[Quant-Ph] 8 Feb 2021 Ups That Suppose H W Rbesaeqatmplnmal Equivalent

Home , Hidden subgroup problem

arXiv:2102.04171v1 [quant-ph] 8 Feb 2021 ups that suppose h w rbesaeqatmplnmal equivalent. polynomially quantum are problems two the showed Hoyer ie rceacs to access oracle given h idnsbru rbe ossso nt group finite a of consists problem subgroup hidden The a h state the map h state the ae rbe,wihi sflfreapewe eaedaigwt the c form with a the dealing is of are we latter groups when in the example problem and for subgroup one useful is first which the problem, of lated instances are algorithm quantum ysvrlatossneSo’ icvr fecetfcoigan factoring efficient of intensively discovery algorithms been Shor’s arithm have since problems authors shift several hidden by and subgroup hidden The Introduction 1 group aelf oe of coset left same nt set finite a ntehde hf rbe eaegvnafiiegroup finite a given are we problem shift hidden the In a evee sa ntneo h idnsbru rbe with problem subgroup hidden the of instance an group as abelian viewed finite be a can have we if example, For and f some n w functions two and E UNU LOIH O H IDNSHIFT HIDDEN THE FOR ALGORITHM QUANTUM NEW A : G f → sasbotn nisrcrieses aigi oeefficien more us it can making them steps, solve recursive to its hidden made in and algorithms subroutine shift main a hidden the as the of of one case since general too, the in tool useful h aewhen case the nyue udai lsia,adlna unu pc in space quantum linear and classical, quadratic uses only o h idnsitpolmfrgop fteform the of groups for problem shift hidden the for s H : ∈ G S nti ae emk tptwrsatm n pc ffiin al efficient space and time a towards step a make we paper this In = ¨ t¨ sLradUiest,11 uaet PázmányEötvös Budapest, Pé 1117 Loránd University, | ′ x G uhthat such → i| { S (0 uhthat such 0 f [2] S i { ⊂ | , x secetycmual rta ehv noracle an have we that or computable efficiently is 0) to htteei euto nteohrdrcina el therefore well, as direction other the in reduction a is there that ie with given i| H , 0 [7] k 0 | f ( i x ete a that say then We . s, , 0 sapwro ,wihhsplnma unn iein time running polynomial has which 2, of power a is ayo h rbesta aea xoetal faster exponentially an have that problems the of Many . i| 1 f f , to 1) } f ( f 1 l x f ( (this , | } 0 x x = ) 0 : oi efind we if so , ( ) i| G and x i f . = ) f i f → uaet 15 Hungary 1185, Budapest, RBE IN PROBLEM ( ( [email protected] eray9 2021 9, February ( ,i x, x y f l ) S EGL CS GERGELY fadol if only and if ) 1 f i scle h noiglnt)adafunction a and length) encoding the called is ohijcieadw nwta hr exists there that know we and injective both , hc r ntr transforms unitary are which , = ) . 1 ( Abstract xs f o every for ) i f H ( x ie h subgroup the hides ecndetermine can we , 1 G .Te h function the Then ). Z ⋊ AJI ´ G x Z 2 hntehde hf problem shift hidden the then , , 2 n and x t G Z ∈ k n abelian. y egv ouinto solution a give We . G G r oheeet fthe of elements both are h aki ofind to is task The . nt set finite a , n G nsm instances. some in t e sétányter 1/A ugopproblems subgroup log( subgroup a , H s hsalgorithm this e k o.Etne and Ettinger too. utemr we Furthermore . .I a ea be can It ). f iceelog- discrete d ie h sub- the hides U G gorithm f U S 0 n ′ f U , and , = { ⊂ oeyre- losely mapping f H G studied 1 hidden that , 0 ⋊Z ≤ , 1 } G s 2 l , , , , There has been a massive amount of research regarding these problems, however an efficient solution to the general case has not yet been discovered and is starting to seem impossible. But in some special cases we can at least give some algorithms, that are quite more efficient than the brute force search, which is generally the only classical solution. For example when G is abelian, then we can solve the hidden subgroup problem in polynomial time, but the hidden shift problem seems more difficult even in this case. The hidden shift problem, although not as general as the hidden subgroup problem, is still very useful in a lot of areas. For example, as Regev showed[6], the case when G = Zn (which corresponds to the hidden subgroup problem in the dihedral group) is important, because an efficient fault tolerant algorithm for this would break a primitive from lattice based cryptography. Another relevant aspect for the hidden shift problem is that it is recursively used by an algorithm of Friedl et al.[3] which is one of the most important algorithms for the hidden subgroup problem (it can be used to solve the hidden shift problem as well), because it works efficiently for a reasonably large class of groups, namely solvable groups with constant exponent and constant derived length. It introduces a new problem called Translating Coset, which is a generalization of both the hidden subgroup and the hidden shift problems and then the authors show that this Translating Coset in any finite solvable group G and for any normal subgroup N of G is reducible to the Translating Coset in G/N and in N. The hidden shift problem comes into the picture, because the algorithm used to solve Translating Zn Coset uses an algorithm for the hidden shift problem in p as a subroutine. So more efficient algorithms for the hidden shift problem in these cases or efficient Zn algorithms for a larger class of groups, for example pt would mean a more efficient solution in the general case too, the latter because then the algorithm could save t 1 recursive calls. Our paper adresses this problem and gives an − Zn efficient solution to the case when G = 2t . Generally there are two main algorithms for the hidden shift problem. The first [4] (√log G ) one is Kuperberg’s , which solves the problem in 2O | | time and space. It is currently considered the best algorithm for the general case of the problem. Although Kuperberg’s algorithm used exponential space, Regev made a modified version, which uses a pipeline of routines, each waiting until it gets enough objects from the previous one and reduces the space complexity to only polynomial in log G . | | The other is the previously mentioned FIMMS algorithm of Friedl et al.[3] Its √log(s) (e) r running time is ((log G +e+2 )O log(1/ε)) (see Ref. [3] Theorem 4.13), | | if G has a subnormal series of length r, where each factor is either elementary abelian of prime exponent bounded by e or is an abelian group of order at most s and ε is the allowed error probability. So it works efficiently in solvable groups with constant exponent and constant derived lenght. The space complexity is exponential, because the algorithm has to have all the states it needs at the beginning, because making further copies would violate

