reader is comfortable with the meaning of expressions such as # g, f (g) >, and their

Transcription

1 The Abelian Hidden Subgroup Problem Stephen McAdam Department of Mathematics University of Texas at Austin Introduction: The general Hidden Subgroup Problem is as follos. Let G be a knon finite group. Let H be an unknon subgroup of G. Suppose there is a set S and a function f : G S such that for g, k ε G, f(g) = f(k) if and only if g and k are in the same coset of H. (We say f separates cosets.) The question is to find a method of using f to determining hat H is, significantly faster than naïve methods. The most naïve method is to compare every f(g) to f(identity). Then g ill be in H exactly hen equality holds. Of course, standard facts about group theory, such as LaGrange s theorem, can clearly be used to speed that up somehat, but not really significantly. These notes outline ho quantum computations can be used to attack the problem in the case that G is Abelian. Later, e ill discuss Kiteav s reduction of the discrete log problem to the Abelian hidden subgroup problem. We ill also discuss the oft made statement that the factorization problem is a special case of the Abelian hidden subgroup problem, seeing that it is true if e modify our definition slightly. Of the fe quantum algorithm s I have learned, the one discussed here is the easiest, and so ould be a good place for a beginner to start. Hoever, for a true beginner, I ould strongly recommend first reading section 2 of [M], hich gives a general introduction to the physics and notation relevant to quantum computing. If one follos that by then reading this, and then reading the rest of [M], and finally reading [M3] (the most elaborate quantum algorithm I kno), the reader ill have learned everything I kno about the subject (and ill no doubt realize ho little that is). These notes are not complete. They present the parts that I find prettiest, namely, a revie of group characters, the group Fourier transform, and the actual quantum computation. They do not discuss the efficiency of the method. These notes are adapted from [L], hich discusses the details missing here, and also discusses hat progress has been made on the non-abelian case. Our computations ill on the complex inner-product space having the set of symbols { g, s> g ε G, s ε S} as an orthonormal bases. The inner product ill be the standard one. Recall, a unit vector in such an inner product space is called a state, and (mathematical) states accurately represent actual (physical) states of a collection of qubits. (We ill assume the reader is comfortable ith the meaning of expressions such as # g, f (g) >, and their relation to physical reality.)

2 BRIEF OUTLINE (details later): Let G be Abelian. Group character theory defines a subgroup H " that is determined by H. If H is knon, H " can be found. Of course, e do not kno H. Hoever, the quantum computations e ill present allo us to find H " directly. Knoing H ", e can then find H " ". We ill prove that H " " = H, and so be done. Well, actually, it is a bit more complicated. Each run of the computer ill be guarantied to produce an element of H ", all possibilities being equally likely to appear. We must collect a set of such elements, and hope that they constitute a generating set for H ". If so, using them, e can find H. (See [L] for discussions of the efficiency of finding a generating set for H ", and a method of using such to find H.) Of course, e need matters to be in a computational form. For instance, e ill assume G = Z N Z N2 Z N (recalling that any finite Abelian group is isomorphic to such). That allos us to use a register in the computer to input an element g of G, using the standard base 2 method. (Example: If (3 mod 5, mod 4) ε Z 5 Z 4, that element could be expressed as (0,,, 0 ), the first 0 representing 3, and the last 0 representing, here the first part has three places, since > 2 2. What this does is encode Z 5 Z 4 as a subset of Z ) We ill also assume a second register of the computer can be used to deal ith f(g), hich means e need to be able to (efficiently) identify S ith a subset of Z 2 s, for some s. (If, say s = 3, and G = Z 5 Z 4, e ould need qubits in our computer.) Finally, e must assume the function f can be efficiently computed. Our computer ill have to registers, the first dealing ith the g ε G, the second dealing ith the s ε S. Our computer program ill involve three steps. Near the end of section 2 of [M], it is shon that there is a quantum gate that converts # g,0 > to # g, f (g) >. Therefore, that conversion is an alloable quantum calculation, and is the middle one of our three steps. It is the only one of the three that deals ith both registers simultaneously. The first and last steps in our program only deal ith the first register. Actually, both those steps are the same, namely, applying the group Fourier transform. In order to introduce that transform, e must first remind the reader of the theory of (irreducible) characters of a finite Abelian group. (The knoledgeable reader can skip ahead.) Definition: An irreducible character of the Abelian group G is a homomorphism from G to the multiplicative group of nonzero complex numbers. (Whenever e use the ord character, it ill be understood to refer to an irreducible character of G.) G ill denote the set of all such characters. G is easily made into a group. The identity is the character that sends each element of G to. The inverse of χ sends g to the inverse of χ(g). The operation is function multiplication. 2

