Experimental demonstration of a quantum protocol for Byzantine agreement and liar detection
Sascha Gaertner, Mohamed Bourennane, Christian Kurtsiefer, Adan Cabello, Harald Weinfurter
aa r X i v : . [ qu a n t - ph ] F e b Experimental Demonstration of a Quantum Protocolfor Byzantine Agreement and Liar Detection
Sascha Gaertner,
1, 2, ∗ Mohamed Bourennane, Christian Kurtsiefer, Ad´an Cabello, † and Harald Weinfurter
1, 2 Max-Planck-Institut f¨ur Quantenoptik, D-85748 Garching, Germany Fakult¨at f¨ur Physik, Ludwig-Maximilians-Universit¨at, D-80799 M¨unchen, Germany Department of Physics, Stockholm University, SE-10691 Stockholm, Sweden Department of Physics, National University of Singapore, 117542 Singapore, Singapore Departamento de F´ısica Aplicada II, Universidad de Sevilla, E-41012 Sevilla, Spain
We introduce a new quantum protocol for solving detectable Byzantine agreement (also called de-tectable broadcast) between three parties, and also for solving the detectable liar detection problem.The protocol is suggested by the properties of a four-qubit entangled state, and the classical partof the protocol is simpler than that of previous proposals. In addition, we present an experimentalimplementation of the protocol using four-photon entanglement.
PACS numbers: 03.67.Hk, 03.67.Pp, 42.50.Dv
A basic goal in distributed computing is to achievecoordination despite the failure of some of the distributedprocesses. This requires the nonfaulty components toreach an agreement. The problem of coping with suchtasks is expressed abstractly as the Byzantine GeneralsProblem, also called Byzantine Agreement (BA) [1, 2].Three divisions of the Byzantine army, each com-manded by its own general, are besieging an enemy city.The three generals A , B , and C can communicate withone another by messengers only (i.e., by pairwise authen-ticated error-free classical channels). They must decideupon a common plan of action either 0 or 1 (for instance,attack or retreat). The commanding general A decideson a plan and communicates this plan to the other twogenerals by sending B a message m AB (either 0 or 1),and by sending C a message m AC . Then, B communi-cates the plan to C by sending him a message m BC , and C communicates the plan to B by sending him a message m CB . However, one of the generals (including A ) mightbe a traitor, trying to keep the loyal generals from agree-ing on a plan. The BA problem is to devise a protocolin which (i) all loyal generals follow the same plan, and(ii) if A is loyal, then every loyal general follows the plandecided by A . From the point of view of a loyal C receiv-ing different messages from A and B , the BA problem isequivalent to the liar detection problem [3], in which C ’stask is to ascertain who is lying, A or B .The BA problem has been proven to be unsolvable[1, 2], unless each of the generals is in possession of a listof numbers unknown to the other generals, but suitablycorrelated with the lists of the other generals. There-fore, solving the BA problem can be reduced to solvingthe problem of the generation and secure distribution ofthese lists. A quantum protocol enables one to test thesecurity of the distribution, however, in case of an attack,no secret lists are available and the whole communicationhas to be aborted. Still, in this case, a variation of theBA, called detectable Byzantine agreement (DBA) or de-tectable broadcast [4] can be solved [4]. In the DBA prob- lem, conditions (i) and (ii) are relaxed so that (i’) eitherall loyal generals perform the same action or all abort,and (ii’) if A is loyal, then either every loyal general obeysthe order sent by A or aborts. Consequently, we can de-fine a protocol for solving the detectable liar detectionproblem as that one in which the possible outcomes fora loyal C receiving different messages from A and B areeither to detect who is lying or to abort [3, 5, 6].The properties of two specific entangled states havesuggested two different methods for solving the DBAproblem. The first method was inspired by the prop-erties of the three-qutrit singlet state, and it is based onlists of six combinations of numbers [4]. Such lists canalso be distributed using two quantum key distributionprotocols [7]. The second method was suggested by theproperties of a four-qubit entangled state, and it is basedon lists of four combinations of numbers [6].In this Letter we introduce a new protocol for solvingthe DBA problem. It uses simpler lists than those in[4, 7], and uses them more efficiently than in [6]. Incontrast to [7], it allows the simultaneous generation ofall lists. In addition, we present the first experimentaldemonstration of a quantum protocol for DBA and liardetection via four-photon entanglement.The protocol has two parts. The goal of the first partis to generate and distribute three lists, l A for A , l B for B , and l C for C utilizing the characteristic propertiesof a particular four-photon polarization entangled state[8, 9, 10], and to check for the security of this distribution.Once the parties have these lists, in the second part of theprotocol they use them, together with pairwise classicalcommunication, for reaching the agreement (Fig. 1). Theoption to abort will be used only in the distribution part.Thereafter, the protocol enables full BA.In detail, the lists l A , l B , and l C have the followingproperties [6]: (I) The three lists have the same length L . The elements of l A are random trits (i.e., 0, 1, or 2).The elements of l B and l C are random bits (i.e., 0 or 1).(II) At position j in these lists, we find the combinations FIG. 1: Quantum protocol for detectable Byzantine agree-ment. Three generals, A (the commanding general), B , and C , are connected by pairwise authenticated error-free classi-cal channels. In the first part of the protocol, four qubitsprepared in the state | Ψ (4) i are distributed among the par-ties and, after a classical discussion, either (a) each generalobtains a list l i , or (b) all loyal generals agree to abort. If(a) then, in the second part of the protocol, A sends B ( C ) amessage m AB ( m AC ) and a list l AB ( l AC ), and B ( C ) sends C ( B ) a message m BC ( m CB ) and a list l BC ( l CB ).
