Nishant Rodrigues,Brad Lackey

DOI: https://doi.org/10.48550/arXiv.2110.13352

2021-10-26

Quantum Physics

Abstract:Lattices are very important objects in the effort to construct cryptographic primitives that are secure against quantum attacks. A central problem in the study of lattices is that of finding the shortest non-zero vector in the lattice. Asymptotically, sieving is the best known technique for solving the shortest vector problem, however, sieving requires memory exponential in the dimension of the lattice. As a consequence, enumeration algorithms are often used in place of sieving due to their linear memory complexity, despite their super-exponential runtime. In this work, we present a heuristic quantum sieving algorithm that has memory complexity polynomial in the size of the length of the sampled vectors at the initial step of the sieve. In other words, unlike most sieving algorithms, the memory complexity of our algorithm does not depend on the number of sampled vectors at the initial step of the sieve.

Thijs Laarhoven,Michele Mosca,Joop van de Pol

DOI: https://doi.org/10.48550/arXiv.1301.6176

2013-01-25

Cryptography and Security

Abstract:By applying Grover's quantum search algorithm to the lattice algorithms of Micciancio and Voulgaris, Nguyen and Vidick, Wang et al., and Pujol and Stehl\'{e}, we obtain improved asymptotic quantum results for solving the shortest vector problem. With quantum computers we can provably find a shortest vector in time $2^{1.799n + o(n)}$, improving upon the classical time complexity of $2^{2.465n + o(n)}$ of Pujol and Stehl\'{e} and the $2^{2n + o(n)}$ of Micciancio and Voulgaris, while heuristically we expect to find a shortest vector in time $2^{0.312n + o(n)}$, improving upon the classical time complexity of $2^{0.384n + o(n)}$ of Wang et al. These quantum complexities will be an important guide for the selection of parameters for post-quantum cryptosystems based on the hardness of the shortest vector problem.

Joao F. Doriguello,George Giapitzakis,Alessandro Luongo,Aditya Morolia

2024-10-18

Abstract:One of the main candidates of post-quantum cryptography is lattice-based cryptography. Its cryptographic security against quantum attackers is based on the worst-case hardness of lattice problems like the shortest vector problem (SVP), which asks to find the shortest non-zero vector in an integer lattice. Asymptotic quantum speedups for solving SVP are known and rely on Grover's search. However, to assess the security of lattice-based cryptography against these Grover-like quantum speedups, it is necessary to carry out a precise resource estimation beyond asymptotic scalings. In this work, we perform a careful analysis on the resources required to implement several sieving algorithms aided by Grover's search for dimensions of cryptographic interests. For such, we take into account fixed-point quantum arithmetic operations, non-asymptotic Grover's search, the cost of using quantum random access memory (QRAM), different physical architectures, and quantum error correction. We find that even under very optimistic assumptions like circuit-level noise of $10^{-5}$, code cycles of 100 ns, reaction time of 1 $\mu$s, and using state-of-the-art arithmetic circuits and quantum error-correction protocols, the best sieving algorithms require $\approx 10^{13}$ physical qubits and $\approx 10^{31}$ years to solve SVP on a lattice of dimension 400, which is roughly the dimension for minimally secure post-quantum cryptographic standards currently being proposed by NIST. We estimate that a 6-GHz-clock-rate single-core classical computer would take roughly the same amount of time to solve the same problem. We conclude that there is currently little to no quantum speedup in the dimensions of cryptographic interest and the possibility of realising a considerable quantum speedup using quantum sieving algorithms would require significant breakthroughs in theoretical protocols and hardware development.