2 the no cloning theorem. In this paper we give a new algorithm, that solves the hidden shift problem in Zn 2t . It combines some ideas from previous algorithms to achieve both polynomial space complexity and polynomial running time in n. So it is faster than Kuperberg’s algorithm in some cases, for example when t is constant, or is asymptotically small compared to n. The FIMSS algorithm has similar running time, but its exponential space complexity is a lot worse than our quadratic space need. So ours is the first algorithm for the hidden shift problem in groups Zn of the form k , that has both polynomial running time in n and polynomial Zn space complexity (apart from Simon’s algorithm for the case G = 2 ). We hope its ideas can be extended to make more general algorithms with similar efficiency. Oddly enough, space complexity hasn’t had too much attention in the litera- ture of quantum computing, despite the fact that even if we can build quantum computers, that can work like the mathematical model we use to describe them, they probably won’t have too much space to operate with, especially in the beginning, because the more qubits we have, the more difficult to maintain the quantum states of qubits and prevent errors, decoherence and unwanted enta- glement, so it’s important to make algorithms, that will be able to run with these limitations. Now we state our main result:

Theorem 1. There is a quantum algorithm, that solves the hidden shift problem n 3 (t+2) 1 in Z t with success probability 1 ε (for any ε> 0) in (t (n+1) l) log(ε− ) 2 − O time and (tn2 + l) classical and (tn + l) quantum space. O O The structure of this paper is the following. In Section 2 we describe the new algorithm in details. In Section 3 we analyse the algorithm as well as prove its correctness and clarify some of the methods mentioned in Section 2. In the end of Section 3 we give a modiﬁed version of our algorithm that runs with coset states as input. Zn It turns out that the FIMSS algorithm can be tailored for the special case 2t to achieve very close running time to our method’s, although the space complexity remains exponential in t. We outline such a version of the FIMSS in Section 4.

2 The new algorithm

In this section we present the algorithm for solving the hidden shift problem Zn Zn ⋊ Z in 2t or equivalently the hidden subgroup problem in 2t 2, with hidden n subgroup H = (0, 0), (s, 1) and f : Z t ⋊ Z S, f(x, i) = fi(x). It has { } 2 2 → some of its main ideas based on Kuperberg’s subexponential-time algorithm[4] for solving the dihedral hidden subgroup problem in Z2t ⋊ Z2. Although it becomes exponential in t, it is only polynomial in n, so in the case when t is

3 constant or n is asymptotically large compared to t, it is more eﬃcient than Kuperberg’s general algorithm for this problem.

