Testing Shift-Equivalence of Polynomials Using Quantum ... - CiteSeerX

Testing Shift-Equivalence of Polynomials Using Quantum Machines D. Grigoriev1 Department of Computer Science & Department of Mathematics Penn State University University Park, PA 16802 USA email: [email protected]

For the positive characteristic p when F = Fp is the eld of residues mod p and the polynomial f is reduced, i.e. the degree with respect to each variable degXi (f )  p ? 1, 1  i  n, we design in the section 3 a randomized algorithm for testing shift-equivalence which has a polynomial runningtime, if p grows slower than a certain polynomial in n=d. For an arbitrary nite ground eld F and the degree of f we design in the section 4 a quantum machine (for this computational model and the background see e.g. [1, 13, 14, 16]) which computes the group Sf;f . Observe that the developed in the section 4 methods actually allow one to design a quantum machine which for a given action of an abelian group on a nite set, computes the stabilizator subgroup of a given element from the set (as the author recently learned, the problem of computing the stabilizator subgroup by a quantum machine was also solved in [17] with a better complexity bound). In [18] a quantum machine was constructed which allows one to test, whether a given function has a hidden linear structure, or to nd the period of a periodic univariate function with small preimages (the latter result generalizes 1 Introduction [13]). The method exhibited in the section 4 has a common point with [18] in applying the Fourier transform to In the paper we deal with the problem of testing, whether similar initial con gurations (actually, this idea rises to two given polynomials f;g 2 F [X1; : : : ; Xn ] are shift-equivalent, the but it is easier since it does not use the uniqueness of i.e. there exists a shift 1 ; : : : ; n such that f (X1+1 ; : : : ; Xn + [14]), a hidden linear structure and estimations of the amplitudes n ) = g. The issue of considering polynomials up to the as in [18], but rather exploites the duality of Sf;f with its shifts appeared already in the context of the interpolation group of characters. of shifted-sparse polynomials (see [8, 10, 7]), namely, the When the characteristic of F is 2 we design a quantum polynomials which become sparse after a suitable shift. machine which computes Sf;g . Moreover, if the abelian We present the algorithms for computing the group Sf;f group being a direct product of cyclic groups each of the of the shifts ( 1 ; : : : ; n ) such that f (X1 + 1 ; : : : ; Xn + order 2 acts on a nite set, one can design a quantum ma n ) = f and for testing, whether the set Sf;g of the shifts chine, which tests, whether two elements from the set lie in (1 ; : : : ; n ) for which f (X1 + 1; : : : ; Xn + n ) = g is nonthe same orbit of the action of the group. It seems to be empty (in the latter case Sf;g = (1 ; : : : ; n ) + Sf;f and the an open question, whether one could solve the latter probalgorithm yields a certain (1 ; : : : ; n ) 2 Sf;g ). The nature lem by a quantum machine over a nite eld of an arbiand the complexity of the algorithms drastically depends on trary characteristics. The designed quantum machines run the characteristic of the ground eld F . For the characterisin polynomial time, if pgrows slower  than a certain polynotic zero we design in the section 2 a deterministic algorithm n + d for testing shift-equivalence which has a polynomial time mial in the input size (being the number of the d complexity, if the degree of f grows slower than n. coecients of f ). 1 Supported by NSF grant CCR-9424358. Now we formulate the main result of the paper. Theorem 1) Let f;g 2 Q[X1 ; : : : ; Xn ], deg(f ); deg(g)  d and the bit-size of the coecients of f; g be less than M . A (deterministic) algorithmn is designed which nds a ba-n sis (over C) v1 ; : : : ; vk 2 Q of the linear space Sf;f  C of all the shift-selfequivalences of f . Moreover, the algorithm tests, whether the set of all shift-equivalences Sf;g  C is nonempty and in the later case produces an element The polynomials f;g 2 F [X1; : : : ; Xn ] are called shiftequivalent if there exists a shift (1 ; : : : ; n) 2 F n such that f (X1 + 1 ; : : : ; Xn + n ) = g. The algorithms in three dierent cases are designed which produce the set of all shiftequivalences of f;g in polynomial time, herewith in the case of a 1. zero-characteristics eld F the designed algorithm is deterministic; 2. prime residue eld F = Fp and a reduced polynomial f , i.e. deg Xi (f )  p ? 1, 1  i  n, the algorithm is randomized; 3. nite eld F = Fq of the characteristic 2 the algorithm is quantum. For an arbitrary nite eld Fq a quantum machine is designed which computes the groupnof all shift-self-equivalences of f , i.e. ( 1 ; : : : ; n ) 2 Fq such that f (X1 + 1 ; : : : ; Xn + n ) = f .

