The Quantum Hidden Subgroup Problem for Semidirect Products of Cyclic Groups

A Thesis
Presented to
The Division of Mathematics and Natural Sciences
Reed College
In Partial Fulllment
of the Requirements for the Degree
Bachelor of Arts
Samuel F. Hopkins
December 2012
Approved for the Division
(Mathematics)
James Pommersheim
Acknowledgements
I must rst thank my adviser Jamie Pommersheim: for introducing me to quantum
computing and the Hidden Subgroup Problem, for guiding me through the dark
forest of qubits in which I quickly found myself lost, and for being one of the truly
luminous teachers during my time at Reed. I also give thanks to the other members
of the Quantum Mechanics (Daniel Copeland, Ethan Edwards, Mikhail Lepilov, and
Marcus Robinson), as well as all those Reed students who took part in Jamies topics
class on quantum computing during the spring semester of 2012. Stephanie Bastek
gets thanks for being a stellar roommate-proofreader. Finally, I thank Asif Shakeel
for his thoughtful comments regarding chapter 3 and because his PhD thesis provided
a launchpad for my research.
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1: Quantum Computing . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Information storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.1 State spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.2 Notation and composite systems . . . . . . . . . . . . . . . . . 4
1.1.3 State vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Information processing . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Information retrieval . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4 The quantum Fourier transform . . . . . . . . . . . . . . . . . . . . . 9
1.5 Oracle problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 2: The Hidden Subgroup Problem . . . . . . . . . . . . . . . . 13
2.1 History and overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2 Statement of the problem . . . . . . . . . . . . . . . . . . . . . . . . 14
2.3 The abelian HSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4 The non-abelian HSP . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 3: The HSP for Z
N
Z
p
. . . . . . . . . . . . . . . . . . . . . . . 19
3.1 The metacyclic group Z
N
Z
p
. . . . . . . . . . . . . . . . . . . . . . 19
3.2 Overview of the algorithm . . . . . . . . . . . . . . . . . . . . . . . . 20
3.3 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.4 Single-query algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.5 Multi-query algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.6 Analysis of probability of success . . . . . . . . . . . . . . . . . . . . 30
3.6.1 A lemma on the distribution of

ds . . . . . . . . . . . . . . . 31
3.6.2 N prime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.6.3 General N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 4: Representation Theory and the HSP for Z
N
Z
p
. . . . . 35
4.1 The Fourier transform over a group . . . . . . . . . . . . . . . . . . . 35
4.2 Irreducible representations of Z
N

k
Z
p
. . . . . . . . . . . . . . . . . 37
4.3 The Fourier transform over Z
N

k
Z
p
. . . . . . . . . . . . . . . . . . 39
Appendix A: Basic Representation Theory . . . . . . . . . . . . . . . . 41
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Abstract
In this thesis we explore the Hidden Subgroup Problem in quantum computing. While
there exist ecient quantum algorithms that solve the Hidden Subgroup Problem for
many families of groups, there is no known general polynomial-time solution. Our
main new result, proved in chapter 3, shows that if a certain proposed algorithm
for the dihedral Hidden Subgroup Problem can be eciently implemented, then in
fact there exists an ecient quantum solution to the Hidden Subgroup Problem for
arbitrary semidirect products of a cyclic group by a cyclic group of prime order.
Introduction
In 1994, Peter Shor [22] shocked the computer science community by demonstrat-
ing that a quantum computer, if it were ever built, could quickly factorize integers.
Practically, Shors algorithm threatened to break the most widely used public-key
cryptography systems and immediately spurred government and industry to invest in
quantum computing research. Philosophically, Shors algorithm represented a poten-
tial counterexample to the Extended Church-Turing Thesis.
1
Mathematically, Shors
algorithm, which employs variously number theory, linear algebra, probability and
analysis, laid bare the richness of the theory of quantum computing and prompted
mathematicians to explore its capabilities and limitations. Almost twenty years later,
there have been few breakthroughs in quantum computing comparable to Shors algo-
rithm. Indeed, even as engineers are testing small-scale quantum computers that can
factor 15 or 21, there exist only a handful of signicant quantum algorithms. As Amit
Hagar [10] writes in the Stanford Encyclopedia of Philosophy, quantum computing
is a domain where experimentalists nd themselves ahead of their fellow theorists.
This thesis represents one theorist ghting back. In the following pages, I attempt
to develop an algorithm for solving a particular case of the so-called Hidden Subgroup
Problem (HSP), a natural algebraic generalization of Shors problem of factorizing
integers. The HSP is a highly active area of research in quantum computing: it has
implications for certain proposed cryptographic systems and is of general computer
scientic interest because of its relation to classically intractable problems like the
graph isomorphism problem. While my research has not led to a new, unconditionally
ecient solution to the HSP, it does expose an interesting connection between the
dihedral HSP and the HSP for more general semidirect products of cyclic groups.
Throughout the thesis, we assume familiarity with basic results from linear algebra
and group theory. Representation theory is used only in chapter 4; Appendix A
quickly explains all the representation-theoretic terms and theorems we need.
1
The Extended Church-Turing Thesis is the claim that all reasonable physical models of a com-
puter are polynomial-time equivalent to a Turing machine; see [10], 1.1.
Chapter 1
Quantum Computing
In this chapter we describe the standard model of quantum computing and present its
postulates, with the aim of developing a quantum algorithm that solves some classi-
cally hard mathematical problem. These postulates are justied by well-documented
physical evidence but we will not focus on providing any such justication here. For
a comprehensive treatment of the theory of quantum computing, with perspectives
from physics, mathematics, computer science and information theory, we direct the
readers attention to Nielsen and Chaung [15].
Before formally describing the model, it will help to give a brief overview of quan-
tum computers to understand why they are potentially interesting. A quantum com-
puter stores information as quantum bits, or qubits, where a qubit is mathematically
notated as a vector [ = [0 + [1. Unlike classical bits, qubits can take values
in-between 0 and 1. Here and are complex coecients which we call amplitudes,
and so a single qubit could be said to store an innite amount of information. How-
ever, this last assertion is extremely misleading because we are not free to arbitrarily
access the amplitudes of our qubits. Rather, when we measure a qubit, we obtain
only classical information (either 0 or 1). The real values [[
2
and [[
2
determine the
probabilities of measuring 0 or 1 respectively.
The nave account of quantum computing contends that a quantum algorithm can
solve an intractable problem because it tests all the possibilities at once. But this
description is misleading. If we used a single system of qubits to compute all possible
solutions to some problem and then attempted to read o the solution by measuring
this system, instead we would only measure the result of a random computation. This
is no better than the classical probabilistic approach of randomly guessing the answer
and checking if it works. However, quantum computers have one tremendous advan-
tage over classical probabilistic computers: unlike classical probabilities, which are
nonnegative reals, the amplitudes of a quantum state are complex numbers and thus
can cancel out. The true explanation for why quantum algorithms work is that they
exploit the structure of the problems they solve and cleverly manipulate their quan-
tum states so that the amplitudes of bad solutions destructively interfere while the
amplitudes of the correct solutions constructively interfere. With this perhaps fuzzy
intuition about the potential of quantum computing in mind, we now systemically
describe the way a quantum computer stores, processes, and retrieves information.
4 Chapter 1. Quantum Computing
1.1 Information storage
1.1.1 State spaces
Quantum computers store information in quantum systems; indeed, it is through
quantum mechanical phenomena such as superpositions and entanglement that they
are able to achieve any computational advantage over classical computers. Von Neu-
mann, in rigorously establishing a mathematical framework for quantum mechanics,
realized that the proper setting for a quantum system is a Hilbert space. Through-
out this thesis, we will consider our Hilbert spaces to be nite-dimensional complex
inner-product spaces.
Postulate 1. (State spaces)
The state space of a quantum system is a nite-dimensional complex Hilbert space
1. That is, 1 is a nite-dimensional vector space over C equipped with an inner
product , : 11 C such that for all x, y, z 1 and a, b C,
1. ax + bz, y = ax, y +bz, y (linearity);
2. x, y = y, x (skew-symmetry);
3. x, x 0 with equality if and only if x = 0 (positive deniteness).
The inner product of 1 induces a norm [x[ :=
_
x, x for any vector x 1 and a
distance function d(x, y) := [x y[ between any two vectors x, y 1. It is a routine
exercise to check that this distance function in fact makes 1 into a metric space, and
that 1 is complete with respect to this metric.
1.1.2 Notation and composite systems
It is convenient to use Dirac notation to represent quantum systems. A quantum
system, as we shall see, is a vector in some state space 1. We call such a vector a
state vector. In Dirac notation, a vector is written as [ 1, which we read as ket
phi. The conjugate transpose of [ is written [ := [

, which we read as bra phi.

This notation is attractive because the product [ [ is in fact equal to [, the
inner product of [ and [.
We use the notation [ [ to represent the outer product of [ and [. The
outer product is a linear transform [ [ : 1 1 that acts by
[ [ ([) := [ [ .
For instance, if [ is a unit vector, [ [ is a rank one linear transform representing
projection onto [.
Finally, we will use [ [ to denote the tensor product of [ and [. Suppose
1
1
and 1
2
are Hilbert spaces. Then 1
1
1
2
is also a Hilbert space, of dimension
dim(1
1
) dim(1
2
). The tensor product is a map : 1
1
1
2
1
1
1
2
where we
have the following identities for any [
1
, [
2
, [ 1
1
, [
1
, [
2
, [ 1
2
, and
c C:
1.1. Information storage 5
1. ([
1
+[
2
) [ = [
1
[ +[
2
[;
2. [ ([
1
+[
2
) = [ [
1
+[ [
2
;
3. c [ [ = [ c [ = c([ [).
The inner product of a tensor product of two Hilbert spaces is the product of the
inner products of the tensor factors; in symbols, we have
([
1
[
1
), ([
2
[
2
=
1
[
2

