andrew m. childs wim van dam - arxiv

arX

iv:0

812.

0380

v1 [

quan

t-ph

] 2

Dec

200

8

Quantum algorithms for algebraic problems

Andrew M. Childs∗

Department of Combinatorics & Optimization and Institute for Quantum ComputingUniversity of Waterloo, Waterloo, Ontario, Canada N2L 3G1

Wim van Dam†

Departments of Computer Science and PhysicsUniversity of California, Santa Barbara, California 93106, USA

Quantum computers can execute algorithms that dramatically outperform classical computation. As thebest-known example, Shor discovered an efficient quantum algorithm for factoring integers, whereas factoringappears to be difficult for classical computers. Understanding what other computational problems can besolved significantly faster using quantum algorithms is oneof the major challenges in the theory of quantumcomputation, and such algorithms motivate the formidable task of building a large-scale quantum computer. Thisarticle reviews the current state of quantum algorithms, focusing on algorithms with superpolynomial speedupover classical computation, and in particular, on problemswith an algebraic flavor.

PACS numbers: 03.67.Lx

Contents

I. Introduction 2

II. Complexity of Quantum Computation 3A. Quantum data 3B. Quantum circuits 3C. Reversible computation 4D. Quantum complexity theory 5E. Fault tolerance 5

III. Abelian Quantum Fourier Transform 6A. Fourier transforms over finite Abelian groups 6B. Efficient quantum circuit for the QFT overZ/2nZ 6C. Phase estimation and the QFT over any finite Abelian group7D. The QFT over a finite field 8

IV. Abelian Hidden Subgroup Problem 8A. Period finding overZ/NZ 8B. Computing discrete logarithms 9

1. Discrete logarithms and cryptography 92. Shor’s algorithm for discrete log 9

C. Hidden subgroup problem for finite Abelian groups 10D. Period finding overZ 11E. Factoring integers 13F. Breaking elliptic curve cryptography 14G. Decomposing Abelian and solvable groups 15H. Counting points on curves 16

V. Quantum Algorithms for Number Fields 19A. Pell’s equation 19B. From Pell’s equation to the unit group 19C. Periodic function for Pell’s equation 20D. Period finding overR 20E. The principal ideal problem and number field cryptography21F. Computing the unit group of a general number field 22G. The principal ideal problem and the class group 22

VI. Non-Abelian Quantum Fourier Transform 23A. The Fourier transform over a non-Abelian group 23B. Efficient quantum circuits 24

∗[email protected]†[email protected]

VII. Non-Abelian Hidden Subgroup Problem 24A. The problem and its applications 24B. The standard method 25C. Weak Fourier sampling 26D. Strong Fourier sampling 27E. Multi-register measurements and query complexity 27F. The Kuperberg sieve 29G. Pretty good measurement 31

VIII. Hidden Shift Problem 34A. Abelian Fourier sampling for the dihedral HSP 34B. Finding hidden shifts in(Z/pZ)n 34C. Self-reducibility, quantum hiding, and the orbit coset problem 35D. Shifted Legendre symbol and Gauss sums 36

1. Shifted Legendre symbol problem 362. Estimating Gauss sums 37

E. Generalized hidden shift problem 38

IX. Hidden Nonlinear Structures 39A. The hidden polynomial problem 39B. Shifted subset problems and exponential sums 40C. Polynomial reconstruction by Legendre symbol evaluation 41

X. Approximating #P-Complete Problems 41

Acknowledgments 43

A. Number Theory 431. Arithmetic moduloN 432. Finite fields and their extensions 433. Structure of finite fields 44

B. Representation Theory of Finite Groups 441. General theory 442. Abelian groups 453. Dihedral group 45

C. Curves Over Finite Fields 461. Affine and projective spaces 462. Projective curves 463. Properties of curves 464. Rational functions on curves 47

References 47

http://arXiv.org/abs/0812.0380v1

mailto:[email protected]

mailto:[email protected]

2

I. INTRODUCTION

In the early 1980s,Manin (1980) andFeynman(1982) in-dependently observed that computers built from quantum me-chanical components would be ideally suited to simulatingquantum mechanics. Whereas brute-force classical simula-tion of a system ofn quantum particles (say, two-level atoms)requires storing 2n complex amplitudes, and hence exponen-tially many bits of information, a quantum computer can nat-urally represent those amplitudes using onlyn quantum bits.Thus, it is natural to expect a quantum mechanical computerto outperform a classical one at quantum simulation.1

The perspective of quantum systems as abstract informa-tion processing devices subsequently led to the identificationof concrete tasks, apparently unrelated to quantum mechan-ics, for which quantum computers have a quantifiable advan-tage. Deutsch(1985) gave the first such example, a black-box problem that requires two queries to solve on a clas-sical computer, but that can be solved with only one quan-tum query. A series of related results (Bernstein and Vazirani,1997; Deutsch and Jozsa, 1992) gave increasingly dramaticseparations between classical and quantum query complex-ity, culminating in an example ofSimon(1997) providing anexponential separation. Building on this work,Shor (1997)discovered in 1994 that a quantum computer could efficientlyfactor integers and calculate discrete logarithms. Shor’sre-sult drew considerable attention to the concept of quantum in-formation processing (seeEkert and Jozsa(1996) for an earlyreview), and since then, the design and analysis of quantumalgorithms has become a vibrant research area.

Quantum computers achieve speedup over classical compu-tation by taking advantage of interference between quantumamplitudes. Of course, interference occurs in classical wavemechanics as well, but quantum mechanics is distinguishedby the ability to efficiently represent a large number of am-plitudes with only a few quantum bits.2 In Shor’s algorithmand its predecessors, the “exponential interference” leadingto quantum speedup is orchestrated using a unitary operationcalled thequantum Fourier transform(QFT), an algebraic op-eration. In this article, we review the state of the art in quan-tum algorithms foralgebraic problems, which can be viewedas continuations of the line of work leading from Deutsch toShor. Many, though not all, of these algorithms make use of

1 In principle, quantum systems evolving according to simpleinteractionsfrom a simple initial configuration can be described using fewer param-eters, and classical simulations exploiting this idea havebeen developed(see for examplePerez-Garcıaet al. (2007)). But while these ideas areextremely fruitful for simulating some quantum systems, wedo not ex-pect them to be efficient foranyphysically reasonable system—in particu-lar, not for systems capable of performing universal quantum computation.However, we emphasize that there is no unconditional proof that classicalsimulation of quantum systems requires exponential overhead.

2 A similar situation occurs for the description ofn probabilistic bits by2n real-valued probabilities. However, probabilities do notinterfere; andcontrary to the quantum case, randomized algorithms are notbelieved tobe dramatically more powerful than deterministic ones (seefor exampleImpagliazzo and Wigderson(1997)).

the QFT in some capacity.Before beginning our exploration of quantum algorithms

for algebraic problems, we briefly summarize the develop-ment of quantum algorithms more generally. It has sometimesbeen said that there are really only two quantum algorithms:Shor’s and Grover’s. We hope that this article will, in somesmall way, help to dispel this pernicious myth. While it is dif-ficult to compete with the impact of Shor’s algorithm (a dra-matic speedup for a problem profoundly relevant to modernelectronic commerce) or the broad applicability of Grover’salgorithm (a modest yet surprising speedup for the most basicof search problems), recent years have seen a steady stream ofnew quantum algorithms, both for artificial problems that shedlight on the power of quantum computation, and for problemsof genuine practical interest.

In 1996, Grover (1997) gave an algorithm achievingquadratic speedup3 for the unstructured search problem, theproblem of deciding whether a black-box Boolean func-tion has any input that evaluates to 1. Grover’s algo-rithm was subsequently generalized to the framework ofamplitude amplification and to counting the number of so-lutions (Brassardet al., 2002). The unstructured searchproblem is extremely basic, and Grover’s algorithm hasfound application to a wide variety of related problems(e.g., Ambainis andSpalek (2006); Brassardet al. (1997);Durr et al. (2004)).

The concept of quantum walk, developed by analogy to theclassical notion of random walk, has proven to be anotherbroadly useful tool for quantum algorithms. Continuous-time quantum walk was introduced byFarhi and Gutmann(1998), and discrete-time quantum walk was introduced byWatrous(2001b). The continuous-time formulation has beenused to demonstrate exponential speedup of quantum overclassical computation (Childset al., 2003, 2007), though itremains to be seen whether these ideas can be applied toa problem of practical interest. However, both continuous-and discrete-time quantum walk have been applied to achievepolynomial speedup for a variety of search problems. Follow-ing related work on spatial search (Aaronson and Ambainis,2005; Ambainiset al., 2005; Childs and Goldstone, 2004a,b;Shenviet al., 2003), Ambainis(2007) gave an optimal quan-tum algorithm for the element distinctness problem. This ap-proach was subsequently generalized (Magniezet al., 2007;Szegedy, 2004) and applied to other problems in query com-plexity, namely triangle finding (Magniezet al., 2005), check-ing matrix multiplication (Buhrman andSpalek, 2006), andtesting group commutativity (Magniez and Nayak, 2007). Re-cently, quantum walk has also been applied to give optimalquantum algorithms for evaluating balanced binary game trees(Farhiet al., 2007) and, more generally, Boolean formulas(Ambainiset al., 2007; Reichardt andSpalek, 2008).

3 Prior to Grover’s result it was already shown byBennettet al. (1997) thata quadratic speedup for the unstructured search problem is optimal. Moregenerally, foranytotal Boolean function, there can be be at most a polyno-mial separation (in general, at most degree 6) between classical and quan-tum query complexity (Bealset al., 2001).

3

A related technique for quantum algorithms is the conceptof adiabatic evolution. The quantum adiabatic theorem guar-antees that a quantum system in its ground state will remainclose to its ground state as the Hamiltonian is changed, pro-vided the change is sufficiently slow, depending on spectralproperties of the Hamiltonian (see for exampleBorn and Fock(1928); Jansenet al. (2007)). Farhiet al. (2000) proposed us-ing adiabatic evolution as an approach to optimization prob-lems. Unfortunately, analyzing this approach is challeng-ing. While it is possible to construct specific cost functionsfor which specific formulations of adiabatic optimization fail(van Damet al., 2001; van Dam and Vazirani, 2003; Fisher,1992; Reichardt, 2004), the performance in general remainspoorly understood. Going beyond the setting of optimizationproblems, note that adiabatic evolution can simulate a univer-sal quantum computer (Aharonovet al., 2007b).

Finally, returning to the original motivation for quan-tum computation, Manin and Feynman’s vision of quan-tum computers as quantum simulators has been considerablydeveloped (e.g.,Aspuru-Guziket al. (2005); Lloyd (1996);Wiesner(1996); Zalka(1998)). However, it has proven diffi-cult to identify a concrete computational task involving quan-tum simulation for which the speedup over classical comput-ers can be understood precisely. While it is widely expectedthat quantum simulation will be one of the major applicationsof quantum computers, much work remains to be done.

The main body of this article is organized as follows. InSectionII , we give a brief introduction to the model of quan-tum computation and the complexity of quantum algorithms.In SectionIII , we introduce the Abelian quantum Fouriertransform, and in SectionIV, we show how this transformcan be applied to solve the Abelian hidden subgroup problem,with various applications. In SectionV, we describe quantumalgorithms for problems involving number fields, includingthe efficient quantum algorithm for solving Pell’s equation. InSectionVI , we introduce the non-Abelian version of the quan-tum Fourier transform, and in SectionVII we discuss the sta-tus of the non-Abelian version of the hidden subgroup prob-lem. In SectionsVIII andIX, we describe two approaches togoing beyond the hidden subgroup framework, namely hid-den shift problems and hidden nonlinear structure problems,respectively. Finally, in SectionX, we briefly discuss quan-tum algorithms for approximating the Jones polynomial andother#P-complete problems.

II. COMPLEXITY OF QUANTUM COMPUTATION

In this section we give a brief introduction to quantum com-puters, with particular emphasis on characterizing computa-tional efficiency. For more detailed background, the readerisencouraged to consultKayeet al.(2007); Kitaevet al.(2002);Nielsen and Chuang(2000); Preskill(1998a).

A. Quantum data

A quantum computer is a device for performing calcula-tions using a quantum mechanical representation of informa-tion. Data are stored using quantum bits, orqubits, the statesof which can be represented byℓ2-normalized vectors in acomplex vector space. For example, we can write the stateof n qubits as

|ψ〉 = ∑x∈0,1n

ax|x〉 (1)

where theax ∈ C satisfy∑x∈0,1n |ax|2 = 1. We refer to thebasis of states|x〉 as thecomputational basis.

Although we can always suppose that our data is repre-sented using qubits, it is often useful to think of quantumstates as storing data more abstractly. For example, given agroupG, we write |g〉 for a computational basis state corre-sponding to the group elementg∈ G, and

|φ〉 = ∑g∈G

bg|g〉 (2)

(wherebg ∈ C with ∑g∈G |bg|2 = 1) for an arbitrary superpo-sition over the group. We often implicitly assume that thereissome canonical way of concisely representing group elementsusing bit strings; it is usually unnecessary to make this repre-sentation explicit. We use the convention that for any finitesetS, the state|S〉 denotes the normalized uniform superpositionof its elements, i.e.,

|S〉 :=1√|S| ∑s∈S

|s〉. (3)

If a quantum computer stores the state|ψ〉 in one registerand the state|φ〉 in another, the overall state is given by thetensor product of those two states. This may variously be de-noted|ψ〉⊗ |φ〉, |ψ〉|φ〉, or |ψ,φ〉.

It can be useful to consider statistical mixtures of purequantum states, represented bydensity matrices. We refer thereader to the references above for further details.

B. Quantum circuits

The allowed operations on pure quantum states are thosethat map normalized states to normalized states, namelyuni-tary operators U, satisfyingUU† = U†U = 1. When viewedas anN×N matrix, the rows (and columns) ofU form anorthonormal basis of the spaceCN.

To have a sensible notion ofefficientcomputation, we re-quire that the unitary operators appearing in a quantum com-putation are realized byquantum circuits(Deutsch, 1989;Yao, 1993). We are given a set of gates, each of which actson one or two qubits at a time, meaning that it is a tensorproduct of a nontrivial one- or two-qubit operator with theidentity operator on the remaining qubits. A quantum compu-tation begins in the|0. . .0〉 state, applies a sequence of one-and two-qubit gates chosen from the set of allowed gates, and

4

finally reports an outcome obtained by measuring in the com-putational basis. A circuit is called efficient if it contains anumber of gates that is polynomial in the number of qubitsthe circuit acts on.

In principle, any unitary operator onn qubits can be imple-mented using only 1- and 2-qubit gates (DiVincenzo, 1995).Thus we say that the set of all 1- and 2-qubit gates is(exactly)universal. Of course, some unitary operators take many more1- and 2-qubit gates to realize than others, and indeed, a sim-ple counting argument shows that most unitary operators onnqubits can only be realized using an exponentially large circuit(Knill , 1995).

In general, we are content with circuits that give good ap-proximations of our desired unitary transformations. We saythat a circuit with gatesU1,U2, . . . ,Ut approximatesU withprecisionε if ‖U −Ut · · ·U2U1‖ ≤ ε, where‖ · ‖ denotes theoperator norm, i.e., the largest singular value. We call a set ofelementary gatesuniversalif any unitary operator on a fixednumber of qubits can be approximated to precisionε usingpoly(log 1

ε ) elementary gates. It turns out that there are finitesets of gates that are universal (Boykin et al., 2000): for ex-ample, the setH,T,Λ(X) with

H :=1√2

(1 11 −1

)T :=

(eiπ/8 0

0 e−iπ/8

)(4)

Λ(X) :=

1 0 0 00 1 0 00 0 0 10 0 1 0

. (5)

There are situations in which a set of gates iseffectivelyuniversal, even though it cannot actually approximate anyunitary operator onn qubits. For example, the gate setH,T2,Λ(X),Λ2(X), whereΛ2(X) denotes the Toffoli gate(Λ2(X)|xyz〉 = |xyz〉 for xy∈ 00,01,10, andΛ2(X)|11z〉 =|11z〉) is universal (Kitaev, 1997), but only if we allow theuse of ancilla qubits (qubits that start and end in the|0〉state). Similarly, the gate setH,Λ2(X) is universal in thesense that, with ancillas, it can approximate anyorthogo-nal transformation (Aharonov, 2003; Shi, 2003). It clearlycannot approximate complex unitary matrices, since the en-tries of H and Λ2(X) are real; but the effect of arbitraryunitary transformations can be simulated using orthogonalones by simulating the real and imaginary parts separately(Bernstein and Vazirani, 1993; Rudolph and Grover, 2002).

One might wonder whether some universal gate sets are bet-ter than others. It turns out that the answer is essentially no:a unitary operator that can be realized efficiently with one setof 1- and 2-qubit gates can also be realized efficiently withanother such set. This is a consequence of the Solovay-Kitaevtheorem (Harrowet al., 2002; Kitaev, 1997; Solovay, 2000):

Theorem 1. Fix two gate sets that allow universal quantumcomputation and that are closed under taking inverses. Thenany t-gate circuit using the first gate set can be implementedwith error at mostε using a circuit of t·poly(log(t/ε)) gatesfrom the second gate set. Furthermore, there is an efficientclassical algorithm for finding this circuit.

In particular, this means we can view a simple finite gateset, such asH,T,Λ(X), as equivalent to an infinite gateset, such as the set of all two-qubit gates. A finite gate setis needed both for fault tolerance (SectionII.E) and for theconcept of uniformly generated circuits (Footnote4).

Note that to implement unitary operatorsexactly, the no-tion of efficiency might depend on the allowed gates (see forexampleMosca and Zalka(2004)), so we usually restrict ourattention to quantum computation with bounded error.

In principle, one can construct quantum circuits adaptively,basing the choices of gates on the outcomes of intermedi-ate measurements. We may also discard quantum data inthe course of a circuit. In general, the possible operationson mixed quantum states correspond to completely positive,trace preserving maps on density matrices. Again, we referthe reader to the aforementioned references for more details.

C. Reversible computation

Unitary matrices are invertible: in particular,U−1 = U†.Thus any unitary transformation is a reversible operation.This may seem at odds with how we often define classicalcircuits, using irreversible gates such asAND and OR. Butany classical computation can be made reversible by replac-ing each irreversible gatex 7→ g(x) by the reversible gate(x,y) 7→ (x,y⊕g(x)), where⊕ denotes bitwise addition mod-ulo 2. Applying this gate to the input(x,0) produces(x,g(x)).By storing all intermediate steps of the computation, we makeit reversible (Bennett, 1973).

On a quantum computer, storing all intermediate computa-tional steps could present a problem, since two identical re-sults obtained via distinct computational histories wouldnotbe able to interfere. However, there is an easy way to removethe accumulated information. After performing the classicalcomputation with reversible gates, we simply copy the answerinto an ancilla register, and then perform the computation inreverse. Thus we can implement the map(x,y) 7→ (x,y⊕ f (x))even whenf is a complicated circuit consisting of many gates.

Using this trick, any computation that can be performed ef-ficiently on a classical computer can be performed efficientlyon a quantum computer, even on a superposition of computa-tional basis states. In other words, if we can efficiently im-plement the mapx 7→ f (x) on a classical computer, we canefficiently perform the transformation

∑x

ax|x,y〉 7→ ∑x

ax|x,y⊕ f (x)〉 (6)

on a quantum computer. Note that this does not necessarilymean we can efficiently perform the transformation

∑x

ax|x〉 7→ ∑x

ax| f (x)〉, (7)

even if the functionf is bijective.

5

D. Quantum complexity theory

We say that an algorithm for a problem isefficient if thecircuit describing it uses a number of gates that is polynomialin the input size, the number of bits needed to write down theinput.4 For example, if the input is an integer moduloN, theinput size is⌈log2N⌉.

With a quantum computer, as with a randomized (or noisy)classical computer, the final result of a computation may notbe correct with certainty. Instead, we are typically contentwith an algorithm that can produce the correct answer withhigh enough probability. To solve a decision problem, it suf-fices to give an algorithm with success probability boundedabove 1/2 (say, at least 2/3), since we can repeat the compu-tation many times and take a majority vote to make the proba-bility of outputting an incorrect answer arbitrarily small. Sim-ilarly, if we can check whether a given solution is correct, itsuffices to output the correct answer with probabilityΩ(1).5

It is common practice to characterize the difficulty of com-putational problems usingcomplexity classes(see for examplePapadimitriou(1994)). Typically, these classes contain deci-sion problems, problems with a ‘yes’ or ‘no’ answer. (Sucha problem is conventionally formulated as deciding whethera string over some finite alphabet is in a givenlanguage; for-mally, a complexity class is a set of languages.) For example,the problems that can be decided in polynomial time on a de-terministic classical computer belong to the classP; on a prob-abilistic classical computer with error at most 1/3, to the classBPP; and on a quantum computer with error at most 1/3, tothe classBQP. Clearly,P ⊆ BPP ⊆ BQP. The central problemof quantum algorithms can be viewed as trying to understandwhat problems are inBQP, but not inP (or BPP).

Whereas the classesP, BPP, andBQP all attempt to char-acterize modes of computation that could be carried out inpractice,computational complexity theoryis also concernedwith more abstract classes that characterize other aspectsofcomputation. For example, the classNP corresponds to thosedecision problems for which a ‘yes’ answer can beverifiedin polynomial time on a classical computer, given a succinctproof. It is widely believed thatP 6= NP, and indeed, thatNP 6⊆ BQP (though it is also plausible thatBQP 6⊆ NP), butproving this appears to be an extremely challenging prob-

4 Strictly speaking, we would like the circuits for solving instances of a prob-lem of different sizes to be related to one another in some simple way.Given the ability to choose an arbitrary circuit for each input size, we couldeven have circuits computing uncomputable functions (i.e., functions that aTuring machine could not compute). Thus we require our circuits to beuni-formly generated: say, that there exists a fixed (classical) Turing machinethat, given a tape containing the symbol ‘1’n times, outputs a descriptionof thenth circuit in time poly(n).

5 In this article, we use standard big-O notation, wheref = O(g) if there existpositive constantsc,y such that| f (x)| ≤ c|g(x)| for all x≥ y; f = Ω(g) ifg = O( f ); and f = Θ(g) if both f = O(g) and f = Ω(g). The expressionΩ(1) thus represents a function lower bounded by an unspecified positiveconstant. We writef = o(g) to denote that limx→∞ f (x)/g(x) = 0. Toconvey that a functionf is bounded from above by a polynomial in thefunctiong, we write f = poly(g), which could also be written asf = gO(1).

lem (see for example the excellent survey of quantum com-plexity by Watrous(2009)). Indeed, it seems almost as diffi-cult just to proveP 6= PSPACE, wherePSPACE denotes theclass of problems that can be decided by a deterministic clas-sical computer running in polynomialspace. SinceBQP ⊆PSPACE (Bernstein and Vazirani, 1997) (i.e., any computa-tion that can be performed on a quantum computer in poly-nomial time can be performed on a classical computer withpolynomial memory—indeed, even stronger such results areknown (Adlemanet al., 1997; Bernstein and Vazirani, 1997;Fortnow and Rogers, 1998)), we expect it will be hard toprove P 6= BQP. Instead, we try to find efficient quantumalgorithms for problems thatappearto be hard for classicalcomputers.

While most complexity classes contain decision problems,some classes describe the complexity of computing non-Boolean functions. For example, the class#P characterizesthe complexity of counting the number of ‘yes’ solutions to aproblem inNP.

Alternatively, instead of consideringnaturalcomputationalproblems (in which the input is a string), we sometimes workin the setting ofquery complexity. Here the input is a black-box transformation (ororacle)—which in the quantum settingis given as a unitary transformation as in Eq. (6)—and our goalis to discover some property of the transformation by queryingit as few times as possible. For example, in Simon’s problem(Simon, 1997), we are given a black box for a transformationf : 0,1n → S satisfying f (x) = f (y) iff y ∈ x,x⊕ t forsome unknownt ∈ 0,1n, and the goal is to learnt.

The query model facilitates proving lower bounds: it is of-ten tractable to establish that many queries must be used tosolve a given black-box problem, whereas it is generally hardto show that many gates are required to compute some ex-plicit function. Indeed, we will encounter numerous exam-ples of black-box problems that can be solved in polynomialtime on a quantum computer, but thatprovablyrequire expo-nentially many queries on a randomized classical computer.Of course, if we find an efficient algorithm for a problem inquery complexity, then if we are provided with an explicit, ef-ficient circuit realizing the black-box transformation, wewillhave an efficient algorithm for a natural computational prob-lem. We stress, however, that lower bounds in the query modelno longer apply when the black box is thus replaced by a trans-parent one. For example, Shor’s factoring algorithm (Sec-tion IV.E) proceeds by solving a problem in query complexitywhich is provably hard for classical computers. Nevertheless,it is an open question whether factoring is classically hard,since there might be a fast classical algorithm that does notwork by solving the query problem.

E. Fault tolerance

With any real computer, operations cannot be done per-fectly. Quantum gates and measurements may be performedimprecisely, and errors may happen even to stored data thatis not being manipulated. Fortunately, there are protocolsfordealing with faults that occur during the execution of a quan-

6

tum computation. Specifically, thefault-tolerant thresholdtheoremstates that as long as the noise level is below somethreshold (depending on the noise model and the architec-ture of the quantum computer, but typically in the range of10−2 to 10−4), an arbitrarily long computation can be per-formed with arbitrarily small error (Aharonov and Ben-Or,2008; Kitaev, 1997; Knill et al., 1996, 1997; Preskill, 1998b;Shor, 1996). Throughout this article, we implicitly assumethat fault-tolerant protocols have been applied, so that weef-fectively have a perfectly functioning quantum computer.

III. ABELIAN QUANTUM FOURIER TRANSFORM

A. Fourier transforms over finite Abelian groups

For the groupZ/NZ, the group of integers moduloN underaddition (see AppendixA), the quantum Fourier transform(QFT) is a unitary operationFZ/NZ. Its effect on a basis state|x〉 for anyx∈ Z/NZ is

|x〉 7→ 1√N

∑y∈Z/NZ

ωxyN |y〉, (8)

whereωN := e2πi/N denotes a primitiveNth root of unity.More generally, a finite Abelian groupG has|G| distinct

one-dimensional irreducible representations (or irreduciblecharacters)ψ ∈ G. These are functionsψ : G → C withψ(a+b) = ψ(a)ψ(b) for all a,b∈ G, using additive notationfor the group operation ofG (see AppendixB for further de-tails). The quantum Fourier transformFG overG acts as

|x〉 7→ 1√|G| ∑

ψ∈G

ψ(x)|ψ〉 (9)

for eachx∈ G.For example, the group(Z/NZ) × (Z/NZ) has N2 ir-

reducible representations defined byψy1,y2 : (x1,x2) 7→ωx1y1+x2y2

N for all y1,y2 ∈ Z/NZ; hence its quantum FouriertransformF(Z/NZ)×(Z/NZ) acts as

|x1,x2〉 7→1N ∑

y1,y2∈Z/NZ

ωx1y1+x2y2N |y1,y2〉 (10)

for all x1,x2 ∈ Z/NZ. In this example,F(Z/NZ)×(Z/NZ) canbe written as the tensor productFZ/NZ ⊗ FZ/NZ. In gen-eral, according to the fundamental theorem of finite Abeliangroups, any finite Abelian groupG can be expressed as a di-rect product of cyclic subgroups of prime power order,G ∼=(Z/pr1

1 Z)× ·· ·× (Z/prkk Z), and the QFT overG can be writ-

ten as the tensor product of QFTsFZ/pr11 Z ⊗·· ·⊗F

Z/prkk Z

.

The Fourier transformFG is useful for exploiting symmetrywith respect toG. Consider the operatorPs that addss∈ G,defined byPs|x〉 = |x+ s〉 for anyx ∈ G. This operator is di-agonal in the Fourier basis: we have

FGPsF†G = ∑

ψ∈G

ψ(s)|ψ〉〈ψ|. (11)

Thus, measurements in the Fourier basis produce the samestatistics for a pure state|φ〉 and its shiftPs|φ〉. Equivalently,aG-invariant mixed state is diagonalized byFG.

B. Efficient quantum circuit for the QFT over Z/2nZ

To use the Fourier transform overG as part of an efficientquantum computation, we must implement it (approximately)by a quantum circuit of size poly(log|G|). This can indeed bedone for any finite Abelian group (Barencoet al., 1996; Cleve,1994; Coppersmith, 1994; Hales and Hallgren, 2000; Kitaev,1995; Shor, 1997). In this section we explain a constructionfor the case of the groupZ/2nZ, following the presentation ofCleveet al. (1998).

Transforming from the basis of states|x〉 : x ∈ G to thebasis|ψ〉 : ψ ∈ G, the matrix representation of the Fouriertransformation overZ/NZ is

FZ/NZ =1√N

1 1 1 · · · 11 ωN ω2

N · · · ωN−1N

1 ω2N ω4

N · · · ω2N−2N

......

.... . .

...

1 ωN−1N ω2N−2

N · · · ω(N−1)(N−1)N

. (12)

More succinctly,

FZ/NZ =1√N

∑x,y∈Z/NZ

ωxyN |y〉〈x|, (13)

where|y〉 represents the basis state corresponding to the char-acter ψy with ψy(x) = ωxy

N . It is straightforward to ver-ify that FZ/NZ is indeed a unitary transformation, i.e., that

FZ/NZF†Z/NZ = F†

Z/NZFZ/NZ = 1.Assume now thatN = 2n, and let us represent the integer

x∈ Z/NZ by n bits x0,x1, . . . ,xn−1 wherex = ∑n−1j=0 2 jx j . The

Fourier transform of|x〉 can then be written as the tensor prod-uct ofn qubits, since

FZ/2nZ|x〉 =1√2n ∑

y∈0,1n

ωx(∑n−1

j=0 2 j yj )

2n |y0, . . . ,yn−1〉 (14)

=1√2n

n−1O

j=0∑

yj∈0,1e2πi xyj /2n− j |y j〉 (15)

=n−1O

j=0

|0〉+e2πi ∑n−1k=0 2 j+k−nxk |1〉√

2(16)

=:n−1O

j=0

|zj〉. (17)

Now, because exp(2πi2sxk) = 1 for all integerss≥ 0, we seethat thejth output qubit is

|zj〉 =1√2(|0〉+e2πi(2 j−nx0+2 j+1−nx1+···+2−1xn−1− j )|1〉), (18)

and hence only depends on then− j input bitsx0, . . . ,xn−1− j .

7

To describe a quantum circuit that implements the Fouriertransform, we define the single-qubit phase rotation

Rr :=

(1 00 e2πi/2r

)≃ /. -,() *+Rr (19)

and the two-qubit controlled rotation

Λ(Rr) :=

1 0 0 00 1 0 00 0 1 00 0 0 e2πi/2r

≃•

/. -,() *+Rr(20)

acting symmetrically ona and b ∈ 0,1 as Λ(Rr)|a,b〉 =

e2πiab/2r |a,b〉. The circuit shown in Figure1 uses(n

2

)of these

gates together withn Hadamard gates to exactly implementthe quantum Fourier transform overZ/2nZ.

In this circuit, there are many rotations by small angles thatdo not significantly affect the final result. By simply omit-ting the gatesΛ(Rr) with r = Ω(logn), we obtain a circuit ofsizeO(nlogn) (instead ofO(n2) for the original circuit) thatimplements the QFT with precision 1/poly(n) (Coppersmith,1994).

C. Phase estimation and the QFT over any finite Abelian group

Aside from being directly applicable to quantum algo-rithms, such as Shor’s algorithm, the QFT overZ/2nZ pro-vides a useful quantum computing primitive calledphase es-timation (Cleveet al., 1998; Kitaev, 1995). In the phase es-timation problem, we are given a unitary operatorU (eitheras an explicit circuit, or as a black box that lets us apply acontrolled-Ux operation for integer values ofx). We are alsogiven a state|φ〉 that is promised to be an eigenvector ofU ,namelyU |φ〉 = eiφ|φ〉 for someφ ∈ R. The goal is to outputan estimate ofφ to some desired precision. (Of course, we canalso apply the procedure to a general state|ψ〉; by linearity, weobtain each valueφ with probability|〈φ|ψ〉|2.)

The procedure for phase estimation is straightforward:

Algorithm 1 (Phase estimation).Input: Eigenstate|φ〉 (with eigenvalueeiφ) of a given unitaryoperator U.Problem:Produce an n-bit estimate ofφ.

1. Prepare the quantum computer in the state

1√2n ∑

x∈Z/2nZ

|x〉⊗ |φ〉. (21)

2. Apply the unitary operator

∑x∈Z/2nZ

|x〉〈x|⊗Ux, (22)

giving the state

1√2n ∑

x∈Z/2nZ

eiφx|x〉⊗ |φ〉. (23)

3. Apply an inverse Fourier transform on the first register,giving

12n ∑

x,y∈Z/2nZ

ωx( 2n2π φ−y)

2n |y〉⊗ |φ〉. (24)

4. Measure the first register of the resulting state in thecomputational basis.

If the binary expansion ofφ/2π terminates after at mostnbits, then the result is guaranteed to be the binary expansionof φ/2π. In general, we obtain a good approximation withhigh probability (Cleveet al., 1998). (The relevant calcula-tion appears in SectionIV.D for the case whereφ ∈ Q; thatsame calculation works for anyφ ∈ R.) The optimal way ofestimating the unknown phase is analyzed in (van Damet al.,2007), but the above method is sufficient for our purposes.

The complexity of Algorithm1 can depend on the formof the unitary operatorU . If we are only given a black boxfor the controlled-U gate, then there may be no better wayto implement the controlled-Ux operation than by perform-ing a controlled-U gatex times, so that the running time isΘ(2n) (i.e., approximately the inverse of the desired preci-sion). On the other hand, if it is possible to implement Eq. (22)in poly(n) time—say, using repeated squaring—then phaseestimation can be performed in poly(n) time.

One useful application of phase estimation is to implementthe QFT Eq. (13) over an arbitrary cyclic groupZ/NZ (Kitaev,1995). The circuit presented in the previous section onlyworks whenN is a power of two (or, with a slight generaliza-tion, a power of some other fixed integer). But the followingsimple technique can be used to realizeFZ/NZ (approximately)using phase estimation. (While this approach is conceptuallysimple, it is possible to implement the QFT over a cyclic groupmore efficiently; seeHales and Hallgren(2000).)

We would like to perform the transformation that maps|x〉 7→ |x〉, where|x〉 := FZ/NZ|x〉 denotes a Fourier basis state.By linearity, if the transformation acts correctly on a basis, itacts correctly on all states. It is straightforward to performthe transformation|x,0〉 7→ |x, x〉 (create a uniform superposi-tion ∑y∈Z/NZ |y〉/

√N in the second register and apply the con-

trolled phase shift|x,y〉 7→ ωxyN |x,y〉), but it remains to erase

the first register.Consider the unitary operatorP1 that adds 1 moduloN, i.e.,

P1|x〉 = |x+ 1〉 for any x ∈ Z/NZ. According to Eq. (11),the eigenstates of this operator are precisely the Fourier ba-sis states|x〉, with eigenvaluesωx

N. Thus, using phase esti-mation onP1 (with n = O(logN) bits of precision), we canapproximate the transformation|x,0〉 7→ |x,x〉. Reversing thisoperation, we can erase|x〉, giving the desired QFT. Note thatwe can performPx

1 in poly(logN) steps even whenx is expo-nentially large in logN, so the resulting procedure is indeedefficient.

