# How symmetric is too symmetric for large quantum speedups?

Suppose a Boolean function f is symmetric under a group action G acting on the n bits of the input. For which G does this mean f does not have an exponential quantum speedup? Is there a characterization of how rich G must be before the function f cannot have enough structure for quantum algorithms to exploit? In this work, we make several steps towards understanding the group actions G which are "quantum intolerant" in this way. We show that sufficiently transitive group actions do not allow a quantum speedup, and that a "well-shuffling" property of group actions – which happens to be preserved by several natural transformations – implies a lack of super-polynomial speedups for functions symmetric under the group action. Our techniques are motivated by a recent paper by Chailloux (2018), which deals with the case where G=S_n. Our main application is for graph symmetries: we show that any Boolean function f defined on the adjacency matrix of a graph (and symmetric under relabeling the vertices of the graph) has a power 6 relationship between its randomized and quantum query complexities, even if f is a partial function. In particular, this means no graph property testing problems can have super-polynomial quantum speedups, settling an open problem of Ambainis, Childs, and Liu (2011).

## Authors

• 11 publications
• 3 publications
• ### Symmetries, graph properties, and quantum speedups

Aaronson and Ambainis (2009) and Chailloux (2018) showed that fully symm...
06/23/2020 ∙ by Shalev Ben-David, et al. ∙ 0

• ### Neural Group Actions

We introduce an algorithm for designing Neural Group Actions, collection...
10/08/2020 ∙ by Span Spanbauer, et al. ∙ 0

• ### Quantum Equivalence of the DLP and CDHP for Group Actions

In this short note we give a polynomial-time quantum reduction from the ...
12/21/2018 ∙ by Steven Galbraith, et al. ∙ 0

• ### Quantum algorithms for group convolution, cross-correlation, and equivariant transformations

Group convolutions and cross-correlations, which are equivariant to the ...
09/23/2021 ∙ by Grecia Castelazo, et al. ∙ 0

• ### Combining Determinism and Indeterminism

Our goal is to construct mathematical operations that combine indetermin...
09/02/2020 ∙ by Michael Stephen Fiske, et al. ∙ 0

• ### Can graph properties have exponential quantum speedup?

Quantum computers can sometimes exponentially outperform classical ones,...
01/28/2020 ∙ by Andrew M. Childs, et al. ∙ 0

• ### Quantum computing cryptography: Unveiling cryptographic Boolean functions with quantum annealing

As the building block in symmetric cryptography, designing Boolean funct...
06/22/2018 ∙ by Feng Hu, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

One of the most fundamental questions in the field of quantum computing is the question of when quantum algorithms substantially outperform classical ones. While polynomial quantum speedups are known in many settings, super-polynomial quantum speedups are known (or even merely conjectured) for only a few select problems. An important lesson in the field has been that exponential quantum speedups only occur for certain “structured” problems: problems such as period-finding (used in Shor’s factoring algorithm [Sho97]), or Simon’s problem [Sim97], in which the input is known in advance to have a highly restricted form. In contrast, for “unstructured” problems such as blackbox search or -complete problems, only polynomial speedups are known (and in some models, it can be formally shown that only polynomial speedups are possible).

In this work, we are interested in formalizing and characterizing the structure necessary for fast quantum algorithms; in particular, we study the types of symmetries a Boolean function can have while still exhibiting super-polynomial quantum speedups.

### 1.1 Previous work

Despite the strong intuition in the field that structure is necessary for exponential quantum speedups, only a handful of works have attempted to formalize this intuition and characterize the necessary structure. All of them study the problem in the query complexity (black-box) model of quantum computation, which is a natural framework in which both period-finding and Simon’s problem can be formally shown to give exponential quantum speedups (see [BdW02] for a survey of query complexity, or [Cle04] for a formalization of period-finding specifically).

In the query complexity model, the goal is to compute a Boolean function using as few queries to the bits of the input as possible. Here is some finite alphabet, and each query specifies an index and receives the response . A query algorithm, which may depend on but not on , must output (to worst-case bounded error) after as few queries as possible. Quantum query algorithms are allowed to make queries in superposition; we are interested in how much advantage this gives them over randomized classical algorithms (for a formal definition of these notions, see [BdW02]).

