Available via license: CC BY-NC-ND 4.0
Content may be subject to copyright.
Factoring integers with sublinear resources on a superconducting quantum processor
Bao Yan,1, 2, ∗Ziqi Tan,3, ∗Shijie Wei,4, ∗Haocong Jiang,5Weilong Wang,1Hong Wang,1Lan Luo,1Qianheng Duan,1
Yiting Liu,1Wenhao Shi,1Yangyang Fei,1Xiangdong Meng,1Yu Han,1Zheng Shan,1Jiachen Chen,3Xuhao Zhu,3
Chuanyu Zhang,3Feitong Jin,3Hekang Li,3Chao Song,3Zhen Wang,3, †Zhi Ma,1 , ‡H. Wang,3and Gui-Lu Long2,4, 6, 7 , §
1State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
2State Key Laboratory of Low-Dimensional Quantum Physics and Department of Physics, Tsinghua University, Beijing 100084, China
3School of Physics, ZJU-Hangzhou Global Scientific and Technological Innovation Center, Interdisciplinary Center for Quantum Information,
and Zhejiang Province Key Laboratory of Quantum Technology and Device, Zhejiang University, Hangzhou 310000, China
4Beijing Academy of Quantum Information Sciences, Beijing 100193, China
5Institute of Information Technology, Information Engineering University, Zhengzhou 450001, China
6Beijing National Research Center for Information Science and Technology
and School of Information Tsinghua University, Beijing 100084, China
7Frontier Science Center for Quantum Information, Beijing 100084, China
Shor’s algorithm has seriously challenged information security based on public key cryptosystems.
However, to break the widely used RSA-2048 scheme, one needs millions of physical qubits, which is
far beyond current technical capabilities. Here, we report a universal quantum algorithm for integer
factorization by combining the classical lattice reduction with a quantum approximate optimization algo-
rithm (QAOA). The number of qubits required is O(logN/loglogN), which is sublinear in the bit length
of the integer N, making it the most qubit-saving factorization algorithm to date. We demonstrate the
algorithm experimentally by factoring integers up to 48 bits with 10 superconducting qubits, the largest
integer factored on a quantum device. We estimate that a quantum circuit with 372 physical qubits and
a depth of thousands is necessary to challenge RSA-2048 using our algorithm. Our study shows great
promise in expediting the application of current noisy quantum computers, and paves the way to factor
large integers of realistic cryptographic significance.
Quantum computing has entered the era of noisy inter-
mediate scale quantum (NISQ) [1,2]. A milestone in the
NISQ era is to prove that NISQ devices can surpass classi-
cal computers in problems with practical significance, that is,
to achieve practical quantum advantage. Low-resource algo-
rithms, which harness only limited available qubits and cir-
cuit depths to perform classically challenging tasks, are of
great significance. Variational quantum algorithms, adopt-
ing a “classical+quantum” hybrid computing framework, hold
great promise for a meaningful quantum advantage in the
NISQ era [3–6]. One representative is the quantum approx-
imate optimization algorithm (QAOA) [5], which was pro-
posed to solve eigenvalue problems, and has subsequently
been widely used in various fields such as chemical simu-
lation [7,8], machine learning [9], and engineering applica-
tions [10,11].
Integer factorization has been one of the most impor-
tant foundations of modern information security [12]. The
exponential speedup of integer factorization by Shor’s al-
gorithm [13] is a great manifestation of the superiority of
quantum computing. However, running Shor’s algorithm
on a fault-tolerant quantum computer is quite resource-
intensive [14,15]. Up to now, the largest integer factorized
by Shor’s algorithm in current quantum systems is 21 [16–
18]. Alternatively, integer factorization can be transformed
into an optimization problem, which can be solved by adi-
abatic quantum computation (AQC) [19–22] or QAOA [23].
Larger numbers have been factored using these approaches, in
various physical systems [24–27]. The maximum integers fac-
torized are 291311 (19-bit) in NMR system [26], 249919 (18-
bit) in D-Wave quantum annealer [25], 1099551473989 (41-
bit) in superconducting device [27]. However, it should be
noted that some of the factored integers have been carefully
selected with special structures [28], thus the largest integer
factored by a general method in a real physical system by now
is 249919 (18-bit).
In this paper, we propose a universal quantum algorithm
for integer factorization that requires only sublinear quantum
resources. The algorithm is based on the classical Schnorr’s
algorithm [29,30], which uses lattice reduction to factor in-
tegers. We take advantage of QAOA to optimize the most
time-consuming part of Schnorr’s algorithm to speed up the
overall computing of the factorization progress. For an m-bit
integer N, the number of qubits needed for our algorithm is
O(m/logm), which is sublinear in the bit length of N. This
makes it the most qubit-saving quantum algorithm for integer
factorization compared with the existing algorithms, includ-
ing Shor’s algorithm. Using this algorithm, we have success-
fully factorized the integers 1961 (11-bit), 48567227 (26-bit)
and 261980999226229 (48-bit), with 3, 5 and 10 qubits in a
superconducting quantum processor, respectively. The 48-bit
integer, 261980999226229, also refreshes the largest integer
factored by a general method in a real quantum device. We
proceed by estimating the quantum resources required to fac-
tor RSA-2048. We find that a quantum circuit with 372 phys-
ical qubits and a depth of thousands is necessary to challenge
RSA-2048 even in the simplest 1D-chain system. Such a scale
of quantum resources is most likely to be achieved on NISQ
devices in the near future.
The framework of the algorithm
arXiv:2212.12372v1 [quant-ph] 23 Dec 2022
2
Schnorr’s factoring algorithm
Linear equations
Random CVPs Babai’s algorithm
Smooth relation pairs
b1
b2
b3t
d1
d2
d3
t
bop
d3
~
ǁd3ǁ
~
Hamiltonian problem
Babai’s
solution
bop
QAOA
solution
vnew
bop
vnew
t
Quantum computer
QPU
Quantum optimizer (QAOA)
Classical Quantum
Input Integer N
Output factors (p, q)
FIG. 1. Workflow of the sublinear-resource quantum integer factorization (SQIF) algorithm. The algorithm adopts a “classical+quantum”
hybrid framework where a quantum optimizer QAOA is used to optimize the classical Schnorr’s factoring algorithm. First, the problem is
preprocessed as a closest vector problem (CVP) on a lattice. Then, the quantum computer works as an optimizer to refine the classical vectors
computed by Babai’s algorithm, and this step can find a higher quality (closer) solution of CVP. The optimized results will feedback to the
procedure in Schnorr’s algorithm. After post-processing, finally output the factors pand q.
The workflow of the sublinear-resource quantum integer fac-
torization (SQIF) algorithm is summarized in Fig. 1, which
essentially manifests itself as a “classical+quantum” hybrid
framework. The core idea is to utilize the quantum opti-
mizer QAOA to optimize the most time-consuming part of
Schnorr’s algorithm, as a result, improving the whole effi-
ciency of the factoring process. As illustrated in the left panel
of Fig. 1, Schnorr’s algorithm involves two substantial steps,
finding enough smooth relation pairs (sr-pairs for short) and
solving the resulted linear equation system. Generally, find-
ing sr-pairs is the most important and consuming part of the
algorithm while solving equation system can be done in poly-
nomial time. In Schnorr’s algorithm [31], the sr-pair problem
is converted to the closest vector problem (CVP) on a lattice,
and resolved by lattice reduction algorithms such as Babai’s
algorithm [32]. Based on the fact that CVP is a famous NP-
hard problem [33], we are supposed to have only the approxi-
mate other than the severe solution of CVP in polynomial time
or other acceptable time consuming. Meanwhile, the proba-
bility of getting an sr-pair is proportional to the quality of the
CVP solution [29]. Namely, the closer the solution vector of
CVP, the more efficient the sr-pair acquaintance. Based on
the facts mentioned above, we propose a scheme which uti-
lizes QAOA to further optimize the CVP solution obtained by
Babai’s algorithm. The whole process of the SQIF algorithm
is presented by detailed examples in [31]. We mainly focus
on the quantum procedures of the algorithm in the following
part.
We combine Babai’s algorithm with QAOA to solve the
CVP on a lattice. Given a lattice Λwith a group of basis
B= [b1, ..., bn]∈R(n+1)×nand a target vector t∈Rn+1,
Babai’s algorithm can find a vector bop ∈Λwhich is approx-
imately closest to the target vector tvia two steps. First, per-
form LLL-reduction with parameter δfor the given basis B=
[b1, ..., bn]. Consequently, we have a set of LLL-reduced ba-
sis denoted by D= [d1, ..., dn],and the corresponding Gram-
Schmidt orthogonal basis denoted by ˜
D= [ ˜
d1, ..., ˜
dn]. The
second step is a “size-reduction” of the target vector tusing
the LLL-reduced basis. Then we have the approximate closest
vector, denoted by
bop = (b1
op, ..., bn+1
op )0=
n
X
i=1
cidi,(1)
where the coefficient ci=dµic=dhd,˜
dii/h˜
di,˜
diic is ob-
tained by rounding to the nearest integer to the Gram-Schmidt
coefficient µi. Here, we notice that the round-to-nearest func-
tion takes only one approximation at a time. In fact, if the
values of the two rounding functions can be taken into the
calculation simultaneously, a higher-quality solution can be
obtained [31]. This process will exponentially increase the
amount of classical operations, which is unaffordable for a
classical computer. Here we adopt the idea of quantum com-
puting, using the superposition effect of qubits to encode the
coefficient values obtained by the two rounding functions at
the same time. Then we construct the optimization problem
based on the Euclidean distance between the new lattice vec-
tor and the target vector. The details of the construction are as
follows.
Let vnew be the new vector obtained by randomly floating
xi∈ {0,±1}on the coefficient ci, satisfying
vnew =
n
X
i=1
(ci+xi)di=
n
X
i=1
xidi+bop.(2)
We construct the loss function of the optimization problem as
follows
F(x1, ..., xn) = kt−vnewk2=kt−
n
X
i=1
xidi−bopk2.(3)
3
A
Q1Q2Q3Q4Q5Q6Q7Q8Q9Q10
C1C3C5C7C9
C2C4C6C8
Q1
Q2
Q3
Q4
Q5
Q6
Q7
Q8
Q9
Q10
B C ...
...
e-iγpHc
e-iβpX
e-iβpX
e-iβpX
e-iβpX
e-iβpX
e-iβpX
e-iβpX
e-iβpX
e-iβpX
e-iβpX
Layer p
e-iγ1Hc
e-iβ1X
e-iβ1X
e-iβ1X
e-iβ1X
e-iβ1X
e-iβ1X
e-iβ1X
e-iβ1X
e-iβ1X
e-iβ1X
Layer 1
+
+
+
+
+
+
+
+
+
+
Q1
Q2
Q3
Q4
Q5
Q6
Q7
Q8
Q9
Q10
e-iγHc
D
RZ
RZ
RZ
RZ
RZ
RZ
RZ
RZ
RZ
RZ
H
H
H
H
H
H
H
H
H
H
=
DD Dynamic Decoupling
Swap-network
ETwo equivalent e-iγwZZ SWAP blocks:
H
HH
H=
=
H
H
H
H
RZ
RZ
H
H
H
H
H
H
H
H
FIG. 2. Experimental setup and the QAOA circuit of the SQIF algorithm. A, The 10 qubits selected on a superconducting quantum
processor, with each qubit coupled to its nearest neighbors mediated by frequency-tunable couplers. B, Native interaction topology of the
problem Hamiltonian for the 10-qubit factoring case, mapped into a chain topology depicted in A.C, Circuit diagram of a p-layer QAOA. All
qubits are initialized into |+i, followed by players of repeated application of the problem Hamiltonian (orange) and the mixing Hamiltonian
(green), finished by population measurements (gray). Note that the variational parameters {γ , β}are different for all layers. D, Routing circuit
for the 10-qubit all-to-all Hamiltonian into the linear nearest neighbor topology, built by a brickwork of two similar SWAP blocks with two
layers of Hardamard gates (H) applied at the start and end, followed by a layer of Rz(θ) gates. Here, the rotation angle is omitted. The
depth of the circuit is proportional to the number of qubits used. E, Detailed compilation of the quantum circuit into the native gates of the
superconducting quantum processor.
The function value kt−vnewk2represents the squared Eu-
clidean distance from the new vector to the target vector. The
lower the loss function value, the closer the new vector is
to the target vector t, and the higher the quality of the so-
lution. When all variables xi,i=1,...,n take 0, the optimal solu-
tion based on Babai’s algorithm is obtained.
By mapping the variable xito the Pauli-Z terms, the prob-
lem Hamiltonian corresponding to Eq. 3can be constructed
as
Hc =kt−
n
X
i=1
ˆxidi−bopk2=
n+1
X
j=1 |tj−
n
X
i=1
ˆxidi,j −bj
op|2,
(4)
where ˆxiis a quantum operator mapped to the Pauli-Z ba-
sis according to the single-qubit encoding rules, which can be
found in [31].
In this case, the number of qubits needed for the quantum
procedure to optimize Babai’s algorithm is equal to the dimen-
sion of the lattice. According to the analysis in [31], the lattice
dimension satisfies n∼2clogN/loglogN, with ca lattice pa-
rameter close to 1. Therefore, to factorize an m-bit integer N,
the number of qubits required in the algorithm is O(m/logm),
which is a sublinear scale of m, compared to O(m)qubits in
Shor’s algorithm [13] and O(m2)qubits in the product table
method [25]. This makes our algorithm the most qubit-saving
method to date, and it is also the first general quantum factor-
ing algorithm with sublinear qubit resources.
The experiment and results
We demonstrate the algorithm by experimentally factoring
three integers on a superconducting quantum processor, where
ten qubits and nine couplers arranged in a chain topology are
selected. All qubits and couplers are frequency-tunable trans-
mons, with single-qubit rotations around the x- or y-axis of
the Bloch sphere realized by applying drive signals with gate
information encoded in the amplitude and phase of the mi-
crowave pulses. We adopt virtual-z gates to implement single-
qubit rotations around z-axis. Two-qubit controlled-Z (CZ)
gates can be achieved by swapping the joint states |11iand
|02i(or |20i) of the neighboring qubits, when the interac-
tion mediated by the coupler is activated [34]. Cross-entropy
benchmarkings (XEB) in parallel yield average fidelities close
to 99.9% and 99.5% for the single-qubit rotations and the CZ
gates, respectively. More details of the experimental setup and
characteristics of the quantum processor in [31].
We factorize the 11-bit integer 1961, 26-bit integer
48567227 and 48-bit integer 261980999226229 with 3, 5 and
10 superconducting qubits, respectively. Here we demonstrate
the process of obtaining one sr-pair by quantum method in
each group of experiments. The calculations of other sr-pairs
are similar and will be obtained by numerical method. The de-
tails of all the sr-pairs and the corresponding linear equation
systems are presented in [31].
The topology of the ZZ-items in the problem Hamiltonian
is an n-order complete graph (Kn) according to Eq. 4[31].
An example for the 10-qubit case is shown in Fig. 2B. To
make the Kn-type Hamiltonian work on the 1D-chain of phys-
ical qubits, we have adopted a routing method based on the
classical parallel bubble sort algorithm, in which the all-to-all
qubits interactions can be mapped into the nearest-neighbor
two-qubit interactions on a chain through elaborate swap net-
works, as shown in Fig. 2D. In fact, the routing method is
4
optimal with only a linear increase of circuit depth overhead.
The swap networks are further complied into the native gates
(Fig. 2E), which can be directly executed on the quantum pro-
cessor. Notably, a tiny skill has been used by an up-down
combination of the ZZ-SWAP block in the even and odd lay-
ers of swap networks. As a result, a linear depth of H gates
can be reduced.
QAOA can find the approximate ground state of the Hamil-
tonian system by updating the parameters (Fig. 2C, a detailed
description can be found in [31]). The parameter optimization
process of QAOA can be understood through the landscape
of the energy function E(γ, β ). The comparison between
the theoretical and the experimental landscapes is a qualita-
tive diagnostic for the application of QAOA to real hardware.
For the hyperparameter p= 1, we can visualize the energy
landscape as a function of the parameters (γ, β )in a three-
dimensional plot in Fig. 3. Here, the energy function values
are normalized by E∗= (E−Emin)/(Emax −Emin ). Fig. 3
shows the noiseless simulated (left) and experimental (right)
energy maps for the 3, 5 and 10 qubits cases, respectively.
The different colors of the pixel blocks in the figure represent
different function values. We overlay the convergence path of
the classical optimization procedure, as the red curve shown in
Fig. 3. To optimize the parameters, we use the model gradient
descent method, which performs well both numerically and
experimentally on some variational quantum ansatzes. We
find that the algorithm can converge to the region of global
minimum within 10 steps in all three cases. We can see that
the convergence paths of the experiments differ from those of
the theoretical results, however, converged to the optimum in
comparable steps. This indicates that the algorithm is robust
to certain noise.