Given the Fourier transform overZ/NZ, it is straightfor-ward to implement the QFT over an arbitrary finite Abeliangroup using the decomposition of the group into cyclic fac-tors, as discussed at the end of SectionIII.A .

8

|x0〉 · · · • · · · • · · · • H |zn−1〉

|x1〉 · · · • · · · • · · · H /. -,() *+R2 |zn−2〉...

......

...

|xn−3〉 • · · · • · · · · · · |z2〉|xn−2〉 • · · · H /. -,() *+R2 · · · /. -,() *+Rn−2

/. -,() *+Rn−1 · · · |z1〉

|xn−1〉 H /. -,() *+R2/. -,() *+R3 · · · /. -,() *+Rn−1

/. -,() *+Rn · · · · · · |z0〉

FIG. 1 An efficient (sizeO(n2)) quantum circuit for the quantum Fourier transform overZ/2nZ. Note that the order of then output bitsz0, . . . ,zn−1 is reversed, as compared with the order of then input bitsx0, . . . ,xn−1.

If gates can be performed in parallel, it is possible to per-form the QFT much more quickly, using onlyO(loglogN)time steps (Cleve and Watrous, 2000; Hales, 2002).

D. The QFT over a finite field

The elements of the finite fieldFq, whereq = pm is a powerof a prime numberp, form an Abelian group under addition(see AppendixA), and the QFT over this group has many ap-plications. If q is prime, thenFq = Z/qZ, so the QFT overFq is straightforward. More generally, as an additive group,Fq

∼= (Z/pZ)m, so in principle, the QFT overFq could be de-fined using an explicit isomorphism to(Z/pZ)m. However, itis often more convenient to defineFFq in terms of the(abso-lute) trace, the linear function Tr :Fq → Fp defined by

Tr(x) := x+xp+xp2+ · · ·+xpm−1

. (25)

One can show that the functionsψy : Fq → C defined by

ψy(x) = ωTr(xy)p (26)

for eachy∈ Fq form a complete set of additive characters ofFq. Thus, the QFT overFq can be written

FFq =1√q ∑

x,y∈Fq

ωTr(xy)p |y〉〈x|. (27)

This definition is preferred over other possible choices be-cause it commutes with the permutation|z〉 7→ |zp〉 implement-ing the Frobenius automorphism, and hence respects the mul-tiplicative structure ofFq.

IV. ABELIAN HIDDEN SUBGROUP PROBLEM

A. Period finding over Z/NZ

Suppose we are given a function over the integers0,1, . . . ,N−1 that is periodic with periodr. Further, supposethat this function never takes the same value twice within thefundamental period (i.e., it isinjectivewithin each period). Inother words, the functionf : Z/NZ → Ssatisfies

f (x) = f (y) if and only ifx−y

r∈ Z (28)

for all x,y∈ Z/NZ. Notice that this can only be the case ifrdividesN, so thatf can have exactlyN/r periods.

If we knowN, then we can find the periodr efficiently usingthe quantum Fourier transform over the additive groupZ/NZ.We represent each elementx ∈ Z/NZ uniquely as an integerx ∈ 0, . . . ,N−1. Similarly, the irreducible representationsψ : Z/NZ → C can be labeled by integersy∈ 0, . . . ,N−1,namely withψy(x) = e2πixy/N. The following algorithm solvesthe period finding problem.

Algorithm 2 (Period finding overZ/NZ).Input: A black box f: Z/NZ → S satisfying Eq. (28) for someunknown r∈ Z/NZ, where r divides N.Problem:Determine r.

1. Create the uniform superposition

|Z/NZ〉 =1√N

∑x∈Z/NZ

|x〉 (29)

of all elements ofZ/NZ (recall the notation Eq. (3)).For example, this can be done by applying the Fouriertransform overZ/NZ to the state|0〉.

2. Query the function f in an ancilla register, giving

1√N

∑x∈Z/NZ

|x, f (x)〉. (30)

3. At this point, if we were to measure the ancilla register,the first register would be left in a superposition of thosex ∈ Z/NZ consistent with the observed function value.By the periodicity of f , this state would be of the form

√rN

Nr −1

∑j=0

|s+ jr 〉 (31)

for some unknown offset s∈ 0, . . . , r − 1 occurringuniformly at random, corresponding to the uniformlyrandom observed function value f(s). Since we willnot use this function value, there is no need to explic-itly measure the ancilla; ignoring the second registerresults in the same statistical description. Thus, wemay simply discard the ancilla, giving a mixed quan-tum state, or equivalently, a random pure state.

9

4. Apply the Fourier transform overZ/NZ, giving

√rN ∑

y∈Z/NZ

Nr −1

∑j=0

ω(s+ jr )yN |y〉. (32)

By the identity

M−1

∑j=0

ω jyM = M δ j ,y modM (33)

(applied with M= N/r, soω jryN = ω jy

M ), only the valuesy∈ 0,N/r,2N/r, . . . ,(r−1)N/r experience construc-tive interference, and Eq. (32) equals

1√r

r−1

∑k=0

ωskr |kN/r〉. (34)

5. Measure this state in the computational basis, givingsome integer multiple kN/r of N/r. Dividing this inte-ger by N gives the fraction k/r, which, when reduced tolowest terms, has r/gcd(r,k) as its denominator.

6. Repeating the above gives a second denominatorr/gcd(r,k′). If k and k′ are relatively prime, theleast common multiple of r/gcd(r,k) and r/gcd(r,k′)is r. The probability of this happening is at least∏p prime(1− 1

p2 ) = 6/π2 ≈ 0.61, so the algorithm suc-ceeds with constant probability.

B. Computing discrete logarithms

Let C = 〈g〉 be a cyclic group generated by an elementg,with the group operation written multiplicatively. Given anelementx∈C, thediscrete logarithm of x in C with respect tog, denoted loggx, is the smallest non-negative integerℓ suchthat gℓ = x. The discrete logarithm problemis the problemof calculating loggx giveng andx. (Notice that foradditivegroups such asG= Z/pZ, the discrete log represents division:loggx = x/g mod p.)

1. Discrete logarithms and cryptography

Classically, the discrete logarithm seems like a good candi-date for a one-way function. We can efficiently computegℓ,even ifℓ is exponentially large (in log|C|), by repeated squar-ing. But givenx, it is not immediately clear how to computeloggx without checking exponentially many possibilities.

The apparent hardness of the discrete logarithm problemis the basis of theDiffie-Hellman key exchange protocol(Diffie and Hellman, 1976), the earliest published public-keycryptographic protocol. The goal of key exchange is for twodistant parties, Alice and Bob, to agree on a secret key usingonly an insecure public channel. The Diffie-Hellman protocolworks as follows:

1. Alice and Bob publicly agree on a large primep andan integerg of high order. For simplicity, suppose theychoose ag for which 〈g〉 = (Z/pZ)× (i.e., a primitiveroot modulop). (In general, finding such ag might behard, but it can be done efficiently given certain restric-tions onp.)

2a. Alice chooses somea ∈ Z/(p− 1)Z uniformly at ran-dom. She computesA := ga mod p and sends the resultto Bob (keepinga secret).

2b. Bob chooses someb ∈ Z/(p− 1)Z uniformly at ran-dom. He computesB := gb mod p and sends the resultto Alice (keepingb secret).

3a. Alice computesK := Ba = gab mod p.

3b. Bob computesK = Ab = gab mod p.

At the end of the protocol, Alice and Bob share a keyK, andan eavesdropper Eve has only seenp, g, A, andB.

The security of the Diffie-Hellman protocol relies on theassumption that discrete log is hard. Clearly, if Eve cancompute discrete logarithms, she can recovera and b, andhence the key. But it is widely believed that the discretelogarithm problem is difficult for classical computers. Thebest known algorithms for general groups, such as Pollard’srho algorithm and the baby-step giant-step algorithm, run intime O(

√|C|). For particular groups, it may be possible

to do better: for example, over(Z/pZ)× with p prime, thenumber field sieve is conjectured to compute discrete loga-

rithms in time 2O((logp)1/3(loglogp)2/3) (Gordon, 1993) (whereasthe best known rigorously analyzed algorithms run in time2O(

√logploglogp) (Pomerance, 1987)); but this is still super-

polynomial in logp. It is suspected that breaking the Diffie-Hellman protocol is essentially as hard as computing the dis-crete logarithm.6

This protocol by itself only provides a means of exchanginga secret key, not of sending private messages. However, Aliceand Bob can subsequently use their shared key in a symmetricencryption protocol to communicate securely. The ideas be-hind the Diffie-Hellman protocol can also be used to directlycreate public-key cryptosystems (similar in spirit to the widelyused RSA cryptosystem), such as the ElGamal protocol; seefor example (Buchmann, 2004; Menezeset al., 1996).

2. Shor’s algorithm for discrete log

Although the problem appears to be difficult for classicalcomputers, quantum computers can calculate discrete loga-rithms efficiently. Recall that we are given some elementx ofa cyclic groupC = 〈g〉 and we would like to calculate loggx,the smallest non-negative integerℓ such thatgℓ = x.

6 It is nevertheless an open question whether, given the ability to break theprotocol, Eve can calculate discrete logarithms. Some partial results on thisquestion are known (den Boer, 1990; Maurer and Wolf, 1999).

10

For simplicity, assume that the order of the group,N := |C|,is known. For example, ifC = (Z/pZ)×, then we knowN = p− 1. If we do not knowN, we can determine it ef-ficiently using Shor’s algorithm for period finding overZ,which we discuss in SectionIV.D. We also assume thatx 6= g(i.e., loggx 6= 1), since it is easy to check this.

The algorithm ofShor(1997) for computing discrete loga-rithms works as follows:

Algorithm 3 (Discrete logarithm).Input: A cyclic group C= 〈g〉 and an element x∈C.Problem:Calculateloggx.

1. If necessary, using the period finding algorithm of Sec-tion IV.D, determine the order N= |C|.

2. Create the uniform superposition

|Z/NZ×Z/NZ〉 =1N ∑

α,β∈Z/NZ

|α,β〉 (35)

over all elements of the additive Abelian groupZ/NZ×Z/NZ.

3. Define a function f: Z/NZ×Z/NZ →C as follows:

f (α,β) = xαgβ. (36)

Compute this function in an ancilla register, giving

1N ∑

α,β∈Z/NZ

|α,β, f (α,β)〉. (37)

4. Discard the ancilla register.7 Since f(α,β) = gα loggx+β,f is constant on the lines

Lγ := (α,β) ∈ (Z/NZ)2 : α loggx+ β = γ, (38)

so the remaining state is a uniform superposition overgroup elements consistent with a uniformly random, un-knownγ ∈ Z/NZ, namely

|Lγ〉 =1√N

∑α∈Z/NZ

|α,γ−α loggx〉. (39)

5. Now we can exploit the symmetry of the quantum stateby performing a QFT overZ/NZ×Z/NZ, giving

1

N3/2 ∑α,µ,ν∈Z/NZ

ωµα+ν(γ−α logg x)N |µ,ν〉 (40)

=1√N

∑ν∈Z/NZ

ωνγN |ν logg x,ν〉 (41)

where we used the identity Eq. (33).

7 Note that if we were to measure the ancilla register instead of discardingit, the outcome would be unhelpful: each possible valuegγ occurs withequal probability, and we cannot obtainγ from gγ unless we know how tocompute discrete logarithms.

6. Measure this state in the computational basis. Weobtain some pair(ν loggx,ν) for a uniformly randomν ∈ Z/NZ.

7. Repeating the above gives a second pair(ν′ loggx,ν′)with a uniformly randomν′ ∈ Z/NZ, independent ofν.With constant probability (at least6/π2 ≈ 0.61), ν andν′ are coprime, in which case we can find integersλandλ′ such thatλν+ λ′ν′ = 1. Thus we can determineλν logg x+ λ′ν′ logg x = loggx.

This algorithm can be carried out for any cyclic groupC,given a unique representation of its elements and the ability toefficiently compute products and inverses inC. To efficientlycomputef (α,β), we must compute high powers of a groupelement, which can be done quickly by repeated squaring.

In particular, Shor’s algorithm for discrete log breaks theDiffie-Hellman key exchange protocol described above, inwhichC= (Z/pZ)×. In SectionIV.F we discuss further appli-cations to cryptography, in whichC is the group correspond-ing to anelliptic curve.

C. Hidden subgroup problem for finite Abelian groups

Algorithms 2 and 3 solve particular instances of a moregeneral problem, theAbelian hidden subgroup problem(orAbelian HSP). We now describe this problem and show howit can be solved efficiently on a quantum computer.

Let G be a finite Abelian group with group operations writ-ten additively, and consider a functionf : G → S, whereS issome finite set. We say thatf hidesthe subgroupH ≤ G if

f (x) = f (y) if and only if x−y∈ H (42)

for all x,y∈ G. In the Abelian hidden subgroup problem, weare asked to find a generating set forH given the ability toquery the functionf .

It is clear thatH can in principle be reconstructed from theentire truth table off . Notice in particular thatf (0) = f (x)if and only if x ∈ H: the hiding function is constant on thehidden subgroup, and does not take that value anywhere else.Furthermore, fixing anyy∈ G, we see thatf (y) = f (x) if andonly if x ∈ y+ H := y+ h : h∈ H, a cosetof H in G withcoset representativey. So f is constant on the cosets ofH inG, and distinct on different cosets.

The simplest example of the Abelian hidden subgroupproblem is Simon’s problem, in which G = (Z/2Z)n andH = 0,x for some unknownx ∈ (Z/2Z)n. Simon’s effi-cient quantum algorithm for this problem (Simon, 1997) ledthe way to Shor’s algorithms for other instances of the AbelianHSP.

The period finding problem discussed in SectionIV.A is theAbelian HSP withG = Z/NZ. The subgroups ofG are of theform H = 0, r,2r, . . . ,N− r (of order|H|= N/r), wherer isa divisor ofN. Thus a function hidesH according to Eq. (42)precisely when it isr-periodic, as in Eq. (28). We have alreadyseen that such a subgroup can be found efficiently.

The quantum algorithm for discrete log, as discussed inSectionIV.B, solves an Abelian hidden subgroup problem in

11

the groupZ/NZ×Z/NZ. The function defined in Eq. (36)hides the subgroup

H = (α,α loggx) : α ∈ Z/NZ. (43)

Shor’s algorithm computes loggx by finding this hidden sub-group.

More generally, there is an efficient quantum algorithm toidentify any hidden subgroupH ≤Gof a known finite AbeliangroupG. (In SectionVII.C we relax the commutativity re-striction to the requirement thatH is a normal subgroup ofG,which is always the case ifG is Abelian.) The algorithm forthe general Abelian hidden subgroup problem is as follows:

Algorithm 4 (Abelian hidden subgroup problem).Input: A black-box function f: G→ S hiding some H≤ G.Problem:Find a generating set for H.

1. Create a uniform superposition|G〉 over the elementsof the group.

2. Query the function f in an ancilla register, giving thestate

1√|G| ∑

x∈G

|x, f (x)〉. (44)

3. Discard the ancilla register, giving thecoset state

|s+H〉=1√|H| ∑

y∈H|s+y〉 (45)

for some unknown, uniformly random s∈ G. Equiva-lently, the state can be described by the density matrix

ρH :=1|G| ∑

s∈G

|s+H〉〈s+H|. (46)

4. Apply the QFT over G to this state. According to thedefinition of the QFT in Eq. (9), the result is

1√|H| · |G| ∑

ψ∈G∑y∈H

ψ(s+y)|ψ〉 (47)

=

√|H||G| ∑

ψ∈G

ψ(s)ψ(H)|ψ〉 (48)

where

ψ(H) :=1|H| ∑

y∈H

ψ(y). (49)

If ψ(y) = 1 for all y ∈ H, then clearlyψ(H) = 1. Onthe other hand, if there is any y∈ H with ψ(y) 6= 1 (i.e.,if the restriction ofψ to H is not the trivial characterof H), then by the orthogonality of distinct irreduciblecharacters (Theorem6 in AppendixB), ψ(H) = 0. Thuswe have the state

|s+H〉 :=

√|H||G| ∑

ψ∈G,ResGH ψ=1

ψ(s)|ψ〉 (50)

or, equivalently, the mixed quantum state

ρH :=|H||G| ∑

ψ∈G,ResGH ψ=1

|ψ〉〈ψ|, (51)

whereResGH ψ = 1 means thatψ(h) = 1 for all h ∈ H.

5. Measure in the computational basis. Then we obtainone of the|G|/|H| charactersψ ∈ G that is trivialon the hidden subgroup H, with every such charac-ter occurring with equal probability|H|/|G|. Lettingkerψ := g ∈ G : ψ(g) = 1 denote thekernelof thecharacterψ (which is a subgroup of G), we learn thatH ≤ kerψ.

6. Repeat the entire process T times, obtaining charactersψ1, . . . ,ψT , and output a generating set for KT , whereKt :=

Ttj=1kerψ j . We are guaranteed that H≤ Kt for

any t. A simple calculation shows that if Kt 6= H, then|Kt+1|/|Kt | ≤ 1/2 with probability at least1/2. Thus,we can choose T= O(log|G|) such that KT = H withhigh probability.

In summary, given a black-box functionf hiding a sub-groupH of a known finite Abelian groupG, a quantum com-puter can determineH in time poly(log|G|), and in particular,using only poly(log|G|) queries to the functionf . Of course,this assumes that we can efficiently implement group opera-tions inG using some unique representation of its elements.

In contrast, the Abelian hidden subgroup problem is typi-cally hard for classical computers. For example, an argumentbased on the birthday problem shows that even the simplecase of Simon’s problem (whereG = (Z/2Z)n) has classicalquery complexityΩ(

√2n) (Simon, 1997). While certain spe-

cial cases are easy—for example, since the only subgroupsof Z/pZ with p prime are itself and the trivial subgroup, pe-riod finding overZ/pZ is trivial—the classical query com-plexity of the Abelian HSP is usually exponential. In partic-ular, one can show that ifG has a set ofN subgroups withtrivial pairwise intersection, then the classical query complex-ity of the HSP inG is Ω(

√N). (For a proof in the case where

G = Fq×Fq, seede Beaudrapet al. (2002).)

D. Period finding over Z

In the previous section, we saw that the Abelian HSP canbe solved efficiently over any known finite Abelian group.In this section we consider the HSP over an infinite Abeliangroup, namelyZ (Shor, 1997). Similar ideas can be usedto solve the HSP over any finitely generated Abelian group(Mosca and Ekert, 1999). (For an Abelian group that is notfinitely generated, new ideas are required, as we discuss inSectionV.D.)

The HSP inZ is of interest when we are faced with a pe-riodic function f over an unknown domain. For example,Shor’s factoring algorithm (SectionIV.E) works by finding theperiod of a function defined overZ. Without knowing the fac-torization, it is unclear how to choose a finite domain whose

12

N︷︸︸︷•x0 · · ·

︸︷︷︸r

︸︷︷︸r

︸︷︷︸r

︸︷︷︸N−r⌊N/r⌋

FIG. 2 Sampling aZ-periodic function overZ/NZ.

size is a multiple of the unknown period, so we cannot imme-diately apply the period finding algorithm from SectionIV.A .

Of course, we cannot represent arbitrary integers on a com-puter with finitely many bits. Instead, we can restrict the func-tion to the inputs0,1, . . . ,N−1 for some chosenN and per-form Fourier sampling overZ/NZ. This can work even whenthe function is not precisely periodic overZ/NZ, providedNis sufficiently large. To simplify the implementation of theQFT, we can chooseN = 2n to be a power of 2.

This approach can only work if the period is sufficientlysmall, since otherwise we could miss the period entirely. Wewill see how to chooseN if given an a priori upper boundon the period. If we do not initially have such a bound, wecan simply start withN = 2 and repeatedly doubleN until theperiod finding algorithm succeeds. The overhead incurred bythis procedure is only poly(logr).

Algorithm 5 (Period finding overZ).Input: A black box f: Z/NZ → S satisfying Eq. (28) for somer ∈ Z with r2 < N, where r does not necessarily divide N.Problem:Determine r.

1. Prepare the uniform superposition|Z/NZ〉.

2. Query the function in an ancilla register, giving

1√N

∑x∈Z/NZ

|x, f (x)〉. (52)

3. Discard the ancilla register, leaving the first register ina uniform superposition over those x∈Z/NZ consistentwith some particular function value. Since f is periodicwith minimum period r, we obtain a superposition overpoints separated by r. The number of such points, n,depends on where the first point, x0 ∈ 0,1, . . . , r −1,appears. When restricted toZ/NZ, the function has⌊N/r⌋ full periods and N− r ⌊N/r⌋ remaining points,as depicted in Figure2. Thus

n =

⌊N/r⌋+1 x0 < N− r ⌊N/r⌋⌊N/r⌋ otherwise.

(53)

In other words, we are left with the quantum state

1√n

n−1

∑j=0

|x0 + jr 〉 (54)

where x0 occurs nearly uniformly at random (specifi-cally, it appears with probability n/N) and is unknown.

4. Apply the Fourier transform overZ/NZ, giving

1√nN

∑k∈Z/NZ

ωkx0N

n−1

∑j=0

ω jkrN |k〉. (55)

If we were lucky enough to choose a value of N forwhich r|N, then n= N/r regardless of the value of x0,and the sum over j gives nδk modn,0 by Eq. (33), so thisstate is identical to Eq. (34). But more generally, thesum over j in Eq. (55) is the geometric series

n−1

∑j=0

ω jkrN =

ωkrnN −1

ωkrN −1

= ω(n−1)kr/2N

sin(πkrnN )

sin(πkrN )

. (56)

5. Measure in the computational basis. The probability ofseeing a particular value k is

Pr(k) =sin2(πkrn

N )

nNsin2(πkrN )

. (57)

From the case where n= N/r, we expect this distribu-tion to be strongly peaked around values of k that areclose to integer multiples of N/r. The probability ofseeing k= ⌊ jN/r⌉ = jN/r + ε for some j∈ Z, where⌊x⌉ denotes the nearest integer to x, is

Pr(k = ⌊ jN/r⌉) =sin2(π jn+ πεrn

N )

nNsin2(π j + πεrN )

(58)

=sin2(πεrn

N )

nNsin2(πεrN )

. (59)

Using the inequalities4x2/π2 ≤ sin2x≤ x2 (where thelower bound holds for|x| ≤ π/2, and can be appliedsince|ε| ≤ 1/2), we find

Pr(k = ⌊ jN/r⌉) ≥ 4π2r

. (60)

This bound shows that Fourier sampling produces avalue of k that is the closest integer to one of the r inte-ger multiples of N/r with probabilityΩ(1).

6. To discover r given one of the values⌊ jN/r⌉, divide byN to obtain a rational approximation to j/r that devi-ates by at most1/2N, and compute the positive integersai in thecontinued fraction expansion(CFE)

⌊ jN/r⌉N

=1

a1 +1

a2 +1

a3 + · · ·

. (61)

This expansion gives a sequence of successively bet-ter approximations to⌊ jN/r⌉/N by fractions, calledthe convergentsof the CFE. By (Hardy and Wright,1979, Theorem 184), any fraction p/q with |p/q−⌊ jN/r⌉/N| < 1/2q2 will appear as one of the con-vergents. Since j/r differs by at most1/2N from

13

⌊ jN/r⌉/N, the fraction j/r will appear as a convergentprovided r2 < N. Thus, we carry out the CFE until weobtain the closest convergent to⌊ jN/r⌉/N whose de-nominator is smaller than our a priori upper bound onthe period; this denominator must equal r. These calcu-lations can be done in polynomial time using standardtechniques; see for example (Hardy and Wright, 1979,Chapter X).

Notice that period finding can efficiently determine theor-derof a given group elementg∈ G, the smallestr ∈ 1,2, . . .such thatgr = 1. This follows because the functionf : Z → Gdefined byf ( j) = g j is periodic, with period equal to the or-der of g in G. In particular, this allows us to find the orderof a cyclic groupC = 〈g〉, as needed in Algorithm3. In con-trast, the classical query complexity of computing the order ofa permutation of 2n elements isΩ(2n/3/

√n) (Cleve, 2004).

E. Factoring integers

Perhaps the best-known application of quantum comput-ers is to the problem of factoring integers (Shor, 1997). Atpresent, the mostly widely used public-key cryptosystem,RSA (Rivestet al., 1978), is based on the presumed diffi-culty of this problem.8 The fastest rigorously analyzed clas-sical algorithm for factoring an integerN has running time2O(

√logN loglogN) (see for examplePomerance(1987)), and the

best known classical algorithm is believed to be the numberfield sieve (Buhleret al., 1993), which is conjectured to run intime 2O((logN)1/3(loglogN)2/3). Both of these running times aresuperpolynomial in logN. In contrast, a quantum computercan factorN in time O(log3N). Thus, the development of alarge-scale quantum computer could have dramatic implica-tions for the practice of cryptography.

We have already discussed the core of Shor’s quantum fac-toring algorithm, the ability to perform period finding overtheintegers. It remains to see how factoring can be reduced to aparticular instance of period finding.

To efficiently factor a given integerN, it suffices to effi-ciently produce some nontrivial factor ofN (i.e., a factor otherthan 1 orN) with constant probability. The repeated use ofsuch a subroutine, combined with an efficient primality testingalgorithm (Agrawalet al., 2004; Miller , 1976; Rabin, 1980),can be used to find all the prime factors ofN. It is easy tocheck whether 2 dividesN, so we can focus on the case ofNodd without loss of generality. Furthermore, it is straightfor-ward to check whetherN is a prime power, or indeed whetherit is the kth power of any integer, simply by computingk

√N

for k = 2,3, . . . , log2 N, so we can assume thatN has at leasttwo distinct prime factors.

8 The RSA protocol uses similar ideas to the Diffie-Hellman protocol (Sec-tion IV.B), but relies on a different assumption and achieves secure com-munication instead of key exchange. Note that breaking RSA might beeasier than factoring. For elementary discussions of the details of RSA andrelated protocols, see (Buchmann, 2004; Menezeset al., 1996).

The reduction from finding some nontrivial factor of an oddN to order finding in the multiplicative group(Z/NZ)× is dueto Miller (1976). Suppose we choosea ∈ 2,3, . . . ,N− 1uniformly at random from those values that are coprime toN.Furthermore, assume for now that the orderr of a is even.Then sincear = 1 modN, we have(ar/2)2−1= 0 modN, orequivalently,

(ar/2−1)(ar/2+1) = 0 modN. (62)

SinceN divides the product(ar/2 − 1)(ar/2 + 1), we mighthope for gcd(ar/2−1,N) to be a nontrivial factor ofN. No-tice that gcd(ar/2 − 1,N) 6= N, since if it were, the orderof a would be at mostr/2. Thus it suffices to ensure thatgcd(ar/2 − 1,N) 6= 1, which holds ifar/2 6= −1 modN. InLemma2 below, we show that a random value ofa satisfiesthese properties with probability at least 1/2, providedN hasat least two distinct prime factors. Thus the following quan-tum algorithm can be used to factorN:

Algorithm 6 (Integer factorization).Input: An odd integer N with at least two distinct prime fac-tors.Problem:Determine some nontrivial factor of N.

1. Choose a random a∈ 2,3, . . . ,N−1.

2. Computegcd(a,N) using the Euclidean algorithm. Ifthe result is different from1, then it is a nontrivial factorof N, and we are done. More likely,gcd(a,N) = 1, andwe continue.

3. Using Algorithm5, determine the order of a modulo N.If r is odd, the algorithm has failed, and we return tostep1. If r is even, we continue.

4. Computegcd(ar/2−1,N). If the result is different from1, then it is a nontrivial factor of N. Otherwise, returnto step1.

Lemma 2. Suppose a is chosen uniformly at random from(Z/NZ)×, where N is an odd integer with at least two distinctprime factors. Then with probability at least1/2, the multi-plicative order r of a modulo N is even, and ar/2 6=−1 modN.

Proof. SupposeN = pm11 · · · pmk

k is the factorization ofN intopowers ofk ≥ 2 distinct odd primes. By the Chinese remain-der theorem, there are unique valuesai ∈ Z/pmi

i Z such thata = ai mod pmi

i . Let r i be the multiplicative order ofai mod-ulo pmi

i , and let 2ci be the largest power of 2 that dividesr i . Weclaim that ifr is odd or ifar/2 =−1 modN, thenc1 = · · ·= ck.Sincer = lcm(r1, . . . , rk), we havec1 = · · · = ck = 0 whenris odd. On the other hand, ifr is even andar/2 = −1 modN,then for eachi we havear/2 = −1 modpmi

i , sor i does not di-vider/2; but we know thatr/r i is an integer, so it must be odd,which implies that eachr i has the same number of powers of2 in its prime factorization.

Now we claim that the probability of any givenci takingon any particular value is at most 1/2, which implies thatPr(c1 = c2)≤ 1/2, and the desired conclusion follows. To see

14

this, considera chosen uniformly at random from(Z/NZ)×—or equivalently, eachai chosen uniformly at random from(Z/pmi

i Z)×. The order of the latter group isϕ(pmii ) = (pi −

1)pmii = 2di qi for some positive integerdi and some odd in-

tegerqi. The number ofai ∈ (Z/pmii Z)× of odd order isqi ,

and the number ofai ’s with any particularci ∈ 1, . . . ,di is2ci−1qi . In particular, the highest-probability event isci = di ,which happens with probability only 1/2.

F. Breaking elliptic curve cryptography

As discussed in SectionIV.B, Shor’s algorithm allowsquantum computers to break cryptographic protocols basedon the presumed hardness of the discrete logarithm problemin (Z/NZ)×, such as the Diffie-Hellman key exchange proto-col. However, Shor’s algorithm works equally well for calcu-lating discrete logarithms in any finite group, provided onlythat group elements can be represented uniquely and operatedon efficiently. In particular, quantum computers can also ef-ficiently calculate discrete logarithms over the group corre-sponding to anelliptic curve, thereby breaking elliptic curvecryptography.

An elliptic curve is a cubic, nonsingular, planar curve oversome field. (The terminology “elliptic curve” has to do witha connection to elliptic functions.) For simplicity, suppose wechoose a field with characteristic not equal to 2 or 3. (Crypto-graphic applications often use the fieldF2n of characteristic 2,but the definition of an elliptic curve is slightly more compli-cated in this case.) Then, by suitable linear transformations,any elliptic curve can be rewritten in the form of theWeier-straß equation,

y2 = x3 +ax+b, (63)

wherea,b are parameters. The set of points(x,y) satisfyingthis equation form an elliptic curve. To be nonsingular, thediscriminant∆ := −16(4a3 + 27b2) must be nonzero. Typi-cally, one considers elliptic curves in the projective plane P2

rather than the affine plane, which means that one point at in-finity must be included in the set of solutions. (For furtherdetails on the concepts of projective curves, points at infinity,and nonsingularity, see AppendixC.)

An example of an elliptic curve over the fieldR (namely,the curvey2 = x3 − x+ 1) is shown in Figure3. Althoughsuch pictures are helpful for developing intuition about ellip-tic curves, it is useful in cryptographic applications to havea curve whose points can be represented exactly with a finitenumber of bits, so we use curves over finite fields. For sim-plicity, we will only consider the fieldFp wherep is a primelarger than 3.

Example. Consider the curve

E = (x,y) ∈ F27 : y2 = x3−x+1 (64)

overF7. It has4a3 +27b2 = 2 mod 7, so it is nonsingular. Itis straightforward to check that the points on this curve are

E = O ,(0,1),(0,6),(1,1),(1,6),(2,0),

(3,2),(3,5),(5,3),(5,4),(6,1),(6,6), (65)

P

Q

R

P+Q

-2 -1 1 2x

-2

-1

1

2

y

FIG. 3 The group law for an elliptic curve:P+Q = −R. The pointsP andQ sum to the point−R, whereR is the intersection betweenthe elliptic curve and the line throughP andQ, and−R is obtainedby the reflection ofRabout thex axis.

whereO denotes the point at infinity.

In general, the number of points on an elliptic curve de-pends on the parametersaandb. However, a theorem of Hassesays that

∣∣|E|− (p+1)∣∣≤ 2

√p, so for largep the number of

points is close top.An elliptic curve can be used to define an Abelian group

by designating one point of the curve as the additive iden-tity. Here, we use the common convention thatO , the pointat infinity, is this special element (although in principle,it ispossible to let any point play this role). It remains to defineabinary operation ‘+’ that maps a pair of points on the curve toa new point on the curve in a way that satisfies the group ax-ioms. To motivate the definition, consider the case of the fieldR. Given two pointsP,Q∈ E, their sumP+Q is defined ge-ometrically, as follows. First, assume that neither point is O .Draw a line through the pointsP andQ (or, if P= Q, draw thetangent to the curve atP), and letR denote the third point ofintersection, defined to beO if the line is vertical. ThenP+Qis the reflection ofR about thex axis, where the reflection ofO is O . If one ofP or Q is O , we draw a vertical line throughthe other point, so thatP+O = P as desired. SinceO is theadditive identity, we defineO +O = O . Reflection about thex axis corresponds to negation, so we can think of the rule assaying that the three points of intersection of a line with thecurve sum toO , as depicted in Figure3.

It can be shown that(E,+) is an Abelian group, wherethe inverse ofP = (x,y) is −P = (x,−y). From the geomet-ric definition, it is clear that this group is Abelian (the linethroughP andQ does not depend on which point is chosenfirst) and closed (we always chooseP+ Q to be some pointon the curve). The only remaining group axiom to check isassociativity: we must show that(P+Q)+T = P+(Q+T).

To define the group operation for a general field, it is usefulto have an algebraic description of elliptic curve point addi-tion. Let P = (xP,yP) andQ = (xQ,yQ). ProvidedxP 6= xQ,

15

the slope of the line throughP andQ is

λ =yQ−yP

xQ−xP. (66)

Computing the intersection of this line with Eq. (63), we find

xP+Q = λ2−xP−xQ (67)

yP+Q = λ(xP−xP+Q)−yP. (68)

If xP = xQ, there are two possibilities forQ: either Q =(xQ,yQ) = (xP,yP) = P or Q = (xQ,yQ) = (xP,−yP) = −P.If Q = −P, thenP+Q= O . On the other hand, ifP = Q (i.e.,if we are computing 2P), then Eqs. (67) and (68) hold with λreplaced by the slope of the tangent to the curve atP, namely

λ =3x2

P +a2yP

(69)

(unlessyP = 0, in which case the slope is infinite, so 2P= O ).While the geometric picture does not necessarily make

sense for the case of a finite field, we can take its algebraicdescription as a definition of the group operation. It is againobvious that addition of points, defined by these algebraic ex-pressions, is commutative and closed. Associativity of thegroup operation can be verified by a direct calculation. Thisshows that(E,+) is indeed an Abelian group.

Suppose we fix an elliptic curve group(E,+) and choose apointg∈ E. Then we can consider the subgroup〈g〉, which ispossibly the entire group if it happens to be cyclic. Using ex-ponentiation in this group (which is multiplication in our ad-ditive notation), we can define analogs of Diffie-Hellman keyexchange and related cryptosystems such as ElGamal. Thesecurity of these cryptosystems then relies on the assumptionthat the discrete log problem on〈g〉 is hard.