1
[
2
.
Instead of [ [, we often write [ [ or even [ if this is unambiguous. Of
course it is possible to take the tensor product of more than two Hilbert spaces; it is
routine to verify that the order in which we take the products does not matter, i.e.
that 1
1
(1
2
1
3
) = (1
1
1
2
) 1
3
.
The tensor product is extremely important in the mathematical formulation of
quantum mechanics because the composite of multiple quantum systems is the tensor
product of the constituent systems.
Postulate 2. (Composite systems)
If 1
1
, . . . , 1
k
are quantum state spaces, then the composite system of these spaces is
1
1
1
k
. If 1
i
is in state [
i
for all 1 i k, then 1
1
1
k
is in state
[
1
[
k
.
1.1.3 State vectors
The bit is the basic unit of information for classical computers. A bit can have one
of two values, 0 or 1. Any natural number can be stored as a series of bits by writing
it in binary; e.g. 5 = 101. We see that it takes log(N) bits to represent the number
N N.
The qubit is the quantum analogue of the bit. Like the bit, a qubit, which we
regard as a state vector [ in the Hilbert space C
2
, can take on the classical values
[0 and [1. However, a qubit may also be in a superposition of these two states:
[ = [0 + [1 .
Here we consider [0 , [1 to be an orthonormal basis of C
2
. Which values of and
are permissible? To answer this we need another postulate.
Postulate 3. (State vectors)
A state vector is a unit vector in some state space.
1
1
If two state vectors dier only by a global phase, i.e. if [ = e
i
[, then, as we shall see, there
is no way to distinguish [ and [ via a measurement. While it might therefore be tempting to
consider a state vector to be an equivalence class of unit vectors that dier by a global phase, this
would cause some problems with our denition of a composite state. We will consider a state vector
to be a single vector.
6 Chapter 1. Quantum Computing
Thus we see that in [ above we have [[
2
+ [[
2
= 1. We may also consider a
state vector representing multiple qubits, for instance:
[ = [00 + [01 + [10 + [11 .
In this case [ C
4
C
2
C
2
, and again we have [[
2
+ [[
2
+ [[
2
+ [[
2
= 1. It
is often convenient to look at parts of our qubit systems, and for this purpose the
notion of a register is convenient.
Denition 1.1. A register of a state vector involving multiple qubits is some subset
of all of the qubits.
The notation [
1
[
2
stresses that we are viewing a state vector as comprising
two registers. So for instance we write [ = [0 [0 + [0 [1 + [1 [0 + [1 [1
to represent [ as comprising two single qubit registers.
Just as we can encode a natural number on a classical computer by writing its
binary representation in bits, we can encode a number on a quantum computer by
writing its binary representation in qubits. For instance, [5 = [101 = [1 [0 [1. We
can encode any nite set of numbers in qubits, so although we assume our quantum
computer stores its information in qubits, we have no problem working in the Hilbert
space C
N
whose orthonormal basis vectors we will call [0 , [1 , . . . , [N 1. In fact,
any nite set X can be encoded in qubits by some map X 0, . . . , [X[ 1, so we
will also feel comfortable working in the Hilbert space CX C
|X|
whose orthonormal
basis vectors are [x for x X. Sometimes we use the notation C[x to mean the
subspace of CX spanned by [x.
1.2 Information processing
In the last section, we explained how there is a signicant dierence in the way
classical and quantum computers store information (bits versus qubits). There is
a similarly signicant dierence in information processing between the two kinds of
computers. In a classical computer, bits can be rewritten at will; however, because
the evolution of a quantum state is symmetric with respect to time, in a quantum
computer all operations on qubits must be reversible. In particular, we have the
following postulate:
Postulate 4. (State evolution)
Quantum systems evolve over time by unitary transforms on their Hilbert spaces,
and any unitary transform represents a valid evolution of a quantum system. In
other words, if a quantum system is in state [ 1 at time t and at a later time t

is in state [

, then there exists some unitary transform U such that [

= U [.
A unitary transform on a Hilbert space 1 is a bijective linear transformation
U : 1 1 that preserves inner products:
, = U, U for all [ , [ 1.
1.2. Information processing 7
Equivalently, U is a bijective linear transformation such that UU

= I, where I is
the identity map on 1. Or equivalently again, U maps an orthonormal basis of 1 to
another orthonormal basis of 1.
The tensor product of two unitary transforms U
1
: 1
1
1
1
and U
2
: 1
2
1
2
,
which we write |
1
|
2
, operates on a vector [ [ 1
1
1
2
in the way one
would expect:
(|
1
|
2
)([ [) = |
1
[ |
2
[ .
An example of a unitary transform that is extremely important for quantum
computing is the Hadamard transform, H: C
2
C
2
. The Hadamard transform
can be written in matrix form as
H =
1

2
_
1 1
1 1
_
,
with respect to the orthonormal basis [0 , [1 of C
2
. So H [0 =
1

2
([0 +[1) and
H [1 =
1

2
([0 [1). These states are themselves so important that we give them
special names:
[+ :=
1

2
([0 +[1) ,
[ :=
1

2
([0 [1) .
Another example of a basic unitary transform on C
2
is
X =
_
0 1
1 0
_
.
We have X [0 = [1 and X [1 = [0. Because it ips the value of a qubit, we call X
the quantum NOT transform. A unitary transform related to NOT but which acts
on C
4
is:
CNOT =
_
_
_
_
1 0 0 0
0 1 0 0
0 0 0 1
0 0 1 0
_
_
_
_
.
This matrix representation of CNOT assumes our basis is [00 , [01 , [10 , [11.
Hence we have CNOT[00 = [00, CNOT[01 = [01, CNOT[10 = [11, and
CNOT[11 = [10. As we can see, CNOT ips the second qubit of the tensor product
if the rst qubit is [1, and acts as the identity if the rst qubit is [0. Thus we call
CNOT the controlled NOT transform.
There exists a set of four unitary transforms including H and CNOT called a set
of universal quantum gates that can approximate any unitary transform arbitrarily
well.
2
That is, we can get a very good approximation of an arbitrary transform
2
These two transforms along with the phase and /8 transforms suce; see [15], section 4.5, for
a precise explanation. The terms universal quantum gate and circuit complexity come from a
model of quantum computers as circuits.
8 Chapter 1. Quantum Computing
unitary U with a nite product of these simpler transforms. We assume our quantum
computer at least has the ability to perform the universal quantum gates on its qubits.
Because the product of two unitary transforms is again unitary, the application of
a series of transforms (U
1
followed by U
2
and so on up to U
n
) could just as easily
be seen as the application of a single unitary U := U
n
U
n1
U
1
. However, we are
interested in computational eciency, so we care about how many simple transforms
are needed to execute our algorithm.
Denition 1.2. The circuit complexity of a quantum algorithm is the number of
universal quantum gates required to approximate the unitary transforms used in the
algorithm.
Whether we are analyzing classical or quantum algorithms, an algorithm is con-
sidered ecient if it takes time polynomial in the size of the input. Since our inputs
are stored as a series of qubits, an input of N N has size log(N). Thus we are inter-
ested in algorithms that take time f(N) polynomial in the logarithm of N; we write
f = poly(log(N)) in such a case. We want the circuit complexity of our algorithm to
be poly(log(N)) as a function of the input size.
1.3 Information retrieval
Information retrieval also diers greatly between classical computers and quantum
computers. Rarely do we even consider our ability to retrieve the information stored
in a classical computer: we are allowed to access the true value of any of our bits at
any time, and looking up a bit does not aect its value. On the other hand, when
we measure a qubit, we only receive classical information (a value of 0 or 1) even
if the qubit was in a superposition between [0 and [1, and in measuring the qubit
we collapse it to the classical state we measured. Importantly, while the unitary
operations we considered in the previous section were all reversible, measurement of
a quantum state is an irreversible process.
Postulate 5. (Measurement)
Suppose M
m
is a set of linear transforms acting on a state space 1 such that

m
M
m
= I. Then we call these M
m
measurement operators, and they allow us to
measure a system [ H. The probability that we measure the value m is given by
P(m) = [ M

m
M
m
[ ,
and if we do measure the value m, the state of the system post-measurement is
M
m
[
[M
m
[ [
.
(Note that the requirement

m
M
m
= I, called completeness, ensures that the laws
of probability are obeyed.)
The most important example of measurement is measurement in the computa-
tional basis:
1.4. The quantum Fourier transform 9
Denition 1.3. Let [ CX be some state vector. To measure [ in the compu-
tational basis is to measure [ with the set of measurement operators being the set
[x x[
xX
. Measurement in the computational basis yields some value x X.
For example, if we measure [+ in the computational basis, we obtain value 0
half the time, and we obtain the value 1 half the time. After measurement, the state
becomes [0 or [1 depending on which value we measured. There are many more
sophisticated kinds of measurements, but in this thesis we will need only measurement
in the computational basis and partial measurement, which we explain with the next
denition. Thus, whenever we say we measure some state vector, we mean that we
measure it in the computational basis.
Denition 1.4. Suppose [ [ is some vector in 1 CX. To measure the second
register of [ [ in the computational basis is to measure [ [ with the set of
measurement operators being the set (I [x x[)
xX
, where I is the identity on
1. This measurement yields some value x X. Measurement of the rst register is
dened analogously.
Note that the state after measurement always projects to a unit vector. For ex-
ample, let [ =
1

2
([0 [0 +[1 [1). Then, when we measure the second register
of [, we obtain 0 half the time and 1 half the time. If we measure 0, the state
becomes [0 [0, whereas if we measure 1, the state becomes [1 [1. Thus we see
that a measurement of the second register has aected the value of the rst regis-
ter. This phenomenon, known as quantum entanglement, is important in explaining
how quantum computers might oer a computational speed-up from their classical
analogues.
1.4 The quantum Fourier transform
One unitary transform in particular, the quantum discrete Fourier transform, will
be a key tool in our development of a quantum algorithm. There are only a few
categories of quantum algorithms that perform better than the best known classical
algorithms for the same problem; algorithms based on the quantum Fourier transform
make up one of these categories.
3
Denition 1.5. The quantum Fourier transform, T
N
: C
N
C
N
, acts on a basis of
C
N
by
T
N
[j =
1

N
N1

k=0

jk
[k ,
where := e
2i/N
is a primitive Nth root of unity.
3
Examples of other classes include quantum search algorithms, such as Grovers algorithm, and
quantum annealing algorithms.
10 Chapter 1. Quantum Computing
We can easily verify that the quantum Fourier transform is unitary. First we claim
that the inverse of the quantum Fourier transform acts as
T
1
N
[j :=
1

N
N1

k=0

jk
[k .
Recall the following basic fact about roots of unity:
Fact 1.6. Let be a primitive mth root of unity, with m > 1, and let r be some
integer. Then we have
1
m
m1

k=0

rk
=
_
1 r = 0;
0 r ,= 0.
Straightforward computation, along with this fact, shows that the above formula for
the inverse Fourier transform is correct:
T
1
N
T
N
[j =
1

N
N1

l=0

jl
1

N
N1

k=0

lk
[k
=
1
N
N1

l=0
N1

k=0

l(jk)
[k
= [j .
Finally, to conclude that T
N
is unitary, note that the formula for T
1
N
makes explicit
that T