In QAOA, the core work of the quantum computer is to
prepare the quantum states according to the given variational
parameters. The performance of QAOA will be improved by
increasing the depth of hyperparameter pin theory. How-
ever, the errors are accumulated during the increasing of cir-
cuit depth and the bonus of the computation can be counter-
acted. Here we report the performance of the superconducting
quantum processor on running circuits at the optimal β, γ pa-
rameters. We show QAOA layers up to p= 3 for the cases
of 3 and 5 qubits, and a single-layer QAOA for the 10-qubit
case. The results of p= 3 for the 10-qubit case have also
been performed and are apparently better than random guess,
however, not as good as that of p= 1 [31]. We can observe in
Fig. 4A-C that the probability of the target state (red dashed
box) increases as the hyperparameter pgrows. Although the
increase is not as large as the theoretical value, it is in good
agreement with the noise simulation. Similar results can be
found in the 5-qubit experiment, see Fig. 4D-F. The results
for the 10-qubit case with p= 1 are shown in Fig. 4G. We
only show the most significant 120 states according to the the-
oretical results for illustration. We can find that the theoreti-
cal probability of the target state is 0.02 (the highest), while
the experimental result is around 0.008, which is close to the
noise result 0.009. The experimental results are significantly
Noiseless simulation Experiment
3-qubit case
5-qubit case10-qubit case
γβ
E*
A
γβ
E*
B
γβ
E*
C
γβ
E*
D
γβ
E
E*
γβ
E*
F
FIG. 3. Energy landscapes and convergence paths of QAOA for
p= 1. A, B, Numerical and experimental landscapes for the 3-qubit
case, C, D 5-qubit case, and E, F 10-qubit case. In each group of
the experiment, 41 ×41 combinations of (γ, β )have been evalu-
ated, which are evenly distributed grid points in a sub-zone of the
entire 2-dimensional parameter space. For each grid point, the ex-
pectation value is estimated using 30,000 circuit repetitions. The
comparison of the experimental and numerical landscapes shows a
clear correspondence of landscape features. An overlaid optimiza-
tion trace (red, initialized from the square marker and converged into
the triangle) demonstrates the ability of a classical optimizer to find
optimal parameters.
larger than that of random guess 0.001, which means the com-
putation bonus of QAOA is still considerable. In addition, the
shape of the probability distribution of each quantum state is
symmetric with that of the simulation results, which shows
that the experimental results are in good agreement with the
theoretical values.
The quantum resource estimation
Here we report the quantum resources needed to challenge
some real-life RSA numbers based on the SQIF algorithm in
this paper. The main quantum resources mentioned include
the number of qubits and the quantum circuit depth of QAOA
in one layer. Usually, quantum circuits cannot be directly exe-
cuted on quantum computing devices, as their design does not
consider the qubits connectivity characteristics of actual phys-
ical systems. The execution process often requires additional
quantum resources such as ancilla qubits and extending circuit
depths. We have discussed the quantum resources required in
quantum systems under three typical topologies, including all
connected system (Kn), 2D-lattice system (2DSL), and 1D-
chain system (LNN). We demonstrate with specific schemes
5
3-qubit, p=1
0
3
3
Probability (10-1)
Experiment
Theory
Noisy
A
Experiment
Theory
Noisy
3-qubit, p=2
0
4
4
B C
Experiment
Theory
Noisy
3-qubit, p=3
0
5
5
5-qubit, p=1
0
1
1
Experiment
Theory
Noisy
D
5-qubit, p=2
0
1
1
Experiment
Theory
Noisy
2
E
5-qubit, p=3
0
Experiment
Theory
Noisy
2
2
F
10-qubit, p=1
0
1
Experiment
Theory
Noisy
1
2
G H
Q1
Q3
Q4
Q5
Q6
Q7
Q8
Q9
Q10
Q2
Zero state
Target state
Probability (10-1)
Probability (10-1)
Probability (10-1)
Probability (10-1) Probability (10-1)
Probability (10-2)
FIG. 4. Experimental performance of QAOA for the three factoring cases. A-C, QAOA performance of the 3-qubit case with p= 1,p= 2
and p= 3, respectively. D-F, QAOA performance of the 5-qubit case with p= 1,p= 2 and p= 3, respectively. G,p= 1 performance
of QAOA for the 10-qubit case . The experimental results shown in orange are averaged over 20 repeated experiments with error bars giving
a confidence interval of one standard deviation. The theory(yellow) and 0.01-noise(taupe) results are also given for comparison. It can be
observed that all the three groups of experimental results on the superconducting quantum processor are in good agreement with the theoretical
and 0.01-noise values. H, Representations of the color blocks that are basis states of different qubits in x-tick labels.
that the embedding process needs no extra qubits overhead
and the circuit depths of QAOA in one layer are O(n)for all
three systems. As a result, a sublinear quantum resource is
necessary for factoring integers using our algorithm. Taking
RSA-2048 as an example, the number of qubits required is
n= 2 ∗2048/log2048 ∼372. The quantum circuit depth
of QAOA with a single layer is 1118 in Kn topology system,
1139 in 2DSL system and 1490 in the simplest LNN system,
which is achievable for the NISQ devices in the near future.
The quantum resources required for different lengths of RSA
numbers are shown in Table I. The detailed analysis can be
found in [31].
Conclusion
The integer factorization problem is the security cornerstone
of the widely used RSA public key cryptography nowadays.
In this paper, we have proposed a general quantum algorithm
for integer factorization based on the classical lattice reduction
method. To factor an m-bit integer N, the number of qubits
needed for the algorithm is O(m/logm), which is a sublinear
scale of the bit length of N. This quantum factoring algo-
rithm uses the least qubits compared with previous methods,
including Shor’s algorithm. We have demonstrated the factor-
ing principle for the algorithm on a superconducting quantum
processor. The 48-bit integer 261980999226229 in our work
is the largest integer factored by the general method in a real
TABLE I. Resource estimation for RSA numbers. The main quan-
tum resources mentioned are the number of qubits, the quantum cir-
cuit depth of QAOA with a single iteration in three typical topologies,
including all connected system (Kn), 2D-lattice system (2DSL) and
1D-chain system (LNN). The results are obtained without consid-
ering the native compilation of the ZZ-basic module (or ZZ-SWAP
basic module) in a specific physical system.
RSA number Qubits Kn-depth 2DSL-depth LNN-depth
RSA-128 37 113 121 150
RSA-256 64 194 204 258
RSA-512 114 344 357 458
RSA-1024 205 617 633 822
RSA-2048 372 1118 1139 1490
6
quantum system to date. We have analyzed the quantum re-
sources required to factor RSA-2048 in quantum systems un-
der three typical topologies. We find that a quantum circuit
with 372 physical qubits and a depth of thousands is neces-
sary to challenge RSA-2048 even in the simplest 1D-chain
system. Such a scale of quantum resources is most likely to
be achieved on NISQ devices in the near future. It should
be pointed out that the quantum speedup of the algorithm is
unclear due to the ambiguous convergence of QAOA. How-
ever, the idea of optimizing the “size-reduce” procedure in
Babai’s algorithm through QAOA can be used as a subroutine
in a large group of widely used lattice reduction algorithms.
Further on, it can help to analyze the quantum-resistant cryp-
tographic problems based on lattice.
∗These authors contributed equally to this work.
†2010wangzhen@zju.edu.cn
‡ma zhi@163.com
§gllong@tsinghua.edu.cn
[1] J. Preskill, Quantum computing in the NISQ era and beyond,
Quantum 2, 79 (2018).
[2] F. Arute, K. Arya, R. Babbush, D. Bacon, J. C. Bardin,
R. Barends, R. Biswas, S. Boixo, F. G. Brandao, D. A. Buell,
et al., Quantum supremacy using a programmable supercon-
ducting processor, Nature 574, 505 (2019).
[3] M. Cerezo, A. Arrasmith, R. Babbush, S. C. Benjamin, S. Endo,
K. Fujii, J. R. McClean, K. Mitarai, X. Yuan, L. Cincio, et al.,
Variational quantum algorithms, Nat. Rev. Phys. 3, 625 (2021).
[4] A. Peruzzo, J. McClean, P. Shadbolt, M.-H. Yung, X.-Q. Zhou,
P. J. Love, A. Aspuru-Guzik, and J. L. O’brien, A variational
eigenvalue solver on a photonic quantum processor, Nat. Com-
mun. 5, 1 (2014).
[5] E. Farhi, J. Goldstone, and S. Gutmann, A quantum approxi-
mate optimization algorithm, arXiv:1411.4028 (2014).
[6] Z. Wang, S. Wei, G.-L. Long, and L. Hanzo, Variational quan-
tum attacks threaten advanced encryption standard based sym-
metric cryptography, Sci. China Inf. Sci. 65, 1 (2022).
[7] S. McArdle, S. Endo, A. Aspuru-Guzik, S. C. Benjamin, and
X. Yuan, Quantum computational chemistry, Rev. Mod. Phys.
92, 015003 (2020).
[8] S. Wei, H. Li, and G. Long, A full quantum eigensolver for
quantum chemistry simulations, Research 2020 (2020).
[9] J. Biamonte, P. Wittek, N. Pancotti, P. Rebentrost, N. Wiebe,
and S. Lloyd, Quantum machine learning, Nature 549, 195
(2017).
[10] Z. Wang, S. Hadfield, Z. Jiang, and E. G. Rieffel, Quantum
approximate optimization algorithm for Maxcut: A fermionic
view, Phys. Rev. A 97, 022304 (2018).
[11] M. P. Harrigan, K. J. Sung, M. Neeley, K. J. Satzinger, F. Arute,
K. Arya, J. Atalaya, J. C. Bardin, R. Barends, S. Boixo, et al.,
Quantum approximate optimization of non-planar graph prob-
lems on a planar superconducting processor, Nature Physics 17,
332 (2021).
[12] R. L. Rivest, A. Shamir, and L. Adleman, A method for obtain-
ing digital signatures and public-key cryptosystems, Commun.
ACM 21, 120 (1978).
[13] P. Shor, Algorithms for quantum computation: discrete loga-
rithms and factoring, in Proc. 35th Ann. Symp. on Foundations
of Computer Science (1994) pp. 124–134.
[14] C. Gidney and M. Eker˚
a, How to factor 2048 bit RSA inte-
gers in 8 hours using 20 million noisy qubits, Quantum 5, 433
(2021).
[15] E. Gouzien and N. Sangouard, Factoring 2048-bit RSA integers
in 177 days with 13 436 qubits and a multimode memory, Phys.
Rev. Lett. 127, 140503 (2021).
[16] L. M. Vandersypen, M. Steffen, G. Breyta, C. S. Yannoni, M. H.
Sherwood, and I. L. Chuang, Experimental realization of Shor’s
quantum factoring algorithm using nuclear magnetic resonance,
Nature 414, 883 (2001).
[17] T. Monz, D. Nigg, E. A. Martinez, M. F. Brandl, P. Schindler,
R. Rines, S. X. Wang, I. L. Chuang, and R. Blatt, Realization of
a scalable shor algorithm, Science 351, 1068 (2016).
[18] E. Martin-Lopez, A. Laing, T. Lawson, R. Alvarez, X.-Q. Zhou,
and J. L. O’brien, Experimental realization of Shor’s quantum
factoring algorithm using qubit recycling, Nat. Photon. 6, 773
(2012).
[19] E. Farhi, J. Goldstone, S. Gutmann, J. Lapan, A. Lundgren,
and D. Preda, A quantum adiabatic evolution algorithm applied
to random instances of an NP-complete problem, Science 292,
472 (2001).
[20] G. Schaller and R. Sch ¨
utzhold, The role of symmetries in adi-
abatic quantum algorithms, Quantum Info. Comput. 10, 109
(2010).
[21] W. A. Borders, A. Z. Pervaiz, S. Fukami, K. Y. Camsari,
H. Ohno, and S. Datta, Integer factorization using stochastic
magnetic tunnel junctions, Nature 573, 390 (2019).
[22] B. Yan, H. Jiang, M. Gao, Q. Duan, H. Wang, and Z. Ma, Adi-
abatic quantum algorithm for factorization with growing mini-
mum energy gap, Quan. Eng. 3, e59 (2021).
[23] E. Anschuetz, J. Olson, A. Aspuru-Guzik, and Y. Cao, Varia-
tional quantum factoring, in Int. Worksh. on Quantum Technol-
ogy and Optimization Problems (Springer, 2019) pp. 74–85.
[24] K. Xu, T. Xie, Z. Li, X. Xu, M. Wang, X. Ye, F. Kong, J. Geng,
C. Duan, F. Shi, et al., Experimental adiabatic quantum factor-
ization under ambient conditions based on a solid-state single
spin system, Phys. Rev. Lett. 118, 130504 (2017).
[25] S. Jiang, K. A. Britt, A. J. McCaskey, T. S. Humble, and
S. Kais, Quantum annealing for prime factorization, Sci. Rep.
8, 1 (2018).
[26] Z. Li, N. S. Dattani, X. Chen, X. Liu, H. Wang, R. Tanburn,
H. Chen, X. Peng, and J. Du, High-fidelity adiabatic quan-
tum computation using the intrinsic hamiltonian of a spin sys-
tem: Application to the experimental factorization of 291311,
arXiv:1706.08061 (2017).
[27] A. H. Karamlou, W. A. Simon, A. Katabarwa, T. L. Scholten,
B. Peropadre, and Y. Cao, Analyzing the performance of vari-
ational quantum factoring on a superconducting quantum pro-
cessor, npj Quantum Inf. 7, 1 (2021).
[28] M. Mosca and S. R. Verschoor, Factoring semi-primes with
(quantum) SAT-solvers, Sci. Rep. 12, 1 (2022).
[29] C. P. Schnorr, Factoring integers by CVP algorithms, in Number
Theory and Cryptography (Springer, 2013) pp. 73–93.
[30] C. P. Schnorr, Fast factoring integers by SVP algorithms, cor-
rected, Cryptology ePrint Archive (2021).
[31] See supplementary materials.
[32] L. Babai, On lov´
asz’lattice reduction and the nearest lattice
point problem, Combinatorica 6, 1 (1986).
[33] D. Micciancio, The hardness of the closest vector problem with
preprocessing, IEEE Trans. Inf. Theory 47, 1212 (2001).
[34] X. Zhang, W. Jiang, J. Deng, K. Wang, J. Chen, P. Zhang,
W. Ren, H. Dong, S. Xu, Y. Gao, et al., Digital quantum simula-
tion of Floquet symmetry-protected topological phases, Nature
7
607, 468 (2022).
[35] A. K. Lenstra, H. W. Lenstra, and Lov´
asz, Factoring polynomi-
als with rational coefficients, Math. Ann 261, 515 (1982).
[36] M. Ajtai, R. Kumar, and D. Sivakumar, A sieve algorithm for
the shortest lattice vector problem, in STOC ’01 (2001) pp. 601–
610.
[37] C.-P. Schnorr and M. Euchner, Lattice basis reduction: Im-
proved practical algorithms and solving subset sum problems,
Math Program 66, 181 (1994).
[38] U. Fincke and M. Pohst, Improved methods for calculating vec-
tors of short length in a lattice, including a complexity analysis,
Math. Comp 44, 463 (1985).
[39] C.-P. Schnorr and H. H. H¨
orner, Attacking the Chor-Rivest
cryptosystem by improved lattice reduction, in Proc. EURO-
CRYPT ’95 (Springer, 1995) pp. 1–12.
[40] N. Gama, P. Q. Nguyen, and O. Regev, Lattice enumeration
using extreme pruning, in Proc. EUROCRYPT ’10 (Springer,
2010) pp. 257–278.
[41] C. Schnorr, Factoring integers and computing discrete loga-
rithms via diophantine approximation, in Proc. EUROCRYPT
’91 (1991) pp. 281–293.
[42] J. W. S. Cassels, An introduction to the geometry of numbers
(Springer Science & Business Media, 2012).
[43] G. A. Kabatiansky and V. I. Levenshtein, On bounds for pack-
ings on a sphere and in space, Probl. Peredachi Inf. 14, 3 (1978).
[44] S. Xu, Z.-Z. Sun, K. Wang, L. Xiang, Z. Bao, Z. Zhu, F. Shen,
Z. Song, P. Zhang, W. Ren, et al., Digital simulation of non-
Abelian anyons with 68 programmable superconducting qubits,
arXiv:2211.09802 (2022).
[45] Z. Wang, Y. Chen, Z. Song, D. Qin, H. Li, Q. Guo, H. Wang,
C. Song, and Y. Li, Scalable evaluation of quantum-circuit er-
ror loss using clifford sampling, Phys. Rev. Lett. 126, 080501
(2021).
[46] D. C. McKay, C. J. Wood, S. Sheldon, J. M. Chow, and J. M.
Gambetta, Efficient zgates for quantum computing, Phys. Rev.
A96, 022330 (2017).
[47] W. Ren, W. Li, S. Xu, K. Wang, W. Jiang, F. Jin, X. Zhu,
J. Chen, P. Zhang, H. Dong, et al., Experimental quantum ad-
versarial learning with programmable superconducting qubits,
arXiv:2204.01738 (2022).
[48] K. J. Sung, J. Yao, M. P. Harrigan, N. C. Rubin, Z. Jiang, L. Lin,
R. Babbush, and J. R. McClean, Using models to improve opti-
mizers for variational quantum algorithms, Quantum Sci. Tech-
nol. 5, 044008 (2020).
[49] J. C. Lagarias, J. A. Reeds, M. H. Wright, and P. E. Wright,
Convergence properties of the Nelder–Mead simplex method
in low dimensions, SIAM J. Optim. 9, 112 (1998).
[50] C. G. Broyden, The convergence of a class of double-rank min-
imization algorithms 1. general considerations, IMA J Appl
Math 6, 76 (1970).
[51] D. C. Liu and J. Nocedal, On the limited memory BFGS method
for large scale optimization, Math Program 45, 503 (1989).
[52] G. Pagano, A. Bapat, P. Becker, K. S. Collins, A. De, P. W.
Hess, H. B. Kaplan, A. Kyprianidis, W. L. Tan, C. Baldwin,
et al., Quantum approximate optimization of the long-range
Ising model with a trapped-ion quantum simulator, PNAS 117,
25396 (2020).