In practice, there are many details to consider whenchoosing an elliptic curve group for cryptographic purposes(Buchmann, 2004; Menezeset al., 1996). Algorithms areknown for calculating discrete logarithms on “supersingular”and “anomolous” curves that run faster than algorithms for thegeneral case, so such curves should be avoided. At the sametime, g should be chosen to be a point of high order. Curveswith the desired hardness properties can be found efficiently,and in the general case it is not known how to solve the dis-crete log problem over an elliptic curve group classically anyfaster than by general methods (see SectionIV.B), which runin time O(

√p).

However, using Shor’s algorithm, a quantum computer cansolve the discrete log problem for an elliptic curve group overFp in time poly(logp). Points on the curve can be representeduniqely by their coordinates, with a special symbol used todenoteO . Addition of points on the curve can be computedusing Eqs. (67) and (68), which involve only elementary arith-metic operations in the field. The most complex of these oper-ations is the calculation of modular inverses, which can easilybe done using Euclid’s algorithm. For more details on theimplementation of Shor’s algorithm over elliptic curves, see(Cheunget al., 2008; Kaye, 2005; Proos and Zalka, 2003).

Elliptic curve cryptosystems are commonly viewed as be-ing more secure than RSA for a given key size, since the best

classical algorithms for factoring run faster than the bestclas-sical algorithms for calculating discrete logarithms in ellipticcurve groups. Thus in practice, much smaller key sizes areused in elliptic curve cryptography than in factoring-basedcryptography. Ironically, Shor’s algorithm takes a compara-ble number of steps for both factoring and discrete log,9 soit could actually beeasier for quantum computers to breakpresent-day elliptic curve cryptosystems than to break RSA.

One can also define an Abelian group corresponding to ahyperelliptic curve, a curve of the formy2 = f (x) for somesuitable polynomialf of degree higher than 3. These groupsare also candidates for cryptographic applications (see for ex-ample (Koblitz, 1998, Chapter 6)). In general, such a group isreferred to as theJacobianof the curve; it is no longer isomor-phic to the curve itself in the non-elliptic case. The elementsof a general Jacobian can be represented uniquely and addedefficiently, so that Shor’s algorithm can also efficiently com-pute discrete logarithms over the Jacobian of a hyperellipticcurve.

G. Decomposing Abelian and solvable groups

Recall from SectionIV.D that Shor’s period-finding algo-rithm can be used to compute the order of a cyclic groupC = 〈g〉, given the ability to efficiently represent and multi-ply elements of the group. More generally, given a black-boxrepresentation of some group, it would be useful to have a wayof identifying the structure of that group. For certain kinds ofgroups, such decompositions can be obtained efficiently by aquantum computer.

These algorithms operate in the framework ofblack-boxgroups(Babai and Szemeredi, 1984). In this framework, theelements of a groupG are represented uniquely by strings oflength poly(log|G|), and we are given a black box that cancompute products or inverses inG as desired. Of course, anyalgorithm that works in the black-box setting also works whenthe group is represented explicitly, say as a matrix group orassome known group. Note that computing the order ofG in theblack-box group setting is hard even whenG is promised tobe Abelian (Babai and Szemeredi, 1984).

Suppose we are given a generating set for a finite Abelianblack-box group. Recall that by the fundamental theorem offinite Abelian groups, any such group can be decomposed asa direct productG ∼= Z/pr1

1 Z× ·· · ×Z/prkk Z of cyclic sub-

groups of prime power order. By combining the solutionof the Abelian HSP with classical techniques from computa-tional group theory, there is an efficient quantum algorithmfordetermining the structure of the group (i.e., the valuespr i

i ), andfurthermore, for obtaining generators for each of the cyclicfactors (Cheung and Mosca, 2001; Mosca, 1999). Note that

9 Naively, computing the group operations for an elliptic curve usingEqs. (67) and (68) requires slightly more operations than performing or-dinary integer multiplication. However, there are ways to improve the run-ning time of Shor’s algorithm for discrete log over ellipticcurve groups, atleast in certain cases (Cheunget al., 2008).

16

this provides an alternative approach to factoring an integerN: by decomposing the multiplicative group(Z/NZ)×, welearn its sizeϕ(N), which is sufficient to determine the factorsof N (Miller , 1976; Shoup, 2005).

More generally, a similar decomposition can be obtainedfor any solvable group (Watrous, 2001a). A finite groupG iscalledsolvableif there exist elementsg1, . . . ,gm∈ G such that

1 = H0 EH1E · · ·EHm = G, (70)

whereH j := 〈g1, . . . ,g j〉 for each j = 0,1, . . . ,m, and wherethe notationHi EH j+1 indicates thatH j is anormal subgroupof H j+1, i.e., thatxHj = H jx for everyx ∈ H j+1. (Equiva-lently, G is solvable if its derived series contains the trivialsubgroup.) Every Abelian group is solvable, but the con-verse does not hold; for example,S3

∼= D3 is non-Abelianbut solvable. Given a generating set for a black-box solvablegroup, there is an efficient probabilistic classical algorithm tofind g1, . . . ,gm satisfying Eq. (70) for somem= poly(log|G|)(Babaiet al., 1995). To compute the order ofG, it sufficesto compute the orders of the quotient groupsH j/H j−1 forj = 1, . . . ,m, which are necessarily cyclic. We cannot di-rectly compute the orders of these groups using Shor’s al-gorithm since we do not have unique encodings of their el-ements. However, Watrous shows that if we are given the uni-form superposition|H j−1〉, we can (probabilistically) compute|H j/H j−1| using a modified version of Shor’s algorithm, andalso (probabilistically) prepare the state|H j〉. By recursingthis procedure along the normal series Eq. (70) (starting withenough copies of|H0〉, and maintaining enough copies of theintermediate states|H j〉, to handle the cases where the algo-rithm fails), a quantum computer can calculate|G| in poly-nomial time. By straightforward reductions, this also givesefficient quantum algorithms for testing membership in solv-able groups and for deciding whether a subgroup of a solvablegroup is normal. Similar ideas give a method for determiningthe structure of any Abelian factor groupG/H, whereH EG(Watrous, 2001a); see also (Ivanyoset al., 2003) for relatedwork.

H. Counting points on curves

Suppose we are given a polynomialf ∈ Fq[x1, . . . ,xn] in nvariables over the finite fieldFq. The setH f := x ∈ Fn

q :f (x) = 0 of solutions to the equationf (x) = 0 is calleda hypersurface. Counting the number of solutions|H f | ofthis equation is a fundamental computational problem. Moregenerally, givenm polynomialsf1, . . . , fm ∈ Fq[x1, . . . ,xn], wemay be interested in the number of solutions to the system ofequationsf1(x) = · · · = fm(x) = 0. The complexity of suchcounting problems can be characterized in terms of at leastfive parameters: the numberm of polynomials, the numbernof variables, the degrees deg( fi) of the polynomials, the sizeq of the finite fieldFq, and the characteristicp of the field,whereq = pr andp is prime.

The complexity class#P characterizes the difficulty ofcounting the number of valuesx such thatf (x) = 0, wheref is an efficiently computable function. One can show that

for quadratic polynomials overF2, with no restrictions on thenumbern of variables and the numberm of polynomials, thecorresponding counting problem is#P-complete. As#P prob-lems are at least as hard asNP problems (see SectionII.D),we do not expect quantum computers to solve such count-ing problems in time poly(n,m). In fact, the counting prob-lem is#P-hard even for a single polynomial in two variables(von zur Gathenet al., 1997) provided we use a sparse repre-sentation that only lists the nonzero coefficients of the polyno-mial, which allows its degree to be exponential in the size ofits representation. Using a non-sparse representation, sothatwe aim for a running time polynomial in the degree, the com-putational complexity of such counting problems is a moresubtle issue.

Here we are concerned with the counting problem for pla-nar curves, meaning that we havem= 1 polynomial inn = 2variables. (AppendixC contains some crucial background in-formation about curves over finite fields for readers unfamil-iar with this topic.) A key parameter characterizing the com-plexity of this counting problem is thegenus gof the curve.For a nonsingular, projective, planar curvef , the genus isg = 1

2(d−1)(d−2), whered = deg( f ).Schoof (1985) gave an algorithm to count the number

of points on an elliptic curve (for whichg = 1) over Fqin time poly(logq). Following results byPila (1990),Adleman and Huang(2001) generalized this result to hy-perelliptic curves, giving an algorithm with running time(logq)O(g2 logg), whereg is the genus of the curve. For fieldsFpr with characteristicp, Lauder and Wan(2002) showed theexistence of a deterministic algorithm for counting pointswithtime complexity poly(p, r,degf ). While the former algo-rithm is efficient forg = O(1), and the latter is efficient forp = poly(logq), neither is efficient without some restrictionon the genus or the field characteristic.

On the other hand,Kedlaya(2006) explained how the quan-tum algorithm for determining the structure of an unknownfinite Abelian group (SectionIV.G) can be used to count thenumber of points on a planar curve of genusg overFq in timepoly(g, logq). It is probably fair to say that this constitutes notso much a new quantum algorithm, but rather a novel applica-tion of known quantum algorithms to algebraic geometry.

In brief, Kedlaya’s algorithm counts the solutions of asmooth, projective curveCf of genusg by determining the2g nontrivial roots of the corresponding Zeta functionZf (T),which are determined from the orders of the class groupsCls(Cf ) over the different base fieldsFps for s = 1, . . . ,16g.As the class groups are all finite Abelian groups,|Cls(Cf )|can be computed in time poly(g,s, logp) by a quantum com-puter, thus giving an efficient quantum algorithm for the pointcounting problem. We explain some of the details below. Forfurther information, see (Hulek, 2003), (Lorenzini, 1996), andthe original article by Kedlaya (in increasing order of sophis-tication).

The Zeta function of a curve. Let the polynomialf ∈ Fp[X,Y]define a smooth, planar, projective curveCf . To count thenumber of points on this curve in the projective planeP2(Fp),

17

it is useful to consider extensions of the base field. For anypositive integerr, we define

Nr := |Cf (Fpr )|, (71)

where

Cf (Fpr ) := x∈ P2(Fpr ) : f (x) = 0 (72)

denotes the projective curve defined byf when viewed as apolynomial overFpr .

In terms of these values, we can define theZeta functionZf (T) of the curveCf , namely

Zf (T) := exp

( ∞

∑r=1

Nr

rTr)

, (73)

with T a formal variable, and the exponential function definedby the Taylor series exp(x) = ∑∞

j=0x j/ j!. Whereas the Rie-mann zeta function is used to study the elements and primesof the ringZ, the Zeta function of a curve captures the idealsand prime ideals of the ringFp[X,Y]/( f ), where( f ) denotesthe ideal generated byf .

From the proof of Weil’s Riemann hypothesis for curves(see for example (Lorenzini, 1996, Chap. X)), the Zeta func-tion of a smooth, projective curveCf of genusg has the form

Zf (T) =Qf (T)

(1− pT)(1−T), (74)

whereQf (T) is a polynomial of degree 2g with integer coef-ficients. Moreover,Qf (T) has the factorization

Qf (T) =2g

∏j=1

(1−α jT) (75)

with αg+ j = α∗j and|α j | =

√p for all j. By considering the

rth derivative ofZf (T) atT = 0, it is easy to see that the valuesα j determine the numbersN1,N2, . . . , and in particular

Nr = pr +1−2g

∑j=1

αrj (76)

for all r. Thus, if we know the integer coefficients of the de-gree 2g polynomialQf (T), we can infer the number of pointson the curvef (x) = 0 overP2(Fpr ). Kedlaya’s algorithm cal-culatesZf (T), and henceQf (T), by relating it to theclassgroupof the curve, a finite Abelian group.

The class group of a function field.A divisor D on a curveCover Fp is a finite, formal sum over points on the curve ex-tended to the algebraic closureFp of Fp, namely

D = ∑P∈C(Fp)

cP ·P. (77)

To be a divisor,D must satisfy three conditions: (1)cP ∈ Zfor all P, (2) ∑P |cP| is finite, and (3)D is invariant under the

Frobenius automorphismφ : x 7→ xp, i.e.,cP = cφ(P) for all P.Thedegreeof D is the integer deg(D) = ∑PcP. Under point-wise addition of the coefficientscP, the divisors of degree 0form the group

Div(C) := D : deg(D) = 0. (78)

As explained in AppendixC, for any curveCf one can de-fine thefunction fieldFp(Cf ), the field of rational functionsg= g1/g2 : g2 6= 0, whereg1 andg2 are homogeneous poly-nomials of equal degree modulo( f ), such thatg is a functionon the projective curveCf (Fp). For each such nonzero ratio-nal functiong∈ F×

p (Cf ) we define the correspondingprinci-pal divisor

div(g) := ∑P∈Cf (Fp)

ordP(g) ·P (79)

= ∑P∈Cf (Fp)

ordP(g1) ·P− ∑P∈Cf (Fp)

ordP(g2) ·P, (80)

where the nonnegative integer ordP(gi) is the multiplicity ofPas a solution togi = 0. In particular, ordP(gi) ≥ 1 if and onlyif gi(P) = 0, and ordP(gi) = 0 whengi(P) 6= 0.

For each principal divisor we have deg(div(g)) = 0. For arational curve such as the straight lineC = P1, the converseholds as well: the only divisors of degree 0 are the principaldivisors of the curve. But it is an important fact that for gen-eral curves the converse doesnothold. For curves that are notrational, i.e., curves of positive genus such as elliptic curves,the class group captures the relationship between the groupDiv(Cf ) and its subgroup of principal divisors.

There is a crucial equivalence relation∼ among divisorsdefined by

D1 ∼ D2 if and only if D1−D2 is a principal divisor. (81)

Finally, the(divisor) class groupCl(C) of a curveC is definedas the group of degree 0 divisors modulo this equivalence re-lation:

Cl(C) := Div(C)/ ∼ . (82)

Returning to the theory of Zeta functions, it is known thatthe order of Cl(Cf ) can be expressed in terms of the rootsα jof Zf (T) as

|Cl(Cf )| =2g

∏j=1

(1−α j). (83)

This fact establishes a close connection between the numberof pointsN1 = |Cf (Fp)| on a curve and the size|Cl(Cf )| of itsclass group.

All of the above can repeated while interpreting the polyno-mial f as an element of the extended ringFps[X,Y]. Indicatingthis change of the base fieldFp to its degrees extensionFps

with a parenthesized superscript, the Zeta functionZ(s)f (T) has

2g nontrivial rootsα(s)j = αs

j for j = 1, . . . ,2g, and the class

group Cl(s)(Cf ) has order

|Cl(s)(Cf )| =2g

∏j=1

(1−αsj). (84)

18

Observe that the change of base field affects the class groupsince the new divisors must be invariant under the Frobeniusautomorphismφs : x 7→ xps

(which is a weaker restriction thanthe corresponding condition overFp, making Div(s)(Cf ) largerthan Div(Cf )), while the group of principal divisors now al-lows all rational functionsg∈ Fps(Cf ).

To illustrate the above definitions, we present the followingextensive example of the class group of an elliptic curve.

Example (Point counting and the class group of an ellipticcurve). Consider the elliptic curve E overF2 defined by theequation Y2 + XY+ X3 + 1 = 0. The projective version of Eis defined by the homogeneous equation Y2Z + XYZ+ X3 +Z3 = 0. We want to consider the number of points Nr in theprojective spaceP2(F2r ) for various r.

It is not hard to see that N1 = 4 with the four solutions

P0 P1 P2 P3

(X : Y : Z) (0 : 1 : 0) (1 : 0 : 1) (0 : 1 : 1) (1 : 1 : 1)

For the first extension field, there are N2 = 8 elements inE(F4): in addition to the previous four points, we now alsohave the solutions

P4 P5 P6 P7

(X : Y : Z) (ω : 0 : 1) (ω : ω : 1) (ω2 : 0 : 1) (ω2 : ω2 : 1)

with ω an element of the fieldF4 satisfyingω2 = ω+1.In general, it can be shown that the number of points on

E(F2r ) is

Nr = 2r +1r −αr − αr (85)

for any r, whereα := − 12 + 1

2

√−7.

To explore the class groupCl(E) of this curve, we start byconsidering some principal divisors. For the linear functionsin X,Y,Z we find the following (degree3) divisors:

ordP( f ) P0 P1 P2 P3 P4 P5 P6 P7

X 1 2

Y 1 1 1

Z 3

X +Y 1 1 1

X +Z 1 1 1

Y +Z 1 2

X +Y+Z 2 1

From this table we see, for example, that the principal divisorof X/Z equals−2P0 + 2P2, and thatdiv((X +Y + Z)/(X +Z)) =−P0+P1+P2−P3. (Note also that in this function fieldwe have equalities such as X2+YZ= (X +Z)2(Y+Z)/(X +Y + Z), which confirms thatdiv(X2 +YZ) = 2div(X + Z) +div(Y+Z)−div(X +Y+Z) = 2P0+4P3.)

One can also show that P0−P1 is not a principal divisor,and hence thatCl(E) is nontrivial. In fact, there are fourdifferent elements Cj of the class group, which we can indicateby the representatives

C0 C1 C2 C3

0 P0−P1 P0−P2 P0−P3

(Note however that these representatives are far from unique,as for example0 ∼ −P0 + P1 + P2 − P3 = div((X + Y +Z)/(X + Z)).) One can verify that the elements ofCl(E) actas the groupZ/4Z, with Cx +Cy ∼Cx+y for any x,y∈ Z/4Z.

Performing similar calculations over the extension fieldF2s,one can show that in general,

|Cl(s)(E)| = (1−αs)(1− αs) = 2s+1−αs− αs, (86)

whereα is as in Eq. (85). This concludes our example.

While for elliptic curves the number of points on the curveequals the number of elements of the corresponding classgroup, this coincidence does not persist for general curveswith genus different from 1. However, the class group is nev-ertheless always a finite Abelian group, which can be exploredusing the quantum algorithm of SectionIV.G.

Kedlaya’s algorithm. Finally, we describe the quantum algo-rithm of Kedlaya(2006) for counting the points on a curveover a finite field.

Algorithm 7 (Point counting).Input: A nonsingular, planar, projective curve Cf defined by apolynomial f∈ Fq[X,Y].Problem:Determine the number of solutions|Cf (Fqr )| of theequation f= 0 in the projective planeP2(Fqr ).

1. Let g= 12(d−1)(d−2) be the genus of the curve, where

d = deg( f ).

2. For s= 1,2, . . . ,16g:

(a) Construct the class groupCl(s)(Cf ).

(b) Using the algorithm of SectionIV.G, determine|Cl(s)(Cf )|.

3. Using the calculated group sizes and the equalities

|Cl(s)(Cf )| =2g

∏j=1

(1−αsj) (87)

for s= 1,2, . . . ,16g, determine the rootsα j .

4. Compute Nr = |Cf (Fqr )| = qr +1−∑2gj=1 αr

j .

Several aspects of this algorithm are beyond the scope ofthis article, most notably the issue of uniquely representingand manipulating the elements of the class group Cl(Cf ) insuch a way that they can be sampled (nearly) uniformly, facil-itating finding a set of generators. For an explanation of thisand other issues, we refer the reader to the original articleandreferences therein.

In conclusion, note that the above quantum algorithm hasrunning time polynomial in the parameters logpr and g,whereas the best known classical algorithms are either ex-ponential ing (Adleman and Huang, 2001), or exponential inlogp (Lauder and Wan, 2002). Whether it is possible to gener-alize Kedlaya’s algorithm for curves to more general surfaces,

19

i.e., to polynomialsf with more than 2 variables, remains anopen question. The best known classical result for this prob-lem is that ofLauder and Wan(2002), who described an algo-rithm with running time poly(pn, rn,deg( f )n2

).

V. QUANTUM ALGORITHMS FOR NUMBER FIELDS

A. Pell’s equation

Given a squarefree integerd (i.e., an integer not divisibleby any perfect square), the Diophantine equation

x2−dy2 = 1 (88)

is known asPell’s equation. This appellation provides a niceexample of Stigler’s Law of Eponymy (Stigler, 1980) in ac-tion, as Pell had nothing whatsoever to do with the equa-tion. The misattribution is apparently due to Euler, who con-fused Pell with a contemporary, Brouncker, who had actuallyworked on the equation. In fact, Pell’s equation was studiedinancient India, where (inefficient) methods for solving it weredeveloped hundreds of years before Pell (Lenstra, 2002). (In-deed, Lenstra has suggested that most likely, Pell was namedafter the equation.)

The left hand side of Pell’s equation can be factored as

x2−dy2 = (x+y√

d)(x−y√

d). (89)

Note that a solution of the equation(x,y) ∈Z2 can be encodeduniquely as the real numberx+ y

√d: since

√d is irrational,

x+ y√

d = w+ z√

d if and only if (x,y) = (w,z). Thus wecan also refer to the numberx+ y

√d as a solution of Pell’s

equation.There is clearly no loss of generality in restricting our at-

tention topositivesolutions of the equation, namely those forwhich x > 0 andy > 0. It is straightforward to show that ifx1 + y1

√d is a positive solution, then(x1 + y1

√d)n is also a

positive solution for anyn ∈ N. In fact, with x1 + y1√

d thesmallest positive solution of the equation, called thefunda-mental solution,one can show thatall positive solutions equal(x1 +y1

√d)n for somen∈ N. Thus, even though Pell’s equa-

tion has an infinite number of solutions, we can in a sense findthem all by finding the fundamental solution.

Some examples of fundamental solutions for various val-ues ofd are shown in TableI. Notice that while the size ofthe fundamental solution generally increases with increasingd, the behavior is far from monotonic: for example,x1 has44 decimal digits whend = 6009, but only 11 decimal digitswhend = 6013. In general, though, it is possible for the so-lutions to be very large: the size ofx1 + y1

√d is only upper

bounded by 2O(√

d logd). Thus it is not even possible towritedownthe fundamental solution with poly(logd) bits.

To get around this difficulty, we define theregulatorof thefundamental solution,

R := log(x1 +y1

√d). (90)

d x1 y1

2 3 2

3 2 1

5 9 4...

......

13 649 180

14 15 4...

......

6009 131634010632725315892594469510599473884013975≈ 1.3×1044

1698114661157803451688949237883146576681644≈ 1.6×1042

6013 40929908599 527831340...

......

TABLE I Some examples of fundamental solutions of Pell’s equa-tion x2−dy2 = 1 for different input valuesd (Jozsa, 2003).

SinceR = O(√

d logd), we can write down⌊R⌉, the nearestinteger toR, usingO(logd) bits. SinceR is an irrational num-ber, determining only its integer part may seem unsatisfac-tory, but in fact, given⌊R⌉, there is a classical algorithm tocomputen digits of R in time poly(logd,n). Thus we willbe satisfied with an algorithm that finds the integer part ofR in time poly(logd). The best known classical algorithmfor this problem runs in superpolynomial time (for more de-tails, see SectionV.E). In contrast,Hallgren (2007) gave apolynomial-time quantum algorithm for computing⌊R⌉. Fora self-contained review of Hallgren’s algorithm, see (Jozsa,2003).

B. From Pell’s equation to the unit group

Given a squarefree positive integerd, thequadratic numberfield Q[

√d] is defined as

Q[√

d] := x+y√

d : x,y∈ Q. (91)

It is easy to check thatQ[√

d] is a field with the usual additionand multiplication operations. We also define an operationcalledconjugationas

x+y√

d := x−y√

d. (92)

One can easily check that conjugation of elements ofQ[√

d]has many of the same properties as complex conjugation, andindeedQ[

√d] behaves in many respects likeC, with

√d tak-

ing the place of the imaginary unit i=√−1. Defining the ring

Z[√

d] ⊂ Q[√

d] as

Z[√

d] := x+y√

d : x,y∈ Z, (93)

we see that solutions of Pell’s equation correspond to thoseξ ∈ Z[

√d] satisfyingξξ = 1.

Notice that any solution of Pell’s equation,ξ ∈ Z[√

d], hasthe property that its multiplicative inverse overQ[

√d], ξ−1 =

20

ξ/ξξ = ξ, is also an element ofZ[√

d]. In general, an elementof a ring with an inverse that is also an element of the ring iscalled aunit. In Z, the only units are±1, but in other rings itis possible to have more units.

It should not be a surprise that the units ofZ[√

d] are closelyrelated to the solutions of Pell’s equation. In particular,ξ =x+y

√d is a unit inZ[

√d] if and only if ξξ = x2−dy2 = ±1.

To see this, we note that

ξ−1 =ξξξ

=x−y

√d

x2−dy2 , (94)

and if x2−dy2 = ±1, then clearlyξ−1 = ±ξ ∈ Z[√

d]. Con-versely, ifξ−1 ∈ Z[

√d], then so is

ξ−1ξ−1 =(x−y

√d)(x+y

√d)

(x2−dy2)2 =1

x2−dy2 , (95)

which shows thatx2−dy2 = ±1.The set of units inZ[

√d] forms a group under multipli-

cation called theunit group. This group is given by±εn1 :

n∈ Z, whereε1 is the aforementioned fundamental unit, thesmallest unit greater than 1. The proof of this fact is essen-tially the same as the proof that all solutions of Pell’s equationare powers of the fundamental solution.

If we can findε1, then it is straightforward to find all the so-lutions of Pell’s equation. Ifε1 = x+y

√d hasx2−dy2 = +1,

then the units are precisely the solutions of Pell’s equation.On the other hand, ifx2 − dy2 = −1, thenε2 := ε2

1 satisfiesε2ε2 = ε2

1ε21 = (−1)2 = 1; in this case the solutions of Pell’s

equation are±ε2n1 : n∈ Z. Thus our goal is to findε1. Just

as in our discussion of the solutions to Pell’s equation,ε1 istoo large to write down, so instead we compute theregulatorof the fundamental unit, R := logε1.

Example. Consider the quadratic number fieldQ[√

5] andthe corresponding ringZ[

√5]. The unit group ofZ[

√5]

has the fundamental unitε1 = 2 +√

5, whose regulator isR = log(2+

√5)≈ 1.44. Hereε1ε1 =−1, so the fundamental

solution of Pell’s equation is x1+y1√

5= ε21 = 9+4

√5. Thus

the set of positive solutions to Pell’s equation x2−5y2 = 1 is

(xk,yk) : xk +yk

√5 = (9+4

√5)k, k∈ N. (96)

C. Periodic function for Pell’s equation

To define a periodic function that encodesR , we need tointroduce the concept of anideal of a ring (and more specifi-cally, aprincipal ideal). For any ringR, we say thatI ⊆ R isan ideal if it is closed under integer linear combinations andunder multiplication by arbitrary elements ofR. For example,2Z is an ideal ofZ. We say that an ideal isprincipal if it isgenerated by a single element of the ring, i.e., if it is of theform αR for someα ∈ R; thus 2Z is a principal ideal.

Principal ideals are useful because the function mapping thering elementξ ∈ Z[

√d] to the principal idealξR is periodic,

and its periodicity corresponds to the units ofZ[√

d]. Specifi-cally, ξZ[

√d] = ζZ[

√d] if and only if ξ = ζε whereε is a unit

in Z[√

d]. To see this, note that ifε is a unit, thenξZ[√

d] =

ζεZ[√

d] = ζZ[√

d] sinceεZ[√

d] = Z[√

d] by the definitionof a unit. Conversely, suppose thatξZ[

√d] = ζZ[

√d]; then,

since 1∈ Z[√

d], we haveξ ∈ ξZ[√

d] = ζZ[√

d], so there issomeµ∈ Z[

√d] satisfyingξ = ζµ. Similarly, ζ ∈ ζZ[

√d] =

ξZ[√

d], so there is someν ∈ Z[√

d] satisfyingζ = ξν. Thuswe haveξ = ζµ= ξνµ. This shows thatνµ= 1, soµ andν areunits (indeed,ν = µ−1).

As a result, the functiong(ξ) = ξZ[√

d] is (multiplicatively)periodic with periodε1. In other words, lettingξ = ez, thefunction

h(z) = ezZ[√

d] (97)

is (additively) periodic with periodR . However, we cannotsimply use this function since it is not possible to succinctlyrepresent the values it takes.

To define a more suitable periodic function, one can usethe concept of areducedideal. We will not describe thedetails here. However, one can show that there are onlyfinitely many reduced principal ideals, and indeed onlyO(d)of them, so that we can represent a reduced principal idealusing poly(logd) bits.

It is also helpful to have a way of measuring the distanceδof any principal ideal from theunit ideal, 1Z[

√d] = Z[

√d].

Such a function can be defined by

δ(ξZ[√

d]) := log

∣∣∣∣ξξ

∣∣∣∣ modR . (98)

Notice that the unit ideal has distanceδ(1Z[√

d]) =log|1/1| modR = 0, as desired. Furthermore, the distancefunction does not depend on which generator we choose torepresent an ideal, since two equivalent ideals have generatorsthat differ by some unitε = εn

1, and

δ(εZ[√

d]) = 2log|ε| modR = 0. (99)

With this definition of distance, one can show that there is areduced ideal close to any non-reduced ideal.

The periodic functionf (z) used in Hallgren’s algorithm isdefined as the reduced principal ideal whose distance fromthe unit ideal is maximal among all reduced principal idealsof distance at mostz (together with the distance fromz, toensure that the function is injective within each period). Inother words, we select the reduced principal ideal “to the leftof, or at,z.”

This functionf is periodic with periodR , and one can showthat it can be computed in time poly(logd). However, sinceR is in general irrational, it remains to see how to performperiod finding for such a function.

D. Period finding over R

Suppose we are given a functionf : R → Ssatisfying

f (x) = f (y) if and only ifx−y

r∈ Z (100)

21

for somer ∈ R, for all x,y∈ R. Here we consider how Shor’speriod-finding algorithm (SectionIV.D) can be adapted tofind an approximation tor, even if it happens to be irrational(Hallgren, 2007).

Of course, to perform period finding on a digital computer,we must discretize the function. We must be careful abouthow we perform this discretization. For example, suppose thatS= R. If we simply evaluatef at equally spaced points andround the resulting values to obtain integers, there is no reasonfor the function values corresponding to inputs separated byan amount close to the period to be related in any way what-soever. It could be that the discretized function is injective,carrying absolutely no information about the period.

Instead we will discretize in such a way that the resultingfunction ispseudoperiodic. We say thatf : Z → S is pseu-doperiodic at k∈ Z with period r∈ R if for eachℓ ∈ Z, ei-ther f (k) = f (k+ ⌊ℓr⌋) or f (k) = f (k−⌈ℓr⌉). We say thatf is ε-pseudoperiodicif it is pseudoperiodic for at least anεfraction of the valuesk = 0,1, . . . ,⌊r⌋. We will require thatthe discretized function isε-pseudoperiodic for some constantε, and that it is injective on the subset of inputs where it ispseudoperiodic. The periodic function encoding the regulatorof Pell’s equation can be constructed so that it satisfies theseconditions.

The algorithm for period finding overR closely follows Al-gorithm5. Again the basic approach is Fourier sampling overZ/NZ, with N depending on some a priori upper bound on theperiod.

Algorithm 8 (Period finding for a pseudoperiodic function).Input: Black box f: Z → S that isε-pseudoperiodic (for someε = Ω(1)) with period r∈ R.Problem:Approximate r.

1. Prepare the uniform superposition|Z/NZ〉.2. Query the pseudoperiodic function in an ancilla regis-

ter, giving

1√N

∑x∈Z/NZ

|x, f (x)〉. (101)

3. Discard the ancilla register, so that the first register isleft in a uniform superposition over those x for whichf (x) takes some particular value. With constant proba-bility, this is a value at which f is pseudoperiodic. Sup-pose that this value is f(x0) where0 ≤ x0 ≤ r. As instep3 of Algorithm5, the first register is a superposi-tion over n≈ N/r points, with the rounding dependingon the particular value of x0. Let us write[ℓ] to denotean integer that could be either⌊ℓ⌋ or ⌈ℓ⌉. With this no-tation, we obtain the state

1√n

n−1

∑j=0

|x0 +[ jr ]〉. (102)

4. Perform the Fourier transform overZ/NZ, giving

1√nN

∑k∈Z/NZ

ωkx0N

n−1

∑j=0

ωk[ jr ]N |k〉. (103)

We have[ jr ] = jr + δ j where−1 < δ j < 1, so the sumover j above is

n−1

∑j=0

ωk[ jr ]N =

n−1

∑j=0

ωk jrN ωkδ j

N . (104)

When the offsetsδ j are zero, this is simply Eq. (56),which we have already shown is strongly peaked aroundvalues of k close to integer multiples of N/r. To com-pare with this case, we compute the deviation

∣∣∣∣n−1

∑j=0

ωk jrN ωkδ j

N −n−1

∑j=0

ωk jrN

∣∣∣∣≤n−1

∑j=0

|ωkδ jN −1| (105)

≤ 12

n−1

∑j=0

∣∣∣πkδ j

N

∣∣∣ (106)

≤ πkn2N

. (107)

This bound does not show that the amplitudes are closefor all values of k. However, suppose we restrict ourattention to those values of k less than N/ logr. (We ob-tain such a k with probability about1/ logr, so we cancondition on such a value with only a polynomial in-crease in the overall running time.) Then if k= ⌊ jN/r⌉for some j∈ Z, we find (using Eq. (60))

∣∣∣∣1√nN

n−1

∑j=0

ωk[ jr ]N

∣∣∣∣= Ω( 1√

r

). (108)

5. Measure the state of Eq. (103) in the computationalbasis. As in step5 of Algorithm 5, we sample froma distribution in which some value k= ⌊ jN/r⌉ (withj ∈ Z) appears with reasonably large probability (nowΩ(1/poly(logr)) instead ofΩ(1)).

6. Finally, we must obtain an approximation to r usingthese samples. Since r is not an integer, the procedurefrom step6 of Algorithm5 does not suffice. However, wecan perform Fourier sampling sufficiently many timesthat we obtain two values⌊ jN/r⌉ ,⌊ j ′N/r⌉ where jand j′ are relatively prime, again with only polyno-mial overhead. It can be shown that if N≥ 3r2, thenj/ j ′ is guaranteed to be one of the convergents inthe continued fraction expansion of⌊ jN/r⌉/⌊ j ′N/r⌉.Thus we can learn j, and hence compute jN/⌊ jN/r⌉,which gives a good approximation to r: in particular,|r −⌊ jN/⌊ jN/r⌉⌉ | ≤ 1.

E. The principal ideal problem and number field cryptography

Pell’s equation is closely related to another problem in al-gebraic number theory called theprincipal ideal problem. Fixa quadratic number fieldQ[

√d], and suppose we are given

an invertible idealI , an ideal for which there exists someJ ⊆ Q[

√d] with IJ = Z[

√d]. In the principal ideal problem,

we are asked to decide whether there is someα ∈ Z[√

d] such

22

that I = αZ[√

d] (i.e., whetherI is principal), and if so, tofind thatα (or more precisely,⌊logα⌉). Notice that comput-ing α can be viewed as an analog of the discrete logarithmproblem inZ[

√d]. Using similar ideas as in the algorithm for

solving Pell’s equation, and proceeding along similar lines toAlgorithm 3, Hallgren(2007) also gave an efficient quantumalgorithm for the principal ideal problem.

The integer factoring problem reduces to solving Pell’sequation, and Pell’s equation reduces to the principal idealproblem (Buchmann and Williams, 1990); but no reductionsin the other direction are known. Indeed, whereas factor-ing is conjectured to be possible with a classical computer

in time 2O((logd)1/3(loglogd)1/3), the best known classical algo-rithms for Pell’s equation and the principal ideal problem bothtake time 2O(

√logd loglogd) assuming the generalized Riemann

hypothesis, or timeO(d1/4poly(logd)) with no such assump-tion (Buchmann, 1990; Vollmer, 2000). Motivated by the pos-sibility that the principal ideal problem is indeed harder thanfactoring, Buchmann and Williams proposed a key exchangeprotocol based on it (Buchmann and Williams, 1990). Thissystem is analogous to the Diffie-Hellman protocol discussedin SectionIV.B.1, but instead of exchanging integers, Aliceand Bob exchange reduced ideals. Hallgren’s algorithm showsthat quantum computers can efficiently break the Buchmann-Williams cryptosystem.