Beals, Buhrman, Cleve, Mosca, and de Wolf [BBC01] showed that all total Boolean functions have a polynomial relationship between their classical and quantum query complexities (which we denote and respectively). This means that super-polynomial speedups are not possible in query complexity unless we impose a promise on the input: that is, unless we define with , and allow an algorithm computing to behave arbitrarily on inputs outside of the promise set . For such promise problems (also called partial functions), provable exponential quantum speedups are known; this is the setting in which Simon’s problem and period-finding reside.

The question, then, is whether we can say anything about the structure necessary for a partial Boolean function to exhibit a super-polynomial quantum speedup. Towards this end, Aaronson and Ambainis [AA14] showed that symmetric functions do not allow super-polynomial quantum speedups, even with a promise. Chailloux [Cha18] improved this result by improving the degree of the polynomial relationship between randomized and quantum algorithms for symmetric functions, and removing a technical requirement on the symmetry of those functions.111 Aaronson and Ambainis required the function to be symmetric both under permuting the bits of the input, and under permuting the alphabet symbols in ; Chailloux showed that the latter is not necessary.

Other work attempted to characterize the structure necessary for quantum speedups in other ways. [Ben16] Showed that certain types of symmetric promises do not admit any function with a super-polynomial quantum speedup, a generalization of [BBC01] (who showed this when the promise set is ). [AB16] Showed that small promise sets, which contain only inputs out of , also do not admit functions which separate quantum and classical algorithms by more than a polynomial factor.

### 1.2 Our contributions

In this work, we extend the results of Aaronson-Ambainis and Chailloux to other symmetry groups. To state our results, we introduce the following definition.

###### Definition 1.

Let be a function with , where is a finite alphabet and . We say that is symmetric with respect to a group action acting on domain if for all and all , the string defined by satisfies and .

This definition allows us to talk about more general symmetries of a Boolean function. The case where is the fully-symmetric group action is the one handled in Chailloux’s work [Cha18]: he showed that if is symmetric under . Aaronson and Ambainis [AA14] required an even stronger symmetry property. We note that when is large, say or larger, the class of functions symmetric under is already highly nontrivial: among others, it includes functions such as Collision, an important function whose quantum query complexity was established in [AS04]; -Sum, whose quantum query complexity required the negative-weight adversary to establish [BŠ13]; and -Distinctness, whose quantum query complexity is still open [BKT18]. Additionally, computational geometry functions such as ClosestPair (a function studied in recent work by Aaronson, Chia, Lin, Wang, and Zhang [ACL19]) are typically symmetric under as well, as the points are usually represented as alphabet symbols. If we round the alphabet to be finite, the case already shows that no computational geometry problem of this form can have super-cubic quantum speedups.

In this work, we examine what happens when we relax the full symmetry to smaller symmetry groups . We introduce some tools for showing that particular classes of group actions do not allow super-polynomial quantum speedups; that is, we provide tools for showing that every symmetric with respect to satisfies . Our primary application is the following theorem, in which is the graph symmetry: the group action acting on strings of length (which represent the possible edges of a graph), which includes all permutations of the edges which are induced by one of the relabelings of the vertices. Functions which take in the adjacency matrix of a graph as input, and whose output depends only on the graph (and not on the labeling of its vertices), are always symmetric with respect to the graph symmetry .

###### Theorem 2 (Informal).

Any Boolean function defined on the adjacency matrix of a graph (and symmetric with respect to renaming the vertices of the graph) has a polynomial (power ) relationship between and . This holds even if is a partial function.

(For a formal version of this theorem, see Corollary 32.)

This theorem holds even when the alphabet of is non-Boolean. We note that this is a strict generalization of the result of Aaronson and Ambainis [AA14], since any fully-symmetric function will necessarily be symmetric under the graph symmetry as well. It is also a generalization of Chailloux [Cha18], except that our polynomial degree (power ) is larger than the power of Chailloux.

This theorem also settles an open problem of Ambainis, Childs, and Liu [ACL11] at least for the adjacency matrix version of graph property testing. They asked whether there is any graph property testing problem with an exponential quantum speedup over the best possible classical algorithm; our theorem implies the answer is no.222An alternative version of graph property testing is called the adjacency list model, in which it is possible to directly query the list of neighbors of each vertex. Query functions on adjacency list graphs can achieve large quantum speedups – for example, the glued trees problem [CCD03] – but it is still open whether property testing graph problems in the adjacency list model can achieve exponential quantum speedups. We conjecture that such exponential speedups for graph property testing do exist – perhaps by a modification of the glued trees problem. Indeed, any graph property testing problem is always symmetric under the graph symmetry group action , which means that all graph property testing problems satisfy a power relationship between their quantum and classical query complexities.

