160 likes | 282 Views
Randomized and Quantum Protocols in Distributed Computation . Michael Ben-Or The Hebrew University. Michael Rabin’s Birthday Celebration. Randomized Protocols. Power of Randomization Exponential speedup for known algorithms Complexity – The jury is still out on this
E N D
Randomized and Quantum Protocols in Distributed Computation Michael Ben-Or The Hebrew University Michael Rabin’s Birthday Celebration
Randomized Protocols • Power of Randomization • Exponential speedup for known algorithms • Complexity – The jury is still out on this • Provablymore powerful in distributed computation • Natural application: Use randomization for symmetry breaking • Leader Election in anonymous networks • Dining Philosophers Problem • No deterministic solutions • Choice Coordination, Mutual Exclusion • Efficient randomized protocols • Note: No deterministic solution • No bounded-step, zero-error randomized solution
Quantum Protocols Quantum Leader Election in Anonymous Networks Tani, Kobayashi & Matsumoto A connected synchronous network of nidentical processors. Processors can send/receive quantum messages to/from neighbors. Know just a bound Non number of processors, n ≤ N. This includes many cases with no deterministic solution. No quantum cheating - No initial entanglement not allowing special initial symmetric quantum state such as
Quantum Leader Election Cont. • Each process prepares a register holding • Compute quantumly if your value is the same as all other’s. • Measure “Equal or Not” qubits. All the same value b. • If b=0 measure value register. Only those processes with value=1 remain as potential leaders. • If b=1 then global state is the symmetric state • Quantum Magic: Each process applies the same operation Unto its registerand the resulting state is a supper position on some “not all equal” states.
Quantum Leader Election Cont. Ukfor even kis(assumingkcontenders remain, initially k=n) For odd kuse Vk(on two qubits) State transforms to a superposition on “not all equal” states. Keeping just max value guarantees less remaining contenders if k>1. No need to know exact value k of remaining contenders. Letting k go down from N to 2 is good enough. After N-1 phases just one leader remains.
Randomized Protocols Cont. • Byzantine Agreement: • n processes or players, P1,…Pn, each with an input bit bi • Want all non faulty players to reach agreement on a bit b • such that • All non faulty players agree on the same b • If all Pi start with the same bithen output b=bi • We model faults by a computationally unbounded Adversary • Computer crash, no electricity – Fail-Stop fault model • Software or undetected hardware errors, incoherent or • wrong data, malicious players – Byzantine fault model
BA Deterministic Protocols • Assuming we have n players and at most tfaults • Protocols: • There are efficient deterministic t+1 rounds protocols tolerating t<n/3 Byzantine faults in the synchronous model • [PSL77-78,GM93] • Lower Bounds: • A deterministic lower bound of t+1 rounds for fail stop faults [FL82,DS81] • For Byzantine faults t<n/3 [PSL78]. • No deterministic protocols even for t=1 in the asynchronous setting [FLP82].
BA Randomized Protocols n/2 n (n-3t)/5 (n-t)/2 (n+t)/2 (n+3t)/5 0 Flip a coin Choose 1 Choose 0 prefer 0 prefer 1 Weak Global Coin • We reduce agreement to weak global coin flipping • Decide when there is a large majority of players suggesting the same valueb in {0,1}. • If the coin flip succeeds with probability p the expected number of round to reach agreement is O(1/p).
BA Randomized Protocols Adversary can react to players’ random selections: • static or adaptivefailures • private communicationorfull information about the system • fail stoporByzantinetype faults Examples: • Static, fail stop,full informationadversary: Each playerPi selects a random riin [0,n3).Declare the player with the min as theleader. Leader flips an unbiased coin. O(1)rounds protocol. • Adaptive, Byzantine, full information(even asynchronous) adversary:Use majority voting on random bits. Exp time, but just O(1)fort < O(n1/2).
BA Randomized Protocols – More Examples • Adaptive, fail-stop, full informationadversary: Majority voting gives for all t < n matching the lower bound [BB98]. • Static, Byzantine, full informationadversary: O(log n)time protocols No lower bounds! • Coin Flipping with an Adaptive Adversary? All known robust coin flipping games select an almost random leader, and then the leader flips a coin. All this is useless in the adaptive setting. Are there better games than the “Majority” game for adaptive adversaries?
BA Randomized Protocols Rabin’s fast Byzantine agreement Why not hand out random “global coins” in advance, as part of the protocol’s description – O(1) expected time. To allow adaptive, Byzantine, private communication adversary , (knows the full state of the faulty players), use a digitally signed secret sharing scheme to store those global coins, revealing them only when needed. Verifiable Secret Sharing[CGMA] and Global Random Coin protocol from scratch (using BA). Replenish the stock of shared global coins in Rabin’s protocol when needed, using available previously prepared global coins.
BA Randomized Protocols Cont. Global Coins with Adaptive, Byzantine, private comm.adversary: Each player Pi selects a random riin[0,n3).Declare the player with the min as theleader. Leader flips an unbiased coin. Problem:A bad player can choose 1 and get elected. First try: Independently for player P: EachPk, k=1…n, selects random riin[0,n3),and set r = k=1nrk (mod n3) Problem: A bad player can select rkafter other values are known and controlr. Idea: UseVerifiable Secret Sharing (VSS) Problem: VSS requires Byzantine Agreement !? Idea:[FM88] A two round “weak agreement” protocol is good enough for here O(1) time protocol.
BA Quantum Protocols Byzantine Agreement in the Quantum World Adaptive, Byzantine, full information adversary: Players have pairwise quantum channels “Full Information” in the quantum setting: The adversary knows the description of the current pure state of the system. Toy Example:Adaptive, fail-stop, full information adversary Each player prepares and a GHZ state and distributes the pieces to all nplayers.
BA Quantum Protocols At the next round all players measure all the pieces they have; a leader is selected according to the shared minimum; and the corresponding measured bit serves as the “global coin”. Cor: We get an O(1) expected round agreement protocol. By delaying the measurements until all the quantum messages have arrived the adversary has to stop messages before the outcome is known, and so effectively the adaptiveadversary isn’t stronger than the staticone.
BA Quantum Protocols Adaptive, Byzantine, full informationadversary: Idea:replace random shared secrets by a superposition on all possiblen3secrets and all possible polynomials. • This is just an encoding of the superposition of all secrets using a standard CSS quantum error correcting code. • We can use the QVSS procedure of [CGS02] replacing Byzantine agreements with the “weak agreements” of [FM88] • We get an O(1)round quantum Byzantine agreement protocol in the adaptive, Byzantine, full informationadversary model, tolerating an optimal t<n/3 faults. • Works also in the recent Self Stabilizing Byzantine agreement protocols [BDH08, HBD10].
Quantum Protocols Byzantine Agreement @30 C&O@40 Open Problems • In the asynchronous setting we can handle only t<n/4 faults, while randomized BA is possible for t<n/3. The classical “private channel” solution of [CR93] uses secret authentication codes and this can’t work here. • Quantum Choice Coordination? Bounded register, zero-error, wait free… • Quantum Mutual Exclusion? Quantum version of [R80,RK92] protocol that tolerates a full information adversary? Quantum lower bound generalizing [KMRZ93]? • Quantum protocol verification tools.