Zero sum subsequences and hidden subgroups

We propose a method for solving the hidden subgroup problem in nilpotent groups. The main idea is iteratively transforming the hidden subgroup to its images in the quotient groups by the members of a central series, eventually to its image in the commutative quotient of the original group; and then using an abelian hidden subgroup algorithm to determine this image. Knowing this image allows one to descend to a proper subgroup unless the hidden subgroup is the full group. The transformation relies on finding zero sum subsequences of sufficiently large sequences of vectors over finite prime fields. We present a new deterministic polynomial time algorithm for the latter problem in the case when the size of the field is constant. The consequence is a polynomial time exact quantum algorithm for the hidden subgroup problem in nilpotent groups having constant nilpotency class and whose order only have prime factors also bounded by a constant.


Introduction
The standard version of the hidden subgroup problem (HSP for short) is the following.Given a function f on the group G → {0, 1} r with the property that there is a subgroup H such that f (x) = f (y) if and only if x and y are in the same left coset of H, find the subgroup H. Perhaps Kitaev was the first who observed that Shor's factoring and discrete logarithm algorithms can be generalized to solve the HSP in finite abelian groups (and also in certain infinite commutative groups) in polynomial time.Much less is known about the complexity of the problem in non-commutative groups.The most general result is due to Ettinger, Hoyer and Knill.They showed in [EHK04] that the query complexity of the problem in finite not necessarily abelian groups is polynomial.Regarding the time complexity, Kuperberg's subexponential time quantum algorithm [Kup05] for the HSP in dihedral and very similar groups is perhaps the best known result.It has a remarkable extension by Alagic, Moore and Russell [AMR07]to a special HSP in a class including non-solvable groups.There are some classes of groups in which the HSP can be solved in polynomial time.See the survey papers by Lomont [Lom04] and by Wang [Wan10] for early results of this kind.The paper [LK07b] by Lomonaco and Kauffman proposes interesting derivatives and generalizations of the Shor-Kiteav algorithm.The paper [HK18] by Horan and Kahrobaei discusses cryptographic aspects of the HSP and reports also on more recent results.The hidden shift problem in abelian groups (and hence the HSP in the related semidirect product groups) appears to be quite popular in post-quantum cryptography, see, e.g., [CM23] by Castryck and Vander Meeren and [AR17] by Alagic and Russell.In [BL21], Bae and Lee propose a polynomial time solution to a continuous version of the hidden shift problem.
A quantum procedure is exact if it returns a correct output (after a final measurement) with probability one.Besides that exact quantum algorithms can be considered as counterparts of deterministic classical methods, their measurement-free versions can serve as ingredients of larger unitary procedures.The method of [EHK04] has an exact version, so it is natural to ask that in which classes of groups can the HSP be solved by an exact quantum algorithm in polynomial time.Brassard and Hoyer [BH97] presented a polynomial time exact method that works in Z n 2 .In [CQ18], Cai and Qiu proposed a simpler efficient exact method for Simon's problem (a special, though arguably the hardest instance of the HSP in Z n 2 ).Efficient exact algorithms with optimal query complexity for the HSP in Z n 2 appeared independently in [Bon21] by Bonnetain and in [WQT + 22] by Wu et al.Mosca and Zalka in [MZ03] proposed an efficient exact solution of the discrete logarithm problem in cyclic groups of known order.An exact quantum algorithm for the HSP in Z n m k for general m was presented recently in [II22], settling the case of abelian groups under the assumption that a multiple of the prime factors of the order of the group is known.
In this paper we present an approach to solving the hidden subgroup problem in nilpotent groups that have nilpotency class O(1).Our main result is a polynomial time exact quantum algorithm for the HSP in such groups only having prime factors also of size O(1) in their order.We assume that the group G is given as a black-box group with unique encoding.The main strategy of our algorithm is essentially a reduction to instances of the hidden subgroup problem in quotient groups of subgroups of G.We choose an input model suitable for such a reduction.
In the standard version, the input is given by an oracle which is a unitary map computing |x |f (x) from |x |0 .The usual hidden subgroup algorithms start with computing the superposition 1 √ |G| x∈G |x |f (x) using the oracle and most of them ignore the second register that holds the value of f and work with the coset superpositions |xH = 1 √ |H| y∈H |xy in the sequel, see e.g., [LK07b].These methods, as noted in [Kup05], remain applicable in the context where the oracle is assumed to generate copies of a mixture of the coset superpositions.This holds in particular in the case of the exact abelian hidden subgroup algorithm of [II22].
Specifically, we consider the state is referred to as a (hidden) subgroup state.We assume that our hidden subgroup H is given by a unitary map (referred as oracle) that, on zero input, returns a copy of an arbitrary (though fixed) purification of the subgroup state Ξ G,H .