[53] Y. Takahashi, N. Kunihiro, and K. Ohta, The quantum fourier
transform on a linear nearest neighbor architecture, Quantum
Info. Comput. 7, 383 (2007).
[54] S. A. Kutin, Shor’s algorithm on a nearest-neighbor machine,
arXiv:quant-ph/0609001 (2006).
[55] D. Cheung, D. Maslov, and S. Severini, Translation techniques
between quantum circuit architectures, in Workshop on Quant.
Inf. Proc. (Citeseer, 2007).
[56] Y. Hirata, M. Nakanishi, S. Yamashita, and Y. Nakashima, An
efficient method to convert arbitrary quantum circuits to ones
on a linear nearest neighbor architecture, in ICQNM ’09 (IEEE,
2009) pp. 26–33.
[57] M. Saeedi, R. Wille, and R. Drechsler, Synthesis of quantum
circuits for linear nearest neighbor architectures, Quantum Inf
Process 10, 355 (2011).
[58] R. Wille, O. Keszocze, M. Walter, P. Rohrs, A. Chattopadhyay,
and R. Drechsler, Look-ahead schemes for nearest neighbor op-
timization of 1D and 2D quantum circuits, in ASP-DAC ’16
(IEEE, 2016) pp. 292–297.
[59] A. Farghadan and N. Mohammadzadeh, Quantum circuit phys-
ical design flow for 2D nearest-neighbor architectures, Int. J.
Circ. Theor. Appl. 45, 989 (2017).
Acknowledgements: We thank H.Fan, K.Xu and C.Chen for
helpful discussions. The device was fabricated at the Micro-
Nano Fabrication Center of Zhejiang University. The exper-
iment was performed on the quantum computing platform at
Zhejiang University.
Funding: This research was supported by the National Nat-
ural Science Foundation of China (Grant Nos. U20A2076,
12274367, 12174342, 12005015, 61972413, 61901525,
11974205, 11774197), the Zhejiang Province Key Research
and Development Program (Grant No. 2020C01019), the
Fundamental Research Funds for the Central Universities
(Grant No. 2022QZJH03), the National Key Research and
Development Program of China (2017YFA0303700), the Key
Research and Development Program of Guangdong province
(2018B030325002).
Author contributions: B.Y. proposed the SQIF algorithm
and designed the experiment scheme. Z.T. and C.Z carried
out the experiments and collected results under the supervi-
sion of Z.W.. J.C., X.Z. and F.J. designed the device, and H.L.
fabricated the device supervised by H.W.. S.-J.W., H.W., Q.D.
contributed to the theory and experiment design. H.J., W.W.,
L.L., W.S., Y.H. performed numerical simulations. Y.L., Y.F.,
X.M., Z.S. contributed to the depth analysis. Z.M. and G.-L.L.
initiated and supervised this project. All authors contributed
to the writing of the manuscript.
Competing interests: All authors declare no competing in-
terests.
Data and materials availability: The data presented in the
figures and that support the other findings of this study will be
publically available upon its publication.
8
Supplementary material for “Factoring integers
with sublinear resources on a superconducting
quantum processor”
CONTENTS
References 6
I. Background knowledge about lattice 8
A. Basic concepts 8
B. LLL algorithm 9
C. Babai’s nearest plane algorithm 9
II. Schnorr’s integer factoring algorithm 10
A. Schnorr’s sieve method 10
B. The construction of the lattice and target vector 10
C. Solving the CVP 11
III. The sublinear scheme about lattice dimension 11
A. The history results 11
B. Linear scheme 12
C. Sublinear scheme 12
IV. Preprocessing: the details about the factoring cases 13
A. The construction of the lattice and target vector 13
B. Solving the CVP using Babai’s algorithm 14
C. The problem Hamiltonian 14
D. The energy spectrum and the target state 15
V. Experimental details 17
A. Device parameters 17
B. Benchmarking the experimental gates 17
C. QAOA procedure and the convergence 18
D. 10-qubit case up to p= 3 19
VI. Postprocessing: the smooth relation pairs and linear
equations 20
A. The 3-qubit case 21
B. The 5-qubit case 23
C. The 10-qubit case 25
VII. The exploration of quantum advantage 25
A. The random sample results 26
B. Quantum advantage and lattice precision 26
C. Quantum advantage and lattice dimension 26
VIII. The resource estimation for RSA-2048 27
A. Introduction 27
B. Problem description 27
C. Circuit depth under complete graph topology 28
D. Circuit depth under linear chain topology and
lattice topology 29
E. Resource estimation for RSA-2048 31
I. BACKGROUND KNOWLEDGE ABOUT LATTICE
In recent years, lattices are used as algorithmic tools to
solve a wide variety of problems in computer science, math-
ematics and cryptography, especially in quantum-resistant
cryptography protocols. The following introduces some ba-
sic concepts and well-known algorithms in lattices that are
closely related to our work.
A. Basic concepts
Let k · kbe the Euclidean norm of the vectors in Rm. Vec-
tors will be written in bold and we use row-representation for
matrices. For a matrix M, we usually denote its coefficients
by mi,j . We also use superscript ’T’ to represent the transpose
of matrices or vectors.
•Lattice: Let b1, ..., bn∈Rmbe a group of linearly
independent column vectors, then we call the set gener-
ated by the linear combination of its integer coefficients
a lattice, denoted as
Λ(B) = {Bx|x∈Zn}
={b=x1b1+... +xnbn|x1, ..., xn∈Z},(S1)
where B= [b1, ..., bn]∈Rm×nis called a basis ma-
trix, which could also be used to represent a lattice for
simplicity. {b1, ..., bn}is a group of basis of lattice
Λ(B). The dimension of lattice Λis n. The determi-
nant of Λis det Λ = (det BTB)1/2, here BTis the
transpose of B. For a square matrix B, it is directly
det Λ = det B. The determinant also represents the
volume of the lattice in geometry perspective, denoted
as vol(Λ). The length of the lattice point b∈Rmis
defined as kbk= (bTb)1/2.
•Successive minima: The successive minima of an
n-dimensional lattice Λare the positive quantities
λ1(Λ) ≤λ2(Λ) ≤... ≤λn(Λ), where λk(Λ) is the
smallest radius of a zero-centered ball containing klin-
early independent vectors of Λ. Denote λ1=λ1(Λ) as
the length of the shortest nonzero vector of Λ.
•Hermite’s constant: The Hermite invariant of the lat-
tice Λis defined by
γ(Λ) = λ2
1(Λ)/vol(Λ)2/n =λ2
1(Λ)/det(Λ)2/n.(S2)
Hermite’s constant γnis the maximal value γ(Λ) over
all n-dimensional lattices, or the minimal constant γ
which enables λ1(Λ)2≤γ(det Λ)2/n satisfied for all
n-dimensional lattices equivalently.
•QR-decomposition: The lattice basis matrix Bhas
the unique decomposition B=QR ∈Rm×n, R =
[ri,j ]1≤i,j≤n∈Rn×n,here Q∈Rm×nis isometric
(with pairwise orthogonal column vectors of length 1)
9
and R∈Rn×nis an upper-triangular matrix with posi-
tive diagonal entries ri,i . The Gram-Schmidt (GS) co-
efficients µj,i =ri,j/ri,i can be obtained easily by the
QR-decomposition. For an integer matrix B, the GS
coefficients are usually rational.
•Shortest Vector Problem (SVP): Given a group of ba-
sis Bof a lattice Λ,
Shortest Vector Problem (SVP): Find a vector v∈
Λ, such that kvk=λ1(Λ).
Approximate Shortest Vector Problem (α-SVP):
Find a nonzero vector v∈Λ, such that
kvk ≤ α·λ1(Λ).
Hermite Shortest Vector Problem (r-Hermite
SVP): Find a nonzero vector v∈Λ, such that kvk ≤
r·det(Λ)1/n.
The parameter α≥1in α-SVP is called the approx-
imation factor. Usually, the problem becomes easier
when αgets bigger. When α= 1,α-SVP and SVP
are the same problem. The real value of λ1in α-SVP
is hard to obtain because of the hardness of SVP. Thus
the solution of α-SVP is hard to check in some cases.
The problem r-Hermite SVP is defined by a computable
(ralatively easy to compute) value det(Λ)1/n instead of
λ1to qualify the solution. As a result, we can check the
solution easily but lack a comparison with the shortest
vector.
•Closest Vector Problem (CVP): Given a group of basis
Bof a lattice Λ, and a target vector t∈span(B),
Closest Vector Problem (CVP): Find a vector v∈
Λ, such that the distance kv−tkcould be
minimized, namely kv−tk=dist(Λ,t).
α-Approximate Closest Vector Problem (α-CVP):
Find a vector v∈Λ, such that the distance
kv−tk ≤ α·dist(Λ,t).
r-Approximate Closest Vector Problem (r-
AbsCVP): Find a vector v∈Λ, such that the distance
kv−tk ≤ r.
Here the problem definitions are similar to those in SVP,
the role of parameter α≥1in α-CVP is the same as
α-SVP. In r-AbsCVP, the parameter rcan be any rea-
sonable value which is comparable to dist(Λ,t), such
like det(Λ)1/n in r-Hermite SVP.
B. LLL algorithm
The LLL algorithm is one of the most famous algorithms in
the field of lattice reduction, proposed by A. K. Lenstra, H. W.
Lenstra, Jr., and L. Lovasz in 1982 [35]. For an n-dimensional
lattice, the algorithm can be used to solve the α-SVP with
α= ( 2
√3)nin polynomial time. The related concepts and
algorithms are as follows.
•LLL basis: A basis B=QR is called LLL-reduced or
a LLL basis, given LLL-reduction parameter δ∈(1
4,1],
if it satisfies:
i. |ri,j |/ri,i ≤1
2, for all j > i;
ii. δr2
i,i ≤r2
i,i+1 +r2
i+1,i+1 , for i= 1, .., n −1.
Obviously, LLL basis also satisfies r2
i,i ≤αr2
i+1,i+1,
for α= 1/(δ−1
4).
The parameters considered in the original literature of
the LLL algorithm are δ= 3/4, α = 2. A well-known
result about LLL basis shows that for any δ < 1, LLL
basis can be obtained in polynomial time and that they
nicely approximate the successive minima :
iii. α−i+1 ≤ kbik2λ−2
i≤αn−1, for i= 1, ..., n;
iv. kb1k2≤αn−1
2(det Λ)2/n.
•LLL algorithm: Given a group of basis B=
[b1, ..., bn]∈Zm×n, the algorithm can make it LLL-
reduced or convert it into a LLL basis. The algorithm
consists of three main steps: Gram-Schmidt orthogo-
nalization, reduction, and swap. The specific steps can
be found in Algorithm 1.
Algorithm 1: LLL-reduction algorithm
Input: lattice basis b1, ..., bn∈Zm, parameter δ
Output: δ-LLL-reduced basis
1.Gram-Schmidt orthogonalization
Imply the Gram-Schmidt orthogonalization to basis
b1, ..., bn, denote the results as: ˜
b1, ..., ˜
bn∈Rm.
2.Reduction step
for i from 2 to ndo
for j from i-1 to 1 do
bi←bi−ci,j bj, where ci,j =dhbi,˜
bjih˜
bj,˜
bjic.
end
end
3.Swap step
if ∃is. t. δk˜
bik2>kµi+1,i ˜
bi+˜
bi+1k2then
bi↔bi+1,
go to 1.
end
4.Output b1, ..., bn.
C. Babai’s nearest plane algorithm
Babai’s nearest plane algorithm [32] (Babai’s algorithm
for short) can be used to solve CVP. For an n-dimensional
lattice, the algorithm can obtain an approximation factor of
α= 2( 2
√3)nfor α-CVP. The algorithm consists of two steps,
the first is to reduce the input lattice basis with the LLL algo-
rithm. The second is a size reduction procedure, which mainly
calculates the linear combination of integer coefficients clos-
est to the target vector tunder the LLL basis. This step is
essentially the same as the second step in LLL reduction. The
specific steps of the algorithm can be found in Algorithm 2.
10
Algorithm 2: Babai’s algorithm
Input: lattice basis b1, ..., bn∈Zm, parameter δ= 3/4
and target t∈Zm
Output: a vector x∈Λ(B), such that
kx−tk ≤ 2n
2dist(t,Λ(B))
1. LLL reduction
Apply the LLL reduction on basis Bwith parameter δ.
Denote the results as ˜
b1, ..., ˜
bn∈Rm.
2.Size reduction
b←t
for j from nto 1 do
b←b−cjbj, where cj=dhb,˜
bji/h˜
bj,˜
bjic.
end
3.Output t−b.
II. SCHNORR’S INTEGER FACTORING ALGORITHM
A. Schnorr’s sieve method
Consider a general integer factoring situation in which the
integer to be factored into two non-trivial factors, namely
given N, finding the factors p, q (p<q)such that N=p×q.
The sieve method to factor an integer firstly needs to define
the smooth relation pair. Let pi, i = 1, ..., n be the first n
primes together with p0which satisfy −1 = p0<1< p1<
... < pn< p. The set P={pi}i=0,...,n is called a prime
basis. The p0=−1is not a prime, nevertheless, it is included
to characterize the sign of an integer. An integer is called
pn-smooth if all of its prime factors are less than pn, here
pnis also called the smooth bound. The integer pair (uj, vj)
is called pn-smooth pair, if both ujand vjare pn-smooth.
Further more, a pair of integers (uj, vj)is called pn-smooth
relation pair (abbreviate as sr-pair), if:
uj=
n
Y
i=1
pei,j
i, uj−vjN=
n
Y
i=0
pe0
i,j
i,(S3)
where ei,j , e0
i,j ∈N, then we have
(uj−vjN)/uj≡
n
Y
i=0
pe0
i,j −ei,j
i≡1modN. (S4)
It should be noted that the smooth pair is different with
sr-pair in which the sr-pair not only need to be smooth, but
also to meet more severe conditions in Eq. S3. Let S=
{(uj, vj)}j=1,...,n+1 be a set with n+1 sr-pairs. If there exists
a group of coefficients t1, ..., tn+1 ∈ {0,1}, such that
n+1
X
j=1
tj(e0
i,j −ei,j )≡0mod 2, i = 0,1, ..., n. (S5)
Denote X=Qn
i=0 p
1
2Pn+1
j=1 tj(e0
i,j −ei,j )
i, then we have
X2−1=(X+ 1)(X−1) ≡0modN. (S6)
If X6≡ ±1modN, then we’ll obtain a nontrivial factor of
Nby gcd(X±1, N ).
Since the dimension of the linear equation system is O(n),
and it can be solved within O(n3)operations. We neglect this
minor part of the workload for factoring N. Hence the factor-
ing problem is reduced to the sr-pair problem. This problem
will be transformed into the closest vector problem on a lattice
in the following part.
B. The construction of the lattice and target vector
The sr-pairs will be obtained from the approximate solu-
tion of CVP in Schnorr’s algorithm. We first introduce the
construction of the prime lattice Λ(Bn,c)and the target vector
t∈Rn+1, here c > 0is an adjustable parameter. The matrix
form of the lattice Bn,c = [b1, ..., bn]∈R(n+1)×ncan be
constructed as
Bn,c =
f(1) 0 ... 0
0f(2) ... 0
.
.
..
.
.....
.
.
0 0 ... f (n)
Nclnp1Nclnp2... Nclnpn
,t=
0
.
.
.
0
NclnN
,
(S7)
where the functions f(i)for i= 1, ..., n are the random per-
mutations of diagonal elements (√lnp1,√lnp2, ..., √lnpn).
A lattice point or vector can be represented by
the integer combination of the lattice basis as b=
Pn
i=1 eibi∈Λ(Bn,c), here ei∈Zfor i= 1, ..., n. In the fol-
lowing, we’ll assume (u, v)is pn-smooth and gcd(u, v) = 1.
Then u, v can be represented by the product of primes on the
prime basis, namely:
u=Y
ei>0
piei, v =Y
ei<0
p−ei
i.(S8)
Under this representation, the smooth pair (u, v)corresponds
to the vector b= (e1, ..., en)in the lattice one-to-one, de-
noted as b∼(u, v). Therefore, a vector on a lattice encodes
a smooth pair.
The closest vector problem (CVP) is to find a vector b0∈
Λ(Bn,c)which is closest to the target vector t, mathematically
expressed as
b0=arg min
b∈Λkb−tk.(S9)
According to the above definition, the following relationship
is established
kb−tk2≥ln(uv) + N2c|ln u
vN |2.(S10)
The equation is established if and only if ei∈ {−1,0,1}, that
is, u , v do not contain square factors. The constant N2cacts
11
as a ”weight” which is controlled by adjusting the parameter
c. When N2c>> ln(uv), the body of the equation is N2c|
ln u
vN |2. Hence the quality |ln u
vN |2, or further on, |u−vN |
can be effected by parameter c, which is also called precision
parameter. According to the inequality S10, we can find that
the shorter the length of distance vector b−t, the smaller
|u−vN |could be, hence the higher probability for (u, v)
being an sr-pair. Further discussion about this relationship can
be found in the next part of this Material.
