Lecture 4
advertisement
Quantum Computing
(Fall 2013)
Instructor: Shengyu Zhang.
Lecture 4 Hidden Subgroup Problem 2: Fourier sampling and
query-efficient algorithms.
1. HSP: What and why.
Suppose that πΊ is a group and π» is a subgroup. Recall that cosets of π» partition the group
πΊ. A function π: πΊ → π hides a subgroup π» ≤ πΊ if π(π₯) = π(π¦) for π₯ and π¦ in the
same coset and π(π₯) ≠ π(π¦) for π₯ and π¦ in different cosets.
Definition. Given a black box function π: πΊ → π (for some finite set π) that hides a
subgroup π» ≤ πΊ, the Hidden Subgroup Problem (HSP) asks to find π».
Two important special cases: symmetric group and dihedral group.
Symmetric group ππ : the set of permutations on π elements. An efficient algorithm for HSP
for symmetric group can be used to solve Graph Isomorphism in ππππ¦(π) time.
Graph Isomorphism (GI): Given two π-node graphs πΊ1 and πΊ2 , decide whether they are
isomorphic, i.e. whether there exists a permutation π ∈ ππ s.t. π(πΊ1 ) = πΊ2 .
Here for a graph πΊ = (π, πΈ), π(πΊ) = (π, π(πΈ)) where π(πΈ) = {(π(π), π(π)) βΆ (π, π) ∈ πΈ}.
Thus the two graphs are isomorphic if the following holds: (π, π) ∈ πΈ1 iff (π(π), π(π)) ∈ πΈ2.
Graph Isomorphism is known to be equivalent to the following variants: Graph Isomorphism
Finding (given two isomorphic graphs, find an isomorphism), Graph Isomorphism Counting
(given two isomorphic graphs, count the number of isomorphisms), Graph Automorphism
Finding (given a graph πΊ, find its automorphism group π΄π’π‘(πΊ) β {π: π(πΊ) = πΊ}). The
decision version of Graph Automorphism (just to decide whether π΄π’π‘(πΊ) = {π}) is a clearly
no harder, and possibly easier task.
Graph Isomorphism is a fundamental problem that appears in many disciplines, and it’s one
of the few problems whose complexity isn’t pinned down: It’s not known to be in P, but it’s
also not known to be NP-complete either. Actually, most people believe that it is not
NP-complete. It may be well in P and we just haven’t found an algorithm yet.
Given the equivalence between GI and Graph Automorphism Finding (GA), we can see why
GI reduces to HSP for symmetric group. First reduce GI to GA. Now for GA, given a graph
πΊ, define π on ππ by π(π) = π(πΊ). We claim that π hides π΄π’π‘(πΊ). Actually,
π(π) = π(π) ⇔ π(πΊ) = π(πΊ) ⇔ π −1 π(πΊ) = πΊ
⇔ π −1 π ∈ π΄π’π‘(πΊ) ⇔ ππ΄π’π‘(πΊ) = ππ΄π’π‘(πΊ)
The second major application of HSP for non-Abelian groups is the (Approximate) Shortest
Vector problem, which reduces to HSP for dihedral group. We’ll define (Approximate)
Shortest Vector problem and dihedral group next.
Consider βπ and a set of basis, namely π linearly independent vectors in it. An
π-dimensional lattice is the set of all integer linear combinations of π basis vectors. In the
Shortest Vector problem, we want to find a shortest (but nonzero) vector in the lattice. That is,
we want to use integer linear combination of basis vectors to get a vector that is very close to
the origin. This problem itself is NP-hard, and we consider a relaxed version, that the input is
promised to have only one (up to its sign) vector that achieves the minimum length; all the
other vectors are at least π(π) times longer. Of course, the larger π(π) is, the stronger the
promise and thus the easier the problem. It is known that if π(π) = π(1) then the problem
is still NP-hard, and if π(π) = (1 + π)Ω(π) , then the problem becomes in P. The question is
what the complexity is for π(π) = ππππ¦(π). It is conjectured to be hard, and actually
cryptosystems are built based on this computational assumption. What can a quantum
computer do? If HSP for dihedral group is easy, then there is an efficient quantum algorithm
to solve the (Approximate) Shortest Vector problem. The reduction is nontrivial, and we
won’t do it here. (It’s actually one of the reading projects.) We’ll just introduce what a
dihedral group is.