Quantum Physics,Cryptography and Security

Eden Schirman,Cong Ling,Florian Mintert

2023-07-22

Abstract:Leading protocols of post-quantum cryptosystems are based on the mathematical problem of finding short vectors in structured lattices. It is assumed that the structure of these lattices does not give an advantage for quantum and classical algorithms attempting to find short vectors. In this work we focus on cyclic and nega-cyclic lattices and give a quantum algorithmic framework of how to exploit the symmetries underlying these lattices. This framework leads to a significant saving in the quantum resources (e.g. qubits count and circuit depth) required for implementing a quantum algorithm attempting to find short vectors. We benchmark the proposed framework with the variational quantum eigensolver, and show that it leads to better results while reducing the qubits count and the circuit depth. The framework is also applicable to classical algorithms aimed at finding short vectors in structured lattices, and in this regard it could be seen as a quantum-inspired approach.

Quantum Physics

Martin R. Albrecht,Miloš Prokop,Yixin Shen,Petros Wallden

DOI: https://doi.org/10.22331/q-2023-03-02-933

2023-03-02

Quantum

Abstract:A fundamental computational problem is to find a shortest non-zero vector in Euclidean lattices, a problem known as the Shortest Vector Problem (SVP). This problem is believed to be hard even on quantum computers and thus plays a pivotal role in post-quantum cryptography. In this work we explore how (efficiently) Noisy Intermediate Scale Quantum (NISQ) devices may be used to solve SVP. Specifically, we map the problem to that of finding the ground state of a suitable Hamiltonian. In particular, (i) we establish new bounds for lattice enumeration, this allows us to obtain new bounds (resp. estimates) for the number of qubits required per dimension for any lattices (resp. random q-ary lattices) to solve SVP; (ii) we exclude the zero vector from the optimization space by proposing (a) a different classical optimisation loop or alternatively (b) a new mapping to the Hamiltonian. These improvements allow us to solve SVP in dimension up to 28 in a quantum emulation, significantly more than what was previously achieved, even for special cases. Finally, we extrapolate the size of NISQ devices that is required to be able to solve instances of lattices that are hard even for the best classical algorithms and find that with approximately 10 3 noisy qubits such instances can be tackled.

physics, multidisciplinary,quantum science & technology

Yanlin Chen,Kai-Min Chung,Ching-Yi Lai

DOI: https://doi.org/10.26421/qic18.3-4-7

2018-03-01

Quantum Information and Computation

Abstract:A lattice is the integer span of some linearly independent vectors. Lattice problems have many significant applications in coding theory and cryptographic systems for their conjectured hardness. The Shortest Vector Problem (SVP), which asks to find a shortest nonzero vector in a lattice, is one of the well-known problems that are believed to be hard to solve, even with a quantum computer. In this paper we propose space-efficient classical and quantum algorithms for solving SVP. Currently the best time-efficient algorithm for solving SVP takes 2^{n+o(n)} time and 2^{n+o(n)} space. Our classical algorithm takes 2^{2.05n+o(n)} time to solve SVP and it requires only 2^{0.5n+o(n)} space. We then adapt our classical algorithm to a quantum version, which can solve SVP in time 2^{1.2553n+o(n)} with 2^{0.5n+o(n)} classical space and only poly(n) qubits.

physics, particles & fields,quantum science & technology, mathematical,computer science, theory & methods