N
= T
1
N
, and so T
N
T

N
= I.
Quantum algorithms based on the quantum Fourier transform depend crucially
on the fact that it can be eciently implemented by a quantum computer. Currently,
the best implementations of the quantum Fourier transform have a circuit complexity
of only O(log N log log N) [11]. It is dicult to explain exactly why the Fourier
transform is so successful in a wide range of applications, but, roughly speaking, the
Fourier transform gives information about the periodicity of a function. Worth noting
is that the quantum Fourier transform of size two is just the Hadamard transform:
T
2
= H.
1.5 Oracle problems
We have now developed enough background in quantum computing to present an
example of a quantum algorithm: Deutschs algorithm. Deutschs algorithm solves
an oracle problem.
Denition 1.7. In an oracle problem, we are given access to a certain unitary trans-
form, O
f
: CXCY CXCY , called an oracle, that acts on a basis of CXCY
by
O
f
[i [r = [i [f(i) + r ,
1.5. Oracle problems 11
where f is some unknown function from X to Y . (Here, in order that O
f
be unitary,
we assume addition makes sense in Y ; that is, we assume Y is an abelian group.)
The function f is guaranteed to be from some set of functions F = F
1
. . F
k
,
and a priori we assume some probability distribution over the f F. Our goal is to
identify the family F
i
that our function f belongs to with as few applications of the
oracle as possible.
We call the rst register, CX, the query register, and the second register, CY , the
response register. Two registers are required because we need the action of the oracle
to be reversible. Although this description of an oracle problem may make it seem
like a contrived concept, in fact such problems arise quite naturally in theoretical
computer science. We are not really interested in probing some black box for its
hidden information. Rather, we think of the oracle as a computationally expensive
subroutine whose behavior we cannot predict except by evaluating it on certain inputs.
We can therefore see why we want to minimize the number of calls to the subroutine.
In analyzing the eciency of an algorithm that solves an oracle problem, we must
consider both the circuit complexity and query complexity.
Denition 1.8. The query complexity of an algorithm that solves an oracle problem
is the number of applications of the oracle it requires.
We are looking for algorithms that solve problems in a probabilistic sense. That
is, we say that an algorithm solves a problem if it yields the desired result with
probability arbitrarily close to 1. Note that if an algorithm eciently yields the
desired result with probability greater than c, where c > 1/2 is some xed constant,
then in fact this algorithm solves the problem eciently. This follows from a basic
statistical fact: if we have a coin that is biased towards either heads or tails, with
only a constant number of ips we are able to determine the bias with probability
exponentially close to 1 by concluding that it is biased towards the side it lands on a
majority of the time.
Deutschs problem, unlike oracle problems generally, is rather contrived. The or-
acle in Deutschs problem hides two bits x
0
and x
1
from us and we are asked to
determine the binary sum x
0
+ x
1
. It is clear that a classical computer requires two
queries to this oracle to determine x
0
+x
1
because it needs to know both bits to know
the sum; in particular, with only a single oracle query, a classical computer has a prob-
ability 1/2 of determining the sum because the sum takes the values 0 or 1 with equal
probability independent of the value of one of the hidden bits. Deutschs quantum
algorithm solves Deutschs problem with only one query. We present Deutschs prob-
lem here because historically it was one of the rst problems to show that quantum
computers could be computationally more powerful than their classical analogues,
because its solution is simple to explain, and especially because it is a special case
of the Hidden Subgroup Problem, a problem which we will fully dene in the next
chapter and which is the focus of this thesis.
Denition 1.9. Let O
x
0
,x
1
: CZ
2
CZ
2
CZ
2
CZ
2
, with x
0
, x
1
Z
2
act by
O
x
0
,x
1
[i [r = [i [x
i
+ r .
12 Chapter 1. Quantum Computing
Deutschs problem is to determine the sum x
0
+ x
1
(mod 2).
Theorem 1.10. There is a quantum algorithm that solves Deutschs problem with a
single application of the oracle.
Proof: We prove this theorem by demonstrating the algorithm. Deutschs algorithm,
rst devised in [5], proceeds as follows:
1. Prepare the state [ := [0 [1 CZ
2
CZ
2
. Note that [ = (I X) [0 [0,
so we could have as easily started with [0 . . . 0, which is a state we assume our
quantum computer can prepare.
2. Apply H H to yield (H H) [ = [+ [.
3. Apply O
x
0
,x
1
to yield
O
x
0
,x
1
(H H) [ =
1
2
([0 [x
0
[0 [x
0
+ 1 +[1 [x
1
[1 [x
1
+ 1) .
If x
0
= 0, then [0 [x
0
[0 [x
0
+ 1 = [0 [0[0 [1 =

2 [0 [, and if x
0
= 1,
then [0 [x
0
[0 [x
0
+ 1 =

2 [0 [. The value of [1 [x
1
[1 [x
1
+ 1
depends on x
1
similarly. Therefore we may rewrite this state as
O
x
0
,x
1
(H H) [ =
1

2
((1)
x
0
[0 [ + (1)
x
1
[1 [)
=
(1)
x
0

2
_
[0 [ + (1)
x
1
x
0
[1 [
_
.
4. Apply (H I) to yield
(H I)O
x
0
,x
1
(H H) [ =
(1)
x
0

2
_
[+ [ + (1)
x
1
x
0
[ [
_
=
(1)
x
0

2
_
(1 + (1)
x
1
x
0
) [0 [ + (1 (1)
x
1
x
0
) [1 [
_
.
5. Measure the rst register. If x
1
= x
0
, then our state is [0 [, so we measure 0
with probability 1. On the other hand, if x
1
,= x
0
, then our state is [1 [, so
we measure 1 with probability 1. Either way, we yield the sum x
0
+ x
1
.
Since Deutschs algorithm invokes the oracle only once, we call it a single-query
algorithm. To solve more sophisticated problems, we will consider multi-query al-
gorithms that invoke the oracle multiple times, either in series or parallel. Also, as
explained earlier, we do not require that our algorithm succeed with probability 1 as
Deutschs algorithm does. Despite these dierences from more advanced algorithms,
Deutschs algorithm showcases the general structure of any quantum algorithm that
solves an oracle problem: prepare a certain state via unitary transforms applied to
[0 . . . 0, apply the oracle to this state, apply more unitary transforms to the post-
oracle state, and nally measure the state to obtain the desired result.
Chapter 2
The Hidden Subgroup Problem
In this chapter we explore the group structure underlying problems in quantum com-
puting, like Deutschs problem, and see how, as in the case of Deutschs algorithm, the
Fourier transform is instrumental in attacking such problems. The Hidden Subgroup
Problem provides a unied framework for describing many of the known quantum
algorithms and for suggesting problems that may admit of some quantum solution.
We recount the state of the art of the Hidden Subgroup Problem here so that in
the next chapter we may build on existing research and develop an algorithm for a
particular case of the problem, relative to certain assumptions about the feasibility
of another proposed algorithm.
2.1 History and overview
The Hidden Subgroup Problem (HSP) was rst introduced by Brassard and Hyer [1]
as a generalization of Simons problem, another early quantum problem. Later it
was seen that not only Simons algorithm, but also Deutschs algorithm and the
most remarkable known quantum algorithm, Shors algorithm for factorizing integers,
all solve special cases of the HSP. Indeed, the key quantum component of Shors
algorithm,
1
the period-nding subroutine, reduces to the HSP for cyclic groups. The
HSP oers an elegant generalization of the task of determining the discrete period of
some unknown function to determining the period of an unknown function that is
periodic over a group; this is why we might expect the Fourier transform to be a
crucial tool. Contemporary research has attempted to nd ecient solutions to the
HSP in the case of non-abelian groups. Several classes of non-abelian groups have
HSPs that are equivalent to seemingly-unrelated, outstanding problems in computer
science, such as the graph isomorphism problem. No general solution to the HSP
exists, and the problem remains an area of active research because it encapsulates
many independently interesting problems and lies on the border of what might be
computationally feasible with a quantum computer.
1
Shors algorithm [22] has two major components: a classical number-theoretic reduction of
factoring to nding the order of an element of the multiplicative group Z

N
, and a quantum algorithm
for order-nding.
14 Chapter 2. The Hidden Subgroup Problem
2.2 Statement of the problem
Denition 2.1. Let G be a nite group, X a nite set, H a subgroup of G, and
f : G X a function such that f(g) = f(g

) if only if g

gH. In other words, f

is constant and distinct on left cosets of H. We say that f hides H. The Hidden
Subgroup Problem (HSP) is, given such an f (and therefore knowledge of G and X),
nd the subgroup that it hides.
The HSP can be realized as an oracle problem in the following manner. Let / be
the set of subgroups of G we are trying to distinguish among, and let F be the set
of all functions f for which there exists some subgroup H / such that f hides H.
For each f F, dene O
f
: CGCX CGCX by
O
f
[g [r = [g [f(g) + r .
Then the HSP asks us to determine the subgroup H hidden by the function f with
as few queries to the oracle O
f
as possible. Usually we assume that / is the set of all
subsets of G, and sometimes we adjust the probability distribution over F to make
each subgroup equally likely to be chosen. We often ignore the particular function
that hides our subgroup and write O
H
:= O
f
, where f is an arbitrary function that
hides H.
Deutschs problem is an instance of the HSP. In particular, if we set G = Z
2
,
X = Z
2
, and the hidden subgroup H to be either the full group Z
2
or the trivial group,
we recover Deutschs problem. The case H = Z
2
corresponds to a sum x
0
+ x
1
= 0,
and the case of H trivial corresponds to a sum x
0
+ x
1
= 1.
Shors problem of nding the order of some element x of the multiplicative group
Z

N
is also an instance of the HSP. Suppose we are given access to the function
f : Z
N
Z

N
dened by f(a) = x
a
(mod N). Then, if the order of x is r, we have
f(a + r) = f(a) for all a Z
N
. So with G = Z
N
and X = Z

N
, we see that the
function f hides the subgroup r.
2.3 The abelian HSP
The abelian HSP has an ecient quantum solution. We will now work through a
solution for a special case of the abelian HSP, namely, the HSP for cyclic groups. Not
only is this algorithm quite elegant, but it also oers a good example of the use of
entanglement in quantum computing and has some structural similarity to the HSP
algorithm for a non-abelian group we will develop in the next chapter.
Theorem 2.2. There exists an ecient quantum algorithm for solving the HSP for
the cyclic group Z
N
.
Proof: We prove this theorem by demonstrating the algorithm. Our presentation
follows Lomont [13], section 3.4. First, realize that the subgroups of G are H
d
:= d
for those d Z
N
such that d [ N. Suppose our hidden subgroup is H
d
and then let
M := N/d. The algorithm repeats the following procedure times, for some constant
, obtaining the samples t
1
, t
2
, . . . , t

as the result of the nal measurement in step 6:

2.3. The abelian HSP 15
1. Prepare the state [0 [0 CZ
N
CZ
N
.
2. Apply (T
N
I) to yield the equal superposition state [ :=
1

N1
j=0
[j [0.
3. Apply O
H
d
to yield
O
H
d
(T
N
I) =
N1

j=0
[j [f
H
d
(j) .
4. Measure the second register. This obtains some value f
H
d
(j
0
), and, thanks to
quantum entanglement, collapses the rst register into an equal superposition
over elements in the coset j
0
+ H
d
. Call the resulting vector [j
0
+ H
d
:
[j
0
+ H
d
=
1

hH
d
[j
0
+ h
=
1

M
M1

s=0
[j
0
+ sd .
5. Apply T
N
again, to give the state
T
N
[j
0
+ H
d
=
1

M
M1

s=0
1

N
N1

k=0
e
2i(j
0
+sd)k/N
[k
=
1

MN
N1

k=0
e
2ij
0
k/N
[k
M1

s=0
e
2isdk/N
.
But then note that, for some xed k,
M1

s=0
e
2isdk/N
=
M1

s=0
_
e
2ik/M
_
s
=
_
0 M k;
M M [ k.
So only those [k that are multiples of M have nonzero amplitudes, and thus
our state is in fact
T
N
[j
0
+ H
d
=
1

d
d1

t=0
e
2ij
0
tM/N
[tM .
6. Measure the state vector. We obtain a random element of 0, M, . . . , (d1)M
with uniform probability.
After repeating the above times, we are left with samples t
1
, . . . , t

