Abstract
We investigate prime factorization from two perspectives: quantum annealing and computational algebraic geometry, specifically Gröbner bases. We present a novel autonomous algorithm which combines the two approaches and leads to the factorization of all biprimes up to just over 200000, the largest number factored to date using a quantum processor. We also explain how Gröbner bases can be used to reduce the degree of Hamiltonians.
Introduction
Prime factorization is at the heart of secure data transmission because it is widely believed to be NPcomplete. In the prime factorization problem, for a large biprime M, the task is to find the two prime factors p and q such that M = pq. In RSA cryptosystem, the message to be transmitted is encrypted using a public key which is, essentially, a large biprime that can only be decrypted using its prime factors, which are kept in a private key. Prime factorization also connects to many branches of mathematics; two branches relevant to us are computational algebraic geometry^{1} and quantum annealing^{2,3,4}.
To leverage the problem of finding primes p and q into the realm of computational algebraic geometry, it suffices to transform it into a system of algebraic equations . This is done using the binary representation and , which is plugged into M = pq and expanded into a system of polynomial equations. The system is given by this initial system of equations in addition to the auxiliary equations expressing the binary nature of the variables P_{i} and Q_{i}, carryon, and connective variables. The two primes p and q are then given by the unique zero of . In theory, we can solve the system using Gröbner bases; however, in practice, this alone does not work, since Gröbner basis computation (Buchberger’s algorithm) is exponential in the number of variables.
The connection to quantum annealing can also be easily described. Indeed, finding p and q can be formulated into an unconstrained binary optimization problem , where the cost function f is the sum of the squares of polynomials in . The unique zero of now sits on the unique global minimum of (which has minimum energy equal to zero). There are, however, a few nontrivial requirements we need to deal with before solving the cost function using quantum annealing. These requirements concern the nature of cost functions that quantum annealers can handle. In particular, we would like the cost function of to be a positive quadratic polynomial. We also require that the coefficients of the cost function (coupling and external field parameters) be rather uniform and match the hardwareimposed dynamic range.
In the present paper, we suggest looking into the problem through both lenses, and demonstrate that indeed this approach gives better results. In our scheme, we will be using quantum annealing to solve , but at the same time we will be using Gröbner bases to help us reduce the cost function f into a positive quadratic polynomial f^{+} with desired values for the coefficients. We will be also using Gröbner bases at the important step of preprocessing f^{+} before finally passing it to the quantum annealer. This preprocessing significantly reduces the size of the problem. The result of this combined approach is an algorithm with which we have been able to factorize all biprimes up to 2 × 10^{5} using the DWave 2X processor. The algorithm is autonomous in the sense that no a priori knowledge, or manual or ad hoc preprocessing, is involved. We refer the interested reader to Supplementary materials for a brief description of the DWave 2X processor, along with some statistics for several of the highest numbers that we embedded and solved. More detail about the processor architecture can be found in ref. 5. Another important reference is the work of S. Boixo et al. in ref. 6, which presents experimental evidence that the scalable DWave processor implements quantum annealing (with surprising robustness against noise and imperfections). Additionally, evidence that, during a critical portion of quantum annealing, the qubits become entangled and entanglement persists even as the system reaches equilibrium is presented in ref. 7.
Relevant to us also is the work in ref. 8, which uses algebraic geometry to solve optimization problems (though not specifically factorization; see Methods for an adaptation to factorization). Therein, Gröbner bases are used to compute standard monomials and transform the given optimization problem into an eigenvalue computation. Gröbner basis computation is the main step in this approach, which makes it inefficient. In contrast to that work, we ultimately solve the optimization problem using a quantum annealing processor and preprocess and adjust the problem with algebraic tools, that is, we reduce the size of the cost function and adjust the range of its parameters. However, we share that work’s point of view of using real algebraic geometry, and our work is the first to introduce algebraic geometry, and Gröbner bases in particular, to solve quantum annealingrelated problems. We think that this is a fertile direction for both practical and theoretical endeavours.
