GHZ-based Quantum Anonymous Transmission

The classical problem of Byzantine agreement (8) is about reaching agreement in a network of players out of which players may be faulty. Each player starts with an input bit and the goal is for all correct players to output the same bit agreement, under the constraint that at least for some node validity. The hardness of this task depends on the failure model of the faulty (sometimes called adversary) players. In Byzantine agreement, the faulty players are assumed to show the most severe form of failure known as Byzantine failures. In this model, faulty players behave arbitrarily, can collude and even act maliciously trying to prevent correct players from reaching agreement. Byzantine agreement is an important problem in classical distributed systems, used to guarantee consistency amongst distributed data structures.

Tags: Quantum Enhanced Classical Functionality, Multi Party Protocols, Specific Task, GHZ state, anonymous transmission

Assumptions

  • Network: The network consists of   players that are fully identified and completely connected with pairwise authenticated classical and quantum channels.
  • Timing: Synchronous and asynchronous settings are both considered.
  • Message size: The size of messages (quantum and classical) is unbounded.
  • Shared resources: The nodes do not share any prior entanglement or classical correlations.
  • Failure: At most   (synchronous) or   (asynchronous) Byzantine node failures are assumed. Byzantine failures are allowed to behave arbitrarily and collude to try and prevent the honest players from reaching agreement. The most severe model is used: Byzantine failures are adaptive, computationally unbounded and have full-information (full information of quantum states is modeled by giving a classical description of the state to the adversaries). Link failures are not considered.

Outline

Figure: Schematic representation of an execution of a Byzantine Agreement protocol with   nodes and   Byzantine failure. The red bits indicate the input value of each node, whereas the green bit represents the output. The solution shown satisfies the agreement and validity properties. The quantum Byzantine agreement protocol in the strongest model requires a constant expected number of rounds, whereas a classical lower bound of   is known.

Here we sketch the outline of the protocol by Ben-Or (3) that solves Byzantine Agreement using quantum resources. A very nice summary of this protocol is also presented in (1). The main idea of this protocol is for each player to classically send its proposed value/decision (a valid message) to every other player and then collaborate to determine what a majority of honest players proposed. In the case where adversaries make this difficult, a 'good-enough' random coin is globally flipped (using quantum resources, explained below), which is then classically post-processed to reach agreement among the honest parties. More precisely, the protocol is outlined as follows. Each round consists of the following steps:

  • Each player transmits its input to every other player. If one player receives more than 2/3 of the same values from the other players (including his own), then he changes his input also to this value (if that player did not already have the same choice). Otherwise, the same player executes a Quantum Oblivious Common Coin subroutine and sets his input to the outcome of this routine.
  • Then each player sequentially executes two classical subroutines to bias the agreement value towards   or   (outcomes of a coin flip). This guarantees that if the non-faulty players are in agreement, then they will terminate and successfully output the correct agreement value   (not an outcome of coin flip).


Quantum Oblivious Common Coin subroutine: The heart of this protocol comes from the quantum enhanced Oblivious Common Coin. At the end of this subroutine, each player outputs a random bit, such that with a least probability value (called the fairness)   or  . Intuitively, this subroutine tosses a common coin, where all players get either heads or tails, each with fairness probability, but there may be executions where all players do not get the same output and no common coin is actually tossed. Since the players do not know whether the outcomes are all equal or not, this type of coin tossing is referred to as oblivious common coin tossing. In particular, using quantum resources, this task can be achieved in constant rounds (in the defined model). The implementation of this subroutine makes use of a weakened version of Verifiable Quantum Secret Sharing (VQSS).

Notations Used

  •   number of network nodes taking part in the anonymous transmission.
  •   quantum message which the sender wants to send anonymously
  •   the sender of the quantum message
  •   the receiver of the quantum message

Hardware Requirements

  • Network stage: (Fault-tolerant) Quantum computing network stage
  • Relevant parameters to establish one anonymous link:   round of quantum communication per node, circuit depth  ,   physical qubits per node.
  • Quantum memories, single-qubit Pauli gates and single-qubit measurements at the end nodes.
  • Trusted multipartite GHZ source.
  • Pairwise authenticated private classical channels.
  • Broadcast channel.

Properties

See Quantum Anonymous Transmission for the precise security definition. Pseudocode implements secure anonymous transmission, i.e. it hides the identities of the sender and the receiver from other nodes in the network. That is, the maximum probability that adversaries guess the identity of   or   given all the classical and quantum information they have available at the end of the protocol is no larger than the uncertainty the adversaries have about the identities of   and   before the protocol begins. More formally, the anonymous transmission protocol with the GHZ state, Pseudocode, is sender- and receiver-secure:
 
 
where   is the subset of   adversaries among   nodes and   is the register that contains all classical and quantum side information accessible to the adversaries. Note that this implies that the protocol is also traceless, since even if the adversary hijacks any   players and gains access to all of their classical and quantum information after the end of the protocol, she cannot learn the identities of   and  . For a formal argument see (6).

Pseudo Code

Receiver   is determined before the start of the protocol.   holds a message qubit  .

  1. Nodes run a collision detection protocol and determine a single sender  .
  2. A trusted source distributes  -partite GHZ state to every player,  .
  3. Anonymous entanglement:
    1. Sender   and receiver   do not do anything to their part of the state.
    2. Every player  :
      1. Applies a Hadamard transform to her qubit,
      2. Measures this qubit in the computational basis with outcome  ,
      3. Broadcasts  .
    3.   picks a random bit   and broadcasts  .
    4.   applies a phase flip   to her qubit if  .
    5.   picks a random bit   and broadcasts  .
    6.   applies a phase flip   to her qubit, if  .
        and   share anonymous entanglement  .
  4.   uses the quantum teleportation circuit with input   and anonymous entanglement  , and obtains measurement outcomes  .
  5. The players run a protocol to anonymously send bits   from   to   (see Discussion for details).
  6.   applies the transformation described by   on his part of   and obtains  .
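
The anonymous-entanglement step above can be checked exactly with a small state-vector simulation. This is an added example, not code from the original page or from the cited papers. The node indices, the names s, r, b and outcomes, and the phase-flip conditions are assumptions of this sketch: the sender flips when its random bit is 1, and the receiver flips on the parity of the bits broadcast by the other nodes.

```python
# Added example: exact state-vector check of the anonymous-entanglement step.
# Names (s, r, b, outcomes) and the flip conditions are assumptions of this sketch.
from itertools import product
from math import sqrt, isclose

def ghz(n):
    """(|0...0> + |1...1>)/sqrt(2) as {bit tuple: amplitude}."""
    return {(0,) * n: 1 / sqrt(2), (1,) * n: 1 / sqrt(2)}

def hadamard(state, q):
    """Apply a Hadamard gate to qubit q."""
    out = {}
    for bits, amp in state.items():
        for v in (0, 1):
            key = bits[:q] + (v,) + bits[q + 1:]
            sign = -1 if bits[q] and v else 1
            out[key] = out.get(key, 0.0) + sign * amp / sqrt(2)
    return out

def phase_flip(state, q):
    """Apply a Pauli-Z gate to qubit q."""
    return {bits: -amp if bits[q] else amp for bits, amp in state.items()}

def anonymous_entanglement(n, s, r, outcomes, b):
    """outcomes: {node: measured bit} for every node except s and r.
    Returns (probability of those outcomes, fidelity of the s-r pair with Phi+)."""
    state = ghz(n)
    for j in outcomes:                      # every other node: H, then measure
        state = hadamard(state, j)
    kept = {k: a for k, a in state.items()
            if all(k[j] == m for j, m in outcomes.items())}
    prob = sum(a * a for a in kept.values())
    pair = {(k[s], k[r]): a / sqrt(prob) for k, a in kept.items()}
    if b:                                   # sender: Z if its random bit is 1
        pair = phase_flip(pair, 0)
    if b ^ (sum(outcomes.values()) % 2):    # receiver: Z on parity of broadcasts
        pair = phase_flip(pair, 1)
    overlap = (pair.get((0, 0), 0.0) + pair.get((1, 1), 0.0)) / sqrt(2)
    return prob, overlap ** 2

def verify(n, s, r):
    """True if every outcome pattern is equally likely and always yields Phi+."""
    others = [j for j in range(n) if j not in (s, r)]
    for ms in product((0, 1), repeat=len(others)):
        for b in (0, 1):
            prob, fid = anonymous_entanglement(n, s, r, dict(zip(others, ms)), b)
            if not (isclose(prob, 2.0 ** -len(others)) and isclose(fid, 1.0)):
                return False
    return True
```

The receiver's own random broadcast bit does not enter its correction, so it is omitted here; verify(n, s, r) returning True for any choice of s and r shows the measured bits are uniform regardless of who the sender and receiver are.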

Further Information

  • To determine the sender   (Step 1) one can run either a classical collision detection protocol of (4) or a quantum collision detection protocol of (6). The quantum version of the protocol requires additional   GHZ states.
  • To determine the receiver   during the protocol one can incorporate an additional step using a classical receiver notification protocol of (4).
  • To send classical teleportation bits   (Step 5) the players can run a classical logical OR protocol of (4) or anonymous transmission protocol for classical bits with quantum resources of (6). The quantum protocol requires one additional GHZ state for transmitting one classical bit.
  • The anonymous transmission of quantum states was introduced in (6).
  • The problem was subsequently developed to consider the preparation and certification of the GHZ state (3), (5).
  • In (5), it was first shown that the proposed protocol is information-theoretically secure against an active adversary.
  • In (1) a protocol using another multipartite state, the W state, was introduced. The reference discusses noise robustness of both GHZ-based and W-based protocols and compares the performance of both protocols.
  • Other protocols were proposed, which do not make use of multipartite entanglement, but utilize solely Bell pairs to create anonymous entanglement (2).

References

  1. Lipinska et al (2018)
  2. Yang et al (2016)
  3. Bouda et al (2007)
  4. Broadbent et al (2007)
  5. Brassard et al (2007)
  6. Christandl et al (2005)

*contributed by Victoria Lipinska