It will be convenient to introduce a subtask of the HSP, namely computing the hidden subgroup modulo the commutator subgroup of G, that is, the subgroup HG ′ where H is the hidden subgroup.We use the shorthand HSMC for this problem.To illustrate the power of HSMC in nilpotent groups note that it naturally includes the commutative case of the HSP and that having computed the subgroup HG ′ and it is a proper subgroup of G then we can descend to it to compute H, while if HG ′ = G then H = G because in a nilpotent group every maximal subgroup contains the commutator.
We give a high-level description of a strategy for solving the problem HSMC in a class of nilpotent groups.We call a group G semi-elementary if G is a p-group for some prime p such that G/G ′ is elementary abelian.In a semielementary group G, our strategy for computing the hidden subgroup modulo the commutator is based on iterating the following procedure.Assume that L is an elementary abelian subgroup contained in the center of G. Then we create a copy of the subgroup state corresponding to HL/L in the quotient group G/L from sufficiently many copies of the subgroup state for H in G.We refer to this procedure (as well as some simpler ones) as subgroup state conversion.This conversion is based on finding zero sum subsequences of sufficiently long sequences of elements of L. Eventually, in c−1 rounds of iteration, where c is the nilpotency class of G, we compute a copy of the subgroup state corresponding to HG ′ /G ′ in G. (The semi-elementary property ensures the existence of a standard central series of length c with elementary abelian factors.)Finally, from sufficiently many copies of such subgroup states we compute HG ′ /G ′ using the exact abelian hidden subgroup algorithm of [II22].Fortunately, semi-elementary groups occur as factor groups of subgroups of nilpotent groups frequently enough to make a reduction from the HSP to the special case of HSMC possible, see Proposition 1 for details.The main result we obtain is the following.
Theorem 1. Suppose that G is a nilpotent group of class bounded by a constant and that the prime factors of |G| are also bounded by a constant.We assume that G is a black-box group with unique encoding of elements by ℓ-bit strings.Then there is an exact quantum algorithm that solves the hidden subgroup problem in G using poly(ℓ) operations and poly(log|G|) calls to the subgroup state creating oracle and its inverse.
Related results.In the exact setting, [II22] efficiently solves the abelian case without the restriction on the prime factors of |G|.There are quite a few related non-exact polynomial-time algorithms.Among them, the result of [FIM + 14], which solves the HSP in solvable groups that have derived series and exponent bounded by constants, is perhaps the closest to Theorem 1.This class of groups covers the groups for which our result is applicable, except those that have exponent divisible by large powers of small primes.Note however, that the case of these groups could be efficiently treated by a combination of the reduction of Proposition 1 with the algorithm of [FIM + 14].We remark that the semidirect product group in which the HSP is equivalent to the hidden shift problem over Z n 2 k is a nilpotent group of class k.Bonnetain and Naya-Plasencia [BNP18] propose a non-exact method whose main ingredient can be considered as a combination of Kuperberg's sieve with finding zero sum subsequences in Z n 2 using linear algebra.
The case of nilpotency class at most two is efficiently treated by the non-exact method of [ISS12], without any restriction on the size of the prime factors of |G|.It is worth mentioning that by technical content, [ISS12] can be considered as the closest relative of the present paper.The idea of reducing the HSP to HSMC stems from there and many ingredients of the reduction appeared in that paper.Also, the key tool of [ISS12], using several coset superpositions and the quantum Fourier transform of a central subgroup can be considered as some (though less transparent) form of subgroup state conversion.In the class two case, however, there is a more powerful tool to cancel out characters of the subgroup: one can also apply twists with certain nice automorphisms of the group that do not change the hidden subgroup too much.Unfortunately, such automorphisms do not exist in general nilpotent groups of class greater than two.
The methods of [DHIS14,IS17] offer efficient solution to the HSP in certain nilpotent groups of higher class, again with potentially large prime factors in there orders.These groups have a normal subgroup with an abelian factor group of restricted kind (e.g., cyclic).These methods as well as that of [FIM + 14] are of highly non-exact nature.Probably, the technique of [DHIS14] can be made exact with some efforts.
