Quantum Algorithm for Decomposing Black-Box Finite Abelian Groups Yong Zhang Department of Computer Science, Kutztown University of Pennsylvania, Kutztown, PA 19530 Abstract— Cheung and Mosca [1] gave an efficient quan- to a quantum algorithm for the HIDDEN SUBGROUP problem tum algorithm for decomposing finite abelian groups in a where the given group G is abelian. In the case when G is unique-encoding group model. We present another efficient non-abelian, the HIDDEN SUBGROUP problem generalizes quantum algorithm for this problem in a more general model, other well-known problems such as GRAPH ISOMORPHISM. the black-box group model, where each group element is not However, the non-abelian case is much harder to solve and necessarily uniquely encoded. remains a major challenge in quantum computation. Before one can efficiently implement QFT to solve the Keywords: quantum computation, black-box group model abelian HIDDEN SUBGROUP problem, the decomposition of the given abelian group G must be known. Cheung and Mosca [1] first studied the problem of decomposing finite 1. Introduction abelian groups. They gave an efficient quantum algorithm for this problem. However, one of their assumptions is that Any finite abelian group G can be decomposed into each element of the input group G is uniquely represented the direct sum of cyclic subgroups of prime power order. by a binary string. In another word, their quantum algorithm However, given a set of generators for G, no efficient only works for a unique-encoding group model. classical algorithm is known to find the decomposition of G, i.e., find generators for the cyclic subgroups of G. This In this paper we study the problem of decomposing finite abelian groups in a more general group model — the black- problem is at least as hard as INTEGER FACTORIZATION – finding nontrivial factors of a given integer N is equivalent box group model. In the black-box group model elements to finding the decomposition of the (finite abelian) group of the input group G are not necessarily uniquely encoded. Z∗ , the multiplicative group of integers modulo N. The black-box group model was first introduced by Babai N and Szemerédi [3] as a general framework for studying algo- Decomposing finite abelian groups plays an important rithmic problems for finite groups. It is a widely used model role in quantum computation, the study of the information in computational group theory and quantum computation processing tasks that can be accomplished using quantum [4], [5], [6], [7], [8], [9]. This non-unique encoding feature mechanical systems. We call an algorithm that is defined enables this model to handle factor groups [3]. A factor over a traditional computational model a classical algorithm group (also known as quotient group) is a group obtained and an algorithm that is defined over a quantum computa- by identifying together elements of a larger group using tional model a quantum algorithm. an equivalence relation. In this paper we give an efficient quantum algorithm for decomposing finite abelian groups in In 1994 Shor [2] presented polynomial-time quantum the black-box group model. algorithms for two important problems INTEGER FACTOR- IZATION and DISCRETE LOGARITHM. No efficient classical algorithms are known for these two problems. These two 2. Perliminaries problems are widely believed to be hard on classical com- puters; their hardness are the basic assumptions for several In this section we give a brief introduction of the fun- cryptosystems including the widely used RSA public-key damental results in group theory. We refer the readers to a cryptosystem. Shor’s paper is the first illustration of the classic book on group theory [10] for more details. practical importance of quantum computation. A key com- ponent in Shor’s algorithms is the efficient implementation A set G is called a group if there is a binary operation · of the Quantum Fourier Transform (QFT), which explores defined on G such that: the underlying algebraic structure of the problems. From this perspective, Shor’s quantum algorithms, together with 1) for any x; y 2 G, x · y 2 G. several other quantum algorithms, can be further generalized 2) for any x; y; z 2 G, (x · y) · z = x · (y · z). 