Divesh Aggarwal,Yanlin Chen,Rajendra Kumar,Yixin Shen

DOI: https://doi.org/10.48550/arXiv.2002.07955

2020-02-19

Data Structures and Algorithms

Abstract:The most important computational problem on lattices is the Shortest Vector Problem (SVP). In this paper, we present new algorithms that improve the state-of-the-art for provable classical/quantum algorithms for SVP. We present the following results. $\bullet$ A new algorithm for SVP that provides a smooth tradeoff between time complexity and memory requirement. For any positive integer $4\leq q\leq \sqrt{n}$, our algorithm takes $q^{13n+o(n)}$ time and requires $poly(n)\cdot q^{16n/q^2}$ memory. This tradeoff which ranges from enumeration ($q=\sqrt{n}$) to sieving ($q$ constant), is a consequence of a new time-memory tradeoff for Discrete Gaussian sampling above the smoothing parameter. $\bullet$ A quantum algorithm for SVP that runs in time $2^{0.950n+o(n)}$ and requires $2^{0.5n+o(n)}$ classical memory and poly(n) qubits. In Quantum Random Access Memory (QRAM) model this algorithm takes only $2^{0.835n+o(n)}$ time and requires a QRAM of size $2^{0.293n+o(n)}$, poly(n) qubits and $2^{0.5n}$ classical space. This improves over the previously fastest classical (which is also the fastest quantum) algorithm due to [ADRS15] that has a time and space complexity $2^{n+o(n)}$. $\bullet$ A classical algorithm for SVP that runs in time $2^{1.669n+o(n)}$ time and $2^{0.5n+o(n)}$ space. This improves over an algorithm of [CCL18] that has the same space complexity. The time complexity of our classical and quantum algorithms are obtained using a known upper bound on a quantity related to the lattice kissing number which is $2^{0.402n}$. We conjecture that for most lattices this quantity is a $2^{o(n)}$. Assuming that this is the case, our classical algorithm runs in time $2^{1.292n+o(n)}$, our quantum algorithm runs in time $2^{0.750n+o(n)}$ and our quantum algorithm in QRAM model runs in time $2^{0.667n+o(n)}$.

André Chailloux,Johanna Loyer

DOI: https://doi.org/10.48550/arXiv.2105.05608

2021-05-12

Quantum Physics

Abstract:Lattice-based cryptography is one of the leading proposals for post-quantum cryptography. The Shortest Vector Problem (SVP) is arguably the most important problem for the cryptanalysis of lattice-based cryptography, and many lattice-based schemes have security claims based on its hardness. The best quantum algorithm for the SVP is due to Laarhoven [Laa16 PhD] and runs in (heuristic) time $2^{0.2653d + o(d)}$. In this article, we present an improvement over Laarhoven's result and present an algorithm that has a (heuristic) running time of $2^{0.2570 d + o(d)}$ where $d$ is the lattice dimension. We also present time-memory trade-offs where we quantify the amount of quantum memory and quantum random access memory of our algorithm. The core idea is to replace Grover's algorithm used in [Laa16 PhD] in a key part of the sieving algorithm by a quantum random walk in which we add a layer of local sensitive filtering.

David Joseph,Adam Callison,Cong Ling,Florian Mintert

DOI: https://doi.org/10.1103/PhysRevA.103.032433

2021-03-27

Abstract:Quantum computers are expected to break today's public key cryptography within a few decades. New cryptosystems are being designed and standardized for the postquantum era, and a significant proportion of these rely on the hardness of problems like the shortest-vector problem to a quantum adversary. In this paper we describe two variants of a quantum Ising algorithm to solve this problem. One variant is spatially efficient, requiring only O(Nlog2N) qubits, where N is the lattice dimension, while the other variant is more robust to noise. Analysis of the algorithms' performance on a quantum annealer and in numerical simulations shows that the more qubit-efficient variant will outperform in the long run, while the other variant is more suitable for near-term implementation. https://doi.org/10.1103/PhysRevA.103.032433 ©2021 American Physical Society