The Davenport constant S(A) of a finite abelian groupA is the smallest number s such that any sequence of s elements of A contains a nonempty subsequence adding up to the zero element of A. The name comes from that H. Davenport proposed determining S(A) in the case when A is the ideal class group of a number field as a measure for non-uniqueness of factorization of the integers of the field.The general problem has become a famous question of additive combinatorics.Olson [Ols69] determined the exact value of the Davenport constant of p-groups; in particular for Z n p it is 1 + n(p − 1).What we are looking for is an "effective" Davenport constant: what is the smallest number S ′ = S B (A) such that from any sequence of S ′ elements of A, algorithm B finds a non-empty zero sum subsequence in time polynomial in S ′ log|A| (roughly this is the bit size of the input sequence).In this paper we give a deterministic algorithm B running in time poly(n), that, for p = O(1), given a sequence of S B (Z n p ) = poly(n) vectors from Z n p , returns a zero sum subsequence.The structure of the rest of the paper is the following.In Section 2, we give some background material on exact quantum procedures, on nilpotent blackbox groups and on computations with them, on (hidden) subgroups states and their purifications and present methods to convert subgroup states in the entire group to those in subgroups and -in certain very easy cases -in factor groups.Proposition 1, the existence of an exact polynomial time reduction from the HSP in general nilpotent groups to the problem HSMC in semi-elementary groups is proved in Section 3. Section 4 is devoted to converting several copies of a subgroup state in a semi-elementary group to a copy of a subgroup state in the abelian factor of the group.As an application of the technique, we prove Proposition 2 which tells us that we can solve by a polynomial time exact quantum algorithm the problem HSMC in a semi-elementary p-group of constant nilpotency class provided that we can find zero sum subsequences of sequences consisting of poly(n log p) vectors from Z n p in time poly(n log p).In Section 5, we prove Theorem 2 on efficiently solvability the latter task in the case when p is bounded by a constant.Propositions 1 and 2, together with Theorem 2, immediately imply Theorem 1. Section 6 is devoted to concluding remarks.

On exact quantum computations
To obtain sufficiently general intermediate results, we use the model of uniform circuit families described by Nishimura and Ozawa [NO05].This is because some of the exact methods of [II22] as well as our main conversion technique work under the assumption that the quantum Fourier transforms and their inverses modulo the prime factors of |G| can be exactly implemented.As it is pointed out in [NO02], this task cannot be accomplished using a fixed finite gate set.For the sake of transparency, we state our intermediate result using assumptions on availability of the quantum Fourier transforms rather than on gates required by the exact implementations of them.(See the implementation of the Fourier transform modulo general numbers proposed by Mosca and Zalka [MZ03].)Note however, that for the case of our Theorem 1, where these primes are assumed to be bounded by a constant, a constant number of gates are sufficient and hence, by [NO09], the theorem remains valid in the quantum Turing machine model of Bernstein and Vazirani [BV97].

Groups
For standard notations and concepts from group theory such as subgroups, normal subgroups, cosets, conjugates, commutators, commutator subgroup, center, etc., we refer the reader to the textbooks, e.g., to [Rob95].For subsets U and A finite group is nilpotent if and only if it is the direct product of its Sylow subgroups.
To obtain sufficiently general results, we work over black-box groups with unique encoding of elements.The concept captures various "real" groups such as permutation groups and matrix groups over finite fields.Elements of a blackbox group are represented by binary strings of a certain length ℓ and the group operations are given by oracles and as input, a generating set for the group is given.Subgroups will also be given by sets of generators.One can use the exact polynomial time quantum membership test of [II22] to reduce the size of generating sets to at most log|G|.
During the rest of this part, we assume that G is a nilpotent black-box group of class c and the prime factors of |G| are known.
For a normal subgroup N of G, the subgroup [G, N ] is a normal subgroup of G contained in N .If Γ and ∆ are sets of generators for G and N , respectively, a generating set for [G, N ] can be obtained by taking the commutators [x, y] for x ∈ Γ, y ∈ ∆ and then adding iterated commutators with elements of Γ until the subgroup generated by the elements stabilizes.For testing stabilization, one can use the exact quantum subgroup membership algorithm of [II22].This gives a polynomial time exact method in particular to compute the lower central series.
Below we describe efficient solutions to some further group theoretic tasks that we use in our hidden subgroup algorithm.The p-Sylow subgroup of G can be computed as follows.Let Γ be a generating set for G. Then for each g ∈ Γ we compute the order o g of g and decompose o g as the product p α o g ′ where o g ′ is coprime with p. Then the g og ′ (g ∈ Γ) generate the (unique) p-Sylow subgroup of G.We shall compute hidden subgroups in G by computing the intersections with the Sylow subgroups.
The normalizer of a subgroup of G can be computed using the deterministic polynomial method of Kantor and Luks [KL90].It was originally described for nilpotent permutation groups but it also finds normalizers in any nilpotent black box group of order having small prime factors only.
