A Fast Exact Quantum Algorithm for Solitude Verification
Abstract
Solitude verification is arguably one of the simplest fundamental problems in distributed computing, where the goal is to verify that there is a unique contender in a network. This paper devises a quantum algorithm that exactly solves the problem on an anonymous network, which is known as a network model with minimal assumptions [Angluin, STOC’80]. The algorithm runs in rounds if every party initially has the common knowledge of an upper bound on the number of parties. This implies that all solvable problems can be solved in rounds on average without error (i.e., with zerosided error) on the network. As a generalization, a quantum algorithm that works in rounds is obtained for the problem of exactly computing any symmetric Boolean function, over distributed input bits, which is constant over all the bits whose sum is larger than for . All these algorithms work with the bit complexities bounded by a polynomial in .
1 Introduction
1.1 Background
In synchronous distributed models of computation, the number of rounds (also called the round complexity) is one of the most important complexity measures, especially when we want to design fast distributed algorithms. From a complexitytheoretic point of view, seeking lowround complexity leads to clarifying how much parallelism the problem inherently has. This would be reminiscent of the study of shallow circuit classes (e.g., ), in which the depth of a circuit solving a problem corresponds to the inherent parallelism of the problem. In this paper, we study distributed algorithms with lowround complexity.
The round complexity is closely related to the diameter of the underlying graph of a given network. This is because, when computing global properties of the network, it necessarily takes at least as many rounds for message exchanges as the value of the diameter for some party to get information from the farthest party. Therefore, when every party’s initial knowledge includes an upper bound on the diameter, the ultimate goal is to achieve a round complexity close to (typically, linear in) . In particular, we are interested in whether the round complexity (resp., ) can be achieved when every party’s initial knowledge includes the number of parties (resp., an upper bound on ). This can actually be achieved in a straightforward manner if there is a unique party (called the leader) distinguishable from the others or, almost equivalently, if every party has its own identity: The unique leader, which can be elected in rounds if every party has its own identity, can gather all the distributed inputs, solve the problem, and distribute the solution to every party in rounds. However, it is not a simple task to bound the achievable round complexity for networks where no party has its own identity (namely, all parties with the same number of communication links are identical). Such a network is called an anonymous network, which was first introduced by Angluin [Ang80] to examine how much each party in a network needs to know about its own identity and other parties’ (e.g., Refs. [IR81, IR90, AM94, KKvdB94, BSV96, YK96a, YK96b, BV02]), and thereby understand the fundamental properties of distributed computing. It has been revealed in the literature that anonymous networks make it highly nontrivial or even impossible to exactly solve many distributed problems, including the leader election one, that are easy to solve on nonanonymous networks (i.e., the networks in which every party has its own identity). Here, by “exactly solve”, we mean “solve without error within a bounded time”. The good news is that if the number of parties is provided to each party, all solvable problems can be solved exactly in rounds^{1}^{1}1If the diameter is given, all solvable problems can be solved in rounds [Hen14]. for any unknown underlying graph by constructing treeshaped data structures, called universal covers [Ang80] or views [YK96a]. Obviously, however, this does not help us deal with the infinitely many instances of fundamental problems that are impossible to solve on anonymous networks. The best known among them is the leader election problem (), the problem of electing a unique leader. There are infinitely many such that cannot be solved exactly for anonymous networks with certain underlying graphs over nodes even if is provided to each party [Ang80, YK96a, BV02].
The above situation changes drastically if quantum computation and communication are allowed on anonymous networks (called anonymous quantum networks): can be solved exactly for any unknown underlying graph, even when only an upper bound on is provided to every party [TKM12]. This implies that, if a problem is solvable in nonanonymous networks, then it is also solvable in anonymous quantum networks. For the round complexity, however, the known quantum algorithms for electing a unique leader require superlinear rounds in (or when is provided) [TKM05, TKM12].
Motivated by this situation, we study the linearround exact solvability of another fundamental problem, the solitude verification problem () [AAHK86, AAHK94, HKAA97], in anonymous quantum networks. The goal of is to verify that there is a unique contender in a network with an unknown set of contenders (which may be empty) among the parties. Although the final target is to clarify whether a unique leader can be elected in linear rounds or not, would be a natural choice as the first step. This is because is a subproblem of many common problems, including the leader election problem: a unique leader can be elected by repeating attrition and solitude verification as observed in Ref. [AAHK86]. Another reason is that is one of the simplest nontrivial problems concerned with the global properties of a given network, as pointed out in Ref. [AAHK94]. Indeed, is not always solvable in the classical case: One can easily show, by modifying the proof of Theorem 4.5 in Ref. [Ang80], that it is impossible to exactly solve on any anonymous classical network whose underlying graph is not a tree if only an upper bound is provided to each party (the problem can be solved exactly in rounds if is provided). In the quantum setting, the only quantum algorithms for are the straightforward ones that first elect a unique leader (with a superlinear round complexity), who then verifies that there is a unique contender.
