the quantum hidden subgroup problem for semidirect products of cyclic groups

8/10/2019 The Quantum Hidden Subgroup Problem for Semidirect Products of Cyclic Groups

1/54

The Quantum Hidden Subgroup Problem for Semidirect Products of Cyclic Groups

A Thesis

Presented to

The Division of Mathematics and Natural Sciences

Reed College

In Partial Fulfillment

of the Requirements for the Degree

Bachelor of Arts

Samuel F. Hopkins

December 2012


2/54


3/54

Approved for the Division(Mathematics)

James Pommersheim


4/54


5/54

Acknowledgements

I must first thank my adviser Jamie Pommersheim: for introducing me to quantumcomputing and the Hidden Subgroup Problem, for guiding me through the darkforest of qubits in which I quickly found myself lost, and for being one of the trulyluminous teachers during my time at Reed. I also give thanks to the other membersof the Quantum Mechanics (Daniel Copeland, Ethan Edwards, Mikhail Lepilov, andMarcus Robinson), as well as all those Reed students who took part in Jamies topics

class on quantum computing during the spring semester of 2012. Stephanie Bastekgets thanks for being a stellar roommate-proofreader. Finally, I thank Asif Shakeelfor his thoughtful comments regarding chapter 3 and because his PhD thesis provideda launchpad for my research.


6/54


7/54

Table of Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Chapter 1: Quantum Computing . . . . . . . . . . . . . . . . . . . . . . 31.1 Information storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.1.1 State spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.1.2 Notation and composite systems . . . . . . . . . . . . . . . . . 41.1.3 State vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.2 Information processing . . . . . . . . . . . . . . . . . . . . . . . . . . 61.3 Information retrieval . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.4 The quantum Fourier transform . . . . . . . . . . . . . . . . . . . . . 91.5 Oracle problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Chapter 2: The Hidden Subgroup Problem . . . . . . . . . . . . . . . . 132.1 History and overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 132.2 Statement of the problem . . . . . . . . . . . . . . . . . . . . . . . . 142.3 The abelian HSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.4 The non-abelian HSP . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 3: The HSP forZN Zp . . . . . . . . . . . . . . . . . . . . . . . 193.1 The metacyclic groupZN Zp . . . . . . . . . . . . . . . . . . . . . . 193.2 Overview of the algorithm . . . . . . . . . . . . . . . . . . . . . . . . 203.3 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233.4 Single-query algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 253.5 Multi-query algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 283.6 Analysis of probability of success . . . . . . . . . . . . . . . . . . . . 30

3.6.1 A lemma on the distribution of ds . . . . . . . . . . . . . . . 31

3.6.2 N prime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323.6.3 General N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

3.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 4: Representation Theory and the HSP forZN Zp . . . . . 354.1 The Fourier transform over a group . . . . . . . . . . . . . . . . . . . 354.2 Irreducible representations ofZNk Zp . . . . . . . . . . . . . . . . . 374.3 The Fourier transform overZNk Zp . . . . . . . . . . . . . . . . . . 39


8/54

Appendix A: Basic Representation Theory . . . . . . . . . . . . . . . . 41

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43


9/54

Abstract

In this thesis we explore the Hidden Subgroup Problem in quantum computing. Whilethere exist efficient quantum algorithms that solve the Hidden Subgroup Problem formany families of groups, there is no known general polynomial-time solution. Ourmain new result, proved in chapter 3, shows that if a certain proposed algorithmfor the dihedral Hidden Subgroup Problem can be efficiently implemented, then infact there exists an efficient quantum solution to the Hidden Subgroup Problem for

arbitrary semidirect products of a cyclic group by a cyclic group of prime order.


10/54


11/54

Introduction

In 1994, Peter Shor [22] shocked the computer science community by demonstrat-ing that a quantum computer, if it were ever built, could quickly factorize integers.Practically, Shors algorithm threatened to break the most widely used public-keycryptography systems and immediately spurred government and industry to invest inquantum computing research. Philosophically, Shors algorithm represented a poten-tial counterexample to the Extended Church-Turing Thesis.1 Mathematically, Shors

algorithm, which employs variously number theory, linear algebra, probability andanalysis, laid bare the richness of the theory of quantum computing and promptedmathematicians to explore its capabilities and limitations. Almost twenty years later,there have been few breakthroughs in quantum computing comparable to Shors algo-rithm. Indeed, even as engineers are testing small-scale quantum computers that canfactor 15 or 21, there exist only a handful of significant quantum algorithms. As AmitHagar [10] writes in the Stanford Encyclopedia of Philosophy, quantum computingis a domain where experimentalists find themselves ahead of their fellow theorists.

This thesis represents one theorist fighting back. In the following pages, I attemptto develop an algorithm for solving a particular case of the so-called Hidden SubgroupProblem (HSP), a natural algebraic generalization of Shors problem of factorizing

integers. The HSP is a highly active area of research in quantum computing: it hasimplications for certain proposed cryptographic systems and is of general computerscientific interest because of its relation to classically intractable problems like thegraph isomorphism problem. While my research has not led to a new, unconditionallyefficient solution to the HSP, it does expose an interesting connection between thedihedral HSP and the HSP for more general semidirect products of cyclic groups.

Throughout the thesis, we assume familiarity with basic results from linear algebraand group theory. Representation theory is used only in chapter 4; Appendix Aquickly explains all the representation-theoretic terms and theorems we need.

1The Extended Church-Turing Thesis is the claim that all reasonable physical models of a com-puter are polynomial-time equivalent to a Turing machine; see [10],1.1.


12/54


13/54

Chapter 1

Quantum Computing

In this chapter we describe the standard model of quantum computing and present itspostulates, with the aim of developing a quantum algorithm that solves some classi-cally hard mathematical problem. These postulates are justified by well-documented

physical evidence but we will not focus on providing any such justification here. Fora comprehensive treatment of the theory of quantum computing, with perspectivesfrom physics, mathematics, computer science and information theory, we direct thereaders attention to Nielsen and Chaung [15].

Before formally describing the model, it will help to give a brief overview of quan-tum computers to understand why they are potentially interesting. A quantum com-puter stores information as quantum bits, or qubits, where a qubit is mathematicallynotated as a vector| = |0 +|1. Unlike classical bits, qubits can take valuesin-between 0 and 1. Hereandare complex coefficients which we callamplitudes,and so a single qubit could be said to store an infinite amount of information. How-

ever, this last assertion is extremely misleading because we are not free to arbitrarilyaccess the amplitudes of our qubits. Rather, when we measure a qubit, we obtainonly classical information (either 0 or 1). The real values||2 and||2 determine theprobabilities of measuring 0 or 1 respectively.

The nave account of quantum computing contends that a quantum algorithm cansolve an intractable problem because it tests all the possibilities at once. But thisdescription is misleading. If we used a single system of qubits to compute all possiblesolutions to some problem and then attempted to read off the solution by measuringthis system, instead we would only measure the result of a random computation. Thisis no better than the classical probabilistic approach of randomly guessing the answerand checking if it works. However, quantum computers have one tremendous advan-

tage over classical probabilistic computers: unlike classical probabilities, which arenonnegative reals, the amplitudes of a quantum state are complex numbers and thuscan cancel out. The true explanation for why quantum algorithms work is that theyexploit the structure of the problems they solve and cleverly manipulate their quan-tum states so that the amplitudes of bad solutions destructively interfere while theamplitudes of the correct solutions constructively interfere. With this perhaps fuzzyintuition about the potential of quantum computing in mind, we now systemicallydescribe the way a quantum computer stores, processes, and retrieves information.


14/54

4 Chapter 1. Quantum Computing

1.1 Information storage

1.1.1 State spaces

Quantum computers store information in quantum systems; indeed, it is through

quantum mechanical phenomena such as superpositions and entanglement that theyare able to achieve any computational advantage over classical computers. Von Neu-mann, in rigorously establishing a mathematical framework for quantum mechanics,realized that the proper setting for a quantum system is a Hilbert space. Through-out this thesis, we will consider our Hilbert spaces to be finite-dimensional complexinner-product spaces.

Postulate 1. (State spaces)The state spaceof a quantum system is a finite-dimensional complex Hilbert spaceH. That is,H is a finite-dimensional vector space over C equipped with an innerproduct, :H H Csuch that for allx, y,z H anda, b C,

1.ax+bz, y=ax,y + bz,y (linearity);2.x, y=y, x (skew-symmetry);3.x, x 0 with equality if and only ifx = 0 (positive definiteness).The inner product ofHinduces a norm|x|:=

x, xfor any vector x Hand a

distance functiond(x, y) :=|x y| between any two vectors x, y H. It is a routineexercise to check that this distance function in fact makesHinto a metric space, andthatHis complete with respect to this metric.

1.1.2 Notation and composite systemsIt is convenient to use Dirac notation to represent quantum systems. A quantumsystem, as we shall see, is a vector in some state space H. We call such a vector astate vector. In Dirac notation, a vector is written as| H, which we read as ketphi. The conjugate transpose of| is written|:=|, which we read as bra phi.This notation is attractive because the product| | is in fact equal to|, theinner product of| and|.

We use the notation| | to represent the outer product of| and|. Theouter product is a linear transform| |:H H that acts by

| | (|) :=| | .For instance, if|is a unit vector,| |is a rank one linear transform representingprojection onto|.

