Implementation And Analysis of Regev’s Quantum Factorization Algorithm

At the time of working on this paper, no publicly available implementation of Regev’s quantum algorithm for quantum computers existed. Therefore, the main challenge was to develop the first implementation of Regev’s algorithm for quantum computers. The implementation served as the foundation for analyzing experimentally observable phenomena related to its speed and effectiveness, achieved by introducing and varying relevant parameters. Throughout our study, comparisons were made between Regev’s algorithm and Shor’s algorithm to highlight their respective strengths and limitations. Additionally, this paper aimed to identify and present potential areas for future research on Regev’s algorithm, providing a starting point for subsequent studies in the field.

The remainder of this paper is organized as follows. First, in Section 2, both Shor’s and Regev’s algorithms are reviewed and briefly compared, especially from the viewpoint of feasible implementations of the quantum part. The next part, Section 3, focuses on the non-trivial details of Regev’s algorithm implementation. Section 4 elaborates on the performance comparison of Regev’s and Shor’s algorithms, although the results related to the former are emphasized as more original. Finally, Section refconcl concludes the paper.

Basically, Shor’s algorithm finds the smallest even period r of a modular exponentiation function, which is defined as follows: z↦azmodN.z \mapsto {a^z}\,\bmod \,N.

Here, a is a random integer that belongs to the group of units of (ℤ/Nℤ) × and z ∈ ℤ. After finding the period of this function, factorizing N is trivial and begins with this equation: ar≡1modN.{a^r} \equiv 1\,\bmod \,N.

During the next steps, we use the condition that r is an even number: ar−1≡0modN;(ar2−1)(ar2+1)≡0modN;(ar2−1)(ar2+1)≡0mod(p·q).\matrix{ {{a^r} - 1 \equiv 0\,\bmod \,N;} \cr {\left( {{a^{{r \over 2}}} - 1} \right)\left( {{a^{{r \over 2}}} + 1} \right) \equiv 0\,\bmod \,N;} \cr {\left( {{a^{{r \over 2}}} - 1} \right)\left( {{a^{{r \over 2}}} + 1} \right) \equiv 0\,\bmod \,(p\cdotq).} \cr }

Therefore, there must exist such k ∈ ℤ, that: (ar2−1)(ar2+1)=p·q·k.\left( {{a^{{r \over 2}}} - 1} \right)\left( {{a^{{r \over 2}}} + 1} \right) = p\cdotq\cdotk.

It is very likely that p is a divisor of (ar2−1)\left( {{a^{{r \over 2}}} - 1} \right) and q is a divisor of (ar2+1)\left( {{a^{{r \over 2}}} + 1} \right). As discussed by Shor [3], this probability “is at least 1 – 1/2^k–1, where k is the number of distinct odd prime factors of n”, so in this case there is approximately a 50% chance. One possibility is that both p and q are factors of (ar2+1)\left( {{a^{{r \over 2}}} + 1} \right) or (ar2−1)\left( {{a^{{r \over 2}}} - 1} \right). Theoretically, there should not be any case where they are both factors of (ar2−1)\left( {{a^{{r \over 2}}} - 1} \right), but sometimes Shor’s algorithm finds a multiple of the smallest period. Once such an even period r is obtained, the prime factors p and q are computed using the greatest common divisor as follows: p=gcd((ar2−1),N);q=gcd((ar2+1),N)=Np.\matrix{ {p = \gcd \left( {\left( {{a^{{r \over 2}}} - 1} \right),N} \right);} \cr {q = \gcd \left( {\left( {{a^{{r \over 2}}} + 1} \right),N} \right) = {N \over p}.} \cr }

If it comes to the implementation, the most time-consuming part of the algorithm is a previously described modular exponentiation function: z↦azmodN.z \mapsto {a^z}\,\bmod \,N.

The reason is that seeing the period of this function requires z to be large enough. For the n-bit integer N, z increases to 2ⁿ. Moreover, this function needs to be applied in superposition inside the quantum part of the algorithm. In order to reduce a computational load, the repeated squaring trick is used. Thus, quantum part needs n multiplications of n-bit numbers, so roughly O˜(n2)\widetilde O\left( {{n^2}} \right) gates. The Big-O-tilde notation (O˜){\rm{(}}\widetilde O{\rm{)}} is commonly used in describing quantum metrics. Unlike the classical Big-O notation, it disregards logarithmic factors. For example, O(nlogn)=O˜(n)O(n\log n) = \widetilde O(n). Despite this reduction in computational complexity, the numbers that need to be computed are very large.