3 Since G is a group under addition, if χ is a character and g, h ε G, then χ(g + h) = χ(g)χ(h). Thus, for n an integer, e have χ(ng) = (χ(g)) n. If it happens that ng = 0, then = χ(0) = χ(ng) = (χ(g)) n, and so χ(g) is an n-th root of unity. (In particular, χ(g) is an n-th root of unity for n the order of g.) Notation: We have G = Z N Z N2 Z N. For a = (a, a 2,, a ) and b = (b, b 2, b ) in G (and treating the a j and b j as integers beteen 0 and N j ), define χ a (b) to be " exp(2πia j b j /N j ). j= (A) Lemma: The map a χ a is a group isomorphism beteen G and G. Proof: It is straightforard to see that χ a is a character. No let χ be any character. For j, let B j ε G be the -tuple consisting entirely of zeros except for the j-th position in hich there is a. No N j B j = 0, and so χ(b j ), being an N j -th root of unity, has the form exp(2πia j /N j ) for some integer a j beteen 0 and N j. Since (b, b 2,, b ) = b B + b 2 B b B W, e easily see that χ = χ a, for a = (a, a 2,, a ). Thus G = {χ a a ε G}, and so our map is onto. Furthermore, it is easily verified that it is a group homomorphism. No if χ a is the identity of G, then χ a (B j ) =. As it also equals exp(2πia j /N j ), e must have N j a j, so that a j is the zero of Z Nj. As that holds for j, e must have a = 0 in G. We therefore see that the kernel of our map is {0}, and e are done. (B) Lemma: χ a (b) = χ b (a). Also, χ -a (b) = " a (b) (ith the overbar denoting complex conjugation). Proof: The first statement is immediate from the definition. As for the second, χ -a (b) = " exp(-2πia j b j /N j ) = # exp(2"ia j b j /N j ) = " a (b). j= j= (C) Lemma: Let a,c ε G. Then $ " a (b)" c (b) equals 0 unless a = c, in hich case it equals G. b#g Proof: $ " a (b)" c (b) = # ((" exp(2πia j b j /N j ))( exp(2"ic j b j /N j b#g b"g j= j= # )) = # ((" exp(2πia j b j /N j ))( " exp(-2πic j b j /N j )). Letting d j = a j c j, that becomes b"g j= j= 3

4 # (( b"g " exp(2πid j /N j )) b j) = j= # b "Z N # b 2 "Z N2 # (( b "Z N j= " exp(2πid j /N j )) b j) = " ( j= # (exp(2πid j /N j ) b j). If N j divides d j, then b j "Z N j # (exp(2πid j /N j ) b j = N j. Otherise, it is a b j "Z N j geometric series summing to " (exp(2#id j /N j ))N j " exp(2#id j /N j ), hich equals 0, since the numerator is 0 but the denominator is not. Therefore, $ " a (b)" c (b) = 0 unless N j divides d j for j, in hich case it equals d j for j, exactly hen a = c. b#g " N j = G. Hoever, since d j = a j c j is in Z N j, e see that N j divides j= Remark: (C) is called the first orthogonality relation, and holds for the irreducible characters of non-abelian groups as ell. Since the definition of an irreducible character is harder for the non-abelian case, the proof is somehat harder. See [I, Chapter 2]. (D) Corollary: $ " a (b) equals 0 unless a = 0, in hich case it equals G. b#g Proof: This is just the special case of (C) in hich c = 0 (since χ 0 is identically ). We previously mentioned that the first and last steps of our program ill be an application of the group Fourier transform to the first register (that register being used to deal ith states hich are linear combinations of basic states k> for k ε G). Notation: Let H(G) be the complex inner-product space having the set of symbols { k> k ε G} as an orthonormal bases. Definition: The Fourier transform of G is the operator on H(G) hich takes the basis element k> to $ " g (k) g >. g#g 4