C. Solving the CVP
There are mainly two well-studied approaches to solve
CVP or approximate CVP. One is based on the sieve method
which is firstly proposed by Ajtai et al. in 2001 [36]. The
other is based on Babai’s algorithm, in which a lattice reduc-
tion method such as LLL algorithm is firstly implemented
to obtain a group of relatively short basis, then apply the
size-reduction procedure to get the approximate closest vec-
tor solution. Schnorr adopted the latter approach to solve
CVP. In fact, some superior lattice reduction methods such as
BKZ [37], HKZ, ENUM [37–40] and so on, are involved to
get a better efficiency of the algorithm. However, these meth-
ods are too complicated and need more professional knowl-
edge which is out of the scope of this paper. We adopt the
LLL lattice reduction algorithm when we mention Babai’s al-
gorithm in the following part (and in the main text), which is
simple and relatively easy to understand. Besides the princi-
ple of quantum enhancement of Babai’s algorithm is general
for any of the lattice reduction algorithm.
III. THE SUBLINEAR SCHEME ABOUT LATTICE
DIMENSION
A. The history results
In this section, we discuss the dimension selection of lat-
tices in Schnorr’s algorithm. The dimension nof the lattice
depends on the size of the prime basis, meantime has an im-
portant influence on the efficiency of the algorithm. On the
one hand, the number of smooth relation pairs on the prime
basis will increase greatly when nis large, which is more con-
ducive to obtaining smooth relation pairs. On the other hand,
ncannot be too large, because the time complexity of the lat-
tice reduction process and the linear equations solving proce-
dure is positively correlated with n. Choosing an appropriate
nrequires a balance between the two facts. This issue is not
clearly explained by Schnorr in the original text [29,30,41],
and there are different descriptions or applications in different
places. In Schnorr’s near edition in 2021 [30], when analyzing
specific examples, a sub-linear magnitude of lattice dimension
is used, but the author does not explain the choice of the lattice
dimension scheme. For example, when discussing the factor-
ing of a 400-bit integer, the lattice dimension is 48, which is
close to the sublinear scheme 400/log2400 ∼46. In many
other works, however, the lattice dimension nis usually as-
sumed to be polynomial order of the binary length mof a large
integer N. The specific description is given based on the re-
striction of the smooth bound pn. In Schnorr’s sieve method,
it is usually assumed that the smooth bound pnsatisfies
pn≈(logN)α=mα, α > 0.(S11)
According to the prime number theorem, we have
n≈(logN)α
αloglogN=mα/αlogm. (S12)
When taking α= 1, the dimension is
n=m/logm, (S13)
which is a sublinear scale of the bit length of N. When α > 1,
nis typically polynomial scale of m. Therefore, the specific
value of αdetermines the dimension of the lattice.
The value of αis mainly determined by the mathematical
relationship between the short vector and the smooth relation
pair. Regarding what conditions short vectors satisfy to obtain
smooth relation pairs, Schnorr gives the following lemma:
Lemma 1 If kb−tk2=O(logN)and v≤
Nc−1pn(n/logN)1/2, then most likely |u−vN |=O(pn).
Here cis the precision parameter. The lemma answers that
when the square norm of a short vector is O(logN), then most
likely the sr-pairs can be obtained. Here we set the short vec-
tor length O(logN)as a theoretical bound.
The next important question is whether short vectors sat-
isfying this condition exist, or whether there are enough of
them. Schnorr proved that there will be a large number of
short vectors that satisfy the theoretical bound when α > 2.
Specifically, the size of αis proportional to the size of the
smooth bound according to the Eq. S11. In the sieve method,
the larger the smooth bound pnis, the easier it is to obtain
smooth relation pairs. However, the number of smooth rela-
tion pairs required as whole increases accordingly. Schnorr
pointed out that there will be a large number of short vectors
that can generate smooth relation pairs according to the den-
sity polynomial of smooth numbers when α > (2c−1)/(c−
1) >2[29,30,41], which leads to a polynomial dimension
scheme.
We discuss the relationship between the short vector and the
smooth relation pair based on the former. That is, to discuss
the condition that αor the dimension nof the lattice needs
to satisfy from the perspective of the existence of the short
vector. We first give a linear scheme of the lattice dimension
nunder Minkowski’s first theorem [42]. Under the density
assumption in Schnorr’s algorithm [30], a sublinear dimension
scheme is given.
12
B. Linear scheme
The existence problem refers to whether there is a vector
b∈Λ(Bn,c),such that kb−tk2=O(logN)holds. Here,
we estimate the distance from the target vector tto the lattice
Λby considering the length λ1of the shortest vector on the
extended lattice ¯
Bn,c = [Bn,c,t]. Further, since the determi-
nant of the extended lattice ¯
Bn,c can be obtained, the upper
bound of λ1can be estimated according to Minkowski’s first
theorem, which is described as follows.
Lemma 2 (Minkowski’s first theorem) For any full rank lat-
tice Λwith dimension n,
λ1(Λ)2≤n(detΛ)2/n.(S14)
Minkowski’s first theorem considers the upper bound of the
shortest nonzero vector, i.e., the first successive minimum λ1.
With this bound, we have the following results.
Proposition 1 If the dimension nof the lattice Bn,c satisfies
n=logN, then there exists a vector b∈Λ( ¯
Bn,c),such that
kb−tk2=O(logN).(S15)
Proof Let the length of the shortest vector on the extended
lattice ¯
Bn,c be λ1. Here we use the scale of λ1to estimate
the dist(Bn,c,t)between the lattice and the target vector,
that is, assuming dist(Bn,c,t) = O(λ1). Then according to
Minkowski’s first theorem, we have
λ2
1≤(n+ 1)(det ¯
Bn,c)2/n+1 .(S16)
According to the construction of the lattice, we have
(det ¯
Bn,c)2/n+1 = (
n
Y
i=1
f(i))2/n+1(NclogN)2/n+1 .(S17)
Here we set the diagonal elements belong to the set {1,2}.
And, we choose the diagonal elements as 2in a proportion of
(n+ 1)/3n, to ensure the number of different arrangements is
large enough to generate random lattices. Then, we have
(
n
Y
i=1
f(i))2/(n+1) = (2(n+1)/3)2/(n+1) = 22/3=O(1).
(S18)
Then substitute Eq. S18 and n=logNinto Eq. S17 , we have
(det ¯
Bn,c)2/(n+1) =O(N2c/(n+1) ) = O(2 2cn
n+1 ) = O(1).
(S19)
Hence we have
λ2
1≤nO(1) = O(logN).(S20)
This completes the proof.
It should be point out that the construction of the lattice is
modified in that the diagonal elements are generated from the
set {1,2}, and the number of 2s is about (n+ 1)/3n. This
condition can be further generalized on the condition of
n
Y
i=1
f(i))2/n+1 ∼O(1).(S21)
In Minkowski’s first theorem, a tighter upper bound can be
obtained when we introduce Hermitian constants. Consider
the following relationship
γ=λ2
1(Λ)
(detΛ)2/n .(S22)
Definition 1 Denote γnas the maximum value (upper bound)
that satisfies Eq. S22 in all ndimensional lattices, then γnis
called the Hermitian constant of dimension n.
In fact, γnis also a supremum, that is, for any n > 1, there is
an ndimensional lattice Λsuch that γn=λ2
1(Λ)/(detΛ)2/n
holds. Such lattices are also commonly referred to as being
critical. But calculating the exact γnis usually difficult, which
is also the central problem in the study of Minkowski’s ge-
ometric numbers [42]. Currently, we only know the results
when 1≤n≤8and n= 24. Asymptotically, the tightest
bound [43] known is
λ2
1≤γn(detΛ)2/n ≤1.744n
2eπ (detΛ)2/n.(S23)
By using Eq. S23 to estimate λ1, the same conclusion as
Proposition 1 can be obtained.
C. Sublinear scheme
Since Minkowski’s first theorem gives an upper bound on
the value of the shortest vector, for many random lattices, the
real shortest vector is quite different from this upper bound.
This gap can be measured by the relative density rd(Λ) of
the lattice. The relative density rd(Λ) of the lattice refers to
the ratio between the actual length of the shortest vector λ1
and the upper bound of the shortest vector estimated by the
Hermitian constant. According to Eq. S23, it is obvious that
0< rd(Λ) ≤1, and we specifically defined as
rd(Λ) = λ1
√γn(detΛ)1/n .(S24)
When the relative density is close to 1, it indicates that the op-
timal lattice basis vectors are of the same size, and the lattice
points are dense.
Schnorr has made the following assumption about the rel-
ative density of the lattices used for finding smooth relation
pairs when discussing the efficiency of the algorithm.
Assumption 1 The random lattice Λwith basis B=
[b1, ..., bn]has relative density which satisfies
rd(Λ) ≤(reπ
2n
λ1
kb1k)1/2.(S25)
13
That is, both b1and rd(Λ) are relatively small. Since
λ1/kb1k ≤ 1, according to this assumption, we have
rd(Λ) = λ1
√γn(detΛ)1/n ≤(eπ
2n)1/4.(S26)
Hence we have the following results.
Proposition 2 If the dimension nof the lattice Bn,c satisfies
n= 2clogN/loglogN, and the relative density of the lattice
satisfies Assumption 1, then there exists a vector b∈Λ(Bn,c),
such that:
kb−tk2=O(log N).(S27)
Proof According to Eq. S26, we have
λ12≤(eπ
2n)1/2γn(detΛ)2/n.(S28)
Substituting Eq. S17 and Eq. S18 into the above equation, we
have
λ12≤(eπ
2n)1/2γn(N)2c/n.(S29)
At this time, if we choose n= 2clogN/loglogN, then we have
λ12≤(eπ
2)1/21.744
2eπ p2clogN/loglogNlogN=O(logN).
(S30)
Here, since p2clogN/loglogNis a lower order quantity
compared to logN, it is ignored in the final expression.
This completes the proof.
It is reasonable to ignore this lower order quantity men-
tioned in the proof. Choosing c= 1, for N≈21024 as an
example, we have
(eπ
2)1/21.744
2eπ p2clnN/loglogN≈3.0960 ∼O(1).(S31)
Or for N≈22048 as another example, we have
(eπ
2)1/21.744
2eπ p2clogN/loglogN≈4.1641 ∼O(1).
(S32)
This indicates that under the density assumption in As-
sumption 1, taking the dimension of the lattice nas
2clogN/loglogNis reasonable, and the length (square norm)
of the shortest vector in the lattice can be guaranteed to be
O(logN). That is, a smooth relation pair can be obtained from
the closest vector of the lattice with a high probability, as de-
scribed in Lemma 1.
IV. PREPROCESSING: THE DETAILS ABOUT THE
FACTORING CASES
A. The construction of the lattice and target vector
We’ll take the factorization of N= 48567227 in 5 qubits
as an example to introduce the computational steps before
the quantum part, which include the construction of lattice
and target vector, LLL-reduction and the solution process of
Babai’s nearest plane algorithm. The 3-qubit case and 10-
qubit case will be shown directly. Here we adopt the sublin-
ear lattice dimension scheme. The lattice dimension required
to factorize the integer N= 48567227 is logN/loglogN =
26/5≈5. The prime basis consists of the first five prime
numbers, which is {−1,2,3,5,7,11}.
In order to generate enough random integer lattices, we
roughly adjust the lattice construction in Eq. S7. Firstly, us-
ing di/2cto replace the original diagonal √lnpi, where d c is
the nearest rounding function. Secondly, in order to get dis-
tinct fac-relations, a random permutation function fis used to
perform random permutation on the diagonal elements of the
lattice. In addition, using ”10c” to replace the ’weight’ item
”Nc” in the original lattice. In this way, if cis an integer, it
will be easy to convert the lattice to an integer lattice and the
parameter cwill directly represent the precision. The specific
lattice structure is presented in S33 and S34:
Bn,c =
f(1) 0 ... 0
0f(2) ... 0
.
.
..
.
.....
.
.
0 0 ... f(n)
d10cln2c d10cln3c... d10cln11c
(S33)
tn=
0
.
.
.
0
d10clnNc
.(S34)
Here Bn,c is the matrix form of the lattice with every column
as a basis vector. The subscript represents the dimension n
of the lattice and the precision parameter c. In the 5-qubit
case, the dimension is 5and the precision parameter is 4. The
f(i)elements on the diagonal are random permutations of ele-
ments in {d1/2c, ..., d5/2c} ={1,1,2,2,3}. Thus, the exact
lattice and the target vector corresponding to the sr-pair are
presented in S35 and S36:
B5,4=
20000
01000
00300
00020
00001
6931 10986 16094 19459 23979
(S35)
14
t5=
0
0
0
0
0
176985
.(S36)
Similarly, in the 3-qubit case, the dimension satisfies n= 3
and the precision parameter satisfies c= 1.5. The exact lattice
and the target vector corresponding to the sr-pair are
B3,1.5=
100
010
002
22 35 51
,t3=
0
0
0
240
.(S37)
In the 10-qubit case, the dimension satisfies n= 10 and the
precision parameter satisfies c= 4. The exact lattice and the
target vector corresponding to the sr-pair are presented in S38
and S39:
t10 =(0000000000331993)T.
(S39)
B. Solving the CVP using Babai’s algorithm
The smooth relation pair can be obtained by solving the
CVP on the above lattice. Before using the quantum method,
an approximate optimal solution of the CVP can be obtained
by the classical lattice reduction algorithm (the Babai’s al-
gorithm). Firstly, a LLL-reduction with parameter δ= 3/4
is performed on the lattice basis. The LLL-reduced basis is
D3,1.5(S40), D5,4(S41) and D10,4(S42) for the three factor-
ing cases respectively.
D3,1.5=
1−4−3
−2 1 2
220
3−2 4
(S40)
D5,4=
6−8 2 −4−4
−4−3 11 −5−3
6 6 3 0 −3
4−2 0 12 4
−2 2 −6−2 1
−3 5 −3 4 −17
,(S41)
D10,4=
00300030−3−3
00204−4 0 4 −2 4
−3 0 0 0 0 0 −3 0 0 0
1 2 1 4 −4−2−2 0 −1 0
202−2 0 0 1 −1 0 4
0 0 −3−3 0 0 0 0 −3 3
−3 3 −1 0 1 2 1 2 −2−1
0−2 0 1 2 −1 1 −3 3 −3
0−2−2 0 −2 0 0 0 2 2
2−2 0 −2 0 2 −2 2 0 0
0−2−2 0 1 3 1 −2−2−1
.
(S42)
Secondly, perform the size reduction procedure. This pro-
cess takes the largest basis vector in the LLL basis (the right-
most column of the matrix D5,4) as the starting point, sub-
tracts it from the target vector t5in turn according to the round
function of GS-coefficient values µi, i = 1, ..., 5, until the
shortest basis vector in the LLL basis (the leftmost column)
is subtracted. The distance vector ¯
t5and the approximate
nearest vector bop are obtained at the end of this procedure.
Since the length of the distance vector represents the quality of
the CVP solution, we also referred it the short vector in CVP.
Here, the classical optimal solutions obtained by the Babai’s
algorithm are presented in S43 to S46.
The approximate closest vector is relatively far from the
target vector t5, which is k¯
t5k2= 229. In the three factoring
cases, a vector that is closer (or shorter) than that of Babai’s
algorithm can be obtained by the quantum optimization.
C. The problem Hamiltonian
In the main text, we have introduced the construction of
the problem Hamiltonian by mapping the binary variables
15
B10,4=
3000000000
0200000000
0030000000
0001000000
0000100000
0000030000
0000001000
0000000100
0000000020
0000000002
6931 10986 16094 19459 23979 25649 28332 29444 31355 33673
,(S38)
bop = (2 4 9 8 0 176993)T,¯
t5=bop −t5=2 4 9 8 0 8T
.(S43)
The corresponding results for the 3-qubit case are:
bop = (0 4 4 242)T,¯
t3=bop −t3=0 4 4 2T
.(S44)
The corresponding results for the 10-qubit case are:
bop =(3401232322331993)T,(S45)
¯
t10 =bop −t10 =(34012323220)T.(S46)
xi,{i= 1, ..., n}to the Pauli-Z items, namely
Hc =kt−
n
X
i=1
ˆxidi−bopk2=
n+1
X
j=1 |tj−
n
X
i=1
ˆxidi,j −bj
op |2,
(S47)
We use a single qubit to encode the floating variables xi∈
{−1,0,1}, i = 1,2, . . . , n, according to the intermediate cal-
culation results of Babai’s algorithm. The quantum operator
ˆxiis mapped to the Pauli-Z basis according to the following
rules:
ˆxi=(I−σi
z
2,if ci≤µi
σi
z−I
2,if ci> µi
(S48)
As shown above, if the function is rounding down to the near-
est integer, namely ci≤µi, the coefficient value ciwill be
floated up by 1 or unchanged. In this case, the floating value
xi∈ {0,1}corresponds to the eigenvalues of quantum opera-
tor I−σi
z
2, and vice versa. Therefore, we can use the rounding
information of the coefficient ciin Babai’s algorithm to deter-
mine the encoding of the floating value xi. It is easy to see that
the lower energy state of the Hamiltonian system will result in
an approximate close vector solution in lattice Λaccording
to the correspondence of the problem Hamiltonian and loss
function.
The problem Hamiltonian for the 5-qubit case can be con-
struct as Hc5=P6
j=1 ˆ
hj, where
ˆ
h1= (6ˆx1−8 ˆx2+ 2ˆx3−4ˆx4−4ˆx5+ 2)2
ˆ
h2= (−4ˆx1−3 ˆx2+ 11ˆx3−5ˆx4−3ˆx5+ 4)2
ˆ
h3= (6ˆx1+ 6 ˆx2+ 3ˆx3−0ˆx4−3ˆx5+ 9)2
ˆ
h4= (4ˆx1−2 ˆx2+ 0ˆx3+ 12ˆx4+ 4ˆx5+ 8)2
ˆ
h5= (−2ˆx1+ 2 ˆx2−6ˆx3−2ˆx4+ ˆx5)2
ˆ
h6= (−3ˆx1+ 5 ˆx2−3ˆx3+ 4ˆx4−17ˆx5+ 8)2
(S49)
We can determine the specific encoding process of each vari-
able xi, i = 1, ..., 5according to the intermediate calculation
results of Babai’s algorithm, which is shown in Table S2.
