Deterministic Algorithms for the Hidden Subgroup Problem

Home , Hidden subgroup problem

arXiv:2104.14436v1 [cs.DS] 29 Apr 2021 0 nvriyAe . aelo N 2 G,Cnd.Email Canada. 3G1, N2L ON, Waterloo, W., Ave. University 200 uhta o all for that such si mle yte“itdyPrdx:i epick we if Paradox”: “Birthday the algori by classical implied for is bound as lower The required.) are queries nteSmnPolmwt parameter with Problem Simon the In Introduction 1 etyaduiomya admfrom random at uniformly and dently with nasrihfradmne oso hti h loih mak algorithm the if that show to manner straightforward a in o h rbe requires class problem bounded-error the any for that showed and problem, eponymous esyta h ucin“ie”teelement the “hides” function if the that say we es / efidacliin(.. pair a (i.e., collision a find we 3/4 least if civsteaypoial pia lsia ur compl query classical optimal asymptotically the achieves h idnSbru rbe,w r ie h ecito of description the given are we Problem, Subgroup Hidden the o function a for eemn hc ftetocsshls When holds. cases two the of which determine nnw o-rva subgroup non-trivial unknown ru rbe hnteodro h idnsubgroup hidden the of order the when Problem group form Ω eemnsi loihsfrteHde ugopProblem Subgroup Hidden the for Algorithms Deterministic ( x f * 2 ( eateto obntrc n piiain n Institu and Optimization, and Combinatorics of Department − io eindabudderrqatmagrtmwt quer with algorithm quantum bounded-error a designed Simon nti oe eso htteei simple, a is there that show we note, this In h io rbe saseilcs fteHde ugopPro Subgroup Hidden the of case special a is Problem Simon The h admzdagrtmfrteSmnPolmgeneralizes Problem Simon the for algorithm randomized The n x 1 /4 m = ) { atro h pia admzdqeycomplexity. query randomized optimal the group of q non-abelian factor asymptotic for algorithm same The the algorithm. achieves randomized groups abelian for algorithm y 0, ) ∈ ≥ o lsia loihswt ro tmost at error with algorithms classical for nti oe epeetdtriitcagrtm o h Hi the for algorithms deterministic present we note, this In s } f H n ( o oeukonnnzr element non-zero unknown some for y h function The . ntelte ae esyta h ucin“ie”tesubg the “hides” function the that say we case, latter the In . ) h aki odtriewiho h w ae holds. cases two the of which determine to is task The . f : x , G y → ∈ Z { ,1 0, 2 n Ω ehave we , f ( } sete netv,o hr sa nnw o-eoelement non-zero unknown an is there or injective, either is 2 m n hr 2 where , /2 H ) of ure 4.(h ur oe on ttdi h ae is paper the in stated bound lower query (The [4]. queries nvriyo Waterloo of University G f ( n Z x uhta o all for that such X swnNayak Ashwin eaegvna rcefrafunction a for oracle an given are we , m = ) pi 7 2021 27, April 2 n i , if , ≥ X j Abstract | f with f G ( s deterministic y ie oennzr lmn,wt rbblt at probability with element, non-zero some hides n alapi fdsic inputs distinct of pair a call and , | 1 h function The . ) s G fadol if only and if i ∈ 1 2 t , : − j : = : Z = [email protected] efrQatmCmuig nvriyo Waterloo, of University Computing, Quantum for te ∈ 2 2 n x Z − ⌈ egtteSmnProblem. Simon the get we , [ H t , 2 n * 2 n ] y n xt Term2.1). (Theorem exity /2 hsi pia pt osatfactor, constant a to up optimal is thms uhthat such /2 skon n h eutn algorithm resulting the and known, is n h idnsubgroup hidden the and ∈ loih o h io rbe that problem Simon the for algorithm oee,tepofcnb modified be can proof the However, . + oe ihnapolylogarithmic a within comes s G 1 eycmlxt steoptimal the as complexity uery ⌉ ehave we , dnSbru rbe.The Problem. Subgroup dden serra most at error es f x cl(.. admzd algorithm randomized) (i.e., ical elements meitl oteHde Sub- Hidden the to immediately sete netv,o hr san is there or injective, either is nt group finite a + y X lm(e,eg,Rf 3) In [3]). Ref. e.g., (see, blem opeiyO complexity y i ∈ 6 = { f 0, X X roup ( j 1 x s , but } = ) X ntelte case, latter the In . . f 2 H G , . . . , 4 1 f : f tlat2 least at , h aki to is task The . n noracle an and , ( Z ( x X y , 2 n ) i y X = ) ( H fadonly and if → collision a n t indepen- ) so the of is { f s o the for ,1 0, ( ∈ X n /2 j } ) Z − ). m 2 n 1 , has query complexity O( G / H ). When the order is not known, we can use this basic al- | | | | gorithm to design a newp algorithm. The new algorithm has query complexity O( G ) when | | the function is injective, and expected query complexity O( G / H ) when the functionp f hides | | | | some non-trivial subgroup H. Namely, we run the basic randomizedp algorithm above, with error at most 1/4, assuming that the order of the hidden subgroup is at least r, starting from r := G /2. | | If we do not succeed, we halve r, and repeat (until r 1). ≤ We may ask if the Hidden Subgroup Problem also admits a deterministic algorithm that is as efficient as the best randomized one. We answer this in the affirmative when the underlying group is abelian (Corollary 3.6). For non-abelian groups, we present a deterministic algorithm that comes within a polylogarithmic factor, namely O( log G ), of the optimal randomized query | | complexity (Corollary 4.2). All of the algorithms arep based on the construction of a generating pair of subsets of optimal or nearly optimal size for a group (Definition 3.1).

