Quantum Property Testing of Group Solvability

Quan tum Prop ert y T esting of Gr o up Solv abilit y Y oshifumi In ui ⋆, † F ran¸ cois Le Gal l † ⋆ Dep artm ent of Computer Scienc e, The University of T okyo 7-3-1 Hongo, Bunkyo-ku, T okyo 113-00 33, Jap an † ERA TO-SORST Quantum Computa tion and Information Pr oje ct Jap an Scie nc e and T e chnolo g y A gency 5-28-3 Hongo, Bunkyo-ku, T okyo 11 3-0033, Jap an email: legall@qci.jst.go.jp Abstract. T esting efficien tly whether a finite set Γ with a bin ary op eration · o ver it, giv en as an oracle , is a group is a wel l-known op en problem in the field of prop ert y testing. Recen tly , F riedl, Iv an yo s and San tha ha ve made a significan t step in the direction of solving this problem by sho wing that it is p ossible to test efficien tly whether the input (Γ , · ) is an ab elian group or is far, with r esp ect to s ome distance, from an y ab elian group. In this pap er , we mak e a step further and construct an efficient quan tum algorithm that tests whether (Γ , · ) is a solva ble group, or is far from any solv able group. More precisely , the num b er o f queries used by our algorithm is p olylogarithmic in the size of the set Γ. 1 In tro duction In prop ert y testing, th e problem consid ered is to d ecide w hether an ob ject giv en as an oracle has some exp ected prop ert y or is far fr om an y ob j ect ha ving that p rop erty . This is a v ery activ e researc h area and man y p r op erties in cluding algebraic fun ction prop erties, graph prop erties, computational geometry prop erties and regular languages were pro v ed to b e testable. W e refer to, for example, [15, 19] f or surv eys on classica l prop erty testing. Quan tum testers ha ve also b een studied [7, 11, 16], and they are kno wn to b e strictly more p ow erful th an classical testers in some cases [7, 16]. In this pap er, we fo cus on testing group-theoretical pr op erties. A famous example is testing whether a function f : G → H , where H and G are group s, is a homomorphism. It is w ell known that suc h a test can b e done efficien tly [5, 6, 21]. Another kind of problems deals with the case where the inp ut is a finite set Γ and an oracle of a bin ary op eration · : Γ × Γ → Γ ov er it. A classical algorithm testing asso ciativit y of the oracle · u s ing O ( | Γ | 2 ) queries to the oracle has b een constructed by Ra jagopalan and Sc hulman [18 ], and Erg¨ un et al. [8] ha ve prop osed an algorithm, using ˜ O ( | Γ | ) queries, testing if · is close to the multi p lication of a group. But notice that, since eac h elemen t in Γ n eeds Θ(log | Γ | ) bits to b e enco ded, the query complexities of these algorithms can b e considered as exponential in the input length when not Γ, but only | Γ | is giv en (e.g., Γ is supp osed to b e the set of binary strings of length ⌈ log 2 | Γ |⌉ ). Designing an algorithm d eciding whether (Γ , · ) is a group that u ses a n umb er of queries to · p olynomial in log | Γ | is ind eed a wel l-known op en problem. Recen tly , F riedl et al. [10] hav e made a signifi cant step in the direction of solving this p roblem by constructing a classical algorithm with query and time complexities p olynomial in log | Γ | that tests whether (Γ , · ) is an ab elian group or is far from an y ab elian group . In this wo r k , w e make a step further and construct an efficient qu antum algorithm that tests whether (Γ , · ) is a solv able group or the distance b et we en (Γ , · ) and any s olv able group is at least ǫ | Γ | 2 . More precisely , our algorithm uses a num b er of queries p olynomial in log | Γ | and ǫ − 1 , and its time complexity is p olynomial in exp((log log | Γ | ) 2 ) and ǫ − 1 , i.e., sub exp onential in log | Γ | . Notice that the class of solv able groups is f ar m uch larger than the class of ab elian groups and includ es a v ast class of non-ab elian groups. T o deal with those groups, we introd uce new id eas r elying on th e 1 abilit y of qu an tum computation to solv e fundamenta l group-theoretical problems, suc h as fin ding orders of elements or working with su p erp ositions of all the elemen ts of a sub group. Besides the theoretic al in terest of this result, our algorithm can b e used when studyin g group - theoretical problems where the input is a blac k-b o x solv ab le group (i.e., give n as a set a generators and an oracle p erformin g group op erations). Most kno wn algorithms for su c h problems can ha ve an unpr ed ictable b eha vior when the inpu t is not a solv able group. By applying our algorithm we can detect (in the quan tum setting) if the inp ut is far from an y solv able group, and we thus obtain robust v ersions of the quantum algorithms already k n o wn for solv able b lac k-b o x group s [9, 13, 14, 23]. W e also h op e that this will b e usefu l to d esign new quantum prop ert y testers or group-theoretical quan tum algorithms. In particular, our tester may