Finally, we will use| |to denote the tensor product of|and|. SupposeH1 andH2 are Hilbert spaces. ThenH1 H2 is also a Hilbert space, of dimensiondim(H1) dim(H2). The tensor product is a map :H1 H2 H1 H2 where wehave the following identities for any|1 , |2 , | H1,|1 , |2 , | H2, andc C:


15/54

1.1. Information storage 5

1. (|1 + |2) |=|1 | + |2 |;

2.| (|1 + |2) =| |1 + | |2;

3. c | |=| c |= c(| |).

The inner product of a tensor product of two Hilbert spaces is the product of theinner products of the tensor factors; in symbols, we have

(|1 |1), (|2 |2=1|2 1|2.

Instead of| |, we often write| | or even| if this is unambiguous. Ofcourse it is possible to take the tensor product of more than two Hilbert spaces; it isroutine to verify that the order in which we take the products does not matter, i.e.thatH1 (H2 H3) = (H1 H2) H3.

The tensor product is extremely important in the mathematical formulation of

quantum mechanics because the composite of multiple quantum systems is the tensorproduct of the constituent systems.

Postulate 2. (Composite systems)IfH1, . . . , Hk are quantum state spaces, then the composite systemof these spaces isH1 Hk. IfHi is in state|i for all 1ik, thenH1 Hk is in state|1 |k.

1.1.3 State vectors

The bit is the basic unit of information for classical computers. A bit can have oneof two values, 0 or 1. Any natural number can be stored as a series of bits by writingit in binary; e.g. 5 = 101. We see that it takes log(N) bits to represent the numberN N.

The qubit is the quantum analogue of the bit. Like the bit, a qubit, which weregard as a state vector| in the Hilbert space C2, can take on the classical values|0 and|1. However, a qubit may also be in a superposition of these two states:

|= |0 +|1 .

Here we consider{|0 , |1}to be an orthonormal basis ofC2. Which values of andare permissible? To answer this we need another postulate.

Postulate 3. (State vectors)A state vectoris a unit vector in some state space.1

1If two state vectors differ only by a global phase, i.e. if|= ei |, then, as we shall see, thereis no way to distinguish| and| via a measurement. While it might therefore be tempting toconsider a state vector to be an equivalence class of unit vectors that differ by a global phase, thiswould cause some problems with our definition of a composite state. We will consider a state vectorto be a single vector.


16/54


Thus we see that in| above we have||2 + ||2 = 1. We may also consider astate vector representing multiple qubits, for instance:

|= |00 +|01 +|10 +|11 .

In this case| C4

C2

C2

, and again we have||2

+ ||2

+ ||2

+ ||2

= 1. Itis often convenient to look at parts of our qubit systems, and for this purpose thenotion of a register is convenient.

Definition 1.1. Aregister of a state vector involving multiple qubits is some subsetof all of the qubits.

The notation|1 |2 stresses that we are viewing a state vector as comprisingtwo registers. So for instance we write|= |0 |0 +|0 |1 +|1 |0 +|1 |1to represent| as comprising two single qubit registers.

Just as we can encode a natural number on a classical computer by writing its

binary representation in bits, we can encode a number on a quantum computer bywriting its binary representation in qubits. For instance,|5=|101=|1 |0 |1. Wecan encode any finite set of numbers in qubits, so although we assume our quantumcomputer stores its information in qubits, we have no problem working in the Hilbertspace CN whose orthonormal basis vectors we will call|0 , |1 , . . . , |N 1. In fact,any finite set Xcan be encoded in qubits by some map X {0, . . . , |X| 1}, so wewill also feel comfortable working in the Hilbert space CX C|X| whose orthonormalbasis vectors are|x for x X. Sometimes we use the notation C |x to mean thesubspace ofCX spanned by|x.

1.2 Information processingIn the last section, we explained how there is a significant difference in the wayclassical and quantum computers store information (bits versus qubits). There isa similarly significant difference in information processing between the two kinds ofcomputers. In a classical computer, bits can be rewritten at will; however, becausethe evolution of a quantum state is symmetric with respect to time, in a quantumcomputer all operations on qubits must be reversible. In particular, we have thefollowing postulate:

Postulate 4. (State evolution)

Quantum systems evolve over time by unitary transforms on their Hilbert spaces,and any unitary transform represents a valid evolution of a quantum system. Inother words, if a quantum system is in state| H at time tand at a later time tis in state|, then there exists some unitary transform U such that|= U|.

A unitary transform on a Hilbert spaceH is a bijective linear transformationU:H H that preserves inner products:

, =U , U for all| , | H.


17/54

1.2. Information processing 7

Equivalently, U is a bijective linear transformation such that U U = I, where I isthe identity map onH. Or equivalently again, Umaps an orthonormal basis ofHtoanother orthonormal basis ofH.

The tensor product of two unitary transforms U1 :H1 H1 and U2 :H2 H2,which we write

U1

U2, operates on a vector

|

|

H1

H2 in the way one

would expect:(U1 U2)(| |) =U1 | U2 | .

An example of a unitary transform that is extremely important for quantumcomputing is the Hadamard transform, H: C2 C2. The Hadamard transformcan be written in matrix form as

H= 1

2

1 11 1

,

with respect to the orthonormal basis{|0 , |1} ofC2. So H |0= 12(|0 + |1) and

H|1 = 1

2(|0 |1). These states are themselves so important that we give themspecial names:|+:= 1

2(|0 + |1) ,

|:= 12

(|0 |1) .

Another example of a basic unitary transform on C2 is

X=

0 11 0

.

We have X |0=|1 and X |1=|0. Because it flips the value of a qubit, we call Xthe quantum NOT transform. A unitary transform related to NOT but which actson C4 is:

CNOT =

1 0 0 00 1 0 00 0 0 10 0 1 0

.

This matrix representation of CNOT assumes our basis is {|00 , |01 , |10 , |11}.Hence we have CNOT |00 = |00, CNOT |01 = |01, CNOT |10 = |11, andCNOT

|11

=

|10

. As we can see, CNOT flips the second qubit of the tensor product

if the first qubit is|1, and acts as the identity if the first qubit is|0. Thus we callCNOT the controlled NOT transform.

There exists a set of four unitary transforms including Hand CNOT called a setofuniversal quantum gatesthat can approximate any unitary transform arbitrarilywell.2 That is, we can get a very good approximation of an arbitrary transform

2These two transforms along with the phase and /8 transforms suffice; see [15], section 4.5, fora precise explanation. The terms universal quantum gate and circuit complexity come from amodel of quantum computers as circuits.


18/54


unitaryUwith a finite product of these simpler transforms. We assume our quantumcomputer at least has the ability to perform the universal quantum gates on its qubits.Because the product of two unitary transforms is again unitary, the application ofa series of transforms (U1 followed by U2 and so on up to Un) could just as easilybe seen as the application of a single unitary U := UnUn

1

U1. However, we are

interested in computational efficiency, so we care about how many simple transformsare needed to execute our algorithm.

Definition 1.2. The circuit complexity of a quantum algorithm is the number ofuniversal quantum gates required to approximate the unitary transforms used in thealgorithm.

Whether we are analyzing classical or quantum algorithms, an algorithm is con-sidered efficient if it takes time polynomial in the size of the input. Since our inputsare stored as a series of qubits, an input ofN N has size log(N). Thus we are inter-ested in algorithms that take time f(N) polynomial in the logarithm ofN; we write

f= poly(log(N)) in such a case. We want the circuit complexity of our algorithm tobe poly(log(N)) as a function of the input size.

1.3 Information retrieval

Information retrieval also differs greatly between classical computers and quantumcomputers. Rarely do we even consider our ability to retrieve the information storedin a classical computer: we are allowed to access the true value of any of our bits atany time, and looking up a bit does not affect its value. On the other hand, whenwe measure a qubit, we only receive classical information (a value of 0 or 1) even

if the qubit was in a superposition between|0 and|1, and in measuring the qubitwe collapse it to the classical state we measured. Importantly, while the unitaryoperations we considered in the previous section were all reversible, measurement ofa quantum state is an irreversible process.

Postulate 5. (Measurement)Suppose{Mm} is a set of linear transforms acting on a state spaceH such that

m Mm = I. Then we call these Mm measurement operators, and they allow us tomeasurea system| H. The probability that we measure the value m is given by

P(m) =| MmMm | ,

and if we do measure the value m, the state of the system post-measurement isMm |

|Mm | | .

(Note that the requirement

m Mm =I, called completeness, ensures that the lawsof probability are obeyed.)

The most important example of measurement is measurement in the computa-tional basis:


19/54

1.4. The quantum Fourier transform 9

Definition 1.3. Let| CXbe some state vector. To measure| in the compu-tational basis is to measure| with the set of measurement operators being the set{|x x|}xX. Measurement in the computational basis yields some value xX.

For example, if we measure

|+

in the computational basis, we obtain value 0

half the time, and we obtain the value 1 half the time. After measurement, the statebecomes|0 or|1 depending on which value we measured. There are many moresophisticated kinds of measurements, but in this thesis we will need only measurementin the computational basis and partial measurement, which we explain with the nextdefinition. Thus, whenever we say we measure some state vector, we mean that wemeasure it in the computational basis.

