The dihedral hidden subgroup problem

2.1 Cyclic group case

Suppose that G = C N ≅ Z ∕ N Z is the cyclic group of order N . There are N irreducible representations that are one-dimensional and given by:

where ζ N is a choice of N th root of unity.

2.2 Dihedral group case

Suppose that G = D N is the dihedral group of order 2 n , which can be presented as:

If n is even, there are four one-dimensional representations given by:

where u , v ∈ Z ∕ 2 Z . These are pullbacks of the four one-dimensional representations of D N ∕ ⟨ x 2 ⟩ ≅ C 2 × C 2 under the quotient homomorphism D N → D N ∕ ⟨ x 2 ⟩ , where C m denotes the cyclic group of order m .

If n is odd, there are two one-dimensional representations given by ϕ 0 , v where v ∈ Z ∕ 2 Z . These are pullbacks of the two one-dimensional representations of D N ∕ ⟨ x ⟩ ≅ C 2 under the quotient homomorphism D N → D N ∕ ⟨ x ⟩ .

There are ⌊ n − 1 2 ⌋ irreducible representations of dimension 2 given by:

for 0 < k < n 2 , where ω N = e 2 π i ∕ n . These are the induction of the representation ψ k : C n → C × given by ψ k ( x ) = ω N k from C n to D N .

The representations ϕ u , v and ρ k form the complete list of irreducible representations of D N up to isomorphism.

3.1 Cyclic group case

Fix an integer N > 1 . Let S be a finite set, and G ≔ ( Z ∕ N Z , + ) . Suppose that we have a function f : G → S , which separates a subgroup H ⊂ G , where H = ⟨ d ⟩ . Let M ≔ # H . Assume that we have a quantum machine capable of computing the unitary transformation on two registers U f : ∣ x ⟩ ∣ y ⟩ → ∣ x ⟩ ∣ f ( x ) ⊕ y ⟩ (recall that we can take ∣ x ⟩ ∣ y ⟩ as ∣ x ⟩ ⊗ ∣ y ⟩ ).

Suppose that we do not know M , d , nor H and we only know G and have a machine computing f . We want to determine a generating set for H , calling the “black-box” function f as few times as possible.

Let F N be the QFT for the cyclic group G . Explicitly, this is an operator on a register with n ≥ log 2 N qubits given by:

The F N is a unitary transformation. If we let ω ≔ exp 2 π i N be the primitive N th root of unity, then

One can check that F N ⋅ F N * = I N , where I N is the N × N identity matrix.

We map G = { 0 , 1 , … , N − 1 } onto the basis of the quantum state { ∣ 0 ⟩ , ∣ 1 ⟩ , … , ∣ N − 1 ⟩ } . Suppose that the hidden subgroup is given by H = { ∣ 0 ⟩ , ∣ d ⟩ , ∣ 2 d ⟩ , … , ∣ ( M − 1 ) d ⟩ } .

Computing on two registers:

Note that we put ∣ f ( j ) ⟩ inside the sum since tensor product is distributive. Measuring in ∣ f ( j 0 ) ⟩ on the second register for some 0 ≤ j 0 ≤ N − 1 collapses our state, leaving only those values g ∈ G such that f ( g ) = f ( j 0 ) in the first register. Since f separates cosets of H , we obtain (for simplicity, we now drop our second register that remains ∣ f ( j 0 ) ⟩ ):

using the fact that

for 0 ≤ k ≤ N − 1 and that M N = 1 d .

Now, measurement at this point gives a multiple of M in { 0 , M , … , ( d − 1 ) M } with uniform probability. We repeat this whole process many times to obtain a collection of multiples of M and take the greatest common divisor (GCD) to obtain M with high probability.

To estimate how many trials m ≥ 2 we need, suppose that we have t 1 , … , t m ∈ { 0 , 1 , … , d − 1 } . We want to estimate the probability that gcd ( t 1 , … , t m ) = 1 ; in particular, we have the lower bound:

where ζ ( s ) is the Riemann zeta function by Nymann [27]. Thus, a few runs of this algorithm determine H with high probability for any N and “most” d .

We may therefore view the standard algorithm for HSP on the cyclic group G as producing a quantum state of the form:

We may compute the greatest common divisor of the aforementioned registers into a blank register:

Thus, the standard HSP algorithm for G can be viewed as a unitary operation of the form:

satisfying

for every m . We remark the second map sending e ↦ N ∕ e in the last register is unitary (if e ∤ N , the map leaves e alone).

The aforementioned example motivates the next definition.

We may view (3.12) as computing a main term:

with error term

The next theorem is stated for completeness and for later comparison to the case of DCP. It summarizes the well-known standard algorithm for HSP on a finite cyclic group in terms of the aforementioned definitions.