b e useful wh en consid ering quantum v ersions of classical algorithms s olving p roblems o v er blac k-b ox solv able groups [1, 2, 3, 4] as w ell. Finally , w e b eliev e that our qu an tum algorithm ma y also b e a first step in the direction of designing efficien t classical testers for solv able groups. Indeed, the efficien t classical tester f or ab elian groups prop osed by F riedl et al. [10] w as inspir ed b y a quan tum algorithm solving the same p roblem. In this case, they w ere able to “dequ an tumize” the algorithm. A similar ap p roac h may b e p ossible for our algorithm too. 2 Definitions 2.1 Distances b et ween sets Let Γ b e a set and · : Γ × Γ → X a binary op eration o v er it, w here X is some set. W e say that suc h couple (Γ , · ) is a p seudo-magma. If X ⊆ Γ, w e say that (Γ , · ) is a magma. When ther e is no am biguit y w e will denote a pseudo-magma or a magma (Γ , · ) simply b y Γ. W e no w define a distance b et wee n tw o pseud o-magmas. In this pap er we adopt the so-calle d edit distance. This is th e same distance as the one used by F riedl et al. [10]. Define a table of size k as a k × k matrix w ith en tries in some arbitrary set. W e consider thr ee op erations to trans f orm a table to another. An exchange op eration r eplaces elements in a table by arbitrary elemen ts and its cost is the num b er of r eplaced elemen ts. An inser t op eration at index i inserts a r o w and a column of index i . Its cost is 2 k + 1 if the original table is of size k . A d elete op eration at in dex i deletes b oth the ro w of ind ex i an d the column of index i , giving a table of size ( k − 1) × ( k − 1). Its cost is (2 k − 1). Let (Γ , · ) b e a pseud o-magma, with · : Γ × Γ → X . A multiplicat ion table for Γ is a table of size | Γ | with entries in X for which b oth r o ws and columns are in one-to-one corresp ondence with elemen ts in Γ, i.e., there exists a bijection σ : { 1 , · · · , | Γ |} → Γ suc h that the elemen t in the i -th ro w and the j -th column is σ ( i ) · σ ( j ). The distance b et ween tw o pseudo-magmas is defined as follo ws. Definition 1. The e dit distanc e b etwe e n two tables T and T ′ is the minimum c ost ne e de d to tr ans- form T to T ′ by the ab ove e xc hange, i nsert and delete op er ations. The e dit distanc e b etwe en two pseudo-magmas Γ and Γ ′ , denote d d (Γ , Γ ′ ) , is the minimum e dit distanc e b etwe en T and T ′ wher e T (r esp. T ′ ) runs over al l tables c orr esp onding to a multiplic ation table of Γ (r esp. Γ ′ ). F or δ ≥ 0 , we say that a pseudo-magma Γ is δ -close to another pseudo-magma Γ ′ if d (Γ , Γ ′ ) ≤ δ . Otherwise we say that Γ and Γ ′ ar e δ -f ar. Notice that if the sizes of Γ and Γ ′ are the same, then th e edit d istance b ecomes the m inimal Hamming distance of the corresp onding tables. 2.2 Prop ert y testing of group solv abilit y In this p ap er w e assume that th e r eader is familiar with the standard notions of group theory . W e refer to an y standard textb o ok for details. F or completeness, we only recall the definition of 2 solv able groups . Definition 2. A gr oup G is solvable if ther e exists a c ol le ction of sub gr oups G 0 , . . . , G k of G suc h that: (i) for e ach 0 < j ≤ k , the sub g r oup G j − 1 is normal in G j and G j /G j − 1 is cyclic; (ii) { e } = G 0 ⊳ · · · ⊳ G k = G . W e now giv e our definition of a quantum prop ert y tester of group s olv abilit y . W e define suc h a tester as a qu an tum algo rithm A rec eiving as in p ut a magma (Γ , · ). More pr ecisely , the actual input of the algorithm is the v alue | Γ | , and tw o oracles are a v ailable: an oracle that generates random elemen ts in Γ (the details of the implementat ion of this oracle are not essent ial b ecause this oracle w ill only b e u sed in a classical subpro cedu re), and a quan tum oracle that p erforms the binary op eration · . Since th e elemen ts of Γ can b e enco ded by binary strings of length k = ⌈ log 2 | Γ |⌉ , w e iden tify the elemen ts w ith their enco ding and sup p ose that this quantum oracle p erforms the map | g i| h i| c i 7→ | g i| h i| c ⊕ g · h i , where g and h are elements in Γ and c is a string in { 0 , 1 } k . W e denote b y A (Γ) the b eha vior of the algorithm A on an input (Γ , · ) giv en in this wa y . A m ore formal definition of a qu an tum prop ert y tester can b e give n but the follo wing definition will b e su fficien t for our purp ose. Definition 3. L et d b e the distanc e define d in Subse ction 2.1. A quantum ǫ -tester of gr oup solva bility is a quantum algorithm A such that, f or any magma (Γ , · ) , the fol lowing holds:  Pr [ A (Γ) accepts ] > 2 / 3 if d (Γ , S ) = 0 Pr [ A (Γ) r ej ects ] > 2 / 3 if d (Γ , S ) > ǫ | Γ | 2 . Her e we use d (Γ , S ) to r epr esent inf G ∈ S d (Γ , G ) , wher e S denotes the set of finite solvable gr oups. Notice that, a priori, requir ing that the oracle is quantum ma y seem to giv e a prob lem differen t than in the classical setting, where the oracle is classica l. But this is not really the case: if a classical pro cedure that computes the p ro duct g · h from g and h is a v ailable, su c h a quantum oracle can b e effectiv ely constructed usin g standard tec hn iques of quantum computation [17]. The main result of this pap er is the follo wing theorem. Theorem 4. Ther e exists a quantum ǫ - tester of gr oup solvability that uses a numb er of q u eries p olynomial i n log | Γ | and ǫ − 1 . The running time of this algorithm is p olynomial in exp((log log | Γ | ) 2 ) and ǫ − 1 . 