Our tools apply to other group actions as well. We show that highly transitive group actions also are not consistent with exponential quantum speedups.

###### Theorem 3 (informal).

Let be a -transitive group action on , and let be a (possibly partial) Boolean function on strings of length which is symmetric under . Then .

(A formal version of this theorem can be found in Corollary 23.)

We note that this theorem does not subsume the previous one, as graph symmetry group actions are not even -transitive.

Further, we are able to generalize our results to directed graph symmetries, hypergraph symmetries, and bipartite graph symmetries. We also provide a reasonably clean framework in which we prove these results, and show that various natural operations on group actions preserve the lack-of-exponential-quantum-speedup property.

Finally, we examine the other direction, and exhibit some classes of group actions whose symmetries do allow exponential quantum speedups. In particular, we show the following.

###### Theorem 4 (informal).

The order of the group action does not characterize whether it allows exponential quantum speedups. In particular, there is a group action on and a different group action on such that , but every function that’s symmetric under has while there exists a function that’s symmetric under and has and .

(A formal version of this theorem can be found in Theorem 38.)

This theorem says that even very large group actions may still be consistent with exponential quantum speedups; to characterize the group actions which do not allow super-polynomial quantum advantage, we must use some richness measure other than the order of the group action (and also other than transitivity, as some -transitive group actions allow exponential quantum speedups and some don’t). We leave such a characterization as an intriguing open problem for future work.

###### Open Problem 1.

Is there a clean combinatorial characterization of the classes of group actions that allow super-polynomial quantum speedups, and the ones that don’t? For example, is there a combinatorial measure such that any function symmetric under satisfies something like , and also such that there always exists a function symmetric under for which ?

We view Open Problem 1 as an important direction for understanding the nature of quantum speedups.

### 1.3 Our techniques

Our main tool is a simple observation from [Cha18]. Suppose that is symmetric under the full symmetric group action . Zhandry [Zha13] showed that distinguishing a random permutation from from a random small-range function with requires quantum queries333Actually, we will show that a version of Zhandry’s result that is sufficient for our purposes follows easily from the collision lower bound, so his techniques are not necessary for our results.. Now, if was a quantum algorithm solving using queries, then also outputs on input (the input with bits shuffled according to ) for any , since is symmetric under . In particular, for a random still outputs . However, the -query algorithm cannot distinguish a random from a random function with range ; hence must output to constant error even when run on for a random small-range function . This property can be used to simulate classically: a classical algorithm will simply sample a small-range function , explicitly query the entire string (possible to do using queries since has range only ), and then simulate on the string . This is an -query classical algorithm for computing , created out of a -query quantum algorithm for .

The above trick can be generalized from the fully-symmetric group action to any other group action , so long as we can show that it is hard for a -query quantum algorithm to distinguish from a small-range function with range . The question of whether there exists an arbitrary symmetric function with a quantum speedup is therefore reduced to the question of whether the concrete task of distinguishing from the set of all small-range functions can be done quickly using a quantum algorithm. That is, if is the set of all strings in which use only unique symbols, then we care about the quantum query cost of distinguishing from ; if this cost is , then no function which is symmetric under can exhibit a super-polynomial quantum speedup. In this case, we call well shuffling. We show that the well-shuffling property is preserved under various operations one might perform on a group action, and that these operations allow us to prove many group actions are well-shuffling simply by reduction to .

## 2 Preliminaries

### 2.1 Query complexity

We start with introducing some standard notation from query complexity. A Boolean function will be a -valued function on strings of length , with . We will use to denote the domain of , and we will always have where is a finite alphabet. The function is called total if , and otherwise it is called partial.

For a (possibly partial) Boolean function , we use to denote its randomized query complexity to error , as defined in [BdW02]. This is the minimum number of queries required in the worst case by a randomized algorithm which computes to worst-case error . We use to denote the quantum query complexity to error of , also defined in [BdW02]. This is the minimum number of queries required in the worst case by a randomized algorithm which computes to worst-case error . When , we omit it and simply write and .

An important tool for lower bounding query complexity is the minimax theorem, the original version of which was given by Yao for zero-error (Las Vegas) randomized algorithms [Yao77]

. Here we will need a bounded-error, quantum version of the minimax theorem. Bounded-error versions of the minimax theorem can be shown using linear programming duality (see also

[Ver98] who proved a minimax theorem in the setting where both the error and the expected query complexity are measured against the same hard distribution). A similar technique works for quantum query complexity; this result is folklore, and we prove it in Appendix A.

