Resource analysis for quantum-aided Byzantine agreement with the four-qubit singlet state

In distributed computing, a Byzantine fault is a condition where a component behaves inconsistently, showing different symptoms to different components of the system. Consensus among the correct components can be reached by appropriately crafted communication protocols even in the presence of byzantine faults. Quantum-aided protocols built upon distributed entangled quantum states are worth considering, as they are more resilient than traditional ones. Based on earlier ideas, here we establish a parameter-dependent family of quantum-aided weak broadcast protocols. We compute upper bounds on the failure probability of the protocol, and define and illustrate a procedure that minimizes the quantum resource requirements. Following earlier work demonstrating the suitability of noisy intermediate scale quantum (NISQ) devices for the study of quantum networks, we experimentally create our resource quantum state on publicly available quantum computers. Our work highlights important engineering aspects of the future deployment of quantum communication protocols with multi-qubit entangled states.

In distributed computing, a Byzantine fault is a condition where a component behaves inconsistently, showing different symptoms to different components of the system.To reach consensus among the correctly functioning components, communication protocols robust to such faults must be used.
An early example of such protocols was developed by Pease et al. [1], where consensus is provided if t < n/3, where n is the number of components in the distributed system, and t is the maximum number of components exhibiting Byzantine fault.For example, if the maximum number of faulty components is 1, then at least 4 components are needed to reach consensus.We will refer to this property of the protocol as resilience.In fact, an important impossibility theorem (see, e.g., Sec.5.4 of [2]), in the framework of a standard classical model, incorporating pairwise authenticated classical communication between the components (called M aut in Ref. [2]), restricts the existence of broadcast protocols to t < n/3.
In addition to resilience, communication protocols also possess other essential properties known as bit complexity and round complexity.Bit complexity pertains to the number of communication cycles involved in the protocol, while round complexity refers to the length of messages transmitted during these cycles.Both of these properties play a critical role in the applicability of a communication protocol.For example, the protocol introduced in [1] terminates in t + 1 rounds but requires the components to send exponentially long messages during the communication cycles.The bit complexity of early protocols [1,3] has since been improved [4][5][6][7].
Quantum-aided 'weak broadcast' protocols developed in the past two decades, built upon distributed entangled quantum states [8] such as the four-qubit singlet state [9,10], are worth considering, as they surpass the above-mentioned classical impossibility theorem and hence offer a higher resilience: t faulty components are tolerated as long as t < n/2.For example, to be resilient against t = 1 faulty component, having n = 3 components is sufficient.
In this work, we build on those earlier ideas, and introduce a parameter-dependent family of quantumaided weak broadcast protocols that relies on an entangled four-qubit singlet state [9].In fact, we formalize the idea described in Sec.III. of Ref. [9], which yields this protocol family.Then, our main contributions are as follows.
(1) Proof.We prove the weak broadcast functionality of the protocol in a certain range of protocol parameters.The proof relies on considering the failure probability p f (m) as the function of the number m of resource states, and upper bounding this failure probability exponentially, that is, proving p f ≤ e −bm with a certain b > 0 as m → ∞.
(2) Tight upper bound for failure probability.We compute a tight upper bound to the failure probability of the protocol, as function of the number of quantum states used to broadcast a single classical bit.
(3) Resource optimisation.We use the tight upper bound to perform a resource optimisation, i.e., compute the answer to these questions: (i) For a given allowed failure probability, how to set the protocol parameters to minimise the number of resource states?(ii) What is the number of required resources states?
(4) Preparation of the four-qubit singlet state.Following earlier work demonstrating the suitability of noisy intermediate-scale quantum (NISQ) devices for the study of quantum networks [11], we experimentally create our resource quantum state on the public quantum-computer prototypes of IBM and IonQ, and characterise its state fidelity.
In a spirit similar to a recent study [12] of an alternative quantum-aided protocol [13], our analysis illustrates multiple engineering aspects of future deployment of such protocols in practice.
The rest of the paper is structured as follows.In Sec. 2, we define a two-parameter weak broadcast protocol based on the four-qubit singlet state.In Sec. 3, we prove the functionality of the protocol.In Sec. 4, we outline how to compute the tight upper bound for the failure probability, and discuss the resource optimisation protocol.In Sec. 5, we construct two four-qubit quantum circuits that can be used to generate the singlet state, and implement those circuits on IBM's quantum computer devices.We discuss our results and follow-up ideas, and draw conclusions, in Sec. 6.

A two-parameter Weak Broadcast protocol
Multi-party communication protocols exist for various functionalities.Two examples are broadcast and weak broadcast [2], which are defined and compared in App. A. In short, the broadcast functionality is achieved if data is distributed consistently among correctly functioning components, whereas weak broadcast allows for an 'abort' option at the receivers if the sender is an adversary.An important building block for more complex protocols is a weak broadcast protocol that is resilient up to one faulty component in the presence of 3 components.Following Ref. [2], we will denote such protocols as WBC (3,1).A key result of Ref. [2] is that WBC (3,1) can be used as a primitive, to efficiently build a broadcast protocol with n ≥ 3 components, resilient against any t < n/2 faulty components.This motivates us to define and study a protocol achieving WBC (3,1).In a distributed system with 3 components, the WBC (3,1) protocol has the following goal: the sender (S) wants to distribute a single bit x S ∈ {0, 1} of classical information to the two receivers R 0 and R 1 , in such a way that there is a consensus about the bit value even if one of the three components is an active adversary.More formally, in a WBC (3,1) protocol, the output of the receivers can take a value ⊥ (often called 'abort') besides 0 and 1, and the protocol should fulfill the conditions of 'Validity' and 'Consistency'.Validity means that if the Sender S is correct (i.e., exactly follows the prescribed protocol), then the output bit values of all correct components are equal to x S .Consistency means that if any correct component has an output y ∈ {0, 1}, then all other correct components should have an output from {y, ⊥}.(See a more detailed description in App.A.) The two-parameter WBC(3,1) protocol we define here is derived from similar protocols in earlier works [8][9][10].It prescribes communication between three components (S, R 0 , R 1 ) to achieve consensus in the sense of WBC(3,1) described above.The quantum resource of this protocol is a four-qubit singlet state [9]: In fact, we assume that to achieve WBC(3,1) with a single data bit, the parties have distributed m ∈ Z + four-qubit singlet states through public quantum channels such that the first two qubits are distributed to S, the third qubit is distributed to R 0 , and the last qubit is distributed to R 1 , as shown in Fig. 1a.(See Sec.6 for a brief discussion on the distribution.) In rough terms, the more four-qubit singlet states are used to broadcast one bit, the higher the probability of success; hence the integer m is a key quantity in assessing the performance of the protocol.
Having m singlet states distributed, the components perform measurements in the computational basis, each obtaining its own random list of bit values: S obtains m bit-pairs, while R 0 and R 1 obtain m bits each.An example for such a collection of random correlated bitstrings for m = 12 is shown in Fig. 1b, and the probability density function of the six possible outcomes of four-bit strings, derived straightforwardly from Eq. (1), is shown in Fig. 1c.We will refer to the six possible four-long bitstring outcomes as Elementary Events, and we will refer to a particular instance of this collection of random data, as shown in Fig. 1b, as an Event.In what follows, we will use Q j [α] to denote the measurement result of component j in its row α, where j ∈ (S, R 0 , R 1 ) ≡ (S, 0, 1) and α ∈ (1, 2, . . ., m) ≡ (a, b . . .).For example, in Fig. 1b, we see The Weak Broadcast protocol presented below has two real-valued parameters: 0 < µ < 1/3 and 1/2 < λ < 1.We anticipate that the protocol works well if µ and λ are close to their upper bound.
The Weak Broadcast protocol we propose is as follows.In all steps, the classical channels are assumed to be authenticated, and all the channels, the source of quantum states, and the measurements, are assumed to be perfect.
1. Invocation Phase.S sends the data bit (x S ) to be broadcasted to the other components.We denote the bits of the components R 0 and R 1 received as x 0 = x S and x 1 = x S .Now the Sender measures all its qubits (2 qubits in each distributed state) in the computational basis.For each qubit pair of S, if both measurements corresponding to state index α (see Fig. 1b) yielded x S , then S adds index α to its check set σ S .After assembling σ S , this check set is sent to both receivers.At this point, both receivers hold a bit value x j and a set σ j from the Sender.The Sender also sets its output to y S = x S .In the example of Fig. 1b, and assuming x S = 0, the check set is σ S = {b, e, f, i}.
2. Check Phase.Now both R 0 and R 1 check the consistency of their data received from S. For this, R j measures all of its qubits in the check set σ j , and if all the results differ from x j (Consistency Condition), and also the check set is large enough (Length Condition), then it accepts the message x j .For R 0 , this implies that it chooses its output to be y 0 = x 0 .For R 1 , it chooses the value of an intermediate variable ỹ1 = x 1 .The check set is large enough if the number of its elements is at least T ≡ ⌈µ • m⌉, where 0 < µ < 1/3.If R 0 finds that any of the two conditions is violated, then it sets its output to 'abort', y 0 =⊥.
If R 1 finds that any of the two conditions is violated, then it sets its intermediate value to 'abort', ỹ1 =⊥.

