Privacy-Preserving Credit Checking Keith Frikken, Mikhail Atallah, and Chen Zhang Purdue University June 7, 2005.


1 Privacy-Preserving Credit Checking Keith Frikken, Mikhail Atallah, and Chen Zhang Purdue University June 7, 2005

2 Overview (ACM EC 2005)
- Motivation
- Related Work
- Base Protocol
- Extensions
- Summary

3 Current Credit Checking Scheme
- “I would really like that new light-saber, but I just don’t have the money.”
- “Hi Linda, I’m Bob and I would like a loan to buy a new light-saber, my SSN is 123-45-6789”
- “Not another geek!”
- “I would like 123-45-6789’s credit report”
- [Credit Report]
- “It looks like Bob has good credit”
- “Congratulations Bob! We can give you the loan…”

4 Problem with current scheme
- Problem: Linda gets to see Bob’s credit report
- What is in a credit report?
  - Not just a credit score
  - Information about bankruptcies, liens, and financial history
- Not all lenders are credible
  - Malicious insiders

5 Our Goal
- A privacy-preserving credit checking scheme:
  - Linda does not see Bob’s credit report
  - All she learns is whether or not Bob qualified for the loan
- To make matters more complicated:
  - Linda’s loan qualification criteria are confidential
  - The CRA should not be a bottleneck

6 Properties of our solution
1. Linda learns only whether or not Bob qualified for the loan
2. Bob learns only whether or not he qualified for the loan
3. Bob’s credit report is certified by CRA
4. CRA does not learn whether or not Bob qualified for the loan
5. Information flow similar to current non-private credit checking scheme

7 Overview: Motivation, Related Work, Base Protocol, Extensions, Summary

8 Related Work
- Secure Function Evaluation and Secure Multiparty Computation
  - [Yao, 1982] and [Yao, 1986]
  - [Goldreich, Micali, and Wigderson, 1987]
  - Many others
- Cryptocomputing
  - [Sander et al., 1999], [Cachin et al., 2000]
- Minimal Model for Secure Computation
  - [Feige et al., 1994]
- Privacy-Preserving Auctions and Mechanism Design
  - [Naor et al., 1999]

9 Review: Scrambled Circuit Evaluation [Yao, 1986]
- Two roles: Generator and Evaluator
- Label the wires of the circuit by w_1, …, w_n
- The generator creates two encodings for each wire, call them w_i[0] and w_i[1], and the evaluator learns the actual encoding for each wire
- For each gate the generator computes gate information
  - Example AND gate information with input wires w_i, w_j, and output wire w_k (m is a publicly known string):
    Enc(Enc(m || w_k[a ∧ b], w_j[a]), w_i[b])
- Evaluator learns encodings for input wires and computes encodings for output wires using gate information

10 Overview: Motivation, Related Work, Base Protocol, Extensions, Summary

11 Naïve Solutions
- Have Linda send CRA loan criteria and the CRA reports back yes/no:
  - CRA is bottleneck
  - CRA learns Linda’s criteria
- A 3-party protocol between Bob, Linda, and the CRA:
  - CRA is bottleneck
  - Does not mimic current credit checking scheme
- CRA gives Bob digitally signed certificates and Bob inputs them into a secure protocol
  - Very expensive

12 Bird’s Eye View of our Scheme
- Bob registers off-line with CRA for private credit reports (primary difference between our scheme and current model)
- Linda requests the credit report from the CRA and the CRA sends it to her in a “scrambled” form
- Linda and Bob engage in a secure protocol with scrambled report to determine qualification status

13 Assumptions
- Bounded Credit Report Size
- Accurate CRA
- Single CRA
- Criteria are of one of two forms
  - Comparison against threshold
  - Single binary value
- Known Criteria
- Policy is of form:
  - If t out of n criteria are satisfied then yes
- Semi-honest model

14 Base Protocol (Simplified version)
- Setup: Bob registers with the CRA and they establish a shared encryption key k
- Loan Request: Bob requests a loan from Linda
- Linda Obtains Credit Report:
  - The CRA generates two random values r_0 and r_1 for each attribute of the credit report
  - Example attributes:
    - Has Bob been bankrupt
    - Is the 5th bit of Bob’s debt true?
  - It sends Linda r_0, r_1, Enc(r_{Bob’s value}, k), attribute meaning

15 Base Protocol (cont.)
- Determining Loan Qualification:
  - Linda builds a circuit to compute loan qualification with:
    - Input wire encodings being r_0 and r_1 for each attribute
    - Output wire encodings being k_0 and k_1
  - She sends Bob: the gate information and Enc(r_{Bob’s value}, k) for each attribute
  - Bob decrypts the values and evaluates the circuit and obtains k_{Bob’s status}
- Obtaining Result: Bob sends k_{Bob’s status} to Linda and she learns if he qualified for the loan or not
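
The simplified base protocol of slides 14 and 15, with the gate construction of slide 9, as an added Python example that is not from the presentation. Assumptions: Enc is a toy SHAKE-256 XOR pad (good for one run per key only), the report has three binary attributes, Linda's policy is that all three criteria hold, and every function name is hypothetical.

```python
import hashlib, secrets

M = b"\x00" * 8   # public string m: marks a correctly decrypted gate row
N = 16            # wire-encoding length in bytes

def enc(key, msg, tweak=b""):
    """Toy Enc (assumption): XOR with a SHAKE-256 pad; one protocol run per key."""
    pad = hashlib.shake_256(key + tweak).digest(len(msg))
    return bytes(x ^ y for x, y in zip(msg, pad))

dec = enc  # an XOR pad is its own inverse
new_wire = lambda: (secrets.token_bytes(N), secrets.token_bytes(N))  # bit 0, bit 1

def cra_scramble(report_bits, k):
    """CRA: per attribute, r_0, r_1 and Enc(r_{Bob's value}, k)."""
    pairs = [new_wire() for _ in report_bits]
    return pairs, [enc(k, pairs[i][bit], bytes([i])) for i, bit in enumerate(report_bits)]

def garble_gate(gid, fn, wi, wj, wk):
    """Linda: rows Enc(Enc(m || wk[fn(a,b)], wj[a]), wi[b]) in shuffled order."""
    combos = [(a, b) for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(combos)
    return [enc(wi[b], enc(wj[a], M + wk[fn(a, b)], bytes([gid, p])), bytes([gid, p]))
            for p, (a, b) in enumerate(combos)]

def eval_gate(gid, rows, li, lj):
    """Bob: the one row that decrypts to m || encoding gives the output wire."""
    for p, row in enumerate(rows):
        plain = dec(lj, dec(li, row, bytes([gid, p])), bytes([gid, p]))
        if plain.startswith(M):
            return plain[len(M):]
    return None  # nothing decrypts: malformed circuit or wrong encodings

def linda_build(pairs):
    """Linda: 'all 3 criteria hold' as AND(AND(a0, a1), a2); outputs are k_0, k_1."""
    mid, out = new_wire(), new_wire()
    gates = [garble_gate(0, lambda a, b: a & b, pairs[0], pairs[1], mid),
             garble_gate(1, lambda a, b: a & b, mid, pairs[2], out)]
    return gates, out

def bob_evaluate(gates, blobs, k):  # Bob: decrypt with k, evaluate, return k_status
    r = [dec(k, blob, bytes([i])) for i, blob in enumerate(blobs)]
    mid = eval_gate(0, gates[0], r[0], r[1])
    return None if mid is None else eval_gate(1, gates[1], mid, r[2])

def run_protocol(report_bits):
    k = secrets.token_bytes(N)                    # Setup: Bob and the CRA share k
    pairs, blobs = cra_scramble(report_bits, k)   # CRA -> Linda: r_0, r_1, Enc(r, k)
    gates, (k0, k1) = linda_build(pairs)          # Linda -> Bob: gates and blobs
    return {k0: False, k1: True}.get(bob_evaluate(gates, blobs, k))
```

Linda holds both encodings of every input wire but cannot tell which one Enc(r, k) hides; Bob holds exactly one encoding per wire and sees only shuffled ciphertext rows.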

16 Oblivious Circuits
- Bob learns topology of circuit for Linda’s criteria
- Topologies can be constructed for large class of criteria
  - Binary tree
  - Generic comparison
  - Universal circuits [Valiant, 1976]
  - Arbitrary n-ary gates (exponential communication)
- Circuits can easily be constructed for our assumptions

17 Overview: Motivation, Related Work, Base Protocol, Extensions, Summary

18 Extensions
- Pre-computing circuits for criteria
- More general types of loan qualification policies
  - Weighted threshold
  - Combinatorial circuits
- Multiple CRAs
  - What if they have conflicting information?

19 Extensions
- Malicious parties:
  - Borrower: As long as pseudorandom function is secure then scheme is secure against malicious borrower
  - Lender:
    - Can create a malformed circuit
      - 4 outputs instead of 2
      - One that does not always evaluate correctly
    - Can abort after result has been learned
  - Solution:
    - Using digital signatures, we “tie the lender’s hands”
    - Borrower behaves the same way as a loan failure if circuit is malformed

20 Overview: Motivation, Related Work, Base Protocol, Extensions, Summary

21 Summary
- Current credit checking scheme reveals credit report to lenders
- We introduced protocols for a private credit checking scheme
- However:
  - The only person with motivation for this is the borrower
  - Privacy may not yet be enough motivation for enough borrowers to make such a scheme profitable
- Future Work:
  - Incorporate other data (salary)
  - Interface issues