Algorithm: Input: N,n Z, where N =2t. ∈ Zn ⋊ Z l Oracle input: f : 2t 2 S 0, 1 , hiding H = (0, 0), (s, 1) for some n → ⊂{ } { } s Z t . ∈ 2 Output: s.

First, we prepare a state in 0(tn+1+l) . Then we apply Hadamard operations | i to the ﬁrst tn + 1 qubits to achieve the uniform superposition state:

1 l X ( x 0 + x 1 ) 0 . √ tn+1 | i| i | i| i | i 2 x Zn ∈ 2t

We then apply the unitary transform Uf (which maps the state Z 0 to | i| i Z f(Z) ) to get: | i| i 1 X ( x 0 f(x, 0) + x 1 f(x, 1) ). √ tn+1 | i| i| i | i| i| i 2 x Zn ∈ 2t We then measure the last l bits and assuming we measured f(x, 0) for some n x Z t , then omitting the last l bits the state becomes: ∈ 2 1 ( x 0 + x + s 1 ). √2 | i| i | i| i Zn Next we use a quantum Fourier-transform (QFT) over 2t to obtain the state:

1 2πihu,xi 2πihu,x+si X (e N u 0 + e N u 1 ), √ tn+1 | i| i | i| i 2 u Zn ∈ 2t which can be written as:

1 2πihu,xi 2πihu,si X e N u ( 0 + e N 1 ). √ tn+1 | i⊗ | i | i 2 u Zn ∈ 2t Then, after a measurement on the ﬁrst tn qubits, we will obtain a state similar to the ones in Kuperberg’s algorithm:

1 2πihu,si φu = 0 + e N 1 , | i √2| i | i with the value of u being known. Then we generate n+1 of them the same way. The rest of the algorithm will go as follows:

4 Step 1 Having (n +1) of the u-s, we can find coefficients a1,...,an+1 0, 1 , n+1 ∈ { } such that Pi=1 aiui 0 (mod 2), because any n + 1 vectors have to be lin- Z≡n early dependent in 2 . If there are more than one option for the choice of a = (a1, ..., an+1), then we will select one randomly with equal probabilities (the method will be clarified in the next section).

Step 2 Using Kuperberg’s method (see Section 4), from two states φu and | i φu′ with a suitable measurement we can extract a state φu+u′ or φu u′ | i | i | − i with equal probabilities. With that technique we will ”add” the φu states | i (1) corresponding to those ai-s, that were equal to 1 to get φv(1) states, where v | i Zn Zn has coordinates divisible by 2 and is uniformly distributed over 2 2t = 2t−1 (as we will show later). Since u + u′ and u u′ have the same parity, obtain- (1) n+1 − ing v = εiui, εi 1, 1 instead won’t be a problem, as it will be Pi=1 ∈ {− } congurent to 0 and the uniformity will remain too, as we will see.

Step 3 We divide each of the achieved sums by 2 to obtain an other sample (1) v(1) of u = 2 -s. When we are out of u-s we will generate another n + 1, until we have n +1 of (1) u -s and φ (1) -s too. | v i We repeat Step 1, Step 2 and Step 3 with the new sample of u(1)-s, then with (2) (t 1) u -s, and so forth, until we have a sample of (n + t) u − elements, uniformly Zn distributed over 2 . Notice that we use a pipeline like routine similar to Regev’s[5], so at each level we wait until we have enough states for the next step, so this way we won’t need more than n(t 1) + n + t = nt + t states at the same time ever during − the algorithm.

1 P si Step 4 The ﬁnal φ (t−1) states are of the form ( 0 + ( 1) i∈I 1 ), where | v i √2 | i − | i (t 1) t 1 = i 1, ..., n +1 : vi − = 2 − , because if we add the original u-s I { ∈ { (t 1)} } contained in each u − , then the sums will consist of elements, that have each t 1 of their coordinates either 0 or 2 − . So now a measurement in the basis |±i (the one with basis vectors 1 ( 0 + 1 ) and 1 ( 0 1 )) reveals the parity of √2 | i | i √2 | i − | i Pi si. And with (n + t) states, we will have n linearly independent equations ∈I 1 with probability very close to 1 (This probability is at least (1 t ), since its − 2 1 P r(any n are linearly dependent) 1 2nP r( every point are from a given − n ≥ − n 1 n+t 1 (n 1)-dimensional subspace of Z )= 1 2 ( ) =1 t ), so we can deter- − 2 − 2 − 2 mine the vector s (mod 2).

