hidden subgroup problem

The hidden subgroup problem (HSP) is a topic of research in mathematics and theoretical computer science. The framework captures problems such as factoring, discrete logarithm, graph isomorphism, and the shortest vector problem. This makes it especially important in the theory of quantum computing because Shor's algorithms for factoring and finding discrete logarithms in quantum computing are instances of the hidden subgroup problem for finite abelian groups, while the other problems correspond to finite groups that are not abelian.

Problem statement

Given a group $G$, a subgroup $H \leq G$, and a set $X$, we say a function $f : G \to X$ hides the subgroup $H$ if for all $g_1, g_2 \in G, f(g_1) = f(g_2)$ if and only if $g_1 H = g_2 H$. Equivalently, $f$ is constant on each coset of ''H'', while it is different between the different cosets of ''H''.

Hidden subgroup problem: Let $G$ be a group, $X$ a finite set, and $f : G \to X$ a function that hides a subgroup $H \leq G$. The function $f$ is given via an oracle, which uses $O(\log , G, + \log , X, )$ bits. Using information gained from evaluations of $f$ via its oracle, determine a generating set for $H$.

A special case is when $X$ is a group and $f$ is a group homomorphism in which case $H$ corresponds to the kernel of $f$.

Motivation

The hidden subgroup problem is especially important in the theory of quantum computing for the following reasons.
* Shor's algorithm for factoring and for finding discrete logarithms (as well as several of its extensions) relies on the ability of quantum computers to solve the HSP for finite abelian groups.
* The existence of efficient quantum algorithms for HSPs for certain non-abelian groups would imply efficient quantum algorithms for two major problems: the graph isomorphism problem and certain shortest vector problems (SVPs) in lattices. More precisely, an efficient quantum algorithm for the HSP for the symmetric group would give a quantum algorithm for the graph isomorphism. An efficient quantum algorithm for the HSP for the dihedral group would give a quantum algorithm for the $\operatorname(n)$ unique SVP.

Quantum algorithms

There is an efficient quantum algorithm for solving HSP over finite abelian groups in time polynomial in $\log, G,$. For arbitrary groups, it is known that the hidden subgroup problem is solvable using a polynomial number of evaluations of the oracle. However, the circuits that implement this may be exponential in $\log, G,$, making the algorithm not efficient overall; efficient algorithms must be polynomial in the number of oracle evaluations and running time. The existence of such an algorithm for arbitrary groups is open. Quantum polynomial time algorithms exist for certain subclasses of groups, such as semi-direct products of some abelian groups.

Algorithm for abelian groups

The algorithm for abelian groups uses representations, i.e. homomorphisms from $G$ to $\mathrm_k(\mathbb)$, the general linear group over the complex numbers. A representation is irreducible if it cannot be expressed as the direct product of two or more representations of $G$. For an abelian group, all the irreducible representations are the characters, which are the representations of dimension one; there are no irreducible representations of larger dimension for abelian groups.

Defining the quantum fourier transform

The quantum fourier transform can be defined in terms of $\mathrm_N$, the additive cyclic group of order $N$. Introducing the character$\chi_j(k) = \omega^_N = e^,$the quantum fourier transform has the definition of$F_N , j\rangle = \frac \sum_^N \chi_j(k) , k\rangle.$Furthermore, we define $, \chi_j\rangle = F_N , j\rangle$. Any finite abelian group can be written as the direct product of multiple cyclic groups $\mathrm_ \times \mathrm_ \times \ldots \times \mathrm_$. On a quantum computer, this is represented as the tensor product of multiple registers of dimensions $N_1, N_2, \ldots, N_m$ respectively, and the overall quantum fourier transform is $F_ \otimes F_ \otimes \ldots \otimes F_$.

Procedure

The set of characters of $G$ forms a group $\widehat$ called the dual group of $G$. We also have a subgroup $H^\perp \leq \widehat$ of size $, G, /, H,$ defined by$H^\perp = \$For each iteration of the algorithm, the quantum circuit outputs an element $g \in G$ corresponding to a character $\chi_g \in H^\perp$, and since $\chi_g(h) =$ for all $h \in H$, it helps to pin down what $H$ is.

The algorithm is as follows:
# Start with the state $, 0\rangle , 0\rangle$, where the left register's basis states are each element of $G$, and the right register's basis states are each element of $X$.
# Create a superposition among the basis states of $G$ in the left register, leaving the state $\frac \sum_ , g\rangle , 0\rangle$.
# Query the function $f$. The state afterwards is $\frac \sum_ , g\rangle , f(g)\rangle$.
# Measure the output register. This gives some $f(s)$ for some $s \in G$, and collapses the state to $\frac \sum_ , s + h\rangle , f(s)\rangle$ because $f$ has the same value for each element of the coset $s +$. We discard the output register to get $\frac \sum_ , s + h\rangle$.
# Perform the quantum fourier transform, getting the state $\frac \sum_ , \chi_\rangle$.
# This state is equal to $\sqrt \sum_ \chi_g(s) , g\rangle$, which can be measured to learn information about $H$.
# Repeat until $H$ (or a generating set for $H$) is determined.

The state in step 5 is equal to the state in step 6 because of the following:$\begin \frac \sum_ , \chi_\rangle &=\frac \sum_ \sum_ \chi_(g), g\rangle \\ &=\frac \sum_ \chi_s(g) \sum_ \chi_h(g), g\rangle \\ &=\frac \sum_ \chi_g(s) \left(\sum_ \chi_g(h)\right) , g\rangle \\ &=\sqrt \sum_ \chi_g(s) , g\rangle \end$For the last equality, we use the following identity:

Each measurement of the final state will result in some information gained about $H$ since we know that $\chi_g(h) = 1$ for all $h \in H$. $H$, or a generating set for $H$, will be found after a polynomial number of measurements. The size of a generating set will be logarithmically small compared to the size of $G$. Let $T$ denote a generating set for $H$, meaning $\langle T\rangle = H$. The size of the subgroup generated by $T$ will at least be doubled when a new element $t \notin T$ is added to it, because $H$ and $t + H$ are disjoint and because $H \cup t+H \subseteq \langle \\cup T\rangle$. Therefore, the size of a generating set $, T,$ satisfies$, T, \leq \log, H, \leq \log, G,$Thus a generating set for $H$ will be able to be obtained in polynomial time even if $G$ is exponential in size.

Instances

Many algorithms where quantum speedups occur in quantum computing are instances of the hidden subgroup problem. The following list outlines important instances of the HSP, and whether or not they are solvable.

See also

* Hidden shift problem
* Pontryagin duality

References

External links

Richard Jozsa: Quantum factoring, discrete logarithms and the hidden subgroup problem

Chris Lomont: The Hidden Subgroup Problem - Review and Open Problems

Hidden subgroup problem on arxiv.org

Complete implementation of Shor's algorithm for finding discrete logarithms with Classiq

{{Quantum Computing, state=expanded

Group theory
Quantum algorithms
Quantum computing
Theoretical computer science