000 (i.e., l Aj = 0, l Bj = 0, l C j = 0), 111, or, with equalprobability, either 201 or 210. (III) Each party cannotknow other parties’ lists beyond what can be inferredfrom his own list and properties (I) and (II).The result of this first part can be that (a) all partiesagree that they have the right lists and can start thesecond part of the protocol or (b) agree to abort it.To simplify the discussion of the second part of theprotocol, note that the roles of B and C are symmetri-cal, and thus everything we say about B applies to C and vice versa. The agreement part runs as follows: (i)When A sends m AB , this message must be accompaniedby other data which must be correlated with the messageitself and, at the same time, must be known only by A .For that purpose, A also sends B a list l AB with all thepositions in l A in which the value m AB appears. Afterthat, if A is loyal he will follow his own plan.Example: if A is loyal, the message is m AB = m AC =0, and A ’s list is l A = { , , , , , , , , , . . . } , then A must also send l AB = l AC = { , , , , . . . } .When B receives m AB and l AB , only one of two thingscan happen: (ia) If l AB is of the appropriate length [i.e.,approximately L/
3, according to property (I)], and m AB , l AB , and l B do satisfy (II), then we will say that thedata (i.e., m AB , l AB , and l B ) are consistent . If the dataare consistent, then B will follow the plan m AB unless C convinces him that A is the traitor in the next stepof the protocol [see (ii)]. (ib) If m AB , l AB , and l B areinconsistent, then B ascertains that A is the traitor, and B will not follow any plan until he reaches an agreementwith C in the next step of the protocol [see (ii)]. Example: B would receive inconsistent data if hereceives the message m AB = 0 accompanied by thelist l AB = { , , , , . . . } , and B ’s list is l B = { , , , , , , , , , . . . } . This data is inconsistent be-cause l A cannot have 0 at positions and .(ii) The message m BC can be not only 0 or 1, butalso ⊥ , meaning “I have received inconsistent data.” Ifthe message is 0 or 1, it must be accompanied by otherdata which prove that m BC is the same one that B hasreceived from A ; i.e., data that B could only have ob-tained from A if m BC = m AB . For that purpose, B alsosends C a list l BC which is supposedly the same list l AB that B has received from A .When C receives m BC and l BC , he already has m AC and l AC . Then, only one of six things can happen: (iia)If m AC , l AC , and l C are consistent, and m BC , l BC , and l C are also consistent, and m AC = m BC , then C willfollow the plan m AC = m BC . (iib) If m AC , l AC , and l C are consistent, and m BC , l BC , and l C are also consistent,but C is receiving conflicting messages (0 or 1) from A and B , then C ascertains that A is the traitor and B isloyal, since A is the only one who can send consistentdata to B and C . Since the roles of B and C are sym-metrical, B also ascertains that A is the traitor and C is loyal. Then C and B will follow a previously decidedplan, for instance, 0. (iic) If m AC , l AC , and l C are consis-tent, and C is receiving m BC = ⊥ , then C will follow theplan m AC . Note that in this case there is no way for B to convince C that he has actually received inconsistentinformation from A . Therefore, following the plan m AC (even if A is the traitor) is the only option for reachingagreement with the other loyal party. (iid) If m AC , l AC ,and l C are consistent, but m BC , l BC , and l C are incon-sistent, then C ascertains that B is the traitor and A isloyal. Then C will follow the plan m AC . (iie) If m AC , l AC , and l C are inconsistent, but m BC , l BC , and l C areconsistent, then A is the traitor. Then, complementaryto case (iic), they will now follow the plan m BC . (iif)If m AC , l AC , and l C are inconsistent, and C is receiving m BC = ⊥ , this means that both C and B know that A is the traitor. Then C and B will follow the previouslydecided plan 0.The generation and distribution of the lists with prop-erties (I), (II), and (III) is achieved by distributing amongthe parties four qubits initially prepared in some spe-cific state, then making local single qubit measurementson the four qubits, and then testing (using the pairwiseclassical channels) whether