, which are all

random multiples of M. It is a well-known fact from number theory that, with high
probability, the greatest common divisor of a few random numbers in 0, . . . , d 1
is 1; for instance, see Lomonts demonstration in [13], Appendix E. In fact, Lomont
16 Chapter 2. The Hidden Subgroup Problem
shows = 8 suces to guarantee that this algorithm succeeds with probability greater
than 1/2. So we take gcd(t
1
, . . . , t
8
) and with high probability get M; we then return
N/M = d and have solved the HSP for Z
N
.
This algorithm can be generalized to work for an arbitrary nite abelian group G.
The following classical result from group theory oers at least a hint of why that is
so:
Theorem 2.3. ( Fundamental Theorem of Finite Abelian Groups, see [6], 5.2)
Any nite abelian group G is isomorphic to the direct product of a nite number of
cyclic groups.
A general solution to the abelian HSP will break G into its cyclic group factors and
apply the above algorithm to these separate factors. Making this idea more precise
is beyond the scope of this chapter; see [13] for the details.
2.4 The non-abelian HSP
There is no known general polynomial-time solution to the non-abelian HSP, but
the HSP has been eciently solved for certain classes of non-abelian groups such as
almost abelian groups [24], nearly Hamiltonian groups [9], the wreath product
Z
n
2
/ Z
2
[18], certain groups of the form Z
n
p
k
Z
2
[19], groups of the form Z
r
p
Z
p
[3],
and so on.
Almost all known algorithms for the non-abelian HSP emulate the abelian HSP
algorithm presented in the last section by following the so-called Standard Method.
The Standard Method proceeds as follows:
1. Prepare an equal superposition over group elements in the rst register and [0
in the response register:
[ :=
1
_
[G[

gG
[g [0 .
2. Apply O
f
H
:
O
H
[ =
1
_
[G[

gG
[g [f
H
(g) .
3. Measure the second register in order to collapse the rst into [gH, an equal
superposition over some coset gH for a random g G:
[gH :=
1

hH
[gh .
Then repeat the above steps times in parallel, obtaining samples [g
1
H , . . . [g

H,
and attempt to determine H from these coset states. Again, almost all HSP research
has focused on the Standard Method, but there is no proof that this approach is
2.4. The non-abelian HSP 17
optimal. At any rate, the HSP algorithm for a non-abelian group we develop in the
next chapter will employ the Standard Method.
The HSP for the symmetric group and the HSP for the dihedral group are of
particular interest because of their connections to other problems in computer sci-
ence. An ecient solution to the symmetric group HSP would imply a solution to
the notorious graph isomorphism problem [7]. The graph isomorphism problem is
one of only a handful of NP problems, like integer factorization, that are neither
believed to be in P nor believed to be NP-complete.
2
Thus there is some hope that
an ecient quantum algorithm for graph isomorphism exists because the problem is
well-structured in a way that may be particularly suited to quantum computing.
Nevertheless, researchers have so far been unable to nd an ecient algorithm for the
symmetric group HSP.
An ecient solution to the dihedral HSP would imply a solution to a class of
shortest vector problems in lattices [16]. The supposed intractability of these shortest
vector problems is the basis for certain proposed cryptography systems; thus, there
is considerable practical interest in developing a quantum dihedral HSP algorithm.
As in the case of the symmetric group, there is no known ecient solution to the
dihedral HSP. However, there are many partial results. Regev [16] has shown that
an ecient, approximate solution to the subset sum problem (dened formally in
section 3.6) implies an ecient solution to the dihedral HSP. Kuperburg [12] dis-
covered a subexponential, but not polynomial, time algorithm for the dihedral HSP.
Bacon et al. [3] showed that, under the assumption of the Standard Method, a general
measurement technique for distinguishing quantum states, the so-called Pretty Good
Measurement, is optimal for the dihedral HSP. Further, in [4] they extend the results
of Regev and show that the ability to implement the Pretty Good Measurement for
the dihedral HSP is equivalent to the ability to quantum sample solutions to the
subset sum problem.
In the next chapter, we build on the work of Bacon et al. and show that their
proposed algorithm for the dihedral HSP, which assumes a kind of quantum subset
sum solver, in fact applies to a much broader class of groups. The dihedral group
D
n
is the group of symmetries of a regular n-gon, but can also be envisioned more
abstractly as a semidirect product Z
N
Z
2
. The algorithm in the next chapter applies
to arbitrary semidirect products of a cyclic group by a prime cyclic group. The fact
that the dihedral algorithm of Bacon et al. [4] readily generalizes to Z
N
Z
p
(for
xed p) may suggest that the assumption of an ecient quantum subset sum solver
is too strong, and that no such algorithm exists. Regardless, the connection between
the HSP for Z
N
Z
2
and for Z
N
Z
p
is worth demonstrating.
2
The complexity class P consists of decision problems that can be solved in polynomial time (i.e.,
those admitting what we have termed an ecient solution). The complexity class NP consists of
decision problems whose solutions can be veried in polynomial time. NP-complete problems are,
roughly, the hardest problems in NP. For a technical treatment of computational complexity, see
[23], chapter 7.
Chapter 3
The HSP for Z
N
Z
p
In this chapter we present original research. The major theorem of this chapter is the
following:
Theorem 3.1. If there is an ecient implementation of the Pretty Good Measure-
ment for the dihedral HSP, there is an ecient quantum algorithm that solves the
HSP for Z
N
Z
p
, with N any natural number and p prime.
We prove this theorem by demonstrating such an algorithm. Ettinger and Hyer [8]
have reduced the dihedral HSP to the problem of nding a hidden trivial subgroup
or hidden order 2 subgroup. Bacon et. al. [3] generalized this reduction by reducing
the HSP over A Z
p
to nding a hidden trivial subgroup or hidden cyclic order
p subgroup. They then apply the Pretty Good Measurement and discover ecient
algorithms for several classes of semidirect product groups, including the metacyclic
group Z
N
Z
p
, provided that N/p is poly(log(N)).
Here we consider the hidden subgroup problem on Z
N
Z
p
with N/p super-
polynomial in the logarithm of N. We generalize an algorithm presented in Asif
Shakeels PhD thesis [21] for the dihedral group (which can be realized as Z
N
Z
2
)
to Z
N
Z
p
. The dihedral algorithm Shakeel presents comes from another paper
by Bacon et. al. [4] Our algorithm, as in the dihedral case, assumes that we can
eciently quantum sample solutions to the subset sum problem, which is known to
be NP-complete. Bacon et. al. [4] show that being ample to implement the Pretty
Good Measurement for the dihedral HSP implies the ability to quantum sample subset
sum solutions.
3.1 The metacyclic group Z
N
Z
p
Let p be a prime and N any integer. The metacyclic group G := Z
N
Z
p
is presented
as a, b [ a
p
= b
N
= e, aba
1
= b
k
for some k such that k
p
= 1 (mod N). From now
on we write Z
N

k
Z
p
to stress that the conjugation factor k is necessary to precisely
specify the group and that we always have knowledge of k. Note that k = 1 gives
the direct product, an abelian group whose HSP has been eciently solved, so we
assume k ,= 1. Also, k = 1 is only possible for p = 2; in this case, we have the
20 Chapter 3. The HSP for Z
N
Z
p
dihedral group whose HSP is the subject of [21], so we assume further that k ,= 1.
Of course, k Z

N
.
We will write G = (x, y) Z
p
Z
N
, with multiplication given by
(x

, y

) (x, y) = (x + x

, k
x
y

+ y).
(N.B.: In keeping with Shakeels presentation of the dihedral algorithm, we have
chosen to write the pairs (x, y) G with the rst coordinate corresponding to Z
p
and
the second corresponding to Z
N
, even though the notation Z
N

k
Z
p
might suggest
the opposite is more natural.)
Following the notation of Bacon et. al., for convenience we dene
j
Z
N
as

j
:=
j1

i=0
k
i
.
Dene the subgroups
H
l
:= (1, l) = (0, 0), (1, l), . . . , (p 1, (k
p2
+ + 1)l) = (a,
a
l)
p1
a=0
,
for l Z
N
such that
p
l = 0. These distinct order p subgroups will be the subgroups
we are trying to distinguish. By the reduction of Bacon et. al., distinguishing these
is enough to solve the HSP (because, as they explain, we can identify the trivial
subgroup in a constant number of queries).
It will be useful to consider the characters of both Z
p
and Z
N
, so dene
:= e
2i/p
,
:= e
2i/N
.
3.2 Overview of the algorithm
Our algorithm is presented in two parts: single-query and multi-query. We run the
single-query algorithm in parallel many times. Each run may result in success or
failure. The input to the multi-query algorithm is the tensor product of j copies of
successful single-query runs.
We assume that CG is encoded into our quantum computer in a reasonable way
so that we may write [(x, y) in two registers as [x [y. With this assumption, it is
easy to create the equal superposition state:
(T
p
T
N
I) [0 [0 [0 =
1

pN
p1

j=0
N1

m=0
[j [m [0
=
1
_
[G[

gG
[g [0 .
3.2. Overview of the algorithm 21
Each single-query iteration follows the Standard Method. The Standard Method
calls the oracle on an equal superposition of all group elements in the query register
and zero in the response register:
O
H
l
_
1
_
[G[

gG
[g [0
_
=
1
_
[G[

gG
[g [f
H
l
(g) .
We then measure the response register to collapse to the state
[gH
l
:=
1

hH
l
[gh ,
for a random g G. Suppose g = (x, y). Then we have
[gH
l
=
1

p
p1

j=0
[x + j [k
j
y +
j
l .
By applying a series of quantum Fourier transforms and measurements to [gH
l
,
we are able, with a probability dependent only on p, to yield the state
[ =
1

pN
p1

j=0
N1

m=0

(k
j
y+
j
l)m
[m .
We then use a partial measurement to collapse [

into the space

V

= C[ +C[k +C[ +C[k ,

for some Z
N
and sum the amplitudes in the [ and [k components and the
amplitudes in the [ and [k components to yield the state
[

=
1

2
(
l/2
[ +
l/2
[).
This state is the same state Shakeel reaches at the end of one run of the single-
query algorithm he presents for the dihedral group. Accordingly, we take the tensor
product of many copies of [

for random values of and plug them into the multi-

query algorithm, which proceeds exactly as in the dihedral case. With a subset sum
solver we can identify l with high probability with only O(log(N)) queries.
Figures 3.1 and 3.2 on the next page present diagrams of quantum circuits imple-
menting the single-query and multi-query algorithms respectively.
22 Chapter 3. The HSP for Z
N
Z
p

Z
p
[
i

Z
N
[
j

[
0

O
H
l
T
p
T
N
[

R
e
j
e
c
t
i
f

,=
0

R
e
j
e
c
t
i
f

R
r
S
u
m
a
m
p
l
i
t
u
d
e
o
f
[

,
[

;
o
f
[

,
[
k

.
[

F
i
g
u
r
e
3
.
1
:
T
h
e
S
i
n
g
l
e
-
Q
u
e
r
y
A
l
g
o
r
i
t
h
m
[

... ...

