Commun. Theor. Phys. (Beijing, China) 52 (2009) pp. 1013–1015
c Chinese Physical Society and IOP Publishing Ltd Vol. 52, No. 6, December 15, 2009
A New Solution to Detectable Byzantine Agreement Problem∗
QIN Su-Juan,1,2,† WEN Qiao-Yan,1,2 MENG Luo-Ming,1,2 and ZHU Fu-Chen3
State key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications,
Beijing 100876, China
State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an 710071, China
National Laboratory for Modern Communications, P.O. Box 810, Chengdu 610041, China
(Received December 31, 2008)
Abstract We present a new quantum protocol for solving detectable Byzantine agreement problem between three
parties by employing one quantum key distribution protocol. The protocol is suggested by a special four-qubit entangled
state instead of singlet states, which shows that singlet states are not necessary to achieve detectable Byzantine agreement.
PACS numbers: 03.67.Hk, 03.65.Dd
Key words: quantum protocol, detectable Byzantine agreement, entangled state
1 Introduction The deﬁnition of detectable broadcast is similar with
Byzantine agreement problem (or broadcast), origi- that of the Byzantine agreement problem, but the object
nally described by Lamport, Shostak, and Pease, is an condition is slightly weaker:
old information-theoretical problem in the ﬁeld of fault- D1: Either all loyal generals perform the same action
tolerant distributed computing. It concerns coordination or all abort;
in distributed computing where some of the processors D2: If the commanding general is loyal, then either
might fail and has important application in practice. This every loyal general obeys his order or aborts.
problem is often built around an imaginary commanding Fitzi et al. presented a solution to the detectable
general who makes a decision to attack or retreat, and broadcast problem using three-qutrit singlet states as a
must communicate the decision to his lieutenants. All the quantum resource. Later on Iblisdir and Gisin showed
actors can communicate with each other only by messen- that two quantum key distribution channels are enough
gers (i.e. pairwise authenticated classical channels). How- to achieve detectable broadcast. In 2003, Cabello in-
ever some of these players are traitors (possibly including troduced a four-qubit singlet state to solve this problem.
the commanding general), trying to prevent the loyal ac- Gaertner et al. then gave an experimental demonstra-
tors from reaching agreement on the decision. The object tion on it. However we found that there was a secu-
of Byzantine agreement is to develop a communication rity loophole in the realization. Note that most of the
protocol to ensure that schemes[5,7−8] make use of singlet states as the quantum
G1: All loyal generals decide upon the same decision resource. Here, we introduce a new protocol for solving
of action; the detectable broadcast only by employing one QKD
G2: If the commanding general is loyal, then all loyal protocol. It uses a new four-qubit state which is diﬀerent
generals agree on the commanding general’s decision. from the pervious singlet states. Decoy states are used
It has been proven[2−3] that there is no solution in clas- to detect eavesdropping, and then all the correlative lists
sical setting for n < 3m+1 generals and m traitors. In the are generated simultaneously. Our aim of this paper is
simplest form, it is not solvable for 3 generals and 1 traitor, to point out that singlet states are not necessary for the
called 3-generals problem. With the development of quan- detectable broadcast.
tum information, this 3-generals problem has attracted
more attention again. However, the problem is still un- 2 A New Byzatine Agreement Protocol
solvable even in quantum channels. Fortunately, Ref.  Now we describe our solution of the detectable Byza-
demonstrated that with the help of quantum channel, we tine agreement problem. The initial assumptions are as
can solve a slightly weaker problem, namely, detectable follows: (I) Three parties are involved, which tradition-
broadcast, which is also useful for many applications of ally denoted by S the sender, i.e., commanding general
this problem. and the receivers R0 and R1 ; (II) At most only one is
∗ Supported by National Natural Science Foundation of China under Grant Nos. 60873191, 60903152, and 60821001, SRFDP under Grant
No. 200800131016, Beijing Nova Program under Grant No. 2008B51, Key Project of Chinese Ministry of Education under Grant No. 109014,
Beijing Natural Science Foundation under Grant No. 4072020, China Postdoctoral Science Foundation under Grant No. 20090450018, Na-
tional Laboratory for Modern Communications Science Foundation of China under Grant No. 9140C1101010601, and ISN Open Foundation
† E-mail: email@example.com
1014 QIN Su-Juan, WEN Qiao-Yan, MENG Luo-Ming, and ZHU Fu-Chen Vol. 52
a traitor in the three players; (III) All the parties can 2.2 Classical Procedure
communicate with each other by pairwise authenticated The classical procedure is similar with that of Ref. 