###### Lemma 5 (Minimax for bounded error quantum algorithms).

Let be a (possibly partial) Boolean function with , and let . Then there is a distribution supported on which is hard for in the following sense: any quantum algorithm using fewer than quantum queries for computing must have average error on inputs sampled from .

Note that achieving average error against a known distribution is always easier than achieving worst-case error ; the minimax theorem says that there is a hard distribution against which achieving average error is just as hard as achieving worst-case error .

### 2.2 Group actions

We review some basic definitions about group actions.

###### Definition 6 (Group action).

A group action is a pair where is a set and is a set of bijections , such that forms a group under composition (i.e.  contains the identity function and is closed under composition and inverse of the bijections). We will often denote a group action simply by , with the domain being implicit.

In other words, a group action is simply a set of permutations of a domain which is closed under composition and inverse. In this work we will generally take , where denotes the set for . The set will represent the indices of an input string, or equivalently, the queries an algorithm is allowed to make.

We define orbits and transitivity of group actions, both of which are standard definitions.

###### Definition 7 (Orbit).

Let be a group action on domain , and let . Then the orbit of is the set . A subset of is an orbit of if it is the orbit of some with respect to .

###### Definition 8 (Transitivity).

We say that a group action on domain is -transitive if for all distinct and distinct , there exists some such that for all .

### 2.3 Symmetric functions

We introduce some notation that will be used throughout this paper to talk about symmetric functions.

###### Definition 9 (Notation for permuting strings).

Let be a permutation on , and let . We use to denote the string whose characters have been permuted by ; that is, . More generally, is similarly defined when is merely a function rather than a permutation.

Note that if we view a string as a function with , then is simply the usual function composition of and . This notation allows us to easily define symmetric functions.

###### Definition 10 (Symmetric function).

Let be a group action on , and let be a (possibly partial) Boolean function with . We say is symmetric under if for all and all we have and .

In order for asymptotic bounds such as to be well-defined, we actually need to talk about classes of functions rather than individual functions. To do that, we will need to talk about classes of group actions. We introduce the following definition, which defines, for a class of group actions , the set of all functions symmetric under some group action in . We denote this set by .

###### Definition 11 (Class of symmetric functions).

Let be a (possibly infinite) set of finite group actions, with acting on for each . Here is an arbitrary index set and for all . Then define to be the set of all (possibly partial) Boolean functions that are symmetric under some . That is, we have if and only if is a function with for some , and is symmetric under for some such that .

(In the above definition, represents the alphabet .)

## 3 Well-shuffing group actions

In this section we first define the notion of a well-shuffling class of group actions, which will be a class of group actions that are hard to distinguish from the set of small-range functions via a quantum query algorithm. We will then show that a well-shuffling class of group actions does not allow super-polynomial quantum speedups. This result (Theorem 15) converts the task of showing group actions do not allow quantum speedups into the task of showing those group actions are well-shuffling, a much simpler objective.

We start by defining the set of small-range strings .

###### Definition 12 (Small-range strings).

For , let be the set of all strings in for which the number of unique alphabet symbols in is at most .

We identify a string with a function . Then is the set of all functions with range size at most . Next, we define as the quantum query complexity of distinguishing from (where is a group action acting on ).

###### Definition 13 (Cost).

Identify a permutation on with a string in in which each alphabet symbol occurs exactly once. Then a group action on corresponds to a subset of . For , let be the minimum number of quantum queries needed to distinguish from to worst-case error ; that is, , where has domain and is defined by if and if . When , we set . When , we omit it and write .

We note that since is defined as the worst-case quantum query complexity of a Boolean function, it satisfies amplification, meaning that the precise value of does not matter so long as it is a constant in and so long as we do not care about constant factors.

We define a well-shuffling class of group actions as follows.

###### Definition 14 (Well-shuffling group actions).

Let be a collection of group actions. We say is well-shuffling if for and . More explicitly, we say is well-shuffling with power if there exists such that for all and all .

We note that is always satisfied when is greater than or equal to the domain size of , since in that case . Hence to show well-shuffling we only need to worry about smaller than , the domain size of the group action .

The following theorem will play a central role in this work: it shows that a well-shuffling collection of group actions does not allow super-polynomial quantum speedups.

###### Theorem 15.

Let be a partial Boolean function on bits, with (where is a finite alphabet). Let be a group action on , and suppose that is symmetric under . Then there is a universal constant such that

 R(f)≤min{r∈N:cost(G,r)≥cQ(f)}.