Zn ⋊ Zn Step 5 Knowing s (mod 2) we can pass on to a subgroup G1 of 2t 2 Zn ⋊ Zn isomorphic to 2t−1 2 containing each possible hidden subgroup H (we will give the detailed method in the next chapter) and repeat the algorithm from step 1 for G1 to obtain s (mod 4), then for G2,...,Gt 1 to get the exact value −

5 of s. The probability that we can determine s (mod 2i), for every i =1, ..., t is t t 1 1 at least (1 2− ) . So (log(ε− )) applications is enough to obtain s with − ≥ 2 O 1 ε probability − In order to achieve the linear quantum space usage of our algorithm, notice that the ϕu states only require one qubit and it’s the u vectors and the calcu- | i lations with them that require the most space. But since the u vectors can be described by classical bits and the calculation with them can be done on a classical computer we can just do this part of our algorithm on a classical computer and only use the quantum computer to create, add and measure the ϕu -s. We | i can even store the u-s and ϕu -s in an array such that the i-th cell of the array | i of the classical machine contains ui and the i-th cell of the quantum computer’s array contains ϕu , so we can trace back what ϕu -s to add. Therefore after | i i | i we created a (u, ϕu ) pair in (nt + l) space, we can copy this classical u to | i O a classical computer and use the same storage for creating the next pair only excluding the one qubit that ϕu uses. So generating (n) pairs can be done | i O with (nt + l) quantum space and so does the whole algorithm. O 3 Analysis of the algorithm 3.1 The methods and theorems needed In this section we will give details of the methods used in our algorithm, as well as prove some lemmas needed for its correctness. First we will prove, that in step 2 we get a uniformly random element from Zn 2t−1 indeed.

Zn Lemma 1. Let u1, ..., un+1 be a uniformly random sample from 2t , and let n+1 A = a = (a , ..., an ) = (0, ..., 0) : aiui 0(mod 2), ai 0, 1 . { 1 +1 6 Pi=1 ≡ ∈ { ± }} Furthermore, choose an a A randomly (each with equal probabilities). Then Pn+1 a u ∈ i=1 i i Zn 2 is an uniformly random element from 2t−1 .

Proof Notice that for any = 1, ..., n+1 the sum Pi εiui, εi 1, 1 ∅ 6 I⊂{Zn } ∈I ∈ {− } is a uniformly random element from 2t , because adding or subtracting the last ui can yield any vector with equal probabilities, since ui is uniformly random. Zn Next, let x be an arbitrary element in 2t−1 . Then

aiui P (P = x)= P ( aiui =2x)= P ((A B ) (A B ) ... (Am Bm)), 2 X 1 ∩ 1 ∪ 2 ∩ 2 ∪ ∪ ∩

where Ai is the event that we choose the i-th element of A (after ordering A’s

elements some way) and Bi is the event j aj uj = 2x , where consists {P ∈J } J of those j-s, for which aj = 1 in the i-th element of A. ± Now observe, that the probability of Bi doesn’t depend on the choice of x

6 and that ﬁxing ui-s for some 1, .., n +1 , the rest of the ui-s will be J ⊂{ } independent of that, and because the probability that we choose a given vector a only depends on the parity of the coordinates of the ui-s (since it only depends on what elements will A consist of) and they have the same distribution in ui : i for any x, the probability of the events Ai Bi will be independent { ∈J} ∩ of x too. That means, for each pairwise disjunct event Ai Bi the probability Zn ∩ will be same for any y 2t−1 . ∈ Zn So we could substitute the Bi-s with j uj =2y for any y 2t−1 , thus {P ∈J } ∈

P (X aiui =2x)= P (X aiui =2y) concluding the proof.

