Simon's problem

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

In computational complexity theory and quantum computing, Simon's problem is a computational problem that is proven to be solved exponentially faster on a quantum computer than on a classical (that is, traditional) computer. The quantum algorithm solving Simon's problem, usually called Simon's algorithm, served as the inspiration for Shor's algorithm.[1] Both problems are special cases of the abelian hidden subgroup problem, which is now known to have efficient quantum algorithms.

The problem is set in the model of decision tree complexity or query complexity and was conceived by Daniel Simon in 1994.[2] Simon exhibited a quantum algorithm that solves Simon's problem exponentially faster and with exponentially fewer queries than the best probabilistic (or deterministic) classical algorithm. In particular, Simon's algorithm uses a linear number of queries and any classical probabilistic algorithm must use an exponential number of queries.

This problem yields an oracle separation between the complexity classes BPP (bounded-error classical query complexity) and BQP (bounded-error quantum query complexity).[3] This is the same separation that the Bernstein–Vazirani algorithm achieves, and different from the separation provided by the Deutsch–Jozsa algorithm, which separates P and EQP. Unlike the Bernstein–Vazirani algorithm, Simon's algorithm's separation is exponential.

Because this problem assumes the existence of a highly-structured "black box" oracle to achieve its speedup, this problem has little practical value.[4] However, without such an oracle, exponential speedups cannot easily be proven, since this would prove that P is different from PSPACE.

Problem description[edit]

Given a function (implemented by a black box or oracle) with the promise that, for some unknown , for all ,

if and only if ,

The goal is to identify s by making as few queries to f(x) as possible.

Another common statement of this problem is of distinguishing the case, where the function is one-to-one, from the case, where the function is two-to-one and satisfies .


For example, if , then the following function is an example of a function that satisfies the required and just mentioned property:

000 101
001 010
010 000
011 110
100 000
101 110
110 101
111 010

In this case, (i.e. the solution). It can easily be verified that every output of occurs twice, and the two input strings corresponding to any one given output have bitwise XOR equal to .

For example, the input strings and are both mapped (by ) to the same output string . and . If we apply XOR to 010 and 100 we obtain 110, that is

can also be verified using input strings 001 and 111 that are both mapped (by f) to the same output string 010. If we apply XOR to 001 and 111, we obtain 110, that is . This gives the same solution we solved for before.

In this example the function f is indeed a two-to-one function where .

For a one-to-one function, such that

Problem hardness[edit]

Intuitively, this is a very hard problem to solve in a "classical" way, even if one uses randomness and accepts a small probability of error. The intuition behind the hardness is reasonably simple: if you want to solve the problem classically, you need to find two different inputs and for which . There is not necessarily any structure in the function that would help us to find two such inputs: more specifically, we can discover something about (or what it does) only when, for two different inputs, we obtain the same output. In any case, we would need to guess different inputs before being likely to find a pair on which takes the same output, as per the birthday problem. Since, classically to find s with a 100% certainty it would require checking up to inputs, Simon's problem seeks to find s using fewer queries than this classical method.

Overview of Simon's algorithm[edit]


The high-level idea behind Simon's algorithm is to "probe" (or "sample") a quantum circuit (see the picture below) "enough times" to find (linearly independent) n-bit strings, that is

such that the following equations are satisfied

where is the modulo-2 dot product; that is, , and , for and for .

So, this linear system contains linear equations in unknowns (i.e. the bits of ), and the goal is to solve it to obtain , and is fixed for a given function . There is not always a (unique) solution.

Simon's quantum circuit[edit]

Quantum circuit representing/implementing Simon's algorithm

The quantum circuit (see the picture) is the implementation (and visualization) of the quantum part of Simon's algorithm.

A quantum state of all zeros is first prepared (this can easily be done). The state represents where is the number of qubits. Half of this state is then transformed using a Hadamard transform. The result is then fed into an oracle (or "black box"), which knows how to compute . Where acts on the two registers as . After that, part of the output produced by the oracle is transformed using another Hadamard transform. Finally, a measurement on the overall resulting quantum state is performed. It is during this measurement that we retrieve the n-bit strings, , mentioned in the previous sub-section.

Simon's algorithm can be thought of as an iterative algorithm (which makes use of a quantum circuit) followed by a (possibly) classical algorithm to find the solution to a linear system of equations.

Simon's algorithm[edit]

In this section, each part of Simon's algorithm is explained (in detail). It may be useful to look at the picture of Simon's quantum circuit above while reading each of the following sub-sections.


Simon's algorithm starts with the input , where is the quantum state with zeros.

(The symbol is the typical symbol used to represent the tensor product. To not clutter the notation, the symbol is sometimes omitted: for example, in the previous sentence, is equivalent to . In this article, it is (often) used to remove ambiguity or to avoid confusion.)


So, for example, if , then the initial input is


First Hadamard transformation[edit]

After that, the input (as described in the previous sub-section) is transformed using a Hadamard transform. Specifically, the Hadamard transform (the tensor product can also be applied to matrices) is applied to the first qubits, that is, to the "partial" state , so that the composite state after this operation is

where denotes any n-bit string (i.e. the summation is over any n-bit string). The term can be factored out of the summation because it does not depend on (i.e. it is a constant with respect to ), and .