English Else

Thijs Laarhoven

DOI: https://doi.org/10.1007/978-3-319-69453-5_28

2017-01-01

Abstract:Lattice-based cryptography has recently emerged as a prime candidate for efficient and secure post-quantum cryptography. The two main hard problems underlying its security are the shortest vector problem (SVP) and the closest vector problem (CVP). Various algorithms have been studied for solving these problems, and for SVP, lattice sieving currently dominates in terms of the asymptotic time complexity: one can heuristically solve SVP in time $$2^{0.292d + o(d)}$$ in high dimensions d [Becker–Ducas–Gama–Laarhoven, SODA’16]. Although several SVP algorithms can also be used to solve CVP, it is not clear whether this also holds for heuristic lattice sieving methods. The best time complexity for CVP is currently $$2^{0.377d + o(d)}$$ [Becker–Gama–Joux, ANTS’14].In this paper we revisit sieving algorithms for solving SVP, and study how these algorithms can be modified to solve CVP and its variants as well. Our first method is aimed at solving one problem instance and minimizes the overall time complexity for a single CVP instance with a time complexity of $$2^{0.292d + o(d)}$$. Our second method minimizes the amortized time complexity for several instances on the same lattice, at the cost of a larger preprocessing cost. Using nearest neighbor searching with a balanced space-time tradeoff, with this method we can solve the closest vector problem with preprocessing (CVPP) with $$2^{0.636d + o(d)}$$ space and preprocessing, in $$2^{0.136d + o(d)}$$ time, while the query complexity can be further reduced to $$2^{0.059d + o(d)}$$ at the cost of $$2^{d + o(d)}$$ space and preprocessing, or even to $$2^{\varepsilon d + o(d)}$$ for arbitrary $$\varepsilon > 0$$, at the cost of preprocessing time and memory complexities of $$(1/\varepsilon )^{O(d)}$$.For easier variants of CVP, such as approximate CVP and bounded distance decoding (BDD), we further show how the preprocessing method achieves even better complexities. For instance, we can solve approximate CVPP with large approximation factors $$\kappa $$ with polynomial-sized advice in polynomial time if $$\kappa = \varOmega (\sqrt{d / \log d})$$. This heuristically closes the gap between the decision-CVPP result of [Aharonov–Regev, FOCS’04] (with equivalent $$\kappa $$) and the search-CVPP result of [Dadush–Regev–Stephens-Davidowitz, CCC’14] (which required larger $$\kappa $$).

David Joseph,Adam Callison,Cong Ling,Florian Mintert

DOI: https://doi.org/10.48550/arXiv.2006.14057

2020-06-24

Quantum Physics

Abstract:Quantum computers are expected to break today's public key cryptography within a few decades. New cryptosystems are being designed and standardised for the post-quantum era, and a significant proportion of these rely on the hardness of problems like the Shortest Vector Problem to a quantum adversary. In this paper we describe two variants of a quantum Ising algorithm to solve this problem. One variant is spatially efficient, requiring only O(NlogN) qubits where N is the lattice dimension, while the other variant is more robust to noise. Analysis of the algorithms' performance on a quantum annealer and in numerical simulations show that the more qubit-efficient variant will outperform in the long run, while the other variant is more suitable for near-term implementation.

Qian Zuo,Tongyang Li

DOI: https://doi.org/10.48550/arxiv.2307.06627

2023-01-01

Abstract:We propose fast and practical quantum-inspired classical algorithms for solving linear systems. Specifically, given sampling and query access to a matrix $A\in\mathbb{R}^{m\times n}$ and a vector $b\in\mathbb{R}^m$, we propose classical algorithms that produce a data structure for the solution $x\in\mathbb{R}^{n}$ of the linear system $Ax=b$ with the ability to sample and query its entries. The resulting $x$ satisfies $\|x-A^{+}b\|\leq\epsilon\|A^{+}b\|$, where $\|\cdot\|$ is the spectral norm and $A^+$ is the Moore-Penrose inverse of $A$. Our algorithm has time complexity $\widetilde{O}(\kappa_F^4/\kappa\epsilon^2)$ in the general case, where $\kappa_{F} =\|A\|_F\|A^+\|$ and $\kappa=\|A\|\|A^+\|$ are condition numbers. Compared to the prior state-of-the-art result [Shao and Montanaro, arXiv:2103.10309v2], our algorithm achieves a polynomial speedup in condition numbers. When $A$ is $s$-sparse, our algorithm has complexity $\widetilde{O}(s \kappa\log(1/\epsilon))$, matching the quantum lower bound for solving linear systems in $\kappa$ and $1/\epsilon$ up to poly-logarithmic factors [Harrow and Kothari]. When $A$ is $s$-sparse and symmetric positive-definite, our algorithm has complexity $\widetilde{O}(s\sqrt{\kappa}\log(1/\epsilon))$. Technically, our main contribution is the application of the heavy ball momentum method to quantum-inspired classical algorithms for solving linear systems, where we propose two new methods with speedups: quantum-inspired Kaczmarz method with momentum and quantum-inspired coordinate descent method with momentum. Their analysis exploits careful decomposition of the momentum transition matrix and the application of novel spectral norm concentration bounds for independent random matrices. Finally, we also conduct numerical experiments for our algorithms on both synthetic and real-world datasets, and the experimental results support our theoretical claims.