1

over Q system de ning the intersection \1in S (i) and substitutes the general (parametric) solution (A1 ; : : : ; An ) = v+ 1 v1 +


+ k vk of the latter system (here 1 : : : ; k are parameters, the vectors v; v1 ; : : : ; vk 2 Qn , k = dim \1in S (i) , and v1 : : : ; vk are linearly independent) into f . Due to lemma 1 the set of the vectors (A1 ; : : : ; An ) satisfying the equation f (A1 ; : : : ; An ) = g(0; : : : ; 0), coincides with Sf;g . Hence the equation f (A1 ; : : : ; An ) = g(0; : : : ; 0) determines a linear variety V in the space  ' Qk of parameters (1 ; : : : ; k ). There could occur one of the following three cases. In the rst case V = ;, i.e. Sf;g = ;, this means that the polynomial f (A1 ; : : : ; An ) ? g(0; : : : ; 0) 2 Q[1 ; : : : ; k ] equals to a nonzero constant from Q. In the second case V = , i.e. Sf;g = \1in S (i) , it is equivalent to identical vanishing of the polynomial f (A1 ; : : : ; An ) ? g(0; : : : ; 0). In the lastX case V is a hyperplane in , given by a linear cj j ? c0 = 0 for suitable cj 2 Q. Therefore, equation

(1 ; : : : ; n ) 2 Sf;g \ Qn . The running time of the algorithm can be bounded by (M (dn)d )O(1) . 2) Let f; g 2 Fp [X1 ; : : : ; Xn ] for a prime p, the degrees deg(f ), deg(g)  d and degXi (f ), degXi (g)  p ? 1, 1  i  n. A randomized algorithm is designed which nds a basis over Fp of the linear space Sf;f  Fnp . Moreover, the algorithm tests, whether Sf;g 6= ; and in the latter case produces an element (1 ; : : : ; n ) 2 Sf;g . The  running time n + d O(1) of the algorithm does not exceed (pd d ) . 3) Let f; g 2 Fpm [X1; : : : ; Xn ], the degrees deg(f ); deg(g)  d. A quantum machine is designed which nds a basis over Fp of Sf;f  (Fpm )n . Moreover, when the elds characteristics p = 2, anquantum machine is designed which computes Sf;g  (F2m ) in the form similar to 2). The times  running n + d O(1) of the quantum machines are less than (pm d ) .

1jk

2 Testing shift-equivalence of polynomials over zero-characteristic eld: deterministic algorithm Let f; g 2 Q[X1 ; : : : ; Xn ] be two polynomials with deg(f ), deg(g)  d and with the size of rational coecients less than M . Actually, one could consider the coecients of f;g from a larger (say, algebraic number) eld, but we stick with the rational coecients just for simplifying the bounds on the size of the output data. n Denote by Sf;g  Q (herewith the bar denotes the algebraic closure) the nset of all shift-equivalence of f and g, i.e. ( 1 ; : : : ; n ) 2 Q such that f (X1 + 1 ; : : : ; Xn + n ) = g(X1 ; : : : ; Xn ). If Sf;g 6= ; we say that f and g are shiftequivalent. In this section we design a deterministic algorithm which computes Sf;g . Observe that if (1 ; : : : ; n ) 2 Sf;f then for any integer m we have (m1 ; : : : ; mn ) 2 Sf;f . Hence (t1 ; : : : ; tn ) 2 Sf;f holds for any t 2 Q. Thus, considering t as a new variable, we get that 0 = df (X1 + t1 ; : : : ; Xn + tn )

f (A1 ; : : : ; An ) ? g(0; : : : ; 0) = c

X 1jk

cj j ? c 0

!

