
    Quantum algorithm for a generalized hidden shift problem

    Consider the following generalized hidden shift problem: given a function f on {0,...,M − 1} × Z_N promised to be injective for fixed b and satisfying f(b, x) = f(b + 1, x + s) for b = 0, 1,...,M − 2, find the unknown shift s ∈ Z_N. For M = N, this problem is an instance of the abelian hidden subgroup problem, which can be solved efficiently on a quantum computer, whereas for M = 2, it is equivalent to the dihedral hidden subgroup problem, for which no efficient algorithm is known. For any fixed positive ε, we give an efficient (i.e., poly(log N)) quantum algorithm for this problem provided M ≥ N^ε. The algorithm is based on the "pretty good measurement" and uses H. Lenstra's (classical) algorithm for integer programming as a subroutine.

    Hidden Shift Quantum Cryptanalysis and Implications

    At Eurocrypt 2017 a tweak to counter Simon's quantum attack was proposed: replace the common bitwise addition with other operations, such as a modular addition. The starting point of our paper is a follow-up of these previous results. First, we have developed new algorithms that improve and generalize Kuperberg's algorithm for the hidden shift problem, which is the algorithm that applies instead of Simon's when considering modular additions. Thanks to our improved algorithm, we have been able to build a quantum attack in the superposition model on Poly1305, proposed at FSE 2005, largely used and claimed to be quantumly secure. We also answer an open problem by analyzing the effect of the tweak on the FX construction. We have also generalized the algorithm: we propose for the first time a quantum algorithm for solving the problem with parallel modular additions, with a complexity that matches both Simon's and Kuperberg's algorithms in its extremes. We also propose a generic algorithm to solve the hidden shift problem in non-abelian groups. In order to verify the theoretical analysis we performed, and to get concrete estimates of the cost of the algorithms, we have simulated them and were able to validate our estimated complexities. Finally, we analyze the security of some classical symmetric constructions with concrete parameters, to evaluate the impact and practicality of the proposed tweak, concluding that it does not seem to be efficient.

    Quantum algorithm for the Boolean hidden shift problem

    The hidden shift problem is a natural place to look for new separations between classical and quantum models of computation. One advantage of this problem is its flexibility, since it can be defined for a whole range of functions and a whole range of underlying groups. In a way, this distinguishes it from the hidden subgroup problem, where more stringent requirements about the existence of a periodic subgroup have to be made. And yet, the hidden shift problem proves to be rich enough to capture interesting features of problems of algebraic, geometric, and combinatorial flavor. We present a quantum algorithm to identify the hidden shift for any Boolean function. Using Fourier analysis for Boolean functions, we relate the time and query complexity of the algorithm to an intrinsic property of the function, namely its minimum influence. We show that for randomly chosen functions the time complexity of the algorithm is polynomial. Based on this we show an average-case exponential separation between classical and quantum time complexity. A perhaps interesting aspect of this work is that, while the extremal case of the Boolean hidden shift problem over so-called bent functions can be reduced to a hidden subgroup problem over an abelian group, the more general case studied here does not seem to allow such a reduction. Comment: 10 pages, 1 figure.

    Quantum algorithms for highly non-linear Boolean functions

    Attempts to separate the power of classical and quantum models of computation have a long history. The ultimate goal is to find exponential separations for computational problems. However, such separations do not come a dime a dozen: while there were some early successes in the form of hidden subgroup problems for abelian groups (which generalize Shor's factoring algorithm perhaps most faithfully), efficient quantum algorithms were found only for a handful of non-abelian groups. Recently, problems that seek to identify hidden sub-structures of other combinatorial and algebraic objects besides groups have gotten increased attention. In this paper we provide new examples of exponential separations by considering hidden shift problems that are defined for several classes of highly non-linear Boolean functions. These so-called bent functions arise in cryptography, where their property of having perfectly flat Fourier spectra on the Boolean hypercube gives them resilience against certain types of attack. We present new quantum algorithms that solve the hidden shift problems for several well-known classes of bent functions in polynomial time and with a constant number of queries, while the classical query complexity is shown to be exponential. Our approach uses a technique that exploits the duality between bent functions and their Fourier transforms. Comment: 15 pages, 1 figure, to appear in Proceedings of the 21st Annual ACM-SIAM Symposium on Discrete Algorithms (SODA'10). This updated version of the paper contains a new exponential separation between classical and quantum query complexity.

    Quantum algorithms for problems in number theory, algebraic geometry, and group theory

    Quantum computers can execute algorithms that sometimes dramatically outperform classical computation. Undoubtedly the best-known example of this is Shor's discovery of an efficient quantum algorithm for factoring integers, whereas the same problem appears to be intractable on classical computers. Understanding what other computational problems can be solved significantly faster using quantum algorithms is one of the major challenges in the theory of quantum computation, and such algorithms motivate the formidable task of building a large-scale quantum computer. This article will review the current state of quantum algorithms, focusing on algorithms for problems with an algebraic flavor that achieve an apparent superpolynomial speedup over classical computation. Comment: 20 pages, lecture notes for the 2010 Summer School on Diversities in Quantum Computation/Information at Kinki University.

    Efficient Quantum Algorithm for Identifying Hidden Polynomials

    We consider a natural generalization of an abelian Hidden Subgroup Problem where the subgroups and their cosets correspond to graphs of linear functions over a finite field F with d elements. The hidden functions of the generalized problem are not restricted to be linear but can also be m-variate polynomial functions of total degree n >= 2. The problem of identifying hidden m-variate polynomials of degree less than or equal to n for fixed n and m is hard on a classical computer, since Omega(sqrt{d}) black-box queries are required to guarantee a constant success probability. In contrast, we present a quantum algorithm that correctly identifies such hidden polynomials for all but a finite number of values of d with constant probability and that has a running time that is only polylogarithmic in d. Comment: 17 pages.