Hidden Symmetry Subgroup Problems
Miklos Santha, CNRS, Université Paris Diderot, France, and Centre for Quantum Technologies, NUS, Singapore.
Joint work with Thomas Decker (CQT, Singapore), Gábor Ivanyos (SZTAKI, Budapest) and Pawel Wocjan (U. of Central Florida).

How to build quantum algorithms with exponential saving?
The success story in hidden structures:
Theorem [Shor'94]: The hidden subgroup problem can be solved in abelian groups in quantum polynomial time.
Post-abelian hidden structure finding:
• Hidden subgroups in non-abelian groups
• Hidden algebraic sets of higher degree
Here:
• New proposal: subgroups hidden by symmetries
• Generalizes the above problems
• In some cases reduces to solvable hidden subgroup problems

Hidden Subgroup Problem (HSP)
$\mathrm{HSP}(G; \mathcal{H})$, where $G$ is a finite group and $\mathcal{H}$ is a family of subgroups of $G$.
Oracle input: a function $f : G \to S$ (with $S$ finite).
Promise: for some subgroup $H \in \mathcal{H}$ we have $f(x) = f(y) \iff Hx = Hy$, i.e. $f$ is constant and distinct on the cosets of $H$, which partition $G$ as $H, a_1 H, \ldots, a_t H$.
Output: generators for $H$.
Theorem: If $G$ is abelian then there is a quantum algorithm which finds $H$ with probability $\ge 1 - 1/|G|$, in time polynomial in $\log|G|$.
• Parameter: $G$ and $\mathcal{H}$ are given explicitly
• Information: the partition $\pi_f$ of $G$ defined by the level sets $f^{-1}(s) = \{x \in G : f(x) = s\}$, for $s \in S$
• Efficiency: polynomial in $\log|G|$

HSP in non-abelian groups
Theorem: Can be solved in quantum $\mathrm{poly}(\log|G|)$-time when
– $G = \mathbb{Z}_2^k \rtimes \mathbb{Z}_2$ [Roetteler, Beth'98]
– $H$ is normal and $\mathrm{QFT}_G$ is available [Hallgren, Russell, Ta-Shma'00]
– $\bigcap\{N(H) : H \le G\}$ is large [Grigni, Schulman, Vazirani, Vazirani'01]
– $G = \mathbb{Z}_p \rtimes \mathbb{Z}_m$ if $m = \frac{p-1}{(\log p)^c}$ [Moore, Rockmore, Russell, Schulman'04]
– $H$ is normal and $G$ is solvable [Ivanyos, Magniez, Santha'01]
– $G$ is of constant exponent and has a derived series of constant length [Friedl, Ivanyos, Magniez, Santha, Sen'03]
– $G$ is the Heisenberg group [Bacon, Childs, van Dam'05]
– $G$ is a nil-2 group [Ivanyos, Sanselme, Santha'08]

Non-linear hidden structure problems
Hidden Polynomial Problem $\mathrm{HPP}(\mathbb{F}_q, n, d)$
Oracle input: a function $f : \mathbb{F}_q^n \to S$
Promise: for some $n$-variate polynomial $P$ of degree $d$ over $\mathbb{F}_q$, $f(x) = f(y) \iff P(x) = P(y)$.
Output: $P$.
Hidden Quadratic Polynomial Problem $\mathrm{HQPP}(\mathbb{F}_q)$
Oracle input: a function $f : \mathbb{F}_q \to S$
Promise: let $P_u(x) = x^2 - 2ux$; then for some $u \in \mathbb{F}_q$, $f(x) = f(y) \iff P_u(x) = P_u(y)$.
Output: $u$.
Theorem [Childs, Schulman, Vazirani'07]: If $n$ and $d$ are constants, then for a $1 - o(1)$ fraction of the hidden polynomials, $\mathrm{HPP}(\mathbb{F}_q, n, d)$ has polylogarithmic query complexity.

Group actions
Definitions:
1. Permutation action of $G$ on a set $M$: $\circ : G \times M \to M$, where
   • $g \circ (h \circ m) = (gh) \circ m$ for all $g, h \in G$
   • $e \circ m = m$ for the identity element $e$ of $G$.
2. Stabilizer subgroup of $m \in M$: $G_m = \{g \in G : g \circ m = m\}$.
3. $H$-orbit of $m \in M$ for a subgroup $H$: $H \circ m = \{h \circ m : h \in H\}$.

Subgroups and partitions
Notation: $(\mathcal{A}(G), \subseteq)$ is the lattice of all subgroups of $G$ and $(\Pi(M), \le)$ is the lattice of partitions of $M$. Consider the two maps
$H \mapsto H^* = \{H \circ m : m \in M\}$, from $(\mathcal{A}(G), \subseteq)$ to $(\Pi(M), \le)$, and
$\pi = \{\pi_1, \ldots, \pi_\ell\} \mapsto \pi^* = \{g \in G : \forall i\; g \circ \pi_i = \pi_i\}$, from $(\Pi(M), \le)$ to $(\mathcal{A}(G), \subseteq)$.
These two maps form an order-reversing Galois connection between $(\mathcal{A}(G), \subseteq)$ and $(\Pi(M), \le)$ (where $\pi \le \pi'$ if $\pi'$ is finer than $\pi$): $H \le \pi^*$ if and only if $\pi \le H^*$.
Definition: The closure of $H$ is $H^{**}$, and $H$ is closed if $H = H^{**}$.
Facts:
• $H \subseteq H^{**}$
• $H$ is closed if and only if $H = \pi^*$ for some partition $\pi$.

Subgroups and partitions: examples
1. Conjugation action: $M = G$, $g \circ h = ghg^{-1}$. $H = \{e\} \implies H^* = \text{Equality} \implies H^{**} = Z(G)$.
2. $G = S_n$, $M$ = labelled graphs on $n$ vertices, $\sigma \circ G = \sigma(G)$. $\pi = \text{Total} \implies \pi^* = S_n \implies \pi^{**} = \text{Isomorphism types}$.
3. General affine group: the invertible affine transformations over $\mathbb{F}_q$,
   $\mathrm{Aff}_q = \left\{ \begin{pmatrix} a & b \\ 0 & 1 \end{pmatrix} : a \in \mathbb{F}_q^*,\ b \in \mathbb{F}_q \right\}$.
   Natural action on $\mathbb{F}_q$: $\begin{pmatrix} a & b \\ 0 & 1 \end{pmatrix} \begin{pmatrix} x \\ 1 \end{pmatrix} = \begin{pmatrix} ax + b \\ 1 \end{pmatrix}$.
   The stabilizer of $m \in \mathbb{F}_q$: $G_m = \left\{ \begin{pmatrix} a & (1-a)m \\ 0 & 1 \end{pmatrix} : a \in \mathbb{F}_q^* \right\}$.
   $G_m^* = \{\{m\}, \{x \in \mathbb{F}_q : x \ne m\}\}$, since $ax + (1-a)m = y \iff x = m + a^{-1}(y - m)$.
   $G_m = G_m^{**}$ is closed.

Hidden symmetry subgroup problem
Hidden Symmetry Subgroup Problem $\mathrm{HSSP}(G, M, \circ; \mathcal{H})$, where $G$ is finite and $\mathcal{H}$ is a set of closed subgroups.
Oracle input: a function $f : M \to S$
Promise: for some subgroup $H \in \mathcal{H}$ we have $f(x) = f(y) \iff H \circ x = H \circ y$.
Output: $H$.
Remarks:
• For an arbitrary $f$ there can be no or several subgroups $H$ whose orbits are $\pi_f$
• Our promise: $\pi_f$ is closed and $\pi_f^* \in \mathcal{H}$
• More general problem: without any promise, find $\pi_f^*$
• HSP is a special case of HSSP for $M = G$ and $g \circ h = gh$

HSSP can have exponential query complexity
Theorem: The query complexity of $\mathrm{HSSP}(\mathrm{Aff}_q, \mathbb{F}_q, \circ, \mathcal{S})$ is $\Omega(q^{1/2})$, where $\mathcal{S} = \{G_m : m \in \mathbb{F}_q\}$.
Proof: Grover's search over $\mathbb{F}_q$ is trivially reducible to this HSSP. Recall that
$G_m = \left\{ \begin{pmatrix} a & (1-a)m \\ 0 & 1 \end{pmatrix} : a \in \mathbb{F}_q^* \right\}$ and $G_m^* = \{\{m\}, \{x \in \mathbb{F}_q : x \ne m\}\}$.
These are exactly the level sets of the Grover oracle $f_m(x) = \delta_{m,x}$. If $\begin{pmatrix} a & b \\ 0 & 1 \end{pmatrix}$ generates $G_m$ then $m = (1-a)^{-1} b$.

Reduction scheme of HSSP to HSP
Suppose $f : M \to S$ hides $H \le G$ by symmetries. How to construct $f_{\mathrm{HSP}} : G \to S$ which hides $H$?
Natural idea: pick $B = \{m_1, \ldots, m_t\} \subseteq M$ and define $f_{\mathrm{HSP}}(g) = (f(g \circ m_1), \ldots, f(g \circ m_t))$.
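As an added illustration (not code from the slides), the reduction $f_{\mathrm{HSP}}(g) = (f(g \circ m_1), \ldots, f(g \circ m_t))$ computed by brute force in the affine group $\mathrm{Aff}_q(H)$ of the later slides, for the constructed instance $q = 7$, $H = \{1, 2, 4\}$: a base is accepted when the level sets of $f_{\mathrm{HSP}}$ are exactly the cosets $G_m g$ for every stabilizer $G_m$, i.e. when it is $\mathcal{S}$-strong.

```python
Q = 7
H_SUB = (1, 2, 4)          # constructed: the order-3 subgroup of F_7^*
G = [(b, a) for b in range(Q) for a in H_SUB]      # Aff_q(H) = F_q ⋊ H as pairs (b, a)

def mul(g1, g2):
    """(b, a)(b', a') = (a b' + b, a a'), the semidirect-product rule of the affine-group slide."""
    (b1, a1), (b2, a2) = g1, g2
    return ((a1 * b2 + b1) % Q, (a1 * a2) % Q)

def act(g, x):
    """Natural action (b, a) ∘ x = a x + b on F_q."""
    return (g[1] * x + g[0]) % Q

def stabilizer(m):
    """G_m = {g : g ∘ m = m}; the family S consists of these."""
    return frozenset(g for g in G if act(g, m) == m)

def symmetry_oracle(K):
    """An f : F_q -> S hiding K by symmetries, f(x) = f(y) iff K∘x = K∘y (f returns the orbit)."""
    return lambda x: frozenset(act(k, x) for k in K)

def hsp_oracle(f, base):
    """The reduction: f_HSP(g) = (f(g∘m_1), ..., f(g∘m_t))."""
    return lambda g: tuple(f(act(g, m)) for m in base)

def level_sets(fn, domain):
    """Partition of the domain into level sets of fn."""
    parts = {}
    for x in domain:
        parts.setdefault(fn(x), set()).add(x)
    return {frozenset(p) for p in parts.values()}

def cosets(K):
    """{K g : g in G}; f_HSP hides K exactly when its level sets are these cosets."""
    return {frozenset(mul(k, g) for k in K) for g in G}

def is_strong_base(base):
    """S-strong: f_HSP built from the base hides G_m for every m (checked by brute force)."""
    for m in range(Q):
        K = stabilizer(m)
        if level_sets(hsp_oracle(symmetry_oracle(K), base), G) != cosets(K):
            return False
    return True
```

For this instance at most $|H| - 1 = 2$ points fail to separate a given pair, so a single point or the pair $\{0, 1\}$ is rejected while any three distinct points are accepted.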
For $H = \{e\}$ it works if $\bigcap_{i=1}^t G_{m_i} = \{e\}$. In general $\bigcap_{m \in B} H G_m = H$ is necessary.
Definition: $B$ is an $H$-strong base if for every $g \in G$ we have $\bigcap_{m \in B} H G_{g \circ m} = H$. $B$ is $\mathcal{H}$-strong for a family $\mathcal{H}$ of subgroups if it is $H$-strong for every $H \in \mathcal{H}$.
Lemma: If $f : M \to S$ hides some $H \in \mathcal{H}$ by symmetries and $B = \{m_1, \ldots, m_t\}$ is $H$-strong, then $H$ is hidden by $f_{\mathrm{HSP}}$.
Remark: $M$ itself is strong for closed subgroups: $\bigcap_{m \in M} H G_m = H^{**}$.

Affine groups
The general affine group $\mathrm{Aff}_q$ is the semidirect product $\mathbb{F}_q \rtimes \mathbb{F}_q^*$: $(b, a)(b', a') = (ab' + b, aa')$.
Definition: For $\{1\} < H \le \mathbb{F}_q^*$ let $G = \mathrm{Aff}_q(H) = \mathbb{F}_q \rtimes H$. The stabilizer of $0$ is $G_0 = \{(0, a) : a \in H\} \cong H$, and its conjugates are the other stabilizers, for $m \in \mathbb{F}_q$: $G_m = (m, 1) G_0 (-m, 1)$.
We consider the family of stabilizer subgroups of $G$: $\mathcal{S} = \{G_m : m \in \mathbb{F}_q\}$.
$\mathrm{Aff}_q$ doesn't have a polynomial size $\mathcal{S}$-strong base.
Theorem: Let $G = \mathrm{Aff}_q(H)$ with $H < \mathbb{F}_q^*$. If $B \subseteq \mathbb{F}_q$ is a uniformly random set of size $\Theta(\log q \cdot \log 1/\epsilon)$ then $B$ is an $\mathcal{S}$-strong base with probability at least $1 - \epsilon$.
Remark: The same is true in Frobenius groups for the Frobenius complements.

Small bases in affine groups
Outline of proof: Since $\mathcal{S}$ consists of conjugates of $H$ (i.e. of $G_0$), it suffices to show that $B$ is $H$-strong.
For $b \ne b' \in \mathbb{F}_q$ we say that $m \in \mathbb{F}_q$ separates $b$ and $b'$ if $b' \circ m \notin H \circ (b \circ m)$.
Lemma 1: $B$ is an $H$-strong base $\iff$ for all $b \ne b' \in \mathbb{F}_q$ there exists $m \in B$ which separates $b$ and $b'$.
Lemma 2: For all $b \ne b' \in \mathbb{F}_q$ we have $|\{m \in \mathbb{F}_q : m \text{ does not separate } b \text{ and } b'\}| < q/2$.
Proof: If $m$ does not separate $b \ne b'$ then there is $a_m \ne 1$ in $H$ such that $b' + m = a_m (b + m)$. For $m \ne m'$ we have $a_m \ne a_{m'}$, since otherwise $b' + m' = a_m (b + m')$, which implies $a_m = 1$. Therefore $|\{m \in \mathbb{F}_q : m \text{ does not separate } b \text{ and } b'\}| \le |H| - 1 < q/2$.
The rest is just counting.

Efficient solution for the HSSP in some affine groups
Theorem: Let $H \le \mathbb{F}_q^*$ such that $1 < |H| < q - 1$.
Then the following results hold for $\mathrm{HSSP}(\mathrm{Aff}_q(H), \mathbb{F}_q, \circ, \mathcal{S})$:
1. It has polynomial quantum query complexity.
2. It can be solved in quantum polynomial time when $q = p$ is prime and $|H| = \Omega(p/\mathrm{polylog}(p))$.
3. It can be solved in quantum polynomial time when $q = p^n$ is a power of a fixed prime $p$.
Proof: By the reduction scheme to $\mathrm{HSP}(\mathrm{Aff}_q(H), \mathcal{S})$.
Special case: the generalized dihedral group, for $p \ne 2$: $\mathrm{Aff}_{p^n}(\{\pm 1\}) \cong \mathbb{Z}_p^n \rtimes \mathbb{Z}_2$.

HQPP and HSSP in generalized dihedral groups
Theorem: $\mathrm{HQPP}(\mathbb{F}_q)$ and $\mathrm{HSSP}(\mathrm{Aff}_q(\{\pm 1\}), \mathbb{F}_q, \circ, \mathcal{S})$ are polynomially equivalent.
Proof: The level sets of $P_u(x) = x^2 - 2ux$ are $\{x, -x + 2u\}$, since $x^2 - 2ux = y^2 - 2uy$ exactly when $y \in \{x, -x + 2u\}$. The orbits of $G_u = \{(0, 1), (2u, -1)\}$ are $G_u^* = \{\{x, -x + 2u\} : x \in \mathbb{F}_q\}$. Therefore
$f$ hides $P_u \iff \pi_f = G_u^* \iff \pi_f^* = G_u \iff f$ hides $G_u$.
Theorem: $\mathrm{HQPP}(\mathbb{F}_q)$ can be solved in quantum polynomial time over fields of constant characteristic ($q = p^n$ and $p$ constant).
Remark: $\mathrm{HQPP}(\mathbb{F}_q)$ and $\mathrm{HSP}(\mathrm{Aff}_q(\{\pm 1\}), \mathcal{S})$ are equivalent.

Multivariate quadratic polynomials
Theorem: $\mathrm{HPP}(\mathbb{F}_q, n, 2)$ can be computed in time $(n + \log q)^{O(1)}$ using an oracle for $\mathrm{HQPP}(\mathbb{F}_q)$ (a classical reduction).
Corollary: $\mathrm{HPP}(\mathbb{F}_q, n, 2)$ can be solved by a polynomial time quantum algorithm if $q$ is a power of a fixed prime.

Hidden Translation
Input: $G$ a finite group; $f_0, f_1 : G \to S$ injective functions having a translation $u \in G$: $\forall x \in G$, $f_0(x) = f_1(xu)$.
Output: $u$.
[Figure: the values of $f_0$ are carried onto those of $f_1$ by the translation $u$.]
Theorem [Ettinger, Høyer'00]: If $G$ is a finite abelian group then Hidden Translation on $G$ reduces to Hidden Subgroup on $G \rtimes \mathbb{Z}_2$.
Group operation on $G \rtimes \mathbb{Z}_2$: $(x_1, b_1) \cdot (x_2, b_2) = (x_1 + (-1)^{b_1} x_2,\ b_1 \oplus b_2)$.
Fact: $f(x, b) = f_b(x)$ hides $H = \{(0, 0), (u, 1)\}$ in $G \rtimes \mathbb{Z}_2$.
Theorem: For every prime $p$, Hidden Translation can be solved on $\mathbb{Z}_p^n$ by a quantum algorithm with query complexity $O(p (n + p)^{p-1})$ and time complexity $(n + p)^{O(p)}$.
The algorithm: Part 1 (quantum)
Idea of [EH'00]: apply the QFT on the direct product $\mathbb{Z}_p^n \times \mathbb{Z}_2$.
State:
$\frac{1}{2p^n} \sum_{x \in \mathbb{Z}_p^n} \sum_{b=0}^{1} \sum_{y \in \mathbb{Z}_p^n} \sum_{c=0}^{1} \omega_p^{x \cdot y} (-1)^{bc}\, |y\rangle |c\rangle |f_b(x)\rangle$
Rewrite using the hidden translation:
$\frac{1}{2p^n} \sum_{x \in \mathbb{Z}_p^n} \sum_{y \in \mathbb{Z}_p^n} \sum_{c=0}^{1} \left( \omega_p^{x \cdot y} + \omega_p^{(x+u) \cdot y} (-1)^c \right) |y\rangle |c\rangle |f_0(x)\rangle$
For all $x, y$ the amplitude of $|y\rangle |1\rangle |f_0(x)\rangle$ is $\frac{1}{2p^n}\, \omega_p^{x \cdot y} (1 - \omega_p^{y \cdot u})$.
After observation, each outcome $(y, 1, f_0(x))$ has probability $\frac{1}{4p^{2n}} |1 - \omega_p^{y \cdot u}|^2$.
Properties of the output distribution:
• $\Pr[c = 1] = \frac{1}{2}$
• it depends only on $y \cdot u$
• for every $(y, 1)$ observed: $y \cdot u \ne 0 \bmod p$.

The algorithm: Part 2 (classical postprocessing)
Sample $(y, 1)$ such that $y \cdot u \ne 0 \bmod p$ (i.e. $y \notin u^\perp$).
Linear inequations $\mapsto$ polynomial equations: $y \cdot u \ne 0 \bmod p \iff (y \cdot u)^{p-1} = 1 \bmod p$.
Fact: Solving polynomial equations is NP-complete.
Idea: 'linearize' the system in the symmetric power of $\mathbb{Z}_p^n$.
Definition: $\mathbb{Z}_p^{(p-1)}[x_1, \ldots, x_n]$ is the vector space of homogeneous polynomials in $n$ variables of degree $p-1$ over $\mathbb{Z}_p$.
• A basis: the monomials of degree $p-1$
• Dimension: $\binom{n+p-2}{p-1}$
Transfer from $\mathbb{Z}_p^n$ via $(\mathbb{Z}_p^n)^*$ to $\mathbb{Z}_p^{(p-1)}[x_1, \ldots, x_n]$:
Definition: For $y = (a_1, \ldots, a_n) \in \mathbb{Z}_p^n$ let $y^{(p-1)} = \left( \sum_j a_j x_j \right)^{p-1}$.
$y \cdot u \ne 0 \bmod p \implies y^{(p-1)} \cdot u^* = (y \cdot u)^{p-1} = 1 \bmod p$,
where in $u^*$ the monomial $x_1^{e_1} \cdots x_n^{e_n}$ has coordinate $u_1^{e_1} \cdots u_n^{e_n}$.

The algorithm: Part 2 (classical postprocessing), continued
End of the algorithm:
• Hopefully the linear system in $\mathbb{Z}_p^{(p-1)}[x_1, \ldots, x_n]$ has a unique solution
• Find the solution $U = u^*$
• Try the $p - 1$ candidates $v$ such that $v^* = u^*$
Example: $p = 3$, $n = 3$, $u = (1, 2, 0)$.
Sample in $\mathbb{Z}_3^3$ | Inequation in $\mathbb{Z}_3^3$ | Equation in $\mathbb{Z}_3^{(2)}[x_1, x_2, x_3]$
$y_1 = (0, 1, 0)$ | $x_2 \cdot u \ne 0$ | $x_2^2 \cdot U = 1$
$y_2 = (0, 2, 1)$ | $(2x_2 + x_3) \cdot u \ne 0$ | $(x_2^2 + x_3^2 + x_2 x_3) \cdot U = 1$
$y_3 = (0, 2, 2)$ | $(2x_2 + 2x_3) \cdot u \ne 0$ | $(x_2^2 + x_3^2 + 2x_2 x_3) \cdot U = 1$
... | ... | ...
where $x_1 = (1, 0, 0)$, $x_2 = (0, 1, 0)$, $x_3 = (0, 0, 1)$, $x_1^2 = (1, 0, 0, 0, 0, 0)$, ...
System of full rank $\implies$ unique solution $U = x_1^2 + x_2^2 + 2x_1 x_2$.
Try the 2 possible translations $(1, 2, 0)$ and $(2, 1, 0)$ $\leadsto$ $u = (1, 2, 0)$.

Translation finding algorithm
Translation finding$_f(\mathbb{Z}_p^n)$:
0. If $f_0(0) = f_1(0)$ then return $0$.
1. $N \leftarrow 13p \binom{n+p-2}{p-1}$.
2. For $i = 1, \ldots, N$ do $(z_i, b_i) \leftarrow$ Fourier sampling$_f(\mathbb{Z}_p^n \times \mathbb{Z}_2)$.
3. $\{y_1, \ldots, y_m\} \leftarrow \{z_i : b_i = 1\}$.
4. For $i = 1, \ldots, m$ do $Y_i \leftarrow y_i^{(p-1)}$.
5. Solve $Y_1 \cdot U = 1, \ldots, Y_m \cdot U = 1$.
6. If several solutions then abort.
7. Let $j$ be such that the coefficient of $x_j^{p-1}$ in $U$ is $1$.
8. Let $v \in \mathbb{Z}_p^n$ be such that $v_k v_j^{p-2}$ is the coefficient of $x_k x_j^{p-2}$ in $U$.
9. Find $0 < a < p$ such that $f_0(0) = f_1(av)$.
10. Return $av$.

Line Lemma
Line Lemma: Let $L_{z,y} = \{(z + ay)^{(p-1)} : 0 \le a \le p-1\}$ for $y, z \in \mathbb{Z}_p^n$. Then $y^{(p-1)} \in \mathrm{Span}(L_{z,y})$.
Proof: Let $M_{z,y} = \left\{ \binom{p-1}{k} z^{(k)} y^{(p-1-k)} : 0 \le k \le p-1 \right\}$. Claim: $\mathrm{Span}(L_{z,y}) = \mathrm{Span}(M_{z,y})$. Indeed,
$(z + ay)^{(p-1)} = \sum_{k=0}^{p-1} \binom{p-1}{k} a^k\, z^{(p-1-k)} y^{(k)}$,
so the elements $z^{(p-1)}, (z+y)^{(p-1)}, (z+2y)^{(p-1)}, \ldots, (z+(p-1)y)^{(p-1)}$ of $L_{z,y}$ are obtained from the elements $\binom{p-1}{k} z^{(p-1-k)} y^{(k)}$ of $M_{z,y}$ through the Vandermonde matrix
$\begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 0 & 1 & 2 & \cdots & p-1 \\ 0 & 1 & 2^2 & \cdots & (p-1)^2 \\ \vdots & \vdots & \vdots & & \vdots \\ 0 & 1 & 2^{p-1} & \cdots & (p-1)^{p-1} \end{pmatrix}$,
which is invertible.
Corollary: $\mathbb{Z}_p^{(p-1)}[x_1, \ldots, x_n]$ is spanned by $\{y^{(p-1)} : y \in \mathbb{Z}_p^n\}$.

Full rank
Lemma: Let $W \le \mathbb{Z}_p^{(p-1)}[x_1, \ldots, x_n]$ and $R = \{y \in \mathbb{Z}_p^n : y^{(p-1)} \in W\}$. Set $V_k = \{y \in \mathbb{Z}_p^n : y \cdot u = k\}$ and $R_k = R \cap V_k$. If $W \ne \mathbb{Z}_p^{(p-1)}[x_1, \ldots, x_n]$ then $\frac{|R_k|}{|V_k|} \le \frac{p-1}{p}$ for $k = 1, \ldots, p-1$.
Proof: The Corollary gives $R \ne \mathbb{Z}_p^n$.
Case 1: $R_0 = V_0$. Then $R_k \ne V_k$ for $k = 1, \ldots, p-1$. Let $y \in V_1 - R_1$. By the Line Lemma, in each coset of $\langle y \rangle$ some element is outside $R$. A coset $z + \langle y \rangle$ with $z \in V_0$ meets every $V_k$ in exactly one point:
$\langle y \rangle$ | ... | $z + \langle y \rangle$ | ...
$V_0$: $0$ | ... | $z$ | ...
$V_1$: $y$ | ... | $z + y$ | ...
... | ... | ... | ...
$V_{p-1}$: $(p-1)y$ | ... | $z + (p-1)y$ | ...
Since $V_0 \subseteq R$, the element outside $R$ lies in $V_1 \cup \cdots \cup V_{p-1}$, so $\frac{|R \cap (V_1 \cup \cdots \cup V_{p-1})|}{|V_1 \cup \cdots \cup V_{p-1}|} \le \frac{p-2}{p-1}$, and hence $\frac{|R_k|}{|V_k|} \le \frac{p-2}{p-1}$ (all $|R_k|$ with $k \ge 1$ are equal, since scaling by $c \in \mathbb{Z}_p^*$ maps $V_k$ onto $V_{ck}$ and preserves $R$ because $(cy)^{(p-1)} = c^{p-1} y^{(p-1)} = y^{(p-1)}$).
Case 2: $R_0 \ne V_0$. Let $y \in V_0 - R_0$; then each $V_k$ is a union of cosets of $\langle y \rangle$, and the Line Lemma gives $\frac{|R_k|}{|V_k|} \le \frac{p-1}{p}$.
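The classical post-processing described above (lifting the samples to $\mathbb{Z}_p^{(p-1)}[x_1, \ldots, x_n]$, solving for $U = u^*$ and reading off $u$, steps 4 to 10 of the algorithm), as an added Python example that is not from the slides. The quantum Fourier sampling step is replaced by a classical stand-in that enumerates every $y$ with $y \cdot u \ne 0$; the instance $p = 3$, $n = 3$, $u = (1, 2, 0)$ and the oracles $f_0, f_1$ are constructed.

```python
from itertools import combinations_with_replacement, product
from math import factorial, prod

def monomials(n, d):
    """Degree-d monomials in n variables as exponent tuples (the basis of Z_p^(d)[x_1..x_n])."""
    return [tuple(c.count(j) for j in range(n)) for c in combinations_with_replacement(range(n), d)]

def lift(y, p):
    """y^(p-1) = (sum_j y_j x_j)^(p-1) as a coefficient vector mod p (multinomial expansion)."""
    d = p - 1
    return [factorial(d) // prod(factorial(t) for t in e) * prod(a ** t for a, t in zip(y, e)) % p
            for e in monomials(len(y), d)]

def solve_unique(rows, rhs, p):
    """Gauss-Jordan over Z_p; returns the unique solution, or None if the rank is not full."""
    m, k = len(rows), len(rows[0])
    A = [list(r) + [b] for r, b in zip(rows, rhs)]
    row = 0
    for col in range(k):
        piv = next((i for i in range(row, m) if A[i][col]), None)
        if piv is None:
            return None                       # a free variable: several solutions (step 6, abort)
        A[row], A[piv] = A[piv], A[row]
        inv = pow(A[row][col], p - 2, p)
        A[row] = [v * inv % p for v in A[row]]
        for i in range(m):
            if i != row and A[i][col]:
                f = A[i][col]
                A[i] = [(a - f * b) % p for a, b in zip(A[i], A[row])]
        row += 1
    return [A[i][k] for i in range(k)]

def recover_translation(samples, p, n, f0, f1):
    """Steps 4-10 of the slides' algorithm: lift, solve for U = u*, read off v, then fix the scalar a."""
    mons = monomials(n, p - 1)
    U = solve_unique([lift(y, p) for y in samples], [1] * len(samples), p)
    if U is None:
        return None
    coeff = lambda e: U[mons.index(tuple(e))]
    j = next(i for i in range(n) if coeff([p - 1 if t == i else 0 for t in range(n)]) == 1)
    # coefficient of x_k x_j^(p-2) is v_k v_j^(p-2) with v_j = 1, so it is v_k itself
    v = [coeff([(p - 2 if t == j else 0) + (1 if t == k else 0) for t in range(n)]) for k in range(n)]
    for a in range(1, p):                     # step 9: u = a·v for exactly one 0 < a < p
        av = tuple(a * t % p for t in v)
        if f0((0,) * n) == f1(av):
            return av
    return None

P, N, U_HIDDEN = 3, 3, (1, 2, 0)              # constructed instance from the slides' example
def f0(x): return tuple(x)                    # injective
def f1(x): return tuple((t - s) % P for t, s in zip(x, U_HIDDEN))   # so that f0(x) = f1(x + u)
def fourier_samples():                        # classical stand-in for the (y, 1) outcomes: all y with y·u ≠ 0
    return [y for y in product(range(P), repeat=N) if sum(a * b for a, b in zip(y, U_HIDDEN)) % P]
```

With only the three samples of the table the system is rank-deficient and the solver aborts; with all 18 samples outside $u^\perp$ it returns $U = x_1^2 + 2x_1x_2 + x_2^2$ and the translation $(1, 2, 0)$.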
Non-linear hidden structure problems
Hidden Polynomial Graph Problem $\mathrm{HPGP}(\mathbb{F}_q, n, d)$
Oracle input: a function $f : \mathbb{F}_q^n \times \mathbb{F}_q \to S$
Promise: for some $n$-variate polynomial $Q$ of degree $d$ over $\mathbb{F}_q$, $f(x, y) = f(x', y') \iff y - Q(x) = y' - Q(x')$.
Output: $Q$.
Theorem [Decker, Draisma, Wocjan'09]:
• For every $d$ and for every constant $n$, $\mathrm{HPGP}(\mathbb{F}_q, n, d)$ can be reduced in polynomial time to $\mathrm{HPGP}(\mathbb{F}_q, 1, d)$.
• For every $d$ there exists a finite set $E_d$ of primes such that, when $d$ is constant and the characteristic of $\mathbb{F}_q$ is not in $E_d$, $\mathrm{HPGP}(\mathbb{F}_q, 1, d)$ can be solved in quantum polynomial time.

Function graph groups
Consider $n = 1$ and $q = p$. Level sets of $f : \mathbb{F}_p \times \mathbb{F}_p \to S$:
$f(x, y) = f(x', y') \iff \exists t \in \mathbb{Z}_p : (x', y') = (x + t,\ y + Q(x + t) - Q(x))$.
Let $\mathbb{F}_p^{(d)}[x]$ be the group of univariate polynomials of degree $d$.
Definitions:
Shift map $a_t$, for every $t \in \mathbb{Z}_p$: $(a_t Q)(x) = Q(x - t)$.
Function graph group $\mathrm{Fg}(\mathbb{F}_p^{(d)}[x])$: the semidirect product $\mathbb{F}_p^{(d)}[x] \rtimes_{t \mapsto a_t} \mathbb{Z}_p$, with multiplication rule $(Q_1, t_1)(Q_2, t_2) = (Q_1 + a_{t_1} Q_2,\ t_1 + t_2)$.
Shifting action $\circ$ of $\mathrm{Fg}(\mathbb{F}_p^{(d)}[x])$ on $M = \mathbb{Z}_p \times \mathbb{Z}_p$: $(Q, t) \circ (x, y) = (x + t,\ y + Q(x + t))$.
Standard complements: the conjugates of $\{(0, t) : t \in \mathbb{Z}_p\}$ by $(Q, 0)$: $A_Q = \{(Q - a_t Q,\ t) : t \in \mathbb{Z}_p\}$.
Claim: The level sets of $f$ hiding $Q$ are the orbits of $A_Q$.

Results for HPGP
Lemma: There exists an easily computable basis of size $d + 1$ for $\mathcal{H} = \{A_Q : Q \in \mathbb{F}_q^{(d)}[x]\}$.
Theorem: For $n$ and $d$ constants, and for fixed characteristic, $\mathrm{HPGP}(\mathbb{F}_q, n, d)$ can be solved in quantum polynomial time.

Conclusion
• This work:
  • A new paradigm: HSSP
  • Generic reduction to HSP
  • HPP and HPGP are reducible to HSSP
• Open problems:
  • Multivariate HPP of higher degree
  • Study of HSP inspired by HSSP
  • Find for $\mathrm{HSP}(\mathbb{Z}_p^n \rtimes \mathbb{Z}_2)$ a quantum algorithm polynomial in $n$ and $p$.
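The Claim of the function graph groups slide, checked by brute force as an added example (not the slides' code): the instance $p = 5$, $d = 2$ is constructed, $Q$ is given by its coefficient list, and $f(x, y) = y - Q(x)$ serves as the oracle hiding $Q$.

```python
from itertools import product
from math import comb

P = 5                                   # constructed instance: q = p = 5, degree d = 2

def evalp(Qc, x):
    """Evaluate the polynomial with coefficient list Qc (Qc[k] is the coefficient of x^k) at x, mod p."""
    return sum(c * pow(x, k, P) for k, c in enumerate(Qc)) % P

def shift(Qc, t):
    """Coefficients of a_t Q, where (a_t Q)(x) = Q(x - t): expand each q_k (x - t)^k binomially."""
    n = len(Qc)
    return [sum(Qc[k] * comb(k, i) * pow(-t, k - i, P) for k in range(i, n)) % P for i in range(n)]

def mul(g1, g2):
    """Multiplication rule (Q1, t1)(Q2, t2) = (Q1 + a_{t1} Q2, t1 + t2) of Fg(F_p^(d)[x])."""
    (Q1, t1), (Q2, t2) = g1, g2
    return (tuple((a + b) % P for a, b in zip(Q1, shift(Q2, t1))), (t1 + t2) % P)

def act(g, point):
    """Shifting action (Q, t) ∘ (x, y) = (x + t, y + Q(x + t))."""
    Qc, t = g
    x, y = point
    return ((x + t) % P, (y + evalp(Qc, (x + t) % P)) % P)

def complement(Qc):
    """A_Q = {(Q - a_t Q, t) : t in Z_p}, the conjugate of {(0, t)} by (Q, 0)."""
    return [(tuple((q - s) % P for q, s in zip(Qc, shift(Qc, t))), t) for t in range(P)]

def is_closed(K):
    """Sanity check that A_Q is a subgroup: closed under the multiplication rule."""
    return all(mul(g, h) in K for g in K for h in K)

def orbits(K):
    """The K-orbits on M = Z_p x Z_p."""
    return {frozenset(act(g, pt) for g in K) for pt in product(range(P), repeat=2)}

def level_sets(Qc):
    """Level sets of f(x, y) = y - Q(x), an oracle hiding Q in HPGP(F_p, 1, d)."""
    parts = {}
    for x, y in product(range(P), repeat=2):
        parts.setdefault((y - evalp(Qc, x)) % P, set()).add((x, y))
    return {frozenset(s) for s in parts.values()}

def claim_holds(Qc):
    """The slides' Claim: the level sets of f hiding Q are exactly the A_Q-orbits."""
    return orbits(complement(Qc)) == level_sets(Qc)
```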