Recently, Kobayashi et al. [KMT14] proposed an round quantum algorithm when each communication link in the network is bidirectional, i.e., the underlying graph is undirected. However, their algorithm cannot work in the more general case where the underlying graph is directed. This is due to a technicality that is distinctive in quantum computing: Their algorithm uses a standard quantum technique to erase “garbage” information generated in the course of computation. The technique inverts some operations that have been performed and thus involves sending back messages via bidirectional communication links in the distributed computing setting.
1.2 Our Results
Let be the set of all strongly connected digraphs with nodes. Our main result is an round quantum algorithm that exactly solves , where the input to each party is a binary value indicating whether the party is a contender or not (see Sec. 2.2 for a more formal definition).
Theorem 1
There exists a quantum algorithm that, if an upper bound on the number of parties is provided to each party, exactly solves in rounds with bit complexity on an anonymous network with any unknown underlying graph in .
As described previously, we are most interested in whether can be solved exactly in rounds. For the present, we do not have an answer to this question. We can, however, obtain a partial answer as a corollary of Theorem 1: There exists an round zeroerror quantum algorithm for . Here, we say that a problem is solved with zero error if there exists an algorithm that outputs a correct answer with probability at least and gives up with probability at most , where is some nonnegative constant less than . We can assume without loss of generality that is an arbitrarily small constant, since a constant number of repetitions reduce the “giveup” probability to an arbitrary small constant, which changes the complexity by at most a constant factor.
Corollary 2
There exists a zeroerror quantum algorithm that, if an upper bound on the number of parties is provided to each party, solves in rounds with bit complexity on an anonymous network with any unknown underlying graph in .
This implies that in the quantum setting, anonymous networks can be converted to the corresponding nonanonymous ones without error in rounds on average, since a unique leader can assign a unique number to each party in rounds (in the worst case). In the special case of , if a classical problem is solvable in a nonanonymous classical/quantum network in rounds with a polynomial bit complexity, then in the corresponding anonymous networks the problem is still solvable without error in rounds on average with a polynomial bit complexity whenever quantum computation and communication are allowed.
We next consider a generalization of Theorem 1. Note that we can think of as the problem of deciding whether the Hamming weight (i.e., the sum) of the input bits is exactly one or not, which is equivalent to computing the corresponding symmetric function. As generalizations of this function, let us consider a collection , for , of all symmetric Boolean functions such that is constant over all with . Note that for each , and for any represents the set of all symmetric functions over bits. In particular, the function corresponding to belongs to . We then have the following theorem.
Theorem 3
Suppose that there are parties on an anonymous network with any unknown underlying graph in in which an upper bound on is provided to each party. For every with , there exists a quantum algorithm that exactly computes over distributed input on the network in rounds with a bit complexity bounded by some polynomial in .
Note that an round quantum algorithm for would imply that all solvable problems, including computing , can be solved in rounds (since the leader can convert the anonymous network into the corresponding nonanonymous one). Computing is thus something lying between and with respect to linearround solvability.
1.3 Technical Outline
Recall that the reason the round leader election algorithm in Ref. [KMT14] does not work on directed graphs is that it sends back messages via bidirectional communication links to erase “garbage” information produced in the course of computation. This seems inevitable as it uses (a version of) the quantum amplitude amplification [CK98] (or a special case of the general quantum amplitude amplification [BHMT02]). It is a critical issue, however, when the underlying graph is directed, since, although strong connectivity ensures at least one directed path on which the message could be sent back, parties cannot identify the path in the anonymous network (since the original sender of the message cannot be identified). In the classical setting, such an issue cannot arise since the message need not be sent back (the sender has only to keep a copy of the message if it needs to).
