Lecture 15: The Hidden Subgroup Problem

Similar documents
Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP

Quantum Algorithms Lecture #2. Stephen Jordan

Factoring integers with a quantum computer

From the shortest vector problem to the dihedral hidden subgroup problem

Lecture 9: Phase Estimation

Quantum algorithms for hidden nonlinear structures

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem

Lecture 4: Elementary Quantum Algorithms

Lecture 8: Finite fields

Hidden Symmetry Subgroup Problems

0 Sets and Induction. Sets

5 Group theory. 5.1 Binary operations

Lecture 7 Cyclic groups and subgroups

Ph 219b/CS 219b. Exercises Due: Wednesday 11 February 2009

Lecture 24: Approximate Counting

Lecture 22: Counting

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Lecture 26: Arthur-Merlin Games

Graph isomorphism, the hidden subgroup problem and identifying quantum states

QIP Note: On the Quantum Fourier Transform and Applications

Graph Isomorphism is in SPP

Lecture 10: Eigenvalue Estimation

The Hunt for a Quantum Algorithm for Graph Isomorphism

Lecture 4: Orbits. Rajat Mittal. IIT Kanpur

Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 1: Quantum circuits and the abelian QFT

Lecture 11: Cantor-Zassenhaus Algorithm

Math 430 Final Exam, Fall 2008

Lecture 4 : Quest for Structure in Counting Problems

Page Points Possible Points. Total 200

Fourier Sampling & Simon s Algorithm

MATH 430 PART 2: GROUPS AND SUBGROUPS

McEliece and Niederreiter Cryptosystems That Resist Quantum Fourier Sampling Attacks

Introduction to Cryptology. Lecture 20

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

17 More Groups, Lagrange s Theorem and Direct Products

Lecture 12: Lower Bounds for Element-Distinctness and Collision

Lecture 23: Alternation vs. Counting

Ph 219b/CS 219b. Exercises Due: Wednesday 22 February 2006

QUANTUM COMPUTATION AND LATTICE PROBLEMS


Group. Orders. Review. Orders: example. Subgroups. Theorem: Let x be an element of G. The order of x divides the order of G

Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.

Quantum Computing: Foundations to Frontier Fall Lecture 3

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Quantum Computing. Winter Quarter, 2011 and Spring Quarter, 2013

Lecture 2: Basics of Harmonic Analysis. 1 Structural properties of Boolean functions (continued)

Algorithms for ray class groups and Hilbert class fields

Permutation Groups. John Bamberg, Michael Giudici and Cheryl Praeger. Centre for the Mathematics of Symmetry and Computation

Ph 219b/CS 219b. Exercises Due: Wednesday 4 December 2013

Theoretical Cryptography, Lectures 18-20

Introduction to Quantum Computing

Algebra Exercises in group theory

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

DEDEKIND S TRANSPOSITION PRINCIPLE

MA441: Algebraic Structures I. Lecture 18

Introduction to Quantum Computing

REU 2007 Discrete Math Lecture 2

Extra exercises for algebra

Basic Definitions: Group, subgroup, order of a group, order of an element, Abelian, center, centralizer, identity, inverse, closed.

Lecture 6: Finite Fields

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Mathematics 331 Solutions to Some Review Problems for Exam a = c = 3 2 1

1 Agenda. 2 History. 3 Probabilistically Checkable Proofs (PCPs). Lecture Notes Definitions. PCPs. Approximation Algorithms.

Classical simulations of non-abelian quantum Fourier transforms

Math 581 Problem Set 7 Solutions

BASIC GROUP THEORY : G G G,

Section 15 Factor-group computation and simple groups

ALGEBRA I (LECTURE NOTES 2017/2018) LECTURE 9 - CYCLIC GROUPS AND EULER S FUNCTION

What are we talking about when we talk about post-quantum cryptography?