Consequently, if is a well-shuffling collection of group actions with power , then for all we have .

In order to prove this theorem, we will need the following minimax theorem for the cost measure.

###### Lemma 16 (Minimax for cost).

Let satisfy , let , and let be a group action on . Then there is a distribution on that is hard in the following sense. Let

be the uniform distribution on

. Then any quantum algorithm for distinguishing from which uses fewer than queries must either make error on average against , or else make error against (i.e. it fails to distinguish from the uniform distribution on ).

###### Proof.

Let be the function which asks to distinguish from in the worst case. Then by the minimax theorem (Lemma 5), there is a hard distribution for , such that any quantum algorithm using fewer than queries must make more than error against . Let be the distribution we get by applying a uniformly random permutation from to a sample from . Then is still a hard distribution for . Indeed, if it were not a hard distribution, there would be some quantum algorithm solving against using too few queries; but in that case, we could design an algorithm for solving against simply by taking the input , implicitly applying a uniformly random from to permute the bits of (this can be done without querying , simply by redirecting all future queries through the permutation ), and then running on the permuted string.

Now, note that composing a uniformly random permutation from with an arbitrary (fixed) permutation from gives a uniformly random permutation from . This means that is some mixture of the uniform distribution on and another distribution on . Then any algorithm which succeeds on both and to error will also succeed on to error , from which the desired result follows. ∎

Using this lemma, we now prove Theorem 15.

###### Proof.

(Of Theorem 15.) Let be a quantum algorithm for which uses queries. Amplify it to by repeating times and taking the majority vote; then it uses queries and makes worst-case error instead of . Using Lemma 16, let be the hard distribution on which is hard to distinguish from to error , where we pick later and pick to be a constant close to . Sample from , and consider the string with .

Now, succeeds on to error , and is invariant under , so outputs to error when run on for each . In particular, consider picking from uniformly at random, and running on where the string is fixed. Compare this to the behavior of on , where is sampled from the hard distribution on .

If did not output on to error at most , then we could convert to an algorithm distinguishing from with constant error. This is because outputs to error at most on input ; hence behaves differently when run on and on . We can convert to an algorithm which hard codes the input , and receives either a random from or a random from as input. This algorithm will only make queries to or

, but its acceptance probability differs by a constant gap between the two distributions, which (using some standard re-balancing) we can use to distinguish

from to a constant error.

Now, assuming the distribution was picked to be hard enough (i.e.  was chosen sufficiently close to ), this means that , the query cost of , is at least . Since is the worst-case quantum query complexity of a Boolean function, it can be amplified. We conclude that if failed to output on input (with ) to error at most , then we have , that is, for some universal constant (from amplification).

Now assume that . Then has error at most for computing when run on , with chosen from . Since uses at most alphabet symbols, a randomized algorithm can simulate simply by picking from and querying all the bits of used in the string , fully determining that string. This algorithm uses queries, and makes at most error, so we conclude that .

By correctly picking , we conclude that , as desired. Finally, note that if , then by picking we get . From this it follows that , as desired. ∎

The upshot of Theorem 15 is that we can show a class of group actions does not allow super-polynomial quantum speedups simply by showing that it is well-shuffling – that is, by showing that is hard to distinguish from the set of small-range functions using a quantum query algorithm.

## 4 Showing group actions are well-shuffling

In this section, we introduce some tools for showing that a collection of group actions is well-shuffling. Due to Theorem 15, a well-shuffling collection of group actions does not allow any super-polynomial quantum speedups for the class of functions symmetric under it, so these tools can be directly used to show that certain symmetries are not consistent with large quantum speedups.

### 4.1 The symmetric group action

The first fundamental result is that the class of full symmetric group actions is well-shuffling. This was shown by Zhandry [Zha13] in a different context, though we also provide a simpler proof by a reduction from the collision problem.

###### Theorem 17.

There is a universal constant such that any quantum algorithm distinguishing a permutation in from a string in must make at least queries.

This theorem says that is hard to distinguish from (moreover, Zhandry [Zha13] showed that the hard distribution over is uniform, but we do not need this fact).

###### Proof.

When is a multiple of , then each -to- function has range and each -to- function is a permutation; hence distinguishing -to- from -to- functions is a sub-problem of distinguishing from . This sub-problem is the collision problem, from which an lower bound directly follows [AS04, Amb05, Kut05]. When is not a multiple of but , we can just set , and then distinguishing -to- from -to- functions with domain size still reduces to distinguishing from . ∎

From Theorem 17, the following two corollaries immediately follow (in light of Theorem 15).

