« Maths, Informatique, Jeux » - The Standard Method for The Hidden Subgroup Problem

This section deals with the abelian HSP and is mostly based on [Dam2001]. We just give the big picture of the general method and show how it generalizes the three previous examples. A more detailed presentation is given in [Lom2004].

In the previous chapter, we have seen three efficient quantum algorithms that fit into the framework of the hidden subgroup problem. Actually, these problems are also sharing the same kind of algorithm. First, they are all based on a particular case of HSP where the group is abelian. As it is well-known, such a group is isomorphic to a product of cyclic groups

ℤ_{t_{1}} \times ℤ_{t_{2}} \times ℤ_{t_{3}} \times \dots \times ℤ_{t_{k}}

and this is clearly the case in the three previous algorithms. We can then describe the quantum circuit in a general way:

The first register is composed of a product of

k

states of

⌈ \log (t_{i}) ⌉

qubits and we apply to this register the operation

F_{G} = F_{t_{1}} \otimes F_{t_{2}} \dots \otimes F_{t_{k}}

i.e. the Fourier transform

F_{t_{i}}

to the i-th state (note that for Simon's problem,

H = F_{2}

). First, let's consider the effect of

F_{G}

on any element

g \in G

\begin{aligned} F_{G} ∣ g ⟩ & = F_{G} (\otimes_{i = 1}^{k} ∣ g_{i} ⟩) \\ = \otimes_{i = 1}^{k} (F_{t_{i}} ∣ g_{i} ⟩) \\ = \otimes_{i = 1}^{k} (\frac{1}{\sqrt{t_{i}}} \sum_{g_{i}' = 0}^{t_{i} - 1} ⅇ^{\frac{2 ⅈ π g_{i} g_{i}'}{t_{i}}} ∣ g_{i}' ⟩) \\ = \frac{1}{\sqrt{\prod_{i = 1}^{k} t_{i}}} \sum_{g' \in G} (\prod_{i = 1}^{k} ⅇ^{\frac{2 ⅈ π g_{i} g_{i}'}{t_{i}}}) (\otimes_{i = 1}^{k} ∣ g_{i}' ⟩) \\ = \frac{1}{\sqrt{∣ G ∣}} \sum_{g' \in G} χ_{g} (g') ∣ g' ⟩ \end{aligned}

Where we have introduced the characters

χ_{g} (g')

. Note that

g \mapsto χ_{g}

is a group homomorphism i.e.

χ_{g + g'} = χ_{g} χ_{g'}

. We also have

χ_{g} (g') {= χ}_{g'} (g)

and so

χ_{g} (g' + g'') = χ_{g} (g') χ_{g} (g'')

. Hence we can define the group

H^{⊥} = \{g \in G| χ_{g} (H) = 1\}

. By Theorem 3.10 of [Lom2004],

H^{⊥}

is isomorphic to

\frac{G}{H}

and moreover

{(H^{⊥})}^{⊥} = H

As we have already seen many times, the state after the gate

U_{f}

is the following superposition:

\frac{1}{\sqrt{∣ G ∣}} \sum_{g \in G} ∣ g ⟩ ∣ f (g) ⟩ where ∣ g ⟩ = ∣ g_{1} ⟩ \dots ∣ g_{k} ⟩

Measuring the second register gives a value

y = f (g^{0})

and leaves the first register in the state

Then we apply the Fourier transform

F_{G}

. Using the expression of formula 4.1 and the properties of the characters, we get

\begin{aligned} F_{G} (\frac{1}{\sqrt{∣ H ∣}} \sum_{h \in H} ∣ g^{0} + h ⟩) & = \frac{1}{\sqrt{∣ H ∣}} \sum_{h \in H} (F_{G} ∣ g^{0} + h ⟩) \\ = \frac{1}{\sqrt{∣ H ∣ ∣ G ∣}} \sum_{h \in H} \sum_{g \in G} χ_{(g^{0} + h)} (g) ∣ g ⟩ \\ = \frac{1}{\sqrt{∣ H ∣ ∣ G ∣}} \sum_{h \in H} \sum_{g \in G} χ_{g} (g^{0}) χ_{g} (h) ∣ g ⟩ \\ = \frac{1}{\sqrt{∣ H ∣ ∣ G ∣}} \sum_{g \in G} (χ_{g} (g^{0}) \sum_{h \in H} χ_{g} (h)) ∣ g ⟩ \end{aligned}

If we measure the first register, the probability to get an element of

H^{⊥}

is:

\begin{aligned} \frac{1}{∣ H ∣ ∣ G ∣} \sum_{g \in H^{⊥}} {∣ χ_{g} (g^{0}) \sum_{h \in H} χ_{g} (h) ∣}^{2} & = \frac{1}{∣ H ∣ ∣ G ∣} \sum_{g \in H^{⊥}} ({∣ χ_{g} (g^{0}) ∣}^{2} {∣ \sum_{h \in H} 1 ∣}^{2}) \\ = \frac{1}{∣ H ∣ ∣ G ∣} \sum_{g \in H^{⊥}} (1^{2} {∣ H ∣}^{2}) \\ = \frac{∣ H^{⊥} ∣ {∣ H ∣}^{2}}{∣ H ∣ ∣ G ∣} \\ = \frac{∣ G ∣ {∣ H ∣}^{2}}{{∣ H ∣}^{2} ∣ G ∣} \\ = 1 \end{aligned}