Definition 1.4. Suppose| | is some vector inH CX. To measure the secondregister of| | in the computational basis is to measure| | with the set ofmeasurement operators being the set{(I |x x|)}xX, where I is the identity on

H. This measurement yields some valuex

X. Measurement of the first register is

defined analogously.

Note that the state after measurement always projects to a unit vector. For ex-ample, let| = 1

2(|0 |0 + |1 |1). Then, when we measure the second register

of|, we obtain 0 half the time and 1 half the time. If we measure 0, the statebecomes|0 |0, whereas if we measure 1, the state becomes |1 |1. Thus we seethat a measurement of the second register has affected the value of the first regis-ter. This phenomenon, known as quantum entanglement, is important in explaininghow quantum computers might offer a computational speed-up from their classicalanalogues.

1.4 The quantum Fourier transform

One unitary transform in particular, the quantum discrete Fourier transform, willbe a key tool in our development of a quantum algorithm. There are only a fewcategories of quantum algorithms that perform better than the best known classicalalgorithms for the same problem; algorithms based on the quantum Fourier transformmake up one of these categories.3

Definition 1.5. The quantum Fourier transform,F

N: CN

CN, acts on a basis of

CN by

FN|j= 1N

N1k=0

jk |k ,

where:= e2i/N is a primitive Nth root of unity.

3Examples of other classes include quantum search algorithms, such as Grovers algorithm, andquantum annealing algorithms.


20/54


We can easily verify that the quantum Fourier transform is unitary. First we claimthat the inverse of the quantum Fourier transform acts as

F1N |j:= 1

N

N1

k=0

jk |k .

Recall the following basic fact about roots of unity:

Fact 1.6. Let be a primitive mth root of unity, with m > 1, and let r be someinteger. Then we have

1

m

m1k=0

rk =

1 r= 0;0 r= 0.

Straightforward computation, along with this fact, shows that the above formula forthe inverse Fourier transform is correct:

F1NFN|j= 1

N

N1l=0

jl 1

N

N1k=0

lk |k

= 1

N

N1l=0

N1k=0

l(jk) |k

=|j .

Finally, to conclude thatFN is unitary, note that the formula forF1N makes explicitthatFN=F1N , and soFNFN=I.

Quantum algorithms based on the quantum Fourier transform depend cruciallyon the fact that it can be efficiently implemented by a quantum computer. Currently,the best implementations of the quantum Fourier transform have a circuit complexityof only O(log Nlog log N) [11]. It is difficult to explain exactly why the Fouriertransform is so successful in a wide range of applications, but, roughly speaking, theFourier transform gives information about the periodicity of a function. Worth notingis that the quantum Fourier transform of size two is just the Hadamard transform:F2 = H.

1.5 Oracle problems

We have now developed enough background in quantum computing to present anexample of a quantum algorithm: Deutschs algorithm. Deutschs algorithm solvesan oracle problem.

Definition 1.7. In anoracle problem, we are given access to a certain unitary trans-form,Of: CX CY CX CY, called anoracle, that acts on a basis ofCX CYby

Of|i |r=|i |f(i) +r ,


21/54

1.5. Oracle problems 11

wheref is some unknown function fromX toY. (Here, in order thatOfbe unitary,we assume addition makes sense in Y; that is, we assume Y is an abelian group.)The functionf is guaranteed to be from some set of functions F = F1 Fk,anda prioriwe assume some probability distribution over the f F. Our goal is toidentify the family Fi that our function fbelongs to with as few applications of the

oracle as possible.

We call the first register, CX, thequery register, and the second register,CY, theresponse register. Two registers are required because we need the action of the oracleto be reversible. Although this description of an oracle problem may make it seemlike a contrived concept, in fact such problems arise quite naturally in theoreticalcomputer science. We are not really interested in probing some black box for itshidden information. Rather, we think of the oracle as a computationally expensivesubroutine whose behavior we cannot predict except by evaluating it on certain inputs.We can therefore see why we want to minimize the number of calls to the subroutine.In analyzing the efficiency of an algorithm that solves an oracle problem, we must

consider both the circuit complexity and query complexity.

Definition 1.8. Thequery complexityof an algorithm that solves an oracle problemis the number of applications of the oracle it requires.

We are looking for algorithms that solve problems in a probabilistic sense. Thatis, we say that an algorithm solves a problem if it yields the desired result withprobability arbitrarily close to 1. Note that if an algorithm efficiently yields thedesired result with probability greater than c, where c >1/2 is some fixed constant,then in fact this algorithm solves the problem efficiently. This follows from a basicstatistical fact: if we have a coin that is biased towards either heads or tails, with

only a constant number of flips we are able to determine the bias with probabilityexponentially close to 1 by concluding that it is biased towards the side it lands on amajority of the time.

Deutschs problem, unlike oracle problems generally, is rather contrived. The or-acle in Deutschs problem hides two bits x0 and x1 from us and we are asked todetermine the binary sum x0+x1. It is clear that a classical computer requires twoqueries to this oracle to determine x0 + x1 because it needs to know both bits to knowthe sum; in particular, with only a single oracle query, a classical computer has a prob-ability 1/2 of determining the sum because the sum takes the values 0 or 1 with equalprobability independent of the value of one of the hidden bits. Deutschs quantumalgorithm solves Deutschs problem with only one query. We present Deutschs prob-

lem here because historically it was one of the first problems to show that quantumcomputers could be computationally more powerful than their classical analogues,because its solution is simple to explain, and especially because it is a special caseof the Hidden Subgroup Problem, a problem which we will fully define in the nextchapter and which is the focus of this thesis.

Definition 1.9. LetOx0,x1 : CZ2 CZ2 CZ2 CZ2, withx0, x1 Z2 act byOx0,x1 |i |r=|i |xi+r .


22/54


Deutschs problemis to determine the sum x0+x1 (mod 2).

Theorem 1.10. There is a quantum algorithm that solves Deutschs problem with asingle application of the oracle.

Proof: We prove this theorem by demonstrating the algorithm. Deutschs algorithm,first devised in [5], proceeds as follows:

1. Prepare the state| :=|0 |1 CZ2 CZ2. Note that|= (I X) |0 |0,so we could have as easily started with|0 . . . 0, which is a state we assume ourquantum computer can prepare.

2. ApplyH Hto yield (H H) |=|+|.3. ApplyOx0,x1 to yield

Ox0,x1(H H) |=1

2(|0 |x0 |0 |x0+ 1 + |1 |x1 |1 |x1+ 1) .

Ifx0 = 0, then |0 |x0|0 |x0+ 1=|0 |0|0 |1=

2 |0|, and ifx0= 1,then|0 |x0 |0 |x0+ 1 =

2 |0|. The value of|1 |x1 |1 |x1+ 1

depends on x1 similarly. Therefore we may rewrite this state as

Ox0,x1(H H) |= 1

2((1)x0 |0| + (1)x1 |1|)

=(1)x0

2

|0| + (1)x1x0 |1| .4. Apply (H

I) to yield

(H I)Ox0,x1(H H) |=(1)x0

2

|+| + (1)x1x0 ||=

(1)x02

(1 + (1)x1x0) |0| + (1 (1)x1x0) |1| .

5. Measure the first register. Ifx1= x0, then our state is|0|, so we measure 0with probability 1. On the other hand, ifx1=x0, then our state is|1|, sowe measure 1 with probability 1. Either way, we yield the sum x0+x1.

Since Deutschs algorithm invokes the oracle only once, we call it a single-query

algorithm. To solve more sophisticated problems, we will consider multi-query al-gorithms that invoke the oracle multiple times, either in series or parallel. Also, asexplained earlier, we do not require that our algorithm succeed with probability 1 asDeutschs algorithm does. Despite these differences from more advanced algorithms,Deutschs algorithm showcases the general structure of any quantum algorithm thatsolves an oracle problem: prepare a certain state via unitary transforms applied to|0 . . . 0, apply the oracle to this state, apply more unitary transforms to the post-oracle state, and finally measure the state to obtain the desired result.


23/54

Chapter 2

The Hidden Subgroup Problem

In this chapter we explore the group structure underlying problems in quantum com-puting, like Deutschs problem, and see how, as in the case of Deutschs algorithm, theFourier transform is instrumental in attacking such problems. The Hidden Subgroup

Problem provides a unified framework for describing many of the known quantumalgorithms and for suggesting problems that may admit of some quantum solution.We recount the state of the art of the Hidden Subgroup Problem here so that inthe next chapter we may build on existing research and develop an algorithm for aparticular case of the problem, relative to certain assumptions about the feasibilityof another proposed algorithm.

2.1 History and overview

TheHidden Subgroup Problem(HSP) was first introduced by Brassard and Hyer [1]as a generalization of Simons problem, another early quantum problem. Later itwas seen that not only Simons algorithm, but also Deutschs algorithm and themost remarkable known quantum algorithm, Shors algorithm for factorizing integers,all solve special cases of the HSP. Indeed, the key quantum component of Shorsalgorithm,1 the period-finding subroutine, reduces to the HSP for cyclic groups. TheHSP offers an elegant generalization of the task of determining the discrete period ofsome unknown function to determining the period of an unknown function that isperiodic over a group; this is why we might expect the Fourier transform to be acrucial tool. Contemporary research has attempted to find efficient solutions to theHSP in the case of non-abelian groups. Several classes of non-abelian groups have

HSPs that are equivalent to seemingly-unrelated, outstanding problems in computerscience, such as the graph isomorphism problem. No general solution to the HSPexists, and the problem remains an area of active research because it encapsulatesmany independently interesting problems and lies on the border of what might becomputationally feasible with a quantum computer.