###### Corollary 18.

The set of symmetric group actions is well-shuffling with power .

###### Corollary 19.

All (possibly partial) Boolean functions that are symmetric under the full symmetric group action satisfy .

Apart from Theorem 17, the main tools we use to prove the well-shuffling property are transformations on group actions which approximately preserve . We outline several such transformations and invariances. Since we prove Theorem 17 by a reduction from collision, and since our main tools from here on out are additional reductions, it’s effectively the case that all lower bounds in this paper work by reductions from collision.

### 4.2 The case of highly-transitive group actions

We next show that a collection of highly-transitive group actions is always well-shuffling; we define the notion of highly-transitive collections below.

###### Definition 20 (Highly transitive).

We say a collection of group actions is highly transitive if each group action is -transitive, where is the domain size of . In other words, is highly transitive if there exist some constants such that each is -transitive, where is the domain size of .

To show that highly transitive collections of group actions are well-shuffling, we show that group actions with high transitivity look nearly indistinguishable from to any quantum algorithm, and that they therefore share the well-shuffling property of the group actions . More formally, we have the following theorem.

###### Theorem 21 (Similar-looking group actions have similar costs).

Suppose and are group actions on and is a positive integer such that for each , it holds that

 ∣∣∣Prπ←G[∀ℓπ(iℓ)=jℓ]−Prπ←H[∀ℓπ(iℓ)=jℓ]∣∣∣≤n−10k.

Then . In particular, if and if , then we have .

###### Proof.

Let be a quantum algorithm for distinguishing from which uses and achieves worst-case error . If , we are done, so assume . Now, can be converted into a polynomial of degree at most in the variables , where if the input satisfies and otherwise (see [AS04]). This polynomial satisfies if and if . It has variables and degree . We assume it has no monomials that always evaluate to (for example, , which is always as cannot be both and ), because if it had such monomials we could just delete them.

We claim that the sum of absolute values of coefficients of is at most , where is its degree. To see this, first note that there are at most monomials of of degree ; for each such monomial , let be the polynomial consisting of all terms in that use a subset of the variables in . Then the sum of the absolute values of the coefficients of is at most times the maximum sum of absolute values of the coefficients in one of the polynomials ; since , it suffices to upper bound the sum of absolute values of coefficients of for arbitrary . Now, consists of variables for , which equal when and equal otherwise. Consider feeding into the quantum algorithm an input string where when , and is either or for . The quantum algorithm will accept the string with some probability between and , which means the polynomial computing the acceptance probability of will evaluate to something between and . But such inputs “zero out” all terms that use variables outside of , and hence turn into . From this we can conclude that is bounded in for all inputs it receives in . But polynomials bounded in on the Boolean hypercube can have sum of coefficients at most (one way to analyze would be to recall that a bounded polynomial in the basis has its sum of squares of coefficients equal to at most , and has at most coefficients, so by Cauchy-Schwartz, the sum of absolute values of coefficients is at most ; converting the basis to the basis requires plugging in terms into the variables, which can increase the sum of absolute values by a factor of at most , for a total of at most ). Assuming , we get an upper bound of on the sum of absolute values of coefficients of .

We have , so this sum is also at most . Now, on each input , the expected output of when is sampled uniformly from is a linear combination of the expectations of the monomials of . For each monomial, this expectation is just the probability that the monomial is satisfied, which by the condition on and is within of the expectation under . It follows that the expectation of when is within of the expectation of when . But this expectation is simply the acceptance probability of . Hence the acceptance probability of on the uniform distribution on is within of the acceptance probability of on the uniform distribution on .

Since distinguishes from , it distinguishes the uniform distribution on from any string in . Since it does not distinguish the uniform distribution on from the uniform distribution on , must also distinguish the uniform distribution on from any input in to error . By amplifying, we can get this down to error , meaning that , as desired. ∎

To show that highly-transitive group actions are well-shuffling, we now only need to show that a -transitive group action looks like when examining any bits. This directly follows from the definition of transitivity.

###### Corollary 22.

If is -transitive, then , where the constant in the big- is universal.

###### Proof.

This follows directly from Theorem 21, setting to be the -transitive group action we care about and setting . To see this, observe that -transitivity completely determines , and that both and are -transitive; hence this expression is the same for both and , and the difference between the two expressions is exactly (certainly less than ). ∎

From this, the formal version of Theorem 3 follows.