1 Perfect Matching and Matching Polytopes

The non-injective hidden shift problem

CONJUGATION IN A GROUP

13. Examples of measure-preserving tranformations: rotations of a torus, the doubling map

Sylow structure of finite groups

Sensitivity, Block Sensitivity and Certificate Complexity of Boolean Functions (Master s Thesis)

Figure 1: Circuit for Simon s Algorithm. The above circuit corresponds to the following sequence of transformations.

book 2005/1/23 20:41 page 132 #146

1 Shortest Vector Problem

Galois Theory TCU Graduate Student Seminar George Gilbert October 2015

Groups and Symmetries

GALOIS THEORY I (Supplement to Chapter 4)

Algebra homework 6 Homomorphisms, isomorphisms

EXERCISE SHEET 1 WITH SOLUTIONS

Solutions to Assignment 4

2 Lecture 2: Logical statements and proof by contradiction Lecture 10: More on Permutations, Group Homomorphisms 31

Some Sieving Algorithms for Lattice Problems

Assigment 1. 1 a b. 0 1 c A B = (A B) (B A). 3. In each case, determine whether G is a group with the given operation.

Modern Algebra Prof. Manindra Agrawal Department of Computer Science and Engineering Indian Institute of Technology, Kanpur

Chapter 2. First-Order Differential Equations

Symmetries and Polynomials

The quantum threat to cryptography

To hand in: (a) Prove that a group G is abelian (= commutative) if and only if (xy) 2 = x 2 y 2 for all x, y G.

NP-Completeness I. Lecture Overview Introduction: Reduction and Expressiveness

Math 451, 01, Exam #2 Answer Key

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 11 Luca Trevisan February 29, 2016

ABSTRACT ALGEBRA 1, LECTURES NOTES 5: SUBGROUPS, CONJUGACY, NORMALITY, QUOTIENT GROUPS, AND EXTENSIONS.

15-451/651: Design & Analysis of Algorithms October 31, 2013 Lecture #20 last changed: October 31, 2013

Modern Algebra I. Circle the correct answer; no explanation is required. Each problem in this section counts 5 points.

Lecture 18: Inapproximability of MAX-3-SAT

MATH HL OPTION - REVISION SETS, RELATIONS AND GROUPS Compiled by: Christos Nikolaidis

Transcription:

CS 880: Quantum Information Processing 10/7/2010 Lecture 15: The Hidden Subgroup Problem Instructor: Dieter van Melkebeek Scribe: Hesam Dashti The Hidden Subgroup Problem is a particular type of symmetry finding problem. It captures a lot of quantum algorithms and instantiations of this problem give many of the previous problems that we have seen in this course. In this lecture we see how we can cast the previous problems as instantiations of this problem. We also consider an efficient Quantum algorithm to solve the Hidden Subgroup Problem on finite Abelian groups. 1 The Hidden Subgroup Problem Let us start with the definition of the Hidden Subgroup Problem (HSP): Definition 1. Given access to an oracle function f : G R, from a known group G to its range, such that there exists a subgroup H G such that x, y G, f(x) = f(y) Hx = Hy. Problem is to find a set S of generators of H. This means that the function f, returns the same value iff x and y belong to the same coset of H within G. Note that Hx = Hy yx 1 H and in general we can have right or left coset (in this case right coset). Clearly, when we consider an Abelian group G or the subset H is a normal subgroup of G, there is not any difference between right and left cosets of H, where Hx = {hx h H}. Before delving into efficient algorithms for finding a set S of generators for H, a more basic question is whether a small set of generators exists. The answer is yes and its proof comes as an exercise. Exercise 1. Show that for every subgroup H of G, there exists a set of generators of size at most log 2 H. We will use S to denote the set of elements generated by S. Next, we show that how HSP captures many of the problems we have seen before. 1.1 Deutsch Problem The Deutsch problem is a simple instantiation of the HSP problem. Let us recall the problem: For a given f : {0, 1} {0, 1} the problem is whether f(0) = f(1) or not. In order to cast this as an HSP instantiation, we define the group G = Z 2 and we also need to define our oracle function, which is the same as the function f in the Deutsch problem. When the function f is constant, the set H equals G and otherwise it is {0}. Hence, the HSP problem would be distinguishing between H = {0} vs H = Z 2, where, G = Z 2. 1