Our idea for resolving this issue is to employ the symmetrybreaking procedure introduced in [TKM12, Sec. 4]. The procedure was used to solve the leader election problem as follows: Initially, all parties are candidates for the leader and they repeatedly perform a certain distributed procedure that reduces the set of the candidates by at least 1. More concretely, the procedure partitions into at least two subsets if and removes one of them from . A simple but effective way of viewing this is that it not only reduces but decides whether is at least two or not, since it can partition only when there are at least two candidates. This observation would exactly solve by regarding as the set of contenders if the procedure outputs the correct answer with certainty. However, the procedure heavily depends on the following unknowns: the cardinality of and the number of parties. In Ref. [KMT14], a similar problem arises when deciding whether an bit string is of Hamming weight at most , and it is resolved by running a base algorithm in parallel for all possible guesses at and making the decision based on the set of all outputs (the “base algorithm” uses amplitude amplification and is totally different from the symmetrybreaking approach). Together with a simple algorithm for testing whether is the allzero string, the parallel execution of the base algorithm is used in the leader election algorithm [KMT14] to verify that a random is of Hamming weight exactly one. This verification framework actually works in our case, and it underlies the entire structure of our algorithm. Namely, we replace the base algorithm in the framework with a subroutine constructed by carefully combining the symmetrybreaking procedure introduced in Ref. [TKM12] with classical techniques related to the view [YK96a, Nor95, BV02, Tan12]. This means that all parties collaborate to perform this subroutine in parallel for all possible pairs of guesses at . The round complexity is thus equal to the number of rounds required to perform the subroutine once, i.e., rounds. To show the correctness, we prove that the set of the outputs over all possible pairs of the guesses yields the correct answer to any instance with certainty. This needs an indepth and careful analysis of all operations of which our algorithm consists for every pair not necessarily equal to .
Before the present work, it has seemed as if the symmetrybreaking approach introduced in Refs. [TKM05, TKM12] is entirely different from the amplitude amplification approach used in Ref. [KMT14]. Our algorithm first demonstrates that these approaches are quite compatible, and, indeed, the technical core of Refs. [TKM05, TKM12] can effectively function in the algorithmic framework proposed in Ref. [KMT14]. This would contribute to a better understanding of distributed quantum computing and would be very helpful for future studies of quantum algorithms.
Our algorithm can be generalized to the case of computing a family of more general symmetric functions as follows: All parties collaborate to partition into subsets by recursively applying the procedure up to levels. If there is a singleton set among the subsets at a certain recursion level, then the algorithm stops and all parties elect the only member of the subset as a leader, who can compute and thus compute the value of the given function in . If no singleton set appears even after theth recursion level, there must be more than parties in , in which case any function in is constant by the definition.
1.4 Related Work
Pal, Singh, and Kumar [PSK03] and D’Hondt and Panangaden [DP06b] dealt with and the GHZstate sharing problem in a different setting, where preshared entanglement is assumed but only classical communication is allowed. The relation between several network models that differ in available quantum resources has been discussed by Gavoille, Kosowski, and Markiewicz [GKM09]. Recently, Elkin et al. [EKNP14] proved that quantum communication cannot substantially speed up algorithms for some fundamental problems, such as the minimum spanning tree, compared to the classical setting. For faulttolerant distributed quantum computing, the Byzantine agreement problem and the consensus problem were studied by BenOr and Hassidim [BOH05] and Chlebus, Kowalski, and Strojnowski [CKS10], respectively. In the cryptographic context where there are cheating parties, Refs. [AS10, Gan09] devises quantum algorithms that elect a unique leader with a small bias. Some quantum distributed protocols were experimentally demonstrated by Gaertner et al. [GBK08] and Okubo et al. [OWJ08].
1.5 Organization
Section 2 defines the network model and the problems considered in this paper. It then mentions several known facts employed in the subsequent sections. Section 3 provides the structure of our algorithm and then proves Theorem 1 assuming several properties of the key subroutine . Section 4 describes step by step and presents numerous claims and propositions to show how each step takes effect. Section 5 proves all the claims and propositions appearing in Section 4 and then completes the proof that has the properties assumed in Section 3. Section 6 proves Corollary 2, and then generalizes Theorem 1 for proving Theorem 3.
2 Preliminaries
Let be the set of all complex numbers, the set of all positive integers, and the set of all nonnegative integers. For any with , denotes the set , and represents .
2.1 The Distributed Computing Model
We first define a classical model and then adapt it to the quantum model, where every party can perform quantum computation and communication.
A classical distributed network consists of multiple parties and unidirectional communication links, each of which connects a pair of parties. By regarding the parties and links as nodes and edges, respectively, in a graph, the topology of the distributed network can be represented by a strongly connected digraph (i.e., directed graph), which may have multiple edges or selfloops.