For the sake of completeness, we state a more general theorem:

Theorem 2. Let p be any prime, k N, and u1, ..., un+1 a uniformly ran- n ∈ n+1 dom sample from Z t . Let A = a = (a , ..., an ) = (0, ...0) : aiui p { 1 +1 6 Pi=1 ≡ 0 (mod p),ai (p 1), ..., 1, 0, 1, 2, ..., p 1 . Then, if we choose an a A P a∈iu {−i − − − }} Zn ∈ randomly, p will be a uniformly random element from pk−1 .

Proof The proof is very similar to the previous case, only here we will have more Ai Bi events. For clarity, here Bi is the event Pj aj uj = px , for ∩ Zn { ∈J } a given x k−1 , and consists of those j-s, for which aj = 0 in the i-th ∈ p J 6 element of A. The independence from x will follow from the same argument 2 and the fact that aiui pxi (mod p ) will have a unique solution in ui for ≡ any ai (p 1), ..., 1, +1, .., p 1 and xi Zpk−1 , because there exists a ∈ {− − − 2 − } ∈ solution if and only if gcd(ai,p ) pxi, which is trivially true, and the number 2 | of solutions has to be gcd(ai,p ), which will always be 1, because p is prime. (So we can choose 1 ui freely and then the last one will be determined |J | − uniquely, so we have the same number of solutions for any x.)

Next, we will give a method to get a uniformly random element from A: Observe, that aiui 0 (mod 2) can be easily transformed to a set of lin- P ≡ ear equations over Z2, thus we can use Gaussian elimination to achieve echelon form. Once that is done, we will count the free variables. Let k be the number we got. Then we choose a random element from 0, 1 k 0k, and assign the { } \ free variables 0 or 1 accordingly. (If we would let all free variables to be 0, then the ﬁxed ones had to be 0 too). Since any chosen element will correspond to a unique a A and any a A is achievable this way (because it has to be a ∈ ∈ solution), this method will give a uniform a A indeed. ∈ Zn Now we will clarify how we can move to a subgroup of 2t once we know the parity of s.

7 n Lemma 2. Let G = Z t ⋊ Z and let f : G S be a function hiding the 2 2 → subgroup H = (0, 0), (s, 1) . Then, if we know s (mod 2), we can reduce the { } n problem to a subgroup K G isomorphic to Z t ⋊ Z . ≤ 2 −1 2 Zn Proof Let s2 denote s (mod 2). For each possible vector s2 2 , let Ks2 n ∈ be the subgroup (2x, 0), (y, 1) : x Z t , y s (mod 2) , y s (mod 2) { ∈ 2 −1 ≡ 2 } ≡ 2 meaning that yi s2i (mod 2) for every i =1, ..., n. ≡ nt Observe that each Ks2 has 2 elements, closed under multiplication and that Zn ⋊Z the map φ : Ks t−1 , φ(2x, 0)=(x, 0), φ(s , 1) = (0, 1), φ(2x+s , 1) = 2 → 2 2 2 2 (x, 1) is both a bijection and a homomorphism, so it is an isomorphism.

Furthermore, each Ks2 contains every possible subgroup of the form H = (0, 0), (s′, 1) with s′ s (mod 2) and none with s′ s, so we can safely { } ≡ 6≡ and uniquely move to one of the Ks2 -s knowing s2.

Remark. An equivalent way to prove Lemma 2 would be if we change f : Zn ⋊ Z Zn ⋊ Z t S to f ′ : t−1 S according to s , with f ′(x, 0) = f(2x, 0) 2 2 → 2 2 → 2 and f ′(x, 1) = f(2x + s2, 1). So now f ′(x, 0) = f(2x, 0) = f(2x + s, 1) = s s2 s s2 s s2 f ′(x + − , 1), hence f ′ hides the subgroup (0, 0), ( − , 1) . Now from − 2 { 2 } 2 (mod 2) we can determine s (mod 4), and so forth.

[4] For completeness, we describe Kuperberg’s method to obtain φu u′ from | ± i φu and φu′ . First, we create the tensor product φu φu′ of the two states, | i | i | i⊗| i which will be

1 2πihu,si 2πihu′,si 2πihu+u′,si ( 00 + e N 10 + e N 01 + e N 11 ). 2 | i | i | i | i Then we apply a CNOT-gate and obtain

1 2πihu,si 2πihu′,si 2πihu+u′,si ( 00 + e N 11 + e N 01 + e N 10 ). 2 | i | i | i | i

′ 1 2πihu+u ,si Now we can measure the second qubit and get either ( 0 + e N 1 )= √2 ′ | i ′ | i 1 2πihu,si 2πihu ,si 1 2πihu−u ,si φu+u′ or (e N 1 + e N 0 ) = ( 0 + e N 1 ) = φu u′ | i √2 | i | i √2 | i | i | − i with equal probability.