5 (E) Lemma: F is a unitary operator (and so applying it constitutes an alloable quantum computation). Proof: We must sho that {F( k>) k ε G} is an orthonormal bases of H(G). For k, h ε G, the inner product of f( h>) and f( k>) is $ " g (k)" g (h) = (by (B)) $ " k (g)" h (g). g#g By (C), that is 0 unless h = k, in hich case it is. The lemma follos (linear independence using a standard argument). g#g The next lemma is not strictly required, but is of interest. (F) Lemma: For k ε G, F(F( k>)) = -k>. Proof: F(F( k>)) = $ " g (k)f( g > ) = g#g $ " g (k)[ g#g %" #h (g) #h > ] = #h$g %[%" g (k)" #h (g))] #h > = (using (B)) #h$g g$g %[%" k (g)" h (g)] #h > = -k> (using (C)). #h$g g$g Our brief outline said that e ill find H by first finding H ". We revie that subgroup. Definition: Let H be a subgroup of G. Then H " = {g ε G χ g (h) = for all h ε H} = Ker χ h over all h ε H. (The last equality, by (B), makes it clear that H " is a subgroup of G). (G) Lemma: H " = G/H. Proof: We ill sho more than hat is stated, but e only need the statement. If g ε H ", then clearly H Ker χ g. Therefore, the map γ g defined on G/H by γ g (a + H) = χ g (a) is ell defined. No γ g is easily seen to be a homomorphism into the multiplicative group of nonzero complex numbers. That is, it is a character of G/H. Therefore, the map Γ sending g ε H " to γ g is a map from H " to G /H. 5

6 We claim Γ is a homomorphism. For g, k ε H ", Γ(g + k) = γ g+k sends a + H to χ g+k (a) = χ g (a)χ k (a), and so does Γ(g)Γ(k). We claim that Γ is one-to-one. Suppose g ε H " is in the kernel of Γ. Then for all a + H, e have χ g (a) = γ g (a + H) =. This is true for all a ε G, and so χ g = χ 0. By (A), g = 0. We claim that Γ is onto. Pick some γ ε G /H. Define χ on G by saying χ(a) = γ(a + H). Clearly χ is a character of G, and so χ = χ g for some g ε G. Hoever, clearly H Ker χ, and so g ε H ". Thus γ = γ g = Γ(g). We no see that Γ is an isomorphism. In particular, H " = G /H. Hoever, by (A), e already kno G /H = G/H, and so e are done. Notation: For H a subgroup of G, let H> = # h > (hich is a state). (H) Lemma: If H is a subgroup of G, then F( H>) = H " >. Proof: F( H>) = # F( h > ) = # [ $ " t (h) t > ] = t#g t"g # ( " t (h) h#h $ ) t>. No χ t is a character of G. Hoever, hen restricted to H, it is obviously also a character of H. Therefore, by (D), $ " t (h) is 0 unless χ t restricted to H is identically, in hich case that sum equals H. Hoever, χ t restricted to H is identically exactly hen t is in H. Therefore, e have h#h F( H>) = $ H t> = (using G) t"h # H " $ t > = H " >. t"h # We give to proofs of the next corollary. (I) Corollary: If H is a subgroup of G, then H " " = H. Proof #: The definition of H " shos H H " ". By to applications of (G), e have H " " = G / H " = G /( G / H ) = H. Proof #2: By (H), F(F( H>)) = H " " > = H "" $ k >. Hoever, by (F), e also have k"h ## 6

