Arxiv:2006.14057V7 [Quant-Ph] 4 Mar 2021 Tem Is Measured to Be in Some Eigenstate of a Divide N by That Factor to Ascertain the Other

Two quantum Ising algorithms for the Shortest Vector Problem: one for now and one for later

David Joseph,1, 2 Adam Callison,2 Cong Ling,1 and Florian Mintert2 1Electrical and Electronic Engineering Department, Imperial College London 2Physics Department, Imperial College London (Dated: 13 January 2021) Quantum computers are expected to break today’s public key cryptography within a few decades. New cryptosystems are being designed and standardised for the post-quantum era, and a significant proportion of these rely on the hardness of problems like the Shortest Vector Problem to a quantum adversary. In this paper we describe two variants of a quantum Ising algorithm to solve this problem. One variant is spatially efficient, requiring only O(N log N) qubits where N is the lattice dimension, while the other variant is more robust to noise. Analysis of the algorithms’ performance on a quantum annealer and in numerical simulations show that the more qubit-efficient variant will outperform in the long run, while the other variant is more suitable for near-term implementation.

I. INTRODUCTION 2020 the QC community finds itself at a turning point, with the first credible claim to quantum The concept of quantum computing (QC) was supremacy [4] having been made in late 2019, first conceived of in the early 1980s [7, 19] and though performing useful computations of this has slowly grown to become a major field within size is still some way off for quantum comput- modern computer science and physics. Utilis- ers. ing intrinsic properties of quantum mechanics allows some computations to be sped up beyond what is classically possible. Some offer exponen- A. Post-quantum cryptography tial speed-up, such as integer factorisation and the discrete logarithm [43], whereas others offer One area subject to much disruption is that of polynomial, but still impressive, improvements cryptography. Classical cryptography will be a like Grover’s algorithm for searching unsorted victim —once quantum hardware reaches matu- lists [24]. rity —of the exponential speed-up due to Shor’s As the field of quantum computing has blos- algorithm for integer factorisation and discrete somed, multiple paradigms and families of algo- logarithm computation. This is because the se- rithms have emerged. The gate model of quan- curity of public key cryptography relies upon the tum computing most closely resembles classical existence of a problem that is intractable with- computers, with directly programmable qubit out a certain piece of information (known as a architectures, whereas quantum annealer-style key) but is efficiently computable when in pos- algorithms can be seen as an analogue ver- session of the key. An example of such a prob- sion, whereby after system initialisation in some lem is factorisation of a large semi-prime num- eigenstate of a Hamiltonian, the Hamiltonian is ber n = pq, which has only two non-trivial prime gradually altered, until at completion the sys- factors p and q. If either factor is known, one can arXiv:2006.14057v7 [quant-ph] 4 Mar 2021 tem is measured to be in some eigenstate of a divide n by that factor to ascertain the other. new Hamiltonian which offers a solution to the If, however, one knows neither factor, then one problem under consideration. must resort to a much more computationally ex- While some forms of quantum computing, pensive approach, such as√ attempting to divide such as the gate model and adiabatic quantum n by every integer up to n (naive) or apply- computing (AQC) [1, 17] are universal, near- ing one of the family of number field sieves [32], term quantum annealing devices are likely to be which in the best cases take super-polynomial more suited to specific problem types. Nonethe- time. less, these near term devices have compelling use The security of the RSA cryptosystem [40] re- cases —from simulating quantum chemistry to lies on integer factorization, while the security developing medicines [5,6] —though some are of Diffie-Hellman key exchange, ElGamal and more practical in the near future than others. In more rely on closely related problems [8, 15], 2 all efficiently computable in the QC domain. other hand, enumeration literally enumerates all To preserve security of communications and in- vectors within a certain ball around the origin, formation storage moving forward into a post- which if picked carefully is guaranteed to contain quantum world, a new set of cryptographic the best possible solution [20, 29], though re- primitives must be developed and demonstrated cently significant speed-ups have been obtained to be invulnerable to quantum attacks. This by moving into the probabilistic domain (using a new field is known as post-quantum cryptogra- technique called extreme pruning), randomising phy (PQC). the input, and repeating many times [21]. The search for quantum-safe primitives cen- Grover’s algorithm has been applied to sieving tres around five families of problems, as outlined and saturation algorithms to achieve speedups in [8]: lattice-based cryptography (LBC), code- of roughly 25% in the exponent [30]. It seems based cryptography, isogenies, multivariate- unlikely that Grover’s algorithm can be applied based and hash-based cryptography. Candidate to lattice enumeration, but building on devel- systems are being assessed in the NIST Post- opments for quantum tree algorithms [35, 36] a Quantum Cryptography Standardization pro- quadratic speed-up has been obtained [3]. The cess and there are 26 systems being analysed quantum Fourier transform (QFT) plays a part in round two of the process, of which 12 derive in many quantum algorithms, such as those for from lattice-based primitives. solving variants of the hidden subgroup prob- LBC has spawned the celebrated learning lem (HSP) —Shor’s is an example. The dihedral with errors (LWE) problem [39], later adapted coset problem is another type of HSP; a relaxed for efficiency (at the risk of as-yet unknown secu- form, the extrapolated dihedral coset problem, rity tradeoffs) into Ring-LWE whereby compu- has been shown to be equivalent to LWE [11]. tations are performed in algebraic number-fields, Lattice problems in certain algebraic number and also Module-LWE. LWE has even served as fields can be solved using quantum HSP algo- the basis for the first fully homomorphic encryp- rithms that compute unit groups [16] and prin- tion scheme (FHE) [22]. Other notable lattice- cipal ideals [14]. A recent work [27] proposes based cryptosystems include NTRU [26] and a new approach to finding short vectors, encod- GGH [23]. The central problems in LBC tend ing vector norms into a Hamiltonian of a system to revolve around minimisation of distances in of ultra-cold bosons trapped in a potential land- high-dimensional spaces. scape. Whilst broadly in the adiabatic quantum Two closely related problems are finding the optimisation regime, sweeps are performed sub- shortest distance between two points in a lattice, adiabatically to obtain results from a distribu- known as the shortest vector problem (SVP) and tion over low energy eigenstates (consequently, finding the closest lattice point to any given vec- ‘short’ vectors). tor in the ambient space (CVP). Under a guarantee that said point is at most a certain distance from the nearest lattice point CVP be- C. Contribution comes a bounded distance decoding problem (BDD) upon which the security proof of LWE SectionII contains preliminaries, then in Sec- is based. tionIII we detail a derivative quantum shortest vector algorithm based on the quantum Ising model. In particular, two variants are presented B. Quantum algorithms for LBC with provable asymptotic space requirements. In SectionIV these two algorithms are analysed Up to this point most quantum algorithms for in a noiseless setting numerically, and are also lattice problems focus on application of a preex- implemented on the D-Wave quantum annealer isting algorithm to gain a quantum speed up in [33], providing a fully quantum analysis of lat- a primarily classical approach. The two main tice problems in up to 7-dimensional instances approaches to lattice problems are enumeration utilising 56 logical qubits (and over 1000 physi- and sieving. Sieving takes as input a selection of cal qubits). vectors from some distribution over the lattice The two variants of the algorithm presented and iteratively combines them in order to out- relate to different ways of encoding qudits in the put short solutions probabilistically [2]. On the quantum Ising model, and we offer an analysis 3 of both implementations, including the circum- the angles between basis vectors or ratios of their stances in which each is superior. This last con- lengths. Knowledge of the specifics of these contribution has wider relevance for the QC com- ditions will not be important to the work, but it munity, especially when looking at algorithms is essential to appreciate the concept that short to optimise over integral combinations of more and close-to-orthogonal is good. general vectors. Necessarily, there are only a small number of good bases (a finite number by any definition of good), and infinitely many bad bases. The II. PRELIMINARIES subject of turning arbitrary bad lattice bases into ‘good enough’ bases is a widely studied Vectors and matrices are denoted by boldface one, and is at the centre of lattice cryptanalysis lower and upper-case letters respectively, while [25, 31, 42]. Hamiltonians are denoted by H. Throughout the paper two vector norms are of interest: the l2 (or Euclidean) norm of a d-dimensional vector 2 2 2 x is described by kxk = x1 + ... + xd, and the infinity norm is kxk∞ = max{|xi|, 1 ≤ i ≤ d}. The length of the shortest vector is denoted λ1; there are at least two vectors of this length in a lattice, as any vector can be reflected about the origin to produce another of identical length. Where log is used, it is in base 2.