Moreover, the previous calculation shows that each element of

H^{⊥}

has the same probability to be measured. Hence, measuring the first register yields a uniformly random element of

H^{⊥}

. Repeating the previous circuit about

n = ⌈ \log ∣ G ∣ ⌉

times gives with high probability a set of generators

g^{1}, \dots, g^{O (n)}

H^{⊥}

. We have

h \in H = {(H^{⊥})}^{⊥}

iff for all

j

χ_{h} (g^{j}) = 1 = \prod_{i = 1}^{k} ⅇ^{\frac{2 ⅈ π h_{i} g_{i}^{j}}{t_{i}}}

. If we denote

e

the lower common multiple of the

t_{i}

's and

α_{i}^{g^{j}} = \frac{e g_{i}^{j}}{t_{i}}

h \in H

iff

\sum_{i = 1}^{k} α_{i}^{g^{j}} h_{i} \equiv 0 mod (e)

. We can put this system in Smith normal form (i.e. write as a diagonal system) in time polynomial of

n

. Then get

O (n)

linear congruences i.e. of the form

a x \equiv b mod (e)

. The method to enumerate the list of solution to a linear congruence is well-known. We randomly pick one solution to each linear congruence to get a uniformly random element of

H

. Repeating this about

n

times gives with high probability a set of generators of

H

As previously stated, we also need an efficient quantum circuit to compute the Fourier transform

F_{G}

. Note that such a circuit is known for

F_{2^{x}}

and an approximate one (i.e. measuring the result gives a probability distribution very close to the exact version) for other

F_{x}

's. See for instance [Lom2004]. This allows to have an approximate implementation of

F_{G} = F_{t_{1}} \otimes F_{t_{2}} \dots \otimes F_{t_{k}}

that does not change too much the measurement of the circuit of figure 4.1.

As a consequence, we have an efficient solution to the abelian HSP if we know a decomposition

ℤ_{t_{1}} \times ℤ_{t_{2}} \times ℤ_{t_{3}} \times \dots \times ℤ_{t_{k}}

G

. Otherwise, we can get it if we are working in the black-box model with unique encoding. We describe the idea of [CheMos2001], without trying to optimize the computation. We choose randomly

k' = O (n)

elements

a_{1}, \dots, a_{k'}

G

, so that they generate the group with high probability. Then we define

f : ℤ_{∣ G ∣}^{k'} \to G

f (x) = \sum_{i = 1}^{k'} x_{i} a_{i}

. Each term

x_{i} a_{i}

is computed using

O (\log x_{i}) = O (\log ∣ G ∣) = poly (n)

sums (by a double-and-add algorithm), so

f

has a polynomial complexity.

ℤ_{∣ G ∣}^{k'}

is abelian and we know its decomposition so we can apply the HSP algorithm to find a set of generators for the hidden subgroup

H = Ker f

. Alternatively, these generators can be obtained using the algorithm of [BucNei1996]. It can be shown that from this set of generators we can find (classically) in

poly (n)

a set of generators

\bar{u_{1}}, \dots, \bar{u_{k}}

\frac{ℤ_{∣ G ∣}^{k'}}{H}

that satisfies:

\frac{ℤ_{∣ G ∣}^{k'}}{H} = ⟨ \bar{u_{1}} ⟩ \oplus \dots \oplus ⟨ \bar{u_{k}} ⟩

Using the isomorphism

G ≅ \frac{ℤ_{∣ G ∣}^{k'}}{H}

, we get

G = ⟨ v_{1} ⟩ \oplus \dots \oplus ⟨ v_{k} ⟩

where

v_{i} = f (u_{i})

. We define an abelian HSP by

f_{i} : ℤ_{∣ G ∣} \to G

and

f_{i} (x) = x v_{i}

(again,

f

has a

poly (n)

complexity). As in Shor's algorithm, the hidden subgroup is

t_{i} ℤ_{∣ G ∣}

where

t_{i}

is the order of

v_{i}

. Finally, we get

G ≅ ℤ_{t_{1}} \times ℤ_{t_{2}} \times ℤ_{t_{3}} \times \dots \times ℤ_{t_{k}}

Fourier Transform over Finite Groups

In order to generalize the previous algorithm to any finite group, we need a way to define Fourier Transform. First, we give a brief overview of representation theory of groups, based on [Ser1971].