Consider a regular π-gon on a 2D plane. A symmetry is a rotation or a reflection which
keeps the π-gon unchanged. A regular π-gon has 2π symmetries: π rotational ones and π
reflection ones, the collection of which form the dihedral group π·2π . So
π·2π = ⟨ π, π β£ π π = 1, π 2 = 1, π −1 ππ = π −1 ⟩
(π·2π is generated by elements π and π satisfying the relations π π = 1, π 2 = 1, π −1 ππ =
π −1.)
2. Detour: density matrices.
Mixed states: Pure states with probabilities.
ο
|π⟩ → |π⟩⟨π|, rank-1 positive semi-definite (psd) matrix
ο
{|ππ ⟩, ππ } → ∑π ππ |ππ ⟩⟨ππ |, trace-1 psd matrices.
Fact: Any trace-1 psd matrix also corresponds to an ensemble {|ππ ⟩, ππ } of quantum pure states.
Proof. Do the spectral decomposition and use the fact that the trace is 1 to conclude that the sum
of eigenvalues is 1. β‘
ο
Unitary transform: π → πππ † .
ο
Measurement: {ππ } with ∑π ππ† ππ = πΌ. Then Pr[π] = π‘π(ππ πππ† ), and the post-measurement
state is ππ πππ† /π‘π(ππ πππ† ).
Why use density matrices: Because only those matter---The exact ensemble of pure states
doesn’t since we can’t distinguish different ensembles with the same density matrix.
ο
Composition: π1 ⊗ π2 .
3. Standard approach, weak and strong Fourier sampling
Standard approach:
1
√|πΊ|
ππ’πππ¦ π
→
∑π₯∈πΊ |π₯⟩
1
√|πΊ|
∑π₯∈πΊ |π₯⟩|π(π₯)⟩
ππππ π’ππ π(π₯)
→
1
√|π»|
∑β∈π» |π₯β⟩ for a random π₯ ∈ πΊ
Writing this in the density matrix form, we have the following
π=
1
1
∑ |π₯β⟩⟨π₯β′ | =
∑ |π₯β⟩⟨π₯β′ |
|πΊ||π»|
|πΊ|
π₯∈πΊ
β,β′ ∈π»
where ππ» is a set of representatives.
Weak Fourier sampling:
π₯∈ππ»
β,β′ ∈π»
π=
1
1
∑ π
(β)|π₯⟩⟨π₯|π
(β′ )† =
∑ π
(β) (∑|π₯⟩⟨π₯|) π
(β′ )†
|πΊ||π»|
|πΊ||π»| ′
π₯∈πΊ
β,β′ ∈π»
=
1
1
1
∑ π
(β)π
(β′ )† =
∑ π
(ββ′−1 ) =
∑ π
(β)
|πΊ||π»| ′
|πΊ||π»| ′
|πΊ|
β,β ∈π»
πΉπΊ
→
π₯∈πΊ
β,β ∈π»
β∈π»
β,β ∈π»
1
1
∑⊕π∈πΊΜ (πΌππ ⊗ π(β)∗ ) =
⊕ Μ (πΌ ⊗ ∑ π(β)∗ )
|πΊ|
|πΊ| π∈πΊ ππ
β∈π»
ππππ π’ππ π
→
β∈π»
observe π w.p.
1
π‘π (πΌππ
|πΊ|
ππ
⊗ ∑β∈π» π(β)∗ ) = |πΊ| ∑β∈π» ππ (β)∗
Question: Does ππππ¦ log |πΊ| samples of π contain enough info to determine π»?
For Abelian groups: Yes, as previously discussed.
Another class of subgroups that weak Fourier sampling suffices: normal subgroups.
Definition. A subgroup π» ≤ πΊ is normal if ππ» = π»π, for all π ∈ πΊ.
So if π» is normal subgroup, then for any π ∈ πΊ, βπ = πβ′ for some β′ ∈ π». And if β
runs over π», then so does β′.
Theorem. If π» is a normal subgroup of πΊ, then the weak Fourier sampling gives π with
probability ππ2 |π»|/|πΊ| if π» ⊆ ker(π), and 0 otherwise.
Proof. If π» ⊆ ker(π), then one observes π w.p.
ππ
π
π
∑
π (β)∗ = |πΊ| ∑β∈π» ππ =
|πΊ| β∈π» π
2 |π»|
ππ
|πΊ|
.