3.
Cross-calling Phase.R 0 sends to R 1 its output value y 0 and the check set σ 0 it received from S. R 1 receives these as y 01 and ρ 01 , respectively.We also provide a more compact and more formal definition of the protocol: The flowchart of the protocol can be seen in Fig. 2.
In what follows, we will use the label 'Weak Broadcast protocol' or simply 'Weak Broadcast' to denote the above protocol.The description above shows how the correct components behave.Our goal is to show that this protocol is secure for at most one faulty component in a certain range of the values of the parameters µ and λ.Roughly speaking (see below for the theorem), by security [2] we mean that the failure probability of the protocol, that is, the probability of not achieving weak broadcast, converges to zero as the number m of four-qubit singlet states is increased to infinity.Even though the Weak Broadcast protocol itself follows straightforwardly from earlier works [9,10], the security theorem and its proof has not been published before, to our knowledge.
We point out an important property of the above Weak Broadcast protocol, which is shared with similar earlier protocols [2,8,10,14].There is an asymmetry between the two Receivers R 0 and R 1 .In contrast to R 0 , R 1 never sends messages, thus it has no impact on the output of the other components.In particular, if R 1 is the faulty component, then the other two components will reach consensus and hence weak broadcast is guaranteed.Therefore, from now on we do not consider the case when R 1 is faulty; we restrict our attention to three other adversary configurations, which we will refer to as 'no faulty', 'S faulty', and 'R 0 faulty'.
Two key advantages of this protocol, with respect to other quantum-assisted protocols, are as follows.
(1) This protocol is based on qubits, in contrast to earlier ones based on multi-level qudits, e.g., [13,14].At this early stage of quantum communication technology, most of the experimental effort is focused on qubit-based protocols, hence we consider this as a significant advantage favoring the protocol we study.(2) The resource state of Eq. (1) is readily available experimentally [10] in terms of entangled, polarisationencoded photonic qubits, via spontaneous parametric down-conversion.

Security of Weak Broadcast
The Weak Broadcast protocol defined in Sec. 2 is based on Refs.[2,[8][9][10].Reference [2] provides a security proof of the weak broadcast protocol proposed therein.That protocol uses entangled three-qutrit states.In this work, we apply elements from there to construct a security proof for the above-defined Weak Broadcast protocol, which is based on four-qubit singlet states.Preliminaries and the theorem are presented in this section; for the proof we refer to App.E.
We start by specifying our framework.We assume that there is a complete network of pairwise authenticated classical channels among the three components, S, R 0 and R 1 .We also assume that this classical network is synchronous.In particular, (1) before the protocol, the components have already agreed on a common point in time when the protocol is to be started, and (2) all components operate according to a global clock and every message sent during a clock cycle (our protocol consists of 2 clock cycles) will arrive to the receiver by the end of the cycle.Recall also that we consider three adversary configurations: 'no faulty', 'S faulty', and 'R 0 faulty'.
Here, adversary or faulty component means an active adversary, which might act as a properly functioning component, but it might try to undermine the protocol by sending confusing information to the other components.In fact, we assume a conscious adversary following a rational strategy.We also assume that the adversary has only local information.In other words, each random bit generated from the four-qubit singlet states by a local measurement, see Fig. 1b, is known only for the component that has performed the measurement.
We also assume that there is a quantum source that distributes the four-qubit singlet states to the components as shown in Fig. 1.This distribution happens before the measurements required for the communication steps of the Weak Broadcast protocol are performed.
The protocol we describe above is a probabilistic one, since it is based on measurements of a quantum state that is the superposition of the measurement basis states.The number m of four-qubit singlet states consumed in the protocol is a parameter of the protocol, and the probability of success and failure, defined through the conditions of Validity and Consistency above (see also App.A for more details) depends on m.We denote the failure probability with p f (m).Furthermore, we call the protocol secure, if the failure probability converges to zero (p f (m) → 0) as the number of consumed states tends to infinity (m → ∞).
After these preliminaries, we state the theorem claiming the security of Weak Broadcast: Theorem: For any parameter pairs (µ, λ) fulfilling 2/9 < µ < 1/3, and the failure probability p f (m) of the Weak Broadcast protocol, defined as Protocol 1 above, converges to zero as m → ∞.In particular, in all three adversary configurations, the failure probability is upperbounded as with a, b > 0.
The proof is found in App.E. The parameter range where our proof guarantees security is shown in Fig. 3. To enable the proof, we introduce the optimal adversary strategies in App.B and prove their optimality in App.D. Then, the proof in App.E is based on the knowledge of the optimal adversary strategies.
In the spirit of Refs.[2,8], we make a remark on the complexity of the protocol: Let R q and B q be the round and bit complexities of distributing and measuring a four-qubit singlet state.Then, the Weak Broadcast protocol with a failure probability of at most 0 < ϵ ≪ 1 requires a round complexity of R = R q + 2, and a bit complexitiy of B = O(log(1/ϵ))B q .
A natural question is if using secure classical channels instead of authenticated ones brings any advantage.Here we reason that the answer is no.If the Sender is the faulty component, then even if it can eavesdrop on the communication between R 0 and R 1 , that has no effect on the outcome of the protocol.Furthermore, if R 0 is the faulty component, then S is correct, hence S sends the very same information to both receivers.Therefore, R 0 eavesdropping on the communication between S and R 1 does not gain extra information for R 0 .These imply that authenticated classical channels where eavesdropping is possible are just as useful in this case as secure channels.

Resource optimization of the Weak Broadcast protocol
In this section, our first goal is to calculate a tight upper bound for the failure probability p f (m) of the Weak Broadcast protocol.This tight upper bound will be used to estimate the resource requirements of the protocol.In particular, we will estimate the number m of singlet states that are required to achieve weak broadcast with a small failure probability, say, 5%.This analysis is similar in spirit to Ref. [12], which was carried out for a different quantum-aided multi-party communication protocol [13].
First, we derive the tight upper bound of the failure probability of the Weak Broadcast protocol as function of µ and λ.We obtain analytical results, and cross-check those against Monte-Carlo simulations.Then, we optimize the protocol in the µ-λ parameter plane.That is, we identify the parameter values that require the least resources, i.e., the smallest number of four-qubit singlet states such that the failure probability is guaranteed to be below the desired failure probability threshold.