1Shors algorithm [22] has two major components: a classical number-theoretic reduction offactoring to finding the order of an element of the multiplicative group Z

N, and a quantum algorithm

for order-finding.


24/54

14 Chapter 2. The Hidden Subgroup Problem

2.2 Statement of the problem

Definition 2.1. Let G be a finite group, X a finite set, H a subgroup ofG, andf: G Xa function such that f(g) = f(g) if only ifg gH. In other words, fis constant and distinct on left cosets ofH. We say that f hides H. The Hidden

Subgroup Problem(HSP) is, given such an f (and therefore knowledge ofG and X),find the subgroup that it hides.

The HSP can be realized as an oracle problem in the following manner. Let Lbethe set of subgroups ofG we are trying to distinguish among, and let Fbe the setof all functions ffor which there exists some subgroup H Lsuch that f hides H.For eachf F, defineOf: CG CX CG CXby

Of|g |r=|g |f(g) +r .Then the HSP asks us to determine the subgroup Hhidden by the function f withas few queries to the oracle

Ofas possible. Usually we assume that

Lis the set of all

subsets ofG, and sometimes we adjust the probability distribution over F to makeeach subgroup equally likely to be chosen. We often ignore the particular functionthat hides our subgroup and writeOH :=Of, where f is an arbitrary function thathidesH.

Deutschs problem is an instance of the HSP. In particular, if we set G = Z2,X= Z2, and the hidden subgroupHto be either the full group Z2or the trivial group,we recover Deutschs problem. The case H=Z2 corresponds to a sum x0+x1 = 0,and the case ofHtrivial corresponds to a sum x0+x1= 1.

Shors problem of finding the order of some elementx of the multiplicative groupZN is also an instance of the HSP. Suppose we are given access to the functionf: Z

NZ

N defined by f(a) = xa (modN). Then, if the order ofx is r, we have

f(a+ r) = f(a) for all a ZN. So with G = ZN and X = ZN, we see that thefunctionfhides the subgroupr.

2.3 The abelian HSP

The abelian HSP has an efficient quantum solution. We will now work through asolution for a special case of the abelian HSP, namely, the HSP for cyclic groups. Notonly is this algorithm quite elegant, but it also offers a good example of the use ofentanglement in quantum computing and has some structural similarity to the HSPalgorithm for a non-abelian group we will develop in the next chapter.

Theorem 2.2. There exists an efficient quantum algorithm for solving the HSP forthe cyclic group ZN.

Proof: We prove this theorem by demonstrating the algorithm. Our presentationfollows Lomont [13], section 3.4. First, realize that the subgroups ofG are Hd :=dfor those dZNsuch that d|N. Suppose our hidden subgroup is Hd and then letM :=N/d. The algorithm repeats the following procedure times, for some constant, obtaining the samplest1, t2, . . . , t as the result of the final measurement in step 6:


25/54

2.3. The abelian HSP 15

1. Prepare the state|0 |0 CZN CZN.2. Apply (FN I) to yield the equal superposition state|:= 1N

N1j=0|j |0.

3. ApplyOHd to yield

OHd(FN I) =N1j=0

|j |fHd(j) .

4. Measure the second register. This obtains some value fHd(j0), and, thanks toquantum entanglement, collapses the first register into an equal superpositionover elements in the coset j0+Hd. Call the resulting vector|j0+Hd:

|j0+Hd= 1M

hHd

|j0+h

= 1M

M1

s=0

|j0+sd .

5. ApplyFNagain, to give the state

FN|j0+Hd= 1M

M1s=0

1N

N1k=0

e2i(j0+sd)k/N |k

= 1

MN

N1

k=0e2ij0k/N |k

M1

s=0e2isdk/N.

But then note that, for some fixed k ,

M1s=0

e2isdk/N =M1s=0

e2ik/M

s=

0 M k;M M| k.

So only those|k that are multiples ofMhave nonzero amplitudes, and thusour state is in fact

FN|j0+Hd= 1d

d1

t=0

e2ij0tM/N |tM .

6. Measure the state vector. We obtain a random element of{0, M , . . . , (d1)M}with uniform probability.

After repeating the above times, we are left with samples t1, . . . , t, which are allrandom multiples ofM. It is a well-known fact from number theory that, with highprobability, the greatest common divisor of a few random numbers in{0, . . . , d 1}is 1; for instance, see Lomonts demonstration in [13], Appendix E. In fact, Lomont


26/54

16 Chapter 2. The Hidden Subgroup Problem

shows= 8 suffices to guarantee that this algorithm succeeds with probability greaterthan 1/2. So we take gcd(t1, . . . , t8) and with high probability get M; we then returnN/M=d and have solved the HSP for ZN.

This algorithm can be generalized to work for an arbitrary finite abelian groupG.The following classical result from group theory offers at least a hint of why that is

so:

Theorem 2.3. (Fundamental Theorem of Finite Abelian Groups, see [6],5.2)Any finite abelian group G is isomorphic to the direct product of a finite number ofcyclic groups.

A general solution to the abelian HSP will break G into its cyclic group factors andapply the above algorithm to these separate factors. Making this idea more preciseis beyond the scope of this chapter; see [13] for the details.

2.4 The non-abelian HSPThere is no known general polynomial-time solution to the non-abelian HSP, butthe HSP has been efficiently solved for certain classes of non-abelian groups such asalmost abelian groups [24], nearly Hamiltonian groups [9], the wreath productZn2 Z2 [18], certain groups of the form Znpk Z2 [19], groups of the formZrp Zp [3],and so on.

Almost all known algorithms for the non-abelian HSP emulate the abelian HSPalgorithm presented in the last section by following the so-called Standard Method.The Standard Method proceeds as follows:

1. Prepare an equal superposition over group elements in the first register and|0in the response register:

|:= 1|G|gG

|g |0 .

2. ApplyOfH:OH |= 1|G|

gG

|g |fH(g) .

3. Measure the second register in order to collapse the first into|

gH, an equal

superposition over some coset gHfor a random gG:

|gH:= 1H

hH

|gh .

Then repeat the above steps times in parallel, obtaining samples|g1H , . . . |gH,and attempt to determine Hfrom these coset states. Again, almost all HSP researchhas focused on the Standard Method, but there is no proof that this approach is


27/54

2.4. The non-abelian HSP 17

optimal. At any rate, the HSP algorithm for a non-abelian group we develop in thenext chapter will employ the Standard Method.

The HSP for the symmetric group and the HSP for the dihedral group are ofparticular interest because of their connections to other problems in computer sci-ence. An efficient solution to the symmetric group HSP would imply a solution to

the notorious graph isomorphism problem [7]. The graph isomorphism problem isone of only a handful of NP problems, like integer factorization, that are neitherbelieved to be in P nor believed to be NP-complete.2 Thus there is some hope thatan efficient quantum algorithm for graph isomorphism exists because the problem iswell-structured in a way that may be particularly suited to quantum computing.Nevertheless, researchers have so far been unable to find an efficient algorithm for thesymmetric group HSP.

An efficient solution to the dihedral HSP would imply a solution to a class ofshortest vector problems in lattices [16]. The supposed intractability of these shortestvector problems is the basis for certain proposed cryptography systems; thus, there

is considerable practical interest in developing a quantum dihedral HSP algorithm.As in the case of the symmetric group, there is no known efficient solution to thedihedral HSP. However, there are many partial results. Regev [16] has shown thatan efficient, approximate solution to the subset sum problem (defined formally insection 3.6) implies an efficient solution to the dihedral HSP. Kuperburg [12] dis-covered a subexponential, but not polynomial, time algorithm for the dihedral HSP.Baconet al.[3] showed that, under the assumption of the Standard Method, a generalmeasurement technique for distinguishing quantum states, the so-called Pretty GoodMeasurement, is optimal for the dihedral HSP. Further, in [4] they extend the resultsof Regev and show that the ability to implement the Pretty Good Measurement forthe dihedral HSP is equivalent to the ability to quantum sample solutions to the

subset sum problem.In the next chapter, we build on the work of Bacon et al. and show that their

proposed algorithm for the dihedral HSP, which assumes a kind of quantum subsetsum solver, in fact applies to a much broader class of groups. The dihedral groupDn is the group of symmetries of a regular n-gon, but can also be envisioned moreabstractly as a semidirect product ZNZ2. The algorithm in the next chapter appliesto arbitrary semidirect products of a cyclic group by a prime cyclic group. The factthat the dihedral algorithm of Bacon et al. [4] readily generalizes to ZN Zp (forfixed p) may suggest that the assumption of an efficient quantum subset sum solveris too strong, and that no such algorithm exists. Regardless, the connection betweenthe HSP for ZN Z2 and for ZN Zp is worth demonstrating.

2The complexity class P consists of decision problems that can be solved in polynomial time (i.e.,those admitting what we have termed an efficient solution). The complexity class NP consists ofdecision problems whose solutions can be verified in polynomial time. NP-complete problems are,roughly, the hardest problems in NP. For a technical treatment of computational complexity, see[23], chapter 7.


