The One-Way Communication Complexity of Group Membership

This paper studies the one-way communication complexity of the subgroup membership problem, a classical problem closely related to basic questions in quantum computing. Here Alice receives, as input, a subgroup $H$ of a finite group $G$; Bob receives an element $x \in G$. Alice is permitted to send a single message to Bob, after which he must decide if his input $x$ is an element of $H$. We prove the following upper bounds on the classical communication complexity of this problem in the bounded-error setting: (1) The problem can be solved with $O(\log |G|)$ communication, provided the subgroup $H$ is normal; (2) The problem can be solved with $O(d_{\max} \cdot \log |G|)$ communication, where $d_{\max}$ is the maximum of the dimensions of the irreducible complex representations of $G$; (3) For any prime $p$ not dividing $|G|$, the problem can be solved with $O(d_{\max} \cdot \log p)$ communication, where $d_{\max}$ is the maximum of the dimensions of the irreducible $\F_p$-representations of $G$.


Introduction
Background The power of quantum computing in various settings has been gradually clarified by many researchers: some problems can be solved on quantum computers much more efficiently than on classical computers, while others cannot. One computational model that has been extensively studied in this light is the communication complexity model. In particular, one-way communication is one of the simplest settings but it has rich connections to areas such as information theory, coding theory, on-line computing, and learning theory. Therefore, its quantum version has then been the target of intensive research [Aar05, INRY07, Kla07, GKK + 07].
Let f : X ×Y → {0, 1} be a Boolean function, where X and Y are arbitrary sets. The one-way communication task associated to f is the following: Alice has an input x ∈ X , Bob has an input y ∈ Y and the goal is for Bob to output f (x, y). The assumption here is that only one message can be sent, from Alice to Bob, and the communication cost of a protocol is the number of bits of this message on the worst-case input. We say that a protocol for f has completeness error ε if it outputs 1 with probability at least 1 − ε whenever f (x, y) = 1, and soundness error δ if it outputs 0 with probability at least 1 − δ whenever f (x, y) = 0. The one-way classical bounded-error communication complexity of f , denoted by R 1 ( f ), is the minimum, over all protocols P for f with completeness and soundness error 1/3, of the communication cost of P. The one-way quantum bounded-error communication complexity of f , denoted by Q 1 ( f ), is defined similarly, but a quantum message can be used this time from Alice to Bob, and the number of qubits of the message is considered (in this paper we suppose that there is no prior entanglement and no shared randomness between Alice and Bob). Obviously for any function f , the relation Q 1 ( f ) ≤ R 1 ( f ) ≤ ⌈log 2 |X |⌉ holds.
One of the main open problems in quantum communication complexity is to understand how large the gap between R 1 and Q 1 can be. For partial functions (functions restricted to some domain R ⊂ X × Y or, equivalently, functions with a promise on their inputs), an exponential separation between these two quantities has been shown recently in [GKK + 07]. However the situation for total functions is far less clear: the largest gap known is an asymptotic factor of 2 [Win04].
In the exact setting, i.e., the setting where no error and no giving up are allowed, the quantum and classical one-way communication complexities are known to be the same for any total function [Kla07]. In the unbounded-error setting, i.e., the setting where any error probability less than 1/2 is allowed, it is known that the gap is exactly a factor 2 for both partial and total functions [INRY07]. Although bounded-error is a notion between the exact and unbounded-error, we stress that the bounded-error setting usually behaves quite differently from the other two in the case of total functions, e.g., for two-way communication there is a quadratic gap in the bounded-error setting [KS92,AA05] whereas in the exact setting no gap is known and, in the unbounded-error setting, the gap is again exactly a factor 2 [INRY07].
Note also that for total functions in the bounded-error setting, quadratic gaps are known in the two-way model [KS92,AA05] and exponential gaps are known in the simultaneous message-passing model [NS96,BCWdW01]; and these models are respectively stronger and weaker than the one-way model. Thus, whether a superlinear gap between R 1 and Q 1 can be achieved for some total function is an intriguing question.
The subgroup membership function Many of the problems for which quantum computation is more powerful than classical computation have group-theoretic structure. In particular, Watrous [Wat00] has used the subgroup membership problem (as a computational problem) to separate the complexity classes MA and QMA relative to an oracle. Inspired by Watrous's work [Wat00], we propose the subgroup membership function as a candidate to show a superlinear gap between R 1 and Q 1 . Let G be any finite group, and let H G denote the set of subgroups of G. Then the subgroup membership function for G, denoted by MEMB G , is the function with domain H G × G such that For any group G, the upper bound |H G | ≤ 2 (log 2 |G|) 2 follows easily from the fact that any subgroup of G is generated by at most log 2 |G| elements. 1 Furthermore, there exist families of groups G such that |H G | = 2 Ω((log |G|) 2 ) : for example, the abelian groups G = Z r 2 with r ≥ 1. Thus there exist groups G for which the "trivial protocol," wherein Alice simply sends Bob the name of her subgroup, requires Θ((log |G|) 2 ) communication. The one-way classical communication complexity of the function MEMB G was previously considered by Miltersen et al. [MNSW98], who showed that for the family of groups G = Z r 2 , any one-way protocol with perfect soundness and completeness error 1/2 requires Ω((log |G|) 2 )-bit communication. For certain groups G, we conjecture that Ω((log |G|) 2 )-bit communication is needed even if the completeness and soundness errors are both 1/3. On the other hand, there is a simple quantum one-way protocol, using O(log |G|)-bit communication, by which Bob can compute MEMB G with perfect completeness and constant soundness for any group G. In this protocol-inspired by [Wat00]-Alice sends the quantum state |H = |H| −1/2 ∑ h∈H |h . Bob then creates the state 1 √ 2 (|H |0 + |yH |1 ) where |yH = |H| −1/2 ∑ h∈H |yh , applies a Hadamard gate on the last register, and measures it in the basis {|0 , |1 } to decide which of |H = |yH and H|yH = 0 holds.
Thus, proving that there exists a family of groups G such that R 1 (MEMB G ) = Ω((log |G|) 2 ) would lead to a quadratic separation between R 1 and Q 1 for a total function. In other words, a major objective has been to prove a 2-sided-error version of the lower bound by Miltersen et al. [MNSW98] mentioned above. Apart from the goal of proving a separation between R 1 and Q 1 , we believe that the communication complexity of deciding subgroup membership is interesting in itself, since the latter is a key task in most group-theoretic computational problems.