Thus, the 5-qubit Hamiltonian is reduced to Eq. S50. The
qubits encoding information and the problem Hamiltonian
corresponding to the 3-qubit case are presented in Table S3
and Eq. S51. The qubits encoding information and the prob-
lem Hamiltonian corresponding to the 10-qubit case are pre-
sented in Table S4 and Eq. S52.
D. The energy spectrum and the target state
We numerically traverse the energy spectrum of the prob-
lem Hamiltonian. Here we only show the lowest ten energy
16
Hc5=781I−142σ1
z−64σ2
z−81σ3
z−213σ4
z−4.5σ5
z−13.5σ1
zσ2
z+ 3.5σ1
zσ3
z+ 18σ1
zσ4
z+ 17.5σ1
zσ5
z
−29σ2
zσ3
z+ 19.5σ2
zσ4
z−34σ2
zσ5
z−31.5σ3
zσ4
z−2.5σ3
zσ5
z+ 4.5σ4
zσ5
z.(S50)
Hc3=43.5I−4σ1
zσ2
z+ 2.5σ1
zσ3
z−1.5σ1
z+ 3σ2
zσ3
z−3.5σ2
z−4σ3
z.(S51)
TABLE S2. Qubits encoding information for the 5-qubit case. The
subscript ”j” decreases sequentially from left to right.
steps 1 (x5) 2 (x4) 3 (x3) 4 (x2) 5 (x1)
µj-8731.5607 3882.5019 -1837.4760 -354.467 -3092.4957
cj-8732 3883 -1837 -354 -3092
µj−cj0.4393 -0.4981 -0.4760 -0.4669 -0.4957
coding (0,1) (0,-1) (0,-1) (0,-1) (0,-1)
TABLE S3. Qubits encoding information for the 3-qubit case. The
subscript ’j’ decreases sequentially from left to right.
steps 1 (x3) 2 (x2) 3 (x1)
µj33.5812 -20.4974 21.6667
cj34 -20 22
µj−cj-0.4188 -0.4974 -0.3333
coding (0,-1) (0,-1) (0,-1)
levels and the corresponding quantum states, meantime, the
corresponding sr-pairs, if there are. It should be noted that
the smooth bound B2about |u−vN |is different from the
smooth bound B1of (u, v). In the 5-qubit case, we choose
B2=p50 = 229, and the dimension of the corresponding
linear equation system (denote by eq-dim) is 51. The de-
tails for the 3- and 10-qubit case can be found in Table S5.
The dimension of the corresponding linear equation system
is ∼2n2, which is the polynomial scale of n. Hence it is
reasonable to relax the B2bound here. On the one hand, the
dimension of the prime basis (lattice dimension) is low in the
Schnorr’s sieve method, solving the system of linear equa-
tions consumes relatively less computational resources. On
the other hand, the algorithm has higher quality requirements
for short vectors, which increases the overall computational
complexity of the algorithm drastically. Therefore, we can re-
duce the quality requirements of the algorithm for short vec-
tors by appropriately relaxing the smooth bound B2, which
will increase the amount of the linear equation system. How-
ever, with the balance between the amount of calculation the
short vector and solving the linear equation system, the effi-
ciency of the whole algorithm is improved.
In Table S6, the first column represents the first ten lowest
energy levels of the Hamiltonian in Eq. S50, and the second
column represents the energys corresponding to the energy
level. It also represents the square norm value of the short
vector. Columns 3represent the eigenstate of the Hamilto-
nian. The first row represents the ground state, and the cor-
responding energy value is 186. Here we find that the length
of the solution vector corresponding to the ground state is the
shortest, but no sr-pair is obtained. This is because the relation
between the short vector and the sr-pair is probabilistic. The
energy corresponding to the fourth excited state is 215, and the
corresponding |u−vN |= 12097706 = 2 ∗41 ∗43 ∗47 ∗73
is smooth on the B2bound. A set of sr-pair is obtained from
the state (00111). Meanwhile, the square norm of the solu-
tion vector corresponding to the seventh excited state (00000)
is 229, which is the optimal solution obtained by the Babai al-
gorithm. Hence we can see that the quantum method leads to
shorter vectors and obtains an sr-pair for factoring. Therefore,
the quantum state (00111) is the target state required in the
following.
Making a relatively low energy state as a target state is a
good idea since QAOA is often challenging to iterate to the
lowest energy state. When the energy of the quantum state
prepared by the QAOA circuit is low enough, the quantum
states of low energy levels will prevail. Therefore, even if the
target state is not the ground state, there will be a consider-
able probability of being measurable. This is verified by the
experiments results in the next part.
Likewise, we give the first four low-energy eigenstates for
the 3-qubit case. In Table S7, we find that sr-pairs can be
obtained from the first three low-energy states including the
ground state. Here the second excited state (000) corresponds
to the optimal solution obtained by the Babai’s algorithm. Al-
though the solution itself can obtain an sr-pair, after quan-
tum optimization, shorter vectors are obtained with the square
norms of 33 and 35 respectively. And new sr-pairs can also
be obtained. We set the target state in the 3-qubit case as the
ground state (001) which will be prepared in the experiments.
For the 10-qubit case, the details are shown in Table S8. The
ground state (0100010010) would lead to an sr-pair, which
makes it a target state in the 10-qubit case.
17
TABLE S4. Qubits encoding information for the 10-qubit case. The subscript ’j’ decreases sequentially from left to right.
steps 1 (x10) 2 (x9) 3 (x8) 4 (x7) 5 (x6) 6 (x5) 7 (x4) 8 (x3) 9 (x2) 10 (x1)
µj21514.149 -45688.541 -29225.45 -5953.325 29891.446 23868.721 42395.337 -18221.276 -29823.805 5952.889
cj21514 -45689 -29225 -5953 29891 23869 42395 -18221 -29824 5953
µj−cj0.149 0.459 -0.45 -0.325 0.446 -0.279 0.337 -0.276 0.195 -0.111
coding (0,1) (0,1) (0,-1) (0,-1) (0,1) (0, -1) (0,1) (0,-1) (0,1) (0,-1)
Hc10 = (708I+ 22σ1
zσ2
z+ 16σ1
zσ3
z+ 8σ1
zσ4
z−14σ1
zσ5
z+ 8σ1
zσ6
z+ 4σ1
zσ7
z−8σ1
zσ8
z−10σ1
zσ9
z−22σ1
zσ10
z−46σ1
z−14σ2
zσ3
z
+ 20σ2
zσ4
z+ 14σ2
zσ5
z−12σ2
zσ6
z+ 2σ2
zσ7
z−24σ2
zσ8
z−28σ2
zσ9
z+ 2σ2
zσ10
z−16σ2
z−18σ3
zσ4
z+ 10σ3
zσ5
z+ 36σ3
zσ6
z+ 12σ3
zσ7
z
+ 16σ3
zσ8
z+ 6σ3
zσ9
z−30σ3
zσ10
z−78σ3
z+ 28σ4
zσ5
z−26σ4
zσ6
z+ 10σ4
zσ7
z+ 10σ4
zσ8
z+ 16σ4
zσ9
z−4σ4
zσ10
z−72σ4
z+ 10σ5
zσ6
z
+ 24σ5
zσ7
z+ 20σ5
zσ8
z+ 12σ5
zσ9
z−8σ5
zσ10
z−116σ5
z−8σ6
zσ7
z+ 22σ6
zσ8
z−6σ6
zσ9
z−36σ6
zσ10
z−12σ6
z−16σ7
zσ8
z+ 16σ7
zσ9
z
+ 20σ7
zσ10
z−84σ7
z+ 34σ8
zσ9
z−42σ8
zσ10
z−36σ8
z+ 18σ9
zσ10
z−74σ9
z−24σ10
z)/4.
(S52)
TABLE S5. Two smooth bounds for the three factoring cases.
case B1-dim B1 B2-dim B2 eq-dim
3-qubit 3 5 15 47 16
5-qubit 5 11 50 229 51
10-qubit 10 29 200 1223 201
V. EXPERIMENTAL DETAILS
A. Device parameters
We perform our experiment on a flip-chip superconduct-
ing quantum processor [44] with 10 qubits (Q1∼Q10) and
9 couplers (C1∼C9) alternately arranged in a chain topol-
ogy (Fig. 2A). All qubits and couplers are of transmon type,
and their frequencies can be tuned independently by applying
slow flux pulses (up to hundreds of microseconds in length)
or fast Z flux pulses (up to tens of microseconds in length) on
their corresponding control lines. The maximum frequencies
of the qubits (couplers) are around 4.7 GHz (9.0 GHz) with
nonlinearities around -210 MHz (-150 MHz). The coupling
strength between each pair of neighboring qubits can be tuned
from nearly off to -10 MHz by modulating the frequency of
the coupler between them. Control lines for all qubits can
also be used to apply microwave pulses to implement single-
qubit gates. The energy relaxation times, dephasing times,
gate fidelities and other relevant parameters are summarized
in Table S9.
TABLE S6. The first ten lowest energy levels and the corresponding
quantum states. The fourth excited state generates a smooth relation
pair, and its corresponding value |u−vN |= 12097706 = 2 ∗41 ∗
43 ∗47 ∗73 is smooth on the B2bound, which made it a target state
required for the 5-qubit case.
level energy state u v |u−vN |smooth
0 186 0 0 1 1 0 21435888100 441 89*199337 no
1 189 0 1 1 1 0 340139712 7 53*3191 no
2 193 1 1 1 0 0 1215290846 25 3*370057 no
3 198 1 0 0 0 1 776562633 16 512999 no
4 215 0 0 1 1 1 11789738455 243 2*41*43*47*73 yes
5 218 1 1 0 0 0 243045684 5 209549 no
6 222 1 1 1 1 0 4.16714E+11 8575 249693139 no
7 229 0 0 0 0 0 48620250 1 17*3119 no
8 230 1 0 0 0 0 194500845 4 41*5657 no
9 232 1 0 1 1 1 2.85312E+11 5880 37*7124977 no
B. Benchmarking the experimental gates
We initialize all qubits in the ground states via a reset pro-
cedure. More specifically, we first tune one of the qubit’s
adjacent couplers into resonance with the qubit for several
nanoseconds, which swaps the excitation into the coupler. We
then tune this coupler to its maximum frequency, where it has
a very short T1, so that the excitation decays quickly. We
repeat the above steps several times until the qubit is thor-
oughly initialized to the ground state. Then we implement the
experimental circuits (Fig. 2D). Note that for some long idle
18
TABLE S7. The first four lowest energy levels and the correspond-
ing quantum states for the 3-qubit case.
levels energy state u v |u−vN |smooth
0 33 0 0 1 1800 1 7*23 yes
1 35 1 1 0 1944 1 17 yes
2 36 0 0 0 2025 1 26yes
3 42 1 0 0 3645 2 277 no
positions, we insert double Rx(π)gates to protect the qubit
from dephasing. After measuring the raw probabilities of all
bitstrings, a readout correction is performed to eliminate the
readout errors [45].
The experimental circuit consists of Rx(θ), Ry(θ), Rz(θ)
(rotations around x-, y- and z-axis by θ), Hadamard and
CZ gates. Rx(θ), Ry(θ) gates are implemented by 30-ns-
long microwave pulses with controlled phases and ampli-
tudes. Rz(θ) gates are implemented by virtual Z gates that
could be considered ideal gates that take zero time sim-
ply by changing the phases of all subsequent microwave
pulses [46]. Hadamard gates are implemented by the com-
position of Rz(π) gates followed byRy(π/2) gates, written as
H=Ry(π/2)Rz(π). CZ gates are realized by applying a
well-designed flux pulses on the neighboring qubits and their
shared coupler, and detailed procedures for the individual im-
plementation of them on neighboring qubits were described
in our previous study [34,47]. If possible, consecutive single-
qubit gates are combined to one gate in order to reduce the
total circuit depth.
Here we discuss the case of optimizing the gate fidelities
when executing the CZ gates in parallel, which is similar
to the individual implementation except for optimizing the
pulse parameters for the couplers. As requested by the exper-
imental circuit, we divide the nine couplers into two groups,
{C1, C3, C5, C7, C9}for group A and {C2, C4, C6, C8}for
group B. We apply sine-decorated rectangular flux pulses of
the form A(t) = zCj·h1−rCj+rCjsin πt
tgate ito all cou-
plers in group A or B simultaneously. Here zCjis the maxi-
mum flux amplitude applied on Cj,rCjis a modulated param-
eter fixed around 0.1 and tgate is 50 ns. Note that 5-ns spacings
are applied before and after this flux pulse. To optimize zCj,
we prepare Qj,Qj+1 in the state of |11iand apply m cycles
of CZ pulses with m∈ {1,3,5}. Then we directly measure
the |2i-state leakage of the qubit that has a higher resonant
frequency in a pair, and minimize the leakage populations for
all pairs simultaneously by fine-tuning all zCis.
We adopt the cross entropy benchmarking (XEB) [2] to
evaluate the performance of our quantum gates. The Pauli
errors for simultaneous single-qubit gates average to 0.09%.
The Pauli errors for CZ gates in group A and B average to
0.69%and 0.60%, respectively. Note that the structure of the
experimental circuit is different from the standard benchmark-
ing circuits. As such, we take alternative quantum circuits to
further verify the performance of our CZ gates, which have
structures similar to the circuits for our algorithm (Fig. S1).
Figure S1Cdepicts the XEB fidelity as a function of cir-
cuit depth (number of cycles), showing a cycle error around
3.45%, based on which we estimate an average CZ gate error
of 0.55%.
C. QAOA procedure and the convergence
QAOA can find the approximate ground state of the Hamil-
tonian system by updating the parameters. For the p-layer
QAOA, 2pvariational parameters γ= (γ1, ..., γp), β =
(β1, ..., βp)are involved. The main job for the quantum pro-
cessor is to repeatedly prepare the following parameterized
wave function
|γ, β i=e−iβpHbe−iγpHc...e−iβ1Hbe−iγ1Hc|+in,(S53)
where Hb=Pn
j=1 σj
xis the mixing Hamiltonian. This state
can be prepared by applying the unitaries U(Hc, γ) = e−iγ Hc
and U(Hb, β) = e−iβ Hbalternately with different parameters
in the uniform superposition state |+in. A classical optimizer
is used to find the optimal parameters (γ∗, β∗)that minimize
the expected energy value of the problem Hamiltonian:
E(γ, β ) = hγ, β|Hc|γ , βi.(S54)
This energy function can be calculated by repeatedly
preparing the wave function |γ, βiin the quantum register and
measuring it on the computational basis. Finally, the quantum
state |γ∗, β∗icorresponding to the approximate solution is ob-
tained. The algorithm is shown graphically in Fig. 2C.
Here we briefly introduce the classical optimizer adopt in
QAOA during the parameter optimization procedure. The op-
timizer is called model gradient descent(MGD) method [48].
In fact, there are a lot of other classical optimization algo-
rithms can be considered for the optimizer, like Nelder-Mead
simplex method [49], quasi-Newton method [50,51]. The
performance of these methods often varies depending on the
problem. Model gradient descent has been shown both numer-
ically and experimentally perform well on some variational
quantum ansatz [11,48]. The core idea of MGD is using
model to estimate the gradient of the objective function, which
is a continuous surface or hypersurface. To estimate the gradi-
ent of a given point in the surface, several points in the vicinity
are randomly chosen and their objective function values need
to be evaluated. Then a quadratic model is fit to the surface
of these points in the vicinity using least-squares regression.
The gradient of this quadratic model is then used as a surro-
gate for the true gradient, and the algorithm descends in the
corresponding direction. The pseudocode is given in Algo-
rithm 3.
In our experiment, the MGD method performs well for the
three factoring cases. It can converge to the local or global
optimum within 10 steps from randomly chosen initial points.
19
TABLE S8. The first ten lowest energy levels and the corresponding quantum states for the 10-qubit case. The ground state (0100010010)
generates a smooth relation pair, and its corresponding value |u−vN |= 2 ∗31 ∗97 ∗109 ∗163 ∗433 is smooth on the B2bound, which
made it a target state required for 10-qubit case.
level energy state u v |u−vN |smooth
0 51 0 1 0 0 0 1 0 0 1 0 785989264048241 3 2∗31 ∗97 ∗109 ∗163 ∗433 yes
1 57 0 1 0 0 0 0 0 0 1 0 261933899831373 1 23∗29 ∗203014633 no
2 60 0 0 0 0 0 0 0 0 0 0 262049748526566 1 47 ∗139 ∗10523389 no
3 60 0 0 0 1 0 1 0 0 0 0 262123789565918 1 3803 ∗37546763 no
4 61 0 1 0 0 0 0 1 1 0 0 262027921960805 1 24∗457 ∗2243 ∗2861 no
5 65 0 1 0 0 0 0 0 1 0 0 7599879238585630 29 32∗211 ∗1531 ∗835897 no
6 66 0 0 0 0 0 0 1 1 0 0 4455399847833940 17 2∗3∗24407 ∗11764801 no
7 68 0 0 0 0 0 0 0 0 1 0 261988302332823 1 2∗7∗22717 ∗22963 no
8 70 0 0 0 0 0 0 1 0 0 0 262012871275155 1 2∗1693 ∗9412891 no
9 70 0 0 0 0 1 0 0 0 0 0 262002304109546 1 21304883317 no
TABLE S9. Device parameters. ω0
jis the idle frequency of Qjwhere the qubit is initialized. ηjis the nonlinearity of Qj.T1,j and T2,j are
the energy relaxation time and Ramsey dephasing time of Qjat idle frequency, respectively. F0,j and F1,j are the measure fidelities of Qj
prepared in |0iand |1irespectively. eS
jis the simultaneous single-qubit gate Pauli error of Qj.eCZ
j,A(B)is the simultaneous CZ-gate Pauli error
of Qjand Qj+1 in group A (B). (ωA(B)
j, ωA(B)
j+1 )are the estimated qubit frequencies of Qjand Qj+1 in group A (B) when we perform CZ
gates.
