A New Solution to Detectable Byzantine Agreement Problem∗

Document Sample
A New Solution to Detectable Byzantine Agreement Problem∗ Powered By Docstoc
					Commun. Theor. Phys. (Beijing, China) 52 (2009) pp. 1013–1015
c Chinese Physical Society and IOP Publishing Ltd                                                  Vol. 52, No. 6, December 15, 2009

A New Solution to Detectable Byzantine Agreement Problem∗

  QIN Su-Juan,1,2,† WEN Qiao-Yan,1,2 MENG Luo-Ming,1,2 and ZHU Fu-Chen3
    State key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications,
    Beijing 100876, China
    State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an 710071, China
      National Laboratory for Modern Communications, P.O. Box 810, Chengdu 610041, China

  (Received December 31, 2008)
   Abstract We present a new quantum protocol for solving detectable Byzantine agreement problem between three
   parties by employing one quantum key distribution protocol. The protocol is suggested by a special four-qubit entangled
   state instead of singlet states, which shows that singlet states are not necessary to achieve detectable Byzantine agreement.
   PACS numbers: 03.67.Hk, 03.65.Dd
   Key words: quantum protocol, detectable Byzantine agreement, entangled state

1 Introduction                                                         The definition of detectable broadcast is similar with
    Byzantine agreement problem (or broadcast), origi-             that of the Byzantine agreement problem, but the object
nally described by Lamport, Shostak, and Pease,[1] is an           condition is slightly weaker:
old information-theoretical problem in the field of fault-              D1: Either all loyal generals perform the same action
tolerant distributed computing. It concerns coordination           or all abort;
in distributed computing where some of the processors                  D2: If the commanding general is loyal, then either
might fail and has important application in practice. This         every loyal general obeys his order or aborts.
problem is often built around an imaginary commanding                  Fitzi et al.[5] presented a solution to the detectable
general who makes a decision to attack or retreat, and             broadcast problem using three-qutrit singlet states as a
must communicate the decision to his lieutenants. All the          quantum resource. Later on Iblisdir and Gisin[6] showed
actors can communicate with each other only by messen-             that two quantum key distribution channels are enough
gers (i.e. pairwise authenticated classical channels). How-        to achieve detectable broadcast. In 2003, Cabello[7] in-
ever some of these players are traitors (possibly including        troduced a four-qubit singlet state to solve this problem.
the commanding general), trying to prevent the loyal ac-           Gaertner et al.[8] then gave an experimental demonstra-
tors from reaching agreement on the decision. The object           tion on it. However we found that there was a secu-
of Byzantine agreement is to develop a communication               rity loophole[9] in the realization.[8] Note that most of the
protocol to ensure that                                            schemes[5,7−8] make use of singlet states as the quantum
    G1: All loyal generals decide upon the same decision           resource. Here, we introduce a new protocol for solving
of action;                                                         the detectable broadcast only by employing one QKD
    G2: If the commanding general is loyal, then all loyal         protocol. It uses a new four-qubit state which is different
generals agree on the commanding general’s decision.               from the pervious singlet states. Decoy states are used
    It has been proven[2−3] that there is no solution in clas-     to detect eavesdropping, and then all the correlative lists
sical setting for n < 3m+1 generals and m traitors. In the         are generated simultaneously. Our aim of this paper is
simplest form, it is not solvable for 3 generals and 1 traitor,    to point out that singlet states are not necessary for the
called 3-generals problem. With the development of quan-           detectable broadcast.
tum information, this 3-generals problem has attracted
more attention again. However, the problem is still un-            2 A New Byzatine Agreement Protocol
solvable even in quantum channels.[4] Fortunately, Ref. [5]            Now we describe our solution of the detectable Byza-
demonstrated that with the help of quantum channel, we             tine agreement problem. The initial assumptions are as
can solve a slightly weaker problem, namely, detectable            follows: (I) Three parties are involved, which tradition-
broadcast, which is also useful for many applications of           ally denoted by S the sender, i.e., commanding general
this problem.                                                      and the receivers R0 and R1 ; (II) At most only one is
   ∗ Supported by National Natural Science Foundation of China under Grant Nos. 60873191, 60903152, and 60821001, SRFDP under Grant