Overview of our results
In this paper we present three upper bounds on the one-way classical communication complexity of the subgroup membership function: • We give a classical protocol using ⌈log 2 |G|⌉-bit communication, with perfect completeness and constant soundness, for the subgroup membership function in the case where Alice's subgroup H is normal. This suggests that in order to obtain a separation between R 1 and Q 1 using the subgroup membership problem, one must consider groups with many nonnormal subgroups. We also present a lower bound which is tight for some families of groups. Notice that this situation appears to be similar to the status of the Hidden Subgroup Problem: there exists an efficient quantum algorithm solving the problem in the case where the hidden subgroup is normal [HRTS03]; without the normality condition, however, very little is known. Our results rely on the theory of characters of finite groups and especially on the connection between kernels of irreducible characters and normal subgroups, as did the algorithms of [HRTS03].
• Let p be a prime not dividing |G|. Then we show that is the maximum dimension of an irreducible F p -representation of G. This result uses a beautiful characterization of the subspaces of the group algebra F p [G] stabilized by H. We remark that for any group G of exponent m (which is to say that g m = 1 for all g ∈ G), we have d p max ≤ d 0 max ord m (p), where d 0 max is the maximum dimension of a complex irreducible representation of G and ord m (p) is the order of p in Z * m , the multiplicative group of the integers relatively prime to m. In particular, as there is always a prime p of size O(log |G|) relatively prime to |G|, this protocol has complexity no more than This upper bound is obtained by a protocol that mirrors the technique utilized in the modular case by suitably discretizing the vector space C d and controlling "geometric expansion" around invariant spaces. One corollary is that any family of groups with an abelian subgroup of constant index has a protocol with complexity O(log |G|). In particular, for groups such as G = Z 2 ⋉ Z n 2 , the action of Z 2 on Z n 2 being to reverse the order of the coordinates, we These results suggest a nontrivial connection between the representation theory of the group G and the subgroup membership problem, and provide natural candidates for which a superlinear separation between R 1 (MEMB G ) and Q 1 (MEMB G ) may be obtained: groups with large irreducible representations and many nonnormal subgroups, e.g., the symmetric group.

