A new quantum algorithm for the hidden shift problem in \mathbb{Z}_{2^t}^n
aa r X i v : . [ qu a n t - ph ] F e b A NEW QUANTUM ALGORITHM FOR THE HIDDEN SHIFTPROBLEM IN Z n t GERGELY CS ´AJI
E¨otv¨os Lor´and University, 1117 Budapest, P´azm´any P´eter s´et´any 1/ABudapest, 1185, [email protected]
February 9, 2021
Abstract
In this paper we make a step towards a time and space efficient algorithmfor the hidden shift problem for groups of the form Z nk . We give a solution tothe case when k is a power of 2, which has polynomial running time in n , andonly uses quadratic classical, and linear quantum space in n log( k ). It can be auseful tool in the general case of the hidden shift and hidden subgroup problemstoo, since one of the main algorithms made to solve them can use this algorithmas a subroutine in its recursive steps, making it more efficient in some instances. The hidden subgroup and hidden shift problems have been intensively studiedby several authors since Shor’s discovery of efficient factoring and discrete log-arithm algorithms [7] . Many of the problems that have an exponentially fasterquantum algorithm are instances of the first one and the latter is a closely re-lated problem, which is useful for example when we are dealing with the hiddensubgroup problem in groups of the form G ⋊ Z , G abelian.The hidden subgroup problem consists of a finite group G , a subgroup H ≤ G ,a finite set S ⊂ { , } l , (this l is called the encoding length) and a function f : G → S such that f ( x ) = f ( y ) if and only if x and y are both elements of thesame left coset of H . We then say that f hides the subgroup H . Furthermore wesuppose that f is efficiently computable or that we have an oracle U f mappingthe state | x i| i to | x i| f ( x ) i .In the hidden shift problem we are given a finite group G , a finite set S ⊂ { , } l ,and two functions f , f : G → S , both injective and we know that there existssome s ∈ G such that f ( x ) = f ( xs ) for every x ∈ G . The task is to find s ,given oracle access to f and f , which are unitary transforms U f , U f , thatmap the state | x i| i to | x i| f i ( x ) i .For example, if we have a finite abelian group G , then the hidden shift problemcan be viewed as an instance of the hidden subgroup problem with G ′ = G ⋊ Z ,and f : G ′ → S given with f ( x, i ) = f i ( x ). Then the function f hides the sub-group H = { (0 , , ( s, } , so if we find H , we can determine s too. Ettinger andHoyer showed [2] that there is a reduction in the other direction as well, thereforethe two problems are quantum polynomially equivalent.1here has been a massive amount of research regarding these problems, how-ever an efficient solution to the general case has not yet been discovered and isstarting to seem impossible. But in some special cases we can at least give somealgorithms, that are quite more efficient than the brute force search, which isgenerally the only classical solution. For example when G is abelian, then wecan solve the hidden subgroup problem in polynomial time, but the hidden shiftproblem seems more difficult even in this case.The hidden shift problem, although not as general as the hidden subgroup prob-lem, is still very useful in a lot of areas. For example, as Regev showed [6] , thecase when G = Z n (which corresponds to the hidden subgroup problem in thedihedral group) is important, because an efficient fault tolerant algorithm forthis would break a primitive from lattice based cryptography. Another relevantaspect for the hidden shift problem is that it is recursively used by an algorithmof Friedl et al. [3] which is one of the most important algorithms for the hiddensubgroup problem (it can be used to solve the hidden shift problem as well), be-cause it works efficiently for a reasonably large class of groups, namely solvablegroups with constant exponent and constant derived length. It introduces a newproblem called Translating Coset , which is a generalization of both the hiddensubgroup and the hidden shift problems and then the authors show that this