=
(

1
,
.
.
.
,

j
)
S
u
b
s
e
t
s
u
m
s
o
l
v
e
r
M
a
k
e
t
h
e
i
d
e
n
t
i

c
a
t
i
o
n

[
b
m

S
z
[

[
z

1
2
N
l
o
r
l
+
N
F
i
g
u
r
e
3
.
2
:
T
h
e
M
u
l
t
i
-
Q
u
e
r
y
A
l
g
o
r
i
t
h
m
3.3. Preliminaries 23
3.3 Preliminaries
As explained in the overview, in the single query-algorithm we need to project the
vector [ into the space V

for some Z
N
. The spaces V

over all Z
N
clearly
overlap. The aim of this section is to show how we can nevertheless project [

into
these subspaces, and in particular collapse [ into V

with a random element of a

large subset of Z
N
.
First we need the following result about the eect of multiplication by k on an
element of Z
N
:
Claim 3.2. For each m Z
N
, either km = m or k
j
m ,= m for any 0 < j < N.
Proof: Fix some m Z
N
and let j be the smallest positive integer such that k
j
m =
m. Then note k
p
m = m = k
j
m and k
j
has a multiplicative inverse, so in fact
k
pj
m = m. We can repeatedly multiply by k
j
to arrive at k
r
m = m for r < j. But
by the minimality of j, it follows that r = 0. Thus j divides p, which means j = 1 or
j = p.
The m Z
N
such that km = m are in some sense badly behaved for our purposes;
accordingly, dene the set
Z

N
:= m Z
N
: km ,= m.
If we set q := N/gcd(N, k 1), then Z

N
= m Z
N
: m ,= qy for all y Z
N
. In
particular, q 2, so [Z
N
[
N
2
. For N prime, Z

N
= Z
N
0.
For each m Z
N
, dene the set
O
m
:= m, km, k
2
m, . . . , k
p1
m.
Obviously the O
m
partition Z
N
. By the above claim, for m Z

N
, we have [O
m
[ = p
and for m Z
N
Z

N
, we have [O
m
[ = 1. Note that m Z

N
if and only if m Z

N
,
and that O
m
and O
m
are disjoint unless m is 0 or N/2, which are never elements
of Z

N
. The spaces V

that we wish to project into are subspaces of C(O

m
O
m
).
We now explain how to associate one V

to each O
m
O
m
by choosing a random
representative of this set every single-query iteration.
For i j with i, j Z, dene the operator ord
j
a
1
, . . . , a
i
to be the jth element of
the set a
1
, . . . , a
i
when ordered from least to greatest. We will take a
1
, . . . , a
i
Z
N
with the order dened as 0 < 1 < < N 1. For each iteration of the single-query
algorithm, choose the number r randomly from 1, . . . , 2p. We then dene the set
of representatives R
r
as
R
r
:= m Z

N
: ord
r
(O
m
O
m
) = m.
Checking membership in the set of R
r
is classically ecient since it takes poly(p)
steps. Thus we can also eciently compute the function g : Z
N
Z
N
, dened as
g(m) =
_

_
m : m R
r
km : km R
r
m : m R
r
km : km R
r
m : otherwise.
24 Chapter 3. The HSP for Z
N
Z
p
In the single-query algorithm, we will create the vector
[ =
1

pN
p1

j=0
N1

m=0

(k
j
y+
j
l)m
[m .
for a random y Z
N
. With an auxiliary qubit of [0, we will apply the transform
: CZ
N
CZ
N
CZ
N
CZ
N
dened as
: [m [s [m [g(m) + s ,
to [ and then measure the second register to hopefully project this vector into one
of the states
V

:= C[ +C[k +C[ +C[k ,

for R
r
.
Example 3.3. In the case of N = 13, p = 3, k = 3, and r = 1, we have R
r
= 1, 2
with
V
1
= C[1 +C[10 +C[12 +C[3 ,
V
2
= C[2 +C[7 +C[11 +C[6 .
The left over spaces are C[0, C[4, C[5, C[8 and C[9.
Claim 3.4. For m Z
N
, dene,
prob
avg
(m) :=
1
pN
2
N1

y=0

p1

j=0

(k
j
y+
j
)l)m

2
.
Note that prob
avg
is the average probability, over all values of y, of measuring the
value m if we were to measure [. We claim that prob
avg
(m) =
1
N
for m Z

N
.
Proof: We compute
1
pN
2
N1

y=0

p1

j=0

(k
j
y+
j
l)m

2
=
1
pN
2
N1

y=0
_
p1

j=0

(k
j
y+
j
l)m
_

_
p1

j=0

(k
j
y+
j
l)m
_
=
1
pN
2
N1

y=0
_
_
p + 2

i>jZp
Re
_

(k
i
y+
i
l)m

(k
j
y+
j
l)m
_
_
_
=
1
N
+
2
pN
2
N1

y=0

i>jZp
Re
_

(k
i
y+
i
lk
j
y
j
l)m
_
.
3.4. Single-query algorithm 25
Fix some i > j Z
p
. We wish to show
N1

y=0
Re
_

(k
i
y+
i
lk
j
y
j
l)m
_
= 0.
Of course, it suces to show
N1

y=0

(k
i
y+
i
lk
j
y
j
l)m
= 0.
Then note
N1

y=0

(k
i
y+
i
lk
j
y
j
l)m
=
N1

y=0

(k
i
k
j
)my
,
for some C. But since km ,= m, we know (k
i
k
j
)m ,= 0. So set r := gcd((k
i

k
j
)m, N). Then
(k
i
k
j
)m
is a primitive rth root of unity, and thus
N1

y=0

(k
i
k
j
)my
=
N
r
r1

y=0

(k
i
k
j
)my
= 0,
which nishes proof of the claim.
With this claim established, it follows that the probability that measuring the
second register projects [ into a particular V

for R
r
is
4
N
. In order to
compute how likely we are to project [ into any V

, we must consider the size

of R
r
. We established previously that [Z

N
[
N
2
, and since [O
m
O
m
[ = 2p for all
m Z

N
, we have that [R
r
[
N
4p
|. Thus the probability of projecting into some V

is greater than or equal to

4
N

N
4p
|
1
p
. For N prime, this probability is actually
2(N1)
Np

2
p
. We can know when we have successfully projected into a V

since we
know r and we know , so we can check if R
r
. If we do not succeed we throw
away that run of the single-query algorithm. When we do succeed, we have that
is a random element of O
m
O
m
for a random m Z

N
. Thus, since the size of all
these O
m
are the same and they partition Z

N
, we have in fact chosen uniformly at
random from Z

N
.
3.4 Single-query algorithm
The Standard Method gives
[gH
l
=
1

p
p1

j=0
[x + j [k
j
y +
j
l .
Apply T
p
I:
(T
p
I) [gH
l
=
1
p

N
p1

j=0
_
p1

s=0

(x+j)s
[s
_
[k
j
y +
j
l .
26 Chapter 3. The HSP for Z
N
Z
p
Measure the rst tensor factor in the computational basis, and call this result
Z
p
. The probability that we measure = 0 is given by
Pr( = 0) =
1
p
2
p1

j=0
[
0
[
2
=
1
p
.
Assume = 0; the state post-measurement becomes
1

p
p1

j=0
p1

s=0
[k
j
y +
j
l .
Apply T
N
and call the resulting vector [; we have
[ =
1

pN
p1

j=0
N1

m=0

(k
j
y+
j
l)m
[m .
Now, as explained in the previous section, we generate the random number r and
use an auxiliary qubit of [0 to apply the transform :
[ =
1

pN
p1

j=0
N1

m=0

(k
j
y+
j
l)m
[m [g(m) .
We then measure the second register to hopefully project into the spaces V

.
Assume we measure R
r
and call the resulting vector [

. We have, for a
moment ignoring the global normalization scalar,
[

=
p1

j=0

(k
j
y+
j
l)
[ +
p1

j=0

(k
j
y+
j
l)k
[k
+
p1

j=0

(k
j
y+
j
l)
[ +
p1

j=0

(k
j
y+
j
l)k
[k .
We will now use an auxiliary qubit, which will be [0 for the [ and [ factors,
and [1 for the [k and [k factors, i.e. we have
[

=
p1

j=0

(k
j
y+
j
l)
[ [0 +
p1

j=0

(k
j
y+
j
l)k
[k [1
+
p1

j=0

(k
j
y+
j
l)
[ [0 +
p1

j=0

(k
j
y+
j
l)k
[k [1 .
We now perform a controlled permutation on the rst register that sends [k
to [ and [k to [ if the second register is [1 and acts as the identity if the
3.4. Single-query algorithm 27
second register is [0. We then we apply a Hadamard transform on the second register.
Calling the resulting vector [

, we have
[

=
p1

j=0

(k
j
y+
j
l)
[ [+ +
p1

j=0

(k
j
y+
j
l)k
[ [
+
p1

j=0

(k
j
y+
j
l)
[ [+ +
p1

j=0

(k
j
y+
j
l)k
[ [ .
Measure the second register in the computational basis. Suppose we measure 0.
Then, calling the result [

, we have
[

=
p1

j=0

(k
j
y+
j
l)
+
(k
j
y+
j
l)k
[
+
p1

j=0

(k
j
y+
j
l)
+
(k
j
y+
j
l)k
[
Clearly these two amplitudes are conjugates of one another and thus the compo-
nents have the same magnitude. But also note that we have
p1

j=0

(k
j
y+
j
l)
+
(k
j
y+
j
l)k
= c
l/2
,
for some c R. To see this, recall that
j
l = 0 and perform the following computa-
tion:

y
+
(ky+l)
+ +
(k
p1
y+(k
p2
++1)l)
+
ky
+
k(ky+l)
+ +
k(k
p1
y+(k
p2
++1)l)
=
l
(
(y+k
p1
l++kl)
+
ky
+ +
(k
p1
y+k
p2
l++kl)
)
+ (
ky
+
(k
2
ykl)
+ +
(yk
p1
lkl)
)
=
l
z + z
for some z ,= 0 C. (We have z ,= 0 because otherwise we would not have projected
into V

.) But then observe that

l
z + z =
l/2
(
l/2
z +
l/2
z)
=
l/2
( + )
for some ,= 0 C, and of course ( + ) R. So the state in fact projects to
[

=
1

2
_

l/2
[ +
l/2
[
_
.
28 Chapter 3. The HSP for Z
N
Z
p
Note that ( + ) ,= 0, because otherwise we would not have measured 0 in the
auxiliary register. So suppose instead we measure 1. We have
[

=
p1

j=0

(k
j
y+
j
l)

(k
j
y+
j
l)k
[
+
p1

j=0

(k
j
y+
j
l)

(k
j
y+
j
l)k
[ .
Substantially similar calculations to the previous case show that
[

=
i

2
_

l/2
[ +
l/2
[
_
.
But we can correct for the global phase by applying the transform [m i [m, so
in fact we have
[