28/54


29/54

Chapter 3

The HSP for ZN Zp

In this chapter we present original research. The major theorem of this chapter is thefollowing:

Theorem 3.1. If there is an efficient implementation of the Pretty Good Measure-ment for the dihedral HSP, there is an efficient quantum algorithm that solves theHSP forZN Zp, withNany natural number andp prime.

We prove this theorem by demonstrating such an algorithm. Ettinger and Hyer [8]have reduced the dihedral HSP to the problem of finding a hidden trivial subgroupor hidden order 2 subgroup. Bacon et. al. [3] generalized this reduction by reducingthe HSP over A Zp to finding a hidden trivial subgroup or hidden cyclic order

p subgroup. They then apply the Pretty Good Measurement and discover efficientalgorithms for several classes of semidirect product groups, including the metacyclicgroup ZN Zp, provided that N/p is poly(log(N)).

Here we consider the hidden subgroup problem on ZN Zp with N/p super-polynomial in the logarithm of N. We generalize an algorithm presented in AsifShakeels PhD thesis [21] for the dihedral group (which can be realized as ZN Z2)to ZN Zp. The dihedral algorithm Shakeel presents comes from another paperby Bacon et. al. [4] Our algorithm, as in the dihedral case, assumes that we canefficiently quantum sample solutions to the subset sum problem, which is known tobe NP-complete. Bacon et. al. [4] show that being ample to implement the PrettyGood Measurement for the dihedral HSP implies the ability to quantum sample subsetsum solutions.

3.1 The metacyclic group ZN Zp

Letp be a prime andNany integer. The metacyclic groupG := ZN Zpis presentedasa, b|ap =bN =e,aba1 =bk for some k such that kp = 1 (modN). From nowon we writeZNk Zp to stress that the conjugation factork is necessary to preciselyspecify the group and that we always have knowledge ofk. Note that k = 1 givesthe direct product, an abelian group whose HSP has been efficiently solved, so weassume k= 1. Also, k =1 is only possible for p = 2; in this case, we have the


30/54

20 Chapter 3. The HSP forZN Zp

dihedral group whose HSP is the subject of [21], so we assume further that k=1.Of course,k ZN.

We will write G ={(x, y) Zp ZN}, with multiplication given by

(x, y)

(x, y) = (x+x, kxy+y).

(N.B.: In keeping with Shakeels presentation of the dihedral algorithm, we havechosen to write the pairs (x, y)G with the first coordinate corresponding to Zp andthe second corresponding to ZN, even though the notation ZNkZp might suggestthe opposite is more natural.)

Following the notation of Bacon et. al., for convenience we define j ZN as

j :=

j1i=0

ki.

Define the subgroups

Hl :=(1, l)={(0, 0), (1, l), . . . , (p 1, (kp2 + + 1)l)}={(a, al)}p1a=0,

forl ZNsuch that pl= 0. These distinct order p subgroups will be the subgroupswe are trying to distinguish. By the reduction of Bacon et. al., distinguishing theseis enough to solve the HSP (because, as they explain, we can identify the trivialsubgroup in a constant number of queries).

It will be useful to consider the characters of both Zp and ZN, so define

:=e2i/p,

:= e2i/N.

3.2 Overview of the algorithm

Our algorithm is presented in two parts: single-query and multi-query. We run thesingle-query algorithm in parallel many times. Each run may result in success orfailure. The input to the multi-query algorithm is the tensor product ofj copies ofsuccessful single-query runs.

We assume that CG is encoded into our quantum computer in a reasonable way

so that we may write|(x, y) in two registers as|x |y. With this assumption, it iseasy to create the equal superposition state:

(Fp FN I) |0 |0 |0= 1pN

p1j=0

N1m=0

|j |m |0

= 1|G|

gG

|g |0 .


31/54

3.2. Overview of the algorithm 21

Each single-query iteration follows the Standard Method. The Standard Methodcalls the oracle on an equal superposition of all group elements in the query registerand zero in the response register:

OHl 1|G| gG |g |0 =

1|G| gG |g |fHl(g) .We then measure the response register to collapse to the state

|gHl:= 1p

hHl

|gh ,

for a randomgG. Suppose g = (x, y). Then we have

|gHl

=

1

p

p1

j=0 |

x+j

|kjy+ jl

.

By applying a series of quantum Fourier transforms and measurements to|gHl,we are able, with a probability dependent only on p, to yield the state

|= 1pN

p1j=0

N1m=0

(kjy+j l)m |m .

We then use a partial measurement to collapse|into the space

V = C

|

+ C

|k

+ C

|

+ C

|k

,

for some ZNand sum the amplitudes in the| and|k components and theamplitudes in the| and|k components to yield the state

|= 12

(l/2 | +l/2 |).

This state is the same state Shakeel reaches at the end of one run of the single-query algorithm he presents for the dihedral group. Accordingly, we take the tensorproduct of many copies of|for random values of and plug them into the multi-query algorithm, which proceeds exactly as in the dihedral case. With a subset sum

solver we can identify l with high probability with only O(log(N)) queries.Figures 3.1 and 3.2 on the next page present diagrams of quantum circuits imple-

menting the single-query and multi-query algorithms respectively.


32/54


iZp

|i

jZN

|j

|0

OHl

Fp

FN

|

Rejectif

=0

|

R

ejectif

/Rr

Sum

amplitude

of|,|k;

of|,|k.

|

Figure3.1:TheSingle-Query

Algorithm

|1

|j

.. ... .

=

(1,...,j

)

Subset

sum

solver

Makethe

identification

|bmm

|b

bSz

|b

|z

F1

2

N

lorl+

N

Figure3.2

:TheMulti-Query

Algorithm


33/54

3.3. Preliminaries 23

3.3 Preliminaries

As explained in the overview, in the single query-algorithm we need to project thevector|into the spaceV for some ZN. The spacesV over all ZNclearlyoverlap. The aim of this section is to show how we can nevertheless project

|

into

these subspaces, and in particular collapse|intoV with a random element of alarge subset ofZN.

First we need the following result about the effect of multiplication by k on anelement ofZN:

Claim 3.2. For eachm ZN, eitherkm= m orkjm=m for any0< j < N.Proof: Fix some m ZNand letj be the smallest positive integer such that kjm=m. Then note kpm = m = kjm and kj has a multiplicative inverse, so in factkpjm= m. We can repeatedly multiply by kj to arrive at krm= m for r < j . Butby the minimality ofj , it follows that r = 0. Thusj dividesp, which meansj = 1 or

j = p.

Them ZNsuch thatkm= mare in some sense badly behaved for our purposes;accordingly, define the set

ZN :={m ZN :km=m}.If we set q := N/gcd(N, k 1), then ZN ={m ZN : m= qy for ally ZN}. Inparticular,q2, so|ZN| N2. For Nprime, ZN= ZN\ {0}.

For eachm ZN, define the setOm:={m,km,k2m , . . . , kp1m}.

Obviously theOm partitionZN. By the above claim, for m ZN, we have|Om|= pand form

ZN

\Z

N

, we have|O

m

|= 1. Note that m

Z

N

if and only if

m

ZN

,and thatOm andOm are disjoint unless m is 0 or N/2, which are never elementsofZN. The spacesV

that we wish to project into are subspaces ofC(Om Om).We now explain how to associate one V to eachOm Om by choosing a randomrepresentative of this set every single-query iteration.

Forij withi, j Z, define the operator ordj{a1, . . . , ai} to be thejth element ofthe set{a1, . . . , ai}when ordered from least to greatest. We will take a1, . . . , ai ZNwith the order defined as 0 < 1


34/54


In the single-query algorithm, we will create the vector

|= 1pN

p1j=0

N1m=0

(kjy+j l)m |m .

for a random y ZN. With an auxiliary qubit of|0, we will apply the transform : CZN CZN CZN CZNdefined as

:|m |s |m |g(m) +s ,

to| and then measure the second register to hopefully project this vector into oneof the states

V := C | + C |k + C | + C |k ,for Rr.

Example 3.3. In the case ofN = 13, p= 3, k = 3, and r= 1, we have Rr ={1, 2}with

V1 = C |1 + C |10 + C |12 + C |3 ,V2 = C |2 + C |7 + C |11 + C |6 .

The left over spaces are C |0, C |4, C |5, C |8 and C |9.Claim 3.4. Form ZN, define,

probavg(m) := 1

pN2

N1

y=0

p1

j=0

(kjy+j)l)m

2

.

Note thatprobavg is the average probability, over all values ofy, of measuring the

valuem if we were to measure|. We claim thatprobavg(m) = 1N form ZN.

Proof: We compute

1

pN2

N1y=0

p1j=0

(kjy+j l)m

2

= 1

pN2

N1y=0

p1j=0

(kj

y+j

l)m

p1j=0

(kj

y+j

l)m

= 1

pN2

N1y=0

p+ 2

i>jZpRe

(k

iy+il)m(kjy+j l)m

= 1

N +

2

pN2

N1y=0

i>jZp

Re

(kiy+ilkjyj l)m

.


35/54

3.4. Single-query algorithm 25

Fix some i > j Zp. We wish to showN1y=0

Re

(kiy+ilkjyj l)m

= 0.

Of course, it suffices to showN1y=0

(kiy+ilkjyj l)m = 0.

