Variational quantum solutions to the Shortest Vector Problem

A fundamental computational problem is to find a shortest non-zero vector in a Euclidean lattice, a problem known as the Shortest Vector Problem (SVP). This problem is believed to be hard even on quantum computers and thus plays a pivotal role in post-quantum cryptography. In this work we explore how (efficiently) Noisy Intermediate Scale Quantum (NISQ) devices may be used to solve SVP. Specifically, we map the problem to that of finding the ground state of a suitable Hamiltonian. In particular, (i) we establish new bounds for lattice enumeration; this allows us to obtain new bounds (resp.~estimates) for the number of qubits required per dimension for arbitrary lattices (resp.~random q-ary lattices) to solve SVP; (ii) we exclude the zero vector from the optimisation space by proposing (a) a different classical optimisation loop or, alternatively, (b) a new mapping to the Hamiltonian. These improvements allow us to solve SVP in dimensions up to 28 in a quantum emulation, significantly more than what was previously achieved, even for special cases. Finally, we extrapolate the size of NISQ devices required to solve instances of lattices that are hard even for the best classical algorithms, and find that approximately $10^3$ noisy qubits suffice to tackle such instances.


Introduction
Cryptography studies the limits of computing: what can and cannot efficiently be computed. In 1976 Diffie and Hellman significantly expanded the realm of the possible by inventing public key cryptography [1], which allows two parties to agree on a shared secret over a public channel in the presence of a wiretapping adversary. Since its invention, public-key cryptography has seen widespread adoption and is now a crucial building block for securing, say, the Internet. However, this advance was not unconditional but relies on the presumed hardness of some computational problem. Virtually all currently deployed public-key encryption schemes rely on the difficulty of one of two computational problems: the discrete logarithm problem and the problem of factoring large integers.
Everything changed in 1994 when Peter Shor's seminal work [2] showed that quantum computers could effectively solve those two central problems. While the timeline for when sufficiently large quantum computers may be available is uncertain, proposed timelines and the threat of "collect-now-decrypt-later"-style attacks provoked global efforts to develop "post-quantum cryptography": cryptographic schemes that run on classical computers but resist attacks with quantum computers. The centre of these international efforts is the Post-Quantum Standardisation Process (NIST PQC) by the US National Institute of Standards and Technology (NIST) [3]. To date, there are several candidates for post-quantum cryptography, mainly lattice-based, code-based, hash-based, multivariate cryptography and supersingular elliptic curve isogeny cryptography. Lattice-based cryptography seems to be a prime contender for large-scale adoption: among the winners of the NIST PQC process, three out of four are based on lattices.
While, of course, all post-quantum candidates are conjectured to be hard also on a quantum computer, a pressing question for adoption is "how hard?". That is, in order to pick parameters that are both efficient in practice but quantifiably resist attacks, the research community studies the quantum resources required to solve the underlying hard problems.
On the other hand, the transition to quantum computing is expected to start with a phase referred to as Noisy Intermediate Scale Quantum (NISQ), featuring devices that consist of at most a thousand erroneous qubits. This low qubit count makes any known error-correction technique infeasible, which also puts stringent restrictions on the depth a quantum computation can have before the noise becomes dominant, leading to essentially random outcomes. To overcome these limitations, hybrid classical-quantum algorithms are designed specifically for these devices, while most of the famous quantum algorithms, such as Grover's search, the Quantum Fourier Transform or Shor's algorithm, are impractical. A natural question is thus "how hard are lattice problems on NISQ devices?" 2 This question sheds light on the performance of these devices on a natural and central computational problem.

Contributions.
After some preliminaries (Section 2), we determine a suitable mapping of the central hard problem on lattices, the Shortest Vector Problem (SVP), into the ground state of a Hamiltonian operator, the form required by the classical-quantum optimisation algorithms of our interest. In Section 3, we introduce Ising spin Hamiltonian operators and explain how to map SVP to an optimisation problem in this framework. We discuss the challenges that arise with this formulation and give a solution to the "zero vector problem" for VQE. 3 Our problem formulation requires a priori bounds for each coordinate of a shortest vector in a given basis B of the lattice. In Section 4 we thus analyse the cost of solving SVP by a non-adaptive exhaustive search, which allows us to quantify the search space. In particular, we show that the size of the search space depends on the norms of the vectors forming the "dual basis" B̃ := (B · B^T)^{−1} · B. This allows us to obtain a NISQ quantum algorithm that computes an HKZ-reduced basis, one of the strongest notions of reduction, using (3/2) n log₂ n + O(n) qubits, thus solving SVP in passing. This cost of non-adaptive enumeration was previously known only for a special class of lattices. We also perform extensive classical numerical experiments to study the average-case behaviour of lattice reduction in the context of our NISQ quantum enumeration algorithm. In Section 5 we then show that our bounds allow us to run quantum emulation experiments that, using up to 28 qubits, solve SVP in dimension 28, considerably more than the prior literature. Extrapolating our experimental data, we find that between 1,000 and 1,600 qubits suffice to encode SVP for a dimension-180 lattice, the current record dimension for the "Darmstadt SVP Challenge" [4].
For the avoidance of doubt, our results do not violate any previous claims on the hardness of lattice problems on quantum computers, because in general we may hope for a running time of at best 2^{λ/2+o(λ)}.

Footnote 2: By NISQ devices, in this paper, we mean devices with a limited number of qubits, running algorithms with a limited depth of quantum computation in each iteration. Of course, the limitation in depth comes from the existence of "noise", but the effects of noise extend further, e.g. by reducing the probability that the classical optimisation loop ends up with the correct solution. Since we mainly focus on the qubit count and do not address the scaling of the probability of success even in the noiseless case, we also leave the full analysis of the effects of noise to a future publication.

Footnote 3: In Appendix A we outline a less efficient solution that imposes the constraint at the Hamiltonian level by adding new variables. That approach is applicable to QAOA, quantum annealing and adiabatic quantum computing, thus extending our method.

Preliminaries
Lattices. A (Euclidean) lattice L is a discrete subgroup of R^d, or equivalently the set L(B) = {x · B | x ∈ Z^n} of integer linear combinations of n linearly independent row vectors forming a matrix B. We say that a matrix B forms a basis of L if its rows form a basis of L. All the bases have the same number n of elements, called the dimension or rank of L. The dual L̃ of a lattice L is the set of all vectors x ∈ span(L) such that ⟨x, y⟩ is an integer for all y ∈ L. If B is a basis of L then B̃ := (B · B^T)^{−1} · B is a basis of L̃. We call B̃ the "dual basis" of B. Lattice algorithms often involve the orthogonal projections π_i onto the orthogonal complement of the span of b_1, . . . , b_{i−1}. One of the fundamental algorithmic problems related to lattices is to find a shortest non-zero element of an arbitrary lattice (with respect to its Euclidean norm), given an arbitrary basis of this lattice. This problem is referred to as the shortest vector problem (SVP) and the length of such a vector is denoted by λ_1(L). It is a central premise of lattice-based cryptography that solving SVP (and its decision variant GapSVP) within a polynomial factor takes superpolynomial time also on a quantum computer [5]. It is well known that the hardness of SVP is related to the "quality" of the input basis, which informally quantifies the length of the vectors in the basis and the angles between them. Intuitively, a basis with short and relatively orthogonal vectors is of higher quality. Therefore, a fundamental problem in lattice-based cryptography is to increase the quality of a given basis, a process known as lattice reduction. The celebrated LLL algorithm [6] was the first polynomial-time algorithm that computes a reduced basis of guaranteed quality, namely the first vector is at most exponentially longer than the shortest vector of the lattice. The BKZ algorithm [7] is a generalisation of LLL to obtain more strongly reduced bases at the expense of a higher running time.
More precisely, the BKZ algorithm requires us to choose a so-called block size β: the larger β is, the stronger the reduction but the higher the running time (which is at least exponential in β). BKZ internally uses an algorithm to solve (near) exact SVP in lower-dimensional lattices. Therefore, understanding the complexity of SVP is critical to understanding the complexity of BKZ and lattice reduction. This, in turn, is critical to choosing security parameters of cryptographic primitives [8].
When β = n we recover the HKZ algorithm, producing HKZ-reduced bases, one of the strongest notions of reduction [9]. The first vector of such a basis is always a shortest vector of the lattice. Furthermore, HKZ bases naturally lend themselves to recursive computation and enjoy many good properties (see Section 4.2 for more details), especially in conjunction with enumeration [10]. Enumeration algorithms list all of the lattice points within a ball of prescribed radius r. One of the most important aspects of enumeration is to correctly choose the enumeration radius r so that it is larger than λ_1(L), but not too large, since the running time increases rapidly with r. For random lattices, the so-called Gaussian heuristic gives a good estimate of λ_1(L) as gh(L) := √(n/(2πe)) · det(L)^{1/n}.
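For concreteness, the Gaussian heuristic is cheap to evaluate directly from a basis. Below is a minimal NumPy sketch; the function name and the toy basis are ours, chosen for illustration only:

```python
import numpy as np

def gaussian_heuristic(B):
    """Estimate lambda_1(L) for the lattice spanned by the rows of B,
    using gh(L) = sqrt(n / (2*pi*e)) * det(L)^(1/n)."""
    n = B.shape[0]
    # For a full-rank row basis, det(L) = |det(B)|.
    det_L = abs(np.linalg.det(B))
    return np.sqrt(n / (2 * np.pi * np.e)) * det_L ** (1.0 / n)

B = np.array([[2.0, 0.0], [1.0, 3.0]])  # toy 2-dimensional basis
print(gaussian_heuristic(B))
```

For random lattices this estimate is typically accurate up to a small multiplicative factor, which is why the enumeration radius is later taken as C · gh(L).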
The fastest known (heuristic) quantum algorithm [11] for solving SVP is a "sieving algorithm" that runs in time 2^{0.257n+o(n)}, uses QRAM [12] of maximum size 2^{0.0767n+o(n)}, a quantum memory of size 2^{0.0495n+o(n)} and a classical memory of size 2^{0.2075n+o(n)}. The second main class of quantum algorithms for solving SVP are "lattice-point enumeration" algorithms, which combine exhaustive search with projections [13]. These algorithms run in time n^{n/(4e)+o(n)} and use poly(d) memory. In many cryptographic applications n^{n/16+o(n)} seems plausible [14]. On classical computers, the current record computation solved the "Darmstadt SVP Challenge", which asks to solve a slightly relaxed version of SVP, in dimension 180 [4] using sieving on GPUs. Both classes of algorithms rely on Grover's algorithm or random walks, which require long-running computations on fault-tolerant quantum computers and thus are not suitable for the quantum devices of the next decade, the NISQ era.
Variational Quantum Algorithms (VQAs) [15] are hybrid classical-quantum algorithms that can solve a variety of problems, including optimisation problems. VQAs are believed to be one of the most promising approaches to use, and possibly offer quantum advantage on, near-term quantum devices, also known as Noisy Intermediate-Scale Quantum (NISQ) devices. The quantum devices that currently exist and those that will become available in the coming 2-5 years are expected to have at most 1000 qubits (intermediate-scale) and have imperfections (noisy). Since the number of qubits is limited, to run computations of interest one cannot "afford" to perform quantum error-correction, since this would require an overhead on the order of 10^3 physical qubits for every useful logical qubit. VQAs mitigate the effects of noise by a different approach. A computationally expensive subroutine is solved by the quantum device, which amounts to estimating the "energy" of a quantum state that arises as the output of a parameterised quantum circuit of short depth (avoiding the excessive accumulation of errors). The preparation and measurement are run multiple times and the output is fed to a classical optimisation part that essentially off-loads part of the computation to a classical device. VQAs appear to offer advantages over classical algorithms in various areas of quantum chemistry [16,17] and are a promising approach for many other areas including combinatorial optimisation [18], quantum machine learning [19] and quantum metrology [20].
Since SVP can be formulated as an optimisation problem, we focus on the two most widely used VQAs for combinatorial optimisation, namely the Variational Quantum Eigensolver (VQE) [21,22] and the Quantum Approximate Optimisation Algorithm (QAOA) [23]. The first step for both of them, as well as for quantum annealing [24], is to encode the problem (SVP here) into the ground state (smallest eigenvalue) of a Hamiltonian operator H. For QAOA and quantum annealing, the Hamiltonian needs to be an Ising spin Hamiltonian (i.e. involving only Z spins and up to quadratic interaction terms), and for quantum annealing extra limitations due to the connectivity of the spins apply. For VQE the Hamiltonian can take a more general form (including higher-order terms and/or X spins). The second step, once the Hamiltonian is chosen, is to select an ansatz state |ψ(θ)⟩, a family of quantum states, parameterised by θ, that are the output of a simple parameterised circuit. Ideally, we would like to ensure that elements of the family considered are close to the ground state of the problem's Hamiltonian. The two classes of ansätze that exist are the hardware-efficient ones, essentially chosen for the ease with which they can be implemented on given quantum hardware, and the problem-specific ones, which use information about the problem, for example the problem's Hamiltonian. The former are less prone to errors and can be used with any Hamiltonian but have no guarantee of being "dense" around the true ground state, while the latter are more sensitive to noise and can be used only with specific classes of Hamiltonians but are designed to have states close to the true ground state. The third step is to prepare a state from the ansatz and measure it; this step is repeated multiple times. From these repetitions an estimate of the expectation ⟨ψ(θ)|H|ψ(θ)⟩ is calculated and passed to a classical optimiser as the cost value for that choice of parameters.
The optimiser then calculates new parameters θ and the procedure repeats until some stopping criterion is reached and an estimate for the ground state is produced. For our VQE runs we used hardware-efficient ansätze. QAOA is by definition a problem-specific ansatz, since the family is constructed as a discretised version of Quantum Adiabatic Computation. This puts a constraint on the form of the Hamiltonian (which makes it harder to solve SVP with fewer qubits, see Section 3.2), but has the theoretical guarantee that for sufficiently deep circuits the solution should be found. Specifically, for Hamiltonians that involve only spin Z terms, to compute the energy/cost C(θ) of a quantum state |ψ(θ)⟩ we prepare the state and measure in the computational basis N times. Each run gives an outcome (bit-string) x_i, and for every outcome we compute the related cost m_i(x_i). Our estimate of the cost of the state is C(θ) = ⟨ψ(θ)|H|ψ(θ)⟩ ≈ (1/N) Σ_{i=1}^N m_i and is used by the classical optimiser. For classical combinatorial optimisation problems other methods can perform better. The Conditional Value at Risk (CVaR) [25] and the Ascending-CVaR [26] are two methods that give better results, and in this work we will use the former. In [25], instead of computing the cost as the average of the values m_i, they order the values from smallest to largest and keep only the α-tail of the distribution. Specifically, α is chosen heuristically and the cost is calculated as the average of the ⌈αN⌉ lowest measurement outcomes. Suppose the m_i, i = 1, . . . , N, are sorted in non-decreasing order. Then the cost is calculated as C_α(θ) = (1/⌈αN⌉) Σ_{i=1}^{⌈αN⌉} m_i. We note that finding a ground state of a Hamiltonian is QMA-complete in general, but for specific Hamiltonians the ground state can be found efficiently: adiabatic quantum computing is a universal model that efficiently finds the ground state of those Hamiltonians that correspond to BQP problems.
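The CVaR cost of [25], as we read it, can be sketched in a few lines. The function name and the sample values below are illustrative, not part of the original experiments:

```python
import numpy as np

def cvar_cost(outcomes, alpha):
    """CVaR-style cost: average of the ceil(alpha * N) smallest measured
    costs m_i, instead of the plain mean over all N shots."""
    m = np.sort(np.asarray(outcomes, dtype=float))  # non-decreasing order
    k = int(np.ceil(alpha * len(m)))
    return m[:k].mean()

samples = [5.0, 1.0, 9.0, 2.0, 7.0, 3.0, 8.0, 4.0]
print(cvar_cost(samples, alpha=0.25))  # average of the 2 smallest: 1.5
```

With alpha = 1 this recovers the plain average, so the parameter interpolates between the standard VQE cost and a best-outcomes-only cost.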
Indeed, in our case, since SVP is believed to be outside BQP, we do not expect to find the solution efficiently. On the other hand, obtaining a polynomial speed-up is valuable for cryptanalysis; after all, Grover's algorithm also provides such a moderate speed-up. In particular, we do not expect to do better than Grover: query complexity bounds indicate that for our problem we can get at most a small constant improvement over Grover. However, because our approach is heuristic, we may still obtain a considerably larger speed-up for certain (but not the hardest) instances. To properly analyse the time-complexity of a variational quantum algorithm, one needs to bound the scaling of the probability that the algorithm (at the end of the classical-quantum iterations) returns the correct solution; viewed differently, to bound the overlap of the output quantum state with the true shortest vector. Then, by repeating the algorithm a sufficient 5 number of times, one is guaranteed to find the correct solution with high probability. While such bounds have been found for certain problems [27,23,28], in the general case it is hard (or even impossible) to obtain them, so this is left for future work. Note that the classical time-complexity scales exponentially; therefore, even if this probability vanishes exponentially fast (as expected), our solution may still give competitive results, offering similar performance to other "fault-tolerant" quantum algorithms.

Footnote 5: Here "sufficient" scales inversely with the probability of success of a single run.

Related Work
There have been several works focusing on translating SVP into a Hamiltonian H whose ground state corresponds to the shortest lattice vector. Note that we can trivially achieve encodings where the corresponding eigenvalues of H define the order of lattice vector lengths. The resulting variational quantum formulation is thus capable of solving approximate SVP, a relaxation of SVP on which the security of most lattice-based protocols relies. In [29] the energy gaps between the first three excited states of the problem Hamiltonian are analysed when solving low-dimensional SVP via adiabatic computation. The ground state is, by their construction, the zero state and hence the first excited state is sought. The results suggest the existence of "Goldilocks" zones. In such zones the adiabatic evolutions are slow enough that there is a high probability of sampling any of the first three excited states without any of them strongly dominating. As a consequence, in this case it is possible to obtain the shortest non-zero vector with a small number of measurement samples. This motivates the use of QAOA to find the ground state, as it mimics the adiabatic computation. However, the experiments were performed only for lattices of up to 4 dimensions. Moreover, as SVP is an integer optimisation problem, bounds on the ranges of the (integer) variables need to be defined prior to mapping the problem into a binary optimisation problem. The authors make an experimental guess that each of them grows linearly with the lattice dimension, resulting in a guess of an O(n log n) qubit requirement. This qubit requirement was later proved in [30] for special lattices with what they called "an optimal Hermite Normal Form (HNF)". The density of such lattices is around 44% among lattices generated with entries selected "uniformly at random" [31, Section 5.1].
For such lattices, they show that (3/2) n log₂ n + n + log(det(L)) qubits are enough to guarantee that the shortest vector is an eigenvector of the Hamiltonian. To confirm the approach, experiments for up to 7-dimensional instances of SVP were performed on a D-Wave quantum annealer, making use of up to 56 logical qubits. The proof of their bound crucially relies on the special shape of the HNF, namely that it has at most one nontrivial column. However, q-ary lattices (which are ubiquitous in cryptography, see Section 5.1) almost never have such a special Hermite Normal Form, since 6 they have k nontrivial columns, where k is the rank of the underlying linear code and typically linear in the dimension (such as n/2).

Footnote 6: Indeed, the standard basis matrix of a q-ary lattice, which has rank k, is already in HNF.

Direct approaches to SVP with Variational Quantum Algorithms
Recall that the starting point for VQE and QAOA (but also for quantum annealing) is to encode the problem into the ground state of a Hamiltonian H. As in other combinatorial optimisation problems, one first needs to turn the problem into a quadratic unconstrained binary optimisation (QUBO) form; then there is a standard method to obtain an Ising Hamiltonian (i.e. a Hamiltonian that involves only Z operators, whose interaction terms involve just pairs of qubits). Note that to run VQE one can use more general Hamiltonians and, as we will see later, in some cases it is simple to include constraints (or even higher-order terms).
Coming back to QUBO formulations, the general form of the cost is C(x) = Σ_{i,j} Q_{ij} x_i x_j over binary variables x_i ∈ {0, 1}. Substituting each binary variable by the operator x_i → (I_i − Z_i)/2, where Z_i and I_i are the Pauli-Z and identity operators respectively, acting on the i-th qubit, yields the corresponding Ising Hamiltonian.
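The substitution above is purely mechanical, so it can be carried out (and checked against the QUBO by brute force) in a few lines. The sketch below uses classical ±1 spin values in place of Z operators; the function names and the example matrix are ours:

```python
import numpy as np
from itertools import product

def qubo_to_ising(Q):
    """Rewrite C(x) = x . Q . x^T, x in {0,1}^n, as
    const + sum_i h[i]*s_i + sum_{i<j} J[i,j]*s_i*s_j with s_i in {-1,+1},
    via x_i = (1 - s_i)/2 (the classical shadow of x_i -> (I_i - Z_i)/2)."""
    Q = np.asarray(Q, dtype=float)
    S = (Q + Q.T) / 2                       # symmetrise the quadratic form
    const = S.sum() / 4 + np.trace(S) / 4   # s_i^2 = 1 absorbs diagonal terms
    h = -S.sum(axis=1) / 2                  # linear coefficients
    J = np.triu(S, k=1) / 2                 # pairwise couplings, i < j
    return const, h, J

def ising_energy(const, h, J, s):
    s = np.asarray(s, dtype=float)
    return const + h @ s + s @ J @ s

# Sanity check against the QUBO on every assignment of 3 binary variables.
Q = np.array([[1.0, 2.0, 0.0], [0.0, -1.0, 3.0], [0.0, 0.0, 2.0]])
for x in product([0, 1], repeat=3):
    x = np.array(x, dtype=float)
    s = 1 - 2 * x
    assert np.isclose(x @ Q @ x, ising_energy(*qubo_to_ising(Q), s))
print("QUBO and Ising forms agree")
```

The exhaustive check over all bit-strings is what makes this a useful sanity test before handing the coefficients to a quantum routine.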

Mapping the Shortest Vector Problem into QUBO formulation
A first approach (also the starting point of [29,30]) is to consider as variables the coefficients of the basis vectors. Each choice of the coefficients determines a vector in the lattice, and its length can be easily calculated using the basis matrix. There are two major challenges with this approach. The first is that the coefficients are integers, while we want to use a finite number of binary variables. Recall that each binary variable results in a qubit, so we can only use a finite number, and making this number as small as possible is crucial to run on a NISQ device. We therefore need to truncate (limit) the possible coefficients, but in a way that keeps the shortest vector among our possible solutions. The second challenge is that if the variables are the coefficients, then a possible vector is the all-zero vector, a vector that is clearly shorter than the shortest (non-zero) vector we are searching for. We would therefore need to impose the constraint x ≠ 0 at some level.
Going back to the formulation, given an n-dimensional full-rank row-major lattice basis matrix B, we define the lattice L(B) = {x · B | x a row vector, x ∈ Z^n}. The shortest vector problem (SVP) asks for λ_1 := min_{y∈L(B)\{0}} ‖y‖. Let x be a row vector of coefficients and G = B · B^T the Gram matrix of the basis. Then y = x · B implies ‖y‖² = x · B · B^T · x^T = x · G · x^T, which allows us to reformulate SVP as a quadratic constrained integer optimisation problem:

λ_1² = min_{x ∈ Z^n \ {0}} x · G · x^T.    (1)

As a consequence of the rank-nullity theorem, we have λ_1 ≠ 0 as required. In order to convert (1) into a binary optimisation problem, we need bounds |x_i| ≤ a_i for all i = 1, ..., n. This has been the core problem of all approaches that map SVP into a Hamiltonian, and we provide tighter and more general bounds in Section 4. We now define new binary variables {x_ij}, 0 ≤ j ≤ ⌈log₂ 2a_i⌉, from the initial integer variables x_i and the bounds a_i, writing x_i = Σ_j 2^j x_{ij} − a_i, where the last term ensures we do not enlarge the search space. Substituting into (1) yields the binary quadratic form used below (Equation (3)).
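A brute-force version of this constrained search, using the Gram matrix exactly as above, is useful as a classical sanity check in tiny dimensions. This is a toy sketch of ours, not the quantum procedure; the helper name and the basis are illustrative:

```python
import numpy as np
from itertools import product

def shortest_by_search(B, a):
    """Brute-force the constrained problem min_{x != 0} x . G . x^T with
    |x_i| <= a[i], using the Gram matrix G = B . B^T so that squared
    lengths stay integral for an integer basis."""
    G = B @ B.T
    best, best_x = None, None
    for x in product(*[range(-ai, ai + 1) for ai in a]):
        if not any(x):
            continue  # skip the zero vector: it is not a valid SVP solution
        v = np.array(x)
        length2 = int(v @ G @ v)
        if best is None or length2 < best:
            best, best_x = length2, v
    return best_x, best

B = np.array([[3, 1], [1, 2]])  # toy 2-dimensional integer basis
x, l2 = shortest_by_search(B, [2, 2])
print(x, l2)
```

The explicit zero-vector skip in the loop is exactly the constraint that the Hamiltonian formulation must encode by other means, as discussed next.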

Encoding the x = 0 constraint
In deriving Equation (3) we ignored the x ≠ 0 condition in the definition of SVP. The true minimum is zero and is obtained by setting all the integer variables x_1, . . . , x_n to zero. Instead we want to obtain the second smallest value. In other words, we are seeking the first excited state of the corresponding Hamiltonian, with the extra information that the "true" ground state (the zero vector) is known. There are three ways to address this. The first is to ignore the constraint, run the optimisation to find the ansatz state with greatest overlap with the zero vector, and hope that it also has an (ideally large) overlap with the first excited state [29]. Even if this approach succeeds in solving SVP in small dimensions, it is unlikely to work well at larger scales. The second solution is to exclude the zero vector by imposing a constraint that "penalises" it. Mapping the problem back to a QUBO, however, requires introducing extra variables (n − 2 in our case), making this approach less practical. Since this approach works both for QAOA and quantum annealing, where the last and most practical approach does not, we give the details of this mapping in Appendix A.
The third approach, which we analyse here and use in our numerical experiments, applies to VQE. One directly targets the first excited state by modifying the classical loop of the VQE, i.e. modifying the way the cost is evaluated. In the general form, assuming that |ψ_0⟩ is the ground state, instead of using the expression C(ψ) = ⟨ψ|H|ψ⟩ for the cost, we use C(ψ) = ⟨ψ|H|ψ⟩ · 1/(1 − |⟨ψ|ψ_0⟩|²), where the multiplicative factor is the inverse of the probability of not being in the ground state. This gives infinite cost to the ground state and, in general, penalises states with greater overlap with the ground state. It is easy to see that this cost is minimised at the first excited state of the original Hamiltonian. Note that other approaches to finding the first excited state exist (see for example [32]).
In our case the ground state is the zero vector. Let Ñ be the number of measured bit-strings m_i that are non-zero. Then N/Ñ is the numerical estimate of the inverse of the probability of not measuring the zero vector. Therefore we use the modified cost C(θ) ≈ (N/Ñ) · (1/N) Σ_{x_i ≠ 0} m_i = (1/Ñ) Σ_{x_i ≠ 0} m_i. Equivalently, this means that to compute the cost of a state, we disregard the zero-vector outcomes, taking the average value over all the other outcomes. In the measurements of the final ansatz state, at the end of the optimisation, we output the measurement sample with the lowest non-zero energy. The advantage of this approach is that the quantum part (states and measurements) is identical to the unconstrained one; the only difference is in the way the measurement outcomes are used to assign a cost to different states in the classical optimisation part of the VQE.
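The modified classical loop amounts to a one-line filter over the measurement record. A minimal sketch under our reading of the scheme (function name and sample data are illustrative):

```python
def modified_cost(outcomes, energies):
    """Modified VQE cost: discard shots that measured the all-zero
    bit-string, then average the energies of the remaining shots,
    i.e. (N / N_nonzero) * (1/N) * (sum of nonzero-shot energies)."""
    nonzero = [e for x, e in zip(outcomes, energies) if any(x)]
    if not nonzero:
        return float("inf")  # state is (almost) entirely the zero vector
    return sum(nonzero) / len(nonzero)

# Four shots, two of which measured the all-zero string (energy 0).
shots = [(0, 0, 0), (1, 0, 1), (0, 0, 0), (0, 1, 0)]
energy = [0.0, 6.0, 0.0, 4.0]
print(modified_cost(shots, energy))  # (6 + 4) / 2 = 5.0
```

Returning an infinite cost when every shot is the zero vector mirrors the divergence of the 1/(1 − |⟨ψ|ψ_0⟩|²) factor at the ground state.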

Handling approximate solutions
As the dimension of the lattice increases, the probability that the algorithm converges to a shortest vector might become vanishingly small. Instead, the system might return a short-but-not-shortest vector. In this case, one approach would be to replace a vector of the basis by the newly obtained one, making the basis more reduced, and restart. This approach has been experimentally observed to work in [33]. In the classical setting, the use of tightly controlled approximate SVP oracles was shown to provide an exponential speedup over enumeration with exact SVP oracles [34], but here we likely do not get to choose the looseness of our oracles. In principle, if we could characterise the distribution of the output of the algorithm and quantify the expected size of the vector, we could estimate the number of times the algorithm needs to be re-run before obtaining a shortest vector with good probability. We leave this analysis as future work since it is nontrivial to estimate the distribution of the output of the algorithm.

Bounds on lattice enumeration and application to variational quantum algorithms for solving SVP
In the previous section we gave a map of SVP to a QUBO formulation that is suitable for VQE. This map, however, relies on bounds on each |x_i|. In this section, we obtain worst-case bounds on the |x_i| based on the orthogonality defect of the dual basis. We then give two applications of this result. First, we show how to obtain a recursive algorithm that computes an HKZ-reduced basis, thus solving SVP in passing. This method gives us the best asymptotic bound on the number of qubits required. Second, we estimate the number of qubits required to directly solve SVP by reducing the dual basis with recursive or classical preprocessing and then applying the NISQ enumeration.

General bounds on lattice enumeration
As we have seen in Section 3.1, we need to choose a bound on each of the |x i | to obtain a finite optimisation problem. This bound will then determine the number of qubits required. In order to be sure to find a solution, we first derive a general bound on all the x i that correspond to lattice points in a ball of radius A. We then use the Gaussian heuristic to choose the radius A so as to ensure that this ball contains at least one nonzero vector for most lattices and therefore a shortest vector.

Lemma 1. Let x_1, . . . , x_n be such that ‖x_1 · b_1 + · · · + x_n · b_n‖ ≤ A. Then for all i = 1, . . . , n we have |x_i| ≤ A · ‖b̃_i‖, where b̃_1, . . . , b̃_n are the rows of B̃, the dual basis of the matrix B whose rows are b_1, . . . , b_n.
Proof. Let δ_{i,j} denote the Kronecker delta. Observe that ⟨b_i, b̃_j⟩ = δ_{i,j} by definition of the dual basis. Hence x_i = ⟨x_1 · b_1 + · · · + x_n · b_n, b̃_i⟩ and, by the Cauchy-Schwarz inequality, |x_i| ≤ ‖x_1 · b_1 + · · · + x_n · b_n‖ · ‖b̃_i‖ ≤ A · ‖b̃_i‖.

We now make use of the Gaussian heuristic to choose the radius A and take A := gh(L) = √(n/(2πe)) · vol(L)^{1/n}. The total number of qubits that we need will be Σ_{i=1}^n log₂(2m_i + 1), where m_i is the bound on |x_i|. Using the bound of Lemma 1 we obtain Σ_{i=1}^n log₂(2A‖b̃_i‖ + 1) ≈ (n/2) log₂(n/(2πe)) + log₂ δ(L̃) + O(n), where L̃ is the dual of L = L(b_1, . . . , b_n) and δ(·) denotes the orthogonality defect. This suggests that the critical factor for the enumeration is the reduction of the dual of the lattice, not the lattice itself.
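Lemma 1 translates directly into a coefficient-bound computation: form the dual basis, take row norms, and scale by the radius. The sketch below is ours, and the qubit accounting ⌈log₂(2m_i + 1)⌉ is one plausible per-coordinate encoding, not necessarily the paper's exact formula:

```python
import numpy as np

def coefficient_bounds(B, A):
    """Per-coordinate bounds from Lemma 1: |x_i| <= A * ||btilde_i||,
    where the btilde_i are the rows of the dual basis (B B^T)^{-1} B."""
    B = np.asarray(B, dtype=float)
    dual = np.linalg.inv(B @ B.T) @ B
    return A * np.linalg.norm(dual, axis=1)

def qubit_estimate(B, A):
    """One possible qubit accounting (ours): ceil(log2(2*m_i + 1)) binary
    variables to encode each integer x_i with |x_i| <= m_i."""
    m = np.floor(coefficient_bounds(B, A))
    return int(np.sum(np.ceil(np.log2(2 * m + 1))))
```

Running this on classically reduced bases is one way to reproduce the dependence of the qubit count on the orthogonality defect of the dual basis.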

Corollary 1. Assuming the Gaussian heuristic, the number of qubits required for the enumeration on the basis B is bounded by (n/2) log₂(C² n/(2πe)) + log₂ δ(L̃) + O(n), where δ(·) denotes the orthogonality defect and C the multiplicative factor used with the Gaussian heuristic 7.

Bound on the number of qubits for producing a HKZ basis
In this section, we show that our NISQ enumeration procedure can be used to HKZ-reduce a basis in a recursive way using only (3/2) n log₂(n) + O(n) qubits, thus solving SVP in passing. This is asymptotically the same as the algorithm in [30]. However, our algorithm works for any lattice, whereas the algorithm in [30] only works for lattices that have what they called "an optimal Hermite Normal Form". See Section 2.1 for more details.
Recall that the notion of an HKZ-reduced basis can be defined inductively as follows. Any single vector b is an HKZ-reduced basis of L(b). A basis B = (b_1, . . . , b_k), for k ≥ 2, is HKZ-reduced if
• b_1 is a shortest vector in L(B),
• (π_2(b_2), . . . , π_2(b_k)) is HKZ-reduced, where π_2(·) is the projection on b_1^⊥,
• the basis is size-reduced with respect to b_1, i.e. |⟨b_i, b_1⟩| ≤ ‖b_1‖²/2 for all i ≥ 2.
Intuitively, the first two conditions mean that b_1 is a shortest vector of the lattice L(b_1, . . . , b_k) and, after projecting on b_1^⊥, π_2(b_2) is a shortest vector of the projected lattice L(π_2(b_2), . . . , π_2(b_k)), and so on. This notion of reduction is much stronger than LLL-reduced and BKZ-reduced bases. The third condition is equivalent to the notion of size-reduction, which is also required for LLL-reduced bases, and is a technical condition.
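The inductive definition lends itself to a small recursive checker. The following is a numerical toy of ours for tiny dimensions: the shortest-vector test is a brute-force search over a fixed coefficient box, and the size-reduction condition is omitted:

```python
import numpy as np
from itertools import product

def is_shortest(B, v, bound=3):
    """Brute-force check (coefficients |x_i| <= bound) that v is a
    shortest nonzero vector of the lattice spanned by the rows of B."""
    l = v @ v
    for x in product(range(-bound, bound + 1), repeat=B.shape[0]):
        if any(x):
            w = np.array(x) @ B
            if w @ w < l - 1e-9:
                return False
    return True

def is_hkz(B, bound=3):
    """Check the first two HKZ conditions recursively: b1 is shortest, and
    the projections of b2..bk orthogonally to b1 are again HKZ-reduced."""
    B = np.asarray(B, dtype=float)
    if B.shape[0] == 1:
        return True
    b1 = B[0]
    if not is_shortest(B, b1, bound):
        return False
    # Project the remaining basis vectors orthogonally to b1; the projected
    # rows form a basis of the projected lattice.
    P = np.eye(B.shape[1]) - np.outer(b1, b1) / (b1 @ b1)
    return is_hkz(B[1:] @ P, bound)

print(is_hkz(np.array([[1.0, 0.0], [0.0, 2.0]])))  # True
print(is_hkz(np.array([[0.0, 2.0], [1.0, 0.0]])))  # False: b1 is not shortest
```

The recursion mirrors the definition exactly: one shortest-vector call per level, followed by a projection, which is also the shape of the reduction algorithm described next.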
We say that a basis B = (b_1, . . . , b_n) is pseudo-HKZ-reduced if it is an LLL basis on which we apply an HKZ reduction to the first n − 1 vectors. This intuitively means that the basis is almost HKZ-reduced, except for the last vector, and the last vector is still controlled by the fact that it comes from an LLL reduction. In particular, the last vector is guaranteed to be at most exponentially longer than a shortest vector of the lattice.

Footnote 7: The enumeration is done with a radius of C · gh(L).
Our algorithm is a variant of the classical algorithm for producing an HKZ-reduced basis due to Kannan [9]. The main difference is that Kannan's algorithm works exclusively on the (primal) basis, whereas our algorithm has to reduce both the primal and the dual basis to control the number of qubits required in the enumeration steps. This difference requires us to work slightly differently. In particular, Kannan's algorithm works by recursively producing a "quasi-HKZ" reduced basis, and then applying enumeration on this basis to obtain a full HKZ basis. A quasi-HKZ-reduced basis is essentially an LLL-reduced basis on which we apply an HKZ reduction to the projection of the last n − 1 vectors (orthogonally to the first). In contrast, our algorithm first produces a pseudo-HKZ basis, i.e. an LLL-reduced basis on which we apply an HKZ reduction to the first n − 1 vectors. Our algorithm then runs enumeration on the dual.

Algorithm 1: HKZ-reduction algorithm using quantum enumeration

We will require the following well-known result about HKZ bases.
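Since the listing of Algorithm 1 is not reproduced here, the following sketch is a reconstruction from the proof of Theorem 1 below: the numbering of steps 6–10 matches the line references in that proof, while steps 1–5 are an assumption based on the surrounding discussion (pseudo-HKZ reduction of the dual before enumerating).

```
Algorithm 1 (reconstructed sketch): HKZ-reduction using quantum enumeration
Input: a basis (b_1, ..., b_n) of a lattice L
1:  if n = 1 then return (b_1)
2:  LLL-reduce (b_1, ..., b_n)
3:  compute the dual basis of (b_1, ..., b_n)
4:  pseudo-HKZ-reduce the dual (recursively HKZ-reduce its first n-1 vectors)
5:  replace (b_1, ..., b_n) by the primal basis corresponding to the reduced dual
6:  v <- quantum enumeration of a shortest nonzero vector of L
7:  LLL-reduce (v, b_1, ..., b_n) and extract a basis (b_1, ..., b_n) of L
8:  project (b_2, ..., b_n) orthogonally to b_1
9:  recursively HKZ-reduce the projected vectors
10: lift the projected vectors back to L
Output: (b_1, ..., b_n), an HKZ-reduced basis of L
```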

Theorem 1. Assuming the Gaussian heuristic, Algorithm 1 produces an HKZ basis with at most $\frac{3}{2} n \log_2(n) - 2.26n + O(\log n)$ qubits for C = 1.
Proof. We first show that the algorithm is correct by induction on n. Let L = L(b_1, . . . , b_n) at the beginning of the algorithm. First note that at the beginning of line 6, the basis (b_1, . . . , b_n) is still a basis of the original lattice L, since all the previous operations preserve that property. Assuming the Gaussian heuristic is true (or true with a multiplicative factor C), the enumeration algorithm will indeed find a shortest nonzero vector v at line 6. The reduction at line 7 allows us to extract a basis of L from among the n + 1 vectors v, b_1, . . . , b_n. Since v is a shortest vector, the LLL reduction ensures that b_1 is a shortest vector of L at the beginning of line 8. Let L′ = L(b_2, . . . , b_n) be the projected lattice obtained after line 8. The reduction at line 9 does not change the lattice spanned by the b_i, which now form an HKZ basis. The lifting operation at line 10 ensures that (b_1, . . . , b_n) is a basis of L at the end of the algorithm. Since b_1 is a shortest vector of L and (b_2, . . . , b_n) is HKZ-reduced and a basis of the projected lattice, it follows that the returned basis is HKZ-reduced.
We now analyse the qubit requirements of the algorithm. Let (d_1, . . . , d_n) denote the dual basis on which the enumeration is run; since it is pseudo-HKZ-reduced, (d_1, . . . , d_n) has a small orthogonality defect. By Corollary 1, the number of qubits required for this enumeration is $\frac{3}{2} n \log_2(n) + O(n)$. (Many papers, and the SVP challenge [36], typically use the GH with a multiplicative factor C ≈ 1.05. For large n, Minkowski's bound on the shortest vector implies that C = $\sqrt{2\pi e}$ actually holds, but this is a much worse bound.) Denote by Q(n) the number of qubits necessary to run the algorithm in dimension n. Since we run the enumerations sequentially, Q(n) = max(Q(n − 1), $\frac{3}{2} n \log_2(n) + O(n)$) and therefore Q(n) = $\frac{3}{2} n \log_2(n) - 2.26n + O(\log n)$ for C = 1.

Solving the SVP directly in the NISQ era
As we have seen in the previous sections, the bound on the x_i, and thus the running time of the enumeration, fundamentally depends on the quality of the dual basis. The algorithm of the previous section takes advantage of this fact by recursively reducing the primal and dual bases and always running the enumeration on a dual pseudo-HKZ-reduced basis, one of the strongest notions of basis reduction. Unfortunately, the bound on the number of qubits that we obtained relies on worst-case bounds on the orthogonality defect of such bases. In particular, the linear term in the bound of Theorem 1 is quite pessimistic for most bases.
In this section, we perform numerical experiments to understand the number of qubits necessary to run the quantum enumeration depending on the quality of the dual basis. As mentioned above, the cost of enumeration is affected by the quality of the input basis. We thus consider input bases preprocessed with LLL or BKZ-β. Using Corollary 1, we draw Figure 1a, which shows the number of qubits needed when the dual basis is LLL-reduced or BKZ-β-reduced for different β. We choose the maximum value β = 70, since the running time becomes prohibitively long for larger β. We also performed experiments with dual pseudo-HKZ-reduced bases to understand the practical behaviour of the algorithm in the previous section. (Given the high cost of computing HKZ-reduced bases, these experiments are limited to dimension 80.) The graph was obtained by generating random q-ary lattices (for q = 65537 and k = n/2), reducing them and then computing N as in (4) using the bounds in Lemma 1. Each experiment was repeated 5 times and the average was taken. (The q-ary lattices that we generate have fixed determinant, hence the number of qubits only depends on the orthogonality defect. We observed that the orthogonality defect of LLL- and BKZ-reduced bases varies little between runs, hence the small number of runs.) We also performed regression using quadratic polynomials for LLL- and BKZ-reduced bases. This type of regression is expected to fit well since the number of qubits can be shown to be quadratic. On the other hand, as shown in Theorem 1, for a pseudo-HKZ-reduced dual basis the number of qubits should grow as Θ(n log_2(n)) asymptotically. Hence, we fitted a curve of the form $\frac{3}{2} n \log_2(n) + an + b$. In order to solve the current lattice approximate-SVP record (dimension 180), we need approximately 1157 qubits when the dual is sufficiently reduced (β = 70, for example). This is considered to be achievable in the not-so-far future. We stress, however, that this does not imply such an algorithm will converge on a good solution efficiently, but only that it can be run.
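For context, the closed-form worst-case count from Theorem 1 can be evaluated directly (C = 1, dropping the O(log n) term); this gives roughly 1616 qubits at dimension 180, to be compared with the ≈1157 obtained from the numerical BKZ-70 fit.

```python
from math import log2

def qubits_worst_case(n):
    # Theorem 1 worst-case qubit count for C = 1,
    # with the O(log n) term dropped
    return 1.5 * n * log2(n) - 2.26 * n
```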

Experimental results
We run a quantum emulation of the VQE algorithm on a classical computer to assess the performance of our SVP solver. Due to the limited number of emulable qubits, we considered lattices with rank up to 28: much smaller than the cryptographically relevant ranks, but much larger than in prior quantum attempts. While we estimated the space complexity required to solve large dimensions, we cannot reliably extrapolate the performance (accuracy/time) due to the heuristic nature of VQE. The effects of noise and error mitigation are beyond the scope of this work and are left for future exploration.

Experimental framework
For our experiments we first sample a basis matrix A of a random q-ary lattice, of the block form $\bigl(\begin{smallmatrix} q I_k & 0 \\ A' & I_{d-k} \end{smallmatrix}\bigr)$, where A′ has entries sampled uniformly from Z_q and I_x ∈ Z^{x×x} is the identity. We then consider the lattice L(A) spanned by the rows of this matrix. In particular, we first LLL-reduce the entire lattice basis and then consider the sublattice of rank n spanned by the first rows of the reduced basis. Our choice of q-ary lattices L(A) is partly motivated by their ubiquity in cryptography and by their connection to worst-case lattice problems. For example, finding short vectors in the dual of a random q-ary lattice is as hard as finding short vectors in any lattice [38]. We preprocess these lattices using the polynomial-time LLL algorithm for numerical-stability reasons. We extract a rank-n sublattice in dimension d rather than considering full-rank lattices with n = d, since LLL will directly succeed in solving SVP for such small dimensions. The VQE receives an n × d matrix as input, and this "leaves some work" for the quantum algorithm to do. Note that even though many instances of these sublattices were "almost" solved by the described procedure, this is of little advantage to the VQE, as the size of the search space is not reduced. Therefore, by using a random guess for the initial optimization parameters of an ansatz circuit, our experiments represent scaled-down real instances. Consequently, in our experiments the hardness of SVP for the VQE is not lowered even if the shortest vector is already present in the given basis. The search space is defined by bounds on the coefficient vector as discussed in Section 4.1. However, the bounds there are worst-case and asymptotic. In contrast, lattice algorithms tend to perform much better on average than in the worst case, especially in small dimensions. Indeed, Figure 1a illustrates the same phenomenon here.
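A q-ary row basis of this kind is straightforward to generate. The sketch below uses one common block convention; the paper's exact block shape and index ranges are not fully recoverable from this excerpt.

```python
import random

def qary_basis(d, k, q, seed=0):
    # Row basis of a random q-ary lattice in one common convention:
    #   [ q*I_k    0       ]
    #   [ A'       I_(d-k) ]
    # with A' uniform over Z_q. (The paper's exact block shape is an
    # assumption here.)
    rng = random.Random(seed)
    B = [[q if j == i else 0 for j in range(d)] for i in range(k)]
    for i in range(d - k):
        B.append([rng.randrange(q) for _ in range(k)]
                 + [1 if j == i else 0 for j in range(d - k)])
    return B
```

The determinant of such a lattice is q^k regardless of A′, which is why the qubit count in Figure 1a depends only on the orthogonality defect.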
We hence present a different qubit mapping strategy, for which we compute the probability that the shortest lattice vector lies within the chosen bounds; in our quantum experiments we then evaluate the probability of finding the ground state of the problem Hamiltonian. The advantage is that the two problems, choosing an appropriate qubit mapping and finding the ground state of the problem Hamiltonian, can be tackled separately. The overall success probability of the variational SVP solver is then the product of the probability of encoding the shortest non-zero lattice vector in the search space and the probability of finding the Hamiltonian's ground state.
Naive qubit mapping approach. Given an n-rank sublattice, we assign one qubit per coefficient of the coefficient vector, i.e. |x_i| ≤ 1 for 1 ≤ i ≤ n. Using this approach we found that the shortest non-zero lattice vector was included in the search space with the following probabilities: rank 15: 80%, rank 16: 75%, rank 17: 75%, rank 18: 74%, rank 19: 71%, rank 20: 70%, rank 21: 64%, rank 22: 62%, rank 23: 57%, rank 24: 55%, rank 25: 50%. See Appendix B for an analysis of naive qubit mappings with ranks up to 50 that also considers different naive mapping strategies. The results presented in the appendix may be of interest for all experimental approaches to SVP that use a Hamiltonian formulation.
Quantum emulation setup. We developed a distributed emulation software framework for variational quantum algorithms by modifying parts of the Xacc [39] library, in order to utilize its implementations of variational quantum algorithms and useful classical optimisers, and we use QuEST [40] for the underlying quantum emulation. The experiments were run on Ngio 5, a distributed computer provided by the Edinburgh Parallel Computing Centre featuring 2x Xeon Platinum 8260 24C 2.4GHz with 12x 16GB DRAM modules. The emulations use a state-vector representation of intermediate quantum states and do not consider any effects of noise. Noise would affect the probability of finding the ground state, since uncertainty in the cost makes the classical optimization harder (Figure 1b, top), but it would affect neither the time requirements (Figure 1b, bottom) nor the number of qubits. As noted, extrapolating our results to lattice dimensions of cryptographic interest is infeasible, because the way the probability of success decays cannot be extrapolated (among other reasons, because we cannot anticipate the effects that barren plateaus would have). This is why, for our current contribution, adding noise would not add much to our analysis, beyond perhaps lowering the probabilities of solving the problem in the very-low-qubit experiments that are possible to emulate.

Experimental results
To improve the performance in our experiments we used the CVaR_α cost for VQE. We chose α = 0.175 since this gave better results (see also Appendix C). We were able to solve the SVP with our emulator for lattices with rank up to 28. Our experiments with 128 instances suggest that the success probability of finding the shortest non-zero lattice vector remains roughly constant for lattice instances with ranks not much larger than 28 (Figure 1b). We note, however, that the ranks of cryptographically relevant lattices are larger (≈ 400) and we cannot extrapolate our observations with confidence.
Introducing the extra constraint into the "naive" Hamiltonian, while ensuring that the new Hamiltonian is still QUBO (so that we can run QAOA or quantum annealing), requires introducing auxiliary variables and thus more qubits. In our case, we obtain a theoretical guarantee that the optimization result converges to the shortest lattice vector in the limit of the optimization parameters, at the cost of introducing n − 2 extra qubits for a lattice of rank n. This approach hence roughly halves the reach of the QAOA algorithm or of a quantum annealing device compared to the VQE algorithm, but it allows us to benefit from a wider range of variational quantum approaches, and hence we include it here for reference. A trivial solution is to penalise the assignment of the QUBO binary variables that makes the encoded vector zero. As we will argue below, given m QUBO binary variables, this approach requires introducing m − 2 new binary variables. Note that m ≥ n, where n is the rank of the lattice, is the number of binary variables in the QUBO: as shown in Section 3.1, m ≈ n log(2a) if each x_i is assigned the same variable range 2a. Suppose that instead of the mapping presented in Equation 2 we map each integer variable as in (5), by introducing new binary variables ζ_i, ω_i and {x_ij}_{0≤j≤log a} for each x_i. The encoding (5) allows us to encode the penalization of the zero state with far fewer qubits. It is easy to observe from the last two terms of (5) that penalising the case where all integer variables are zero (∀i, x_i = 0) is equivalent to penalising the case where the same number of binary variables are one (∀i, ζ_i = 1). The penalization term then becomes (6), where P is the penalty value. The term (6) can be encoded as (7), where {z_i}_{1≤i≤n} are extra auxiliary binary variables in bijective correspondence with {ζ_i}_{1≤i≤n}.
We now argue that (7) encodes constraint (6). Write y_i = 1 − ζ_i (to avoid clashing with the integer variables x_i), let τ_i = −y_i + Σ_{k=i+1}^{n} y_k, and let z_i = 1 ⟺ τ_i < 0. Then it is easy to see that these values of z_1, . . . , z_n minimise (7). If all y_i = 0, the whole expression is equal to P, as required. Otherwise, let j_1, . . . , j_m be the positions of the m ≤ n binary ones in the bitstring y_1 y_2 . . . y_n, sorted in increasing order. Then τ_{j_m} = −1 and τ_{j_l} ≥ 0 for 1 ≤ l < m. Hence z_i = 0 for all i ≠ j_m and z_{j_m} = 1, so the whole expression is 0 and no penalty is imposed.
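The case analysis above can be checked mechanically. The sketch below computes the claimed minimising assignment of the auxiliary variables, which picks out the position of the last 1 in the bitstring; the quadratic form (7) itself is not reproduced in this excerpt, so only the assignment is verified here.

```python
def optimal_aux(y):
    # claimed minimiser of (7): z_i = 1 iff tau_i = -y_i + sum_{k>i} y_k < 0;
    # for a nonzero bitstring y this flags exactly the last 1 in y,
    # and for the all-zero bitstring no z_i is set
    return [1 if (-y[i] + sum(y[i + 1:])) < 0 else 0 for i in range(len(y))]
```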
Observe that setting z_n = 1 and z_{n−1} = ζ_n does not change the global minimum of (7). Hence n − 2 additional binary variables {z_i}_{1≤i≤n−2} suffice to encode the penalization term for an n-rank lattice. The quadratic unconstrained binary optimization problem, which can be trivially mapped to an Ising spin Hamiltonian, hence becomes the minimization (8) over x_1, . . . , x_n and z_1, . . . , z_{n−2}, where each x_i is encoded as in Equation (5). The number of binary variables needed to represent an x_i bounded by a_i is log a_i + 3. Hence the total number of binary variables in Equation (8) is $\sum_{i=1}^{n} (\log a_i + 3) + n - 2$.

B Probability of including the shortest lattice vector in the search space using naive qubit mapping strategies

As discussed in Sections 4 and 5.1, the bounds determined in Section 4.1 are not the best choice for small lattice instances. Given an n-dimensional lattice L and m available qubits, choosing a uniform distribution of qubits over the elements of the coefficient vector x turns out to achieve a high probability of encoding the shortest non-zero lattice vector as the ground state of the problem Hamiltonian when m is sufficiently large. Figure 2 depicts the probabilities of encoding the shortest non-zero lattice vector as the Hamiltonian's ground state given the number of available qubits and the lattice rank. The results were averaged over 1024 instances prepared using the same methodology as for the quantum emulation experiments described in Section 5.1. Three approaches have been compared: (blue) distributing ⌊m/n⌋ qubits to each coefficient of x; (red) randomly distributing ⌊m/n⌋ qubits to n⌈m/n⌉ − m coefficients of x and ⌊m/n⌋ + 1 qubits to the remaining coefficients; (green) using Lemma 1 with A = gh(L) to obtain a discrete distribution of the bounds over the coefficients of x, the distribution then being scaled such that at most m qubits are distributed.
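The second (red) distribution strategy amounts to the following sketch; the assignment order is arbitrary here, whereas the experiments shuffle which coefficients receive the extra qubit.

```python
def distribute_qubits(m, n):
    # n*ceil(m/n) - m coefficients get floor(m/n) qubits,
    # the remaining m mod n coefficients get floor(m/n) + 1,
    # so exactly m qubits are used in total
    lo, extra = divmod(m, n)
    return [lo] * (n - extra) + [lo + 1] * extra
```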

C Conditional value at risk experiment data
We chose the value α = 0.175 for the CVaR_α VQE algorithm in our quantum emulation experiments in Section 5. Based on an experiment involving 1024 instances of rank-16 lattices prepared as in Section 5.1, this value gave the best results. The value of α was varied incrementally in small steps. Figures 3a and 3b depict the mean and the median overlaps of the final ansatz state with the Hamiltonian's ground state, respectively. We observe that despite a positive linear correlation between the mean overlap and the parameter α, the median overlap peaks sharply at α ≈ 0.175, an indication of a right-skewed distribution. In other words, we saw significantly fewer instances with high overlap as α grows beyond ≈ 0.4 towards one, although when such overlaps do occur they are high enough that their mean increases with α. The inverse of the overlap is the expected number of measurement samples of the final ansatz state needed to obtain the ground state. Hence a compromise had to be made: achieve as many overlaps as possible that were sufficiently high, in the sense that the ground state could be obtained from them by a reasonable number of measurements. In order to make a fair comparison, we considered the probabilities of sampling the ground state if 5000 measurements of the final ansatz were to be performed, as depicted in Figure 3c. We chose the value α = 0.175 as it achieved around a 78% probability of finding the Hamiltonian's ground state and, at the same time, the highest median of overlaps (around 0.006). Note that the non-CVaR_α VQE version, i.e. α = 1, resulted in only a 21% probability of finding the Hamiltonian's ground state. A final thing to note is that when one uses CVaR, the optimiser has an incentive to find a quantum state that has α overlap with the true ground state, but no incentive to increase the overlap beyond α, since anything above the α-tail is irrelevant for computing the cost.
Therefore, while it has been demonstrated that small values of α may increase the chances of finding the solution after a fixed number of shots/measurements of the final state, the actual (mean) overlap does not necessarily increase (at least not to values above α). This was one of the motivations to modify CVaR and define an Ascending-CVaR [26].
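For reference, the CVaR_α objective replaces the sample-mean energy (α = 1) by the mean over the best α-fraction of shots. A minimal sketch over a list of measured energies, with the function name chosen here for illustration:

```python
def cvar_cost(energies, alpha):
    # CVaR_alpha: average of the lowest-energy alpha-fraction of the
    # measured energies; alpha = 1 recovers the plain sample mean
    k = max(1, int(len(energies) * alpha))
    best = sorted(energies)[:k]
    return sum(best) / k
```

With α small, only the lowest-energy tail of the shot distribution contributes to the cost, which is exactly why the optimiser has no incentive to push the overlap above α.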