Assume that L is a subgroup of G.It will be useful to decompose elements x of G as products of the form α L (x)β L (x) where β L (x) ∈ L and α L (x) depend only on the coset xL.(Thus the range of α L is a transversal of L in G.) To this end, compute a chief series (a series of normal subgroups with cyclic factors of prime order) G = K 0 > K 1 > . . .> K r = 1.Perhaps the easiest way to obtain such series is taking a refinement of the lower central series.By taking the subgroups K i L, and removing repeated elements, we obtain a subnormal series G = M 0 > M 1 > . . .> M s = L with cyclic factors of prime order.Also take elements a i ∈ M i−1 \ M i and denote by p i the order of M i−1 /M i (i = 1, . . ., s).Then the elements a γ1 1 a γ2 2 . . .a γs s ((γ 1 , . . .γ s ) ∈ s i=1 Z pi ) are a left transversal of L in G.For an element x ∈ G, the representative of the coset in this transversal can be computed as follows.First we find the smallest non-negative integer γ 1 such that xa −γ1 1 ∈ M 1 by computing the base a 1 discrete logarithm of x modulo M 1 .This can be done by solving an instance of the hidden subgroup problem in Z 2 p1 .Specifically, we define the function (β, γ) → |x γ |a −β 1 M 1 .The function can be evaluated with the aid of computing the uniform superposition |M 1 using the exact version [II22] of Watrous's method [Wat01].The values are p pairwise orthogonal states and the hidden subgroup is {(δ, γ) : We use the exact hidden subgroup algorithm of [II22] to find a generator of this group.From this, γ 1 can be obtained in an obvious way.Now we proceed with xa −γ1 1 to compute γ 2 , and so on.We set α L (x) = a γ1 1 . . .a γr r and β L (x) = α L (x) −1 x.If L is a normal subgroup of G, we can encode the coset xL by α L (x).This makes the factor group G/L a black-box group: the elements are encoded by the elements of the transversal {α(x); x ∈ G} and the multiplication oracle is obtained as a composition of the multiplication oracle for G with the computation of the function α L .

Subgroup states and purifications
Let G be a finite group and let H be a subgroup of G.We consider elements of the group algebra CG as pure quantum states.(The "natural" scalar product ( x α x |x , y α y |y ) = αβxy −1 makes CG a Hilbert space where the group elements form an orthonormal basis.) A A purification of Ξ G,H is any pure state |ψ ∈ CG ⊗ V for some Hilbert space V such that Ξ G,H is the relative trace of |ψ ψ| with respect to the second subsystem.For general facts about purification of mixed states, in particular for the connection with Schmidt decompositions, we refer the reader to Section 2.5 of [NC10].The following lemma gives a characterization of purifications of subgroup states.

Basic subgroup state conversions
Given a subgroup L of G, a copy of (a purification of) the subgroup state Ξ G,H can be "converted" to a copy of (a purification of) Ξ ) are equal (i = 1, 2), while otherwise they do not overlap as for y 1 , y 2 ∈ Y either |y 1 and |y 2 are orthogonal or (for y 1 = y 2 ) |ψ(y 1 x 1 ) and |ψ(y 1 x 2 ) are orthogonal.We shall refer to this procedure as restriction.The term is justified by that in the standard version of the HSP, one could obtain an instance of the HSP in the subgroup L by restricting the "hiding function" to L.
Similarly, assume that L is a normal subgroup of G contained in H. Then a copy of (a purification of) the subgroup sate Ξ G,H can be converted to a copy of (a purification of) Ξ G/L,H/L by replacing x with |α L (x) |β L (x) and passing |β L (x) to the purifying subsystem.This corresponds to the technique called "pushing" in [LK07a,LK07b].

A group-theoretic reduction
In this section we prove the following.
Proposition 1.Let G be a nilpotent black-box group of class at most c and assume that the prime factors of |G| are given as part of the input and that for each such prime p the quantum Fourier transform modulo a multiple of p and its inverse can be implemented by an efficient exact quantum procedure.Then, the HSP in G can be reduced by an exact procedure in time poly(log ℓ) to poly(log|G|) instances of the problem HSMC in semi-elementary quotient groups of subgroups of G. (The elements of G are assumed to be uniquely encoded by strings of length ℓ.) Proof.A finite nilpotent group G is the direct product of its Sylow subgroups.Therefore any subgroup H is the product of its Sylow subgroups.The p-Sylow subgroup of H is P ∩ H where P is the p-Sylow subgroup of G.The Sylow subgroups of G can be computed using the method outlined in Subsection 2.2.One can convert subgroup states in G to subgroup states in P using restriction, see Subsection 2.4.