or not the results of thesemeasurements exhibit the required correlations.The state used in our protocol is the four-qubit state | Ψ (4) i abcd = 12 √ | i − | i − | i − | i−| i + 2 | i ) abcd , (1)where, e.g., | i abcd means | i a ⊗ | i b ⊗ | i c ⊗ | i d .This state has been observed in recent experiments[10, 11]. The protocol exploits two properties of thisstate, i.e., the fact that it is invariant under the sameunitary transformation applied to the four qubits (i.e., U ⊗ U ⊗ U ⊗ U | Ψ (4) i abcd = | Ψ (4) i abcd ), where U is anyunitary operation acting on one qubit, and the fact thatit exhibits the required perfect correlations between theresults of projection measurements on the four qubits.Specifically, if A measures qubits (a) and (b), B measuresqubit (c) and C measures qubit (d), and all of them aremeasuring in the same basis, then: if the results of themeasurements on qubits (a) and (b) are both 1 (which A will record as a single 0) —something which occurs withprobability 1 / B will record as 0) and theresult of the measurement on qubit (d) must be 0 (which C will record as 0). If the results of the measurementson qubits (a) and (b) are both 0 (which A will record asa single 1), then the result of the measurement on qubit(c) must be 1 (which B will record as 1) and the resultof the measurement on qubit (d) must be 1 (which C will record as 1). Finally, if the results of the measure-ments on qubits (a) and (b) are either 0 and 1, or 1 and0 (which A will record as a single 2), then the results ofthe measurements on qubits (c) and (d) can be either 0and 1, or 1 and 0.The distribute and test part of the protocol consists ofthe following steps: (i) A source emits a large numberof four-qubit systems in the state | Ψ (4) i . For each four-qubit system j , qubits (a) and (b) are sent to A , qubit (c)to B and qubit (d) to C . (ii) For each four-qubit system j , each of the three parties randomly chooses betweentwo projection measurements; e.g., each of them eithermeasures in the {| i , | i} basis or in the {| ¯0 i , | ¯1 i} basis[where | ¯0 i = ( | i + | i ) / √ | ¯1 i = ( | i − | i ) / √
2] andmakes a list with his results. To extract the correlatedfourfold coincidences, they do the following. For the firstone third of the experiments, C asks A and B wheneverthey have detected and in which bases they have mea-sured their qubits (50% of the cases, A speaks first, andin the other 50%, it is B who speaks first). Then, C tells A and B which events should be rejected. For the sec-ond one third of the experiments, B and C exchange theirroles, and for the last one third, A and B exchange theirroles. By exchanging the roles, they ensure that none ofthe generals can fake parts of the classical protocol with-out being discovered. After this step, each of the partieshas a list. These lists are all of the same length. A hasa list l A of trits, and each of B and C has a list, l B and l C respectively, of bits. (iii) C randomly chooses a posi-tion k C from his list l C and asks A and B to inform him,via the pairwise classical channels, about their results onthe same position k C . If all parties have measured in thesame basis, their results must be suitably correlated. Af-ter this step, each party discards the entries in their listswhich were used for this test. (iv) The parties exchangetheir roles; i.e., B randomly chooses a new position k B FIG. 2: Scheme of the experimental setup. UV-pulses pumpa beta-barium borate crystal
BBO . The degenerate down-conversion emission into the two directions, a and b , is cou-pled into optical fibers by fiber couplers F C , then passes in-terference filters F . To generate the state | Ψ (4) i , the initialemission modes are split with two nonpolarizing beam split-ters BS . Two of the photons are sent to A , one to B , and oneto C . Then, each party performs polarization measurementsby inserting a half-wave plate HW P and using a polarizingbeam splitter