Tight upper bound for the failure probability -analytical results
We analyse the resource requirement of the Weak Broadcast protocol is as follows.We can fix the parameter values µ and λ, and the target failure threshold p f,t ; e.g., µ = 0.272, λ = 0.94, and p f,t = 0.05.The target failure threshold p t,f = 0.05 means that the user can tolerate at most 5% failure probability.This is an arbitrarily chosen small number here; we envision that in future applications of such probabilistic consensus protocols, the user must specify such a desired level of tolerance against statistical errors.The method we describe and exemplify here is applicable irrespective of the specific value of p f,t .In this setting, the resource requirement of the protocol is characterized by the minimal number m min (µ, λ, p f,t ) ∈ Z + of four-qubit singlet states required to suppress the failure probability p f below the threshold p f,t .
A natural way to compute m min would be to identify the optimal adversary strategies for the S faulty and R 0 faulty configurations, i.e. those strategies that maximize the failure probability.We do not complete this task here.Instead, we identify optimal incomplete strategies, which are incomplete in the sense that they provide a description of the adversary's behavior for certain Events but not for others.Using these optimal incomplete strategies, we can compute tight upper bounds on the failure probabilities p f (m), and can use those upper bounds to compute an upper bound m min,↑ of the minimal resource requirement.
For the no faulty configuration, we derive the exact result p To evaluate these analytical formulas, we carry out numerical summation.The results, for a fixed value of protocol parameters, are shown in the three panels of Fig. 4, corresponding to the three adversary configurations.See caption for parameter values.All three panels show that the failure probability p f exhibits a decreasing trend as we increase the number of fourqubit singlet states, as expected.From the data, we can read off the minimum number of states required to suppress the upper bound of the failure probability below p f,t = 0.05: these are 143, 246 and 280, respectively, for the three adversary configurations.Our upper bound m min,↑ of the minimal resource requirement of this protocol for p f,t = 0.05 is the maximum of those three integers, that is, m min,↑ = 280.In these simulations, we randomly generate, on a classical computer, the lists of correlated 4-bit strings measured by the components (i.e., the Events, see Fig. 1b).For the no faulty configuration, we evaluate for each random Event if the protocol leads to failure or weak broadcast.Then, we express the failure probability as the ratio N f /N of the number N f of failures and the number N of random Events.The resulting failure probability as function of m is shown as the red crosses in Fig. 4a.Data corresponds to N = 10, 000 random Events.
For the S faulty and R 0 faulty adversary configurations, our simulation corresponds to the upper-bound calculation described in the previous subsection.For example, for the S faulty configuration, we use the optimal incomplete strategy described in App.B, and do the following steps.(1) We generate a random Event.
(2) We check if the random Event is in the domain of the optimal incomplete strategy.(3a) If the Event is not in the domain, then we assume failure.(3b) If the Event is in the domain, then we evaluate the protocol such that S is acting according to its adversary strategy; this leads to either failure or weak broadcast.(4) After repeating these steps for N different random Events, we express the failure-probability upper bound as the ratio N f /N of the number N f of failures and the number N of random Events.These results are shown as the red crosses in Fig. 4b and c, for the S faulty and R 0 faulty configurations, respectively.Data corresponds to N = 10, 000 random Events.
In Fig. 4a, b, and c, the results of the Monte-Carlo simulations (red crosses) are in excellent agreement with the exact results (green circles).We interpret the small differences between the Monte-Carlo result and the exact result as statistical fluctuations of the Monte-Carlo result.For example, estimating the failure probability p = 0.2 from N = 10, 000 samples has a statistical error of p(1 − p)/N ≈ 0.4 %.

Optimization in the parameter space
In the previous subsections, we computed the resource requirements of the Weak Broadcast protocol for fixed values of the parameters µ and λ, and for a fixed value of the target failure threshold p f,t .A natural next step is the optimisation of the protocol: finding the optimal parameter values λ and µ, which minimize the resource requirements, such that it is guaranteed that the failure probability is kept below the target failure threshold p f,t .Even though we do not know the failure probabilities of the best adversary strate-gies, we do know tight upper bounds for the failure probability, using which we can carry out the optimization.In particular, we will minimize the function m min,↑ (µ, λ, p f,t ) in the (µ, λ) parameter plane, with the specific value of the target failure threshold p f,t = 0.05.We expect that future deployment of such communication protocols will require similar optimization procedures.
We perform this optimization in two steps, as follows.We use the analytical formulas discussed in section 4.1.For a rough optimization in the (µ, λ) parameter space, we consider the rectangle in Fig. 5a, and the grid of parameter pairs shown there.For each point (box) of the grid, we evaluate the failureprobability upper bound p ↑ (m) for m = 290, 300, and color the box as blue or green, respectively, according to the minimal m within this set where p f,↑ < p f,t = 0.05.This procedure results in the pattern in Fig. 5a, which suggest a finer optimization focusing on the area of the dark blue rectangle of Fig. 5a.Note that grey boxes correspond to parameter values µ, λ lying outside the green zone of Fig. 3.
The results of this finer optimization are shown in Fig. 5b.The procedure is analogous to the rough optimization, with the difference that here the set of m values is m = 270, 271, . . ., 300. Figure 5b reveals a 'sweet rectangle', a rectangle of points where using 280 four-qubit singlet states is sufficient to achieve weak broadcast with at most 5 % error.We emphasize that for an error threshold different from 5 %, this optimization must be repeated, and might yield different optimal values for the parameters µ and λ.

Robustness of the optimized protocol against physical errors
In the previous subsections, we assumed that the Weak Broadcast protocol functions perfectly, i.e., we neglected physical errors.Such errors are expected to increase the failure probability of the protocol; in this subsection, we estimate this increase.
To simplify the error analysis, we use a phenomenological error model, based on three key assumptions: (1) We assume that the process of generating and measuring the distributed four-qubit singlet state is affected by physical errors, and the effect of those is described by a modified measurement statistics over the 16 computational basis states, i.e., a noisy measurement statistics that is slightly different from the ideal one defined by Eq. (1).(2) We assume that a slight rearrangement of the measurement statistics among the six 'useful' computational basis states (those involved in Eq. (1)) is harmless, but 'leakage' of the noisy statistics to the 10 remaining 'useless' computational basis states is harmful.In particular, we call the probability weight of the noisy statistics on the useless states the noise strength q. (3) We assume a pessimistic scenario, where even a single leak- age event implies the failure of the protocol.
According to these assumptions, the failure probability of the protocol in the noisy case reads where P is the probability that there is at least one leakage event, which is expressed as: In Sec.4.3 we concluded that in order to reach a target failure probability p f,t = 5%, consuming m ≈ 300 four-qubit singlet states is sufficient.Consider now the situation that the user of the protocol can accommodate an extra 1% failure probability due to physical errors not taken into account so far.Based on Eq. (5), we find that the extra failure probability is kept below 1% as long as the noise strength fulfills q < 3.3 × 10 −5 .

Achievable failure probability in the presence of physical errors
In the ideal, noiseless case, for a fixed parameter point (µ, λ) in the green region of Fig. 3, the failure probability p f of the Weak Broadcast protocol tends to zero as m tends to infinity.This is no longer the case in the noisy case described by Eqs.(4) and (5), since P (q, m) expressed in Eq. ( 5) is a monotonically increasing function of m for 0 < q < 1.
However, since the estimate p n f for the noisy failure probability, see Eq. (4), is a sum of a decreasing and an increasing function of m (for a fixed q), it is reasonable to expect the existence of an optimal m where p n f is minimised.For example, µ = 0.272, λ = 0.94, and q = 10 −4 , we have numerically found a minimal failure probability of p n f = 5.5%, corresponding to an optimal number of four-qubit singlet states of m = 423.It is straightforward to incorporate this simple noise description into the optimisation process introduced in Sec.4.3.
To summarize, in this section, we have outlined and implemented resource optimization procedures for the Weak Broadcast protocol.This illustrates the engineering aspects of the deployment of future quantumaided distributed systems.Furthermore, we provided a simple noise analysis, which illustrated that a finite noise implies a nonzero achievable failure probability for the Weak Broadcast protocol.In other words: the noise strength has to be kept below an upper bound determined by the target failure probability.
5 Four-qubit singlet state on IBM Q and IonQ devices An important goal in the field of quantum communication is to advance the hardware technology and thereby to enable the practical deployment of quantum-aided multi-party communication [10,15,16].With this goal in mind, we studied the preparation of the resource states of the Weak Broadcast protocol, i.e., four-qubit singlet states, on NISQ hardware [17], namely using superconducting qubits of IBM Q [18] and trapped ion qubits of IonQ [19].
Both superconducting and trapped ion qubits have already been shown to be promising candidates for implementing quantum networks [11].Quantum network functionalities using superconducting qubits housed in spatially separated cryogenic systems have been experimentally demonstrated recently [20, 21], while scalable remote entanglement between trapped ions has been achieved via photon and phonon interactions [22-24], raising the hope that entangled states prepared on-chip on quantum processors can be used as resources in quantum networks.
In fact, one way to prepare a distributed four-qubit singlet state is to prepare it locally, and then make use of Bell pairs pre-shared via quantum links [20,21,23,24] to perform quantum teleportation to distribute the four-qubit state.For such a scheme, which, to our knowledge, has not yet been realised, an analysis of local state-preparation fidelity provides an upper bound of the fidelity of the distributed state.This motivates us to do experiments on state-of-the-art quantum computing hardware, composed of locally connected qubits, and test the precision of state preparation of the four-qubit singlet state.
In the rest of this section, we identify two quantum circuits that prepare the four-qubit singlet state and report the results of the state preparation experiments using those circuits.To characterize the quality of our experimental state preparation, we use three quantities.The first one is the classical fidelity F c , that is the fidelity between (i) the probability distribution P exp of bitstrings obtained experimentally by doing computational-basis measurements, and (ii) the ideal probability distribution P id of measured bitstrings, following from Eq. (1) and shown in Fig. 1c: The second figure of merit for state preparation is the quantum state fidelity F q .We obtain this by performing quantum state tomography at the end of the circuit, reconstructing the density matrix ρ exp from the experimental data, and evaluating the fidelity between this state and the ideal four-qubit singlet state ρ id = |ψ⟩ ⟨ψ|: The third figure of merit we evaluate is the 'noise strength' q defined in Sec.4.4.