(representation)

A representation of a group $G$ is a group homomorphism $ρ : G \to GL (V)$ where $GL (V)$ is the group of automorphisms over a finite dimensional vector space $V$ . The dimension $d_{ρ}$ of the representation $ρ$ is the dimension of $V$ . A subspace $W \subseteq V$ is invariant iff $\forall g \in G, ρ (g) (W) \subseteq W$ . If the only invariant subspaces are ${0}$ and $V$ , we say that $ρ$ is irreducible. Two representations $ρ : G \to GL (V_{ρ})$ and $τ : G \to GL (V_{τ})$ of $G$ are equivalent or isomorphic iff there is an isomorphism $ψ : V_{ρ} \to V_{τ}$ such that $τ (g) = ψ \circ ρ (g) \circ ψ^{- 1}$ for any $g \in G$ . Given a representation $ρ$ , we define the character $χ_{ρ}$ by $χ_{ρ} (g) = tr (ρ (g))$ .

In [Ser1971], it is shown that any finite group

G

has only a finite number of irreducible pairwise non-isomorphic representations. More precisely, if we denote

\hat{G}

a complete set of such representations and

V_{ρ}

and

d_{ρ}

the associated vector space and dimension (for any

ρ \in Ĝ

), we have the following equality from 2.4 Décomposition de la représentation régulière - Corollaire 2:

In particular for

g = 1

, because

χ_{ρ} (1) = tr (I_{d_{ρ}}) = d_{ρ}

, we have:

For each

ρ

, we can choose a basis of

V_{ρ}

and then

ρ (g)

is represented by a matrix of size

d_{ρ}

. Again, in view of formula 4.8, we can group all the coefficients

{(ρ_{i j} (g))}_{1 \leq i, j \leq d_{ρ}, g \in G}

in a square matrix of dimension

∣ G ∣

. To make this matrix unitary, we add the requirement that each

ρ (g)

is unitary. We will see that it is always possible to choose the basis such that this requirement is satisfied. Once such a basis is chosen and when no confusion is possible, we will also denote

ρ (g)

the matrix representation of

ρ (g)

in this basis.

(general Fourier Transform)

Let $G$ be a group and $\hat{G}$ a complete set of pairwise non-isomorphic representations $ρ : G \to GL (V_{ρ})$ of size $d_{ρ}$ . For any $ρ$ , we fix a basis of $V_{ρ}$ such that for each $g \in G$ we have a unitary matrix representation ${(ρ_{i j} (g))}_{1 \leq i, j \leq d_{ρ}}$ of $ρ (g)$ . Then the Fourier Transform over $G$ in the given basis is defined as a linear operation over a Hilbert space of dimension $∣ G ∣$ . More precisely, if we denote the canonical basis either by group elements ( ${∣ g ⟩}_{g \in G}$ ) or by representations/coordinates ( ${∣ ρ i j ⟩}_{ρ \in \hat{G}, 1 \leq i, j \leq d_{ρ}}$ ), we have:

$\forall g \in G, F_{G} ∣ g ⟩ = \frac{1}{\sqrt{∣ G ∣}} \sum_{ρ \in \hat{G}} \sqrt{d_{ρ}} \sum_{i, j = 1}^{d_{ρ}} ρ_{i j} (g) ∣ ρ i j ⟩$

or, if $\hat{G} = {ρ^{1}, \dots, ρ^{M}}$ and $d_{k} = d_{ρ_{k}}$ , by the images of basis vectors:

$F_{G} ∣ g ⟩ = \frac{1}{\sqrt{∣ G ∣}} (\begin{matrix} \sqrt{d_{1}} (ρ_{11}^{1} (g)) \\ \sqrt{d_{1}} (ρ_{12}^{1} (g)) \\ ⋮ \\ \sqrt{d_{1}} (ρ_{1 d_{1}}^{1} (g)) \\ \sqrt{d_{1}} (ρ_{21}^{1} (g)) \\ ⋮ \\ \sqrt{d_{1}} (ρ_{2 d_{1}}^{1} (g)) \\ ⋮ \\ \sqrt{d_{1}} (ρ_{d_{1} d_{1}}^{1} (g)) \\ \sqrt{d_{2}} (ρ_{11}^{2} (g)) \\ ⋮ \\ \sqrt{d_{M}} (ρ_{d_{M} d_{M}}^{M} (g)) \end{matrix})$

(Fourier Transform is unitary)

$F_{G}$ is a unitary transform i.e. the columns ${(F_{G} ∣ g ⟩)}_{g \in G}$ of $F_{G}$ form an orthonormal family.

proof: We have $χ_{ρ} ({(g')}^{- 1} g) = tr ({ρ (g')}^{- 1} ρ (g)) = tr ({ρ (g')}^{†} ρ (g)) = {⟨ ρ (g'), ρ (g) ⟩}_{F} = \sum_{i, j = 1}^{d_{ρ}} {(ρ_{i j} (g'))}^{*} (ρ_{i j} (g))$ .