Acknowledgements. A.N. is grateful for the opportunity to teach quantum computation at the undergraduate level, which prompted this work. He is also grateful to Kanstantsin Pashkovich for several helpful discussions, especially for a course-correction midway through this work, and to William Slofstra for a pointer to relevant literature. This research is supported in part by a Discovery Grant from NSERC Canada.

2 The Simon Problem

We start with a simple, deterministic algorithm for the Simon problem that matches the query complexity of the asymptotically optimal classical algorithm. n/2 n/2 Theorem 2.1. There is a deterministic algorithm that makes 2⌊ ⌋ + 2⌈ ⌉ queries and solves the Simon Problem with parameter n. Moreover, if the input function hides the non-zero element s, the algorithm ﬁnds s. Finally, any deterministic algorithm for the problem requires at least q queries, where q is the smallest positive integer such that (q) 2n 1. 2 ≥ − Zn k Proof. Let k := n/2 . Viewing elements of 2 as n-bit strings, we query the function f at all 2 ⌊ ⌋ n k Zk n k k elements of the form u 0 − , where u 2, and at all 2 − elements of the form 0 v, where v Zn k ∈ ∈ 2− . If the function is distinct at all these points, we say f is injective. Otherwise, we say that f is not injective, and output x + y, where x = y and x, y are a colliding pair (i.e., are such that f (x)= 6 f (y)). If the function is injective, the above algorithm outputs the correct answer. Suppose f hides a non-zero element s Zn. Let a be the projection of s onto the ﬁrst k coordinates, and b be the ∈ 2 projection of s onto the last n k coordinates. Then a 0n k + 0k b = s. As f (a 0n k) = f (0k b), the − − − above algorithm detects a collision and computes s correctly. Now consider any deterministic algorithm for the problem that makes t queries such that t 2n 2 . 2 ≤ −

Then we argue that there is an injective function f0, and a function f1 that hides a non-zero element s, such that f0 and f1 agree on all the t elements queried. Suppose the t queries that the algorithm makes are x1, x2,..., xt. We take f0 to be any injective function. Consider the set of elements S := x + x : i, j [t], i = j . We have S (t) 2n 2, so there is at least one non-zero i j ∈ 6 | | ≤ 2 ≤ − element in Zn S. Let s be one such element. By deﬁnition of s, wehave x + s = x for any i, j [t]. 2 \ i 6 j ∈ Thus there is a function f that equals f at all the points x , i [t] and also hides s. 1 0 i ∈

2 Note that for n 2, if (q) 2n 1, we have q2 2n+1 2, and therefore ≥ 2 ≥ − ≥ − (n+1)/2 n 1/2 (n+1)/2 (n 1)/2 q 2 (1 1/2 ) 2 2− − . ≥ − ≥ − Since q is integral, q 2(n+1)/2. The deterministic upper bound in the theorem comes within a ≥ factor of 3/2 of this lower bound. Also note that the upper bound in the theorem is within a factor of 3√2 of the query lower bound for randomized algorithms with error at most 1/4.