=
1

2
_

l/2
[ +
l/2
[
_
.
3.5 Multi-query algorithm
To reach the state
1

2
(
l/2
[ +
l/2
[), we need = 0 and R
r
. Call such
a run of the single-query algorithm a successful run. Our input into the multi-query
algorithm will be the tensor product of j successful runs; that is, we start with the
tensor product of j samples of these [

s. We will use the vector := (

1
, . . . ,
j
)
(Z

N
)
j
to index the s. So our state at the beginning of the multi-query algorithm is
[

:=
j

m=1
[

m
,
for some chosen uniformly at random among elements of (Z

N
)
j
.
We now introduce a version the subset sum problem and demonstrate its connec-
tion to our HSP algorithm.
Denition 3.5. Let

b = (b
1
, . . . , b
k
) be an element of 1, 1
j
and dene

b :=
j

m=1
b
m

m
(mod 2N).
For any z Z
2N
, we dene

S

z
:=

b 1, 1
j
:

b = z.
The signed subset sum problem is, given some and z, nd the set

S

z
.
3.5. Multi-query algorithm 29
With this subset sum notation, we can write our vector [

in a more sophisti-
cated way:
[

=
1

2
(

1
l/2
[
1
+

1
l/2
[
1
)
1

2
(

j
l/2
[
j
+

j
l/2
[
j
)
=

b{1,1}
j
1

2
j

b l/2
j

m=1
[b
m

=
1

2
j

zZ
2N

zl/2

S

z
j

m=1
[b
m

m
.
Since the vector is known to us, it makes sense to identify

j
m=1
[b
m

m
with
[

b. Under this identication we have

[

=
1

2
j

zZ
2N

zl/2

S

z
[

b .
Now we will suppose we have a solution to the signed subset sum problem. The
sets

S

z
form a partition of all the

b 1, 1
j
, so for any z ,= z

Z
2N
, the vectors

S

z
[

b and

S

z

b are orthogonal. Dene n

z
:= [

S

z
[ and dene
Z

:= z Z
2N
: n

z
,= 0.
Then the vectors (1/
_
n

z
)

S

z
[

b for z Z

are orthonormal, so we can nd some
unitary transformation that sends (1/
_
n

z
)

S

z
[

b [z. In order to apply the

transform we need to be able to quantum sample subset sum solutions; that is, we
need to be able to create an equal superposition over all vectors

b such that

b = z
for any z Z
2N
. Applying , we have
[

=
1

2
j

zZ

_
n

z

zl/2
[z .
We apply the inverse quantum Fourier transform on Z
2N
:
T
1
2N
[

=
1

2
j
1

2N

yZ
2p
_

zZ

_
n

z

zl/2

zy/2
_
[y
=
1
_
2
j+1
p

yZ
2N
_

zZ

_
n

z

z(ly)/2
_
[y .
Measure in the computational basis. Note that when we plug in y = l, we get

z(ly)/2
= 1. When we plug in y = l + N, we get
z(ly)/2
= e
iz
, which is 1 if z is
30 Chapter 3. The HSP for Z
N
Z
p
even and 1 if z is odd. Our success probability is the probability of measuring l or
l + N (from which we can obtain l since we know N):
p
succ,
=
1
2
j+1
N
_

zZ
2N
_
n

z
_
2
+
1
2
j+1
N
_

zZ
N
_
n

2z

zZ
N
_
n

2z+1
_
2
Since 2N is even, the elements of Z

are either all even or all odd. Thus we have
p
succ,
=
1
2
j
N
_

zZ
2N
_
n

z
_
2
.
Our is chosen uniformly at random from (Z

N
)
j
. So our overall probability of
success is
p
succ
=
1
2
j
N[Z

N
[
j

(Z

N
)
j
_

zZ
2N
_
n

z
_
2
.
3.6 Analysis of probability of success
In analyzing this probability of success, it will help to consider another, more standard
version of the subset sum problem which is in fact equivalent.
Denition 3.6. Let

d = (d
1
, . . . , d
k
) be an element of 0, 1
j
and dene

d :=
j

m=1
d
m

m
(mod N).
For any z Z
N
, we dene
S

z
:=

d 0, 1
j
:

d = z.
The standard subset sum problem is, given some and z, nd the set S

z
.
As stated earlier, the elements of Z

are either all even or all odd. Consider
only the w Z
2N
of the same parity as elements in Z

. Then there is a bijection
between the sets

C

w
and the sets S

z
for z Z
N
that preserves cardinalities. For any

b 1, 1
j
, let

d be given by d
i
= 0 b
i
= 1 and d
i
= 1 b
i
= 1. Note that

b = (1, . . . , 1) +2(

d ). So if we let z :=

d and c := (1, . . . , 1) , we
have [

C

2z+c
[ = [S

z
[.
Thus, dening n

z
:= [S

z
[, we can write the probability of success of the multi-
query algorithm as
p
succ
=
1
2
j
N[Z

N
[
j

(Z

N
)
j
_

zZ
N
_
n

z
_
2
. (3.1)
Our probability of success is very similar to that of Bacon et. al. [4] However,
whereas their is chosen uniformly at random from Z
j
N
, ours is chosen from (Z

N
)
j
.
We must show that this does not matter and that the

ds spread out evenly among
the S

z
for j on the order of log(N).
3.6. Analysis of probability of success 31
3.6.1 A lemma on the distribution of

ds
Lemma 3.7. For a xed z Z
N
and uniformly random from (Z
N
0)
j
, dene
(j) := Pr
_
n

z

3
4
_
2
j
N
__
.
Then we have (j) 0.99 for j 2 lg(N) + 10.
We rst recap some work done in Regev [16]. Fix some z Z
N
, and consider a
uniformly random Z
j
N
. For each

d 0, 1
j
, with

d ,= 0
j
, we dene the random
variable X

d
to be 1 if

d = z and 0 otherwise. Because the sum

i
d
i
u
i
(mod N) is
every value with equal probability, we have E
_
X

=
1
N
. Thus E[n

z
] E
_
X

E
_
X

=
2
j
1
N
. Further, Regev shows that for any

d ,=

d

, the variables X

d
and
X

are independent. Thus we can apply the Cherno bound to give

Pr
_

d
<
_
3
4
_
2
j
1
N
_
e

(2
j
1)
32N
.
Note that n

z
is either

d
or

d
+ 1, so

d
<
_
3
4
_
2
j
1
N
implies that
n

z
<
_
3
4
_
2
j
N
. So let us dene (j) := Pr
_
n

z

_
3
4
_
2
j
N
_
. Then we have
(j) 1 e

(2
j
1)
32N
. (3.2)
Claim 3.8. A little combinatorial work shows that
(j) =
j

i=0
_
j
i
_
(N 1)
i
N
j
(i). (3.3)
Proof: For i = 0, , j, let
i
be a random element of of Z
j
N
that has exactly
i entries not equal to 0. The probability that n

z
is greater than
3
4
_
2
j
N
_
is the sum
of the probabilities of that same event for each of the
i
, weighted by their relative
proportion; i.e., we have
(j) =
j

i=0
_
j
i
_
(N 1)
i
N
j
Pr
_
n

i
z

3
4
_
2
j
N
__
.
Let
i
be a random element of (Z
N
0)
i
. Without loss of generality, we may
assume
i
=
i
+0
ji
, where addition denotes tuple concatenation. Then consider any

d in n

i
z
. For any

d

0, 1
ji
, we have that (

d+

d

) is an element of n

i
z
. Conversely,
any

d in n

i
z
corresponds to some

d

in n

i
z
if we drop its last (j i) components.
Thus n

i
z
= 2
ji
n

i
z
. So Pr
_
n

i
z

3
4
_
2
j
N
__
= Pr
_
n

i
z

3
4
_
2
i
N
__
= (i), establishing
our claim.
32 Chapter 3. The HSP for Z
N
Z
p
Of course 0 (i) 1 for all i = 0, . . . , j 1, so (3.3) gives us
(j) 1 (1 (j))
_
N
N 1
_
j
.
Using (3.2) and the fact that
N
N1
2, this becomes
(j) 1
2
j
e
2
j
1
32N
.
If j 2 lg(N) + 10 then
(j) 1
2
10
N
2
e
16
e
N
,
and since
N
2
e
N
1 for all N 2, we have our result.
3.6.2 N prime
In the case of N prime, Z

N
= Z
N
0. Then by Cauchys inequality applied to (3.1),
we have
p
succ

1
2
j
N
_
_
1
(N 1)
j

(Z
N
\{0})
j

zZ
N
_
n

z
_
_
2
. (3.4)
But by Lemma 3.7, for any z Z
N
, with j 2 lg(N) + 10,
1
(N 1)
j

(Z
N
\{0})
j
_
n

z

3
4
_
2
j
N
_
Pr
_
n

z

3
4
_
2
j
N
__
(0.99)

3
4
_
2
j
N
_
. (3.5)
So, combining (3.4) and (3.5), we have
p
succ

1
2
j
N
_

zZ
N
(0.99)

3
4
_
2
j
N
_
_
2
= (0.99)
2
3
4
>
2
3
.
3.6.3 General N
Recall that Z

N
= z Z
N
: z ,= qy for all y Z
N
. Fix some z Z
N
and
let (Z

N
)
j
be uniformly random. We can represent each component of as

i
=
i
q +
i
, where the
i
is a random element of 0, . . . , N/q and the
i
is a
random element of 1, . . . , q 1. Then

d =

i
d
i

i
(mod N) = q + (

i
d
i

i
(mod q)), where is a random element of 0, . . . , N/q.
If we let n

z
=

d 0, 1
j
:

d (mod q) = z (mod q), then Lemma 1 gives us
Pr
_
n

z

3
4
_
2
j
q
__
0.99, (3.6)
3.7. Conclusion 33
for j 2 lg(q) + 10.
But then note that the event

d (mod q) = z (mod q) and the event (

d )/q| =
z/q| are independent, because (

d )/q| takes on every value in 0, . . . , N/q with

equal probability regardless of what the
i
are.
For each

d n

z
, let X

d
be a random variable, and dene X

d
= 1 if (

d )/q| =
z/q| and X

d
= 0 otherwise. Again, (

d )/q| takes on every value in 0, . . . , N/q

with equal probability, so E
_
X

=
q
N
. Furthermore, we claim that for any

d ,=

d

the
variables X

d
and X

are independent. For instance, consider the probability that X

d
and X

are both 1. Assume without loss of generality that d

1
= 1 while d

1
= 0. In
this case, (

d )/q| is z/q| with probability q/N for any

2
, . . . ,
j
, and (

)/q|
does not depend on
1
, so the probability X

d
and X

are both 1 is just (q/N)