F. Computing the unit group of a general number field

Recall from SectionV.B that the quantum algorithm forsolving Pell’s equation proceeds by computing the fundamen-tal unit of the unit group ofZ[

√d]. More generally, there

is an efficient quantum algorithm to compute the unit groupof an arbitrary number field of fixed degree (Hallgren, 2005;Schmidt and Vollmer, 2005), which we briefly summarize.

In general, analgebraic number field(or simply numberfield) K = Q[θ] is a finite extension of the fieldQ of rationalnumbers. Hereθ is a root of some monic irreducible polyno-mial overQ called theminimal polynomial. If the minimalpolynomial has degreen, we say thatK is a number field ofdegreen. For example, the quadratic number fieldQ[

√d] has

the minimal polynomialx2−d, and hence is of degree 2.For a general number field, the units are defined as the al-

gebraic integers of that field whose inverses are also algebraicintegers. In general, the units form a group under multiplica-tion. Just as the units of a quadratic number field are powersof some fundamental unit, it can be shown that the unit groupU(K) of any number fieldK consists of elements of the formζεn1

1 · · ·εnrr for n1, . . . ,nr ∈ Z, whereζ is a root of unity and

ε1, . . . ,εr are called thefundamental units(with r defined be-low). Given a number field of constant degree (say, in termsof its minimal polynomial),ζ can be computed efficiently bya classical computer. Theunit group problemasks us to com-pute (the regulators of) the fundamental unitsε1, . . . ,εr .

As in the quantum algorithm for solving Pell’s equation, wecan reduce this computation to a period-finding problem. Tosee how the periodic function is defined, suppose the mini-mal polynomial ofK hass real roots andt pairs of complex

roots; then the number of fundamental units isr = s+ t −1.Let θ1, . . . ,θs be thes real roots, and letθs+1, . . . ,θs+t be tcomplex roots that, together with their complex conjugatesθ∗s+1, . . . ,θ

∗s+t , constitute all 2t complex roots. For eachj =

1, . . . ,s+t, we can embedK in C with the mapσ j : K→C thatreplacesθ by θ j . Then we define a functionL : K× → Rs+t as

L(x) := ( log|σ1(x)|, . . . , log|σs(x)|,2log|σs+1(x)|, . . . ,2log|σs+t(x)|).

(109)

By Dirichlet’s theorem,L(U(K)) is anr-dimensional lattice inRr+1 whose coordinates(y1, . . . ,yr+1) obey∑ j y j = 0 (Cohen,1993, Thm. 4.9.7). The unit group problem is essentiallyequivalent to finding a basis for this lattice, i.e., determiningthe periodicity ofL(x). Note that since the lattice has dimen-sion r, we can restrict our attention to anyr components ofL(x), thereby giving a period finding problem overRr .

There are two main parts to the quantum algorithm for com-puting the unit group, again paralleling the algorithm for Pell’sequation. First, one must show how to efficiently computethe functionL(x), or more precisely, a related function thathides the same lattice, analogous to the function discussedin SectionV.C (and again based on the concept of a reducedideal). Second, one must generalize period finding overR(SectionV.D) to period finding overRr . All relevant compu-tations can be performed efficiently provided the degree ofKis constant, giving an efficient quantum algorithm for the unitgroup problem in this case.

G. The principal ideal problem and the class group

We conclude our discussion of quantum algorithms fornumber fields by mentioning two additional problems with ef-ficient quantum algorithms.

In SectionV.E, we saw that the efficient quantum algo-rithm for Pell’s equation can be adapted to efficiently decidewhether a given ideal is principal, and if so, to compute (theregulator of) its generator. More generally, the principalidealproblem can be defined for any number field, and the tech-niques discussed in SectionV.F can be applied to give an effi-cient quantum algorithm for it whenever the number field hasconstant degree (Hallgren, 2005).

A related problem is the task of computing theclass groupCl(K) of a number fieldK. The class group is defined asthe set of ideals ofK modulo the set of principal ideals ofK; it is a finite Abelian group. Theclass group problemasksus to decompose Cl(K) in the sense of SectionIV.G. As-suming the generalized Riemann hypothesis (GRH), there is apolynomial-time algorithm to find generators of Cl(K) (Thiel,1995). If K = Q[

√−d] is an imaginary quadratic number

field, then its elements have unique representatives that canbe computed efficiently, and Cl(K) can be decomposed usingthe procedure of (Cheung and Mosca, 2001; Mosca, 1999).More generally, it is not known how to uniquely represent theelements of Cl(K) in an efficiently computable way. How-ever, we can take advantage of the technique introduced in(Watrous, 2001a) for computing over quotient groups, namely

23

to represent a coset by the uniform superposition of its ele-ments. Using this idea, it can be shown that there is an ef-ficient quantum algorithm for decomposing Cl(K), providedK has constant degree and assuming the GRH (Hallgren,2005) (see (Hallgren, 2007) for the special case of a realquadratic number field). In particular, we can efficiently com-pute|Cl(K)|, theclass numberof the number fieldK, just asKedlaya’s algorithm does for curves (SectionIV.H).

VI. NON-ABELIAN QUANTUM FOURIER TRANSFORM

In SectionIV, we saw that the Abelian Fourier transformcan be used to exploit the symmetry of an Abelian HSP, andthat this essentially gave a complete solution. In the non-Abelian version of the HSP, we will see that a non-Abelianversion of the Fourier transform can similarly be used to ex-ploit the symmetry of the problem. However, in general, thiswill only take us part of the way to a solution of the non-Abelian HSP.

A. The Fourier transform over a non-Abelian group

We begin by discussing the definition of the non-AbelianFourier transform. For a more extensive review of Fourieranalysis on finite groups, we recommend the books byDiaconis(1988); Serre(1977); Terras(1999). Here we as-sume knowledge of group representation theory; see Ap-pendixB for a summary of the requisite background.

TheFourier transformof the state|x〉 corresponding to thegroup elementx∈ G is a weighted superposition over a com-plete set of irreducible representationsG, namely

|x〉 :=1√|G| ∑

σ∈G

dσ|σ,σ(x)〉, (110)

wheredσ is the dimension of the representationσ, |σ〉 is a statethat labels the irreducible representation (orirrep), and|σ(x)〉is a normalized,d2

σ-dimensional state whose amplitudes aregiven by the entries of thedσ ×dσ matrixσ(x)/

√dσ:

|σ(x)〉 := (σ(x)⊗1dσ)dσ

∑j=1

| j, j〉√dσ

(111)

=dσ

∑j ,k=1

σ(x) j ,k√dσ

| j,k〉. (112)

Hereσ(x) is a unitary matrix representing the group elementx∈ G; we haveσ(x)σ(y) = σ(xy) for all x,y∈ G. (If σ is onedimensional, then|σ(x)〉 is simply a phase factorσ(x) ∈ Cwith |σ(x)|= 1.) In other words, the Fourier transform overGis the unitary matrix

FG := ∑x∈G

|x〉〈x| (113)

= ∑x∈G

∑σ∈G

√dσ

|G|dσ

∑j ,k=1

σ(x) j ,k |σ, j,k〉〈x|. (114)

Note that the Fourier transform over a non-AbelianG is notuniquely defined, but rather, depends on a choice of basis foreach irrep of dimension greater than 1.

It is straightforward to check thatFG is indeed a unitarytransformation. Using the identity

〈σ(y)|σ(x)〉 = Tr(σ†(y)σ(x)

)/dσ = χσ(y−1x)/dσ, (115)

we have

〈y|x〉 = ∑σ∈G

d2σ

|G| 〈σ(y)|σ(x)〉 (116)

= ∑σ∈G

dσ

|G|χσ(y−1x). (117)

Hence by Eqs. (B5) and (B6) in Appendix B, we see that〈y|x〉 = δx,y.

As noted in AppendixB, FG is precisely the transformationthat simultaneously block-diagonalizes the actions of left andright multiplication, or equivalently, that decomposes both theleft and right regular representations ofG into their irreduciblecomponents. Let us check this explicitly for the left regularrepresentationL of G. This representation satisfiesL(x)|y〉 =|xy〉 for all x,y∈ G, so

L(x) := FG L(x)F†G (118)

= ∑y∈G

|xy〉〈y| (119)

= ∑y∈G

∑σ,σ′∈G

dσ

∑j ,k=1

dσ′

∑j ′,k′=1

√dσdσ′

|G|

σ(xy) j ,k σ′(y)∗j ′,k′ |σ, j,k〉〈σ′, j ′,k′| (120)

= ∑y∈G

∑σ,σ′∈G

dσ

∑j ,k,ℓ=1

dσ′

∑j ′,k′=1

√dσdσ′

|G|

σ(x) j ,ℓ σ(y)ℓ,k σ′(y)∗j ′,k′ |σ, j,k〉〈σ′, j ′,k′| (121)

= ∑σ∈G

dσ

∑j ,k,ℓ=1

σ(x) j ,ℓ |σ, j,k〉〈σ, ℓ,k| (122)

=M

σ∈G

(σ(x)⊗1dσ

), (123)

where in the fourth line we have used the orthogonality rela-tion for irreps (Theorem5 in AppendixB).

A similar calculation can be done for the right regular rep-resentation defined byR(x)|y〉 = |yx−1〉, giving

R(x) := FGR(x)F†G (124)

=M

σ∈G

(1dσ ⊗σ(x)∗

). (125)

This identity will be useful when analyzing the applicationofthe quantum Fourier transform to the hidden subgroup prob-lem in SectionVII .

24

B. Efficient quantum circuits

In SectionIII.B , we described efficient quantum circuitsfor implementing the quantum Fourier transform over any fi-nite Abelian group. Analogous circuits are known for many,but not all, non-Abelian groups. Just as the circuit for theQFT over a cyclic group parallels the usual classical fastFourier transform (FFT), many of these circuits build onclassical implementations of FFTs over non-Abelian groups(Beth, 1987; Clausen, 1989; Diaconis and Rockmore, 1990;Maslen and Rockmore, 1995; Rockmore, 1990). Here webriefly summarize the groups for which efficient QFTs areknown.

Høyer(1997) gave efficient circuits for the quantum Fouriertransform over metacyclic groups (i.e., semidirect productsof cyclic groups), including the dihedral group, and over thePauli group onn qubits. An alternative construction for cer-tain metacyclic 2-groups is given in (Puschelet al., 1999).Beals gave an efficient implementation of the QFT over thesymmetric group (Beals, 1997). Finally, Mooreet al. (2006)gave a general construction of QFTs, systematically quan-tizing classical FFTs. For example, this approach yieldspolynomial-time quantum circuits for Clifford groups, thesymmetric group, the wreath product of a polynomial-sizedgroup, and metabelian groups.

There are a few important groups for which efficient quan-tum Fourier transforms arenot known. These include theclassical groups, such as the groupGLn(Fq) of n× n invert-ible matrices over a finite field withq elements. However, itis possible to implement these transforms in subexponentialtime (Mooreet al., 2006).

VII. NON-ABELIAN HIDDEN SUBGROUP PROBLEM

We now turn to the general, non-Abelian version of thehidden subgroup problem. We begin by stating the problemand describing some of its potential applications. Then wedescribe the standard way of approaching the problem on aquantum computer, and explain how the non-Abelian Fouriertransform can be used to simplify the resulting hidden sub-group states. This leads to the notions of weak and strongFourier sampling; we describe some of their applications andlimitations. Then we discuss how multi-register measure-ments on hidden subgroup states can potentially avoid some ofthose limitations. Finally, we describe two specific algorith-mic techniques for hidden subgroup problems: the Kuperbergsieve and the pretty good measurement. Note that some of theresults presented in SectionVIII , on the hidden shift problem,also give algorithms for the non-Abelian HSP.

A. The problem and its applications

The non-Abelian hidden subgroup problem naturally gen-eralizes the Abelian HSP considered in SectionIV. In thehidden subgroup problem for a groupG, we are given a blackbox function f : G→ S, whereS is a finite set. We say thatf

hides a subgroupH ≤ G provided

f (x) = f (y) if and only if x−1y∈ H (126)

(where we use multiplicative notation for non-Abeliangroups). In other words,f is constant on left cosetsH,g1H,g2H, . . . of H in G, and distinct on different left cosets.We say that an algorithm for the HSP inG is efficient if it runsin time poly(log|G|).

The choice of left cosets is an arbitrary one; we could just aswell define the HSP in terms of right cosetsH,Hg′1,Hg′2, . . .,by promising thatf (x) = f (y) if and only if xy−1 ∈ H. Buthere we will use the definition in terms of left cosets.

The non-Abelian HSP is of interest not only because it gen-eralizes the Abelian case in a natural way, but because a so-lution of certain non-Abelian HSPs would have particularlyuseful applications. The most well-known (and also the moststraightforward) applications are to thegraph automorphismproblemand thegraph isomorphism problem(Beals, 1997;Boneh and Lipton, 1995; Ettinger and Høyer, 1999; Høyer,1997).

In the graph automorphism problem, we are given a graphΓ on n vertices, and our goal is to determine its automor-phism group. We say thatπ ∈ Sn is an automorphism ofΓ ifπ(Γ) = Γ. The automorphisms ofΓ form a group AutΓ ≤ Sn;if Aut Γ is trivial then we sayΓ is rigid. We may cast the graphautomorphism problem as an HSP overSn by considering thefunction f (π) := π(Γ), which hides AutΓ.

In the graph isomorphism problem, we are given two con-nected graphsΓ,Γ′, each onn vertices, and our goal is todetermine whether there is any permutationπ ∈ Sn such thatπ(Γ) = Γ′, in which case we say thatΓ andΓ′ are isomor-phic. We can cast graph isomorphism as an HSP in the wreathproductSn ≀S2 ≤ S2n. (The wreath product groupG≀T, whereT ≤ Sm, is the semidirect productGm ⋊ T, whereT acts topermute the elements ofGm.) Writing the elements ofSn ≀S2in the form(σ,τ,b) whereσ,τ ∈ Sn represent permutations ofΓ,Γ′, respectively, andb∈ 0,1 denotes whether to swap thetwo graphs, by defining

f (σ,τ,b) :=

(σ(Γ),τ(Γ′)) b = 0

(σ(Γ′),τ(Γ)) b = 1.(127)

The functionf hides the automorphism group of the disjointunion ofΓ andΓ′. This group contains an element that swapsthe two graphs, and hence is at least twice as large as|AutΓ| ·|AutΓ′|, if and only if the graphs are isomorphic. In particular,if Γ andΓ′ are rigid (which seems to be a hard case for the HSPapproach to graph isomorphism, and in fact is equivalent to theproblem of deciding rigidity (Hoffmann, 1982, Sec. VI.6)),the hidden subgroup is trivial whenΓ,Γ′ are non-isomorphic,and has order two, with its nontrivial element the involution(π,π−1,1), whenΓ = π(Γ′).

The graph automorphism and graph isomorphism problemsare closely related. The decision version of graph isomor-phism is polynomial-time equivalent to the problems of find-ing an isomorphism between two graphs provided one ex-ists, counting the number of such isomorphisms, finding theautomorphism group of a single graph, and computing the

25

size of this automorphsim group (Hoffmann, 1982). Decid-ing whether a graph is rigid (i.e., whether the automorphsimgroup is trivial) can be reduced to general graph isomorphism,but the other direction is unknown, so deciding rigidity couldbe an easier problem (Kobleret al., 1993).

We should point out the possibility that graph isomor-phism is not a hard problem, even for classical computers.There are polynomial-time classical algorithms for many spe-cial cases of graph isomorphism, such as when the maxi-mum degree is bounded (Luks, 1982), the genus is bounded(Filotti and Mayer, 1980; Miller , 1980), or the eigenvaluemultiplicity is bounded (Babaiet al., 1982). Furthermore,there are classical algorithms that run in time 2O(

√nlogn) for

general graphs (Babaiet al., 1983); and in time 2O( 3√n) forstrongly regular graphs (Spielman, 1996), which are suspectedto be some of the hardest graphs for the problem. Evenif there is a polynomial-time quantum algorithm for graphisomorphism, it is plausible that the HSP in the symmetricgroup might be substantially harder, since the graph structureis lost in the reduction to the HSP. Indeed, solving the HSPin the symmetric group would equally well solve other iso-morphism problems, such as the problem of code equivalence(Ettinger and Høyer, 1999), which is at least as hard as graphisomorphism, and possibly harder (Petrank and Roth, 1997).

The second major potential application of the hidden sub-group problem is to lattice problems. Ann-dimensional latticeis the set of all integer linear combinations ofn linearly inde-pendent vectors inRn (a basisfor the lattice). In theshortestvector problem, we are asked to find a shortest nonzero vec-tor in the lattice (see for exampleMicciancio and Goldwasser(2002)). In particular, in theg(n)-unique shortest vectorproblem, we are promised that the shortest nonzero vec-tor is unique (up to its sign), and is shorter than any othernon-parallel vector by a factorg(n). This problem can besolved in polynomial time on a classical computer ifg(n) =

(1+ ε)Ω(n) (Lenstraet al., 1982), and indeed even ifg(n) =

2Ω(nloglogn/ logn) (Ajtai et al., 2001; Schnorr, 1987). The prob-lem isNP-hard if g(n) = O(1) (Ajtai, 1998; van Emde Boas,1981; Micciancio, 2001); in fact, even stronger hardness re-sults are known (Khot, 2005). Even for g(n) = poly(n),the problem is suspected to be hard, at least for a classi-cal computer. In particular, the presumed hardness of theO(n8)-unique shortest vector problem is the basis for a cryp-tosystem proposed byAjtai (1996); Ajtai and Dwork(1997);Micciancio and Goldwasser(2002), and a subsequent im-provement byRegev(2003) requires quantum hardness of theO(n1.5)-shortest vector problem.

Regev showed that an efficient quantum algorithm for thedihedral hidden subgroup problem based on the standardmethod (described below) could be used to solve the poly(n)-unique shortest vector problem (Regev, 2004a). Such an al-gorithm would be significant since it would break these lat-tice cryptosystems, which are some of the few proposed cryp-tosystems that are not compromised by Shor’s algorithm.

So far, only the symmetric and dihedral hidden subgroupproblems are known to have applications to natural problems.Nevertheless, there has been considerable interest in under-standing the complexity of the HSP for general groups. There

are at least three reasons for this. First, the problem is sim-ply of fundamental interest: it appears to be a natural settingfor exploring the extent of the advantage of quantum com-puters over classical ones. Second, techniques developed forother HSPs may eventually find application to the symmet-ric or dihedral groups. Finally, exploring the limitationsofquantum computers for HSPs may suggest cryptosystems thatcould be robust even to quantum attacks (Hayashiet al., 2008;Kawachiet al., 2005; Mooreet al., 2007c; Okamotoet al.,2000; Regev, 2004a).

B. The standard method

Nearly all known algorithms for the non-Abelian hiddensubgroup problem use the black box forf in essentiallythe same way as in the Abelian HSP (SectionIV.C). Thisapproach has therefore come to be known as thestandardmethod.

In the standard method, we begin by preparing a uniformsuperposition over group elements:

|G〉 :=1√|G| ∑

x∈G

|x〉. (128)

We then compute the valuef (x) in an ancilla register, giving

1√|G| ∑

x∈G

|x, f (x)〉. (129)

Finally, we discard the second register. If we were to measurethe second register, obtaining the outcomey∈S, then the statewould be projected onto the uniform superposition of thosex ∈ G such thatf (x) = y, which is simply some left coset ofH. Since every coset contains the same number of elements,each left coset occurs with equal probability. Thus discardingthe second register yields thecoset state

|xH〉 :=1√|H| ∑

h∈H

|xh〉 with x∈ G uniformlyrandom and unknown.

(130)

Depending on context, it may be more convenient to view theoutcome either as a random pure state, or equivalently, as themixed quantum state

ρH :=1|G| ∑

x∈G

|xH〉〈xH| (131)

which we refer to as ahidden subgroup state. In the stan-dard approach to the hidden subgroup problem, we attempt todetermineH using samples of this hidden subgroup state.

Historically, work on the hidden subgroup problem has fo-cused almost exclusively on the standard method. However,while this method seems quite natural, there is no generalproof that it is necessarily the best way to approach the HSP.Koiranet al.(2005) showed that the quantum query complex-ity of Simon’s problem is linear, so that Simon’s algorithm(using the standard method) is within a constant factor of op-timal. This immediately implies anΩ(n) lower bound for the

26

HSP in any group that contains the subgroupZ/2nZ. It wouldbe interesting to prove similar results for more general groups,or to find other ways of evaluating the effectiveness of thestandard method as compared with more general strategies.

C. Weak Fourier sampling

The symmetry of the coset state Eq. (130) (and equivalently,the hidden subgroup state Eq. (131)) can be exploited usingthe quantum Fourier transform. In particular, we have

|xH〉 =1√|H| ∑

h∈H

R(h)|x〉 (132)

whereR is the right regular representation ofG. Thus thehidden subgroup state can be written

ρH =1

|G| · |H| ∑x∈G

∑h,h′∈H

R(h)|x〉〈x|R(h′)† (133)

=1

|G| · |H| ∑h,h′∈H

R(hh′−1) (134)

=1|G| ∑

h∈H

R(h). (135)

Since the right regular representation is block-diagonal in theFourier basis, the same is true ofρH . In particular, usingEq. (125), we have

ρH := FGρH F†G (136)

=1|G|

M

σ∈G

(Idσ ⊗σ(H)∗

)(137)

where

σ(H) := ∑h∈H

σ(h). (138)

Since ρH is block diagonal, with blocks labeled by irre-ducible representations, we may now measure the irrep labelwithout loss of information. This procedure is referred to asweak Fourier sampling. The probability of observing repre-sentationσ ∈ G under weak Fourier sampling is

Pr(σ) =1|G| Tr

(Idσ ⊗σ(H)∗

)(139)

=dσ

|G| ∑h∈H

χσ(h)∗, (140)

which is preciselydσ|H|/|G| times the number of times thetrivial representation appears in ResG

H σ, the restriction ofσto H (Hallgrenet al., 2003, Theorem 1.2). We may now askwhether polynomially many samples from this distribution aresufficient to determineH, and if so, whetherH can be recon-structed from this information efficiently.

If G is Abelian, then all of its representations are one-dimensional, so weak Fourier sampling reveals all of the avail-able information aboutρH . This information can indeed beused to efficiently determineH, as discussed in SectionIV.C.

Weak Fourier sampling succeeds for a similar reason when-everH is anormal subgroupof G (denotedH EG), i.e., when-evergHg−1 = H for all g∈ G (Hallgrenet al., 2003). In thiscase, the hidden subgroup state within the irrepσ ∈ G is pro-portional to

σ(H)∗ =1|G| ∑

g∈G,h∈H

σ(ghg−1)∗, (141)

and this commutes withσ(x)∗ for all x ∈ G, so by Schur’sLemma (Theorem4), it is a multiple of the identity. ThusρHis proportional to the identity within each block, and againweak Fourier sampling reveals all available information aboutH. Indeed, the distribution under weak Fourier sampling isparticularly simple: we have

Pr(σ) =

d2

σ|H|/|G| H ⊆ kerσ0 otherwise

(142)

(a straightforward generalization of the distribution seen instep5 of Algorithm 4), where kerσ := g ∈ G : σ(g) = 1denotes thekernelof the representationσ. To see this, notethat if H 6⊆ kerσ, then there is someh′ ∈ H with σ(h′) 6= 1;but thenσ(h′)σ(H) = ∑h∈H σ(h′h) = σ(H), and sinceσ(h′)is unitary andσ(H) is a scalar multiple of the identity, thiscan only be satisfied if in factσ(H) = 0. On the other hand,if H ⊆ kerσ, thenχσ(h) = dσ for all h∈ H, and the result isimmediate.

To findH, we can simply proceed as in the Abelian case:

Algorithm 9 (Finding a normal hidden subgroup).Input: Black box function hiding HEG.Problem:Determine H.

1. Let K0 := G. For t = 1, . . . ,T, where T= O(log|G|):

(a) Perform weak Fourier sampling, obtaining an ir-rep σt ∈ G.

(b) Let Kt := Kt−1∩kerσt .

2. Output KT .

To see that this works, suppose that at thetth step, the inter-section of the kernels isKt−1 E G with Kt−1 6= H (so that, inparticular,|Kt−1| ≥ 2|H|); then the probability of obtaining anirrepσ for whichKt−1 ⊆ kerσ is (cf. step6 of Algorithm 4)

|H||G| ∑

σ:Kt−1⊆kerσd2

σ =|H|

|Kt−1|≤ 1

2(143)

where we have used the fact that the distribution Eq. (142) re-mains normalized ifH is replaced by any normal subgroup ofG. Each repetition of weak Fourier sampling has a probabilityof at least 1/2 of cutting the intersection of the kernels at leastin half, so we converge toH in O(log|G|) steps. In fact, ap-plying the same approach whenH is not necessarily normal inG gives an algorithm to find thenormal coreof H, the largestsubgroup ofH that is normal inG (Hallgrenet al., 2003).

27

This algorithm can be applied to find hidden subgroups ingroups that are “close to Abelian” a certain sense. In partic-ular, Grigni et al. (2004) showed that ifκ(G), the intersec-tion of the normalizers of all subgroups ofG, is sufficiently

large—specifically, if|G|/|κ(G)| = 2O(log1/2 n), such as whenG = Z/3Z ⋊ Z/2nZ—then the HSP inG can be solved inpolynomial time. The idea is simply to apply the algorithmfor normal subgroups to all subgroups containingκ(G); theunion of all subgroups obtained in this way gives the hiddensubgroup with high probability. This result was subsequentlyimproved to give a polynomial-time quantum algorithm when-ever|G|/|κ(G)| = poly(log|G|) (Gavinsky, 2004).

D. Strong Fourier sampling

Despite the examples given in the previous section, weakFourier sampling does not provide sufficient information tore-cover the hidden subgroup in the majority of non-Abelian hid-den subgroup problems. For example, weak Fourier samplingfails to solve the HSP in the symmetric group (Grigni et al.,2004; Hallgrenet al., 2003) and the dihedral group.

To obtain more information about the hidden subgroup, wecan perform a measurement on thed2

σ-dimensional state thatresults when weak Fourier sampling returns the outcomeσ.Such an approach is referred to asstrong Fourier sampling.From Eq. (137), this d2

σ-dimensional state is the tensor prod-uct of a dσ-dimensional maximally mixed state for the rowregister (as a consequence of the fact that the left and rightregular representations commute) with somedσ-dimensionalstateρH,σ for the column register. Since the row register doesnot depend onH, we may discard this register without loss ofinformation. In other words, strong Fourier sampling is effec-tively faced with the state

ρH,σ =σ(H)∗

∑h∈H χσ(h)∗. (144)

This state is proportional to a projector whose rank is sim-ply the number of times the trivial representation appears inResGH σ∗. This follows because

σ(H)2 = ∑h,h′∈H

σ(hh′) = |H|σ(H), (145)

which gives

ρ2H,σ =

|H|∑h∈H χσ(h)∗

ρH,σ, (146)

so thatρH,σ is proportional to a projector with rank(ρH,σ) =∑h∈H χσ(h)∗/|H|.

It is not immediately clear how to choose a good basis forstrong Fourier sampling, so a natural first approach is to con-sider the effect of measuring in a random basis (i.e., a basischosen uniformly with respect to the Haar measure overCdσ).There are a few cases in which suchrandom strong Fouriersamplingis fruitful. For example,Radhakrishnanet al.(2005)showed that measuring in a random basis provides sufficient

information to solve the HSP in the Heisenberg group. Sub-sequently,Sen(2006) generalized this result to show that ran-dom strong Fourier sampling is information-theoreticallysuf-ficient whenever rank(ρH,σ) = poly(log|G|) for all σ ∈ G (forexample, whenG is the dihedral group), as a consequence of amore general result on the distinguishability of quantum statesusing random measurements.

However, in some cases random strong Fourier sampling isunhelpful. For example,Grigni et al. (2004) showed that ifH is sufficiently small andG is sufficiently non-Abelian (ina certain precise sense), then random strong Fourier samplingis not very informative. In particular, they showed this fortheproblem of finding hidden involutions in the symmetric group.Another example was provided byMooreet al. (2007a), whoshowed that random strong Fourier sampling fails in the meta-cyclic groupsZ/pZ ⋊ Z/qZ (subgroups of the affine groupZ/pZ⋊ (Z/pZ)×) whenq < p1−ε for someε > 0.

Even when measuring in a random basis is information-theoretically sufficient, it does not give an efficient quantumalgorithm; we must consider both the implementation of themeasurement and the interpretation of its outcomes. We can-not efficiently measure in a random basis, but we can insteadtry to find explicit bases in which strong Fourier sampling canbe performed efficiently, and for which the results solve theHSP. The first such algorithm was provided byMooreet al.(2007a), for the metacyclic groupsZ/pZ ⋊ Z/qZ with q =p/poly(logp). Note that for these values ofp,q, unlike thecaseq< p1−ε mentioned above, measurement in a random ba-sis is information-theoretically sufficient. Indeed, we donotknow ofanyexample of an HSP for which strong Fourier sam-pling gives an efficient algorithm, yet random strong Fouriersampling fails information-theoretically; it would be interest-ing to find any such example (or to prove that none exists).

Of course, simply finding an informative basis is not suf-ficient; it is also important that the measurement results canbe efficiently post-processed. This issue arises not only inthe context of measurement in a pseudo-random basis, butalso in the context of certain explicit bases. For example,Ettinger and Høyer(2000) gave a basis for the dihedral HSPin which a measurement gives sufficient classical informationto infer the hidden subgroup, but no efficient means of post-processing this information is known (see SectionVIII.A ).

For some groups, it turns out that strong Fourier samplingsimply fails. Mooreet al. (2005) showed that, regardless ofwhat basis is chosen, strong Fourier sampling provides insuf-ficient information to solve the HSP in the symmetric group.Specifically, they showed that for any measurement basis (in-deed, for any POVM on the hidden subgroup states), the dis-tributions of outcomes in the cases where the hidden subgroupis trivial and where the hidden subgroup is a random involu-tion are exponentially close.

E. Multi-register measurements and query complexity

Even if we restrict our attention to the standard method, thefailure of strong Fourier sampling does not necessarily meanthat the HSP cannot be solved. In general, we need not restrict

28

ourselves to measurements acting on a single hidden subgroupstateρH at a time; rather, it may be advantageous to measurejoint observables onρ⊗k

H for k > 1. Such an approach couldconceivably be efficient providedk = poly(log|G|).

By considering joint measurements of many hidden sub-group states at a time,Ettingeret al. (1999, 2004) showedthat thequery complexityof the HSP is polynomial. In otherwords, poly(log|G|) queries of the black box functionf suf-fice to determineH. Unfortunately, this does not necessar-ily mean that the (quantum)computational complexityof theHSP is polynomial, since it is not clear in general how to per-

form the quantum post-processing ofρ⊗poly(log|G|)H efficiently.

Nevertheless, this is an important observation since it alreadyshows a difference between quantum and classical computa-tion: recall that the classical query complexity of even theAbelian HSP is typically exponential. Furthermore, it offerssome clues as to how we might design efficient algorithms.

To show that the query complexity of the HSP is polyno-mial, it is sufficient to show that the (single-copy) hidden sub-group states are pairwise statistically distinguishable,as mea-sured by the quantum fidelity

F(ρ,ρ′) := Tr |√ρ√

ρ′|. (147)

This follows from a result ofBarnum and Knill(2002), whoshowed the following.

Theorem 3. Suppose ρ is drawn from an ensembleρ1, . . . ,ρN, where eachρi occurs with some fixed priorprobability pi . Then there exists a quantum measurement (thepretty good measurement10) that identifiesρ with probabilityat least

1−N√

maxi 6= j

F(ρi ,ρ j). (148)

In fact, by the minimax theorem, this holds evenwithout assuming a prior distribution for the ensemble(Harrow and Winter, 2006).

Given only one copy of the hidden subgroup state, Eq. (148)will typically give a trivial bound. However, by taking multi-ple copies of the hidden subgroup states, we can ensure thatthe overall states are nearly orthogonal, and hence distinguish-able. In particular, sinceF(ρ⊗k,ρ′⊗k) = F(ρ,ρ′)k, arbitrarilysmall error probabilityε > 0 can be achieved using

k≥⌈

2(logN− logε)log(1/maxi 6= j F(ρi ,ρ j)

)⌉

(149)

copies ofρ.Provided thatGdoes not have too many subgroups, and that

the fidelity between two distinct hidden subgroup states is nottoo close to 1, this shows that polynomially many copies of

10 To distinguish the statesρi with prior probabilitiespi , the pretty good mea-surement (PGM) uses the measurement operatorsEi := piρ−1/2ρi ρ−1/2,whereρ := ∑i piρi (see for exampleHausladen and Wootters(1994)).

ρH suffice to solve the HSP. The total number of subgroups ofG is 2O(log2 |G|), which can be seen as follows. Any groupKcan be specified in terms of at most log2 |K| generators, sinceevery additional (non-redundant) generator increases thesizeof the group by at least a factor of 2. Since every subgroupof G can be specified by a subset of at most log2 |G| ele-ments ofG, the number of subgroups ofG is upper boundedby |G|log2 |G| = 2(log2 |G|)2

. Thusk = poly(log|G|) copies ofρH suffice to solve the HSP provided the maximum fidelity isbounded away from 1 by at least 1/poly(log|G|).

To upper bound the fidelity between two statesρ,ρ′, let Πρdenote the projector onto the support ofρ. By considering thePOVM with elementsΠρ,1−Πρ and noting that the classicalfidelity of the resulting distribution is an upper bound on thequantum fidelity, we have

F(ρ,ρ′) ≤√

TrΠρρ′. (150)

Now consider the fidelity betweenρH andρH′ for two dis-tinct subgroupsH,H ′ ≤ G. Let |H| ≥ |H ′| without loss ofgenerality. We can write Eq. (131) as

ρH =|H||G| ∑

x∈TH

|xH〉〈xH| (151)

whereTH is a left transversal ofH (i.e., a complete set ofunique representatives for the left cosets ofH in G). SinceEq. (151) is a spectral decomposition ofρH , we have

ΠρH = ∑x∈TH

|xH〉〈xH| = 1|H| ∑

x∈G

|xH〉〈xH|. (152)

Then we have

F(ρH ,ρH′)2 ≤ TrΠρH ρH′ (153)

=1

|H| · |G| ∑x,x′∈G

|〈xH|x′H ′〉|2 (154)

=1

|H| · |G| ∑x,x′∈G

|xH∩x′H ′|2|H| · |H ′| (155)

=|H ∩H ′||H| (156)

≤ 12, (157)

where we have used the fact that

|xH∩x′H ′| =|H ∩H ′| if x−1x′ ∈ HH ′

0 otherwise(158)

to evaluate

∑x,x′∈G

|xH∩xH′|2 = |G| · |H∩H ′|2 · |HH ′| (159)

= |G| · |H| · |H ′| · |H∩H ′|. (160)

This shows thatF(ρH ,ρH′)≤ 1/√

2, thereby establishing thatthe query complexity of the HSP is poly(log|G|).

