Quantum Byzantine agreement explained

Byzantine fault tolerant protocols are algorithms that are robust to arbitrary types of failures in distributed algorithms. The Byzantine agreement protocol is an essential part of this task. The constant-time quantum version of the Byzantine protocol,[1] is described below.

Introduction

The Byzantine Agreement protocol is a protocol in distributed computing.It takes its name from a problem formulated by Lamport, Shostak and Pease in 1982,[2] which itself is a reference to a historical problem. The Byzantine army was divided into divisions with each division being led by a General with the following properties:

\tfrac{1}{3}

fraction).(See [3] for the proof of the impossibility result). The problem usually is equivalently restated in the form of a commanding General and loyal Lieutenants with the General being either loyal or a traitor and the same for the Lieutenants with the following properties.

\tfrac{1}{3}

fraction including the commanding General are traitors.

Byzantine failure and resilience

Failures in an algorithm or protocol can be categorized into three main types:

  1. A failure to take another execution step in the algorithm: This is usually referred to as a "fail stop" fault.
  2. A random failure to execute correctly: This is called a "random fault" or "random Byzantine" fault.
  3. An arbitrary failure where the algorithm fails to execute the steps correctly (usually in a clever way by some adversary to make the whole algorithm fail) which also encompasses the previous two types of faults; this is called a "Byzantine fault".

A Byzantine resilient or Byzantine fault tolerant protocol or algorithm is an algorithm that is robust to all the kinds of failures mentioned above. For example, given a space shuttle with multiple redundant processors, if the processors give conflicting data, which processors or sets of processors should be believed? The solution can be formulated as a Byzantine fault tolerant protocol.

Sketch of the algorithm

We will sketch here the asynchronous algorithm [1] The algorithm works in two phases:

All messages are sent and received in this round.

A coin flipping protocol is a procedure that allows two parties A and B that do not trust each other to toss a coin to win a particular object.There are two types of coin flipping protocols

cA,cB\in[0,1]

and be able to accuse anyone of cheating. The protocol is successful if A and B agree on the outcome. The outcome 0 is defined as A winning and 1 as B winning. The protocol has the following properties:

cA=cB

with

Pr(cA=cB=b)=\tfrac{1}{2}

for

a,b\in\{0,1\}

.

\tfrac{1}{2}+\epsilon

. In other words, if B is dishonest, then

Pr(cA=cB=1)\leq\tfrac{1}{2}+\epsilon

, and if A is dishonest, then

Pr(cA=cB=0)\leq\tfrac{1}{2}+\epsilon

.

\epsilon

leads to weak coin flipping with the same bias.

Verifiable secret sharing

The fail-stop protocol

Protocol quantum coin flip for player

|Coini\rangle=\tfrac{1}{\sqrt{2}}|0,0,\ldots,0\rangle+\tfrac{1}{\sqrt{2}}|1,1,\ldots,1\rangle

on

n

qubits and send the

k

th qubit to the

k

th player keeping one part
  1. Generate the state

|Leaderi\rangle=\tfrac{1}{n3/2

}\sum\nolimits_^|a,a,\ldots,a\rangle on

n

qudits (quantum-computing components consistent of multiple qubits), an equal superposition of the numbers between 1 and

n3

. Distribute the

n

qudits between all the players
  1. Receive the quantum messages from all players and wait for the next communication round, thus forcing the adversary to choose which messages were passed.
  2. Round 2: Measure (in the standard base) all

Leaderj

qubits received in round I. Select the player with the highest leader value (ties broken arbitrarily) as the "leader" of the round. Measure the leader's coin in the standard base.
  1. Set the output of the QuantumCoinFlip protocol:

vi

= measurement outcome of the leader's coin.

The Byzantine protocol

To generate a random coin assign an integer in the range [0,n-1] to each player and each player is not allowed to choose its own random ID as each player

Pk

selects a random number
i
s{
k
} for every other player

Pi

and distributes this using a verifiable secret sharing scheme.