Loop Circuit
First, we need to identify a quantum circuit that prepares the four-qubit singlet state.We rely on CNOT as the two-qubit gate.On today's noisy devices, CNOT is 'expensive' in the sense that its gate error is greater than the single-qubit gate errors.Therefore, a second target for our circuit search is to minimize the number of CNOTs.A third aspect is related to the incomplete connectivity of IBM Q devices: we pay special attention to devices that host a chain of four qubits with linear connectivity.
A four-qubit circuit that prepares the four-qubit singlet state |ψ⟩, which we call the Loop Circuit, is depicted in Fig. 6.It includes 5 CNOT gates that define a loop topology among the four qubits.We found the Loop Circuit using a combination of random circuit search and gradient descent: We assembled random circuits using CNOTs and single-qubit gates from the set {I, X, T, S, H}; searching through approximately 10 7 such instances, we selected the one whose output state had the maximal overlap with the four-qubit singlet state.Then, for the selected instance, we replaced all the one-qubit gates with generic threeparameter single-qubit gates, and performed gradient descent in this multi-dimensional parameter space, to maximize the quantum state fidelity F q between the output state of the circuit and the four-qubit singlet state.
First, we implement this circuit on IonQ's trapped ion quantum computer, which has full connectivity and hence can support the Loop Circuit without further compilation.These devices have smaller readout and gate error rates compared to IBM Q devices.The experiments were run through the AWS Braket cloud service [25].We achieved a classical fidelity F c = 0.8923, and a quantum fidelity of F q = 0.885.For reference, the classical fidelity between a uniform bitstring distribution and the ideal bitstring distribution is 1/ √ 3 ≈ 0.58.On the other hand, the quantum fidelity of the ideal four-qubit singlet state and the fully mixed four-qubit state is ≈ 0.0625.Hence we conclude that both the classical and quantum fidelities provided by IonQ hardware are much closer to the ideal one than to random noise.From the experiment on the IonQ hardware, we have inferred a noise strength (as defined in 4.4) of q = 0.105.

Linear Circuit
The publicly available IBM Q backends (as of August 2023) have four-qubit segments with linear topology, but do not have four-qubit segments with the loop topology.Therefore, we have compiled the Loop Circuit to linear topology, to be able to run it on IBM Q backends.We call the result the Linear Circuit; it contains 9 CNOT gates, and we show it in Fig. 7.We used the Qiskit framework to implement the measurements and carry out a readout error mitigation procedure (see Refs. [26,27] for theoretical details).
We implemented the Linear Circuit on all available IBM Q devices that support a chain of four qubits in a linear connectivity.The results of the measurements are presented in App.F. As for the classical fidelity, our best results were obtained from the qubit chain 3-2-4-1 on IBMQ Manila, yielding F c = 0.875.When we use readout error mitigation, then the best result is found on the qubit chain 1-3-2-5 on IBM Perth, with F mitig c = 0.996.
In terms of quantum fidelity, the best performing arrangement is the 3-2-4-1 qubit chain on IBMQ Manila.Without readout error mitigation, the fidelity is F q = 0.757, whereas readout error mitigation improves this to F mitig q = 0.895.The best quantum fidelity after readout error mitigation is found on the qubit chain 1-3-2-4 on IBMQ Quito, with F mitig q = 0.931.As a reference, the quantum fidelity of the ideal four-qubit singlet state and the fully mixed four-qubit state is ≈ 0.0625.
To conclude, we identified two circuits that can be used to prepare the four-qubit singlet state.We performed measurements on IonQ and IBM Q devices, to quantify the quality of state preparation.Our results reveal that the noise level of these devices is low enough that the singlet state can be prepared to a good approximation.A more practical question is if a typical resource state prepared by these means has sufficient fidelity to enable a few-percent failure probability of the Weak Broadcast protocol, consuming a few hundred of those resource states?This is not yet the case in our experiments: taking a typical state preparation error of 1%, the noisy failure probability (see Eqs. (4) and (5)) grows above our example target p f,t = 5% already for m = 5 resource states.However, we expect that two orders of magnitude improvement in this state preparation fidelity procedure is required to meet the above target.

Conclusion and outlook
In this work, we introduced a two-parameter family of quantum-aided weak broadcast protocols, and proved their security in a certain range of its parameters.We computed a tight upper bound m min,↑ on the number of resource quantum states required to suppress the failure probability of the protocol below a given target failure probability threshold.We optimized the protocol, that is, we located the parameter range where the resource requirements, as indicated by m min,↑ , are minimal.We have experimentally implemented the preparation and characterization of our four-qubit resource state on real qubits: in the superconducting quantum processors of IBM and the ion-trap quantum processors of IonQ.Our work illustrates the engineering aspects of future deployments of such protocols in practice.The methods and results of this work can be utilized in future research toward multi-party quantum communication in distributed systems.
Let us note that throughout the theoretical part of this work, we assumed that the four-qubit singlet state |ψ⟩ of Eq. ( 1) is prepared and distributed through public quantum channels to the three components of the distributed system.The role of these entangled states is to provide random bits that are correlated among the different components.The same functionality cannot be substituted by a source of correlated classical random bits, distributed through public channels.In this case, the adversary can eavesdrop on the classical channel transmitting the random bits from the source to the components, and hence the criterion that each component knows only its own measurement outcomes can be violated.In the quantum case, considered in this work, the eavesdropping can be detected by sacrificing a fraction of the four-qubit singlet state in a distribute-and-test procedure of the protocol, similar to the procedures described in preceding work [9,10,14].We leave it for future work to elaborate the quantitative details of such a distribute-and-test procedure.Naturally, such a distribute-and-test procedure will require extra resources, beyond those estimated in our work.
The above observation points toward further important follow-up tasks to this work.For example, an attack against the protocol could be based on the adversary gaining control over the source, or over the measurement devices generating the correlated random bits.A further difficulty is posed by physical errors of the source, the quantum channels, and the measurement devices, as highlighted by our experiments presented in Sec. 5. We anticipate that the effect of these imperfections on the protocol will be studied in a framework similar to that of device-independent quantum key distribution [28,29].Some of these issues have already been discussed [8][9][10], but a quantitative study is, to our knowledge, still missing.

Code and Data
The code and the data we used in this study are available at Zenodo [30].Interested readers can access the A Broadcast, weak broadcast, and their truth tables In Sec. 2, we introduced the broadcast and the weak broadcast functionalities of multi-party communication protocols.Here, we recall their definitions [2].Furthermore, we show their tabular representations ('truth tables'), for the case of n = 3 components and at most t = 1 faulty component.Definition 1. (broadcast) A protocol among n components such that one distinct component S (the Sender) holds an input value x S ∈ {0, 1}, and all other components (the receivers) eventually decide on an output value in {0, 1} is said to achieve broadcast if the protocol guarantees the following conditions: Validity: if the Sender is correct then all correct components decide on y = x S .
Consistency: all correct components decide on the same output.
The truth table of the broadcast functionality is shown in Table 1, for the special case when the number of components is n = 3, and resilience is expected up to t = 1 faulty component.
In the definition of the second functionality, weak broadcast, the conditions of broadcast are relaxed to some extent, and in addition to 0 and 1, a third output value called 'abort' (⊥) is also allowed.As discussed in the main text, the weak broadcast functionality is important because it can be used as a building block to achieve broadcast [2].Definition 2. (weak broadcast) A protocol among n components such that one distinct component S (the Sender) holds an input value x S ∈ {0, 1} and all other components eventually decide on an output value in {0, 1, ⊥} is said to achieve weak broadcast if the protocol guarantees the following conditions: Validity: if the Sender is correct then all correct components decide on y = x S .
Consistency: if any correct component decides on an output y ∈ {0, 1} then all correct components decide on a value in {y, ⊥}; that is, either they choose the value y or choose abort.2, for the special case when the number of components is n = 3, and resilience is expected up to t = 1 faulty component.In the main text, this special case is denoted by WBC (3,1).Note that the above definition of weak broadcast does not include the case when both receivers chose abort in the S faulty scenario.However, this scenario should be considered as weak broadcast, because it means that both receivers found that S is a faulty component.Also, note that a faulty S can always make the receivers output abort by sending conflicting messages.Because of this, we consider these scenarios as weak broadcast.Another alternative solution to this would be to modify the Consistency condition of the definition of weak broadcast.To do this, one needs to allow for an y ∈ {0, 1 ⊥}.