3.2 Complexity of our algorithm Now we ﬁnish the proof of Theorem 1 by analysing the time and space required for our algorithm. 3 4 Zn Step 1 requires time (t (n + 1) l) (because the QFT over 2t has complexity 2 O 2 ((nt) ), and has to be done to prepare each φu ) and space (tn + l) (since O | i O we can use the same l qubits for generating each (u, ϕu ) pair) to prepare the | i (n) states needed for the algorithm. As we showed before most of this can O be implemented on a classical computer, so the needed quantum space is only (nt+l). Finding the coeﬃcients ai-s with the above written technique requires O

8 ((n+1)3) time for each (n+1)-tuple, and during step 1 to step 5 we will apply O t 2 t 3 it (n + t)(n + 1) − +(n + t)(n + 1) − +...+(n + t) times, which combined can t+2 be computed in (t(n + 1) ) time. Then, obtaining the (n + t) φv(t−1) -s O t 1 | i can be done with ((n + t)(n + 1) − ) additions, each requiring (1) time (a O O CNOT-gate and a measurement). Step 4, if we have n linearly independent equations, can be solved in ((n + t)3) time too with Gaussian elimination. O Thus, the algorithm computes s (mod 2) in (t3(n + 1)4l)+ (t(n + 1)t+2) 3 t+2 O n nO 3 ≤ (t (n + 1) l) time, and then iterating it for Z t ,...,Z takes (t (n + O 2 −1 2 O 1)t+1l),..., (t3(n + 1)3l) time respectively. So the whole algorithm has running 3 O t+2 3 (t+2) 1 time (t (n + 1) l)(or (t (n + 1) l) log(ε− ), if we need ε error instead O O of 1 ) and requires (tn2 + l) classical and (nt + l) quantum space (step 1 to 2 O O step 5 can be computed in (tn2 +l) classical and (nt+l) quantum space and O O we can use the same space for each iteration as we only need (nt) space to O store the actual values of s, which can be overwritten after each iteration too).

3.3 A modified version of our algorithm with coset-state input Finally, another advantage of our algorithm compared to the FIMSS is that a slightly modified version can be implemented with coset-states as input, which are (in our case) states of the form 1 ( x 0 + x + s 1 ). Its usefulness is that √2 | i| i | i| i it can use these states, even if they are generated by an other source. The modified version of our algorithm is as follows: In the Input we suppose that we have a stream of coset states. We could have all the required states as input, but that would need an exponential amount of space. Then we apply the QFT to these states and follow the steps of the original algorithm. Only the iteration after obtaining s (mod 2i) will be different: i After we know si = s (mod 2 ) we will start with applying a unitary transform U to the coset states, which maps x i x i si i , i =0, 1, and only then | i| i → | − ∗ i| i n use the QFT (U is unitary, since it permutes the basis vectors x i , x Z t , | i| i ∈ 2 i 0, 1 ). ∈{ } So now our φv states will have the form | i

1 2πihv,s−sii ( 0 + e N 1 ) √2 | i | i

i Since s si is divisible by 2 , we only need to repeat the ﬁrst three steps until − (t i 1) we have n + t φv(t−i−1) states, where v − − ’s coordinates are divisible by t i 1 | i t 1 2 − − , because now the scalar product will be a multiple of 2 − . That means, if we measure the state in the basis, we will obtain equations for the parity ± s si of the sum of some coordinates of −2i (the coordinates being the ones for (t i 1) v(t−i−1) which the same coordinate in u − − = 2t−i−1 is odd), so we can determine s si −2i (mod 2) the same way and acquire si+1.