There is also an even more serious problem. Quantum effects, such as superposition and entanglement, can be destroyed during the run of an algorithm. This is because the larger the number of entangled particles and / or the larger the number of gates in a quantum circuit, the more quantum effects are susceptible to noise and decoherence, leading to destruction [6]. For this reason, it is desirable to reduce the number of quantum gates as much as possible.

To address these challenges, Oded Regev proposed the approach of extending to a larger number of dimensions [7]. The concept of his algorithm bears similarities to Shor’s algorithm, as it also focuses on finding the period of a specific function. However, the function is defined in a slightly different manner: 1(z1,z2,…,zd)↦a1z1·a2z2·…·adzdmodN.\left( {{z_1},{z_2}, \ldots ,{z_d}} \right) \mapsto a_1^{{z_1}}\cdota_2^{{z_2}}\cdot \ldots \cdota_d^{{z_d}}\,\bmod \,N.

Here, the numbers a₁, a₂, …, a_d are the first squared primes (that is, 4, 9, 25, …), N is still an integer of n bits that is being factorized, and z_i ∈ ℤ. After finding the period vector [r₁, r₂, …, r_d] of this function, factorization of N is trivial, and – similarly to the transformations described above – it starts with the following step: a1r1·a2r2·…·adrd≡1modN.a_1^{{r_1}}\cdota_2^{{r_2}}\cdot \ldots \cdota_d^{{r_d}} \equiv 1\,\bmod \,N.

Let us define ai=bi2{a_i} = b_i^2. Due to the fact that each a_i is a squared prime b_i: b12r1·b22r2·…·bd2rd≡1modN;b12r1·b22r2·…·bd2rd−1≡0modN;(b1r1·b2r2·…·bdrd−1)(b1r1·b2r2·…·bdrd+1)≡0modN.\matrix{ {b_1^{{2^{{r_1}}}}\cdotb_2^{{2^{{r_2}}}}\cdot \ldots \cdotb_d^{{2^{{r_d}}}} \equiv 1\,\bmod \,N;} \cr {b_1^{{2^{{r_1}}}}\cdotb_2^{2{r_2}}\cdot \ldots \cdotb_d^{{2^{{r_d}}}} - 1 \equiv 0\,\bmod \,N;} \cr {\left( {b_1^{{r_1}}\cdotb_2^{{r_2}}\cdot \ldots \cdotb_d^{{r_d}} - 1} \right)\left( {b_1^{{r_1}}\cdotb_2^{{r_2}}\cdot \ldots \cdotb_d^{{r_d}} + 1} \right) \equiv 0\,\bmod \,N.} \cr }

Regev’s algorithm relies on a number-theoretic heuristic assumption, as described in [7]. This assumption states that at least half of the period vectors, when applied to the analyzed cyclic function and followed by bilateral square rooting, produce non-trivial factors of 1 mod N, that is, factors that are neither 1 nor – 1. Consequently, this assumption ensures that, in at least half of the cases, b1r1·b2r2·…·bdrd∉{1,−1}b_1^{{r_1}}\cdotb_2^{{r_2}}\cdot \ldots \cdotb_d^{{r_d}} \notin \{ 1, - 1\} mod N. As a result, it avoids the trivial solutions (b1r1·b2r2·…·bdrd−1)=0\left( {b_1^{{r_1}}\cdotb_2^{{r_2}}\cdot \ldots \cdotb_d^{{r_d}} - 1} \right) = 0 or (b1r1·b2r2·…·bdrd+1)=0\left( {b_1^{{r_1}}\cdotb_2^{{r_2}}\cdot \ldots \cdotb_d^{{r_d}} + 1} \right) = 0, thereby enabling the computation of p and q, as detailed in the following discussion.

From this point, the reasoning aligns with that of Shor’s algorithm: p=gcd((b1r1·b2r2·…·bdrd−1),N);q=gcd((b1r1·b2r2·…·bdrd+1),N)=Np.\matrix{ {p = \gcd \left( {\left( {b_1^{{r_1}}\cdotb_2^{{r_2}}\cdot \ldots \cdotb_d^{{r_d}} - 1} \right),N} \right)} \cr {q = \gcd \left( {\left( {b_1^{{r_1}}\cdotb_2^{{r_2}}\cdot \ldots \cdotb_d^{{r_d}} + 1} \right),N} \right) = {N \over p}.} \cr }

In the next lines, we present a sketch of the proof that this approach will also result in a period vector finding. It is based on the brief proof description that Regev outlined in his work.

