Quantum Algorithm for Decomposing Black-Box Finite Abelian Groups

Yong Zhang Department of Computer Science, Kutztown University of Pennsylvania, Kutztown, PA 19530

Abstract— Cheung and Mosca [1] gave an efficient quan- to a quantum algorithm for the HIDDEN SUBGROUP problem tum algorithm for decomposing finite abelian groups in a where the given group G is abelian. In the case when G is unique-encoding group model. We present another efficient non-abelian, the HIDDEN SUBGROUP problem generalizes quantum algorithm for this problem in a more general model, other well-known problems such as GRAPH ISOMORPHISM. the black-box group model, where each group element is not However, the non-abelian case is much harder to solve and necessarily uniquely encoded. remains a major challenge in quantum computation.

Before one can efficiently implement QFT to solve the Keywords: quantum computation, black-box group model abelian HIDDEN SUBGROUP problem, the decomposition of the given abelian group G must be known. Cheung and Mosca [1] first studied the problem of decomposing finite 1. Introduction abelian groups. They gave an efficient quantum algorithm for this problem. However, one of their assumptions is that Any finite abelian group G can be decomposed into each element of the input group G is uniquely represented the direct sum of cyclic subgroups of prime power order. by a binary string. In another word, their quantum algorithm However, given a set of generators for G, no efficient only works for a unique-encoding group model. classical algorithm is known to find the decomposition of G, i.e., find generators for the cyclic subgroups of G. This In this paper we study the problem of decomposing finite abelian groups in a more general group model — the black- problem is at least as hard as INTEGER FACTORIZATION – finding nontrivial factors of a given integer N is equivalent box group model. In the black-box group model elements to finding the decomposition of the (finite abelian) group of the input group G are not necessarily uniquely encoded. Z∗ , the multiplicative group of integers modulo N. The black-box group model was first introduced by Babai N and Szemerédi [3] as a general framework for studying algo- Decomposing finite abelian groups plays an important rithmic problems for finite groups. It is a widely used model role in quantum computation, the study of the information in computational group theory and quantum computation processing tasks that can be accomplished using quantum [4], [5], [6], [7], [8], [9]. This non-unique encoding feature mechanical systems. We call an algorithm that is defined enables this model to handle factor groups [3]. A factor over a traditional computational model a classical algorithm group (also known as quotient group) is a group obtained and an algorithm that is defined over a quantum computa- by identifying together elements of a larger group using tional model a quantum algorithm. an equivalence relation. In this paper we give an efficient quantum algorithm for decomposing finite abelian groups in In 1994 Shor [2] presented polynomial-time quantum the black-box group model. algorithms for two important problems INTEGER FACTOR- IZATION and DISCRETE LOGARITHM. No efficient classical algorithms are known for these two problems. These two 2. Perliminaries problems are widely believed to be hard on classical com- puters; their hardness are the basic assumptions for several In this section we give a brief introduction of the fun- cryptosystems including the widely used RSA public-key damental results in group theory. We refer the readers to a cryptosystem. Shor’s paper is the first illustration of the classic book on group theory [10] for more details. practical importance of quantum computation. A key com- ponent in Shor’s algorithms is the efficient implementation A set G is called a group if there is a binary operation · of the Quantum Fourier Transform (QFT), which explores defined on G such that: the underlying algebraic structure of the problems. From this perspective, Shor’s quantum algorithms, together with 1) for any x, y ∈ G, x · y ∈ G. several other quantum algorithms, can be further generalized 2) for any x, y, z ∈ G, (x · y) · z = x · (y · z). 