Mapping the factorization problem into a degree4 unconstrained binary optimization problem is first discussed in ref. 9. There, the author proposes solving the problem using a continuous optimization method he calls curvature inversion descent. Another related work is the quantum annealing factorization algorithm proposed in ref. 10. We will discuss it in the next section and improve upon it in two ways. The first involves the addition of the preprocessing stage using Gröbner bases of the cost function. This dramatically reduces the number of variables therein. The second way concerns the reduction of the initial cost function, for which we propose a general Gröbner basis scheme that precisely answers the various requirements of the cost function. In Results, we present our algorithm (the column algorithm) which outperforms this improved algorithm (i.e., the cell algorithm). Using a reduction proposed in ref. 10 and adhoc simplifications, the paper^{11} reports the factorization of biprime 143 on a liquidcrystal NMR quantum processor. It has been then observed by ref. 12 that the same 4qubit Hamiltonian can be used to factor biprimes 3599, 11663, and 56153. More recently, in ref. 13, the authors factored the biprime 551 using a 500 MHz NMR spectrometer.
This review will not be complete without mentioning Shor’s algorithm^{14} and Kitaev’s phase estimation^{15}, which, respectively, solve the factorization problem and the abelian hidden subgroup problem in polynomial time, both for the gate model paradigm. The largest number factored using a physical realization of Shor’s algorithm is 15^{16}; see ref. 17 also for a discussion about oversimplification in the previous realizations. Finally, in ref. 18, it has been proved that contextuality (KochenSpecker theorem) is needed for any speedup in a measurementbased quantum computation factorization algorithm.
Results
The binary multiplication of the two primes p and q can be expanded in two ways: cellbased and columnbased procedures (see Methods). Each procedure leads to a different unconstrained binary optimization problem. The cellbased procedure creates the unconstrained binary quadratic programming problem
and the columnbased procedure results in the problem
The two problems and are equivalent. Their cost functions are not in quadratic form, and thus must be reduced before being solved using a quantum annealer. The reduction procedure is not a trivial task. In this paper we define, for both scenarios: (1) a reduced quadratic positive cost function and (2) a preprocessing procedure. Thus, we present two different quantum annealingbased prime factorization algorithms. The first algorithm’s decomposition method (i.e., the cell procedure) has been addressed in ref. 10, without preprocessing and without the use of Gröbner bases in the reduction step. Here, we discuss it from the Gröbner bases framework and add the important step of preprocessing. The second algorithm, however, is novel in transformation of its quartic terms to quadratic, outperforming the first algorithm due to its having fewer variables.
We write for the ring of polynomials in with real coefficients and for the affine variety defined by the polynomial , that is, the set of zeros of the equation f = 0. Since we are interested only in the binary zeros (i.e., ), we need to add the binarization polynomials x_{i}(x_{i} − 1), where i = 1, …, n, to f and obtain the system . The system generates an ideal by taking all linear combinations over of all polynomials in ; we have . The ideal reveals the hidden polynomials which are the consequence of the generating polynomials in . To be precise, the set of all hidden polynomials is given by the socalled radical ideal , which is defined by . In practice, the ideal is infinite, so we represent such an ideal using a Gröbner basis which one might take to be a triangularization of the ideal . In fact, the computation of Gröbner bases generalizes Gaussian elimination in linear systems. We also have and . A brief review of Gröbner bases is given in Methods.
The cell algorithm
Suppose we would like to define the variety by the set of global minima of an unconstrained optimization problem , where f^{+} is a quadratic polynomial. For instance, we would like f^{+} to behave like f^{2}. Ideally, we want f^{+} to remain in (i.e., not in a larger ring), which implies that no slack variables will be added. We also want f^{+} to satisfy the following requirements:
f^{+} vanishes on or, equivalently, .
f^{+} > 0 outside , that is, f^{+} > 0 over .
Coefficients of the polynomial f^{+} are adjusted with respect to the dynamic range allowed by the quantum processor.
Let be a Gröbner basis for . We can then go ahead and define
where the real coefficients a_{i} are subject to the requirements above; note that we already have and thus the first requirement (i) is satisfied.