To find a period, there need to be at least two combinations of the vectors (z₁, z₂, …, z_d) that give the same function results. Following this condition, a period vector can be constructed by analyzing these two vector values.

The analyzed transform given in equation (1) is a product of d squared primes raised to a power of up to 2^n/d. Thus, the total number of results of the analyzed function is (2^n/d)d = 2ⁿ.

Furthermore, period r of the analyzed function abides by this inequality: r≤ϕ(N)=(p−1)(q−1)=pq−p−q+1<N=pq≤2n−1<2n.r \le \phi (N) = (p - 1)(q - 1) = pq - p - q + 1 < N = pq \le {2^n} - 1 < {2^n}.

Combining these two facts and using the pigeon hole principle, there have to be two vectors (z₁, z₂, …, z_d) giving the same function result and that is why the period can be found.

With this approach, each z_i goes up to 2^n/d and not up to 2ⁿ as in Shor’s approach, which reduces the scale of the computed numbers, and thus reduces the computational load. Moreover, it appears that the number of gates needed in the quantum part of the original Regev’s algorithm is reduced to O˜(n3/2)\widetilde O\left( {{n^{3/2}}} \right), which reduces the noise and decoherence of quantum effects. In our case, the gate complexity is on the order of O˜(n5/2logn)\widetilde O\left( {{n^{5/2}}\log n} \right), whereas the width of the quantum circuit is smaller, on the order of O˜(n)\widetilde O{\rm{(}}n{\rm{)}}.

Quantum algorithms are characterized using three metrics: width, depth and gate complexity. Their values help us assess runtime, simplicity of implementation, and resilience to decoherence, which directly affect the effectiveness of the quantum algorithm. Moreover, the complexities of Regev’s and Shor’s algorithms are heavily influenced by the choice of multiplication algorithm. Depending on it, quantum metrics change significantly.

• Width metric represents the number of qubits that are required to run an algorithm. It also takes into account ancillary qubits. The main purpose of ancillary qubits is to help perform computations – they do not contain any input or output values. Width affects the simplicity of implementation: the fewer the qubits, the easier it is to implement a quantum algorithm, due to the limited amount of qubits in existing quantum computers.

• Depth is the metric that describes the number of quantum gates in sequence. This value affects the quantum decoherence resistance as well as the run time of an algorithm. The fewer sequenced steps (gates), the faster and more robust the quantum circuit’s performance. Depth is often used to describe quantum algorithms interchangeably with width, because it is common for one to be reduced at the expense of another.

• Gate complexity represents the quantity of operations (quantum gates) required to run the algorithm. Its value has an impact on run time as well as on the quantum decoherence resistance. The lower the gate complexity, the less susceptible the algorithm’s quantum effects are to destruction by external noise.

Shor’s algorithm [3] factorizes an n-bit integer using gate complexity of order O˜(n2)\widetilde O\left( {{n^2}} \right). But, as previously described, large gate complexity comes with a large decoherence and in the result the collapse of quantum effects. Regev’s algorithm [7] addresses this issue and proposes a solution with gate complexity of O˜(n3/2)\widetilde O\left( {{n^{3/2}}} \right). It should be pointed out that a quantum circuit of this size needs to be run n\sqrt n times. Moreover, the gate complexity can be reduced at the expense of the complexity of the classical part of the algorithm. This is the case if superpolynomial-time classical post-processing is allowed. In that case, for 1 < ϵ ≤ 1/2, the gate complexity is of order O˜(n3/2−ϵ)\widetilde O\left( {{n^{3/2 - }}} \right) with the classical post-processing part (solving the hard lattice problem) of order O˜(en2ϵ)\widetilde O\left( {{e^{{n^{2}}}}} \right). Under these circumstances, the number of times that the quantum circuit needs to be run is n^1/2+ϵ. Regev states that the lower gate complexity comes at the expense of width, because his algorithm has a width of order O(n^3/2), while the optimized Shor’s algorithm O(n). If it comes to depth, Shor’s algorithm can be implemented with O˜(n3)\widetilde O\left( {{n^3}} \right) [15], O˜(n)\widetilde O{\rm{(}}n{\rm{)}} [16] or even O˜(logn)\widetilde O(\log n) [17] depending on the optimization and width of the algorithm. Currently, an optimized Shor’s algorithm uses depth of order O˜(n)\widetilde O{\rm{(}}n{\rm{)}}. Nevertheless, Regev states that his algorithm depth is smaller by O˜(n1/2)\widetilde O\left( {{n^{1/2}}} \right) than the original Shor’s algorithm.

