Fast Quantum Byzantine Agreement

The classical problem of Byzantine agreement (8) is about reaching agreement in a network of players out of which players may be faulty. Each player starts with an input bit and the goal is for all correct players to output the same bit agreement, under the constraint that at least for some node validity. The hardness of this task depends on the failure model of the faulty (sometimes called adversary) players. In Byzantine agreement, the faulty players are assumed to show the most severe form of failure known as Byzantine failures. In this model, faulty players behave arbitrarily, can collude and even act maliciously trying to prevent correct players from reaching agreement. Byzantine agreement is an important problem in classical distributed systems, used to guarantee consistency amongst distributed data structures.

Tags: Quantum Enhanced Classical Functionality, Multi Party Protocols, Specific Task, consensus task, failure resistant distributed computing

Assumptions

  • Network: The network consists of   players that are fully identified and completely connected with pairwise authenticated classical and quantum channels.
  • Timing: Synchronous and asynchronous setting are both considered.
  • Message size: The size of messages (quantum and classical) are unbounded.
  • Shared resources: The nodes do not share any prior entanglement or classical correlations.
  • Failure: At most   (synchronous) or   (asynchronous) Byzantine node failures are assumed. Byzantine failures are allowed to behave arbitrarily and collude to try and prevent the honest players from reaching agreement. The most severe model is used: Byzantine failures are adaptive, computationally unbounded and have full-information (full information of quantum states is modeled by giving a classical description of the state to the adversaries). Link failures are not considered.

Outline

File:ByzantineAgreementFig.PNG
Schematic representation of an execution of a Byzantine Agreement protocol with   nodes and   Byzantine failure. The red bits indicate the input value of each node, whereas the green bit represents the output. The solution shown satisfies the agreement and validity properties. The quantum Byzantine agreement protocol in the most strong model requires constant expected number of rounds, whereas a classical lower bound of   is known.

Here we will sketch the outline of the protocol by Ben-Or (3) that solve Byzantine Agreement using quantum resources. A very nice summary of this protocol is also presented in (1). The main idea of this protocol is for each player to classically send its proposed value/decision (a valid message) to every other player and then collaborate to determine what a majority of honest players proposed. In the case where adversaries make this difficult, a `good-enough' random coin is globally flipped (using quantum resources, explained below), which is then classically post-processed to reach agreement among the honest parties. More precisely, the protocol is outlined as follows. Each round consists of the following steps:

  • Each player transmits its input to every other player. If one player receives more than 2/3 of the same values from the other players (including his own), then he changes his input also to this value (if that player already did not have the same choice). Otherwise, the same player executes a Quantum Oblivious Common Coin subroutine and sets his input to the outcome of this routine.
  • Then each player sequentially executes two classical subroutines to bias the agreement value towards   or   (outcomes of a coin flip). This guarantees that if the non-faulty players are in agreement, then they will terminate and successfully output the correct agreement value   (not an outcome of coin flip).


Quantum Oblivious Common Coin subroutine: The heart of this protocol comes from the quantum enhanced Oblivious Common Coin. At the end of this subroutine, each player outputs a random bit, such that with a least probability value (called the fairness)   or  . Intuitively, this subroutines tosses a common coin, where all players get either heads or tails, each with fairness probability, but there may be executions where all players do not get the same output and no common coin is actually tossed. Since the players do not know whether the outcomes are all equal or not, this type of coin tossing is referred to as oblivious common coin tossing. In particular, using quantum resources, this task can be achieved in constant rounds (in the defined model). The implementation of this subroutine makes use of a weakened version of Verifiable Quantum Secret Sharing (VQSS).

Notations Used

    •   number of nodes
    •   number of failures
    •   fairness of the Oblivious Common Coin
    •   security parameter of the VQSS scheme used to implement the Oblivious Common Coin
    •   input bit of player  
    •   the agreement value at the end of the protocol

Relevant Parameters

The number of players   and the number of failures   are previously introduced parameters of the agreement protocol. The Quantum Oblivious Common Coin protocol has a single parameter   (used in Verified Quantum Secret Sharing scheme), but it is unclear from the works (1), (3) how this influences the guarantees of the protocol. Also note that the fairness   of the Quantum Oblivious Common Coin is not a parameter, but rather a result of the specific implementation of the protocol. The global Byzantine Agreement protocol can then tolerate up to  . The Quantum Oblivious Common Coin subroutine proposed by (3) has   (synchronous case,   asynchronous case).

Hardware Requirements

  • Network stage: (Fault-tolerant) Quantum computing network stage
  • Relevant network stage parameters: Required number of qubits  .
  • Benchmark values: The number of qubits   required is precisely known for a finite instance of the protocol. This is calculated in (1) for  . They pick the smallest possible security parameter   (of the VQSS scheme) and start calculating the required resources. Summarizing they find that each node requires   operational qubits, on which quantum circuits of depth   must be run. The consumed number of Bell pairs is 648 and the total classical communication cost is 21240 bits. It is not entirely clear if these are the expected costs or the cost per round.
  • In more asymptotic sense it is known that the required number of qubits per node grows rapidly with the number of nodes  , making it therefore, demanding on qubit requirements.

Properties

The protocol-

  • solves the problem in   expected number of rounds, in particular independent of   and  , whereas classically a lower bound of   is known (3), (6);
  • tolerates   (synchronous) or   (asynchronous) Byzantine failures;
  • reaches agreement (each player outputs the same bit) under the validity condition (the agreement value was proposed by at least one player) and is guaranteed to terminate eventually (infinite executions occur almost never - i.e. have probability measure zero).

Pseudo Code

See Algorithm 1 and Algorithm 2 in (1) for a precise pseudocode.

Further Information

  • The protocol (3) is based on the classical protocol of (7), where the classical Oblivious Common Coin is replaced by a Quantum version, which is based on the Verifiable Quantum Secret Sharing Scheme presented in (4). The protocol of (7) also runs in constant expected time, but can only deal with limited-information adversaries. This means that the adversaries can not read communication between honest parties and read their internal state. The classical lower bound in the same model of   is proven in (6).
  • The work (3) also provides a protocol in a weaker failure model known as fail-stop failures. Here the nodes will crash and stop working indefinitely (stop responding). Another protocol in the same model is presented in (2).
  • Another weakened version of the problem, known as detectable byzantine agreement, is solved with quantum resources in (5) (and following works). In detectable byzantine agreement, the protocol is also allowed to abort (upon detecting failures) instead of reaching agreement.

References

  1. TNM (2017)
  2. LS (2010)
  3. BH (2005)
  4. CGS (2002)
  5. FGM (2001)
  6. JB (1998)
  7. FM (1997)
  8. LSP (1982)
*contributed by Bas Dirke