29

It is possible to obtain tighter bounds on the number of hid-den subgroup states needed to solve the HSP. For example,Baconet al.(2006) showed that(1+o(1)) log2 N hidden sub-group states are necessary and sufficient to find a hidden re-flection in the dihedral group of order 2N. In a similar vein,Hayashiet al. (2008) gave asymptotically tight bounds on thenumber of hidden subgroup states needed to solve the HSP ingeneral groups, taking into account both the number of candi-date subgroups and their sizes.

The measurements described in this section are highlymulti-register: they observe correlated properties of allofpoly(log|G|) hidden subgroup states at once. Thus they arequite far from strong Fourier sampling, in which measure-ments are made on only one hidden subgroup state at a time.It is natural to ask whether some less entangled measurementmight also be sufficient for general groups, perhaps measur-ing a smaller number of hidden subgroup states at a time, andadaptively using those measurement results to decide whatmeasurements to make on successive hidden subgroup states.However,Hallgrenet al.(2006) have shown that this is not al-ways the case: in the symmetric group (as well as a few othergroups such as the general linear group), entangled measure-ments onΩ(log|G|) registers at a time are required to solvethe HSP.

F. The Kuperberg sieve

In this section, we describe an approach developed byKuperberg(2005) that gives a subexponential (though notpolynomial) time algorithm for the dihedral hidden subgroup

problem—specifically, it runs in time 2O(√

log|G|).The dihedral group of order 2N, denotedDN, is the group

of symmetries of a regularN-gon. It has the presentation

DN = 〈r,s|r2 = sN = 1, rsr = s−1〉. (161)

Here r can be viewed as a reflection about some fixed axis,andscan be viewed as a rotation by an angle 2π/N.

Using the defining relations, we can write any group ele-ment in the formsxra wherex ∈ Z/NZ anda∈ Z/2Z. Thuswe can equivalently think of the group as consisting of ele-ments(x,a) ∈ Z/NZ×Z/2Z. Since

(sxra)(syrb) = sxrasyrara+b (162)

= sxs(−1)ayra+b (163)

= sx+(−1)ayra+b, (164)

the group operation for such elements can be expressed as

(x,a) · (y,b) = (x+(−1)ay,a+b). (165)

(In particular, this shows that the dihedral group is the semidi-rect productZ/NZ ⋊ϕ Z/2Z, whereϕ : Z/2Z → Aut(Z/NZ)is defined byϕ(a)(y) = (−1)ay.) It is also easy to see that thegroup inverse is

(x,a)−1 = (−(−1)ax,a). (166)

The subgroups ofDN are either cyclic or dihedral. The sub-groups that are cyclic are of the form〈(x,0)〉 wherex∈ Z/NZis some divisor ofN (includingx = N). The subgroups thatare dihedral are of the form〈(x,0),(y,1)〉 wherex ∈ Z/NZis some divisor ofN and y ∈ Z/xZ; in particular, there aresubgroups of the form〈(y,1)〉 wherey ∈ Z/NZ. A result ofEttinger and Høyer(2000) reduces the general dihedral HSP,in which the hidden subgroup could be any of these possibili-ties, to the dihedral HSP with the promise that the hidden sub-group is of the form〈(y,1)〉 = (0,0),(y,1), i.e., a subgroupof order 2 generated by the reflection(y,1).11 Thus, from nowon we will assume that the hidden subgroup is of the form〈(y,1)〉 for somey∈ Z/NZ without loss of generality.

When the hidden subgroup isH = 〈(y,1)〉, one particularleft transversal ofH in G consists of the left coset representa-tives(z,0) for all z∈ Z/NZ. The coset state Eq. (130) corre-sponding to the coset(z,0)H is

|(z,0)H〉 =1√2(|z,0〉+ |y+z,1〉). (167)

We saw in SectionVII.C that to distinguish coset states ingeneral, one should start with weak Fourier sampling: applya Fourier transform overG and then measure the irrep label.Equivalently, we can simply Fourier transform the first regis-ter overZ/NZ, leaving the second register alone. When the re-sulting measurement outcomek is not 0 orN/2, this procedureis effectively the same as performing weak Fourier sampling,obtaining a two-dimensional irrep labeled by eitherk (for k∈1, . . . ,⌈N/2⌉− 1) or −k (for k ∈ ⌊N/2⌋+ 1, . . . ,N− 1),with the uniformly random sign ofk corresponding to themaximally mixed row index, and the remaining qubit statecorresponding to the column index. Fork = 0 or N/2, therepresentation is reducible, corresponding to a pair of one-dimensional representations.

Fourier transforming the first register overZ/NZ, we obtain

(FZ/NZ ⊗ I2)|(z,0)H〉

=1√2N

∑k∈Z/NZ

(ωkzN |k,0〉+ ωk(y+z)

N |k,1〉) (168)

=1√N

∑k∈Z/NZ

ωkzN |k〉⊗ 1√

2(|0〉+ ωky

N |1〉). (169)

If we then measure the first register, we obtain one of theNvalues ofk uniformly at random, and we are left with the post-

11 The basic idea of the Ettinger-Høyer reduction is as follows. Supposethat f : DN → S hides a subgroupH = 〈(x,0),(y,1)〉. Then we canconsider the functionf restricted to elements from the Abelian groupZ/NZ×0 ≤ DN. This restricted function hides the subgroup〈(x,0)〉,and since the restricted group is Abelian, we can findx efficiently us-ing Algorithm 4. Now 〈(x,0)〉 E DN (since (z,a)(x,0)(z,a)−1 = (z+(−1)ax,a)(−(−1)az,a) = ((−1)ax,0) ∈ Z/NZ×0), so we can definethe quotient groupDN/〈(x,0)〉. But this is simply a dihedral group (of or-derN/x), and if we now define a functionf ′ as f evaluated on some cosetrepresentative, it hides the subgroup〈(y,1)〉.

30

measurement state

|ψk〉 :=1√2(|0〉+ ωyk

N |1〉) (170)

(dropping an irrelevant global phase that depends onz). Thuswe are left with the problem of determiningy given the abilityto produce single-qubit states|ψk〉 of this form (wherek isknown). Since this procedure is equivalent to dihedral weakFourier sampling, there is no loss of information in processingthe state to produce Eq. (170).

It would be useful if we could prepare states|ψk〉 with par-ticular values ofk. For example, given the state|ψN/2〉 =

1√2(|0〉+(−1)y|1〉), we can learn the parity ofy (i.e., its least

significant bit) by measuring in the basis of states|±〉 :=(|0〉 ± |1〉)/

√2. The main idea of Kuperberg’s algorithm is

to combine states of the form Eq. (170) to produce new statesof the same form, but with more desirable values ofk.

To combine states, we can use the following procedure.Given two states|ψp〉 and|ψq〉, perform a controlled-not gatefrom the former to the latter, giving

|ψp,ψq〉

=12(|0,0〉+ ωyp

N |1,0〉+ ωyqN |0,1〉+ ωy(p+q)

N |1,1〉) (171)

7→ 12(|0,0〉+ ωyp

N |1,1〉+ ωyqN |0,1〉+ ωy(p+q)

N |1,0〉) (172)

=1√2(|ψp+q,0〉+ ωyq

N |ψp−q,1〉). (173)

Then a measurement on the second qubit leaves the first qubitin the state|ψp±q〉 (up to an irrelevant global phase), with the+ sign occurring when the outcome is 0 and the− sign oc-curring when the outcome is 1, each outcome occurring withprobability 1/2.

Note that this combination procedure can be viewed as im-plementing theClebsch-Gordan decomposition, the decom-position of a tensor product of representations into its irre-ducible constituents. The state indicesp andq can be inter-preted as labels of irreps ofDN, and the extraction of|ψp±q〉can be seen as transforming their tensor product (a reduciblerepresentation ofDN) into one of two irreducible components.

Now we are ready to describe the algorithm ofKuperberg(2005). For simplicity, we will assume from now on thatN = 2n is a power of 2. For such a dihedral group, it isactually sufficient to be able to determine the least signifi-cant bit of y, since such an algorithm could be used recur-sively to determine all the bits ofy.12 Our strategy for do-

12 To see this, note that the groupDN contains two subgroups isomorphic toDN/2, namely(2x,0),(2x,1) : x ∈ Z/(N/2)Z and(2x,0),(2x+ 1,1) :x∈ Z/(N/2)Z. The hidden subgroup is a subgroup of the former ify haseven parity, and of the latter ify has odd parity. Thus, once we learn theparity of y, we can restrict our attention to the appropriateDN/2 subgroup.The elements of eitherDN/2 subgroup can be represented using onlyn−1bits, and finding the least significant bit of the hidden reflection within thissubgroup corresponds to finding the second least significantbit of y in DN.Continuing in this way, we can learn all the bits ofy with only n iterationsof an algorithm for finding the least significant bit of the hidden reflection.

ing this is to start with a large number of states, and collectthem into pairs|ψp〉, |ψq〉 that share many of their least sig-nificant bits, such that|ψp−q〉 is likely to have many of itsleast significant bits equal to zero. Trying to zero out all butthe most significant bit in one shot would take exponentiallylong, so instead we proceed in stages, only trying to zero someof the least significant bits in each stage; this turns out togive an improvement. (This approach is similar to previousclassical sieve algorithms for learning (Blum et al., 2003) andlattice (Ajtai et al., 2001) problems, as well as a subsequentclassical algorithm for average case instances of subset sum(Flaxman and Przydatek, 2005).)

Algorithm 10 (Kuperberg sieve).Input: Black box function f: D2n → S hiding〈(y,1)〉 ≤ D2n

for some y∈ Z/2nZ.Problem:Determine the least significant bit of y.

1. PrepareΘ(16√

n) coset states of the form Eq. (170),where each copy has k∈ Z/2nZ chosen independentlyand uniformly at random.

2. For each j= 0,1, . . . ,m−1 where m:= ⌈√n⌉, assumethe current coset states have indices k with at least m jof the least significant bits equal to0. Collect them intopairs |ψp〉, |ψq〉 that share at least m of the next leastsignificant bits, discarding any qubits that cannot bepaired. Create a state|ψp±q〉 from each pair, and dis-card it if the + sign occurs. Notice that the resultingstates have at least m( j +1) significant bits equal to0.

3. The remaining states are of the form|ψ0〉 and |ψ2n−1〉.Measure one of the latter states in the|±〉 basis to de-termine the least significant bit of y.

Since this algorithm requires 2O(√

n) initial queries and pro-ceeds throughO(

√n) stages, each of which takes at most

2O(√

n) steps, the overall running time is 2O(√

n).To show that the algorithm works, we need to prove that

some qubits survive to the final stage of the process with non-negligible probability. Let us analyze a more general versionof the algorithm to see why we should try to zero out

√n bits

at a time, starting with 2O(√

n) states.Suppose we try to cancelm bits in each stage, so that there

aren/m stages (not yet assuming any relationship betweenmandn), starting with 2ℓ states. Each combination operationsucceeds with probability 1/2, and turns two states into one,so at each step we retain only about 1/4 of the states that canbe paired. Now when we pair states that allow us to cancelm bits, there can be at most 2m unpaired states, since that isthe number of values of them bits to be canceled. Thus ifwe ensure that there are at least 2· 2m states at each stage,we expect to retain at least a 1/8 fraction of the states for thenext stage. Since we begin with 2ℓ states,we expect to have atleast 2ℓ−3 j states left after thejth stage. Thus, to have 2·2m

states remaining at the last stage of the algorithm, we require2ℓ−3n/m > 2m+1, or ℓ > m+ 3n/m+ 1. This is minimized bychoosingm≈√

n, soℓ ≈ 4√

n suffices.This analysis is not quite correct because we do not ob-

tain precisely a 1/8 fraction of the paired states for use in the

31

next stage. For most of the stages, we have many more than2 ·2m states, so nearly all of them can be paired, and the ex-pected fraction remaining for the next stage is close to 1/4.Of course, the precise fraction will experience statistical fluc-tuations. However, since we are working with a large num-ber of states, the deviations from the expected values are verysmall, and a more careful analysis (using the Chernoff bound)shows that the procedure succeeds with high probability. Fora detailed argument, see (Kuperberg, 2005, Sec. 3.1). That pa-per also gives an improved algorithm that runs faster and thatworks for generalN.

Note that this algorithm uses not only superpolynomialtime, but also superpolynomial space, since all 2Θ(

√n) coset

states are present at the start. However, by creating a smallernumber of coset states at a time and combining them accord-ing to the solution of a subset sum problem,Regev(2004b)showed how to make the space requirement polynomial innwith only a slight increase in the running time.

Although Kuperberg’s algorithm acts on pairs of cosetstates at a time, the overall algorithm effectively implementsa highly entangled measurement on all 2Θ(

√n) registers, since

the procedure for producing|ψp±q〉 entangles the coset states|ψp〉 and|ψq〉. The same is true of Regev’s polynomial-spacevariant.

It is natural to ask whether a similar sieve could be appliedto other HSPs, such as in the symmetric group, for whichhighly entangled measurements are necessary.Alagic et al.(2007) adapt Kuperberg’s approach to give a subexponential-time algorithm for the HSP inGn, whereG is a fixed non-Abelian group. (Note that the HSP inGn can be much harderthan solvingn instances of the HSP inG, sinceGn has manysubgroups that are not direct products of subgroups ofG.)Also, Bacon(2008) showed that an algorithm for the Heisen-berg HSP, similar to the one described in SectionVII.G be-low, can be derived using the Clebsch-Gordan transform overthe Heisenberg group. It would be interesting to find furtherapplications of the approach, especially ones that give newpolynomial-time algorithms.

Unfortunately, this kind of sieve does not seem well-suitedto the symmetric group. In particular,Mooreet al. (2007b)gave the following negative result for the HSP inSn ≀S2, wherethe hidden subgroup is promised to be either trivial or an in-volution. Consider any algorithm that works by combiningpairs of hidden subgroup states to produce a new state intheir Clebsch-Gordan decomposition, and uses the sequenceof measurement results to guess whether the hidden subgroupis trivial or nontrivial. Any such algorithm must use 2Ω(

√n)

queries. Note that this lower bound is only slightly smallerthan the best known classical algorithm for graph isomor-phism, as mentioned in SectionVII.A .

G. Pretty good measurement

Another recent technique for the HSP is based on imple-menting thepretty good measurement(PGM) on the hiddensubgroup states. Recall from SectionVII.E that for any groupG, the PGM applied to poly(log|G|) copies ofρH identifies

H with high probability. Thus if we can efficiently implementthe PGM on sufficiently many copies, we will have found anefficient algorithm for the HSP.

This approach was considered in (Baconet al., 2005, 2006)for certain semidirect product groupsA⋊ Z/pZ, whereA isan Abelian group andp is prime. For these groups, the gen-eral HSP can be reduced to the HSP assuming that the hid-den subgroup is chosen from a certain subset. Furthermore,the PGM turns out to be the optimal measurement for distin-guishing the resulting hidden subgroup states, in the sensethatit maximizes the probability of correctly identifying the hid-den subgroup assuming a uniform distribution over the sub-groups under consideration (as can be proven using the char-acterization of optimal measurement byHolevo (1973) andYuenet al. (1975)). This generalizes the result of (Ip, 2003)that Shor’s algorithm implements the optimal measurementfor the Abelian HSP, and suggests that in general, optimalmeasurements may be good candidates for efficient quantumalgorithms.

For general groups of the formA⋊ Z/pZ, the PGM ap-proach reveals a connection between the original hidden sub-group problem and a related average-case algebraic problem.Specifically, the PGM succeeds in distinguishing the hiddensubgroup states exactly when the average case problem islikely to have solutions, and the PGM can be implemented ef-ficiently by giving an efficient algorithm for solving the aver-age case problem (or more precisely, forapproximately quan-tum samplingfrom the set of solutions to the problem). Dif-ferent HSPs correspond to different average case problems,of varying difficulty. For example, the dihedral HSP corre-sponds to the average case subset sum problem (Baconet al.,2006), which appears to be hard. But other average caseproblems appearing in the approach are easier, leading toefficient algorithms. Certain instances of the Abelian HSPgive rise to systems of linear equations. For the metacyclicHSPs solved in (Mooreet al., 2007a) (and indeed for someadditional cases), the average-case problem is a discrete logproblem, which can be solved using Shor’s algorithm as de-scribed in SectionIV.B. And for the HSP in the Heisenberggroup13 (Z/pZ)2 ⋊Z/pZ, and more generally in any semidi-rect product(Z/pZ)r ⋊ Z/pZ, the average case problem is aproblem of solving polynomial equations, which can be doneefficiently using Grobner basis techniques providedr = O(1)(Baconet al., 2005).

Here we briefly summarize the algorithm that results fromapplying the PGM to the HSP in the Heisenberg group,since this case exemplifies the general approach. TheHeisenberg group can be viewed as the semidirect product(Z/pZ)2 ⋊ϕ Z/pZ, whereϕ : Z/pZ → Aut((Z/pZ)2) is de-fined byϕ(c)(a,b) = (a+bc,b). Equivalently, it is the group

13 The Heisenberg group is an example of anextraspecial group.Ivanyoset al. (2007) give an efficient quantum algorithm for the HSP inany extraspecial group (see SectionVIII.C for more details). This subse-quent algorithm also makes use of the solution of a system of polynomialequations to implement an entangled measurement.

32

of lower triangular 3×3 matrices

1 0 0

b 1 0

a c 1

: a,b,c∈ Fp

(174)

overFp, or alternatively, the group generated bygeneralizedPauli operators X,Z ∈ Cp×p satisfyingX|x〉 = |x+1 modp〉andZ|x〉 = ωx

p|x〉, with elementsωapXbZc. With any of these

descriptions, the group elements are of the form(a,b,c) witha,b,c∈ Z/pZ, and the group law is

(a,b,c) · (a′,b′,c′) = (a+a′+b′c,b+b′,c+c′). (175)

Just as the dihedral HSP can be reduced to the problem offinding a hidden reflection (Footnote11), one can show thatto solve the general HSP in the Heisenberg group, it is suffi-cient to be able to distinguish the following cyclic subgroupsof orderp:

Ha,b := 〈(a,b,1)〉 = (a,b,1) j : j ∈ Z/pZ, (176)

wherea,b∈ Z/pZ. A simple calculation shows that

(a,b,1)x = (xa+(x

2

)b,xb,x). (177)

Furthermore, the cosets of any such subgroup can be repre-sented by thep2 elements(ℓ,m,0) for ℓ,m∈ (Z/pZ)2. Thusthe coset state Eq. (130) can be written

|(ℓ,m,0)Ha,b〉 =1√p ∑

x∈Z/pZ

|xa+(x

2

)b+ ℓ,xb+m, j〉. (178)

Our goal is to determine the parametersa,b ∈ Z/pZ usingcopies of this state withℓ,m∈ Z/pZ occurring uniformly atrandom.

At this point, we could perform weak Fourier samplingover the Heisenberg group without discarding any informa-tion. However, as for the dihedral group (SectionVII.F), itis simpler to consider an Abelian Fourier transform insteadofthe full non-Abelian Fourier transform. Using the representa-tion theory of the Heisenberg group (see for exampleTerras(1999, Chap. 18)), one can show that this procedure is essen-tially equivalent to non-Abelian Fourier sampling.

Fourier transforming the first two registers over(Z/pZ)2,we obtain the state

1

p3/2 ∑x,s,t∈Z/pZ

ωs(ℓ+xa+(x

2)b)+t(m+xb)p |s, t,x〉. (179)

Now suppose we measure the valuess, t appearing in the firsttwo registers. In fact this can be done without loss of informa-tion, since the density matrix of the state (mixed over the uni-formly random values ofℓ,m) is block diagonal, with blockslabeled bys,t. Collecting the coefficients of the unknown pa-rametersa,b, the resultingp-dimensional quantum state is

|Ha,b;s,t〉 :=1√p ∑

x∈Z/pZ

ωa(sx)+b(s(x

2)+tx)p |x〉 (180)

where the valuess,t ∈ Z/pZ are known, and are obtained uni-formly at random. We would like to use samples of this stateto determinea,b∈ Z/pZ.

With only one copy of this state, there is insufficient in-formation to recover the hidden subgroup: Holevo’s theorem(see for exampleNielsen and Chuang(2000, Sec. 12.1)) guar-antees that a measurement on ap-dimensional quantum statecan reliably communicate at mostp different outcomes, yetthere arep2 possible values of(a,b) ∈ (Z/pZ)2. Thus wemust use at least two copies.

However, by making a joint measurement on two copiesof the state, we can recover the information abouta,b thatis encoded in a quadratic function in the phase. To see this,consider the state

|Ha,b;s,t〉⊗ |Ha,b;u,v〉 =1p ∑

x,y∈Z/pZ

ωαa+βbp |x,y〉, (181)

where

α := sx+uy (182)

β := s(x

2

)+ tx+u

(y2

)+vy (183)

and where we suppress the dependence ofα,β on s,t,u,v,x,yfor clarity. If we could replace|x,y〉 by |α,β〉, then the re-sulting state would be simply the Fourier transform of|a,b〉,and an inverse Fourier transform would reveal the solution.To work toward this situation we compute the values ofα,βin ancilla registers, giving the state

1p ∑

x,y∈Z/pZ

ωαa+βbp |x,y,α,β〉, (184)

and attempt to uncompute the first two registers.For fixed values ofα,β,s,t,u,v∈Z/pZ, the quadratic equa-

tions Eqs. (182) and (183) could have zero, one, or two solu-tionsx,y∈ Z/pZ. Thus we cannot hope to erase the first andsecond registers by a classical procedure conditioned on thevalues in the third and fourth registers (and the known valuesof s,t,u,v). However, it is possible to implement a quantumprocedure to erase the first two registers by considering thefull set of solutions

Ss,t,u,vα,β := (x,y) ∈ (Z/pZ)2 :

sx+uy= α and

s(x

2

)+ tx+u

(y2

)+vy= β.

(185)

The state Eq. (184) can be rewritten

1p ∑

x,y∈Z/pZ

ωαa+βbp

√|Ss,t,u,v

α,β | |Ss,t,u,vα,β ,α,β〉. (186)

Thus, if we could perform a unitary transformation satisfying

|Ss,t,u,vα,β 〉 7→ |α,β〉 for |Ss,t,u,v

α,β | 6= 0 (187)

(and defined in any way consistent with unitarity for othervalues of α,β), we could erase the first two registers of

33

Eq. (184),14 producing the state

1p ∑

α,β∈Z/pZ

ωαa+βbp

√|Ss,t,u,v

α,β | |α,β〉. (188)

The inverse of the transformation Eq. (187) is calledquantumsamplingbecause it produces a uniform superposition over theset of solutions, a natural quantum analog ofrandom samplingfrom the solutions.

Since the system of Eqs. (182) and (183) consists of a pairof quadratic equations in two variables overFp, it has eitherzero, one, or two solutionsx,y∈ Fp. For about half the cases,there are zero solutions; for about half the cases, there aretwo solutions; and for a vanishing fraction of the cases, thereis only one solution. More explicitly, by a straightforwardcalculation, the solutions can be expressed in closed form as

x =αs+sv− tu±

√∆

s(s+u)(189)

y =αu+ tu−sv∓

√∆

u(s+u)(190)

where

∆ := (2βs+αs−α2−2αt)(s+u)u+(αu+ tu−sv)2. (191)

Providedsu(s+u) 6= 0, the number of solutions is completelydetermined by the value of∆. If ∆ is a nonzero square inFp,then there are two distinct solutions; if∆ = 0 then there isonly one solution; and if∆ is a non-square then there are nosolutions. In any event, since we can efficiently compute anexplicit list of solutions in each of these cases, we can effi-ciently perform the transformation Eq. (187).

It remains to show that the state Eq. (188) can be used torecovera,b. This state is close to the Fourier transform of|a,b〉 provided the solutions are nearly uniformly distributed.Since the values ofs, t,u,v are uniformly distributed overFp,it is easy to see that∆ is uniformly distributed overFp. Thismeans that∆ is a square about half the time, and is a non-square about half the time (with∆ = 0 occurring only withprobability 1/p). Thus there are two solutions about half thetime and no solutions about half the time. This distributionofsolutions is uniform enough for the procedure to work.

Applying the inverse quantum Fourier transform overZ/pZ×Z/pZ, we obtain the state

1p2 ∑

α,β,k,ℓ∈Z/pZ

ωα(a−k)+β(b−ℓ)p

√|Ss,t,u,v

α,β | |k, ℓ〉. (192)

Measuring this state, the probability of obtaining the outcomek = a andℓ = b for any particular values ofs, t,u,v is

1p4

(

∑α,β∈Z/pZ

√|Ss,t,u,v

α,β |)2

. (193)

14 Note that we can simply apply the transformation Eq. (187) directly to thestate Eq. (181); there is no need to explicitly compute the valuesα,β in anancilla register.

Since those values occur uniformly at random, the overall suc-cess probability of the algorithm is

1p8 ∑

s,t,u,v∈Z/pZ

(

∑α,β∈Z/pZ

√|Ss,t,u,v

α,β |)2

≥ 1p12

(

∑s,t,u,v∈Z/pZ

∑α,β∈Z/pZ

√|Ss,t,u,v

α,β |)2

(194)

≥ 1p12

(

∑α,β∈Z/pZ

p4

2+o(1)

√2

)2

=12−o(1), (195)

which shows that the algorithm succeeds with probabilityclose to 1/2.

In summary, the efficient quantum algorithm for the HSP inthe Heisenberg group is as follows:

Algorithm 11 (Heisenberg HSP).Input: Black box function hiding Ha,b.Problem:Determine the parameters a,b.

1. Prepare two coset states, as in Eq. (178).

2. Perform the QFT FZ/pZ×Z/pZ on the first two registersof each coset state and measure those registers in thecomputational basis, giving Eq. (181).

3. Perform the inverse quantum sampling transformationEq. (187), giving Eq. (188).

4. Perform the inverse QFT F†Z/pZ×Z/pZ, giving Eq. (192).

5. Measure the resulting state in the computational basis,giving (a,b) with probability1/2−o(1).

Because the transformation Eq. (187) acts jointly on the tworegisters, the algorithm described above effectively makes anentangled measurement on two copies of the hidden subgroupstate. However, we do not know whether this is the only wayto give an efficient algorithm for the HSP in the Heisenberggroup. In particular, recall from SectionVII.D that Fouriersampling in a random basis provides sufficient information toreconstruct the hidden subgroup (Radhakrishnanet al., 2005).It would be interesting to know whether there is anefficientquantum algorithm using only the statistics of single-registermeasurements, or if no such algorithm exists. It would alsobe interesting to find any group for which Fourier samplingdoes not suffice, even information-theoretically, but for whichthere is an efficient quantum algorithm based on multi-registermeasurements.

The PGM approach outlined above can also be appliedto certain state distinguishability problems that do not arisefrom HSPs. In particular, it can be applied to the general-ized Abelian hidden shift problem discussed in SectionVIII(for which the average case problem is an integer program)(Childs and van Dam, 2007) and to hidden polynomial prob-lems of the form Eq. (230), as discussed in SectionIX (forwhich the average case problem is again a system of polyno-mial equations) (Deckeret al., 2007).

34

VIII. HIDDEN SHIFT PROBLEM

Thehidden shift problem(also known as thehidden trans-lation problem) is a natural variant of the hidden subgroupproblem. Its study has shed light on (and indeed, led to newalgorithms for) the HSP. Furthermore, the hidden shift prob-lem has applications that are of interest in their own right.

In the hidden shift problem, we are given two injectivefunctions f0 : G→ Sand f1 : G→ S, with the promise that

f0(g) = f1(sg) for somes∈ G. (196)

The goal of the problem is to finds, thehidden shift. In thenon-Abelian hidden shift problem, as in the non-Abelian HSP,there is an arbitrary choice of left or right multiplication; herewe again make the choice of left multiplication.

When G is Abelian, this problem is equivalent to theHSP inG⋊ϕ Z/2Z (sometimes called theG-dihedral group),where the homomorphismϕ : Z/2Z → Aut(G) is defined byϕ(0)(x) = x and ϕ(1)(x) = x−1. In particular, the hiddenshift problem inZ/NZ is equivalent to the dihedral HSP. Tosee this, consider the functionf : G⋊ Z/2Z → S defined byf (x,b) := fb(x). This function hides the involution〈(s,1)〉,so a solution of the HSP gives a solution of the hidden shiftproblem. Conversely, solving the HSP inG⋊ Z/2Z with thepromise thatH is an involution is sufficient to solve the HSP ingeneral (Footnote11), so a solution of the hidden shift prob-lem gives a solution of the HSP. While no polynomial timequantum algorithm is known for the general Abelian hiddenshift problem, Kuperberg’s sieve (Algorithm10) solves the

problem in time 2O(√

log|G|), whereas a brute force approachtakes 2Ω(log|G|) steps.

WhenG is non-Abelian, the inversion mapx 7→ x−1 is nota group automorphism, so we cannot even define a groupG⋊ϕ Z/2Z. However, the hidden shift problem inG is closelyconnected to an HSP, namely in the wreath product groupG ≀Z/2Z = (G×G) ⋊ϕ Z/2Z, whereϕ(0)(x,y) = (x,y) andϕ(1)(x,y) = (y,x). The hidden shift problem inG reduces tothe HSP inG ≀Z/2Z with the hidden subgroup〈(s,s−1,1)〉.Furthermore, the HSP inG ≀Z/2Z with hidden subgroups ofthis form reduces to the hidden shift problem inG×G. Thus,for families of groups in whichG×G is contained in a largergroup G′ from the same family—such as for the symmet-ric group, whereSn×Sn ≤ S2n—the hidden shift and hiddensubgroup problems are essentially equivalent (Hallgrenet al.,2006). Moreover, by a similar argument to the one in Sec-tion VII.E, the quantum query complexity of the hidden shiftproblem inG is poly(log|G|) even whenG is non-Abelian.

Testing isomorphism of rigid graphs can be cast as a hid-den shift problem in the symmetric group. If we letf (π,0) =π(Γ) and f (π,1) = π(Γ′), then the hidden shift isσ, whereΓ = σ(Γ′). Despite the equivalence between hidden shift andhidden subgroup problems, the hidden shift problem inSn isarguably a more natural setting for rigid graph isomorphismthan the HSP, since every possible hidden shift correspondsto a possible isomorphism between graphs, whereas the HSPmust be restricted to certain subgroups (Childs and Wocjan,2007).

In this section we describe quantum algorithms for vari-ous hidden shift problems. We begin by presenting a single-register measurement for the cyclic hidden shift problem (i.e.,the dihedral HSP) that provides sufficient information to en-code the hidden shift. While no efficient way of postprocess-ing this information is known, we explain how a similar ap-proach leads to an efficient quantum algorithm for the hiddenshift problem over(Z/pZ)n with p a fixed prime. Since bothof these problems are Abelian hidden shift problems, theycould equally well be viewed as HSPs, but we discuss themhere because the latter is an important ingredient of theor-bit cosetapproach, which uses self-reducibility of a quantumversion of the hidden shift problem to give efficient quantumalgorithms for certain hidden subgroup and hidden shift prob-lems. Then we describe an algorithm for the shifted Legendresymbol problem, a non-injective variant of the dihedral HSPthat can be solved efficiently, and that also leads to an effi-cient quantum algorithm for estimating Gauss sums. Finally,we describe a generalization of the hidden shift problem thatinterpolates to an Abelian HSP, and that can be solved ef-ficiently in some cases even when the original hidden shiftproblem cannot.

A. Abelian Fourier sampling for the dihedral HSP

Consider the HSP in the dihedral groupZ/NZ⋊Z/2Z withhidden subgroup〈(s,1)〉—or equivalently, the hidden shiftproblem in the cyclic groupZ/NZ with hidden shifts. Re-call from SectionVII.F (specifically, Eq. (170)) that the stan-dard method, followed by a measurement of the first reg-ister in the Fourier basis (overZ/NZ), produces the state

1√2(|0〉+ ωsk

N |1〉) for some uniformly random measurement

outcomek ∈ Z/NZ. Now suppose we measure this qubit inthe basis of states|±〉 := 1√

2(|0〉± |1〉) (i.e., the Fourier ba-

sis overZ/2Z); then the outcome ‘+’ occurs with probabil-ity cos2(πsk

N ). Thus, if keep only those measured values ofk for which the outcome of the second measurement is ‘+’,we effectively sample from a distribution overk∈ Z/NZ withPr(k) = 2cos2(πsk

N )/N.This procedure was proposed byEttinger and Høyer

(2000), who showed thatO(logN) samples of the result-ing distribution provide sufficient information to determinek with high probability. This single-register measurement isa much simpler procedure than either the Kuperberg sieve(Kuperberg, 2005) or the optimal measurement described in(Baconet al., 2006), both of which correspond to highly en-tangled measurements. However, we are left with the problemof post-processing the measurement results to infer the valueof s, for which no efficient procedure is known.

B. Finding hidden shifts in (Z/pZ)n

A similar approach can be applied to the hidden shift prob-lem in the elementary Abelianp-group (Z/pZ)n with p afixed prime, but in this case the postprocessing can be car-ried out efficiently. This result is an important building block

35

in an efficient quantum algorithm for the hidden shift and hid-den subgroup problems in certain families of solvable groups(Friedlet al., 2003), as discussed in the next section.

Consider the hidden shift problem in(Z/pZ)n with hiddenshift s. Applying the standard method, we obtain the hiddenshift state

1√2(|z,0〉+ |z+s,1〉) (197)

for some unknownz∈ (Z/pZ)n chosen uniformly at random.Now suppose that, as in the measurement for the dihedralgroup described above, we perform Abelian Fourier samplingon this state. In other words, we Fourier transform the firstregister over(Z/pZ)n and the second overZ/2Z; this gives

12√

pn ∑y∈(Z/pZ)n

∑b∈Z/2Z

[ωy·zp + ωy·(z+s)

p (−1)b]|y,b〉 . (198)

Finally, suppose we measure this state in the computationalbasis. A straightforward calculation shows that we obtain theoutcome(y,0) with probability cos2(πy·s

p )/pn and the outcome

(y,1) with probability sin2(πy·sp )/pn. Thus, conditioned on ob-

serving 1 in the second register, we seey in the first registerwith probability

Pr(y) =2pn sin2

(πy ·sp

). (199)

In particular, notice that there is zero probability of seeing anyy∈ (Z/pZ)n such thaty·s= 0 modp: we see only points thatarenotorthogonal to the hidden shift. (This may be contrastedwith the HSP in(Z/pZ)n with hidden subgroup〈s〉, in whichFourier sampling only gives pointsx∈ (Z/pZ)n with x·s= 0.)

We now argue thatO(n) samples from this distribution areinformation-theoretically sufficient to determine the hiddenshift s. Since we only observe pointsy that are not orthogonalto s, the observation ofy allows us to eliminate the hyper-planey · s= 0 of possible values ofs. With enough samples,we can eliminate all possible candidate values ofs except thetrue value (and scalar multiples thereof).

For simplicity, suppose we sample uniformly from ally ∈(Z/pZ)n satisfyingy·s 6= 0 for the unknowns. While the truedistribution Eq. (199) is not uniform, it is not far from uni-form, so the argument given here can easily be modified towork for the true distribution. Consider some fixed candidatevalues′ with s′ 6= αs for any α ∈ Z/pZ. If y were sampleduniformly at random, thens′ would be eliminated with prob-ability 1/p. Sampling uniformly from the subset of pointsysatisfyingy · s 6= 0 only raises the probability of eliminatings′, so a randomly sampledy eliminatess′ with probability atleast 1/p. Thus afterO(n) samples, the probability of noteliminatings′ is exponentially small, and by a union bound,the probability of any suchs′ not being eliminated is upperbounded by a constant.

