Complete analysis of Simon’s quantum algorithm with additional collisions

Abstract

Simon’s algorithm, an exponential speedup quantum algorithm for recovering period, has been widely applied to symmetric cryptography. At Crypto 2016, Kaplan et al. showed the effect of additional collisions on the success probability of Simon’s algorithm, which led to a better analysis of previous applications. In this paper, we provide several new results of Simon’s algorithm. Firstly, we present the composing form of additional collisions and reveal the exact relationship between additional collisions and measurement outcomes for the first time. Specifically, all probabilities of observed measurements are completely depended on the number of additional collisions. Our findings shed new light on how to estimate the success probability of Simon’s algorithm with additional collisions and point out somewhere unreasonable in the work by Kaplan et al. Finally, we give the trade-off between the success probability and the number of runs of the subroutine afresh. For a random function, 4n repetitions of subroutine will ensure the success probability exponentially close to 1.

Appendices

The proof of Theorem 2

For an arbitrary f(z) that \(|{{\varOmega }_{z}}|=2m\), we classify u into \({{2}^{m}}\) categories by the orthogonal relationship with t in \({{\varOmega }_{z}}\). Denoting them as \({{u}^{j}}(0\le j\le {{2}^{m}}-1)\), we have

$$\begin{aligned} p[{{u}^{j}}\text { is observed}]&=p[u\text { is observed,}u\in {{u}^{j}}]\times |{{u}^{j}}| \end{aligned}$$

(13)

$$\begin{aligned}&=\frac{|{{u}^{j}}|}{{{2}^{n-2}} (|{{\varOmega }_{z}}|+2)}{{\left( 1+\sum \limits _{t\in \varOmega _{z}^{0}}{{{(-1)}^{{{u}^{j}}\cdot t}}}\right) }^{2}} \end{aligned}$$

(14)

where \(|{{u}^{j}}|=\frac{{{2}^{n-1}}}{{{2}^{m}}}\) and \(p[u\text { is observed,}u\in {{u}^{j}}]\) is from Eq. (4). If \(t\in {{\varOmega }_{z}}\), the probability of \(u\cdot t=0\) is

$$\begin{aligned} p\left[ u\cdot t=0|t\in {{\varOmega }_{z}} \right]&=\sum \limits _{j=0}^{{{2}^{m}}-1}{p[{{u}^{j}}\text { is observed}]\times p[{{u}^{j}}\cdot t=0|t\in {{\varOmega }_{z}}]} \end{aligned}$$

(15)

$$\begin{aligned}&=\sum \limits _{j=0}^{{{2}^{m}}-1}\frac{|{{u}^{j}}|}{{{2}^{n-2}}(|{{\varOmega }_{z}}|+2)}{{\left( 1+\sum \limits _{t\in \varOmega _{z}^{0}}{{{(-1)}^{{{u}^{j}}\cdot t}}}\right) }^{2}}\nonumber \\&\quad \times \frac{\#\{t:{{u}^{j}}\cdot t=0,t\in {{\varOmega }_{z}}\}}{|{{\varOmega }_{z}}|} \end{aligned}$$

(16)

$$\begin{aligned}&{=}\frac{1}{{{2}^{m}}(m+1)m}\sum \limits _{j=0}^{{{2}^{m}}-1}{{(2\times \#\{t:{{u}^{j}}\cdot t=0,t\in \varOmega _{z}^{0}\}{-}(m{-}1))}^{2}} \nonumber \\&\quad \times \#\{t:{{u}^{j}}\cdot t=0,t\in \varOmega _{z}^{0}\} \end{aligned}$$

(17)

where

$$\begin{aligned} \sum \limits _{t\in \varOmega _{z}^{0}}{{{(-1)}^{{{u}^{j}}\cdot t}}}&=\#\{t:{{u}^{j}}\cdot t=0,t\in \varOmega _{z}^{0}\}-\#\{t:{{u}^{j}}\cdot t=1,t\in \varOmega _{z}^{0}\} \end{aligned}$$

(18)

$$\begin{aligned}&=2\times \#\{t:{{u}^{j}}\cdot t=0,t\in \varOmega _{z}^{0}\}-m \end{aligned}$$

(19)

and \(\#\{t:{{u}^{j}}\cdot t=0,t\in {{\varOmega }_{z}}\}=2\times \#\{t:{{u}^{j}}\cdot t=0,t\in \varOmega _{z}^{0}\}\).