Let us apply this procedure to the optimization problem above. There, f = H_{ij} and the ring of polynomials is . We obtain the following Gröbner basis (see Methods about algorithm used):
We have used the lexicographic order ; see Methods for definitions. Note that t_{1} = H_{ij}. We define
where the real coefficients a_{k} are to be found. We need to constrain the coefficients a_{k} with the other requirements. The second requirement (ii), which translates into a set of inequalities on the unknown coefficients a_{k}, can be obtained through a brute force evaluation of over the 2^{6} points of . The outcome of this evaluation is a set of inequalities expressing the second requirement (ii) (see Supplementary materials).
The last requirement (iii) can be expressed in different ways. We can, for instance, require that the absolute values of the coefficients of , with respect to the variables P_{j}, Q_{i}, S_{i,j}, S_{i+1,j−1}, Z_{i,j}, and Z_{i,j+1}, be within [1 − ε, 1 + ε]. This, together with the set of inequalities from the second requirement, define a continuous optimization problem and can be easily solved. Another option is to minimize the distance between the coefficients to one specific coefficient. The different choices of the objective function and the solution of the corresponding continuous optimization problem are presented in Supplementary materials.
Having determined the quadratic polynomial satisfyies the important requirements (i, ii, and iii) above, we can now phrase our problem as the equivalent quadratic unconstrained binary optimization problem . Notice that this reduction is performed only once for all cases; it need not to be redone for different biprimes M. Before passing the problem to the quantum annealer, we use Gröbner bases again, this time to reduce the size of the problem. In fact, what we pass to the quantum annealer is , where NF is the normal form and is now the Gröbner basis cutoff, which we discuss in the next section. The largest biprime number that we embedded and solved successfully using the cell algorithm is ~35 000. Table 1 presents a small sample of many biprime numbers M that we tested using the cell algorithm, the number of variables using both the customized reduction CustR (i.e., reduction explained above before preprocessing with Gröbner bases) and the windowbased GB reduction (i.e., reduction CustR followed with preprocessing with Gröbner bases), the overall reduction percentage R%, and the embedding and solving status inside the DWave 2X processor Embed.
The column algorithm (factoring up to 200000)
The total number of variables in the cost function of the previous method is 2s_{p}s_{q}, before any preprocessing. Here we present the columnbased algorithm where the number of variables (before preprocessing) is bounded by . Recall that here we are phrasing the factorization problem M = pq as
where H_{i}, for 1 ≤ i ≤ s_{p}, is
The cost function is of degree 4 and, in order to use quantum annealing, it must be replaced with a positive quadratic polynomial with the same global minimum. The idea is to replace the quadratic terms Q_{j}P_{i−j} inside the different H_{i} with new binary variables W_{i−j,j}, and add the penalty to the cost function (now written in terms of the variables W_{i−j,j}). To find , we run Gröbner bases computation on the system
Following the same steps as in the previous section, we get
with a, b, such that −a − b − c > 0, −b − c > 0, −a − c > 0, c > 0 (e.g., c = 1, a = b = −2). The new cost function is now
We can obtain a better Hamiltonian by preprocessing the problem before applying the W transformation. Indeed, let us first fix a positive integer cutoff ≤(s_{p} + s_{q} + 1) and let be a Gröbner basis of the set of polynomials
In practice, the cutoff is determined by the size of the maximum subsystem of polynomials H_{i} on which one can run a Gröbner basis computation; it is defined by the hardware. We also define a cutoff on the other tail of {H_{i}}, that is, we consider . Notice that here we are working on the original H_{i} rather than the new H_{i}(W). This is because we would like to perform the replacement after the preprocessing (some of the quadratic terms might be simplified by this preprocessing). Precisely, what we pass to the quantum annealer is the quadratic positive polynomial
Here LT stands for the leading term with respect to the graded reverse lexicographic order. The second summation is over all i and j such that is still quadratic. The outer normal form in the first summation refers to the replacement , which is again performed only if is still quadratic.