A. Lattices

Lattices are simply a repeating pattern of FIG. 1: An example of a two-dimensional lattice points in N-dimensional space. Fig1 shows an with lattice points depicted in black. Red ar- example of a lattice in two dimensions. Lat- rows represent a bad basis with long vectors that tices have two attractive mathematical proper- are far from orthogonal (though still linearly- ties: they all contain the origin, and adding any independent); green arrows are a good basis for two lattice vectors together with integer coeffi- the same lattice, with short and highly orthogo- cients gives a point that is also in the lattice. nal vectors. Both bases (by definition) span the The concept can be formalised as follows: lattice. Definition II.1. A lattice L ∈ RN is the discrete set of all integer combinations of a set Definition II.2. The fundamental paral- of N linearly independent basis vectors B = lelepiped P(L) of a lattice described by a basis N {b0, ..., bN }: B is the set of points in R N P(L) = {x · B | x ∈ [0, 1)N }, n X o N L = xibi = {B · x: x ∈ Z }. i=1 and the covolume of L is defined to be the volume of this N-dimensional polyhedron. Every lattice contains the zero vector, denoted 0 and this is considered a trivial lattice vector, The shape of the fundamental parallelepiped as 0 · B = 0. A set of N linearly independent depends on the geometry of the particular basis, basis vectors together are known as ‘a basis’. but they will all have the same covolume, and Each lattice has infinitely many bases, and ev- provide a tiling on the ambient space RN . One ery basis can be mapped to every other basis by can compute the covolume of a lattice by taking a unimodular transformation. There is a notion its determinant, which is obtained by taking the of good and bad bases, where good means that determinant of the basis det(L) = det(B). the basis vectors are quite orthogonal and quite One important family of bases for this work short, where ‘quite’ varies according to the con- is that of Hermite Normal Form (HNF) bases. text, but can be defined in terms of bounds on The reason these are of interest are that: 4

1. They can be described (and therefore com- physical system in order to drive it from an municated) efficiently; initial state toward a state from which the solution to a problem can be read. Typically, 2. Each lattice has a unique HNF; the Hamiltonian H(t) is a linear combination 3. The HNF of a lattice can be efficiently (which may or may not be time-dependent) computed from any provided basis. of a problem-independent driver Hamiltonian H0 (often referred to as an initial Hamiltonian Definition II.3. Hermite Normal Form (row- when appropriate), and a problem Hamiltonian N basis version) of a full rank lattice L ⊂ Z is HP which encodes the problem to be solved. an upper-triangular matrix H that satisfies: The eigenstates of the problem Hamiltonian HP correspond to solutions to a problem, (often the • Hij = 0 for i > j; ground state is desired), and targeting these eigenstates is where the crux of CTQC lies. The first nonzero term from the left (the • CTQC encompasses a number of quantum al- pivot) is positive and strictly to the right gorithmic families, for example adiabatic quan- of the first nonzero term of the row above; tum computation [17] (AQC), quantum anneal- • Elements directly below the pivot are zero ing [28] (QA) and continuous-time quantum and those directly above are reduced mod- walk (QW) computing [12, 13] and others. Fur- ulo the pivot. thermore, the quantum approximate optimisation algorithm [18] (QAOA) in the discrete-time The HNF of a lattice is described as optimal if gate model is inspired by continuous-time meth- there exists only one non-unit pivot. This means ods. (for a row basis HNF) that there is only one col- For the purposes of this work, we will con- umn of non-zero values. In this work, we exam- sider systems which are initialised in the ground ine only full rank integer lattices, so we take the state of the initial Hamiltonian, and are evolved N bi ∈ Z from this point onward. In general, according to a linear time-sweep of length T , the HNF of a lattice is bad basis by any canon- leaving the system in a Hamiltonian which at ical measure, though it is an efficient means of any time t ∈ [0,T ] can be described as representing the lattice as it contains fewer non- zero entries than a general basis. t t H(t) = 1 − H0 + HP . (1) The lattice problem that is the focus of this T T work is the shortest vector problem. In the following section, the initial Hamiltonian Definition II.4. Shortest Vector Problem: H0, the problem Hamiltonian HP , and consequently the full Hamiltonian H(t) are defined in given a basis B = {b1, ..., bn} describing a lattice L find the closest (non-zero) lattice point to the context of the quantum Ising model. The the origin, key to constructing the algorithm is in defining the problem Hamiltonian HP such that low en- λ1(L) = min{||x|| : x ∈ L\{0}}. ergy eigenstates relate to good solutions, which reduces in the Ising model to the setting of ap- This can alternatively be stated as finding propriate fields on and coupling between spins. the shortest distance between any two distinct points in the lattice. A major stepping-stone in the field was the reduction from GAPSVP C. Quantum annealing in the Ising Model (a close relative to SVP) to the Learning With Errors (LWE) cryptosystem [39]. The Ising model originated as a tool for mod- elling ferromagnetism in materials. In a given material each magnetic domain has a dipole, or B. Continuous-time Quantum Computing spin —denoted si. These spins interact with their neighbours in a manner dependent on the Continuous-time quantum computing properties of the material. The system achieves (CTQC) refers to a group of quantum com- its lowest energy state when the spins align so putational strategies in which a specially as to minimise the total interaction energies. engineered Hamiltonian H(t) is applied to a The energy of such a system is described by 5

