\documentclass[11pt]{article}
\usepackage{latexsym}
\usepackage{amsmath}
\usepackage{amssymb}
\usepackage{amsthm}
\usepackage{hyperref}
\usepackage{algorithmic}
\usepackage{algorithm}
\usepackage{complexity}
\usepackage{graphicx}
\newcommand{\handout}[5]{
\noindent
\begin{center}
\framebox[\textwidth]{
\vbox{
\hbox to \textwidth { {\bf Algebra and Computation } \hfill Course Instructor: #2 }
\vspace{4mm}
\hbox to \textwidth { {\Large \hfill #5 \hfill} }
\vspace{2mm}
\hbox to \textwidth { {\em #3 \hfill #4} }
}
}
\end{center}
\vspace*{4mm}
}
\newcommand{\lecture}[4]{\handout{#1}{#2}{Lecturer: #3}{Scribe: #4}{Lecture #1}}
\newtheorem{theorem}{Theorem}
\newtheorem{theorem*}{Theorem}
\newtheorem{corollary}[theorem]{Corollary}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{observation}[theorem]{Observation}
\newtheorem{proposition}[theorem]{Proposition}
\newtheorem{definition}[theorem]{Definition}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{fact}[]{Fact}
\newtheorem{subclaim}[theorem]{Subclaim}
% my custom commands
\newcommand{\inparen}[1]{\left(#1\right)} %\inparen{x+y} is (x+y)
\newcommand{\inbrace}[1]{\left\{#1\right\}} %\inbrace{x+y} is {x+y}
\newcommand{\insquar}[1]{\left[#1\right]} %\insquar{x+y} is [x+y]
\newcommand{\inangle}[1]{\left\langle#1\right\rangle} %\inangle{A} is
\newcommand{\abs}[1]{\left|#1\right|} %\abs{x} is |x|
\newcommand{\norm}[1]{\left\Vert#1\right\Vert} %\norm{x} is ||x||
\newcommand{\union}{\cup}
\newcommand{\Union}{\bigcup}
\newcommand{\intersection}{\cap}
\newcommand{\super}[2]{#1^{\inparen{#2}}} %\super{G}{i-1} is G^{(i-1)}
\newcommand{\setdef}[2]{\inbrace{{#1}\ : \ {#2}}}
\newcommand{\inv}[1]{#1^{-1}}
\newcommand{\inrpdt}[2]{\left\langle{#1},{#2}\right\rangle}%\inrpdt{x}{y} is .
\newcommand{\pderiv}[2]{\frac{\partial #1}{\partial #2}}
% Commands specific to this file
% TODO: Find the right way to typeset group index
\DeclareMathOperator{\Sym}{Sym}
\newcommand{\gpidx}[2]{\insquar{#1 : #2}} %\gpidx{H}{K} is [H : K]
\newcommand{\gpigs}[2]{\gpidx{\super{G}{#1}}{\super{G}{#2}}} %Group index of g super ...
\newcommand{\llhd}{\!\!\lhd\!\!\lhd}
\newcommand{\roundoff}[1]{\left\lfloor #1 \right\rceil}
% \newcommand{\ceil}[1]{\lceil #1 \rceil}
\newcommand{\floor}[1]{\lfloor #1 \rfloor}
\newcommand{\F}{\mathbb{F}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\Q}{\mathbb{Q}}
\newcommand{\Z}{\mathbb{Z}}
%for algorithms
\renewcommand{\algorithmicrequire}{\textbf{Input:}}
% Problems we look at
\newcommand{\GIso}{\lang{Graph\text{-}Iso}} %Without \text, ugly minus instead of hyphen.
\newcommand{\GAut}{\lang{Graph\text{-}Aut}}
\newcommand{\SStab}{\lang{Set\text{-}Stab}}
%for Quantum computing
\newcommand{\q}[1]{\left|#1\right\rangle}
\begin{document}
\lecture{22: Simon's Problem and towards Shor}{V. Arvind}{V. Arvind}{Ramprasad Saptharishi}
\section{Overview}
Last lecture we saw a toy problem that showed that the quantum model
could be more efficient than the turing machine model, query
complexity in the last example.
In this lecture, we shall inspect one more problem, which in a way is
a true separation from the classical and quantum model since it beats
even randomized algorithms on classical turing machines. The
techniques used here will be essential in Shor's algorithms for
integer factoring and discrete logarithm, whci hwe shall see in the
following lectures.
\section{Simon's Problem}
We are given a function $f:\inbrace{0,1}^n\rightarrow X$ with the
promise that $f$ is a $2$-to-$1$ function (exactly two strings in
$\inbrace{0,1}^n$ mapping to an element of $X$). Further, $f$
satisfies the additional property that there exists a $\lambda\neq 0^n$ such
that $f(x\oplus\lambda) = f(x)$ for all $x.$ The goal is to find the period
$\lambda$ with as few probes as possible.