B Adversary strategies against the Weak Broadcast protocol
In this section, we define adversary strategies, and propose an S faulty strategy and an R 0 faulty strategy.We prove that the strategies proposed here are optimal, i.e., they maximise the failure probability, in App.D.
As a preliminary for this section, recall that in Sec. 2, we defined the Elementary Events as the possible correlated random outcomes of the measurement of the four-qubit singlet state |ψ⟩ of Eq. (1).There are six such outcomes, 0011, 1100, 1010, 0101, 1001, and 0110.It follows from Eq. (1) that the probabilities of 0011 and 1100 are 1/3, whereas the probabilities of the remaining four bitstrings are 1/12.Furthermore, we have denoted the number of four-qubit singlet states, available for the weak broadcast of a single bit from S, as m.In Sec. 2, we defined an Event as the random configuration of the m bitstrings measured on the m distributed four-qubit singlet states by the three components.Fig. 8a shows an example of an Event for m = 12 (actually, this is the same Event as in Fig. 1b).The first column is the index of the singlet state, and columns 2-4 show the qubit measurement outcomes (Elementary Events) obtained by the three components.Note that the number of possible different Events is 6 m , and for a given m, it is straightforward to calculate the occurence probability of each possible Event.For example, the Event in Fig. 8 occurs with probability (1/3) 8 (1/12) 4 .

B.1 S faulty
For concreteness, and without the loss of generality, here we assume that the faulty S is a conscious adversary, which wants to reach failure of Weak Broadcast such that receiver R 0 outputs y 0 = 0 and receiver R 1 outputs y 1 = 1.Hence, the message sent by S to R 0 is x 0 = 0, whereas the message sent by S to R 1 is x 1 = 1.

Let us first formalize what we mean by an adversary strategy (of S).
To this end, we introduce two natural classifications of the Events; a finer, global classification, and a coarser, local one.Here, the term 'local' refers to the property that the classification is based only on the information available to the adversary sender S.
We define the global count list of an Event as the list of the six non-negative integers that count the frequencies of the six different measurement outcomes of the Event.The set of the global count lists will be denoted as GCL.That is, an element of GCL is g = (g 1 , g 2 , g 3 , g 4 , g 5 , g 6 ) = (m 0011 , m 0101 , m 0110 , m 1001 , m 1010 , m 1100 ). ( Note that for a certain Event, the adversary S does not know the corresponding global count list g, as S knows only the first two bit values of each row of the Event.
Clearly, for any g ∈ GCL it holds that 6 i=1 g i = m.Furthermore, we will denote the counting function that associates an element of GCL to an Event as Note that this function is not injective, since in general, multiple Events are mapped to a single global count list g ∈ GCL.In fact, for any g ∈ GCL, the number of Events that are mapped to g via G is where the bracket on the right hand side denotes the multinomial coefficient.An adversary strategy of the sender S describes how S uses its own local information to act during the protocol.More precisely, the strategy is a procedure, according to which the adversary S selects the check sets σ 0 and σ 1 , to be sent to R 0 and R 1 , respectively, in the Invocation Phase.Locally, the sender S cannot distinguish between the outcomes 0101 and 0110, as S knows only the first two bits of these bitstrings.Similarly, S cannot distinguish between the outcomes 1010 and 1001.These imply that the basis of an adversary strategy of S is provided by the four non-negative integers (g 1 , g 2 +g 3 , g 4 +g 5 , g 6 ) = (m 0011 , m 0101 +m 0110 , m 1001 +m 1010 , m 1100 ).
For our purposes, it is sufficient to use an even coarser local classification, which does not distinguish between the local bit pairs 01 and 10 of the sender S.This coarser classification is defined by the map Here, LCL S is the set of local count lists for the S faulty scenario, which is implicitly defined as the range of L S , containing triplets of non-negative integers, such that ℓ 1 + ℓ 2 + ℓ 3 = m.The term local count list hence refers to the integer triplets ℓ ∈ LCL S .Because of the sum rule ℓ 1 + ℓ 2 + ℓ 3 = m, a local count list ℓ is represented by two of its elements, e.g., ℓ 1 and ℓ 3 , and hence the set LCL S can be visualised in a two-dimensional plot.This is illustrated for the case m = 12 in Fig. 9, where each non-grey square (i.e., orange and blue squares) represents a local count list.
The adversary strategy of S describes how the behavior of S is derived from the local information S has.For our purposes, it is sufficent to regard the local count list ℓ associated to the Event as the local information possessed by S. We define an adversary strategy of S as a function ζ S that maps the local count list of S to a list of 6 non-negative integers, Here, k  Our purpose in this work is to analyse the failure probability of certain strategies.For this purpose, it is sufficient to define a strategy by the numbers above: how many indices from each class are included in each check set.It is not necessary to specify which indices are included from each class, because the failure probability is independent of the specific choice.Nevertheless, in the examples considered in this work, we assume that S includes the 'smallest' indices from each class, in alphabetical order of the indices (see Fig. 8).
We call a strategy, as defined in Eq. ( 12), a complete strategy, if its domain is the complete LCL S ; otherwise, we call it an incomplete strategy.For a complete strategy, the failure probability p f is a well-defined real number p f ∈ [0, 1].From now on, we will deal with incomplete strategies, and hence we will not be able to compute the specific failure probability; however, we can derive a relatively tight upper bound for the failure probability.
In what follows, we will often consider sequences of strategies: such a strategy sequence is a function that specifies a strategy for each m.A natural notation for a strategy in such a sequence ζ S,m ; note that we will often suppress the m, and call such a sequence of strategies simply as a strategy.In general, for different strategies in a given sequence, the domain and the failure probability (or the failure-probability upper bound, for incomplete strategies) are different.
In this work, we focus on a sequence of optimal incomplete adversary strategies of S. This is given as where with ⌈.⌉ denoting the ceiling function.E.g., for µ = 0.26, λ = 0.94, and m = 1200, these are T = 312 and Q = 19.Recall that T , originally defined in the Weak Broadcast protocol in Sec. 2, is the minimal check set length that satisfies the Length Conditions of the Weak Broadcast protocol.Integer Q is the minimal number of inconsistent indices in ρ 01 that implies the violation of the Consistency Condition of the Cross-check Phase, in the case when the length of the check set is |ρ 01 | = T .Note that Eq. ( 13) contains two implicit restrictions on the domain of ζ S .First, the adversary S can include T − Q indices of 0011 outcomes in its check set σ 0 only if the number ℓ 1 of 0011 outcomes is sufficient, that is, if Second, the adversary S can include Q indices of mixed outcomes in its check set σ 0 only if the number ℓ 2 of mixed outcomes is sufficient, that is, if Besides these two restrictions, we further restrict the domain of ζ by requiring The above 3 conditions define the domain D(ζ) of the strategy ζ.With this extra condition, the incomplete strategy ζ of Eq. ( 13) is optimal in its domain D(ζ), which will be proven in App.D.1.The domain D(ζ) is shown as the orange region in Fig. 9, and the conditions Eqs. (16), (17), and (18) are depicted as the blue, black, and red lines in Fig. 9, respectively.How can the strategy ζ in Eq. ( 13) lead to failure?This is exemplified by a specific instance of the Weak Broadcast protocol in Fig. 8, for m = 12.To be specific, we consider a Weak Broadcast protocol with parameter values µ = 0.26 and λ = 0.94.The adversary strategy derived from the optimal strategy of Eq. ( 13) using these values of µ, λ and m can be written as since T = 4 and Q = 1.
The table in Fig. 8a shows an Event for m = 12.The local information of S, i.e., the information S possesses, is denoted by boldface characters in Fig. 8a: S knows the indices of the four-qubit singlet states used in the protocol, it knows its own measurement outcomes (bit-pairs), and it also knows the measurement outcomes of R 0 and R 1 for those rows where S measured 00 or 11.The information S does not possess is denoted by italic characters in Fig. 8a.
The above example sheds light on why the strategy ζ S in Eq. ( 13) is efficient (in fact, optimal in its domain) in achieving failure.In more general terms, its efficiency is reasoned as follows.According to this strategy, the adversary sender S tries to send a check set σ 0 such that R 0 finds it convincingly long (that is, the Length Condition of the Check Phase is satisfied) and consistent (that is, the Consistency Condition of the Check Phase is satisfied); but when sent over to R 1 as ρ 01 , then R 1 finds it inconsistent (Consistency Condition of the Cross-Check Phase is violated), resulting in failure via y 0 = 0 and y 1 = 1.This is achieved by the strategy ζ S of Eq. (13), if each of the Q rows chosen from the mixed class by S contain bit 1 at R 0 and bit 0 at R 1 .If at least a single one of these rows contains bit 0 at R 0 and bit 1 at R 1 , then R 0 finds the check set σ 0 inconsistent with the data bit x 0 = 0 and hence produces an output y 0 =⊥, leading to Weak Broadcast (see Table 2, row 8 or row 17).