Translating Coset in any finite solvable group G and for any normal subgroup N of G is reducible to the Translating Coset in G/N and in N . The hidden shiftproblem comes into the picture, because the algorithm used to solve TranslatingCoset uses an algorithm for the hidden shift problem in Z np as a subroutine. Somore efficient algorithms for the hidden shift problem in these cases or efficientalgorithms for a larger class of groups, for example Z np t would mean a moreefficient solution in the general case too, the latter because then the algorithmcould save t − G = Z n t . Generally there are two main algorithms for the hidden shift problem. The firstone is Kuperberg’s [4] , which solves the problem in 2 O ( √ log | G | ) time and space.It is currently considered the best algorithm for the general case of the prob-lem. Although Kuperberg’s algorithm used exponential space, Regev made amodified version, which uses a pipeline of routines, each waiting until it getsenough objects from the previous one and reduces the space complexity to onlypolynomial in log | G | .The other is the previously mentioned FIMMS algorithm of Friedl et al. [3] Itsrunning time is ((log | G | + e +2 √ log( s ) ) O ( e ) log(1 /ε )) r (see Ref. [3] Theorem 4.13),if G has a subnormal series of length r , where each factor is either elementaryabelian of prime exponent bounded by e or is an abelian group of order at most s and ε is the allowed error probability. So it works efficiently in solvable groupswith constant exponent and constant derived lenght.The space complexity is exponential, because the algorithm has to have all thestates it needs at the beginning, because making further copies would violate2he no cloning theorem.In this paper we give a new algorithm, that solves the hidden shift problem in Z n t . It combines some ideas from previous algorithms to achieve both polyno-mial space complexity and polynomial running time in n . So it is faster thanKuperberg’s algorithm in some cases, for example when t is constant, or isasymptotically small compared to n . The FIMSS algorithm has similar runningtime, but its exponential space complexity is a lot worse than our quadraticspace need. So ours is the first algorithm for the hidden shift problem in groupsof the form Z nk , that has both polynomial running time in n and polynomialspace complexity (apart from Simon’s algorithm for the case G = Z n ). Wehope its ideas can be extended to make more general algorithms with similarefficiency.Oddly enough, space complexity hasn’t had too much attention in the litera-ture of quantum computing, despite the fact that even if we can build quantumcomputers, that can work like the mathematical model we use to describe them,they probably won’t have too much space to operate with, especially in the be-ginning, because the more qubits we have, the more difficult to maintain thequantum states of qubits and prevent errors, decoherence and unwanted enta-glement, so it’s important to make algorithms, that will be able to run withthese limitations.Now we state our main result: Theorem 1.
There is a quantum algorithm, that solves the hidden shift problemin Z n t with success probability − ε (for any ε > in O ( t ( n +1) ( t +2) l ) log( ε − ) time and O ( tn + l ) classical and O ( tn + l ) quantum space. The structure of this paper is the following. In Section 2 we describe the newalgorithm in details. In Section 3 we analyse the algorithm as well as prove itscorrectness and clarify some of the methods mentioned in Section 2. In the endof Section 3 we give a modified version of our algorithm that runs with cosetstates as input.It turns out that the FIMSS algorithm can be tailored for the special case Z n t toachieve very close running time to our method’s, although the space complexityremains exponential in t . We outline