Notsecure.
IfP2 and P3 form a malicious coalition, they can get the complete thereconstruction without letting P1 learn the information and without payingpenalty. Here’s how it works:
[if !supportLists]1. [endif]After all three made their deposit. P1 claims q by revealing T1.
[if !supportLists]2. [endif]Now, the coalition of P2 and P3 get all of T1, T2 and T3 toreconstruction.
[if !supportLists]3. [endif]Then, P3 reveal T1^T3 to claim q. So that the coalition get the q backfrom P1 (P3 can give the q to P2 for his loss) and P1 cannot reconstructionbecause lacking T2.
Howdid I get this answer:
Inthe paper of “How to Use Bitcoin to Design Fair Protocols” mentioned this kindof malicious coalition attack to the naïve 3-party reconstruction approach.It’s very similar.
Anotherway to think is that there are only two goals for attackers: one is get moneywithout learning information, the other is get information without payingpenalty. And there are only few combinations of adversaries: one maliciousparty among P1, P2 and P3, or two malicious parties’ coalition. We can considereach possibility to find the attack method.
