\documentclass[11pt]{article}
\usepackage{latexsym}
\usepackage{amsmath}
\usepackage{amssymb}
\usepackage{amsthm}
\usepackage{hyperref}
\usepackage{algorithmic}
\usepackage{algorithm}
\usepackage{complexity}
\usepackage{graphicx}
\newcommand{\handout}[5]{
\noindent
\begin{center}
\framebox[\textwidth]{
\vbox{
\hbox to \textwidth { {\bf Algebra and Computation } \hfill Course Instructor: #2 }
\vspace{4mm}
\hbox to \textwidth { {\Large \hfill #5 \hfill} }
\vspace{2mm}
\hbox to \textwidth { {\em #3 \hfill #4} }
}
}
\end{center}
\vspace*{4mm}
}
\newcommand{\lecture}[4]{\handout{#1}{#2}{Lecturer: #3}{Scribe: #4}{Lecture #1}}
\newtheorem{theorem}{Theorem}
\newtheorem{theorem*}{Theorem}
\newtheorem{corollary}[theorem]{Corollary}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{observation}[theorem]{Observation}
\newtheorem{proposition}[theorem]{Proposition}
\newtheorem{definition}[theorem]{Definition}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{fact}[]{Fact}
\newtheorem{subclaim}[theorem]{Subclaim}
% my custom commands
\newcommand{\inparen}[1]{\left(#1\right)} %\inparen{x+y} is (x+y)
\newcommand{\inbrace}[1]{\left\{#1\right\}} %\inbrace{x+y} is {x+y}
\newcommand{\insquar}[1]{\left[#1\right]} %\insquar{x+y} is [x+y]
\newcommand{\inangle}[1]{\left\langle#1\right\rangle} %\inangle{A} is
\newcommand{\abs}[1]{\left|#1\right|} %\abs{x} is |x|
\newcommand{\norm}[1]{\left\Vert#1\right\Vert} %\norm{x} is ||x||
\newcommand{\union}{\cup}
\newcommand{\Union}{\bigcup}
\newcommand{\intersection}{\cap}
\newcommand{\super}[2]{#1^{\inparen{#2}}} %\super{G}{i-1} is G^{(i-1)}
\newcommand{\setdef}[2]{\inbrace{{#1}\ : \ {#2}}}
\newcommand{\inv}[1]{#1^{-1}}
\newcommand{\inrpdt}[2]{\left\langle{#1},{#2}\right\rangle}%\inrpdt{x}{y} is .
\newcommand{\pderiv}[2]{\frac{\partial #1}{\partial #2}}
% Commands specific to this file
% TODO: Find the right way to typeset group index
\DeclareMathOperator{\Sym}{Sym}
\newcommand{\gpidx}[2]{\insquar{#1 : #2}} %\gpidx{H}{K} is [H : K]
\newcommand{\gpigs}[2]{\gpidx{\super{G}{#1}}{\super{G}{#2}}} %Group index of g super ...
\newcommand{\llhd}{\!\!\lhd\!\!\lhd}
\newcommand{\roundoff}[1]{\left\lfloor #1 \right\rceil}
% \newcommand{\ceil}[1]{\lceil #1 \rceil}
\newcommand{\floor}[1]{\left\lfloor #1 \right\rfloor}
\newcommand{\F}{\mathbb{F}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\Q}{\mathbb{Q}}
\newcommand{\Z}{\mathbb{Z}}
\renewcommand{\C}{\mathbb{C}}
%for algorithms
\renewcommand{\algorithmicrequire}{\textbf{Input:}}
% Problems we look at
\newcommand{\GIso}{\lang{Graph\text{-}Iso}} %Without \text, ugly minus instead of hyphen.
\newcommand{\GAut}{\lang{Graph\text{-}Aut}}
\newcommand{\SStab}{\lang{Set\text{-}Stab}}
%for Quantum computing
\newcommand{\q}[1]{\left|#1\right\rangle}
\begin{document}
\lecture{24: The Hidden Subgroup Problem}{V. Arvind}{V. Arvind}{Ramprasad Saptharishi}
\section{Overview}
In this class we shall look at character theory and its take on
quantum computing. Once we have sufficient tools, we will get into the
hidden subgroup problem, which can be used to solve a whole class of
problems including the discrete logarithm.
\section{The Hidden Subgroup Problem}
The hidden subgroup problem is the natural generalization of the order
finding problem. \\
{\em The Problem:} Let $G$ be a finite group and $H\leq G$ be a
subgroup of $G.$ Let $X$ be an arbitrary set and we are given a
function $f:G\rightarrow X$ such that it is constant on every right
coset of $H$ ($f(x) = f(y)$ if and only if $x$ and $y$ belong to the
same right coset of $H$) and is different for different right cosets.
Find a generating set for $H$.\\
\subsection{Discrete Log as a hidden subgroup problem}
{\em Problem:} $p$ is a prime and $g$ is a generator for $\Z_p^\star.$
Given $a\in \Z_p^\star$ find $x$ such that $g^x = a\pmod{p}.$\\
This can be easily converted to the HSP setting. Let $G'$ be the
additive group $\inparen{\Z_{p-1}\times \Z_{p-1},+}$ and $f:G'
\rightarrow \Z_p^\star$ such that it sends $(\alpha,\beta)$ to
$g^\alpha a^{-\beta}\pmod{p}.$
It is easy to see that $(\alpha,\beta)$ goes to $1$ if and only if
$\alpha = x\beta \pmod{p-1}.$ Therefore, the hidden subgroup of this
function is the subgroup generated by $(x,1).$ Thus all we need to do
is find a generator $(\alpha,\beta)$ of this subgroup, and then
$\alpha/\beta = x$ modulo $p-1.$
\subsection{Graph Isomorphism as a hidden subgroup problem}
We have seen earlier that graph isomorphism reduces to the problem of
finding the automorphism group of the graph. Converting to the HSP
setting is easy.
Let $\mathcal{G}_n$ be the set of all possible graphs on $n$
nodes. The hidden function is
\begin{eqnarray*}
f_X:S_n & \longrightarrow & \mathcal{G}_n\\
\pi & \mapsto & X^\pi
\end{eqnarray*}
that is, it takes a permutation and sends it to the graph obtained by
permuting $X$ by that permutation.
The hidden subgroup is precisely the automorphism group of the
graph. \\
This however is a case of the HSP in a non-abelian group setting. We
will just solve the problem for finite abelian groups.
\section{Characters of a finite group}
A character of a finite abelian group $G$ is a homomorphism
$\chi:G\rightarrow \C^\star.$ That is, it satisfies properties like
$\chi(1) = 1$, $\chi(g_1g_2) = \chi(g_1)\chi(g_2)$, $\chi(g^{-1}) =
\overline{\chi(g)}$, etc.\\
Define $\C[G]$ to be the $|G|$-dimensional vector space over $\C$
obtained by taking the elements of $G$ as the standard basis elements
of the vector space. It in fact also has a multiplicative structure and
is called a group algebra. Note that the vector space for the quantum
algorithms was $\C^{2^n} = \C[\Z_2^n]$ and at some points we even
exploited the group structure of $\Z_2^n$. And the standard basis in
the quantum setting was $\setdef{\q{g}}{g\in G}$, which is precisely
the standard basis of $\C[G].$
Now notice that an element of $\C[G]$ can be thought of as a function
from $G$ to $\C$, where the coordinate at each basis element is the
value of the function there. Thus $\C[G] = \C^G.$ In this setting, the
characters, being functions from $G$ to $\C$, can be thought of as
vectors in $\C[G].$
\subsection{Properties of Characters}
\begin{itemize}
\item It is easy to see that for every $g\in G$, $\chi(g)^{|G|} = 1$ since
$\chi$ is a homomorphism. Hence, $\chi(g)$ is a $|G|$-th root of
unity.
Thus characters are vectors where each coordinate is a $|G|$-th root
of unity. The vector $(1,1,\cdots, 1)$ is referred to as the trivial
character.
\item As in the quantum setting, we shall normalize characters by
writing them as
$$
\q{\chi} = \frac{1}{\sqrt{G}}\sum_g \chi(g)\q{g}
$$
By the usual hermitian inner product ($\inangle{a|b} = \sum
\overline{a_i}b_i$), it is clear that $\inangle{\chi|\chi} = 1.$
Thus characters are vectors of norm $1$.
\item Suppose we have two distinct characters $\chi_1,\chi_2$, that is
there exists an $h$ such that $\chi_1(h) \neq \chi_2(h).$ Let us
look at what happens to $\inangle{\chi_1|\chi_2}.$ Multiplying it
by $\chi_1(h)$:
\begin{eqnarray*}
\chi_1(h)\inangle{\chi_1|\chi_2} & = & \frac{1}{|G|}\sum_g
\chi_1(h)\chi_1(g^{-1})\chi_2(g)\\
& = & \frac{1}{|G|}\sum_g \chi_1(hg^{-1})\chi_2(g)\\
& = & \frac{1}{|G|}\sum_{\tilde{g}}
\chi_1(\tilde{g}^{-1})\chi_2(\tilde{g}h)\quad,\quad \tilde{g} =
gh^{-1}\\
& = &
\chi_2(h)\inparen{\frac{1}{|G|}\sum_{\tilde{g}}\chi_1(\tilde{g}^{-1})\chi_2(\tilde{g})}\\
& = & \chi_2(h)\inangle{\chi_1|\chi_2}
\end{eqnarray*}
But since we assumed that $\chi_1(h) \neq \chi_2(h)$, this will
force $\inangle{\chi_1|\chi_2}=0.$ Thus the characters are mutually
orthogonal to each other.
And hence, for any non-trivial character $\chi$,
$\inangle{(1,1,\cdots, 1)|\chi} =0$ and hence $\sum_g \chi(g) = 0.$
\end{itemize}
Therefore it is clear that there are at most $|G|$ characters (a $|G|$
dimensional space can have at most that many mutually orthogonal
vectors). For the finite abelian group setting, it is easy to show
that there are in fact $|G|$ many characters.
\begin{theorem}[Structure theorem for finite abelian groups]
Any finite abelian group $G$ is isomorphic to a direct product of
cyclic groups.
\end{theorem}
Thus
$$
G\cong \Z_{N_1}\times \Z_{N_2}\times \cdots \times \Z_{N_l}
$$
For a cyclic group $\Z_N$, it is easy to show that we indeed have $N$
characters:
\begin{eqnarray*}
\omega_N & = & e^{\frac{2\pi i}{N}}\\
\chi_j:\Z_N & \longrightarrow & \C^\star\\
1 & \mapsto& \omega_N^j\\
k & \mapsto & \omega_N^{jk}
\end{eqnarray*}
And clearly these are distinct. In the same way, we have $|G|$
distinct characters by just saying:
$$
\chi_{j_1,j_2,\cdots, j_l}(a_1,a_2,\cdots, a_l) =
\inparen{\omega_{N_1}}^{j_1a_1}\inparen{\omega_{N_2}}^{j_2a_2}\cdots \inparen{\omega_{N_l}}^{j_la_l}
$$
Thus, the characters indeed form an orthonormal basis for $\C[G].$
\subsection{The Fourier transform}
The Fourier transform is just the change of basis from the standard
basis to the characters. The transform played an important role in the
order finding algorithm due to the property of `shift invariance' that
the character basis enjoys.
\begin{eqnarray*}
\q{\chi_g} & = & \frac{1}{\sqrt{G}} \sum_x \chi_g(x)\q{x}\\
U_h\q{\chi_g} & = & \frac{1}{\sqrt{G}} \sum_x \chi_g(x)\q{hx}\\
& = & \frac{1}{\sqrt{G}} \sum_x \chi_g(h^{-1})\chi_g(hx)\q{hx}\\
& = &
\chi_g(h^{-1})\inparen{\frac{1}{\sqrt{G}}\sum_{x'}\chi_g(x')\q{x'}}\quad,\quad x' = hx\\
& = & \chi_g(h^{-1})\q{\chi_g}
\end{eqnarray*}
The Fourier basis vectors are eigenvectors of every shift operator
$U_h$, the eigenvalue being $\chi_g(h^{-1}).$
\section{The Hidden Subgroup Problem for Finite Abelian Groups}
The group is given to us as $\Z_{N_1}\times \Z_{N_2} \times \cdots
\times \Z_{N_l}.$ And we need to find the hidden subgroup of $G.$
As in Simon's problem and Shor's algorithm, first create the
uniform superposition
$$
\q{\psi} = \frac{1}{\sqrt{G}}\sum_g \q{g}
$$
How we create this is a lovely trick that we shall see later in this
lecture. We will also assume that we can do a Fourier transform
(approximately at least) efficiently. Applying the function to
the padded version, we get
$$
\frac{1}{\sqrt{G}}\sum_g \q{g}\q{f(g)}
$$
On measuring the second register, we would observe some value $f(x)$,
and the first register would collapse to the state
$$
\frac{1}{\sqrt{H}}\sum_h \q{xh}
$$
A Fourier transform on this gives
$$
\frac{1}{\sqrt{H}\sqrt{G}}\sum_h\sum_g\chi_{xh}(g)\q{g}
$$
Note that $\chi_a(b) = \chi_b(a).$ And hence
\begin{eqnarray*}
\frac{1}{\sqrt{H}\sqrt{G}}\sum_h\sum_g\chi_{xh}(g)\q{g} & = &
\frac{1}{\sqrt{H}\sqrt{G}}\sum_h\sum_g\chi_g(xh)\q{g}\\
& = & \frac{1}{\sqrt{H}\sqrt{G}}\sum_g\inparen{\sum_h
\chi_g(h)}\chi_g(x)\q{g}
\end{eqnarray*}
Now, since $\chi_g$ restricted to $H$ is a character of $H$ as well,
the summation inside the bracket will be zero for a lot of $\chi$s.
At this point, for any group $G$, define the dual group $G'$ as the
group of characters of $G$, and define $H^\perp = \setdef{\chi\in
G'}{\chi(h)=1\ \forall h\in H}$.
For all characters in $H^\perp$, the summation in the bracket will be
$|H|$, and $0$ otherwise. Hence the summation reduces to
$$
\frac{\sqrt{H}}{\sqrt{G}}\sum_{g:\chi_g\in H^\perp} \chi_g(x)\q{g}
$$
Now measuring $\q{g}$ will give us a random element in $H^\perp.$ Thus
using the sampling lemma in Simon's problem we can get a generating
set for $H^\perp.$ With this, how do we find a generating set for $H$?
Suppose we have our sample $g_1,g_2,\cdots,g_t$ where $t = 4\log|G|.$
By the structure of the group $G$, $g_i =
\inangle{a_{i_1},a_{i_2},\cdots, a_{i_l}}.$ Thus for each $x =
\inangle{x_1,x_2,\cdots,x_l}\in H$ we know that
$$
\omega_{N_1}^{x_1a_{i_1}}\omega_{N_2}^{x_2a_{i_2}}\cdots \omega_{N_l}^{x_la_{i_l}}=1
$$
But this is an exponential constraint; if we had a linear constraint
we could solve it using the techniques discussed earlier.
Let $N = \mathrm{lcm}(N_i)$ and let $M_i = N/N_i.$ Then the constraint
above amounts to finding solutions $x_j$ to $\sum_j M_ja_{i_j}x_j =
0\pmod{N}.$ The mod can be removed as well by having an extra
indeterminate $y_i$ and writing it as
$$
M_1a_{i_1}x_1 + M_2a_{i_2}x_2 + \cdots + M_la_{i_l}x_l + Ny_i = 0
$$
These constraints, one for each $i$, form a system of linear
Diophantine equations that can be solved using the Hermite normal
form. Thus, this would solve the hidden subgroup problem.
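The discrete-log reduction and the classical post-processing above, carried through for a small prime, as an added example that is not part of the original lecture notes. The quantum measurement is replaced by a brute-force enumeration of $H^\perp$ (an assumption made so the code runs classically); since here $N_1 = N_2 = p-1$ and $H$ is generated by $(x,1)$, each sample $(a_1,a_2)$ gives the single congruence $a_1x + a_2 = 0 \pmod{p-1}$, and these are combined by merging congruences rather than by a Hermite normal form. All function names are illustrative.

```python
import random
from math import gcd

def hidden_subgroup(p, g, a):
    """H = f^{-1}(1) for f(alpha, beta) = g^alpha * a^(-beta) mod p on Z_{p-1}^2."""
    n, a_inv = p - 1, pow(a, -1, p)
    return [(al, be) for al in range(n) for be in range(n)
            if pow(g, al, p) * pow(a_inv, be, p) % p == 1]

def annihilator(H, n):
    """H^perp as index pairs (j1, j2): w_n^(j1*h1 + j2*h2) = 1 for every h in H."""
    return [(j1, j2) for j1 in range(n) for j2 in range(n)
            if all((j1 * h1 + j2 * h2) % n == 0 for h1, h2 in H)]

def congruence_from_sample(a1, a2, n):
    """(x, 1) in H forces a1*x + a2 = 0 (mod n); return (r, m) with x = r (mod m)."""
    d = gcd(a1, n)          # d also divides a2 because (a1, a2) lies in H^perp
    m = n // d
    if m == 1:              # a1 = 0 (mod n): the sample carries no information on x
        return 0, 1
    return (-a2 // d) * pow(a1 // d, -1, m) % m, m

def merge(r1, m1, r2, m2):
    """Combine x = r1 (mod m1) and x = r2 (mod m2) into one congruence mod lcm."""
    d = gcd(m1, m2)
    assert (r2 - r1) % d == 0, "inconsistent samples"
    step = m2 // d
    t = 0 if step == 1 else (r2 - r1) // d * pow(m1 // d, -1, step) % step
    return (r1 + m1 * t) % (m1 * step), m1 * step

def discrete_log_via_hsp(p, g, a, seed=0):
    """Return (x, samples_used) with g^x = a (mod p), sampling H^perp uniformly."""
    n = p - 1
    H_perp = annihilator(hidden_subgroup(p, g, a), n)
    rng = random.Random(seed)
    r, m, used = 0, 1, 0
    while m < n:                         # x is pinned down once the modulus is n
        a1, a2 = rng.choice(H_perp)      # stands in for the quantum measurement
        r, m = merge(r, m, *congruence_from_sample(a1, a2, n))
        used += 1
    return r, used

if __name__ == "__main__":
    p, g, x = 31, 3, 17                  # constructed instance; 3 generates Z_31^*
    print(discrete_log_via_hsp(p, g, pow(g, x, p)))
```

A single sample $(a_1,a_2)$ determines $x$ only modulo $(p-1)/\gcd(a_1,p-1)$, which is why several samples are merged.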
\subsection{The Converse}
Another important question is the following: suppose we have a way of
solving the hidden subgroup problem for a finite abelian group, can we
use that to find the structure of $G$?
One way is to take generators of $G$ (by random sampling), find
their orders and factorize them. The factorization of the orders
will decompose the group into a direct product of $p$-groups. How do
we find the cyclic product decomposition of the $p$-groups?
We shall discuss this in the next lecture.
\subsection{Creating the uniform superposition}
We want to create the state
$$
\q{\psi} = \frac{1}{\sqrt{G}}\sum_g\q{g}
$$
The idea is to find a binary encoding of the group and use that.
Encode elements of $G$ using binary strings of length $m$, $m$ chosen
such that $2^m \geq |G| \geq 2^m/\mathrm{poly}(m)$ (a reasonably
efficient encoding). Once we have an encoding function, we naturally
have a checker function $U_f$ that takes a binary string and decides
whether it is actually an encoding of an element of $G.$
Using the Hadamard transform, we can create a uniform superposition
over $\inbrace{0,1}^m$:
$$
\q{\psi} = \frac{1}{\sqrt{2^m}}\sum_{x\in\inbrace{0,1}^m}\q{x}
$$
Applying the checker function to the padded version of this, we get
$$
\frac{1}{\sqrt{2^m}}\sum_{x\in \inbrace{0,1}^m}\q{x}\q{f(x)}
$$
Now since we assumed that the encoding is reasonably efficient,
measuring $f(x)$ will give us a $1$ with high probability. And hence,
the rest of the state will collapse to
$$
\frac{1}{\sqrt{G}}\sum_g \q{g}
$$
which is precisely what we want!
%%% Local Variables:
%%% mode: latex
%%% TeX-master: "lecture24"
%%% End:
\end{document}