###### Corollary 23.

If is a highly transitive collection of group actions, then it is well-shuffling, and hence for .

### 4.3 Transformations for graph symmetries

Next, we introduce some additional transformations on group actions which approximately preserve the cost; the transformations in this section will allow us to show that graph property group actions (and several variants of them) are well-shuffling.

#### 4.3.1 Transformation for directed graphs

We start by defining an extension of a group action on to an action on . The notation in the definition below comes from [Ker13].

###### Definition 24.

Let be a group action on domain , and let . Define to be the group action which acts on domain by for each (so the number of permutations in is the same as the number of permutations in ).

Define to be the group action with domain restricted to the subset consisting of all distinct -tuples of elements of .

We show that these transformations both preserve the cost, at least when is constant. We start with .

###### Theorem 25.

Let be a group action on , and let be the group action . Then we have .

###### Proof.

Let be an algorithm distinguishing from . Let be the hard distribution for , such that no algorithm using fewer than can distinguish from the uniform distribution on . Then is a distribution on . Let be the distribution on that we get by sampling , and returning defined by for each (here we identify with ). Note that if has range , then has range at most .

Then distinguishes from the uniform distribution on . The latter distribution is the same as what you get when sampling uniformly from , and returning defined by for in the domain of . This means that can be used to distinguish from the uniform distribution on : all we need is to simulate every query of using queries to the input . The desired result follows. ∎

To handle , we first observe that restricting the domain of a group action to some union of its orbits does not decrease its cost.

###### Lemma 26.

Let be a group action on , and let be a union of orbits of . Let be the group action acting only on . Then .

###### Proof.

We identify with without loss of generality. If distinguishes from , then we can turn it into distinguishing from by having run and make queries only from . ∎

The fact that does not decrease the cost of too much then follows as a corollary of Theorem 25 and Lemma 26.

###### Corollary 27.

Let be a group action on , and let be the group action . Then .

###### Proof.

All we need is to note that is the group action with domain restricted to , which is a union of orbits because always sends a tuple with unique entries to another tuple with unique entries (since a permutation on is applied to each entry). The desired result then follows from Theorem 25 and Lemma 26. ∎

We now observe that the transformation immediately allows us to show that directed graph symmetries are well-shuffling.

###### Corollary 28 (Directed graph symmetries).

The set of all directed graph symmetries is well-shuffling with power . Here the group action acts on a domain of size representing the possible arcs of a -vertex directed graph, and consists of all permutations on these arcs that act by relabeling the vertices.

###### Proof.

This immediately follows by observing that . To see this, note that the domain of

is the set of all ordered pairs

with , which is precisely , and the permutations in are just those in applied to both coordinates, which is precisely relabeling the vertices. Corollary 27 then gives , which is at least by Corollary 17. ∎

The collection of directed hypergraph symmetries is similarly well-shuffling.

###### Corollary 29 (Directed hypergraph symmetries).

The set consisting of all -uniform directed hypergraph symmetries is well-shuffling with power .

###### Proof.

This follows from the same argument as Corollary 28. ∎

#### 4.3.2 Transformation for undirected graphs

To handle undirected graphs, we introduce yet another operation on group actions which approximately preserves the cost.

###### Theorem 30.

Let be a group action acting on , and let be a partition of into equal parts, such that for all , all , and all , the outputs and lie in the same set . Let be the group action on induced by , where for each we have such that if and . Then .

###### Proof.

Let be a quantum algorithm distinguishing from using queries. We construct an algorithm for distinguishing from . Let be the hard distribution on that is hard to distinguish from the uniform distribution on . The algorithm fixes a unique for each . On input from , the algorithm will run in the following way: each query that makes will be turned into the query for , and the output will be converted into the symbol such that and returned to . In this way, the algorithm effectively runs on the mapped string , where is the symbol such that .

Now, if , then , while if , we have . Since distinguishes from , it follows that distinguishes from using the same number of queries, as desired. ∎

We are now finally ready to prove the formal version of Theorem 2, showing that the collection of (undirected) graph symmetries is well-shuffling.

###### Definition 31 (Graph Symmetries).

The collection of graph symmetries is the set of group actions with acting on with , such that the domain represents the set of all possible edges in a -vertex graph, and acts on these edges and permutes them in a way that corresponds to relabelling the vertices of the underlying graph.