The columns of Table 2 present: a small sample of many biprime numbers that we tested and their prime factors, the number of variables using each of a naïve polynomialtoquadratic transformation tool P2Q written mostly based on the algorithm discussed in ref. 19 (Other degree reduction procedures are discussed in refs 20, 21, 22, 23). Our novel polynomialtoquadratic transformation CustR, and our windowbased reduction GB after applying preprocessing. The overall reduction percentage R% and the embedding and solving status in the DWave 2X processor Embed are also shown. Figure 1 shows the adjacency matrix of the corresponding positive quadratic polynomial graph H and its embedded pattern inside the Chimera graph of the DWave 2X processor for one of the biprimes. Details pertaining to the use of the hardware can be found in Supplementary materials.
Discussion
In this work, factorization is connected to quantum annealing through binarization of the long multiplication. The algorithm is autonomous in the sense that no a priori knowledge, or manual or ad hoc preprocessing, is involved. We have attained the largest biprime factored to date using a quantum processor, though moresubtle connections might exist. A future direction that this research can take is to connect factorization (as an instance of the abelian hidden subgroup problem), through Galois correspondence, to covering spaces and thus to covering graphs and potentially to quantum annealing. We believe that morerewarding progress can be made through the investigation of such a connection.
Methods
Column factoring procedure
Here we discuss the two singlebit multiplication methods of the two primes p and q. The first method generates a Hamiltonian for each of the columns of the long multiplication expansion, while the second method generates a Hamiltonian for each of the multiplying cells in the long multiplication expansion. The column factoring procedure initially introduced in ref. 9, has been generalized. The generalized column factoring procedure of and is depicted Figure 2.
The equation for an arbitrary column (i) can be written as the sum of the column’s multiplication terms (above) plus all previously generated carryon terms from lower significant columns (j < i). This sum is equal to the column’s biprime term m_{i} plus the carryons generated from higher significant columns. The polynomial equation for the ith column is
The above equation is used as the main column procedure’s equation H_{i}. The Hamiltonian generation and reduction is discussed in detail in Results.
Cell factoring procedure
In the cell multiplication procedure the ultimate goal is to break each of the column equations discussed above into multiple smaller equations so that each equation contains only one quadratic term. This not only simplifies the generation of quadratic Hamiltonians, but also generates Hamiltonians with moreuniform quadratic coefficients in comparison to the column procedure. We generalized the procedure initially introduced in ref. 10. Figure 3 depicts our generalization:
Each cell contains one of the total (s_{p} − 1) (s_{q} − 1) quadratic terms in the form of Q_{i}P_{j}. To chain a cell to its upper cell, one extra sum variable S_{i,j} is added. Also, each carryon variable Z_{i,j} in a cell is the carryon of the cell directly to its right, so each cell contains four variables. The sum of three terms Q_{i}P_{j}, S_{i,j}, and Z_{i,j} is at most 3; thus, it generates an additional sum variable S_{i+1,j−1} and one carryon variable Z_{i,j+1}. Therefore, the equation for an arbitrary cell indexed (i, j), shown in the centre of the above table, is
As we can see, only six binary variables are involved in each cell equation and the equation contains one quadratic term, so it can be transformed into a positive Hamiltonian without adding slack variables. The Hamiltonian generation and reduction procedure is discussed in detail in Results.
Gröbner bases
Good references for the following definitions are chapters 1 and 2 of ref. 1 and chapter 1 of ref. 24.
Normal forms
A normal form is the remainder of Euclidean divisions in the ring of polynomials . Precisely, the normal form of a polynomial , with respect to the set of polynomials (usually a Gröbner basis), is the polynomial , which is the image of f modulo . It is the remainder of the Euclidean of f by all .
Term orders
A term order on is a total order on the set of all monomials , which has the following properties: (1) if , then for all positive integers a, b, and c; (2) for all strictly positive integers a. An example of this is the pure lexicographic order . Monomials are compared first by their degree in x_{1}, with ties broken by degree in x_{2}, etc. This order is usually used in eliminating variables. Another example, is the graded reverse lexicographic order . Monomials are compared first by their total degree, with ties broken by reverse lexicographic order, that is, by the smallest degree in x_{n}, x_{n−1}, etc.