In the rest of the description of the reduction we assume that G is a p-group.We maintain a subgroup H 0 of H. Initially H 0 = {1 G }.In each round of an outer loop of the algorithm H 0 will be increased if H 0 < H.If H 0 is already G then we can obviously stop.We will also maintain a subgroup K of G such that if H 0 < H then even H 0 < K ∩ H. Initially K = N G (H 0 ).This is a good choice because in a nilpotent group every proper subgroup has a strictly larger normalizer, therefore if H 0 < H then H 0 < N H (H 0 ) = H ∩ N G (H 0 ).In an inner loop K will be decreased until either H 0 is increased or K becomes identical with H 0 .In the latter case we can conclude that H = H 0 and stop the whole procedure.If the abelian factor K/(K ′ H 0 ) is not elementary then we can replace K with a proper subgroup as follows.Let L > K ′ H 0 be the subgroup of K such that L/(K ′ H 0 ) contains all the elements of order p of K/(K ′ H 0 ).To compute L, first compute K ′ and K ′ H 0 .Then take the set of generators Γ for K and for each element g ∈ Γ, compute the smallest positive integer α g such that g p αg ∈ K ′ H 0 .The elements g p αg −1 (g ∈ Γ) generate L. If L is a proper subgroup of K then we replace K with L and repeat the step above.(Correctness of this is justified by observing that L/H 0 contains all the elements of order p of K/H 0 , whence if H ∩ K > H 0 then also H ∩ L > H 0 .)Otherwise we have achieved that K/(K ′ H 0 ) is elementary abelian.Then we compute (H ∩ K)K ′ /H 0 using HSMC.If (H ∩ K)K ′ = K then H ∩ K = K because K ′ is contained in every maximal subgroup of K. Then we can increase H 0 by replacing H 0 with K and continue the outer loop.If (H ∩ K)K ′ < K we can replace K with (H ∩ K)K ′ and continue the inner loop.
Based on the descriptions above, we summarize the exact algorithm in the pseudocode below.

23: end while
If |G| = p n then the outer loop is executed at most n times while within each round of the outer loop the inner loop has at most n rounds.Thus we need at most n 2 calls to the HSMC procedure for factors of subgroups of G and further n 2 poly(ℓ) group and other operations.Note that all the groups we need to apply the HSMC procedure are of class at most c because the family of nilpotent groups of class at most c is closed under taking subgroups and factor groups.

The main conversion
Let L be a subgroup of the center of G isomorphic to Z n p where p is a prime.Then L is a normal subgroup of G. Our aim is to convert a copy of the subgroup state Ξ G,H to a copy of Ξ G/L,HL/L .In the light of the second conversion ("pushing") described in Subsection 2.4, one could do it by converting first to a copy of Ξ G,HL .
To this end, it would be desirable to have a procedure that converts the coset superposition |aH to |aHL .A possible approach would be comput- Using the assumption that L is in the center of G, a direct calculation shows that for every x 1 , x 2 ∈ G, we have It is also straightforward to see that for every x ∈ G and for every w ∈ L, we have We define the support of an element |u of CG as the set of elements appearing with nonzero coefficient in the decomposition of |u as a linear combination of group elements.Using equality (1), one can show that if x 1 and x 2 are not in the same left coset of LH then the states |P y (aH)x −1 1 and |P y (aH)x −1 2 are orthogonal.This is because the support of |P y (aH)x and the two states are equal.By the characterization given in Lemma 1, it follows that for any left coset aH, the state 1 Of course it is hopeless to enforce y = 0 in |P y (aH)x −1 1 .However, we can compute a state with essentially the same effect using several copies of the subgroup state and by applying an algorithm that finds zero sum subsequences of sufficiently long sequences of elements of L. Assume that we have a procedure that, for some S = S(p, n), given an element y = (y 1 , . . ., y S ) ∈ L S computes a non-empty subset J(y) of {1, . . ., S} such that j∈J(y) y j = 0.
Then, for a sequence |a 1 H . . .Consider the term of |ψ(x) corresponding to any y.As J(y) is non-empty, we have that for x 1 , x 2 not in the same left coset of LH, the appropriate terms of |ψ(x i ) are orthogonal.As |y also appears in the corresponding term, we have that |ψ(x i ) are also orthogonal.On the other hand, if x 1 , x 2 are in the same left coset of H then these states are equal term by term.Finally, for x ∈ L, by (2, the term for y only gets a phase change by j∈J (y)ω −(yj ,x) = ω j∈J(y) (yj ,x) = ω 0 = 1 by the choice of J(y).It follows that if x 1 and x 2 are in the same left coset of LH, |φ(x 1 ) = |φ(x 2 .Thus our state is a purification of Ξ G,LH .As this holds for any fixed S-tuple of left cosets of H, by linearity we also obtain a purification of Ξ G,LH if we apply the procedure to copies of a purification of Ξ G,H .We obtained the following. Lemma 2. Assume that we have an exact quantum procedure (e.g., a deterministic polynomial time algorithm) that, given any sequence y 1 , . . ., y S of S = S(p, n) elements of Z n p , in time T (p, n) ≥ S(p, n) finds a non-empty subset of {1, . . ., S} such that j∈J y j = 0. Then we have an exact quantum procedure using n quantum Fourier transforms modulo p that converts S(p, n) copies of (a purification) of Ξ G,H to a copy of (a purification of ) Ξ G/L,HL/L where L is subgroup of the center of G isomorphic to Z n p in time T (p, n) poly(log |G|).