Paper [9] provides a theoretical and mathematical overview of the improvements and modifications to the implementation of Regev’s algorithm. Based on this work, Table 1 presents a comparison of Shor’s and Regev’s algorithms in terms of theoretical circuit width and gate complexity for various multiplication algorithms. The comparison concerns just one run of the quantum algorithm: Shor’s algorithm needs only o(1) runs, while Regev’s algorithm needs o(n)o(\sqrt n ) runs in the proposed configuration.

Table 1.

Algorithm	Multiplication algorithm	Width	Gate complexity
Shor [3]	Harvey, Hoeven [18]	O(n log n)	O(n2 log n)
Shor	Schoolbook	O(n)	O(n3)
Shor	Gidney [19], KMY [20]	O(n)	Oϵ(n2+ϵ)
Optimized Shor [12,14,15,21,22]	Schoolbook	(1.5 + o(1))n	O˜(n3)\widetilde O\left( {{n^3}} \right)
Regev [7]	Schoolbook	O(n3/2)	O˜(n3/2)\widetilde O\left( {{n^{3/2}}} \right)
Regev [7]	Harvey, Hoeven [18]	O(n3/2)	O(n3/2 log n)
Optimized Regev [9]	Harvey, Hoeven [18]	O(n log n)	O(n3/2 log n)
Optimized Regev [9]	Gidney [19], KMY [20]	(10.32 + o(1))n	O˜ϵ(n3/2+ϵ){\widetilde O_}\left( {{n^{3/2 + }}} \right)
Optimized Regev [9]	Schoolbook [23]	(10.32 + o(1))n	O(n5/2 log n)
Our implementation	Schoolbook	O(n)	O(n5/2 log n)

In our work, we use d∈{⌈ n ⌉,⌊ n ⌋}d \in \{ \left\lceil {\sqrt n } \right\rceil ,\left\lfloor {\sqrt n } \right\rfloor \} quantum input registers, each of them having width qd∈{ ⌈ nd+d ⌉,⌊ nd+d ⌋ }qd \in \left\{ {\left\lceil {{n \over d} + d} \right\rceil ,\left\lfloor {{n \over d} + d} \right\rfloor } \right\}. Note that qd is a symbolic parameter name and should not be interpreted as a multiplication. Our output register has width n, while an ancilla register uses n + 1 qubits. Therefore, the upper bound width of our algorithm is calculated as: O(d·qd+n+n+1)=O(n·2n+2n+1)=O(4n+1)=O(n).O(d\cdotqd + n + n + 1) = O(\sqrt n \cdot2\sqrt n + 2n + 1) = O(4n + 1) = O(n).

As mentioned previously, Regev’s algorithm is a multidimensional version of Shor’s algorithm. The gate with the highest complexity metric upper bound value in both algorithms is a modulo exponentiation gate. In Shor’s quantum circuit, there is only one modulo exponentiation gate, while in Regev’s circuit, there are d modulo exponentiation gates, but each of them uses a smaller number of qubits. Regardless of the algorithm, a modulo exponentiation gate consists of 2w multiplications and each multiplication consists of w addition operations, where w is the width of the input quantum register. For addition, we used Häner implementation [11,14], which has gate complexity of O(w log w). Here, w denotes the widths of the quantum input and output registers. In Regev’s algorithm, the input and output registers used by the modulo exponentiation gate have different widths, and because of this, we experienced difficulties in applying theoretical Häner’s complexity in our case. Thus, we decided to take into consideration the worst possible scenario and its complexity is of the order O(w_output log w_output).