such a version of the FIMSS in Section 4. In this section we present the algorithm for solving the hidden shift problemin Z n t or equivalently the hidden subgroup problem in Z n t ⋊ Z , with hiddensubgroup H = { (0 , , ( s, } and f : Z n t ⋊ Z → S , f ( x, i ) = f i ( x ). It hassome of its main ideas based on Kuperberg’s subexponential-time algorithm [4] for solving the dihedral hidden subgroup problem in Z t ⋊ Z . Although itbecomes exponential in t , it is only polynomial in n , so in the case when t is3onstant or n is asymptotically large compared to t , it is more efficient thanKuperberg’s general algorithm for this problem. Algorithm:Input:
N, n ∈ Z , where N = 2 t . Oracle input: f : Z n t ⋊ Z → S ⊂ { , } l , hiding H = { (0 , , ( s, } for some s ∈ Z n t . Output: s .First, we prepare a state in | ( tn +1+ l ) i . Then we apply Hadamard operationsto the first tn + 1 qubits to achieve the uniform superposition state:1 √ tn +1 X x ∈ Z n t ( | x i| i + | x i| i ) | l i . We then apply the unitary transform U f (which maps the state | Z i| i to | Z i| f ( Z ) i ) to get: 1 √ tn +1 X x ∈ Z n t ( | x i| i| f ( x, i + | x i| i| f ( x, i ) . We then measure the last l bits and assuming we measured f ( x,
0) for some x ∈ Z n t , then omitting the last l bits the state becomes:1 √ | x i| i + | x + s i| i ) . Next we use a quantum Fourier-transform (QFT) over Z n t to obtain the state:1 √ tn +1 X u ∈ Z n t ( e πi h u,x i N | u i| i + e πi h u,x + s i N | u i| i ) , which can be written as:1 √ tn +1 X u ∈ Z n t e πi h u,x i N | u i ⊗ ( | i + e πi h u,s i N | i ) . Then, after a measurement on the first tn qubits, we will obtain a state similarto the ones in Kuperberg’s algorithm: | φ u i = 1 √ | i + e πi h u,s i N | i , with the value of u being known. Then we generate n + 1 of them the same way.The rest of the algorithm will go as follows:4 tep 1 Having ( n + 1) of the u -s, we can find coefficients a ,..., a n +1 ∈ { , } ,such that P n +1 i =1 a i u i ≡ mod n + 1 vectors have to be lin-early dependent in Z n . If there are more than one option for the choice of a = ( a , ..., a n +1 ), then we will select one randomly with equal probabilities(the method will be clarified in the next section). Step 2
Using Kuperberg’s method (see Section 4), from two states | φ u i and | φ u ′ i with a suitable measurement we can extract a state | φ u + u ′ i or | φ u − u ′ i with equal probabilities. With that technique we will ”add” the | φ u i statescorresponding to those a i -s, that were equal to 1 to get | φ v (1) i states, where v (1) has coordinates divisible by 2 and is uniformly distributed over 2 Z n t = Z n t − (as we will show later). Since u + u ′ and u − u ′ have the same parity, obtain-ing v (1) = P n +1 i =1 ε i u i , ε i ∈ {− , } instead won’t be a problem, as it will becongurent to 0 and the uniformity will remain too, as we will see. Step 3
We divide each of the achieved sums by 2 to obtain an other sampleof u (1) = v (1) -s.When we are out of u -s we will generate another n + 1, until we have n + 1 of u (1) -s and | φ v (1) i -s too.We repeat Step 1 , Step 2 and
Step 3 with the new sample of u (1) -s, then with u (2) -s, and so forth, until we have a sample of ( n + t ) u ( t − elements, uniformlydistributed over Z n .Notice that we use a pipeline like routine similar to Regev’s [5] , so at each levelwe wait until we have enough states for the next step, so this way we won’tneed more than n ( t −
1) + n + t = nt + t states at the same time ever duringthe algorithm. Step 4
The final | φ v ( t − i states are of the form √ ( | i + ( − P i ∈I s i | i ), where I = { i ∈ { , ..., n + 1 } : v ( t − i = 2 t − } , because if we add the original u -scontained in each u ( t − , then the sums will consist of elements, that have eachof their coordinates either 0 or 2 t − . So now a measurement in the |±i basis(the one with basis vectors √ ( | i + | i ) and √ ( | i − | i )) reveals the parity of P i ∈I s i . And with ( n + t ) states, we will have n linearly independent equationswith probability very close to 1 (This probability is at least (1 − t ), since its1 − P r (any n are linearly dependent) ≥ − n P r ( every point are from a given( n − Z n )= 1 − n ( ) n + t = 1 − t ), so we can deter-mine the vector s ( mod Step 5
