Michael BenOr The Hebrew University Michael Rabins Birthday Celebration Randomized Protocols Power of Randomization Exponential speedup for known algorithms Complexity The jury is still out ID: 247664
Download Presentation The PPT/PDF document "Randomized and Quantum Protocols in Dist..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Randomized and Quantum Protocols in Distributed Computation
Michael Ben-OrThe Hebrew University
Michael Rabin’s Birthday CelebrationSlide2
Randomized Protocols
Power of Randomization
Exponential
speedup for known algorithms
Complexity – The jury is still out on thisProvably more powerful in distributed computation Natural application: Use randomization for symmetry breakingLeader Election in anonymous networksDining Philosophers ProblemNo deterministic solutionsChoice Coordination, Mutual ExclusionEfficient randomized protocolsNote: No deterministic solution No bounded-step, zero-error randomized solutionSlide3
Quantum Protocols
Quantum Leader Election in
Anonymous
Networks
Tani, Kobayashi & MatsumotoA connected synchronous network of n identical processors. Processors can send/receive quantum messages to/from neighbors.Know just a bound N on number of processors, n ≤ N. This includes many cases with no deterministic solution.No quantum cheating - No initial entanglement not allowing special initial symmetric quantum state such as Slide4
Each
process prepares a register holding Compute
quantumly
if your value is the same as all other’s.
Measure “Equal or Not” qubits. All the same value b. If b=0 measure value register. Only those processes with value=1 remain as potential leaders. If b=1 then global state is the symmetric state Quantum Magic: Each process applies the same operation Un to its register
and the resulting state is a supper position on some “
not all equal
” states.
Quantum Leader
Election Cont.Slide5
Quantum Leader
Election Cont.
U
k
for even k is (assuming k contenders remain, initially k=n)For odd k use Vk (on two qubits)
No need to know exact value
k
of remaining contenders.
Letting
k
go down from N
to 2 is good enough
.After N-1 phases just one leader remains.
State transforms to a superposition
on “not all equal” states. Keeping just max value guarantees less remaining contenders if k>1
.Slide6
Byzantine Agreement:
n processes or players,
P
1
,…Pn, each with an input bit bi Want all non faulty players to reach agreement on a bit b such that All non faulty players agree on the same b If all Pi start with the same bi then output b=biWe model faults by a computationally unbounded Adversary Computer crash, no electricity – Fail-Stop fault model
Software or undetected hardware errors, incoherent or
wrong data, malicious players –
Byzantine
fault model
Randomized
Protocols Cont. Slide7
Assuming we have
n players and at most t
faults
Protocols:There are efficient deterministic t+1 rounds protocols tolerating t<n/3 Byzantine faults in the synchronous model [PSL77-78,GM93]Lower Bounds:A deterministic lower bound of t+1 rounds for fail stop faults [FL82,DS81]For Byzantine faults t<n/3 [PSL78]. No deterministic protocols even for t=1 in the asynchronous setting [FLP82].
BA Deterministic Protocols Slide8
Weak Global Coin
We reduce agreement to weak global coin flippingDecide when there is a large majority of players suggesting the same value
b
in
{0,1}.If the coin flip succeeds with probability p the expected number of round to reach agreement is O(1/p).0n(n-t)/2
(
n
+
t
)/2
(
n+3t
)/5
(n-3
t)/5
Choose 1
Choose 0
prefer 1
prefer 0
Flip a coin
n
/2
BA Randomized
ProtocolsSlide9
Adversary can react to players’ random selections:static or adaptive
failures
private communication or full information about the systemfail stop or Byzantine type faultsExamples: Static, fail stop, full information adversary:Each player Pi selects a random ri in [0,n3). Declare the player with the min as the
leader
. Leader flips an unbiased coin.
O
(1)
rounds protocol.Adaptive, Byzantine, full information
(even asynchronous) adversary:
Use majority voting on random bits. Exp time, but just
O(1
)
for
t
<
O
(
n
1/2
).
BA Randomized
ProtocolsSlide10
Adaptive
, fail-stop, full information
adversary:
Majority voting gives for all
t < nmatching the lower bound [BB98].Static, Byzantine, full information adversary: O(log n) time protocols No lower bounds! Coin Flipping with an Adaptive Adversary? All known robust coin flipping games select an almost random leader, and then the leader flips a coin. All this is useless in the adaptive setting. Are there better games than the “Majority” game for adaptive adversaries?
BA Randomized
Protocols – More ExamplesSlide11
BA Randomized
Protocols
Rabin’s fast Byzantine agreement
Why not hand out random “
global coins” in advance, as part of the protocol’s description – O(1) expected time.To allow adaptive, Byzantine, private communication adversary , (knows the full state of the faulty players), use a digitally signed secret sharing scheme to store those global coins, revealing them only when needed.Verifiable Secret Sharing [CGMA] and Global Random Coin protocol from scratch (using BA).Replenish the stock of shared global coins in Rabin’s protocol when needed, using available previously prepared global coins.Slide12
Global Coins with
Adaptive, Byzantine, private comm.
adversary:
Each player Pi selects a random ri in [0,n3). Declare the player with the min as the leader. Leader flips an unbiased coin.Problem: A bad player can choose 1 and get elected.First try:Independently for player P: Each Pk , k=1…n, selects random
r
i
in
[0,n3
), and setr =
k=1
n r
k (mod n3)
Problem:
A bad player can select
r
k
after other values are known and control
r
.
Idea:
Use
Verifiable Secret Sharing (VSS)
Problem:
VSS
requires Byzantine Agreement !?
Idea
:[FM88] A two round “weak agreement” protocol is good enough for here
O(1
) time protocol.
BA Randomized
Protocols
Cont.Slide13
Byzantine Agreement in the Quantum World
Adaptive,
Byzantine
,
full information adversary:Players have pairwise quantum channels “Full Information” in the quantum setting: The adversary knows the description of the current pure state of the system.Toy Example: Adaptive, fail-stop, full information adversaryEach player preparesand a GHZ state and distributes the pieces to all n players.BA Quantum ProtocolsSlide14
At the next round all players measure all the pieces they have; a leader is selected according to the shared minimum; and the corresponding measured bit serves as the “global coin”.
Cor
: We get an O(1) expected round agreement protocol. By delaying the measurements until all the quantum messages have arrived the adversary has to stop messages before the outcome is known, and so effectively the adaptive adversary isn’t stronger than the static one.BA Quantum ProtocolsSlide15
Adaptive
, Byzantine, full information adversary:
Idea:
replace random shared secrets by a superposition on all possible n3 secrets and all possible polynomials.This is just an encoding of the superposition of all secrets using a standard CSS quantum error correcting code.We can use the QVSS procedure of [CGS02] replacing Byzantine agreements with the “weak agreements” of [FM88]We get an O(1) round quantum Byzantine agreement protocol in the adaptive, Byzantine, full information adversary model, tolerating an optimal t<n/3 faults.Works also in the recent Self Stabilizing Byzantine agreement protocols [BDH08, HBD10].BA Quantum ProtocolsSlide16
Open Problems
In the asynchronous setting we can handle only t<n/4
faults, while
randomized BA
is possible for t<n/3. The classical “private channel” solution of [CR93] uses secret authentication codes and this can’t work here.Quantum Choice Coordination? Bounded register, zero-error, wait free…Quantum Mutual Exclusion? Quantum version of [R80,RK92] protocol that tolerates a full information adversary? Quantum lower bound generalizing [KMRZ93]? Quantum protocol verification tools.Byzantine Agreement @30 C&O@40Quantum Protocols