B.2 R 0 faulty
For concreteness, and without the loss of generality, here we assume that the correct sender S sends the message x S = x 0 = x 1 = 0 to the receivers.Furthermore, we assume that the faulty R 0 is a conscious adversary, which wants to reach failure of Weak Broadcast such that the correct R 1 has an output bit value y 1 = 1 that conflicts with the output bit value of x S = 0 of S.
We start by formalizing what we mean by an adversary strategy of R 0 .Similarly to the S faulty configuration, our starting point is the set GCL of global count lists, see Eq. (8).The adversary strategy of the receiver R 0 describes how R 0 uses its own local information to act during the protocol.Then, locally, the receiver R 0 can distinguish between three types of outcomes.First, if the third bit of the outcome, i.e., the bit R 0 has measured, carries the value '1', and the index of the outcome is sent from S to R 0 in the check set σ 0 , then R 0 can identify the outcome as 0011.Second, if the third bit of the outcome carries the value '1', and the index of the outcome is not included in σ 0 , then R 0 identifies the outcome as 'either 0110 or 1010'.In any other case, i.e., if the third bit of the outcome carries the value of '0', then R 0 identifies the outcome as 'either 0101, or 1001, or 1100'.It is natural to denote the frequency of each type of outcome in a given Events as m 0011 , m XX10 , and m XX0X .
This threefold classification of the Events according to R 0 's local information is therefore defined by the map Here, LCL R is the set of local count lists for the R 0 faulty scenario, which is implicitly defined as the range of L R , containing triplets of non-negative integers, such that ℓ 1 + ℓ 2 + ℓ 3 = m.The term local count list hence refers to the integer triplets ℓ ∈ LCL R .Because of the sum rule ℓ 1 + ℓ 2 + ℓ 3 = m, a local count list ℓ is represented by two of its elements, e.g., ℓ 1 and ℓ 2 , and hence the set LCL R can be visualised in a two-dimensional plot.This is illustrated for the case m = 12 in Fig. 10, where each non-grey square represents a local count list.
The adversary strategy of R 0 describes the procedure to assemble the check set ρ 01 , based on the local information R 0 has.Hence, we define an adversary strategy of R 0 as a function ζ R that maps the local count list of R 0 to a list of 3 non-negative integers: Here, k 0011 ≤ ℓ 1 indicates how many of the 0011 indices does R 0 include in the check set ρ 01 sent to R 1 in the Cross-calling Phase.Similarly, k XX10 ≤ ℓ 2 indicates the number of XX10 indices to be included in ρ 01 , and k XX0X ≤ ℓ 3 indicates the number of XX0X indices to be included in ρ 01 .
Similarly to the case of the S adversary strategy discussed above, here it is also sufficient to define a strategy by the 'k' numbers above in Eq. (21): how many indices from each class are included in each check set.It is not necessary to specify which indices are included from each class, because the failure probability is independent of the specific choice.Nevertheless, in the examples considered in this work, we assume that R 0 includes the 'smallest' indices from each class, in alphabetical order of the indices (see Fig. 11).
We call a strategy, as defined in Eq. (21), a complete strategy, if its domain is the complete LCL R ; otherwise, we call it an incomplete strategy.From now on, we deal with incomplete strategies, and hence we will not be able to compute the specific failure probability; however, we will derive an upper bound for the failure probability.
We consider the incomplete strategy defined as where n min is the smallest non-negative integer such that ℓ 2 + n min ≥ T .That is, The above definition of ζ R contains an implicit assumption on the domain of ζ R : the strategy can be followed only if the value of n min , as defined in Eq. (23), is not greater than ℓ 3 .More precisely, if ℓ 2 < T , then T −ℓ 2 ≤ ℓ 3 must hold.Formulating this in terms of ℓ 1 and ℓ 2 : if ℓ 2 < T , then ℓ 1 ≤ m − T must hold.As ℓ 2 ≥ T implies ℓ 1 ≤ m − T , we conclude that the domain of the above strategy is defined by In Fig. 10, this domain D(ζ R ) is illustrated for a specific choice of parameters (see caption).There, the domain D(ζ R ) of the strategy is shown as the union of the orange, blue and pink regions, whereas the green region is the complement D(ζ R ) of the domain.Furthermore, the condition (24) is depicted as the red line.We claim that the incomplete strategy ζ R is optimal on its domain.This will be proven in App.D.2.How can the strategy ζ R of Eq. ( 22) lead to failure?This is exemplified by a specific instance of the Weak Broadcast protocol in Fig. 11, for m = 12.To be specific, we consider a Weak Broadcast protocol with parameter values µ = 0.26 and λ = 0.94.The table in Fig. 11a shows an Event for m = 12.The local information possessed by R 0 is denoted by boldface characters in Fig. 11a (cf. the second paragraph of this section); the information hidden from R 0 is denoted as italic.
Based on the local information R 0 has, it classifies the indices α ∈ {1, . . ., m} ≡ {a, b, . . ., l} of the Event into the three classes defined above: 0011, XX10, XX0X.In the example of Fig. 11a, these classes can be identified as the corresponding check sets: 0011 = {b, e, f, i}, XX10 = {d, g}, and XX0X = {a, c, h, j, k, l}.This implies m 0011 ≡ ℓ 1 = 4, m XX10 ≡ ℓ 2 = 2, and m XX0X ≡ ℓ 3 = 6.This local count list ℓ = (4, 2, 6) is in the domain D(ζ R ) of the incomplete strategy ζ R ; in fact, it is in the orange region of Fig. 10.Hence R 0 can follow the incomplete strategy ζ R , which results in the communication and decision steps depicted in Fig. 11b.There, the sender S and the receiver R 1 follow the Weak Broadcast protocol, and their output bit values are x S = 0 and y 1 = 1, respectively, implying failure of the Weak Broadcast protocol.
The above example sheds light on why the strategy ζ R in Eq. (21) is efficient (in fact, optimal in its domain) in achieving failure.In more general terms, its efficiency is reasoned as follows.According to this strategy, the adversary receiver R 0 sends a false data bit value (y 01 = 1 ̸ = 0 = x S ) and tries to 'back it up' by a check set ρ 01 that is convincingly long (that is, the Length Condition of the Cross-Check Phase is satisfied) and consistent (that is, to achieve that the Consistency Condition of the Cross-Check Phase is satisfied).This is achieved by the strategy ζ R of Eq. (21), if the number of consistent indices is large enough; hence it is reasonable for R 0 to include all indices that are certainly consistent with the bit value y 01 = 1 (red indices in Fig. 11), and include the minimal amount of indices which are only potentially consistent with the bit value y 01 = 1 (these are the two blue indices in Fig. 11b), such that the Length Condition is satisfied.

C Failure probabilities
In this section, we compute the exact failure probability for the 'no faulty' adversary configuration, and compute tight upper bounds of the failure probabilities for the adversary configurations 'S faulty' and 'R 0 faulty'.These results allow future users of the protocol to allocate resources sparingly.In fact, these results are analysed, and are used to optimize the protocol, in the main text.