Preliminaries
We assume the reader is familiar with basic concepts of group theory. Here we introduce some notions from representation theory that we will need. In this paper, G always denotes a finite group and 1 denotes its identity element.
Group representations Let F be a field whose characteristic does not divide the order of G (so the characteristic of F could be zero). An F-representation ρ of G is a homomorphism from G to GL(V ), the group of invertible linear transformations over a vector space V (over the field F). The dimension of ρ is the dimension of V . We say that a representation ρ : G → GL(V ρ ) is irreducible if the only subspaces of V ρ simultaneously fixed by the entire family of linear operators ρ(g) are the trivial ones: {0} and V ρ .
The group algebra F[G] is the F-algebra of formal sums with coordinatewise addition and multiplication defined by linearly extending the rule e g · e h = e gh . Note that F[G] has dimension |G| as a vector space over F. The natural action of G on the group algebra defines the regular representation: the action of x ∈ G on a vector v = ∑ g∈G α g · e g in F[G] is denoted by xv and defined as A theorem of Maschke's (see, e.g., [CR06,Ser77]) asserts that F[G] is semi-simple, i.e., F[G] can be written as the direct sum of a family of irreducible representations. In this case, a theorem of Wedderburn's [Ser77,CR06] asserts that each irreducible representation appears with multiplicity equal to its dimension: where Irr(G, F) denotes the set of (representatives of) all the irreducible F-representations ρ : G → GL(V ρ ) and d ρ denotes the dimension of ρ. If I H (ρ) is the subspace of V ρ pointwise fixed by H, we see that and conclude that ∑ ρ∈Irr(G,F) Complex characters Let F be the complex field C. For any C-representation ρ of G, the character of ρ is the function χ : G → C such that χ(g) = tr(ρ(g)) for any g ∈ G, where tr denotes the trace. Characters are conjugacy class functions: the relation χ(gg ′ g −1 ) = χ(g ′ ) holds for any two elements g, g ′ of G. Moreover, the value χ(1) is the dimension of the representation ρ. The kernel of χ, denoted by ker(χ), is defined as ker(χ) = {g ∈ G | χ(g) = χ(1)}. It is easy to see that ker(χ) is a subgroup of G.
A character is said to be irreducible if it is the character of an irreducible representation. Denote by Char(G) the set of irreducible (complex) characters of G. The relation ∑ χ∈Char(G) [χ(1)] 2 = |G| is wellknown and implies the inequality |Char(G)| ≤ |G|. Let H be a normal subgroup of G. Denote Then the relation holds (see, e.g., [Isa76]).