P BS and single-photon avalanche detectors. from his list and repeats step (iii) ; then A chooses a newposition k A , etc. C starts the process all over again untila large number of tests have been performed.This part of the protocol has only two possible out-comes: Depending on the observed quantum error ratio(QER), defined as the ratio of incorrect/all four-photondetection events, the loyal generals decide to abort or usethe lists l A , l B , and l C to reach the agreement.In the experimental implementation, the physicalqubits are polarized photons, and the states | i and | i ,correspond, respectively, to the vertical and horizontallinear polarization states, | V i and | H i . To prepare thestate | Ψ (4) i , we have used the emission of four photonsproduced in the second order of perturbation of the type-II process of spontaneous parametric down-conversion[8, 9, 10]. The experimental setup is shown in Fig. 2. Wehave used UV-pulses of a frequency doubled mode-lockedTitan:Sapphire laser (pulse length 130 fs and repetitionrate 82 MHz) to pump a 2 mm thick beta-barium bo-rate (BBO) crystal at a wavelength of 390 nm and withan average power of 750 mW. The pump beam has beenfocused to a waist of 100 µ m inside the crystal. Thedegenerate down-conversion emission into the two char-acteristic type-II crossing directions, a and b , has beencoupled into single mode optical fibers (length 2 m) toprecisely define the spatial emission modes. After thefibers, the down-conversion light has passed interferencefilters with a bandwidth of 3 nm. To generate the four-photon state | Ψ (4) i , the initial emission modes have beensplit with two nonpolarizing beam splitters. We have se-lected those events in which one photon is detected ineach of the resulting four outputs ( a , b , c , and d ) of thebeam splitters.The polarization measurements have been performedby inserting half-wave plates in each of the four modes.For measuring in the polarization bases {| H i , | V i} and { ( | H i + | V i ) / √ , ( | H i−| V i ) / √ } , the orientations of thehalf-wave plates have been randomly switched between 0 ◦ and 22 . ◦ respectively. The switching of the wave plateshas been controlled by random number generators. Theregistration time for a fixed setting has been 1 s. Thefour photons have been detected, after passing polariz-ing beam splitters, by eight passively quenched single-photon Si-avalanche photodiodes and registered with aneight-channel multiphoton coincidence counter, which al-lows an efficient registration of the 16 relevant fourfoldcoincidences [12]. When more than one four-photon coin-cidence has been recorded in the same time window, onlythe first one has been used. To translate the detectionevents into bit values, we have associated a single-photondetection in the reflected (transmitted) output port ofthe polarization beam splitters with the bit value 0 (1).All the detection events and the basis settings have beenregistered with a personal computer.To generate the lists, the parties have performed 48184measurements in 17 hours. To extract the fourfold coin-cidences in each time window, each party has asked theother parties whenever they detected a photon. Afterremoving those entries where they have not registered aphoton, they have obtained lists l A , l B and l C with 12043entries containing 3000 correlated bits/trits with a QERof 5 . A has obtained a QER of 3 . B . C . TABLE I: Part of the lists l A , l B , and l C obtained experimen-tally. Numbers in italics are events which should not occur inan ideal case.Position l A l B l C Position l A l B l C sible with present technology.The authors thank N. Gisin and M. ˙Zukowski for use-ful conversations. This work was supported by DFG,the Swedish Research Council (VR), the Spanish MECProject No. FIS2005-07689, and the EU 6FP programQAP. ∗ Electronic address: [email protected] † Electronic address: [email protected][1] M. Pease, R. Shostak, and L. Lamport, J. ACM , 228(1980).[2] L. Lamport, R. Shostak, and M. Pease, ACM Trans. Pro-gramming Languages and Syst. , 382 (1982).[3] A. Cabello, Phys. Rev. Lett. , 100402 (2002).[4] M. Fitzi, N. Gisin, and U. Maurer, Phys. Rev. Lett. ,217901 (2001).[5] A. Cabello, J. Mod. Opt. , 1049 (2003).[6] A. Cabello, Phys. Rev. A , 012304 (2003).[7] S. Iblisdir and N. Gisin, Phys. Rev. A , 034306 (2004).[8] H. Weinfurter and M. ˙Zukowski, Phys. Rev. A ,010102(R) (2001).[9] M. Eibl et al. , Phys. Rev. Lett. , 200403 (2003).[10] S. Gaertner et al. , Appl. Phys. B , 803 (2003).[11] M. Bourennane et al. , Phys. Rev. Lett. , 107901(2004).[12] S. Gaertner, C. Kurtsiefer, and H. Weinfurter, Rev. Sci.Instrum.76