3) there is an identity element e 2 G such that for any to the groups Bm of a group family and their subgroups x 2 G, x · e = e · x = x. (presented by generator sets) as black-box groups. Common −1 4) for any x 2 G, there is a unique x 2 G such that examples of black-box groups are fSngn≥1 where Sn is the −1 −1 x · x = x · x = e. permutation group on n elements, and fGLn(q)gn≥1 where GLn(q) is the group of n × n invertible matrices over the finite field F . Depending on whether the group elements are Z q The set of integers together with the “+” operation is uniquely encoded, we have the unique encoding model and · an example of a group. Usually if the binary operation is non-unique encoding model, the latter of which enables us obvious from the context, we will just write xy instead of to deal with factor groups [3]. In the non-unique encoding · x y. model an additional group oracle has to be provided to test if two strings represent the same group element. A group G is abelian if and only if for any x; y 2 G, xy = yx. Otherwise, G is nonabelian. A group G is cyclic if there exist a 2 G such that G = fanjn 2 Zg. Then we 3. The Algorithm say a is a generator of G.A subgroup H of a group G is a subset which is also a group under the same operation in G. If H is a subgroup of a group G, then a right coset of H is a Our algorithm uses a divide-and-conquer approach. The subset S of G such that 9x 2 G for which S = Hx = fyx : algorithm first finds the Sylow p-subgroups of the given y 2 Hg.A left coset of H is defined similarly. The order of input group and then decomposes each Sylow p-subgroup. a group G, denoted by jGj, is the cardinality of the set G. We start with two technical Lemmas. The first Lemma shows The order of the element a is the smallest number n such how to find a p-Sylow subgroup in quantum polynomial that an = e, denoted by ord(a). If such n 2 Z exists, we time. say a has finite order. In fact, the subset fe; a; a2; : : : ; an−1g Lemma 3.1: Let B = fB g be a group family. Let forms a subgroup. We call this subgroup the cyclic subgroup m m>0 G < B be an abelian black-box group given by generating generated by a and denote it by hai. m sets S = fg1; : : : ; gsg. For any prime number p, the gener- Lagrange’s Theorem states that if H is a subgroup of a ating sets for the p-Sylow subgroup of G can be computed group G, then jHj divides jGj. We say [G : H] = jGj=jHj is in quantum polynomial time. the index of H in G. Let G be a group, p be a prime number, Proof: Since G is abelian, for any prime p, there and P be a subgroup of G. If jP j = pr for some r 2 Z, we is an unique p-Sylow subgroup of G. Let n be the the say P is a p-subgroup of G. If furthermore pr divides jGj order of B . By our assumption for black-box model, we but pr+1 does not, then we say P is a Sylow p-subgroup m can efficiently compute n. Furthermore, we can use Shor’s of G. Let G1;G2 be groups such that G1 \ G2 = feg. The algorithm to compute the prime factorization pe1 ··· per of n. set f(a ; a ) j a 2 G ; a 2 G g, denoted by G ⊕ G , 1 r 1 2 1 1 2 2 1 2 If p is not a factor of n, then clearly the p-Sylow subgroup of is called the direct sum of G1 and G2. G1 ⊕ G2 is a group G is trivial. If p is equal to pk for some 1 ≤ k ≤ r, then we under the binary operation · such that (a1; b1) · (a2; b2) = ek 0 0 0 n=pk compute the set Sk = fg ; : : : ; g g where g = g . Note (a1a2; b1b2). 1 s i i that this can be done efficiently using modular exponetiation. The fundamental theorem of finite abelian groups states We claim that Sk is the generating set for the p-Sylow 0 the following. subgroup. Clearly the order of gi is power of p for all i, so hSki is a p-subgroup of G. To show that hSki is indeed 2 Theorem 2.1: Given a set fg1; : : : ; gng of generators the p-Sylow subgroup it suffices to show that any gi S of the finite abelian group G, find a set of elements can be written as products of elements in hS1i;:::; hSri, i.e., h i ⊕ · · · ⊕ h i r el h1; : : : ; hk 2 G such that G = hh1i ⊕ · · · ⊕ hhki and hhii G = S1 Sr . Since Σl=1n=pl is coprime with n ≤ ≤ and thus the order of any elements in G, for any g 2 G, is a cyclic group of prime power order for all 1 i k. e i Σr n=p l l=1 l h i h i gi , which is a product of elements in S1 ;:::; Sr , Next we introduce the black-box group model.