for an appropriate c 2 Q, where  = deg1 ;:::;k f (A1; : : : ; An ). Let us nd all cj . Checking, whether the polynomial f (A1 ; : : : ; An )?g(0; : : : ; 0) is homogeneous, we detect, whether c0 = 0. If c0 6= 0 we set c0 = 1 and for every 1  j  k replace ` , for all ` 6= j by zeroes in f (A1 ; : : : ; An ) ? g(0; : : : ; 0), as a result we obtain a univariate polynomial j = f (A1; : : : ; An ) ? g(0; : : : ; 0) ` =0;`6=j = c(cj j ? 1) .   The algorithm nds cj calculating GCD j ; dd jj = cj j ? 1. If on the opposite c0 = 0, then for each pair 1  j1 ; j2  k we make a substitution j1 = 1 and ` = 0 for all ` 6= j1 ; j2 , as a result the algorithm either nds the quotient cj2 =cj1 or returns cj1 = 0 similar to the situation c0 = 1. This completes the description of the recursive algorithm which computes Sf;g . In particular, this allows one to test, whether f and g are shift-equivalent. Now we estimate the number of arithmetic operations in the described algorithm. The number of monomials in f; g number of taking the derivatives can be bounded by andd the  O(1) +n . At each step of recursion for constructing d

dt @f @f  (X1 + t1 ; : : : ; Xn + tn ) = 1 @X +


+ n @X 1 n Substituting t = 0 in the latter identity, we obtain that @f +


+ n @f = 0. Inversing this arguing, we con1 @X @Xn clude that Sf;f  Qn is a linear subspace. Therefore, Sf;g is a linear variety of the same dimension as Sf;f (if Sf;g is nonempty). Observe that the variety Sf;g is de ned over Q, therefore the subspace Sf;f has a basis from Qn (one could obtain it @f +


+n @f = 0 from the system of linear equations 1 @X @Xn in the variablesn 1 ; : : : ; n ). Furthermore, Sf;g contains a vector from Q , indeed, take any vector 2 Sf;g and all its conjugates = 1 ( ); 2 ( );: : : ; N ( ) 2 Sf;g over Q, then 1 X j ( ) 2 Sf;g \ Qn , thus Sf;g is de nable by a linear N



1

the intersection \1in S (i) the algorithm solves a linear system in n variables, it requires nO(1) arithmetic operations. After that calculating of the substitution f (A1 ; : : : ; An )  d the  O(1) +n needs operations, and nally computing cj

d

1

takes nO(1) operations. Thus, the number of arithmetic opO(1)

 d+n 

erations of the algorithm does not exceed , d i.e. is polynomial in the input size. Now we estimate the bit-size of the occurring intermediate coecients. The bit-size of the coecients of any involved partial derivative is less than d(log n)M . Denote by M` , 0  b  d the bit-size of the coecients of the linear systems representing Sf` ;g` for intermediate in the recursion polynomials of degrees `. Then at the current step of the recursion the size of the coecients in a linear system representing \1in S (i) can be bounded by nO(1) M` , then the

1jN

system over Q. For brevity denote S (i) = S@f=@Xi ;@g=@Xi , 1  i  n. Lemma 1 Sf;g = \1in S (i) \ f(1 ; : : : ; n ) 2 Qn : f (1 ; : : : ; n ) = g(0; : : : ; 0)g. Relying on lemma 1, the algorithm nds each S (i) , 1  i  n by a linear over Q system de ning S (i) , using the recursion on the degree. Then the algorithm nds a linear 2