Sirui Shen,Wenqing Song,Xinyu Wang,Xinyu Shao,Yuxiang Fu,Zhonghai Lu,Li

DOI: https://doi.org/10.1109/iscas48785.2022.9937989

2022-01-01

Abstract:Discrete Gaussian sampling is one of the important components in lattice-based cryptosystems which are promising candidates for post-quantum cryptographic algorithms. For sufficient security and satisfactory performance, the Knuth-Yao algorithm is an efficient way to implement discrete Gaussian samplers. Nevertheless, most polynomials in lattice-based cryptography have 256 coefficients or more, which suffers from long latency to complete the sample generation. In this paper, the first parallel discrete Gaussian sampler with hierarchical structure is proposed, while keeping statistical distance to the actual distribution. Based on the imbalanced visiting frequency of the probability matrix, a three-stage generation strategy is adopted with hierarchical bit search units (BSUs) that can greatly reduce area consumption of the repeated costly lookup tables. Besides the architecture improvement, a lowest-set-bit scanning scheme is introduced to BSUs. Moreover, the parallelism of our design provides obfuscation ability against side-channel attacks (SCAs). A practical hardware implementation of discrete Gaussian distributions with $\sigma$=3.33 on the Xilinx Virtex-5 XC5VLX30 FPGA device spends 26.12 ns on average to generate 256 samples, consuming 994 slices. Results have verified its advantages of area efficiency over the state-of-the-arts (SOAs).

Matthew Kowalsky,Tameem Albash,Itay Hen,Daniel A. Lidar

DOI: https://doi.org/10.1088/2058-9565/ac4d1b

2022-02-21

Abstract:With current semiconductor technology reaching its physical limits, special-purpose hardware has emerged as an option to tackle specific computing-intensive challenges. Optimization in the form of solving Quadratic Unconstrained Binary Optimization (QUBO) problems, or equivalently Ising spin glasses, has been the focus of several new dedicated hardware platforms. These platforms come in many different flavors, from highly-efficient hardware implementations on digital-logic of established algorithms to proposals of analog hardware implementing new algorithms. In this work, we use a mapping of a specific class of linear equations whose solutions can be found efficiently, to a hard constraint satisfaction problem (3-regular 3-XORSAT, or an Ising spin glass) with a 'golf-course' shaped energy landscape, to benchmark several of these different approaches. We perform a scaling and prefactor analysis of the performance of Fujitsu's Digital Annealer Unit (DAU), the D-Wave Advantage quantum annealer, a Virtual MemComputing Machine, Toshiba's Simulated Bifurcation Machine (SBM), the SATonGPU algorithm from Bernaschi et al., and our implementation of parallel tempering. We identify the SATonGPU and DAU as currently having the smallest scaling exponent for this benchmark, with SATonGPU having a small scaling advantage and in addition having by far the smallest prefactor thanks to its use of massive parallelism. Our work provides an objective assessment and a snapshot of the promise and limitations of dedicated optimization hardware relative to a particular class of optimization problems.