###### Corollary 32.

The set of all graph symmetries is well-shuffling with power . Hence for functions symmetric under a graph symmetry.

###### Proof.

Let be a directed graph symmetry on domain size , and partition this domain into sets of size of the form for . Then the induced group action on these sets (from Theorem 30) is precisely the undirected graph symmetry on graphs of size . Since , and since the directed graph symmetries are well-shuffling with power , it follows that the undirected graph symmetries are also well-shuffling with power . ∎

Using similar arguments, we can show a similar result for hypergraphs.

###### Corollary 33.

For every constant , the collection of all -uniform hypergraph symmetries is well-shuffling.

#### 4.3.3 Transformations for bipartite graphs

We introduce yet more operations on group actions for the case of bipartite graph symmetries.

###### Definition 34 (Product of group actions).

Let , and be two group actions acting on and respectively. Then the group product action is a group action acting on such that for any , and any and we have .

(In the above, we identify with .)

###### Theorem 35.

For all acting on and respectively and for all , .

###### Proof.

Let and . Let be an algorithm distinguishing from . Let be the hard distribution for , and let be the hard distribution for . Then is a distribution on and is a distribution on . Let be the distribution on that we get by sampling , and independently, and returning . Note that if and have range , then has range at most . Now, since distinguishes from , it must also distinguish from the uniform distribution over , which itself is the product of the uniform distribution on and the uniform distribution on . Let be the uniform distribution on , and let be the uniform distribution on . Consider the behavior of on . It must either distinguish this distribution from , or else from (since it distinguishes and from each other). In the first case, we can construct which artificially generates the sample from and uses to distinguish from . In the second case, we can construct which artificially generates the sample from and uses to distinguish from . Hence , as desired. ∎

###### Corollary 36.

The collection of all bipartite graph symmetries with equal parts is well-shuffling.

###### Proof.

This immediately follow by observing that bipartite graph symmetries are the symmetries . Then Theorem 35 and Theorem 17 give the desired result. ∎

#### 4.3.4 Other transformations

We introduce one final transformation, which merges two group actions into one. This transformation also does not decrease the cost. While we have no direct application for it, we will mention this transformation in some discussion in the next section.

###### Lemma 37 (Merger).

Let and be two group actions on , and let be the group action on which is the closure of under composition. Then .

###### Proof.

Since is a subset of , distinguishing from is strictly easier than distinguishing from . ∎

## 5 Group actions with exponential quantum speedups

In this section, we exhibit some group actions that do allow super-polynomial quantum speedups. These serve as a barrier to proving that certain natural classes of group actions are well-shuffling.

To start, note that some of the most well-known examples of exponential quantum speedups in query complexity already have some mild symmetries.

• Period finding (the query task behind Shor’s algorithm) gives a periodic string and asks for the period; see [Sho94, Cle04] for a full definition. This function is symmetric under the cyclic group action .

• Simon’s problem [Sim97] promises that the input string represents a function with a hidden shift , such that if and only if or , and asks to find the hidden shift . It is not hard to convert this to a decision problem by requiring the function to output only one bit of information about ; in this form, Simon’s problem is symmetric under the group action which permutes by flipping some bits of the binary representation of each , i.e. the group action .

• In Forrelation, the input takes the form of two strings and of length

each, and the task is to estimate the sum

; for a full definition, see [AA15]. Forrelation is symmetric under the group action which permutes the bits in the binary representation of each (the group ).

• Another way to convert Simon’s problem to a decision problem is to define a Boolean function which outputs on strings that satisfy the Simon promise and outputs on strings that are far from satisfying the promise; see [BFNR08] for a full definition. This version of Simon’s problem is symmetric under the group action that can both flip the individual bits of and permute them, a group action of order which is the merger of the group actions and above.

While these examples are not exhaustive, other functions with exponential quantum speedups tend to have a similar flavor, being symmetric under group actions which contain only or maybe permutations instead of the maximum of .

This might suggest that in order to get an exponential quantum speedup we always need mild symmetries, with the order of the group action being small (compared to the maximum of ). However, this turns out not to be true. Theorem 38 demonstrates that even very large group actions may still be consistent with exponential quantum speedups. This means that a characterization of the group actions which do not allow super-polynomial quantum advantage must use some richness measure other than the order of the group action.

###### Theorem 38 (Exponential quantum speedup with high symmetry).

For infinitely many , there is a group action acting on such that , and yet there exists a function that’s symmetric under and has and .

###### Proof.

Consider the function