If π» is not contained in ker(π), then ∃β∗ ∈ π» s.t. π(β∗ ) ≠ πΌ. Now note that
(∑ π(β)) π(π) = ∑ π(β)π(π) = ∑ π(βπ) = ∑ π(πβ′) = π(π) (∑ π(β)) ,
β∈π»
β∈π»
β∈π»
β′ ∈π»
thus by Schur’s lemma, ∑β∈π» π(β) = ππΌ for some π ∈ β. But
π(β∗ ) (∑ π(β)) = ∑ π(β∗ β) = (∑ π(β)),
β∈π»
β∈π»
Thus ∑β∈π» π(β) = 0. So one observes π w.p. 0.
β∈π»
β‘
β∈π»
The algorithm for HSP for normal subgroup is very similar to that for Abelian HSP.
ο
Use weak Fourier sampling to get π1 , π2 , … , ππ for π = π(log|πΊ|).
ο
Output πΎπ =∩ππ‘=1 ker(ππ‘ )
Theorem. πΎπ = π» with high probability.
1
Proof. If ker(πΎπ‘ ) ≠ π», we claim that Pr[πΎπ‘ ⊆ ker(ππ‘+1 )] ≤ 2. Indeed,
Pr[πΎπ‘ ⊆ ker(ππ‘+1 )] =
∑
π:πΎπ‘ ⊆ker(π)
ππ2 |π»| |πΊ| |π»| |π»| 1
=
=
≤ .
|πΊ |
|πΎπ‘ | |πΊ | |πΎπ‘ | 2
|πΊ|
Here we used a fact that for any normal subgroup π of πΊ, ∑π∈πΊΜ:π⊆ker(π) ππ2 = |π|. β‘
Strong Fourier sampling:
Weak Fourier sampling fails to provide sufficient information for HSP for ππ and π·2π . So
people resort to strong Fourier sampling, which uses the remaining state π(π») =
1
∑
π(β).
|π»| β∈π»
Question: What basis to use to measure this state?
It turns out that even random basis can already solve some cases, such as HSP for Heisenberg
Group
1
{(π
π
0 0
1 0) : π, π, π ∈ π½π }
π 1
However, for symmetric group, even strong Fourier sampling fails. Multi-register
measurement is needed.
4. Query efficient algorithm
When multi-register measurement is used, we can solve HSP using only ππππ¦ log |πΊ|
queries to π, though the computational time is still exponential.
1
Recall that the standard approach gives ππ» = |πΊ||π»| ∑
π₯∈πΊ |π₯β⟩⟨π₯β
β,β′ ∈π»
′
|. Our task is just to
identify π» from a collection {ππ» : π» ≤ πΊ}. In general, mixed state identification is known to
have the following bound.
Theorem. There exists a quantum measurement that identifies {ππ : π = 1, … , π} with
probability at least 1 − π√max πΉ(ππ , ππ ).
π≠π
Here πΉ(π, π) = π‘π √√ππ√π = β√π√πβ
π‘π
is a measure of how close two mixed states π
and π are. The πΉ value is always between 0 and 1, and the closer to 1, then closer the two
states. So to identify ππ» (namely to identify π»), it is enough if ππ» ’s for different π» are far
from each other. It turns out that this is more or less true.
Theorem. πΉ(ππ» , ππ» ′ ) ≤ 1/√2.
We will not prove this result, but only explain how to use it. It is not hard to verify that
πΉ(π⊗π , π ⊗π ) = πΉ(π, π)π .
By the above results, we know that if we want the error probability to be π, then we need to
use πΎ copies of π_π», satisfying
π√max πΉ(ππ , ππ )πΎ ≤ π.
π≠π
π
Solving this gives πΎ ≥ π (log π ). How large is π? It’s just the number of subgroups.
2 |πΊ|
Fact. Any group πΊ has at most 2log
subgroups.
Proof. Each subgroup has a generating set of size at most log |πΊ|, because adding one more
generator at least double the size of the subgroup. Therefore, the number of subgroups is at
most (
|πΊ|
2
) ≤ 2log |πΊ| .
log|πΊ|
β‘
Reference
[CvD10] Andrew M. Childs and Wim van Dam, Quantum algorithms for algebraic problems, Reviews
of Modern Physics, Volume 82, January–March 2010.
[Lom04] Chris Lomont, The hidden subgroup problem - review and open problems,
arXiv:quant-ph/0411037v1