Quantum Physics

Yu-Ao Chen,Xiao-Shan Gao,Chun-Ming Yuan

DOI: https://doi.org/10.48550/arXiv.1802.03856

2018-10-07

Abstract:In this paper, we give quantum algorithms for two fundamental computation problems: solving polynomial systems over finite fields and optimization where the arguments of the objective function and constraints take values from a finite field or a bounded interval of integers. The quantum algorithms can solve these problems with any given success probability and have polynomial runtime complexities in the size of the input, the degree of the inequality constraints, and the condition number of certain matrices derived from the problem. So, we achieved exponential speedup for these problems when their condition numbers are small. As applications, quantum algorithms are given to three basic computational problems in cryptography: the polynomial system with noise problem, the short integer solution problem, the shortest vector problem, as well as the cryptanalysis for the lattice based NTRU cryptosystem. It is shown that these problems and NTRU can against quantum computer attacks only if their condition numbers are large, so the condition number could be used as a new criterion for the lattice based post-quantum cryptosystems.

Symbolic Computation,Computational Complexity,Cryptography and Security,Quantum Physics

Léo Ducas,Maxime Plançon,Benjamin Wesolowski

DOI: https://doi.org/10.1007/978-3-030-26948-7_12

2019-01-01

Abstract:The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard as the analog problem for general lattices (SVP), even when considering quantum algorithms.But in the last few years, a series of works has lead to a quantum algorithm for Ideal-SVP that outperforms what can be done for general SVP in certain regimes. More precisely, it was demonstrated (under certain hypotheses) that one can find in quantum polynomial time a vector longer by a factor at most documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$alpha = exp ({widetilde{O}(n^{1/2})})$$end{document} than the shortest non-zero vector in a cyclotomic ideal lattice, where n is the dimension.In this work, we explore the constants hidden behind this asymptotic claim. While these algorithms have quantum steps, the steps that impact the approximation factor documentclass[12pt]{minimal}usepackage{amsmath}usepackage{wasysym}usepackage{amsfonts}usepackage{amssymb}usepackage{amsbsy}usepackage{mathrsfs}usepackage{upgreek}setlength{oddsidemargin}{-69pt}egin{document}$$alpha $$end{document} are entirely classical, which allows us to estimate it experimentally using only classical computing. Moreover, we design heuristic improvements for those steps that significantly decrease the hidden factors in practice. Finally, we derive new provable effective lower bounds based on volumetric arguments.This study allows to predict the crossover point with classical lattice reduction algorithms, and thereby determine the relevance of this quantum algorithm in any cryptanalytic context. For example we predict that this quantum algorithm provides shorter vectors than BKZ-300 (roughly the weakest security level of NIST lattice-based candidates) for cyclotomic rings of rank larger than about 24000.

Chaohui Du,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1109/trustcom.2015.510

2015-01-01

Abstract:Lattice-based cryptography is considered as a main candidate for post-quantum cryptosystems. Its security is based on worst-case computational assumptions in lattices that remain hard even for quantum computers. In this paper, we present an efficient software implementation of lattice based Ring-LWE public key encryption scheme, which optimizes the two basic building blocks: multiplication over polynomial rings and discrete Gaussian sampling. We exploit the number theoretic transform (NTT) to speed up polynomial multiplication over rings and propose an optimized single instruction multiple data (SIMD) based implementation of NTT. It takes 1965/4411 clock cycles to perform a transform with 256/512 elements. Our implementation can save about 75% memory accesses and more than 51% modulo q operations during NTT computation. On the other hand, we propose an efficient implementation of high precision discrete Gaussian sampler, which is based on the inverse of the cumulative distribution function. Our implementation has maximum statistical distance of 2-90 to a theoretical discrete Gaussian distribution. It takes on average 15.4 ns and 9.5 uniformly random bits to generate a Gaussian sample. With these optimizations, our implementation of the public key encryption scheme performs encryption/decryption operations in 15.88/2.37 μs for medium security and 31.30/4.59 μs for high security on one core of an Intel Core i7-4771 processor. Its throughput is higher than the existing software implementation by about two orders of magnitude, and it is even higher than all the hardware implementations.