Then noteN1y=0

(kiy+ilkjyj l)m =

N1y=0

(kikj)my,

for some C. But since km=m, we know (ki kj)m= 0. So set r := gcd((ki kj)m, N). Then(k

ikj)m is a primitive rth root of unity, and thus

N1y=0

(kikj)my =

N

r

r1y=0

(kikj)my = 0,

which finishes proof of the claim. With this claim established, it follows that the probability that measuring the

second register projects | into a particular V for Rr is 4N. In order tocompute how likely we are to project | into any V, we must consider the sizeofRr. We established previously that|ZN| N2, and since|Om Om|= 2p for allm ZN, we have that|Rr| N4p. Thus the probability of projecting into some Vis greater than or equal to 4

N N

4p 1

p

. ForNprime, this probability is actually2(N1)

Np 2

p . We can know when we have successfully projected into a V since we

know r and we know , so we can check if Rr. If we do not succeed we throwaway that run of the single-query algorithm. When we do succeed, we have that is a random element ofOm Om for a random mZN. Thus, since the size of alltheseOm are the same and they partitionZN, we have in fact chosen uniformly atrandom fromZN.

3.4 Single-query algorithm

The Standard Method gives

|gHl= 1p

p1j=0

|x+j |kjy+ jl .

ApplyFp I:

(Fp I) |gHl= 1p

N

p1j=0

p1s=0

(x+j)s |s

|kjy+ jl .


37/54

3.4. Single-query algorithm 27

second register is |0. We then we apply a Hadamard transform on the second register.Calling the resulting vector|, we have

|=p1

j=0

(kjy+j l) | |+ +

p1

j=0

(kjy+j l)k ||

+

p1j=0

(kjy+j l) | |+ +

p1j=0

(kjy+jl)k || .

Measure the second register in the computational basis. Suppose we measure 0.Then, calling the result|, we have

|=p1j=0

(kjy+jl) +(k

jy+jl)k |

+

p

1

j=0

(kjy+j l) +(kjy+j l)k |

Clearly these two amplitudes are conjugates of one another and thus the compo-nents have the same magnitude. But also note that we have

p1j=0

(kjy+jl) +(k

jy+jl)k =c l/2,

for some c

R. To see this, recall that jl= 0 and perform the following computa-

tion:

y +(ky+l) + +(kp1y+(kp2++1)l)+ ky +k(ky+l) + +k(kp1y+(kp2++1)l)

= l((y+kp1l++kl) +ky + +(kp1y+kp2l++kl))

+ (ky +(k2ykl) + +(ykp1lkl))

= lz+z

for some z= 0 C. (We have z= 0 because otherwise we would not have projectedinto V

.) But then observe that

lz+z= l/2(l/2z+l/2z)

= l/2(+)

for some = 0 C, and of course (+) R. So the state in fact projects to

|= 12

l/2 | +l/2 | .


38/54


Note that (+ )= 0, because otherwise we would not have measured 0 in theauxiliary register. So suppose instead we measure 1. We have

|=p1

j=0

(kjy+j l) (kjy+jl)k |

+

p1j=0

(kjy+j l) (kjy+j l)k | .

Substantially similar calculations to the previous case show that

|= i2

l/2 | +l/2 | .

But we can correct for the global phase by applying the transform|m i |m, soin fact we have |= 1

2

l/2 | +l/2 | .

3.5 Multi-query algorithm

To reach the state 12

(l/2 | +l/2 |), we need = 0 and Rr. Call sucha run of the single-query algorithm a successful run. Our input into the multi-queryalgorithm will be the tensor product ofj successful runs; that is, we start with thetensor product ofj samples of these|s. We will use the vector:= (1, . . . , j)(ZN)

j to index the s. So our state at the beginning of the multi-query algorithm is

|:=j

m=1

|m ,

for some chosen uniformly at random among elements of (ZN)j.

We now introduce a version the subset sum problem and demonstrate its connec-tion to our HSP algorithm.

Definition 3.5. Let b= (b1, . . . , bk) be an element of{1, 1}j and define

b :=j

m=1

bmm (mod 2N).

For anyz Z2N, we define

Sz :={b {1, 1}j : b = z}.

Thesigned subset sum problemis, given some andz, find the set Sz.


39/54

3.5. Multi-query algorithm 29

With this subset sum notation, we can write our vector| in a more sophisti-cated way:

|= 12

(1l/2 |1 +1l/2 |1) 12

(j l/2 |j +j l/2 |j)

=

b{1,1}j

12j

bl/2

jm=1

|bmm

= 1

2j

zZ2N

zl/2bSz

jm=1

|bmm .

Since the vector is known to us, it makes sense to identifyj

m=1 |bmm with|b. Under this identification we have

|= 12j

zZ2N

zl/2bSz

|b .

Now we will suppose we have a solution to the signed subset sum problem. Thesets Sz form a partition of all theb {1, 1}j, so for any z=zZ2N, the vectors

bSz |b and

bSz

|b are orthogonal. Define nz :=|Sz | and define

Z :={z Z2N : nz= 0}.

Then the vectors (1/nz )bSz |b

for z

Z are orthonormal, so we can find some

unitary transformationthat sends (1/

nz )

bSz |b |z. In order to apply thetransformwe need to be able to quantum sample subset sum solutions; that is, weneed to be able to create an equal superposition over all vectors bsuch that b = zfor anyz Z2N. Applying , we have

|= 12j

zZ

nz

zl/2 |z .

We apply the inverse quantum Fourier transform on Z2N:

F12N|= 12j

12N

yZ2p

zZ

nz

zl/2zy/2

|y

= 1

2j+1p

yZ2N

zZ

nz

z(ly)/2

|y .

Measure in the computational basis. Note that when we plug in y = l, we getz(ly)/2 = 1. When we plug in y = l+N, we get z(ly)/2 =eiz , which is 1 ifz is


40/54


even and1 ifzis odd. Our success probability is the probability of measuring l orl+N(from which we can obtain l since we know N):

psucc,= 1

2j+1N

zZ2N

nz

2+

1

2j+1N

zZN

n2z zZNn2z+1

2

Since 2Nis even, the elements ofZ are either all even or all odd. Thus we have

psucc,= 1

2jN

zZ2N

nz

2.

Our is chosen uniformly at random from (ZN)j . So our overall probability of

success is

psucc= 1

2jN|ZN|j

(ZN)j

zZ2N

nz

2.

3.6 Analysis of probability of success

In analyzing this probability of success, it will help to consider another, more standardversion of the subset sum problem which is in fact equivalent.

Definition 3.6. Let d = (d1, . . . , dk) be an element of{0, 1}j and define

d :=j

m=1

dmm (mod N).

For anyz ZN, we defineSz :={d {0, 1}j : d = z}.

Thestandard subset sum problemis, given some and z, find the set Sz.

As stated earlier, the elements of Z are either all even or all odd. Consideronly the w Z2Nof the same parity as elements in Z. Then there is a bijectionbetween the sets Cw and the sets S

z forz ZNthat preserves cardinalities. For any

b {1, 1}j, let d be given by di = 0 bi =1 and di = 1 bi = 1. Note thatb = (1, . . . , 1) + 2(d ). So if we let z:= d and c := (1, . . . , 1) , wehave|C2z+c|=|Sz |.

Thus, defining nz :=|Sz |, we can write the probability of success of the multi-query algorithm as

psucc= 1

2jN|ZN|j

(ZN)j

zZN

nz

2. (3.1)

Our probability of success is very similar to that of Bacon et. al. [4] However,whereas their is chosen uniformly at random from ZjN, ours is chosen from (Z

N)

j .

We must show that this does not matter and that the ds spread out evenly amongtheSz forj on the order of log(N).


41/54

3.6. Analysis of probability of success 31

3.6.1 A lemma on the distribution of ds

Lemma 3.7. For a fixedz ZN and uniformly random from(ZN\ {0})j, define

(j) := Prnz3

42

j

N .

Then we have(j)0.99 forj2 lg(N) + 10.

We first recap some work done in Regev [16]. Fix some z ZN, and consider auniformly random ZjN. For each d {0, 1}j, with d= 0j, we define the randomvariable Xdto be 1 if

d =zand 0 otherwise. Because the sum i diui (mod N) isevery value with equal probability, we have E

Xd

= 1N. ThusE[n

z ]E

Xd

=

E

Xd

= 2j1N

. Further, Regev shows that for any d= d, the variables Xd andXd are independent. Thus we can apply the Chernoff bound to give

Pr

Xd0.98,

forj2 lg(N) + 10. Then the same calculations as in the case ofNprime show that

psucc(0.98)25

8 >0.6.

3.7 Conclusion

To successfully identify the hidden subgroup Hl with probability greater than somefixed constant greater than 1/2, we need O(log(N)) successful runs. We measure= 0 with probability 1/p and we measure Rr with probability at least 1/p,so we need only O(p2 log(N)) queries to yield O(log(N)) successful runs. But sinceN/p= poly(log(N)), this is just O(log(N)) queries. Thus we have presented anefficient algorithm for solving the HSP on ZNkZp under the assumption that we

can efficiently quantum sample solutions to the subset sum problem. We remarkthat, as in the case of the dihedral HSP, the subset sum solver is required only forthe multi-query algorithm and that the single-query algorithm may be independentlyof interest.