A natural assumption is that every party can distinguish one link from another among all communication links incident to the party; namely, it can assign a unique label to every such link. We associate these labels with communication ports. Since every party has incoming and outgoing communication links (although a selfloop is a single communication link, it looks like a pair of incoming and outgoing links for the party), it has two kinds of communication ports accordingly: inports and outports. For a more formal definition in graph theory terms, we modify the definition given in Ref. [Ang80, YK96a], which assumes undirected graphs: the underlying digraph of the distributed network has a portnumbering, which is a set of paired functions such that for each node with indegree and outdegree , the function (resp., ) is a bijective map from the set of incoming edges (resp., outgoing edges) incident to to the set (resp., ). It is stressed that each function pair is defined independently of any other pair with . For the sake of convenience, we assume that each edge is labeled with the pair of the associated outport and inport (of the two different parties); namely, (each party can know the labels of edges incident to it by only a oneround message exchange as described in Example 1). In our model, each party knows the number of its inports and outports and can choose one of its inports or one of its outports in any way whenever it sends or receives a message.
In distributed computing, what information each party initially possesses has a great impact on complexity. Let be the information that only party initially knows, such as its local state and the number of its ports. Let be the information initially shared by all parties. We may call and local and global information, respectively.^{2}^{2}2 In this paper, we do not consider the case where only a subset of parties share some information, since an upper bound on the complexity for that case can be obtained by regarding such information as local information (when dealing with noncryptographic/nonfaulttolerant problems, which is our case).
Without loss of generality, we assume that every party runs the same algorithm with as its arguments (or the input to the algorithm), in addition to the instance of a problem to solve. We will not explicitly write as input to algorithms when it is clear from the context. Note that is not part of the problem instance but part of the model. Also note that the algorithm may invoke subroutines with part of as input to the subroutine. If all parties in a network have the same local information except for the number of their ports, the network is said to be anonymous, and the parties in the anonymous network are said to be anonymous. In this paper, we assume that for each party , consists of a common initial state, a common description of the same algorithm, and the numbers of inports and outports. An extreme case of networks is a regular graph, such as a directed ring, in which case each party is identical to any other party; that is, effectively, every party has the same identifier. Obviously, the difficulty of solving a problem depends on the underlying graph. Moreover, it may also depend on portnumberings. This can be intuitively understood from Example 1. When solving problems on distributed networks, we do not assume a particular portnumbering; in other words, we say that a problem can be solved if there is an algorithm that solves the problem for any portnumbering.
This paper deals with only anonymous networks but may refer to a party with its index (e.g., party ) only for the purpose of clear descriptions. Our goal is to construct an algorithm that works for any portnumbering on any digraph in , where denotes the set of all node strongly connected digraphs, which may have multiple edges or selfloops, and is used through this paper.
Example 1
Fig. 1 shows two anonymous networks, and , on the same fournode regular graph with different portnumberings and , respectively, where each party has two inports and two outports, and each directed edge is labeled with and on networks and , respectively, where resp., is put on the source side and resp., is put on the destination side. Observe that each party can know the label of each incoming edge incident to the party by exchanging a message Each party sends a message “” out via every outport , and if another party receives this message via inport , the receiver concludes that it has an incoming edge with label . To elect a unique leader on network in Fig. 1, consider the following game: If a party has an incoming edge with label , then it scores 1 point if win, 0 points if draw, 1 point if lose each party earns the the sum of points over all its incoming edge and a party wins the game if it earns the largest sum of points among all parties. It is easy to see that each party can compute the sum of points as we observed. In the case of , the upperleft party is the unique winner: it earns 1 point in total, while the others earn or points. This fact can be used to elect a unique leader. In the case of , however, all parties earn points. Hence, the above game cannot elect a unique leader. Actually, no deterministic algorithm can elect a unique leader in the case of [YK96a].
A network is either synchronous or asynchronous. In the synchronous case, message passing is performed synchronously. The unit interval of synchronization is called a round, which consists of the following sequential execution of the two (probabilistic) procedures that are defined in the algorithm invoked by each party [Lyn96]: one procedure changes the local state of the party depending on the current local state and the incoming messages, and then removes the messages from ports; the other procedure then prepares new messages and decides the ports through which the messages should be sent, depending on the current local state, and finally the messages are sent out via the ports. We do not impose any limit on the number of bits in a message sent in each round.
A network that is not synchronous is asynchronous. In asynchronous networks, every party can send messages at any time and the time it takes for a message to go through a communication link is finite but not bounded. This paper deals with synchronous networks for simplicity, but our algorithms can be emulated in asynchronous networks without sacrificing the communication cost by just delaying the local operation that would be done in each round in the synchronous setting until a message arrives at every port.