Normal subgroups
In this section we give an efficient classical protocol computing the subgroup membership function in the special case where Alice's subgroup H is normal. Our protocol is actually more general: we show that one can decide efficiently membership in the normal closure of H, denoted by H (the smallest normal subgroup of G containing H).
The protocol testing normal closure membership, denoted by NORM(G), is as follows. To conclude our proof, we now prove that Let K denote the normal closure of the set H ∪ {y} in G. Remember that the normal closure of a set S ⊆ G is the smallest normal subgroup of G including S, and can be defined explicitly as the subgroup of G generated by all the elements gzg −1 for g ∈ G and z ∈ S. Since y / ∈ H the subgroup H is a proper subgroup of K. In particular |K|/|H| ≥ 2. We now claim that B = Λ K . Then Equation (2) implies that The proof of the claim follows. First suppose that χ is an element of Λ K . Then χ(y) = χ(1) and thus χ ∈ B. Now suppose that χ is an element of B. Then H ∪ {y} ⊆ ker(χ). From the basic properties of characters, we conclude that K ⊆ ker(χ) and thus χ ∈ Λ K .
Given a finite group G, let H * G be the set of normal subgroups of G. Since for a normal subgroup H of G we have H = H, we conclude that Protocol NORM(G) solves the restriction of MEMB G to the domain H * G × G (notice that this is still a total function). Theorem 1. For any finite group G, the restriction of MEMB G to the domain H * G × G can be computed with perfect completeness and soundness error 1/2 by communicating at most ⌈log 2 |G|⌉ bits.
We now show a simple lower bound on the communication complexity of MEMB G . We first recall the definition of the VC-dimension of a set of functions [VC71].

Definition 1. Let Σ be a set of Boolean functions over a finite domain Y . We say that a set S ⊆ Y is shattered by Σ if for every subset R ⊆ S there exists a function σ R ⊆ Σ such that ∀y ∈ S, (σ R (y) = 1 if and only if y ∈ R). The largest size of set S over all S shattered by Σ is the VC-dimension of Σ, denoted by VC(Σ).
We say that a subset S of a finite group G is an independent subset of G if, for each g ∈ S, element g cannot be written as any product of elements of S\{g}. We denote by γ(G) the maximal size of an independent subset of G. Notice that, for any finite group G, the inequality γ(G) ≤ log 2 |G| holds. We now state our lower bound.

Proof. For each subgroup
where h is the binary entropy function.
Let g 1 , . . . , g γ(G) be distinct elements of G such that S = {g 1 , . . . , g γ(G) } is a subset of independent elements of G. The subset S ⊆ G is shattered by Σ since it is easy to show that, for any subset R ⊆ S, the function f R is such that ∀y ∈ S, f R (y) = 1 if and only if y ∈ R (here R denotes the subgroup generated by the elements in R). Then VC(Σ) ≥ γ(G) and Q 1 (MEMB G ) ≥ (1 − h(1/3)) · γ(G).
The second part of the proposition follows from the observation that each group Z r 2 is also a vector space of dimension r over the finite field Z 2 and, thus, γ(Z r 2 ) = r = log 2 (|Z r 2 |).
Proposition 2 shows that, for the family of groups G = Z r 2 , Protocol NORM(G) is optimal up to a constant factor.

Algorithms for groups with small modular representations
In this section we present a protocol computing the group membership function for groups with small modular representations. Let F q be a finite field with characteristic p not dividing |G|. Our protocol, denoted by MOD-REP(G, F q ), is the following. Observe that by equation (1), the weights of Step 1 do indeed determine a probability distribution.
We now show the correctness of this protocol.

MOD-REP(G, F q ) computes MEMB G with perfect completeness and constant soundness error. Its communication complexity is at most ⌈log
Proof. Note that the protocol is clearly complete: if y ∈ H, then Bob always accepts.
To establish soundness, let y / ∈ H and define K = H, y , the smallest subgroup containing both H and y. Remember that I K (ρ) denotes the subspace of V ρ pointwise fixed by K. We see that again by equation (1). Observe, then, that I K (ρ) ⊆ I H (ρ) and so Then When I K (ρ) = I H (ρ), the vector v chosen by Alice has probability no more than 1/q to be in I K (ρ). Then ρ(y)v = v with constant probability in her choices of ρ and v.
In light of the complexity guarantee of the protocol above, it is natural to ask how the dimensions of the irreducible representations of a finite group G compare over various fields and, especially, how the modular case compares to the complex case. When the group algebras involved are semi-simple (as they are in this paper due to our insistence that p | |G|), there is a tight connection expressed in the following proposition.