3.2 Dihedral group case

In [29], it is shown that the HSP for G = D N for a general subgroup H is reduced to the case of a single reflection subgroup H = H a .

For H = H a = ⟨ y x a ⟩ , the probability of obtaining ∣ ρ , i , j ⟩ is 1 ∣ G ∣ when d ρ = 2 , which does not allow us to distinguish the groups H a . Explicitly, in the complex basis (2.3):

If ρ = ρ k , then

If ρ = ϕ u , v , then

If one changes to the real basis, we obtain a probability distribution dependent on a , but it is very flat, making it hard to distinguish the subgroups H a .

More generally, in order for the QFT to be an unitary operator, we require that ρ k ( g ) be unitary for every k and g ∈ D N ⇒ ∣ ρ k ( g ) i , j ∣ ≤ 1 for 1 ≤ i , j ≤ 2 . In particular, for any set of two-dimensional irreducible representations ρ k , we have that

where P ( ρ k , i , j ) is the probability of observing the state ∣ ρ k , i , j ⟩ . Although the choice of basis may result in probability distributions of states that depend on a , if N is very large, the aforementioned inequalities show that the probabilities will always be very flat.

In the study by Moore and Russell [30], it is shown that the POVM to determine a from a single DCP sample exists and is given by the the pretty good measurement (PGM), and this has success probability:

3.3 Dihedral coset sampling

In the standard HSP algorithm, after the first step, we are left with random coset samples as in (3.3). In the case of G = D N , the dihedral group of order n , and H = H a = ⟨ y x a ⟩ , this is explicitly of the form:

where c = y β x α .

Given samples of the form

the DCP is the problem of finding generators for the hidden subgroup H = H a . The states ψ a = ψ a ; α are called the DCP samples for a .

For HSP samples produced from the standard algorithm, where α is from the uniform distribution, we may view HSP samples as DCP samples by Remark 3.25.

3.4 Generalizations of DCP

Let A be a finite abelian group (written multiplicatively) with identity e . Let f 0 , f 1 : A → S be the injective functions to a finite set S and such that f 1 ( x ) = f 0 ( x s ) for all x ∈ A and some s ∈ A . The hidden shift problem is the problem of determining the hidden shift s ∈ A from evaluations of the functions f 0 and f 1 . We refer the reader to previous studies [17, §5] for a discussion of the hidden shift problem without the condition of injectivity.

Let G = C 2 ⋉ A , where C 2 = ⟨ τ ⟩ acts from the left on A by inversion. In the resulting semi-direct product, let y = ( τ , e ) . Then, for elements in the normal subgroup A ˜ of G corresponding to A , i.e., elements of the form α ˜ = ( e , α ) , we have that y α ˜ y − 1 = α ˜ − 1 , and every element in G can be written in the form y α ˜ or α ˜ .

The HSP for subgroups of the form:

is equivalent to the hidden shift problem with shift s ∈ A . Indeed, an element in Z [ G ] , which is constant on left H -cosets, is a linear combination of sums of the form:

which are (up to scaling) left H -coset samples that result from applying the standard algorithm to the group G to find hidden subgroups of the form (3.28). After mapping S injectively into Z , the function f 0 + f 1 corresponds to an element in Z [ G ] , which is distinctly constant on left H -cosets so it is a separating function for H . Hence, a solution to the HSP on G implies a solution to the hidden shift problem on A . For a complete proof of equivalence, see [13, Proposition 6.1].

In the application to constructing isogenies between elliptic curves over finite fields with identical endomorphism ring (i.e., horizontal isogenies), the hidden shift problem is applied in the following way [17]. Let O be an order in an imaginary quadratic field K , and consider the set

The class group Cl ( O ) of the order O acts freely on Ell q , n ( O ) assuming this set is non-empty for the given q a power of a prime p , with one orbit if p is not inert in O and two orbits otherwise (see [31, Theorem 4.5]). Given [ b ] ∈ Cl ( O ) and E ∈ Ell q , n ( O ) denote the action by [ b ] ⋆ E . Now, suppose E 1 = [ s ] ⋆ E 0 for some hidden s ∈ Cl ( O ) . For i = 0 , 1 , define f i ( [ b ] ) = [ b ] ⋆ E i . Then, it holds that f 1 ( [ b ] ) = f 0 ( [ b ] [ s ] ) and both f 0 and f 1 are the injective functions to S = Ell q , n ( O ) . A solution to the hidden shift problem on Cl ( O ) allows us to recover the hidden shift s . The subexponential algorithm of Childs et al. [17] consists of applying a subexponential algorithm for the hidden shift problem to find s and applying a subexponential algorithm to compute the ⋆ operator.