44/54


45/54

Chapter 4

Representation Theory and the

HSP for ZN Zp

In the previous chapter we presented an efficient algorithm for solving the HSP forZNk Zpunder the assumption that there is an efficient implementation of the PrettyGood Measurement for the dihedral HSP. Our approach was to mimic the algorithmof Bacon et al. [4] for the dihedral group wherever possible; however, we providedno justification for many steps of our procedure. In this chapter, we motivate someof our decisions from the perspective of representation theory. In particular, we givesome reasons for why it is appropriate to apply a series of Fourier transforms on eachcomponent and why we would want to project our state into a subspace ofCZN. Fora quick overview of the representation theory of finite groups used in this section, seeAppendix A.

4.1 The Fourier transform over a group

Earlier we considered the discrete Fourier transform, but it is in fact possible to definethe Fourier transform over any arbitrary finite group. We shall see that the Fouriertransform over the cyclic group ZN is exactly the discrete Fourier transform definedin chapter 1. Let G be a finite group and let G be a complete set of inequivalentirreducible representations ofG (see Fact A.5 for the definition of a complete set ofirreps). Note that the Fourier transform over a group depends, as the definition belowmakes clear, on the set Gof irreducible representations we choose. Define the Fouriercoefficients [(g)]a,b, for g

G and

G of dimension d with 1

a, b

d, to bet

the (a, b)th entry of the matrix (g).

Definition 4.1. The quantum Fourier transform over a finite group G,FG, acts ona basis ofCG by

FG |g=G

1a,bd

d|G| [(g)]a,b |,a,b .


46/54

36 Chapter 4. Representation Theory and the HSP forZN Zp

The sum of the squares of the dimensions of the irreps equals the size of the group(see Fact A.5), so it is easy to see that there are the same number of basis vectors|,a,b as|g. For an overview of the quantum Fourier transform over a group,and its applications to the HSP, see the masters thesis of Jean-Noel Murphy [14].Murphy shows that

FG is indeed a unitary transform, and thus in principle could be

implemented by a quantum computer. However, there is no guarantee that there isanefficientway of implementing the Fourier transform for an arbitrary group G; thatis, there is no known general decomposition ofFGinto a product of only a few simpletransforms. Efficient implementations of the quantum Fourier transform do exist formany families of groups; see [17] for the cases of Abelian groups, the dihedral group,and the symmetric group.

All known efficient quantum solutions to the HSP for a group G are essentiallybased on the quantum Fourier transform over G. To see where the Fourier transformcomes into play, we redo some computations in Childs and van Dam [2], sections VI Aand VII C.

Definition 4.2. The right regular representation R : GGL|G|(C) acts on a basisofCG by:

R(g1) |g2=|g2g11 .Theorem 4.3. Recall that|gH is the coset state that results from the StandardMethod applied to the HSP. Define,

H := 1

|G|gG

|gH gH|

to be the statistical ensemble (ormixed state) over all|gH for all possibleg G.Then the Fourier transform overG block-diagonalizesH, from which we sample as

part of the Standard Method.Proof: We will show first that the Fourier transformFG breaks R into its ir-

reducible components. If we write R(g1) =

g2G |g2g11 g2|, and define R(g1) =FG |g1 FG, then we can compute

R(g1) =g2G

FG |g2g11 g2| FG

=g2G

,G

da,b=1

da,b=1

dd

|G| [(g2g11 )]a,b[

(g2)]a,b |,a,b , a, b|

=g2G

,G

da,b,c=1

da,b=1

dd

|G| [(g2)]a,c[(g11 )]c,b[

(g2)]a,b |,a,b , a, b|

=G

da,b,c=1

|,a,b [(g1)]c,b , a, b|

=G

(Id (g1)),


47/54

4.2. Irreducible representations ofZNk Zp 37

where Id is the d d identity matrix, and we have used the orthogonality ofirreducible representations (see Lemma A.6) in the third line. We can write the cosetstate |gH that results from the Standard Method as |gH= 1|H|

hHR(h) |g. Then

the mixed state H is

H= 1|G| |H|gG

h1,h2H

R(h1) |g g| R(h2)

= 1

|G| |H|

h1,h2HR(h1h

12 )

= 1

|G|hH

R(h).

The upshot of this computation is that, since the Fourier transform over G blockdiagonalizesR, it is also the case thatFG block diagonalizes H.

We now will demonstrate that our HSP algorithm employs the Fourier transform

over ZNk Zp, although we have previously not described it in those terms. Thereforewe must investigate representations of ZN k Zp and work out explicitly how theFourier transform over ZNk Zp acts.

4.2 Irreducible representations ofZNk Zp

We now compute the irreducible representations ofG:= ZNkZp. We follow Serre[20], section 8.2, which explains how to use Mackeys criterion to construct the ir-reducible representations of a semidirect product by an abelian group from repre-sentations of the component groups. See Serre for a precise statement of Mackeys

criterion.Let X = Hom(ZN, C

) be the group of irreducible representations of ZN. Theelements ofX are m for 0m N 1, where m is determined by m(1) = mfor some primitive Nth root of unity . The group G acts on Xby

(g)(y) =(g1yg) for gG, X, y ZN.We are interested in the orbits ofX under Zp (considered as a subgroup ofG). Fixsome mX. Then

((x, 0) m)(0, 1) =m((x, 0) (0, 1) (x, 0)) =m(0, kx) =mkx.Thus we see that ((x, 0)m) = mkx. There are two cases to consider. If km =m, then the orbit of m under Zp is just{m}. If km = m, then, as we haveseen earlier, kxm= m for all 1 x p 1, so the orbit of m under Zp is{m, km, k2m, . . . , kp1m}. These orbits correspond to the setsOm defined insection 3.3. As in the previous chapter, let us set q := N/gcd(N, k 1), andZN :={m ZN : m= qy for all y ZN}. Choose some system of representa-tives i from the orbits of X under Zp. Recall that we have ki = i exactly when

i / ZN.


48/54


First consider the case where i / ZN. Let jHom(Zp, C) for 0jp 1 bean irreducible representation ofZp defined by j(1) =

j, where is a primitive pthroot of unity. Let : G Zp be the canonical projection. Define

i,j =i (j )Hom(G, C).(See Definition A.8 for the definition of a tensor product of representations.) Theni,j is an irreducible one dimensional representation ofG. Explicitly, we have

i,j(x, y) = (i (j ))(x, y) =i(y) j(x) =iy jx . (4.1)

Now consider the case where i ZN. Definei,= Ind

GZN

(i)Hom(G,GLp(C)),(See Definition A.9 for the definition of a tensor product of representations.) Then i,is an irreduciblep-dimensional representation ofG. We can compute the character of

i, by applying the Frobenius formula. Let i(g) =i(g) ifg ZNand 0 otherwise.Then for (x, y)G, we have

Tr(i,(x, y)) =

(x,0)G/ZNi((x, 0)(x, y)(x, 0))

=

(x,0)G/ZNi(x, k

xy)

=

0 :x= 0p1

j=0kjiy :x = 0

Let g := (x, y) and s := (s, 0) be elements ofG. We compute the matrix for i, (seeFact A.10 for an explanation of this computation):

i,(g) =

i(0 g 0) i(0 g 1) i(0 g p 1)i(1 g 0) i(1 g 1) i(1 g p 1)

... ...

. . . ...

i((p 1) g 0) i((p 1) g 1) i((p 1) g p 1)

=

i(x, k0y) i(x+ 1, k

1y) i(x+ (p 1), kp1y)i(x 1, k0y) i(x, k1y) i(x+ (p 2), kp1y)

... ...

. . . ...

i(x (p 1), k0

y) i(x (p 2), k1

y) i(x, kp1

y)

=

0 0 kxiy 0 00 0 0 kx+1iy 0...

. . . ...

... ...

. . . ...

0 kx+(p1)iy 0 0 0

. (4.2)

Mackeys criterion guarantees that for any of the i,j or i, we have just defined,the representation i,j is indeed irreducible and ifi,j and i,j are isomorphic, then


49/54

4.3. The Fourier transform overZNk Zp 39

i = i and j = j. Therefore these (Np)/q one-dimensional representations and(N (N/q))/p p-dimensional representations are all the irreducible representationsofG, as can be verified by the following calculation (see Fact A.5):

N

qp 1 + (N N

q)

p p2

=N p=|G|.In conclusion, we have proved the following:

Theorem 4.4. A complete set of irreducible representations ofZNkZp isi, fori ZN andi,j fori ZN\ ZN, j Zp, where the are defined as in (4.1) and (4.2)above.

4.3 The Fourier transform over ZNk Zp

In the algorithm presented in chapter 3, rather than use the Fourier transform overG := ZNk Zp, we applied a series of Fourier transforms on each register. In thissection, we show that our application of Zp followed by ZN approximatesFG in acertain sense.

Suppose Gis a complete set of the irreducible representations ofG; we can supposefurther that the elements ofG are labeled as i,j or i, as defined in the previoussection. LetZN be the set of i ZN such that i, G. Then, let us see howFGacts on an element|(x, y) CG:

FG |(x, y)= G 1a,bd

d

|G

|[(x, y)]a,b |,a,b

= 1

pN

iZN\ZN

p1j=0

i,j(x, y) |i,j +

2iZN

1a,bp

[i,(x, y)]a,b |i,, a , b

= 1

pN

iZN\ZN

p1j=0

iy jx |i,j +

2iZN

p1j=0

kx+jiy |i,, j , j x

= 1

pN iZN\ZNp1

j=0

iy

jx

|j |

i

+kx

2 iZN

iy

|0 |

i ,

where we have relabeled the vectors|i,jas|j |i CZp CZN and|i,, j, x+jas|0 |kji CZp CZN.