1.2 Bernstein-Vazirani Problem Let us recall the problem; for a given f : {0, 1} n {0, 1} : x ax + b and the challenging goal was to find a. First let define our group G = Z n 2, and the oracle function is as the same as the f function. Now we use the definition of the subset H to cast it, which is looking for f(x) = f(y). Hence, in the Bernstein-Vazirani Problem, for all the elements of H we should have a(x y) = 0: H := {z Z n 2 az = 0}. Once we have a set of generators for H, we can find a as the nontrivial solution to a homogeneous system of linear equations. 1.3 Simon s Problem In Simon s Problem we were given a function f : Z n 2 R such that f(x) = f(y) x + y = s. The function is either one-to-one (s = 0) or two-to-one (s 0) and the goal was to finding the shift s. In order to cast it, the group G = Z n 2, the oracle function is this f function, and the H is the subgroup generated by S = {s}. 1.4 Period Finding For a given function f : Z R, we knew that f is periodic with period of r, ( x)f(x) = f(x + r), and ( 0 x < y < r)f(x) f(y) and the goal was to find the period r. Hence, the group G = Z, the oracle is the same as f function, and H is a subgroup generated by r. We note that the Order Finding Problem is a special case of the Period Finding Problem and falls in this category of HSP problems, as well. 1.5 Finding Discrete Logarithms Let us first setup the problem by introducing notations; an integer M > 0, g generator for Z M, a Z M, R = Z M, used to find smallest l, such that gl = a. The function we used in the previous lecture was f : Z R Z R Z M : (x, y) a x g y mod M. This function was designed such that it is constant on the coset of H = (1, l) in G = Z R Z R. Indeed, f(x 1, y 1 ) = f(x 2, y 2 ) lx 1 + y 1 = lx 2 + y 2 l(x 1 x 2 ) = (y 1 y 2 ). We use the function f as a HSP instantiation and can extract l as the generator of H. 2

1.6 Graph Automorphism and Graph Isomorphism For a graph A(V, E), say with V = n, a graph automorphism is a relabeling of vertices which preserves the edges. The graph automorphism problem for A is to find a set of generators for the group of automorphisms Aut(A) of A. We can cast the problem as an HSP over the group G of all permutations of {1, 2,..., n}, i.e., G is the symmetric group S n. In addition, our function f should be constant on the automorphisms of G and the way that we can define it, is that for a permutation π, f(π) = π(a). f(π) = f(σ) π(a) = σ(a) (σ 1 π)(a) = A σ 1 π Aut(A) σaut(a) = πaut(a) We note that, in this case the group G is not an Abelian group and the subgroup H = Aut(A) is not always normal. Based on the above definition our subgroup is a left coset. Hence, the Graph Automorphism Problem can be cast as an instantiation of HSP problem. Next we consider the Graph Isomorphism Problem. The Graph Isomorphism Problem reduces to The Graph Automorphism Problem Here, we claim that if there is an efficient algorithm to solve the Graph Automorphism Problem we can use it to solve the Graph Isomorphism Problem. Two connected graphs A 1 and A 2 are isomorphic iff there exists an automorphisms of A 1 A 2 that maps a vertex from A 1 to a vertex from A 2. Given a set of generators for Aut(A 1 A 2 ), we can check the latter condition by verifying that there is a generator that maps a vertex from A 1 to a vertex from A 2. In the general case, in which A 1 and A 2 are not connected graphs, we can add a node to each graphs, connect the new nodes to every other vertex in their associated graphs, and make a connected graph. Actually, the new nodes have maximum degree in each graph. Next, by adding an extra node to each graph which is only connected to the new node, we can handle the case that the graphs are full-connected. Then, if we can find a permutation which maps one vertex from one graph to a vertex from another graph and also preserves edges, the graphs are isomorphic. Figure 1: The extra nodes are shown with filled circles and new edges are shown by curves. We only showed some of the new edges to show general idea of using extra vertexes. 3