In the EDCP, one considers the infinite abelian group:

where n ∈ N , and hidden subgroups of the form:

Let y = ( 1 , 0 ) ∈ G and f β : H → C be a weight function satisfying

A weighted left H -coset sample has the form:

where we assume f β ( j − β ) = f ( j ) and we use the multiplicative notation to make the comparison with the hidden shift and dihedral cases more clearly. Here, x α is the multiplicative notation for the element corresponding to α = ( α 1 , … , α n ) ∈ ( Z ∕ N Z ) n .

If the transformation α → α + s β leaves the distribution of α invariant, we are left with samples of the form:

The problem of recovering s from such samples (EDCP) is shown to be equivalent to LWE up to polynomial loss in parameters [22].

4.1 Subexponential algorithms

The first row of (3.17) can be encoded as:

Measuring the first register yields the samples of the form:

where k is known from the measurement.

Let N = 2 t for simplicity and m = ⌈ t − 1 ⌉ . The idea behind the subexponential algorithm in the study by Kuperberg [13] is to combine states of the form (4.1). In particular, we see that

If p and q have the same m j least significant bits, then p ± q strictly increases the number of least significant bits p and q share.

With sufficiently many samples of the form Ψ p that have m j common least significant bits, it is shown in the study by Kuperberg [13] that combining the states as in (4.2) produces enough states with m ( j + 1 ) common least significant bits. Thus, sieving from enough samples at the outset, we eventually produce states of the form:

which are sufficient to determine the parity of a . It is shown in the study by Kuperberg [13] that the aforementioned method yields an algorithm that requires 2 O ( log N ) time, space, and queries. In the study by Regev [12], a modified algorithm is given that requires 2 O ( log N log log N ) time and poly ( log N ) space. An abstract description of this sieving process is given in previous studies [13, §9] and further improvements and generalizations can be found in the study by Kuperberg [15], in particular the so-called “collimation sieve.”

4.2 Query complexity

In the study by Ettinger and Høyer [29], it is shown that a polynomial number of HSP samples is sufficient to recover H a using exponential time post-processing. A related result in the study by Ettinger and Høyer [32] using different methods shows that the HSP problem in a general finite group has polynomial quantum query complexity.

Transposing i ↔ j , and applying a Hadamard gate to the state in (3.17), gives the state

The probability of observing the first row is

For the second row, it is

We are now in the situation of the study by Ettinger and Høyer [29] and can apply the post-processing algorithm described (which is exponential in time) to determine a with high probability, for large N .

4.3 Relation to the subset sum problem

Given x = ( x 1 , … , x m ) ∈ ( Z ∕ N Z ) m and r ∈ Z ∕ N Z , the problem of finding b ∈ { 0 , 1 } m such that b ⋅ x = r is called the subset sum problem over Z ∕ N Z .

The vector b corresponds to specifying a subset of the x 1 , … , x m that sum to r . Denote by

the set of subset sums for ( x , r ) .

If such a b exists, then ( x , r ) is called a legal instance. In the decision version of the subset sum problem, the problem is to determine whether a given ( x , r ) is a legal instance.

In the study by Regev [12], it is shown that the ability to efficiently find an element b ∈ S r x for a large fraction of legal instances gives an efficient algorithm to solve DHSP. Furthermore, the study by Bacon et al. [24] shows that the ability to quantum sample from S r x allows us to efficiently implement an optimal measurement to determine a from m DCP samples.

The subset sum problem over Z is known to be an NP-complete problem. Since one can reduce the subset sum problem over Z to the subset sum problem over Z ∕ N Z , by choosing a large enough modulus N , it follows that the subset sum problem over Z ∕ N Z is also NP-complete.

4.4 Optimal measurements

It is shown in the study by Ettinger and Høyer [33] that efficient elimination observables do not exist for the dihedral group. Further results can be found in the study by Bacon et al. [24]. In particular, let

be the density defined in the study by Bacon et al. [24].

It is shown in [24, Theorem 2] that if ν > 1 + 4 ∕ log 2 N , the probability of determining a using the optimal measurement on m DCP samples is ≥ 1 ∕ 8 . Furthermore, for any N and m , the probability of determining a is

which is exponentially small in log 2 N for any fixed ν < 1 , and gives a trivial upper bound when ν ≥ 1 .

More general results on optimal measurements to distinguish conjugate hidden subgroups in certain groups can be found in the study by Moore and Russell [30].

In the study by Bacon et al. [24], the success probability of the optimal measurement is determined as:

where η r x ≔ ∣ S r x ∣ .

In the study by Moore and Russell [30], it is shown that the optimal POVM measurement to determine a from m DCP samples exists and is given by PGM. The theorem of Naimark states that a POVM measurement on a system can be realized by augmenting the system with ancilla registers, applying a unitary operator, and then a projection-valued measurement on the ancilla. Seen in this light, the result in the study by Ettinger and Høyer [29] implies that the success probability of the optimal measurement is > 1 − 1 2 N if ν > 89 , though no efficient implementation is known.