Proposition 3. Let G be a finite group of exponent m and p be any prime not dividing |G|. Then the relation d p max ≤ d 0 max ord m (p) holds, where d 0 max is the maximum dimension of a complex irreducible representation of G, d p max is the maximum dimension of an irreducible F p -representation of G, and ord m (p) is the order of p in Z *
m , the multiplicative group of the integers relatively prime to m. Proof. This is a consequence of the "c-d-e triangle" (see [Ser77]). See Appendix A for a brief discussion.
As there always exists a prime p of size O(log |G|) that does not divide |G|, we obtain the following corollary.
where m denotes the exponent of G and d 0 max is the maximum dimension of a complex irreducible representation of G.

Algorithms for groups with small C-representations
We now focus on the case where the dimensions of the irreducible C-representations of G is under control.
The key idea is to discretize the protocol given in the previous section. To achieve this goal we use the concept of an ε-net of a sphere. (As our nets will lie in the vector spaces acted upon by the irreps of G, we define them as subsets of complex Hilbert spaces.) Definition 2. Let V be a finite-dimensional complex Hilbert space. An ε-net of V is a finite family of unitvectors N ⊆ V so that for every unit-length vector w ∈ V , there is a vector n ∈ N so that | n, w | 2 > 1 − ε 2 .
Proposition 4. For any ε > 0 and for any complex Hilbert space V of dimension d, there exists an ε-net of size at most (4/ε) 2d .
Proof. For any dimension d and distance ε > 0, there is a set of points A ⊂ S d−1 of cardinality no more than (4/ε) d with the property that every point of S d−1 has distance no more than ε from some point of A (see, e.g., [Mat02, §3.1]). This yields a set with analogous properties of size no more than (4/δ ) 2d−1 for the complex d-sphere, which has the same metric as the real 2d − 1 sphere. Note that if v and w are two unit vectors of V , we may write v = v, w w + r with r, w = 0 in which case, r ≤ v − w . The statement of the proposition follows.
Our protocol requires the choice of a sufficiently dense ε-net for each irreducible representation in Irr(G, C). This choice is independent of the inputs of the protocol and so can be done by Alice and Bob without communication. The protocol is as follows. ; 3 Alice chooses a random (according to Haar measure) unit length vector v ∈ I H (ρ) ⊆ V ρ ; 4 Alice sends Bob the name of ρ and the closest vector n in N ρ to the vector v; 5 If |1 − ρ(y)(n), n | ≤ 2ε, then Bob outputs 1; Otherwise |1 − ρ(y)(n), n | > 2ε, and Bob outputs 0.
Observe that by equation (1), the weights at Step 2 do indeed determine a probability distribution on Irr(G, C). Ideally, at Step 3, Alice would communicate v to Bob: Bob could then check if ρ(y)(v) = v and, if so, would figure that y ∈ H. If ρ(y)(v) = v, Bob would be sure that y ∈ H, since I H (ρ) is precisely the fixed space of H. The proof below shows that by sending a sufficiently close approximation to v, Bob can still answer confidently.
The following theorem states the correctness and the communication complexity of this protocol. Proof. As the name of the representation ρ can be encoded using ⌈log 2 |G|⌉ bits, the communication complexity of the protocol will be dominated by the number of bits necessary to encode the vector n. We will show that a choice ε = ε G = Ω(1/(|G| 2 poly log |G|)) suffices to achieve perfect completeness and constant soundness. According to Proposition 4, such an ε-net can be indexed with O(d ρ log |G|) bits. This gives our upper bound. We proceed with the analysis of the completeness and soundness of the protocol.
Completeness Observe that if y ∈ H, then the vector v chosen by Alice in the protocol is fixed by ρ(y).