Knowing s ( mod
2) we can pass on to a subgroup G of Z n t ⋊ Z n isomorphic to Z n t − ⋊ Z n containing each possible hidden subgroup H (we willgive the detailed method in the next chapter) and repeat the algorithm from step 1 for G to obtain s ( mod G ,..., G t − to get the exact value5f s . The probability that we can determine s ( mod i ), for every i = 1 , ..., t isat least (1 − − t ) t ≥ . So O (log( ε − )) applications is enough to obtain s with1 − ε probabilityIn order to achieve the linear quantum space usage of our algorithm, noticethat the | ϕ u i states only require one qubit and it’s the u vectors and the calcu-lations with them that require the most space. But since the u vectors can bedescribed by classical bits and the calculation with them can be done on a clas-sical computer we can just do this part of our algorithm on a classical computerand only use the quantum computer to create, add and measure the | ϕ u i -s. Wecan even store the u -s and | ϕ u i -s in an array such that the i -th cell of the arrayof the classical machine contains u i and the i -th cell of the quantum computer’sarray contains | ϕ u i i , so we can trace back what | ϕ u i -s to add. Therefore afterwe created a ( u, | ϕ u i ) pair in O ( nt + l ) space, we can copy this classical u toa classical computer and use the same storage for creating the next pair onlyexcluding the one qubit that | ϕ u i uses. So generating O ( n ) pairs can be donewith O ( nt + l ) quantum space and so does the whole algorithm. In this section we will give details of the methods used in our algorithm, as wellas prove some lemmas needed for its correctness.First we will prove, that in step 2 we get a uniformly random element from Z n t − indeed. Lemma 1.
Let u , ..., u n +1 be a uniformly random sample from Z n t , and let A = { a = ( a , ..., a n +1 ) = (0 , ...,
0) : P n +1 i =1 a i u i ≡ mod , a i ∈ { , ± }} .Furthermore, choose an a ∈ A randomly (each with equal probabilities). Then P n +1 i =1 a i u i is an uniformly random element from Z n t − . Proof
Notice that for any ∅ 6 = I ⊂ { , ..., n +1 } the sum P i ∈I ε i u i , ε i ∈ {− , } is a uniformly random element from Z n t , because adding or subtracting the last u i can yield any vector with equal probabilities, since u i is uniformly random.Next, let x be an arbitrary element in Z n t − . Then P ( P a i u i x ) = P ( X a i u i = 2 x ) = P (( A ∩ B ) ∪ ( A ∩ B ) ∪ ... ∪ ( A m ∩ B m )) , where A i is the event that we choose the i -th element of A (after ordering A ’selements some way) and B i is the event { P j ∈J a j u j = 2 x } , where J consistsof those j -s, for which a j = ± i -th element of A .Now observe, that the probability of B i doesn’t depend on the choice of x u i -s for some J ⊂ { , .., n + 1 } , the rest of the u i -s will beindependent of that, and because the probability that we choose a given vector a only depends on the parity of the coordinates of the u i -s (since it only dependson what elements will A consist of) and they have the same distribution in { u i : i ∈ J } for any x , the probability of the events A i ∩ B i will be independentof x too. That means, for each pairwise disjunct event A i ∩ B i the probabilitywill be same for any y ∈ Z n t − .So we could substitute the B i -s with { P j ∈J u j = 2 y } for any y ∈ Z n t − , thus P ( X a i u i = 2 x ) = P ( X a i u i = 2 y )concluding the proof. (cid:3) For the sake of completeness, we state a more general theorem:
Theorem 2.
Let p be any prime, k ∈ N , and u , ..., u n +1 a uniformly ran-dom sample from Z np t . Let A = { a = ( a , ..., a n +1 ) = (0 , ...