#U  pd . Then with the probability greater than 1 ?  #A

size of the coecients cj does not exceed (nd)O(1) M` by the subresultant theorem [11]. Hence M`+1  (nd)O(1) M` and we conclude that Md  (nd)O(d) M and the bit-size of all occurring coecients is also less than M (nd)O(d) . Therefore, the running time of the described algorithm does not exceed (M (nd)d )O(1) which completes the of theorem  dproof O(1) +n and 1). When d = no(1) then (nd)O(d) 

among the chosen N = O(pd d log n) vectors there would be a vector u0 2 Sf;g , (one could easily check the membership to Sf;g ), provided that Sf;g 6= ;. If none of the chosen N vectors belongs to Sf;g , the algorithm returns that Sf;g = ;. After that the algorithm makes 2N independent choices of the elements from U . Among them with the probability greater than 1 ?  there is a vector u1 2 Sf;g such that u1 ? u0 6= 0 (herewith we take A = A1 = Sf;g nfu0 g, obviously #A1  12 #A0 ). Thereupon making again 2N independent choices the algorithm with the probability greater than 1 ?  nds a vector u2 2 Sf;g such that the vectors u2 ? u0 ; u1 ? u0 are linearly independent.0 Herewith we take A = A2 = Sf;g nL fu0 ; u1 g where L (u0 ;


; u0` ) denotes the minimal 00 ; : : : ; u0 (clearly linear variety which contains the points u ` L fu0 ; u1 g is a line), obviously #A2  21 #A0 . Continuing in this way, the algorithm makes at most s  k rounds of 2N independent choices, while it is possible to nd the vectors u0 ; u1 ; : : : ; us0 2 Sf;g , s0  s such that the dierences u1 ? u0 ; : : : ; us0 ? u0 are linearly independent. The algorithm returns that Sf;g = u0 + 1 (u1 ? u0 ) +


+ s0 (us0 ? u0 ), where 1 ; : : : ; s0 are parameters from Fp . The algorithm  n + nds Sf;g correctly with the probability at d   n + d ?1 n d least (1 ? ) , because  1? n d

n

the bit complexity of the described2 algorithm is polynomial. When d grows faster than, say, n it is more pro table for computing Sf;g to solve a system of polynomial equations f (X1 + 1 ; : : : ; Xn + n ) = g(X1 ; : : : ;2Xn ) in n variables 1 ; : : : ; n with the running time (Mdn )O(1) [3].

3 Testing shift-equivalence of reduced polynomials over a prime residues eld: randomized algorithm Let the polynomials f; g 2 Fp [X1; : : : ; Xn ], deg(f ); deg(g)  d, where p is a prime, be reduced, namely degXi (f ); degXi (g)  p ? 1, 1  i  n. In this section we design a polynomial-time randomized algorithm which computes Sf;g  Fnp . Observe that Sf;f is a linear subspace over Fp and Sf;g = v + Sf;f for an arbitrary vector v 2 Sf;g (if Sf;g 6= ;). Notice that since f;g are reduced, lemma 1 from the section 2 holdsmfor Sf;g also in the case under consideration. Let q = p , a polynomial h 2 Fq [X1 ; : : : ; Xn ]. The following lemma 2 was told the author by R. Smolensky [15] and strengthens Schwartz's lemma [12] for nite elds. Observe that when n  q deg h and degXi (h)  q ? 2, 1  i  n, lemma 2 follows from [9] (for arbitrary h a weaker bound was proved in [5]). Lemma 2 If h has a zero in Fnq then h has at least n ? q deg(h) zeroes. Now we describe a randomized algorithm which computes Sf;g  Fnp . Similar to the section 2 the algorithm by recursion on the degree computes S (i) , 1  i  n representing each S (i) by a linear system over Fp . Then the algorithm produces a linear system which represents the intersection \1in S (i) yields the general (parametric) solution (A1 ; : : : ; An ) = v? + 1 v1 +



