GHZ-based Quantum Anonymous Transmission

The classical problem of Byzantine agreement (8) is about reaching agreement in a network of ${\displaystyle n}$ players out of which ${\displaystyle t}$ players may be faulty. Each player starts with an input bit ${\displaystyle b_{i}}$ and the goal is for all correct players to output the same bit ${\displaystyle d}$ agreement, under the constraint that ${\displaystyle d=b_{i}}$ at least for some node ${\displaystyle i}$ validity. The hardness of this task depends on the failure model of the faulty (sometimes called adversary) players. In Byzantine agreement, the faulty players are assumed to show the most severe form of failure known as Byzantine failures. In this model, faulty players behave arbitrarily, can collude and even act maliciously trying to prevent correct players from reaching agreement. Byzantine agreement is an important problem in classical distributed systems, used to guarantee consistency amongst distributed data structures.

Tags: Quantum Enhanced Classical Functionality, Multi Party Protocols, Specific Task, GHZ state, anonymous transmission

Assumptions

• Network: The network consists of ${\displaystyle n}$ players that are fully identified and completely connected with pairwise authenticated classical and quantum channels.
• Timing: Synchronous and asynchronous setting are both considered.
• Message size: The size of messages (quantum and classical) are unbounded.
• Shared resources: The nodes do not share any prior entanglement or classical correlations.
• Failure: At most ${\displaystyle t<n/3}$ (synchronous) or ${\displaystyle t<n/4}$ (asynchronous) Byzantine node failures are assumed. Byzantine failures are allowed to behave arbitrarily and collude to try and prevent the honest players from reaching agreement. The most severe model is used: Byzantine failures are adaptive, computationally unbounded and have full-information (full information of quantum states is modeled by giving a classical description of the state to the adversaries). Link failures are not considered.

Outline

File:ByzantineAgreementFig.PNG

Schematic representation of an execution of a Byzantine Agreement protocol with ${\displaystyle n=5}$ nodes and ${\displaystyle t=1}$ Byzantine failure. The red bits indicate the input value of each node, whereas the green bit represents the output. The solution shown satisfies the agreement and validity properties. The quantum Byzantine agreement protocol in the most strong model requires constant expected number of rounds, whereas a classical lower bound of ${\displaystyle {\Omega }({\sqrt {n/\log(n)}})}$ is known.

Here we will sketch the outline of the protocol by Ben-Or (3) that solve Byzantine Agreement using quantum resources. A very nice summary of this protocol is also presented in (1). The main idea of this protocol is for each player to classically send its proposed value/decision (a valid message) to every other player and then collaborate to determine what a majority of honest players proposed. In the case where adversaries make this difficult, a `good-enough' random coin is globally flipped (using quantum resources, explained below), which is then classically post-processed to reach agreement among the honest parties. More precisely, the protocol is outlined as follows. Each round consists of the following steps:

• Each player transmits its input to every other player. If one player receives more than 2/3 of the same values from the other players (including his own), then he changes his input also to this value (if that player already did not have the same choice). Otherwise, the same player executes a Quantum Oblivious Common Coin subroutine and sets his input to the outcome of this routine.
• Then each player sequentially executes two classical subroutines to bias the agreement value towards ${\displaystyle 0}$ or ${\displaystyle 1}$ (outcomes of a coin flip). This guarantees that if the non-faulty players are in agreement, then they will terminate and successfully output the correct agreement value ${\displaystyle d}$ (not an outcome of coin flip).

Quantum Oblivious Common Coin subroutine: The heart of this protocol comes from the quantum enhanced Oblivious Common Coin. At the end of this subroutine, each player outputs a random bit, such that with a least probability value (called the fairness) ${\displaystyle 0}$ or ${\displaystyle 1}$. Intuitively, this subroutines tosses a common coin, where all players get either heads or tails, each with fairness probability, but there may be executions where all players do not get the same output and no common coin is actually tossed. Since the players do not know whether the outcomes are all equal or not, this type of coin tossing is referred to as oblivious common coin tossing. In particular, using quantum resources, this task can be achieved in constant rounds (in the defined model). The implementation of this subroutine makes use of a weakened version of Verifiable Quantum Secret Sharing (VQSS).

Notations Used

• • ${\displaystyle n:}$ number of nodes
  • ${\displaystyle t:}$ number of failures
  • ${\displaystyle p:}$ fairness of the Oblivious Common Coin
  • ${\displaystyle k:}$ security parameter of the VQSS scheme used to implement the Oblivious Common Coin
  • ${\displaystyle b_{i}:}$ input bit of player ${\displaystyle i}$
  • ${\displaystyle d:}$ the agreement value at the end of the protocol

Relevant Parameters

The number of players ${\displaystyle n}$ and the number of failures ${\displaystyle t}$ are previously introduced parameters of the agreement protocol. The Quantum Oblivious Common Coin protocol has a single parameter ${\displaystyle k}$ (used in Verified Quantum Secret Sharing scheme), but it is unclear from the works (1), (3) how this influences the guarantees of the protocol. Also note that the fairness ${\displaystyle p}$ of the Quantum Oblivious Common Coin is not a parameter, but rather a result of the specific implementation of the protocol. The global Byzantine Agreement protocol can then tolerate up to ${\displaystyle t<\left\lfloor {pn}\right\rfloor }$. The Quantum Oblivious Common Coin subroutine proposed by (3) has ${\displaystyle p>{\frac {1}{3}}}$ (synchronous case, ${\displaystyle p>{\frac {1}{4}}}$ asynchronous case).

