Factoring integers with sublinear resources on a superconducting quantum processor

Shor's algorithm has seriously challenged information security based on public key cryptosystems. However, to break the widely used RSA-2048 scheme, one needs millions of physical qubits, which is far beyond current technical capabilities. Here, we report a universal quantum algorithm for integer factorization by combining the classical lattice reduction with a quantum approximate optimization algorithm (QAOA). The number of qubits required is $O(\log N/\log\log N)$, which is sublinear in the bit length of the integer $N$, making it the most qubit-saving factorization algorithm to date. We demonstrate the algorithm experimentally by factoring integers up to 48 bits with 10 superconducting qubits, the largest integer factored on a quantum device. We estimate that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 using our algorithm. Our study shows great promise in expediting the application of current noisy quantum computers, and paves the way to factor large integers of realistic cryptographic significance.
Bao Yan,1,2 Ziqi Tan,3 Shijie Wei,4 Haocong Jiang,5 Weilong Wang,1 Hong Wang,1 Lan Luo,1 Qianheng Duan,1
Yiting Liu,1 Wenhao Shi,1 Yangyang Fei,1 Xiangdong Meng,1 Yu Han,1 Zheng Shan,1 Jiachen Chen,3 Xuhao Zhu,3
Chuanyu Zhang,3 Feitong Jin,3 Hekang Li,3 Chao Song,3 Zhen Wang,3 Zhi Ma,1 H. Wang,3 and Gui-Lu Long2,4,6,7,§
1 State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
2 State Key Laboratory of Low-Dimensional Quantum Physics and Department of Physics, Tsinghua University, Beijing 100084, China
3 School of Physics, ZJU-Hangzhou Global Scientific and Technological Innovation Center, Interdisciplinary Center for Quantum Information, and Zhejiang Province Key Laboratory of Quantum Technology and Device, Zhejiang University, Hangzhou 310000, China
4 Beijing Academy of Quantum Information Sciences, Beijing 100193, China
5 Institute of Information Technology, Information Engineering University, Zhengzhou 450001, China
6 Beijing National Research Center for Information Science and Technology and School of Information Tsinghua University, Beijing 100084, China
7 Frontier Science Center for Quantum Information, Beijing 100084, China
Quantum computing has entered the era of noisy intermediate scale quantum (NISQ) [1,2]. A milestone in the NISQ era is to prove that NISQ devices can surpass classical computers in problems with practical significance, that is, to achieve practical quantum advantage. Low-resource algorithms, which harness only limited available qubits and circuit depths to perform classically challenging tasks, are of great significance. Variational quantum algorithms, adopting a “classical+quantum” hybrid computing framework, hold great promise for a meaningful quantum advantage in the NISQ era [3–6]. One representative is the quantum approximate optimization algorithm (QAOA) [5], which was proposed to solve eigenvalue problems, and has subsequently been widely used in various fields such as chemical simulation [7,8], machine learning [9], and engineering applications [10,11].
Integer factorization has been one of the most important foundations of modern information security [12]. The exponential speedup of integer factorization by Shor’s algorithm [13] is a great manifestation of the superiority of quantum computing. However, running Shor’s algorithm on a fault-tolerant quantum computer is quite resource-intensive [14,15]. Up to now, the largest integer factorized by Shor’s algorithm in current quantum systems is 21 [16–18]. Alternatively, integer factorization can be transformed into an optimization problem, which can be solved by adiabatic quantum computation (AQC) [19–22] or QAOA [23]. Larger numbers have been factored using these approaches in various physical systems [24–27]. The maximum integers factorized are 291311 (19-bit) in an NMR system [26], 249919 (18-bit) in a D-Wave quantum annealer [25], and 1099551473989 (41-bit) in a superconducting device [27]. However, it should be noted that some of the factored integers have been carefully selected with special structures [28]; thus the largest integer factored by a general method in a real physical system to date is 249919 (18-bit).
In this paper, we propose a universal quantum algorithm for integer factorization that requires only sublinear quantum resources. The algorithm is based on the classical Schnorr’s algorithm [29,30], which uses lattice reduction to factor integers. We take advantage of QAOA to optimize the most time-consuming part of Schnorr’s algorithm to speed up the overall factorization process. For an $m$-bit integer $N$, the number of qubits needed for our algorithm is $O(m/\log m)$, which is sublinear in the bit length of $N$. This makes it the most qubit-saving quantum algorithm for integer factorization compared with the existing algorithms, including Shor’s algorithm. Using this algorithm, we have successfully factorized the integers 1961 (11-bit), 48567227 (26-bit) and 261980999226229 (48-bit), with 3, 5 and 10 qubits in a superconducting quantum processor, respectively. The 48-bit integer, 261980999226229, also sets a new record for the largest integer factored by a general method in a real quantum device. We proceed by estimating the quantum resources required to factor RSA-2048. We find that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 even in the simplest 1D-chain system. Such a scale of quantum resources is most likely to be achieved on NISQ devices in the near future.
The framework of the algorithm
arXiv:2212.12372v1 [quant-ph] 23 Dec 2022
[Figure 1: workflow diagram. Classical side: input integer N; Schnorr’s factoring algorithm (random CVPs, Babai’s algorithm, smooth relation pairs, linear equations); output factors (p, q). Quantum side: Hamiltonian problem handled by the quantum optimizer (QAOA) on the QPU, refining Babai’s solution b_op into the QAOA solution v_new.]
FIG. 1. Workflow of the sublinear-resource quantum integer factorization (SQIF) algorithm. The algorithm adopts a “classical+quantum” hybrid framework where a quantum optimizer QAOA is used to optimize the classical Schnorr’s factoring algorithm. First, the problem is preprocessed as a closest vector problem (CVP) on a lattice. Then, the quantum computer works as an optimizer to refine the classical vectors computed by Babai’s algorithm, and this step can find a higher quality (closer) solution of CVP. The optimized results are fed back into the procedure in Schnorr’s algorithm. After post-processing, the factors $p$ and $q$ are output.
The workflow of the sublinear-resource quantum integer factorization (SQIF) algorithm is summarized in Fig. 1, which essentially manifests itself as a “classical+quantum” hybrid framework. The core idea is to utilize the quantum optimizer QAOA to optimize the most time-consuming part of Schnorr’s algorithm, thereby improving the overall efficiency of the factoring process. As illustrated in the left panel of Fig. 1, Schnorr’s algorithm involves two substantial steps: finding enough smooth relation pairs (sr-pairs for short) and solving the resulting linear equation system. Generally, finding sr-pairs is the most important and time-consuming part of the algorithm, while solving the equation system can be done in polynomial time. In Schnorr’s algorithm [31], the sr-pair problem is converted to the closest vector problem (CVP) on a lattice, and resolved by lattice reduction algorithms such as Babai’s algorithm [32]. Because CVP is a well-known NP-hard problem [33], we can expect only an approximate rather than an exact solution of CVP in polynomial time or other acceptable time. Meanwhile, the probability of getting an sr-pair is proportional to the quality of the CVP solution [29]. Namely, the closer the solution vector of CVP, the more efficient the acquisition of sr-pairs. Based on the facts mentioned above, we propose a scheme which utilizes QAOA to further optimize the CVP solution obtained by Babai’s algorithm. The whole process of the SQIF algorithm is presented by detailed examples in [31]. We mainly focus on the quantum procedures of the algorithm in the following part.
We combine Babai’s algorithm with QAOA to solve the CVP on a lattice. Given a lattice $\Lambda$ with a basis $B = [b_1, ..., b_n] \in \mathbb{R}^{(n+1)\times n}$ and a target vector $t \in \mathbb{R}^{n+1}$, Babai’s algorithm can find a vector $b_{op} \in \Lambda$ which is approximately closest to the target vector $t$ via two steps. First, perform LLL-reduction with parameter $\delta$ for the given basis $B = [b_1, ..., b_n]$. Consequently, we have an LLL-reduced basis denoted by $D = [d_1, ..., d_n]$, and the corresponding Gram-Schmidt orthogonal basis denoted by $\tilde{D} = [\tilde{d}_1, ..., \tilde{d}_n]$. The second step is a “size-reduction” of the target vector $t$ using the LLL-reduced basis. Then we have the approximate closest vector, denoted by

$$b_{op} = (b_{op}^{1}, ..., b_{op}^{n+1})' = \sum_{i=1}^{n} c_i d_i, \tag{1}$$

where the coefficient $c_i = \lceil \mu_i \rfloor = \lceil \langle d, \tilde{d}_i \rangle / \langle \tilde{d}_i, \tilde{d}_i \rangle \rfloor$ is obtained by rounding the Gram-Schmidt coefficient $\mu_i$ to the nearest integer. Here, we notice that the round-to-nearest function takes only one approximation at a time. In fact, if the values of the two rounding functions can be taken into the calculation simultaneously, a higher-quality solution can be obtained [31]. This process exponentially increases the number of classical operations, which is unaffordable for a classical computer. Here we adopt the idea of quantum computing, using the superposition of qubits to encode the coefficient values obtained by the two rounding functions at the same time. Then we construct the optimization problem based on the Euclidean distance between the new lattice vector and the target vector. The details of the construction are as follows.
Let $v_{new}$ be the new vector obtained by randomly floating $x_i \in \{0, \pm 1\}$ on the coefficient $c_i$, satisfying

$$v_{new} = \sum_{i=1}^{n} (c_i + x_i) d_i = \sum_{i=1}^{n} x_i d_i + b_{op}. \tag{2}$$

We construct the loss function of the optimization problem as follows

$$F(x_1, ..., x_n) = \| t - v_{new} \|^2 = \Big\| t - \sum_{i=1}^{n} x_i d_i - b_{op} \Big\|^2. \tag{3}$$
[Figure 2, panels A-E: A, chain of qubits Q1-Q10 with couplers C1-C9; B, interaction topology of the problem Hamiltonian; C, p-layer QAOA circuit on Q1-Q10, each layer applying e^{-iγH_c} and then e^{-iβX} on every qubit; D, swap-network routing circuit with H and RZ gates; E, two equivalent e^{-iγwZZ} SWAP blocks, with dynamic decoupling (DD).]
FIG. 2. Experimental setup and the QAOA circuit of the SQIF algorithm. A, The 10 qubits selected on a superconducting quantum processor, with each qubit coupled to its nearest neighbors mediated by frequency-tunable couplers. B, Native interaction topology of the problem Hamiltonian for the 10-qubit factoring case, mapped into a chain topology depicted in A. C, Circuit diagram of a $p$-layer QAOA. All qubits are initialized into $|+\rangle$, followed by $p$ layers of repeated application of the problem Hamiltonian (orange) and the mixing Hamiltonian (green), finished by population measurements (gray). Note that the variational parameters $\{\gamma, \beta\}$ are different for all layers. D, Routing circuit for the 10-qubit all-to-all Hamiltonian into the linear nearest neighbor topology, built by a brickwork of two similar SWAP blocks with two layers of Hadamard gates (H) applied at the start and end, followed by a layer of $R_z(\theta)$ gates. Here, the rotation angle is omitted. The depth of the circuit is proportional to the number of qubits used. E, Detailed compilation of the quantum circuit into the native gates of the superconducting quantum processor.
The function value $\| t - v_{new} \|^2$ represents the squared Euclidean distance from the new vector to the target vector. The lower the loss function value, the closer the new vector is to the target vector $t$, and the higher the quality of the solution. When all variables $x_i$, $i = 1, ..., n$, take 0, the solution obtained by Babai’s algorithm is recovered.
By mapping the variable $x_i$ to the Pauli-Z terms, the problem Hamiltonian corresponding to Eq. 3 can be constructed as

$$H_c = \Big\| t - \sum_{i=1}^{n} \hat{x}_i d_i - b_{op} \Big\|^2 = \sum_{j=1}^{n+1} \Big| t_j - \sum_{i=1}^{n} \hat{x}_i d_{i,j} - b_{op}^{j} \Big|^2, \tag{4}$$

where $\hat{x}_i$ is a quantum operator mapped to the Pauli-Z basis according to the single-qubit encoding rules, which can be found in [31].
In this case, the number of qubits needed for the quantum procedure to optimize Babai’s algorithm is equal to the dimension of the lattice. According to the analysis in [31], the lattice dimension satisfies $n \sim 2c \log N/\log\log N$, with $c$ a lattice parameter close to 1. Therefore, to factorize an $m$-bit integer $N$, the number of qubits required in the algorithm is $O(m/\log m)$, which is sublinear in $m$, compared to $O(m)$ qubits in Shor’s algorithm [13] and $O(m^2)$ qubits in the product table method [25]. This makes our algorithm the most qubit-saving method to date, and it is also the first general quantum factoring algorithm with sublinear qubit resources.
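The construction of Eqs. (1)-(3) can be reproduced classically on a toy lattice. The block below is an added example, not code from the paper or its supplementary material: it assumes an already LLL-reduced basis, uses the nearest-plane form of Babai's rounding, restricts each $x_i$ to $\{0, s_i\}$ where $s_i$ points toward the other rounding of $\mu_i$ (one binary variable, hence one qubit, per lattice dimension), and replaces QAOA by exhaustive enumeration of the $2^n$ candidates. The basis `D`, the target `T` and all function names are constructed for illustration.

```python
# Added illustration (not the paper's code): Babai rounding plus the {0, s_i}
# refinement of Eqs. (1)-(3), with exhaustive search standing in for QAOA.
from fractions import Fraction
from itertools import product


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """Unnormalised Gram-Schmidt vectors d~_1..d~_n of the basis rows."""
    ortho = []
    for d in basis:
        w = [Fraction(x) for x in d]
        for o in ortho:
            coeff = dot(d, o) / dot(o, o)
            w = [wi - coeff * oi for wi, oi in zip(w, o)]
        ortho.append(w)
    return ortho


def babai(basis, target):
    """Nearest-plane rounding. Returns (c, mu, b_op) with b_op = sum_i c_i d_i."""
    ortho = gram_schmidt(basis)
    n = len(basis)
    residual = [Fraction(x) for x in target]
    c, mu = [0] * n, [Fraction(0)] * n
    for i in reversed(range(n)):
        mu[i] = dot(residual, ortho[i]) / dot(ortho[i], ortho[i])
        c[i] = round(mu[i])  # round-to-nearest, the single choice Babai makes
        residual = [r - c[i] * dj for r, dj in zip(residual, basis[i])]
    b_op = [t - r for t, r in zip(target, residual)]
    return c, mu, b_op


def loss(basis, target, b_op, x):
    """F(x) = || t - sum_i x_i d_i - b_op ||^2, Eq. (3)."""
    total = Fraction(0)
    for j in range(len(target)):
        shift = sum(xi * d[j] for xi, d in zip(x, basis))
        total += (target[j] - shift - b_op[j]) ** 2
    return total


def refine(basis, target):
    """Evaluate F on every {0, s_i} perturbation of Babai's coefficients."""
    c, mu, b_op = babai(basis, target)
    # s_i = +1 if mu_i was rounded down, -1 if it was rounded up (assumption:
    # this is the "other rounding" the text refers to; ties default to -1).
    step = [1 if m > ci else -1 for m, ci in zip(mu, c)]
    energies = {}
    for bits in product((0, 1), repeat=len(basis)):  # 2^n basis states
        x = tuple(b * s for b, s in zip(bits, step))
        energies[x] = loss(basis, target, b_op, x)
    best_x = min(energies, key=energies.get)
    v_new = [b + sum(xi * d[j] for xi, d in zip(best_x, basis))
             for j, b in enumerate(b_op)]
    return {
        "c": c,
        "b_op": b_op,
        "babai_loss": energies[(0,) * len(basis)],  # x = 0 is Babai's answer
        "best_x": best_x,
        "best_loss": energies[best_x],
        "v_new": v_new,
        "states": len(energies),
    }


# Constructed sample: an LLL-reduced (n+1) x n basis with n = 2, and a target
# for which round-to-nearest is not the closest lattice point.
D = [(20, 0, 0), (10, 20, 0)]
T = (9, 9, 3)

if __name__ == "__main__":
    result = refine(D, T)
    for key, value in result.items():
        print(key, value)
```

On this sample the all-zero string reproduces Babai's vector, and one of the four candidates is strictly closer to the target; the number of candidates doubles with each added lattice dimension, which is the search the quantum optimizer is asked to perform.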
The experiment and results
We demonstrate the algorithm by experimentally factoring three integers on a superconducting quantum processor, where ten qubits and nine couplers arranged in a chain topology are selected. All qubits and couplers are frequency-tunable transmons, with single-qubit rotations around the x- or y-axis of the Bloch sphere realized by applying drive signals with gate information encoded in the amplitude and phase of the microwave pulses. We adopt virtual-z gates to implement single-qubit rotations around the z-axis. Two-qubit controlled-Z (CZ) gates can be achieved by swapping the joint states $|11\rangle$ and $|02\rangle$ (or $|20\rangle$) of the neighboring qubits, when the interaction mediated by the coupler is activated [34]. Parallel cross-entropy benchmarking (XEB) yields average fidelities close to 99.9% and 99.5% for the single-qubit rotations and the CZ gates, respectively. More details of the experimental setup and characteristics of the quantum processor are given in [31].
We factorize the 11-bit integer 1961, the 26-bit integer 48567227 and the 48-bit integer 261980999226229 with 3, 5 and 10 superconducting qubits, respectively. Here we demonstrate the process of obtaining one sr-pair by the quantum method in each group of experiments. The calculations of the other sr-pairs are similar and will be obtained by a numerical method. The details of all the sr-pairs and the corresponding linear equation systems are presented in [31].
The topology of the ZZ terms in the problem Hamiltonian is an $n$-order complete graph ($K_n$) according to Eq. 4 [31]. An example for the 10-qubit case is shown in Fig. 2B. To make the $K_n$-type Hamiltonian work on the 1D chain of physical qubits, we have adopted a routing method based on the classical parallel bubble sort algorithm, in which the all-to-all qubit interactions can be mapped into nearest-neighbor two-qubit interactions on a chain through elaborate swap networks, as shown in Fig. 2D. In fact, the routing method is optimal with only a linear increase of circuit depth overhead. The swap networks are further compiled into the native gates (Fig. 2E), which can be directly executed on the quantum processor. Notably, a small trick has been used: an up-down combination of the ZZ-SWAP block in the even and odd layers of the swap networks. As a result, a linear depth of H gates can be saved.
QAOA can find the approximate ground state of the Hamiltonian system by updating the parameters (Fig. 2C; a detailed description can be found in [31]). The parameter optimization process of QAOA can be understood through the landscape of the energy function $E(\gamma, \beta)$. The comparison between the theoretical and the experimental landscapes is a qualitative diagnostic for the application of QAOA to real hardware. For the hyperparameter $p = 1$, we can visualize the energy landscape as a function of the parameters $(\gamma, \beta)$ in a three-dimensional plot in Fig. 3. Here, the energy function values are normalized by $E^* = (E - E_{\min})/(E_{\max} - E_{\min})$. Fig. 3 shows the noiseless simulated (left) and experimental (right) energy maps for the 3, 5 and 10 qubits cases, respectively. The different colors of the pixel blocks in the figure represent different function values. We overlay the convergence path of the classical optimization procedure, shown as the red curve in Fig. 3. To optimize the parameters, we use the model gradient descent method, which performs well both numerically and experimentally on some variational quantum ansatzes. We find that the algorithm can converge to the region of the global minimum within 10 steps in all three cases. The convergence paths of the experiments differ from those of the theoretical results, but they converge to the optimum in a comparable number of steps. This indicates that the algorithm is robust to a certain level of noise.
In QAOA, the core work of the quantum computer is to prepare the quantum states according to the given variational parameters. In theory, the performance of QAOA improves as the hyperparameter $p$ (the number of layers) increases. However, errors accumulate as the circuit depth increases, and the gain from the computation can be counteracted. Here we report the performance of the superconducting quantum processor on running circuits at the optimal $\beta, \gamma$ parameters. We show QAOA layers up to $p = 3$ for the cases of 3 and 5 qubits, and a single-layer QAOA for the 10-qubit case. Experiments with $p = 3$ for the 10-qubit case have also been performed; the results are apparently better than random guessing but not as good as those for $p = 1$ [31]. We can observe in Fig. 4A-C that the probability of the target state (red dashed box) increases as the hyperparameter $p$ grows. Although the increase is not as large as the theoretical value, it is in good agreement with the noise simulation. Similar results can be found in the 5-qubit experiment, see Fig. 4D-F. The results for the 10-qubit case with $p = 1$ are shown in Fig. 4G. We only show the most significant 120 states according to the theoretical results for illustration. We can find that the theoretical probability of the target state is 0.02 (the highest), while the experimental result is around 0.008, which is close to the noisy-simulation result 0.009. The experimental results are significantly larger than that of random guessing, 0.001, which means the computational gain of QAOA is still considerable. In addition, the shape of the probability distribution over the quantum states closely mirrors that of the simulation results, which shows that the experimental results are in good agreement with the theoretical values.
[Figure 3, panels A-F: energy landscapes $E^*$ over $(\gamma, \beta)$; noiseless simulation (left) and experiment (right) for the 3-qubit, 5-qubit and 10-qubit cases.]
FIG. 3. Energy landscapes and convergence paths of QAOA for $p = 1$. A, B, Numerical and experimental landscapes for the 3-qubit case, C, D 5-qubit case, and E, F 10-qubit case. In each group of the experiment, 41 × 41 combinations of $(\gamma, \beta)$ have been evaluated, which are evenly distributed grid points in a sub-zone of the entire 2-dimensional parameter space. For each grid point, the expectation value is estimated using 30,000 circuit repetitions. The comparison of the experimental and numerical landscapes shows a clear correspondence of landscape features. An overlaid optimization trace (red, initialized from the square marker and converged into the triangle) demonstrates the ability of a classical optimizer to find optimal parameters.
The quantum resource estimation
Here we report the quantum resources needed to challenge some real-life RSA numbers based on the SQIF algorithm in this paper. The main quantum resources mentioned include the number of qubits and the quantum circuit depth of QAOA in one layer. Usually, quantum circuits cannot be directly executed on quantum computing devices, as their design does not consider the qubit connectivity of actual physical systems. The execution process often requires additional quantum resources such as ancilla qubits and extended circuit depth. We have discussed the quantum resources required in quantum systems under three typical topologies: the all-connected system (Kn), the 2D-lattice system (2DSL), and the 1D-chain system (LNN). We demonstrate with specific schemes that the embedding process needs no extra qubit overhead and that the circuit depths of QAOA in one layer are $O(n)$ for all three systems. As a result, a sublinear quantum resource is necessary for factoring integers using our algorithm. Taking RSA-2048 as an example, the number of qubits required is $n = 2 \times 2048/\log 2048 \approx 372$. The quantum circuit depth of QAOA with a single layer is 1118 in the Kn topology system, 1139 in the 2DSL system and 1490 in the simplest LNN system, which is achievable for the NISQ devices in the near future. The quantum resources required for different lengths of RSA numbers are shown in Table I. The detailed analysis can be found in [31].
[Figure 4, panels A-H: bar charts of state probabilities (Experiment, Theory, Noisy) for the 3-qubit case with p = 1, 2, 3 (A-C), the 5-qubit case with p = 1, 2, 3 (D-F) and the 10-qubit case with p = 1 (G); H, legend of the color blocks for Q1-Q10, the zero state and the target state.]
FIG. 4. Experimental performance of QAOA for the three factoring cases. A-C, QAOA performance of the 3-qubit case with $p = 1$, $p = 2$ and $p = 3$, respectively. D-F, QAOA performance of the 5-qubit case with $p = 1$, $p = 2$ and $p = 3$, respectively. G, $p = 1$ performance of QAOA for the 10-qubit case. The experimental results shown in orange are averaged over 20 repeated experiments with error bars giving a confidence interval of one standard deviation. The theory (yellow) and 0.01-noise (taupe) results are also given for comparison. It can be observed that all three groups of experimental results on the superconducting quantum processor are in good agreement with the theoretical and 0.01-noise values. H, Representations of the color blocks that are basis states of different qubits in x-tick labels.
TABLE I. Resource estimation for RSA numbers. The main quantum resources mentioned are the number of qubits and the quantum circuit depth of QAOA with a single iteration in three typical topologies: the all-connected system (Kn), the 2D-lattice system (2DSL) and the 1D-chain system (LNN). The results are obtained without considering the native compilation of the ZZ-basic module (or ZZ-SWAP basic module) in a specific physical system.
RSA number   Qubits   Kn-depth   2DSL-depth   LNN-depth
RSA-128      37       113        121          150
RSA-256      64       194        204          258
RSA-512      114      344        357          458
RSA-1024     205      617        633          822
RSA-2048     372      1118       1139         1490
Conclusion
The integer factorization problem is the security cornerstone of today’s widely used RSA public key cryptography. In this paper, we have proposed a general quantum algorithm for integer factorization based on the classical lattice reduction method. To factor an $m$-bit integer $N$, the number of qubits needed for the algorithm is $O(m/\log m)$, which is sublinear in the bit length of $N$. This quantum factoring algorithm uses the fewest qubits compared with previous methods, including Shor’s algorithm. We have demonstrated the factoring principle for the algorithm on a superconducting quantum processor. The 48-bit integer 261980999226229 in our work is the largest integer factored by a general method in a real quantum system to date. We have analyzed the quantum resources required to factor RSA-2048 in quantum systems under three typical topologies. We find that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 even in the simplest 1D-chain system. Such a scale of quantum resources is most likely to be achieved on NISQ devices in the near future. It should be pointed out that the quantum speedup of the algorithm is unclear due to the ambiguous convergence of QAOA. However, the idea of optimizing the “size-reduce” procedure in Babai’s algorithm through QAOA can be used as a subroutine in a large group of widely used lattice reduction algorithms. Further on, it can help to analyze the quantum-resistant cryptographic problems based on lattices.
These authors contributed equally to this work.
2010wangzhen@zju.edu.cn
ma zhi@163.com
§gllong@tsinghua.edu.cn
[1] J. Preskill, Quantum computing in the NISQ era and beyond,
Quantum 2, 79 (2018).
[2] F. Arute, K. Arya, R. Babbush, D. Bacon, J. C. Bardin,
R. Barends, R. Biswas, S. Boixo, F. G. Brandao, D. A. Buell,
et al., Quantum supremacy using a programmable supercon-
ducting processor, Nature 574, 505 (2019).
[3] M. Cerezo, A. Arrasmith, R. Babbush, S. C. Benjamin, S. Endo,
K. Fujii, J. R. McClean, K. Mitarai, X. Yuan, L. Cincio, et al.,
Variational quantum algorithms, Nat. Rev. Phys. 3, 625 (2021).
[4] A. Peruzzo, J. McClean, P. Shadbolt, M.-H. Yung, X.-Q. Zhou,
P. J. Love, A. Aspuru-Guzik, and J. L. O’brien, A variational
eigenvalue solver on a photonic quantum processor, Nat. Com-
mun. 5, 1 (2014).
[5] E. Farhi, J. Goldstone, and S. Gutmann, A quantum approxi-
mate optimization algorithm, arXiv:1411.4028 (2014).
[6] Z. Wang, S. Wei, G.-L. Long, and L. Hanzo, Variational quan-
tum attacks threaten advanced encryption standard based sym-
metric cryptography, Sci. China Inf. Sci. 65, 1 (2022).
[7] S. McArdle, S. Endo, A. Aspuru-Guzik, S. C. Benjamin, and
X. Yuan, Quantum computational chemistry, Rev. Mod. Phys.
92, 015003 (2020).
[8] S. Wei, H. Li, and G. Long, A full quantum eigensolver for
quantum chemistry simulations, Research 2020 (2020).
[9] J. Biamonte, P. Wittek, N. Pancotti, P. Rebentrost, N. Wiebe,
and S. Lloyd, Quantum machine learning, Nature 549, 195
(2017).
[10] Z. Wang, S. Hadfield, Z. Jiang, and E. G. Rieffel, Quantum
approximate optimization algorithm for Maxcut: A fermionic
view, Phys. Rev. A 97, 022304 (2018).
[11] M. P. Harrigan, K. J. Sung, M. Neeley, K. J. Satzinger, F. Arute,
K. Arya, J. Atalaya, J. C. Bardin, R. Barends, S. Boixo, et al.,
Quantum approximate optimization of non-planar graph prob-
lems on a planar superconducting processor, Nature Physics 17,
332 (2021).
[12] R. L. Rivest, A. Shamir, and L. Adleman, A method for obtain-
ing digital signatures and public-key cryptosystems, Commun.
ACM 21, 120 (1978).
[13] P. Shor, Algorithms for quantum computation: discrete loga-
rithms and factoring, in Proc. 35th Ann. Symp. on Foundations
of Computer Science (1994) pp. 124–134.
[14] C. Gidney and M. Eker˚
a, How to factor 2048 bit RSA inte-
gers in 8 hours using 20 million noisy qubits, Quantum 5, 433
(2021).
[15] E. Gouzien and N. Sangouard, Factoring 2048-bit RSA integers
in 177 days with 13 436 qubits and a multimode memory, Phys.
Rev. Lett. 127, 140503 (2021).
[16] L. M. Vandersypen, M. Steffen, G. Breyta, C. S. Yannoni, M. H.
Sherwood, and I. L. Chuang, Experimental realization of Shor’s
quantum factoring algorithm using nuclear magnetic resonance,
Nature 414, 883 (2001).
[17] T. Monz, D. Nigg, E. A. Martinez, M. F. Brandl, P. Schindler,
R. Rines, S. X. Wang, I. L. Chuang, and R. Blatt, Realization of
a scalable shor algorithm, Science 351, 1068 (2016).
[18] E. Martin-Lopez, A. Laing, T. Lawson, R. Alvarez, X.-Q. Zhou,
and J. L. O’brien, Experimental realization of Shor’s quantum
factoring algorithm using qubit recycling, Nat. Photon. 6, 773
(2012).
[19] E. Farhi, J. Goldstone, S. Gutmann, J. Lapan, A. Lundgren,
and D. Preda, A quantum adiabatic evolution algorithm applied
to random instances of an NP-complete problem, Science 292,
472 (2001).
[20] G. Schaller and R. Sch ¨
utzhold, The role of symmetries in adi-
abatic quantum algorithms, Quantum Info. Comput. 10, 109
(2010).
[21] W. A. Borders, A. Z. Pervaiz, S. Fukami, K. Y. Camsari,
H. Ohno, and S. Datta, Integer factorization using stochastic
magnetic tunnel junctions, Nature 573, 390 (2019).
[22] B. Yan, H. Jiang, M. Gao, Q. Duan, H. Wang, and Z. Ma, Adi-
abatic quantum algorithm for factorization with growing mini-
mum energy gap, Quan. Eng. 3, e59 (2021).
[23] E. Anschuetz, J. Olson, A. Aspuru-Guzik, and Y. Cao, Varia-
tional quantum factoring, in Int. Worksh. on Quantum Technol-
ogy and Optimization Problems (Springer, 2019) pp. 74–85.
[24] K. Xu, T. Xie, Z. Li, X. Xu, M. Wang, X. Ye, F. Kong, J. Geng,
C. Duan, F. Shi, et al., Experimental adiabatic quantum factor-
ization under ambient conditions based on a solid-state single
spin system, Phys. Rev. Lett. 118, 130504 (2017).
[25] S. Jiang, K. A. Britt, A. J. McCaskey, T. S. Humble, and
S. Kais, Quantum annealing for prime factorization, Sci. Rep.
8, 1 (2018).
[26] Z. Li, N. S. Dattani, X. Chen, X. Liu, H. Wang, R. Tanburn,
H. Chen, X. Peng, and J. Du, High-fidelity adiabatic quan-
tum computation using the intrinsic hamiltonian of a spin sys-
tem: Application to the experimental factorization of 291311,
arXiv:1706.08061 (2017).
[27] A. H. Karamlou, W. A. Simon, A. Katabarwa, T. L. Scholten,
B. Peropadre, and Y. Cao, Analyzing the performance of vari-
ational quantum factoring on a superconducting quantum pro-
cessor, npj Quantum Inf. 7, 1 (2021).
[28] M. Mosca and S. R. Verschoor, Factoring semi-primes with
(quantum) SAT-solvers, Sci. Rep. 12, 1 (2022).
[29] C. P. Schnorr, Factoring integers by CVP algorithms, in Number
Theory and Cryptography (Springer, 2013) pp. 73–93.
[30] C. P. Schnorr, Fast factoring integers by SVP algorithms, cor-
rected, Cryptology ePrint Archive (2021).
[31] See supplementary materials.
[32] L. Babai, On lov´
asz’lattice reduction and the nearest lattice
point problem, Combinatorica 6, 1 (1986).
[33] D. Micciancio, The hardness of the closest vector problem with
preprocessing, IEEE Trans. Inf. Theory 47, 1212 (2001).
[34] X. Zhang, W. Jiang, J. Deng, K. Wang, J. Chen, P. Zhang,
W. Ren, H. Dong, S. Xu, Y. Gao, et al., Digital quantum simula-
tion of Floquet symmetry-protected topological phases, Nature
7
607, 468 (2022).
[35] A. K. Lenstra, H. W. Lenstra, and Lov´
asz, Factoring polynomi-
als with rational coefficients, Math. Ann 261, 515 (1982).
[36] M. Ajtai, R. Kumar, and D. Sivakumar, A sieve algorithm for
the shortest lattice vector problem, in STOC ’01 (2001) pp. 601–
610.
[37] C.-P. Schnorr and M. Euchner, Lattice basis reduction: Im-
proved practical algorithms and solving subset sum problems,
Math Program 66, 181 (1994).
[38] U. Fincke and M. Pohst, Improved methods for calculating vec-
tors of short length in a lattice, including a complexity analysis,
Math. Comp 44, 463 (1985).
[39] C.-P. Schnorr and H. H. Hörner, Attacking the Chor-Rivest cryptosystem by improved lattice reduction, in Proc. EUROCRYPT '95 (Springer, 1995) pp. 1–12.
[40] N. Gama, P. Q. Nguyen, and O. Regev, Lattice enumeration
using extreme pruning, in Proc. EUROCRYPT ’10 (Springer,
2010) pp. 257–278.
[41] C. Schnorr, Factoring integers and computing discrete loga-
rithms via diophantine approximation, in Proc. EUROCRYPT
’91 (1991) pp. 281–293.
[42] J. W. S. Cassels, An introduction to the geometry of numbers
(Springer Science & Business Media, 2012).
[43] G. A. Kabatiansky and V. I. Levenshtein, On bounds for pack-
ings on a sphere and in space, Probl. Peredachi Inf. 14, 3 (1978).
[44] S. Xu, Z.-Z. Sun, K. Wang, L. Xiang, Z. Bao, Z. Zhu, F. Shen,
Z. Song, P. Zhang, W. Ren, et al., Digital simulation of non-
Abelian anyons with 68 programmable superconducting qubits,
arXiv:2211.09802 (2022).
[45] Z. Wang, Y. Chen, Z. Song, D. Qin, H. Li, Q. Guo, H. Wang,
C. Song, and Y. Li, Scalable evaluation of quantum-circuit er-
ror loss using clifford sampling, Phys. Rev. Lett. 126, 080501
(2021).
[46] D. C. McKay, C. J. Wood, S. Sheldon, J. M. Chow, and J. M. Gambetta, Efficient Z gates for quantum computing, Phys. Rev. A 96, 022330 (2017).
[47] W. Ren, W. Li, S. Xu, K. Wang, W. Jiang, F. Jin, X. Zhu,
J. Chen, P. Zhang, H. Dong, et al., Experimental quantum ad-
versarial learning with programmable superconducting qubits,
arXiv:2204.01738 (2022).
[48] K. J. Sung, J. Yao, M. P. Harrigan, N. C. Rubin, Z. Jiang, L. Lin,
R. Babbush, and J. R. McClean, Using models to improve opti-
mizers for variational quantum algorithms, Quantum Sci. Tech-
nol. 5, 044008 (2020).
[49] J. C. Lagarias, J. A. Reeds, M. H. Wright, and P. E. Wright,
Convergence properties of the Nelder–Mead simplex method
in low dimensions, SIAM J. Optim. 9, 112 (1998).
[50] C. G. Broyden, The convergence of a class of double-rank min-
imization algorithms 1. general considerations, IMA J Appl
Math 6, 76 (1970).
[51] D. C. Liu and J. Nocedal, On the limited memory BFGS method
for large scale optimization, Math Program 45, 503 (1989).
[52] G. Pagano, A. Bapat, P. Becker, K. S. Collins, A. De, P. W.
Hess, H. B. Kaplan, A. Kyprianidis, W. L. Tan, C. Baldwin,
et al., Quantum approximate optimization of the long-range
Ising model with a trapped-ion quantum simulator, PNAS 117,
25396 (2020).
[53] Y. Takahashi, N. Kunihiro, and K. Ohta, The quantum fourier
transform on a linear nearest neighbor architecture, Quantum
Info. Comput. 7, 383 (2007).
[54] S. A. Kutin, Shor’s algorithm on a nearest-neighbor machine,
arXiv:quant-ph/0609001 (2006).
[55] D. Cheung, D. Maslov, and S. Severini, Translation techniques
between quantum circuit architectures, in Workshop on Quant.
Inf. Proc. (Citeseer, 2007).
[56] Y. Hirata, M. Nakanishi, S. Yamashita, and Y. Nakashima, An
efficient method to convert arbitrary quantum circuits to ones
on a linear nearest neighbor architecture, in ICQNM ’09 (IEEE,
2009) pp. 26–33.
[57] M. Saeedi, R. Wille, and R. Drechsler, Synthesis of quantum
circuits for linear nearest neighbor architectures, Quantum Inf
Process 10, 355 (2011).
[58] R. Wille, O. Keszocze, M. Walter, P. Rohrs, A. Chattopadhyay,
and R. Drechsler, Look-ahead schemes for nearest neighbor op-
timization of 1D and 2D quantum circuits, in ASP-DAC ’16
(IEEE, 2016) pp. 292–297.
[59] A. Farghadan and N. Mohammadzadeh, Quantum circuit phys-
ical design flow for 2D nearest-neighbor architectures, Int. J.
Circ. Theor. Appl. 45, 989 (2017).
Acknowledgements: We thank H. Fan, K. Xu and C. Chen for helpful discussions. The device was fabricated at the Micro-Nano Fabrication Center of Zhejiang University. The experiment was performed on the quantum computing platform at Zhejiang University.
Funding: This research was supported by the National Nat-
ural Science Foundation of China (Grant Nos. U20A2076,
12274367, 12174342, 12005015, 61972413, 61901525,
11974205, 11774197), the Zhejiang Province Key Research
and Development Program (Grant No. 2020C01019), the
Fundamental Research Funds for the Central Universities
(Grant No. 2022QZJH03), the National Key Research and
Development Program of China (2017YFA0303700), the Key
Research and Development Program of Guangdong province
(2018B030325002).
Author contributions: B.Y. proposed the SQIF algorithm and designed the experiment scheme. Z.T. and C.Z. carried out the experiments and collected results under the supervision of Z.W. J.C., X.Z. and F.J. designed the device, and H.L. fabricated the device supervised by H.W. S.-J.W., H.W., Q.D. contributed to the theory and experiment design. H.J., W.W., L.L., W.S., Y.H. performed numerical simulations. Y.L., Y.F., X.M., Z.S. contributed to the depth analysis. Z.M. and G.-L.L. initiated and supervised this project. All authors contributed to the writing of the manuscript.
Competing interests: All authors declare no competing in-
terests.
Data and materials availability: The data presented in the figures and that support the other findings of this study will be publicly available upon its publication.
Supplementary material for “Factoring integers
with sublinear resources on a superconducting
quantum processor”
CONTENTS
References
I. Background knowledge about lattice
A. Basic concepts
B. LLL algorithm
C. Babai's nearest plane algorithm
II. Schnorr's integer factoring algorithm
A. Schnorr's sieve method
B. The construction of the lattice and target vector
C. Solving the CVP
III. The sublinear scheme about lattice dimension
A. The history results
B. Linear scheme
C. Sublinear scheme
IV. Preprocessing: the details about the factoring cases
A. The construction of the lattice and target vector
B. Solving the CVP using Babai's algorithm
C. The problem Hamiltonian
D. The energy spectrum and the target state
V. Experimental details
A. Device parameters
B. Benchmarking the experimental gates
C. QAOA procedure and the convergence
D. 10-qubit case up to p = 3
VI. Postprocessing: the smooth relation pairs and linear equations
A. The 3-qubit case
B. The 5-qubit case
C. The 10-qubit case
VII. The exploration of quantum advantage
A. The random sample results
B. Quantum advantage and lattice precision
C. Quantum advantage and lattice dimension
VIII. The resource estimation for RSA-2048
A. Introduction
B. Problem description
C. Circuit depth under complete graph topology
D. Circuit depth under linear chain topology and lattice topology
E. Resource estimation for RSA-2048
I. BACKGROUND KNOWLEDGE ABOUT LATTICE
In recent years, lattices have been used as algorithmic tools to solve a wide variety of problems in computer science, mathematics and cryptography, especially in quantum-resistant cryptography protocols. The following introduces some basic concepts and well-known lattice algorithms that are closely related to our work.
A. Basic concepts
Let $\|\cdot\|$ be the Euclidean norm of the vectors in $\mathbb{R}^m$. Vectors will be written in bold and we use row-representation for matrices. For a matrix $M$, we usually denote its coefficients by $m_{i,j}$. We also use superscript 'T' to represent the transpose of matrices or vectors.
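Lattice: Let $\mathbf{b}_1, ..., \mathbf{b}_n \in \mathbb{R}^m$ be a group of linearly independent column vectors. We call the set of all linear combinations of these vectors with integer coefficients a lattice, denoted as
$$\Lambda(B) = \{B\mathbf{x} \mid \mathbf{x} \in \mathbb{Z}^n\} = \{\mathbf{b} = x_1\mathbf{b}_1 + ... + x_n\mathbf{b}_n \mid x_1, ..., x_n \in \mathbb{Z}\}, \tag{S1}$$
where $B = [\mathbf{b}_1, ..., \mathbf{b}_n] \in \mathbb{R}^{m \times n}$ is called a basis matrix, which could also be used to represent a lattice for simplicity. $\{\mathbf{b}_1, ..., \mathbf{b}_n\}$ is a basis of the lattice $\Lambda(B)$. The dimension of the lattice $\Lambda$ is $n$. The determinant of $\Lambda$ is $\det \Lambda = (\det B^T B)^{1/2}$, where $B^T$ is the transpose of $B$. For a square matrix $B$, it is directly $\det \Lambda = \det B$. The determinant also represents the volume of the lattice from a geometric perspective, denoted as $\mathrm{vol}(\Lambda)$. The length of the lattice point $\mathbf{b} \in \mathbb{R}^m$ is defined as $\|\mathbf{b}\| = (\mathbf{b}^T \mathbf{b})^{1/2}$.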
Successive minima: The successive minima of an $n$-dimensional lattice $\Lambda$ are the positive quantities $\lambda_1(\Lambda) \le \lambda_2(\Lambda) \le ... \le \lambda_n(\Lambda)$, where $\lambda_k(\Lambda)$ is the smallest radius of a zero-centered ball containing $k$ linearly independent vectors of $\Lambda$. Denote $\lambda_1 = \lambda_1(\Lambda)$ as the length of the shortest nonzero vector of $\Lambda$.
Hermite's constant: The Hermite invariant of the lattice $\Lambda$ is defined by
$$\gamma(\Lambda) = \lambda_1^2(\Lambda)/\mathrm{vol}(\Lambda)^{2/n} = \lambda_1^2(\Lambda)/\det(\Lambda)^{2/n}. \tag{S2}$$
Hermite's constant $\gamma_n$ is the maximal value of $\gamma(\Lambda)$ over all $n$-dimensional lattices, or equivalently the minimal constant $\gamma$ for which $\lambda_1(\Lambda)^2 \le \gamma (\det \Lambda)^{2/n}$ is satisfied for all $n$-dimensional lattices.
QR-decomposition: The lattice basis matrix $B$ has the unique decomposition $B = QR \in \mathbb{R}^{m \times n}$, $R = [r_{i,j}]_{1 \le i,j \le n} \in \mathbb{R}^{n \times n}$, where $Q \in \mathbb{R}^{m \times n}$ is isometric (with pairwise orthogonal column vectors of length 1) and $R \in \mathbb{R}^{n \times n}$ is an upper-triangular matrix with positive diagonal entries $r_{i,i}$. The Gram-Schmidt (GS) coefficients $\mu_{j,i} = r_{i,j}/r_{i,i}$ can be obtained easily by the QR-decomposition. For an integer matrix $B$, the GS coefficients are usually rational.
Shortest Vector Problem (SVP): Given a basis $B$ of a lattice $\Lambda$,
  Shortest Vector Problem (SVP): Find a vector $\mathbf{v} \in \Lambda$, such that $\|\mathbf{v}\| = \lambda_1(\Lambda)$.
  Approximate Shortest Vector Problem ($\alpha$-SVP): Find a nonzero vector $\mathbf{v} \in \Lambda$, such that $\|\mathbf{v}\| \le \alpha \cdot \lambda_1(\Lambda)$.
  Hermite Shortest Vector Problem ($r$-Hermite SVP): Find a nonzero vector $\mathbf{v} \in \Lambda$, such that $\|\mathbf{v}\| \le r \cdot \det(\Lambda)^{1/n}$.
The parameter $\alpha \ge 1$ in $\alpha$-SVP is called the approximation factor. Usually, the problem becomes easier when $\alpha$ gets bigger. When $\alpha = 1$, $\alpha$-SVP and SVP are the same problem. The real value of $\lambda_1$ in $\alpha$-SVP is hard to obtain because of the hardness of SVP. Thus the solution of $\alpha$-SVP is hard to check in some cases. The problem $r$-Hermite SVP is defined by a computable (relatively easy to compute) value $\det(\Lambda)^{1/n}$ instead of $\lambda_1$ to qualify the solution. As a result, we can check the solution easily but lack a comparison with the shortest vector.
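Closest Vector Problem (CVP): Given a basis $B$ of a lattice $\Lambda$, and a target vector $\mathbf{t} \in \mathrm{span}(B)$,
  Closest Vector Problem (CVP): Find a vector $\mathbf{v} \in \Lambda$, such that the distance $\|\mathbf{v} - \mathbf{t}\|$ is minimized, namely $\|\mathbf{v} - \mathbf{t}\| = \mathrm{dist}(\Lambda, \mathbf{t})$.
  $\alpha$-Approximate Closest Vector Problem ($\alpha$-CVP): Find a vector $\mathbf{v} \in \Lambda$, such that the distance $\|\mathbf{v} - \mathbf{t}\| \le \alpha \cdot \mathrm{dist}(\Lambda, \mathbf{t})$.
  $r$-Approximate Closest Vector Problem ($r$-AbsCVP): Find a vector $\mathbf{v} \in \Lambda$, such that the distance $\|\mathbf{v} - \mathbf{t}\| \le r$.
Here the problem definitions are similar to those in SVP, and the role of the parameter $\alpha \ge 1$ in $\alpha$-CVP is the same as in $\alpha$-SVP. In $r$-AbsCVP, the parameter $r$ can be any reasonable value which is comparable to $\mathrm{dist}(\Lambda, \mathbf{t})$, such as $\det(\Lambda)^{1/n}$ in $r$-Hermite SVP.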
B. LLL algorithm
The LLL algorithm is one of the most famous algorithms in the field of lattice reduction, proposed by A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász in 1982 [35]. For an $n$-dimensional lattice, the algorithm can be used to solve the $\alpha$-SVP with $\alpha = (2/\sqrt{3})^n$ in polynomial time. The related concepts and algorithms are as follows.
LLL basis: A basis $B = QR$ is called LLL-reduced or an LLL basis, given LLL-reduction parameter $\delta \in (\frac{1}{4}, 1]$, if it satisfies:
  i. $|r_{i,j}|/r_{i,i} \le \frac{1}{2}$, for all $j > i$;
  ii. $\delta r_{i,i}^2 \le r_{i,i+1}^2 + r_{i+1,i+1}^2$, for $i = 1, ..., n-1$.
Obviously, an LLL basis also satisfies $r_{i,i}^2 \le \alpha r_{i+1,i+1}^2$, for $\alpha = 1/(\delta - \frac{1}{4})$.
The parameters considered in the original literature of the LLL algorithm are $\delta = 3/4$, $\alpha = 2$. A well-known result about LLL bases shows that for any $\delta < 1$, an LLL basis can be obtained in polynomial time and that it nicely approximates the successive minima:
  iii. $\alpha^{-i+1} \le \|\mathbf{b}_i\|^2 \lambda_i^{-2} \le \alpha^{n-1}$, for $i = 1, ..., n$;
  iv. $\|\mathbf{b}_1\|^2 \le \alpha^{\frac{n-1}{2}} (\det \Lambda)^{2/n}$.
LLL algorithm: Given a basis $B = [\mathbf{b}_1, ..., \mathbf{b}_n] \in \mathbb{Z}^{m \times n}$, the algorithm can make it LLL-reduced, that is, convert it into an LLL basis. The algorithm consists of three main steps: Gram-Schmidt orthogonalization, reduction, and swap. The specific steps can be found in Algorithm 1.
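Algorithm 1: LLL-reduction algorithm
Input: lattice basis $\mathbf{b}_1, ..., \mathbf{b}_n \in \mathbb{Z}^m$, parameter $\delta$
Output: $\delta$-LLL-reduced basis
1. Gram-Schmidt orthogonalization
   Apply the Gram-Schmidt orthogonalization to the basis $\mathbf{b}_1, ..., \mathbf{b}_n$, denote the results as: $\tilde{\mathbf{b}}_1, ..., \tilde{\mathbf{b}}_n \in \mathbb{R}^m$.
2. Reduction step
   for i from 2 to n do
     for j from i-1 to 1 do
       $\mathbf{b}_i \leftarrow \mathbf{b}_i - c_{i,j}\mathbf{b}_j$, where $c_{i,j} = \lceil \langle \mathbf{b}_i, \tilde{\mathbf{b}}_j \rangle / \langle \tilde{\mathbf{b}}_j, \tilde{\mathbf{b}}_j \rangle \rfloor$.
     end
   end
3. Swap step
   if $\exists\, i$ s.t. $\delta \|\tilde{\mathbf{b}}_i\|^2 > \|\mu_{i+1,i}\tilde{\mathbf{b}}_i + \tilde{\mathbf{b}}_{i+1}\|^2$ then
     $\mathbf{b}_i \leftrightarrow \mathbf{b}_{i+1}$,
     go to 1.
   end
4. Output $\mathbf{b}_1, ..., \mathbf{b}_n$.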
C. Babai’s nearest plane algorithm
Babai's nearest plane algorithm [32] (Babai's algorithm for short) can be used to solve CVP. For an $n$-dimensional lattice, the algorithm can obtain an approximation factor of $\alpha = 2(2/\sqrt{3})^n$ for $\alpha$-CVP. The algorithm consists of two steps. The first is to reduce the input lattice basis with the LLL algorithm. The second is a size reduction procedure, which mainly calculates the linear combination with integer coefficients that is closest to the target vector $\mathbf{t}$ under the LLL basis. This step is essentially the same as the second step in LLL reduction. The specific steps of the algorithm can be found in Algorithm 2.
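Algorithm 2: Babai's algorithm
Input: lattice basis $\mathbf{b}_1, ..., \mathbf{b}_n \in \mathbb{Z}^m$, parameter $\delta = 3/4$ and target $\mathbf{t} \in \mathbb{Z}^m$
Output: a vector $\mathbf{x} \in \Lambda(B)$, such that $\|\mathbf{x} - \mathbf{t}\| \le 2^{n/2}\,\mathrm{dist}(\mathbf{t}, \Lambda(B))$
1. LLL reduction
   Apply the LLL reduction on basis $B$ with parameter $\delta$. Denote the results as $\tilde{\mathbf{b}}_1, ..., \tilde{\mathbf{b}}_n \in \mathbb{R}^m$.
2. Size reduction
   $\mathbf{b} \leftarrow \mathbf{t}$
   for j from n to 1 do
     $\mathbf{b} \leftarrow \mathbf{b} - c_j\mathbf{b}_j$, where $c_j = \lceil \langle \mathbf{b}, \tilde{\mathbf{b}}_j \rangle / \langle \tilde{\mathbf{b}}_j, \tilde{\mathbf{b}}_j \rangle \rfloor$.
   end
3. Output $\mathbf{t} - \mathbf{b}$.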
II. SCHNORR’S INTEGER FACTORING ALGORITHM
A. Schnorr’s sieve method
Consider a general integer factoring situation in which the integer is to be factored into two non-trivial factors, namely given $N$, finding the factors $p, q$ $(p < q)$ such that $N = p \times q$. The sieve method to factor an integer first needs to define the smooth relation pair. Let $p_i$, $i = 1, ..., n$ be the first $n$ primes together with $p_0$, which satisfy $-1 = p_0 < 1 < p_1 < ... < p_n < p$. The set $P = \{p_i\}_{i=0,...,n}$ is called a prime basis. $p_0 = -1$ is not a prime; nevertheless, it is included to characterize the sign of an integer. An integer is called $p_n$-smooth if all of its prime factors are less than $p_n$; here $p_n$ is also called the smooth bound. The integer pair $(u_j, v_j)$ is called a $p_n$-smooth pair if both $u_j$ and $v_j$ are $p_n$-smooth. Furthermore, a pair of integers $(u_j, v_j)$ is called a $p_n$-smooth relation pair (abbreviated as sr-pair) if
$$u_j = \prod_{i=1}^{n} p_i^{e_{i,j}}, \quad u_j - v_j N = \prod_{i=0}^{n} p_i^{e'_{i,j}}, \tag{S3}$$
where $e_{i,j}, e'_{i,j} \in \mathbb{N}$. Then we have
$$(u_j - v_j N)/u_j \equiv \prod_{i=0}^{n} p_i^{e'_{i,j} - e_{i,j}} \equiv 1 \bmod N. \tag{S4}$$
It should be noted that a smooth pair differs from an sr-pair: the sr-pair not only needs to be smooth, but must also meet the stricter conditions in Eq. S3. Let $S = \{(u_j, v_j)\}_{j=1,...,n+1}$ be a set of $n+1$ sr-pairs. Suppose there exists a group of coefficients $t_1, ..., t_{n+1} \in \{0, 1\}$, such that
$$\sum_{j=1}^{n+1} t_j (e'_{i,j} - e_{i,j}) \equiv 0 \bmod 2, \quad i = 0, 1, ..., n. \tag{S5}$$
Denote $X = \prod_{i=0}^{n} p_i^{\frac{1}{2}\sum_{j=1}^{n+1} t_j (e'_{i,j} - e_{i,j})}$, then we have
$$X^2 - 1 = (X + 1)(X - 1) \equiv 0 \bmod N. \tag{S6}$$
If $X \not\equiv \pm 1 \bmod N$, then we'll obtain a nontrivial factor of $N$ by $\gcd(X \pm 1, N)$.
Since the dimension of the linear equation system is $O(n)$ and it can be solved within $O(n^3)$ operations, we neglect this minor part of the workload for factoring $N$. Hence the factoring problem is reduced to the sr-pair problem. This problem will be transformed into the closest vector problem on a lattice in the following part.
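The postprocessing of Eqs. S3–S6, as an added Python example that is not code from the paper: it collects sr-pairs, solves Eq. S5 over GF(2), and returns a factor from $\gcd(X \pm 1, N)$. The brute-force scan in `find_sr_pairs` stands in for the lattice step, and the modulus 1961, the prime basis up to 31, the scan window and all function names are constructed for illustration.

```python
from math import gcd

N_SAMPLE = 1961                                              # constructed toy modulus
BASE_SAMPLE = [-1, 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31]   # p_0 = -1, then the primes up to 31

def exponents(m, base):
    """Exponent vector of m over base, or None if m is 0 or not smooth."""
    if m == 0:
        return None
    vec, m = [1 if m < 0 else 0], abs(m)
    for p in base[1:]:
        e = 0
        while m % p == 0:
            m, e = m // p, e + 1
        vec.append(e)
    return vec if m == 1 else None

def find_sr_pairs(N, base, v_max, window):
    """Brute-force stand-in for the lattice step: keep (u, v) near v*N that satisfy Eq. S3."""
    pairs = []
    for v in range(1, v_max + 1):
        if exponents(v, base) is None:
            continue
        for u in range(max(2, v * N - window), v * N + window + 1):
            eu, ed = exponents(u, base), exponents(u - v * N, base)
            if eu and ed:
                pairs.append((u, v, [b - a for a, b in zip(eu, ed)]))   # e' - e
    return pairs

def dependencies(vectors):
    """Basis of the subsets t (bitmasks over relations) that satisfy Eq. S5."""
    pivots, deps = {}, []                 # leading bit -> (parity row, subset bitmask)
    for j, vec in enumerate(vectors):
        row = sum((e & 1) << i for i, e in enumerate(vec))
        combo = 1 << j
        while row:
            lead = row.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (row, combo)
                break
            row, combo = row ^ pivots[lead][0], combo ^ pivots[lead][1]
        else:
            deps.append(combo)            # parity row reduced to zero: all sums are even
    return deps

def factor_from_relations(N, base, pairs):
    """Build X of Eq. S6 for each dependency and return the first nontrivial gcd."""
    vectors = [d for _, _, d in pairs]
    for combo in dependencies(vectors):
        total = [0] * len(base)
        for j, vec in enumerate(vectors):
            if combo >> j & 1:
                total = [a + b for a, b in zip(total, vec)]
        X = 1
        for p, s in zip(base, total):
            X = X * pow(p, s // 2, N) % N     # negative exponent -> modular inverse
        for g in (gcd(X - 1, N), gcd(X + 1, N)):
            if 1 < g < N:
                return g
    return None
```
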
B. The construction of the lattice and target vector
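The sr-pairs will be obtained from the approximate solution of CVP in Schnorr's algorithm. We first introduce the construction of the prime lattice $\Lambda(B_{n,c})$ and the target vector $\mathbf{t} \in \mathbb{R}^{n+1}$, where $c > 0$ is an adjustable parameter. The matrix form of the lattice $B_{n,c} = [\mathbf{b}_1, ..., \mathbf{b}_n] \in \mathbb{R}^{(n+1) \times n}$ can be constructed as
$$B_{n,c} = \begin{bmatrix} f(1) & 0 & \cdots & 0 \\ 0 & f(2) & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & f(n) \\ N^c \ln p_1 & N^c \ln p_2 & \cdots & N^c \ln p_n \end{bmatrix}, \quad \mathbf{t} = \begin{bmatrix} 0 \\ \vdots \\ 0 \\ N^c \ln N \end{bmatrix}, \tag{S7}$$
where the functions $f(i)$ for $i = 1, ..., n$ are the random permutations of the diagonal elements $(\sqrt{\ln p_1}, \sqrt{\ln p_2}, ..., \sqrt{\ln p_n})$.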
A lattice point or vector can be represented by the integer combination of the lattice basis as $\mathbf{b} = \sum_{i=1}^{n} e_i \mathbf{b}_i \in \Lambda(B_{n,c})$, where $e_i \in \mathbb{Z}$ for $i = 1, ..., n$. In the following, we'll assume $(u, v)$ is $p_n$-smooth and $\gcd(u, v) = 1$. Then $u, v$ can be represented by the product of primes on the prime basis, namely:
$$u = \prod_{e_i > 0} p_i^{e_i}, \quad v = \prod_{e_i < 0} p_i^{-e_i}. \tag{S8}$$
Under this representation, the smooth pair $(u, v)$ corresponds one-to-one to the vector $\mathbf{b} = (e_1, ..., e_n)$ in the lattice, denoted as $\mathbf{b} \sim (u, v)$. Therefore, a vector on a lattice encodes a smooth pair.
The closest vector problem (CVP) is to find a vector $\mathbf{b}_0 \in \Lambda(B_{n,c})$ which is closest to the target vector $\mathbf{t}$, mathematically expressed as
$$\mathbf{b}_0 = \arg\min_{\mathbf{b} \in \Lambda} \|\mathbf{b} - \mathbf{t}\|. \tag{S9}$$
According to the above definition, the following relationship is established
$$\|\mathbf{b} - \mathbf{t}\|^2 \ge \ln(uv) + N^{2c}\left|\ln\frac{u}{vN}\right|^2. \tag{S10}$$
Equality holds if and only if $e_i \in \{-1, 0, 1\}$, that is, $u, v$ do not contain square factors. The constant $N^{2c}$ acts as a "weight" which is controlled by adjusting the parameter $c$. When $N^{2c} \gg \ln(uv)$, the main part of the expression is $N^{2c}|\ln\frac{u}{vN}|^2$. Hence the quantity $|\ln\frac{u}{vN}|^2$, or further on, $|u - vN|$, can be affected by the parameter $c$, which is also called the precision parameter. According to the inequality S10, we can find that the shorter the length of the distance vector $\mathbf{b} - \mathbf{t}$, the smaller $|u - vN|$ could be, hence the higher the probability for $(u, v)$ being an sr-pair. Further discussion about this relationship can be found in the next part of this Material.
C. Solving the CVP
There are mainly two well-studied approaches to solve CVP or approximate CVP. One is based on the sieve method, which was first proposed by Ajtai et al. in 2001 [36]. The other is based on Babai's algorithm, in which a lattice reduction method such as the LLL algorithm is first applied to obtain a relatively short basis, and the size-reduction procedure is then applied to get the approximate closest vector solution. Schnorr adopted the latter approach to solve CVP. In fact, some superior lattice reduction methods such as BKZ [37], HKZ, ENUM [37–40] and so on can be used to make the algorithm more efficient. However, these methods are more complicated and require more specialized knowledge, which is out of the scope of this paper. When we mention Babai's algorithm in the following part (and in the main text), we adopt the LLL lattice reduction algorithm, which is simple and relatively easy to understand. Besides, the principle of quantum enhancement of Babai's algorithm is general for any lattice reduction algorithm.
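Algorithms 1 and 2 applied to the lattice of Eq. S7, as an added Python example (not the authors' code): exact-rational LLL and Babai size reduction, with the resulting lattice vector decoded to a pair $(u, v)$ via Eq. S8 and compared against Eq. S10. Assumptions: basis vectors are stored as rows, $f$ is the identity permutation, lattice entries are double-precision values converted to exact fractions, and the sample values ($N = 1961$, five primes, $c = 1.5$) are constructed.

```python
from fractions import Fraction
from math import log, sqrt

SAMPLE = (1961, [2, 3, 5, 7, 11], 1.5)   # constructed: N, prime basis, precision c

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def gram_schmidt(B):                      # orthogonalised rows b~_1..b~_n, not normalised
    Bs = []
    for b in B:
        v = list(b)
        for s in Bs:
            m = dot(b, s) / dot(s, s)
            v = [x - m * y for x, y in zip(v, s)]
        Bs.append(v)
    return Bs

def lll(B, delta=Fraction(3, 4)):
    """Algorithm 1 in exact rational arithmetic; the rows of B are the basis vectors."""
    B = [[Fraction(x) for x in row] for row in B]
    while True:
        Bs = gram_schmidt(B)                  # step 1 (step 2 leaves the b~_i unchanged)
        for i in range(1, len(B)):            # step 2: size reduction
            for j in range(i - 1, -1, -1):
                c = round(dot(B[i], Bs[j]) / dot(Bs[j], Bs[j]))
                B[i] = [x - c * y for x, y in zip(B[i], B[j])]
        for i in range(len(B) - 1):           # step 3: swap the first pair failing the test
            n_i = dot(Bs[i], Bs[i])
            mu = dot(B[i + 1], Bs[i]) / n_i
            if delta * n_i > mu * mu * n_i + dot(Bs[i + 1], Bs[i + 1]):
                B[i], B[i + 1] = B[i + 1], B[i]
                break
        else:
            return B                          # step 4: no swap needed

def babai(B, t):
    """Algorithm 2: LLL-reduce, size-reduce t against the reduced basis, return t - b."""
    R = lll(B)
    Bs = gram_schmidt(R)
    b = [Fraction(x) for x in t]
    for j in range(len(R) - 1, -1, -1):
        c = round(dot(b, Bs[j]) / dot(Bs[j], Bs[j]))
        b = [x - c * y for x, y in zip(b, R[j])]
    return [Fraction(x) - y for x, y in zip(t, b)]

def prime_lattice(N, primes, c):
    """Basis rows b_i and target t of Eq. S7, with f taken as the identity permutation."""
    w, n, B = N ** c, len(primes), []
    for i, p in enumerate(primes):
        row = [Fraction(0)] * (n + 1)
        row[i], row[n] = Fraction(sqrt(log(p))), Fraction(w * log(p))
        B.append(row)
    return B, [Fraction(0)] * n + [Fraction(w * log(N))]

def is_smooth(m, primes):
    m = abs(m)
    for p in primes:
        while m and m % p == 0:
            m //= p
    return m == 1

def closest_pair(N, primes, c):
    """Babai on the prime lattice; returns (u, v, |b-t|^2, right side of S10, sr-pair?)."""
    B, t = prime_lattice(N, primes, c)
    x = babai(B, t)
    u = v = 1
    for i, p in enumerate(primes):
        e = int(x[i] / B[i][i])               # integer coefficient e_i of b_i (Eq. S8)
        u, v = (u * p ** e, v) if e > 0 else (u, v * p ** -e)
    d = [a - b for a, b in zip(x, t)]
    bound = log(u * v) + N ** (2 * c) * log(u / (v * N)) ** 2
    return u, v, float(dot(d, d)), bound, is_smooth(u - v * N, primes)
```
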
III. THE SUBLINEAR SCHEME ABOUT LATTICE DIMENSION
A. The history results
In this section, we discuss the dimension selection of lattices in Schnorr's algorithm. The dimension $n$ of the lattice depends on the size of the prime basis and has an important influence on the efficiency of the algorithm. On the one hand, the number of smooth relation pairs on the prime basis will increase greatly when $n$ is large, which is more conducive to obtaining smooth relation pairs. On the other hand, $n$ cannot be too large, because the time complexity of the lattice reduction process and of solving the linear equations is positively correlated with $n$. Choosing an appropriate $n$ requires a balance between the two. This issue is not clearly explained by Schnorr in the original text [29,30,41], and there are different descriptions or applications in different places. In Schnorr's recent edition in 2021 [30], when analyzing specific examples, a sublinear lattice dimension is used, but the author does not explain the choice of the lattice dimension scheme. For example, when discussing the factoring of a 400-bit integer, the lattice dimension is 48, which is close to the sublinear scheme $400/\log_2 400 \approx 46$. In many other works, however, the lattice dimension $n$ is usually assumed to be of polynomial order in the binary length $m$ of a large integer $N$. The specific description is given based on the restriction of the smooth bound $p_n$. In Schnorr's sieve method, it is usually assumed that the smooth bound $p_n$ satisfies
$$p_n \sim (\log N)^{\alpha} = m^{\alpha}, \quad \alpha > 0. \tag{S11}$$
According to the prime number theorem, we have
$$n \sim \frac{(\log N)^{\alpha}}{\alpha \log\log N} = \frac{m^{\alpha}}{\alpha \log m}. \tag{S12}$$
When taking $\alpha = 1$, the dimension is
$$n = m/\log m, \tag{S13}$$
which is a sublinear scale of the bit length of $N$. When $\alpha > 1$, $n$ is typically a polynomial scale of $m$. Therefore, the specific value of $\alpha$ determines the dimension of the lattice.
The value of $\alpha$ is mainly determined by the mathematical relationship between the short vector and the smooth relation pair. Regarding what conditions short vectors must satisfy to obtain smooth relation pairs, Schnorr gives the following lemma:
Lemma 1 If $\|\mathbf{b} - \mathbf{t}\|^2 = O(\log N)$ and $v \le N^{c-1} p_n (n/\log N)^{1/2}$, then most likely $|u - vN| = O(p_n)$.
Here $c$ is the precision parameter. The lemma states that when the squared norm of a short vector is $O(\log N)$, the sr-pairs can most likely be obtained. Here we set the short vector length $O(\log N)$ as a theoretical bound.
The next important question is whether short vectors satisfying this condition exist, or whether there are enough of them. Schnorr proved that there will be a large number of short vectors that satisfy the theoretical bound when $\alpha > 2$. Specifically, the size of $\alpha$ is proportional to the size of the smooth bound according to Eq. S11. In the sieve method, the larger the smooth bound $p_n$ is, the easier it is to obtain smooth relation pairs. However, the number of smooth relation pairs required as a whole increases accordingly. Schnorr pointed out that there will be a large number of short vectors that can generate smooth relation pairs according to the density polynomial of smooth numbers when $\alpha > (2c-1)/(c-1) > 2$ [29,30,41], which leads to a polynomial dimension scheme.
We discuss the relationship between the short vector and the smooth relation pair based on the former. That is, we discuss the condition that $\alpha$ or the dimension $n$ of the lattice needs to satisfy from the perspective of the existence of the short vector. We first give a linear scheme of the lattice dimension $n$ under Minkowski's first theorem [42]. Then, under the density assumption in Schnorr's algorithm [30], a sublinear dimension scheme is given.
B. Linear scheme
The existence problem refers to whether there is a vector $\mathbf{b} \in \Lambda(B_{n,c})$, such that $\|\mathbf{b} - \mathbf{t}\|^2 =$