On the other hand,Fp Iacts on|(x, y) CG by

(Fp I) |(x, y)= 1p

p1s=0

sx |s |y .


50/54


Now suppose we measure the first register of (FpI) |(x, y) and in particular measure0; the resulting state is merely|y. If we now applyFNand call the resulting vector|, we have

|= 1N

N1

i=0

iy |i .

Note that| agrees withFG |(x, y) in the coordinates corresponding to iZN. Ifwe projectFG |(x, y) intoCZp CZNand call the resulting vector|, we have

|= 1|ZN|

iZN

iy |i .

Thus, as long as we project our state vector into some subspace ofCZN, the procedureof applyingFp, measuring the first register, and then applyingFN yields the sameresult as applying

FG would. We follow exactly this series of steps in the single-

query algorithm of section 3.4. The vector| defined in that section is created byapplyingFp to the coset state|gHl from the Standard Method, measuring 0 in thefirst register, applyingFNto the resulting vector, and finally projecting the stateinto some subspace ofCZN. However, the most remarkable step of the algorithm, inwhich we sum the amplitudes of| in the| and|k components, is still notadequately explained by the considerations of this chapter. It would be extremelyinteresting if representation theory gave somea priorijustification for this step. Wehave been unable to find such a justification.


51/54

Appendix A

Basic Representation Theory

In this appendix we quickly recap the basic definitions and theorems from grouprepresentation theory used in chapter 4; for a in-depth treatment of the representationtheory of finite groups, see Serre [20] or Dummit and Foote [6], chapter 15.

Definition A.1. A representation of a finite group G is a group homomorphism :GGL(V), where Vis some vector space over a field F. We will always take Fto beC and V to be finite-dimensional of dimensiond; thus we will consider to bea map from G to GLd(C) and from now on we do not state the assumption that ourbase field is C. Fixing a basis ofV Cd , we can realize (g) as ad d matrix foreachgG. We say that d is the dimension of.

Two representations, 1 : G GL(V) and 2 : G GL(W) are isomorphic ifthere is some isomorphism from V to W such that 1(g)(v) = 2(g)((v)) for allg

G, v

V.

Definition A.2. A subspace W V is said to be an invariant subspace of if(g)(W) W for all g G. If there are no nontrivial (i.e. proper and nonzero)invariant subspaces of, then we say is irreducible.

Definition A.3. Let : GGL(V) be a representation ofG, and suppose we haveV V1V2, where V1 and V2 are nontrivial invariant subspaces of . Then isdecomposable, and we write = 1 2, where i is the restriction oftoVi. If isnot decomposable, we say is indecomposable.

An important first result in representation theory says that irreducibility is the

same as indecomposability as long as we are working over a field of characteristic 0:

Theorem A.4. (Maschke)A representation ofG is irreducible if and only if it is indecomposable. Thus anyrepresentation can be written as,

= 1 k,

where1, . . . , k are irreducible representations.


52/54

42 Appendix A. Basic Representation Theory

Because we can break up any reducible representation into a direct sum of irre-ducible representations, we focus our attention on irreducible representations, whichwe sometimes callirrepsfor shorthand. The following fact helps us find all the irreps:

Fact A.5. A finite group G has a finite number of non-isomorphic irreducible repre-

sentations. We call a maximal set of non-isomorphic irreps acomplete set of irreps.LetG be a complete set of irreps ofG. Then,

|G|=G

d2,

whered is the dimension of.

In section 4.1 we use the following corollary ofSchurs lemma (see [6],15.1):Lemma A.6. (Orthogonality of irreducible representations)For two irreps, ofG we have

d|G|gG

[(g)]i,j [(g)]i,j =,i,ij,j,

where, = 1 if= and0 otherwise.

Definition A.7. Associated to each representation is its character, : G C,where, for eachgG,(g) = tr((g)), the matrix trace of(g). Note that this traceis independent of the basis of the matrix representation of(g). We can see that aone-dimensional representation is essentially the same as its character.

Definition A.8. If1 : GGL(V) and 2 : GGL(W) are representations ofG,then thetensor productof these representations is 1 2 : GGL(V W), and itacts as we would expect: (1 2)(g)(v w) = 1(g)(v) 2(g)(w). We can checkthat 12 =1+2 and12 =1 2.Definition A.9. Let : H GL(V) be a representation of H, where H is somesubgroup ofG. Let t1, . . . , tn be representatives of the cosets ofH in G. Then theinduced representation IndGH() acts on the space V =

ni=1 tiV by g

ni tivi =n

i tj(i)(hi)vi, where viVand we have writtengxi= xjhwithhH in a uniqueway for each i.

The following fact lets us compute an explicit description of the induced repre-sentation:

Fact A.10. Let : H GL(V) be a representation of H < G. Define : GGL(V) to be(g) ifgH and0 otherwise. Lett1, . . . , tn be representatives from thecosets ofH inG. The matrix of the induced representation is the block matrix

IndGH() =

(t11 gt1) (t11 gt2) . . . (t

11 gtn)

(t12 gt1) (t12 gt2) . . . (t

12 gtn)

... ...

. . . ...

(t1n gt1) (t1n gt2) . . . (t

1n gtn)

.


53/54

References

[1] G. Brassard and P. Hyer. An exact quantum polynomial-time algorithm forSimons problem. In Proceedings of the 5th Israeli Symposium on Theory ofComputing and Systems (ISTCS97), pages 1223. Society Press, 1997.

[2] A. Childs and W. van Dam. Quantum algorithms for algebraic problems. Rev.Mod. Phys., 82:152, Jan 2010.

[3] D. Bacon; A. Childs; and W. van Dam. From optimal measurements to efficientquantum algorithms for the hidden subgroup problem over semidirect productgroups. 46th Annual IEEE Symposium on Foundations of Computer Science,pages 469478, 2005.

[4] D. Bacon; A. Childs; and W. van Dam. Optimal measurements for the dihedralhidden subgroup problem. Chicago Journal of Theoretical Computer Science,2005.

[5] David Deutsch. Quantum theory, the Church-Turing principle and the universalquantum computer. Proceedings of the Royal Society of London, 400:97117,

1985.

[6] D. Dummit and R. Foote. Abstract Algebra. Prentice Hall, Englewood Cliffs,New Jersey, 1991.

[7] M. Ettinger and P. Hyer. A quantum observable for the graph isomorphismproblem. eprint, arXiv:9901029, 1999.

[8] M. Ettinger and P. Hyer. On quantum algorithms for noncommutative hiddensubgroups. Advances in Applied Mathematics, 25:239251, 2000.

[9] D. Gavinsky. Quantum solution to the hidden subgroup problem for poly-near-

hamiltonian groups. Quantum Information and Computing, 4:229235, 2004.

[10] Amit Hagar. Quantum computing. The Stanford Encyclopedia of Philosophy,http://plato.stanford.edu/archives/spr2011/entries/qt-quantcomp/ ,2011.

[11] L. Hales and S. Hallgren. An improved quantum Fourier transform algorithm andapplications. In In Proceedings of the 41st Annual Symposium on Foundationsof Computer Science, pages 515525, 2000.


54/54

44 References

[12] G. Kuperberg. A subexponential-time quantum algorithm for the dihedral hiddensubgroup problem. eprint, arXiv:0302112, 2003.

[13] C. Lomont. The hidden subgroup problem - review and open problems. eprint,arXiv:0411037, 2004.

[14] J.-N. Murphy. Analysing the quantum Fourier transform for finite groupsthrough the hidden subgroup problem. Masters Thesis, McGill University, 2001.

[15] M. Nielsen and I. Chuang. Quantum Computation and Quantum Information.Cambridge University Press, 2000.

[16] O. Regev. Quantum computation and lattice problems. Proceedings of the 43rdAnnual Symposium on Foundations of Computer Science, IEEE, Los Alamitos,CA, pages 520529, 2002.

[17] C. Moore; D. Rockmore; and A. Russell. Generic quantum Fourier transforms.

ACM Trans. Algorithms, 2(4):707723, October 2006.

[18] M. Rotteler and T. Beth. Polynomial-time solution to the hidden subgroupproblem for a class of non-abelian groups. eprint, arXiv:9812070, 1998.

[19] K. Friedl; G. Ivanyos; F. Magniez; M. Santha; and P. Sen. Hidden translationand orbit coset in quantum computing. In Proc. 35th Annual ACM Symposiumon Theory of Computing, pages 19, 2001.

[20] J.P. Serre. Linear Representations of Finite Groups. Springer-Verlag, New York,1977.

[21] A. Shakeel. Implementing measurements and optimizing queries for the quantumhidden subgroup problem. PhD Thesis, UCSD, 2011.

[22] P. Shor. Polynomial-time algorithms for prime factorization and discrete log-arithms on a quantum computer. SIAM J. on Computing, pages 14841509,1997.

[23] M. Sipser.Introduction to the theory of computation. Thomson Course Technol-ogy, Boston, 2006.

[24] M. Grigni; L. Schulman; M. Vazirani; and U. Vazirani. Quantum mechanical

algorithms for the nonabelian hidden subgroup problem. In Proc. 33rd AnnualACM Symposium on Theory of Computing, page 6874, 2001.

the quantum hidden subgroup problem for semidirect products of cyclic groups

Documents