HaveFund Dev Team
Published in HaveFund
Oct 8, 2019

How the HaveFund Blackbox Works

One of the most important components of HaveFund, and one that distinguishes it from other platforms, is what we call the blackbox, implemented in a secure enclave using Intel® Software Guard Extensions (Intel SGX®) technology, which offers hardware-based memory encryption that isolates and protects code and data.

The blackbox mainly performs two functions. First, it calculates credit scores for loan applicants using a lender’s proprietary credit scoring policy.

[Figure: Credit score calculation. Applying a credit policy to borrower information to produce a credit score]

Secondly, it acts as adjudicator in the HaveFund loan auctions, determining the winner (or winners, in case of a syndicated loan) from all submitted bids in line with selection criteria prescribed by the loan seller.

[Figure: Auction winner selection. Selecting the auction winner from the sealed bids]

What these two functions have in common, and what necessitates their execution inside the blackbox, is that they involve operations to be performed on secret information owned by multiple parties, where each party does not want to divulge their information to the others.

Implementing this is a lot tougher than it sounds.

The Millionaires’ Problem

There is a classic problem in the field of cryptography called the Millionaires’ Problem, in which two millionaires, traditionally referred to as Alice and Bob, want to find out who is richer without either party revealing to each other how much money they have. This is essentially the same problem that HaveFund addresses with the blackbox.

[Figure: The Millionaires’ Problem]

First, think about how we would solve this in everyday life. One answer that comes to mind would be to engage an unbiased third party — say Charlie — to review both Alice’s and Bob’s accounts and tell them who is richer.

Of course, there are problems with this solution. We need to be absolutely sure Charlie is truly unbiased and not susceptible to bribery or coercion. Also, Charlie now has access to both millionaires’ data, opening the door for potential fraud, blackmail, or other forms of misuse. Finally, this process is prone to human error, and there is no way to confirm that Charlie has made the correct judgement, without bringing in even more people.

If only we had a magic box where Alice and Bob could put in their information, which would tell them which amount was higher, and nothing else.

The HaveFund blackbox is precisely this magic box that we’ve just described.

Current Solutions

In the real world, online auctions are usually run by a centralized provider. All sellers and bidders participating in such auctions are forced to trust that the provider will not misuse their data. But there is always the possibility that the provider, or maybe a rogue employee who happens to have been entrusted with administrator rights, will take a peek at or even manipulate auction results.

But what if you don’t want anyone, not even a trusted third party, to see the information? Well, you’re out of luck. Until now, that is.

So how does the blackbox actually perform its magic? To understand this, you first need to know a little bit about cryptography, or, more specifically, public key cryptography.

Public Key Cryptography

This involves the generation of a matching key pair, consisting of a public key and a private key, for the participants in a transaction. As their names suggest, the public key can be given to anyone you need to transact with, but the private key must remain secret and never revealed to anyone.

Volumes could be (and have been) written about the various use cases of public key cryptography, but for our purposes, we are mainly interested in one application of this technology, namely, asymmetric encryption. Just remember this singular statement:

If someone encrypts a document using your public key, then only you, the holder of the matching private key, can decrypt it.

Think of your public key as a padlock that you can make infinite copies of, so you can send a copy to anyone you need to transact with. Your private key, which you keep safely hidden, is the only one that can open the padlock. If you send me your padlock, I can use it to lock a document in a box, which cannot be opened by myself or any other person except you.

[Figure: Public Key Encryption. A document encrypted with a public key can only be decrypted by the matching private key]

Equipped with that information, we can now proceed with describing how the blackbox works.

Core Functionality

Structurally, the blackbox is not that complex, and consists of only a few basic functions:

  1. It can create a key pair for encryption
  2. It can decrypt documents which were encrypted using its public key
  3. It can encrypt documents using someone else’s public key
  4. It can apply a set of instructions to perform calculations on a set of data

The secret sauce that makes all the difference, of course, is that it can do all of the above in a secret SGX enclave, away from prying eyes. No human being is able to observe what is happening inside the enclave.

When an auction is submitted to HaveFund, the blackbox creates a key pair for that auction. The private key never leaves the enclave and is never revealed to any living soul. The public key, on the other hand, is posted on the distributed ledger for all participants to access.

Credit Score Calculation

The loan seller encrypts their loan selection criteria and the loan borrower’s data using the auction public key that the blackbox posted on the distributed ledger. Remember, the private key is safely stored inside the enclave so the data can only ever be decrypted inside the enclave.

Similarly, each potential loan buyer encrypts their credit score policy — a set of calculation instructions — using the auction public key. Again, this can only be decrypted inside the hardware enclave.

The blackbox decrypts the borrower information and the credit score policies inside the enclave, and for each interested buyer, it calculates a credit score by applying the policy (remember, this is a set of instructions) to the borrower data. The blackbox then encrypts the resulting credit score using that buyer’s public key before sending it to them, so they are the only one who can decrypt and read it.

Auction Winner Selection

Upon seeing the credit score, each potential buyer then has to decide whether they would like to submit a bid. If they decide to do so, then they encrypt their bid using the auction public key.

When the bidding period ends, the blackbox collects and decrypts all the bids inside the enclave. It then selects a winner according to the loan selection criteria that the seller posted when they initiated the auction. The seller and the winning bidder are notified of the successful result, and they can proceed with the required legal processes to set up and finalize the loan.
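The sealed-bid flow described in Core Functionality and Auction Winner Selection, as an added Go example that is not HaveFund's code. The Blackbox type only stands in for the enclave; the RSA-OAEP choice, the use of the bidder name as the OAEP label, the "highest amount wins" rule and the sample bids are assumptions of this sketch.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

type Blackbox struct{ key *rsa.PrivateKey } // stands in for the enclave; key is unexported
type SealedBid struct{ Bidder string; Ciphertext []byte } // all a bidder ever submits

// NewAuction creates the per-auction key pair and returns the public half for publication.
func NewAuction() (*Blackbox, *rsa.PublicKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Blackbox{key: k}, &k.PublicKey, nil
}

// Seal runs bidder-side: randomized OAEP, with the bidder name bound in as the label.
func Seal(pub *rsa.PublicKey, bidder string, amount uint64) (SealedBid, error) {
	msg := binary.BigEndian.AppendUint64(nil, amount)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, []byte(bidder))
	return SealedBid{Bidder: bidder, Ciphertext: ct}, err
}

// SelectWinner decrypts inside the box, discards invalid bids, and releases only the winner.
func (b *Blackbox) SelectWinner(bids []SealedBid) (string, error) {
	winner, best := "", uint64(0) // assumed rule for this sketch: highest amount wins
	for _, sb := range bids {
		msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b.key, sb.Ciphertext, []byte(sb.Bidder))
		if err == nil && len(msg) == 8 && (winner == "" || binary.BigEndian.Uint64(msg) > best) {
			winner, best = sb.Bidder, binary.BigEndian.Uint64(msg)
		}
	}
	if winner == "" {
		return "", fmt.Errorf("no valid bids")
	}
	return winner, nil
}

func main() {
	box, pub, _ := NewAuction() // errors ignored in this demo main only
	a, _ := Seal(pub, "bank-a", 950000) // constructed sample bids
	b, _ := Seal(pub, "bank-b", 990000)
	fmt.Println(box.SelectWinner([]SealedBid{a, b}))
}
```

Because bid amounts are low-entropy and the auction key is public, the encryption has to be randomized; the label binding means a ciphertext resubmitted under a different bidder name fails to decrypt and is dropped.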

The Enclave

But wait, you’re saying, HaveFund is operated by a company, MY Innovate. Surely the system administrators have privileged access, so they can see what’s happening inside the blackbox? Maybe they can even manipulate the auctions and collude with some lenders to give them preferential treatment.

We’ve been talking about this magical enclave, which cannot be observed by anyone. Let’s delve a bit more into what this enclave actually is.

As previously mentioned, the blackbox is implemented using Intel SGX®, meaning it is hardware-protected so that even users with root or administrator access to the server cannot observe the memory or processes inside an enclave. Our solution has been developed in conjunction with our security partner IDfusion LLC, one of the world’s leading SGX experts and proponents. The kind folks at IDfusion have contributed their extensive expertise to help us build a rock-solid, leak-proof implementation of the secure enclave on top of their SRDE (Secure Runtime Development Environment).

Remote Attestation

Okay, so we’ve established that no one can see into the enclave while it’s working. But surely the operators wrote the code running inside it? Furthermore, because no one can see it, they can get away with manipulating it without anyone even knowing. Wouldn’t SGX actually backfire in this case, by preventing such malicious actions from being discovered?

This is where an aspect of SGX technology called Remote Attestation comes into play. It provides cryptographic proof that the software running inside the enclave is exactly what the developers say it is.

At any time, any alliance member can issue a challenge to the blackbox. The blackbox then creates a report that is signed by the Intel attestation service. The report contains a sort of signature of the enclave code, certified by Intel to be correct. This can then be compared with the signature of the actual code, which HaveFund releases as open source so that anyone can regenerate the signature for confirmation.
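The check an alliance member runs on the signed report, as an added Go example that is not HaveFund's code. The JSON field names and the MRENCLAVE offset follow Intel's attestation report and SGX quote layouts; the nonce echo, the throwaway key standing in for the attestation service, and the sample report are assumptions, and certificate-chain validation of the service key is left out.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Report struct { // fields of the signed attestation report that this check reads
	Status string `json:"isvEnclaveQuoteStatus"`
	Quote  []byte `json:"isvEnclaveQuoteBody"` // SGX quote; encoding/json decodes the base64
	Nonce  string `json:"nonce"`               // echoes the challenger's nonce (assumed)
}

// Verify checks the service signature, our nonce, and MRENCLAVE against the published build.
func Verify(body, sig []byte, svc *rsa.PublicKey, nonce string, want []byte) error {
	sum := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(svc, crypto.SHA256, sum[:], sig); err != nil {
		return fmt.Errorf("report signature: %w", err)
	}
	var r Report
	if json.Unmarshal(body, &r) != nil || r.Status != "OK" || r.Nonce != nonce || len(r.Quote) < 144 {
		return fmt.Errorf("malformed report, bad status or stale nonce")
	}
	// MRENCLAVE: 32 bytes at offset 112 (48-byte quote header + 64 bytes into the report body).
	if !bytes.Equal(r.Quote[112:144], want) {
		return fmt.Errorf("measurement mismatch: not the published enclave build")
	}
	return nil
}

// Sample builds a constructed signed report under a throwaway key standing in for the service's.
func Sample(mrenclave []byte, nonce string) (body, sig []byte, svc *rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	quote := append(make([]byte, 112), mrenclave...) // zeroed header, then the measurement
	body, _ = json.Marshal(Report{Status: "OK", Quote: quote, Nonce: nonce})
	sum := sha256.Sum256(body)
	sig, _ = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return body, sig, &key.PublicKey
}

func main() {
	want := sha256.Sum256([]byte("published enclave build")) // constructed measurement
	body, sig, svc := Sample(want[:], "n-1")
	fmt.Println(Verify(body, sig, svc, "n-1", want[:]))
}
```

The order matters: nothing in the report body is trusted until the signature over it has been verified, and the expected measurement comes from the verifier's own rebuild of the published source, never from the report.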

[Figure: Remote Attestation. How remote attestation works on Intel SGX®]

This shuts the door on any malicious entities conspiring to steal private data or manipulate the auction process.

So there you have it. That is how the blackbox works its magic. If you have any comments, questions or suggestions, please don’t hesitate to get in touch with us.