7 F(F(H)) = # F(F( h > )) = $ "h > = h#h # h >. Since all the k> and h> are part of the same bases of our vector space H(G), the equality of these to linear combinations implies they are identical, and e are done. Notation: For t ε G, let τ t be the operator hich sends the basis element g> to t+g>. (Clearly that operator permutes the canonical orthonormal basis elements of H(G), and so is unitary.) Also, let φ t be the operator hich multiplies the basis element g> of H(G) by χ g (t). (As the norm of χ g (t) is, this operator is also unitary.) Finally, let T be a transversal for the subgroup H of G (i.e., T is a set of coset representatives). (J) Lemma: For t ε G, e have Fτ t = φ t F. Proof: One can easily verify that both sides send the basis vector g> of H(G) to $ " k (t + g) k >, (using that χ k (t) χ k (g) = χ k (t+g)). k#g We are no ready to beginning shoing ho to program the computer to produce equally likely random elements of H ". (K) The Program: We begin ith the computer in the state 0,0>. We then apply F to the first register, hich is easily seen to result in the state # g,0 >. As explained earlier, there is a quantum gate that converts the above state to the state # g, f (g) >. Since f separates cosets, e kno that for t ε T and h ε H, f(t + h) = f(t). Therefore, (using that G = T H ) our previous state can be ritten as # ( # t + h >) f (t) > = t"t # ( # $ ( h >)) f (t) > = t t"t # (τ t ( t"t # h > )) f(t)> = # (τ t ( H>)) f(t)>. We next apply F to t"t 7

8 the first register. Using (J), e see the result is # (φ t F( H>)) f(t)>, hich by (H) equals t"t # (φ t ( H " >)) f(t)> = # (φ t ( $ k > )) f(t)>. Using the definition of φ t and t"t t"t H " the fact that (G) shos H " = T, this last state equals k#h " # ( %" k (t) k > ) f(t)> = t"t %" k (t) k, f (t) >. At this point, let us mention that since f separates cosets, f takes t#t,k#h $ distinct values on distinct members of T. Thus, the various k, f(t)> are H " T = T 2 distinct states. Since the norm of χ k (t) is, if %" k (t) k, f (t) > is read, all of the states t#t,k#h $ k, f(t)> (ith k ε H ", t ε T) have an equally likely chance (namely / T 2 ) of appearing. Also, any such k appears in exactly T such states, and so each k ε H " has a chance of exactly / T of being read from the first register. Therefore, e produce a random element of H ", all equally likely. k#h $ Remark: There is a subtlety in the above mathematics that might be overlooked. Let us illuminate it. At the second step, e ent from the state # g,0 > to the state # g, f (g) >. Superficially, that appears to leave the first register unaffected. Hoever, the step actually has a profound affect on the first register, since it entangles it ith the second register. If one reads the second register of # g,0 >, one ill assuredly get 0, and the first register ill remain in the state # g >. Hoever, if one reads the second register of # g, f (g) >, one ill get some choice of f(g). Suppose g is in the coset t + H (ith t ε T). Then by entanglement, the first register ill be in the state # g >. Our process had three steps, the first and last being the application of F to the first register. We are discussing the middle step. Suppose it as left out. Then e ould merely start ith 0, 0>, and apply F tice to the first register. By (F), e ould end up back at 0, 0>. It is the middle step, the entangling step, hich orks the magic. (Entanglement is thoroughly examined in [M4], and perhaps too thoroughly in [M2].) g"t + H 8