+ k vk, where v; v1; : : : ; vk 2 Fnp , k = dimFp \1in S (i) of this linear system (cf. section 2). After that the algorithm substitutes (A1 ; : : : ; An ) in f . Due to lemma 1 Sf;g is isomorphic to the set of the solutions of the polynomial over Fp equation f (A1 ; : : : ; An ) = g(0; : : : ; 0) in the parameters 1 ; : : : ; k , one could consider w.l.o.g. Sf;g as a linear over Fp variety in the space  ' Fkp of the parameters. Lemma 2 implies that s = dimFp Sf;g  k ? deg f  k ? d (if Sf;g 6= ;). In [8] it is proved that if in a set U to choose randomly independently N times elements u 2 U then the number y of the times when a chosen u belongs to a xed subset ; =6 A  U , satis es with the probability greater than 1 ?  the following inequalities: 21 ##AU  Ny  23 ##UA , where U N=# #A
16
log 2 (2=): The randomized algorithm under description for computing Sf;g checks rst, whether 0 2 Sf;g , if yes then we set the vector u0 = 0 2 Sf;g . If not then the algorithm chooses N times randomly independently elements U = ,   from the set ?2 n + d herewith A = A0 = Sf;g and  = n . Hence d





d the algorithm calls recursively to itself at most n + d times since the number partial derivatives  nof+nonvanishing  d of f does not exceed , and at each recursive step d the algorithm makes at most n rounds of 2N independent choices as described above. Notice that if Sf;g = ;, the algorithm always returns the correct answer. Finally, estimate the running time  of the algorithm. As  n + d already mentioned, there are at most recursive d calls of the algorithm to itself. At each recursive step the algorithm rst nds (deterministically) the intersection \1in S (i) , by means of solving a linear over Fp system with at most n variables, that requires ((log p)n)O(1) running time. Then the algorithm makes at most of choosing 2N vec n rounds  d O(1) , which comtors from U = , it takes pd n + d pletes the proof of theorem 2). Notice that the time bound of the algorithm is better than the time bound pn of the trivial search in Fnp when d = o(n). In this case the time bound  nof+the algorithm is d polynomial in the input size log p
when p = d

? n
O(1) . d

4 Testing shift-equivalence of polynomials over a nite eld: quantum computation Let g = pm and the polynomials f; g 2 Fq [X1 ; : : : ; Xn ], deg(f ), deg(g)  d. In this section we design a quantum machine which computes Sf;f  Fnq and, furthermore, in the case of the elds characteristic p = 2 we design a quantum machine which computes Sf;g . Observe as above that Sf;f is an abelian group and Sf;g = v + Sf;f for an arbitrary v 2 Sf;g (if Sf;g 6= ;). 3

The core of a quantum machine, a concept being an extension of a randomized algorithm (see e.g. [1, 16]), is a fast unitary transformation. In [13] it was shown that a quantum machine could compute in polynomial time the Fourier transform n for the cyclic group Zn of the order n for \smooth" n, namely n = p1


p` being a product of pairwise distinct small primes. In [4] 2k was computed by a quantum machine based on the fast Fourier transform. First we show (although we do not immediately use it below) that pk for any small p could be computed recursively on k by a quantum machine in a more succinct way using the product-formula for Fourier transform [2], which in its turn easily entails the fast? Fourier algorithm. ? s`transform

The matrix p = p1p exp 2i p 1s;`p the quantum machine computes directly. For the recursive step, let w be k+1 . Denote by D a a primitive root of unity of the degree p square pk  pk diagonal matrix with the diagonal elements being successive powers of w : 1; w; w2 ; : : : ; wpk ?1 . Denote by I` the unit `  ` matrix. Then the following productformula

pk

+1

0 Ip k BB
? = Ipk p B B@

D

D2

...