0) : P n +1 i =1 a i u i ≡ mod p ) , a i ∈ {− ( p − , ..., − , , , , ..., p − }} . Then, if we choose an a ∈ A randomly, P a i u i p will be a uniformly random element from Z np k − . Proof
The proof is very similar to the previous case, only here we will havemore A i ∩ B i events. For clarity, here B i is the event { P j ∈J a j u j = px } , fora given x ∈ Z np k − , and J consists of those j -s, for which a j = 0 in the i -thelement of A . The independence from x will follow from the same argumentand the fact that a i u i ≡ px i ( mod p ) will have a unique solution in u i forany a i ∈ {− ( p − , ..., − , +1 , .., p − } and x i ∈ Z p k − , because there exists asolution if and only if gcd ( a i , p ) | px i , which is trivially true, and the numberof solutions has to be gcd ( a i , p ), which will always be 1, because p is prime.(So we can choose |J | − u i freely and then the last one will be determineduniquely, so we have the same number of solutions for any x .) (cid:3) Next, we will give a method to get a uniformly random element from A :Observe, that P a i u i ≡ mod
2) can be easily transformed to a set of lin-ear equations over Z , thus we can use Gaussian elimination to achieve echelonform. Once that is done, we will count the free variables. Let k be the numberwe got. Then we choose a random element from { , } k \ k , and assign thefree variables 0 or 1 accordingly. (If we would let all free variables to be 0, thenthe fixed ones had to be 0 too). Since any chosen element will correspond toa unique a ∈ A and any a ∈ A is achievable this way (because it has to be asolution), this method will give a uniform a ∈ A indeed.Now we will clarify how we can move to a subgroup of Z n t once we know theparity of s. 7 emma 2. Let G = Z n t ⋊ Z and let f : G → S be a function hiding thesubgroup H = { (0 , , ( s, } . Then, if we know s ( mod , we can reduce theproblem to a subgroup K ≤ G isomorphic to Z n t − ⋊ Z . Proof
Let s denote s ( mod s ∈ Z n , let K s be the subgroup { (2 x, , ( y,
1) : x ∈ Z n t − , y ≡ s ( mod } , y ≡ s ( mod y i ≡ s i ( mod
2) for every i = 1 , ..., n .Observe that each K s has 2 nt elements, closed under multiplication and thatthe map φ : K s → Z n t − ⋊Z , φ (2 x,
0) = ( x, φ ( s ,
1) = (0 , φ (2 x + s ,
1) =( x,
1) is both a bijection and a homomorphism, so it is an isomorphism.Furthermore, each K s contains every possible subgroup of the form H = { (0 , , ( s ′ , } with s ′ ≡ s ( mod
2) and none with s ′ s , so we can safelyand uniquely move to one of the K s -s knowing s . (cid:3) Remark.
An equivalent way to prove
Lemma 2 would be if we change f : Z n t ⋊ Z → S to f ′ : Z n t − ⋊ Z → S according to s , with f ′ ( x,
0) = f (2 x, f ′ ( x,
1) = f (2 x + s , f ′ ( x,
0) = f (2 x,
0) = f (2 x + s,
1) = f ′ ( x + s − s , f ′ hides the subgroup { (0 , , ( s − s , } . Now from s − s ( mod
2) we can determine s ( mod [4] to obtain | φ u ± u ′ i from | φ u i and | φ u ′ i . First, we create the tensor product | φ u i ⊗ | φ u ′ i of the two states,which will be12 ( | i + e πi h u,s i N | i + e πi h u ′ ,s i N | i + e πi h u + u ′ ,s i N | i ) . Then we apply a CNOT-gate and obtain12 ( | i + e πi h u,s i N | i + e πi h u ′ ,s i N | i + e πi h u + u ′ ,s i N | i ) . Now we can measure the second qubit and get either √ ( | i + e πi h u + u ′ ,s i N | i ) = | φ u + u ′ i or √ ( e πi h u,s i N | i + e πi h u ′ ,s i N | i ) = √ ( | i + e πi h u − u ′ ,s i N | i ) = | φ u − u ′ i with equal probability. Now we finish the proof of Theorem 1 by analysing the time and space requiredfor our algorithm.Step 1 requires time O ( t ( n + 1) l ) (because the QFT over Z n t has complexity O (( nt ) ), and has to be done to prepare each | φ u i ) and space O ( tn + l ) (sincewe can use the same l qubits for generating each ( u, | ϕ u i ) pair) to prepare the O ( n ) states needed for the algorithm. As we showed before most of this canbe implemented on a classical computer, so the needed quantum space is only O ( nt + l ). Finding the coefficients a i -s with the above written technique requires8 (( n + 1) ) time for each ( n + 1)-tuple, and during step 1 to step 5 we will applyit ( n + t )( n + 1) t − +( n + t )( n + 1) t − +...