9 The rest of the procedure consists of repeating (K) many times, each time getting a random element of H ". No [L, Theorem D, appendix D] states that if n + " log K #elements are chosen at random from a finite group K, then the probability they generate K exceeds /2 n. We ish to apply that to K = H ". Hoever, not knoing H ", e instead use n + " log #. For adequately large n, e ill almost certainly have a generating set for H ". Next, [L, p. 23] shos ho to use that generating set to successively find random elements of H. Again, e take n + log " # of them, since e do not kno H. DISCRETE LOG PROBLEM: Let p be prime, and let b be a primitive root for p. Given x, it is easy to find c such that c b x mod p. Hoever, given c it is very hard to find x ith b x c mod p. That is called the discrete log problem. The x b x mod p function is an example of a one-ay function, and such functions are prime candidates for use in cryptography. Indeed, El Gamel encryption makes use of the difficulty of finding x given c. In [S], along ith his famous quantum factorization algorithm, Shor gives a lesser mentioned but equally interesting quantum algorithm for solving the discrete log problem. (It is also exhibited in [M].) Here, e give a solution to the discrete log problem due to Kiteav [K]. It is accomplished by converting the discrete log problem into an Abelian hidden subgroup problem. (L) Let b be a primitive root of the prime p and suppose p does not divide c. We ish to find x ith b x c mod p. Let G = Z p- " Z p-. Let f be the function from G to S = U p, the multiplicative group of units mod p, defined by f(u, v) = b u c v mod p. No f is easily seen to be a group homomorphism from G to U p, and its kernel is H = { (u, v ) f(u, v) = mod p}. One easily sees that f separates cosets of H, the hidden subgroup e seek. Suppose an element (u, v) of H has been found. Then since b x " c mod p, e have " b u c v " b u+vx mod p. As b is a primitive root for p, e have u + vx " 0 mod p -. For each choice of v in {0,, 2,, p 2}, there is one choice of u making that congruence true. Many of the v in that set are relatively prime to p. Assuming that is so for our v, e see x " -uv - mod p, and e are done. (Note that e did not need to find a generating set for H. Finding v - from v is easy via the Euclidean algorithm.) Remark: Applying the Abelian hidden subgroup algorithm to Z p- " Z p- ould require using the Fourier transform of that group. I do not kno ho efficient that is, nor am I interested enough to try to learn. A more interested reader can find some discussion of such matters in [L]. FACTORING: One often sees claims that factorization can be reduced to the Abelian hidden subgroup problem. That appears to be correct under a eaker version of the hidden subgroup problem, as e no discuss. Suppose e ish to factor n (not a prime poer). An incorrect approach ould be to say that e can rite n = kh ith GCD(k, h) =. Thus Z n Z k Z h, and e ish to find the hidden subgroup Z k 0 of Z n. The problem here is that e do not have any coset separating f. Without the additional information given by f, our task is exactly as hard as finding a factor of n. 9

10 We must find an approach that incorporates some useful f. Pick a random b ith < b < n, and use the Euclidean algorithm to quickly find GCD(b, n). If the GCD exceeds, it is a non-trivial factor of n. The more likely case is that GCD equals. If so, let r (unknon) be the order of b mod n in the group of units of Z n. Since r divides φ(n), let H = {0, r, 2r,, (φ(n)/r )r} Z φ(n) = G. H is our hidden subgroup. Is there an f? Yes! For x Z φ(n), let f(x) = b x mod n. We then have f(x) = f(y) IFF b x b y mod n IFF r x y IFF x and y are in the same coset of H. Suppose e could find H. Actually, e do not have to find all of H; a fe random elements of H ill probably suffice to factor n, as e no explain. First of all, e hope that r is even. If the process e are about to explain fails to factor n ithin a fairly small number of tries, e can guess that for the b e selected, r is probably odd. In that case, e ill pick a ne b, and try again. (Exercise: Sho that at least half of all b have an even r. Consider n as a product of prime poers, and use that prime poers have primitive roots.) Assuming r is even, suppose e have managed to find some h in H. Then h = rk ith 0 k φ(n)/r. Claim: There is a good chance that GCD(b h/2, n) is a non-trivial factor of n. If k is even, then r h/2, and e easily see that GCD equals n, and e fail. Hoever, if k is odd, then r does not divide h/2, and so e kno that b h/2 is not congruent to mod n. Thus GCD(b h/2, n) < n. Therefore, e must sho there is a good chance that GCD is bigger than. No b h/2 = (b r/2 ) k has b r/2 as a factor. Thus, it ill suffice to sho there is a good chance that GCD(b r/2, n) >. In fact, the ell-knon exponential factorization method (see [M, section ] or many textbooks) shos the chance of that last GCD being greater than is at least ½. Within a fe tries for b and h, e should be able to factor n. Hoever, e cannot use the Abelian hidden subgroup algorithm described above to find elements of H. That algorithm assumes that G is knon. Our G = Z φ(n) is not knon. We do not kno φ(n). What e have is a variant of the hidden subgroup problem (as defined at the start of this paper). We have an unknon G, and unknon H, and a knon f. EXAMPLE: Suppose e do not kno the factorization of 2, but are told by an oracle that φ(2) = 2. Since GCD(2, 2) =, e try letting b = 2. We kno that the order of 2 mod 2 (= r, unknon) ill divide 2, and so the multiples of r (taken mod 2) ill constitute a hidden subgroup H of Z 2. We also kno the function f(x) = 2 x mod 2 is a coset separating function for H. (Note that f(5) =, since 2 5 mod 2.) Thus, the algorithm given above can be used to find H. Notice that at the end of the second step of the algorithm (the entangling step), the computer ill be in the state ( 0, > +, 2> + 2, 4> + 3, 8> + 4, 6> + 5, > 2 + 6, > + 7, 2> + 8, 4> + 9, 8> + 0, 6> +, >). (Notice the to cycles of second entries, each of length 6.) With a small amount of luck, the algorithm ould soon tell us that H = {0, 6}, from hich e ould learn that the order of r is 6. No using the exponential factorization 0