Gröbner bases
Given a term order on , then by the leading term (initial term) LT of f we mean the largest monomial in f with respect to . A (reduced) Gröbner basis to the ideal with respect to the ordering is a subset of such that: (1) the initial terms of elements of generate the ideal of all initial terms of ; (2) for each , the coefficient of the initial term of g is 1; (3) the set LT(g) minimally generates ; and (4) no trailing term of any lies in . Currently, Gröbner bases are computed using sophisticated versions of the original Buchberger algorithm, for example, the F4 and F5 algorithms by J. C. Faugère^{25,26}.
Factorization as an eigenvalue problem
In this section, for completeness, we describe how the factorization problem can be solved using eigenvalues and eigenvectors. This is an adaptation of the method presented in ref. 8 to factorization, which is itself an adaption to real polynomial optimization of the method of solving polynomial equations using eigenvalues in ref. 1.
Let be in as in (12), where we have used the notation x_{i} instead of the P_{s}, Q_{s}, Z_{s}, and W_{s}. Define
which is in the larger ring . We also define the set of polynomials
The variety is the set of all binary critical points of . Its coordinates ring is the residue algebra . We need to compute a basis for A. This is done by first computing a Gröbner basis for and then extracting the standard monomials (i.e., the monomials in that are not divisible by the leading term of any element in the Gröbner basis). In the simple example below, we do not need to compute any Gröbner basis since is a Gröbner basis with respect to plex(α, x). We define the linear map
Since the number of critical points is finite, the algebra A is always finitedimensional by the Finiteness Theorem (page 39 of ref. 1). Now, the key points are:
The value of (i.e., values of ), on the set of critical points , are given by the eigenvalues of the matrix .
Eigenvalues of and give the coordinates of the points of .
If v is an eigenvector for , then it is also an eigenvector for and for 1 ≤ i ≤ n.
We illustrate this in an example. Consider M = pq = 5 × 3 and let
be the corresponding Hamiltonian as in (12), where x_{1} = p_{2}, x_{2} = q_{1}, x_{3} = w_{2,1}, and x_{4} = z_{2,3}. A basis for the residue algebra A is given by the set of the 16 monomials
The matrix is
We expect the matrix’s smallest eigenvalue to be zero and, indeed, we get the following eigenvalues for :
This is also the set of values which takes on . The eigenvector v which corresponds to the eigenvalue 0 is the column vector
This eigenvector is used to find the coordinates of that cancel (minimize) . The coordinates of the global minimum are defined by , and this gives x_{1} = x_{2} = x_{3} = 1, x_{4} = 0, and α_{1} = 2α_{2} = α_{3} = 2, α_{4} = 5.
Additional Information
How to cite this article: Dridi, R. and Alghassi, H. Prime factorization using quantum annealing and computational algebraic geometry. Sci. Rep. 7, 43048; doi: 10.1038/srep43048 (2017).
Publisher's note: Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Change history
22 March 2017
A correction has been published and is appended to both the HTML and PDF versions of this paper. The error has not been fixed in the paper.
References
 1.
Cox, D. A., Little, J. B. & O’Shea, D. Using algebraic geometry. Graduate texts in mathematics (Springer, New York, 1998).
 2.
Kadowaki, T. & Nishimori, H. Quantum annealing in the transverse ising model. Phys. Rev. E 58, 5355–5363 (1998).
 3.
Farhi, E. et al. A quantum adiabatic evolution algorithm applied to random instances of an npcomplete problem. Science 292, 472–475 (2001).
 4.
Das, A. & Chakrabarti, B. K. Colloquium: Quantum annealing and analog quantum computation. Rev. Mod. Phys. 80, 1061–1081 (2008).
 5.
Johnson, M. W. et al. Quantum annealing with manufactured spins. Nature 473, 194–198 (2011).
 6.
Boixo, S., Albash, T., Spedalieri, F. M., Chancellor, N. & Lidar, D. A. Experimental signature of programmable quantum annealing. Nat Commun 4 (2013).
 7.
Lanting, T. et al. Entanglement in a quantum annealing processor. Phys. Rev. X 4, 021041 (2014).
 8.
Parrilo, P. A. & Sturmfels, B. Minimizing polynomial functions. DIMACS Series in Discrete Mathematics and Theoretical Computer Science (2001).