We could make $X$ canonical by enforcing an order on $X.$ We can think
of strings in $\inbrace{0,1}^n$ as ordered pairs $\inbrace{(x,x\oplus
\lambda)}$ where $x$ is lexicographically smaller than
$x\oplus\lambda.$ These pairs can now be identified with
$\inbrace{0,1}^{n-1}$ by just sorting the pairs, and hence fixes the
set on the right. Thus, the number of such functions is exactly equal
to the number of possible $\lambda$s which is $2^{n}-1.$
\subsection{Lower Bounds on Classical Deterministic Computation}
An adversial argument showsn an exponential lower bound for the query
complexity in the determistic model. As an adversary, the point is to
keep giving different answers for queries as long as it is
possible. If $k$ strings have been queried, the number of $\lambda$s
that we eliminate by giving different answers to each is
$\binom{k}{2}.$ Thus the adversary can go on giving different answers
till $2^{n/2}$ queries have made.
Thus, the deterministic query complexity is atleast $2^{n/2}.$
\subsection{Lower Bounds on Classical Randomized Computation}
Suppose there was a procedure such that with just $q(n)$ queries the
procedure will find $\lambda$ with error probability atmost $1/3.$ We
can amplify this by repeating this experiment suitably many times and
ge the error probability down to less than $2^{-n}.$
Now we can use the same idea as we did in showing $\BPP\in \Ppoly.$
There are only $2^n - 1$ possible $\lambda$s and the error probability
is less than $2^{-n}.$ The randomized algorithms makes some random
choices in the case of each $\lambda.$ Suppose there was atleast $1$
error in every possible $\lambda$, then the overall error probability
would be more than $2^{-n}.$ Hence there has to be a sequence of
choices such that it works for all possible values of $\lambda.$
But we have just shown earlier that the determistic computation has an
exponential lowerbound, which gives a contradiction. Hence there is no
probabilistic algorithm in the classical model that can find $\lambda$
error bounded by a constant.
\subsection{A Quantum Algorithm}
Again, the hadamard code plays the major role here. Start with the
uniform superposition
\begin{eqnarray*}
H_n\q{x} & = & \frac{1}{2^{n/2}}\sum_{u\in \inbrace{0,1}^n}
(-1)^{u\cdot x}\q{u} \\
\implies H_n\q{0^m} & = &\frac{1}{2^{n/2}}\sum_{u\in \inbrace{0,1}^n}\q{u}
\end{eqnarray*}
By giving it input $x$ and $0^m$, it would return $x$ and $0^m\oplus
f(x) = f(x)$ on the other side.
Hence, if we make $x$ the uniform superposition, on applying $f$ we get:
$$
\q{\psi} = \frac{1}{2^{n/2}}\sum_{x\in
\inbrace{0,1}^n}\q{x}\otimes\q{0^m}\longrightarrow \frac{1}{2^{n/2}}\sum_{x\in
\inbrace{0,1}^n}\q{x}\otimes\q{f(x)}
$$
Now on just measuring the qubit $\q{f(x)}$, it would collapse to a
uniformly random element in the image say $f(x_0).$ And on a
measurement, since every other coordinate dies, the state would now
collapse to:
$$
\q{\psi} = \frac{1}{\sqrt{2}}\inparen{\q{x_0} + \q{x_0+\lambda}}
$$
On applying $H_n$ to this, we get
\begin{eqnarray*}
\q{\psi} & \rightarrow & c\inparen{\sum_{u\in \inbrace{0,1}^n}
(-1)^{x_0\cdot u}\q{u} + \sum_{u\in \inbrace{0,1}^n}
(-1)^{(x_0\oplus\lambda)\cdot u}\q{u}}\\
& = & c\sum_{u\in \inbrace{0,1}^n}\inparen{(-1)^{x_0\cdot u} +
(-1)^{x_0\cdot u \oplus \lambda\cdot u}}\q{u}\\
& = & \sum_{u\cdot \lambda=0}\alpha_u\q{u} \quad,\quad \alpha_u = \frac{1}{2^{(n-1)/2}}
\end{eqnarray*}
But this is just a uniform superposition on the orthogonal space of
the span of $\alpha$, and thus measuring $u$ would now give a random
sampling in the orthogonal space. We will now show that once we have a
random sampling of the space, we can get a basis.