C.1 No faulty
In this subsection, we consider the no faulty configuration.Without the loss of generality, assume that the data bit sent by S is x S = 0.Then, we have the following exact result for the failure probability p f , which we denote as p Recall the definition T = ⌈µm⌉, introduced in the Weak Broadcast protocol, Sec. 2. Recall also that T is the minimal check set length that satisfies the Length Conditions.
To derive this result, it is sufficient to note that the protocol leads to failure only if the Length Condition of the Check Phase evaluates as False, that is, if the number of 0011 outcomes is less than the minimal check set length that satisfies the Length Conditions; i.e. if the following condition holds: Since the Elementary Event 0011 is generated with a probability of 1/3, the probability of Eq. ( 26) holding true can be expressed by the binomial formula Eq. (25).This concludes the proof.Note that the analysis generalises straightforwardly to the case when the message of the sender S is x S = 1, and yields the same result for p

C.2 S faulty
Here, we provide an upper bound p f,↑ for the failure probability in the S faulty configuration.To express this upper bound, recall that T = ⌈µm⌉ is the minimal check set length that satisfies the Length Conditions, which was introduced in Eq. (14).Also recall that the integer Q was defined in Eq. (15).Here we use its exact definition, that is, Q = T − ⌈T λ⌉ + 1.With these notations, the upper bound p with In the derivation of this upper bound, first we express the upper bound formally for a general incomplete strategy, and then we apply it to the S faulty strategy defined above.
Assume that we have identified an incomplete strategy ζ that is optimal in its domain D(ζ) ⊂ LCL S .An upper bound of the failure probability of this strategy can be expressed as In words, the formula (29) for the upper bound is interpreted as follows: the random Event either produces a local count list ℓ that is in the domain of the strategy ζ, and then we compute the corresponding failure probability exactly (first sum); or, the Event produces a local count list ℓ that is outside the domain of the strategy ζ, and then we assume a worst-case scenario, i.e., that failure happens with unit probability (second sum).
Using the normalization condition we see that Eq. ( 29) can be reformulated as Note that these considerations suggest that for a given incomplete strategy, a lower bound p f,↓ of failure probability can also be expressed, by assuming a best-case scenario, i.e., zero failure probability, for Events that produce local count lists that are outside of the domain of the strategy.Formally, this lower bound is expressed as p To evaluate the upper bound p (S) f,↑ of the failure probability for this optimal partial strategy ζ via Eq.(31), we first express Recall that ℓ = (ℓ 1 , ℓ 2 , ℓ 3 ) is determined by two of its components, e.g., ℓ 1 and ℓ 3 , because ℓ 1 + ℓ 2 + ℓ 3 = m.Equation (33) is a straighforward consequence of the fact that the probability of a 0011 outcome, the probability of a mixed outcome (0101 or 0110 or 1001 or 1010), and the probability of a 1100 outcome, are all equal to 1/3.Finally, we express the failure probability of ζ on its domain, which is This follows from the fact that S includes Q mixed indices in its check set σ 0 , and this leads to failure only if all the Q corresponding mixed outcomes contain a '1' at R 0 .Inserting Eqs.(33) and (34) into Eq.(31), we obtain the result Eq. ( 28), which concludes our derivation.Note also that the first term of Eq. ( 28) is in fact the failure-probability lower bound of our specific strategy ζ, in line with the general expression in Eq. (32).

C.3 R 0 faulty
Here, we provide an upper bound p (R) f,↑ for the failure probability in the R 0 faulty configuration.Again, recall that T = ⌈µm⌉ (original definition in Eq. ( 14)) and Q = T − ⌈T λ⌉ + 1 (original definition in Eq. (15).With these notations, the failure-probability upper bound reads: where The result (35) is valid both for the x S = 0 and the x S = 1 scenario.In what follows, we derive this result.The derivation follows the 3-step scheme outlined in the S faulty case below Eq. (28).
Assume that we have identified an incomplete strategy ζ that is optimal on its domain D(ζ) ⊂ LCL R .An upper bound of the failure probability of this strategy can be expressed as shown in Eqs.(29).A lower bound can also be expressed as Eq.(32).
For our optimal incomplete strategy ζ, the formula for the failure-probability upper bound, Eq. (29), can be structured further, according to the three regions (orange, pink, blue) in Fig. 10: (v) The failure probability of the strategies ζ ′ B 'above the line' defined in (iii), that is, strategies with (T ′ , Q ′ ) = (T + n, Q + n ′ ) (where n ≥ 0 and n ′ ≥ n), decrease as n ′ is increased.Indeed, as n ′ is increased, the check set size remains unchanged (T + n), but the number of 'guessed' indices (Q + n ′ ) is increased, and hence the failure probability (1/2) Q+n ′ decreases.This trend is depicted in Fig. 12a by the vertical arrows.
This concludes the proof that the strategy ζ = (T − Q, Q, 0; 0, 0, m 1100 ) is indeed optimal on its domain.

D.2 R 0 faulty
Here, we prove that the R 0 adversary strategy ζ = (0, m XX10 , n min ) defined above is optimal on its domain.
(i) Increasing the first strategy parameter k 0011 from zero decreases the failure probability, as it lowers the chance of the Consistency Condition of the Cross-check Phase evaluating as True.
(ii) Consider the alternative strategies ζ ′ = (0, k XX10 , k XX0X ), with k XX10 = m XX10 −n and k XX0X = n min +n ′ , with n, n ′ ≥ 0. The alternative strategies are dysfunctional (p f = 0) 'below the line' of the (k XX10 , k XX0X ) plane defined by n = n ′ , i.e., for n > n ′ .This is because for such a strategy, the check set size |ρ 01 | is below the minimum size T required to satisfy the Length Conditions.These dysfunctional strategies are shown as the red circles in Fig. 12b.
(iii) The alternative strategies along the line n = n ′ , shown in Fig. 12b as the line of diagonal arrows, have a decreasing failure probability as n is increased.Along this line, the check set size |ρ 01 | is fixed to the minimum size T , but the number n min + n ′ of guessed indices increases, and hence the probability of satisfying the Consistency Condition of the Cross-check Phase decreases.This trend is depicted in Fig. 12b by the diagonal arrows.
(iv) Consider the alternative strategies 'above the line' of the (k XX10 , k XX0X ) plane defined by n = n ′ , i.e., above the line of diagonal arrows in Fig. 12b.These are the strategies of the form ζ = (0, m XX10 − n, n min + n ′ ) with n ′ ≥ n.For a fixed n, the failure probability of these strategies decreases as n ′ is increased.This is because increasing n ′ by 1 increases the check set size |ρ 01 | by 1, and hence the right hand side of the Consistency Condition of the Check Phase by 1, and at the same time, increases the minimum number of lucky indices needed to satisfy that Consistency Condition, leading to a decrease of the failure probability.This trend is depicted in Fig. 12b by the horizontal arrows.
This concludes the proof that the strategy ζ = (0, m XX10 , n min ) is indeed optimal on its domain

E Security proof
In this Appendix, we derive asymptotic (m → ∞) upper bounds for the failure probability for generic adversary strategies.

E.1 No faulty
Without the loss of generality, we assume that S sends the message x S = 0.
The protocol will achieve consensus, y 0 = y 1 = x S = 0, if the number of 0011 outcomes in the event is at least T , cf. the exact failure-probability result of Eq. (25).The probability of achieving consensus, i.e., that a random event contains the outcome 0011 with frequency m 0011 is where X j are binary (Bernoulli) random variables, taking values 0 or 1, with probability p = 1/3 for the latter.This implies that Recall that µ < 1/3; hence, the failure probability p f can be upper bounded by the Chernoff bound as That is, in the absence of an adversary, the failure probability of the Weak Broadcast protocol is subject to an upper bound that decreases exponentially as m increases.
Recall that the general form of the Chernoff bound used to derive this result is where X is the expectation value of the sum variable X.

E.2 S faulty
The security proof for the S faulty adversary configuration will be based on the tight failure-probability upper bound calculation presented in App.C.2.
Our goal is here is to derive an exponentially decaying upper bound for the failure probability.To this end, we restrict the domain of the S faulty adversary strategy ζ, defined in C. When is ζ r indeed a restriction of ζ? Conditions (16) and (18) are automatically satisfied if Eq. (46) holds.However, Eq. (17) demands Q ≤ ℓ 2 ; this is also guaranteed if λ ≥ 1/2.
Since D(ζ r ) ⊂ D(ζ), and D(ζ) is optimal on its domain, the restricted strategy ζ r is also optimal on its domain.
In the spirit of Eq. (29), the failure-probability upper bound can be expressed using the restricted strategy ζ r as follows: p f (m) ≤ It is straightforward to exponentially upper bound the first term using the fact that which is independent of ℓ.Therefore, we have  Table 3: Preparation and benchmarking of the four-qubit singlet state on IBM Q prototype quantum computers.We prepared the state |ψ⟩ of Eq. (1) using the linear circuit shown in Fig. 7.The first column indicates the quantum computer ('backend') used; the second column shows the date of the measurement; the third column represents the layout mapping the physical qubits of the backend to the virtual qubits of the linear circuit.The fourth (fifth) column, Fc (F mitig c ), shows the classical fidelity, Eq. (6), of the ideal distribution (Fig. 1c) and the distribution generated by the backend, without (with) readout error mitigation.The sixth (seventh) column, Fq (F mitig q ), shows the quantum state fidelity, Eq. (7), of |ψ⟩ and the output density matrix of the linear circuit, as inferred from quantum state tomography without (with) readout error mitigation.Measured 'noise strength' values q (as defined in Sec.(4.4)) without (with) readout error mitigation are indicated in column 8 (9).Best values are colored red.