3) there is an identity element e ∈ G such that for any to the groups Bm of a group family and their subgroups x ∈ G, x · e = e · x = x. (presented by generator sets) as black-box groups. Common −1 4) for any x ∈ G, there is a unique x ∈ G such that examples of black-box groups are {Sn}n≥1 where Sn is the −1 −1 x · x = x · x = e. permutation group on n elements, and {GLn(q)}n≥1 where GLn(q) is the group of n × n invertible matrices over the finite field F . Depending on whether the group elements are Z q The set of integers together with the “+” operation is uniquely encoded, we have the unique encoding model and · an example of a group. Usually if the binary operation is non-unique encoding model, the latter of which enables us obvious from the context, we will just write xy instead of to deal with factor groups [3]. In the non-unique encoding · x y. model an additional group oracle has to be provided to test if two strings represent the same group element. A group G is abelian if and only if for any x, y ∈ G, xy = yx. Otherwise, G is nonabelian. A group G is cyclic if there exist a ∈ G such that G = {an|n ∈ Z}. Then we 3. The Algorithm say a is a generator of G.A subgroup H of a group G is a subset which is also a group under the same operation in G. If H is a subgroup of a group G, then a right coset of H is a Our algorithm uses a divide-and-conquer approach. The subset S of G such that ∃x ∈ G for which S = Hx = {yx : algorithm first finds the Sylow p-subgroups of the given y ∈ H}.A left coset of H is defined similarly. The order of input group and then decomposes each Sylow p-subgroup. a group G, denoted by |G|, is the cardinality of the set G. We start with two technical Lemmas. The first Lemma shows The order of the element a is the smallest number n such how to find a p-Sylow subgroup in quantum polynomial that an = e, denoted by ord(a). If such n ∈ Z exists, we time. say a has finite order. In fact, the subset {e, a, a2, . . . , an−1} Lemma 3.1: Let B = {B } be a group family. Let forms a subgroup. We call this subgroup the cyclic subgroup m m>0 G < B be an abelian black-box group given by generating generated by a and denote it by hai. m sets S = {g1, . . . , gs}. For any prime number p, the gener- Lagrange’s Theorem states that if H is a subgroup of a ating sets for the p-Sylow subgroup of G can be computed group G, then |H| divides |G|. We say [G : H] = |G|/|H| is in quantum polynomial time. the index of H in G. Let G be a group, p be a prime number, Proof: Since G is abelian, for any prime p, there and P be a subgroup of G. If |P | = pr for some r ∈ Z, we is an unique p-Sylow subgroup of G. Let n be the the say P is a p-subgroup of G. If furthermore pr divides |G| order of B . By our assumption for black-box model, we but pr+1 does not, then we say P is a Sylow p-subgroup m can efficiently compute n. Furthermore, we can use Shor’s of G. Let G1,G2 be groups such that G1 ∩ G2 = {e}. The algorithm to compute the prime factorization pe1 ··· per of n. set {(a , a ) | a ∈ G , a ∈ G }, denoted by G ⊕ G , 1 r 1 2 1 1 2 2 1 2 If p is not a factor of n, then clearly the p-Sylow subgroup of is called the direct sum of G1 and G2. G1 ⊕ G2 is a group G is trivial. If p is equal to pk for some 1 ≤ k ≤ r, then we under the binary operation · such that (a1, b1) · (a2, b2) = ek 0 0 0 n/pk compute the set Sk = {g , . . . , g } where g = g . Note (a1a2, b1b2). 