As a result, if it comes to gate complexity in our implementation of Regev’s algorithm, it consists of d modulo exponentiation gates, each with 2qd multiplications, each with qd operations of addition, each of complexity O(n log n). Therefore, the upper bound gate complexity of our algorithm is calculated as follows: O(d·2qd·qd·O(nlogn))=O(n·2(2n)·2n·O(nlogn))=O(8n3/2·O(nlogn))=O(n3/2·O(nlogn))=O(n5/2logn).\matrix{ {O(d\cdot2qd\cdotqd\cdotO(n\log n)) = O(\sqrt n \cdot2(2\sqrt n )\cdot2\sqrt n \cdotO(n\log n))} \hfill \cr { = O\left( {8{n^{3/2}}\cdotO(n\log n)} \right) = O\left( {{n^{3/2}}\cdotO(n\log n)} \right) = O\left( {{n^{5/2}}\log n} \right).} \hfill \cr }

The classical part of Shor’s algorithm has computational complexity O(n), where n = ⌈log₂ N⌉. In the case of Regev’s algorithm, it is equal to the complexity of running Lenstra–Lenstra–Lovász (LLL) algorithm [24]. The LLL algorithm, for a given lattice ℒ defined by the basis F = {f₁, …, f_z}, where z ≤ n and f₁, …, f_z ∈ ℝⁿ, finds a set of nearly shortest vectors. The computational complexity of the LLL algorithm for such a lattice ℒ is O(z⁵n log³ G), where G = max (∥f₁∥₂, …, ∥f_z∥₂).

In our case, the LLL algorithm is applied to the columns of the matrix B. The columns of B form a basis of a lattice in ℝ^d+m. Parameter M is the maximum Euclidean norm of the vectors in the lattice B. The details of lattice B are provided in Section 3.2. Therefore, the computational complexity of the classical part of Regev’s algorithm is polynomial and equal to O((d + m)⁶ log³ M).

The quantum part was developed using the Qiskit SDK. In addition, we used a quantum computer simulator provided with the qiskit-aer package. It performs calculations on a statevector that stores the probabilities of the basic states of the qubits. Using this tool, the Qiskit SDK runs a quantum circuit once and computes the full premeasurement state. Then an arbitrary number of measurements can be simulated. In a real quantum computer, the pre-measurement quantum state is not accessible; therefore, the quantum circuit must be executed separately for each measurement outcome. This approach in the simulator does not affect the accuracy of the results, since it directly follows the rules of quantum mechanics in the Qiskit framework. As mentioned in Section 1, we performed the simulations under ideal conditions, neglecting the effects of decoherence.

This feature is particularly beneficial in the context of Regev’s algorithm. The quantum part theoretically requires d + 4 executions. Using a quantum computer simulator, we simulate this behavior by performing a single execution of the quantum part, collecting 128 measurements, and subsequently selecting d + 4 vectors from the results rather than running a quantum part multiple times. The selection process of these d + 4 vectors is performed using one of the three methods described above in Section 3.2. This approach significantly reduced the overall runtime of the algorithm, enabling a detailed investigation into the impact of various parameters of Regev’s algorithm. In a real-world scenario, executing Regev’s algorithm on a physical quantum computer could further optimize the runtime of the quantum component. Even if d + 4 quantum part executions are required, this approach may still outperform the single-run simulation employed in this study.

Additionally, qiskit-aer package comes with different simulation methods, each with distinct properties. For example, some of them can support computation on a GPU or can simulate noise in quantum circuits. They also differ in the number of qubits they can simulate (excluding classical registers used for measurements) and in their hardware requirements. It is also possible to introduce noise to the simulator. In our implementation, we used the statevector simulator method, as it allows for simulating ideal circuit (without noise simulation) with the usage of CPU. However, this approach comes at the cost of large RAM consumption [26]. A statevector of n-qubits uses 2ⁿ complex values, each requiring 16 bytes of memory. This means that a 32-qubit vector uses 64 GB of RAM. Our environment enabled us to perform computations on up to 29 qubits, which requires 8 GB of RAM.

The applied quantum simulation method did not simulate quantum noise. In case of some of other simulation methods, or real quantum computers, it is necessary to apply quantum error mitigation techniques [27]. Qiskit also provides error mitigation techniques for running a quantum circuit on real quantum computers with its qiskit-ibm-runtime package [28].

3.1.2.