The only difference between the quantum and classical models is that every party can perform quantum computation and communication in the former model [for the basics of quantum computation and communication, we refer readers to standard textbooks (e.g., Refs. [NC00, KSV02, KLM07])]. More concretely, the two procedures for producing messages and changing local states are replaced with physically realizable superoperators (i.e., a tracepreserving completely positive superoperator) that act on the registers storing the local quantum state and quantum messages received to produce new quantum messages and a new local quantum state and to specify port numbers. Accordingly, we assume that every communication link can transfer quantum messages. For sending quantum messages at the end of each round, each party sends out one of its quantum registers through the specified outport. The party then receives quantum registers from its neighbors at the beginning of the next round and uses them for local quantum computation.
This paper focuses on the required number of rounds as the primary complexity measure (called round complexity). This is often used as an approximate value of time complexity, which includes the time taken by local operations as well as the time taken by message exchanges. Although our primary goal is to construct algorithms with low round complexities, our algorithms all have bit complexities bounded by certain polynomials in the given upper bound on the number of parties (or polynomial bit complexities for short), where the bit complexity of an algorithm is the number of bits or qubits communicated by the algorithm (a.k.a., communication complexity).
Finally, we assume that there are no faulty parties and no faulty communication links.
2.2 Solitude Verification and Leader Election
Let . For any bit string , let be the Hamming weight of , i.e., the number of ’s in . For any , without loss of generality, we assume that is identified with the set .
For any , let be the symmetric Boolean function that is if and only if is equal to for input distributed over parties (i.e., each party is in possession of one of the bits). Note that may be larger than , in which case is for all . The function is hence welldefined even if each party does not know the integer (since the value of depends not on but on and ). We also define as the symmetric Boolean function such that is if and only if for ; namely, . Note again that is welldefined even if is unknown. The solitude verification problem is equivalent to computing as can be seen from the following definition.
Definition 4 (Solitude Verification Problem ())
Suppose that there is a distributed network with any underlying graph , which is unknown to any party. Suppose further that each party in the network is given as input a Boolean value and a variable initialized to . The goal is to set for every , where .
If every party has a unique identifier picked from, say, , this problem can easily be solved by simply gathering all ’s to the party numbered (although the complexity may not be optimal). On anonymous networks, however, this simple idea can no longer work since the parties do not have a unique identifier. If the global information includes the exact number of parties, can be solved deterministically by a nontrivial algorithm, which runs in rounds with a polynomial bit complexity [YK96a, BV02, Tan12]. In a more general case, however, this is impossible.
Fact 5 ([Ang80, Ir90])
There are infinitely many such that, if only an upper bound on the number of the parties is provided to each party as global information, cannot be solved in the zeroerror i.e., Las Vegas setting as well as in the exact setting on anonymous classical networks with a certain underlying graph .
Our main contribution is a quantum algorithm that exactly computes the function in rounds linear in even if only an upper bound on is provided. This implies that there exists a quantum algorithm that exactly computes (and thus ) in rounds linear in , since there is a simple (classical) deterministic algorithm for computing (i.e., the negation of over all input bits).
We next define the leader election problem, which is closely related to .
Definition 6 (Leader Election problem ())
Suppose that there is a distributed network with any underlying graph , which is unknown to any party. Suppose further that each party is given a variable initialized to . The goal is to set for arbitrary but unique and for every remaining .
is a fundamental problem with a long history of research starting from the dawn of distributed computing; there are a lot of studies on efficient algorithms for solving it on nonanonymous networks. On anonymous networks, however, it is impossible to exactly solve .
Fact 7 ([Ang80, Ir90, YK96a, Bv02])
There are infinitely many such that, even if the number is provided to each party as global information, cannot be solved exactly on anonymous classical networks with a certain underlying graph . Moreover, if only an upper bound on is provided to each party, it is impossible to solve even with zeroerror.
Actually, the former part of this fact is a corollary of a more general theorem proved in Ref. [YK96a, BV02], which provides a necessary and sufficient condition on underlying graphs and portnumbering for exactly solving when every party knows the number as its global information. The latter part of Fact 7 (i.e., the zeroerror unsolvability of ) follows from Fact 5 and the fact^{3}^{3}3 Once elected, the leader can verify that is one: The leader first assigns a unique identifier to each party. It then gathers all together with the identifier of the owner of (along a spanning tree after setting it up). that is reducible to .