1 s i i that this can be done efficiently using modular exponetiation. The fundamental theorem of finite abelian groups states We claim that Sk is the generating set for the p-Sylow 0 the following. subgroup. Clearly the order of gi is power of p for all i, so hSki is a p-subgroup of G. To show that hSki is indeed ∈ Theorem 2.1: Given a set {g1, . . . , gn} of generators the p-Sylow subgroup it suffices to show that any gi S of the finite abelian group G, find a set of elements can be written as products of elements in hS1i,..., hSri, i.e., h i ⊕ · · · ⊕ h i r el h1, . . . , hk ∈ G such that G = hh1i ⊕ · · · ⊕ hhki and hhii G = S1 Sr . Since Σl=1n/pl is coprime with n ≤ ≤ and thus the order of any elements in G, for any g ∈ G, is a cyclic group of prime power order for all 1 i k. e i Σr n/p l l=1 l h i h i gi , which is a product of elements in S1 ,..., Sr , Next we introduce the black-box group model. We fix the generates the same cyclic subgroup that gi generates. alphabet Σ = {0, 1}.A group family is a countable sequence B = {Bm}m≥1 of finite groups Bm, such that there exist Any finite abelian p-group can be expressed as a direct e1 em polynomials p and q satisfying the following conditions. For sum of m cyclic groups with order p , . . . , p and e1 ≤ ≥ each m 1, elements of Bm are encoded as strings (not · · · ≤ em. We say that (e1, . . . , em) is the type of the necessarily unique) in Σp(m). The group operations (inverse, p-group. In the second lemma we describe a method to product and identity testing) of Bm are performed at unit decompose a finite abelian p-group. cost by black-boxes (or group oracles). The order of Bm is computable in time bounded by q(m), for each m. We refer Lemma 3.2: Let G be a finite abelian p-group of type (m1, m2, . . . , ms). Let g1, . . . , gi be elements of G of or- procedure for computing order of an group element in any ders pm1 , . . . , pmi and for any j =6 k and 1 ≤ j, k ≤ solvable group [4]. Then, by Lemma 3.1 we can compute i the cyclic groups hgji, hgki have trivial intersection. the generating set of each pi-Sylow subgroup, 1 ≤ i ≤ r. Given ahg1, . . . , gii as an element in the factor group mi+1 h i mi+1 p x1 ··· xi G/ g1, . . . , gi of order p with a = g1 gi , Let Xi be the generating set for the pi-Sylow subgroup. mi+1 ≤ ≤ we can efficiently find another element gi+1 of order p For each 1 i r, we use Lemma 3.2 to compute an where hgi+1i and is hg1, . . . , gii have trivial intersection. independent generating set Si of the pi-Sylow subgroup. We will construct Si in steps. Initially Si is empty. We mi+1 Proof: First we show that xj is a multiple of p add one element to Si at each step. Suppose after the for all 1 ≤ j ≤ i. (j − 1)’th step, Si = {s1, . . . , sj−1}. At the j’th step, ∈ h i m m m −m first compute an element h Xi such that h Si has the ap i = (ap i+1 )p i i+1 maximum possible order in the factor group hXii/hSii. This m −m x1 ··· xi p i i+1 = (g1 gi ) can be done by the constructive group membership test − − mi mi+1 mi mi+1 x1p xip described in [11], i.e., we will get x1, . . . , xj−1 such that = g ··· g . − 1 i ord(hhSii) j 1 xk h = Πk=1sk . By Lemma 3.2, we will add the − m mi mi+1 j−1 −x /ord(hhS i) p i h i xip element s = hΠ s k i to the set S . We then But a is clearly in g1, . . . , gi−1 , so gi is j k=1 k i mi+1 h i also in hg1, . . . , gi−1i, therefore xi is a multiple of p . test if Xi is a subset of Si . If yes, we can stop and return Similarly we have Si as the independent generating set. Otherwise, we will go to the j + 1’th step. m − m m − −m ap i 1 = (ap i+1 )p i 1 i+1 − − mi−1 mi+1 mi−1 mi+1 x1p ··· xip Once we compute the independent generating set Si for = g1 gi − − each p -Sylow subgroup, the decomposition of G is obtained mi−1 mi+1 mi−1 mi+1 i = gx1p ··· gxi−1p . ∪r 1 i−1 as i=1Si.