3 The Abelian Hidden Subgroup Problem

We now turn our focus to the Hidden Subgroup Problem when the underlying group is abelian. It is not clear how the use of projections in the algorithm presented in Section 2 may be extended to this case, let alone to the non-abelian case. The issue is that the given abelian group may be the product of cyclic groups with vastly different orders. We give a different extension of the algorithm, which combines several ways of expressing an abelian group as a sum of two subsets. More formally, the basic idea behind the algorithm in Theorem 2.1 is to finda pair of sets S1, S2 of elements of the group G such that S , S O( G ) and S + S = G, where S + S := | 1| | 2| ∈ | | 1 2 1 2 x + y : x S , y S . (Here, ‘+’ denotes the groupp operation.) We explain how such a pair of { ∈ 1 ∈ 2} sets may be constructed in a few cases. Together, they yield a construction for a general abelian group. Definition 3.1. For any group G, we say a pair S , S G is a generating pair for G if the set S S := 1 2 ⊆ 1 2 xy : x S , y S equals G. { ∈ 1 ∈ 2} We start with the construction of a generating pair for a cyclic group. Lemma 3.2. Let n be an integer greater than 1, and let m := √n . There is a generating pair S , S ⌈ ⌉ 1 2 for Z such that S = m and S n/m + 1. If n is a perfect square, the pair further satisfies S = n | 1| | 2| ≤ ⌊ ⌋ | 1| S = √n. | 2| Proof. We use the Division Algorithm to find such subsets. If we choose a divisor m that roughly equals √n, then the number of different remainders and quotients we get when we divide non- negative integers less than n are both roughly √n. Let m := √n , let S := 0,1,2,..., m 1 , and let S := mi : 0 i < n/m . The sub- ⌈ ⌉ 1 { − } 2 { ≤ } sets S1, S2 satisfy the required properties. Next, we consider a product of two cyclic groups whose orders are both odd powers of the same prime number. Lemma 3.3. Consider the group G := Z Z , where n := pk,m := pl, p is prime, and k, l are positive n × m odd integers. There is a generating pair S , S for G such that S = S = √nm. 1 2 | 1| | 2| Proof. W.l.o.g., assume that k l. Let q := p(k+l)/2. Note that 0 < q = √nm < n. Consider ≥ S := Z 0 , and 1 q × { } S := iq : 0 i < n/q Z . 2 { ≤ } × m By the Division Algorithm, we have

Z + iq : 0 i < n/q = Z . q { ≤ } n So S + S = G. Moreover, we have S = q = √nm =(n/q) m = S . 1 2 | 1| × | 2|

3 We may combine the generating pairs for two groups to obtain one for their direct product. While we state the lemma below with the notation for abelian groups, it also holds for non-abelian groups.

Lemma 3.4. Consider a product group G := G G . Suppose S , S is a generating pair for G , 1 × 2 1 2 1 and T , T is a generating pair for G . Then (S T ), (S T ) is a generating pair for G. 1 2 2 1 × 1 2 × 2 Proof. Any element g G may be expressed as g + g , where g S and g S . Similarly, ∈ 1 1 2 1 ∈ 1 2 ∈ 2 any element h G may be expressed as h + h , where h T and h T . Then (g, h) = ∈ 2 1 2 1 ∈ 1 2 ∈ 2 (g , h )+(g , h ) (S T )+(S T ). 1 1 2 2 ∈ 1 × 1 2 × 2 The construction for a general ﬁnite abelian group combines the above building blocks.

Theorem 3.5. For any ﬁnite abelian group G with order n, there is a generating pair S1, S2 for G such that S and S are both at most 2√n. | 1| | 2| Proof. By the fundamental theorem of abelian groups, any ﬁnite abelian group G may be expressed as a product of cyclic groups of prime power order:

G = Z k Z k Z k , (3.1) 1 p 2 l ∼ p1 × 2 ×···× pl where the integers p are primes, not necessarily distinct, and the integers k 1 for all i [l]. We i i ≥ ∈ prove the lemma by strong induction on l, the number of cyclic groups in a decomposition of G. If l = 1, the statement follows from Lemma 3.2. Suppose the statement holds for all ﬁnite abelian groups which have a decomposition as above with at most m cyclic groups, for some m 1. Suppose l := m + 1, and consider a group G with ≥ order n and a decomposition with l cyclic groups as in eq. (3.1). Z Suppose for some i [l], the integer ki is even. Let r be such an index. We let G1 := kr ∈ pr and G the product of the remaining cyclic groups so that G = G G . By Lemma 3.2, there is 2 ∼ 1 × 2 a generating pair S , S for G such that S = S = √n , where n := p kr . By the induction 1 2 1 | 1| | 2| 1 1 r hypothesis, there is a generating pair T , T for G such that T , T 2√n , where n := G . 1 2 2 | 1| | 2| ≤ 2 2 | 2| By Lemma 3.4, we get a generating pair (S T ), (S T ) for G such that S T , S T 1 × 1 2 × 2 | 1 × 1| | 2 × 2| ≤ 2√n1n2 = 2√n . Suppose for all i [l], the integers ki are odd. Suppose for some i, j [l], i = j, we have pi = pj. ∈ Z Z ∈ 6 Let r, s be such a pair of indices. We let G1 := kr ks and G2 the product of the remaining pr × ps cyclic groups so that G = G G . By Lemma 3.3, there is a generating pair S , S for G such ∼ 1 × 2 1 2 1 that S = S = √n , where n := p kr p ks . By the induction hypothesis, there is a generating | 1| | 2| 1 1 r s pair T , T for G such that T , T 2√n , where n := G . By Lemma3.4, we geta generating 1 2 2 | 1| | 2| ≤ 2 2 | 2| pair (S T ), (S T ) for G such that S T , S T 2√n n = 2√n . 1 × 1 2 × 2 | 1 × 1| | 2 × 2| ≤ 1 2 Suppose for all i [l], the integers k are odd, and the primes p are all distinct. Then, by the ∈ i i Chinese Remainder Theorem, we have G ∼= Zn. The statement now follows from Lemma 3.2, by noting that for n 2 we have √n 2√n and √n + 1 2√n . ≥ ⌈ ⌉≤ ⌊ ⌋ ≤ The algorithm for the abelian Hidden Subgroup Problem follows directly from the existence of a suitable generating pair for the underlying group.

Corollary 3.6. There is a deterministic algorithm with query complexity at most 4√n that solves the Hidden Subgroup Problem over an abelian group G with order n. Moreover, if the input function hides the non-trivial subgroup H, the algorithm ﬁnds all the elements of H.

4 Proof. By Theorem 3.5, there is a generating pair S , S for the group G such that S , S 2√n . 1 2 | 1| | 2| ≤ We query the oracle function f at x for all x S and at all elements y S . If the function − ∈ 1 ∈ 2 is distinct at all these points, we say f is injective. Otherwise, we say that f is not injective, and output x + y : x S , y S , f ( x)= f (y) . { ∈ 1 ∈ 2 − } If the function is injective, the above algorithm outputs the correct answer. Suppose f hides the non-trivial subgroup H. Let h H be any element of the hidden subgroup. We have h = h + h ∈ 1 2 for some h S and h S . By deﬁnition of H we have f ( h ) = f (h ), and the above 1 ∈ 1 2 ∈ 2 − 1 2 algorithm detects a collision and computes H correctly.

Note that we can get upper bounds with better constants for certain abelian groups by appeal- ing to the properties of the generating pair constructed in Theorem 3.5. As the Simon Problem is a special case, Theorem 2.1 implies that in the worst case, these upper bounds are tight up to the constant factor.

4 The General Hidden Subgroup Problem

Finally, we consider the Hidden Subgroup Problem for a general ﬁnite group. Non-abelian groups are more varied in structure than abelian ones, and it appears challenging to extend the ideas used in the abelian case to them. Instead, we resort to a probabilistic argument to show the existence of a generating pair of small size. The construction comes within a poly-logarithmic factor of optimal, and leads to our ﬁnal algorithm.