If \(t\in {{\varPhi }_{z}}\), the probability of \(ut=0\) is

$$\begin{aligned} p\left[ u\cdot t=0|t\in {{\varPhi }_{z}} \right]&=\sum \limits _{j=0}^{{{2}^{m}}-1}{p[{{u}^{j}}\text { is observed}]\times p[{{u}^{j}}\cdot t=0|t\in {{\varPhi }_{z}}]} \end{aligned}$$

(20)

$$\begin{aligned}&=\sum \limits _{j=0}^{{{2}^{m}}-1}{p[{{u}^{j}}\text { is observed}]\times \frac{\#\{t:{{u}^{j}}\cdot t=0,t\in {{\varPhi }_{z}}\}}{|{{\varPhi }_{z}}|}} \end{aligned}$$

(21)

$$\begin{aligned}&=\sum \limits _{j=0}^{{{2}^{m}}-1}p[{{u}^{j}}\text { is observed}] \nonumber \\&\quad \times \frac{{{2}^{n-1}}-1-\#\{t:{{u}^{j}}\cdot t=0,t\in {{\varOmega }_{z}}\}}{{{2}^{n}}-|{{\varOmega }_{z}}|} \end{aligned}$$

(22)

Since

$$\begin{aligned} \frac{{{2}^{n-1}}-1-2m}{{{2}^{n}}-2m}\le \frac{{{2}^{n-1}}-1-\#\{t:{{u}^{j}}\cdot t=0,t\in {{\varOmega }_{z}}\}}{{{2}^{n}}-2m}\le \frac{{{2}^{n-1}}-1}{{{2}^{n}}-2m} \end{aligned}$$

When m is small,

$$\begin{aligned} \frac{{{2}^{n-1}}-1-\#\{t:{{u}^{j}}\cdot t=0,t\in {{\varOmega }_{z}}\}}{{{2}^{n}}-2m}\approx \frac{1}{2} \end{aligned}$$

Hence,

$$\begin{aligned} p\left[ u\cdot t=0|t\in {{\varPhi }_{z}} \right] \approx \frac{1}{2}\sum \limits _{j}{p[{{u}^{j}}\text { is observed}]}=\frac{1}{2} \end{aligned}$$

.

The probability distribution \({{u}_{2}}t\) when \(\left| {{\varOmega }_{z}} \right| =4\)

For \(({{u}_{2}},f({{z}_{2}}))\) that \(\varOmega _{{{z}_{2}}}^{0}=\{{{t}_{0}},{{t}_{1}}\}\). We can classify the measurement outcomes \({{u}_{2}}\) into \({{2}^{2}}\) categories by the orthogonal relationship with \(\{{{t}_{0}},{{t}_{1}}\}\). Denoting them as \(u_{2}^{j}(0\le j\le 3)\), then we have combined Tables 7 and 8, and the total probability distribution of \({{u}_{2}}t\) is shown as:

$$\begin{aligned}&p\left[ {{u}_{2}}\cdot t=0|t\in {{\varOmega }_{{{z}_{2}}}} \right] =\sum \limits _{j}{p[u_{2}^{j}\text { is observed}]\times p[u_{2}^{j}\cdot t=0|t\in {{\varOmega }_{{{z}_{2}}}}]} \end{aligned}$$

(23)

$$\begin{aligned}&=\frac{3}{4}\times 1+\frac{1}{12}\times \frac{1}{2}\times 2+\frac{1}{12}\times 0 \end{aligned}$$

(24)

$$\begin{aligned}&=\frac{5}{6} \nonumber \\&p\left[ {{u}_{2}}\cdot t=0|t\in {{\varPhi }_{{{z}_{2}}}} \right] =\sum \limits _{j}{p[u_{2}^{j}\text { is observed}]\times p[u_{2}^{j}\cdot t=0|t\in {{\varPhi }_{{{z}_{2}}}}]}\approx \frac{1}{2} \end{aligned}$$

(25)

Table 7 The probability of being observed in different \(u_{2}^{j}\) when \(|{{\varOmega }_{{{z}_{2}}}}|=4\)

Table 8 The distribution of \(u_{2}^{j}\cdot t\) when \(|{{\varOmega }_{{{z}_{2}}}}|=4\)

Thus,

$$\begin{aligned} \underset{t\in {{\{0,1\}}^{n}}\backslash \{0,s\}}{\mathop {\max }}\,p[{{u}_{2}}\cdot t=0]=\underset{t\in \{{{\varOmega }_{{{z}_{2}}}},{{\varPhi }_{{{z}_{2}}}}\}}{\mathop {\max }}\,p[{{u}_{2}}\cdot t=0]=p[{{u}_{2}}\cdot t=0|t\in {{\varOmega }_{{{z}_{2}}}}]=\frac{5}{6}. \end{aligned}$$