Using the lemma in iteration and applying the exact abelian hidden subgroup algorithm of [II22], we can derive the following.
Proposition 2. Let G be a semi-elementary black-box group with unique encoding of order p n .Assume that the quantum Fourier transform modulo p and its inverse can be implemented by an efficient exact algorithm and that, like in Lemma 2, we have an exact method to find zero sum subsequences of sequences of S(p, n) elements of Z n p in time T (p, n) ≥ S(p, n).Then the problem HSMC can be solved by an exact quantum algorithm that uses poly(T (p, n) O(c) ℓ) elementary operations, poly(T (p, n) O(c) log |G|) applications of the group oracle, calls to the oracle computing the purification of the subgroup state; and the inverses of these.(The elements of G are assumed to be uniquely encoded by strings of length ℓ.) Proof.We compute the lower central series G = G 0 > G 1 > . . .> G c = {1} using the method presented in Subsection 2.2.As G/G ′ is elementary abelian, so are the factors G i−1 /G i (i = 1, . . ., c).This is because the factor groups G i−1 /G i are homomorphic images of tensor powers (as Z-modules) of the G/G ′ , see Theorem 5.2.5 of [Rob95].Also, isomorphisms of G i−1 /G i with Z ni p can be efficiently computed using the method of [II22].Iteration of Lemma 2 gives a procedure to convert c i=2 S(n i ) copies of a purification of Ξ G,H to a copy of a purification of Ξ G/G ′ ,HG ′ /G ′ .The composition of instances of the original subgroup state creating procedure (the calls to the oracle) with the conversion gives a procedure for creating a purification of Ξ G/G ′ ,HG ′ /G ′ .We can use this as the oracle input for the exact hidden subgroup algorithm of [II22] in Z n1 p .For i = 1, . . ., c, we have S(p, n i ) ≤ S(p, n) and T (p, n i ) ≤ T (p, n) because Z ni p can be embedded in Z n p as a subgroup.
In the non-exact setting, essentially the same proof gives the following.5 Zero sum subsequences in Z n p In this section, we assume that our input is a sequence of vectors from Z n p .We also assume that p is an odd prime as for p = 2 a zero sum subsequence can be obtained from n + 1 vectors in the form of a zero linear combination.As subsequences can be represented as subsets of the index set, it will not be too misleading to use the term (sub)set for a (sub)sequence.Our strategy will be finding p pairwise disjoint subsets of input vectors having equal sums.We will achieve this goal by designing a method for finding a nontrivial pair of subsets having equal sum and then, like in [IS17], applying the algorithm recursively to obtain 4, 8, 16, etc. disjoint subsets with equal sum.
Note that a pair of disjoint subsets with equal sum can be interpreted as a representation of the zero vector by a linear combination of the input vectors with nonzero coefficients 1 or −1 only.Based on this, it will be convenient to use the term signed subsets and signed subset sums.A signed subset of a set S of vectors is formally a function from S to the set {0, 1, −1}.The support of such a signed subset is the set of elements on which the function takes nonzero values.With some sloppiness, we use the term signed subset sum to refer both to the signed subset and to the value of the signed sum.(Technically, a signed subset sum could be a data structure consisting of the description of the signed subset and the value.)We call two or more subset sums disjoint if their supports are pairwise disjoint.Based on the observation that a signed subset sum of vectors that are results of pairwise disjoint subset sums is again a signed subset sum of the original vectors, one can build signed subset sums hierarchically from smaller disjoint signed subset sums.The trivial subset sum corresponds to the empty set with the zero vector as value.
A linear relation (or just relation for short) among a collection of vectors is an array of coefficients such that the corresponding linear combination is the zero vector.It is often useful to omit the vectors to which coefficient zero are assigned.By taking the signed subsets of the vectors having the same or the opposite coefficient in a linear relation, we obtain a linear relation among pairwise disjoint signed subset sums in which the coefficients are form {1, . . ., p−1 2 } and each coefficient appears at most once.We call such a relation of signed subset sums standard.