As ε < 1, we have ε 2 + ε ≤ 2ε and it follows that the protocol has perfect completeness.
Soundness We wish to show that for sufficiently small ε (= 1/poly|G|), the protocol has constant soundness. Assume that y ∈ H and let K = H, y , the smallest subgroup containing H and y. Our goal will be to show that with constant probability v, ρ(y)v is far from 1, in which case the same can be said of n so long as ε is sufficiently small. From equation (1), Then, with constant probability, the subspace of I H (ρ) fixed by y has dimension no more than 2/3 · dim I H (ρ). We may write the vector v ∈ I H (ρ) as v = v y + v ′ , where v y ∈ I K (ρ) and v ′ ∈ [I K (ρ)] ⊥ , the space perpendicular to I K (ρ). We then have ρ(y)v y = v y and v y ∈ I K (ρ) ⊂ I H (ρ). Now, as v is chosen uniformly on the unit sphere in V ρ , we have E v [ v y 2 ] = dim I K (ρ)/ dim I H (ρ) and the probability Pr ρ,v [ v ′ 2 ≥ 1/6] is lower bounded by a constant. 2 We wish to conclude that, conditioned on the event v ′ 2 ≥ 1/6, the value v ′ , ρ(y)v ′ v ′ 2 cannot be too close to 1. We will show, in fact, that the real part is appropriately bounded below 1. Consider the restriction of the representation ρ : G → GL(V ρ ) chosen by Alice to the subgroup K: specifically, we may decompose V ρ as an orthogonal direct sum of K-invariant subspaces: where each σ i is in Irr(K, C) (but copies of the same irrep may appear several times in the direct sum). In this decomposition, v y is precisely the projection of v into the subspace i: σ i =1 W σ i corresponding to the copies of the trivial representation; v ′ , on the other hand, lies solely in i: σ i =1 W σ i . As both v and v y lie in I H (ρ), the difference v ′ does as well and the projection of v ′ into each W σ i is H-invariant (that is, lies in I H (σ i )). With this in mind, we shall upper bound taken over all nontrivial irreps σ of K and all H-invariant vectors w in W σ . In particular, Observe that if A is a set of generators for H and w is an H-invariant vector of W σ , (Note that the vector w is not constrained to be H-invariant in this expression.) If we choose A to be a symmetric generating set (so that a ∈ A ⇔ a −1 ∈ A) then S A is self-adjoint and σ (y) is unitary so that As the operator σ (y)S A + S A σ (y −1 ) is Hermitian, we have where · denotes the operator norm.
In order to control this operator norm, observe that the linear operator (1/2) σ (y)S A + S A σ (y −1 ) is precisely given by the left action of the group algebra element on the invariant subspace W σ of C[K] corresponding to the representation σ . Alternatively, we may consider the Cayley graph on the group K given by the symmetric generating (multi-)set yA ∪ Ay −1 . The (normalized) adjacency matrix of this Cayley graph is identical to the regular representation evaluated at the group algebra element (3) above. As yA ∪ Ay −1 is a (symmetric) generating set for K, the operator norm of σ ([A, y]) is bounded below 1 for each nontrivial σ (see, e.g., [HLW06]). In order to conclude the proof, we require explicit bounds on this spectral gap. A result of Erdős and Renyi [ER65] asserts that we may select a set of generators A for H of size O(log |H|) so that the diameter of the resulting Cayley graph (generated by A over H) is O(log |H|). Considering that the diameter of A (as generators for H) is O(log |H|), it is easy to see that the set yA ∪ Ay −1 induces a Cayley graph on K of diameter no more than O([K : H] log |H|).
In particular, Theorem 3 shows that, over groups for which d 0 max is constant, the subgroup membership problem can be solved using O(log |G|)-bit communication. There is a very beautiful characterization of such groups: a family of groups has representations of bounded degree if and only each group of the family has an abelian subgroups of constant index [Glu85]. We thus obtain the following corollary.