So the hermitian product of two such columns $F_{G} ∣ g' ⟩$ and $F_{G} ∣ g ⟩$ is exactly:

${(F_{G} ∣ g' ⟩)}^{†} (F_{G} ∣ g ⟩) = \frac{1}{∣ G ∣} \sum_{ρ \in \hat{G}} d_{ρ} \sum_{i, j = 1}^{d_{ρ}} {(ρ_{i j} (g'))}^{*} (ρ_{i j} (g)) = \frac{1}{∣ G ∣} \sum_{ρ \in Ĝ} d_{ρ} χ_{ρ} ({(g')}^{- 1} g)$

and we conclude with formula 4.7.

(representations are unitarizable)

For each $ρ \in \hat{G}$ , there is a basis ${(f_{i}^{ρ})}_{1 \leq i \leq d_{ρ}}$ of $V_{ρ}$ such that every $ρ (g)$ is unitary.

proof: Let ${(e_{i}^{ρ})}_{1 \leq i \leq d_{ρ}}$ be an arbitrary basis of $V_{ρ}$ . We have the canonical hermitian product given by $⟨ \sum_{i = 1}^{d_{ρ}} a_{i} e_{i}^{ρ}, \sum_{i = 1}^{d_{ρ}} b_{i} e_{i}^{ρ} ⟩ = \sum_{i = 1}^{d_{ρ}} a_{i}^{*} b_{i}$ . We define ${⟨ a, b ⟩}_{G} = \sum_{g \in G} ⟨ ρ (g) (a), ρ (g) (b) ⟩$ which is still a inner product because $ρ (g)$ is an automorphism. Using Gram-Schmidt process, we construct a new basis $f_{1}^{ρ}, \dots, f_{d_{ρ}}^{ρ}$ orthonormal for ${⟨ ., . ⟩}_{G}$ in which we express $ρ (g)$ . On the one hand, we have by construction ${⟨ a, b ⟩}_{G}$ = ${⟨ ρ (g) (a), ρ (g) (b) ⟩}_{G}$ and in particular ${⟨ ρ (g) (f_{i}^{ρ}), ρ (g) (f_{j}^{ρ}) ⟩}_{G} = {⟨ (f_{i}^{ρ}), (f_{j}^{ρ}) ⟩}_{G}$ . On the other hand, $ρ (g) (f_{j}^{ρ}) = \sum_{k = 1}^{d_{ρ}} ρ_{k j} (g) f_{k}^{ρ}$ and hence ${⟨ ρ (g) (f_{i}^{ρ}), ρ (g) (f_{j}^{ρ}) ⟩}_{G} = \sum_{k = 1}^{d_{ρ}} ρ_{k, i}^{*} (g) ρ_{k, j} (g)$ . Finally we have:

$\begin{aligned} {ρ (g)}^{†} ρ (g) & = {(\sum_{k = 0}^{d_{ρ}} ρ_{k, i}^{*} (g) ρ_{k, j} (g))}_{1 \leq i, j \leq d_{ρ}} \\ = {({⟨ ρ (g) (f_{i}^{ρ}), ρ (g) (f_{j}^{ρ}) ⟩}_{G})}_{1 \leq i, j \leq d_{ρ}} \\ = {({⟨ (f_{i}^{ρ}), (f_{j}^{ρ}) ⟩}_{G})}_{1 \leq i, j \leq d_{ρ}} \\ = {(δ_{i, j})}_{1 \leq i, j \leq d_{ρ}} \\ = I_{d_{ρ}} \end{aligned}$

(Abelian Fourier Transform)

Suppose $G$ is abelian and define for all $g \in G$ the 1-dimensional (i.e. $d_{ρ_{g}} = 1$ ) representation $ρ_{g} : G \to GL (ℂ^{1}) ≅ ℂ^{*}$ by $ρ_{g} (h) = χ_{g} (h)$ where $χ_{g}$ is the character defined in the previous chapter. The representations are clearly unitary. Note that $χ_{ρ_{g}} (h) = χ_{g} (h)$ so the definition of the character is consistent with what we have seen earlier. Suppose that two representations $ρ (g)$ and $ρ (g')$ are isomorphic. This means that there is a $λ \neq 0$ such that $ρ_{g} (h) = λ ρ_{g'} (h) λ^{- 1} = ρ_{g'} (h)$ for all $h \in G$ . With the notation of previous chapter, we have

$\frac{ρ_{g}}{ρ_{g'}} (h) = 1 = (\prod_{i = 1}^{k} ⅇ^{\frac{2 ⅈ π (g_{i} - g_{i}') h_{i}}{t_{i}}})$

For $j$ going from 1 to $k$ , we evaluate the equality at $h = h^{j} = {(δ_{i, j})}_{1 \leq i \leq k}$ we get $g_{j} - g_{j}' = 0$ and finally $g = g'$ . So $\hat{G} = \{ρ (g)| g \in G\}$ is a set of pairwise non-isomorphic 1-dimensional representations. It is complete since it satisfies the equality of formula 4.8. Using the identification $∣ g ⟩ ≅ ∣ ρ_{g} 11 ⟩$ , and ${(ρ_{g})}_{11} (h) = χ_{g} (h)$ we recover the definition of the abelian Fourier Transform.