2.3 Quan tum algorithms for solv able groups As stated in the f ollo wing theorem, efficien t qu an tum algorithms f or studyin g the stru cture of solv able groups hav e b een constr u cted by W atrous [23]. Our algorithm deeply r elies on these algorithms. Theorem 5. ([23]) L et G b e a solvable gr oup given as a black- b ox gr oup. Then ther e exists a quantum algorithm running in time p olynomial in log | G | that outputs, with pr ob ability at le ast 3/4, t = O (log | G | ) elements h 1 , . . . , h t of G and t inte gers m 1 , . . . , m t such that, if we denote H i = h h 1 , . . . , h i i for 1 ≤ i ≤ t , the fol lowing holds. (a) { e } = H 0 ⊳ H 1 ⊳ · · · ⊳ H t − 1 ⊳ H t = G ; and (b) H i /H i − 1 is cyclic, for 1 ≤ i ≤ t , with | H i | / | H i − 1 | = m i . 3 Mor e over, giv en any 0 ≤ i ≤ t , and any element g in H i , ther e exists a quantum algorithm running in time p olynomial in log | G | that outputs, with pr ob ability at le ast 3 / 4 , the (unique) factor ization of g over H i , i.e., inte gers a 1 , . . . , a i with e ach a k ∈ Z m k , suc h that g = h a i i h a i − 1 i − 1 · · · h a 1 1 . In the algorithm of Theorem 5 , the group is supp osed to b e in put as a blac k-b o x group: the input is a set of strings represen ting a set of generators of the group and an oracle p erform ing the group pro duct is a v ailable. The oracle necessary f or W atrous’s algorithm [23] is the m ap | g i| h i| c i 7→ | g i| h i| c ⊕ g · h i , for any elemen ts g , h ∈ G and any string c in { 0 , 1 } k . Notice that this is the same oracle as the one giv en to a quan tum tester of group s olv abilit y as d efi ned in Subsection 2.2. 3 Our Quan tum Algorithm In this section w e describ e our quant um algorithm. W e first giv e an o ve rv iew of th e algorithm in Subsection 3.1. Then, in S ubsection 3.2, we explain the details. Finally , we analyse its correctness and complexit y in Su bsection 3.3. 3.1 Outline of our algorithm Our algorithm consists of four parts. Decomp osition of Γ W e first constru ct, using Theorem 5, t = O (log | Γ | ) elemen ts h 1 , . . . , h t of Γ that satisfy , if Γ is a solv able group , the r elations { e } = H 0 ⊳ H 1 = h h 1 i ⊳ · · · ⊳ H i = h h 1 , · · · , h i i ⊳ · · · ⊳ H t = h h 1 , · · · , h t i = Γ , w here eac h H i is a subgroup of Γ, normal in H i +1 , suc h th at H i +1 /H i is cyclic. If Γ is a solv able group, this decomp osition giv es a so-called p ow er-conju gate pr esentati on of Γ. If Γ is not a solv able group, these elemen ts h 1 , . . . , h t will still define some pseud o-magmas H 0 , . . . , H t , although in general these sets satisfy no group -theoretic p rop erty (in p articular, th ey are not n ecessarily magmas). T est of em b edding Then, we tak e sufficien tly many element s of Γ and c hec k that they are all in H t . Success of this test imp lies that | Γ \ H t | is s mall enough. Of course, if Γ is a solv able group, th en Γ = H t with high pr obabilit y and this test alw a ys succeeds. Ass ume that Γ is far from an y solv able group ˜ H t . If the test succeed, sin ce the inequalit y d (Γ , ˜ H t ) ≤ d (Γ , H t ) + d ( H t , ˜ H t ) holds for any solv able group ˜ H t , this w ill imply that H t is far from any solv able group ˜ H t to o (b ecause the v alue of d (Γ , H t ) is basically a f u nction of | Γ \ H t | , and th us sm all). Construction of the group G t W e constru ct, using the information ab out the structure of Γ obtained at the first p art of the algorithm, t solv able groups G 1 , . . . , G t and a fun ction ψ : G t → H t in a wa y suc h that, if Γ is a solv able group, then ψ is a group isomorphism from G t to H t . T est of homomorphism Finally , the algorithm will test wh ether ψ is “a lmost” an homomorphism . W e will show th at this test is robust: if ψ is close to an homomorphism , then H t is close to the solv able group G t . If H t is far from any solv able group, then this cannot hold and the homomorph ism test m ust fail with high probabilit y . Again, the similar idea of constructing a group G , a fu nction ψ : G → Γ an d use homomorph ism tests was at the heart of the prop ert y tester for ab elian groups prop osed by F riedl et al. [10] and inspired th is w ork (notice that the F riedl et al. first constru cted a q u an tum prop erty tester for ab elian group s, an d then w ere able to remov e th e quantum part in their algorithm). Ho wev er there are new d ifficulties that arise when considering prop erty testers for solv able grou p s. The fir s t one is 4 that analyzing the decomp osition the H i ’s is more difficult and the p o w er of qu an tum computation seems necessary to p erform this task efficien tly . Th e second complication is that, now, the groups G i ’s we are considering are solv able, i.e., in general not comm utativ e. I n this case, w e h a v e to b e v ery careful in the defi nition of G i and additional tests ha ve to b e d on e to ensure that the G i ’s we define are r eally group s . 