No. 200800131016, Beijing Nova Program under Grant No. 2008B51, Key Project of Chinese Ministry of Education under Grant No. 109014,
Beijing Natural Science Foundation under Grant No. 4072020, China Postdoctoral Science Foundation under Grant No. 20090450018, Na-
tional Laboratory for Modern Communications Science Foundation of China under Grant No. 9140C1101010601, and ISN Open Foundation
   † E-mail: qsujuan2003@163.com
1014                          QIN Su-Juan, WEN Qiao-Yan, MENG Luo-Ming, and ZHU Fu-Chen                               Vol. 52

a traitor in the three players; (III) All the parties can       2.2 Classical Procedure
communicate with each other by pairwise authenticated               The classical procedure is similar with that of Ref. [5]
classical channels and noiseless quantum channel.               as all the parties have suitable correlated lists. Let us
    The protocol is based on two phases: quantum pro-           suppose the decision of the commanding general S is m
cedure and classical procedure. The purpose of quantum          (which is a bit value 0 or 1).
procedure is generating correlative lists among the three           (i) S sends m to the two receivers R0 and R1 using
parties which will be used in the following classical pro-      classical authenticated channels. Let us denote m0 and
cedure. There are two possible outcomes in this phase:          m1 the bits received by R0 and R1 , respectively. Besides,
success or failure. In case of success, three parties have      S also sends the lists J0 and J1 which are constructed by
gotten right lists and the second phase can be started.         the positions m appears in LS to R0 and R1 respectively.
In case of failure, the whole procedure will be aborted.            (ii) R0 and R1 test the consistency of their data, re-
The second phases is fundamentally classical, since each        spectively. According to the quantum state |ϕ , we know
party has a classical list from quantum procedure which         that all the results in LR0 (LR1 ) with indices of J0 (J1 )
will prevent the traitor from demolishing the agreement         must be identical with the bit m0 (m1 ). If any set of data
of decision. Now we describe the two procedures in detail.      is inconsistent, the player sets a flag yp = ⊥; otherwise,
                                                                he sets a flag yp = mp (p = 0 or 1, denotes the flag of R0
2.1 Quantum Procedure
                                                                and R1 , respectively).
    The quantum state used in our protocol is a four-qubit          (iii) The two receivers send their flags to each other.
state which is inequivalent to singlet states of four-qubit     Then one of the following three cases will happen.
under SLOCC[10]                                                     (a) Both flags are identical (0, 1 or ⊥). R0 and R1
            1                                                   accept their flags and perform relevant action.
     |ϕ = (|0000 + |0101 + |0110 − |1111 )abcd ,          (1)
            2                                                       (b) Their flags are different and one of the flag is ⊥.
R1 generates a large number of four-qubit systems in the            Assume yp = ⊥, then Rp simply accepts the flag re-
above state. To ensure the security, R1 also prepares some      ceived from the other party, because he knows the sender
of single qubit in one of the four states (decoy states)
                           √                     √              is dishonest. In this way, two loyal receivers agree on the
|0 , |1 , |+ = (|0 + |1 )/ 2, |− = (|0 − |1 )/ 2, which         decision y1−p .
will be used to detect eavesdropping. R1 inserts each de-           (c) Both receivers claim that they received consistent
coy state into a, b, and c sequences randomly, and then         data, but their decisions are different. In this case, R1
sends all the qubits of a and b sequences to S. After S         will not change his bit y1 unless R0 convinces him that he
received all these qubits, R1 requires S to measure the         does indeed receive the bit y0 from the sender. R0 needs
decoy states randomly in X or Z basis. Without eaves-                                           /
                                                                to send R1 all the indices k ∈ L0 for which he has the
dropping, the outcomes must be identical with the initial       result y0 . R1 tests whether all these bit values in LR1
decoy states when the measurement bases are right (like         with indices k are 1 − y0 . If so, R1 changes his bit to y0 ,
the principle of BB84 protocol[11]). According to the out-      otherwise he keeps y1 unchanged.
comes of S, R1 can judge whether there are eavesdroppers
online. If the error rate exceeds a certain threshold, the      3 Analysis and Conclusions
protocol will abort. In the same way, R1 sends c sequence            So far we have described a protocol to resolve the de-
to R0 safely. The d sequence is held for himself by R1 .        tectable broadcast. Let us examine whether the above
    All the three parties measure their remaining qubits        protocol can achieve the object of detectable broadcast.
in Z basis, and get the correlative lists. Here the two-bit     We analyze it from three cases. Firstly, assume S is a
00, 11, 01 of S means 0, 1, and 2 respectively. Moreover,       traitor, trying to prevent R0 and R1 from reaching agree-
S and R0 send a set of their data to each other. If all         ment on the decision. The unique possible way for S
the set of their data are consistent, i.e. in the position      is sending different decisions to R0 and R1 respectively.
where is 0(1) in list of R0 , it can not be 1(0) in list of     However the loyal parties still can agree on the decision
S, they continue the following classical procedure. Oth-        because R0 can persuade R1 to change his decision. Sec-
erwise, they think that R1 must be the traitor and the          ondly, assume R0 is a traitor, S and R1 are loyal. R0 will
protocol will abort. Until now, the quantum procedure           tell a lie in step (iii), and then attempt to persuade R1
has finished, and each party has a list of number (denoted       to change his decision. However R0 ’s purpose will never
as LS , LR1 , LR0 respectively). Obviously, the lists satisfy   be achieved because of the following two reasons: (1) S is
the properties described in Ref. [8] except that R1 may         loyal and therefore, R1 must have gotten consistent data
know the lists of S and R0 . It is interesting that though      in step (ii); (2) R0 does not know the lists of S and R1 , so
R1 may know the lists of other parties. He can not prevent                                            /
                                                                he can not construct right indices k ∈ L0 where the values
S and R0 from reaching an agreement. We will explain            in LR1 are 1 − y0 . As a result, R1 will never change his bit
the reason in the third section.                                y1 . Thirdly, assume R1 is the traitor, S and R0 are loyal.
No. 6                              A New Solution to Detectable Byzantine Agreement Problem                              1015