Suppose (again) , then the input is and the Hadamard transform is

If we now apply to the first , i.e. to the state

we obtain

To obtain the final composite quantum state, we can now tensor product with , that is


We then call the oracle or black-box ( in the picture above) to compute the function on the transformed input , to obtain the state

Second Hadamard transformation[edit]

We then apply the Hadamard transform to the states of the first qubits of the state , to obtain

where can either be or , depending on , where , for . So, for example, if and , then , which is an even number. Thus, in this case, , and is always a non-negative number.

Intuition behind this inverse Hadamard transformation that is applied here can be found on CMUs lecture notes

Let's now rewrite

as follows

This manipulation will be convenient to understand the explanations in the next sections. The order of the summations has been reversed.


After having performed all previously described operations, at the end of the circuit, a measurement is performed.

There are now two possible cases we need to consider separately

  • or
  • , where .

First case[edit]

Let's first analyze the (special) case , which means that is (by requirement) a one-to-one function (as explained above in the "problem description").

Let's keep in mind that the quantum state before the measurement is

Now, the probability that the measurement results in each string is

This follows from

because the two vectors only differ in the ordering of their entries, given that is one-to-one.

The value of the right-hand side, that is

is more easily seen to be .

Thus, when , the outcome is simply a uniformly distributed -bit string.

Second case[edit]

Let's now analyze the case , where . In this case, is a two-to-one function, that is, there are two inputs that map to the same output of .

The analysis performed in the first case is still valid for this second case, that is, the probability to measure any given string can still be represented as

However, in this second case, we still need to figure out what this value of is. Let's see why in the following explanations.

Let , the image of . Let (i.e. is some output of the function ), then for every , there is one (and only one) , such that ; moreover, we also have , which is equivalent to (see "the problem description" section above for a review of this concept).

Hence, we have

Given that , then we can rewrite the coefficient as follows

Given that , then we can further write the expression above as

So, can further be written as

Odd number[edit]

Now, if is an odd number, then . In that case,

Consequently, we have

Given that , then we never have this case, that is, no string is seen (after the measurement) in this case.

(This is the case where we have destructive interference.)

Even number[edit]

If, instead, is an even number (e.g. zero), then . In that case,

So, we have

Is the case of constructive interference,

. So, in summary, for this second case, we have the following probabilities

Classical post-processing[edit]

When we run the circuit (operations) above, there are two cases:

  • in the (special) case where (i.e. ), the measurement results in each string with probability
  • in the case (where ), the probability to obtain each string is given by

Thus, in both cases, the measurement results is some string that satisfies , and the distribution is uniform over all of the strings that satisfy this constraint.

Is this enough information to determine ? The answer is "yes", provided that the process (above) is repeated several times (and a small probability of failure is accepted). Specifically, if the above process is run times, we get strings , such that

This is a system of linear equations in unknowns (i.e. the bits of ), and the goal is to solve it to obtain . Note that each of the that we obtain after each measurement (for each "round" of the process) is, of course, the result of a measurement, so it is known (at the end of each "round").

We only get a unique non-zero solution if we are "lucky" and are linearly independent. The probability that are linearly independent is at least

If we have linear independence, we can solve the system to get a candidate solution and test that . If , we know that , and the problem has been solved. If , it must be that (because, if this were not so, the unique non-zero solution to the linear equations would have been ). Either way, once we have linear independence, we can solve the problem.


Simon's algorithm requires queries to the black box, whereas a classical algorithm would need at least queries. It is also known that Simon's algorithm is optimal in the sense that any quantum algorithm to solve this problem requires queries.[5][6]

See also[edit]


  1. ^ Shor, Peter W. (1999-01-01). "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer". SIAM Review. 41 (2): 303–332. arXiv:quant-ph/9508027. doi:10.1137/S0036144598347011. ISSN 0036-1445.
  2. ^ Simon, Daniel R. (1997-10-01). "On the Power of Quantum Computation". SIAM Journal on Computing. 26 (5): 1474–1483. doi:10.1137/S0097539796298637. ISSN 0097-5397.
  3. ^ Preskill, John (1998). Lecture Notes for Physics 229: Quantum Information and Computation. pp. 273–275.
  4. ^ Aaronson, Scott (2018). Introduction to Quantum Information Science Lecture Notes (PDF). pp. 144–151.
  5. ^ Koiran, P.; Nesme, V.; Portier, N. (2007), "The quantum query complexity of the Abelian hidden subgroup problem", Theoretical Computer Science, 380 (1–2): 115–126, doi:10.1016/j.tcs.2007.02.057, retrieved 2011-06-06
  6. ^ Koiran, P.; Nesme, V.; Portier, N. (2005), "A quantum lower bound for the query complexity of Simon's Problem", Proc. ICALP, 3580: 1287–1298, arXiv:quant-ph/0501060,, retrieved 2011-06-06