In contrast, it is possible to solve the problems on anonymous quantum networks.
Fact 8 ([Tkm05])
There exists a quantum algorithm that, for every with , if an upper bound on is provided to each party as global information, exactly solves in rounds with a polynomially bounded bit complexity on an anonymous network with any unknown underlying graph , where is the bit complexity of constructing the view [YK96a, BV02], a treelike datastructure, of depth . The best known bound on is [Tan12].
Remark 9
When an upper bound on the diameter of the graph is provided to each party, the round complexity becomes by using the recent result on the view in Ref. [Hen14].
We next provide a powerful primitive in classical distributed computing: a linearround algorithm that deterministically computes any symmetric function on anonymous networks. This algorithm is actually obtained from a more generic one that effectively uses the fullpower of deterministic computation in the anonymous classical network: during the execution of the generic algorithm, every party constructs a treelike data structure, called view [YK96a, BV02], which contains as much information as it can gather in the anonymous network. In terms of graph theory, the view of depth is defined for each node , and it is a labeled tree rooted at that is obtained by sharing the maximal common suffix of every pair of length directed paths to the node . It is not difficult to see that the view of depth can be constructed by exchanging messages times [YK96a, BV02] as follows: (1) every party creates a depth view, which is nothing but a single node, , labeled by the input to the party; (2) for each in this order, each party sends its depth view to every neighbor, receives a depth view from every neighbor, and then makes a depth view by connecting the node with the roots of received views by edges labeled with port numbers. Since it is proved in Ref. [Nor95] that setting is necessary and sufficient to gather all the information in the network, depth views need to be constructed in general for solving problems. For , the above naïve construction algorithm obviously has an exponential bit complexity in , but it is actually possible to compress each message so that the total bit complexity is polynomially bounded in [Tan12]. Since the Hamming weight of distributed input bits can be locally computed as a rational function of the number and the number of nonisomorphic subtrees of depth in the view [YK96a, Nor95, BV02], every party can compute any symmetric function on from its view whenever is given. This algorithm is summarized as follows.
Fact 10 (Computing Symmetric Functions [YK96a, Nor95, Bv02, Tan12])
For any with , suppose an anonymous network with any unknown underlying graph , where the number of parties is given to each party as global information. Then, there exists a deterministic algorithm that computes any symmetric function over distributed input bits in rounds with bit complexity , where is the function defined in Fact 8.
To exactly compute the symmetric function with this algorithm, every party needs to know the exact number of the parties. Nevertheless, even when a wrong is provided instead of , the algorithm can still run through and output some value. Namely, it constructs the view of depth for every party and outputs the value of the rational function over the number and the number of isomorphic subtrees in the view, as can be seen from the above sketch of the algorithm. This requires rounds and bits of communication. In fact, we will use this algorithm for a guess at (this is not necessarily equal to ). Although the output may be wrong, the set of the outputs over all possible guesses ’s contains useful information as will be described in the following sections.
Finally, we define some terms. Suppose that each party has a bit string (i.e., the parties share a bit string ). Given a set , the string is said to be consistent over if has the same value for all in . Otherwise, is said to be inconsistent over . In particular, if is the empty set, then any string is consistent over . We also say that a qubit pure state shared by the parties is consistent (inconsistent) over if only for ’s that are consistent (inconsistent) over . Note that there are pure states that are neither consistent nor inconsistent over (i.e., superpositions of both consistent string(s) and inconsistent string(s) over ). We may simply say “consistent/inconsistent strings/states” if the associated set is clear from the context. We say that a quantum state is an partite GHZstate if is of the form for some natural number . When is clear from the context, we may simply call the state a GHZstate.
3 Solitude Verification (Proof of Theorem 1)
This section proves Theorem 1 by showing a quantum algorithm that exactly computes on bits distributed over an anonymous quantum network with parties when an upper bound on is provided as global information. Suppose that a bit is provided to each party as input. We say that any party with is active and any party with is inactive. Let .
The algorithm actually computes the functions and on input in parallel and then outputs . The function can be computed in any anonymous network by a simple and standard deterministic algorithm in rounds if any upper bound on is given, as stated in Proposition 11 (the proof is provided in Sec. 5 for completeness).
Proposition 11 (Computing )
Suppose that there are parties on an anonymous network with any underlying graph , in which an upper bound on is given as global information. Then, there exists a deterministic algorithm that computes on the network in rounds with bit complexity , where , if every party gives a bit as the input to the algorithm.