Wei Wei,Mingjie Liu,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-319-16715-2_13

2015-01-01

Abstract:The \(\lambda _i\)-gap \(\lambda _i/\lambda _1\) among the successive minima of a lattice especially its \(\lambda _2\)-gap often provides useful information for analyzing the security of lattice-based cryptographic schemes. In this paper, we mainly study the efficiency of shortest vector problem (SVP) algorithms for lattices with \(\lambda _i\)-gap. First, we prove new upper bounds for the packing density of this type of lattices. Based on these results, we discuss the efficiency of the ListSieve-Birthday algorithm proposed by Pujol and Stehlé for SVP, and obtain the conclusion that the complexity will decrease obviously as the \(\lambda _i\)-gap increases. Particularly, ListSieve-Birthday becomes faster than the current best deterministic (Voronoi cell-based) algorithm for SVP, as long as \(\lambda _2\)-gap is larger than 1.78. When \(\lambda _2\)-gap is up to 28, the time complexity is \(2^{0.9992n+o(n)}\), and the coefficient factor of \(n\) is approximately to 0.802 if \(\lambda _2\)-gap is large enough. Moreover, we provide an SVP approximation algorithm modified by the ListSieve-Birthday algorithm. This algorithm terminates sieve process earlier and relaxes the birthday search, and hence decreases the time complexity significantly.

Sabrina Ammann,Maximilian Hess,Debora Ramacciotti,Sándor P. Fekete,Paulina L. A. Goedicke,David Gross,Andreea Lefterovici,Tobias J. Osborne,Michael Perk,Antonio Rotundo,S. E. Skelton,Sebastian Stiller,Timo de Wolff

2023-11-17

Abstract:In recent years, strong expectations have been raised for the possible power of quantum computing for solving difficult optimization problems, based on theoretical, asymptotic worst-case bounds. Can we expect this to have consequences for Linear and Integer Programming when solving instances of practically relevant size, a fundamental goal of Mathematical Programming, Operations Research and Algorithm Engineering? Answering this question faces a crucial impediment: The lack of sufficiently large quantum platforms prevents performing real-world tests for comparison with classical methods. In this paper, we present a quantum analog for classical runtime analysis when solving real-world instances of important optimization problems. To this end, we measure the expected practical performance of quantum computers by analyzing the expected gate complexity of a quantum algorithm. The lack of practical quantum platforms for experimental comparison is addressed by hybrid benchmarking, in which the algorithm is performed on a classical system, logging the expected cost of the various subroutines that are employed by the quantum versions. In particular, we provide an analysis of quantum methods for Linear Programming, for which recent work has provided asymptotic speedup through quantum subroutines for the Simplex method. We show that a practical quantum advantage for realistic problem sizes would require quantum gate operation times that are considerably below current physical limitations.

Quantum Physics,Data Structures and Algorithms,Optimization and Control

Elijah Pelofske,Georg Hahn,Hristo Djidjev

2024-11-06

Abstract:Posiform planting is a method for constructing QUBO problems with a single unique planted solution that can be tailored to arbitrary connectivity graphs. In this study we investigate making posiform planted QUBOs computationally harder by fusing many smaller random discrete coefficient spin-glass Ising models, whose global minimum energy is computed classically using classical binary integer programming optimization software, with posiform-planted QUBOs. The single unique ground-state solution of the resulting QUBO problem is the concatenation of (exactly one of) the ground-states of each of the smaller problems. We apply these modified posiform planted QUBOs to the task of benchmarking programmable D-Wave quantum annealers. The proposed method enables generating binary variable combinatorial optimization problems that cover the entire quantum annealing processor hardware graph, have a unique solution, are entirely hardware-graph-native, and can have tunable computational hardness. We benchmark the capabilities of three D-Wave superconducting qubit quantum annealing processors, having from 563 up to 5627 qubits, to sample the optimal unique planted solution of problems generated by our proposed method and compare them against simulated annealing and Gurobi. We find that the D-Wave QPU ground-state sampling success rate does not change with respect to the size of the random QUBOs we employ. Surprisingly, we find that some of these classes of QUBOs are solved at very high success rates at short annealing times compared to longer annealing times for the Zephyr connectivity graph QPUs.

Quantum Physics,Optimization and Control