We shall build standard linear relations among signed subset sums with smaller and smaller coefficients (among increasingly larger subset sums).The key idea is constructing first (p−1) 2 4 pairwise signed subset sums arranged in a square matrix having a relation in each row as well as in each column and subtracting the sum of higher half of "horizontal" relations from the sum of the higher half of the "vertical" relations to obtain a relation with coefficients between 1 and p−1 4 , and iterating the construction.We give the details in the following lemma and its proof.(We present a version that even saves up maintaining the first half of vertical relations.)Lemma 3. Let d be a positive integer.Assume that there is a deterministic procedure A that, given h(d, n) vectors from Z n p , in time poly(h(d, n) log p) finds d pairwise disjoint signed subset sums v 1 , . . ., v d of the input vectors, not all empty, such that d i=1 iv i = 0. Then there also exists a deterministic procedure that, given h(d, n)h(d, ⌈d/2⌉n) vectors, in time poly(h(d, n)h(d, ⌈d/2⌉n) log p) finds pairwise disjoint signed subset sums w ′ 1 , . . ., w ′ ⌊d/2⌋ , not all empty, such that ⌊d/2⌋ i=1 iw ′ i = 0.
Proof.We divide the input set into h(d, ⌈d/2⌉n) pairwise disjoint parts of size h(d, n).We apply procedure A within each part.This way for each k = 1, . . ., h(d, ⌈d/2⌉n), we get d pairwise disjoint subset sums u k1 , . . ., u kd , not all empty, such that d j=1 ju kj = 0.For each k we consider the concatenation u k of the vectors u kj (j = ⌊d/2⌋+ 1, . . ., d).These are vectors of dimension ⌈d/2⌉n.We apply procedure A to find pairwise disjoint signed subsets M 1 , . . ., M d such that d i=1 iu ′ i = 0, where u ′ i is the signed sum of the u k s corresponding to the signed subset M i .Now for each 1 ≤ i ≤ d, u ′ i is the concatenation of vectors w ij (j = ⌊d/2⌋ + 1, . . ., d).Here, for 1 ≤ i, j ≤ d, w ij stands for the signed subset sum obtained by joining the signed subset sums u kj according to the signed subset M i .The signed subset sums w ij are pairwise disjoint, not all of them are empty and they satisfy the relations We subtract the sum of the last ⌈d/2⌉ ("horizontal") relations of the second kind from the sum the ⌈d/2⌉ ("vertical") relations of the first kind and obtain the relation Notice that for ⌊d/2⌋ + 1 ≤ i, j ≤ d, we have |i − j| ≤ ⌊d/2⌋.Therefore, by flipping signs where appropriate and then joining the signed subsets with equal coefficients, we obtain pairwise disjoint subset sums w ′ 1 , . . ., w ′ ⌊d/2⌋ with ⌊d/2⌋ i=1 iw ′ i = 0.The subset sums w ′ i can all be empty only if each w ij is empty when i = j and at least one of i and j is greater than ⌊d/2⌋.Assume that this is the case.Then, if there is an index i > ⌊d/2⌋ such that w ii is non-empty then w ii must be itself a nontrivial zero subset sum and gives a one-term solution.Otherwise not all w ij are empty for i, j ≤ ⌊d/2⌋ and ⌊d/2⌋ i,j=1 iw ij = 0. Iterated application of the method of Lemma 3 gives the following result.
Proposition 4. Given S ± (p, n) = p O(p log p) n O(p) vectors from Z n p , a nontrivial signed subset sum representing the zero vector can be found in deterministic time poly(S ± (p, n)).

Proof. Put d
p a nontrivial linear relation can be found in time poly(n log p), recursive applications of Lemma 3 gives that among h ⌊log d0⌋ (n) vectors a single nontrivial signed subset sum (that is, a linear relation with nonzero coefficients ±1 only) can be found in time poly(h ⌊log d0⌋ (n) log p).We show by induction that (3) For i = 0, both sides are equal to n + 1. Assume that the inequality holds for 0 ≤ i < ⌊log d 0 ⌋.Then we also have (⌈d i /2⌉n + 1) 2 i .
We interpret a non-empty zero sum signed subset as a non-trivial collision between two disjoint subset sums.(Non-trivial means that at most one of the subsets can be empty.)We use the short term collision for such a pair.We have the following.
Proposition 5. Suppose that there is an algorithm B that, given a set of vectors from Z n p of size S ± (p, n) finds a collision.Then there is a deterministic procedure that, given S ± (p, n) ⌈log p⌉ vectors, finds a nontrivial zero sum subset using less than S ⌈log p⌉ ± applications of algorithm B and poly((S ± (p, n)) ⌈log p⌉ ) other operations.