The proposition 4.4 above shows that there is at least one basis of

V_{ρ}

. Actually, we obtain all of them by unitary change of basis:

Let $τ$ be an irreducible representation of $G$ and let $τ (g)$ denote an unitary matrix representation. Then the possible unitary matrix representations of all other isomorphic representations $ρ$ are given by $\forall g \in G, ρ (g) = U τ (g) U^{†}$ for any unitary matrix $U$ .

proof: First, it is clear that given a unitary matrix, then $ρ (g) = U τ (g) U^{†}$ is still unitary and is the matrix representation of $ρ = τ$ obtained using $U$ as a change-of-basis matrix. Conversely, suppose $ρ$ is isomorphic to $τ$ and let $ρ (g)$ denote an unitary matrix representation. Then there is an invertible matrix $M$ (the matrix representation of an isomorphism between $τ, ρ$ in their respective basis) such that $\forall g \in G ρ (g) = M τ (g) M^{- 1}$ . This gives:

$I = {ρ (g)}^{†} ρ (g) = {(M τ (g) M^{- 1})}^{†} (M τ (g) M^{- 1}) = {(M^{†})}^{- 1} {τ (g)}^{- 1} M^{†} M τ (g) M^{- 1}$

and finally $τ (g) M^{†} M = M^{†} M τ (g)$ for any $g \in G$ . Since $τ$ is irreducible, the Schur's lemma (see Le lemme de Schur ; premières applications - Proposition 4 of [Ser1971]) implies that $M^{†} M = λ I$ for some $λ \in ℂ$ . More precisely, $λ = \frac{1}{d_{τ}} tr (M^{†} M) = \frac{1}{d_{τ}} {‖ M ‖}_{F}^{2} \in ℝ_{+}^{*}$ . We conclude the proof by taking $U = \frac{1}{\sqrt{λ}} M$ .

In this section, we have defined an operation

F_{G}

for any given group. We know that it is unitary so a valid quantum. However, if we want to to use it in a HSP algorithm, we need to implement it efficiently i.e. using

poly (n)

elementary gates. As mentioned above, there is an approximate efficient implementation of

F_{N}

for cyclic group. By taking the tensor product of such operations, we get an approximate efficient implementation for any abelian group

G

. Other efficient implementations are known for various groups, see [Lom2004] for an overview. The exact description of the quantum gate

F_{G}

depends on the design used for the implementation. Nevertheless, we will suppose in what follows that the gate implementing

F_{G}

works on

n

qubits. The input

∣ g ⟩

and output

∣ ρ i j ⟩

are encoded by the integers

0, \dots, ∣ G ∣ - 1

. The possible remaining basis states are not touched by the gate.

Weak and Strong Fourier Sampling

For the generalized version of the Fourier Sampling circuit, we replace the first Fourier Transform by a gate

V

that computes a superposition

\frac{1}{\sqrt{∣ G ∣}} \sum_{g \in G} ∣ g ⟩

from the

∣ 0^{n} ⟩

state. There is no canonical implementation for

V

but if the elements of

G

are encoded by the integer

0, \dots, ∣ G ∣ - 1

(as we have assumed in previous section) we can use the following circuit:

We use a hadamard gate to create a superposition over

0, \dots, 2^{n} - 1

and a function

g

to select the values less than

∣ G ∣

g (i) = 1

0 \leq i < ∣ G ∣

and

g (i) = 0

otherwise (It can be implemented efficiently, just by comparing the binary decomposition of

i

and

∣ G ∣

). We succeed to create the superposition if the result of the measurement is 1. We have

2^{n - 1} < ∣ G ∣ \leq 2^{n}

, so this happens with probability

\frac{∣ G ∣}{2^{n}} > \frac{1}{2}

The remaining of the circuit is similar to what we have previously seen, with the use of a general Fourier Transform gate

F_{G}

We then measure the second register and get

y = f (g^{0})

. We obtain a superposition on a coset

g^{0} H

Creating this superposition is the starting point for all HSP algorithms currently known. Hence we define:

For Fourier Sampling, the next step is to apply the Fourier Transform

F_{G}

. This gives the state

\sum_{ρ \in \overset{̂^}{G}} \sum_{i, j = 1}^{d_{ρ}} \sqrt{\frac{d_{ρ}}{∣ G ∣}} {(\frac{1}{\sqrt{∣ H ∣}} \sum_{h \in H} ρ (g^{0} h))}_{i j} ∣ ρ i j ⟩ = \sum_{ρ \in \hat{G}} \sum_{i, j = 1}^{d_{ρ}} \sqrt{\frac{d_{ρ}}{∣ G ∣}} {(ρ (g^{0} H))}_{i j} ∣ ρ i j ⟩

where we have introduced

ρ (g^{0} H) = \frac{1}{\sqrt{∣ H ∣}} \sum_{h \in H} ρ (g^{0} h)

. Finally, we perform a measurement on the first register.