Hardware Requirements

• Network stage: (Fault-tolerant) Quantum computing network stage
• Relevant network stage parameters: Required number of qubits ${\displaystyle q}$.
• Benchmark values: The number of qubits ${\displaystyle q}$ required is precisely known for a finite instance of the protocol. This is calculated in (1) for ${\displaystyle n=5}$. They pick the smallest possible security parameter ${\displaystyle k=2}$ (of the VQSS scheme) and start calculating the required resources. Summarizing they find that each node requires ${\displaystyle \sim 200}$ operational qubits, on which quantum circuits of depth ${\displaystyle \sim 2000}$ must be run. The consumed number of Bell pairs is 648 and the total classical communication cost is 21240 bits. It is not entirely clear if these are the expected costs or the cost per round.
• In more asymptotic sense it is known that the required number of qubits per node grows rapidly with the number of nodes ${\displaystyle n}$, making it therefore, demanding on qubit requirements.

Properties

The protocol-

• solves the problem in ${\displaystyle O(1)}$ expected number of rounds, in particular independent of ${\displaystyle n}$ and ${\displaystyle t}$, whereas classically a lower bound of ${\displaystyle \Omega ({\sqrt {n/\log(n)}})}$ is known (3), (6);
• tolerates ${\displaystyle t\leq n/3}$ (synchronous) or ${\displaystyle t\leq n/4}$ (asynchronous) Byzantine failures;
• reaches agreement (each player outputs the same bit) under the validity condition (the agreement value was proposed by at least one player) and is guaranteed to terminate eventually (infinite executions occur almost never - i.e. have probability measure zero).

Pseudo Code

Receiver ${\displaystyle R}$ is determined before the start of the protocol. ${\displaystyle S}$ holds a message qubit ${\displaystyle |\psi \rangle }$.

1. Nodes run a collision detection protocol and determine a single sender ${\displaystyle S}$.
2. A trusted source distributes ${\displaystyle N}$-partite GHZ state to every player, ${\displaystyle |GHZ\rangle ={\frac {1}{\sqrt {2}}}(|0^{N}\rangle +|1^{N}\rangle )}$.

• Anonymous entanglement:

1. 1. Sender ${\displaystyle S}$ and receiver ${\displaystyle R}$ do not do anything to their part of the state.
   2. Every player ${\displaystyle j\in [N]\setminus \{S,R\}}$:
      1. Applies a Hadamard transform to her qubit,
      2. Measures this qubit in the computational basis with outcome ${\displaystyle m_{j}}$,
      3. Broadcasts ${\displaystyle m_{j}}$.
   3. ${\displaystyle S}$ picks a random bit ${\displaystyle b\in _{R}\{0,1\}}$ and broadcasts ${\displaystyle b}$.
   4. ${\displaystyle S}$ applies a phase flip ${\displaystyle Z}$ to her qubit if ${\displaystyle b=1}$.
   5. ${\displaystyle R}$ picks a random bit ${\displaystyle b'\in _{R}\{0,1\}}$ and broadcasts ${\displaystyle b'}$.
   6. ${\displaystyle R}$ applies a phase flip ${\displaystyle Z}$ to her qubit, if ${\displaystyle b\oplus \bigoplus _{j\in [N]\setminus \{S,R\}}m_{j}=1}$.
      ${\displaystyle S}$ and ${\displaystyle R}$ share anonymous entanglement ${\displaystyle |\Gamma \rangle _{SR}={\frac {1}{\sqrt {2}}}(|00\rangle +|11\rangle )}$.
2. ${\displaystyle S}$ uses the quantum teleportation circuit with input Failed to parse (unknown function "\ket"): {\displaystyle \ket{\psi}} and anonymous entanglement ${\displaystyle |\Gamma \rangle _{SR}}$, and obtains measurement outcomes ${\displaystyle m_{0},m_{1}}$.
3. The players run a protocol to anonymously send bits ${\displaystyle m_{0},m_{1}}$ from ${\displaystyle S}$ to ${\displaystyle R}$ (see Discussion for details).
4. ${\displaystyle R}$ applies the transformation described by ${\displaystyle m_{0},m_{1}}$ on his part of Failed to parse (unknown function "\ket"): {\displaystyle \ket{\Gamma}_{SR}} and obtains Failed to parse (unknown function "\ket"): {\displaystyle \ket{\psi}} .

Further Information

• To determine the sender ${\displaystyle S}$ (Step 1) one can run either a classical collision detection protocol of (4) or a quantum collision detection protocol of (6). The quantum version of the protocol requires additional ${\displaystyle (\left\lceil \log N\right\rceil +1)}$ GHZ states.
• To determine the receiver ${\displaystyle R}$ during the protocol one can incorporate an additional step using a classical receiver notification protocol of (4).
• To send classical teleportation bits ${\displaystyle m_{0},m_{1}}$ (Step 5) the players can run a classical logical OR protocol of (4) or anonymous transmission protocol for classical bits with quantum resources of (6). The quantum protocol requires one additional GHZ state for transmitting one classical bit.
• The anonymous transmission of quantum states was introduced in (6).
• The problem was subsequently developed to consider the preparation and certification of the GHZ state (3), (5).
• In (5), it was first shown that the proposed protocol is information-theoretically secure against an active adversary.
• In (1) a protocol using another multipartite state, the W state, was introduced. The reference discusses noise robustness of both GHZ-based and W-based protocols and compares the performance of both protocols.
• Other protocols were proposed, which do not make use of multipartite entanglement, but utilize solely Bell pairs to create anonymous entanglement (2).

References

1. Lipinska et al (2018)
2. Yang et al (2016)
3. Bouda et al (2007)
4. Broadbent et al (2007)
5. Brassard et al (2007)
6. Christandl et al (2005)

Further Information