Qubit Q1Q2Q3Q4Q5Q6Q7Q8Q9Q10 mean
ω0
j/2π(GHz) 4.420 4.500 4.553 4.460 4.370 4.600 4.430 4.515 4.445 4.570 4.486
ηj/2π(MHz) -213 -209 -208 209 -211 -211 -209 -210 -211 -210 -210
T1,j (µs) 91.4 83.3 113.6 131.1 111.6 99.5 116.0 108.2 123.3 115.1 109.3
T2,j (µs) 5.3 7.0 5.7 7.2 4.3 6.2 4.9 5.8 8.2 6.9 6.2
F0,j (µs) 0.982 0.984 0.976 0.991 0.972 0.990 0.981 0.978 0.974 0.978 0.981
F1,j (µs) 0.949 0.967 0.942 0.957 0.951 0.958 0.960 0.958 0.927 0.923 0.949
eS
j(%) 0.11 0.07 0.09 0.09 0.15 0.12 0.06 0.07 0.08 0.09 0.09
(ωA
j, ωA
j+1)/2π(GHz) 4.315, 4.520 4.666, 4.460 4.600, 4.392 4.335, 4.540 4.570, 4.364 -
eCZ
j,A (%) 0.65 0.72 0.65 0.67 0.76 0.69
(ωB
j, ωB
j+1)/2π(GHz) - 4.348, 4.553 4.510, 4.304 4.609, 4.400 4.532, 4.325 - -
eCZ
j,B (%) - 0.54 0.70 0.58 0.57 - 0.60
Meantime, the experimental convergence results are compa-
rable to the theoretical results at the current scale. The details
about the convergence traces can be found in Fig. S2.
D. 10-qubit case up to p= 3
Here we present the whole statistical histogram for the 1024
states in the experiment of 10-qubit factoring case. We also
present the noiseless simulation results and 0.01-noise simu-
lation results for comparison. For the noisy simulation, we
randomly implement a group of single qubit Pauli gates in
[X, Y, Z, I], and two-qubit Pauli gates in [X, Y, Z, I]⊗2after
20
. . .
. . .
. . .
. . .
. . .
. . .
. . .
. . .
Q1
Q2
Q3
Q4
Q
2k-1
Q
2k
Q
2k+1
. . .
. . .
B
. . .
. . .
. . .
. . .
. . .
. . .
. . .
Q1
Q2
Q3
Q4
Q
2k-2
Q
2k-1
Q
2k
. . .
. . .
. . .
. . .
A
=
20
m - number of cycles
40 60 80
0.0
0.2
0.4
0.6
0.8
1.0
Fidelity
XEB fidelities
Fitt
10-qubit circuit XEB
C
FIG. S1. Alternative quantum circuits used to benchmark the CZ gates, for even (A) and odd (B) number of qubits. Green squares
represent randomly chosen half-πrotations around 8 axes, where θis the angle between the rotation axis and x-axis. Yellow squares represent
gates randomly chosen from SU(2). C, XEB fidelity as a function of numbers of gate cycles for the 10-qubit case. The cycle error is fitted to
be around 3.45%, where each cycle contains a layer of 11 single-qubit gates followed by a layer of 4.5 CZ gates on average.
1
2
3
4
5
6
Steps
0
0.3
0.6
0.9
E
*
qub3-experiment
qub3-theory
qub5-experiment
qub5-theory
qub10-experiment
qub10-theory
FIG. S2. Details about the convergence paths for the three factoring
cases. The squares, circles and triangles represent for the 3, 5 and
10 qubits cases respectively. The solid (hollow) symbols represent
the experiment (theory) results. The vertical coordinates represent
the normalized energy function value E∗while the horizontal coor-
dinates represent the computational iteration steps.
every operation in the quantum circuit with error rates of 0.2%
and 1%, respectively. As shown in Fig. S3A, the histogram re-
sults are obtained by excuting the QAOA circuit 30000 times
repeatedly. The states are sorted by the probability of the
noiseless simulation results which can be take as theory re-
sults. The target state is pointed out with an arrow which can
be found in the far left of the histogram. The experimental
results for p= 2 and p= 3 are also given, see Fig. S3B, C.
The performance of QAOA will be improved by increas-
ing the depth of hyperparameter pin theory. However, the
errors are accumulated during the increasing of circuit depth
and the bonus of the computation can be counteracted. The
best performance of QAOA should make balance of the com-
putation bonus and the effects of noise. As can be found in
Fig. S3, the relative ratio of the target state is more significant
than the other states as pgrows. However, the absolute ratio
is reduced. Meanwhile, it is still significantly higher than the
results of random guess when p= 3.
VI. POSTPROCESSING: THE SMOOTH RELATION
PAIRS AND LINEAR EQUATIONS
Attached here are other smooth relation pairs obtained
in the examples of factoring integers 1961, 48567227 and
261980999226229, as shown in the following lists. The first
column is the sequence number of the sr-pair, and |u−vN |is
presented in terms of the corresponded prime basis. In the 3-
qubit case, we give 20 independent smooth relation pairs, and
the corresponding Boolean matrix is combined by 20 vectors
of 16 dimension. Hence there must be a group of linearly de-
pendent vectors, that is, the linear equation system has at least
one group of solution.
21
0
100
200
300
400
500
600
700
800
900
1000
States
1
0.5
0
0.5
1
1.5
2
Probability (10
-2
)
A
Theory
Experiment
Noisy
Random guess
B
0
100
200
300
400
500
600
700
800
900
1000
States
0.5
0
0.5
1
1.5
2
2.5
3
Probability (10
-2
)
Theory
Experiment
Noisy
Random guess
10-qubit, p=1
Target state
0
100
200
300
400
500
600
700
800
900
1000
States
0.5
0
0.5
1
1.5
2
2.5
3
3.5
Probability (10
-2
)
Theory
Experiment
Noisy
Random guess
C
10-qubit, p=3
Target state
5
10
15
20
25
States
1
0
1
2
Probability (10
-2
)
10-qubit, p=2
5
10
15
20
25
States
0
1
2
3
Probability (10
-2
)
Target state
5
10
15
20
25
States
0
1
2
3
Probability (10
-2
)
FIG. S3. Whole statistical histogram for the 1024 states in the experiment of 10-qubit factoring case, Afor p= 1 case, B, C for p= 2 and
p= 3 cases respectively. The states are sorted by the probability of the noiseless simulation results and the target state can be found in the far
left of the histogram. The horizontal red lines represent the results of random guess. The inner plot gives the amplified details of the highlight
zone.
A. The 3-qubit case
Table S10 shows a list of Boolean vectors corresponding to
the exponents of the prime basis consist of u/(u−vN ). We
can see that the fourth vector is an all-zero vector, which is it-
self a linear correlation vector. The 10-th vector and the 17-th
vector, the 5-th vector and the 16-th vector, are two groups of
22
Th e sm oo th r e l a t i o n p a i r s f o r t h e 3 q u b i t s f a c t o r i n g c as e :
sn u v |u−vN |
1 2 ˆ 3 *3 ˆ 5 1 1 7
2 2 ˆ 4 *5 ˆ 3 1 3 *13
3 2 ˆ 7 *3*5 1 41
4 3 ˆ 4 *5 ˆ 2 1 2 ˆ 6
5 3 *5 ˆ 4 1 2 *43
6 2 ˆ 3 *3 ˆ 2 *5 ˆ 2 1 7 *23
7 2 *3ˆ2 *5 ˆ 3 1 1 7 ˆ 2
8 2 ˆ 2 *3 ˆ 4 *5 1 11 *31
9 2 ˆ 6 *5 ˆ 2 1 1 9 ˆ 2
10 2 ˆ 2 *5 ˆ 4 1 7ˆ 2 *11
11 2 *3ˆ3 *5 ˆ 2 1 13 *47
12 2 ˆ 4 *3 ˆ 4 1 5 *7*19
13 3 ˆ 2 *5 ˆ 3 1 2ˆ 2 *1 1 *1 9
14 2 ˆ 3 *5 ˆ 3 1 31 ˆ 2
15 2 ˆ 2 *3 ˆ 5 1 2 3 *43
16 2 ˆ 5 *5 ˆ 2 1 3ˆ 3 *43
17 2 ˆ 4 *3 ˆ 6 5 1 1 *13 ˆ 2
18 2 ˆ 4 *3 ˆ 5 1 4 1 *47
19 3 ˆ 5 *5 ˆ 2 1 2 *1 1ˆ2 *1 7
20 3 *5 ˆ 5 2 7 *1 9 *4 1
linearly dependent vectors. Other linearly dependent vectors
need to be obtained by solving linear equations. Here each
group of linear correlations will correspond to a quadratic con-
gruence equation of the form X2≡Y2mod N. There is a
high probability that the factorization of the integer Nwill
be obtained by this equation. Below we will give the details
about factorization of N= 1961 in combination with the spe-
cific smooth relation pairs.
According to the above discussion, from the above smooth
relation pairs we can find the solutions of linear equations,
such as
• Eg.1: The 4th pair, where u= 34∗52, v = 1,|u−
vN |= 26, which made a quadratic congruence: (9 ∗
5)2−82=N. Then we have: p=gcd(45 + 8, N ) =
53, q =gcd(45 −8, N) = 37.
• Eg.2: The 9th pair, where u= 26∗52, v = 1,|u−
vN |= (19)2,(8 ∗5)2+ 192=N, then according the
factoring method of Gauss, it’ll lead to a pair of factors.
Let
p=x2+y2, q =a2+b2.(S55)
Then, we have
(|ax −by |= 40,
|bx +ay |= 19,or (|ax −by |= 19,
|bx +ay |= 40.(S56)
Solving the above equations, we have a= 1, b = 6, x =
2, y = 7. Substitute the result into Eq. S55, we have
p= 53, q = 37. Or a= 2, b = 7, x = 6, y =−1, we
have p= 37, q = 53.
• Eg.3: The combination of the 10-th and 17-th pair, we
have
(2 ∗52∗22∗33)2≡(7 ∗11 ∗13)2mod 1961.(S57)
Then we have
p=gcd(5400 + 1001,1961) = 37,(S58)
q=gcd(5400 −1001,1961) = 53.(S59)
• Eg.4: The combination of the 5-th and 16-th pair, we
have
25∗52∗3∗54≡2∗43 ∗33∗43 mod 1961,(S60)
namely
(22∗53)2≡(43 ∗3)2mod 1961.(S61)
Hence we have
p=gcd(500 + 129,1961) = 37,(S62)
q=gcd(500 −129,1961) = 53.(S63)
In addition, prime factors can also be obtained from the solu-
tion of linear equations of other relationships, which will not
be listed here.
23
Algorithm 3: Model Gradient Descent
Input: Initial point x0, learning rate γ, sample radius δ,
sample number k, rate decay exponent α, stability
constant A, sample radius decay exponent ξ,
tolerance , maximum evaluations n
1Initialize a list L.
2Let x←x0.
3Let m←0.
4while (#function evaluations so far)+ kdoes not exceed ndo
5Add the tuple (x, f (x)) to the list L.
6Let δ0←δ/(m+ 1)ξ.
7Sample kpoints uniformly at random from the
δ0-neighborhood of x. Call the resulting set S.
8for each x0in Sdo
9Add(x0, f (x0)) to L.
10 end
11 Initialize a list L0.
12 for each tuple (x0, y0)in Ldo
13 if |x0−x|< δ0then
14 Add (x0, y0)to L0.
15 end
16 end
17 Fit a quadratic model to the points in L0using least
squares linear regression with polynomial features.
18 Let gbe the gradient of the quadratic model evaluated at
x.
19 Let γ0=γ/(m+ 1 + A)α.
20 if γ0· | g|< then
21 return x
22 end
23 Let x←x−γ0·g.
24 Let m←m+ 1.
25 end
26 return x.
B. The 5-qubit case
In the 5-qubit case, we present 55 independent smooth re-
lation pairs in the following list. The corresponding Boolean
matrix containing 55 vectors of 51 dimension (50 dimension
for the prime basis plus 1 dimension sign basis). Similarly,
there must be a group of linearly dependent vectors.
Due to the large dimension of the vectors corresponding to
the 5-qubit case, we just present a set of solution for the linear
equation system:
x=(0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,1,0,0,
1,1,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,1,1,0,0,0,0,0).
(S65)
The corresponding solution for the quadratic conjugation is
X= 639232456435359657331994419097900390625,
Y= 12136572734325633629343926054845304.
(S66)
TABLE S10. Boolean exponential vectors corresponding to smooth
relation pairs. The first column represents the sequence number of
the smooth relation pair (u, v). The second column is the sign basis,
which represents the positive or negative of u/(u−vN ). Columns
3 to 17 represent the Boolean exponents on the first 15 prime basis,
respectively.
sn sign p1p2p3p4p5p6p7p8p9p10 p11 p12 p13 p14 p15
1 1 1 1 0 0 0 0 1 0 0 0 0 0 0 0 0
2 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0
3 1 1 1 0 0 0 0 0 0 0 0 0 0 1 0 0
4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
5 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 0
6 1 1 0 0 1 0 0 0 0 1 0 0 0 0 0 0
7 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
8 1 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0
9 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
10 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0
11 1 1 1 0 0 0 1 0 0 0 0 0 0 0 0 1
12 1 0 0 1 1 0 0 0 1 0 0 0 0 0 0 0
13 1 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0
14 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
15 1 0 1 0 0 0 0 0 0 1 0 0 0 0 1 0
16 1 1 1 0 0 0 0 0 0 0 0 0 0 0 1 0
17 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0
18 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 1
19 0 1 1 0 0 0 0 1 0 0 0 0 0 0 0 0
20 0 0 1 0 1 0 0 0 1 0 0 0 0 1 0 0
It is easy to verify that the solution satisfies the equation:
X2≡Y2mod N(S67)
Furthermore, we have
p=gcd(X+Y, N )
= (639232456435359657331994419097900390625+
12136572734325633629343926054845304,48567227)
= 7919,
q=gcd(X−Y, N )
= (639232456435359657331994419097900390625−
12136572734325633629343926054845304,48567227)
= 6133.