1

n

1

1

n

n

is taken with the amplitude (p1q)n . Notice that each basic 0  n + d 1 state is a basic ort in B @qn
q d CA-dimensional C-

Dp?1



`

1

1

C CC ? k I
CA p p

allows one to compute pk+1 recursively by a quantum machine within time O((kp)2 ). Also observe that this gives a representation of pk+1 as a product of O(k) matrices, while [4] provides for it the product of O(k2 ) matrices. Remark that as any nite abelian group G is a direct product Zpk1 


 Zpk` of the cyclic groups its Fourier `

X ?p1q
n n )2Fnq  ; : : : (; ;:::;  1 n ; f (X1 + 1 ; : : : ; Xn + n) ;  i.e. each basic state  ; : : : ;  ; f (X +  ; : : : ; X +  ) C =



space with the Hermitean metric. Let w(1) ; : : : ; w(m) 2 Fq be a basis over Fp . Then one can represent each basic state j1; : : : ; n; f (X1 + 1 ; : : : ; Xn + n )i in the form (m) (m) : : : ; (1) j(1) n ; : : : ; n ; f (X1 + 1; : : : ; Xn + n)i 1 ; : : : ; 1 ;X ( j ) ` w(j), (`j) 2 Fp , 1  `  n. The where ` = 1jm

nq acts on the rst nm components as a additive group of Fnm direct product (Zp ) .  n+d d Denote Q = q . The quantum machine applies to C the matrix (see above) p


p IQ where the tensor product of p is taken nm times (cf. [18]). Then in the resulting con guration any basic state j1 ; : : : ; nm ; f i where ` : Z=pZ ! C, 1  `  nm are the characters ?
of the cyclic additive group of Fp , i.e. ` (a) = exp 2ipa b for a suitable b and f = f (X1 + 1 ; : : : ; XnX + n ) 2 Fq [X1; : : : ; Xn ] `(j) w(j) 1  `  n, for some ( 1 ; : : : ; n ) 2 Fnq , ` =

1jm

occurs with the amplitude (cf. [13, 14, 18]) transform G = pk1


pk` = pk1 Ipk2


Ipk` 2 1 1 `  `  X 1 Ipk1 pk2


Ipk`


Ipk1 Ipk2


pk` could 1 ((1) 1 n 1

2

`

1

2

be computed by a quantum machine within time O

`

X

1i`

!

(pi ki )2 .

First we design a quantum machine which computes the group Sf;f  Fnq . This construction extends essentially the idea from [14]. We utilize the notations and terminology from the quantum computations which one could nd in [1, 13, 14, 16]. Actually, the described algorithm and the above quantum computation of G allows one to solve the following problem by means of a quantum machine. Let a nite abelian group G with all the primes dividing its order, being small, act on a set. The algorithm enables one to nd for each element of the set the subgroup of G which preserves this element (the stabilizator subgroup, see also [17]). Furthermore, if G is a direct product of cyclic groups each of the order 2, one can design a quantum machine which for any pair of elements of the set tests, whether these two elements are on the same orbit of the action of G. In the case under consideration G = Zp 


 Zp is the direct product of mn copies of Zp , herewith the action of (Zp )m on each variable Xi , 1  i  n is isomorphic to the action of the additive group of Fq by the shifts. The quantum machine under description starts with the initial con guration (cf. [1, 13, 14, 16, 18])

q

P

P

( 1(j) w(j) ;:::; n(j) w(j) )2Sf;f + 1(1) )


m ((1m) + 1(m) )


nm?m+1 (1) (m) (m) ((1) n + n )


nm (n + n ) X = q1n 1 ( 1(1))


nm ( n(m) ) P P ( 1(j) w(j) ;:::; n(j) w(j) )2Sf;f (m) 1 ((1) 1 )


nm (n )

For every restriction of the character



 = 1


nm Sf;f the sum =



P

0 #Sf;f

if  6 1 if   1

P

X 2Sf;f

()

where  = ( (1j) w(j) ; : : : ; (nj) w(j) ). Thus, each of the basic states j1 ; : : : ; nm ; f i for which 1


nm Sf;f  1 (and only these basic states) occurs in the resulting con guration with the same for each of them probability (which equals to the square of the absolute2 value of the ampli) tude, see [1, 13, 14, 16, 18]) (#Sq2f;f n . Hence, each vector (1 ; : : : ; nm ) such that 1


nm Sf;f  1, occurs as 4

where (1 ; : : : ; n ) 2 Fnq . Thus, a basic state could be treated as an ort from C-space of the dimension qn
a, where a = Q(Q2+1) . As in the above construction, the quantum machine applies the Fourier transform  = 2