classical channels and noiseless quantum channel. as all the parties have suitable correlated lists. Let us
The protocol is based on two phases: quantum pro- suppose the decision of the commanding general S is m
cedure and classical procedure. The purpose of quantum (which is a bit value 0 or 1).
procedure is generating correlative lists among the three (i) S sends m to the two receivers R0 and R1 using
parties which will be used in the following classical pro- classical authenticated channels. Let us denote m0 and
cedure. There are two possible outcomes in this phase: m1 the bits received by R0 and R1 , respectively. Besides,
success or failure. In case of success, three parties have S also sends the lists J0 and J1 which are constructed by
gotten right lists and the second phase can be started. the positions m appears in LS to R0 and R1 respectively.
In case of failure, the whole procedure will be aborted. (ii) R0 and R1 test the consistency of their data, re-
The second phases is fundamentally classical, since each spectively. According to the quantum state |ϕ , we know
party has a classical list from quantum procedure which that all the results in LR0 (LR1 ) with indices of J0 (J1 )
will prevent the traitor from demolishing the agreement must be identical with the bit m0 (m1 ). If any set of data
of decision. Now we describe the two procedures in detail. is inconsistent, the player sets a ﬂag yp = ⊥; otherwise,
he sets a ﬂag yp = mp (p = 0 or 1, denotes the ﬂag of R0
2.1 Quantum Procedure
and R1 , respectively).
The quantum state used in our protocol is a four-qubit (iii) The two receivers send their ﬂags to each other.
state which is inequivalent to singlet states of four-qubit Then one of the following three cases will happen.
under SLOCC (a) Both ﬂags are identical (0, 1 or ⊥). R0 and R1
1 accept their ﬂags and perform relevant action.
|ϕ = (|0000 + |0101 + |0110 − |1111 )abcd , (1)
2 (b) Their ﬂags are diﬀerent and one of the ﬂag is ⊥.
R1 generates a large number of four-qubit systems in the Assume yp = ⊥, then Rp simply accepts the ﬂag re-
above state. To ensure the security, R1 also prepares some ceived from the other party, because he knows the sender
of single qubit in one of the four states (decoy states)
√ √ is dishonest. In this way, two loyal receivers agree on the
|0 , |1 , |+ = (|0 + |1 )/ 2, |− = (|0 − |1 )/ 2, which decision y1−p .
will be used to detect eavesdropping. R1 inserts each de- (c) Both receivers claim that they received consistent
coy state into a, b, and c sequences randomly, and then data, but their decisions are diﬀerent. In this case, R1
sends all the qubits of a and b sequences to S. After S will not change his bit y1 unless R0 convinces him that he
received all these qubits, R1 requires S to measure the does indeed receive the bit y0 from the sender. R0 needs
decoy states randomly in X or Z basis. Without eaves- /
to send R1 all the indices k ∈ L0 for which he has the
dropping, the outcomes must be identical with the initial result y0 . R1 tests whether all these bit values in LR1
decoy states when the measurement bases are right (like with indices k are 1 − y0 . If so, R1 changes his bit to y0 ,
the principle of BB84 protocol). According to the out- otherwise he keeps y1 unchanged.
comes of S, R1 can judge whether there are eavesdroppers
online. If the error rate exceeds a certain threshold, the 3 Analysis and Conclusions
protocol will abort. In the same way, R1 sends c sequence So far we have described a protocol to resolve the de-
to R0 safely. The d sequence is held for himself by R1 . tectable broadcast. Let us examine whether the above
All the three parties measure their remaining qubits protocol can achieve the object of detectable broadcast.