9 Zn 4 A tailored version of the FIMSS for 2t Although running the FIMSS algorithm for the hidden shift problem in groups Zn pt of the form pt would require at least (n )poly(n,t,l) time and space, in Zn O the special case of 2t with appropriate modifications the running time can be lowered to ( (n))t+2poly(n,t,l), so it will be similar to our algorithm’s. O This part is devoted to a more or less self-contained outline of such a modified version. Note however that the space requirements remain exponential in t, so the method of this paper could be a lot easier to implement, therefore it should still be a useful recursive tool for the general case. We start with recalling some basic concepts from Ref. [3] with appropriate simplifications. A simple but important idea is formulating a version of the hidden shift problem that is suitable for taking ”averages” over subgroups and making recursions into factor groups possible. Let Γ be a finite set of mutually orthogonal quantum states and let G be a finite group. A map α : G Γ Γ × → is said to be a group action if for every x G the map αx : φ α(x, φ ) ∈ | i → | | i i gives a permutation of Γ, α is the identity map and αx α −1 = α −1 . We 1G ◦ y xy denote α(x, φ ) by x φ and x φ by G φ . | | i i | · i Px G | · i | · i We assume that the action α is given∈ by an oracle. The single translator problem assumes that G acts (semi-)regularly on Γ and ”sufficiently many” copies of a pair φ , φ from Γ as input. The output should be the el- | 0i | 1i ement x G such that φ = xφ (provided existence). (This problem ∈ | 0i | 1i is a simplification of the more general translating coset problem of Ref. [3] which is for the situation when the action is not semiregular.) To capture the hidden shift problem for a function f : G S consider the superpostion → f = z f(z) . Then the corresponding superposition xf for the shifted | i Pz G | i| i | i function xf∈ : z f(zx) can be obtained by multiplying the first register by 1 7→ 1 x− from the right: z f(zx) = zx− f(z) . Pz G | i| i Pz G | i| i As already mentioned,∈ the input for the ∈single translator problem consists of k k several identical copies of the pair of states. Formally, we have φ ⊗ φ ⊗ | 0i ⊗ | 1i as input for some integer k (which needs to be sufficiently large to get a correct answer with reasonable probability). Our averages will be superpositions of k k orbits on several identical copies of states. Formally, let Γ = φ ⊗ : φ Γ , {| i | i ∈ } the set of products of k identical copies of states from Γ and define αk on k k k k k Γ = φ ⊗ : φ Γ as α (x, φ ⊗ ) = x φ ⊗ . Obviously, if we have an {| i | i ∈ } | i | · i oracle for α (that maps x φ x x φ ) then we can simulate an oracle for | i| i → | i| · i αk too using k queries to the oracle for α. Zn Let us turn to the special case G = 2t . Then we can take a length t Zn subnormal series of G, where each factor group will be isomorphic to 2 and in these groups the subroutine for single translator reduces essentially to Simon’s problem. The algorithm will mostly be the same as the standard FIMSS, so the reader is invited to read Ref. [3] for details omitted here and for further clarification. Let

10 t 1 n q N =2 − G = Z and Fi = φi ⊗ , where q is some integer we set in advance. ∼ 2 | i | i The orbit of a state φ under a subgroup K G is K( φ )= x φ : x K , | i ≤ | i {| · i ∈ } while the orbit superposition is the uniform superposition Kφ = x φ . | i Px K | · i We can modify the exact algorithm of Brassard and Hoyer[1] for∈ Simon’s problem to take q = O(n) identical copies of two quantum states as input in the same way as in Ref. [3] Corollary 3.6 and 3.8. From that we can construct an al- Zn q q gorithm for the single translator problem in N ∼= 2 , that maps x φ ⊗ φ ⊗ 0 q q | · i | i | i to x φ ⊗ φ ⊗ x like the ElementaryAbelianTCS algorithm in Ref. [3]. | · i | i | i Based on this, we give an algorithm for creating the uniform superposition of a given state’s orbit under some group action α of N (so creating the state N φ ). Call it OS(N,α,q,φ). | · i 2q It takes as input φ ⊗ N . | i | i Step 1: Apply the group element in the last register to the ﬁrst q registers:

q q X x φ ⊗ φ ⊗ x | · i | i | i x N ∈ q q Step 2: Apply the translator ﬁnding algorithm (the one that maps x φ ⊗ φ ⊗ 0 q q n | · i | i | i to x φ ⊗ φ ⊗ x ) for Z backwards: | · i | i | i 2 NF F 0 , | i| i| i q q where F = φ ⊗ and NF is the orbit superposition under the action α on | i | i | i N. Now let’s get to the main algorithm: T(G, N, α, q(r + 1)). Zn If t = 1, so G = 2 then we saw that we can solve the problem in time poly(n) for q = O(n). So let us suppose by induction, that we already have an algorithm n n for T(G/N, α, r) (G/N Z t and we present how to solve it in G = Z t using ∼= 2 −1 2 q(r+1) q(r+1) that as a subroutine). The algorithm takes as input φ0 ⊗ φ1 ⊗ 0 2r | i | i | i with ancilla N ⊗ 0 . | i | i