The difficult part is computing . It runs another quantum algorithm as a subroutine for all pairs of . The integers and mean guesses at the number of active parties (i.e., ) and the number of parties (i.e., ), respectively, which are unknown to any party. The following lemma states the properties of .
Lemma 12 (Main)
There exists a set of distributed quantum algorithms such that, if every party performs the algorithm with a bit and an upper bound on the number of parties, then always reaches a halting state^{4}^{4}4 This property is crucial when one emulates our algorithm in asynchronous (anonymous) networks, since deadlocks that parties cannot detect may occur. in rounds with qubits and classical bits of communication for every and every and satisfies the following properties

For each , outputs “” or “” at each party, where these outputs agree over all parties

for , computes with certainty for every and

for every and every , outputs “” with certainty whenever ,
where .
After all parties collaborate to run (in parallel) for all pairs , every party obtains classical results:
where is the output of for input . Note that this set of results agree over all parties by property 1 in Lemma 12. From properties 2 and 3, we can observe that there is at least one in if and only if is “” (since is equal to whenever equals ). Thus, every party can locally compute , once it obtains all the classical results . Therefore, together with the algorithm in Proposition 11, can be computed exactly. Moreover, Proposition 11 and Lemma 12 imply that the entire solitude verification algorithm runs in rounds and with qubits and classical bits of communication. The pseudo code, Algorithm QSV, provided below summarizes the above operations.
4 Algorithm Q
To demonstrate simply how works, we mainly consider the case where equals (and defer the analysis in the other cases until the following sections). In fact, originates from the following simple idea. Every active party flips a coin, broadcasts the outcome, and receives the outcomes of all parties. Obviously, those outcomes cannot include both heads and tails if there is at most one active party. Otherwise, they include both with high probability. This implies that, with high probability, one can tell whether the number of active parties is at most one or not, based on whether the outcomes include both heads and tails. One can thus obtain the correct answer to with high probability, since one can easily check whether there exists at least one active party. However, this still yields the wrong answer with positive probability. Since we want to solve the problem exactly, we need to suppress this error. For this purpose, we carefully combine several quantum tools with classical techniques based on the idea sketched in [TKM12, Sec. 4].
Suppose that every party has a twoqubit register . Let be an orthonormal basis of (“” represents the empty set). For notational simplicity, we also use to denote , respectively (“” intuitively means inconsistency since we have both and in the corresponding set). Without loss of generality, we identify with , respectively. We now start to describe step by step and explain the effect of each step by showing claims and propositions. We defer their proofs to the next section.
STEP 1: Every active party prepares in register , while every inactive party prepares in .
Let be the set of over all , where is the set of active parties, and let be the set of over all . We then denote by the pair . The quantum state over can be written as
STEP 2: All parties attempt to project onto the space spanned by or , where is the set of all strings in such that does not contain both and simultaneously, i.e., , and is the complement of .
For STEP 2, every party applies the operator with to , where is defined in the following claim. The resulting state is times
(1) 
Claim 13
There exists a distributed quantum algorithm qconsistency that, for given upper bound on the diameter of the underlying graph , implements the following operator^{5}^{5}5 More formally, this operator should be written as a unitary one acting on ancillary registers initialized to as well as
(2) 
where is an orthonormal basis of , denotes a set of ancillary singlequbit registers possessed by party for all , and denotes a set of all the other ancillary registers, the content of which is a bit string uniquely determined^{6}^{6}6 Actually, also depends on the underlying graph, but we assume without loss of generality that the graph is fixed. by and . Moreover, qconsistency runs in rounds and communicates qubits. In particular, any upper bound of can be used as .
Note that the operator has an effect similar to the measurement on , where and for the identity operator over the space . The difference is that leaves the garbage part , which is due to the “distributed execution” of the measurement.
STEP 3: Every party measures the register of in the basis . If the outcome is “”, then halts and returns “”.
To understand the consequence of each possible outcome, we first provide an easy proposition.
Claim 14
is in the space spanned by if and only if .
If the outcome is “”, there must exist such that has a nonzero amplitude in , implying that does not lie in the space spanned by and thus by Claim 14. Therefore, every party can conclude that is “” without error if the outcome is “”.
If the outcome is “”, we have the resulting state (from Eq. (1)):
where is the normalizing factor. In this case, the parties cannot determine the value of on since may or may not be in the space . Hence, we need a few more steps.