11 technique, e cross our fingers and find GCD(2 6/2, 2). It is 7, and so e have found a factor of 2. REMARK: In the special case here n = pq is the product of to distinct primes, since n - ϕ(n) + = p + q, if e kno ϕ(n), e ould have pq and p + q, and so could easily factor n. But hat if the oracle is closed for remodeling, and e do not kno hat φ(2) equals? Shor s famous algorithm ([S], [M]) deals ith that problem. Since 2 9 = 52 is the first poer of 2 larger than 2 2, it orks ith Z 52. (That modulus is manageably small, yet big enough to give a high probability of success to Shor s method.) We also use the function f(x) = 2 x mod 2, but no for all x in Z 52. Hoever, f is not a coset separating function. We sa above that f gives cycles of length 6, and so ere it a coset separating function, there ould have to be 6 cosets, so that the subgroup they came from ould have to have size 52/6 = /6. But that is not an integer. Instead, one step of Shor s algorithm has the computer in the state (/ 52 )[ 0, > +, 2> + 2, 4> + 3, 8> + 4, 6> + 5, > + 6, > + 7, 2> + 8, 4> + 9, 8> + 0, 6> +, > + 2, > + 3, 2> + 4, 4> + 5, 8> + 6, 6> + 7, > , > + 505, 2> + 506, 4> + 507, 8> + 508, 6> + 509, > + 50, > + 5, 2>]. (There are 85 complete cycles, and 2/6 of another cycle.) Suppose e no read the second register, and get (for example) 2. That means the first register goes into the state (/ 86 )[ > + 7> + 3> > + 5>] = 84 (/ 86 )" 6i + >. (We hope to find the 6 = r.) Shor then applies a Fourier transform, i= 0 and ends ith a state having the property that hen read, has a good chance of producing a number t such that t/52 is a good approximation to a number of the form k/r. The theory of continued fractions allos us to find r, (ith luck, the right r). We apply exponential factorization ith r. If e fail to factor 2, e kno e got the rong r. With luck, a fe tries gives us the right r, namely 6. Remark: It has been said that Shor s algorithm is a special case of the hidden subgroup problem. Although there are similarities, perhaps it ould be better to say both are examples of hidden cycle problems. In [K], Kiteav introduces a ne idea, hich gives an alternate factorization algorithm, ith some similarities to Shor s. (See [M3].) Hoever, there are aspects of [K] that I do not yet understand.

12 REFERENCES [I] I. M. Isaacs, Character theory of finite groups, Dover Publications, inc. [K] A. Y. Kiteav, Quantum measurements and the Abelian stabilizer problem, arxiv:quant-ph/95026v, November 20, 995 [L] C. Lomont, The hidden subgroup problem revie and open problems, raxiv:quant-ph/04037v, November 4, 2004 [M] S. McAdam, Shor s algorithms,.ma.utexas.edu/users/mcadam [M2] S. McAdam, Entanglement,.ma.utexas.edu/users/mcadam [M3] S. McAdam, Eigenvalues and Kiteav s factoring algorithm,.ma.utexas.edu/users/mcadam [M4] S. McAdam, Unkonoable Matters, American Mathematical Monthly, 9 (4) 202, [S] P. Shor, Polynomial time algorithms for prime factorization and discrete logarithms on a quantum computer, available at xxx.lanl.gov/abs/quant-ph/