Unfortunately, givenk = Θ(n) samplesy1, . . . ,yk, we donot know how toefficientlydetermines. We would like tosolve the system of inequationsy1 · s 6= 0, . . . ,yk · s 6= 0 fors∈ (Z/pZ)n. Using Fermat’s little theorem, which says that

ap−1 = 1 for anya∈ Z/pZ with a 6= 0, we can rewrite theseinequations as a system of polynomial equations(y1 ·s)p−1 =· · · = (yk · s)p−1 = 1. However, the problem of solving poly-nomial equations over a finite field isNP-hard, so we cannothope to solve forsquickly using generic methods.

This problem is circumvented in (Friedlet al., 2003;Ivanyos, 2008) using the idea of linearization. If we treat eachproduct ofp−1 components ofs∈ (Z/pZ)n as a separate vari-able, then we can view(y·s)p−1 = 1 as a linear equation overa vector space of dimension

(n+p−2p−1

)(the number of ways of

choosingp−1 items fromn items, with replacement and with-out regard for ordering). Since this method treats variables asindependent that are in fact highly dependent, it requires moresamples to obtain a unique solution. Nevertheless,Friedlet al.(2003) show thatO(np−1) samples suffice. Since this methodonly involves linear equations, and the number of equationsremains poly(n) (recall the assumption thatp = O(1)), the re-sulting algorithm is efficient.

A similar approach works for the hidden shift problem in(Z/pkZ)n, wherepk is any fixed prime power (Friedlet al.,2003; Ivanyos, 2008). However, no efficient algorithm isknown for the case of(Z/mZ)n with m not a prime power,even in the smallest case,m= 6.

C. Self-reducibility, quantum hiding, and the orbit cosetproblem

By combining the result of the previous section with aself-reduciblevariant of the hidden shift problem,Friedlet al.(2003) also give an efficient quantum algorithm for the HSPand hidden shift problem in a large family of solvable groups.The idea of self-reducibility is as follows. Suppose we couldreduce the HSP inG to the HSP in subgroups ofG, and ap-ply such a reduction recursively until the remaining groupsare either simple enough that the HSP can be solved by someknown method, or small enough that it can be solved by bruteforce. For example, it would be useful if we could reduce theHSP inG to the HSP inN andG/N, whereN⊳G is a propernormal subgroup ofG. No approach of this kind has beendirectly applied to the HSP or the hidden shift problem, butthis self-reducibility concept has proved fruitful for a quan-tum generalization of the hidden shift problem called the orbitcoset problem.

Recall that in the standard method for the HSP, we pre-pare the uniform superposition|G〉, query a black-box func-tion f : G → S satisfying Eq. (126), and discard the result-ing function value, producing a uniformly random coset state|xH〉. More generally, suppose we have some black-box isom-etryF satisfying

F |x〉 = |x〉⊗ |φx〉 (200)

for some set of quantum states|φx〉 : x∈ G satisfying

〈φx|φy〉 =

1 x−1y∈ H

0 otherwise.(201)

By analogy to Eq. (126), we say thatF is a quantum hidingfunctionfor H in G. Querying the quantum black boxF on

36

the uniform superposition|G〉 and discarding the second reg-ister has the same effect as the standard method: the result isa uniformly random coset state|xH〉. But the possibility ofusing quantum superpositions for the states|φx〉 offers morefreedom when constructing reductions.

One way to produce quantum hiding states|φx〉 : x ∈ Gis as follows. LetΦ be an orthonormal set of quantum states,and letα : G×Φ → Φ be a (left) action ofG on Φ. For somefixed |φ〉 ∈ Φ, define|φx〉 := α(x)(|φ〉). Then the isometryEq. (200) is a quantum hiding function for thestabilizer of|φ〉, the subgroup stab(|φ〉) := x∈ G : α(x)(|φ〉) = |φ〉 ≤ G.Fixing G, Φ, andα, thestabilizer problem15 asks us to find agenerating set for stab(|φ〉) given (some number of copies of)the state|φ〉.

In the same sense that the stabilizer problem can be viewedas an HSP with a quantum hiding function, the orbit cosetproblem is analogous to the hidden shift problem. Theorbitcosetof |φ0〉, |φ1〉 ∈ Φ is the setx∈ G : α(x)(|φ1〉) = |φ0〉; itis either empty or a left coset of stab(|φ1〉) (or equivalently, aright coset of|φ0〉). In theorbit coset problem(OCP), we aregiven (some number of copies of)|φ0〉, |φ1〉 ∈ Φ. The goal isto decide whether their orbit coset is nonempty, and if so, tofind both a generating set for stab(|φ1〉) and an elementx∈ Gsuch thatα(x)(|φ0〉) = |φ1〉.

It can be shown that for any groupG and any solvable nor-mal subgroupN ⊳ G, the OCP inG reduces to the OCP inG/N and subgroups ofN (Friedlet al., 2003). While the de-tails are beyond the scope of this article, the reduction is basedon a method for creating a uniform superposition over the or-bit of a state|φ〉 under the actionα, building on a techniqueintroduced by Watrous in his algorithms for solvable groups(SectionIV.G). By combining this with the efficient quantumalgorithm for the hidden shift problem in(Z/pZ)n discussedin SectionVIII.B (which can be straightforwardly adapted toan efficient algorithm for orbit coset in(Z/pZ)n), Friedlet al.(2003) obtain an efficient quantum algorithm for the hiddenshift problem in smoothly solvable groups, and for the HSPin solvable groups with a smoothly solvable commutator sub-group.

Recently, Ivanyos, Sanselme, and Santha have given al-gorithms for the HSP in extraspecial groups (Ivanyoset al.,2007) and groups of nilpotency class at most 2 (Ivanyoset al.,2008). These algorithms use the concept of a quantum hidingfunction introduced above to reduce the problem to an AbelianHSP. It would be interesting to develop further applications ofquantum hiding functions to the HSP, hidden shift, and relatedproblems.

D. Shifted Legendre symbol and Gauss sums

While no efficient quantum algorithm is known for thecyclic hidden shift problem (i.e., the dihedral HSP) for a

15 Kitaev (1995) gave an efficient algorithm for the stabilizer problem in thecase whereG is Abelian and the hiding function is classical, prefiguringthe hidden subgroup framework.

general functionf0 : Z/NZ → S, the problem can be moretractable given a hiding function of a particular form. As asimple example, the hidden shift problem with the identityfunction f0(x)= x is trivial; but this case is uninteresting as theproblem can be solved equally well with a classical or quan-tum computer. However, more interesting examples can beconstructed if we drop the requirement thatf0 be injective.16

For example, the Legendre symbolχ provides an example ofa function with an efficient quantum algorithm, but no knownefficient classical algorithm.

1. Shifted Legendre symbol problem

For a finite fieldFp with p an odd prime, the valueχ(x)of the Legendre symbolχ : Fp → −1,0,+1 depends onwhetherx is zero, a nonzero square (i.e., a quadratic residue),or a nonsquare (i.e., a quadratic nonresidue) inFp. It is definedby

χ(x) =

0 x = 0

+1 ∃y 6= 0 : x = y2

−1 otherwise.

(202)

For example, inF5 we have the values

x 0 1 2 3 4

χ(x) 0 +1 −1 −1 +1

The Legendre symbol is amultiplicative character, as it iseasy to verify thatχ(xy) = χ(x)χ(y) for all x,y∈ Fp. This factcan be used to show that∑x∈Fp χ(x) = 0. The identity

χ(x) = x(p−1)/2 mod p (203)

shows that repeated squaring modulop can be used to com-pute the valueχ(x) in time poly(logp).

In the shifted Legendre symbol problemover Fp, we de-fine the functionsf0(x) := χ(x) and f1(x) := χ(x+ s) for alls∈Fp; the task is to determine the hidden shiftsgiven a black-box implementation of the functionf1. We emphasize thatalthough the functionsf0, f1 are not injective, this can never-theless be viewed as (a relaxed version of) a hidden shift prob-lem. The ability to efficiently solve this particular hiddenshiftproblem quantum mechanically stems from properties of mul-tiplicative functions under the (additive) Fourier transform.

No efficient classical algorithm for the shifted Legendresymbol problem is known. Although one can show thatO(logp) random queries to the functionχ(x+s) are sufficientto obtain enough information to determines (van Dam, 2002),

16 Dropping this restriction, the quantum query complexity ofthe hidden shiftproblem may no longer be polynomial; for example, the hiddenshift prob-lem with f0(x) = δx,0 is equivalent to unstructured search, which has quan-tum query complexityΩ(

√N) (Bennettet al., 1997).

37

it is not clear how to do so efficiently. In fact, the Legen-dre sequenceχ(x),χ(x+ 1), . . . has been proposed as a pseu-dorandom function with potential cryptographic applications(Damgard, 1990).

The following quantum algorithm efficiently solves theshifted Legendre symbol problem (van Damet al., 2006):

Algorithm 12 (Shifted Legendre symbol).Input: Black-box functionχ(x+s) for some unknown s∈ Fp.Problem:Determine the hidden shift s.

1. Prepare the uniform superposition|Fp〉 and query thefunction in an ancilla register, giving the state

1√p ∑

x∈Fp

|x,χ(x+s)〉. (204)

2. Measure whether the second register is in the state|0〉.If it is, the first register is left in the state| − s〉, andmeasuring it determines s. Otherwise, we are left withthe state

1√p−1 ∑

x∈Fp\−s|x,χ(x+s)〉, (205)

and we continue.

3. Apply the unitary operation|x,b〉 7→ (−1)b|x,b〉 and un-compute the shifted Legendre symbol, giving the state

1√p−1 ∑

x∈Fp

χ(x+s)|x〉. (206)

4. Apply the Fourier transform overFp, yielding

1√p−1 ∑

y∈Fp

χ(y)ω−syp |y〉. (207)

whereχ : Fp → C is the normalized Fourier transformof χ (a normalizedGauss sum, cf. Eq. (216)), namely

χ(y) :=1√p ∑

x∈Fp

χ(x)ωxyp . (208)

(Note thatχ(0) = 0 and|χ(y)| = 1 for y∈ F×p .)

5. The equality

χ(y) =1√p ∑

x∈Fp

χ(xy−1)ωxp (209)

= χ(y)χ(1) (210)

shows that the state Eq. (207) is in fact a uniformlyweighted superposition of the elements ofFp, wherethe state|y〉 has a phase proportional toχ(y)ω−sy

p .Thus we correct the relative phases by the operation|y〉 7→ χ(y)|y〉 for all y ∈ F×

p , giving the state

χ(1)√p−1 ∑

y∈F×p

ω−syp |y〉. (211)

6. Perform the Fourier transform overFp and measure inthe computational basis, giving s with probability1−O(1/p).

It is easy to see that the above algorithm solves the shiftedLegendre symbol problem not only over a prime fieldFp, butover any finite fieldFq. To verify this, we need only com-pute the Fourier transform of the quadratic characterχ : Fq →−1,0,+1, namely

χ(y) :=1√q ∑

x∈Fq

χ(x)ωTr(xy)p (212)

=1√q ∑

x∈Fq

χ(xy−1)ωTr(x)p (213)

= χ(y)χ(1) (214)

(recall the definition of the Fourier transform overFq in Sec-tion III.D). Indeed, the solution can be generalized to anyshifted multiplicative character ofFq (van Damet al., 2006),and to any function overFp that hides a multiplicative sub-group of polylogarithmic index (Mooreet al., 2007a).

For the ringZ/NZ with N = pr11 ×·· ·× prk

k odd, the gener-alization of the Legendre symbol is called theJacobi symbol(·/N) : Z/NZ →−1,0,+1. It is defined as the product

( xN

)=

(xp1

)r1

· · ·(

xpk

)rk

(215)

(where(x/p) := χ(x) is an alternative notation for the Legen-dre symbol that makes the field size explicit). This is againa multiplicative character, although its values need not indi-cate squares moduloN (for example,(2/15) = (2/3)(2/5) =(−1)2 = 1, while 2 is not a square modulo 15). Analogous tothe shifted Legendre symbol problem, one can define a shiftedJacobi symbol problem overZ/NZ, which also has an efficientquantum algorithm (van Damet al., 2006).

2. Estimating Gauss sums

In the above solution to the shifted Legendre symbol prob-lem, we encountered the Fourier transform of the multi-plicative characterχ, which is a Gauss sum. This naturallyleads to a quantum algorithm for approximating Gauss sums(van Dam and Seroussi, 2002).

For a finite fieldFq, a nontrivial multiplicative characterχ :Fq → C, and a nontrivial additive characterψ : Fq → C, theGauss sumis defined as the inner product between these twocharacters:

G(χ,ψ) := ∑x∈Fq

χ(x)ψ(x). (216)

It is not hard to show that any Gauss sum has norm|G(χ,ψ)|=√q, so to learn the value of a Gauss sum, it suffices to deter-

mine the phaseφ ∈ [0,2π) of G(χ,ψ) =√

q·eiφ.There areq−1 distinct multiplicative charactersχa : Fq →

C indexed bya ∈ Z/(q− 1)Z. For a fixed multiplicative

38

generatorg of F×q , we haveχa(g j) := ωa j

q−1 for all j ∈ Z,and χa(0) := 0. The q− 2 nontrivial characters are thosewith a 6= 0. As the discrete logarithm logg(g

j) = j modq−1can be calculated efficiently with a quantum computer (Sec-tion IV.B), we can efficiently induce the phaseχa(g j) by sub-tracting the valuea j moduloq−1 from the state|1〉, giving

|g j〉⊗ |1〉 = |g j〉⊗ 1√q−1 ∑

y∈Z/(q−1)Z

ωyq−1|y〉 (217)

7→ |g j〉⊗ 1√q−1 ∑

y∈Z/(q−1)Z

ωyq−1|y−a j〉 (218)

= |g j〉⊗ωa j

q−1√q−1 ∑

y∈Z/(q−1)Z

ωyq−1|y〉 (219)

= χa(gj)|g j〉⊗ |1〉 (220)

(this is sometimes referred to as thephase kickback trick).Theq additive charactersψb : Fq →C indexed byb∈ Fq are

defined asψb(x) := ωTr(bx)p for all x∈ Fq. The characterψ0 is

trivial, and allb 6= 0 give nontrivial characters.With these definitions in place, the Gauss sum estimation

algorithm is as follows.

Algorithm 13 (Gauss sum estimation).Input: A finite fieldFq, a nontrivial multiplicative characterχa (where a∈ (Z/(q−1)Z)×), and a nontrivial additive char-acterψb (where b∈ F×

q ).Problem:Approximate within precisionδ > 0 the angleφ ∈[0,2π) such that G(χa,ψb) =

√q·eiφ.

Perform phase estimation (SectionIII.C) with precisionδ onthe following single-qubit unitary operation (which requiresapplying the operation O(1/δ) times), inputting its eigenstate|1〉 of eigenvalueeiφ:

1. For an arbitrary input stateα|0〉+ β|1〉, prepare thestate|F×

q 〉 in an ancilla register.

2. Using the phase kickback trick described in Eq. (220),transform the state to

1√q−1

(α|0〉⊗ ∑

x∈Fq

χ∗a(x)|x〉+ β|1〉⊗ ∑

x∈Fq

χa(x)|x〉)

. (221)

3. Conditional on the qubit being in the state|1〉, multiplythe ancilla register by b and apply the Fourier transformoverFq, yielding the state

(α|0〉+ χa(b)β|1〉

)⊗ 1√

q−1 ∑x∈Fq

χ∗a(x)|x〉 (222)

where

χa(b) :=G(χa,ψb)√

q= eiφ. (223)

4. Apply the phase rotation|x〉 7→ χa(x)|x〉 to the ancillaregister, returning it to its original state, and giving

(α|0〉+ χa(b)β|1〉

)⊗|F×

q 〉. (224)

Discarding the ancilla register, notice that the abovesteps effectively implement the conditional phase shift|0〉 7→ |0〉, |1〉 7→ eiφ|1〉.

The above quantum algorithm has running time polynomialin logq and 1/δ, whereas classical sampling over theq valuesχa(x)ψb(x) requires poly(

√q/δ) samples to achieve the same

quality of approximation.Both additive and multiplicative characters can be defined

over the ringZ/NZ, and there are corresponding Gauss sums

G(χa,ψb) = ∑x∈Z/NZ

χa(x)ψb(x) (225)

with χa(xy) = χa(x)χa(y) and ψb(x) = ωNbx for all x,y ∈Z/NZ (see the comprehensive book byBerndtet al. (1998)).Such Gauss sums over finite rings can be approximated bya quantum computer as well, using the above algorithm in arelatively straightforward way.

As Gauss sums occur frequently in the calculation of thenumber of points on hypersurfaces over finite fields (see forexampleIreland and Rosen(1990)), these same quantum al-gorithms can be used to approximately count such pointswith an accuracy that does not seem achievable classically(van Dam, 2004).

E. Generalized hidden shift problem

Polya has advised that “if there is a problem you can’t solve,then there is an easier problem you can solve: find it” (Polya,1945). In that spirit, we conclude our discussion of the hiddenshift problem by describing a generalization that offers moreways to obtain information about the hidden shift. At least inthe case of cyclic groups, this problem indeed turns out to beeasier than the original hidden shift problem.

In theM-generalized hidden shift problemfor the groupG,we are given a hiding functionf : 0, . . . ,M − 1× G → Ssatisfying two conditions: for any fixedj ∈ 0, . . . ,M − 1,f ( j,x) is an injective function ofx ∈ G; and for eachj ∈0, . . . ,M −2, f ( j + 1,x) = f ( j,sx). For M = 2, this prob-lem is equivalent to the usual hidden shift problem, sincethe hiding functionsf0, f1 can be obtained asf j(x) = f ( j,x).However, theM-generalized hidden shift problem appears tobecome easier for largerM; it trivially reduces to theM′-generalized hidden shift problem withM′ < M, but largervalues ofM provide new ways to query the hiding func-tion. Note that ifsM = 1, then theM-generalized hiddenshift problem is equivalent to the HSP inZ/MZ×G with thecyclic hidden subgroup〈(1,s)〉. In general, theM-generalizedhidden shift problem inG reduces to the HSP inG ≀Z/MZ(Fenner and Zhang, 2008), but notice that this reduction isonly efficient forM = poly(log|G|).

39

The Abelian generalized hidden shift problem could poten-tially be applied to solve lattice problems. Recall from Sec-tion VII.A that the poly(n)-unique shortest lattice vector prob-lem efficiently reduces to (the standard approach to) the dihe-dral HSP. In fact the same holds for theM-generalized hiddenshift problem inZ/NZ, providedM = poly(logN).

While no efficient algorithm is known for the case whereM = poly(logN), efficient algorithms do exist for larger val-ues ofM. First, notice that theN-generalized hidden shiftproblem inZ/NZ is an HSP inZ/NZ×Z/NZ, which can besolved by Abelian Fourier sampling. Essentially the samestrategy works providedM = Ω(N), but fails for sublin-ear values ofM. However, there is another quantum algo-rithm that is efficient providedM ≥ Nε for some fixedε > 0(Childs and van Dam, 2007), based on the pretty good mea-surement techniques discussed in SectionVII.G. For theM-generalized hidden shift problem inZ/NZ, implement-ing the PGM reduces to an integer programming problem ind = logN/ logM dimensions, which can be solved efficientlyfor d = O(1) (Lenstra, 1983).

It would also be interesting to consider the generalized hid-den shift problem in non-Abelian groups. For example, a so-lution of this problem for the symmetric group could be usedto solve theM-generalized graph isomorphism problem, inwhich we are givenM rigid n-vertex graphsΓ0,Γ1, . . . ,ΓM−1that are either all non-isomorphic, or sequentially isomorphicwith a fixed isomorphismπ ∈ Sn, namelyΓ j+1 = π(Γ j) forj = 0,1, . . . ,M−2. For largeM, this problem might seem con-siderably easier than graph isomorphism, yet no efficient algo-rithms for the corresponding generalized hidden shift problemare known. Indeed, very little is known about the non-Abeliangeneralized hidden shift problem in general.

IX. HIDDEN NONLINEAR STRUCTURES

The non-Abelian hidden subgroup problem (SectionVII )was originally introduced with the hope of generalizing thesuccess of Shor’s algorithm. As we have seen, these effortshave so far met with only limited success: while polynomial-time quantum algorithms are known for the HSP in somenon-Abelian groups, the cases with significant applications—namely, the dihedral and symmetric groups—remain largelyunresolved. Thus there have been several attempts to general-ize the Abelian HSP in other ways. The hidden shift problem(SectionVIII ) represents one such attempt. In this sectionwe discuss a more radical departure from the HSP, a class ofproblems aimed at findinghidden nonlinear structures.

Let us return our attention the Abelian HSP—and morespecifically, to the hidden subgroup problem in the additivegroup of thed-dimensional vector spaceFd

q (whereFq denotesthe finite field withq elements). Then we can view the HSPas a problem of identifying ahidden linear structure: the sub-groups of the additive groupFd

q are precisely its linear sub-spaces, and their cosets are parallel affine subspaces, orflats(cf. step4 of Algorithm 3). Thus in this HSP, we are givena function that is constant on sets of points specified by lin-ear equations, and the goal is to recover certain parametersof

those equations. It is natural to consider replacing the linearfunction by a polynomial of higher degree. Here we describethree such hidden nonlinear structure problems: the hiddenpolynomial problem, shifted subset problems, and polynomialLegendre symbol problems.

A. The hidden polynomial problem

Perhaps the most straightforward nonlinear generaliza-tion of the Abelian HSP is thehidden polynomial problem(Childset al., 2007). In this problem, the hidden object is apolynomialh(x) ∈ Fq[x1, . . . ,xd]. Generalizing Eq. (42), wesay that a black box functionf : Fd

q → S (for some finite setS) hides the polynomial h(x) if

f (x) = f (x′) if and only if h(x) = h(x′) (226)

for all x,x′ ∈ Fdq . In other words, the functionf is constant on

the level sets

Lhy := h−1(y) = x∈ Fd

q : h(x) = y (227)

and distinct on different level sets. The hidden polynomialproblem is to determineh(x) up to differences that do not af-fect its level sets (i.e., up to an overall additive or multiplica-tive constant).

Notice that the polynomialh(x) trivially hides itself. Butjust as there is no a priori relationship between function val-ues and cosets in the general HSP, we prefer to assume that theassociation of function values to level sets is arbitrary. Indeed,if we were promised thatf (x) = h(x), even a classical com-puter could solve the hidden polynomial problem efficiently.But with no promise on how the level sets are mapped to func-tion values, it is not hard to show that the classical randomizedquery complexity of the hidden polynomial problem is expo-nential ind logq (Childset al., 2007), by a similar argumentas for the Abelian HSP (Simon, 1997).

With a quantum computer, we can approach the hiddenpolynomial problem by closely following the standard methodfor the HSP (SectionVII.B). Querying the functionf onthe uniform superposition|Fd

q 〉 and discarding the resultingfunction value, one is left with the state|Lh

y〉 with probabil-ity |Lh

y|/qd. Equivalently, the result is thehidden polynomialstate

ρh := ∑y∈Fd

q

|Lhy|

qd|Lh

y〉〈Lhy|. (228)

Notice that these states are quite similar to the hidden sub-group states Eq. (131), modulo the fact that level sets of apolynomial can have different sizes, unlike the cosets of a sub-group. Just as we upper bounded the query complexity of theHSP by analyzing the statistical distinguishability of thestatesEq. (131), so we can upper bound the query complexity of thehidden polynomial problem by doing the same for the statesEq. (228). Following a similar argument as in SectionVII.E,

40

one can show that

F(ρh,ρh′)2 ≤ 1

qd ∑y,y′∈Fq

|Lhy ∩Lh

y′ |2

|Lhy|

(229)

(cf. Eq. (155)). Thus, the hidden polynomial states are pair-wise distinguishable provided their level sets do not intersecttoo much. Since almost all polynomials areabsolutely irre-ducible (i.e., they do not have any nontrivial factors, evenover an extension of the base field), this suffices to showthat if the dimensiond and the maximum degree of the poly-nomials are fixed, then the query complexity of the hiddenpolynomial problem is poly(logq) for almost all polynomials(Childset al., 2007).

Moving beyond query complexity, we would like to knowwhether there is an efficient quantum algorithm—i.e., onewith running time poly(logq)—for the hidden polynomialproblem. Just as for the HSP, the most general version ofthis question is currently open. However, suppose we arepromised that the hidden polynomial has the form

h(x1, . . . ,xd) = g(x1, . . . ,xd−1)−xd (230)

for some (d − 1)-variate polynomial g(x1, . . . ,xd−1) ∈Fq[x1, . . . ,xd−1]. (A simple example is thehidden parabolaproblem, in which h(x,y) = αx2 + βx− y for some unknownα,β ∈ Fq that we would like to determine.) For such a hiddenpolynomial, the level sets are simply translates of each other,namelyLh

y = Lh0+(0, . . . ,0,y). Provided the maximum degree

of the polynomial is at most some fixed constant, there is aquantum algorithm that determinesh (up to an additive offset)in time poly(d logq) (Deckeret al., 2007). This algorithm isbased on the pretty good measurement approach described inSectionVII.G. Recall that the implementation of the PGMrelies on quantum sampling from the solutions of an average-case algebraic problem. For the hidden polynomial problemwith a polynomial of the form Eq. (230), this problem is a sys-tem of polynomial equations, much like the pair of quadraticequations Eqs. (182) and (183) that arise in the algorithm forthe HSP in the Heisenberg group.

B. Shifted subset problems and exponential sums

Other families of hidden nonlinear structure problems arisein the setting ofshifted subset problems. Such problems aremost naturally stated directly in terms of quantum state dis-tinguishability.17 Suppose that for fixed subsetsS,T ⊆ Fd

q ,we are given the quantum state|S+ t〉 (a uniform superposi-tion over the elements ofS+ t), wheret is chosen uniformly

17 Although the construction is somewhat technical, it is possible to formu-late shifted subset problems in terms of a black box from which the stateρS,T can be efficiently prepared on a quantum computer, but that typicallymust be queried exponentially many times to determineS,T on a classicalcomputer (Childset al., 2007).

at random fromT. In other words, we are given the mixedquantum state

ρS,T =1|T| ∑

t∈T

|S+ t〉〈S+ t|. (231)

In the shifted subset problem, the goal is to determine someproperty ofSor T (or both) using samples ofρS,T .

In (Childset al., 2007), two examples of shifted subsetproblems are considered in which the setS is ad-dimensionalsphere, i.e., the set of points

S r := L∑d

i=1x2i

r =

x∈ Fd

q :d

∑i=1

x2i = r

(232)

for somer ∈ Fq. In thehidden radius problem, T = Fdq , and

the goal is to learnr. In thehidden flat of centers problem, weare promised thatr = 1, andT is some unknown flat inFd

q ;the goal is to determine this flat.

In general, whenT = Fdq , symmetry ensures thatρS,T is

diagonal in the Fourier basis. Then the goal is to learnS fromsamples of a distribution given by its Fourier transform (recallSectionIII.D), namely

Pr(k) =1

qd|S|

∣∣∣∣∣∑x∈S

ωTr(kx)p

∣∣∣∣∣

2

(233)

wherep is the characteristic ofFq and Tr :Fq → Fp denotesthe trace map. In particular, whenS= S r is ad-dimensionalsphere, the distribution is proportional to an exponentialsumknown as aKloosterman sumfor d even, or aSalie sum(a kindof twisted Kloosterman sum) ford odd. In either case, thesedistributions are information-theoretically distinguishable fordifferent values ofr. Moreover, a closed form expression forSalie sums gives an efficient quantum algorithm for determin-ing whetherr is a quadratic residue, providedd is odd.

On the other hand, supposeS is fixed andT is an unknownflat (or, more generally, some low-degree surface). If we couldperform the transformation|S+ t〉 7→ |t〉, then we could sam-ple from points on the flat, and thereby reconstruct it. Unfor-tunately, this transformation is generally not unitary, sinceScould intersect with its translates. However, we can attemptto approximate such a transformation using the continuous-time quantum walk on the Cayley graph ofFd

q generated byS. WhenS= S1, this Cayley graph is known as theWinnieLi graph. Its eigenvalues are given by Kloosterman or Saliesums, depending on whetherd is even or odd. Ford odd, theexplicit expression for Salie sums provides an efficient imple-mentation of the quantum walk, which in turn gives an effi-cient quantum algorithm for the hidden flat of centers prob-lem.

Of course, it is possible to make many other choices forSandT, so the above examples just begin to explore potentialquantum algorithms for shifted subset problems. However,these simple examples already reveal a connection between

41

the calculation of exponential sums18 and the implementationof quantum walk that could perhaps be developed further. Itwould also be interesting to find concrete algorithmic applica-tions of shifted subset problems.

C. Polynomial reconstruction by Legendre symbol evaluatio n

The quantum algorithm for the shifted Legendre symbolproblem (SectionVIII.D ) recovers the constant terms of alinear functionf (x) = x+s hidden in the black-box functionχ( f (x)) = χ(x+ s), whereχ is the Legendre symbol. As aprecursor to the efficient quantum algorithm, it was shownthat the quantum query complexity isO(1), while the clas-sical query complexity isΩ(logp) (van Dam, 2002). Here wediscuss the generalization to a nonlinear functionf (x) hiddenin the black-box functionχ( f (x)). Russell and Shparlinski(2004) showed that the quantum query complexity is signif-icantly lower than the classical query complexity even in thismore general case. Whether there exists an efficient quantumalgorithm to reconstruct the polynomial remains open.

Let f ∈ Fp[x] be an unknown polynomial. Given a blackbox for χ( f (x))), with χ the Legendre symbol overFp, wewant to reconstructf using as few queries as possible. Notethat for anyc ∈ F×

p , χ(c2 f (x)) = χ( f (x)), making it impos-sible to tell the difference betweenf (x) and c2 f (x) on thebasis of the black boxχ( f (x)). Moreover, if the factoriza-tion of f (x) contains a square, i.e., iff (x) = g2(x) ·h(x), thenχ( f (x)) = χ(g2(x))χ(h(x)), which is identical toχ(h(x)) (ex-cept possibly at the zeros ofg). Thus we restrict our attentionto polynomials that are monic and squarefree.

In the case wheref (x) = x+ s, the reason thatO(1) quan-tum queries suffice is that the states∑x χ(x+ s)|x〉 are nearlyorthogonal for different values ofs∈ Fp. This follows fromthe identity

∑x∈Fp

χ(x+ r)χ(x+s) =

p−1 s= r

−1 s 6= r.(234)

For polynomialsf ,g of degreed that are monic and square-free, the generalization of this fact is provided by the Weilbound (Lidl and Niederreiter, 1997), which implies that

∑x∈Fp

χ( f (x))2 ≥ p−d (235)

∑x∈Fp

χ( f (x))χ(g(x)) ≤ 2d√

p if f 6= g. (236)

Note that ford ≥ √p/2, Eq. (236) is trivial. However, for

d ≤ p1/2−ε with ε > 0, we find the following.

18 Computing exponential sums is also closely related to counting the solu-tions of finite field equations. Indeed, Kedlaya’s algorithm(SectionIV.H)can be used to efficiently approximate Kloosterman sums whenthe fieldcharacteristic is small (seeChildset al. (2007)).

Given a black box functionχ( f (x)) where f ∈ Fp[x] isan unknown monic, squarefree polynomial of degreed, twoqueries can be used to create the state

|χ( f )〉 :=1√p ∑

x∈Fp

χ( f (x))|x〉, (237)

whereχ is identical toχ except thatχ(0) = 1. (This adjust-ment to the Legendre symbol is required to deal with the oth-erwise zero amplitudes for the zeros off .) Using Eqs. (235)and (236), it follows that

|〈χ( f )|χ(g)〉| ≤ 2d√p. (238)

Since there arepd monic polynomials of degreed over Fp,Theorem3 (and specifically, Eq. (149)) shows that there is ameasurement onO(d) copies of|χ( f )〉 that determines thedunknown coefficients off with probability 1−O(1/p). Theclassical query complexity of this problem can be shown to beΩ(d logp), which therefore gives a separation between classi-cal and quantum query complexity.

X. APPROXIMATING #P-COMPLETE PROBLEMS

Recently, there has been considerable interest in quantumalgorithms for approximately solving various#P-completeproblems. The first such algorithms were for approximatingthe Jones polynomial; more recently, similar ideas have beenused to give approximate solutions to other#P-complete prob-lems. These algorithms are not as closely related to Shor’s asmost of those discussed in this article, but they are decidedlyalgebraic, relying heavily on group representation theory.

TheJones polynomialis a central object in low-dimensionaltopology with surprising connections to physics.Witten(1989) showed that the Jones polynomial is closely relatedto topological quantum field theory (TQFT).Freedmanet al.(2003) investigated the relationship between TQFT and topo-logical quantum computing, showing that quantum comput-ers can efficiently simulate TQFTs (Freedmanet al., 2002b),and that in fact TQFTs essentially capture the power ofquantum computation (Freedmanet al., 2002a). In particular,Freedmanet al. (2002b) showed that quantum computers canefficiently approximate the Jones polynomial at a fifth rootof unity. Subsequently,Aharonovet al. (2006) described anexplicit quantum algorithm for approximating the Jones poly-nomial, generalizing to any primitive root of unity (see alsothe work byWocjan and Yard(2008)).

To define the Jones polynomial, we must first introduce theconcepts of knots and links. Aknot is an embedding of thecircle inR3, i.e., a closed loop of string that may wrap arounditself in any way. More generally, alink is a collection of anynumber of knots that may be intertwined. In anoriented link,each loop of string is directed. It is natural to identify linksthat areisotopic, i.e., that can be transformed into one anotherby continuous deformation of the strings.

The Jones polynomialof an oriented linkL is a LaurentpolynomialVL(t) in the variable

√t, i.e., a polynomial in

√t

42

and 1/√

t. It is a link invariant, meaning thatVL(t) = VL′(t)if the oriented linksL andL′ are isotopic. While it is possiblefor the Jones polynomial to take the same value on two non-isotopic links, it can often distinguish links; for example, theJones polynomials of the two orientations of the trefoil knotare different.

Given an oriented linkL, one way to define its Jones poly-nomial is as follows (Kauffman, 1987). First, let us define theKauffman bracket〈L〉, which does not depend on the orienta-tion of L. Each crossing in the link diagram can be opened inone of two ways, and for any given crossing we have

⟨ ⟩= t1/4

⟨ ⟩+ t−1/4

⟨ ⟩, (239)

where the rest of the link remains unchanged. Repeatedly ap-plying this rule, we eventually arrive at a link consisting ofdisjoint unknots. The Kauffman bracket of a single unknot is〈©〉 := 1, and more generally, the Kauffman bracket ofn un-knots is(−t1/2− t−1/2)n−1. By itself, the Kauffman bracketis not a link invariant, but it can be turned into one by takinginto account the orientation of the link, giving the Jones poly-nomial. For any oriented linkL, we define itswrithe w(L) asthe number of crossings of the form

??__

minus the number

of crossings of the form??__

. Then the Jones polynomial isdefined as

VL(t) := (−t−1/4)3w(L)〈L〉. (240)

It is useful to view links as arising frombraids. A braidis a collection ofn parallel strands, with adjacent strands al-lowed to cross over or under one another. Two braids on thesame number of strands can be composed by placing them endto end. Thebraid group Bn on n strands is an infinite groupwith generatorsσ1, . . . ,σn−1, whereσi denotes a twist inwhich strandi passes over strandi +1, interchanging the twostrands. More formally, the braid group is defined by the rela-tionsσiσi+1σi = σi+1σiσi+1 andσiσ j = σ jσi for |i − j| > 1.