2 (nm times) to the rst n coordinates, formally the machine multiplies the initial con guration 1 P (pq)n 1 ;:::;n 2Fq j1 ; : : : ; n ; ff (X1 + 1 ; : : : ; Xn + n ); g(X1 + 1 ; : : : ; Xn + n gi by the matrix  Ia . Then as above the quantum machine computes the group S (by means of its basis over F2 ). Obviously, Sf;g 6= ; () Sf;f 6= S , and in this case we can take as v any element of the basis of S which does not belong to Sf;f . This completes the description of the quantum machine which computes Sf;g . Finally, we estimate the complexity of the designed quantum machines. In the course of computing Sf;f the machine computes (deterministically) for any (1; : : : ; n ) 2 Fnq the coecients  of the polynomial  n + d f (OX(1)1+1; : : : ; Xn+n) which requires m log p time. Producing

the rst nm coordinates of the basic states in the resulting con guration with the same for each of them probability #Sf;f , because for the rest of Q coordinates there are qn qn #Sf;f possibilities for f , each of them appearing with the same probability. Since Sf;f is an abelian subgroup of the additive group of (Fq )n , the order #Sf;f = pk for a certain 0  k  nm. All the vectors of the characters (1 ; : : : ; nm) such that the restriction 1


nm Sf;f  1 constitute the (multiplicative) group S being isomorphic to the vector space (Fp )nm?k over Fp . Applying nm times independently the described quantum machine and each time observing the projection onto the rst nm coordinates of a basic state of the resulting con guration, we obtain a sequence of nm elements from S . The probability that the rst nm ? k vectors (one can assume that they are chosen independently as each of them appears with the same probability, see above) among?1them form a basis of S over Fp is greater or equal to (1 ? p )(1 ? p?2 )(1 ? p?3 )


> 41 . Therefore, making 4 rounds each consisting of nm described applications of the quantum machine, with the probability greater than 1 ? (1 ? 41 )4 > 32 , the quantum algorithm yields at one of the rounds a basis for the space S over Fp . The algorithm returns as a basis the maximal set of linearly independent over Fp elements of S obtained at one of 4 rounds. Having a basis of S , the algorithm can uniquely select the subgroup Sf;f . Indeed, for every element ?
(1; : : : ; nm) from the yielded basis let t () = exp 2ip`t  , 1  t  nm for appropriate 0  `t < p, then for!any element

X

(1j) w(j); : : : ;

X

(nj) w(j)

d

Fourier transform p takes pO(1) time. So, the application of O(1)

 

d

lar bound is valid for the quantum machine which computes Sf;g , this completes the proof of theorem 3. Notice that this bound is always not worse that the complexity bound for the randomized algorithm  designed in Othe (1) section 3 (for m = 1). When p grows like n +d d the running time of the designed quantum machine is polynomial which is not the case for the randomized algorithm from the section 3. Acknowledgements. The author is grateful to Aliosha Kitaev for valuable remarks.

2 Sf;f we have

1jm 1jm (1) (m) (m) 1 ((1) 1 )


nm (n ) = 1, i.e. p `1 1 +


+ `nm n .

Conversely, if the latter divisibility holds for every element !

from the basis then

X

1jm

(1j) w(j) ; : : : ;