2
.
Similar arguments work for other values of X

d
and X

.
Of course n

z
=

d n

z
X

d
. Thus we apply the Cherno bound, and we have
Pr
_
n

z

5
6
_
q n

z
N
__
1 e

q n

z
72N
. (3.7)
So, combining (3.6) and (3.7), we have
Pr
_
n

z

5
8
_
2
j
N
__
Pr
_
n

z

5
6
_
q n

z
N
_

n

z

3
4
_
2
j
q
__
Pr
_
n

z

3
4
_
2
j
q
__

_
1 e

2
j
96N
_
(0.99) > (0.99)
2
> 0.98,
for j 2 lg(N) +10. Then the same calculations as in the case of N prime show that
p
succ
(0.98)
2
5
8
> 0.6.
3.7 Conclusion
To successfully identify the hidden subgroup H
l
with probability greater than some
xed constant greater than 1/2, we need O(log(N)) successful runs. We measure
= 0 with probability 1/p and we measure R
r
with probability at least 1/p,
so we need only O(p
2
log(N)) queries to yield O(log(N)) successful runs. But since
N/p ,= poly(log(N)), this is just O(log(N)) queries. Thus we have presented an
ecient algorithm for solving the HSP on Z
N

k
Z
p
under the assumption that we
can eciently quantum sample solutions to the subset sum problem. We remark
that, as in the case of the dihedral HSP, the subset sum solver is required only for
the multi-query algorithm and that the single-query algorithm may be independently
of interest.
Chapter 4
Representation Theory and the
HSP for Z
N
Z
p
In the previous chapter we presented an ecient algorithm for solving the HSP for
Z
N

k
Z
p
under the assumption that there is an ecient implementation of the Pretty
Good Measurement for the dihedral HSP. Our approach was to mimic the algorithm
of Bacon et al. [4] for the dihedral group wherever possible; however, we provided
no justication for many steps of our procedure. In this chapter, we motivate some
of our decisions from the perspective of representation theory. In particular, we give
some reasons for why it is appropriate to apply a series of Fourier transforms on each
component and why we would want to project our state into a subspace of CZ

N
. For
a quick overview of the representation theory of nite groups used in this section, see
Appendix A.
4.1 The Fourier transform over a group
Earlier we considered the discrete Fourier transform, but it is in fact possible to dene
the Fourier transform over any arbitrary nite group. We shall see that the Fourier
transform over the cyclic group Z
N
is exactly the discrete Fourier transform dened
in chapter 1. Let G be a nite group and let

G be a complete set of inequivalent
irreducible representations of G (see Fact A.5 for the denition of a complete set of
irreps). Note that the Fourier transform over a group depends, as the denition below
makes clear, on the set

G of irreducible representations we choose. Dene the Fourier
coecients [(g)]
a,b
, for g G and

G of dimension d

with 1 a, b d

, to bet
the (a, b)th entry of the matrix (g).
Denition 4.1. The quantum Fourier transform over a nite group G, T
G
, acts on
a basis of CG by
T
G
[g =

1a,bd

[G[
[(g)]
a,b
[, a, b .
36 Chapter 4. Representation Theory and the HSP for Z
N
Z
p
The sum of the squares of the dimensions of the irreps equals the size of the group
(see Fact A.5), so it is easy to see that there are the same number of basis vectors
[, a, b as [g. For an overview of the quantum Fourier transform over a group,
and its applications to the HSP, see the masters thesis of Jean-Noel Murphy [14].
Murphy shows that T
G
is indeed a unitary transform, and thus in principle could be
implemented by a quantum computer. However, there is no guarantee that there is
an ecient way of implementing the Fourier transform for an arbitrary group G; that
is, there is no known general decomposition of T
G
into a product of only a few simple
transforms. Ecient implementations of the quantum Fourier transform do exist for
many families of groups; see [17] for the cases of Abelian groups, the dihedral group,
and the symmetric group.
All known ecient quantum solutions to the HSP for a group G are essentially
based on the quantum Fourier transform over G. To see where the Fourier transform
comes into play, we redo some computations in Childs and van Dam [2], sections VI A
and VII C.
Denition 4.2. The right regular representation R: G GL
|G|
(C) acts on a basis
of CG by:
R(g
1
) [g
2
= [g
2
g
1
1
.
Theorem 4.3. Recall that [gH is the coset state that results from the Standard
Method applied to the HSP. Dene,

H
:=
1
[G[

gG
[gH gH[
to be the statistical ensemble (or mixed state) over all [gH for all possible g G.
Then the Fourier transform over G block-diagonalizes
H
, from which we sample as
part of the Standard Method.
Proof : We will show rst that the Fourier transform T
G
breaks R into its ir-
reducible components. If we write R(g
1
) =

g
2
G
[g
2
g
1
1
g
2
[, and dene

R(g
1
) =
T
G
[g
1
T

G
, then we can compute

R(g
1
) =

g
2
G
T
G
[g
2
g
1
1
g
2
[ T

G
=

g
2
G

G
d

a,b=1
d

,b

=1
_
d

[G[
[(g
2
g
1
1
)]
a,b
[

(g
2
)]
a

,b
[, a, b

, a

, b

[
=

g
2
G

G
d

a,b,c=1
d

,b

=1
_
d

[G[
[(g
2
)]
a,c
[(g
1
1
)]
c,b
[

(g
2
)]
a

,b
[, a, b

, a

, b

[
=

G
d

a,b,c=1
[, a, b [(g
1
)]
c,b

, a

, b

[
=

G
(I
d
(g
1
)),
4.2. Irreducible representations of Z
N

k
Z
p
37
where I
d
is the d

identity matrix, and we have used the orthogonality of

irreducible representations (see Lemma A.6) in the third line. We can write the coset
state [gH that results from the Standard Method as [gH =
1
|H|

hH
R(h) [g. Then
the mixed state
H
is

H
=
1
[G[ [H[

gG

h
1
,h
2
H
R(h
1
) [g g[ R

(h
2
)
=
1
[G[ [H[

h
1
,h
2
H
R(h
1
h
1
2
)
=
1
[G[

hH
R(h).
The upshot of this computation is that, since the Fourier transform over G block
diagonalizes R, it is also the case that T
G
block diagonalizes
H
.
We now will demonstrate that our HSP algorithm employs the Fourier transform
over Z
N

k
Z
p
, although we have previously not described it in those terms. Therefore
we must investigate representations of Z
N

k
Z
p
and work out explicitly how the
Fourier transform over Z
N

k
Z
p
acts.
4.2 Irreducible representations of Z
N

k
Z
p
We now compute the irreducible representations of G := Z
N

k
Z
p
. We follow Serre
[20], section 8.2, which explains how to use Mackeys criterion to construct the ir-
reducible representations of a semidirect product by an abelian group from repre-
sentations of the component groups. See Serre for a precise statement of Mackeys
criterion.
Let X = Hom(Z
N
, C

) be the group of irreducible representations of Z

N
. The
elements of X are
m
for 0 m N 1, where
m
is determined by
m
(1) =
m
for some primitive Nth root of unity . The group G acts on X by
(g)(y) = (g
1
yg) for g G, X, y Z
N
.
We are interested in the orbits of X under Z
p
(considered as a subgroup of G). Fix
some
m
X. Then
((x, 0)
m
)(0, 1) =
m
((x, 0) (0, 1) (x, 0)) =
m
(0, k
x
) =
mk
x
.
Thus we see that ((x, 0)
m
) =
mk
x. There are two cases to consider. If km =
m, then the orbit of
m
under Z
p
is just
m
. If km ,= m, then, as we have
seen earlier, k
x
m ,= m for all 1 x p 1, so the orbit of
m
under Z
p
is

m
,
km
,
k
2
m
, . . . ,
k
p1
m
. These orbits correspond to the sets O
m
dened in
section 3.3. As in the previous chapter, let us set q := N/gcd(N, k 1), and
Z

N
:= m Z
N
: m ,= qy for all y Z
N
. Choose some system of representa-
tives
i
from the orbits of X under Z
p
. Recall that we have ki = i exactly when
i / Z

N
.
38 Chapter 4. Representation Theory and the HSP for Z
N
Z
p
First consider the case where i / Z

N
. Let
j
Hom(Z
p
, C

) for 0 j p 1 be
an irreducible representation of Z
p
dened by
j
(1) =
j
, where is a primitive pth
root of unity. Let : G Z
p
be the canonical projection. Dene

i,j
=
i
(
j
) Hom(G, C

).
(See Denition A.8 for the denition of a tensor product of representations.) Then

i,j
is an irreducible one dimensional representation of G. Explicitly, we have

i,j
(x, y) = (
i
(
j
))(x, y) =
i
(y)
j
(x) =
iy

jx
. (4.1)
Now consider the case where i Z

N
. Dene

i,
= Ind
G
Z
N
(
i
) Hom(G, GL
p
(C)),
(See Denition A.9 for the denition of a tensor product of representations.) Then
i,
is an irreducible p-dimensional representation of G. We can compute the character of

i,
by applying the Frobenius formula. Let
i
(g) =
i
(g) if g Z
N
and 0 otherwise.
Then for (x, y) G, we have
Tr(
i,
(x, y)) =

(x

,0)G/Z
N

i
((x

, 0)(x, y)(x

, 0))
=

(x

,0)G/Z
N

i
(x, k
x

y)
=
_
0 : x ,= 0

p1
j=0

k
j
iy
: x = 0
Let g := (x, y) and s := (s, 0) be elements of G. We compute the matrix for
i,
(see
Fact A.10 for an explanation of this computation):

i,
(g) =
_
_
_
_
_

i
(0 g 0)
i
(0 g 1)
i
(0 g p 1)

i
(1 g 0)
i
(1 g 1)
i
(1 g p 1)
.
.
.
.
.
.
.
.
.
.
.
.

i
((p 1) g 0)
i
((p 1) g 1)
i
((p 1) g p 1)
_
_
_
_
_
=
_
_
_
_
_

i
(x, k
0
y)
i
(x + 1, k
1
y)
i
(x + (p 1), k
p1
y)

i
(x 1, k
0
y)
i
(x, k
1
y)
i
(x + (p 2), k
p1
y)
.
.
.
.
.
.
.
.
.
.
.
.

i
(x (p 1), k
0
y)
i
(x (p 2), k
1
y)
i
(x, k
p1
y)
_
_
_
_
_
=
_
_
_
_
_
0 0
k
x
iy
0 0
0 0 0
k
x+1
iy
0
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
0
k
x+(p1)
iy
0 0 0
_
_
_
_
_
. (4.2)
Mackeys criterion guarantees that for any of the
i,j
or
i,
we have just dened,
the representation
i,j
is indeed irreducible and if
i,j
and
i

,j
are isomorphic, then
4.3. The Fourier transform over Z
N

k
Z
p
39
i = i

and j = j

. Therefore these (Np)/q one-dimensional representations and

(N (N/q))/p p-dimensional representations are all the irreducible representations
of G, as can be veried by the following calculation (see Fact A.5):
N
q
p 1 +
_
(N
N
q
)
p
p
2
_
= Np = [G[.
In conclusion, we have proved the following:
Theorem 4.4. A complete set of irreducible representations of Z
N

k
Z
p
is
i,
for
i Z

N
and
i,j
for i Z
N
Z

N
, j Z
p
, where the are dened as in (4.1) and (4.2)
above.
4.3 The Fourier transform over Z
N

k
Z
p
In the algorithm presented in chapter 3, rather than use the Fourier transform over
G := Z
N

k
Z
p
, we applied a series of Fourier transforms on each register. In this
section, we show that our application of Z
p
followed by Z
N
approximates T
G
in a
certain sense.
Suppose