Regev’s Quantum Circuit

The implementation initializes a uniform superposition over the d quantum input registers using Hadamard gates, which constitutes the first step in the quantum component of the algorithm. In Regev’s paper [29], a Gaussian distribution is proposed instead. However, Kiebert notes that “It is possible that the algorithm still works if one takes a uniform superposition restricted to a grid, but this would lead to less convenient quantum Fourier transform calculations” [8]. Due to time constraints and the complexity of implementing a Gaussian distribution, we chose to use a uniform distribution instead. Consequently, our implementation represents a modified variant of Regev’s algorithm rather than a full implementation.

A Pauli-X gate is applied to the first qubit of the output register, which is equivalent to a NOT gate in classical computing. This operation sets the initial value of the output register to 1, enabling it to store the result of the multiplication process in subsequent steps (by default, the output register holds a value of 0). The next stage involves applying modulo exponentiation gates to each input register and the output register.

To implement this step, we used Stępień’s adaptation of Häner’s modular exponentiation gate. This variant was selected because, among the four variants analyzed in Stępień’s work [11], it yields a circuit with the best asymptotic complexity in terms of both size and depth. Regev’s algorithm employs d quantum input registers of smaller width qd, in contrast to Shor’s algorithm, which uses a single quantum input register of width n. Consequently, we modified Häner’s modulo exponentiation gate by eliminating redundant quantum input qubits in each of the d gates. In addition, we adopted Stępień’s naming convention [11] for quantum gates. The modulo exponentiation gate is referred to as the “Exp” gate and is decomposed into qd multiplication gates, denoted as “C-U” gates. Following this, the output register is ignored (measured), as its value is not relevant to our objectives. The next step involves applying Quantum Fourier Transform (QFT) gates to each quantum input register. Finally, the values of the quantum input registers are measured and stored in the classical registers.

To illustrate the impact of this decomposition, we present the quantum circuits in two forms: general and decomposed. This approach emphasizes that any modification leading to the addition of a single “Exp” quantum gate in the circuit actually results in an increase in the number of underlying quantum gates that make up that additional gate. Figures 1 and 2 depict a general and decomposed quantum circuits accordingly. The factorized number is 57 = 3 · 19 and a parameter combination is ceil_ceil (parameters d and qd are taken in the ceil version, which results in d = 3 and qd = 5). It is worth mentioning that in reality, the “Exp” gates are small quantum circuits. This also holds for the “C-U” gates, which are composed of the modulo adder gates. These, in turn, are composed of gates such as adder or carry, and these gates are finally composed from primary gates such as Pauli-X (X) or Hadamard gates. These gates compositions are described in detail in Stępień’s work [11].

Figure 1.

General quantum circuit for N = 57, d ceil and qd ceil (ceil_ceil) parameters.

Figure 2.

Decomposed quantum circuit for N = 57, d ceil and qd ceil (ceil_ceil) parameters.

3.1.3.

Output Vectors

Applying the Quantum Fourier Transform (QFT) and measuring the states of each quantum input register yields a specific output vector. For example, the output vector [10, 22, 21] consists of three values, each corresponding to the measurement of a quantum input register at the end of the quantum circuit. Measurement of the first quantum input register produces the value 10, the second register yields 22, and the third register results in 21.

In Qiskit’s nomenclature, measurements are referred to as shots. Due to the probabilistic nature of qubits in a quantum superposition, the values in the output vector may vary across multiple runs of the quantum circuit. Another consequence of qubit probabilistic behavior is that certain vectors have a higher probability of occurrence than others. As a result, repeated measurements of the quantum circuit output reveal variations in the frequency of observed vectors.

In summary, for a fixed N and parameter set, the measured vectors and their frequencies are governed by the underlying probability distribution and may vary between measurement collections.

In our implementation, we collected 128 measurements for each N using a single quantum circuit run. Consequently, the total number of vector occurrences sums up to 128. For example, the difference between Figures 3 and 4 illustrates the impact of quantum probabilities on the occurrences of the output vectors for N = 51 with the ceil_ceil and ceil_floor parameter settings.

Figure 3.

Output vector measurements for N = 51 and ceil_ceil parameters.

Figure 4.

Output vector measurements for N = 51 and ceil_floor parameters.

The goal of the classical part of Regev’s algorithm is to process the output of a quantum circuit to factorize a given number N. The environment for computations for the classical part was the same as for the quantum part. The used CPU model name is Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz. It has 12 logical cores (6 cores with 2 logical threads per core) and operates on x86_64 architecture in 64-bit mode. Its minimum clock speed is 800 MHz while maximum (with the Turbo Boost mechanism) is 4100 MHz. RAM has the total size of 16 Gi with the speed of 2667 MT/s (megatransfers per second).