For proceeding to the next step, the following observation is crucial, which is obtained from the definition of : In the state , the contents of the registers for all active parties (i.e., the values at the positions of all such in ) are identical; namely, they are all “” or all “”. Furthermore, we can prove the following claim:
Claim 15
The state is of the form
(3) 
for some with , where is a certain partition of the set of registers in . In particular, if there are no active parties, then is equal to and thus is a tensor product of .
This follows from the fact that the operator consists of idempotent operations, copy operations via cnot, and register exchanges.
STEP 4: Every party attempts to shrink the GHZstate part of down to a partite GHZstate over only the registers of active parties by performing a subroutine, called ghzscaledown, the properties of which are described in Claim 16. If ghzscaledown outputs “”, then halts and returns “”.
For realizing STEP 4, if the state were over local registers, we could just apply the following standard technique: measure all registers except all of active parties in the Hadamard basis , count the number of outcomes , and correct the phase by rotating the state by the angle 0 or , depending on (the parity of) the number. By the definition of anonymous networks, however, every (active) party has to use the same algorithm to collaboratively compute the parity of the number of and rotate the state if needed. For this purpose, the classical algorithm provided in Fact 10 seems suitable, since it computes any symmetric function in an anonymous network. What one should note here is that this classical algorithm outputs a correct answer if it is given the correct number of parties (as ). If is equal to , the algorithm outputs a correct answer. In general cases, however, the value of is merely a guess at and not necessarily equal to . To rotate the state by the angle , every active party applies to its share of the registers the rotation operator for the angle , so that the sum of the angles over all active parties is . This works correctly if the number of active parties is given (as ). With the assumption that equals , the state should be rotated by the correct angle . In general cases, however, the value of is not necessarily equal to .
In the case where equals , no active parties exist and thus no operations are performed in this step.
The following claim summarizes the effect of ghzscaledown.
Claim 16
There exists a distributed quantum algorithm ghzscaledown such that, for given ,

if equals zero, then for any it halts with the output “” at every party or applies the identity operator to

else if equals , it transforms to

else it halts with the output “” at every party or transforms to the state for some real .
Moreover, ghzscaledown runs in rounds and communicates classical bits, where is the function defined in Fact 8.
Then, proceeds to STEP 5. By Claim 16, STEP 5 is performed with only if both and hold. In this case, to meet item 3 in Lemma 12, we only need to examine the output of Q on with (we defer until the next section easy proofs that item 1 holds and that Q reaches a halting state for all ). For with , the behavior of Q is almost the same as in the case of . Thus, in the following part of this section, we assume that is equal to or STEP 5 starts with for simplicity (the proof of Lemma 12 provided in the next section will rigorously analyze all cases).
To see how the operator works, we provide the following claim.
Claim 17 (Adaptation from Lemmas 3.3 and 3.5 in Ref. [Tkm12])
STEP 5 satisfies the following:

If is zero, then STEP 5 is effectively skipped.

If is one, then for some .

If is at least two and equals , then it holds that
where and .
If is exactly one, i.e., for some , then, whatever unitary operator has acted on , the resulting state is a quantum state over the register . This state is obviously consistent over , since there is only one active party.
If is at least two and equals , STEP 5 transforms the state into , which is an inconsistent state over . Intuitively, the state is a superposition of only the basis states that correspond to the situations where at least two active parties have different contents chosen from in their . This fact exhibits a striking difference from the case of . We should emphasize that the amplitude vanishes for each only when equals . In general, however, may not be equal to , in which case the amplitude is nonzero for some .
STEP 6: Every active party measures in the basis and obtains a twobit classical outcome .
Suppose that is at least one and that the quantum state over just before STEP 6 is . If is at least two and equals , Claim 17 implies that there are at least two distinct outcomes among those obtained by active parties. If equals one, then there is obviously a single outcome in the network.
Finally, suppose that is zero. Since there are no active parties, there are no outcomes that would be obtained by the measurement.
The number of distinct outcomes is hence different between these three cases.
STEP 7: All parties collaborate to decide whether the number of distinct elements among the outcomes is at most one by running the distributed deterministic algorithm provided in Proposition 18. If the number is at most one, return ; otherwise, return .
To realize STEP 7, it suffices to decide whether the string is consistent over , where for is set at an appropriate value that is distinguishable from any possible outcome for (technically, is a threebit value). For this purpose, we use the distributed algorithm consistency given in Proposition 18 (a special form of a more general statement [KKvdB94]). The algorithm yields the correct output if an upper bound of the diameter of the underlying graph is known. In our setting, can be used to upperbound the diameter. Every party can therefore decide whether is or