区块链作业3.3: 安全计算

Notsecure.

IfP2 and P3 form a malicious coalition, they can get the complete thereconstruction without letting P1 learn the information and without payingpenalty.  Here’s how it works:

[if !supportLists]1.    [endif]After all three made their deposit. P1 claims q by revealing T1.

[if !supportLists]2.    [endif]Now, the coalition of P2 and P3 get all of T1, T2 and T3 toreconstruction.

[if !supportLists]3.    [endif]Then, P3 reveal T1^T3 to claim q. So that the coalition get the q backfrom P1 (P3 can give the q to P2 for his loss) and P1 cannot reconstructionbecause lacking T2.

Howdid I get this answer:

Inthe paper of “How to Use Bitcoin to Design Fair Protocols” mentioned this kindof malicious coalition attack to the naïve 3-party reconstruction approach.It’s very similar.

Anotherway to think is that there are only two goals for attackers: one is get moneywithout learning information, the other is get information without payingpenalty. And there are only few combinations of adversaries: one maliciousparty among P1, P2 and P3, or two malicious parties’ coalition. We can considereach possibility to find the attack method.