(Fourier Sampling Algorithm)

The Fourier Sampling algorithm for the HSP consists in running the circuit of figure 4.3 several times and trying to deduce information on the hidden subgroup $H$ . We distinguish two forms of Fourier Sampling:

In the Weak Fourier Sampling for the HSP, we observe a representation $ρ \in \hat{G}$ with probability $P (ρ) = \sum_{i, j = 0}^{d_{ρ}} P (ρ, i, j)$
In the Strong Fourier Sampling, we observe a representation $ρ \in \hat{G}$ as well as coordinates $i, j$ with probability $P (ρ, i, j)$ .

What is the distribution probability? First the conditional probability given

g^{0}

P (\frac{ρ, i, j}{g^{0}}) = \frac{d_{ρ}}{∣ G ∣} {∣ ρ (g^{0} H) ∣}_{i j}^{2}

. Hence for the Weak Fourier Sampling, we have

P (\frac{ρ}{g^{0}}) = \sum_{i, j = 1}^{d_{ρ}} P (\frac{ρ, i, j}{g^{0}}) = \frac{d_{ρ}}{∣ G ∣} {‖ ρ (g^{0} H) ‖}_{F}^{2}

and using

ρ (g^{0} H) = ρ (g^{0}) ρ (H)

and the fact that

ρ (g^{0})

is unitary:

It was proven in [GriSchVaz2000] that

ρ (H)

\sqrt{∣ H ∣}

times a projection matrix

P

. Moreover,

ρ (H)

is hermitian:

{ρ (H)}^{†} = \frac{1}{\sqrt{∣ H ∣}} \sum_{h \in H} {ρ (h)}^{†} = \frac{1}{\sqrt{∣ H ∣}} \sum_{h \in H} ρ (h^{- 1}) = \frac{1}{\sqrt{∣ H ∣}} \sum_{h^{'} \in H} ρ (h') = ρ (H)

Hence

\frac{1}{∣ H ∣} {‖ ρ (H) ‖}_{F}^{2} = tr (P^{†} P) = tr (P^{2}) = tr (P) = \frac{1}{\sqrt{∣ H ∣}} tr (ρ (H))

and formula 4.18 can be rewritten:

In particular, this probability does not depend on the choice of the basis of

V_{ρ}

For the Strong Fourier Sampling, we first note that the

∣ G ∣

-dimensional vectors

{({ρ (g^{0})}_{i k})}_{g^{0} \in G}

for

1 \leq k \leq d_{ρ}

are orthogonal of norm

\sqrt{\frac{∣ G ∣}{d_{ρ}}}

\begin{aligned} ⟨ {({ρ (g^{0})}_{i k})}_{g^{0} \in G}, {({ρ (g^{0})}_{i k'})}_{g^{0} \in G} ⟩ & = \sum_{g^{0} \in G} {ρ (g^{0})}_{i k}^{*} {ρ (g^{0})}_{i k'} \\ = \sum_{g^{0} \in G} {ρ ({(g^{0})}^{- 1})}_{k i} {ρ (g^{0})}_{i k'} \\ = \frac{∣ G ∣}{d_{ρ}} δ_{k k'} δ_{i i} \end{aligned}

where the last line is 2.2 Le lemme de Schur ; premières applications - Corollaire 3 of [Ser1971]. We use this fact to simplify the expression of

P (ρ, i, j)

as described in [GriSchVaz2000]. Because

g^{0}

has been chosen uniformly it is the mean of

P (\frac{ρ, i, j}{g^{0}})

over the elements of the group

G

\begin{aligned} P (ρ, i, j) & = \frac{d_{ρ}}{{∣ G ∣}^{2}} \sum_{g^{0} \in G} {∣ {ρ (g^{0} H)}_{i j} ∣}^{2} \\ = \frac{d_{ρ}}{{∣ G ∣}^{2}} {∥ {({ρ (g^{0} H)}_{i j})}_{g^{0} \in G} ∥}^{2} \\ = \frac{d_{ρ}}{{∣ G ∣}^{2}} {∥ {({(ρ (g^{0}) ρ (H))}_{i j})}_{g^{0} \in G} ∥}^{2} \\ = \frac{d_{ρ}}{{∣ G ∣}^{2}} {∥ {(\sum_{k = 0}^{d_{ρ}} {ρ (g^{0})}_{i k} {ρ (H)}_{k j})}_{g^{0} \in G} ∥}^{2} \\ = \frac{d_{ρ}}{{∣ G ∣}^{2}} {∥ \sum_{k = 0}^{d_{ρ}} {ρ (H)}_{k j} {({ρ (g^{0})}_{i k})}_{g^{0} \in G} ∥}^{2} \\ = \frac{d_{ρ}}{{∣ G ∣}^{2}} \sum_{k = 0}^{d_{ρ}} ({∣ {ρ (H)}_{k j} ∣}^{2} \frac{∣ G ∣}{d_{ρ}}) \\ = \frac{1}{∣ G ∣} {∥ {ρ (H)}_{j} ∥}^{2} \end{aligned}

\begin{matrix} P (ρ, i, j) = \frac{1}{∣ G ∣} {∥ {ρ (H)}_{j} ∥}^{2} \\ P (ρ, ., j) = \frac{d_{ρ}}{∣ G ∣} {∥ {ρ (H)}_{j} ∥}^{2} \end{matrix}

This means that measuring the row provides no information and the Strong Fourier Sampling can be reduced to observing

ρ, j

. Note that summing over all the

j

, we recover formula 4.18.

