Beating the fault-tolerance bound and security loopholes for Byzantine agreement with a quantum solution

Byzantine agreement, the underlying core of blockchain, aims to make every node in a decentralized network reach consensus. Classical Byzantine agreements unavoidably face two major problems. One is the $1/3$ fault-tolerance bound, which means that a system tolerating $f$ malicious players requires at least $3f+1$ players. The other is the security loopholes of its classical cryptographic methods. Here, we propose a Byzantine agreement framework with unconditional security that breaks this bound with nearly $1/2$ fault tolerance, owing to the multiparty correlation provided by quantum digital signatures. It is intriguing that quantum entanglement is not necessary to break the $1/3$ fault-tolerance bound, and we show that a weaker correlation, such as the asymmetric relationship of quantum digital signatures, can also work. Our work strictly obeys the two Byzantine conditions and can be extended to any number of players without requiring multiparticle entanglement. We experimentally demonstrate three-party and five-party consensus for a digital ledger. Our work indicates the quantum advantage in terms of consensus problems and suggests an important avenue for quantum blockchain and quantum consensus networks.


I. INTRODUCTION
Byzantine agreement requires solving the fundamental consensus problem initially posed in 1982, known as the Byzantine Generals Problem, which can ensure the smooth functioning of a decentralized system under the attacks of malicious players [1,2]. This problem can be translated into a 'commanding general-lieutenants' model, where the commanding general is randomly selected from among all the Byzantine generals and the others become lieutenants to reach consensus on the commanding general's order. For a strict Byzantine agreement, there are two necessary interactive consistency (IC) Byzantine conditions. The first is that all loyal lieutenants obey the same order (IC$_1$), and the second is that every loyal lieutenant obeys the order of the commanding general if the commanding general is loyal (IC$_2$). Only when both conditions are satisfied can the system reach consensus. For an $N$-party system, however, classical Byzantine agreement (CBA) protocols [3–9] that tolerate $f$ malicious players require $N \geq 3f + 1$ players; namely, the fault-tolerance bound is 1/3 [10–13]. Thus, the three-party consensus problem is naturally unsolvable for CBA even using the authenticated classical channel [14]. The other issue is the security loopholes of CBA's widely used public-key encryption and one-way hash function [15], which are seriously threatened by quantum computing [16–23].
Quantum Byzantine agreement (QBA) is a promising approach for consensus problems. For three-party consensus, the first quantum solution using a three-qutrit singlet state was proposed in 2001 [24] and was experimentally demonstrated using a four-photon polarization-entangled state in 2008 [25]. This protocol and its subsequent protocols [26–30] using some special entanglement, called the detectable QBA framework, unavoidably weaken the two original Byzantine conditions with extra assumptions, which leads to a certain probability of aborting the protocol. More seriously, these rudimentary solutions are restricted to the three-party scenario and can only reach a one-bit message consensus [24,25,27–30]. Some achievements have been made toward scalable multiparty QBA [31–34], but their fault tolerance is 1/3. In addition, QBA protocols require sophisticated techniques, such as multiparticle entanglement generation and distribution and entanglement swapping, which are difficult for practical implementations. Furthermore, the security of detectable QBA has not been proven rigorously [35,36].
In this Letter, different from detectable QBA, we propose a strict information-theoretically secure QBA framework that exploits the recursion structure [37] and quantum digital signatures (QDS) [38–55] to address the limitations of the fault-tolerance bound and security loopholes (see Table I). It completely breaks the 1/3 fault-tolerance bound with a fault tolerance of $N \geq 2f + 1$, $\forall f \in \mathbb{N}^+$, while strictly obeying IC$_1$ and IC$_2$ due to the multiparty correlation provided by QDS. Our work is highly adapt-
FIG. 1. Schematic of a multicast round including $n$ players with primary $S$. The primary $S$ signs and then multicasts his message to the backups. The forwarder is chosen from among the backups, and unchosen backups act as verifiers. The primary, the forwarder and one of the verifiers perform a three-party QDS. The backups take turns acting as the forwarder. The arrow indicates the direction of the message delivery.
Generating and maintaining entanglement is a sticking point in experimental setups, and the ability to relax this requirement can reduce the complexity of consensus systems and serve as a foundation for further research. Furthermore, our protocol is able to achieve consensus on multiple messages. In addition, we implement proof-of-principle experiments of the three-party and five-party consensus with three different QDS protocols.

A. Protocol definition
Before stating our QBA framework, we introduce the basic unit called the multicast round. In a multicast round with $n$ players, there is a primary, and the others are backups. The primary multicasts his or her message to the backups by the following operation, as shown in Fig. 1. One of the backups is selected as the forwarder, and the other unselected backups become verifiers. The primary, the forwarder and one of the verifiers perform a three-party QDS to transmit the message. QDS is divided into two stages: the distribution stage and the messaging stage. The distribution stage distributes correlated quantum keys to the players. The messaging stage uses some classical operations and the quantum keys to complete digital signatures. The messaging stage contains three steps: signing, forwarding, and verification. The primary signs the message, then sends the message and the corresponding signature to the forwarder. After that, the forwarder forwards the message and signature to the verifier. The signing is successful only when both the forwarder and the verifier accept the signature, i.e., the primary cannot deny the fact that she signed the message (nonrepudiation), and the message cannot be forged by others including the forwarder (unforgeability) (see Appendix B). For a chosen forwarder, the verifiers take turns participating in such a three-party QDS. The above process is repeated until all backups have acted as the forwarder once. In the end, each backup records a list of $n - 1$ messages, consisting of one message directly from the primary and $n - 2$ messages forwarded by other backups. We call this list of messages the broadcasting list hereafter. Note that a complete multicast round consists of three steps: (i) sign and multicast, (ii) forward and (iii) verify and record.

Broadcasting phase
The broadcasting phase begins with $d = 1$ and ends with $d = f$. We consider a general case $\mathrm{MR}^{d}_{\zeta}$ ($d = 1, 2, 3, \cdots, f$):
1. Sign and Multicast: The primary signs and then multicasts the message $m^{d}_{\zeta}$ to the $N - d$ backups via QDS as shown in Fig. 1.
2. Consistency check: If $d = 1$, there is no consistency check; skip to Step 3. If $1 < d \leq f$, upon receiving the message from the primary, forwarder $R_j$ checks the consistency between it and the message that he received from the primary at the previous depth $d - 1$. ($R_j$ visits the players who do not appear in route $\zeta$.) If the consistency check is passed, perform Step 3. Otherwise, he requests that this primary perform Step 1 again until he receives a consistent message.
3. Forward: $R_j$ forwards the message to verifiers $R_k$ ($R_k$ visits the players except $R_j$ and those who have appeared in route $\zeta$)., respectively.

Recursion:
The forwarder $R_j$ acts as the primary of $\mathrm{MR}^{d+1}_{\zeta\to R_j}$, and then the above four steps are repeated. The recursion process ends when $d = f$.

Gathering phase
For the lieutenants $R_i$ ($i = 1, 2, \cdots, N - 1$):
1. Input: In the bottom layer $d = f$, $R_i$ obtains the initial gathering list
2. Recursion: When $1 \leq d < f$, the gathering lists at the corresponding depth and route are $G^{d,R_i}_{\zeta} = \{m^{d+1,R_i}_{\zeta\to R_p}\}_{R_p}$, where $m^{d+1,R_i}_{\zeta\to R_p} = \mathrm{majority}(G^{d+1,R_i}_{\zeta\to R_p})$ and $R_p$ visits all players except those who have appeared in route $\zeta$.

Output

Generally, our QBA framework consists of two phases, namely, the broadcasting phase and the gathering phase. Suppose there is a system of $N$ players in total, including $f$ malicious ones. The commanding general (initial primary) is denoted as $S$, and the lieutenants are denoted as $R_i$, for $i = 1, 2, \cdots, N - 1$. The flow chart of the two phases is shown in Table II. The broadcasting phase is designed for the lieutenants $R_i$ to exchange the message received from $S$ with each other, and the gathering phase is designed for each $R_i$ to deduce the original message of $S$ according to the information gathered by themselves.
Broadcasting phase. The broadcasting phase consists of successive multicast rounds. For clarity, we denote the multicast round as $\mathrm{MR}^{d}_{\zeta}$, where $\zeta$ represents the route of delivering the message and $d$ is the depth of the multicast round. The first multicast round, started by the commanding general $S$, is denoted as $\mathrm{MR}^{1}_{S}$. In $\mathrm{MR}^{1}_{S}$, $S$ signs and then multicasts his message $m^{1}_{S}$ to all the lieutenants $R_i$. In the multicast round of the next depth, $\mathrm{MR}^{2}_{S\to R_i}$, $R_i$ acts as a primary, and then signs and multicasts the message $m^{2}_{S\to R_i}$, which he received from $S$, to the other lieutenants. The process is repeated until $d = f$. We denote the list in which lieutenant $R_i$ records the messages he receives in $\mathrm{MR}^{d}_{\zeta}$ as the aforementioned broadcasting list $B^{d,R_i}_{\zeta}$. In the broadcasting phase, the consistency check occurs between Step 1 and Step 3. Consider a general case: in $\mathrm{MR}^{d}_{\zeta}$, the primary signs and multicasts the message $m^{d}_{\zeta}$ to the backups, assuming that $R_j$ acts as the forwarder and $R_k$ acts as a verifier. In the multicast round at the next depth $d + 1$, $\mathrm{MR}^{d+1}_{\zeta\to R_j}$, $R_j$ will act as a primary and $R_k$ will act as the forwarder. The messages $R_j$ delivers to $R_k$ in the two rounds, $\mathrm{MR}^{d}_{\zeta}$ and $\mathrm{MR}^{d+1}_{\zeta\to R_j}$, must be consistent, because $R_k$ can check the consistency of the two messages. If the two messages are inconsistent, $R_k$ will reject them and ask $R_j$ to repeat the process until the two messages are consistent.
Gathering phase. The deterministic function we used in the gathering phase is called the majority function. It outputs the value of the majority element in the input set (see Appendix A 4). In MR

B. Brief Security analysis
The basic unit of our protocol is QDS, which has been proven information-theoretically secure. However, we need to consider that malicious players may collude to disturb the normal functioning of our protocol, and to figure out the fault tolerance. We adopt a perfect binary tree model and divide the multicast rounds into two kinds of tree node according to whether the primary of a multicast round is honest or not. The main idea of our security proof is to find a message delivery path that keeps the delivered message consistent, which we call the safe path, because the safe path in the binary tree ensures that every tree node in it has more honest backups than dishonest ones. In short, to ensure the effective existence of the safe path after $f$ recursions, the system must have more honest players than dishonest ones, i.e., $N - f > f$; thus the fault tolerance is $N \geq 2f + 1$ (see Appendix C).

C. Experimental implementation
We show a proof-of-principle experimental implementation of our QBA framework for reaching consensus on a decentralized digital ledger, one of the most important applications of blockchain. The digital ledger is a 1.10 MByte document that is a virtual transaction including time, clients, merchants, commodity and the amount. It is converted into a binary string of bits. We denote the correct message as m1, and the incorrect messages as m2, m3, and so on.
To show the high degree of adaptability of our work, we implement three-party consensus with single-bit GC01-QDS [41], one-time universal$_2$ hashing (OTUH) QDS [53] and OTUH-QDS without perfect keys [54], respectively. In addition, we utilize OTUH-QDS to realize the five-party consensus. The key idea of single-bit GC01-QDS is to first generate two pairs of raw quantum keys and then exchange half of Bob's and Charlie's quantum keys with each other, which is called the symmetrization step, to construct the correlation. In contrast, OTUH-QDS first constructs the three-party correlation $X_a = X_b \oplus X_c$ and $Y_a = Y_b \oplus Y_c$ among the quantum keys of Alice (signer), Bob (forwarder) and Charlie (verifier). Alice signs the message with $X_a$ and $Y_a$, and then Bob and Charlie exchange their keys to complete the verification. These correlated raw quantum keys can be achieved by any quantum key generation process [56–63]. Here, we utilize the four-intensity decoy-state BB84 key generation process for the three QDS protocols [56]. There are five independent players $S$ and $R_i$ ($i = 1, 2, 3, 4$). The correlated quantum keys of different pairwise players are pre-distributed in the laboratory via fiber spool, i.e., the distribution stage of QDS is completed in the laboratory. They do not disclose any information about their own quantum keys to others, and then bring the keys to five different buildings in Fig. 2 to simulate the real-life situation where the users are geographically separated, and then use these quantum keys to complete digital signatures, i.e., the classical operations of the messaging stage are performed in the real locations. Note that, to simplify the proof-of-principle experiment, we employ the above method due to the immaturity of real-life multi-node quantum networks. It is anticipated that as quantum networks progress in maturity, enabling their widespread deployment and utilization, our QBA framework can be seamlessly integrated into practical quantum networks without the necessity of laboratory-based quantum key preparation.
$S$, $R_1$ and $R_2$ perform three-party consensus and all five players perform five-party consensus. According to IC$_1$ and IC$_2$, we consider whether $S$ is honest or not. Here, we exemplify the three-party consensus in Fig. 3 (see Appendix D for five-party consensus and experimental details). Moreover, we show the consensus rates of our QBA framework when adopting these three QDS protocols in Table III. OTUH-QDS, which can sign a multibit message each time, leads to a much higher efficiency of the QBA framework: the system can reach consensus 11.95 times per second, while single-bit GC01-QDS only reaches consensus $4.5 \times 10^{-8}$ times per second under the same security parameter.
(a) $S$ is honest. There is only one malicious player $R_2$ and thus only one layer $d = 1$ in the three-party consensus. In $\mathrm{MR}^{1}_{S}$, $S$ sends the correct message m1 via multicasting. $R_1$ records m1 when he acts as a forwarder, and records m1 received from $R_2$ when he acts as a verifier. The malicious $R_2$ must honestly forward m1 when he acts as a forwarder due to the unforgeability of QDS. Hence, as shown in Fig. 3(a), the gathering list of honest $R_1$, which is also the broadcasting list, is
Consensus rates of our QBA framework adopting different QDS in the three-party consensus. The agreement rate, CR, is defined as the number of times a system can reach consensus per second. It can be expressed as $\mathrm{CR} = \mathrm{SR}/C$, where $C$ is the communication complexity of the system, and SR is the signature rate of the adopted QDS. (See Appendix A 5.)
(b) $S$ is dishonest. There is only one malicious player $S$. In $\mathrm{MR}^{1}_{S}$, $S$ sends conflicting messages m1 and m2 to honest $R_1$ and $R_2$, respectively. $R_1$ records m1 when he acts as a forwarder, and records m2 received from $R_2$ when he acts as a verifier. $R_2$ records m2 when he acts as a forwarder, and records m1 received from $R_1$ when he acts as a verifier. Hence, as shown in Fig. 3(b), the gathering list of honest $R_1$, which is also the broadcasting list, is Although the dishonest primary $S$ sends conflicting messages, honest $R_1$ and $R_2$ obtain the same output $\Delta$. That satisfies IC$_2$.
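The two three-party cases can be replayed directly. The following Python example is an added illustration, not code from the paper or its authors: it idealises the three-party QDS as a check that a forwarded message equals what the primary signed (`qds_accepts`, a hypothetical helper), assumes a single layer ($f = 1$), and goes beyond the three-party walk-through by enumerating every set of messages a dishonest primary could multicast to any number of backups.

```python
from collections import Counter
from itertools import product


def majority(messages, bias_order):
    """Most frequent element of the list; a tie goes to whichever tied element
    comes first in bias_order (the bias fixed before the calculation)."""
    counts = Counter(messages)
    top = max(counts.values())
    tied = [m for m in counts if counts[m] == top]
    return min(tied, key=bias_order.index)


def qds_accepts(signed_by_primary, forwarded):
    """Idealised three-party QDS (assumption): a verifier accepts a forwarded
    message only if it is exactly what the primary signed for that forwarder."""
    return forwarded == signed_by_primary


def broadcasting_lists(sent, forge_attempts=None):
    """One multicast round MR^1_S.

    sent           -- {backup: message S signed and multicast to that backup}
    forge_attempts -- {backup: message a dishonest backup tries to forward instead}
    Returns {backup: list of n-1 recorded messages}: the copy received from S
    plus one copy forwarded by every other backup.
    """
    forge_attempts = forge_attempts or {}
    lists = {r: [sent[r]] for r in sent}
    for fwd in sent:                       # backups take turns as forwarder
        attempt = forge_attempts.get(fwd, sent[fwd])
        if not qds_accepts(sent[fwd], attempt):
            attempt = sent[fwd]            # forgery rejected: only S's signed message gets through
        for ver in sent:                   # every other backup acts as verifier
            if ver != fwd:
                lists[ver].append(attempt)
    return lists


def outputs(sent, bias_order, forge_attempts=None):
    """With f = 1 the gathering list equals the broadcasting list, so each
    backup outputs the majority of what it recorded."""
    lists = broadcasting_lists(sent, forge_attempts)
    return {r: majority(lst, bias_order) for r, lst in lists.items()}


def ic1_holds_for_any_dishonest_primary(n_backups, alphabet):
    """Try every combination of messages a dishonest S could multicast to
    n_backups honest backups; IC1 requires all of them to output the same value."""
    for combo in product(alphabet, repeat=n_backups):
        sent = {f"R{i + 1}": m for i, m in enumerate(combo)}
        if len(set(outputs(sent, list(alphabet)).values())) != 1:
            return False
    return True


# Case (a): S honest, R2 malicious and trying to forward m2 in place of m1.
CASE_A = outputs({"R1": "m1", "R2": "m1"}, ["m1", "m2"], forge_attempts={"R2": "m2"})
# Case (b): S dishonest, sending m1 to R1 and m2 to R2; both backups honest.
CASE_B = outputs({"R1": "m1", "R2": "m2"}, ["m1", "m2"])

if __name__ == "__main__":
    print("case (a):", CASE_A)
    print("case (b):", CASE_B)
    print("IC1, 4 backups:", ic1_holds_for_any_dishonest_primary(4, ["m1", "m2", "m3"]))
```

In case (b) both backups hold the same two messages in a different order, so the tie is resolved by the preset bias and both output the same value.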

III. CONCLUSION AND DISCUSSION
The 1/3 fault-tolerance bound cannot be beaten for any arbitrary pairwise communication [10–13]; not even quantum channels can help solve this problem. If the nodes of a system are linked by channels that are independent of each other, the bound cannot be beaten. Intriguingly, when quantum entanglement is introduced into the system, it is possible to surpass this bound because quantum entanglement provides the correlation and removes the independence [24]. Although the detectable QBA framework is designed according to multiparticle entanglement [24–30], such protocols cannot extend to more than three participants and unavoidably weaken the Byzantine conditions, because multiparticle entangled states are very hard to prepare and maintain, and these protocols do not fully utilize the correlation to protect the unforgeability and nonrepudiation of information, which leads to a certain probability of failure.
Fortunately, QDS is a useful and natural tool for solving this problem. With its ability to establish multiparty correlation among players, QDS ensures both unforgeability and nonrepudiation, and thus tolerates malicious players. These two essential properties effectively curtail the malevolent activities of malicious players within the system, preventing them from indiscriminately disseminating conflicting messages. The multiparty correlation provided by QDS makes the channels no longer independent of each other. Consequently, our protocol can break the fault-tolerance bound and strictly obey the two original Byzantine conditions, which demonstrates quantum advantage in terms of Byzantine consensus. By bridging two prominent research themes, the Byzantine agreement and quantum digital signatures, our work paves the way for practical quantum blockchain and quantum consensus networks.
Appendix A: Some pre-knowledge and details of our Byzantine agreement

Blockchain
Blockchain is a decentralized digital database technology that allows secure transactions between multiple parties without the need for intermediaries [64]. It was first introduced in 2008 as the underlying technology for the cryptocurrency, Bitcoin. However, its potential applications have expanded beyond just cryptocurrencies. What makes blockchain unique is that it is a distributed system, which means that it is maintained by a network of nodes that are interested in maintaining it rather than a central authority. Every participant in the network holds a copy of the blockchain, and any changes to the database require consensus among the nodes. This makes it virtually impossible for a single entity to control or manipulate the blockchain.
The potential applications of blockchain are vast and include everything from cryptocurrency, financial transactions (digital ledgers), the Internet of Things and supply chain management to digital identity verification and voting systems. Its decentralized and secure nature makes it an attractive solution for businesses and organizations looking to streamline processes, increase efficiency, and reduce costs.
Blockchain includes many cryptography tasks, such as consensus, timestamp, identity authentication, privacy protection and so on. The most important one of them is the consensus problem, known as the Byzantine general problem, which is the research topic of our work. Our work does not aim to solve all the cryptography tasks of blockchain, and we focus on the core problem, Byzantine consensus.

Byzantine general problem
The Byzantine General Problem (also called Byzantine fault tolerance problem) is a classic computer science problem that deals with the challenge of coordinating a group of distributed and autonomous entities to reach a consensus in the presence of faulty or malicious actors [1]. In this problem, a group of Byzantine generals is camped outside a city and must coordinate their attack or retreat plans via messengers. However, some of the generals may be traitors who aim to sabotage the coordination, and messengers can be captured or corrupted during transmission, leading to false messages.
The challenge is to design a Byzantine agreement protocol that ensures that all loyal generals agree on a common plan of action, even in the presence of faulty or malicious actors. This problem has applications in distributed computing, cryptography, and especially blockchain technology. The Byzantine General Problem remains an active research topic in computer science and is considered a fundamental problem in distributed systems.

Two necessary interactive consistency (IC) Byzantine conditions
Lamport et al. have proven that the Byzantine General Problem can be translated into a 'commanding general-lieutenants' model, where the commanding general is randomly chosen from among all Byzantine generals and the others become lieutenants to reach consensus on the order of the commanding general [1]. A strict Byzantine agreement must satisfy the following two interactive consistency Byzantine conditions. IC$_1$: All loyal lieutenants obey the same order. IC$_2$: Every loyal lieutenant obeys the order he or she sends if the commanding general is loyal. These two conditions emphasize two major concerns. When the commanding general is dishonest, all loyal players output consistent values. When the commanding general is honest, all loyal players output consistent and correct values. A strict Byzantine agreement must obey these two original conditions without adding any other assumptions. However, for detectable QBA protocols to achieve three-party consensus, an extra assumption is needed: there must be a certain probability that the protocol will fail. The players must discard the outcome when the protocol fails and perform the process again until the protocol succeeds. Therefore, all detectable QBA protocols are weaker versions of the Byzantine agreement.

Majority function
The majority function we apply in our protocol aims to output the element that appears most often for an input set. For example, when the input set is In a few cases, more than one element appears most frequently in the input set, and the systems that calculate the majority function on the input set are often deliberately biased toward one of them that we set initially. For example, when the input set is , the output will be $\mathrm{majority}(M) = m_1$ ($m_2$), which is determined by the biased output $m_1$ ($m_2$) that we set before calculation. Note that for the same input sets with different players, the majority function outputs the same value, which we will denote as $\Delta$.

Communication Complexity and Consensus Rate
To measure the consumed resources, we define the number of times the QDS process is implemented to reach consensus as the communication complexity, denoted as $C$. The total communication complexity of our QBA protocol can be expressed by is the number of dishonest players and $N$ is the number of all players. Here $A^{2+m}_{n-1}$ represents the communication complexity at depth $m + 1$. In reality, we need to perform $[\frac{N-1}{2}]$ recursions for a real-life consensus system with unknown $f$, where $[x]$ is the greatest integer less than or equal to $x$.
Consider the simple case in which the system uses a QDS protocol that has the same signature rate, denoted as SR, in all the multicast rounds. We define the consensus rate of our QBA protocol as $\mathrm{CR} = \mathrm{SR}/C$, where $C$ is the communication complexity of the system. CR is the important index of the efficiency of QBA. To get a higher consensus rate, we need to adopt a QDS protocol that has a higher signature rate. As the total number of players and the number of malicious players increase, the communication complexity increases, which leads to a decrease of the consensus rate.
Appendix B: Quantum digital signatures

Brief introduction
Quantum digital signatures with information-theoretical security have two major properties, nonrepudiation and unforgeability. They are all divided into two stages, the distribution stage and the messaging stage. The distribution stage distributes the correlated raw quantum keys of Alice-Bob and Alice-Charlie for the messaging stage. The correlated quantum keys can be achieved by some classical operations, such as the symmetrization step used in BB84 GC01-QDS [41], MDI-QDS [44,45] and CV-QDS [50], test bits used in SARG04-QDS [40,49,51], and secret sharing used in OTUH-QDS [53,54]. The messaging stage completes the digital signature and determines whether it is successful or not.
The messaging stage can be briefly described as follows. Alice is a 'signer'. Bob is a 'forwarder'. Charlie is a 'verifier'. Alice signs a message with her quantum keys, and then transmits the message and corresponding signature to Bob. Bob forwards the message and corresponding signature to the verifier Charlie. Then, Bob and Charlie will check the message and corresponding signature, respectively. The process of QDS is successful when and only when both Bob and Charlie accept the message and the corresponding signature. The signature rate, SR, is defined as the number of times the players can perform the QDS per second.
Nonrepudiation. Nonrepudiation refers to a situation in which the signer cannot successfully dispute the authorship of his signature. This means that Alice cannot deny the fact that she signed the message if the signature is accepted by both Bob and Charlie.
Unforgeability. Unforgeability refers to a situation in which no one can forge a message and its corresponding signature. This means that if Bob forwards a forged message and signature, it will be impossible for him to successfully make Charlie accept the forged message and signature.
Note that our QBA protocol can apply any kind of QDS to ensure unconditional security and better fault-tolerance performance. Here, we prefer to use the most efficient and practical QDS protocol, called one-time universal$_2$ hashing QDS [53], which we also use in the experiment of three-party and five-party consensus. A detailed description of the one-time universal$_2$ hashing QDS can be found in the next subsection.

BB84-KGP GC01-QDS
BB84-KGP GC01-QDS is a traditional single-bit QDS protocol proposed in 2016. In every round only one bit of message is signed. That is, the possible message is $m = 0$ or 1. In the distribution stage, bit correlations between Alice-Bob and Alice-Charlie are realized by the BB84 key generation protocol (KGP). In the messaging stage, users exchange part of their keys and compare the mismatch rate to verify the signature. Here we introduce this protocol as used in our quantum consensus experiment.
Distribution stage-(i) For $m = 0$ or 1, Alice uses the BB84-KGP to generate four different keys of length $L$, A 0 , where the subscripts A and B denote that she performed the KGP with Bob and Charlie, respectively, and the superscript denotes the future message to be signed, to be decided later by Alice. After BB84-KGP, Bob holds the length-$L$ strings $K^0_B$, $K^1_B$ and Charlie holds the length-$L$ strings $K^0_C$, $K^1_C$. The procedure of BB84-KGP is analogous to BB84-QKD, but the error correction and privacy amplification steps are removed. The shared keys are correlated with limited mismatch and secrecy leakage.
(ii) Bob and Charlie symmetrize their keys by choosing half of the bit values in their $K^m_B$, $K^m_C$ and sending them as well as the corresponding positions to each other using the Bob-Charlie secret classical channel. They will only keep the bits they did not forward and those received from the other participant. Their final symmetrized keys are denoted as $S^m_B$ and $S^m_C$. Bob (and Charlie) will keep a record of whether an element in $S^m_B$ ($S^m_C$) came directly from Alice or whether it was forwarded to him by Charlie (or Bob).
Messaging stage-(i) To send a signed one-bit message $m$, Alice sends $(m, \mathrm{Sig}_m)$ to the desired recipient (say Bob), where $\mathrm{Sig}_m = (A^m_B, A^m_C)$.
(ii) Bob checks whether $(m, \mathrm{Sig}_m)$ matches his $S^m_B$ and records the number of mismatches he finds. He separately checks the part of his key received directly from Alice and the part of the key received from Charlie. If there are fewer than $s_a(L/2)$ mismatches in both halves of the key, where $s_a < 1/2$ is a small threshold determined by the parameters and the desired security level of the protocol, then Bob accepts the message.
(iii) To forward the message to Charlie, Bob forwards the pair $(m, \mathrm{Sig}_m)$ that he received from Alice.
(iv) Charlie tests for mismatches in the same way, but in order to protect against repudiation by Alice he uses a different threshold. Charlie accepts the forwarded message if the number of mismatches in both halves of his key is below $s_v(L/2)$, where $s_v$ is another threshold, with $0 < s_a < s_v < 1/2$.
The probability of a successful repudiation is and that of a successful forgery is where $p_e$ represents the unknown information of one bit in the string and can be bounded by parameters of BB84-KGP.

One-time universal2 hashing QDS
We introduce the one-time universal$_2$ hashing (OTUH)-QDS we applied in our quantum consensus experiment, which utilizes secret sharing, one-time hashing and one-time pad to generate and verify signatures [53].
Distribution stage-Before executing the signature, Alice, Bob and Charlie all have two sets of keys, $X_{a,b,c}$ and $Y_{a,b,c}$, which satisfy the bit correlations $X_a = X_b \oplus X_c$ and $Y_a = Y_b \oplus Y_c$. The perfect bit correlation of three parties can be realized by using quantum communication, such as quantum secret sharing and quantum key distribution. Note that OTUH-QDS requires that all three participants have the bit correlations $X_a = X_b \oplus X_c$ and $Y_a = Y_b \oplus Y_c$ before Alice signs the message; otherwise Bob and Charlie cannot successfully verify the signature. In our experiment, we use four-intensity decoy-state BB84 QKD to implement this bit correlation. Alice shares the secret keys $X_b$ and $Y_b$ with Bob, and $X_c$ and $Y_c$ with Charlie via QKD. Then, Alice gets her own secret keys by an XOR operation. Suppose that Alice signs a $q$-bit document (message), denoted as $m$, and sends it to 'forwarder' Bob.
Messaging stage-(i) Signing-Alice generates an irreducible polynomial [15] $I(x)$ of degree $p$ at random using a local quantum random number, which can be characterized by a $p$-bit string $I_a$. Then she uses her key bit string $X_a$ and the irreducible polynomial $I(x)$ to generate a random linear feedback shift register-based (LFSR-based) Toeplitz matrix [65] $H_{pq}$ of $p$ rows and $q$ columns. She acquires a $2p$-bit digest $\mathrm{Dig} = (\mathrm{Dig}_1 \| I_a)$. Here, $\mathrm{Dig}_1$ is the digest of the $q$-bit document through a hash operation with Dig
-Security of OTUH-QDS. This QDS protocol is naturally immune to repudiation and the probability of a successful forgery can be determined by where $|m|$ is the length of the message. In this work, we choose $p = 128$ and thus even for the $2^{64}$-bit document it is still safe enough.
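An added Python example of the OTUH-QDS messaging stage with the page's $p = 128$, not the paper's or the authors' code. The random irreducible polynomial, the LFSR-based Toeplitz hash and the digest $\mathrm{Dig}_1 \| I_a$ follow the description above; the one-time pad of the digest with $Y_a$ and the recipient's recomputation are assumptions filled in from the statements that the scheme uses a one-time pad and that Bob and Charlie exchange their keys, and the keys come from a seeded generator instead of QKD.

```python
import random

P = 128   # digest length p; the page chooses p = 128
X = 2     # the polynomial x, with GF(2)[x] polynomials stored as ints


def deg(a):
    return a.bit_length() - 1


def pmod(a, m):
    """Remainder of polynomial a modulo m over GF(2)."""
    while a and deg(a) >= deg(m):
        a ^= m << (deg(a) - deg(m))
    return a


def pmulmod(a, b, m):
    """a * b mod m over GF(2), by shift-and-add."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a = pmod(a << 1, m)
    return pmod(result, m)


def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a


def is_irreducible(f):
    """Ben-Or test: f of degree p is irreducible iff gcd(f, x^(2^i) - x) = 1
    for every i from 1 to p // 2."""
    t = X
    for _ in range(deg(f) // 2):
        t = pmulmod(t, t, f)            # t = x^(2^i) mod f
        if pgcd(f, t ^ X) != 1:
            return False
    return True


def random_irreducible(p, rng):
    while True:
        f = (1 << p) | rng.getrandbits(p) | 1   # monic, degree p, constant term 1
        if is_irreducible(f):
            return f


def toeplitz_hash(msg_bits, key, poly, p):
    """H_pq * m over GF(2). Column j of H_pq is the LFSR state after j steps,
    starting from `key`, so consecutive columns are one-step shifts of each
    other; the feedback taps are the coefficients of poly below x^p."""
    taps, state, digest = poly & ((1 << p) - 1), key, 0
    for bit in msg_bits:
        if bit:
            digest ^= state
        feedback = bin(state & taps).count("1") & 1
        state = (state >> 1) | (feedback << (p - 1))
    return digest


def sign(msg_bits, x_a, y_a, rng, p=P):
    poly = random_irreducible(p, rng)          # fresh I(x) for every signature
    i_a = poly & ((1 << p) - 1)                # p-bit string I_a describing I(x)
    dig = (toeplitz_hash(msg_bits, x_a, poly, p) << p) | i_a   # Dig = Dig_1 || I_a
    return dig ^ y_a                           # assumption: one-time pad with the 2p-bit Y_a


def verify(msg_bits, sig, own_keys, other_keys, p=P):
    """A recipient XORs his (X, Y) shares with the other recipient's to rebuild
    Alice's keys, strips the pad, rebuilds H_pq from I_a and re-hashes."""
    k_x, k_y = own_keys[0] ^ other_keys[0], own_keys[1] ^ other_keys[1]
    dig = sig ^ k_y
    dig1, i_a = dig >> p, dig & ((1 << p) - 1)
    return toeplitz_hash(msg_bits, k_x, (1 << p) | i_a, p) == dig1


def demo(seed=7, p=P, q=512):
    """Returns (Bob accepts, Charlie accepts, Charlie accepts a tampered document)."""
    rng = random.Random(seed)                  # constructed, repeatable randomness
    bob = (rng.getrandbits(p), rng.getrandbits(2 * p))       # (X_b, Y_b)
    charlie = (rng.getrandbits(p), rng.getrandbits(2 * p))   # (X_c, Y_c)
    x_a, y_a = bob[0] ^ charlie[0], bob[1] ^ charlie[1]      # Alice's keys by XOR
    msg = [rng.getrandbits(1) for _ in range(q)]             # constructed q-bit document
    sig = sign(msg, x_a, y_a, rng, p)
    tampered = [msg[0] ^ 1] + msg[1:]
    return (verify(msg, sig, bob, charlie, p),
            verify(msg, sig, charlie, bob, p),
            verify(tampered, sig, charlie, bob, p))


if __name__ == "__main__":
    print(demo())
```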
Recently, a variant of OTUH-QDS, called OTUH-QDS without perfect keys, was proposed [54]. Different from OTUH-QDS, which calls for sharing perfect quantum keys in the distribution stage, in this variant users share keys through KGP, which is consistent with that in single-bit QDS. In the following we introduce OTUH-QDS without perfect keys with BB84-KGP, which is used in our experimental demonstration.
Distribution stage-(i) Alice-Bob and Alice-Charlie independently implement BB84-KGP to share correlated bit strings. This KGP process is the same as that in BB84-QDS. Thereafter, Alice-Bob and Alice-Charlie perform error correction algorithms on their shared bit strings. After this step, Alice holds two strings, denoted as $k_{A_1}$ and $k_{A_2}$. She obtains one string $k_A$ through an XOR operation. Bob and Charlie each hold one string, denoted as $k_B$ and $k_C$, respectively.
(ii) Alice randomly disturbs the order of $k_A$, and cuts the new string into $P$-bit subgroups. The size of $P$ is estimated by parameters of BB84-KGP so that the security is guaranteed. Alice will publicize the new order and $P$, and Bob and Charlie will perform the same operation on $k_B$ and $k_C$ accordingly.
Messaging stage-The messaging stage is analogous to that in OTUH-QDS. One subgroup in the distribution stage contributes $X_{a,b,c}$ with length $P$ and another two subgroups contribute $Y_{a,b,c}$ with length $2P$. The rules of Alice, Bob and Charlie are then consistent with those in OTUH-QDS.
-Security of OTUH-QDS without perfect keys. This protocol is also naturally immune to repudiation attacks. The probability of a successful forgery is limited by where $H_P$ is the unknown information of a $P$-bit subgroup generated in the distribution stage, and can be estimated by parameters of BB84-KGP.

Colluding attack
Colluding attacks are the most serious problem in decentralized quantum digital signatures involving multiple participants [51]. A colluding attack means that there are more than two malicious nodes colluding together to disturb the normal functioning of a system. In our quantum Byzantine agreement, due to complete decentralization, colluding attacks appear as the number of malicious nodes increases. In a three-party QDS, if the sender and forwarder are dishonest, they can collude together to make another node believe the forged message and the corresponding signature. In the broadcasting phase of our QBA protocol, this will lead to inconsistency of the delivered messages of the two adjacent multicast rounds without prejudice to the rule of coherence, as we can see in Lemma 1 and Lemma 2. It allows dishonest players to deliver inconsistent messages in the system only under colluding attacks.

Appendix C: Security analysis
In our QBA protocol, the performance of honest (dishonest) players follows the same rule. Therefore, the players can be divided into two groups, the honest and dishonest. Also, the elements of a gathering list can be divided in the same way. Therefore, we can simplify the protocol with a perfect binary tree model where one tree node represents the set of multicast rounds with honest or dishonest primaries. The left (right) child tree node represents the multicast rounds with honest (dishonest) primaries of the next depth. In what follows, when we say a tree node is honest (dishonest), it means that the primaries in this tree node are honest (dishonest). From this model we obtain the important Lemma 1 and Lemma 2.
Lemma 1 Suppose that B is a right child tree node of a parent node A who is honest, and C is the left child tree node of B. The messages delivered in C are consistent with those of A, which protects the consistency of the delivered messages.
Proof 1 As shown in Fig. 4(A), each primary of the honest node A multicasts m1 to the backups. In this case, the dishonest forwarders cannot forward any messages except m1 due to the unforgeability of the QDS, and each verifier receives m1. Then, the coherence check guarantees that each primary of dishonest B must deliver m1 to the honest forwarders in $\mathrm{MR}^{d+1}_{\zeta_A \to B}$. Therefore, the messages multicast by the honest primaries of C in $\mathrm{MR}^{d+2}_{\zeta_A \to B \to C}$ are m1, where $\zeta_A$ marks the route before and containing A.
Lemma 2 Suppose that B is a right child tree node of a parent node A who is honest, and E is the right child tree node of B. The message multicast in E can be inconsistent with those of A, which disrupts the consistency of the delivered messages.
Proof 2 As shown in Fig. 4(B), each primary of the honest node A multicasts m1 to backups. Then, each primary of the dishonest node B can only deliver m1 to the honest backups. However, the primaries of the dishonest B can execute the colluding attack together with the dishonest forwarders, and they can deliver any conflicting messages to the verifiers. After forwarding the different messages, these dishonest forwarders in $\mathrm{MR}^{d+1}_{\zeta_A \to B}$ ($\zeta_A$ marks the route before and containing A), who are also the dishonest primaries of E, can multicast these conflicting messages without compromising consistency. The consistency of the delivered messages is completely disrupted.
By Lemma 1 and Lemma 2, we find that on the route that avoids consecutively choosing the right child, the consistency of the delivered messages can be protected in the broadcasting phase. With this idea, we denote a special route as a safe path in the binary tree as follows.
Definition 1 The safe tree node, denoted by P, is defined as the first honest tree node in the message delivery route from the top to the bottom layer, as shown in Fig. 5(A). Note that in the safe tree node, at least half of the backups are honest. Then, we continuously choose the left child node layer-by-layer until we reach an intermediate tree node. The intermediate node is defined as the tree node that has an equivalent number of honest and dishonest backups of depth d, denoted by Q. As shown in Fig. 5(C), from the intermediate tree node Q (depth d), we choose the right child K of Q (d + 1), the left child J of K (d + 2), the right child T of J (d + 3), the right child of T (d + 4), and so on. That is, the right and left child tree nodes are chosen in turn layer-by-layer until the ending tree node O of the penultimate depth is reached. This path from the safe tree node P, passing through the intermediate tree node Q, to reach the ending tree node O is defined as the safe path.


Lemma 3 The safe path ensures that the honest players in the safe tree node can reach consensus on their outputs.
Proof 3 In the broadcasting phase, by Lemma 1, the consistency of the message from the safe node's primaries can be protected. Considering one of the rounds of the safe tree node, the honest primary multicasts the message m1. For simplicity, the following discussion only analyses the route starting with this round. The analysis for the other rounds of the safe node is similar. On the safe path, the honest players in the subsequent rounds will receive and then multicast the message m1.
In the gathering phase, the message deducing process analyzed below demonstrates the consistency of the final outputs. From the safe tree node P to the intermediate tree node Q, more than half of the elements from the left (honest) child node appear in the gathering lists of each tree node. From the intermediate tree node Q to the ending tree node, if a tree node is honest, then in each gathering list of this node, the number of elements from the left child node is the same as that of the right child; if a tree node is dishonest, then in each gathering list of this node, the honest child node contributes one more element than the dishonest child node. Note that the output of each tree node in the safe path is determined by the tree nodes that are also on the safe path. Thus, all other branches in the binary tree can be ignored.
Our aim is to prove that in each tree node from the ending tree node to the safe tree node, more than half of the elements of each gathering list are always consistent, and thus the outputs of each node are always consistent during the recursion gathering process. We consider the two situations in Fig. 6: (A) the ending tree node O is honest, and (B) the ending tree node O is dishonest. We denote the left (right) child tree node of O as $O_L$ ($O_R$).
(a) The ending tree node O is honest. We first analyze the outputs from the initial gathering lists of $O_L$ and $O_R$. The message of $O_L$ is m1, which is also the message that is multicast in the safe node. In the bottom layer, each backup has the same gathering list where all the elements are m1, which is obtained directly from the bottom broadcasting list. Thus, the honest backups of $O_L$ have the same output. The primaries of $O_R$ multicast m1 to the honest backups. Since the honest backups contribute one element more than the dishonest backups in each gathering list, message m1 is the majority. Thus, each honest backup of $O_R$ has the same output m1. That is, the outputs from $O_L$ and $O_R$ are all m1. Then, the honest backups of the ending tree node O have the same output deduced from their consistent gathering lists.
Considering the consistent outputs of the ending tree node, consistency can always be held on the safe path. Suppose that node U is the dishonest parent tree node of O at d = f − 2. The output of each gathering list of U is determined by elements from O. Thus, the outputs are also m1. On the safe path, the parent tree node of U has at least half of the elements, which are m1, in each gathering list. Moreover, for a certain backup's gathering list, there is also one element from the backup himself or herself, which is the message he or she received directly from the corresponding primary. This element is also m1 by Lemma 1. Therefore, more than half of the elements in each gathering list are m1, and the output is m1. Following the above process until the intermediate tree node Q is reached, we can see that all the outputs of the tree nodes on the safe path are m1. Finally, the honest backups of node Q have the same output m1.
In the tree nodes from P to Q, for each gathering list, more than half of the elements are m1. Finally, in the safe tree node P, all honest players in each round will reach consensus.
(b) The ending tree node O is dishonest. The output of O is determined by the elements from $O_L$. We find that these elements are all m1 since $O_L$ is honest. Thus, the backups in the ending tree node O have the same output m1. Similar to the analysis in (a), each backup of the intermediate node Q outputs m1. Therefore, all the honest players in the safe tree node P have consistent outputs m1.
Theorem 1 For an n-player system with f malicious players, our QBA protocol can reach consensus with a fault tolerance of N ≥ 2f + 1.

Proof 4 We start with N = 2f + 1. We analyze it according to whether the initial primary is honest or dishonest.
(a) The initial primary is honest. By Definition 1, the root tree node is not only the safe tree node but also the intermediate tree node. By Lemma 3, all honest players in the initial round can reach consensus, which satisfies the Byzantine conditions IC$_1$ and IC$_2$.
(b) The initial primary is dishonest. As shown in Fig. 5(B), the dishonest initial primary S can arbitrarily deliver different messages to different forwarders at depth 1. At depth 2, the left (honest) child tree node is a safe tree node that starts a safe path. The primaries of the right (dishonest) child tree node M can execute colluding attacks and deliver conflicting messages as described in Lemma 2. The left child tree node P′ of M is another safe tree node that starts another safe path. Similarly, the tree node P″ is also a safe tree node that starts another safe path, and so on.
One of the honest player's outputs in the initial round is m 1 By Proof 3, although the outputs of the tree node P may be different, the honest players reach consensus on each of these outputs since P is a safe tree node. Thus, in the gathering list $G^1_S$, the f + 1 elements from the safe tree node P are consistent among the honest backups. Next, we discuss the f − 1 elements of the list $G^1_S$ from node M, as shown in Fig. 5(B). Similar to the above process, we can find that all honest backups reach consensus on the f elements from the safe tree node P′, so we must consider the f − 2 elements of the list $G^2_{S \to B}$ from node V, and so on. After we continuously choose the right child tree node at the next depth, the dishonest backups of the tree nodes will continuously be reduced by one while the number of honest backups will not change. When we reach depth f, in the dishonest leaf node, only the primary is dishonest and all the backups are honest. Thus, there are no colluding attacks. Although the outputs of different rounds may be different, the backups of the same round can obtain consistent outputs. In the dishonest parent of this leaf node, each gathering list has one element from this dishonest leaf node (right child node) and f − 1 elements from the honest leaf node (left child node). The left child node is also a safe node and these f − 1 elements are also consistent. Thus each honest backup of this dishonest parent tree node also obtains a consistent output. Following the above recursion process, we find that the honest backups in each round of the above path always have the same gathering lists. The consistent outputs from each safe node indirectly or directly lead to the eventual consistency of the elements that make up each gathering list of d = 1. In the initial round, the elements in a list may be different from each other, but the gathering lists of the honest players are the same, regardless of the messages delivered by the dishonest primary. Finally, all the honest players reach consensus and output consistent messages, which satisfies the condition IC$_2$.
In summary, we prove that our protocol can satisfy the two Byzantine conditions, IC$_1$ and IC$_2$, to reach Byzantine agreement when N ≥ 2f + 1.
If N ≤ 2f, then the safe paths appear too late in the binary tree model. The consistency of the delivered messages cannot be guaranteed in the tree nodes before the safe path. For example, when N = 2f and the initial primary is honest, the root tree node is honest, but the number of honest backups is f − 1 and the number of dishonest backups is f. Therefore, the root tree node is no longer a safe tree node. In fact, the minimum depth at which we can find a safe tree node is d = 4 in the binary tree. There are two safe nodes, denoted as $P_1$ and $P_2$, that begin their safe paths at d = 4. $P_1$ and $P_2$ can be found by the following steps. $P_1$: After choosing the right child tree node twice, the left tree node at depth 4 is $P_1$. $P_2$: First choosing the left child of the root tree node, and then choosing the right tree node, finally the left tree node at depth 4 is $P_2$. By Lemma 2, the message multicast in $P_1$ can conflict with the message delivered by the initial primary. Suppose the messages multicast by the initial primary are m1 and the conflicting messages delivered by dishonest players are m2. Then the backups of tree node $P_1$ will consistently output m2. The backups of the tree node $P_2$ will still consistently output m1. After several rounds of counting, the numbers of messages m1 and m2 in his or her own gathering list for the initial round are f − 1 and f, respectively. Then, all the honest backups in the initial round will output m2, while the honest initial primary outputs m1. Therefore, they cannot reach consensus. When N < 2f, the situation will undoubtedly worsen.
Appendix D: Experiment

Experimental details
We experimentally implement the three-party consensus utilizing GC01-QDS [41], OTUH-QDS [53], and OTUH-QDS without perfect keys [54], respectively, and implement the five-party consensus with OTUH-QDS. Here, we utilize the four-intensity decoy-state BB84 key generation process for the three QDS protocols [56]. There are five independent users S and $R_i$ (i = 1, 2, 3, 4) located at five different buildings, A, B, C, D and E in Fig. 7A, respectively. The correlated quantum keys of different pairwise users are pre-distributed in the laboratory via a fibre spool. The five users bring their own secret keys. The main parameters of these ten links in the five-party consensus using BB84 OTUH-QDS are shown in Fig. 7B. We choose players S, $R_1$ and $R_2$ to perform three-party consensus and choose all five nodes to perform five-party consensus. The decentralized digital ledger on which the users reach consensus in the experiment is shown in Fig. 8. The digital ledger is converted into a binary string of bits. We denote this correct message as m1, and the incorrect messages as m2, m3, and so on.
Next, we give the details of the experimental setup used to generate the secret keys, as shown in Fig. 7C. The master laser generates phase-randomized 1.6 ns-wide laser pulses with a repetition rate of 100 MHz at 1550.12 nm. The system frequency is 100 MHz, but due to the 400 ns dead time every 10 µs, the effective frequency of optical pulses is 96 MHz. Two pairs of pulses with relative phases 0 and π at a 2 ns time delay generated by an asymmetric interferometer are injected into two slave lasers through the optical circulator, respectively. By controlling the trigger electrical signal of two slave lasers, Alice randomly prepares quantum states in the Z (time) and X (phase) bases by using 400 ps-wide slave laser pulses. The programmable delay chip with a 10 ps timing resolution is used to calibrate the time consistency. The spectral consistency is naturally satisfied because of the laser seeding technique [66]. A 50 GHz nominal bandwidth fiber Bragg grating is used to remove extra spurious emission and precompensate for the pulse broadening in the fiber transmission. The 2 ns-wide synchronization pulses with repetition rates of 100 kHz are transmitted via the quantum channel using multiplexed wavelength division. The intensities are set as µ = 0.40, ν = 0.20, ω = 0.4 and 0 with the corresponding probabilities $p_\mu$ = 0.60, $p_\nu$ = 0.20, $p_\omega$ = 0.15 and $p_0$ = 0.05, respectively. If the trigger signal is not provided to the slave laser, the vacuum state is generated. The amplitude modulator generates two different intensities, and the intensity of ω is double that of ν (ω = 2ν) since it has two pulses in the X basis.
At the receiving end, a 30:70 biased beam splitter is used to perform passive basis detection after a wavelength division demultiplexer. A probability of 30% is measured in the phase basis and the probability of 70% is used to receive in the time basis. A Faraday-Michelson interferometer is used for the phase measurement, in which phase drift is compensated in real time by using the phase shifter. The total insertion losses of the time and phase bases are 4.25 and 8 dB, respectively. The efficiency of single-photon detectors is 20% at 160 dark counts per second. To decrease the after-pulse probability, we set the dead times to 10 µs for the links.
FIG. 8. The digital ledger for transmission in the experiment. We convert the digital ledger into a binary string of bits. The binary string of bits is the actual message we transmit in the experiment. We denote the correct string as m1, and denote the conflicting messages delivered by dishonest players as m2, m3 and so on.

$\overline{x}$ ($\underline{x}$) denotes the upper (lower) bound of the observed value x. Using the decoy-state method for finite sample sizes, the expected number of vacuum events $s^{zz*}_0$ and single-photon events $s^{zz*}_1$ can be expressed as and respectively. Here $n^{z(x)}_k$ is the count of k (k ∈ {µ, ν, ω}) intensity pulses measured in the Z (X) basis, and $x^*$ is the expected value of observed value x. We use the variant of the Chernoff bound [67] to obtain the lower and upper bounds, , where $\beta = \ln\frac{22}{\varepsilon}$. The expected value of the number of single-photon events $s^{xx*}_1$ in $\chi_\omega$ can be given by where γ U (n, k, λ, ) =
a. Single-bit GC01-QDS
In BB84-KGP GC01-QDS, the unknown information to the attacker is given by where h(x) According to the H, we can obtain the signature rate where k = 96 MHz is the effective repetition rate, |m| is the length of the message, 2N is the minimum number of pulses required to securely sign a one-bit message according to the set security parameter.
b. OTUH-QDS
The length of the final key, which is $\varepsilon_{\mathrm{cor}}$-correct and $\varepsilon_{\mathrm{sec}}$-secret, can be expressed by [56] = s zz 0 +s zz (D7) and the signature rate of BB84-KGP OTUH-QDS can be expressed as where p = 128 and t is the time of sending pulses using 96 MHz repetition rate.

c. OTUH-QDS without perfect keys
In OTUH-QDS without perfect keys based on BB84-KGP, Alice and Bob (Alice and Charlie) form the $n_Z$-length raw key bit from the random bits under the Z basis. We can estimate parameters in a selected P-bit group, i.e., the lower bound of number of vacuum events and single-photon events under the Z basis $s^{zz}_{0,P}$ and $s^{zz}_{1,P}$, and the upper bound of the phase error rate of the single-photon events in the Z basis φ According to the $H_P$ and the set security parameter, we can obtain the signature rate where P is the minimum number with the condition satisfied, where is upper bound of the failure probability of the QDS protocol.

Results
The schematic diagram of our protocol is shown in Fig. 9. According to the two Byzantine conditions, we consider the two situations in which the initial primary is honest and dishonest. All honest players can obtain consistent outputs regardless of whether the initial primary is honest. Especially when the initial primary is honest, all honest users can obtain the correct outputs m1. The experimental results are shown in Fig. 10. The main program of our protocol including classical communication and computation is realized based on GoLand. Each participant independently executes the program on their own personal computer and reaches the consistent output independently. The environment of each player is in OS Win 10, CPU i7-1165G7 @ 2.80 GHz, RAM 16.0 GB. Additionally, we provide the pseudocode for our protocol according to the broadcasting and gathering phases, as shown in Algorithm 1 and Algorithm 2. Below we will illustrate the experimental results and their deducing process in detail.
(a) The commanding general S is honest in three-party consensus. There is only one malicious player $R_2$ (f = 1) and there is only one layer d = 1 in the three-party consensus. In $\mathrm{MR}^1_S$, S sends correct message m1 via the multicast process. $R_1$ records m1 when he (she) acts as a forwarder, and records m1 received from $R_2$ when he (she) acts as a verifier. The malicious node $R_2$ must honestly forward m1 when he (she) acts as a forwarder because of the unforgeability of QDS. Hence, as shown in Fig. 10A, the gathering list of honest $R_1$, which is also the broadcasting list, is , which is consistent with the initial message sent by the honest primary S. This result satisfies IC$_1$.
(b) The commanding general S is dishonest in three-party consensus. There is only one malicious player S (f = 1) and there is only one layer d = 1 in the three-party consensus. In $\mathrm{MR}^1_S$, S sends conflicting messages m1 and m2 to honest $R_1$ and $R_2$, respectively, via the multicast process. $R_1$ records m1 when he (she) acts as a forwarder, and records m2 received from $R_2$ when he (she) acts as a verifier. $R_2$ records m2 when he (she) acts as a forwarder, and records m1 received from $R_1$ when he (she) acts as a verifier. Hence, as shown in Fig. 10B, the gathering list of honest $R_1$, which is also the broadcasting list, is G

The output in the multicast round with primary
The results of the multicast processes at depth d = 2 are shown in Fig. 10D. In $\mathrm{MR}^2_{S \to R_1}$, because of the honest primary $R_1$ and Lemma 1, everyone must forward the correct message m1, and the broadcasting list of honest $R_2$ is $B^{2,R_2}_{S \to R_1}$ = {m1, m1, m1}. In $\mathrm{MR}^2_{S \to R_2}$, because of the honest primary $R_2$ and Lemma 1, everyone must forward the correct message m1, and the broadcasting list of honest $R_1$ is B where the message $m^{2,R_1}_{S \to R_1}$ is directly received from S when $R_1$ acts as the forwarder.
$R_1$ deduced that $m^{2,R_1}_{S \to R_2}$ is the message that $R_2$ received from S, $m^{2,R_1}_{S \to R_3}$ is the message that $R_3$ received from S, and $m^{2,R_1}_{S \to R_4}$ is the message that $R_4$ received from S. Then, $m^{2,R_1}_{S \to R_1}$, $m^{2,R_1}_{S \to R_2}$, $m^{2,R_1}_{S \to R_3}$ and $m^{2,R_1}_{S \to R_4}$ constitute the gathering list of $R_1$ at depth d = 1, where G where the message $m^{2,R_2}_{S \to R_2}$ is directly received from S when $R_2$ acts as the forwarder.
$R_2$ deduced that $m^{2,R_2}_{S \to R_1}$ is the message that $R_1$ received from S, $m^{2,R_2}_{S \to R_3}$ is the message that $R_3$ received from S, and $m^{2,R_2}_{S \to R_4}$ is the message that $R_4$ received from S. Then, $m^{2,R_2}_{S \to R_1}$, $m^{2,R_2}_{S \to R_2}$, $m^{2,R_2}_{S \to R_3}$ and $m^{2,R_2}_{S \to R_4}$ constitute the gathering list of R where the message $m^{2,R_1}_{S \to R_1}$ is directly received from S when $R_1$ acts as the forwarder.
$R_1$ deduced that $m^{2,R_1}_{S \to R_2}$ is the message that $R_2$ received from S, $m^{2,R_1}_{S \to R_3}$ is the message that $R_3$ received from S, and $m^{2,R_1}_{S \to R_4}$ is the message that $R_4$ received from

4. Verify and record: Forwarder $R_j$ and verifier $R_k$ verify the message and corresponding signature. When both of them accept, the signature is successful and they add this valid message $m^d_\zeta$ to their own broadcasting lists $B^{d,R_j}_\zeta$ and $B^{d,R_k}_\zeta$ d ζ , the gathering list held by the lieutenant $R_i$, denoted as $G^{d,R_i}_\zeta$, is used for $R_i$ to deduce the message delivered by the primary of $\mathrm{MR}^d_\zeta$. In the bottom layer d = f, $R_i$ directly sets his or her own gathering list to $G^{f,R_i}_\zeta$, $m^{f,R_i}_\zeta$ becomes an element of the gathering list of d = f − 1. Considering the general case where 1 ≤ d < f, all elements of $R_i$'s gathering list $G^{d,R_i}_\zeta$ are deduced from the lists $G^{d+1,R_i}_{\zeta \to R_p}$ in multicast round $\mathrm{MR}^{d+1}_{\zeta \to R_p}$ ($R_p$ visits all players who do not appear in route ζ). When p = i, this element is directly set as the message that $R_i$ received from the primary in $\mathrm{MR}^d_\zeta$. With the recursive process, the gathering phase ends when d = 1, and then $R_i$ outputs $m^{1,R_i}_S$ = majority($G^{1,R_i}_S$) as the final decision. Note that the broadcasting lists record the messages that the lieutenants themselves actually received during the broadcast phase, and the gathering lists record the messages that the lieutenants deduced according to the information of the previous depth. Only when d = f are the gathering lists the same as the broadcasting lists, i.e., $G^{f,R_i}_\zeta = B^{f,R_i}_\zeta$.

FIG. 2. Experimental implementation. The five players bring their own pre-distributed correlated quantum keys to five different buildings, and then perform the classical operations of the messaging stage. A-S, B-R1, C-R2, D-R4 and E-R5. In the messaging stage, the messages and corresponding signatures can be transmitted via authenticated classical channel.

$\mathrm{Dig}_1 = H_{pq} \cdot m$, and $I_a$ is a p-bit string for generating the irreducible polynomial in the LFSR-based Toeplitz matrix. Then, Alice encrypts the digest with her key bit string $Y_a$ to obtain the 2p-bit signature $\mathrm{Sig} = \mathrm{Dig} \oplus Y_a$. She sends the document and signature {Sig, m} to Bob.
(ii) Forwarding - Bob transmits {Sig, m} as well as his key bit strings {$X_b$, $Y_b$} to Charlie to inform Charlie that he has received the signature. Then, Charlie forwards his key bit strings {$X_c$, $Y_c$} to Bob. Bob obtains two new key bit strings {$K_{X_b} = X_b \oplus X_c$, $K_{Y_b} = Y_b \oplus Y_c$} by the XOR operation.
(iii) Verification - Bob exploits $K_{Y_b}$ to obtain an expected digest and a string $I_b$ via XOR decryption. He utilizes $K_{X_b}$ and $I_b$ to establish an LFSR-based Toeplitz matrix and acquires an actual digest via a hash operation. Bob will accept the signature if the actual digest is equal to the expected digest. Then, he informs Charlie of the result. If Bob announces that he accepts the signature, Charlie creates two new key bit strings {$K_{X_c} = X_b \oplus X_c$, $K_{Y_c} = Y_b \oplus Y_c$} using his original key and the key sent by Bob. He employs $K_{Y_c}$ to acquire an expected digest and a variable $I_c$ via XOR decryption. Charlie obtains an actual digest via a hash operation, where the hash function is an LFSR-based Toeplitz matrix generated by $K_{X_c}$ and $I_c$. Charlie accepts the signature if the two digests are identical.
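The signing, forwarding and verification steps of OTUH-QDS described above, as an added Python sketch that is not code from the paper. It assumes that the columns of the Toeplitz matrix are successive states of a Fibonacci LFSR seeded with the X key and fed back through I(x) (the page does not fix the bit ordering used in [65]), and it replaces the QKD-distributed keys and the quantum random number with constructed values from `secrets`; all function names are hypothetical.

```python
import secrets

def parity(v):
    """Parity (XOR of all bits) of a non-negative integer."""
    return bin(v).count("1") & 1

def mulmod(a, b, f, p):
    """Product a*b of GF(2) polynomials modulo f, deg f = p (ints as bit vectors)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> p:                          # degree reached p: reduce by f
            a ^= f
    return r

def polygcd(a, b):
    """Greatest common divisor of two GF(2) polynomials."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a

def is_irreducible(f, p):
    """Rabin's irreducibility test for a degree-p polynomial f over GF(2)."""
    primes = [q for q in range(2, p + 1)
              if p % q == 0 and all(q % r for r in range(2, q))]
    checkpoints = {p // q for q in primes}
    t = 2                                   # the polynomial x
    for k in range(1, p + 1):
        t = mulmod(t, t, f, p)              # t = x^(2^k) mod f
        if k in checkpoints and polygcd(f, t ^ 2) != 1:
            return False
    return t == 2                           # x^(2^p) == x (mod f)

def random_irreducible(p):
    """I_a: the p low-order coefficients of a random irreducible I(x) = x^p + ... + 1."""
    while True:
        low = secrets.randbits(p) | 1       # constant term 1, else x divides I(x)
        # an even number of terms would make I(x) divisible by x + 1
        if parity(low) == 0 and is_irreducible((1 << p) | low, p):
            return low

def lfsr_toeplitz_hash(key, coeffs, msg_bits, p):
    """Dig_1 = H_pq . m over GF(2); column j of H_pq is the LFSR state after j steps."""
    state, digest = key, 0
    for bit in msg_bits:
        if bit:
            digest ^= state
        feedback = parity(state & coeffs)
        state = (state >> 1) | (feedback << (p - 1))
    return digest

def sign(msg_bits, x_a, y_a, p):
    """Alice: Sig = (Dig_1 || I_a) xor Y_a."""
    i_a = random_irreducible(p)
    dig = (lfsr_toeplitz_hash(x_a, i_a, msg_bits, p) << p) | i_a
    return dig ^ y_a

def verify(msg_bits, sig, k_x, k_y, p):
    """Bob or Charlie: decrypt with K_Y, rebuild the hash from K_X and the received I."""
    dig = sig ^ k_y
    expected, i_recv = dig >> p, dig & ((1 << p) - 1)
    return lfsr_toeplitz_hash(k_x, i_recv, msg_bits, p) == expected

def to_bits(data):
    """Bytes to a list of bits, most significant bit first."""
    return [int(b) for byte in data for b in format(byte, "08b")]

def demo(p=128):
    # Constructed stand-ins for the QKD keys shared in the distribution stage.
    x_b, x_c = secrets.randbits(p), secrets.randbits(p)
    y_b, y_c = secrets.randbits(2 * p), secrets.randbits(2 * p)
    x_a, y_a = x_b ^ x_c, y_b ^ y_c                  # Alice's keys by XOR
    m = to_bits(b"ledger entry: S pays R1 5 units")  # constructed sample document
    sig = sign(m, x_a, y_a, p)
    # Forwarding: Bob and Charlie swap key strings, so both can form K_X and K_Y.
    k_x, k_y = x_b ^ x_c, y_b ^ y_c
    genuine = verify(m, sig, k_x, k_y, p)
    altered = m.copy()
    altered[-1] ^= 1                                 # one flipped document bit
    tampered = verify(altered, sig, k_x, k_y, p)
    # Keys that violate X_a = X_b xor X_c (one wrong bit): verification fails.
    wrong_key = verify(m, sig, k_x ^ 1, k_y, p)
    return genuine, tampered, wrong_key

if __name__ == "__main__":
    print(demo())
```

The signature is only as good as the one-time keys: each (X, Y) pair must be used for a single document, since the XOR encryption of the digest is a one-time pad.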

FIG. 5. The perfect binary tree model of our protocol and the safe path. The green (orange) nodes in the tree represent the multicast rounds with honest (dishonest) primaries. Beside each node, the left number indicates the number of honest backups of this tree node, and the right number indicates the number of dishonest backups. The safe paths are represented by the red arrows. (A) and (B) illustrate the safe path before reaching the intermediate tree node. (A) The case in which the initial primary is honest. By the definition of a safe path, the honest initial primary is a safe node, denoted by P, and there is only one safe path in the whole process. (B) The case where the initial primary is dishonest and there is more than one safe path. The safe tree nodes are denoted by P, P′, P″ and so on. (C) Illustration of the part of the safe path from the intermediate tree node Q to the ending tree node. The other tree nodes in the safe path are denoted by K, J, T and so on.

FIG. 7. Overview of experimental implementation. A. The five users are located in different buildings of Nanjing University. Each of them independently owns the quantum keys pre-distributed in the laboratory via four-intensity decoy-state quantum key generation processing; the keys are used for the subsequent QDS processes in our QBA protocol. The users perform our QBA protocol to reach consensus for a decentralized digital ledger. B. Main parameters of the quantum key generation links used in the laboratory for the five-party consensus experiment. QBER: quantum bit error rate. C. Experimental setup of the four-intensity decoy-state quantum key generation system with a time-phase encoding. We take node A and B as an example. A uses a master laser, two slave lasers and an asymmetric interferometer to prepare optical pulses in the Z and X bases. An intensity modulator is used for the decoy-state modulating. Before passing through a set of filters, a monitor and an attenuator are utilized to regulate the photon number per pulse. B uses a biased beam splitter for the passive basis detection. The pulses either go directly to the time detector or pass through an asymmetric interferometer. A synchronization signal is distributed from node A to B through a wavelength division multiplexed quantum channel. BS: beam splitter; Circ: circulator; IM: intensity modulator; FBG: fibre Bragg grating; Att: attenuator; DWDM: dense wavelength division multiplexer; FM: Faraday mirror; PS: phase shifter; SPD: single-photon detector.
(D3) Additionally, the expected number of bit errors $t^{xx*}_1$ associated with the single-photon event in $\chi_\omega$ is $t^{xx}_1 \le m^x_\omega - t^{xx}_0$, where $t^{xx}_0 = \frac{e^{-\omega} p_\omega}{2 p_0} n^{x*}_0$. For a given expected value $x^*$, the upper and lower bounds of the observed value are given by $\overline{x} = x^* + \frac{\beta}{2} + \sqrt{2\beta x^* + \frac{\beta^2}{4}}$ and $\underline{x} = x^* - \sqrt{2\beta x^*}$, respectively. Using random sampling without replacement, the phase error rate in the Z basis is

FIG. 9. Schematic diagram of the protocol. A. The broadcasting phase and gathering phase. The initial primary is S and the other players are denoted as $R_i$, for i = 1, 2, ..., n − 1. In the broadcasting phase, the message is broadcast layer by layer via multicast rounds at different depths until d = f. The number of players participating in each multicast round at depth d is n − d + 1. In the gathering phase, each player $R_i$ independently deduces the messages layer-by-layer from the lowest to highest depth until d = 1 and then outputs the final outcome $m_S$. B. Flow chart of the broadcasting phase and gathering phase. Note that the initial value of d in the flow chart is set as d = 0.

FIG. 10. Experimental results for three-party and five-party consensus. We use 'F' to represent 'forwarder' and 'V' to represent 'verifier' in the tables of lists. Each column of a table is a broadcasting list for the corresponding player. In the bottom layer d = f, $R_i$ sets his or her gathering list as $G^{f,R_i}_\zeta = B^{f,R_i}_\zeta$ and performs the gathering phase to deduce the final output. A. The multicast rounds of d = 1 in three-party consensus with an honest primary. B. The multicast rounds at d = 1 in three-party consensus with a dishonest primary. ∆ = majority(m1, m2). C (D). The multicast rounds at d = 1 (d = 2) in five-party consensus with an honest initial primary. E (F). The multicast rounds at d = 1 (d = 2) in five-party consensus with a dishonest initial primary. ∆1 = majority(m41, m42, m43) and ∆2 = majority(m1, m2, m3, ∆1).

TABLE I. Comparison between our work and detectable QBA framework. D-QBA: Detectable QBA. N/A: not applicable. IC1 & IC2: two interactive consistency Byzantine conditions.

TABLE II. Protocol Definition.
Results of the three-party consensus. We use 'F' to represent 'forwarder' and 'V' to represent 'verifier'. Each column of a table is the broadcasting list for the corresponding player. (a) The multicast round at d = 1 with honest S.