G is a complete set of the irreducible representations of G; we can suppose
further that the elements of

G are labeled as
i,j
or
i,
as dened in the previous
section. Let

Z

N
be the set of i Z

N
such that
i,


G. Then, let us see how T
G
acts on an element [(x, y) CG:
T
G
[(x, y) =

1a,bd

[G[
[(x, y)]
a,b
[, a, b
=
1

pN
_
_
_
_
_

iZ
N
\Z

N
p1

j=0

i,j
(x, y) [
i,j
+

N
1a,bp
[
i,
(x, y)]
a,b
[
i,
, a, b
_
_
_
_
_
=
1

pN
_
_

iZ
N
\Z

N
p1

j=0

iy

jx
[
i,j
+

N
p1

j=0

k
x+j
iy
[
i,
, j, j x
_
_
=
1

pN
_
_

iZ
N
\Z

N
p1

j=0

iy

jx
[j [i +
k
x

iZ

iy
[0 [i
_
_
,
where we have relabeled the vectors [
i,j
as [j [i CZ
p
CZ
N
and [
i,
, j, x + j
as [0 [k
j
i CZ
p
CZ
N
.
On the other hand, T
p
I acts on [(x, y) CG by
(T
p
I) [(x, y) =
1

p
p1

s=0

sx
[s [y .
40 Chapter 4. Representation Theory and the HSP for Z
N
Z
p
Now suppose we measure the rst register of (T
p
I) [(x, y) and in particular measure
0; the resulting state is merely [y. If we now apply T
N
and call the resulting vector
[, we have
[ =
1

N
N1

i=0

iy
[i .
Note that [ agrees with T
G
[(x, y) in the coordinates corresponding to i Z

N
. If
we project T
G
[(x, y) into CZ
p
CZ

N
and call the resulting vector [, we have
[ =
1
_
[Z

N
[

iZ

iy
[i .
Thus, as long as we project our state vector into some subspace of CZ

N
, the procedure
of applying T
p
, measuring the rst register, and then applying T
N
yields the same
result as applying T
G
would. We follow exactly this series of steps in the single-
query algorithm of section 3.4. The vector [

dened in that section is created by

applying T
p
to the coset state [gH
l
from the Standard Method, measuring 0 in the
rst register, applying T
N
to the resulting vector, and nally projecting the state
into some subspace of CZ

N
. However, the most remarkable step of the algorithm, in
which we sum the amplitudes of [

in the [ and [k components, is still not

adequately explained by the considerations of this chapter. It would be extremely
interesting if representation theory gave some a priori justication for this step. We
have been unable to nd such a justication.
Appendix A
Basic Representation Theory
In this appendix we quickly recap the basic denitions and theorems from group
representation theory used in chapter 4; for a in-depth treatment of the representation
theory of nite groups, see Serre [20] or Dummit and Foote [6], chapter 15.
Denition A.1. A representation of a nite group G is a group homomorphism
: G GL(V ), where V is some vector space over a eld F. We will always take F
to be C and V to be nite-dimensional of dimension d

; thus we will consider to be

a map from G to GL
d
(C) and from now on we do not state the assumption that our
base eld is C. Fixing a basis of V C
d
, we can realize (g) as a d

matrix for
each g G. We say that d

is the dimension of .
Two representations,
1
: G GL(V ) and
2
: G GL(W) are isomorphic if
there is some isomorphism from V to W such that
1
(g)(v) =
2
(g)((v)) for all
g G, v V .
Denition A.2. A subspace W V is said to be an invariant subspace of if
(g)(W) W for all g G. If there are no nontrivial (i.e. proper and nonzero)
invariant subspaces of , then we say is irreducible.
Denition A.3. Let : G GL(V ) be a representation of G, and suppose we have
V V
1
V
2
, where V
1
and V
2
are nontrivial invariant subspaces of . Then is
decomposable, and we write =
1

2
, where
i
is the restriction of to V
i
. If is
not decomposable, we say is indecomposable.
An important rst result in representation theory says that irreducibility is the
same as indecomposability as long as we are working over a eld of characteristic 0:
Theorem A.4. (Maschke)
A representation of G is irreducible if and only if it is indecomposable. Thus any
representation can be written as,
=
1

k
,
where
1
, . . . ,
k
are irreducible representations.
42 Appendix A. Basic Representation Theory
Because we can break up any reducible representation into a direct sum of irre-
ducible representations, we focus our attention on irreducible representations, which
we sometimes call irreps for shorthand. The following fact helps us nd all the irreps:
Fact A.5. A nite group G has a nite number of non-isomorphic irreducible repre-
sentations. We call a maximal set of non-isomorphic irreps a complete set of irreps.
Let

G be a complete set of irreps of G. Then,
[G[ =

G
d
2

,
where d

is the dimension of .
In section 4.1 we use the following corollary of Schurs lemma (see [6], 15.1):
Lemma A.6. (Orthogonality of irreducible representations)
For two irreps ,

of G we have
d

[G[

gG
[(g)]
i,j
[

(g)]
i

,j
=
,

i,i

j,j
,
where
,
= 1 if =

and 0 otherwise.
Denition A.7. Associated to each representation is its character,

: G C,
where, for each g G,

(g) = tr((g)), the matrix trace of (g). Note that this trace
is independent of the basis of the matrix representation of (g). We can see that a
one-dimensional representation is essentially the same as its character.
Denition A.8. If
1
: G GL(V ) and
2
: G GL(W) are representations of G,
then the tensor product of these representations is
1

2
: G GL(V W), and it
acts as we would expect: (
1

2
)(g)(v w) =
1
(g)(v)
2
(g)(w). We can check
that

2
=

1
+

2
and

2
=

2
.
Denition A.9. Let : H GL(V ) be a representation of H, where H is some
subgroup of G. Let t
1
, . . . , t
n
be representatives of the cosets of H in G. Then the
induced representation Ind
G
H
() acts on the space V =

n
i=1
t
i
V by g

n
i
t
i
v
i
=

n
i
t
j(i)
(h
i
)v
i
, where v
i
V and we have written gx
i
= x
j
h with h H in a unique
way for each i.
The following fact lets us compute an explicit description of the induced repre-
sentation:
Fact A.10. Let : H GL(V ) be a representation of H < G. Dene : G
GL(V ) to be (g) if g H and 0 otherwise. Let t
1
, . . . , t
n
be representatives from the
cosets of H in G. The matrix of the induced representation is the block matrix
Ind
G
H
() =
_
_
_
_
_
(t
1
1
gt
1
) (t
1
1
gt
2
) . . . (t
1
1
gt
n
)
(t
1
2
gt
1
) (t
1
2
gt
2
) . . . (t
1
2
gt
n
)
.
.
.
.
.
.
.
.
.
.
.
.
(t
1
n
gt
1
) (t
1
n
gt
2
) . . . (t
1
n
gt
n
)
_
_
_
_
_
.
References
[1] G. Brassard and P. Hyer. An exact quantum polynomial-time algorithm for
Simons problem. In Proceedings of the 5th Israeli Symposium on Theory of
Computing and Systems (ISTCS97), pages 1223. Society Press, 1997.
[2] A. Childs and W. van Dam. Quantum algorithms for algebraic problems. Rev.
Mod. Phys., 82:152, Jan 2010.
[3] D. Bacon; A. Childs; and W. van Dam. From optimal measurements to ecient
quantum algorithms for the hidden subgroup problem over semidirect product
groups. 46th Annual IEEE Symposium on Foundations of Computer Science,
pages 469478, 2005.
[4] D. Bacon; A. Childs; and W. van Dam. Optimal measurements for the dihedral
hidden subgroup problem. Chicago Journal of Theoretical Computer Science,
2005.
[5] David Deutsch. Quantum theory, the Church-Turing principle and the universal
quantum computer. Proceedings of the Royal Society of London, 400:97117,
1985.
[6] D. Dummit and R. Foote. Abstract Algebra. Prentice Hall, Englewood Clis,
New Jersey, 1991.
[7] M. Ettinger and P. Hyer. A quantum observable for the graph isomorphism
problem. eprint, arXiv:9901029, 1999.
[8] M. Ettinger and P. Hyer. On quantum algorithms for noncommutative hidden
subgroups. Advances in Applied Mathematics, 25:239251, 2000.
[9] D. Gavinsky. Quantum solution to the hidden subgroup problem for poly-near-
hamiltonian groups. Quantum Information and Computing, 4:229235, 2004.
[10] Amit Hagar. Quantum computing. The Stanford Encyclopedia of Philosophy,
http://plato.stanford.edu/archives/spr2011/entries/qt-quantcomp/,
2011.
[11] L. Hales and S. Hallgren. An improved quantum Fourier transform algorithm and
applications. In In Proceedings of the 41st Annual Symposium on Foundations
of Computer Science, pages 515525, 2000.
44 References
[12] G. Kuperberg. A subexponential-time quantum algorithm for the dihedral hidden
subgroup problem. eprint, arXiv:0302112, 2003.
[13] C. Lomont. The hidden subgroup problem - review and open problems. eprint,
arXiv:0411037, 2004.
[14] J.-N. Murphy. Analysing the quantum Fourier transform for nite groups
through the hidden subgroup problem. Masters Thesis, McGill University, 2001.
[15] M. Nielsen and I. Chuang. Quantum Computation and Quantum Information.
Cambridge University Press, 2000.
[16] O. Regev. Quantum computation and lattice problems. Proceedings of the 43rd
Annual Symposium on Foundations of Computer Science, IEEE, Los Alamitos,
CA, pages 520529, 2002.
[17] C. Moore; D. Rockmore; and A. Russell. Generic quantum Fourier transforms.
ACM Trans. Algorithms, 2(4):707723, October 2006.
[18] M. R otteler and T. Beth. Polynomial-time solution to the hidden subgroup
problem for a class of non-abelian groups. eprint, arXiv:9812070, 1998.
[19] K. Friedl; G. Ivanyos; F. Magniez; M. Santha; and P. Sen. Hidden translation
and orbit coset in quantum computing. In Proc. 35th Annual ACM Symposium
on Theory of Computing, pages 19, 2001.
[20] J.P. Serre. Linear Representations of Finite Groups. Springer-Verlag, New York,
1977.
[21] A. Shakeel. Implementing measurements and optimizing queries for the quantum
hidden subgroup problem. PhD Thesis, UCSD, 2011.
[22] P. Shor. Polynomial-time algorithms for prime factorization and discrete log-
arithms on a quantum computer. SIAM J. on Computing, pages 14841509,
1997.
[23] M. Sipser. Introduction to the theory of computation. Thomson Course Technol-
ogy, Boston, 2006.
[24] M. Grigni; L. Schulman; M. Vazirani; and U. Vazirani. Quantum mechanical
algorithms for the nonabelian hidden subgroup problem. In Proc. 33rd Annual
ACM Symposium on Theory of Computing, page 6874, 2001.