\begin{lemma}
Let $G$ be a finite group. The probability that a
uniform sample of size $4\log|G|$ generates $G$ is at least $\frac{1}{3}.$
\end{lemma}
\begin{proof}
Let $g_1,g_2,\cdots, g_m$ be the sample. Define $G_i$ to be the
group generated by $\inbrace{g_j}_{j\leq i}.$ Let $X$ be the
indicator random variable that something bad happens:
$$
X_i = \begin{cases}
0 & \text{if $G_{i-1} = G$ or $g_i\notin G_{i-1}$}\\
1 & \text{otherwise}
\end{cases}
$$
and let $X = \sum_{i=1}^m X_i$ then
\begin{eqnarray*}
\Pr[X_i = 0] & = & \Pr[G_{i-1} = G] + \Pr[G_i\neq G]\Pr[g_i\notin
G_{i-1}|G_{i-1}\neq G]\\
& = & p_i + (1-p_i)\frac{1}{2}\\
& = & \frac{1}{2} + \frac{p_i}{2}\geq \frac{1}{2}\\
\implies E[X_i] & = & \Pr[X_i = 1] \leq \frac{1}{2}\\
\implies E[X] & = & \sum_{i=1}^m E[X_i] \leq \frac{m}{2}
\end{eqnarray*}
By Markov's inequality,
$$
\Pr[X\geq a] \leq \frac{E[x]}{a} \leq \frac{m}{2a}
$$
Choosing $a = \frac{3m}{4}$ would get give $\Pr[X\geq \frac{3m}{4}]
\leq \frac{2}{3}.$
But notice that if we haven't got a generating set already, $X_i =
0$ can happen atmost $\log |G|$ many times. Thus if we were to
choose $m=4\log|G|$, at most $\log|G|$ of the $X_i$ can be zero and
hence will force $G_m=G$ with probability atleast $\frac{1}{3}.$
\end{proof}
Now that we have a generating set for the orthogonal set, all we need
to do right now is solve a system of linear equations to get the
orthogonal space of this, which is the space of $\lambda.$ Thus we
would find $\lambda$ with just polynomially many queries since
$\log|G| \leq n.$\\
The same idea can be used to solve a general problem as well. We are
given a function $f$ such that there is a subspace such that
$f(x\oplus H) = f(x).$ The goal is to find a subspace. The same ideas
can be used to do this as well. (exercise to the reader)
\section{Towards Shor's Algorithms}
The techniques used in the quantum solution to Simon's problem is
essential for Shor's algorithms for integer factoring and the discrete
logarithm problem. Shor's algorithm is a quantum algorithm for order
finding (given a numbers $a$ and $n$, find $ord_n(a)$). But the
following lemma would show that this is good enough.
\begin{lemma}
Order finding is as hard as integer factoring.
\end{lemma}
\begin{proof}
We will show a probabilistic reduction from factoring to order
finding. Without loss of generality, we can assume that $n$ is odd.
Pick an $x$ at random from $\Z_n\setminus\inbrace{0}.$ We would be
extremely lucky if $\gcd(x,n) \neq 1$, we then immediately have a
non-trivial factor of $n$. Hence, we can assume that $x$ is randomly
picked from $\Z_n^\star.$
Suppose $ord_n(x)$ is even, and it further satisfies the property
that $x^{ord_n(x)/2} \neq -1\pmod{n}$, then we have non-trivial
square root of unity and hence $\gcd(n,x^{ord_n(x)/2}-1)$ or
$\gcd(n,x^{ord_n(x)/2}+1)$ will be non-trivial. This is the
reduction. Once we show that we find a good $x$ with high
probability, we are done.
Assume that $n = p_1^{\alpha_1}p_2^{\alpha_2}\cdots p_k^{\alpha_k}.$
By the chinese remaindering theorem,
$$
\Z_n^\star = \Z_{p_1^{\alpha_1}}^\star\times\Z_{p_2^{\alpha_2}}^\star\times\cdots\Z_{p_k^{\alpha_k}}^\star
$$
This map would take $x\mapsto \inparen{x_1,x_2,\cdots, x_k}.$ Let $r
= s2^t = ord_n(x)$ and $r_i =s_i2^{t_i}= ord_{p_i^{\alpha_i}}(x_i).$
Clearly, $s = \text{lcm }s_i$ and $t = \max t_i.$ Thus if $r$ is
odd, then $t=0$ which means $t_1 = t_2 = \cdots = t_k=0.$
Suppose $r$ was even, we shall analyze the probability that $x^{r/2}
= -1 \pmod{n}.$ By the chinese remaindering theorem, $x^{r/2} = -1
\mapsto \inparen{-1,-1,\cdots, -1}.$ But suppose some $t_i \neq t$,
then $t_i\leq t-1$ and hence $r_i \mid r/2$ and therefore the $i$-th
coordinate in the tuple will have to be a $1$ instead of a $-1.$
Therefore, the probability that $r$ is odd and $x^{r/2} = -1
\pmod{n}$ is bounded above by $\Pr[t_1 = t_2 = \cdots = t_k] \leq
2^{k-1}$ since each $t_i$ is independent.
Therefore $\Pr[r \text{ is even and }x^{r/2} \neq -1 \pmod{n}] \geq
1 - 2^{k-1}.$
\end{proof}
Over the next few lectures, we will see how we can find the order of
an element using a quantum algorithm, and this would solve the integer
factoring problem.
\end{document}