In this case, as R1 is the source of quantum state, he can      two honest parties can always agree on the decision, which
know the lists of S and R0 . Even so, he can not keep           exactly is the final object of detectable broadcast.
the loyal generals from making an agreement. On the one             In conclusion, we have introduced a new quantum state
hand, R0 must receive consistent data from S (y0 = ⊥),          to resolve a fundamental problem in fault-tolerant dis-
because they have established suitable correlative lists in     tributed computation. The main theoretical advantage of
quantum procedure (any inconsistent relation can be de-         the introduced protocol over the presented in Refs. [5,7–8]
tected in their comparison step of quantum phase). On           is that it requires a simper quantum state instead of singlet
the other hand, R0 will never change his flag y0 as R1 al-       states, which shows that singlet states are not necessary
most never talks during the classical procedure. Anyway,        for the solution of detectable broadcast.

References                                                       [6] S. Iblisdir and N. Gisin, Phys. Rev. A 70 (2004) 034306.
 [1] L. Lamport, R. Shostak, and M. Pease, ACM Trans. on         [7] A. Cabello, Phys. Rev. A 68 (2003) 012304.
     Programming Language and Systems 4 (1982) 382.              [8] S. Gaertner, M. Bourennane, C. Kurtsiefer, A. Cabello,
 [2] M. Fischer, N. Lynch, and M. Paterson, Journal of the           and H. Weinfurter, Phys. Rev. Lett. 100 (2008) 070504.
     ACM 32 (1985) 374.                                          [9] F. Gao, F.Z. Guo, Q.Y. Wen, and F.C. Zhu, Phys. Rev.
 [3] M. Fischer, N. Lynch, and M. Merritt, Distributed Com-          Lett. 101 (2008) 208901.
     puting 1 (1986) 26.                                        [10] D. Li, X. Li, H. Huang, and X. Li, Phys. Rev. A 76 (2007)
 [4] M. Fitzi, J. Garay, U. Maurer, and R. Ostrovsky, In pro-        052311.
     ceedings of Crypto’01, Lecture Notes In Computer Sci-
     ence 2139 (2001) 80.                                       [11] C.H. Bennett and G. Brassard, In Proceedings of IEEE
 [5] M. Fitzi, N. Gisin, and U. Maurer, Phys. Rev. Lett. 87          International Conference on Computers, Systems and
     (2001) 217901.                                                  Signal Processing, Bangalore, India (1984) pp. 175–179.