3.2 Algorithm Our algorithm app ears in Figure 1 and eac h of the four parts are explained in details in S ubsections 3.2.1 to 3.2.4. If all the tests p erformed succeed, w e decide that Γ is a solv able group. O therwise w e decide that Γ is ( ǫ | Γ | 2 )-far fr om any solv able group. P AR T I : Decomp osition of Γ 1. T ak e O (log | Γ | ) ran d om elements uniform ly and ind ep endently in Γ. 2. Use the fi r st algorithm of Theorem 5 on them and obtain the set { h 1 , . . . , h t } and integ ers m 1 , ..., m t . 3. F or eac h i ∈ { 1 , . . . , t } , use Shor’s order find in g algorithm on h i and obtain some intege r n i . 4. C ompute the decomp ositions of all h m i i and h n i − 1 i · ( h k · h i ) o v er H i − 1 , for i ∈ { 1 , . . . , t } and k ∈ { 1 , . . . , i − 1 } , and c heck the obtained decomp ositions. P AR T I I: T est of em b edding 5. C hec k that | Γ | = m 1 × · · · × m t and | Γ \ H t | / | Γ | < ǫ/ 4. P AR T I I I : Construction of the group G t 6. F or j from 2 to t chec k that Cond itions (a), (b) and (c) of Pr op osition 7 hold. P AR T I V: T est of homomo rphism 7. C hec k that Pr x,y ∈ G t [ ψ ( x ◦ y ) = ψ ( x ) · ψ ( y )] > 1 − η w ith η = ǫ/ 422 . Figure 1: Quan tum ǫ -tester of group solv ability 3.2.1 Decomposition of Γ The fir st step in our algorithm finds a p ow er-conjugate repr esentati on of Γ wh en Γ is a solv able group. W e will p ro ve that wh en Γ is far from an y solv able group, then the output of this step cannot b e a p o we r-conju gate r epresen tation of a group close to Γ and th at this can b e detected by our algorithm at p art I I, I I I or IV. W e b egin by picki n g s = Θ(log | Γ | ) r andom elemen ts α 1 , · · · , α s uniformly and in dep endently from the groun d set Γ. F or s im p licit y , we fi rst sup p ose that Γ is a solv ab le group, and then discu ss the general case. Case where Γ is a solv able group. Denote Γ ′ = h α 1 , · · · , α s i . Th en, with h igh probability , Γ = Γ ′ . Here we rely on the standard fact in compu tational group theory that, f or any group K , Θ(log | K | ) random elemen ts tak en uniformly in K constitute, with high probabilit y , a generating set of K . W e no w run the fi rst algorithm of Th eorem 5 with input Γ ′ present ed as a b lac k-b o x group as follo ws: α 1 , · · · , α s is the set of generators and the op eration · is the oracle p erf orm ing group m ultiplication. The output of the algorithm is then, with high p robabilit y , a set of t elemen ts h 1 , . . . , h t of Γ and t integ ers m 1 , . . . , m t suc h that, if we d enote H i = h h 1 , . . . , h i i for 1 ≤ i ≤ t , the follo wing holds: 5 (a) { e } = H 0 ⊳ H 1 ⊳ · · · ⊳ H t − 1 ⊳ H t = Γ ′ ; and (b) H i /H i − 1 is cyclic for 1 ≤ i ≤ t and satisfies | H i | / | H i − 1 | = m i . W e then u se Sh or’s quantum algorithm [20] to compu te the order n i of eac h h i in Γ. Moreo v er, w e further analyze the structure of Γ ′ and u se the second algorithm of Theorem 5 to decomp ose the elemen ts h m i i and h n i − 1 i · ( h k · h i ) o v er H i − 1 , for eac h i ∈ { 2 , . . . , t } and eac h k ∈ { 1 , . . . , i − 1 } . Notice that, indeed, eac h h m i i and h n i − 1 i · ( h k · h i ) = h − 1 i · h k · h i are in H i − 1 when Γ is a solv able group. W e denote the decomp ositions obtained by h m i i = h r ( i ) i − 1 i − 1 ·  · · · ·  h r ( i ) 3 3 ·  h r ( i ) 2 2 · h r ( i ) 1 1  for 2 ≤ i ≤ t , (1) h n i − 1 i · ( h k · h i ) = h s ( i ) k,i − 1 i − 1 ·  · · · ·  h s ( i ) k, 3 3 ·  h s ( i ) k, 2 2 · h s ( i ) k, 1 1  for 1 ≤ k < i ≤ t, (2) where eac h r ( i ) ℓ and eac h s ( i ) k ,ℓ are in Z m ℓ . (The p aren theses are sup erfl uous when · is asso ciativ e, but not in th e general case we discus s b elo w.) General C ase. In general, w e do not kno w whether Γ is a solv able group or not bu t w e do exac tly the same as ab o ve: we firs t run the fir st algorithm of Theorem 5 on the set { α 1 , · · · , α s } with th e oracle · . If this algorithm errs, we conclude that Γ is not a solv able group (this decision is correct with high probabilit y b ecause, if Γ is a solv able group, then th e algorithm of Th eorem 5 s u cceeds with high probabilit y). No w sup p ose th at w e ha ve obtained element s h 1 , . . . , h t and a set of int egers m 1 , . . . , m t . W e define the follo wing sets by recurren ce: H 1 = { h a 1 | a ∈ Z m 1 } , and, for 2 ≤ j ≤ t , H j = { h a j · h | a ∈ Z m j , h ∈ H j − 1 } . Here, and in many other p laces in th is pap er, w e use the n otation h r , for h ∈ Γ and r ≥ 1, to denote the pro duct h · ( · · · · ( h · ( h · h ))), since · is not in general asso ciativ e. Moreo v er w e use the conv en tion h 0 = h m 1 1 for an y h ∈ Γ. Notice that the v alue of h r can b e compu ted u s ing O (log r ) quer ies to the oracle · usin g rep eated sq u aring metho ds. Notice that, in general, the pseudo-magmas H i ’s ha ve no group-theoretical s tr ucture at all (in particular they may not b e m agmas). W e th en use S hor’s order find ing algorithm [20] on eac h h i and obtain some inte ger n i . Then w e r un the second algorithm of Theorem 5 to decomp ose the elemen ts h m i i and h n i − 1 i · ( h k · h i ) o v er H i − 1 , for eac h i ∈ { 2 , . . . , t } and eac h k ∈ { 1 , . . . , i − 1 } . If the algorithm errs or outputs something irrelev ant, w e conclude that Γ is not a solv able group. Sup p ose that the algorithm succeeds and outputs decomp ositions. W e use the notations of Equations (1) and (2) to d enote the decomp ositions obtained. W e c h ec k whether these decomp ositions are correct, i.e., we compute the right sid es of Equ ations (1) and (2) and chec k that th ey matc h the left s ides. If they are correct, we mov e to the next step (Subsection 3.2.2). Otherw ise, we conclude that Γ is not a solv able group. 3.2.2 T est of em b e dding In the second part of our algorithm, we fir st c h ec k that | Γ | = m 1 × · · · × m t . Th en, w e w ant to chec k whether | Γ \ H t | is small enough. Otherwise we conclude that Γ is not a solv able group. Indeed, if Γ is a group , then with high pr obabilit y (on the c hoice of α 1 , . . . , α s and on th e randomness of the algorithm of Th eorem 5) Γ = H t . More pr ecisely w e c h eck wh ether | Γ \ H t | / | Γ | < ǫ/ 4 holds. In order to p erform this test, we simply tak e c 1 elemen ts of Γ and c heck w hether they are all in H t (b y using th e second algorithm of T heorem 5 and chec kin g the obtained decomp ositions). It is easy to show that, wh en taking c 1 = Θ( ǫ − 1 ), w e can detect w hether | Γ \ H t | / | Γ | > ǫ/ 4 with constant pr obabilit y . 6 3.2.3 Construction of the group G t W e now sho w how to construct an ab s tract group G t defined by the p o we r -conju gate p resen tation found in Part I of our algorithm (Equations (1) and (2) ) when suc h a group exists, i.e., when the present ation is consisten t with the defin ition of a group. W e fir st define by recurrence the family of magmas { G j } 1 ≤ j ≤ t , wh ere eac h G j is equal (as a set) to Z m j × · · · × Z m 1 . G 1 is d efined as the cyclic group ( Z m 1 , +), w here + is th e addition mo dulo m 1 . F or an y i ∈ { 2 , . . . , t } , denote by u i the elemen t ( r ( i ) i − 1 , . . . , r ( i ) 1 ) of G i − 1 and, for any i ∈ { 2 , . . . , t } and k ∈ { 1 , . . . , i − 1 } , denote by v i,k the elemen t ( s ( i ) k ,i − 1 , . . . , s ( i ) k , 1 ) of G i − 1 . Definition 6. Define G 1 = ( Z m 1 , +) and, for 2 ≤ j ≤ t , let G j b e the magma ( Z m j × G j − 1 , ◦ j ) with ( a, x ) ◦ j ( b, y ) =     a + b, φ ( b ) j ( x ) ◦ j − 1 y  if a + b < m j  a + b − m j , u j ◦ j − 1 φ ( b ) j ( x ) ◦ j − 1 y  if a + b ≥ m j wher e φ j : G j − 1 → G j − 1 maps any element ( a j − 1 , · · · , a 1 ) of G j − 1 to th e element φ j (( a j − 1 , · · · , a 1 )) = v a j − 1 j,j − 1 ◦ j − 1  · · · ◦ j − 1  v a 2 j, 2 ◦ j − 1 v a 1 j, 1  of G j − 1 , and φ ( b ) j me ans φ j c omp ose d by itself b times. W e will u sually d enote ◦ j or ◦ j − 1 simply b y ◦ wh en ther e is n o ambiguit y . In order to illustrate this definition, let u s consider the case where all th e H j ’s are solv able groups. In this case, eac h H j = { h a j j · · · · · h a 1 1 | a j ∈ Z m j } is in bijection with Z m j × · · · × Z m 1 (as a set). Fix a j and consider H j . Eac h elemen t h a j j · · · h a 1 1 is asso ciated with the element ( a j , . . . , a 1 ) of G j . No w the elemen t φ j (( a j − 1 , · · · , a 1 )) corresp onds to the elemen t h − 1 j · ( h a j − 1 j − 1 · · · h a 1 1 ) · h j =  h s ( j ) j − 1 ,j − 1 j − 1 · · · h s ( j ) j − 1 , 1 1  a j − 1 · · ·  h s ( j ) 1 ,j − 1 j − 1 · · · h s ( j ) 1 , 1 1  a 1 . In other words, the m ap φ j in G j − 1 corresp onds to the automorphism h 7→ h − 1 j hh j of H j . F or an y t w o elements g and g ′ in H j − 1 , since h a j · g · h b j · g ′ = h a + b j · ( h − b j · g · h b j ) · g ′ w e see that the G j ’s are defined to b e isomorphic to th e H j ’s in the case wh ere the H j ’s are s olv able groups. If th e H j ’s are not group s, then the G j ’s constructed in Definition 6 are not necessarily groups. But w e no w s ho w that when some add itional conditions are satisfied, th e G j ’s b ecome groups. In technical w