(S68)
Finally, we obtain the factorization result: N=
24
Th e sm oo th r e l a t i o n p a i r s f o r t h e 5 q u b i t s f a c t o r i n g c as e :
sn u v |u− vN |
1 5 ˆ 6 *7*1 1 ˆ 3 3 2 ˆ 2 *1 7 *2 3 *79
2 5 ˆ1 1 1 2 *3*11 *5 9 *67
3 3 ˆ 3 *5*7ˆ2 *11 ˆ 4 2 31 *53 *173
4 5 *1 1 ˆ 7 2 3 ˆ 4 *6 1 ˆ2
5 3 ˆ 2 *5 ˆ 6 *7ˆ3 1 2ˆ2 *13 *37 *173
6 2 *3*5ˆ3 *7 ˆ 2 *1 1 ˆ3 1 37 *8 3 *113
7 3 ˆ 6 *5 ˆ 3 *7ˆ2 *1 1 1 2 ˆ 2 *2 3 *47 *127
8 2 *3*7 ˆ 9 5 1 3 *1 7 *5 3 *61
9 3 ˆ 3 *1 1 ˆ 6 1 2 ˆ 3 *5*17 *23 *47
10 3 ˆ 2 *5 ˆ 9 *11 4 53 *131ˆ2
11 2 ˆ 3 *3 ˆ 4 *5*11 ˆ4 1 37 *137 *223
12 2 ˆ 4 *5 ˆ 2 *7 ˆ 6 1 1 1 *2 3 *5 9 *101
13 3 ˆ 2 *5 ˆ 3 *7ˆ3 *11 ˆ 2 1 2 ˆ 7 *107 *137
14 2 ˆ 4 *3 ˆ 7 *11 ˆ 3 1 5 ˆ 3 *107 *149
15 2 ˆ 7 *3*5*7 ˆ 4 *11 1 13 *3 7 *61 *73
16 2 ˆ 8 *5 ˆ 7 *7 3 1 7ˆ 2 *109 *181
17 2 ˆ 7 *3 ˆ 7 *7*11 ˆ2 5 17 *19 *113 *157
18 2 *3*5ˆ4 *11 ˆ 4 1 23 *4 3 ˆ2 *149
19 7 ˆ 3 *1 1 ˆ 5 1 2 *3ˆ6 *2 3 *199
20 2 ˆ 7 *5*7ˆ2 *1 1 ˆ 3 1 3 ˆ 2 *13 *23 *43 *59
21 5 ˆ 7 *1 1 ˆ 3 2 3 *1 3 *37 *47 *101
22 2 ˆ 2 *5 ˆ 3 *7 ˆ 6 1 3 ˆ 5 *13 *17 *191
23 2 ˆ 6 *3 ˆ 5 *7 ˆ 4 1 5 ˆ 4 *11 *23 *7 1
24 3 ˆ 7 *5 ˆ 2 *7 ˆ 3 *11 4 17 *61 *67 *173
25 5 *11 ˆ 9 2 43 2 *41 *4 3 *47 *73
26 5 *7*1 1 ˆ 6 1 2 ˆ 5 *3*19 *53 *139
27 2 ˆ 2 *3 ˆ 8 *7 ˆ 4 1 1 1 ˆ 2 *19 *6 1 *103
28 2 ˆ 2 *3*5ˆ8 *7 1 31 *43 *5 3 *223
29 2 ˆ 6 *5 ˆ 2 *7*11 ˆ4 3 13 ˆ 2 *37ˆ 2 *7 9
30 2 ˆ 4 *1 1 ˆ 6 1 7 ˆ 3 *19 *29 *107
31 3 ˆ 4 *5*7ˆ5 *11 2 29 *41 *97 *193
32 2 ˆ 2 *5 ˆ 7 *7*11 1 13 *7 1 *139 *191
33 2 ˆ 2 *5 ˆ 8 *7*11 3 29 *6 7 *73 *179
34 3 ˆ 2 *5 ˆ 2 *7*11 ˆ 4 1 2 ˆ 2 *19 *37 *4 7 *193
35 2 ˆ 7 *3 ˆ 6 *5*7 ˆ 2 1 3 7 *43 *107 *151
36 3 ˆ 3 *7 ˆ 7 1 2 *43 *5 3ˆ2 *109
37 2 ˆ 2 *5 ˆ 2 *7 ˆ 5 *11 1 3 *19 *41 *61 *211
38 2 ˆ 5 *3 ˆ 3 *5 ˆ 2 *7*1 1 ˆ2 1 2 9 *31 *151 *223
39 2 *5 ˆ 6 *7ˆ2 *1 1 1 29 *6 1 *7 9 *227
40 2 ˆ 2 *5ˆ2 *1 1 ˆ 5 1 3 ˆ 5 *19 *79 *8 9
41 3 ˆ 2 *5ˆ4 *1 1 ˆ 4 1 2 *7*97 *139 *179
42 5 ˆ 4 *7ˆ4 *1 1 ˆ 2 3 2 ˆ 3 *17 *31 *6 7 *127
43 2 ˆ 3 *3ˆ2 *5 ˆ 6 *7*11 1 13 *29 ˆ 2 *59 ˆ2
44 3 ˆ 2 *5ˆ4 *7 ˆ 3 *11 ˆ2 4 1 9ˆ 3 *29 *197
45 7 ˆ 4 *1 1 ˆ 5 9 2 ˆ 3 *13 *17 *1 9ˆ2 *79
46 2 *5 ˆ 4 *1 1ˆ 5 3 19 *103 *157 *181
47 3 *5 ˆ 2 *1 1ˆ 6 4 37 *73 *127 *179
48 2 ˆ 2 *3 ˆ 4 *5 ˆ 5 *1 1 ˆ2 1 29 *109 *149 *157
49 2 ˆ 2 *5 ˆ 3 *7 ˆ 2 *1 1 ˆ4 9 13 *2 9ˆ2 *71 *101
50 3 ˆ 7 *5 ˆ 2 *7 ˆ 4 1 2 ˆ 3 *17 *23 *137 *193
51 2 *5*7ˆ3 *11 ˆ 4 3 23 *29 *37 *53 *7 3
52 2 ˆ 2 *3*7ˆ7 *11 5 47 *107 *149 *179
53 3 *11 ˆ 8 10 7 *29 *6 7 *71 *163
54 2 *5ˆ5 *7 ˆ 6 11 3 *43 *83 *89 *211
55 3 *5ˆ5 *7ˆ2 *11 ˆ 3 8 23 *41 *4 7 ˆ 2 *107
25
X= 75695763106501556705305764502754936587819598184067351577433032507856332859
5679423010251901850133526999585453943501610097294132617819824833831101214591
4436530877754829641771815233949422940291369528064063220752769498277701462410
8310326460216549269998237692558639726079463565070924375206289830057722589435
9044218428126425544707265515259392507522823290552782790244143095915540083328
6647355489098701203665266097543096430161981191012698547957753245615400642156
6009521484375000000000000000000000000000000000000000000,
Y= 89703025676439146909634318953050859996463498582497692905363926386871531215
1470596839682183291916847167330486410267725009210425053361066685989493430651
6222448335298694730188139419712140836303477738769684013638969809410021181628
1484584566446454557099758814179896192053526153001893986178123643916393821728
8509975066081055665376292175821267217313751458334859802980440111341258224039
13885046671262199158753471668113044162973340975659170623801.
(S64)
48567227 = 7919 ×6133.
C. The 10-qubit case
In the 10-qubit case, we present 221 independent smooth
relation pairs in the Supplementary Data. The corresponding
Boolean matrix containing 221 vectors of 201 dimension (200
dimension for the prime basis plus 1 dimension sign basis).
We present a set of solution for the linear equation system:
x=(1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,
1,1,0,1,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,
0,0,0,0,1,1,0,0,0,1,0,1,1,1,1,1,0,0,1,0,1,
1,1,1,0,1,0,0,1,0,1,0,1,1,1,0,0,1,1,0,1,0,
0,1,1,1,0,0,1,0,1,0,0,0,0,1,0,0,1,1,0,1,1,
1,0,0,0,1,1,0,0,0,0,0,1,0,0,1,1,0,0,1,1,1,
0,0,0,1,0,0,0,0,0,0,1,0,1,1,1,1,0,1,0,0,1,
0,0,0,0,0,0,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,
0,1,0,0,0,0,1,1,1,0,0,0,1,0,0,0,1,1,1,1,1,
1,0,0,0,0,0,1,0,0,1,0,0).
(S69)
The corresponding solution for the quadratic conjugation is
presented in Eq. S64.
It is easy to verify that the solution satisfies the equation:
X2≡Y2mod N(S70)
Furthermore, we have
p=gcd(X+Y, N ) = 15538213,
q=gcd(X−Y, N ) = 16860433.(S71)
Finally, we obtain the factorization result:
N= 261980999226229 = 15538213 ×16860433.(S72)
B
0
0.4
0.8
1.2
Relative length
5
10
15
40
45
50
20
25
30
35
Random samples
Babai
QAOA
n=10, c=7
A
5
10
15
20
25
30
35
40
45
50
Random samples
0
0.5
1
1.5
2
Relative length
n=7, c=10
Babai
QAOA
FIG. S4. Performance on random samples for the quantum optimizer
(QAOA) over Babai’s algorithm. A (B) for the results of 50 random
CVP samples under the condition of n= 7, c = 10 (n= 10, c = 7).
The yellow (blue) bars represent the results of the quantum optimizer
(classical Babai’s algorithm). We can observe that the quantum opti-
mization results are better than the classical results in many cases.
VII. THE EXPLORATION OF QUANTUM ADVANTAGE
In this part, we explore the advantage of the quantum opti-
mizer compared to Babai’s algorithm numerically. The mea-
surable criteria considered is the quality of the short vectors
for CVP. The quality of the short vector is positively related to
the efficiency of obtaining smooth relation pairs in Schnorr’s
26
sieve method. The higher the quality of the short vector, the
more efficient the factoring method. Since it is an open ques-
tion to estimate the analytical complexity of the QAOA algo-
rithm at present, in the discussion here, it is assumed that the
QAOA procedure can give the optimal solution to the opti-
mization problem in a limited time. Here we use the relative
distance parameter rto measure the length of the vector in-
stead of the Euclid norm or square norm. The parameter is
specifically defined by
r=kb−tk2/det(B0
n,c)2
n,(S73)
where B0
n,c = [Bn,c,Nc]. This parameter uses the 2/n-
power of the determinant of the extended lattice B0
n,c to mea-
sure the relative length of the short vector b−t, which can
reduce the effects of different determinant of lattices to a cer-
tain extent on short vector quality.
A. The random sample results
We first study the performance of the quantum optimizer
and the classical Babai’s algorithm on random samples of
CVP. Here, we generate 50 random CVP (lattice and tar-
get vector) samples under the condition of lattice dimension
n= 7, precision c= 10 and n= 10,c= 7 respectively.
For each random sample, the lattice determinant and the tar-
get vector are the same, only the main diagonal elements of
the lattice are randomly permuted. The results can be found
in Fig. S4. Here the horizontal axis represents random sam-
ples, and the vertical axis represents the relative quality rof
the result vector. The blue (yellow) bars represent the results
of the classical Babai’s algorithm (quantum optimization). As
shown in the picture, the quantum-optimized results are not
worse than the classical results. And in many cases, the quan-
tum optimization results are significantly better than the clas-
sical results, i.e., shorter vectors are obtained.
B. Quantum advantage and lattice precision
We further study the advantage of the quantum optimizer
with increasing precision parameter cof the lattice. In
Fig. S5A, we present the numerical results when the param-
eter cincreases from 5to 14 in the dimension of n= 12,14
separately. The results are averaged by 40 randomly gener-
ated CVP samples for each set of parameters {n, c}. Among
them, the circles (triangles) represent the calculation results
of n= 12 (n= 14). The solid (hollow) symbols represent
the results of quantum (classical). The error bars give a con-
fidence interval under a unit standard deviation. In both the
case of n= 12 and n= 14, a shorter vector is obtained after
quantum optimization. Taking the n= 14 case as an example,
we can see that the quality gap between the results of Babai’s
algorithm and the quantum algorithm gradually increases with
the increase of the parameter c, which indicates that the vec-
tor quality after quantum optimization is higher than that of
Precision c
1
1.2
1.4
1.6
1.8
2
Relative length r
5
6
7
8
9
10
11
12
13
14
n=12, Babai
n=12, QAOA
n=14, Babai
n=14, QAOA
5
6
7
8
9
10
11
12
13
14
Precision c
0
0.5
1
Ratio
n=12
n=14
A
B
FIG. S5. Performance of the quantum optimizer with the increasing
precision of the lattice. A, Relative length results for the quantum
and classical methods. The horizontal axis represents precision pa-
rameter c, which is positively correlated with the determinant of the
lattice. B, Advantage ratio for the 40-random samples, blue (orange)
bars for the n= 12 (n= 14) case. We can see from the picture
that the quantum optimization results is better than that of Babai’s in
average cases, especially when the determinant (positively correlated
with c) of the lattice is large.
Babai’s algorithm in an average sense when the determinant
of the lattice grows. In addition, we have counted the advan-
tage sample ratio for the quantum results over the 40 random
samples, shown by the blue and orange bars in Fig. S5B. We
found that the ratio of quantum advantages at n= 12 is about
0.5, and this proportion increases to 0.65 when n= 14. The
results indicate that quantum advantage becomes more signif-
icant when the lattice dimension increases. This results will
be further demonstrated in the following part.
C. Quantum advantage and lattice dimension
Here we study the the relation between the advantages
of quantum optimizer versus the dimension of lattice up to
n= 14. For each dimension n, the results are averaged over
40 random samples with c=n. As can be found in Fig. S6A,
the vector quality after quantum optimization is higher than
27
0.4
0.8
1.2
1.6
2
Relative length r
5
6
7
8
9
10
11
12
13
14
Dimension n
Babai
QAOA
Dimension n
0
0.4
0.8
Ratio
5
6
7
8
9
10
11
12
13
14
A
B
FIG. S6. Performance of the quantum optimizer with the increasing
dimension of the lattice. A, Relative length results for the quantum
and classical methods. The horizontal axis represents lattice dimen-
sion n. The results are averaged over 40 random samples with c=n.
The error bars give a confidence interval under a unit standard devi-
ation. B, Advantage ratio for the 40-random samples. We can find
that the relative distance gap between the quantum and classical re-
sults becomes more significant as the dimension of the lattice grows.
the result of the classic Babai algorithm in the average sense.
That is, we can find a shorter vector through quantum opti-
mization. The quality gap between the quantum and clas-
sical results becomes more significant as the dimension of
the lattice grows, which means the advantage of the quan-
tum method becomes more significant in the larger system.
At the same time, we have counted the ratio of the quantum
advantage over the 40 random samples, showing the results in
Fig. S6B. The advantage ratio is highlighted when the dimen-
sion increases, which is consistent with the different trends of
the vector quality curves in Fig. S6A. Both results indicate that
the advantages of quantum methods will become more and
more obvious when the dimension of the lattice is increased.
VIII. THE RESOURCE ESTIMATION FOR RSA-2048
A. Introduction
How many quantum resources does it take to factor a 2048-
bit RSA integer? This part we focus on the specific quan-
tum resources required to factor a 2048-bit RSA integer based
on the SQIF algorithm. The quantum resources considered
mainly include the number of physical qubits and the depth
of the QAOA circuit with single layer. Usually, quantum
circuits cannot be directly executed on quantum computing
devices, as their design does not consider the qubit connec-
tivity characteristics or the topology construction of actual
physical systems. The execution process often requires addi-
tional quantum resources such as ancilla qubits and extend-
ing circuit depths. We discuss the quantum resources re-
quired to factor real-life RSA numbers in terms of complete
graph topology (Kn), 2-dimensional lattice topology (2DSL),
and one-dimensional chain topology (LNN), respectively. We
demonstrate with specific schemes that the embedding pro-
cess needs no extra qubits overhead. Furthermore, the cir-
cuit depth of QAOA with a single layer is linear to the di-
mension nof the quantum system for all the three topology
systems. As a result, we consume a sublinear quantum re-
sources to factor integers using the SQIF algorithm. Taking
RSA-2048 as an example, the number of qubits required is
n= 2 ∗2048/log2048 ∼372. The quantum circuit depth of
QAOA with single layer is 1118 in Kn topology system, 1139
in 2DSL system and 1490 in the simplest LNN system, which
is achievable for the NISQ devices in the near future or even
today.
B. Problem description
First, we review the construction of the problem Hamilto-
nian Hc. Using the single-qubit encoding rules, the corre-
sponding Hamiltonian Hc could be taken as a 2-dimensional
Ising model of the following form:
Hc =
n
X
i=1
hiσi
z+
n
X
i,j=1
Ji,j σi
zσj
z,(S74)
where the parameters hi, Ji,j are determined by the coeffi-
cients of the primary and quadratic terms of the quadratic
unconstrained binary optimization (QUBO) problem . The
summation symbol on the right side of the second equation
above traverses all subscript combinations. If we regard each
quadratic term as an edge in an undirected graph, all the ZZ-
terms {σi
zσj
z}i<j will form an n-order complete graph Kn.
Namely, the connectivity topology of the logical qubits is a
Kn-graph. Take the 3-qubit case and 5-qubit case in the main
text as examples, the qubit topology of the problem Hamil-
tonian is a 3-order and 5-order complete graph, as shown in
Fig. S7A, B, respectively.
28
AB
C
H
H
H
RZ
RZRZRZ
RZ
RZRX
RX
RX
Q1
Q2
Q3
1( ) =− 2( ) =−
D
ZZ-basic module:
−,=
RZ
FIG. S7. Qubits connectivity and the typical quantum circuit of QAOA. Arepresents the qubits connectivity for the 3-qubit case, which is a
K3graph. Bfor the 5-qubit case, which is a K5graph. C. A typical QAOA circuit with single layer for the 3-qubit QUBO Hamiltonian. It
manly consists of two U1(γ)and U2(β), which correspond to the evolution operator of the problem Hamiltonian Hcand mixing Hamiltonian
Hb.D. ZZ-basic module. It is consist of two CNOT gates and a single qubit Rz rotation arranged together as a sandwich.
A typical QAOA circuit for the Kn-type Hamiltonian is
shown in Fig. S7C. Two types of unitaries are involved in the
quantum circuit of single-layer QAOA iteration. U1(γ)is the
evolution operator of the problem Hamiltonian Hc.U2(β)is
the evolution operator of the mixing Hamiltonian Hb, which
consists of single qubit rotations around the x-axis. U1(γ)
can be implemented by the single qubit Rz-rotations and the
two-qubit blocks, which are corresponding to the local terms
(primary) and ZZ-terms of the problem Hamiltonian Hc. We
mainly focus on the two-qubit blocks which is specifically de-
fined as
ZZj,k (γ) = e−iγ Jj,kσj
zσk
z.(S75)
The ZZj,k (γ)unitary can be realized by the combination of
two CNOT gates and one Rz gate like a sandwich, as shown
in Fig. S7D. In the following discussions, we’ll take the gate-
combination as a basic module of depth 3 without considering
its compilation in a specific physical system. The actual phys-
ical system often compiles this module according to its native
universal quantum gates, and this often increases at most O(1)
additional quantum operations and circuit depths.
Since the circuit depth of the single-qubit operations in
U1(γ)and U2(β)is at most 2 in a physical system, we will
not discuss them later. We focus on the embedding problem of
the quadratic terms in U1(γ)into the physical system. Specif-
ically, to estimate the overhead of qubits and the circuit depth
after embedding a group of ZZ-terms which form a Kn-type
circuit. This problem will be referred to as a Kn-type embed-
ding problem in the following part.
C. Circuit depth under complete graph topology
We first consider an ideal situation that any two qubits can
interact directly. Namely, the qubits connectivity of the phys-
ical system is a complete graph. In this scenario, the Kn-type
embedding problem does not need additional qubits or quan-
tum SWAP gates. Therefore, the depth of the quantum circuit
can be made optimal.
The n-node complete graph Kn contains n(n−1)/2edges,
which means the QAOA circuit contains O(n2)ZZ-basic
modules. The depth of the single-layer QAOA circuit is
O(n2)without optimization. Since the ZZ-terms in opera-
tor U1(γ)are mutual commutes, we are free to rearrange the
order of all two-qubit interactions to minimize the depth of
the embedded circuit. Here we introduce an optimization
scheme based on the maximum matching theory in an undi-
rected graph, which will reduce the depth of the circuit to
O(n). The scheme is optimal when considering the ZZ-term
as a basic module.
Definition 2 Matching and maximum matching: Denote an
undirected graph by G(V, E), and M⊆E(G)is a subset of
edges, satisfying: ∀(ei, ej)∈M,ei, ejare not adjacent in
G. Edges in Mdo not share a common vertex. Then Mis
said to be a matching of G. For each edge e= (u, v)in the
matching M, we call the edge e, or the vertices u, v matched
by M. Each vertex in the graph is either not matched by Mor
only matched by one edge in M. If there is no matching M0
in Gsuch that |M0|>|M|, then Mis said to be a maximum
matching in G. If every vertex in Gis matched by M, then M
is said to be a perfect matching of G.
According to the definition, a perfect matching must be a max-
29
imum matching. The number of maximum matchings in a
complete graph can be answered by the following lemma.
Lemma 3 (Maximum matching in the complete graph) There
are 2n−1perfect matchings with non-repeated edges in an
even-order complete graph K2n. There are 2n−1maximum
matchings with non-repeated edges in an odd-order complete
graph K2n−1.
Proof For an even-order complete graph K2n, let the vertices
of a (2n−1)-regular polygon be v1, v2, ..., v2n−1, and add a
vertex v2nat the center. Take any vertex vi,1≤i≤2n−1,
construct a matching Miincluding edge (vi, v2n)and all the
edges perpendicular to it. It is easy to prove that Miis a per-
fect match for any i, and there is no common edge between
Miand Mjwhen i6=j. Therefore, an even-order complete
graph K2nhas 2n−1perfect matchings with non-repeated
edges. Since there are total n(2n−1) different edges in K2n,
and the 2n−1different perfect matchings already matched
n(2n−1) non-repeated edges, there are no other matching
with non-repeated edges. For the odd-order complete graph
K2n−1, we need to add an auxiliary vertex v2n, then the situa-
tion is turned to the even-order case. The difference is that we
need to remove the edge (vi, v2n)in each perfect match. As a
result, we get 2n−1maximum matchings for the odd-order
case. This completes the proof.
Proposition 3 If the qubits connection of the physical system
forms a complete graph, then the Kn-type Hamiltonian can
be embedded in the physical system without additional qubits,
and the depth of the embedded quantum circuit is O(n).
Proof According to the definition of matching in Definition 2,
there is no common vertex between the edges that belong to
the same matching. So the corresponding two-qubit interac-
tions can be performed on the quantum circuit simultaneously
and in parallel. Suppose each ZZ-term is compiled using the
ZZ-basic module shown in Fig. S7D, then the circuit depth of
the ZZ-terms in the same matching is 3. According to Lemma
3, when nis even, there are n-1 non-repeated perfect match-
ings in a complete graph, and these perfect matchings infil-
trate all edges in graph Kn. Therefore, we can construct a
quantum circuit with n−1layers according to the n−1per-
fect matchings. And each layer executes n/2ZZ-basic mod-
ules without common qubits in parallel. As the circuit depth
of each layer is 3, the total circuit depth is 3(n−1). When
nis odd, the complete graph Kn has nmaximum matchings
with non-repeated edges by Lemma 3. Each maximum match-
ing infiltrates (n−1)/2edges, so these maximum matchings
infiltrate all edges in Kn. Similarly, a quantum circuit with n
layers can be constructed, and each layer executes (n−1)/2
ZZ-terms without common qubits in parallel, with a total cir-
cuit depth of 3n. In summary, the Kn-type embedding process
can be implemented without additional qubits and the depth
of the embedded quantum circuit is O(n). This completes the
proof.
The proof of Lemma 3gives the exact construction of each
perfect matching of the complete graph Kn, which means an
exact construction scheme of the embedded quantum circuit
with depth O(n)is given. The scheme is optimal when con-
sidering the ZZ-term as a basic module. In this situation,
the number of ZZ-terms in a perfect matching is maximized,
namely, the quantum gate operations have the highest paral-
lelism. Since all the maximum (perfect) machines cover all
the edges non-repeatedly, the scheme is optimal.
The qubit connectivity is a valuable resource in NISQ de-
vices. Usually, it is difficult to achieve large-scale fully con-
nected topology for actual quantum systems. However, it is
easier to realize in some special quantum systems such as the
trapped ions system [52], the optical quantum system, and the
system with large quantum memory [15].
D. Circuit depth under linear chain topology and lattice
topology
The linear chain topology is one of the most common struc-
tures, which can be realized relatively easily in real quantum
systems. This topology, also known as linear nearest neigh-
bor (LNN) architecture, in which the qubits are arranged on a
line and only the nearest neighbor couplings are available. In
this section, we focus on discussing the resource of quantum
gate and circuit depth when embedding a Kn-type Hamilto-
nian into a one-dimensional linear chain system. The results
for the lattice system can be made as a corollary.
The embedding problem from arbitrary types of Hamilto-
nian topology into LNN has been widely studied [53–59], and
some mature methods have been formed. In 2007, Donny
Cheung et al. studied the overhead of mutual conversions be-
tween various topology models based on the graph-theoretic
model [55]. They pointed out that mapping arbitrary circuits
to LNN would require at most O(n)extra depth overhead
based on the linearity of parallel sorting. However, no spe-
cific conversion scheme is given for mapping Kn-type Hamil-
tonian to LNN. In 2009, Yuichi Hirata proposed an efficient
method to map arbitrary quantum circuits to LNN based on
the idea of bubble sorting [56]. In 2021, the researchers of
Google applied the circuit of parallel bubble sorting to com-
plete the embedding from K17 to LNN and conducted related
experiments on Sycamore superconducting quantum proces-
sor [11]. Overall, mapping Kn to LNN requires an additional
O(n2)SWAP operations and an additional O(n)circuit depth
overhead based on the parallel bubble sorting circuit. In the
following, we will give proof of this conclusion independently
based on the parallel bubbling algorithm.
To embed a fully connected graph Kn into LNN, additional
SWAP operations are required to swap the positions of the
qubits, i.e. to permute (or sort) the vertices of the graph into
some specifical order. How to reduce the overhead of the
SWAP gates is the crucial issue. According to Ref. [56], the
swap network of bubble sort is optimal to fulfill the corre-
sponding permutation job, and the following lemma holds.
30
Lemma 4 Let x1, x2, ..., xnbe the initial order of nqubits
under the LNN architecture. Consider a permutation to
change the order into xj1, xj2, ..., xjn, the least SWAP gates
overhead is equivalent to the number of swap operations in
the bubble sort.
Lemma 4indicates that the bubble sort algorithm is optimal
for qubits order permutation in the case that only the nearest
neighbor qubits are coupled. Therefore, the quantum SWAP
circuit for exchanging qubits is equivalent to the classical
swap circuit for bubble sort. Bubble sort is a sort algorithm
for a given dataset. The algorithm starts from the head of the
dataset, compares the first two elements, and if the first ele-
ment is greater than the second, swaps them. This process is
performed for each pair of adjacent elements in the dataset un-
til the tail of the dataset is reached. The whole process repeats
until the last round with no swap happening. Since any two
elements are compared only once during the process of bubble
sort, the average and worst-case running time of bubble sort
are both O(n2).
Consider the worst case which would be useful for our anal-
ysis later. Let the initial order of nqubits be 1,2, ..., n, and
now we want to sort them reversely as n, n −1, ..., 1. Ac-
cording to Lemma 4, the number of swap gates used in the
bubble sort algorithm is the least for this purpose. According
to the rules of bubble sort, any two qubits are swapped and
only swapped once, and a total n(n−1)/2swaps are required,
which made an exact cover of the edges in the complete graph
Kn. Therefore, the classical swap network of bubble sort that
implements the reverse order permutation just corresponds to
the embedding of Kn-type Hamiltonian to LNN.
The parallel bubble sort algorithm is a parallel version of
the bubble sort algorithm which can reduce the running time
to O(n). The main idea of parallel bubble sort is to compare
all adjacent pairs of input data at the same time and then iter-
ate alternately between odd and even phases. A pseudocode
description of this algorithm can be found in Algorithm 4. As-
suming the size of the input data is n, the parallel bubble sort
will perform niterations of the main loop. For each itera-
tion, it is divided into odd and even phases according to the
parity of the main loop. When nis an odd number, both the
odd and even phases perform (n−1)/2compare-swap opera-
tions, which can be performed in parallel; When nis even, the
odd and even phases perform n/2and n/2−1compare-swap
operations, respectively. The following lemma holds for the
parallel bubble sort algorithm.
Lemma 5 Let nbe the size of the input data and p≤n/2
be the number of processors, then the time complexity of the
algorithm is O(n2/2p). The algorithm achieves the minimum
when p=bn/2cwith at most niterations.
If the number of processors is less than n/2, a single proces-
sor will perform about bn/2pcthe compare-swap operations
for the inner loop of each phase. In this case, the complex-
ity of the algorithm is O(n2/2p). Here, the optimal number
of processors is bn/2c. Each processor in the inner loop will
Algorithm 4: parallel bubble sort
Input: Data, which is a dataset with n elements
Output: Data, with reversed order
for i from 1 to ndo
Flag=mod(i,2), # a flag for odd and even phases.
for j from 1 to b(n−1 + Flag)/2cdo
if Data[2j-Flag]<Data[2j+1-Flag] then
swap Data[2j-Flag] and Data[2j+1-Flag]
end
end
end
perform at most one compare-swap operation. The outer loop
of the algorithm can complete the entire bubble sort task with
at most niterations. In quantum computing, it is often as-
sumed that the quantum device has enough control processors
to enable two-qubit operations executed in parallel if they do
not share the same qubit. Therefore, the following conclusion
is established.
Proposition 4 The Kn-type circuit can be embedded in the
LNN physical system without additional qubits, and the depth
of the embedded quantum circuit is O(n).
Proof Let the initial order of the nqubits LNN system be
1,2, ..., n, and now it will be rearranged into n, n −1, ..., 1.
The number of swaps required by the bubble sort algorithm
is n(n−1)/2. The swap network of bubble sort covers the
edges of the complete graph Kn exactly, which made an em-
bedding from Kn to LNN. This process can be fulfilled by the
parallel bubbling circuit Γwith n/2processors. Then the cir-
cuit needs at most nloops according to Lemma 5, and each
loop executes bn/2cswap operations in parallel. The spe-
cific parallel swap network that implements this process can
be found in Fig. S8. Hence the embedded circuit in the LNN
system can be constructed by replacing the swap gate in Γ
with the ZZ-SWAP basic module (shown in Fig. S8C). Since
the depth of the ZZ-SWAP basic module is 4, the depth of the
embedded circuit is 4n. The whole embedding process can
be implemented without additional qubits. This completes the
proof.
In addition, since the ZZ-basic module corresponding to each
edge in Kn becomes the ZZ-SWAP basic module, an addi-
tional overhead including n(n−1)/2SWAP operations and
n-depth circuit are required after embedding. Meanwhile, the
order of the qubits will be reversed after the execution of the
circuit, and the qubit order will be restored by iterating the
QAOA circuit again.
The lattice topology system is also referred as a 2-
dimensional square lattice (2DSL), in which the qubits are ar-
ranged as a two-dimensional lattice, and only the adjacent in-
teractions are allowed. Since a one-dimensional chain can be
directly embedded into the 2-dimensional lattice (find a one-
dimensional path in 2DSL), the embedded circuit depth of the
Kn type Hamiltonian will not exceed the LNN case. Hence
the following corollary is established.
31
. . .
SWAPSWAPSWAP . . .
SWAPSWAP . . .
SWAPSWAPSWAP . . .
SWAPSWAP . . .
SWAPSWAPSWAP . . .
SWAPSWAP . . .
SWAPSWAPSWAP . . .
Q1
Q2
Q3
Q4
Q
2k-1
Q
2k
Q
2k+1
. . .
2k+1 layers
A
. . .
SWAPSWAPSWAP . . .
SWAP SWAP
. . .
SWAP SWAPSWAP
. . .
SWAP SWAP
. . .
SWAP SWAP
. . .
SWAP SWAPSWAP
. . .
Q1
Q2
Q3
Q4
Q
2k-2
Q
2k-1
Q
2k
. . .
2k layers
SWAPSWAP
. . .
SWAP
SWAP SWAP
. . .
B
C
ZZ-SWAP basic module:
RZ
−,=
FIG. S8. Circuit of parallel bubbling swap network implementing reverse order sorting. Afor the odd qubits case and Bfor the even qubits
case. Both cases have the same layers of outer loops to n, which leads to an O(n)depth circuit. C. ZZ-SWAP basic module. It is a 4-depth
quantum circuit constructed by a SWAP operation after a ZZ-basic module.
Corollary 1 The embedded circuit depth for Kn-type Hamil-
tonian into a 2-dimensional square lattice (2DSL) system is
O(n)without additional qubits.
In summary, the complete graph topology is the ideal topol-
ogy, and the circuit for the Kn type Hamiltonian can be em-
beded optimally in depth O(n)without any additional quan-
tum resources. For the LNN topology, additional O(n)circuit
depth is required. Since the embedded circuit scheme based
on parallel bubble sorting shares the same depth overhead
O(n), it is also optimal for both the LNN and 2DSL systems in
the meaning of the ’O’ symbol. Moreover, Ref. [55] provides
a more efficient method to embed a Kn-type Hamiltonian into
a 2DSL system with O(√n)additional circuit depth, which
takes advantage of the convenience of two-dimensional lattice
structure.
E. Resource estimation for RSA-2048
Here we discuss the quantum resources needed to challenge
real-life RSA numbers based on the results above. Since no
additional qubits in the process of circuit embedding con-
sumed, the number of qubits required to factor an mbit in-
teger is n= 2m/logm(here we take the precision param-
eter c= 1). The embedded circuit depths for the Kn-type
Hamiltonian are 3nand 4nin the complete graph system and
the LNN system, respectively. The circuit depth for a 2DSL
system can be optimized to 3n+√n, according to Donny
Cheung et al. [55]. The results are obtained without con-
sidering the native compilation of the ZZ-basic module (or
ZZ-SWAP basic module) in a specific physical system. Tak-
ing RSA-2048 as an example, the number of qubits is about
2∗2048/log2048 ∼372, and the circuit depth of the single
layer QAOA is ∼3 + 2 = 1118 in completely connected sys-
tems, which includes 1-depth single qubit Rz operations and
1-depth single qubit Rx operations. It is ∼4n+ 2 = 1490
and ∼3n+√n+ 2 = 1139 in a one-dimensional chain sys-
tem and a 2-dimensional square lattice system, respectively.
The quantum resources required for different lengths of RSA
numbers are shown in Table S11.
TABLE S11. Quantum resource estimation for RSA numbers. The
principal quantum resources mentioned are the number of qubits, and
the quantum circuit depth of QAOA with one layer in three typical
topologies, including an all-to-all connected system (Kn), 2d-lattice
system (2DSL), and one-dimensional chain system (LNN). The re-
sults are obtained without considering the native compilation of the
ZZ-basic module (or ZZ-SWAP basic module) in a specific physical
system.
RSA number Qubits Kn-depth 2DSL-depth LNN-depth
RSA-128 37 113 121 150
RSA-256 64 194 204 258
RSA-512 114 344 357 458
RSA-1024 205 617 633 822
RSA-2048 372 1118 1139 1490
We have also analyzed the scale of RSA-numbers, namely
the touch-size that existing quantum computing devices can
reach under some ideal conditions, in which the claimed
qubits are all relatively ideal or with high fidelity. The results
are given according to the qubits connectivity of the quantum
devices by using the SQIF algorithm. The quantum processors
considered mainly including Sycamore, Eagle, Aspen-M, Zu-
32
TABLE S12. Touch-size of RSA numbers for some famous real
quantum devices. The results are given according to the qubits con-
nectivity and basic logical gate groups of the quantum devices by
using our algorithm. The last column gives the basic depth condi-
tion needing to satisfy for the devices. The circuit depth in systems
with “others” topology type will be calculated according to the LNN
model.
system devices qubits topology touch-size depth-least
supercon
-ducting
qubits
Sycamore 53 2DSL 201 170
Eagle 127 others 581 510
Aspen-M 80 others 334 322
Zuchongzhi2 66 2DSL 264 210
Tianmu-1 36 2DSL 124 118
trapped
ions
Maryland 40 Kn 142 122
IonQ 79 Kn 329 239
chongzhi2, Tianmu-1, and trapped-ion devices from Maryland
and Ion Q. All the devices are released publicly or could be
visited through quantum cloud platforms. Meawhile, we give
the “depth-least” results for the devices to try the touch-size
RSA numbers , which represent the necessary depth condi-
tion and estimated by the depth of single layer QAOA circuit.
Specifically, if the quantum processor is a two-dimensional
grid topology, the circuit depth is calculated according to the
2DSL model. For the topology type of “others”, the depth
will be calculated according to the LNN model. The detailed
results are shown in Table S12 .
We can find from Table S12 that the touch-size of NISQ
devices is close to the real life RSA numbers today. Such as
the 127 qubits ibm-eagle machine, whose touch-size is 581
and the least circuit depth necessary is 510, which means if
all the qubits work well and reaches a considerable fidelity
after 510 circuit depth, it can be used to try factoring RSA-
581. However, the touch-size is an ideal basic situation, the
QAOA usually works more than one layer and deeper circuit
required. Besides, the quantum speedup is unknown, it is still
a long way to break RSA quantumly.