Braids and links differ in that the ends of a braid are open,whereas a link consists of closed strands. We can obtain a linkfrom a braid by connecting the ends of the strands in someway. One simple way to close a braid is via thetrace closure,in which theith strand of one end is connected to theith strandof the other end for eachi = 1, . . . ,n, without crossing thestrands. A theorem ofAlexander(1923) states that any linkcan be obtained as the trace closure of some braid.

The Jones polynomial of the trace closure of a braid can beexpressed in terms of the Markov trace (a weighted variant ofthe usual trace) of a representation of the braid group definedover the Temperley-Lieb algebra (Jones, 1985). When evalu-ating the Jones polynomialVL(t) at the root of unityt = e2πi/k,this representation is unitary. This naturally suggests a quan-tum algorithm for approximating the Jones polynomial. Sup-pose that we can implement unitary operations correspondingto twists of adjacent strands on a quantum computer. By com-posing such operations, we can implement a unitary operationcorresponding to the entire braid. It remains to approximatethe Markov trace of this operator.

The trace of a unitary operationU can be approximated ona quantum computer using theHadamard test. If a conditional

U operation is applied to the state|+〉⊗|ψ〉 and the first qubitis measured in the|±〉 basis, where|±〉 := 1√

2(|0〉± |1〉), the

expectation value of the outcome is precisely Re(〈ψ|U |ψ〉).(This is simply the phase estimation procedure described inSectionIII.C with n = 1, i.e., with a single bit of precision.)Replacing the states|±〉 by the states|± i〉 := 1√

2(|0〉± i|1〉),

we can approximate Im(〈ψ|U |ψ〉). Using a maximally mixedstate as input instead of the pure state|ψ〉 and sampling suf-ficiently many times from the resulting distribution, we canobtain an approximation of Re(TrU) or Im(TrU). Similarly,we can approximate a weighted trace by sampling from anappropriate distribution over pure states.

Applying this approach to the relevant unitary representa-tion of the braid group, one obtains a quantum algorithm forapproximating the Jones polynomial of the trace closure of abraid at a root of unity. In particular, for a braid onn strands,with m crossings, and witht = e2πi/k, there is an algorithmrunning in time poly(n,m,k) that outputs an approximationdiffering from the actual valueVL(t) of the Jones polynomialby at most(2cosπ

k)n−1/poly(n,k,m), with only exponentiallysmall probability of failure (Aharonovet al., 2006).

Given a braid with an even number of strands, another nat-ural way to create a link is called theplat closure. Here, wesimply join adjacent pairs of strands at each end of the braid.The plat closure can be viewed as the trace closure of a braidon 2n strands together with 2n additional straight strands. Us-ing this fact, we can express the Jones polynomial of the platclosure of a braid att = e2πi/k as the expectation value of aparticular unitary representation of the braid group in a purequantum state. Thus the Jones polynomial of the plat closurecan also be approximated using the Hadamard test, but nowusing a pure input state instead of a mixed one. This gives anefficient quantum algorithm for an additive approximation ofthe Jones polynomial of the plat closure of a braid at a root ofunity (Aharonovet al., 2006).

Notice that these algorithms only provideadditive ap-proximations, meaning that the error incurred by the al-gorithm is independent of the value being approximated,which is undesirable when that value is small. (In fact,note that the additive error increases exponentially withn,the number of strands in the braid.) It would be prefer-able to obtain amultiplicativeapproximation, or better still,an exact calculation. However, exactly computing the Jonespolynomial is #P-hard (Jaegeret al., 1990), and hence un-likely to be possible even with a quantum computer. Fur-thermore, obtaining the additive approximation achieved by(Aharonovet al., 2006) for the Jones polynomial of theplat closure of a braid is as hard as any quantum com-putation (Aharonov and Arad, 2006; Bordewichet al., 2005;Freedmanet al., 2002a; Wocjan and Yard, 2008).

To implement the quantum algorithm for approximating thetrace closure of a braid, it is only necessary to have a sin-gle pure qubit (the qubit initialized to|+〉 in the Hadamardtest), and many mixed ones. Thus it can be carried out inthe one clean qubit model introduced byKnill and Laflamme(1998) to investigate the power of mixed state quantum com-putation. In fact, the problem of estimating the Jones polyno-mial of the trace closure of a braid at a fifth root of unity (to

43

the precision described above) exactly characterizes the powerof this model (Jordan and Wocjan, 2008; Shor and Jordan,2008), just as the approximation of the plat closure charac-terizes general quantum computation.

We conclude by briefly mentioning various extensions ofthese results.Wocjan and Yard(2008) show how to evalu-ate the Jones polynomial of a generalized closure of a braid,and how to evaluate a generalization of the Jones polyno-mial called the HOMFLYPT polynomial. Recent work ofAharonovet al. (2007a) shows how to approximate the Tuttepolynomial of a planar graph, which in particular gives an ap-proximation of the partition function of the Potts model ona planar graph; this problem also characterizes the power ofquantum computation, albeit only for unphysical choices ofparameters. More generally, there are efficient quantum algo-rithms to compute additive approximations of tensor networks(Arad and Landau, 2008).

Acknowledgments

We thank Sean Hallgren for discussions of algorithms fornumber fields. We also thank Dorit Aharonov, Greg Kuper-berg, Frederic Magniez, Cris Moore, Miklos Santha, JohnWatrous, and Pawel Wocjan for comments on a preliminaryversion. This article was written in part while AMC was atthe Institute for Quantum Information at Caltech, where hereceived support from the National Science Foundation un-der grant PHY-456720 and from the Army Research Officeunder grant W9111NF-05-1-0294. AMC was also supportedin part by MITACS, NSERC, and the US ARO/DTO. WvDwas supported in part by the Disruptive Technology Office(DTO) under Army Research Office (ARO) contract numberW911NF-04-R-0009 and by an NSF CAREER award.

APPENDIX A: Number Theory

1. Arithmetic modulo N

When performing calculations with integers moduloN weuse the equivalence relationx= y modN if and only if x−y∈NZ = . . . ,−N,0,N,2N, . . .. Often we omit the notation‘modN’ and instead considerx andy as elements of the ringZ/NZ. Other ways of denoting this ring areZN andZ/(N); inthis article we use the notationZ/NZ, which is conventionalin computational number theory. Although formally the ele-ments ofZ/NZ are the sets. . . ,−N+x,x,x+N,x+2N, . . .,we often simply represent such an element by the integerx;this representation is unique if we requirex∈ 0, . . . ,N−1 .

Addition modulo N corresponds to the additive group(Z/NZ,+), which hasN elements. For example, withN = 2we have 0+0= 0, 1+0= 0+1= 1, and 1+1= 0. If N hasthe prime factorizationN = pr1

1 · · · prkk , then the additive group

Z/NZ can be decomposed as(Z/pr11 Z)×·· ·× (Z/prk

k Z).Multiplication moduloN is more complicated than addi-

tion as not all elements ofZ/NZ have a multiplicative in-verse. For example, 5·5 = 1 mod 6, but there is no elementx

such that 2x = 1 mod 6. In general, there exists ay such thatxy= 1 modN if and only if gcd(x,N) = 1, where gcd(x,N) isthe greatest common divisor ofx andN. The set of such in-vertible elements ofZ/NZ make up the multiplicative group(Z/NZ)×. It is easy to check that inZ/6Z there are only twoinvertible elements:(Z/6Z)× = 1,5. The size of the multi-plicative group(Z/NZ)× depends on the prime factorizationof N; one can show that forN = pr1

1 · · · prkk ,

ϕ(N) := |(Z/NZ)×| = (p1−1)pr1−11 · · · (pk−1)prk−1

k , (A1)

whereϕ is called Euler’s totient function. Similarly to the ad-ditive case, one also has the multiplicative group isomorphism(Z/NZ)× ∼= (Z/pr1

1 Z)××·· ·× (Z/prkk Z)×.

By combining the isomorphisms for the additive andthe multiplicative groups of integers moduloN, we obtainthe Chinese remainder theorem. This states that forN =pr1

1 · · · prkk , the bijection between the elements ofx ∈ Z/NZ

and thek-tuples(x1, . . . ,xk)∈ (Z/pr11 Z)×·· ·×(Z/prk

k Z) (with

xi = x mod pkii for all i) respects both addition and multiplica-

tion in the ringZ/NZ. This fact often allows us to break up al-gebraic problems inZ/NZ into k smaller problems inZ/pr i

i Z,which can be easier to deal with.

2. Finite fields and their extensions

For a prime numberp we haveϕ(p) = p−1, which meansthat all but the zero element ofZ/pZ have a multiplicativeinverse modulop. ThusZ/pZ is a finite field, which we de-note byFp. Just asR is a field that can be extended toCby including the solutions to polynomial equations such asα2 + 1 = 0, so can the finite fieldFp be extended toFpr forany positive integerr. Any finite field has orderq = pr with psome prime, and for each prime powerpr there is a finite fieldof that order. Up to isomorphism, this finite field is in factunique, so we can refer tothefinite fieldFq without ambiguity.The additive group ofFpr is isomorphic to the additive group(Z/pZ)r , while the multiplicative groupF×

pr is cyclic, and isisomorphic to the additive groupZ/(pr −1)Z. Note thatFpr

is very different fromZ/prZ for r > 1, as|F×pr |= pr −1 while

|(Z/prZ)×| = (p−1)pr−1.A standard way of explicitly constructing a finite fieldFpr is

by extendingFp with a formal variableα satisfyingT(α) = 0,whereT is an irreducible polynomial of degreer in Fp[α]. Thefinite field Fpr is isomorphic to the ring of polynomialsFp[α]modulo the polynomialT(α), i.e.,Fpr ∼= Fp[α]/T(α).

Example (Construction ofF8). Modulo 2, the polynomialT(α) = α3 + α + 1 is irreducible: T(α) cannot be writ-ten as the product of two nontrivial polynomials. HenceF2[α]/(α3 + α + 1) is the finite fieldF8. The addition in thisfield is the straightforward addition of quadratic polynomi-als modulo2, such that, for example,(α2 + α)+ (α2 + 1) =α+1. Multiplication of the elements is slightly more involved,but the explicit multiplication table (TableII ) confirms thatF2[α]/(α3 + α+1) is indeed a field. Note for example thatαhas multiplicative inverseα2 +1, asα(α2 +1) = α3 + α = 1by the equalityα3 + α+1= 0.

44

× 0 1 α α+1 α2 α2 +1 α2 +α α2 +α+1

0 0 0 0 0 0 0 0 0

1 0 1 α α+1 α2 α2 +1 α2 +α α2 +α+1

α 0 α α2 α2 +α α+1 1 α2 +α+1 α2 +1

α+1 0 α+1 α2 +α α2 +1 α2 +α+1 α2 1 αα2 0 α2 α+1 α2 +α+1 α2 +α α α2 +1 1

α2 +1 0 α2 +1 1 α2 α α2 +α+1 α+1 α2 +αα2 +α 0 α2 +α α2 +α+1 1 α2 +1 α+1 α α2

α2 +α+1 0 α2 +α+1 α2 +1 α 1 α2 +α α2 α+1

TABLE II The multiplication table of the finite fieldF8 represented by the elements ofF2[α]/(α3 +α+1).

Obviously,F8 contains the subfieldF2, but less obviously,F8 does not containF4. In general,Fq1 contains the finite fieldFq2 if and only if q1 is a power ofq2, hence if and only ifq1 = pr1 andq2 = pr2 wherer2 dividesr1. For a finite fieldFqwith q = pr andp prime, we callFp thebase fieldof Fq, andwe callFpr the degreer extensionof the fieldFp. By takingthe limit of arbitrarily high degreer, we obtain thealgebraicclosureFp of Fp, which is an infinite field.

Although the construction of an extension field using an ir-reducible polynomial makes it easy to explicitly perform cal-culations, the procedure soon becomes cumbersome, as Ta-bleII already shows. Furthermore, the representation dependson the specific polynomial being used, so it introduces a cer-tain arbitrariness. Hence, whenever possible, we talk aboutfinite fields without specifying a particular representation.

3. Structure of finite fields

Starting from the infinite fieldFp, the elements ofFpr canbe characterized as theq= pr solutions to the equationxq = x.This immediately implies the above statement thatFpr1 con-tainsFpr2 if and onlyr2 dividesr1.

Within the finite field Fpr , the Frobenius automorphismφ : Fpr → Fpr is the map defined byφ(x) = xp. It is afield automorphism, meaning thatφ(x+y) = φ(x)+ φ(y) andφ(xy) = φ(x)φ(y) for all x,y ∈ Fpr . Iterating the Frobenius

automorphism gives ther different mapsφ j : x 7→ xp jfor

j = 0,1, . . . , r − 1, which are all automorphisms ofFpr . Be-causeφ(a) = a for all base field elementsa ∈ Fp, we seethat if x∈ Fpr is a root of a polynomialF(X) = adXd + · · ·+a1X + a0 ∈ Fp[X] with coefficients in the base fieldFp, thenso are its conjugatesφ j (x) as, assumingF(x) = 0, we haveF(φ(x)) = ∑i ai(φ(x))i = ∑i φ(aixi) = φ(F(x)) = 0. This re-sult generalizes to multivariate polynomialsF ∈Fp[X1, . . . ,Xn]with roots x = (x1, . . . ,xn) ∈ Fn

pr : if F(x) = 0 then alsoF(φ j(x)) = F(φ j (x1), . . . ,φ j(xn)) = 0. Hence the set of so-lutionsx ∈ Fn

pr : F(x) = 0 is invariant under the Frobeniusautomorphism.

APPENDIX B: Representation Theory of Finite Groups

In this appendix, we briefly review the theory of group rep-resentations needed to study the non-Abelian HSP. Here it issufficient to restrict our attention finite groups, and to rep-resentations over finite-dimensional complex vector spaces.For a more detailed introduction to representation theory,seeHamermesh(1989); Serre(1977).

1. General theory

A linear representation(or simply representation) of a fi-nite groupG over the vector spaceCn is a homomorphismσ : G→ GL(Cn), i.e., a map from group elements to nonsin-gularn×n complex matrices satisfyingσ(x)σ(y) = σ(xy) forall x,y∈ G. Clearly,σ(1) = 1 andσ(x−1) = σ(x)−1. We saythatCn is therepresentation spaceof σ, wheren is called itsdimension(or degree), denoteddσ.

Two representationsσ andσ′ with representation spacesCn

areisomorphic(denotedσ ∼ σ′) if and only if there is an in-vertible linear transformationM ∈ Cn×n such thatMσ(x) =σ′(x)M for all x∈G. (Representations of different dimensionscannot be isomorphic.) Every representation is isomorphictoa unitary representation, i.e., one for whichσ(x)−1 = σ(x)†

for all x ∈ G. Thus we can restrict our attention to unitaryrepresentations without loss of generality.

The simplest representations are those of dimension one,such thatσ(x) ∈ C with |σ(x)| = 1 for all x∈ G. Every grouphas a one-dimensional representation called thetrivial repre-sentation, defined byσ(x) = 1 for all x∈ G.

Two particularly useful representations of a groupG areits left regular representationand itsright regular representa-tion. Both of these representations have dimension|G|, andtheir representation space is thegroup algebraCG, i.e., the|G|-dimensional complex vector space spanned by basis vec-tors |x〉 for x ∈ G. The left regular representationL satisfiesL(x)|y〉 = |xy〉, and the right regular representationR satisfiesR(x)|y〉 = |yx−1〉. In particular, both regular representationsarepermutation representationsas each consists entirely ofpermutation matrices.

Given two representationsσ : G→V andσ′ : G→V ′, wecan define theirdirect sum, a representationσ⊕σ′ : G→V ⊕V ′ of dimensiondσ⊕σ′ = dσ +dσ′ . The representation matrices

45

of σ⊕σ′ are of the form

(σ⊕σ′)(x) =

(σ(x) 0

0 σ′(x)

)(B1)

for all x∈ G.A representation isirreducible if it cannot be decomposed

as the direct sum of two other representations. Any repre-sentation of a finite groupG can be written as a direct sumof irreducible representations (orirreps) of G. Up to isomor-phism,G has a finite number of irreps. The symbolG denotesa complete set of irreps ofG, one for each isomorphism type.

Another way to combine two representations is with thetensor product. The tensor product ofσ : G → V and σ′ :G→V ′ is σ⊗σ′ : G→V ⊗V ′, a representation of dimensiondσ⊗σ′ = dσdσ′ .

Thecharacterof a representationσ is the functionχσ : G→C defined byχσ(x) := Trσ(x). We haveχσ(1) = dσ, χ(x−1) =χ(x)∗, andχ(yx) = χ(xy) for all x,y∈ G. For two representa-tionsσ,σ′, we haveχσ⊕σ′ = χσ + χσ′ andχσ⊗σ′ = χσ ·χσ′ .

Perhaps the most useful result in representation theory isSchur’s Lemma, which can be stated as follows:

Theorem 4 (Schur’s Lemma). Letσ andσ′ be two irreduciblerepresentations of G, and let M∈ Cdσ×dσ′ be a matrix satis-fying σ(x)M = Mσ′(x) for all x ∈ G. Then ifσ 6∼ σ′ we haveM = 0; and if σ = σ′, then M is a scalar multiple of the iden-tity matrix.

Schur’s Lemma can be used to prove the following orthog-onality relation for irreducible representations:

Theorem 5. For two irrepsσ,σ′ ∈ G, we have

dσ

|G| ∑x∈G

σ(x)∗i, j σ′(x)i′, j ′ = δσ,σ′δi,i′δ j , j ′ , (B2)

whereδσ,σ′ is 1 if σ = σ′, and0 otherwise.

In particular, this implies a corresponding orthogonalityre-lation for theirreducible characters(i.e., the characters of theirreducible representations):

Theorem 6. For two irrepsσ,σ′ ∈ G, we have

(χσ,χσ′) :=1|G| ∑

x∈G

χσ(x)∗ χσ′(x) = δσ,σ′ . (B3)

Characters provide a simple test for irreducibility. In par-ticular, for any representationσ, (χσ,χσ) is a positive integer,and is equal to 1 if and only ifσ is irreducible.

Any representation ofG can be broken up into its irre-ducible components. The regular representations ofG are use-ful for understanding such decompositions, since they containevery possible irrep ofG, each occurring a number of timesequal to its dimension. In particular,

L ∼=M

σ∈G

(σ⊗1dσ

), R∼=

M

σ∈G

(1dσ ⊗σ∗), (B4)

where 1d denotes thed×d identity matrix. In fact, this holdswith the same isomorphism for bothL andR, since they are

commutants of each other. The isomorphism is simply theFourier transform overG. For its precise definition, as wellas a proof that it decomposes the regular representations, seeSectionVI.

ConsideringχL(1) = χR(1) = |G| and using this decompo-sition, we find the well-known identity

∑σ∈G

d2σ = |G|. (B5)

Also, noting thatχL(x) = χR(x) = 0 for anyx ∈ G\ 1, wesee that

∑σ∈G

dσ χσ(x) = 0. (B6)

In general, the multiplicity of the irrepσ ∈ G in an arbitraryrepresentationτ of G is given byµτ

σ := (χσ,χτ). Then we havethe decomposition

τ ∼=M

σ∈G

σ⊗1µτσ. (B7)

The projection onto theσ-isotypic subspaceof τ is given by

Πτσ :=

dσ

|G| ∑x∈G

χσ(x)∗ τ(x). (B8)

Any representationσ of G can also be viewed as a repre-sentation of any subgroupH ≤ G, simply by restricting itsdomain to elements ofH. We denote the resultingrestrictedrepresentationby ResGH σ. Even whenσ is irreducible overG,it will in generalnotbe irreducible overH. (It is also possibleto extend any representationσ′ of H to an induced represen-tation IndG

H σ′ of G, but we will not need the definition here.)We conclude with some examples of groups and their irre-

ducible represenations.

2. Abelian groups

The irreducible representations of any finite Abelian groupare all one-dimensional. (Conversely, any non-Abelian grouphas some irrep of dimension greater than 1.)

For a cyclic groupG = Z/nZ, all irreps are of the formσk :Z/nZ → C with σk(x) := e2πikx/n, wherek ∈ Z/nZ uniquelylabels the representation. Hence there are indeedn inequiva-lent irreps ofZ/nZ, all of dimension 1.

Any finite Abelian group can be written as a direct productof cyclic factors, and its irreducible representations aregivenby products of irreps of those factors. For example, the irre-ducible representations of the groupG=(Z/nZ)2 are given byσk(x) := e2πi(k1x1+k2x2)/n, wherek=(k1,k2)∈Z/nZ2 uniquelylabels the irrep.

3. Dihedral group

The dihedral group of order 2n is Dn = Z/nZ⋊Z/2Z, withthe group law

(x,a) · (y,b) = (x+(−1)ay,a+b) (B9)

46

for x,y∈ Z/nZ anda,b∈ Z/2Z.For n even, we have the following 1-dimensional represen-

tations:

σtt((x,a)) := 1 (B10)

σts((x,a)) := (−1)a (B11)

σst((x,a)) := (−1)x (B12)

σss((x,a)) := (−1)x+a; (B13)

for n odd, we have onlyσtt andσts. The 2-dimensional repre-sentations are of the form

σh((x,0)) :=

(e2πihx/n 0

0 e−2πihx/n

)(B14)

and

σh((x,1)) :=

(0 e−2πihx/n

e−2πihx/n 0

)(B15)

for someh∈ 1,2, . . . ,⌈

n2

⌉−1. It is straightforward to check

that these representations are all irreducible and that thesumof the dimensions squared gives 2n.

APPENDIX C: Curves Over Finite Fields

Kedlaya’s quantum algorithm for counting the number ofpoints on a curve over a finite field relies on several resultsin algebraic geometry. Here we explain some of the centralconcepts that are necessary to understand the algorithm. Forconcreteness, we limit ourselves to the case of planar alge-braic curves. Our notation follows (Lorenzini, 1996), a highlyrecommended textbook for more information on this topic.

Given a bivariate polynomialf ∈ Fq[X,Y], we can considerthe solutions to the equationf (x,y) = 0 with x,y elements ofthe base fieldFq or of an extension fieldFqr . The set of thesesolutions is the planar curve denoted byCf (Fq) or Cf (Fqr ),respectively. Often we drop the subscriptf when it is clearfrom context.

1. Affine and projective spaces

The theory of algebraic equations works more generally ifwe allow points at infinity to be possible solutions as well.We frequently work over the projective planeP2, which for agiven finite fieldFqr can be expressed as

P2(Fqr ) = (F3qr \ (0,0,0))/∼ (C1)

where two points are equivalent,(x,y,z) ∼ (x′,y′,z′), if andonly if there exists aλ ∈ F×

qr such that(λx,λy,λz) = (x′,y′,z′).

These rays inF3q are denoted by(x : y : z), i.e.,

(x : y : z) = (λx,λy,λz) : λ ∈ F×qr ⊂ F3

qr (C2)

for all (x,y,z) 6= (0,0,0).

One can easily verify that the projective planeP2(Fq) con-sists ofq2 + q+ 1 points, of whichq2 lie in the affine planeA2(Fq) = (x,y,1) : (x,y) ∈ Fq; the remainingq+ 1 pointsare theline at infinity(x,1,0) : x∈ Fq and thepoint at infin-ity (1,0,0). This decomposition can be summarized by theequationP2 = A2∪P1 = A2∪A1∪A0. (For clarity, an affinespace is often indicated byAn(Fq) rather than by the equiva-lent setFn

q , as the latter suggests a vector space with an origin,a concept that plays no role in affine spaces. In this article weignore this subtlety.)

2. Projective curves

The affine solutions to the polynomial equationf (X,Y) = 0over Fq consist of the set(x,y) ∈ F2

q : f (x,y) = 0, but forthe solutions in the projective planeP2(Fq) we must makethe following adjustment. To definef (X,Y) in P2, we in-troduce a third variableZ that allows us to translatef intoa homogeneous polynomial, such that iff (x,y,z) = 0 for(x,y,z) ∈ F3

q \ (0,0,0), then f (λx,λy,λz) = 0 for all λ ∈F×

q . For example, withf (X,Y) = Y2 + X3 + X + 1, we havef (X,Y,Z) = Y2Z+X3+XZ2+Z3.

In other words, an algebraic curveCf in the projective planeis defined by a homogeneous polynomialf ∈ Fq[X,Y,Z], andits set ofFqr -rational solutions is given by

Cf (Fqr ) = (x : y : z) : f (x,y,z) = 0 ⊂ P2(Fqr ). (C3)

Notice that for each extension degreer there is a different setof solutionsCf (Fqr ). Explicit examples of curves are given inSectionsIV.F andIV.H.

3. Properties of curves

Let f ∈ Fq[X,Y,Z] define a planar, projective curveCf . Apoint(x : y : z) ∈Cf (Fqr ) is callednonsingularif and only if

(∂ f∂X

,∂ f∂Y

,∂ f∂Z

)(x,y,z) 6= (0,0,0), (C4)

where∂ f/∂X denotes theformal derivativeof f with respectto X. A projective curve is calledsmoothif all its points arenonsingular. In many ways, curves over finite fields are anal-ogous to compact Riemann surfaces. Most importantly, onecan assign a genusg to a smooth projective curveCf , just asone can for a compact Riemann surface. (This is why we usethe projective curve: the affine curve is not compact.) Theprojective lineP1, defined by a linear equation such asX = 0,has genus 0; elliptic curves, defined by cubic equations, havegenus 1; and in general, a degreed polynomial gives a curvewith genusg= 1

2(d−1)(d−2). The complexity of algorithmsfor curves often depends critically on the genus of the curve,and hence on the degree of the defining polynomialf .

47

4. Rational functions on curves

Similar to the case of Riemann surfaces, the geometricproperties of a smooth, projective curve are closely relatedto the behavior of rational functions on the same surface. Fora smooth, projective curveCf defined by the homogeneouspolynomial f ∈ Fq[X,Y,Z], we define thefunction fieldof ra-tional functions by

Fq(Cf ) =

g(X,Y,Z)

h(X,Y,Z): deg(g) = deg(h)

/ ∼ (C5)

with g andh homogenous polynomials inFq[X,Y,Z] of iden-tical degree, and with equivalence between functions definedby

gh∼ g′

h′if and only if hg′−gh′ ∈ ( f ) (C6)

where( f ) is the ideal generated byf . Notice that by the re-quirement thatg andh are of the same degree, we have

g(λx,λy,λz)h(λx,λy,λz)

=λdeg(g)

λdeg(h)

g(x,y,z)h(x,y,z)

=g(x,y,z)h(x,y,z)

, (C7)

which shows thatg/h is indeed well-defined on the points(x :y : z) in the projective spaceP2(Fq).

It is an important fact that each non-constant rational func-tion on Cf has both roots (points whereg = 0) and poles(h = 0), and that the number of roots equals the number ofpoles, counting multiplicity. See SectionIV.H for an exampleof the structure ofFq(Cf ) for an elliptic curve overF2.

References

Aaronson, S., and A. Ambainis, 2005, Quantum search of spatialregions,Theory of Computing1, pp. 47–79, preliminary versionin FOCS 2003, eprint quant-ph/0303041.

Adleman, L. M., J. Demarrais, and M.-D. A. Huang, 1997, Quan-tum computability,SIAM Journal on Computing26(5), pp. 1524–1540.

Adleman, L. M., and M.-D. Huang, 2001, Counting points on curvesand Abelian varieties over finite fields,Journal of Symbolic Com-putation 32(3), pp. 171–189, preliminary version in ANTS-II1996.

Agrawal, M., N. Kayal, and N. Saxena, 2004, Primes is in P,Annalsof Mathematics160(2), pp. 781–793.

Aharonov, D., 2003, A simple proof that Toffoli and Hadamardarequantum universal, eprint quant-ph/0301040.

Aharonov, D., and I. Arad, 2006, The BQP-hardness of approximat-ing the Jones polynomial, eprint quant-ph/0605181.

Aharonov, D., I. Arad, E. Eban, and Z. Landau, 2007a, Poly-nomial quantum algorithms for additive approximations of thePotts model and other points of the Tutte plane, eprint quant-ph/0702008.

Aharonov, D., and M. Ben-Or, 2008, Fault-tolerant quantum compu-tation with constant error rate,SIAM Journal on Computing38(4),pp. 1207–1282, preliminary version in STOC 1997, eprint quant-ph/9611025.

Aharonov, D., W. van Dam, J. Kempe, Z. Landau, S. Lloyd, andO. Regev, 2007b, Adiabatic quantum computation is equivalent

to standard quantum computation,SIAM Journal on Computing37(1), pp. 166–194, preliminary version in FOCS 2004, eprintquant-ph/0405098.

Aharonov, D., V. Jones, and Z. Landau, 2006, A polynomial quantumalgorithm for approximating the Jones polynomial,Proceedings ofthe 38th ACM Symposium on Theory of Computing, pp. 427–436,eprint quant-ph/0511096.

Ajtai, M., 1996, Generating hard instances of lattice problems,Pro-ceedings of the 28th ACM Symposium on Theory of Computing,pp. 99–108.

Ajtai, M., 1998, The shortest vector problem inL2 is NP-hard forrandomized reductions,Proceedings of the 30th ACM Symposiumon Theory of Computing, pp. 10–19.

Ajtai, M., and C. Dwork, 1997, A public-key cryptosystem withworst-case/average-case equivalence,Proceedings of the 29thACM Symposium on Theory of Computing, pp. 284–293.

Ajtai, M., R. Kumar, and D. Sivakumar, 2001, A sieve algorithm forthe shortest lattice vector problem,Proceedings of the 33rd ACMSymposium on Theory of Computing, pp. 601–610.

Alagic, G., C. Moore, and A. Russell, 2007, Quantum algorithmsfor Simon’s problem over general groups,Proceedings of the 18thACM-SIAM Symposium on Discrete Algorithms, pp. 1217–1224,eprint quant-ph/0603251.

Alexander, J. W., 1923, A lemma on systems of knotted curves,Pro-ceedings of the National Academy of Sciences9(3), pp. 93–95.

Ambainis, A., 2007, Quantum walk algorithm for element distinct-ness,SIAM Journal on Computing37(1), pp. 210–239, prelimi-nary version in FOCS 2004, eprint quant-ph/0311001.

Ambainis, A., A. M. Childs, B. W. Reichardt, R.Spalek, andS. Zhang, 2007, Any AND-OR formula of sizeN can be evalu-ated in timeN1/2+o(1) on a quantum computer,Proceedings ofthe 48th IEEE Symposium on Foundations of Computer Science,pp. 363–372, eprint quant-ph/0703015, eprint arXiv:0704.3628.

Ambainis, A., J. Kempe, and A. Rivosh, 2005, Coins make quantumwalks faster,Proceedings of the 16th ACM-SIAM Symposium onDiscrete Algorithms, pp. 1099–1108, eprint quant-ph/0402107.

Ambainis, A., and R.Spalek, 2006, Quantum algorithms for match-ing and network flows,Proceedings of the 23rd Annual Sympo-sium on Theoretical Aspects of Computer Science, volume 3884of Lecture Notes in Computer Science, pp. 172–183, eprint quant-ph/0508205.

Arad, I., and Z. Landau, 2008, Quantum computation and the evalu-ation of tensor networks, eprint arXiv:0805.0040.

Aspuru-Guzik, A., A. D. Dutoi, P. J. Love, and M. Head-Gordon,2005, Simulated quantum compuation of molecular energies,Sci-ence309, pp. 1704–1707, eprint quant-ph/0604193.

Babai, L., G. Cooperman, L. Finkelstein, E. Luks, andA. Seress,1995, Fast Monte Carlo algorithms for permutation groups,Jour-nal of Computer and System Sciences50(2), pp. 296–308, prelim-inary version in STOC 1991.

Babai, L., D. Grigoriev, and D. Mount, 1982, Isomorphism of graphswith bounded eigenvalue multiplicity,Proceedings of the 14thACM Symposium on Theory of Computing, pp. 310–324.

Babai, L., W. M. Kantor, and E. Luks, 1983, Computational com-plexity and the classification of finite simple groups,Proceedingsof the 24th IEEE Symposium on Foundations of Computer Sci-ence, pp. 162–171.

Babai, L., and E. Szemeredi, 1984, On the complexity of matrixgroup problems I,Proceedings of the 25th IEEE Symposium onFoundations of Computer Science, pp. 229–240.

Bacon, D., 2008, How a Clebsch-Gordan transform helps to solvethe Heisenberg hidden subgroup problem,Quantum Information& Computation8(5), pp. 438–467, eprint quant-ph/0612107.

Bacon, D., A. M. Childs, and W. van Dam, 2005, From optimal mea-

48

surement to efficient quantum algorithms for the hidden subgroupproblem over semidirect product groups,Proceedings of the 46thIEEE Symposium on Foundations of Computer Science, pp. 469–478, eprint quant-ph/0504083.

Bacon, D., A. M. Childs, and W. van Dam, 2006, Optimal mea-surements for the dihedral hidden subgroup problem,ChicagoJournal of Theoretical Computer Science2006(2), eprint quant-ph/0501044.

Barenco, A., A. Ekert, K.-A. Suominen, and P. Torma, 1996,Ap-proximate quantum Fourier transform and decoherence,PhysicalReview A54(1), pp. 139–146, eprint quant-ph/9601018.

Barnum, H., and E. Knill, 2002, Reversing quantum dynamics withnear-optimal quantum and classical fidelity,Journal of Mathemat-ical Physics43(5), pp. 2097–2106, eprint quant-ph/0004088.

Beals, R., 1997, Quantum computation of Fourier transformsoversymmetric groups,Proceedings of the 29th ACM Symposium onTheory of Computing, pp. 48–53.

Beals, R., H. Buhrman, R. Cleve, M. Mosca, and R. de Wolf, 2001,Quantum lower bounds by polynomials,Journal of the ACM48(4), pp. 778–797, preliminary version in FOCS 1998, eprintquant-ph/9802049.

de Beaudrap, J. N., R. Cleve, and J. Watrous, 2002, Sharp quantumvs. classical query complexity separations,Algorithmica34, pp.449–461.

Bennett, C. H., 1973, Logical reversibility of computation, IBMJournal of Research and Development17, pp. 525–532.

Bennett, C. H., E. Bernstein, G. Brassard, and U. Vazirani, 1997,Strengths and weaknesses of quantum computing,SIAM Journalon Computing26, pp. 1510–1523, eprint quant-ph/9701001.

Berndt, B. C., R. J. Evans, and K. S. Williams, 1998,Gauss andJacobi sums, Wiley.

Bernstein, E., and U. Vazirani, 1993, Quantum complexity theory,Proceeding of the 25th ACM Symposium on Theory of Computing,pp. 11–20.

Bernstein, E., and U. Vazirani, 1997, Quantum complexity theory,SIAM Journal on Computing26(5), pp. 1411–1473, preliminaryversion in STOC 1993.

Beth, T., 1987, On the computational complexity of the general dis-crete Fourier transform,Theoretical Computer Science51, pp.331–339.