 9.
Burges, C. Factoring as optimization. Tech. Rep. MSRTR200283, Microsoft Research (2002).
 10.
Schaller, G. & Schutzhold, R. The role of symmetries in adiabatic quantum algorithms. Quantum Information & Computation 10, 109–140 (2010).
 11.
Xu, N. et al. Quantum factorization of 143 on a dipolarcoupling nuclear magnetic resonance system. Phys. Rev. Lett. 108, 130501 (2012).
 12.
Dattani, N. S. & Bryans, N. Quantum factorization of 56153 with only 4 qubits. arXiv:1411.6758 (2014).
 13.
Pal, S., Moitra, S., Anjusha, V. S., Kumar, A. & Mahesh, T. S. Hybrid scheme for factorization: Factoring 551 using a 3qubit NMR quantum adiabatic processor. arXiv:1611.00998 [quantph] (2016).
 14.
Shor, P. W. Polynomialtime algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26, 1484–1509 (1997).
 15.
Kitaev, A. Quantum measurements and the abelian stabilizer problem. arXiv:9511026 (1995).
 16.
Monz, T. et al. Realization of a scalable shor algorithm. Science 351, 1068–1070 (2016).
 17.
Smolin, J. A., Smith, G. & Vargo, A. Oversimplifying quantum factoring. Nature 499, 163–165 (2013).
 18.
Raussendorf, R. Contextuality in measurementbased quantum computation. Phys. Rev. A 88, 022322 (2013).
 19.
Boros, E. & Aritanan, G. On quadratization of pseudoboolean functions. arXiv:1404.6538 (2014).
 20.
Anthony, M., Boros, E., Crama, Y. & Gruber, A. Quadratization of symmetric pseudoboolean functions. Discrete Applied Mathematics 203, 1–12 (2016).
 21.
Babbush, R., O’Gorman, B. & AspuruGuzik, A. Resource efficient gadgets for compiling adiabatic quantum optimization problems. Annalen der Physik 525, 877–888 (2013).
 22.
Babbush, R., Denchev, V. S., Ding, N., Isakov, S. & Neven, H. Construction of nonconvex polynomial loss functions for training a binary classifier with quantum annealing. CoRR abs/1406.4203 (2014).
 23.
Tanburn, R., Okada, E. & Dattani, N. S. Reducing multiqubit interactions in adiabatic quantum computation without adding auxiliary qubits. part 1: The “deducreduc” method and its application to quantum factorization of numbers. arXiv:1508.04816 (2015).
 24.
Sturmfels, B. Gröbner bases and convex polytopes, vol. 8 of University Lecture Series (American Mathematical Society, Providence, RI, 1996).
 25.
Faugére, J.C. A new efficient algorithm for computing Gröbner bases (f4). Journal of Pure and Applied Algebra 139, 61–88 (1999).
 26.
Faugère, J. C. A new efficient algorithm for computing Gröbner bases without reduction to zero (f5). In Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC ’02, 75–83 (ACM, New York, NY, USA, 2002).
Acknowledgements
We appreciate discussions with Pooya Ronagh and thank Marko Bucyk for proofreading the manuscript.
Author information
Affiliations
1QB Information Technologies (1QBit), Vancouver, British Columbia, V6C 2B5, Canada
 Raouf Dridi
 & Hedayat Alghassi
Authors
Search for Raouf Dridi in:
Search for Hedayat Alghassi in:
Contributions
R.D. and H.A. designed the algorithms. R.D. and H.A. conceived the experiments and analysed the results. All authors wrote and reviewed the manuscript.
Competing interests
The authors declare no competing financial interests.
Corresponding authors
Correspondence to Raouf Dridi or Hedayat Alghassi.
Supplementary information
PDF files
Rights and permissions
This work is licensed under a Creative Commons Attribution 4.0 International License. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in the credit line; if the material is not included under the Creative Commons license, users will need to obtain permission from the license holder to reproduce the material. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/
About this article
Further reading

Factoring larger integers with fewer qubits via quantum annealing with optimized parameters
Science China Physics, Mechanics & Astronomy (2019)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.