends Bob: the gate information and Enc(r_{Bob's value}, k) for each attribute
       • Bob decrypts the values, evaluates the circuit, and obtains k_{Bob's status}
     • Obtaining Result: Bob sends k_{Bob's status} to Linda and she learns if he qualified for the loan or not

  16. Oblivious Circuits
     • Bob learns the topology of the circuit for Linda's criteria
     • Topologies can be constructed for a large class of criteria
       • Binary tree
       • Generic comparison
       • Universal circuits [Valiant, 1976]
       • Arbitrary n-ary gates (exponential communication)
     • Circuits can easily be constructed for our assumptions

  17. Overview
     • Motivation
     • Related Work
     • Base Protocol
     • Extensions
     • Summary

  18. Extensions
     • Pre-computing circuits for criteria
     • More general types of loan qualification policies
       • Weighted threshold
       • Combinatorial circuits
     • Multiple CRAs
       • What if they have conflicting information?

  19. Extensions
     • Malicious parties:
       • Borrower: As long as the pseudorandom function is secure, the scheme is secure against a malicious borrower
       • Lender:
         • Can create a malformed circuit
           • 4 outputs instead of 2
           • One that does not always evaluate correctly
         • Can abort after the result has been learned
       • Solution:
         • Using digital signatures, we "tie the lender's hands"
         • Borrower behaves the same way as a loan failure if the circuit is malformed

  20. Overview
     • Motivation
     • Related Work
     • Base Protocol
     • Extensions
     • Summary

  21. Summary
     • Current credit checking scheme reveals credit report to lenders
     • We introduced protocols for a private credit checking scheme
     • However:
       • The only person with motivation for this is the borrower
       • Privacy may not yet be enough motivation for enough borrowers to make such a scheme profitable
     • Future Work:
       • Incorporate other data (salary)
       • Interface issues
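
A runnable sketch of the scrambled AND gate from slide 9 inside the base protocol of slides 14 and 15, for a 2-out-of-2 policy over two binary attributes. It is an added example, not code from the presentation. Assumptions: the toy `enc` (an XOR keystream, a stand-in only and not a secure cipher), the attribute names, the value of m, and the per-attribute tweak.

```python
import hashlib
import secrets

M = b"\x00" * 8  # publicly known string m from slide 9 (constructed value)

def enc(msg, key, tweak=b""):
    """Toy Enc: XOR with SHA-256(key || tweak). Self-inverse; NOT a secure cipher."""
    pad = hashlib.sha256(key + tweak).digest()
    return bytes(x ^ y for x, y in zip(msg, pad))

def cra_scramble(report, k):
    """CRA: per attribute, pick r0 and r1 and encrypt r_{Bob's value} under k."""
    out = []
    for idx, (meaning, value) in enumerate(report):
        r = (secrets.token_bytes(16), secrets.token_bytes(16))
        # Assumption: the attribute index is a tweak so no pad is reused under k.
        out.append((r[0], r[1], enc(r[value], k, bytes([idx])), meaning))
    return out

def linda_garble_and(wi, wj):
    """Linda: AND-gate information, rows Enc(Enc(m || w_k[ab], w_j[a]), w_i[b])."""
    wk = (secrets.token_bytes(16), secrets.token_bytes(16))  # k_0, k_1
    rows = [enc(enc(M + wk[a & b], wj[a]), wi[b]) for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(rows)  # row order must not reveal (a, b)
    return rows, wk

def bob_evaluate(rows, sealed, k):
    """Bob: decrypt his wire encodings with k, then open the one row that shows m."""
    ri, rj = (enc(c, k, bytes([idx])) for idx, c in enumerate(sealed))
    for row in rows:
        plain = enc(enc(row, ri), rj)
        if plain.startswith(M):
            return plain[len(M):]
    return None  # malformed gate: behave as for a loan failure (slide 19)

def run(no_bankruptcy, no_liens):
    """One end-to-end check with a 2-out-of-2 policy; inputs are 0 or 1."""
    k = secrets.token_bytes(16)  # key Bob and the CRA share from setup
    report = [("no bankruptcy", no_bankruptcy), ("no liens", no_liens)]
    (i0, i1, ci, _), (j0, j1, cj, _) = cra_scramble(report, k)
    rows, (k0, k1) = linda_garble_and((i0, i1), (j0, j1))
    status = bob_evaluate(rows, [ci, cj], k)  # Bob returns k_{Bob's status}
    return status == k1  # Linda learns only qualified / not qualified

if __name__ == "__main__":
    for bits in ((1, 1), (1, 0), (0, 1), (0, 0)):
        print(bits, run(*bits))
```

Linda never sees which of r_0 or r_1 the CRA encrypted, and Bob sees only one encoding per wire plus the single gate row that decrypts to a value beginning with m.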