At the end of this phase players agree on which secrets were properly shared, the secrets are then opened and each player

Pi

is assigned the value

si=\sum

i
{s
k
}\mod n

This requires private information channels so we replace the random secrets by the superposition

|\phi\rangle

n-1
=\tfrac{1}{\sqrt{n}}\sum\nolimits
a=0

|a\rangle

. In which the state is encoded using a quantum verifiable secret sharing protocol (QVSS).[5] We cannot distribute the state

|\phi,\phi,\ldots\phi\rangle

since the bad players can collapse the state. To prevent bad players from doing so we encode the state using the Quantum verifiable secret sharing (QVSS) and send each player their share of the secret. Here again the verification requires Byzantine Agreement, but replacing the agreement by the grade-cast protocol is enough.[6] [7]

Grade-cast protocol

A grade-cast protocol has the following properties using the definitions in [6] Informally, a graded broadcast protocol is a protocol with a designated player called “dealer” (the one who broadcasts) such that:

  1. If the dealer is good, all the players get the same message.
  2. Even if the dealer is bad, if some good player accepts the message, all the good players get the same message (but they may or may not accept it).

A protocol P is said to be achieve graded broadcast if, at the beginning of the protocol, a designated player D (called the dealer) holds a value v, and at the end of the protocol, every player

Pi

outputs a pair

(valuei,confidencei)

such that the following properties hold:

(\foralli,confidencei\in\{0,1,2\})

  1. If D is honest, then

valuei

= v and

confidencei

= 2 for every honest player

Pi

.
  1. For any two honest players

Pi

and

Pj,

\vertconfidencei-confidencej\vert\leq1

.
  1. (Consistency) For any two honest players

Pi

and

Pj

, if

confidencei>0

and

confidencej>0

, then

valuei=valuej

.

For

t<\tfrac{n}{4}

the verification stage of the QVSS protocol guarantees that for a good dealer the correct state will be encoded, and that for any, possibly faulty dealer, some particular state will be recovered during the recovery stage. We note that for the purpose of our Byzantine quantum coin flip protocol the recovery stage is much simpler. Each player measures his share of the QVSS and sends the classical value to all other players. The verification stage guarantees, with high probability, that in the presence of up to

t<\tfrac{n}{4}

faulty players all the good players will recover the same classical value (which is the same value that would result from a direct measurement of the encoded state).

Remarks

In 2007, a quantum protocol for Byzantine Agreement was demonstrated experimentally [8] using a four-photon polarization-entangled state. This shows that the quantum implementation of classical Byzantine Agreement protocols is indeed feasible.

Notes and References

  1. Michael Ben-Or. Avinatan Hassidim. Fast quantum byzantine agreement. STOC '05: Proceedings of the thirty-seventh annual ACM symposium on Theory of computing. 481–485. 2005. 10.1145/1060590.1060662. Baltimore, MD, USA.
  2. Lamport. Leslie. Shostak. Robert. Pease. Marshall. The Byzantine Generals Problem. ACM Transactions on Programming Languages and Systems. 4. 3. 1982. 382–401. 0164-0925. 10.1145/357172.357176. 55899582 . free.
  3. Fischer. Michael J.. Lynch. Nancy A.. Paterson. Michael S.. Impossibility of distributed consensus with one faulty process. Journal of the ACM. 32. 2. 1985. 374–382. 0004-5411. 10.1145/3149.214121. 207660233. free.
  4. Kerenidis. I.. Nayak. A.. Weak coin flipping with small bias. Information Processing Letters. 89. 3. 2004. 131–135. 0020-0190. 10.1016/j.ipl.2003.07.007. quant-ph/0206121. 14445949.
  5. Crépeau. Claude. Gottesman. Daniel. Smith. Adam. Secure multi-party quantum computation. 34th ACM Symposium on the Theory of Computing, STOC. 2002. 643–652. 10.1145/509907.510000.
  6. Book: Ben-Or. Michael. Proceedings of the thirty-eighth annual ACM symposium on Theory of computing - STOC '06. Pavlov. Elan. Vaikuntanathan. Vinod. Byzantine agreement in the full-information model in O(log n) rounds. 2006. 179–186. 10.1145/1132516.1132543. 10.1.1.296.4133. 1595931341. 6379620.
  7. Feldman. Pesech. Micali. Silvio. An Optimal Probabilistic Protocol for Synchronous Byzantine Agreement. SIAM Journal on Computing. 26. 4. 1997. 873–933. 0097-5397. 10.1137/S0097539790187084.
  8. Gaertner. Sascha. Bourennane. Mohamed. Kurtsiefer. Christian. Cabello. Adán. Weinfurter. Harald. Experimental Demonstration of a Quantum Protocol for Byzantine Agreement and Liar Detection. Physical Review Letters. 100. 7. 070504. 2008. 0031-9007. 10.1103/PhysRevLett.100.070504. 18352533. 0710.0290. 2008PhRvL.100g0504G. 30443015.