Blum, A., A. Kalai, and H. Wasserman, 2003, Noise-tolerant learn-ing, the parity problem, and the statistical query model,Journal ofthe ACM50(4), pp. 506–519, preliminary version in STOC 1999.

den Boer, B., 1990, Diffie-Hellman is as strong as discrete log forcertain primes,Advances in Cryptology – CRYPTO ’88, volume403 ofLecture Notes in Computer Science, pp. 530–539.

Boneh, D., and R. Lipton, 1995, Quantum cryptanalysis of hiddenlinear functions,Advances in Cryptology – CRYPTO ’95, volume963 ofLecture Notes in Computer Science, pp. 424–437.

Bordewich, M., M. Freedman, L. Lovasz, and D. Welsh, 2005, Ap-proximate counting and quantum computation,Combinatorics,Probability and Computing14(5-6), pp. 737–754.

Born, M., and V. Fock, 1928, Beweis des Adiabatensatzes,Zeitschriftfur Physik51, pp. 165–180.

Boykin, P. O., T. Mor, M. Pulver, V. Roychowdhury, and F. Vatan,2000, On universal and fault-tolerant quantum computing,In-formation Processing Letters75, pp. 101–107, eprint quant-ph/9906054.

Brassard, G., P. Høyer, M. Mosca, and A. Tapp, 2002, Quantum am-plitude amplification and estimation,Quantum Computation andInformation, edited by S. J. Lomonaco and H. E. Brandt, AMS,volume 305 ofAMS Contemporary Mathematics Series, pp. 53–74, eprint quant-ph/0005055.

Brassard, G., P. Høyer, and A. Tapp, 1997, Quantum cryptanalysis

of hash and claw-free functions,SIGACT News28(2), pp. 14–19,eprint quant-ph/9705002.

Buchmann, J., 1990, A subexponential algorithm for the determi-nation of class groups and regulators of algebraic number fields,Seminaire de Theorie des Nombres, Paris 1988–1989, Birkhauser,volume 91 ofProgress in Mathematics, pp. 27–41.

Buchmann, J., 2004,Introduction to Cryptography, UndergraduateTexts in Mathematics, Springer-Verlag, 2nd edition.

Buchmann, J. A., and H. C. Williams, 1990, A key exchange systembased on real quadratic fields,Advances in Cryptology – CRYPTO’89, volume 435 ofLecture Notes in Computer Science, pp. 335–343.

Buhler, J. P., H. W. Lenstra, Jr., and C. Pomerance, 1993, Factor-ing integers with the number field sieve,The Development of theNumber Field Sieve, Springer, volume 1554 ofLecture Notes inMathematics, pp. 50–94.

Buhrman, H., and R.Spalek, 2006, Quantum verification of matrixproducts,Proceedings of the 17th ACM-SIAM Symposium on Dis-crete Algorithms, pp. 880–889, eprint quant-ph/0409035.

Cheung, D., D. Maslov, J. Mathew, and D. Pradhan, 2008, On thedesign and optimization of a quantum polynomial-time attack onelliptic curve cryptography,Proceedings of the 3rd Workshop onTheory of Quantum Computation, Communication, and Cryptog-raphy, volume 5106 ofLecture Notes in Computer Science, pp.96–104.

Cheung, K. K. H., and M. Mosca, 2001, Decomposing finite abeliangroups,Quantum Information & Computation1(3), pp. 26–32.

Childs, A. M., R. Cleve, E. Deotto, E. Farhi, S. Gutmann, andD. A. Spielman, 2003, Exponential algorithmic speedup by quan-tum walk,Proceedings of the 35th ACM Symposium on Theory ofComputing, pp. 59–68, eprint quant-ph/0209131.

Childs, A. M., and W. van Dam, 2007, Quantum algorithm for ageneralized hidden shift problem,Proceedings of the 18th ACM-SIAM Symposium on Discrete Algorithms, pp. 1225–1234, eprintquant-ph/0507190.

Childs, A. M., and J. Goldstone, 2004a, Spatial search and theDirac equation,Physical Review A70, 042312, eprint quant-ph/0405120.

Childs, A. M., and J. Goldstone, 2004b, Spatial search by quantumwalk, Physical Review A70, 022314, eprint quant-ph/0306054.

Childs, A. M., L. J. Schulman, and U. V. Vazirani, 2007, Quantum al-gorithms for hidden nonlinear structures,Proceedings of the 48thIEEE Symposium on Foundations of Computer Science, pp. 395–404, eprint arXiv:0705.2784.

Childs, A. M., and P. Wocjan, 2007, On the quantum hardness ofsolving isomorphism problems as nonabelian hidden shift prob-lems,Quantum Information & Computation7(5-6), pp. 504–521,eprint quant-ph/0510185.

Clausen, M., 1989, Fast generalized Fourier transforms,TheoreticalComputer Science67(1), pp. 55–63.

Cleve, R., 1994, A note on computing Fourier transforms by quan-tum programs, manuscript.

Cleve, R., 2004, The query complexity of order-finding,Informa-tion and Computation192(2), pp. 162–171, preliminary versionin CCC 2000, eprint quant-ph/9911124.

Cleve, R., A. Ekert, C. Macchiavello, and M. Mosca, 1998, Quantumalgorithms revisited,Proceedings of the Royal Society A454, pp.339–354.

Cleve, R., and J. Watrous, 2000, Fast parallel circuits for the quan-tum Fourier transform,Proceedings of the 41st IEEE Symposiumon Foundations of Computer Science, pp. 526–536, eprint quant-ph/0006004.

Cohen, H., 1993,A Course in Computational Algebraic Number The-ory, volume 138 ofGraduate Texts in Mathematics, Springer.

49

Coppersmith, D., 1994,An approximate Fourier transform useful inquantum factoring, Technical Report RC 19642, IBM ResearchDivision, Yorktown Heights, NY, eprint quant-ph/0201067.

van Dam, W., 2002, Quantum algorithms for weighing matricesandquadratic residues,Algorithmica34(4), pp. 413–428.

van Dam, W., 2004, Quantum computing and zeros of Zeta functions,manuscript, eprint quant-ph/0405081.

van Dam, W., G. M. D’Ariano, A. Ekert, C. Macchiavello, andM. Mosca, 2007, Optimal phase estimation in quantum networks,Journal of Physics A40, pp. 7971–7984.

van Dam, W., S. Hallgren, and L. Ip, 2006, Quantum algorithmsforsome hidden shift problems,SIAM Journal on Computing36(3),pp. 763–778.

van Dam, W., M. Mosca, and U. Vazirani, 2001, How powerful isadiabatic quantum computation?,Proceedings of the 42nd IEEESymposium on Foundations of Computer Science, pp. 279–287,eprint quant-ph/0206003.

van Dam, W., and G. Seroussi, 2002, Efficient quantum algorithmsfor estimating Gauss sums, eprint quant-ph/0207131.

van Dam, W., and U. Vazirani, 2003, Limits on quantum adiabaticoptimization, manuscript.

Damgard, I. B., 1990, On the randomness of Legendre and Jacobisequences,Advances in Cryptology – CRYPTO ’88, volume 403of Lecture Notes in Computer Science, pp. 163–172.

Decker, T., J. Draisma, and P. Wocjan, 2007, Efficient quantum algo-rithm for identifying hidden polynomials,Quantum Information& Computation(to appear), eprint arXiv:0706.1219.

Deutsch, D., 1985, Quantum theory, the Church-Turing principle,and the universal quantum computer,Proceedings of the RoyalSociety of London. Series A400, pp. 97–117.

Deutsch, D., 1989, Quantum computational networks,Proceedingsof the Royal Society of London. Series A425, pp. 73–90.

Deutsch, D., and R. Jozsa, 1992, Rapid solution of problems byquantum computation,Proceedings of the Royal Society: Math-ematical and Physical Sciences439, pp. 553–558.

Diaconis, P., 1988,Group Representations in Probability and Statis-tics, volume 11 ofIMS Lecture Notes–Monograph Series, Instituteof Mathematical Statistics.

Diaconis, P., and D. Rockmore, 1990, Efficient computation of theFourier transform on finite groups,Journal of the American Math-ematical Society3(2), pp. 297–332.

Diffie, W., and M. E. Hellman, 1976, New directions in cryptogra-phy, IEEE Transactions on Information Theory22(6), pp. 644–654.

DiVincenzo, D. P., 1995, Two-bit gates are universal for quantumcomputation,Physical Review A51, pp. 1015–1022, eprint cond-mat/9407022.

Durr, C., M. Heiligman, P. Høyer, and M. Mhalla, 2004, Quantumquery complexity of some graph problems,Proceedings of the31st International Colloquium on Automata, Languages and Pro-gramming, volume 3142 ofLecture Notes in Computer Science,pp. 481–493, eprint quant-ph/0401091.

Ekert, A., and R. Jozsa, 1996, Quantum computation and Shor’s fac-toring algorithm,Reviews of Modern Physics68(3), pp. 733–753.

van Emde Boas, P., 1981,Another NP-complete problem and thecomplexity of computing short vectors in a lattice, Technical Re-port 8104, Department of Mathematics, University of Amsterdam.

Ettinger, M., and P. Høyer, 1999, A quantum observable for the graphisomorphism problem, eprint quant-ph/9901029.

Ettinger, M., and P. Høyer, 2000, On quantum algorithms for non-commutative hidden subgroups,Advances in Applied Mathemat-ics 25, pp. 239–251, eprint quant-ph/9807029.

Ettinger, M., P. Høyer, and E. Knill, 1999, Hidden subgroup statesare almost orthogonal, eprint quant-ph/9901034.

Ettinger, M., P. Høyer, and E. Knill, 2004, The quantum querycomplexity of the hidden subgroup problem is polynomial,In-formation Processing Letters91(1), pp. 43–48, eprint quant-ph/0401083.

Farhi, E., J. Goldstone, and S. Gutmann, 2007, A quantum algorithmfor the Hamiltonian NAND tree, eprint quant-ph/0702144.

Farhi, E., J. Goldstone, S. Gutmann, and M. Sipser, 2000, Quantumcomputation by adiabatic evolution, eprint quant-ph/0001106.

Farhi, E., and S. Gutmann, 1998, Quantum computation and de-cision trees,Physical Review A58, pp. 915–928, eprint quant-ph/9706062.

Fenner, S. A., and Y. Zhang, 2008, On the complexity of the hid-den subgroup problem,Proceedings of the 5th International Con-ference on Theory and Applications of Models of Computation,volume 4978 ofLecture Notes in Computer Science, pp. 70–81,eprint quant-ph/0610086.

Feynman, R. P., 1982, Simulating physics with computers,Interna-tional Journal of Theoretical Physics21, pp. 467–488.

Filotti, I. S., and J. N. Mayer, 1980, A polynomial-time algorithm fordetermining the isomorphism of graphs of fixed genus,Proceed-ings of the 12th ACM Symposium on Theory of Computing, pp.236–243.

Fisher, D. S., 1992, Random transverse field Ising spin chains,Phys-ical Review Letters69(3), pp. 534–537.

Flaxman, A. D., and B. Przydatek, 2005, Solving medium-densitysubset sum problems in expected polynomial time,Proceedings ofthe 22nd Annual Symposium on Theoretical Aspects of ComputerScience, pp. 305–314.

Fortnow, L., and J. D. Rogers, 1998, Complexity limitationsonquantum computation,Journal of Computer and System Sciences59(2), pp. 240–252, preliminary version in CCC 1998, eprintcs.CC/9811023.

Freedman, M., M. Larsen, and Z. Wang, 2002a, A modular functorwhich is universal for quantum computation,Communications inMathematical Physics227(3), pp. 605–622.

Freedman, M. H., A. Kitaev, M. J. Larsen, and Z. Wang, 2003, Topo-logical quantum computation,Bulletin of the American Mathe-matical Society40, pp. 31–38.

Freedman, M. H., A. Y. Kitaev, and Z. Wang, 2002b, Simulationof topological field theories by quantum computers,Communi-cations in Mathematical Physics227, pp. 587–603, eprint quant-ph/0001071.

Friedl, K., G. Ivanyos, F. Magniez, M. Santha, and P. Sen, 2003,Hidden translation and orbit coset in quantum computing,Pro-ceedings of the 35th ACM Symposium on Theory of Computing,pp. 1–9.

von zur Gathen, J., M. Karpinski, and I. Shparlinski, 1997, Countingcurves and their projections,Computational Complexity6(1), pp.64–99.

Gavinsky, D., 2004, Quantum solution to the hidden subgroupprob-lem for poly-near-Hamiltonian groups,Quantum Information &Computation4(3), pp. 229–235.

Gordon, D. M., 1993, Discrete logarithms in GF(P) using the numberfield sieve,SIAM Journal on Discrete Mathematics6(1), pp. 124–138.

Grigni, M., L. J. Schulman, M. Vazirani, and U. Vazirani, 2004,Quantum mechanical algorithms for the nonabelian hidden sub-group problem,Combinatorica24(1), pp. 137–154, preliminaryversion in STOC 2001.

Grover, L. K., 1997, Quantum mechanics helps in searching for aneedle in a haystack,Physical Review Letters79, pp. 325–328,preliminary version in STOC 1996, eprint quant-ph/9706033.

Hales, L., and S. Hallgren, 2000, An improved quantum Fouriertransform algorithm and applications,Proceedings of the 41st

50

IEEE Symposium on Foundations of Computer Science, pp. 515–525.

Hales, L. R., 2002,The quantum Fourier transform and extensionsof the Abelian hidden subgroup problem, Ph.D. thesis, Universityof California, Berkeley, eprint quant-ph/0212002.

Hallgren, S., 2005, Fast quantum algorithms for computing the unitgroup and class group of a number field,Proceedings of the 37thACM Symposium on Theory of Computing, pp. 468–474.

Hallgren, S., 2007, Polynomial-time quantum algorithms for Pell’sequation and the principal ideal problem,Journal of the ACM54(1), preliminary version in STOC 2002.

Hallgren, S., C. Moore, M. Rotteler, A. Russell, and P. Sen,2006,Limitations of quantum coset states for graph isomorphism,Pro-ceedings of the 38th ACM Symposium on Theory of Computing,pp. 604–617, eprint quant-ph/0511148, eprint quant-ph/0511149.

Hallgren, S., A. Russell, and A. Ta-Shma, 2003, The hidden sub-group problem and quantum computation using group representa-tions, SIAM Journal on Computing32(4), pp. 916–934, prelimi-nary version in STOC 2000.

Hamermesh, M., 1989,Group Theory and Its Application to PhysicalProblems, Dover.

Hardy, G. H., and E. M. Wright, 1979,An Introduction to the Theoryof Numbers, Oxford University Press, 5th edition.

Harrow, A. W., B. Recht, and I. L. Chuang, 2002, Efficient dis-crete approximations of quantum gates,Journal of MathematicalPhysics43(9), pp. 4445–4451, eprint quant-ph/0111031.

Harrow, A. W., and A. Winter, 2006, How many copies are neededfor state discrimination?, eprint quant-ph/0606131.

Hausladen, P., and W. K. Wootters, 1994, A ‘pretty good’ measure-ment for distinguishing quantum states,Journal of Modern Optics41, pp. 2385–2390.

Hayashi, M., A. Kawachi, and H. Kobayashi, 2008, Quantum mea-surements for hidden subgroup problems with optimal samplecomplexity, Quantum Information & Computation8(3-4), pp.345–358, eprint quant-ph/0604174.

Hoffmann, C. M., 1982,Group-Theoretic Algorithms and Graph Iso-morphism, volume 136 ofLecture Notes in Computer Science,Springer-Verlag.

Holevo, A. S., 1973, Statistical decisions in quantum theory, Journalof Multivariate Analysis3, pp. 337–394.

Høyer, P., 1997, Efficient quantum transforms, eprint quant-ph/9702028.

Hulek, K., 2003,Elementary Algebraic Geometry, volume 20 ofStu-dent Mathematical Library, AMS.

Impagliazzo, R., and A. Wigderson, 1997, P = BPP if E requiresex-ponential circuits: derandomizing the XOR lemma,Proceedingsof the 29th ACM Symposium on Theory of Computing, pp. 220–229.

Ip, L., 2003, Shor’s algorithm is optimal, manuscript.Ireland, K., and M. Rosen, 1990,A Classical Introduction to Modern

Number Theory, volume 84 ofGraduate Texts in Mathematics,Springer-Verlag, 2nd edition.

Ivanyos, G., 2008, On solving systems of random linear disequa-tions,Quantum Information & Computation8(6-7), pp. 579–594,eprint 0704.2988.

Ivanyos, G., F. Magniez, and M. Santha, 2003, Efficient quantum al-gorithms for some instances of the non-abelian hidden subgroupproblem,International Journal of Foundations of Computer Sci-ence 14(5), pp. 723–739, preliminary version in SPAA 2001,eprint quant-ph/0102014.

Ivanyos, G., L. Sanselme, and M. Santha, 2007, An efficient quan-tum algorithm for the hidden subgroup problem in extraspecialgroups,Proceedings of the 24th Annual Symposium on Theoret-ical Aspects of Computer Science, pp. 586–597, eprint quant-

ph/0701235.Ivanyos, G., L. Sanselme, and M. Santha, 2008, An efficient quan-

tum algorithm for the hidden subgroup problem in nil-2 groups,Proceedings of the 8th Latin American Symposium on TheoreticalInformatics, volume 4957 ofLecture Notes in Computer Science,pp. 759–771, eprint 0707.1260.

Jaeger, F., D. L. Vertigan, and D. J. A. Welsh, 1990, On the computa-tional complexity of the Jones and Tutte polynomials,Mathemat-ical Proceedings of the Cambridge Philosophical Society108(1),pp. 35–53.

Jansen, S., M. B. Ruskai, and R. Seiler, 2007, Bounds for theadiabatic approximation with applications to quantum computa-tion, Journal of Mathematical Physics48, 102111, eprint quant-ph/0603175.

Jones, V. F. R., 1985, A polynomial invariant for knots via von Neu-mann algebras,Bulletin of the American Mathematical Society12(1), pp. 103–111.

Jordan, S. P., and P. Wocjan, 2008, Estimating Jones and HOMFLYpolynomials with one clean qubit, eprint arXiv:0807.4688.

Jozsa, R., 2003, Quantum computation in algebraic number theory:Hallgren’s efficient quantum algorithm for solving Pell’s equation,Annals of Physics306(2), pp. 241–279, eprint quant-ph/0302134.

Kauffman, L. H., 1987, State models and the Jones polynomial,Topology26(3), pp. 395–407.

Kawachi, A., T. Koshiba, H. Nishimura, and T. Yamakami, 2005,Computational indistinguishability between quantum states andits cryptographic application,Advances in Cryptology – EURO-CRYPT 2005, volume 3494 ofLecture Notes in Computer Science,pp. 268–284, eprint quant-ph/0403069.

Kaye, P., 2005, Optimized quantum implementation of elliptic curvearithmetic over binary fields,Quantum Information & Computa-tion 5(6), pp. 474–491.

Kaye, P., R. Laflamme, and M. Mosca, 2007,An Introduction toQuantum Computing, Oxford University Press.

Kedlaya, K. S., 2006, Quantum computation of zeta functionsofcurves,Computational Complexity15, pp. 1–19.

Khot, S., 2005, Hardness of approximating the shortest vector prob-lem in lattices,Journal of the ACM52(5), pp. 789–808, prelimi-nary version in FOCS 2004.

Kitaev, A. Y., 1995, Quantum measurements and the Abelian stabi-lizer problem, eprint quant-ph/9511026.

Kitaev, A. Y., 1997, Quantum computations: Algorithms and errorcorrection,Russian Mathematical Surveys52(6), pp. 1191–1249.

Kitaev, A. Y., A. H. Shen, and M. N. Vyalyi, 2002,Classical andQuantum Computation, volume 47 ofGraduate Studies in Math-ematics, American Mathematical Society.

Knill, E., 1995, Approximation by quantum circuits, Technical Re-port LAUR-95-2225, Los Alamos National Laboratory, eprintquant-ph/9508006.

Knill, E., and R. Laflamme, 1998, Power of one bit of quantum in-formation,Physical Review Letters81(25), pp. 5672–5675, eprintquant-ph/9802037.

Knill, E., R. Laflamme, and W. Zurek, 1996,Accuracy thresholdfor quantum computation, Technical Report LAUR-96-2199, LosAlamos National Laboratory, eprint quant-ph/9610011.

Knill, E., R. Laflamme, and W. Zurek, 1997, Resilient quantumcom-putation: Error models and thresholds,Proceedings of the RoyalSociety A454, pp. 365–384, eprint quant-ph/9702058.

Kobler, J., U. Schoning, and J. Toran, 1993,The Graph IsomorphismProblem: Its Structural Complexity, Springer.

Koblitz, N., 1998,Algebraic aspects of cryptography, volume 3 ofAlgorithms and Computation in Mathematics, Springer-Verlag.

Koiran, P., V. Nesme, and N. Portier, 2005, A quantum lower boundfor the query complexity of Simon’s problem,Proceedings of the

51

32nd International Colloquium on Automata, Languages and Pro-gramming, volume 3580 ofLecture Notes in Computer Science,pp. 1287–1298, eprint quant-ph/0501060.

Kuperberg, G., 2005, A subexponential-time quantum algorithm forthe dihedral hidden subgroup problem,SIAM Journal on Comput-ing 35(1), pp. 170–188, eprint quant-ph/0302112.

Lauder, A., and D. Wan, 2002, Counting points on varieties overfinite fields of small characteristic,Algorithmic Number Theory,edited by J. Buhler and P. Stevenhagen, Cambridge UniversityPress, volume 44 ofMathematical Sciences Research InstitutePublications, to appear, eprint math.NT/0612147.

Lenstra, A. K., H. W. Lenstra, Jr., and L. Lovasz, 1982, Factoringpolyonimals with rational coefficients,Mathematische Annalen261, pp. 515–534.

Lenstra, H. W., Jr., 1983, Integer programming with a fixed numberof variables,Mathematics of Operations Research8(4), pp. 538–548.

Lenstra, H. W., Jr., 2002, Solving the Pell equation,Notices of theAmerican Mathematical Society49(2), pp. 182–192.

Lidl, R., and H. Niederreiter, 1997,Finite Fields, volume 20 ofEn-cyclopedia of Mathematics and its Applications, Cambridge Uni-versity Press, 2nd edition.

Lloyd, S., 1996, Universal quantum simulators,Science273, pp.1073–1078.

Lorenzini, D., 1996,An Invitation to Arithmetic Geometry, volume 9of Graduate Studies in Mathematics, AMS.

Luks, E. M., 1982, Isomorphism of graphs of bounded valence canbe tested in polynomial time,Journal of Computer and SystemSciences25(1), pp. 42–65.

Magniez, F., and A. Nayak, 2007, Quantum complexity of testinggroup commutativity,Algorithmica48(3), pp. 221–232, prelimi-nary version in ICALP 2005, eprint quant-ph/0506265.

Magniez, F., A. Nayak, J. Roland, and M. Santha, 2007, Searchviaquantum walk,Proceedings of the 39th ACM Symposium on The-ory of Computing, pp. 575–584, eprint quant-ph/0608026.

Magniez, F., M. Santha, and M. Szegedy, 2005, Quantum algo-rithms for the triangle problem,Proceedings of the 16th ACM-SIAM Symposium on Discrete Algorithms, pp. 1109–1117, eprintquant-ph/0310134.

Manin, Y., 1980, Computable and uncomputable, Sovetskoye Radio.Maslen, D. K., and D. N. Rockmore, 1995, Adapted diameters and

the efficient computation of Fourier transforms on finite groups,Proceedings of the 6th ACM-SIAM Symposium on Discrete Algo-rithms, pp. 253–262.

Maurer, U. M., and S. Wolf, 1999, The relationship between breakingthe Diffie-Hellman protocol and computing discrete logarithms,SIAM Journal on Computing28(5), pp. 1689–1721.

Menezes, A. J., P. C. van Oorschot, and S. A. Vanstone, 1996,Hand-book of Applied Cryptography, CRC Press.

Micciancio, D., 2001, The shortest vector in a lattice is hard to ap-proximate to within some constant,SIAM Journal on Computing30(6), pp. 2008–2035, preliminary version in FOCS 1998.

Micciancio, D., and S. Goldwasser, 2002,Complexity of LatticeProblems: A Cryptographic Perspective, Kluwer.

Miller, G., 1980, Isomorphism testing for graphs of boundedgenus,Proceedings of the 12th ACM Symposium on Theory of Comput-ing, pp. 225–235.

Miller, G. L., 1976, Riemann’s hypothesis and tests for primality,Journal of Computer and System Sciences13(3), pp. 300–317,preliminary version in STOC 1975.

Moore, C., D. Rockmore, and A. Russell, 2006, Generic quan-tum Fourier transforms,ACM Transactions on Algorithms2(4),pp. 707–723, preliminary version in SODA 2004, eprint quant-ph/0304064.

Moore, C., D. N. Rockmore, A. Russell, and L. J. Schulman, 2007a,The power of strong Fourier sampling: Quantum algorithms foraffine groups and hidden shifts,SIAM Journal on Computing37(3), pp. 938–958, preliminary version in SODA 2004, eprintquant-ph/0503095.

Moore, C., A. Russell, and L. J. Schulman, 2005, The symmetricgroup defies strong Fourier sampling,Proceedings of the 46thIEEE Symposium on Foundations of Computer Science, pp. 479–490, eprint quant-ph/0501056.

Moore, C., A. Russell, and P. Sniady, 2007b, On the impossibility ofa quantum sieve algorithm for graph isomorphism,Proceedings ofthe 29th ACM Symposium on Theory of Computing, pp. 536–545,eprint quant-ph/0612089.

Moore, C., A. Russell, and U. Vazirani, 2007c, A classical one-way function to confound quantum adversaries, eprint quant-ph/0701115.

Mosca, M., 1999,Quantum computer algorithms, Ph.D. thesis, Uni-versity of Oxford.

Mosca, M., and A. Ekert, 1999, The hidden subgroup problem andeigenvalue estimation on a quantum computer,Proceedings of the1st NASA International Conference on Quantum Computing andQuantum Communication, volume 1509 ofLecture Notes in Com-puter Science.

Mosca, M., and C. Zalka, 2004, Exact quantum Fourier transformsand discrete logarithm algorithms,International Journal of Quan-tum Information2(1), pp. 91–100, eprint quant-ph/0301093.

Nielsen, M. A., and I. L. Chuang, 2000,Quantum Computation andQuantum Information, Cambridge University Press.

Okamoto, T., K. Tanaka, and S. Uchiyama, 2000, Quantum public-key cryptosystems,Advances in Cryptology – CRYPTO 2000, vol-ume 1880 ofLecture Notes in Computer Science, pp. 147–165.

Papadimitriou, C. H., 1994,Computational Complexity, Addison-Wesley.

Perez-Garcıa, D., F. Verstraete, M. M. Wolf, and J. I. Cirac, 2007,Matrix product state representations,Quantum Information &Computation7(5-6), pp. 401–430, eprint quant-ph/0608197.

Petrank, E., and M. Roth, 1997, Is code equivalence easy to decide?,IEEE Transactions on Information Theory43(5), pp. 1602–1604.

Pila, J., 1990, Frobenius maps of abelian varieties and finding rootsof unity in finite fields,Mathematics of Computation55(192), pp.745–763.

Polya, G., 1945,How to Solve It: A New Aspect of MathematicalMethod, Princeton University Press.

Pomerance, C., 1987, Fast, rigorous factorization and discrete loga-rithm algorithms,Discrete Algorithms and Complexity, edited byD. S. Johnson, T. Nishizeki, A. Nozaki, and H. S. Wilf, AcademicPress, pp. 119–143.

Preskill, J., 1998a, Lecture notes for Ph229:Quantum information and computation, URLhttp://www.theory.caltech.edu/people/preskill/ph229.

Preskill, J., 1998b, Reliable quantum computers,Proceedings of theRoyal Society A454, pp. 385–410, eprint quant-ph/9705031.

Proos, J., and C. Zalka, 2003, Shor’s discrete logarithm quantum al-gorithm for elliptic curves,Quantum Information & Computation3(4), pp. 317–344.

Puschel, M., M. Rotteler, and T. Beth, 1999, Fast quantum Fouriertransforms for a class of non-abelian groups,Proceedings ofthe 13th International Symposium on Applied Algebra, Alge-braic Algorithms and Error-Correcting Codes, volume 1719 ofLecture Notes in Computer Science, pp. 148–159, eprint quant-ph/9807064.

Rabin, M. O., 1980, Probabilistic algorithm for testing primality,Journal of Number Theory12(1), pp. 128–138.

Radhakrishnan, J., M. Rotteler, and P. Sen, 2005, On the power

http://www.theory.caltech.edu/people/preskill/ph229

52

of random bases in Fourier sampling: Hidden subgroup prob-lem in the Heisenberg group,Proceedings of the 32nd Interna-tional Colloquium on Automata, Languages and Programming,volume 3580 ofLecture Notes in Computer Science, pp. 1399–1411, eprint quant-ph/0503114.

Regev, O., 2003, New lattice based cryptographic constructions,Pro-ceedings of the 35th ACM Symposium on Theory of Computing,pp. 407–416, eprint cs.CR/0309051.

Regev, O., 2004a, Quantum computation and lattice problems, SIAMJournal on Computing33(3), pp. 738–760, eprint cs.DS/0304005.

Regev, O., 2004b, A subexponential time algorithm for the dihedralhidden subgroup problem with polynomial space, eprint quant-ph/0406151.

Reichardt, B. W., 2004, The quantum adiabatic optimizationalgo-rithm and local minima,Proceedings of the 36th ACM Symposiumon Theory of Computing, pp. 502–510.

Reichardt, B. W., and R.Spalek, 2008, Span-program-based quan-tum algorithm for evaluating formulas,Proceedings of the 40thACM Symposium on Theory of Computing, pp. 103–112, eprintarXiv:0710.2630.

Rivest, R., A. Shamir, and L. Adleman, 1978, A method for obtainingdigital signatures and public-key cryptosystems,Communicationsof the ACM21(2), pp. 120–126.

Rockmore, D., 1990, Fast Fourier analysis for abelian groupexten-sions,Advances in Applied Mathematics11(2), pp. 164–204.

Rudolph, T., and L. Grover, 2002, A 2 rebit gate universal forquan-tum computing, eprint quant-ph/0210187.

Russell, A., and I. E. Shparlinski, 2004, Classical and quantum func-tion reconstruction via character evaluation,Journal of Complex-ity 20, pp. 404–422.

Schmidt, A., and U. Vollmer, 2005, Polynomial time quantum al-gorithm for the computation of the unit group of a number field,Proceedings of the 37th ACM Symposium on Theory of Comput-ing, pp. 475–480.

Schnorr, C. P., 1987, A hierarchy of polynomial time latticebasisreduction algorithms,Theoretical Computer Science53, pp. 201–224.

Schoof, R., 1985, Elliptic curves over finite fields and the computa-tion of square roots modp, Mathematics of Computation44(170),pp. 483–494.

Sen, P., 2006, Random measurement bases, quantum state distinctionand applications to the hidden subgroup problem,Proceedings ofthe 21st IEEE Conference on Computational Complexity, pp. 274–287, eprint quant-ph/0512085.

Serre, J.-P., 1977,Linear Representations of Finite Groups, vol-ume 42 ofGraduate Texts in Mathematics, Springer.

Shenvi, N., J. Kempe, and K. B. Whaley, 2003, A quantum ran-dom walk search algorithm,Physical Review A67, 052307, eprintquant-ph/0210064.

Shi, Y., 2003, Both Toffoli and controlled-NOT need little help to douniversal quantum computation,Quantum Information & Compu-tation3(1), pp. 84–92, eprint quant-ph/0205115.

Shor, P. W., 1996, Fault-tolerant quantum computation,Proceedingsof the 37th IEEE Symposium on Foundations of Computer Sci-ence, pp. 56–65, eprint quant-ph/9605011.

Shor, P. W., 1997, Polynomial-time algorithms for prime factoriza-tion and discrete logarithms on a quantum computer,SIAM Jour-

nal on Computing26(5), pp. 1484–1509, preliminary version inFOCS 1994.

Shor, P. W., and S. P. Jordan, 2008, Estimating Jones polynomials isa complete problem for one clean qubit,Quantum Information &Computation8(8/9), pp. 681–714, eprint arXiv:0707.2831.

Shoup, V., 2005,A Computational Introduction to Number Theoryand Algebra, Cambridge University Press.

Simon, D. R., 1997, On the power of quantum computation,SIAMJournal on Computing26(5), pp. 1474–1483, preliminary versionin FOCS 1994.

Solovay, R., 2000, Lie groups and quantum circuits, URLhttp://www.msri.org/publications/ln/msri/2000/qcomputing/solovay/1/.

Spielman, D. A., 1996, Faster isomorphism testing of strongly regu-lar graphs,Proceedings of the 28th ACM Symposium on Theory ofComputing, pp. 576–584.

Stigler, S. M., 1980, Stigler’s law of eponymy,Transactions of theNew York Academy of Sciences, Series II39, pp. 147–157.

Szegedy, M., 2004, Quantum speed-up of Markov chain based algo-rithms,Proceedings of the 45th IEEE Symposium on Foundationsof Computer Science, pp. 32–41, eprint quant-ph/0401053.

Terras, A., 1999,Fourier Analysis On Finite Groups and Applica-tions, volume 43 ofLondon Mathematical Society Student Texts,Cambridge University Press.

Thiel, C., 1995,On the complexity of some problems in algorithmicalgebraic number theory, Ph.D. thesis, Universitat des Saarlandes,Saarbrucken, Germany.

Vollmer, U., 2000, Asymptotically fast discrete logarithms inquadratic number fields,Proceedings of the 4th InternationalSymposium on Algorithmic Number Theory, pp. 581–594.

Watrous, J., 2001a, Quantum algorithms for solvable groups, Pro-ceedings of the 33rd ACM Symposium on Theory of Computing,pp. 60–67.

Watrous, J., 2001b, Quantum simulations of classical random walksand undirected graph connectivity,Journal of Computer and Sys-tem Sciences62, pp. 376–391, eprint cs.CC/9812012.

Watrous, J., 2009, Quantum computational complexity,Encyclo-pedia of Complexity and Systems Science (to appear), Springer,eprint arXiv:0804.3401.

Wiesner, S., 1996, Simulations of many-body quantum systems by aquantum computer, eprint quant-ph/9603028.

Witten, E., 1989, Quantum field theory and the Jones polynomial,Communications in Mathematical Physics121(3), pp. 351–399.

Wocjan, P., and J. Yard, 2008, The Jones polynomial: Quantumalgo-rithms and applications in quantum complexity theory,QuantumInformation & Computation8(1-2), pp. 147–180, eprint quant-ph/0603069.

Yao, A. C.-C., 1993, Quantum circuit complexity,Proceedings of the34th IEEE Symposium on Foundations of Computer Science, pp.352–361.

Yuen, H. P., R. S. Kennedy, and M. Lax, 1975, Optimum testing ofmultiple hypotheses in quantum detection theory,IEEE Transac-tions on Information Theory21, pp. 125–134.

Zalka, C., 1998, Simulating quantum systems on a quantum com-puter,Proceedings of the Royal Society A454, pp. 313–322, eprintquant-ph/9603026.

http://www.msri.org/publications/ln/msri/2000/qcomputing/solovay/1/

andrew m. childs wim van dam - arxiv

Documents