(measurement of $f (g^{0})$ )

As in the abelian case, the measurement of $y = f (g^{0})$ is only used to produce a superposition over one coset. As noted in [GriSchVaz2000], we may discard information by not using this value later. For example, just counting the number of distinct values after many samplings gives an indication on $\frac{∣ G ∣}{∣ H ∣}$ so on the size of the hidden subgroup $H$ . In particular, it is easy to determine whether $H$ is a proper subgroup of $G$ (i.e. the ratio above is at least 2) by repeating several measurements until we find two distinct values or get $k$ times the same value. In the former case we know with certainty that $H$ is a proper subgroup of $G$ and in the latter case we know that $H = G$ with probability at least $1 - 2^{- k}$ . For completeness, we give the distribution probability. If $x_{1}, \dots, x_{\frac{∣ G ∣}{∣ H ∣}}$ is a complete set of coset representatives, $P (ρ, i, j, f (x_{k})) = \sum_{g^{0} \in G} P (x_{k}) P (g^{0} / f (x^{k})) P (ρ, i, j / g^{0}) = \sum_{h \in H} \frac{∣ H ∣}{∣ G ∣} \frac{1}{∣ H ∣} \frac{d_{ρ}}{∣ G ∣} {∣ {(ρ (x_{k} h H))}_{i j} ∣}^{2}$ and finally

$P (ρ, i, j, f (x_{k})) = d_{ρ} \frac{∣ H ∣}{{∣ G ∣}^{2}} {∣ {(ρ (x_{k} H))}_{i j} ∣}^{2}$

It seems difficult to construct an algorithm from these values since we do not know the $x_{k}$ corresponding to the measured value $f (x_{k})$ .

As said in remark 4.6, all the irreducible representations are 1-dimensional in the abelian case. Consequently, the Strong Fourier Sampling is the same as the Weak Fourier Sampling: we only take into account the irreducible representations

ρ_{g_{j}}

measured. More precisely, we measure random elements

g^{1}, \dots, g^{O (n)}

H^{⊥} = \{g \in G| χ_{g} (H) = 1\} = \{g \in G| H \subseteq Ker ρ_{g}\}

. Then we solve the systems of equations

χ_{g^{j}} (h) = χ_{h} (g^{j}) = 1

to get elements

h

H

. Said otherwise, we are looking to random elements in

H = ⋂_{j = 1}^{O (n)} Ker ρ_{g_{j}}

. In the next section, we will see that more generally, considering the intersection of irreducible representations measured gives information on

H

and allows to solve the HSP in some particular cases.

The Dedekindian Hidden Subgroup Problem and its extensions

In this section, we see how the Weak Fourier Sampling can be used to extend the abelian HSP. The idea is to measure

ρ_{1}, \dots {, ρ}_{O (n)}

irreducible representations and to consider the intersection

⋂_{j = 1}^{O (n)} Ker ρ_{j}

. Let's consider first what is happening in an example:

(Fourier Sampling on the dihedral group $D_{4}$ )

The dihedral group $D_{4}$ is the group of isometries of the plane generated by the reflection $s$ about the x-axis and the rotation $r$ of 90°. It is composed of 4 rotations $r^{k}$ and 4 reflections $r^{k} s$ (for $0 \leq k \leq 3$ ). It satisfies $r^{4} = s^{2} = s r s r = Id$ . A set of complete irreducible representations is given by the table of figure 4.4 (adapted from 5.3 Le groupe diédral $D_{n}$ of [Ser1971]):

$ρ$	$ρ (r^{k})$	$ρ (r^{k} s)$	$Ker ρ$
$a$	1	1	$D_{4}$
$b$	1	-1	${Id, r, r^{2}, r^{3}}$
$c$	${(- 1)}^{k}$	${(- 1)}^{k}$	${Id, r^{2}, s, s r^{2}}$
$d$	${(- 1)}^{k}$	${(- 1)}^{k + 1}$	${Id, r^{2}, s r, s r^{3}}$
$e$	$(\begin{matrix} {(- ⅈ)}^{k} & 0 \\ 0 & ⅈ^{k} \end{matrix})$	$(\begin{matrix} 0 & {(- ⅈ)}^{k} \\ ⅈ^{k} & 0 \end{matrix})$	${Id}$

We are considering two hidden subgroups $H_{1} = {1, r s}$ and $H_{2} = {1, r^{2}}$ . Using formula 4.20 and formula 4.23, it is easy to get:

	$H = H_{1}$		$H = H_{2}$
$ρ$	$ρ (H)$	$P (ρ)$	$ρ (H)$	$P (ρ)$
$a$	$\sqrt{2}$	$\frac{1}{4}$	$\sqrt{2}$	$\frac{1}{4}$
$b$	0	0	$\sqrt{2}$	$\frac{1}{4}$
$c$	0	0	$\sqrt{2}$	$\frac{1}{4}$
$d$	$\sqrt{2}$	$\frac{1}{4}$	$\sqrt{2}$	$\frac{1}{4}$
$e$	$\frac{1}{\sqrt{2}} (\begin{matrix} 1 & - ⅈ \\ ⅈ & 1 \end{matrix})$	$\frac{1}{2}$	$(\begin{matrix} 0 & 0 \\ 0 & 0 \end{matrix})$	0

and the probability distribution observed by a Strong Fourier Sampling is:

	$P (a, ., 1)$	$P (b, ., 1)$	$P (c, ., 1)$	$P (d, ., 1)$	$P (e, ., 1)$	$P (e, ., 2)$
$H_{1}$	$\frac{1}{4}$	0	0	$\frac{1}{4}$	$\frac{1}{4}$	$\frac{1}{4}$
$H_{2}$	$\frac{1}{4}$	$\frac{1}{4}$	$\frac{1}{4}$	$\frac{1}{4}$	0	0

Suppose we repeat enough time the Weak Fourier Sampling. For $H = H_{1}$ , we will measure the representations $a, d, e$ . The intersection of their kernels is ${Id} \neq H$ . For $H = H_{2}$ , we will measure the representations $a, b, c, d$ . The intersection of their kernels is ${Id, r^{2}} = H$ .

Consequently, the direct application of the abelian method does not always work. Note that

H_{2}

is normal (it is the of center

D_{4}

) but

H_{1}

is not (for example

s (rs) s^{- 1} = sr = r^{3} s \notin H_{1}

). In general,

tr (ρ (g^{- 1} H g)) = tr ({ρ (g)}^{- 1} ρ (H) ρ (g)) = tr (ρ (H))

so by formula 4.20, the Weak Fourier Sampling can not distinguish

H

with one of its conjugate

g^{- 1} H g

. However, we can still hope that it will work for a normal subgroup

H

. This is what Hallgren, Russel and Ta-Shma proved in [HalRusTa-2000]:

As a consequence, we can use this to solve the Dedekindian Hidden Subgroup Problem i.e. over groups that have only normal subgroups. Of course, this includes the Abelian HSP that we have previously studied. The non-abelian Dedekind groups are called Hamiltonian and they are of the form

G = ℤ_{2}^{k} \times A \times ℚ_{8}

where

A

is an abelian group with all elements of odd order. The appendix B.2 of [HalRusTa-2000] gives a precise algorithm for the Hamiltonian HSP: an efficient implementation of the Weak Fourier Sampling over

G

and a way to pick

O (n)

random solutions to the system

ρ_{i} (h) = I_{d_{ρ_{i}}}

in order to get a set of generators for

H

By calling several times the Weak Fourier Sampling (possibly over subgroups of

G

), the Dedekindian HSP can be generalized. However the possibility to compute the Fourier Transform, to solve systems

ρ_{i} (h) = I_{d_{ρ_{i}}}

and to do the same for any of its subgroup involved in the algorithm, depends on the underlying group

G

. First, as noted in [GriSchVaz2000], running this algorithm for any

H

(not necessarily normal) gives with high probability the highest subgroup of

H

which is normal in

G

. We can also solve the case where "almost all" subgroups of

G

are normal i.e. the intersection of normalizers

M_{G}

is big enough or, equivalently, that

\frac{∣ G ∣}{∣ M_{G} ∣}

is small. For example

M_{G} = G

for an abelian group and

\frac{∣ G ∣}{∣ M_{G} ∣} = 1

. In [GriSchVaz2000], Grigni et al. presented an efficient HSP algorithm when

\frac{∣ G ∣}{∣ M_{G} ∣} \in \exp (O (\sqrt{\log (\log ∣ G ∣)}))

. They give an application to the semi-direct product

ℤ_{3} ⋊ ℤ_{2^{n}}

. Gavinsky [Gav2004] strengthened their result to

\frac{∣ G ∣}{∣ M_{G} ∣} \in poly (\log ∣ G ∣)

. Actually, he proved that we can even just assume

\frac{∣ G ∣}{∣ {H M}_{G} ∣} \in poly (\log ∣ G ∣)

so that the algorithm still works when

H

is large.

Note that if the group is given as a black-box group without necessarily unique encoding, there is an alternative way to find the normal subgroup

H

as described in [IvaMagSan2001]. The algorithm does not require the assumptions on Fourier Transform and systems above. Its complexity is given by the input size + a number

v (\frac{G}{H})

that we will define later. We will come back to this method in the last part of this report.

The "Standard Method" for The Hidden Subgroup Problem

The Abelian Hidden Subgroup Problem

Fourier Transform over Finite Groups

Weak and Strong Fourier Sampling

The Dedekindian Hidden Subgroup Problem and its extensions