mi+1 By the same reasoning xi−1 is also a multiple of p . Clearly this inductive procedure can go down to i = 1. Thus mi+1 xj is a multiple of p for all 1 ≤ j ≤ i. Let yj = 4. Discussion −y −y mi+1 ≤ ≤ 1 ··· i xj/p for 1 j i and gi+1 = ag1 gi . Then

mi+1 − − m p y1 ··· yi p i+1 In this paper we present an efficient quantum algorithm gi+1 = (ag1 gi ) − − to decompose finite-abelian groups in a more general group x1 ··· xi = ag1 gi model — black-box group model. Comparing to Cheung = e and Mosca’s algorithm [1], our algorithm is conceptually simpler and only uses elementary results in group theory. h i h i It is also easy to verify that gi+1 and g1, . . . , gi have Components of our algorithm may be used to construct trivial intersection. quantum algorithms for HIDDEN SUBGROUP problem over certain non-abelian finite groups. Now we describe the whole algorithm. Given a generating set {g1, . . . , gs} of a finite abelian group G ⊆ Bm, we want to output a set of elements {d1, . . . , dl} such that G = hd1i ⊕ · · · ⊕ hdli. The algorithm uses a divide-and- References conquer approach. It first computes the generating set of each p-Sylow subgroup, and then convert each generating set into [1] K. Cheung and M. Mosca, “Decomposing finite abelian groups,” an “indepedent generating set”. We say a generating set S Quantum Information and Computation, vol. 1, no. 3, 2001. ∈ [2] P. W. Shor, “Polynomial-time algorithms for prime factorization of a group is indepedent if for any two element si, sj S, and discrete logarithms on a quantum computer,” SIAM Journal on hsii and hsji has trivial intersection. Note that in a p-group Computing, vol. 26, pp. 1484–1509, 1997. an independent generating set is exactly the decomposition [3] L. Babai and E. Szemerédi, “On the complexity of matrix group prob- lems I.” in Proceedings of the 25th IEEE Symposium on Foundations of the p-group. of Computer Science, 1984, pp. 229–240. [4] J. Watrous, “Quantum algorithms for solvable groups,” in Proceedings We first compute |Bm|. Recall that in the black-box of the 33rd ACM Symposium on the Theory of Computing, 2001, pp. model, |B | is computable in time bounded by q(m), for 60–67. m [5] ——, “Succinct quantum proofs for properties of finite groups,” in each m. In some cases, we will also obtain the prime Proceedings of the 41st IEEE Symposium on Foundations of Computer factorization of |Bm|. If not, we can always use Shor’s Science, 2000. quantum algorithm for INTEGER FACTORIZATION to get the [6] K. Friedl, G. Ivanyos, F. Magniez, M. Santha, and P. Sen, “Hidden translation and orbit coset in quantum computing,” in Proceedings of e1 ··· er ≤ ≤ prime factorization p1 pr . For 1 i s, compute the 35th ACM Symposium on the Theory of Computing, 2003, pp. the order of gi. This can be done using Watrous’s quantum 1–9. [7] S. Fenner and Y. Zhang, “Quantum algorithms for a set of group- theoretic problems,” in Proceedings of the Ninth IC-EATCS Italian Conference on Theoretical Computer Science, Siena, Italy, 2005, pp. 215–227, lecture notes in computer science No. 3701. [8] L. Babai, R. Beals, and A. Seress, “Polynomial-time theory of matrix groups,” in Proceedings of the 41st annual ACM symposium on Theory of computing, ser. STOC ’09, 2009, pp. 55–64. [9] P. Holmes, S. Linton, E. O’Brien, A. Ryba, and R. Wilson, “Con- structive membership in black-box groups,” Jounal of Group Theory, vol. 11, pp. 747–763, 2008. [10] W. Burnside, Theory of Groups of Finite Order. Dover Publications, Inc, 1955. [11] G. Ivanyos, F. Magniez, and M. Santha, “Efficient quantum algorithms for some instances of the non-abelian hidden subgroup problem,” in Proceedings of 13th ACM Symposium on Parallelism in Algorithms and Architectures, 2001, pp. 263–270.