« Maths, Informatique, Jeux » - Efficient Quantum Algorithms and The Hidden Subgroup Problem

This problem imagined by Simon [Sim1994] demonstrates a quantum algorithm solving a black-box problem exponentially faster than any probabilistic classical algorithm. Contrary to Deutsch–Jozsa algorithm [DeuJoz1992], it is even exponentially faster than probabilistic classical algorithms.

(Simon's problem)

Let $m \geq n$ be natural numbers and $f : {ℤ_{2}}^{n} \to {ℤ_{2}}^{m}$ a function. Assume that there is a string $s \in {ℤ_{2}}^{n}$ such that two distinct $x, x'$ have the same image iff $x' = x \oplus s$ . Simon's problem is to determine $s$ .

The quantum solution to the problem is to repeat enough time the procedure given by the following circuit:

Measuring the second register gives a value

y

and makes the first register collapse to the superposition of its two preimages

x, x \oplus s

\frac{1}{\sqrt{2}} \frac{1}{\sqrt{N}} \sum_{z = 0}^{N - 1} ((- 1)^{z . x} + (- 1)^{z . (x \oplus s)}) ∣ z ⟩

Performing a standard measurement on the first register yields a random

n

-bits vector

z

such that

z . s = 0

i.e. in the subspace orthogonal to

s

. Repeating the procedure

O (n)

times gives a set of generators

z^{1}, \dots z^{O (n)}

for this subspace with probability exponentially close to 1. Said otherwise, we have a system of equations

\sum_{i = 1}^{n} z_{i}^{j} s_{i} \equiv 0 \mod (2)

of rank the dimension of the subspace and

n

unknowns

s_{1}, \dots s_{n}

. If

s = 0

, then the rank of the system is

n

, so we get the unique solution

s = 0

. Otherwise

s \neq 0

and the rank of the system is

n - 1

, so solving the system gives a subspace of dimension

n - (n - 1) = 1

, which is simply

{0, s}

. In either case, we have obtained

s

as expected. The procedure is repeated

O (n)

times, so a polynomial number of queries to the oracle

f

are used.

What about (probabilistic) classical algorithm? Consider the special case

m = n .

Let's choose randomly

f

to be a permutation (

s = 0

) or a two-to-one function (

s \neq 0

). In the former case, we randomly choose a permutation

f

and in the latter case a nonzero string

s

. Simon proved that a classical algorithm calling

f

no more than

2^{\frac{n}{4}}

times can not determine whether

s

is zero or not with success probability greater than

\frac{1}{2} + 2^{- \frac{n}{2}}

. Hence for a fixed minimal probability of success

\frac{1}{2} + δ

, no classical algorithm using a polynomial number of queries can solve Simon's problem.

Shor's Factoring Algorithm

Shor's algorithm [Sho1995] allows to factor an integer

N_{0}

poly (\log N_{0})

time. No classical algorithm are currently known to run this task in polynomial time. Actually, some cryptographic protocols are based on the assumption that no efficient algorithm exists for integer factoring and hence Shor's algorithm shows that they can be broken by quantum computation.

Shor's algorithm contains classical parts that can be executed in polynomial time and quantum computation is actually only used in a sub-procedure. More precisely, one step is to choose a random integer

a < N_{0}

(which can be assumed to be coprime with

N_{0}

). The function defined on

ℤ

f (x) = a^{x} mod (N_{0})

r

-periodic and the problem reduces to find the period

r

. We can restrict our study to the domain

ℤ_{N} \subseteq ℤ

for some multiple

N

of the period. Of course, we do not know how to choose

N

precisely but it is possible to find some value

N = O ({N_{0}}^{2})

for which the approximation does not change the final result. For simplicity, let's assume

N = r M

is an exact multiple of the period. The period-finding submodule can be executed in

poly (\log N) = poly (\log N_{0})

using the circuit of figure 3.2, which is very similar to the one of Simon's problem. We define the Fourier transform

F_{N}

to be the symmetric matrix

F_{N} = \frac{1}{\sqrt{N}} \sum_{i = 0}^{N - 1} \sum_{j = 0}^{N - 1} ⅇ^{\frac{2 π ⅈ}{N} i j} ∣ j ⟩ ⟨ i ∣

It can easily be shown to be unitary and hence a valid quantum operation. We assume that there exists an efficient implementation of

poly (\log N)

elementary gates computing

F_{N}

. This implementation uses

n = ⌈ \log N ⌉

qubits, so we are working in an Hilbert Space of dimension

2^{n} \geq N

. Hence some basis states may not be used, they are just unchanged by the gate implementing