+( n + t ) times, which combined canbe computed in O ( t ( n + 1) t +2 ) time. Then, obtaining the ( n + t ) | φ v ( t − i -scan be done with O (( n + t )( n + 1) t − ) additions, each requiring O (1) time (aCNOT-gate and a measurement). Step 4, if we have n linearly independentequations, can be solved in O (( n + t ) ) time too with Gaussian elimination.Thus, the algorithm computes s ( mod
2) in O ( t ( n + 1) l ) + O ( t ( n + 1) t +2 ) ≤O ( t ( n + 1) t +2 l ) time, and then iterating it for Z n t − ,..., Z n takes O ( t ( n +1) t +1 l ),..., O ( t ( n + 1) l ) time respectively. So the whole algorithm has runningtime O ( t ( n + 1) t +2 l ) ( or O ( t ( n + 1) ( t +2) l ) log( ε − ) , if we need ε error insteadof ) and requires O ( tn + l ) classical and O ( nt + l ) quantum space (step 1 tostep 5 can be computed in O ( tn + l ) classical and O ( nt + l ) quantum space andwe can use the same space for each iteration as we only need O ( nt ) space tostore the actual values of s , which can be overwritten after each iteration too). Finally, another advantage of our algorithm compared to the FIMSS is that aslightly modified version can be implemented with coset-states as input, whichare (in our case) states of the form √ ( | x i| i + | x + s i| i ). Its usefulness is thatit can use these states, even if they are generated by an other source.The modified version of our algorithm is as follows:In the Input we suppose that we have a stream of coset states. We could haveall the required states as input, but that would need an exponential amount ofspace. Then we apply the QFT to these states and follow the steps of the originalalgorithm. Only the iteration after obtaining s ( mod i ) will be different:After we know s i = s ( mod i ) we will start with applying a unitary transform U to the coset states, which maps | x i| i i → | x − i ∗ s i i| i i , i = 0 ,
1, and only thenuse the QFT ( U is unitary, since it permutes the basis vectors | x i| i i , x ∈ Z n t , i ∈ { , } ).So now our | φ v i states will have the form1 √ | i + e πi h v,s − si i N | i )Since s − s i is divisible by 2 i , we only need to repeat the first three steps untilwe have n + t | φ v ( t − i − i states, where v ( t − i − ’s coordinates are divisible by2 t − i − , because now the scalar product will be a multiple of 2 t − . That means,if we measure the state in the ± basis, we will obtain equations for the parityof the sum of some coordinates of s − s i i (the coordinates being the ones forwhich the same coordinate in u ( t − i − = v ( t − i − t − i − is odd), so we can determine s − s i i ( mod
2) the same way and acquire s i +1 .9 A tailored version of the FIMSS for Z n t Although running the FIMSS algorithm for the hidden shift problem in groupsof the form Z np t would require at least O ( n pt ) poly ( n, t, l ) time and space, inthe special case of Z n t with appropriate modifications the running time canbe lowered to ( O ( n )) t +2 poly ( n, t, l ), so it will be similar to our algorithm’s.This part is devoted to a more or less self-contained outline of such a modifiedversion. Note however that the space requirements remain exponential in t , sothe method of this paper could be a lot easier to implement, therefore it shouldstill be a useful recursive tool for the general case.We start with recalling some basic concepts from Ref. [3] with appropriatesimplifications. A simple but important idea is formulating a version of thehidden shift problem that is suitable for taking ”averages” over subgroups andmaking recursions into factor groups possible. Let Γ be a finite set of mutuallyorthogonal quantum states and let G be a finite group. A map α : G × Γ → Γis said to be a group action if for every x ∈ G the map α x : | φ i → | α ( x, | φ i ) i gives a permutation of Γ, α G is the identity map and α x ◦ α y − = α xy − . Wedenote | α ( x, | φ i ) i by | x · φ i and P x ∈ G | x · φ i by | G · φ i .We assume that the action α is given by an oracle. The single translator problem assumes that G acts (semi-)regularly on Γ and ”sufficiently many”copies of a pair | φ i , | φ i from Γ as input. The output should be the el-ement x ∈ G such that | φ i = | xφ i (provided existence). (This problemis a simplification of the more general translating coset problem of Ref. [3]which is for the situation when the action is not semiregular.) To capturethe hidden shift problem for a function f : G → S consider the superpostion | f i = P z ∈ G | z i| f ( z ) i . Then the corresponding superposition | xf i for the shiftedfunction xf : z f ( zx ) can be obtained by multiplying the first register by x − from the right: P z ∈ G | z i| f ( zx ) i = P z ∈ G | zx − i| f ( z ) i .As already mentioned, the input for the single translator problem consists ofseveral identical copies of the pair of states. Formally, we have | φ i ⊗ k ⊗ | φ i ⊗ k as input for some integer k (which needs to be sufficiently large to get a correctanswer with reasonable probability). Our averages will be superpositions oforbits on several identical copies of states. Formally, let Γ k = {| φ i ⊗ k : | φ i ∈ Γ } ,the set of products of k identical copies of states from Γ and define α k onΓ k = {| φ i ⊗ k : | φ i ∈ Γ } as α k ( x, | φ i ⊗ k ) = | x · φ i ⊗ k . Obviously, if we have anoracle for α (that maps | x i| φ i → | x i| x · φ i ) then we can simulate an oracle for α k too using k queries to the oracle for α .Let us turn to the special case G = Z n t . Then we can take a length t subnormal series of G , where each factor group will be isomorphic to Z n and inthese groups the subroutine for single translator reduces essentially to Simon’sproblem.The algorithm will mostly be the same as the standard FIMSS, so the reader isinvited to read Ref. [3] for details omitted here and for further clarification. Let10 = 2 t − G ∼ = Z n and | F i i = | φ i i ⊗ q , where q is some integer we set in advance.The orbit of a state | φ i under a subgroup K ≤ G is K ( | φ i ) = {| x · φ i : x ∈ K } ,while the orbit superposition is the uniform superposition | Kφ i = P x ∈ K | x · φ i .We can modify the exact algorithm of Brassard and Hoyer [1] for Simon’sproblem to take q = O ( n ) identical copies of two quantum states as input in thesame way as in Ref. [3] Corollary 3.6 and 3.8. From that we can construct an al-gorithm for the single translator problem in N ∼ = Z n , that maps | x · φ i ⊗ q | φ i ⊗ q | i to | x · φ i ⊗ q | φ i ⊗ q | x i like the ElementaryAbelianTCS algorithm in Ref. [3].Based on this, we give an algorithm for creating the uniform superpositionof a given state’s orbit under some group action α of N (so creating the state | N · φ i ). Call it OS ( N, α, q, φ ).It takes as input | φ i ⊗ q | N i . Step 1:
Apply the group element in the last register to the first q registers: X x ∈ N | x · φ i ⊗ q | φ i ⊗ q | x i Step 2:
Apply the translator finding algorithm (the one that maps | x · φ i ⊗ q | φ i ⊗ q | i to | x · φ i ⊗ q | φ i ⊗ q | x i ) for Z n backwards: | N F i| F i| i , where | F i = | φ i ⊗ q and | N F i is the orbit superposition under the action α q on N .Now let’s get to the main algorithm: T ( G, N, α, q ( r + 1)).If t = 1, so G = Z n then we saw that we can solve the problem in time poly ( n )for q = O ( n ). So let us suppose by induction, that we already have an algorithmfor T ( G/N, α, r ) (
G/N ∼ = Z n t − and we present how to solve it in G = Z n t usingthat as a subroutine). The algorithm takes as input | φ i ⊗ q ( r +1) | φ i ⊗ q ( r +1) | i with ancilla | N i ⊗ r | i . Step 1:
We call the algorithm OS ( N, α, q, φ i ) r times on blocks of the form | φ i ⊗ q | N i and r times on blocks | φ i ⊗ q | N i to get: | N · F i ⊗ r | F i| N · F i ⊗ r | F i| i| i ⊗ r | i . Step 2:
We recursively call T ( G/N, N, α q , r ) on | N · F i ⊗ r | N · F i ⊗ r | i (Wecan do it, since G/N ∼ = Z n t − and we already have our algorithm for that forany α group action): | N · F i ⊗ r | F i| N · F i ⊗ r | F i| i| i ⊗ r | sN i . Step 3:
Undo Step 1: | φ i ⊗ q ( r +1) | φ i ⊗ q ( r +1) | i| N i ⊗ r | sN i . | s · φ i = | φ i ⇐⇒ s = vu , u ∈ N , such that | u · φ i = | v − · φ i , wereduced the problem to a simple hidden shift problem in Z n , so with one moreuse of the modified Brassard–Hoyer algorithm we can find u , then s .Therefore, because the Brassard-Hoyer algorithm for Simon’s problem onlyneeds q = O ( n ) states to work, then by simple induction we can conclude, thatthe algorithm needs ( O ( n )) t states, because one level would need only O ( n ),therefore by induction we have to give O ( n ) blocks of ( O ( n ) t − ) states to therecursive calls. Then taking in factor that the final Brassard-Hoyer algorithmneeds O ( n ) states too at the end, and that the | φ i i = P x | x i| f i ( x ) i states eachtake O ( nt ) qubits, we have that both the space and time complexity of thealgorithm will be poly ( n, t, l )( O ( n )) t +2 , so it should be similar, if not somewhatslower than our method. The subroutines that the algorithm uses, like the OS can all be implemented in polynomial time, and can be done simultaneously onthe blocks, so they don’t really affect the running time. Acknowledgements
The author would like to thank G´abor Ivanyos for helpful remarks and sugges-tions.
References [1] G. Brassard and P. Hoyer. “An exact quantum polynomial-time algorithmfor Simon’s problem”. In:
Proceedings of the Fifth Israeli Symposium onTheory of Computing and Systems . June 1997, pp. 12–23. doi : .[2] Mark Ettinger and Peter Høyer. “On Quantum Algorithms for Noncommu-tative Hidden Subgroups”. In: Adv. Appl. Math. doi : . url : https://doi.org/10.1006/aama.2000.0699 .[3] Katalin Friedl et al. “Hidden Translation and Translating Coset in Quan-tum Computing”. In: SIAM J. Comput. doi : . url : https://doi.org/10.1137/130907203 .[4] Greg Kuperberg. “A Subexponential-Time Quantum Algorithm for theDihedral Hidden Subgroup Problem”. In: SIAM J. Comput. doi : . url : https://doi.org/10.1137/S0097539703436345 .[5] Oded Regev. “A Subexponential Time Algorithm for the Dihedral HiddenSubgroup Problem with Polynomial Space”. In: (July 2004).[6] Oded Regev. “Quantum Computation and Lattice Problems”. In: SIAMJournal on Computing doi : .eprint: https://doi.org/10.1137/S0097539703440678 . url : https://doi.org/10.1137/S0097539703440678 .[7] Peter W. Shor. “Polynomial-Time Algorithms for Prime Factorization andDiscrete Logarithms on a Quantum Computer”. In: SIAM J. Comput. doi : . url : https://doi.org/10.1137/S0097539795293172https://doi.org/10.1137/S0097539795293172