Theorem 4.1. For any ﬁnite group G with order n (with n > 1), there is a generating pair S1, S2 for G such that S and S are both at most √n ln n . | 1| | 2| Proof. We let S := g , g ,..., g , any subset consisting of t distinct group elements, where t := 1 { 1 2 t} √n ln n . Let R := h , h ,..., h be an set of t distinct group elements chosen uniformly at { 1 2 t} random from the collection of t-subsets of G. Denote the set of products of elements from S1 and R by S R. That is, S R := xy : x S , y R . 1 · 1 · { ∈ 1 ∈ } We show that for any ﬁxed element g G, the probability that g S R is less than 1/n. ∈ 6∈ 1 · 1 Pr(g S R) = Pr( i [t], g− g R) 6∈ 1 · ∀ ∈ i 6∈ 1 n t n − = − t t (n t)(n t 1)(n t 2) (n 2t + 1) = − − − − − · · · − n(n 1)(n 2) (n t + 1) − − · · · − t t t t = 1 1 1 1 − n − n 1 − n 2 · · · − n t + 1 − − − t t < 1 − n t2 < exp − n 1 . ≤ n (Here, we have used the property that t > 1 in deriving the strict inequality.) By the Union Bound, the probability that S R = G is strictly less than 1. So there is a subset S 1 · 6 2 of size t such that S S = G. 1 · 2

5 A similar result may be derived from a result due to Babai and Erd¨os [1], but this gives us a generating pair with size 2 n log2 n . As before, the algorithmp for the general Hidden Subgroup Problem follows directly from the existence of a suitable generating pair for the underlying group.

Corollary 4.2. There is a deterministic algorithm with query complexity at most 2 √n ln n that solves the Hidden Subgroup Problem over an arbitrary group G with order n. Moreover, if the input function hides the non-trivial subgroup H, the algorithm ﬁnds all the elements of H.

Proof. By Theorem 4.1, there is a generating pair S , S for the group G such that S , S 1 2 | 1| | 2| ≤ √n ln n . We query the oracle function f at x 1 for all x S and at all elements y S . If − ∈ 1 ∈ 2 the function is distinct at all these points, we say f is injective. Otherwise, we say that f is not injective, and output xy : x S , y S , f (x 1)= f (y) . ∈ 1 ∈ 2 − If the function is injective, the above algorithm outputs the correct answer. Suppose f hides the non-trivial subgroup H. Let h H be any element of the hidden subgroup. We have h = h1h2 ∈ 1 for some h S and h S . By deﬁnition of H we have f (h− )= f (h ), and the above algorithm 1 ∈ 1 2 ∈ 2 1 2 detects a collision and computes H correctly.

We can obtain explicit, optimal algorithms for certain classes of non-abelian groups. For example, if a group G of order n has a subgroup H of order Θ(√n ), then we can construct a generating pair S1, S2 of size Θ(√n ) by taking S1 := H and S2 to be a complete set of coset representatives of H. In fact, in this case, the group satisﬁes a stronger property; see the construction of Cayley- Sudoku tables by Carmichael, Schloeman, and Ward [2]. Not all groups have a subgroup of such size. For example, the abelian group Zp for a prime p does not have such a subgroup, and yet admits a suitable generating pair.

5 Open problems

We conclude with a few open problems. There is an optimal randomized algorithm for the Hidden Subgroup Problem that has instance-optimal query complexity. Is there a similar deterministic algorithm that has query complexity O( G / H ) when the oracle hides H? | | | | There are a number of variants of thep Hidden Subgroup Problem, for example, when the underlying group is speciﬁed implicitly. These may also admit deterministic algorithms with optimal classical query complexity. The precise characterization of the deterministic query complexity of the Hidden Subgroup Problem for (explicitly speciﬁed) general non-abelian groups is perhaps the most interesting problem left open by this work. A related question is whether there is a generating pair of size O(√n ) any non-abelian group of order n.

References

[1] LászlóBabai and Paul Erdös. Representation of group elements as short products. In Peter L. Hammer, Alexander Rosa, Gert Sabidussi, and Jean Turgeon, editors, Theory and Practice of Combinatorics, volume 60 of North-Holland Mathematics Studies, pages 27–30. North-Holland, 1982.

[2] Jennifer Carmichael, Keith Schloeman, and Michael B. Ward. Cosets and Cayley-Sudoku tables. Mathematics Magazine, 83(2):130–139, 2010.

6 [3] Andrew M. Childs and Wim van Dam. Quantum algorithms for algebraic problems. Reviews of Modern Physics, 82:1–52, January 2010.

[4] Daniel R. Simon. On the power of quantum computation. SIAM Journal on Computing, 26(5):1474–1483, 1997.