Step 1: We call the algorithm OS(N,α,q,φi) r times on blocks of the form q q φ ⊗ N and r times on blocks φ ⊗ N to get: | 0i | i | 1i | i r r 2r N F ⊗ F N F ⊗ F 0 0 ⊗ 0 . | · 0i | 0i| · 1i | 1i| i| i | i q r r Step 2: We recursively call T(G/N, N, α , r) on N F0 ⊗ N F1 ⊗ 0 (We Zn | · i | · i | i can do it, since G/N ∼= 2t−1 and we already have our algorithm for that for any α group action):

r r 2r N F ⊗ F N F ⊗ F 0 0 ⊗ sN . | · 0i | 0i| · 1i | 1i| i| i | i Step 3: Undo Step 1:

q(r+1) q(r+1) 2r φ ⊗ φ ⊗ 0 N ⊗ sN . | 0i | 1i | i| i | i

11 1 Now, since s φ0 = φ1 s = vu, u N, such that u φ0 = v− φ1 , we | · i | i ⇐⇒ ∈ | Z·n i | · i reduced the problem to a simple hidden shift problem in 2 , so with one more use of the modified Brassard–Hoyer algorithm we can find u, then s. Therefore, because the Brassard-Hoyer algorithm for Simon’s problem only needs q = (n) states to work, then by simple induction we can conclude, that O the algorithm needs ( (n))t states, because one level would need only (n), O t 1 O therefore by induction we have to give (n) blocks of ( (n) − ) states to the O O recursive calls. Then taking in factor that the final Brassard-Hoyer algorithm needs O(n) states too at the end, and that the φi = x fi(x) states each | i Px | i| i take O(nt) qubits, we have that both the space and time complexity of the algorithm will be poly(n,t,l)( (n))t+2, so it should be similar, if not somewhat O slower than our method. The subroutines that the algorithm uses, like the OS can all be implemented in polynomial time, and can be done simultaneously on the blocks, so they don’t really affect the running time.

Acknowledgements

The author would like to thank G´abor Ivanyos for helpful remarks and sugges- tions.

References

[1] G. Brassard and P. Hoyer. “An exact quantum polynomial-time algorithm for Simon’s problem”. In: Proceedings of the Fifth Israeli Symposium on Theory of Computing and Systems. June 1997, pp. 12–23. doi: 10.1109/ISTCS.1997.595153. [2] Mark Ettinger and Peter Høyer. “On Quantum Algorithms for Noncommu- tative Hidden Subgroups”. In: Adv. Appl. Math. 25.3 (2000), pp. 239–251. doi: 10.1006/aama.2000.0699. url: https://doi.org/10.1006/aama.2000.0699. [3] Katalin Friedl et al. “Hidden Translation and Translating Coset in Quan- tum Computing”. In: SIAM J. Comput. 43.1 (2014), pp. 1–24. doi: 10.1137/130907203. url: https://doi.org/10.1137/130907203. [4] Greg Kuperberg. “A Subexponential-Time Quantum Algorithm for the Dihedral Hidden Subgroup Problem”. In: SIAM J. Comput. 35.1 (2005), pp. 170–188. doi: 10.1137/S0097539703436345. url: https://doi.org/10.1137/S0097539703436345. [5] Oded Regev. “A Subexponential Time Algorithm for the Dihedral Hidden Subgroup Problem with Polynomial Space”. In: (July 2004). [6] Oded Regev. “Quantum Computation and Lattice Problems”. In: SIAM Journal on Computing 33.3 (2004), pp. 738–760. doi: 10.1137/S0097539703440678. eprint: https://doi.org/10.1137/S0097539703440678. url: https://doi.org/10.1137/S0097539703440678. [7] Peter W. Shor. “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer”. In: SIAM J. Comput. 26.5 (1997), pp. 1484–1509. doi: 10.1137/S0097539795293172. url: https://doi.org/10.1137/S0097539795293172.