in Z basis, and get the correlative lists. Here the two-bit We analyze it from three cases. Firstly, assume S is a
00, 11, 01 of S means 0, 1, and 2 respectively. Moreover, traitor, trying to prevent R0 and R1 from reaching agree-
S and R0 send a set of their data to each other. If all ment on the decision. The unique possible way for S
the set of their data are consistent, i.e. in the position is sending diﬀerent decisions to R0 and R1 respectively.
where is 0(1) in list of R0 , it can not be 1(0) in list of However the loyal parties still can agree on the decision
S, they continue the following classical procedure. Oth- because R0 can persuade R1 to change his decision. Sec-
erwise, they think that R1 must be the traitor and the ondly, assume R0 is a traitor, S and R1 are loyal. R0 will
protocol will abort. Until now, the quantum procedure tell a lie in step (iii), and then attempt to persuade R1
has ﬁnished, and each party has a list of number (denoted to change his decision. However R0 ’s purpose will never
as LS , LR1 , LR0 respectively). Obviously, the lists satisfy be achieved because of the following two reasons: (1) S is
the properties described in Ref.  except that R1 may loyal and therefore, R1 must have gotten consistent data
know the lists of S and R0 . It is interesting that though in step (ii); (2) R0 does not know the lists of S and R1 , so
R1 may know the lists of other parties. He can not prevent /
he can not construct right indices k ∈ L0 where the values
S and R0 from reaching an agreement. We will explain in LR1 are 1 − y0 . As a result, R1 will never change his bit
the reason in the third section. y1 . Thirdly, assume R1 is the traitor, S and R0 are loyal.
No. 6 A New Solution to Detectable Byzantine Agreement Problem 1015
In this case, as R1 is the source of quantum state, he can two honest parties can always agree on the decision, which
know the lists of S and R0 . Even so, he can not keep exactly is the ﬁnal object of detectable broadcast.
the loyal generals from making an agreement. On the one In conclusion, we have introduced a new quantum state
hand, R0 must receive consistent data from S (y0 = ⊥), to resolve a fundamental problem in fault-tolerant dis-
because they have established suitable correlative lists in tributed computation. The main theoretical advantage of
quantum procedure (any inconsistent relation can be de- the introduced protocol over the presented in Refs. [5,7–8]
tected in their comparison step of quantum phase). On is that it requires a simper quantum state instead of singlet
the other hand, R0 will never change his ﬂag y0 as R1 al- states, which shows that singlet states are not necessary
most never talks during the classical procedure. Anyway, for the solution of detectable broadcast.
References  S. Iblisdir and N. Gisin, Phys. Rev. A 70 (2004) 034306.
 L. Lamport, R. Shostak, and M. Pease, ACM Trans. on  A. Cabello, Phys. Rev. A 68 (2003) 012304.
Programming Language and Systems 4 (1982) 382.  S. Gaertner, M. Bourennane, C. Kurtsiefer, A. Cabello,
 M. Fischer, N. Lynch, and M. Paterson, Journal of the and H. Weinfurter, Phys. Rev. Lett. 100 (2008) 070504.
ACM 32 (1985) 374.  F. Gao, F.Z. Guo, Q.Y. Wen, and F.C. Zhu, Phys. Rev.
 M. Fischer, N. Lynch, and M. Merritt, Distributed Com- Lett. 101 (2008) 208901.
puting 1 (1986) 26.  D. Li, X. Li, H. Huang, and X. Li, Phys. Rev. A 76 (2007)
 M. Fitzi, J. Garay, U. Maurer, and R. Ostrovsky, In pro- 052311.
ceedings of Crypto’01, Lecture Notes In Computer Sci-
ence 2139 (2001) 80.  C.H. Bennett and G. Brassard, In Proceedings of IEEE
 M. Fitzi, N. Gisin, and U. Maurer, Phys. Rev. Lett. 87 International Conference on Computers, Systems and
(2001) 217901. Signal Processing, Bangalore, India (1984) pp. 175–179.