Figure 1 :
Figure 1: Using a four-qubit singlet state for weak broadcast.(a) Yellow circles indicate the four qubits of the singlet state |ψ⟩ in Eq. (1).In the protocol, the qubits are distributed: qubits 1 and 2 are with the Sender (S), qubit 3 is with R0, and qubit 4 is with R1.(b) Example of measurement outcomes from m = 12 four-qubit singlet states.Such a table of data is called an Event.(c) Probability density function of the six possible outcomes when the four-qubit singlet state |ψ⟩ is measured.

4 .
Cross-check Phase.R 1 evaluates the following three conditions and if all of them are true, then it outputs the value received from R 0 , that is, y 1 = y 01 ; otherwise it outputs its intermediate value, y 1 = ỹ1 .The three conditions: (i) Confusion Condition: y 01 is different from ỹ1 , and none of them is ⊥.(ii) Length Condition: The size of the check set ρ 01 is at least T ≡ ⌈µ • m⌉, similarly to the Length Condition of the Check Phase above.(iii) Consistency Condition: For a large fraction of the indices in ρ 01 , R 1 measures the bit value opposite to y 01 .The tolerance parameter defining this fraction is λ, assumed to fulfill 1/2 < λ < 1; that is, this condition is true if the number of indices in ρ 01 where R 1 measures the bit opposite to y 01 is greater or equal to λT + |ρ 01 | − T .Note that this Consistency Condition is less stringent than the one in the Check Phase.

Figure 2 :
Figure 2: Flowchart showing the classical communication part of the protocol.Arrows with symbols in brakets show the use of the classical communication channels.Further arrows denote the decision-making processes of the components.

Figure 4 :
Figure 4: Failure probability of the Weak Broadcast protocol for the three adversary configurations.(a) 'No faulty' configuration.Exact results (green circles) and Monte-Carlo results (red crosses) for the failure probability.(b)'S faulty configuration.(c) 'R0 faulty' configuration.In (b) and (c), the failure-probability upper bound is shown.Parameters (all panels): µ = 0.272 and λ = 0.94.Simulation results are obtained from N = 10, 000 random Events for each m. (Fig. 1b shows a single random Event for m = 12.)

4. 2
Tight upper bound for the failure probability -Monte-Carlo simulations To test our analytical calculations described in the previous subsection, here we use Monte-Carlo simulations to compute the failure probability p

Figure 5 :
Figure 5: Optimization of the Weak Broadcast protocol in the (µ, λ) parameter space, for a fixed target failure threshold.Both panels indicate the resource requirement, i.e., number of four-qubit singlet states, to achieve failure probability below the target failure threshold p th = 0.05.Grey boxes indicate parameter points that are outside of the guaranteed range of the protocol (i.e., are outside of the green range in Fig. 3).(a) Rough optimization.Dark pixels indicate the more economical region in the parameter space.(b) Fine optimization: zoom-in of (a).Dark pixels ('sweet rectangle') indicate the most economical region in the parameter space.

Figure 6 :
Figure 6: Loop Circuit, a 5-CNOT circuit that prepares the four-qubit singlet state of Eq. (1).The decimal fractions present in the circuit map to -0.73304, 2.67908 and 1.5708.

Figure 7 :
Figure 7: Linear Circuit, a 9-CNOT circuit that prepares the four-qubit singlet state of Eq. (1).The decimal fractions present in the circuit map to 0.83776, 0.46251 and 1.5708.

Figure 8 :
Figure 8: An example for a Sender (S) adversary strategy, which causes failure of Weak Broadcast in this particular random instance (Event).(a) Random bits resulting from the measurement of m = 12 four-qubit singlet states.Boldface (italic) denotes the information possessed by (hidden from) S. (b) Flowchart of the communication and decision events in case of a faulty S and correct R0 and R1, for the Event in (a) and the adversary strategy ζ = (3, 1, 0; 0, 0, ℓ3).For this random instance, the strategy S leads to failure of Weak Broadcast, as the two receivers have different output values, y0 ̸ = y1.

≤ ℓ 1
indicates how many of the 0011 indices does S include in the check set σ 0 sent to R 0 in the Invocation phase.Similarly, k (0) mixed ≤ ℓ 2 indicates the number of mixed-outcome (01XX and 10XX) indices to be included in σ 0 , and k (1) 1100 ≤ ℓ 3 indicates the number of 1100 indices to be included in σ 1 , etc. Accepted in Quantum 2024-03-21, click title to verify.Published under CC-BY 4.0.

Figure 9 :
Figure 9: Local count lists and the domain of an incomplete strategy of an adversary Sender (S faulty configuration).Each non-grey square depicts a local count list in case of m = 12.Orange region depicts the domain D(ζ) of the optimal incomplete adversary strategy ζ, for parameter values µ = 0.272, and λ = 0.94.The strategy ζ is defined in Eq. (13), whereas the domain D(ζ) is defined via Eqs.(16), (17), and (18), depicted as the blue, black, and red lines, respectively.Blue region depicts those local count lists where the incomplete strategy ζ is not defined.

Figure 10 :
Figure 10: Local count lists and the domain of an incomplete optimal strategy of an adversary receiver R0 (R0 faulty configuration).Each non-grey square depicts a local count list in the case of m = 12.The union of orange, blue and pink regions depicts the domain D(ζ) of the optimal incomplete strategy ζ, for parameter values µ = 0.272 and λ = 0.94.The strategy ζ is defined in Eq. (22), whereas the domain is defined by Eq. (24).Green region depicts local count list where the incomplete strategy ζ is not defined.

Figure 11 :
Figure 11: An example for a Receiver (R0) adversary strategy, which causes failure of Weak Broadcast in this particular random instance (Event).(a) Random bits resulting from the measurement of m = 12 four-qubit singlet states.Boldface (italic) denotes the information possessed by (hidden from) R0.(b) Flowchart of the communication and decision steps in case of a faulty R0 and correct S and R1, for the Event in (a) and the adversary strategy S = (0, ℓ2, nmin), see Eq. (22).For this random Event, the strategy ζR leads to failure of Weak Broadcast, as the two receivers have different outputs values, y0 ̸ = y1.

Figure 12 :
Figure 12: Optimal, suboptimal, and dysfunctional strategies.(a) Adversary strategies of a faulty sender S. (b) Adversary strategies of a faulty receiver R0.Filled green circle represents the incomplete optimal adversary strategy ζS in (a), ζR in (b).Red, purple, and blue circles represent dysfunctional strategies.Opaque green circles represent suboptimal adversary strategies.Arrows depict increasing failure probability.

Table 1 :
Truth table of broadcast with n = 3 components, resilient up to t = 1 faulty component.Column 1 is the input and output bit of the sender (S), column 2 (3) is the output bit of receiver R0 (R1).Columns 4, 5, 6 indicate whether the list of output bits and the faulty configuration together satisfies the conditions of broadcast or not.The faulty configuration 'R1 faulty' is not shown as it is analogous to R0 faulty.

Table 2 :
Truth (3,1) of WBC(3,1), that is, weak broadcast with n = 3 components, resilient up to t = 1 faulty component.Column 1 is the input and output bit of the sender (S), column 2 (3) is the output value of receiver R0 (R1).Columns 4, 5, 6 indicate whether the list of output values and the faulty configuration together satisfies the conditions of weak broadcast or not.The faulty configuration 'R1 faulty' is not shown as it is analogous to R0 faulty.
P ζr (failure|ℓ 1 , ℓ 2,max )P (ℓ) (63)= P ζr (failure|ℓ 2,max )Note that Eq. (61) implies that the coefficient of m on the right hand side is positive, i.e., the upper bound in Eq. (67) is exponentially decreasing with increasing m.F Preparation and benchmarking of the four-qubit singlet state on IBM QThis Appendix exhibits the data we obtained by conducting experiments on IBM Q quantum computer prototypes.We aimed these experiments to prepare the four-qubit singlet state |ψ⟩ of Eq. (1) using Circuit A of Fig.7, and to quantify how close the experiment resembles the preparation of an ideal four-qubit singlet state.Further details are in the table caption.