QUANTUM COMPUTATION

QUANTUM FACTORING, DISCRETE LOGARITHMS, AND THE HIDDEN SUBGROUP PROBLEM

Among the most remarkable successes of quantum computation are Shor’s efficient quantum algorithms for the computational tasks of integer factorization and the evaluation of discrete logarithms. This article reviews the essential ingredients of these algorithms and draws out the unifying generalization of the so-called hidden subgroup problem.

RICHARD JOZSA
University of Bristol

1521-9615/01/$10.00 © 2001 IEEE

Quantum algorithms exploit quantum-physical effects to provide new modes of computation that are not available to “conventional” (classical) computers. In some cases, these modes provide efficient algorithms for computational tasks for which no efficient classical algorithm is known. The most celebrated to date is Shor’s algorithm for integer factorization [1–3]. It provides a method for factoring any integer of $n$ digits in an amount of time (for example, in a number of computational steps), whose length grows less rapidly than $O(n^3)$. Thus, it is a polynomial time algorithm in contrast to the best-known classical algorithm for this fundamental problem, which runs in superpolynomial time of order $\exp(n^{1/3}(\log n)^{2/3})$.

At the heart of the quantum-factoring algorithm is the discrete Fourier transform (FT) and the remarkable ability of a quantum computer to efficiently determine periodicities. This in turn rests on the mathematical formalism of fast Fourier transforms (FFTs) combined with principles of quantum physics. In this article, I review these issues, including further applications such as the evaluation of discrete logarithms. I will outline a unifying generalization of these ideas: the so-called hidden subgroup problem, which is just a natural group-theoretic generalization of the periodicity determination problem. Finally, we’ll examine some interesting open questions related to the hidden subgroup problem for noncommutative groups, where future quantum algorithms might have a substantial impact.

Periodicity

Think of periodicity determination as a particular kind of pattern recognition. Quantum computers can store and process a large volume of information—represented compactly in an entangled quantum state’s identity—but quantum measurement theory severely restricts our access to that information. We can only read a relatively small “globally available” amount of it, such as a few broad features of a large intricate pattern, which are generally impossible to extract efficiently by classical means.

This intuition is exemplified in the earliest quantum algorithm, known as Deutsch’s algorithm [3]. Here, a black box computes a Boolean function of $n$ variables (a function of all $n$-bit strings with one-bit values). The function is either constant or balanced (in the sense that exactly half of the values are 0

34 COMPUTING IN SCIENCE & ENGINEERING

and half are 1). We need to know whether the given function is balanced or constant, using the least number of queries. Thus, we are asking for only one bit of information about the function’s $2^n$ values. Classically, $2^{n-1} + 1$ queries are necessary in the worst case (if the problem is to be solved with certainty), but quantumly we can solve the problem in all cases with just one query [3]. However, if we tolerate any arbitrarily small probability of error in the answer, then there is also a classical algorithm using only a constant number of queries.

Inspired by these results, Daniel Simon [4] considered a more complicated situation of a class of functions from $n$ bits to $n$ bits and developed a computational task displaying an exponential gap between the classical and quantum query complexities, even if (in contrast to Deutsch’s algorithm) the algorithm is required to work only with bounded error probability of 1/3—we allow probabilistic algorithms, and in any run the answer must be correct with probability at least 2/3. In retrospect, Simon’s problem turns out to be an example of a “generalized periodicity” (or hidden subgroup problem) for the group of $n$-bit strings under binary bitwise addition. Shor recognized the connection with periodicity determination and generalized the constructions to the group of integers modulo $N$, showing significantly that the associated discrete Fourier transform could be efficiently implemented in that context as well. Using known reductions of the tasks of integer factorization and evaluation of discrete logarithms to periodicity determinations, he could give polynomial time quantum algorithms for these computational tasks as well.

The quantum Fourier transform and periodicities

Suppose that we have a black box that computes a function $f : Z_N \to Z$, which is guaranteed to be periodic with some period $r$:

$$f(x + r) = f(x) \text{ for all } x. \qquad (1)$$

Here, $Z_N$ denotes the additive group of integers modulo $N$. We also assume that $f$ does not take the same value twice within any single period. Note that Equation 1 holds only if $r$ divides $N$ exactly.

Our aim is to determine $r$. In the absence of any further information about $f$, we could merely try different values of $x$ in the black box, hoping two equal results could then give information about $r$. Generally, we require $O(\sqrt{N})$ random tries to hit two equal values with high probability. Using quantum effects, we can find $r$ using only $O((\log N)^2)$ steps, which represents an exponential speedup over any known classical algorithm.

In the quantum context, we assume the black box is a coherent quantum process that evolves the input state $|x\rangle|0\rangle$ to $|x\rangle|f(x)\rangle$. Here, the values of $x$ and $f(x)$ are labels on a suitable set of orthogonal states. We begin by computing all values of $f$ in equal superposition, using one application of the box. To do this, we set up the input register in the equal superposition $\frac{1}{\sqrt{N}}\sum_x |x\rangle$, apply the function, and obtain the state

$$|f\rangle = \frac{1}{\sqrt{N}} \sum_{x=0}^{N-1} |x\rangle|f(x)\rangle. \qquad (2)$$

Although this state’s description embodies all the values of $f$ and hence the periodicity, it is not immediately clear how to extract $r$’s information. If we measure the value in the second register, giving, say, a value $y_0$, then the first register’s state will be reduced to an equal superposition of all those $|x\rangle$’s such that $f(x) = y_0$. If $x_0$ is the least such $x$ and $N = Kr$, then we obtain in the first register the periodic state

$$|\psi\rangle = \frac{1}{\sqrt{K}} \sum_{k=0}^{K-1} |x_0 + kr\rangle. \qquad (3)$$

Note here that $0 \le x_0 \le r - 1$ is generated at random, corresponding to having seen any value $y_0$ of $f$ with equal probability. So, if we now measure the value in this register, the overall result is merely to produce a number between 0 and $N - 1$ uniformly at random, giving no information at all about $r$’s value.

The resolution of this difficulty is to use the FT, which (even for classical data) can pick out periodic patterns in a set of data regardless of how the whole pattern is shifted. The discrete FT $F$ for integers modulo $N$ is the $N \times N$ unitary matrix with entries

$$F_{ab} = \frac{1}{\sqrt{N}} \exp\left(2\pi i \frac{ab}{N}\right) = \frac{1}{\sqrt{N}} \chi_a(b) \qquad (4)$$

MARCH/APRIL 2001 35

where we have introduced the functions

$$\chi_l(m) = \exp\left(2\pi i \frac{lm}{N}\right). \qquad (5)$$

If we apply this unitary transform to the state $|\psi\rangle$ in Equation 3, we obtain [2]

$$F|\psi\rangle = \frac{1}{\sqrt{r}} \sum_{j=0}^{r-1} \exp\left(2\pi i \frac{x_0 j}{r}\right) \left|j\frac{N}{r}\right\rangle. \qquad (6)$$

A direct calculation shows that the labels appearing with nonzero amplitude are those values of $l$ that satisfy

$$\chi_l(r) = \exp\left(2\pi i \frac{lr}{N}\right) = 1 \qquad (7)$$

and they appear with equal squared amplitudes. This calculation uses Equation 3’s periodic structure and the elementary identity

$$\sum_{k=0}^{K-1} \exp\left(2\pi i \frac{kl}{K}\right) = \begin{cases} 0 & \text{if } l \text{ is not a multiple of } K \\ K & \text{if } l \text{ is a multiple of } K. \end{cases} \qquad (8)$$

The random shift $x_0$ no longer appears in the labels. If we now read the label, we will obtain a value $c$, which is necessarily a multiple of $N/r$, meaning $c = \lambda N/r$. Thus we can write

$$c/N = \lambda/r \qquad (9)$$

where $c$ and $N$ are known numbers, and the measurement has chosen $0 \le \lambda \le r - 1$ uniformly at random. If the randomly chosen $\lambda$ is fortuitously coprime to $r$ (where $\lambda$ and $r$ have no common factors), we can determine $r$ by canceling $c/N$ down to an irreducible fraction. What is the probability that a randomly chosen $\lambda$ actually is coprime to $r$? According to a basic theorem of number theory [2,5,6], the number of coprimes less than $r$ goes as $e^{-\gamma} r/\log\log r$ (where $\gamma$ is Euler’s constant) for large $r$. Thus, the probability that our randomly chosen $\lambda$ is coprime to $r$ is $O(1/\log\log r)$, which exceeds $O(1/\log\log N)$. So, if we repeat the above procedure $O(\log\log N)$ times, we can determine $r$ with any prescribed probability as close to 1 as desired.

We want our quantum algorithm to run in time poly$(\log N)$—in a number of steps that is polynomial in $\log N$ rather than $N$ itself—to achieve an exponential speedup over any known classical algorithm for determining periodicity. We showed earlier that merely $O(\log\log N)$ repetitions suffice to determine $r$, but a significant gap exists in our argument. The FT $F$ that we used is a large nontrivial unitary operation of size $N \times N$, and we cannot just assume ab initio that we can implement it using only poly$(\log N)$ basic computational operations. We could implement any $d \times d$ unitary operation on a quantum computer (equipped with any universal set of operations) in $O(d^2)$ steps [2]. This is also the number of steps needed for the classical computation of multiplying a $d \times d$ matrix into a $d$-dimensional column vector. For our use of $F$, this bound of $O(N^2)$ does not suffice. Fortunately, the FT has extra properties that let us implement it in $O((\log N)^2)$ steps. These properties stem from the classical theory of the FFT [7], which shows how to reduce the $O(N^2)$ steps of classical matrix multiplication to $O(N \log N)$ steps when $N$ is a power of 2. If we implement the same ideas in a quantum setting, then we can see [2,8] that the number of steps reduces to $O((\log N)^2)$, giving our desired implementation. Note also that according to Equation 4, we have

$$F|0\rangle = \frac{1}{\sqrt{N}} \sum_{x=0}^{N-1} |x\rangle \qquad (10)$$

so that once we have an efficient implementation of $F$, we can efficiently produce the uniform large superposition in the input register—necessary to get $|f\rangle$ in Equation 2. The technical details of efficiently implementing the FT appear elsewhere [8].

In summary, the quantum algorithm for determining the periodicity of a given function $f$, with $N$ inputs, begins with the computation of all values of $f$ in superposition using one application of FT and one evaluation of $f$. FT is then applied to pick out the resulting state’s periodic structure. The quantum implementation of the FFT algorithm guarantees that we can implement FT in poly$(\log N)$ steps. An analogous classical computation would be exponentially slower, requiring $O(N)$ invocations of $f$ to compute a column vector of all the function values and then $O(N \log N)$ steps to perform the FFT.

Quantum factoring

The problem of integer factorization is the following: Given a number $N$ of $n = \log_2 N$ digits, we wish to determine a number $k$ (not equal

to 1 or $N$) that divides $N$ exactly. We can reduce this problem to a problem of periodicity determination for a suitable periodic function $f$. Then, the quantum algorithm described earlier will achieve the factorization of $N$ in poly$(n)$ time—polynomial in the number of digits of $N$.

There is no known classical algorithm that will factorize any given $N$ in a time polynomial in the number of digits of $N$. For example, the most naive factoring algorithm involves test-dividing $N$ by each number from 1 to $\sqrt{N}$ (because any composite $N$ must have a factor in this range). This requires at least $\sqrt{N}$ steps (one step for each trial factor), and $\sqrt{N} \approx 2^{n/2}$ is exponential in $n$. Using all the ingenuity of modern mathematics, the fastest known classical factoring algorithm runs in a time of order $\exp(n^{1/3}(\log n)^{2/3})$.

To reduce the problem to one of periodicity, we use some basic results from number theory [2,5,6]. We begin by selecting a number $a < N$ at random. Using Euclid’s algorithm, we compute in poly$(\log N)$ time the highest common factor of $a$ and $N$. If this is larger than 1, we have found a factor of $N$ and we’re finished! However, it is overwhelmingly likely that a randomly chosen $a$ will be coprime to $N$ (especially if $N$ is the product of two large primes). If $a$ is coprime to $N$, Euler’s theorem of number theory guarantees a power of $a$ that has remainder 1 when divided by $N$. Let $r$ be the smallest such power:

$$a^r \equiv 1 \bmod N \text{ and } r \text{ is the least such power.} \qquad (11)$$

$r$ is called the order of $a$ modulo $N$.

Suppose that we have a method for determining $r$ (in fact, this is precisely the quantum computer’s function) and suppose further that $r$ comes out to be an even number. Then, we can rewrite Equation 11 as $a^r - 1 \equiv 0 \bmod N$ and factorize as a difference of squares:

$$(a^{r/2} - 1)(a^{r/2} + 1) \equiv 0 \bmod N. \qquad (12)$$

Let $\alpha = a^{r/2} - 1$ and $\beta = a^{r/2} + 1$. Then $N$ exactly divides the product $\alpha\beta$. If neither $\alpha$ nor $\beta$ is a multiple of $N$, $N$ must divide partly into $\alpha$ and partly into $\beta$. Therefore, computing the highest common factor of $N$ with $\alpha$ and $\beta$ (again using Euclid’s algorithm) generates a nontrivial factor of $N$.

As an example, take $N = 15$ and choose the coprime number $a = 7$. By computing the powers of 7 modulo 15, we find that $7^4 \equiv 1 \bmod 15$, meaning the order of 7 modulo 15 is 4. Thus, 15 must exactly divide the product $(7^{4/2} - 1)(7^{4/2} + 1) = (48)(50)$. Computing the highest common factor of 15 with 50 and 48 gives 5 and 3, respectively, which are indeed nontrivial factors of 15.

Our method will give a factor of $N$ provided that $r$ comes out even and that neither of $(a^{r/2} \pm 1)$ are exact multiples of $N$. It may be shown [2] that if $a$ is chosen at random, these provisos will always occur with probability at least half. Overall, our method will produce a factor of $N$ with probability at least half in every case. This success probability is amplified as close as desired to 1, by $K$ repetitions of the procedure (with $K$ constant independent of $N$), which will succeed in factorizing $N$ with probability exceeding $1 - \frac{1}{2^K}$.

We can perform all steps in the procedure, such as applying Euclid’s algorithm and the arithmetic manipulation of numbers in poly$(n)$ time. The only remaining outstanding ingredient is a method for determining $r$ in poly$(\log N)$ time. Consider the exponential function

$$f(x) = a^x \bmod N. \qquad (13)$$

Now, Equation 11 says precisely that $f$ is periodic with period $r$—that $f(x + r) = f(x)$. Therefore, we use the quantum algorithm for periodicity determination, described in the previous section, to find $r$. To apply the algorithm as stated, we need to restrict the scope of $x$ values in Equation 13 to a finite range $0 \le x \le q$ for some $q$. If $q$ is not an exact multiple of (the unknown) $r$ (if $q = Ar + t$ for some $0 < t < r$), the resulting function will not be exactly periodic—the single final period over the last $t$ values will be incomplete. However if $q$ is chosen large enough, giving sufficiently many intact periods of $f$, the single corrupted period will have negligible effect on the use of the $q \times q$ FT to determine $r$, as we might intuitively expect. We can show that if $q$ is chosen to have size $O(N^2)$, we get a reliable efficient determination of $r$. Other research examines the technical analysis of this imperfect periodicity (involving the theory of continued fractions) [1,2]. Generally, $q$ is also chosen to be a power of 2 to allow an efficient implementation of FT through the FFT formalism.

Evaluation of discrete logarithms

In the previous section we learned how to reduce the problem of factoring to a question of periodicity of a function on $Z_N$, the additive group of integers modulo $N$. Let’s now examine the problem of discrete logarithms and show how to reduce it to a slightly more general kind of periodicity—on the additive group of pairs of integers modulo $N$. These important special cases provide the basis for the generalization in the next section to an elegant and natural group-theoretic setting.

Let $p$ be a prime number, and let $Z_p^*$ denote the group of integers $\{1, 2, ..., p - 1\}$ under multiplication modulo $p$. A number $g$ in $Z_p^*$ is called a generator (or primitive root mod $p$) if the powers of $g$ generate all of $Z_p^*$, so we have $Z_p^* = \{g^0 = 1, g^1, g^2, ..., g^{p-2}\}$. (For example, in $Z_5^*$ 2 and 3 are generators but 1 and 4 are not.) Thus, we can write every element $x$ of $Z_p^*$ uniquely as $x = g^y$ for some $y$ in $Z_{p-1}$. $y$ is called the discrete logarithm of $x$ (with respect to $g$), and we write $y = \log_g x$. Note that multiplication of $x$’s mod $p$ corresponds to addition of $y$’s mod $(p - 1)$, so a generator provides a way of identifying $Z_p^*$ as $Z_{p-1}$.

The problem of discrete logarithms is the following: We have $p$ and a generator $g$ of $Z_p^*$. For any $x \in Z_p^*$, we want to compute its discrete logarithm $y = \log_g x$. Let $n$ be the number of digits of $p$. The fastest known classical algorithm runs in time of order $\exp(n^{1/3}(\log n)^{2/3})$, whereas our quantum algorithm will run in time less than $O(n^3)$.

We begin by noting that we can compute multiplicative inverses in $Z_p^*$ using Euclid’s algorithm. Indeed, for any $x$, we have the highest common factor of $x$ and $p$ being 1, so Euclid’s algorithm provides integers $a$ and $b$ such that $ax + bp = 1$, so $ax \equiv 1 \bmod p$, and $a$ is the desired inverse.

Consider $G = Z_{p-1} \times Z_{p-1}$, the additive group of integer pairs. For given values of $x$, $g$, $p$, there is a function from $G$ to $Z_p^*$ given by $f(a, b) = g^a x^{-b} \bmod p$, which is computable in time poly$(n)$. In terms of the discrete logarithm $y = \log_g x$, we have $f(a, b) = g^{a - yb} \bmod p$, so $f(a_1, b_1) = f(a_2, b_2)$ if and only if $(a_2, b_2) = (a_1, b_1) + \lambda(y, 1)$ for $\lambda \in Z_{p-1}$. Thus, the pair $(y, 1)$ is the period of $f$ on its product domain. To determine $y$, our quantum algorithm will follow the standard period-finding procedure described earlier, slightly generalized to deal with the fact that the domain consists of pairs rather than just single numbers.

We consider a Hilbert space with an orthonormal basis $\{|a\rangle|b\rangle : a, b \in Z_{p-1}\}$ labeled by the elements of $G$ and begin by computing an equal superposition of all values of $f$:

$$|f\rangle = \frac{1}{p-1} \sum_{a,b} |a\rangle|b\rangle|f(a, b)\rangle. \qquad (14)$$

If we measure the last register and see a value $k_0 = f(a_0, b_0)$, we obtain the periodic state

$$|\psi\rangle = \frac{1}{\sqrt{p-1}} \sum_{k=0}^{p-2} |a_0 + ky\rangle|b_0 + k\rangle. \qquad (15)$$

To eliminate the dependence of the labels on the randomly chosen $(a_0, b_0)$, we apply $F$, the FT modulo $(p - 1)$ to each of the two registers. The calculations are very similar to those for factoring (see Equation 8). Let us introduce the functions

$$\chi_{l_1, l_2}(a, b) = \exp\left(2\pi i \frac{a l_1 + b l_2}{p - 1}\right). \qquad (16)$$

Similar to Equation 7, $F \otimes F|\psi\rangle$ will yield an equally weighted superposition of those labels $(l_1, l_2)$ such that $\chi_{l_1, l_2}(y, 1) = 1$, meaning $y l_1 + l_2 \equiv 0 \bmod p - 1$, so $l_2 = -y l_1 \bmod p - 1$ and $l_1 = 0, 1, ..., p - 2$. Explicitly, we have

$$F \otimes F|\psi\rangle = \frac{1}{\sqrt{p-1}} \sum_{l_1=0}^{p-2} \exp\left(2\pi i \frac{a_0 l_1 - b_0 y l_1}{p - 1}\right) |l_1\rangle|-y l_1\rangle. \qquad (17)$$

Then, a measurement of the labels will provide a pair $(l_1, l_2) = (l_1, -y l_1 \bmod p - 1)$, where $l_1 \in Z_{p-1}$ is chosen uniformly at random. If $l_1$ happens to be coprime to $p - 1$, we can use Euclid’s algorithm to find $l_1^{-1}$, the multiplicative inverse modulo $p - 1$, and compute $y$ as $-l_1^{-1} l_2$. If $l_1$ is not coprime to $p - 1$, we cannot uniquely determine $y$ from $(l_1, l_2)$. What is the probability that a uniformly chosen $l_1$ is coprime to $p - 1$? Earlier, we saw that this probability will be of order $1/\log\log(p - 1)$, so to determine $y$ with high probability, we need to repeat our algorithm a very modest $O(\log\log p)$ times (which is even exponentially smaller than our goal of poly$(\log p)$ times).

As in the case of factoring, there is the residual issue of efficiently implementing the FT that is used. To take advantage of the FFT formalism, we want to use FT for integers modulo a power of 2 (instead of modulo $p - 1$). Let $2^t$ be the smallest power of 2 greater than $p - 1$, so $t$ is the smallest integer greater than $\log_2(p - 1)$. Then, we can implement FT modulo $2^t$ in $O(t^2)$ =

$O((\log p)^2)$ steps. If we use FT modulo $2^t$ in place of FT modulo $p - 1$ in this algorithm, we will obtain a larger set of possible output pairs $(l_1, l_2)$ with varying probabilities. However, as in the case of factoring, these pairs will lie with high probability sufficiently near to the “good” pairs $(l_1, -y l_1)$ where $l_1$ is coprime to $p - 1$, so that we can still determine $y$. The details of dealing with the nearby pairs and assessing their probabilities are quite involved [1].

The abelian hidden subgroup problem

Given the developments described earlier, it is exciting to observe that we can generalize the concept of periodicity and the construction of FT to apply to any finite group $G$. Our discussion so far pertains simply to the special cases of the additive group of integers modulo $N$ (for factoring) and the product group $Z_{p-1} \times Z_{p-1}$ (for evaluating discrete logarithms). The generalized viewpoint will also provide considerable insight into the FT’s workings. Let’s look at the essential ideas of finite abelian or commutative groups.

Let $G$ be any finite abelian group. Let $f : G \to X$ be a function on the group (taking values in some set $X$) and consider

$$K = \{k \in G : f(k + g) = f(g) \text{ for all } g \in G\}. \qquad (18)$$

(Note that we write the group operation in additive notation.) $K$ is necessarily a subgroup of $G$ called the stabilizer or symmetry group of $f$. It characterizes the periodicity of $f$ with respect to the group operation of $G$. For factoring where $G$ was $Z_N$, $K$ was the cyclic subgroup of all multiples of $r$.

The condition in Equation 18 is equivalent to saying that $f$ is constant on the cosets of $K$ in $G$. (Recall that the cosets are subsets of $G$ of the form $g + K = \{g + k : k \in K\}$, and they partition all of $G$ into disjoint parts of equal size $|K|$.) Given a device that computes $f$, our aim is to suitably determine the “hidden subgroup” $K$—we might ask for a set of generators for $K$ or for an algorithm that outputs a randomly chosen element of $K$. More precisely, we wish to obtain this information in time $O(\text{poly}(\log|G|))$, where $|G|$ is the size of the group and the evaluation of $f$ on an input counts as one computational step. (Note that we can easily determine $K$ in time $O(\text{poly}(|G|))$ by simply evaluating and examining all the values of $f$.) We begin as in our earlier examples by constructing the state

$$|f\rangle = \frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle|f(g)\rangle \qquad (19)$$

and reading the second register. Assuming that $f$ is suitably nondegenerate—in the sense that $f(g_1) = f(g_2)$ iff $g_1 - g_2 \in K$ (that $f$ is one-to-one within each period)—we will obtain in the first register the

$$|\psi(g_0)\rangle = \frac{1}{\sqrt{|K|}} \sum_{k \in K} |g_0 + k\rangle \qquad (20)$$

corresponding to seeing $f(g_0)$ in the second register ($g_0$ is chosen at random). In Equation 20, we have an equal superposition of labels corresponding to a randomly chosen coset of $K$ in $G$. Now $G$ is the disjoint union of all the cosets so that if we read the label in Equation 20, we will see a random element of a random coset—a label chosen equiprobably from all of $G$, yielding no information at all about $K$.

The general construction of an FT on $G$ will provide a way of eliminating $g_0$ from the labels (just as in the case of $Z_N$), and the resulting state will then provide direct information about $K$. Let $H$ be a Hilbert space with a basis $\{|g\rangle : g \in G\}$ labeled by the elements of $G$. Each group element $g_1 \in G$ gives rise to a unitary shifting operator $U(g_1)$ on $H$ defined by

$$U(g_1)|g\rangle = |g + g_1\rangle \text{ for all } g. \qquad (21)$$

For any coset $g_0 + K$, let us write $|g_0 + K\rangle$ for the uniform superposition of its elements (as given in Equation 20). Note that we can write this state as a $g_0$-shifted state:

$$|g_0 + K\rangle = U(g_0)|K\rangle. \qquad (22)$$

Our basic idea now is to introduce into $H$ a new basis $\{|\chi_g\rangle : g \in G\}$ of special states that are shift-invariant:

$$U(g_1)|\chi_{g_2}\rangle = e^{i\phi(g_1, g_2)}|\chi_{g_2}\rangle \text{ for all } g_1, g_2 \qquad (23)$$

meaning the $|\chi_g\rangle$’s are the common eigenstates of all the shifting operations $U(g)$. Note that the $U(g)$’s all commute (because the group is abelian), so such a basis of common eigenstates is guaranteed to exist. According to Equation 23, if we view $|K\rangle$ and $|g_0 + K\rangle$ in the new basis, they will contain the same pattern of labels determined by the subgroup $K$ only, and the corresponding amplitudes will differ only by phase factors. Thus the probability distribution of the outcomes of a measurement in the new basis will directly provide information about the subgroup $K$, whose precise nature is elaborated elsewhere [8].

The FT $F$ on $G$ is defined to simply be the unitary transformation, which rotates the shift invariant basis back to the standard basis:

$$F|\chi_g\rangle = |g\rangle \text{ for all } g. \qquad (24)$$

Hence, to read $|\psi(g_0)\rangle$ in the new basis, we just apply $F$ and read in the standard basis.

To give an explicit construction of $F$, it suffices to give the states $|\chi_g\rangle$ written as components in the standard basis. There is a standard way of calculating these components based on constructions from group representation theory. Here’s a summary of the main points [3,8]. If we write

$$|\chi_l\rangle = \frac{1}{\sqrt{|G|}} \sum_{g} \chi_l(g)|g\rangle \text{ for each } l \in G \qquad (25)$$

we can take the functions $\chi_l : G \to C$ to be the $|G|$ characters of the group $G$. For abelian groups, these are also the irreducible representations of the group. Then, the basic theorems of group representation theory [3] guarantee that the states $|\chi_l\rangle$ are orthonormal and have the required shift-invariant property. Shift invariance is a direct consequence of the basic defining property of a representation: $\chi(g_1 + g_2) = \chi(g_1)\chi(g_2)$. For the group $Z_N$, the irreducible representations are given by $\chi_k(j) = \exp 2\pi i\, jk/N$ for $j, k \in Z_N$ and

$$|\chi_k\rangle = \frac{1}{\sqrt{N}} \sum_{j=0}^{N-1} \exp\left(2\pi i \frac{jk}{N}\right)|j\rangle \qquad (26)$$

leading to the FT formula in Equation 4.

The group-theoretic framework just presented serves to generalize and extend the applicability of the quantum algorithm for periodicity determination. Simon considered the following problem: Suppose that we have a black box that computes a function $f$ from $n$-bit strings to $n$-bit strings. It is also promised that the function is two-to-one in the sense that there is a fixed $n$-bit string $\xi$ such that

$$f(x + \xi) = f(x) \text{ for all } n\text{-bit strings } x. \qquad (27)$$

(Here “+” denotes binary bitwise addition of $n$-bit strings.) Our problem is to determine $\xi$.

To see that this is just a generalized periodicity determination, note that in the group $(Z_2)^n$ of $n$-bit strings, every element satisfies $x + x = 0$. Hence Equation 27 states just that $f$ is periodic on the group with periodicity subgroup $K = \{0, \xi\}$. Thus, to determine $\xi$, we construct the FT on the group of $n$-bit strings and apply our quantum algorithm for periodicity determination. The relevant Hilbert space $H$ with a basis labeled by $n$-bit strings is just a row of $n$ qubits. The irreducible representations of the group $(Z_2)^n$ are the functions $f_y(x) = (-1)^{x_1 y_1} \cdots (-1)^{x_n y_n}$, where $x = x_1 \ldots x_n$ and $y = y_1 \ldots y_n$ are $n$-bit strings. Thus we can easily see the FT to be just the application of the 1-qubit Hadamard transform [8]:

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \qquad (28)$$

to each of the $n$ qubits. The resulting quantum algorithm for determining the hidden subgroup then reproduces Simon’s original algorithm [4]. It determines $\xi$ in $O(n^2)$ steps, whereas we could argue that any classical algorithm must evaluate $f$ at least $O(2^{n/4})$ times.

Nonabelian groups

Let’s move on to the hidden subgroup problem in the situation where $G$ and the subgroup $K$ may be nonabelian—we have $f : G \to X$, which is constant on the (left) cosets of $K$ in $G$. We now also write the group operation multiplicatively. As before, our algorithm begins by producing the state $|g_0 K\rangle$, where $g_0$ is chosen at random. The passage from abelian to nonabelian groups is accompanied by various potential conceptual problems:

1. Construction of nonabelian FT. For abelian groups, the irreducible representations are always 1D (the functions $\chi_l$ in Equation 25) whereas for nonabelian groups, they are

functions $\rho : G \to U(d)$ taking values in the set $U(d)$ of all $d \times d$ unitary matrices for suitable values of $d$. In this case, there is a further freedom in the choice of the unitary matrices $\rho(g)$ corresponding to a choice of orthonormal basis in the representation space. Ultimately, our definition of FT will also exhibit a corresponding nonuniqueness, which is a significant new feature. According to a basic theorem of group representation theory [9], if $d_1, ..., d_m$ are the dimensions of a complete set of irreducible unitary representations $\rho_1, ..., \rho_m$, then $d_1^2 + ... + d_m^2 = |G|$. Let us write $\rho_{i,jk}(g)$ for the $(j,k)$th component of the unitary matrix $\rho_i(g)$. Thus, as $i, j, k$ vary, we get $|G|$ complex valued functions, and, as in Equation 25, we can define the $|G|$ states:

$$|\rho_{i,jk}\rangle = \frac{1}{\sqrt{|G|}} \sum_{g \in G} \rho_{i,jk}(g)|g\rangle. \qquad (29)$$

The orthogonality relations of irreducible representations [9] guarantee that these are again orthonormal states, called the Fourier basis, and the nonabelian FT is defined as the unitary operation that rotates this basis into standard position. In the abelian case, $j$ and $k$ take only the value 1, and we can omit them. We can group the Fourier basis into $m$ subsets of sizes $d_1^2, ..., d_m^2$ according to the value of $i$—we can also consider the associated incomplete von Neumann measurement that distinguishes only the various representations. We denote this incomplete measurement by $\mathcal{M}_{rep}$.

2. Efficient implementation of nonabelian FT. For the efficiency of our quantum algorithms, FT must be implementable in poly$(\log |G|)$ computational steps. In the abelian case, this was a consequence of the FFT formalism. Fortunately, this formalism extends to the nonabelian case, too [7], requiring only that the group contain a suitable tower of subgroups. For the standard FFT on $Z_{2^n}$, this tower is $H_0 \subset H_1 \subset ... \subset Z_{2^n}$, where $H_k$ is the subgroup of multiples of $2^{n-k}$ in $Z_{2^n}$. A fundamental nonabelian group is the permutation group $G = P_n$ on $n$ symbols. $P_n$ contains the tower $P_1 \subset P_2 \subset ... \subset P_n$, and its FT is efficiently implementable [10].

3. Description of . Our quantum algorithm should provide distinguishable outputs for different possible subgroups $K$. We say that the subgroup is information-theoretically determined. However, in general it might still be a difficult computational task to identify the actual subgroup from the output result. For finite abelian groups, a fundamental structure theorem [11] asserts that any such group is isomorphic to a direct product of groups of the form $Z_n$. In this case, any subgroup $K$ will have a simple poly$(\log |G|)$-sized description given by a list of generators, which we can require as the algorithm’s output. For nonabelian groups, the classification of possibilities is not so simple. For example, even the problem of deciding whether two sets of generators and relations give isomorphic groups is known to be uncomputable! [11] Furthermore, it is not appropriate to ask for a list of all elements of $K$ because this might be exponentially large in $\log|G|$. We can circumvent these difficulties of description by asking for less—instead of characterizing $K$ per se, we could ask that the algorithm output a randomly chosen element of $K$ or determine whether some chosen subgroup property holds for the hidden subgroup.

4. Shift invariance. In the preceding section, we used the existence of the shift-invariant basis $|\chi_l\rangle$ to give some intuitive insight into why FT is useful for abelian hidden subgroups. It provided a means of eliminating the effects of a randomly chosen $g_0$ in the state $|g_0 + K\rangle$. The existence of a shift-invariant basis relies on the commuting of the shift operators $U(g)$, which is a consequence of $G$’s “abelian-ness.” In the nonabelian case, such a basis will not exist. However, a restricted form of shift invariance still survives because of the multiplicative property of representations: $\rho_i(g_1 g_2) = \rho_i(g_1)\rho_i(g_2)$ (where the right-hand side is multiplication of $d_i \times d_i$ unitary matrices). If we perform a complete measurement for the labels $i, j, k$ (as in the first point) on the state $|gK\rangle$, the resulting probability distribution will not be independent of $g$. However, if we perform the incomplete measurement $\mathcal{M}_{rep}$, then it is a simple consequence [12] of the multiplicative property that the outcome distribution

is independent of g, providing direct (but generally incomplete) information about K itself. Similarly, if K and L are conjugate subgroups (if $L = g_0 K g_0^{-1}$ for some $g_0$), then any coset states $|g_1 K\rangle$ and $|g_2 L\rangle$ will also give identical output distributions, hence the measurement $M_{\mathrm{rep}}$ cannot distinguish conjugate subgroups. (In the abelian case, this is not a problem because subgroups are conjugate if and only if they are equal.)

There is no known efficient quantum algorithm that will solve the hidden subgroup problem in general, but we have various significant partial results.

Let G be any finite group, and assume that we can efficiently compute the FT on G. Under this assumption, some researchers12 have shown that they can solve the hidden subgroup problem for any normal subgroup K of G. We proceed as usual by first constructing a randomly chosen coset state $|g_0 K\rangle$, then measuring $M_{\mathrm{rep}}$ in the first point (by performing FT and reading the representation labels i only). Previous work12 shows that we can reconstruct K with high probability from O(log|G|) repetitions of this procedure—the O(log|G|) measurement outcomes determine K information theoretically.

For finite abelian groups G (where all subgroups are normal), this would solve the general abelian hidden subgroup problem, except that we can't exactly implement FT efficiently for a general finite abelian G. Recall that in the examples of factoring and discrete logarithms we needed to replace the FT by a slightly larger one—in a dimension that was a power of 2—to take advantage of the FFT formalism. This approximation to the true FT on G was sufficiently close to still allow the determination of the abelian hidden subgroup. Alexei Kitaev13 has described similar efficient approximations to the FT on any abelian group, which should suffice for our purposes. Also, in view of the third point, we could ask that the algorithm in the abelian case determine K more explicitly—by outputting an actual set of generators as in the examples of factoring and discrete logarithms. Again, this should be possible, but the detailed description of an efficient quantum algorithm for the general finite abelian hidden subgroup problem seems not to be described in the literature (although the essential ingredients appear to be implicit in Kitaev's work13 and Shor's treatment1 of factoring and discrete logarithms).

Returning to the hidden subgroup problem for finite nonabelian groups, other researchers14 have shown that N = O(log |G|) preparations of random coset states $|g_1 K\rangle, \ldots, |g_N K\rangle$ always suffice to determine K information theoretically—a quantum observable on the state $|g_1 K\rangle \otimes |g_2 K\rangle \otimes \cdots \otimes |g_N K\rangle$ exists that will distinguish all possible K's with high probability (for any random choices of $g_1, \ldots, g_N$). However, we don't know how to efficiently implement such an observable in general. For the special case of normal K's, the results in other work give precisely such an efficiently implementable observable.12

There are important open questions, which we can formulate in terms of nonabelian hidden subgroup problems. As an example, we will outline the so-called graph isomorphism problem.

We can describe an (undirected) graph A with n vertices labeled 1, 2, ..., n by an n × n matrix $M_A$ with entries that are either 0 or 1. The ijth entry is 1 if and only if the graph has an edge joining vertices i and j (and we assume that A always has at most one edge joining two vertices). Let $P_n$ denote the group of all permutations of n symbols 1, 2, ..., n. Two graphs A and B are said to be isomorphic if B can be made identical to A by relabeling its vertices—if there exists a permutation $\Pi \in P_n$ such that $M_A$ is obtained by simultaneously permuting the rows and columns of $M_B$ by Π. The symmetry group of any graph A on n vertices is the subgroup of all permutations Π that leave $M_A$ unchanged when Π is applied to the rows and columns simultaneously. The graph isomorphism problem is the following: Given two connected graphs A and B, each on n vertices, determine
whether they are isomorphic. We wish to perform this efficiently, in poly(n) steps. There is no known efficient classical solution.

To reformulate this problem as a hidden subgroup problem, let C be the graph that is the disjoint union of A and B, having 2n vertices labeled 1, 2, ..., n, n + 1, ..., 2n where 1, 2, ..., n label A and n + 1, ..., 2n label B. The symmetry group K of C is evidently a subgroup of $P_{2n}$. Let $L_A$ = {1, 2, ..., n} and $L_B$ = {n + 1, ..., 2n}. Now, we can easily verify the following facts: First, if A and B are not isomorphic, every member of K will map $L_A$ only to itself. Second, if A and B are isomorphic, exactly half the members of K will map $L_A$ totally to $L_B$.

Given any element $\Pi \in K$, it is easy to check whether it maps $L_A$ to itself or to $L_B$ (we just compute Π(1) and check whether it is ≤ n or ≥ n + 1). Hence we will have efficiently solved the graph isomorphism problem if we can randomly sample from the elements of K. This is a weak form of the hidden subgroup problem, in which we are not asking for the full information of K but merely whether none or half of its elements interchange $L_A$ and $L_B$, knowing that one of these two must always hold. In our quantum algorithm, the function f used to generate the random coset state $|g_0 K\rangle$ is the efficiently computable f : G → X, where X is the set of all matrices of size 2n × 2n with 0,1 entries and f(Π) is the matrix obtained by permuting the rows and columns of $M_C$ by Π.

Unfortunately, none of the known partial results about efficient quantum algorithms for determining hidden subgroups seem to apply to this formulation of the graph isomorphism problem, and the possibility of an efficient solution remains an open challenge. However, given the FT's already demonstrated success and mathematical elegance, we can hope that an efficient algorithm might be derived along these lines.

References

1. P. Shor, "Polynomial Time Algorithms for Prime Factorisation and Discrete Logarithms on a Quantum Computer," SIAM J. Computing, vol. 26, no. 5, Oct. 1997, pp. 1484–1510.
2. A. Ekert and R. Jozsa, "Quantum Computation and Shor's Factoring Algorithm," Rev. Modern Physics, vol. 68, no. 3, July 1996, p. 733.
3. R. Jozsa, "Quantum Algorithms and the Fourier Transform," Proc. Royal Soc. London Series A, vol. 454, no. 1969, Jan. 1998, pp. 323–337.
4. D. Simon, "On the Power of Quantum Computation," SIAM J. Computing, vol. 26, no. 5, Oct. 1997, pp. 1474–1483.
5. G.H. Hardy and E.M. Wright, An Introduction to the Theory of Numbers, 4th ed., Clarendon, Oxford, UK, 1965.
6. M.R. Schroeder, Number Theory in Science and Communication, 2nd enlarged ed., Springer-Verlag, New York, 1990.
7. D.K. Maslen and D.N. Rockmore, "Generalised FFT's: A Survey of Some Recent Results," DIMACS Series in Discrete Mathematics and Theoretical Computer Science, vol. 28, AMS, New York, 1995, pp. 183–238.
8. A. Ekert and R. Jozsa, "Quantum Algorithms: Entanglement Enhanced Information Processing," Phil. Trans. Royal Soc. London Series A, vol. 356, no. 1743, Aug. 1998, pp. 1769–1782.
9. M. Fulton and J. Harris, Representation Theory, Springer-Verlag, New York, 1991.
10. R. Beals, "Quantum Computation of Fourier Transforms over Symmetric Groups," Proc. 29th Ann. ACM Symp. Theory of Computing, ACM Press, New York, 1997, pp. 48–53.
11. J. Fraleigh, A First Course in Abstract Algebra, 5th ed., Addison-Wesley, Reading, Mass., 1994.
12. S. Hallgren, A. Russell, and A. Ta-Shma, "Normal Subgroup Reconstruction and Using Group Representations," Proc. 32nd Ann. ACM Symp. Theory of Computing, ACM Press, New York, 2000, pp. 627–635.
13. A. Kitaev, "Quantum Measurements and the Abelian Stabilizer Problem," 1995, preprint available at http://xxx.lanl.gov/abs/quant-ph/9511026.
14. M. Ettinger, P. Hoyer, and E. Knill, "Hidden Subgroup States Are Almost Orthogonal," 1999, preprint available at http://xxx.lanl.gov/abs/quant-ph/9901034.

Richard Jozsa is an EPSRC senior research fellow and professor in the Department of Computer Science at the University of Bristol. He co-invented quantum teleportation in 1994, and his interests include quantum computation and the foundations of physics. He received his DPhil from the University of Oxford. Contact him at the Dept. of Computer Science, Merchant Venturers Bldg., Univ. of Bristol, Bristol BS8 1UB, UK; [email protected].
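The article's reformulation of graph isomorphism as a question about the symmetry group K of C = A ⊔ B can be checked on small graphs. The following is an added example, not code from the article: a classical brute-force enumeration of K stands in for the quantum sampling step and is feasible only for tiny n, vertices are labeled from 0, and all function names and sample graphs are constructed for illustration.

```python
import random
from itertools import permutations

def adjacency(n, edges):
    """0/1 adjacency matrix of an undirected graph on vertices 0..n-1."""
    M = [[0] * n for _ in range(n)]
    for i, j in edges:
        M[i][j] = M[j][i] = 1
    return M

def disjoint_union(MA, MB):
    """M_C for C = A + B: vertices 0..n-1 label A (L_A), n..2n-1 label B (L_B)."""
    n = len(MA)
    return [MA[i] + [0] * n for i in range(n)] + [[0] * n + MB[i] for i in range(n)]

def symmetry_group(M):
    """K = all permutations p leaving M unchanged: M[p[i]][p[j]] == M[i][j]."""
    N = range(len(M))
    return [p for p in permutations(N)
            if all(M[p[i]][p[j]] == M[i][j] for i in N for j in N)]

def swaps_labels(p, n):
    """The article's test: look only at the image of the first vertex."""
    swap = p[0] >= n
    # Connectedness of A and B forces L_A to move as a block; confirm it.
    assert all((p[i] >= n) == swap for i in range(n))
    return swap

def count_swaps(MA, MB):
    """Return (number of elements of K exchanging L_A and L_B, |K|)."""
    n, K = len(MA), symmetry_group(disjoint_union(MA, MB))
    return sum(swaps_labels(p, n) for p in K), len(K)

def isomorphic_by_sampling(MA, MB, samples=40, seed=0):
    """Decide isomorphism from random elements of K (one-sided error 2**-samples)."""
    n, K = len(MA), symmetry_group(disjoint_union(MA, MB))
    rng = random.Random(seed)
    return any(swaps_labels(rng.choice(K), n) for _ in range(samples))

# Constructed sample graphs on n = 4 vertices, each connected with 3 edges.
PATH = adjacency(4, [(0, 1), (1, 2), (2, 3)])
PATH_RELABELED = adjacency(4, [(2, 0), (0, 3), (3, 1)])
STAR = adjacency(4, [(0, 1), (0, 2), (0, 3)])

if __name__ == "__main__":
    print(count_swaps(PATH, PATH_RELABELED))  # isomorphic pair
    print(count_swaps(PATH, STAR))            # non-isomorphic pair
    print(isomorphic_by_sampling(PATH, PATH_RELABELED),
          isomorphic_by_sampling(PATH, STAR))
```

The star and the path have the same number of vertices and edges, so the distinction comes entirely from whether any element of K exchanges the two label sets.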