To explain the classical part of Regev’s algorithm, it is necessary to introduce some new terms. Let us define the lattice ℒ, which represents trivial (that is, – 1 or 1) and non-trivial square roots of unity modulo-N: ℒ={ (z1,…,zn)∈Zd∣(∏ibizi)2=1modN }={ (z1,…,zn)∈Zd∣∏iaizi=1modN }⊂ℤd,\matrix{ {\cal L} \hfill & = \hfill & {\left\{ {\left( {{z_1}, \ldots ,{z_n}} \right) \in {Z^d}\mid {{\left( {\prod\limits_i {b_i^{{z_i}}} } \right)}^2} = 1\,\bmod \,N} \right\}} \hfill \cr {} \hfill & = \hfill & {\left\{ {\left( {{z_1}, \ldots ,{z_n}} \right) \in {Z^d}\mid \prod\limits_i {a_i^{{z_i}}} = 1\,\bmod \,N} \right\} \subset {^d},} \hfill \cr } (note that b = (b₁, …, b_d) and a=(b12,…,bd2)q = \left( {b_1^2, \ldots ,b_d^2} \right) were defined in Section 2.1).

Let us define the sublattice ℒ₀ of lattice ℒ, which represents trivial square roots of unity modulo-N: ℒ0={ (z1,…,zn)∈Zd∣∏ibizi∈{−1,1}modN }⊆ℒ.{{\cal L}_0} = \left\{ {\left( {{z_1}, \ldots ,{z_n}} \right) \in {Z^d}\mid \prod\limits_i {b_i^{{z_i}}} \in \{ - 1,1\} \,\bmod \,N} \right\} \subseteq {\cal L}.

It is worth noting that the lattice ℒ\ℒ₀ represents only not-trivial square roots of unity modulo N, which are the desired elements to factorize N with the use of Regev’s algorithm.

In our implementation, we used the parameters proposed in Kiebert’s work [8], which are defined as follows: m=d+4;R=6T(d+5)(2d+4)(d/2)·2(n+1)/(d+4)+d+2,\matrix{ {m\;{\rm{ = }}\;d\;{\rm{ + }}\;{\rm{4;}}} \cr {R = 6T\sqrt {(d + 5)(2d + 4)(d/2)} \cdot{2^{(n + 1)/(d + 4) + d + 2}},} \cr } where T is the upper bound on the norm of the smallest vector in ℒ\ℒ₀; t=1+⌈ log2(dR) ⌉δ=d2R;S=δ−1.\matrix{ {t = 1 + \left\lceil {{{\log }_2}(\sqrt d R)} \right\rceil } \cr {\delta = {{\sqrt d } \over {\sqrt 2 R}};} \cr {S = {\delta ^{ - 1}}.} \cr }

The matrix B is defined as follows:

However, we rounded the parameter S to the nearest integer. Without this adjustment, the LLL algorithm for some numbers could reduce the vectors to a zero vector. For small numbers, it is possible to find exactly such a vector with complexity O(qd^d), but it is equivalent to finding a result vector that allows computing p and q for N without a usage lattice and LLL algorithm. For large numbers, this approach is very time consuming. To make our solution scalable, we approximate the value of T using a heuristic assumption introduced in Regev’s work. It states that there exists a vector in ℒ\ℒ₀ with the norm at most T=exp(O(nd))T = \exp \left( {O\left( {{n \over d}} \right)} \right). This assumption provides an estimate for the likely norm of the desired vectors before applying the LLL algorithm. Based on this, we can predict the value of R, which influences the determinant of the matrix B. By estimating R, we can adjust the determinant of B to ensure that, after applying the LLL algorithm, we are likely to obtain vectors with the desired norm. The correlation between the determinant of matrix B and the impact on the length of vectors after applying the LLL algorithm, along with a mathematical proof, is detailed in Kiebert’s work [24]. For small N(N ≤ 57), we found that a good approximation for T is ⌈ exp(n2d) ⌉\left\lceil {\exp \left( {{n \over {2d}}} \right)} \right\rceil . This result was obtained by calculating accurate values of T for a few cases and determining the best-fitting curve. The comparison between the exact values of T and the approximation using the function exp(n2d)\exp \left( {{n \over {2d}}} \right) is presented in Table 3.