X

1jm

(nj) w(j) 2

Sf;f . These divisibility conditions constitute a (homogeneous) linear system over Fp . Producing a basis of this linear system, the algorithm produces thereby a basis of Sf;f . This completes the description of the algorithm which computes Sf;f . Now in the case of the elds characteristic p = 2 we design a quantum machine which tests, whether Sf;g 6= ;, and if it is the case the machine yields an element v 2 Sf;g . Together with the described above construction of Sf;f this computes Sf;g = v + Sf;f . First the machine checks, whether f  g, and if it is the case we are done by the above construction of Sf;f , so we can suppose w.l.o.g. that f 6 g. Then applying the described above construction, the machine computes the groups Sf;f and Sg;g . If Sf;f 6= Sg;g then Sf;g = ;. So we can assume that Sf;f = Sg;g . Observe that S = Sf;f [ Sf;g is a group since p = 2. Notice also that S coincides with the group of all the shifts (1 ; : : : ; n ) 2 Fnq which preserve the unordered pair of the polynomials ff (X1 ; : : : ; Xn); g(X1 ; : : : ; Xn )g = ff (X1 + 1 ; : : : ; Xn + n ); g(X1 + 1 ; : : : ; Xn + n )g. To compute S the quantum machine as the basic states

takes



d the Fourier transform runs in m p n + time. d The machine makes O(nm) such rounds and at the end solves (deterministically) a linear over Fp system of the size O(nm). Thus, the running designed quantum  time ofn +thed  O(1) machine does not exceed m p . The simi-

References [1] E. Bernstein, U. Vazirani, Quantum complexity theory, Proc. STOC, (ACM, 1993), 11{20 [2] T. Beth, Verfahren der schnellen Fourier-transformation, (Teubner, Stuttgart, 1984) [3] A. Chistov, D. Grigoriev, Solving algebraic systems in subexponential time. I, II., Preprints LOMI E-9-83, E10-83, Leningrad, 1983 [4] D. Coppersmith An approximate Fourier transform useful in quantum factoring Research report 19642, IBM, 1994 [5] D. Grigoriev, M. Karpinski, An approximate algorithm for the number of zeroes of arbitrary polynomials over GF [q], Proc. FOCS (IEEE, 1991), 662{669 [6] D. Grigoriev, M. Karpinski, A zero-test and a interpolation algorithm for the shifted sparse polynomials, Proc. AEECC 1993, Lect. Notes in Comput. Sci., vol. 673, (Springer, Berlin, 1993) 162{169

j1; : : : ; n ; ff (X1 + 1 ; : : : ; Xn + n); g (X1 + 1 ; : : : ; Xn + n )gi 5

[7] D. Grigoriev, Y. Lakshman, Algorithms for computing sparse shifts for multivariate polynomials, Proc. Intern. Symp. on Symbol. Algebr. Comput. (ACM, Montreal, 1995) 96{103 [8] R. Karp, M. Luby, N. Madras, Monte-Carlo approximation algorithms for enumeration problems, J. of Algorithms, 10, N3 (1989), 429{448 [9] M. Karpinski, I. Shparlinski, Ecient approximation algorithms for sparse polynomials over nite elds, Technical Report 94{029, ICSI, Berkeley, 1994 [10] Y. Lakshman, D. Saunders, On computing sparse shifts for univariate polynomials, Proc. Intern. Symp. on Symbol. Algebr. Comput. (ACM, Oxford, 1994) [11] R. Loos, Generalized polynomial remainder sequences, in B. Buchberger, J. Calmet, R. Loos, eds., Computer Algebra, (Springer, Berlin, 1982) [12] T. Schwartz, Fast probabilistic algorithms for veri cation of polynomial identities, J. ACM, 27 (1980), 701{ 717 [13] P. W. Shor, Algorithms for quantum computation: discrete logarithms and factoring, Proc. FOCS, (IEEE, 1994), 124{134 [14] D. R. Simon, On the power of quantum computation, Proc. FOCS (IEEE, 1994), 116{123 [15] R. Smolensky, Private communication, 1995 [16] A. Yao, Quantum circuit complexity, Proc. FOCS (IEEE, 1993), 352{360 [17] A. Yu. Kitaev, Quantum measurements and the Abelian stabilizer problem, Preprint of the Institute for Theoretical Physics, Moscow, October 1995 [18] D. Boneh, R.Lipton, Quantum cryptanalysis of hidden linear functions, Lect. Notes Comput. Sci., 963 (1995), 424{437

6