P P the Hamiltonian H = − i,j Jijsisj − i hisi, an equal superposition of all eigenstates of the where Jij are coupling coefficients and hi are problem Hamiltonian HP , before evolving the field strengths. Hamiltonian toward the problem Hamiltonian The transverse Ising model was introduced to HP according to Eq.1. quantum computing back in 1998 [28]. A transverse magnetic field can represent temperature, and reducing the strength of this field brings about ‘quantum cooling’. The ground state of a system modelled by an Ising Hamiltonian can be found if the system is cooled sufficiently slowly. In a material, the coefficients Jij and hi of the Ising model are determined by the properties of III. QUANTUM ISING-SVP the material. In a quantum computing device that implements the Ising model, however, the programmer chooses the coefficients in order to In this section we describe how the encoding encode their problem. The programmer sets the of the SVP problem into the Ising coefficients coefficients so as to ensure that the ground state Jij, hi that define the energy of the system is and other low energy eigenstates encode good performed. The coefficients are derived directly solutions to the problem they wish to solve. from the input basis, following a similar pro- A classical Ising Hamiltonian cess as for the Bose-Hubbard quantum SVP al-

N N gorithm [27]. X X H(s , ..., s ) = − J s s − h s , (2) 1 N ij i j i i Any lattice point can be written as the vector i

z z HP = H(σ1 , ..., σN ). (3) The l2 norm of the vector v can be written Pauli operators can be expressed as 2 × 2 matrices

2 X ||v|| = xixjbi · bj . (8) 1 0 0 1 σ = 1 = , σ = , (4) i,j 0 0 1 x 1 0 0 −i 1 0 σy = , σz = , (5) i 0 0 −1 The aim is to ﬁnd the integer combination

0,x,y,z x = (x1, ..., xN ) that minimises this sum over where σi represents a Pauli operator acting i, j = 1, ..., N, given the ﬁxed scalar values b ·b th i j only on the i qubit of the system. which are determined by the lattice basis with As is typical for quantum annealing in the which the algorithm is run. It would be rather Ising model, for the algorithms we consider in straightforward to map this minimisation into a this work, we choose the initial Hamiltonian H0 device consisting of coupled qudits rather than to be a simple transverse ﬁeld Hamiltonian com- qubits; that is, if the device implemented a gen- posed of Pauli-X operators eralised Ising model Hamiltonian with the spins

N si = ±1 generalised to take integer values. Since X H = −h σx. (6) this is not the case, it is necessary to construct 0 0 i an ersatz qudit by combining multiple qubits. i=1 This can be visualised —as in Fig2 —as a grid The system is initialised in the ground state of of spins, where each column represents a qudit the transverse ﬁeld Hamiltonian H0, which is for a diﬀerent basis vector. 6

strings, as well as present bounds describing how 1 0 0 big the range of qudit values must be, and therefore how many physical qubits are needed, to en- 1 1 0 sure that the problem Hamiltonian HP actually Q expresses at least one shortest vector. 0 0 1 A. Hamming-weight-encoded Qudits 1 1 0 This qudit mapping is extremely simple and is not optimal in terms of space. This is because it b1 b2 ... bN leads to redundancies, with multiple spin config- urations corresponding to the same qudit value FIG. 2: Representation of qudits as a collection in [−2k, 2k]. The reason for presenting this map- of several qubits. Each column corresponds to ping is that it is more robust to noise (explained a basis vector, and the qubits in that column in AppendixB) than the more spatially effi- are interpreted as an integer, according to the cient approach we present subsequently. This qudit definitions, which are set out in Sections is demonstrated in SectionIV. While it is not IIIA,IIIB. A binary-encoded qudit in the above expected that even today’s cryptosystems will can take one of 16 values, whereas a Hamming- be broken with noisy intermediate-scale quan- encoded qudit can take one of 5 values. tum (NISQ [9, 38]) computers, for the foreseeable future the quantum computing community Assuming such qudits are available, we can must contend with poor quality qubits. Conse- write Qˆ(j) to mean the qudit operator acting quently, this simple qudit may become a useful on qudit j. Then, following [27], the problem tool in the near term. For the purposes of the Hamiltonian can be written as analysis in SectionIV, the D-Wave 2000Q provides ample qubits to compensate for the ineffi- N ciencies of this mapping, and so what follows is X ˆ(i) ˆ(j) HP = Q Q Gij, (9) the quantum Ising SVP algorithm for now. i,j Here, we define a qudit operator by a simple sum of qubit operators, where Gij = bi · bj is the (i, j)th element of the Gram matrix for the lattice basis. k+1 2 ˆ (j) X Zpj The eigenstates of HP in Eq.9 all correspond Qˆ = . (10) Ham 2 to vectors in the lattice for which every compo- p=0 nent xj is expressible within the range of values taken by the qudits (how big this range should This qudit operator assigns to each computa- be is a separate question, which we address later tional basis state a value by counting the num- in this section). The corresponding eigenval- ber of qubits in the the +1 state, its Hamming ues are simply the squared Euclidean length of weight, shifted so that the possible values are those vectors. Thus, the ground state of the symmetric about zero. From here on, when problem Hamiltonian HP will correspond to the referring to the quantum Ising SVP algorithm uninteresting zero vector, while the first-excited with Hamming-weight-encoded qudits, we will manifold will consist of states that correspond use the term Ham. to vectors with length λ1(L) (the shortest vectors); there are usually at least two such shortest vectors, since applying the transformation B. Binary-encoded qudits xj → −xj to each vector coordinate of v produces −v, which has the same length. Solv- This qudit mapping assigns values to the ing SVP thus becomes equivalent to finding a states of its qubit register by combining the con- state in the first-excited manifold of the prob- stituent qubits into a binary number. This is lem Hamiltonian HP . maximally efficient in space as each Ising spin In the following, we describe two different configuration results in a distinct coefficient vec- ways to encode the qudits into these column bit- tor. This optimal efficiency, however, necessi- 7 tates high quality qubits as we will show in Sec- The HNF basis of L looks as such: tionIV, and so this is the quantum Ising SVP     algorithm for later. b1 1 b1  b2   .. .  We define the following qudit operator on the   =  . .  . (12) th  .    j qudit as  .   1 bN−1 bN D k (j) X 1 Qˆ = − 2p−1Zˆ − 1, (11) The covolume of L is D as, for bases of this Bin pj 2 p=0 form, the determinant is just the product of the diagonal entries. The form of a general lattice 0,j k,j vector, written as a linear combination of the which maps the operators σZ , ..., σZ on qubits (0, j), ..., (k, j) to integers in the range [−2k, 2k − basis vectors, is 1], which is roughly symmetric range around the   origin. The values are to be interpreted as a bi- 1 b1 . nary number in [0, 2k+1 −1] which is then shifted  .. .  x . . . x ·  . .  = down by 2k, to give the required range. From 1 N    1 bN−1 (13) here on, when referring to the quantum Ising D SVP algorithm with binary-encoded qudits, we will use the term Bin. x1, . . . , xN−1, (x1b1 + ... + xN D) . Minkowski’s theorem [34] provides the bound √ 1/N C. Space analysis λ1(L) ≤ N · D (14)