Following the implementation of the algorithm and its execution on a simulated quantum computer under ideal conditions, we conducted a series of experiments. Selecting multiple output vectors from the quantum circuit consists in executing the circuit once and then performing multiple measurements of the statevector, rather than running the quantum circuit independently multiple times. Therefore, we collect 128 vectors for every parameter (ceil_ceil, ceil_floor, floor_ceil and floor_floor) and for all values N that our hardware allows us to simulate (as indicated in Table 2). Therefore, after measuring quantum output vectors, we simulate many independent runs of circuits. In our program, we implemented a method called run_file_data_analyzer, which analyzes the outputs of quantum circuit saved in files. The purpose of this function is to measure the effectiveness of finding square roots of unity modulo-N (highlighting non-trivial ones) for our implementation of Regev’s algorithm. This method takes four parameters. Two of them specify which quantum output files to analyze, while the other two define the type of test (parameter type_of_test) and the number of repetitions (parameter number_of_combination). We implemented three different types of tests.

In the first test, we randomly took d + 4 vectors according to the probability of their return by the quantum circuit. This approach allows us to simulate d + 4 executions of the quantum circuit.

In the second test, we wanted to check whether there exist some vectors that, despite frequent occurrence among quantum circuit output vectors, might not be a good approximation of the vectors from the dual lattice ℒ*. To achieve that, we selected each vector from the quantum circuit’s output with equal probability to form a set of d + 4 vectors, regardless of how many times a specific vector was returned. If the results of the second test were better than those of the first test, it would indicate that certain frequently returned vectors – such as [0, 0, 0] for N = 21 – reduce the algorithm’s effectiveness.

In the third test, we generated completely random vectors. The length of the vector is defined by parameter d. In the quantum circuit, each coordinate of the vector is measured from qd qubits. That means that if it was unknown what happens in the circuit, we could assume that the measurement would return values from the range [0, 2^qd). Thus, according to this method, we create vectors of length d with random coordinates in the range [0, 2^qd). This test allows us to verify whether the correct factoring of N in our implementation of Regev’s algorithm is not a coincidence.

In each test, we measured two parameters. The first parameter is a percentage of vectors that, after computation, returns the square root of unity modulo-N. The second parameter is the percentage of vectors that return non-trivial square roots of unity modulo-N, i.e., values not equal to – 1 or 1. For every number N and parameters d and qd that we tried to factorize on the quantum circuit simulator, we ran the three tests 1000 times to gather sufficient statistics.

As discussed in the preceding sections, our implementation is subject to several limitations. Due to memory constraints, computations were restricted to circuits of at most 29 qubits, which limited the problem size to relatively small instances, with the largest factorized number being N = 143. All simulations were performed under ideal, noise-free conditions; consequently, the algorithm’s effectiveness is expected to be lower in practical, noisy settings. Furthermore, the use of a uniform superposition in place of the Gaussian superposition prescribed in Regev’s algorithm may have additionally affected the observed performance.

In Regev’s algorithm, the execution time of the quantum part depends on the chosen rounding for the parameters d and qd. This is because these parameters directly impact the circuit width (the number of qubits that need to be simulated) and gate complexity (the number of quantum gates in the quantum circuit). However, the faster the quantum part was executed, the lower the effectiveness of factoring the number N we obtained. The execution time of Regev’s algorithm was significantly greater than that of Shor’s algorithm (for both the quantum and classical parts). This is because Regev’s algorithm is asymptotically more efficient than Shor’s algorithm, and this advantage is not apparent for smaller N.

In our implementation of Regev’s algorithm, the parameters proposed in Kiebert’s work resulted in low effectiveness in factoring the number N. The results we obtained were similar to those obtained by using a random vector. For N > 35, we observed significantly lower effectiveness compared to Shor’s algorithm. In our implementation of the algorithm, due to its complexity, we did not implement the Gaussian distribution, which is correlated with parameter t. Therefore, we assumed that changing the value of t might increase the effectiveness of our implementation.

For some values of t, we achieved much greater effectiveness. For some values of N, this even improved the effectiveness over Shor’s algorithm. Table 6 shows the values of t for which we achieved the highest effectiveness. Unfortunately, the correlation between the value of the parameter t and the effectiveness of finding a non-trivial square root modulo-N is not visible. However, we can conclude that the choice of parameters in the classical part has a significant impact on the algorithm’s effectiveness.