F_{N}

The first call to

F_{N}

0^{n}

returns the first column of

F_{N}

i.e. a uniform superposition of basis vectors as in Simon's algorithm. Hence the state after

U_{f}

is also

Measuring the second register gives a value

y

and makes the first register collapse to the superposition of the preimages of

y

. If

x_{0}

is such an image all the others are obtained by

x_{0} + i r

for

i

going from

0

M - 1

After the second Fourier Transform gate, the state in the first register is

\frac{1}{\sqrt{M N}} \sum_{j = 0}^{N - 1} (\sum_{i = 0}^{M - 1} ⅇ^{\frac{2 π ⅈ}{N} (x_{0} + i r) j}) ∣ j ⟩

Each sum over

i

is a geometric series of initial term

ⅇ^{\frac{2 π ⅈ}{N} x_{0} j}

and ratio

ⅇ^{\frac{2 π ⅈ}{N} r j}

. So the sum is nonzero (and equal to

{M ⅇ}^{\frac{2 π ⅈ}{N} x_{0} j}

) iff

ⅇ^{\frac{2 π ⅈ}{N} r j} = 1

iff

j \equiv 0 mod (\frac{N}{r})

iff

j

is multiple of

M

. Hence the state can be rewritten:

\frac{1}{\sqrt{r}} \sum_{j multiple of M} ⅇ^{\frac{2 π ⅈ x_{0} j}{N}} ∣ j ⟩

All the vectors in the sum have same amplitude, so measuring the first register yields a uniformly random multiple of

M

between

0

and

N - 1

. Using

k

trials gives

j_{1}, \dots j_{k}

multiples of

M

. One can show that

\gcd (j_{1}, \dots j_{k}) = M

with success probability

\geq 1 - 2^{- \frac{k}{2}}

(see Appendix E of [Lom2004] applied to

t_{i} = \frac{j_{i}}{M}

) and thus we get

r = \frac{N}{M}

Shor's Discrete Logarithm Algorithm

(discrete logarithm)

Let $p$ be a prime number and $g$ a generator of $ℤ_{p}^{*}$ . Any $x \in ℤ_{p}^{*}$ can be written uniquely as $x = g^{y}$ for some $y \in ℤ_{p - 1}$ . $y = \log_{g} x$ is called the discrete logarithm of $x$ (with respect to $g$ ).

Similarly to Shor's algorithm, some cryptographic protocols are based on the difficulty of computing discrete logarithms. In [Sho1995], Shor describes a quantum algorithm to compute these logarithms in polynomial time. So suppose

x, g

are given and that we want to find

y

We first define the function

f (a, b) = g^{a} x^{b} mod (p)

going from

ℤ_{p - 1} \times ℤ_{p - 1}

ℤ_{p}

. Each call to

f

is clearly done in time

poly (\log (p))

. Note that we can rewrite

f

using the discrete logarithm

y

f (a, b) = g^{a + y b} mod (p)

. Hence

(a_{1}, b_{1}) \equiv (a_{2}, b_{2}) + λ (y, - 1) mod (p - 1)

implies

f (a_{1}, b_{1}) = f (a_{2}, b_{2})

. Conversely, if this equality is true, we have

a_{2} - a_{1} \equiv y (b_{1} - b_{2}) mod (p - 1)

and we can take

λ \in ℤ_{p - 1}

to be the unique element congruent with

b_{2} - b_{1}

modulo

p - 1

to recover the previous equality. As a consequence, we can say that

(y, - 1)

is the period of

f

and all the values are obtained when

λ

varies from

0

p - 2

We now define a circuit which is really similar to those we saw earlier. Here, the first register is the tensor product of two

⌈ \log (p - 1) ⌉

-qubits state and the second a

⌈ \log (p) ⌉

-qubits state. On the first register we apply

F_{p - 1} \otimes F_{p - 1}

i.e. a Fourier transform on each state of the tensor product:

On the first register applying the first

F_{p - 1} \otimes F_{p - 1}

gives, as in Shor's algorithm, a superposition over the whole group

(\frac{1}{\sqrt{p - 1}} \sum_{a = 0}^{p - 2} ∣ a ⟩) (\frac{1}{\sqrt{p - 1}} \sum_{b = 0}^{p - 2} ∣ b ⟩) = \frac{1}{p - 1} \sum_{a, b = 0}^{p - 2} ∣ a ⟩ ∣ b ⟩

Measuring the second register yields a

f (a_{0}, b_{0})

and makes the first register collapse to the superposition of the preimages. By the discussion above it is:

\frac{1}{\sqrt{p - 1}} \sum_{λ = 0}^{p - 2} ∣ a_{0} + λ y ⟩ ∣ b_{0} - λ ⟩ ∣ f (a_{0}, b_{0}) ⟩

Now, we apply

F_{p - 1} \otimes F_{p - 1}

on the first register, giving the state

\frac{1}{\sqrt{p - 1}} \sum_{λ = 0}^{p - 2} (\frac{1}{\sqrt{p - 1}} \sum_{u = 0}^{p - 2} ⅇ^{\frac{2 π ⅈ (a_{0} + λ y) u}{p - 1}} ∣ u ⟩) (\frac{1}{\sqrt{p - 1}} \sum_{v = 0}^{p - 2} ⅇ^{\frac{2 π ⅈ (b_{0} - λ) v}{p - 1}} ∣ v ⟩)

\frac{1}{{(\sqrt{p - 1})}^{3}} \sum_{λ, u, v = 0}^{p - 2} ⅇ^{\frac{2 π ⅈ ((a_{0} u + b_{0} v) + λ (y u - v))}{p - 1}} ∣ u ⟩ ∣ v ⟩ = \frac{1}{{(\sqrt{p - 1})}^{3}} \sum_{u, v = 0}^{p - 2} ⅇ^{\frac{2 π ⅈ (a_{0} u + b_{0} v)}{p - 1}} (\sum_{λ = 0}^{p - 2} {[ⅇ^{\frac{2 π ⅈ (y u - v)}{p - 1}}]}^{λ}) ∣ u ⟩ ∣ v ⟩

The sum over lambda is a geometric series, and its value is nonzero (and of value

p - 1

) iff

y u - v \equiv 0 mod (p - 1)

. Replacing

v

y u

in the expression gives the final state:

\frac{1}{\sqrt{p - 1}} \sum_{u = 0}^{p - 1} ⅇ^{\frac{2 π ⅈ (a_{0} + b_{0} y) u}{p - 1}} ∣ u ⟩ ∣ y u ⟩

A measurement in the standard basis gives

u

and

y u

modulo

p - 1

. If

u

and

p - 1

are coprime, using the euclidean algorithm we can find

v

such that

u v = 1

modulo

p - 1

from the first state. Then, we get

y = y u v

modulo

p - 1

from the second state. So we have obtained

y = \log_{g} x

as expected. Note that u and

p - 1

are coprime with probability

\frac{φ (p - 1)}{p} = Ω (\frac{1}{\log (\log (p))})

so we only need to repeat the procedure about

\log (\log (p))

times to ensure a success with high probability.

The Hidden Subgroup Problem

In this section, we interpret the algorithms seen in previous sections in a common framework. The hope is to find new algorithms exponentially faster than their classical counterparts.

(hidden subgroup problem)

Let $G$ be a group and $H \subseteq G$ one of its subgroup. Let $S$ be any set and $f : G \to S$ a function that distinguishes cosets of $H$ i.e. $\forall g_{1}, g_{2} \in G, f (g_{1}) = f (g_{2}) \Leftrightarrow g_{1} H = g_{2} H$ . The hidden subgroup problem (HSP) is to determine the subgroup $H$ using calls to $f$ .

(interpretation of previous algorithms)

Problem	$G$	$H$	$S$	$f$	Comment
Simon	$ℤ_{2}^{n}$	${0, s}$	$ℤ_{2}^{m}$	Such that two distinct elements $x, x'$ have the same image iff $x' = x \oplus s$ .	$s$ is any $n$ -bits strings.
Shor's algorithm (order finding subroutine)	$ℤ_{N}$	$r ℤ_{N}$	$ℤ_{N}$	$f (x) = a^{x} mod (N_{0})$	$N_{0}$ is the number to factor, $a < N_{0}$ a random integer coprime with $N_{0}$ , $r$ is the order of $a$ modulo $N_{0}$ . Ideally, $N$ should be a multiple of $r$ but we can choose some $N = O ({N_{0}}^{2})$ giving a good approximation.
Discrete logarithm	$ℤ_{p - 1} \times ℤ_{p - 1}$	$(y, - 1) ℤ_{p - 1}$	$ℤ_{p}^{*}$	$f (a, b) = g^{a} x^{b} mod (p)$	$p$ is prime, $g$ a generator of $ℤ_{p}^{}$ , $x$ an element of $ℤ_{p}^{}$ , $y$ the discrete logarithm of $x$ .

In the remaining of this document, we are only considering the case of a finite group

G

. In particular, the set

S

may also be taken to be finite and we may even assume

∣ S ∣ \leq ∣ G ∣

. Consequently, we can formulate the problem in terms of circuits: we encode the elements of the two sets with at most

n = ⌈ \log ∣ G ∣ ⌉

bits and hence

f

can be viewed as a function

f : {ℤ_{2}}^{n} \to {ℤ_{2}}^{n}

and represented by a quantum logic gate

U_{f}

. A naive algorithm for the hidden subgroup problem is the following:

The runtime complexity of this algorithm is

O (∣ G ∣ comp (f))

so at least

O (\exp (n))

. This is really bad compared with the efficient quantum algorithms previously seen. For instance Shor's algorithm run in

poly (\log N) = poly (n)

i.e. exponentially faster. Hence we are lead to the following definition:

(efficient)

An algorithm for the hidden subgroup problem is said to be efficient iff it returns a generating set of elements of $H$ using a complexity polynomial in $n = ⌈ \log ∣ G ∣ ⌉$ .

Note that not all functions

f : {ℤ_{2}}^{n} \to {ℤ_{2}}^{n}

have a polynomial complexity, as indicated in exercise 3.16 of [NieChu2007]. The idea is that there are

{(2^{n})}^{(2^{n})}

such functions so one can note encode all of them using only a polynomial number of elementary gates. As a consequence,

f

has to be chosen carefully to satisfy the first property.

The argument given in appendix A.2.1.1 of [NieChu2007] shows that there is a set of size at most

\log (∣ H ∣) \leq \log (∣ G ∣)

that generates

H

. Actually, for any group

K

, if we pick uniformly at random

t + \log (∣ K ∣)

elements of

K

(for some integer

t \geq 0

) then the set obtained generates

K

with probability

\geq 1 - 2^{- t}

(see Appendix D of [Lom2004]).

Ettinger, Høyer and Knill [EttHøyKni1999] proved that the second requirement can always be satisfied i.e. only a polynomial number of calls to

f

is needed to identify

H

. The idea is to prepare the state

\frac{1}{\sqrt{∣ G ∣^{m}}} \sum_{g_{1}, \dots, g_{m} \in G} ∣ g_{1}, \dots, g_{m} ⟩ ∣ f (g_{1}), \dots, f (g_{m}) ⟩

and measure the second register to get a tensor product of

m

coset states (see definition 4.8). Then they apply measurements for each

g \in G

, that check whether

g \in H

. They prove that the answers given by the algorithm are correct with high probability for some

m = O (n)

. However, the whole algorithm is not

poly (n)

since we test

∣ G ∣ = Ω (\exp (n))

elements.

In Simon's problem an efficient algorithm means a $poly (n)$ (i.e. the number of bits in the strings $x$ , $s$ ...) complexity and $n = \log (∣ ℤ_{2}^{n} ∣)$ . Here, we measure the complexity using the numbers of queries to the oracle rather than elementary operations (because $f$ may not be computed efficiently per comment above).

In Shor's algorithm and the discrete logarithm problem, it means polynomial in the number of bits needed to encode the numbers we work on, i.e. $⌈ \log (N) ⌉$ and $⌈ \log (p) ⌉$ respectively. $f$ uses basic operations on such numbers so has a polynomial complexity. The sizes of the groups we work with are $N$ and ${(p - 1)}^{2}$ respectively, so their $\log G$ 's are equivalent to the values we previously used to measure efficiency.

In all cases, there is only one generator to the group $H$ , namely $s, r$ and $(y, - 1)$ .

In the particular examples of previous sections, there are natural encoding of the elements and algorithm to compute the product of two elements. For instance, for the cyclic HSP

{G = ℤ}_{N}

the elements are encoded as binary number of length

⌈ \log (N) ⌉

and there are well-known algorithms of complexity polynomial in

⌈ \log (N) ⌉

for the group operations. To study the general HSP, it is often useful to see the group

G

as a black-box where the operations are performed by a group oracle. As in the case of the HSP oracle computing

f

, replacing the group oracles by polynomial-time operations yields an efficient algorithm.

(black-box group, unique encoding, encoding length, input size)

Let $n = O (\log (N))$ and $m \geq 0$ . $n$ is called the encoding length and $m n$ the input size. A black-box group with unique encoding has the following properties:

$G$ is given by generators $g_{1}, \dots, g_{m}$ .
there are oracles to perform multiplication and inversion.
each element can be represented by a binary string of length $n$ .
the previous representation is unique.

For a black-box group without unique encoding we replace the point 4 by an oracle performing identity testing (hence equality).

Efficient Quantum Algorithms and The Hidden Subgroup Problem

Simon's Problem

Shor's Factoring Algorithm

Shor's Discrete Logarithm Algorithm

The Hidden Subgroup Problem