on the length of the shortest vector, and we Examination of the space requirements for im- will use a weaker version of this to bound the plementation of this quantum Ising SVP algo- coefficients on the right hand side of Eq (13). rithm (Bin) leads to the following theorem, and Minkowski’s bound prescribes a sphere about a similar analysis is conducted for Ham in Corol- the origin, with radius equal to the bound in lary III.1.1: Eq (14), in which to search for the shortest vector. Relaxing this constraint slightly, it can be Theorem III.1. For any N-dimensional lattice asserted that every√ coordinate of v must be less L with covolume det(L) = D and optimal Her- than or equal to N · D1/N , which now pre- mite Normal Form, there exists a quantum SVP scribes a (larger) N-cube around the origin in algorithm that can be run on a system of size at which to search. 3N most 2 log N + N + log D qubits. This means that each coordinate on the right- hand side of Eq (13) must be smaller than the We point out here that that the optimal HNF bound, so for the first N − 1 entries in the coef- is particularly desirable for cryptography appli- ficient vector, √ cations [37], and lattices with optimal HNF are 1/N common, with approximately 40% of lattices se- |x1|,..., |xN−1| ≤ N · D . (15) lected at random having optimal HNF [41]. For the final coordinate xN , we have that √ 1/N |x1b1 + ... + xN D| ≤ N · D (16) Proof. The point of the proof is to ascertain how and so many qubits are required per qudit in order to √ 1/N guarantee that the shortest vector in L is rep- |xN D| ≤ N · D + resented in the Hilbert space explored by the |x b + ... + x b |. (17) algorithm. This question can be reduced to find- 1 1 N−1 N−1 ing a bound on the range in which to search for Applying the triangle inequality, coefficients for the basis vectors. That is, the |x D| ≤ |x b | + ... + |x b | + algorithm seeks to minimise the lengh of vectors N √1 1 N−1 N−1 k k 1/N v = x · B where −2 ≤ xi < 2 for 1 ≤ i ≤ N. N · D , (18) 8 and using the HNF property that the bi are re- at the expense of the assurance of being able to duced modulo D, find a shortest vector. It is also the case that Theorem III.1 and Corollary III.1.1 give upper bounds for HNF in- |xN D| ≤ |x1D| + ... + |xN−1D| + √ put bases. Using different, (classically) better- 1/N | N · D |. (19) reduced bases is also likely to require lower Then by applying Eq (15) qubit-per-qudit values and so yield better re- √ sults, but giving a bound for these is not 1/N |xN D| ≤ (N − 1) N · D · D + straightforward, and the HNF has the advan- √ tage that each lattice has a unique HNF that N · D1/N can be efficiently obtained from any other basis. ≤ N 3/2 · D1+1/N . (20)

This gives an interval to search for xN bounded in size by

3/2 1/N IV. RESULTS |xN | ≤ 2N · D , (21) and an interval to search for xi (1 ≤ i < N) bounded in size (from Eq (15)) by (2N 1/2 · To analyse the performance of the two algo- D1/N ). The algorithm therefore requires rithms described in SectionIII, Ham and Bin were implemented on the D-Wave 2000Q quan- 3 1 tum annealer, to shed light on what is possible log 2N 3/2D1/N = 1+ log N+ log D (22) 2 N in the NISQ era of quantum computing. We also performed numerical simulations of ideal, qubits per qudit, meaning the total system re- closed-system versions of these algorithms to quires O(N log N + log D) qubits. give an indication of what may be possible in the future —though we were limited to smaller experiment sizes due to the computational con- Based on the above analysis, we can state the straints of simulating quantum systems on clas- space requirements for Ham: sical hardware. Corollary III.1.1. Ham can be implemented In our experiments we generated random full- on any N-dimensional lattice L with covolume rank integer lattices, and obtained a ‘bad’ input det(L) = D and optimal Hermite Normal Form, basis by post-multiplying with randomly gen- 5/2 1/N using a system of at most 2N · D qubits. erated unimodular matrices. These bad bases The first excited eigenstate, modulo degenera- were not in HNF, and we did not use the upper cies, of the system at completion solves SVP on bounds given in III.1, III.1.1, but instead fixed L. our qudits to the ranges [−4, 4] and[−4, 3] for Sketch of proof : Recycling working from the Ham, Bin respectively. This choice was made proof of Theorem III.1, the number of qubits in order to improve overall results by a range in the grid is determined by the dimension of of metrics discussed in this section, while also the lattice (N), and the interval over which to fixing a degree of freedom to make the analysis search for coefficients, which is given in Eq (21) easier to perform. as 2N 3/2 · D1/N , leaving total qubit scaling as This means that it is not guaranteed that a 5/2 1/N 2N · D . shortest vector (of length λ1(L)) is represented The bounds given in Theorem III.1 and Corol- in the Hilbert space for every instance. In fact, lary III.1.1 are upper bounds that guarantee the a shortest vector is represented in all of the existence of a vector with length λ1(L) (a short- three-dimensional lattice instances we used, and est vector) within the Hilbert space explored by approximately half of the instances in each of the quantum Ising algorithms described inIIIB, the higher dimensions. This is reflected in the IIIA. In practice, an attacker may choose to re- results presented in this section for finding a duce the complexity of the system by reducing shortest vector; we have not post-selected on the qubits-per-qudit parameter in order to give instances where shortest vectors are obtainable stronger probabilities of finding ‘short’ vectors, with coefficients in the specified range. 9

A. Numerical Simulation such a gap for both types of encoding is shown in Fig.4. The initial ( t/T = 0) and final (t/T = 1) We numerically simulated results for both gap coincides for both encodings, but the gap Ham and Bin algorithms for three-dimensional for the Bin-encoded qubits (blue) decreases very lattices for a range of sweep times to investigate rapidly in the early stage of the dynamics. For what performance could be expected in the limit t/T . 0.2 the gap becomes much smaller than of perfect hardware. the minimal gap for Ham encoded qudits (red) Fig3 depicts the probabilities to obtain the which is obtained for t/T . 0.6. The smaller zero-vector (blue), the shortest non-zero vector minimal gap for the Bin encoded qudits means (red) and the second-shortest non-zero vector as that to achieve the same probability of attaining a function of the sweep duration for Ham en- the ground state significantly slower sweeps are coded qudits (subfigure (a)) and Bin encoded required (which for SVP purposes is advanta- qudits (subfigure (b)). For slow sweeps, there geous, as we do not seek the ground state). This is a high probability to obtain the zero vec- is because, as per adiabatic theory, a smaller tor, as one would expect for adiabatic dynamics. minimum energy gap means that excitations to The adiabatic limit is achieved well for the dis- the first excited state are more common. An al- played sweep durations in subfigure (a), but sub- gorithm based on Bin encoded qudits, further- figure (b) shows only the onset of adiabaticity, more, has lower space requirements. Thus, Bin even though the x-axis extends to substantially is certainly the algorithm for later. slower sweeps than in subfigure (b). For fast sweeps, both subfigures show compa- 2.0 rable probabilities for each of the three vectors. Ham The three displayed probabilities do not add up 1.6 to the value of one in the regime of fast sweeps, Bin which indicates finite probabilities to also obtain 1.2 longer vectors. E ∆ Both fast and slow sweeps are thus of little 0.8 use, since slow sweeps favour returning the zero- 0.4 vector and fast sweeps result in essentially random results. There is, however, a regime of in- 0 termediate sweep durations in which the prob- 0 0.2 0.4 0.6 0.8 1.0 ability to obtain the desired shortest non-zero t/T vector is enhanced. In subfigure (a), this regime is found for 1 . log T . 2, and in subfigure (b) it FIG. 4: Energy gap ∆E between the ground is found for 7 . log T . 10. In this ‘Goldilocks state and the first excited state at each time zone’ [27], the sweep is sufficiently fast to ex- t along a linear sweep of total duration T for cite the system from its ground state, but also the Ham algorithm (red) and the Bin algorithm sufficiently slow to avoid excitations to highly (blue). The minimum gap occurs much earlier excited states. for Bin and is much smaller. Comparison of subfigures (a) and (b) of Fig3 also highlights that the probability to obtain the first excited state (red) in the Goldilocks zone is substantially higher for Bin encoded qubits B. D-Wave Quantum Annealer than for Ham encoded qubits. This makes the Bin encoded qubits clearly the preferable choice The algorithms Bin and Ham, due to their under the conditions simulated. Ising formulation, can be performed on the D- The superior solution probabilities demon- Wave 2000Q quantum annealer [33]. We ex- strated by Bin can also be explained in terms amined the performance of the algorithms pre- of the adiabatic theorem. For Bin, the mini- sented here experimentally using the D-Wave mum gap mint(∆E) between the ground state quantum processor. Interpreting these results and first excited can become extremely small requires a subtle understanding of the interplay due to the large range of energy scales present in between features of the algorithm and the me- the qubit coupling coefficients. An example of chanics of the QPU, discussed in AppendixB. 10

FIG. 3: Numerical experiments carried out on 20 3D lattices. The lines show mean final probabilities for measuring the system to be in the ground (blue), first (red) and second (green) excited eigenstates —grouped by degeneracy —at completion for sweep lengths T , increasing in powers of 2, for the quantum Ising algorithm implemented with (a) Hamming-weight-encoded qudits (Ham) and (b) binary-encoded qudits (Bin). The Ham algorithm nears the adiabatic limit at T = 28, after the shortest vector success probability peak at around T = 22, which is considerably lower than the peak time for Bin. The Bin algorithm nears the adiabatic limit past the rightmost data point but not before an encouraging peak in shortest vector success probability at T = 29. Standard errors across the 20 samples are shown in both subfigures by vertical error bars.

In particular, we used the default embedding lengths after 900 iterations of the algorithms. provided with the API to map from the fully The green line indicates the lengths of the short- connected qubit graph specified by the theoret- est non-zero vector and the red lines show the ical model described in SectionIII (the logical length of the 6 basis vectors used to define the qubits), and the QPU qubit graph (the phys- lattice. ical qubits). In general, this embedding in- Subfigures (a) and (b) show data obtained curs a quadratic cost (logical qubits to physical with Bin encoded qudits and (c) and (d) show qubits), resulting in a maximum system size for data obtained with Ham encoded qudits. In the experiments listed of 56 logical qubits, which fact, subfigures (a/c) show the same data as maps (non-deterministically) to over 1000 phys- (b/c), but subfigures (a/c) resolve the results ical qubits. of shorter vectors better, while subfigures (b/d) show the full distribution including the results for longer data. 1. Representative example Comparison of subfigures (b) and (d) shows that the majority of vector lengths obtained Fig.5 depicts the result obtained for one spe- with the algorithm based on Bin encoded qu- cific (6-dimensional) lattice. The x-axis depicts dits are longer than all of the the basis vectors, the lenghts of vectors on a linear scale in sub- while the algorithm based on Ham encoded qu- figures (a) and (c) and on a logarithmic scale in dits returns substantially shorter vector lengths. (b) and (d). The blue bars represent the num- This behaviour is also manifest in subfigures (a) ber of occurrences (y-axis) of the corresponding and (c) that shows occurrences of the order of 11

FIG. 5: Illustrative results from D-Wave for Bin (a,b) and Ham (c,d) algorithms showing vector length squared on the x-axis on the left (a,c), and the natural logarithm of vector length squared the right (b,d), with bar height equal to number of occurrences. The right hand subfigures show the same data as the left hand subfigures, but allow an easier comparison at a glance. This is a sample experiment comprising 900 runs of each algorithm on the same 6-dimensional lattice, all with a sweep length of T = 64µs. The green verticals represent the length λ1(L) on the x-axis, and the red verticals represent the length of the 6 input basis vectors (from which G is generated) on the x-axis. The heights of the green and red verticals have no significance.

10 for lengths shorter than the median basis vec- While Fig5 helps to understand what the tor, while the corresponding lengths in Bin are quantum annealing results look like for a rep- obtained between 1 and 3 times. resentative example, as well as to qualitatively An ideal scenario (for all subfigures in Fig5) compare Ham with Bin, for rigorous perfor- would be a single blue line, with height 900, lo- mance analysis other visualisations of results are cated on the x-axis at the same location as the appropriate, which we look at next. green line. This would indicate that the output of the algorithm was the shortest vector with probability 1. The farther to the right (longer) 2. Aggregated results a blue line is, the less useful the vectors it represents are. Lines further right than all of the Fig6 shows a summary of results obtained for red lines are of no use as they are longer than 19 lattices in dimensions N = {3, 4, 5, 6, 7}, ac- all of the basis vectors which were input to the cording to four key figures of merit (FoM). The algorithm. Showing these results too, however, experiments took 900 samples for each lattice is useful as it helps to compare the Ham algo- instance with sweep times of 1µs. The x-axis rithm with Bin, and in doing so one can see shows the lattice dimension, while the y-axis that Ham produces significantly shorter vectors shows the probability of attaining the figure of on D-Wave hardware than Bin. merit corresponding to the particular subfigure. 12

FIG. 6: T = 1µs for Ham (red) and Bin (green) algorithms performed on 19 randomly generated ‘bad’ lattice bases in dimensions 3 to 7 inclusive, and for 4 diﬀerent ﬁgures of merit: ground state ((a) not desired), shortest vector ((b) preferable), shorter than minimum input basis vector (c), and shorter than median input basis vector (d). The black lines are baselines indicating the results from uniform random sampling from the searched-over Hilbert space (dotted for Ham, solid for Bin), i.e. what proportion of lattice vectors in the solution space are shorter than miniminum (c), median (d) input basis vectors.

Probabilities for each lattice dimension are av- ever, in relation to other FoM and the perfor- eraged over 19 lattices with standard error bars mance of the algorithm overall, as 0 results can shown. be interpretted as a measure of ‘adiabaticity’. The red lines show the results from Ham and Through this lens, it can be seen that Ham is the green lines are for Bin in all subfigures. far superior to Bin in returning ground states In subfigures (c) and (d) baseline probabilities on the noisy quantum annealing hardware. from uniform random sampling of the Hilbert Subfigure (b) shows the probability to obtain spaces are shown in black solid and dotted lines the shortest vector, which is the most important (Ham, Bin have different, but asymptotically FoM. In (b), in contrast to (a), both algorithms close, baselines due to the slight difference in perform similarly, though again with Ham pro- coefficients searched over). ducing slightly higher probabilities. Here, while Both algorithms suffer decreasing probabili- in 3 dimensions both Ham and Bin return the ties of success for all FoM as lattice dimension shortest vector with 2.5 − 5% chance, in dimen- increases, which is to be expected due to the in- sions 6 and 7 no shortest vectors were observed. creased complexity and larger Hilbert spaces to This FoM is the one for which high probabilities search over. One can see from Fig6 that the red are most desired, as these probabilities represent lines sit above the green lines in all subfigures. the chances that we can solve exact SVP. This indicates higher probabilities of success for It is easier to analyse ensembles of vectors Ham on the quantum annealing hardware for all as opposed to individual results, as these give FoM, and over all lattice dimensions. probabilities which can be more easily analysed Subfigure (a) shows probability of the an- within the constraints of 900 repetitions per lat- nealer returning the zero vector 0. While Ham tice sample per algorithm per time sweep. This returns zero vectors in 4 − 5% of runs for 3- is where subfigures (c) and (d) offer insight. dimensional lattices, decreasing to almost 0% The FoM in (c) is the probability of returned in higher dimensions, Bin displays much lower vectors having length shorter than the shortest probabilities even in the lowest dimensions. This basis vector, and (d) gives probabilities of vec- is due to the smaller minimum energy gap, tors having length shorter than the median basis mint ∆E, for Bin between the ground state and vector. Because the length requirements to sat- first excited state, a typical example of which is isfy these criteria are more relaxed than in (a) depicted in Fig4 and explained in SectionIVA. and (b), higher probabilities are observed for all Zero vector-probability may initially seem to points. Both Ham and Bin in subfigures (c) and be of no use because the zero vector is of no use (d) begin with order of 10% success probability computationally. It is best understood, how- for 3-dimensional lattices, followed by a smooth 13 decay in mean success probabilities as lattice di- theoretical endeavour. With an ever increas- mension increases. In (c) and (d), the decay in ing pace of development in quantum hardware, success probability is encouragingly less drastic coupled with worst-case asymptotic scaling of than for the results in (a) and (b). The baselines O(N log N) for Bin, it is foreseeable that in the in black show the proportion of the solutions in near future much larger experiments can be car- the entire Hilbert space that are shorter than the ried out to put quantum lattice algorithms to shortest and median basis vectors for (c) and (d) the test, be it on annealers such as D-Wave’s as respectively. described here or gate architectures. While good results from (c) and (d) will not help directly to solve SVP, they can be used to find basis vectors with which to update the in- AQC usually suffers poor time-scaling due to put basis, resulting in a ‘shorter basis’. This its dependence on 1/∆ (where ∆ is the mini- technique is known as ‘lattice basis reduction’ mum spectral gap between the ground and first [31], and iteratively finds shorter vectors by im- excited eigenstates along the Hamiltonian path) proving the basis, and vice versa. which can grow very quickly as system size in- To understand how the two FoM in (c) and creases. This is necessary in order to preserve (d) relate back to the representative example the system in its ground state throughout the shown in Fig5, the shorter than shortest ba- evolution. The identification of the ‘Goldilocks sis vector probability would be computed from zone’ well away from the adiabatic limit in this the results in Fig5 by summing the heights of work is encouraging as it hints that algorithms all the blue bars to the left of the leftmost red such as the ones described in SectionIII may vertical, then dividing by 900 (total number of achieve much more appealing time-scaling. runs), and the shorter than median basis vector probability would be computed by summing the heights of the blue bars to the left of the middle In fact, this raises the curious question of how (or median) red bar, then dividing by 900. to approach extracting asymptotic time scaling for an algorithm where success is defined to be In Fig6 (b) we stress that it is not important measuring the system in its first excited eigen- that probability of obtaining λ tends to zero 1 state. More generally, the approximate form of as dimension increases (this is inevitable), but SVP, SVP , only requires an attacker to find a how fast this occurs is important. A polyno- γ vector of length polynomially (poly(N)) larger mial decay, for example, would be catastrophic than λ (L). This of course means that poly(N) for LBC, whereas an exponential decay could 1 excitations are admissable during the evolution, even match the current state of the art for lat- which could potentially be traded off against tice algorithms. At this stage, not enough data significant speed-ups. Answering this question points are available to heuristically estimate the would doubtless be of interest well beyond post- rate of decay —for this, significantly more ad- quantum cryptography, as it would unlock solu- vanced quantum hardware would be required. tions to many approximate optimisation prob- The key takeaway from Fig6 is that Ham out- lems in QC. performs Bin at almost every data point across the four FoM, demonstrating a significant im- provement on Bin for the present regime (many One key area of progress bearing significance qubits available but not high quality), cement- for QC is that of improving the fidelity of qubits ing it as the choice for now. both in the annealer and gate architectures. In the meantime, as demonstrated above, it is down to theorists to think carefully about how V. CONCLUSION their mathematical constructions might best make use of the hardware available to them as The algorithms described in SectionIII go the significant improvements we extracted from a way to establishing the vector optimisation Ham qudits were nearly dropped from consider- framework first proposed in [27], and the work ation due to the asymptotic inefficiency in space described in SectionIV signals emphatically of O(N 2) versus O(N log N) for Bin qudits. In that quantum cryptanalysis is drawing into the this way, it is possible for experimental and the- empirical realm, and is no longer purely a oretical work to meet in the middle. 14

VI. ACKNOWLEDGEMENTS topology incurring a quadratic cost in the number of qubits required. This is done by creat- The authors would like to thank Charles ing qubit ‘chains’, which are illustrated in Fig Grover for his helpful discussions on the proof of 7. In a qubit chain, all qubits are strongly in- Theorem III.1, and D-Wave for providing Fig7. centivised to return the same value by assigning AC was funded by EPSRC grant EP/L016524/1 qubits in the same chain with stronger qubit- via the Imperial College London CDT in Con- qubit ferromagnetic interactions than between trolled Quantum Dynamics, and would like to qubits in diﬀerent chains. By way of error cor- thank Viv Kendon and Nicholas Chancellor for rection, when not all qubits in a chain return their insightful comments. the same value (called a chain break), a simple majority vote is taken to decide on the ﬁnal value. Appendix A: SVP instance generation

Here we talk through the exact procedure for generating the lattice bases used to perform the quantum SVP algorithms described in Section III on. For each dimension, we generated 20 random matrices with coefficients in {0, 1} (ensur- ing non-zero determinants, so that corresponding lattices are full rank). These are the ‘good’ bases. We then generated 20 random unimodular matrices with coefficients in [−6,... 6]. The ‘good’ bases (which are just a matrix with binary entries, interpretted as a row basis) are then post-multiplied by a unimodular matrix. FIG. 7: Diagram, from [10] shows logical qubits The result is the set of ‘bad’ bases. These are embedded as qubit chains (of physical qubits) used as inputs to the algorithm (i.e. the ‘bad’ into the Chimera topology, where each qubit bases are post-multiplied with their transpose sharing the same colour has strong ferromag- to get the Gram matrix, which is used to define netic interactions with other qubits which it is inter-qubit interactions). connected to in the same chain. The reason we generated ‘good’ bases with short vectors before transforming into ‘bad’ bases to input into the algorithms in this paper is to ensure the existence of short vectors, and 1. Ham qudit advantage to more closely resemble the SVP instances one is likely to encounter in the wild, by which we The reason the Ham qudits trump the Bin mean approaching bases for which it is known qudits despite the larger system size required short vectors exist. to search the same solution space is that they allow for greater utilisation of the energy spectrum available. In the Bin setting, the strength Appendix B: D-Wave of qubit-qubit interactions decrease on average by a factor of 2 for each step away from the most The quantum Ising model assumes full qubit- significant qubit. This means that despite the qubit connectivity, whereas D-Wave 2000Q is instability of SVP solutions (by which we mean constructed according to a Chimera topology, that a small error in the coefficient vector makes whereby each qubit is connected to a handful of a large difference to the output eigenenergy) the nearby qubits that form a sort of cluster, and least significant qubits have relatively very weak each cluster is connected to a few others. Each interactions with the rest of the system, as all cluster is represented as the diamond formation J, h interaction values must be scaled down to of dots in Fig7. A model requiring full connec- the energy spectrum provided. Crucially, this tivity can be mapped into D-Wave’s Chimera also means that errors in the interaction ener- 15 gies become much larger relative to the problem so small differences (±1 in the value of a coef- Hamiltonian, in effect meaning that it is much ficient) are effected by stronger forces, increas- more likely that the qpu is solving the wrong ing likelihood of attaining low-energy solutions. problem [44], leading to poorer performance rel- We believe this effect to be quite significant, but ative to Ham. tempered somewhat by the effects of having a larger system size: longer chains are required, In Ham, however, each qubit contributes the which leads to higher chain-break probabilities, same amount to the output of the qudit, and and thus more errors occur.

[1] Dorit Aharonov, Wim van Dam, Julia cryptography. Springer-Verlag, 2009. Kempe, Zeph Landau, Seth Lloyd, and Oded [9] Kishor Bharti, Alba Cervera-Lierta, Thi Ha Regev. Adiabatic Quantum Computation Kyaw, Tobias Haug, Sumner Alperin-Lea, Ab- is Equivalent to Standard Quantum Com- hinav Anand, Matthias Degroote, Hermanni putation. SIAM Journal of Computing, 37 Heimonen, Jakob S Kottmann, Tim Menke, (1):166–194, 2004. ISSN 19492081. doi: et al. Noisy intermediate-scale quantum (nisq) 10.1109/Group4.2015.7305974. URL http:// algorithms. arXiv preprint arXiv:2101.08448, arxiv.org/abs/quant-ph/0405098. 2021. [2] Miklós Ajtai, Ravi Kumar, and Dandapani [10] Tomas Boothby, Andrew D King, and Aidan Sivakumar. A Sieve Algorithm for the Short- Roy. Fast clique minor generation in Chimera est Lattice Vector Problem. Proc. 33rd ACM qubit connectivity graphs. Quantum Informa- Symp. on Theory of Computing (STOC), 2146: tion Processing, 15(1):495–508, 2016. ISSN 601–610, 2001. ISSN 16113349. doi:10.1007/3- 1570-0755. 540-44670-2“˙1. [11] Zvika Brakerski, Elena Kirshanova, Damien [3] Yoshinori Aono, Phong Q. Nguyen, and Yixin Stehlé,and Weiqiang Wen. Learning with Er- Shen. Quantum lattice enumeration and tweak- rors and Extrapolated Dihedral Cosets. Lec- ing discrete pruning. In ASIACRYPT, 2018. ture Notes in Computer Science (including sub- ISBN 9783030033255. doi:10.1007/978-3-030- series Lecture Notes in Artificial Intelligence 03326-2“˙14. and Lecture Notes in Bioinformatics), 10769 [4] Frank Arute, Kunal Arya, Ryan Babbush, Dave LNCS:702–727, 2018. ISSN 16113349. doi: Bacon, Joseph C Bardin, Rami Barends, Rupak 10.1007/978-3-319-76581-5“˙24. Biswas, Sergio Boixo, Fernando G S L Bran- [12] Adam Callison, Nicholas Chancellor, Florian dao, and David A Buell. Quantum supremacy Mintert, and Viv Kendon. Finding spin glass using a programmable superconducting proces- ground states using quantum walks. New Jour- sor. Nature, 574(7779):505–510, 2019. ISSN nal of Physics, 21(12):123022, 2019. ISSN 1367- 1476-4687. 2630. [5] Alán Aspuru-Guzik, Roland Lindh, and [13] Andrew M Childs and Jeffrey Goldstone. Spa- Markus Reiher. The Matter Simulation tial search by quantum walk. Physical Review (R)evolution. ACS Central Science, 4(2): A, 70(2):22314, 2004. 144–152, 2018. ISSN 23747951. doi: [14] Ronald Cramer, Léo Ducas, and Benjamin 10.1021/acscentsci.7b00550. Wesolowski. Short stickelberger class relations [6] Ryan Babbush, Nathan Wiebe, Jarrod Mc- and application to ideal-SVP. Lecture Notes in Clean, James McClain, Hartmut Neven, and Computer Science, 10210:324–348, 2017. ISSN Garnet Kin-Lic Chan. Low-Depth Quan- 16113349. doi:10.1007/978-3-319-56620-7“˙12. tum Simulation of Materials. Physical Review [15] Whitfield Diffie and Martin Hellman. New di- X, 8(1):11044, 2018. ISSN 21603308. doi: rections in cryptography. IEEE transactions on 10.1103/PhysRevX.8.011044. URL https:// Information Theory, 22(6):644–654, 1976. doi.org/10.1103/PhysRevX.8.011044. [16] Kirsten Eisenträger, Sean Hallgren, Alexei Ki- [7] Paul Benioff. The computer as a physical taev, and Fang Song. A quantum algorithm for system: A microscopic quantum mechanical computing the unit group of an arbitrary degree Hamiltonian model of computers as represented number field. In Proceedings of the forty-sixth by Turing machines. Journal of statistical annual ACM symposium on Theory of comput- physics, 22(5):563–591, 1980. ISSN 0022-4715. ing, pages 293–302, 2014. [8] Daniel Bernstein, Johannes Buchmann, and [17] Edward Farhi, Jeffrey Goldstone, Sam Gut- Erik Dahmen. Introduction to post-quantum mann, and Michael Sipser. Quantum Compu- 16

tation by Adiabatic Evolution. arXiv preprint lem in lattices faster using quantum search. arXiv: quant-ph/0001106, 2000. URL http: In PQCrypto, pages 83–101, 2013. ISBN //arxiv.org/abs/quant-ph/0001106. 9783642386152. doi:10.1007/978-3-642-38616- [18] Edward Farhi, Jeffrey Goldstone, and Sam Gut- 9“˙6. mann. A Quantum Approximate Optimization [31] A. K. Lenstra, H. W. Lenstra, and L. Lovász. Algorithm. arXiv:1411.4028, pages 1–16, 2014. Factoring polynomials with rational coeffi- URL http://arxiv.org/abs/1411.4028. cients. Mathematische Annalen, 261(4): [19] Richard P Feynman. Simulating physics with 515–534, 1982. ISSN 00255831. doi: computers. Int. J. Theor. Phys, 21(6/7), 1999. 10.1007/BF01457454. [20] Ulrich Fincke and Michael Pohst. Improved [32] Arjen K Lenstra and W Hendrik Jr. The devel- methods for calculating vectors of short length opment of the number field sieve, volume 1554. in a lattice, including a complexity analysis. Springer Science & Business Media, 1993. ISBN Mathematics of computation, 44(170):463–471, 3540570136. 1985. ISSN 0025-5718. [33] Catherine C McGeoch, Richard Harris, [21] Nicolas Gama, Phong Q Nguyen, and Oded Steven P Reinhardt, and Paul I Bunyk. Prac- Regev. Lattice Enumeration Using Extreme tical annealing-based quantum computing. Pruning. EUROCRYPT 2010, Lecture Notes Computer, 52(6):38–46, 2019. ISSN 0018-9162. in Computer Science, 6110:257–278, 2010. [34] Hermann Minkowski. Geometrie der zahlen, [22] Craig Gentry. Fully homomorphic encryption volume 2. Ripol Classic, 2016. ISBN using ideal lattices. In Proceedings of the forty- 588093313X. first annual ACM symposium on Theory of [35] Ashley Montanaro. Quantum walk speedup of computing, pages 169–178, 2009. backtracking algorithms. Theory Comput., 14 [23] Oded Goldreich, Shafi Goldwasser, and Shai (15):1–24, 9 2018. URL http://arxiv.org/ Halevi. Public-Key Cryptosystems from Lat- abs/1509.02374. tice Reduction Problems. In CRYPTO, Lon- [36] Ashley Montanaro. Quantum speedup of don, 1997. Springer-Verlag. branch-and-bound algorithms. Physical Review [24] Lov K. Grover. A fast quantum mechanical Research, 2(1):13056, 2020. algorithm for database search. Proceedings, [37] Thomas Plantard, Willy Susilo, and Khin Than 28th Annual ACM Symposium on the Theory of Win. A digital signature scheme based on Computing, pages 212–219, 1996. URL http: cvp∞. In International Workshop on Pub- //arxiv.org/abs/quant-ph/9605043. lic Key Cryptography, pages 288–307. Springer, [25] Bettina Helfrich. Algorithms to construct 2008. Minkowski reduced and Hermite reduced lat- [38] John Preskill. Quantum computing in the nisq tice bases. Theoretical Computer Science, 41: era and beyond. Quantum, 2:79, 2018. 125–139, 1985. ISSN 0304-3975. [39] Oded Regev. On lattices, learning with er- [26] Hoffstein Jeffrey, Jill Pipher, and Joseph H Sil- rors, random linear codes, and cryptogra- verman. NTRU : A Ring-Based Public Key phy. Proceedings of STOC, pages 84–93, 2005. Cryptosystem. Algorithmic Number Theory ISSN 00045411. doi:10.1145/1568318.1568324. (ANTS-III)(LNCS), 1423, 1998. URL http://portal.acm.org/citation.cfm? [27] David Joseph, Alexandros Ghionis, Cong Ling, doid=1568318.1568324. and Florian Mintert. Not-so-adiabatic quantum [40] R. L. Rivest, A. Shamir, and L. Adle- computation for the shortest vector problem. man. A method for obtaining digital signa- Physical Review Research, 013361:1–13, 2020. tures and public-key cryptosystems. Commu- doi:10.1103/PhysRevResearch.2.013361. URL nications of the ACM, 21(2):120–126, 1978. http://arxiv.org/abs/1910.10462. ISSN 00010782. doi:10.1145/359340.359342. [28] Tadashi Kadowaki and Hidetoshi Nishimori. URL http://portal.acm.org/citation.cfm? Quantum annealing in the transverse Ising doid=359340.359342. model. Physical Review E - Statistical Physics, [41] Michael Rose, Thomas Plantard, and Willy Plasmas, Fluids, and Related Interdisciplinary Susilo. Improving BDD cryptosystems in gen- Topics, 58(5):5355–5363, 1998. ISSN 1063651X. eral lattices. Lecture Notes in Computer Sci- doi:10.1103/PhysRevE.58.5355. ence (including subseries Lecture Notes in Ar- [29] Ravi Kannan. Improved Algorithms for Inte- tificial Intelligence and Lecture Notes in Bioin- ger Programming and Related Lattice Prob- formatics), 6672 LNCS:152–167, 2011. ISSN lems. Proc. 15th ACM Symp. on Theory of 03029743. doi:10.1007/978-3-642-21031-0“˙12. Computing, STOC, pages 193–206, 1983. ISSN [42] C. P. Schnorr and M. Euchner. Lattice ba- 07349025. sis reduction: Improved practical algorithms [30] Thijs Laarhoven, Michele Mosca, and Joop Van and solving subset sum problems. Mathemat- De Pol. Solving the shortest vector prob- ical Programming, 66(1-3):181–199, 1994. ISSN 17

16113349. doi:10.1007/3-540-54458-5“˙51. 332, 1999. ISSN 0036-1445. [43] Peter W Shor. Polynomial-time algorithms for [44] Kevin C Young, Robin Blume-Kohout, and prime factorization and discrete logarithms on Daniel A Lidar. Adiabatic quantum optimiza- a quantum computer. SIAM review, 41(2):303– tion with the wrong Hamiltonian. Physical Re- view A, 88(6):62314, 2013.