Proof.Put S = S ± (p, n) and ℓ = ⌈log p⌉.We start with finding a collision (H + 1 , H − 1 ) among the first S vectors with common sum w 1 using algorithm B. We continue with the next S input vectors and find a collision (H + 2 , H − 2 ) with sum w 2 , and so on.We then take the first S subset sums w 1 , . . ., w S and find a pair of disjoint subsets (K + , K − ) of {1, . . ., S}, not both empty, such that i∈K + w i = i∈K − w i = w.The four subsets L ++ = i∈K + H + i , L +− = i∈K + H − i , L −+ = i∈K − H + i , and L −− = i∈K − H − i of input vectors are pairwise disjoint, not all empty and have common sum w.Iterating this we end up with at least p pairwise disjoint subsets (not all empty) with equal sum.If one of these sets is empty then the common sum is zero and we can take any of the non-empty subsets.Otherwise the union of the first p of the subsets has zero sum.The total number of applications of the collision finding algorithm B is S ℓ−1 + . . .+ S + 1 < S ℓ .Propositions 4 and 5, together with the remark on the case p = 2 immediately give the following.
Theorem 2. There is a deterministic algorithm that, given a sequence of S(p, n) = p O(p log 2 p) n O(p log p) vectors from Z n p , finds a non-trivial zero sum subsequence in time poly(S(p, n)).
A. As the sums are random vectors, in each group, procedure A succeeds with probability at least δ and, with probability at least 1 2 , A will succeed in at least S groups.If this is the case then we choose S "lucky" groups, in each group take the sum of the random vectors corresponding to the members of the zero sum subsequences.We apply algorithm A for these S sums.It finds a nontrivial zero sum subsequence with probability at least δ.Finally, we take the union of the corresponding subsequences.This way we obtain a procedure that finds a nontrivial zero sum subsequence of every sequence of length 1 δ • S 2 in time poly(T + 1 δ • ST ) with probability at least δ/2.

Lemma 1 .
The pure state |ψ ∈ CG ⊗ V is a purification of the subgroup state Ξ G,H if and only if it can be written as |ψ = 1 |G| x∈G |x |v(x) , where the states |v(x) and |v(y) are equal if x and y are in the same left coset of H and orthogonal otherwise.Proof.The "if" part follows easily from that the conditions on |v() imply |ψ = 1 √ k a∈X |aH |v(a) .To see the the "only if" part, recall that a Schmidt decomposition of a state |ψ ∈ CG ⊗ V is of the form |ψ =m i=1 λ i |u i |v i where m = |G|, |u 1 , . . ., |u m is an arbitrary orthonormal basis of CG in which the relative trace of |ψ ψ| w.r.t. to the second subsystem is diagonal (with entries λ 1 , . . ., λ m ) and the system of the vectors v i corresponding to nonzero eigenvalues λ i is an orthonormal system of vectors in V .The vectors v i depend on the choice of the basis |u i (i = 1, . . ., m).Notice that the only nonzero eigenvalue of Ξ G,H is 1 k with multiplicity k, where k = |G : H|.The coset superpositions give an orthonormal basis of the corresponding eigenspace.Thus, if |ψ is a purification of Ξ G,H then a Schmidt decomposition of |ψ which is a purification of Ξ G,H is of the form |ψ = 1 √ k k i=1 |u i |v i where |u 1 , . . ., |u k is an arbitrary orthonormal basis of the 1 k -eigenspace of Ξ G,H and |v 1 , . . ., |v k is an orthonormal system of V .In particular, if X = {a 1 , . . ., a k } then by taking |u i = |a i H and by defining |v(x) = |v i for x ∈ a i H, we obtain |ψ = 1 √ k a∈X |aH |v(a) = 1 √ |G| x∈G |x |v(x) .
L,H∩L by replacing |x with the decomposition |β L (x) |α L (x) obtained by the method outlined in Subsection 2.2 for x ∈ G, and "ignoring" |α L (x) (passing this part to the purifying subsystem).To see this, let 1 √ |G| x∈G |x |ψ(x) be a purification of Ξ G,H , with |ψ(x) and |ψ(y) are equal if and only if y −1 x ∈ H, and orthogonal otherwise.Then, the substitution gives the state 1 √ = {α L (z) : z ∈ G}.Now if x 1 , x 2 ∈ L are from the same left coset of H ∩ L then |ψ(yx 1 ) = |ψ(yx 2 ) for every y ∈ Y and hence the states For y ∈ L, let us denote by P y the linear transformation of CG mapping |x to 1 √ y (aH) |y .
Proposition 3. Let G be a semi-elementary black-box group with unique encoding of order p n .Assume that there exists a quantum (or a randomized) algorithm that finds zero sum subsequences of sequences of S(p, n) elements of Z p n in time T (p, n) ≥ S(p, n) with high probability.Then the problem HSMC can be solved by a quantum algorithm that uses poly(T (p, n) O(c) ℓ) elementary operations, poly(T (p, n) O(c) log |G|) applications of the group oracle and calls to the oracle computing the purification of the subgroup state.