ords these are necessary and sufficien t conditions to mak e the presentati on of G j a consisten t presenta tion of successive cyclic extensions. In the next prop osition, we d en ote by x j,k , for 1 ≤ k ≤ j ≤ t , the elemen t of G j with one 1 at the index k (from the r igh t) and zeros at all the other ind exes. Prop osition 7. L et 1 < j < t . Supp ose that G j − 1 is a solvable gr oup and, if j ≥ 3 , supp ose additiona l ly that G j − 2 is a solvable gr oup and φ j − 1 is a g r oup automorphism of G j − 2 . Assume that the fol lowing thr e e c onditions hold. (a) x j − 1 ,k ◦ v j − 1 ,j − 1 = v j − 1 ,j − 1 ◦ v j − 1 ,k for al l 1 ≤ k < j − 1 ; and (b) φ j ( u j ) = u j ; and (c) φ ( m j ) j ( x j − 1 ,i ) = u − 1 j ◦ x j − 1 ,i ◦ u j for al l 1 ≤ i ≤ j − 1 . Then G j is a solvable g r oup and φ j is a gr oup automorphism of G j − 1 . 7 Pr o of. I f φ j is an automorph ism of G j − 1 , then Cond itions (b) and (c) im p ly th at G j , as defin ed in Definition 6, is a so-called cyclic extension of G j − 1 and th us a solv able group (see for example [22 , Section 9.8]). W e will sho w b elo w that Cond ition (a) implies that φ j is an end omorp hism of G j − 1 . Since φ ( m j ) j is an automorphism of G j − 1 from Condition (c), φ j is thus an automorphism to o. W e no w pr o v e that φ j is an end omorphism of G j − 1 . If j = 2, then this is ob viously the case: φ 2 is the endomorphism of G 1 = ( Z m 1 , +) mappin g a to av (2) 11 . In the follo w ing w e su pp ose that j ≥ 3. W e first start with a few u seful observ ations. First n otice th at, for an y a and b in Z m j − 1 , the equality φ j (( a + b, e )) = φ j (( a, e )) ◦ φ j (( b, e )), where e denotes the unity element of G j − 2 , holds from the definition of φ j . Also notice that, f or any a in Z m j − 1 and an y x in G j − 2 , the equalit y φ j (( a, x )) = φ j (( a, e )) ◦ φ j − 1 ( x ) holds. An y ele ment z ∈ G j − 2 can b e w ritten in the form z = x α j − 2 j − 1 ,j − 2 · · · x α 1 j − 1 , 1 for some integ ers α 1 , . . . , α j − 2 . Condition (a) then implies that th e equalit y z ◦ v j − 1 ,j − 1 = v j − 1 ,j − 1 ◦ v α j − 2 j − 1 ,j − 2 ◦ · · · ◦ v α 1 j − 1 , 1 = v j − 1 ,j − 1 ◦ φ j − 1 ( z ) holds (sin ce φ j − 1 is an endomorphism of G j − 2 and φ j − 1 ( x j − 1 ,k ) = v j − 1 ,k for any 1 ≤ k < j − 1). More generally , for an y b ∈ Z m j − 1 and an y z ∈ G j − 2 , w e h a v e z ◦ φ j (( b, e )) = z ◦ v b j − 1 ,j − 1 = v b j − 1 ,j − 1 ◦ φ ( b ) j − 1 ( z ) = φ j (( b, e )) ◦ φ ( b ) j − 1 ( z ) . Let a, b b e t wo elements of Z m j − 1 and x, y b e tw o elements of G j − 2 . Putting together the ab o v e observ ations we can write φ j (( a, x )) ◦ φ j (( b, y )) = φ j (( a, e )) ◦ φ j − 1 ( x ) ◦ φ j (( b, e )) ◦ φ j − 1 ( y ) = φ j (( a, e )) ◦ φ j (( b, e )) ◦ φ ( b +1) j − 1 ( x ) ◦ φ j − 1 ( y ) = φ j (( a, e )) ◦ φ j (( b, e )) ◦ φ j − 1 ( φ ( b ) j − 1 ( x ) ◦ y ) = φ j (( a, e )) ◦ φ j (( b, φ ( b ) j − 1 ( x ) ◦ y )) = φ j (( a + b, v ◦ φ ( b ) j − 1 ( x ) ◦ y )) , where v = u j if a + b ≥ m j and v = e otherwise. W e conclude that φ j (( a, x )) ◦ φ j (( b, y )) = φ j (( a, x ) ◦ ( b, y )) , and thus φ j is an endomorphism of G j − 1 . T o illustrate the thr ee conditions of Prop osition 7, let us again consider the case wh ere (Γ , · ) is a group. Then conditions (b) and (c) hold du e to the facts th at u j in G j − 1 corresp onds to the elemen t h m j j and that φ j corresp onds to the automorphism h 7→ h − 1 j hh j of H j − 1 . Condition (a) follo w s from Equation (2). F or eac h j ∈ { 2 , . . . , t } , testing that Cond itions (a) and (b) h old can b e done usin g a num b er of multiplicat ions in the group G j − 1 p olynomial in log | Γ | . The b est kn o wn classical algorithm f or computing p ro ducts in a solv able grou p giv en as a p o wer-co nj ugate p resen tation is an algorithm b y H¨ ofling [12] with time complexit y O (exp((log log | G j − 1 | ) 2 )) = O (exp((log log | Γ | ) 2 )). Not ice th at if Condition (a) holds then φ j is a homomorphism. Then eac h term φ ( m j ) j ( x j − 1 ,i ) in Condition (c) can b e compu ted us in g a n umb er of group pro d ucts p olynomial in log | Γ | b y computing, step by step b y increasing ℓ f rom 0 to ⌊ log m j ⌋ , the v alues φ (2 ℓ ) j ( x j − 1 ,k ) f or all 1 ≤ k ≤ j − 1. The tota l time complexit y of c hecking that all the G i ’s are solv able group s is th u s O (exp((log log | Γ | ) 2 )). No query to th e oracle · is needed. 8 3.2.4 T est of homomorphism W e no w su pp ose that the G i ’s h av e passed all th e tests of P r op osition 7 and thus G t is a solv able group. L et ψ be the su rjectiv e map from G t to H t defined as ψ ( a t , a t − 1 , · · · , a 1 ) = h a t t · ( h a t − 1 t − 1 · ( · · · · ( h a 2 2 · h a 1 1 )) . W e will test wh ether ψ is a h omomorphism from G t to H t . If (Γ , · ) is a solv able group, th en ψ is an h omomorphism by construction. W e n o w show that this test is robus t. Prop osition 8. L et η b e a c onstant su ch that 0 < η < 1 / 120 . Assume that | H t | > 3 | G t | / 4 . Supp ose that Pr x,y ∈ G t [ ψ ( x ◦ y ) = ψ ( x ) · ψ ( y )] > 1 − η . (3) Then ther e exists a solvable gr oup ˜ H t that is (211 η | Γ | 2 ) -close to H t . Pr o of. F rom Cond ition (3), Theorem 2 of [10] implies that there exists a group ( ˜ H t , ∗ ) w ith | ˜ H t | ≤ | G t | , and a h omomorphism ˜ ψ : G t → ˜ H t suc h that: (a) | ˜ H t \ H t | ≤ 30 η | ˜ H t | ; (b) Pr h,h ′ ∈ ˜ H t [ h ∗ h ′ 6 = h · h ′ ] ≤ 91 η ; and (c) Pr x ∈ G t [ ˜ ψ ( x ) 6 = ψ ( x )] ≤ 30 η . Notice that, strictly sp eaking, Th eorem 2 of [10] is stat ed only in the case where H t is a magma, i.e., closed under · . This is n ot the case here b ecause H t ma y not b e a magma, but only a ps eu do- magma. Ho wev er, careful insp ection of the p ro of of Theorem 2 of [10] sho ws that exactly th e same result h olds when H t is a pseudo-magma to o. The distance b etw een ˜ H t and H t is determined by the num b er of elemen ts b eing a memb er of either set and the num b er of p airs of t wo elemen ts for whic h the resu lt of the m ultiplication differ. In particular, this distance has for upp er b ound the cost of the follo wing tr ansform: starting from the table of ˜ H j , we firs t delete ro ws and columns corresp onding to elemen ts in ˜ H t \ H t , inser t ro ws and columns corresp ond ing to element s in H t \ ˜ H t , and then exchange m u ltiplication en tries wh ic h differ b et we en t w o tables. It follo w s fr om (a) and (b) that the n umber of elemen ts in ˜ H t \ H t is less than 30 η | ˜ H t | and the n umber of pairs ( h, h ′ ) ∈ ˜ H t × ˜ H t suc h that h ∗ h ′ 6 = h · h ′ is less than 91 η | ˜ H t | 2 . It remains to show that H t \ ˜ H t is small enough to o and that ˜ H t is a solv able group. Supp ose to wards a contradicti on that | ˜ ψ ( G t ) | < | G t | . Then | ˜ ψ ( G t ) | ≤ | G t | / 2. F rom Condition (c), we obtain | H t | = | ψ ( G t ) | ≤ | G t | / 2 + 30 η | G t | ≤ 3 | G t | / 4. This giv es a contradictio n. Thus | ˜ ψ ( G t ) | = | ˜ H t | = | G t | and ˜ ψ is an isomorphism from G t to ˜ H t . Since G t is a solv able group, ˜ H t is solv ab le to o. Since | H t | ≤ | G t | , it also follo w s that | H t | ≤ | ˜ H t | and th us | H t \ ˜ H t | ≤ | ˜ H t \ H t | ≤ 30 η | ˜ H t | . Deleting | ˜ H t \ H t | ro ws and column fr om the table of ˜ H t costs 2 | ˜ H t || ˜ H t \ H t | − | ˜ H t \ H t | 2 ≤ 60 η | ˜ H t | 2 . Then ins erting | H t \ ˜ H t | rows and columns similarly costs at most 60 η | ˜ H t | 2 to o. Th us the d istance b et wee n H t and the solv able group ˜ H t is at most [(60 + 60 + 91) η | ˜ H t | 2 ] ≤ 211 η | Γ | 2 . More precisely , w e p erf orm the follo w in g test. W e w ant to test whic h of Pr x,y ∈ G [ ψ ( x ◦ y ) = ψ ( x ) · ψ ( y )] = 1 and Pr x,y ∈ G t [ ψ ( x ◦ y ) = ψ ( x ) · ψ ( y )] ≤ 1 − η with η = ǫ/ 422 holds. W e take c 2 pairs ( x, y ) of elemen ts of G t and test w hether they all satisfy ψ ( x ◦ y ) = ψ ( x ) · ψ ( y ). It is easy to sh o w that, wh en taking c 2 = Θ( η − 1 ) = Θ( ǫ − 1 ), w e can decide wh ich case holds with constan t p robabilit y . 9 3.3 Correctness and complexit y W e now ev aluate the p erform ance of our algorithm. This give s the resu lt of Th eorem 4. First, supp ose that the magma (Γ , · ) is a s olv able group. With high probabilit y the set of elemen ts tak en at step 1 of the algorithm of Figur e 1 is a generating set of Γ and the first algo rithm of Theorem 5 succeeds on this set. In this case, eac h of the tests realized at steps 3 to 5 succeeds with high p robabilit y (since the success probab ility of S hor’s algorithm and of the second algo rithm of Theorem 5 can b e amplified), and then all the tests at steps 6 and 7 su cceed with probabilit y 1. Th u s the global error probability is constan t. No w, w e w ould like to sho w that an y magma Γ that is ( ǫ | Γ | 2 )-far from an y solv able group is rejected with high probabilit y . T ak e such a magma Γ. T hen H t is ( ǫ 2 | Γ | 2 )-far from any solv able group ˜ H t or | Γ \ H t | / | Γ | > ǫ/ 4. Th is assertion holds b ecause for an y solv able group ˜ H t , the inequalities ǫ | Γ | 2 < d (Γ , ˜ H t ) ≤ d (Γ , H t ) + d ( H t , ˜ H t ) hold and d (Γ , H t ) = 2 | Γ \ H t || Γ | − | Γ \ H t | 2 ≤ 2 | Γ \ H t || Γ | since H t ⊆ Γ and the op eration is th e same. If the latter holds, it s hould b e rejected with high probabilit y at test 5. No w supp ose that the former holds and that all the s teps 1–6 s u cceed. Then with high prob ab ility | H t | ≥ (1 − ǫ/ 4) | Γ | ≥ 3 | Γ | / 4 = 3 | G t | / 4. F r om Prop osition 8 this implies that Pr x,y ∈ G t [ ψ ( x ◦ y ) = ψ ( x ) · ψ ( y )] ≤ 1 − ǫ/ 422. This is detected w ith h igh pr obabilit y at step 7. The algorithm quer ies th e oracle Γ a num b er of times p olynomial in log | Γ | at ea ch of the steps 1 to 4, and a n umb er of times p olynomial in log | Γ | and ǫ − 1 at s teps 5 and 7. Additional com- putational work is n eeded at steps 6 and 7 to compute a p olynomial num b er of pr o ducts in the groups G i ’s. Since eac h p ro duct can b e d one (without queries) u sing O (exp((log log | G i | ) 2 )) = O (exp((log log | Γ | ) 2 )) time using th e algorithm b y H¨ ofling [12], the total time complexit y of the algorithm is p olynomial in exp ((log log | Γ | ) 2 ) and ǫ − 1 . Ac knowled gmen ts The authors thank anon ymous review ers for h elpf ul commen ts and suggestions. References [1] V. Arvind and N. V. Vino dchandran, Solvable black-b ox gr oup pr oblems ar e low for PP , The- oretical C omputer Science, 180(1- 2), p p. 17–45, 1997. [2] L. Babai and R. Beals, L as V e gas algo rithms for ma trix gr oups , Pro ceedings of the 34th An n ual Symp osiu m on F oundations of Compu ter S cience, pp . 427–436, 1993. [3] L. Babai, G. Co op erman, L. Finkelst ein, E. Luks and ´ A. Ser ess, F ast M onte Carlo algorithms for p ermutation gr oups , J ournal of Computer and System S ciences, 50(2), pp. 296–307, 1995. [4] L. Babai and E. Szemer´ edi, On the c omplexity of matr ix gr oup pr oblems , P r o ceedings of the 25th An n ual IEEE Symp osium on F ou n dations of Computer Science, pp. 229–240 , 1984. [5] M. Ben-Or, D. Copp ersmith, M. Luby and R. Rubinfeld, Non-Ab elian homomorph ism test- ing, and distributions close to their self-c onvolutions , Pro ceedings of the 8th In ternational W orkshop on Rand omizatio n and Computation, pp . 273–28 5, 20 04. [6] M. Blum, M. Luby and R. Ru b infeld, Self-testing/c orr e cting with applic ations to numeric al pr oblems , Pro ceedings of th e 22nd Annual A CM S ymp osium on T h eory of Computing, pp . 73– 83, 1990. [7] H. Buhr m an, L. F ortnow, I. Newman and H. R¨ ohrig, Quantum pr op erty testing , Pro ceedings of the 14th An n ual A CM-SIAM S ymp osium on Discrete Algorithms, pp. 873–882, 2001. 10 [8] F. Erg ¨ un, S. Kannan, R. K umar, R. Rubin feld and M. Viswanathan, Sp ot-che ckers , Jou r nal of Comp uter and System S ciences, 60(3), pp. 717–751, 2000. [9] K. F r iedl, G. Iv any os, F. Magniez, M. Sant ha and P . Sen, Hidden tr anslation and orbit c oset in quantum c omputing , Pr o ceedings of the 35th Annual A C M Sy m p osium on Theory of Com- puting, pp. 1–9, 2003. [10] K . F riedl, G. Iv an y os and M. San tha, E fficient testing of gr oups , Pro ceedings of the 37th Ann u al A CM Symp osium on Theory of C omputing, p p. 157–1 66, 2005. [11] K . F riedl, F. Magniez, M. San tha and P . Sen, Quantum testers for hidden gr oup pr op erties , Pro ceedings of the 28th In ternational Symp osiu m on Mathematical F ound ations of Computer Science, L ecture Notes in Computer Science, 2747, pp. 419–428 , 2003. [12] B. H¨ ofling, Efficient multiplic ation algorithms for finite p olycyclic gr oups , pr eprint , a v ailable at http://www-public.tu-bs.de:8080/ ∼ bho eflin/, 2004. [13] Y. In ui and F. Le Gall, Efficie nt algorithms for the hid den sub gr oup pr oblem over a c lass of semi-dir e ct pr o duct gr oups , Qu an tum Information and Computation, 7(5&6), p p. 559–570 , 2007. [14] G. Iv any os, F. Magniez and M. San tha, Efficient quantum algorithms for some i nstanc es of the non-Ab e lian hidden su b gr oup pr oblem , International Jour nal of F oundations of Computer Science, 14(5), pp. 723–740 , 2003. [15] M. K iwi, F.Mag niez and M. Santha, Exact and appr oximate testing/c orr e cting of algebr aic functions: a survey , Pro ceedings of the 1st Su m mer Sc ho ol on Theoretical Comp uter Science, Lecture Notes in C omputer Science, 2292, pp. 30–83 , 2000. [16] F. Magniez and A. Nay ak, Quantum c omplexity of testing gr oup c ommutativity , Pr o ceedings of the 32nd Internatio nal C olloqu ium on Automata, Languages and Programming, Lecture Notes in Comp uter S cience, 3580, pp.1312–13 24, 2005. [17] M. A. Nielsen and I. L. C h uang, Quantum c omputation and quantum information , Cambridge Univ ersit y Press, 2000. [18] S . Ra jagopalan and L. Sc h ulm an , V erific ation of identities , Pro ceedings of the 37th Ann ual IEEE Symp osium on F oundations of C omp uter Science, p p. 612–616 , 199 6. [19] D. Ron, Pr op erty testing , In Handb o ok of Randomized Comp u ting, Kluw er Academic Pub- lishers, pp. 597–64 9, 2001. [20] P . W. Sh or, Polynomial-time algorithms for prime factorization and discr e te lo garithms on a quantum c omputer , S IAM Jour nal on Compu ting, 26(5), p p. 1484–15 09, 199 7. [21] A. Shpilk a and A. Wigderson, Der andomizing homomorp hism testing in gener al gr oups , Pro- ceedings of the 36th Ann u al A CM Symp osiu m on Theory of Computing, pp. 427–435 , 200 4. [22] C . Sims , Computation with Finitely P r esente d Gr oups , Cam br idge Universit y Press, 1994. [23] J . W atrous, Quantum algorithms f or solvable gr oups , Pro ceedings of the 33rd Ann ual A CM Symp osiu m on Theory of Computing, pp. 60–67, 2001. 11