2 Efficient Quantum Algorithm for The Hidden Subgroup Problem Over Finite Abelian Groups Each finite Abelian group is isomorphic to the direct sum of some cyclic groups G = k j=1 In lecture 8 we developed the Fourier Transform over such G, which was a mapping from the standard δ basis into orthonormal basis that maps convolutions into the point wise products. We use the Fourier Transform here, because the Fourier Transform of a group interacts very nicely with the symmetries in the group. In particular, it perfectly works for a coset state Hg, which is the uniform superposition of all elements of the coset H, Z Nj Hg = 1 H h H hg Now, let us complete the Fourier Transform of a coset state F Hg = 1 H = h H 1 H 1 χ y (hg) y (1) y G y G χ y (g)( h H χ y (h)) y, (2) where, χ y (h) = e 2πi k y j h j j=1 N j. Exercise 2. Show that where χ y (h) = h H { H H = {y G ( h H) if y H = 0 otherwise k j=1 y j h j N j Z} Plugging in Exercise 2 into Equation (2) gives us: H F Hg = χ y (g) y. (3) y H This is the reason of using the Fourier Transform; we started with the coset state H g of all elements and by using the Fourier Transform we get an equally weighted superposition over H. In particular, if g = 0 we get the coset state which is a uniform superposition over H. The quantum algorithm for solving the HSP over G starts with the uniform superposition over G: G = 1 x 4 x G

By applying our blackbox fo f we obtain 1 x f(x). x G Next, we observe the second register f(x), which leaves us in the first register the coset state Hg for a uniformly at random chosen g G. The next step is applying F 1, which by Equation (3) gives us: H χ y (g) y. y H Then, we observe the first register to get a uniform y H. Lemma 1. When we run these steps log H times and collect the y s, then where δ is a universal positive constant. Pr[ y 1, y 2,..., y log H = H ] δ, The proof is the same as what we explained for Simon s problem in Lecture 5. When we find a set of generators for H, we can use it to find (H ) to get the hidden subgroup H by solving a linear system of modular equations. This way we solve the HSP over a finite Abelian group G in poly-logarithmic time in. To solve the problem over finitely generated Abelian groups that are not finite, we perform a similar process as we did for the Period Finding problem. 3 Hidden Subgroup Problem for Non-Abelian Groups In general, the HSP over any finite group G can be solved using only polylog() many queries to the blackbox f. This is something we will prove in the next homework. However, this does not mean that the overall algorithm runs in polylogarithmic time in. In fact, we only know how to do the latter for a few non-abelian finite groups. We do not know it for the following groups, for which efficient solutions to the HSP would have interesting consequences. 1. Dihedral Groups (D N ): The group D N consiste of the symmetries of a regular N-gon (rotations and reflections). A solution to the HSP problem on the Dihedral groups that would allow us to solve the g(n)-unique SVP (Shortest Vector Problem) for polynomial functions g(n). The SVP is a Lattice Problem on a real N-dimensional space with N basis vectors, where every element in the lattice is a linear combination of the basis vectors with integer coefficients. The SVP asks for a shortest nonzero vector in the lattice. The SVP does not have a unique solution because for every vector in the lattice its minus is also in the lattice. The unique SVP is a promise version of SVP in which we are told that the solution is unique up to the sign. The term g(n)-unique means that the second shortest lattice vector up to sign is of length at least g(n) times the length of the shortest nonzero lattice vector. Solving the g(n)-unique SVP for polynomial g(n) is considered hard in the classical setting, and is used to design lattice-based cryptosystems. Efficiently solving the HSP over the dihedral group would break those cryptosystems. 5

2. Symmetric Group: As we saw, Graph Isomorphism reduces to the HSP over the symmetric group, and the coset states Hg contain enough information to solve the problem in principle. However, it turns out that Fourier sampling loses that information. More specifically, there are positive and negative instances of Graph Isomorphism for which the dsitributions that result after Fourier sampling are exponentially close. This means we would need exponentially many runs in order to have a good chance of distinguishing the positive from the negative instances. Now, we are done with the Hidden Subgroup Problem and in the next lecture, we will talk about Quantum Walks. 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback