The Present and Future of Discrete Logarithm Problems on Noisy Quantum Computers

The discrete logarithm problem (DLP) is the basis for several cryptographic primitives. Since Shor's work, it has been known that the DLP can be solved by combining a polynomial-size quantum circuit and a polynomial-time classical post-processing algorithm. Evaluating and predicting the instance size that quantum devices can solve is an emerging research topic. In this paper, we propose a quantitative measure based on the success probability of the post-processing algorithm to determine whether an experiment on a quantum device (or a classical simulator) succeeded. We also propose a procedure to modify bit strings observed from a Shor circuit to increase the success probability of a lattice-based post-processing algorithm. We report preliminary experiments conducted on IBM-Quantum quantum computers and near-future predictions based on noisy-device simulations. We conducted our experiments with the ibm_kawasaki device and discovered that the simplest circuit (7 qubits) from a 2-bit DLP instance achieves a sufficiently high success probability to proclaim the experiment successful. Experiments on another circuit from a slightly harder 2-bit DLP instance, on the other hand, did not succeed, and we determined that reducing the noise level by half is required to achieve a successful experiment. Finally, we give a near-term prediction based on required noise levels to solve some selected small DLP and integer factoring instances.


I. INTRODUCTION
Since Shor [1] proved that a reasonably large quantum circuit can solve both the integer factoring problem (IFP) and discrete logarithm problem (DLP) efficiently, many followers have been discussing its effect and implementability, and have been attempting to reduce the attack's resource costs.
One of the emergent topics in the cryptographic area is to predict when the progress of quantum computers threatens modern cryptosystems.Extrapolation from data points, such as regression [2], is a common method for predicting time.
To put the points accurately, we need to reach an agreement on the following tasks.
(1) The threat will be realized by the progress of quantum computers.Finding the relation between the performance and calendar years is needed.This relation depends highly on the published roadmaps from the companies [3]- [7] which are continuously updated.In this paper, our focus is not on this topic.
(2) Connecting a quantum computer's performance value and the "difficulty" of the hardest problem instance that the computer can solve.To make the connection clear, it is necessary to quantify the concept of "solve" to use cryptographic applications.

A. SUMMARY OF OUR CONTRIBUTION
Defining successful experiments in a quantitative way: We propose our formalization of success probability and successful experiments in our framework including circuit generation, quantum device execution, and post-processing.More precisely, after fixing a problem instance and a quantum circuit, execution on a quantum device outputs a set of bit strings.The post-processing algorithm then takes a set of bit strings as input and returns a set of candidate solutions to the problem instance.The success probability is defined by the probability that the set of candidates contains the desired solution.This success probability can be defined on bit strings from the ideal device (a noiseless device for a quantum circuit simulated by a classical computer), a noisy device (real or simulated), and a virtual device that outputs uniformly random bit strings.Thus, by measuring where the quantum device is between the ideal and the uniform in the sense of success probability, we can measure the performance of the device.Also, we propose to claim the success of the experiment if the device success probability is higher than the median of the ideal and the uniform.
DLP experiments on an IBM Quantum device: We use the framework described above to furnish some data points for future prediction of the security of the DLP over a finite field against quantum computers.We present results from experiments in which we used an IBM Quantum device to solve selected 2 bit instances realized by 7 and 8 qubit circuits.More precisely, by using the ibm_kawasaki device of quantum volume (QV) = 32, we observed that the simplest DLP instance 2 z ≡ 1 (mod 3) with the smallest quantum circuit (Instance I in Table 1) outputs meaningful bit strings and success probability higher than the threshold that defines the successful experiment in our sense.
We also experimented with slightly more complicated circuits (Instances II and III in Table 1) from the instance 2 z ≡ 2 (mod 3).They generate bit strings with a low success probability.To improve the success probability, we propose a simple algorithm for modifying bit strings from the devices.As a result, we discovered that the device success probability of the instance III circuit is slightly below the threshold and that reducing the noise by half is required to claim success using our noisy-device simulation.Table 1 shows the specifics of our DLP instances and quantum circuits.Also, the smallest circuit used in the experiment is illustrated in Figure 5.
Near-future prediction: By the simulation, we also predict how much noise needs to be reduced to solve larger instances IV and V which are from the DLP instance 4 z ≡ 2 mod 7 and 3 z ≡ 4 mod 7. We discovered that reducing the noise level to about 1/10th is required to solve IV from a device that solves III.Table 3 summarizes the results.With the historical trend of reducing averaged CNOT gate errors by 1/2 every year [8], instances IV and V are expected to be solved within the next five years.To solve a larger instance of DLP, it requires a more strong quantum device and additional techniques such as quantum error correction which will be developed in the future.

B. RELATED WORK
Discrete logarithm problem (DLP) and its applications: DLP over a finite field is a computational problem believed for a long time to be classically hard and is used as a theoretical foundation of digital signature schemes [9], [10].Many academic areas, including quantum computing and classical cryptography, are investigating how resilient the schemes are against quantum computers and when they become compromised.We note that some cryptographic systems based on the DLP over elliptic curves (ECDLP) have also been used [11].Finding the smallest instance of ECDLP that is executable on quantum devices and experiment is a challenging open problem as of 2021.
Experiments on Shor's algorithm on quantum devices: Many experiments that execute Shor's factoring circuits (and its subcircuits) have been performed [12]- [14] by using several quantum devices.The latest record of factoring by a quantum circuit is 21 = 3 × 7 by Amico et al. [14] by using the ibmqx5 device, and they also reported 35 is infeasible.
However, there are no reports on DLP, even though the circuit construction is very similar.We discovered that the DLP is better suited for quantum benchmarking experiments in the NISQ era because many circuits that are simpler than factoring 15 or 21 can be constructed by changing three integers in DLP instances.For instance, the numbers of CNOT gates are given in Table 1 for DLP, and in Table 4 for factoring.
Most of the existing experiments have employed folklore techniques, which are used in logical circuit optimization, to simplify the quantum circuits.Because the latest quantum devices may not be able to execute modular arithmetic with sufficient accuracy [15], our circuit implementations are also simplified from the full implementation.Following this simplifying policy, we carefully designed our circuit so that no information on the solution was used, as it was claimed that some experimental circuits were oversimplified by using problem solution information [16].Our circuits are made up of shift operations over qubits with no auxiliary bits.Details are explained in Section IV-A.
It is also necessary to follow the policy when we construct a post-processing algorithm that generates a set of candidate solutions by using bit strings from quantum observations.We also carefully designed our modification algorithm that transforms an observed bit string to another bit string if it is necessary.
Quantification of experimental results: It has been a longstanding problem to claim an experiment has succeeded or failed quantitatively.Several quantifier functions have been used to estimate the quality of outputs from quantum devices.
Satoh et al. used the Kullback-Leibler divergence [17].Cross et al. [18] used the probability that the outputs bit strings are in the heavy output set.We found that these works share a spirit that compares distances between the ideal outputs, device outputs, and uniform random using their distance function; for more information, see Sections III-B and III-C.We follow their approach and define our distance function based on the success probability of our generic framework including the required post-processing algorithm.
Another way of benchmark has been proposed.The linear cross-entropy benchmark (linear XEB) was used to claim demonstration of quantum supremacy by Arute et al. [19].However, Barak et al. claimed that the linear XEB was fooled [20].The square of the statistical overlap is used in Amico et al. [14] which is introduced in Monz et al. [13] to claim their advantage from previous works.

C. PAPER ORGANIZATION
In Section II, we give a theoretical introduction to DLP, lattices, and an overview of Shor's algorithm for solving DLP and a computational problem to recover the solution.In Section III, we define our discussion framework, which including circuit generation, device execution, and postprocessing.In addition, with our motivation, we define a quantitative method for determining whether an experiment has succeeded or failed.Section IV introduces modularexponentiation gadgets used in our experiments, and latticebased post-processing algorithm.Appendix A contains background theory on this post-processing algorithm.Section V is the experimental section that gives our experimental results on IBM Quantum.Section VI gives simulation results of noisy quantum devices and comparison with the real device.Section VII gives the concluding remarks and future work.

II. BACKGROUND THEORY
We introduce notations and background theory.
N, Z, Q, R are the set of natural numbers, integers, rational numbers, and real numbers, respectively.For a prime number p, Z p = {0, . . ., p − 1} is the field under modulo p.
The Kullback-Leibler (KL) divergence defined over two discrete probability distributions P and Q is where P (x i ), Q(x i ) are the probability densities at x i .It is used to measure "a distance" from P to Q though it is asymmetric and the triangle inequality does not hold .We note that D KL (P ||Q) = 0 if and only if P = Q.

A. DISCRETE LOGARITHM PROBLEM OVER A FIELD
The DLP considered in this paper is the version defined over a prime field Z p while Shor's algorithm can work over more general situations.An instance of DLP is given by a tuple (g, a, p) ∈ N 3 that represents the equation to find z ∈ Z p .Here, g is assumed to be a generator under modulo p, that is, it satisfies g n = 1 (mod p) for n = p − 1 and = 1 for any n ∈ [p − 2].
A variant of the DLP where one has extra information, e.g., the upper bound of z, has been considered under a cryptographic context and it significantly reduces the classical complexity to solve the problem [21], [22].In this paper we assume that no information is provided except for the DLP instance.

B. LATTICES
We provide a brief overview of the lattices used in the analysis of Shor's algorithms on DLP.Bremner's textbook [23] provides a gentle introduction.The use of lattices in post-processing to solve the DLP by Shor's algorithm is also discussed in [22], [24].
For a sequence of (not necessary independent) vectors b 1 , . . ., b K ∈ Q m , the lattice spanned by them is defined by the set where b 1 , . . ., b K are called the basis vectors.A vector in L(B) is represented by row vectors.We use the matrix T to represent the basis in this paper.Particularly, we say the lattice is full-rank if K = m and the vectors are all independent.
A point x ∈ Q m is called a lattice point if x ∈ L(B).Many useful lattice algorithms takes a matrix representation of a lattice basis as input, and the majority of them assume an input basis is a set of independent vectors, though non-independent bases are occasionally used in applications.There is an efficient algorithm for converting a nonindependent basis to an independent basis that spans the same lattice (See [23,Sect. 6] or [25,Sect. 2.6.4]).We assume the existence of such an algorithm in post-processing.
For a given basis, the fundamental region is defined by and the covolume covol(L) of a lattice is defined by the volume of the region.Both the lattice and its fundamental region are subsets of span(B) : Note that covol(L) is efficiently computable from the basis if the basis vectors are independent, since it is equal to where b * i is the vector in the Gram-Schmidt basis.The Gaussian heuristic of lattices under the context of this paper claims that for an n-dimensional full-rank lattice L and a ball Y , the number of lattice points in Y is expected by vol(Y )/covol(L).We should note that the original version of the Gaussian heuristic [26] argued for a probabilistic distribution over random lattices, whereas the lattice discussed in the post-processing of Shor's algorithm may not be random.Appendix C contains experimental evidence in small dimensions.
For a lattice L, its dual lattice L × is defined by the set where x, v denotes the standard Euclidean inner-product.A basis of L × is explicitly given as B(B T B) −1 where B is a basis of the primal lattice L. It is simplified by For a given lattice basis B in the m-dimensional space and a target vector y ∈ Q m , the closest vector problem (CVP) is the computational problem to find a lattice point x ∈ L that minimizes x − y .Anyone is allowed if there are many lattice points to minimize.a similar problem is the bounded distance decoding (BDD) problem.For a problem instance (B, y) and a bound ρ > 0, the goal is to find all lattice points x ∈ L such that x − y ≤ ρ.If there is no vector in the ball Ball m (y, ρ), the empty symbol ⊥ is returned.We should point out that the version of BDD presented above differs significantly from the standard one.In the typical situation of BDD, it assumes the existence of a unique solution x.

C. OVERVIEW OF SHOR'S ALGORITHM IN OUR FRAMEWORK
Fix a DLP instance (1) represented by I = (g, a, p) ∈ N 3 .The parameter to specify the circuit size is param = (n x , n y ).n F is the bit size of the DLP instance, i.e., we set n F = log 2 p .n x and n y are the circuit size parameters (≥ n F ) to define the size of Quantum Fourier Transform (QFT) and let N x := 2 nx and N y := 2 ny .Note that n x , n y > 2n F is necessary in theory, however, the computing device we used cannot operate the necessary number of qubits as of now.Thus, we will use smaller numbers n x , n y ≈ n F as in Table 1.
An overview of the quantum circuit for solving the DLP is shown in Figure 1.We do not consider the serializing implementations [14], [27] that can reduce the number of qubits in the exponent part n x + n y to one, because our experimental environment (see, Section V-A) does not fully support such an implementation.It is easy to see that the bivariate function F (x, y) := g x a −y mod p has two periods (p, 0) and (z, 1) where z is the desired DLP solution.Thus, finding the periods will reveal the solution.The circuit is designed to compute the superposition of x,y |x, y, F (x, y) over the box [0, N x − 1] × [0, N y − 1], and apply the QFT for finding the periods.
The ideal state that assumes no quantum error, which corresponds to the distribution P Ideal in our framework, is computed as follows.(2) An observed bit string s is represented as a pair (k, ) of integers within the box Computational Problem in Post-Processing A postprocessing algorithm tries to generate a set of candidates z 1 , . . ., z J of the solution to the instance I.There could be several strategies for recovering.Formally, the computational problem we have to consider after the quantum observation is as follows.Details to derive the following problem will be provided in Appendix A. Problem 1: Let L be the 2-dimensional integer lattice spanned by (p − 1, 0) and (z, 1) where p is known and z is unknown.are the points from the observations, which are (noisy) approximations of lattice points in L × .Then, find (a suitable approximation of) z.
We remark that it is enough to assume the existence of an algorithm that finds an approximation of z, say recover z s.An observed point is shifted from a lattice point by two factors.The first is due to the finiteness of QFT, which is represented by a closed, but difficult to analyse formula precisely described by (11) in Appendix A. The other is caused by noise in quantum devices.If the quantum circuit works without any quantum noise, we know the observed points are close to lattice points with a high probability [24], [28].

III. GENERIC FRAMEWORK AND SUCCESS PROBABILITY
We revisit the standard procedures of computation by using quantum devices and propose our definition of the success of experiments and success probability.

A. THREE-STEP FRAMEWORK
Our standard procedure to solve a computational problem using a quantum computer has the following three steps.
(1) Generate a quantum circuit from a given problem instance (2) Execute the circuit on a quantum device (3) Recover solution candidates and check.In the NISQ era, (1) and ( 3) are assumed to be classical (probabilistic polynomial) algorithms which we may call preprocessing and post-processing, respectively.If the performance of quantum devices improves, they can be replaced by quantum algorithms.However, we think considering this change is pointless for the time being, and we have left it as an open problem for the future.
Furthermore, we assume that the quantum circuit generated in ( 1) is optimized to solve the given problem instance rather than being designed to solve generic instances of a fixed size.It has the potential to simplify the circuit significantly more than the circuit designed for generic instances.
More formally, we write the algorithms using the notations shown below.
• CircuitGen(I, param) → QC; A probabilistic algorithm that for given a problem instance I and auxiliary information param such as the qubit size of the circuit, it outputs a quantum circuit QC.The output can be different each time.• Device(QC) → s; Execute the circuit QC by a quantum device and get a bit string s.Here a device is considered to be either a real quantum device or a quantum simulator on a classical computer.• PostProcess(s 1 , . . ., s K ; I, param) → Z; A probabilistic algorithm that for given bit strings, problem instance I and param, it outputs a set of solution candidates Z = {z 1 , . . ., z J } to I.
Here, the numbers J, K of solution candidates and bit strings are not fixed, but assumed to be a polynomial of the instance size.We have to add some remarks on the post-processing step.The step could be further divided into two steps: modification of bit strings and recovering a solution.The latter will be discussed as a lattice-based algorithm in Section IV-B.The former attempts to transform a bit string into a better one (a simple method will be presented in Section 8) or to modify a probabilistic distribution.One well-known technique for improving probability distributions is error mitigation [29], [30], which recovers a probabilistic distribution from an approximated distribution of bit strings derived from many shots and some information on the error distributions derived from additional experiments.We do not consider the modification of the probabilistic distribution because our preliminary experiments using error mitigation do not significantly change the success probability.Also, in the situation where we want to solve a large DLP instance, execution costs mean that it will be feasible to execute only a few shots so that we cannot estimate the distribution.Therefore, under the cryptographic contexts, we only consider the modification of bit strings.

B. DEFINING SUCCESS PROBABILITIES
Within the framework in the above section, we can define the "success" for the experiments using real devices.We start the discussion by introducing the devices that we will compare.
(1) Ideal: this outputs bit strings from the noiseless quantum circuit, (2) Dev: this is a real quantum device to be tested, and (3) Unif: this outputs random bit strings uniformly.Definition 1: Let us fix a post-processing algorithm, in particular, the number of input bit strings K is fixed.For a device X ∈ {Ideal, Dev, Unif}, we denote by P X the probability distribution over the bit strings s 1 , . . ., s K from K execution of the device X with the circuit QC i = CircuitGen(I, param).The suffix i denotes the i-th execution where we can usually reuse the same circuit for each execution.The probability includes the circuit generator's random coins and superposition in the device.
Also, the success probability on the computational problem is defined by the probability that the set of output candidates contains the desired solution I: Fixing the generator and post-processing algorithm with the number of input bit strings, the success probabilities p Ideal , p Dev and p Unif are fixed.We should point out that this definition is intended for the situation in which a solution candidate can be easily checked, such as the situations where the IFP, DLP, and other NP problems.
If a program can be executed without any noise on a device, the output distribution and success probability are expected to be the same as the ideal.Increasing the quantum noise of execution, p Dev drops.Also, if the bit strings approach uniform noise, p Dev approaches to p Unif .Thus, we can expect p Unif < p Dev < p Ideal and the scaled value can be used to measure the performance of devices.Following the common strategy of existing works that we named "the median principle" (see also the next subsection), we say the device succeeded to solve the problem if s > 0.5.
In other words, we can say the device experiment to solve a problem instance is succeed if We observe that the above definition of success, which we may call "the success of device experiments as a computing algorithm" is somewhat disconnected from the cryptographic context in the real world.In the cryptographic area, they can claim success if there exists a trial such that z sol ∈ PostProcess(s 1 , . . ., s K ; I, param) even though superpolynomial time was wasted.
For small instances considered in the NISQ era, classical simulations to compute the accurate value of p Ideal and p Unif are possible and the median principle is a good criteria to check whether the device a performance is adequate.For the era of large scale quantum devices, we may assume p Unif ≈ 0 since the number of candidates is polynomial despite the search space is being exponential.For DLP [28, Section 4], we can assume the success probability p Ideal ≈ 1 for sufficiently large instances.The above assumptions deduce the threshold 0.5.It turns out some lazy version of the median principle for a large scale device is smoothly connected from the exact version.

C. BACKGROUND OF THE DEFINITION
We should add some explanations to the above definition (5) of success.Following preliminary experiments, we needed to use some quantitative measures to determine whether or not a quantum device produces meaningful results.However, when we simply applied the existing framework to Shor's DLP algorithm, we discovered two major issues.
The first one is that a typical condition for success on DLP computation should be defined over multiple vectors since the post-processing algorithm must take at least two bit strings from a device.However, the existing criteria on success are defined by using a distribution over a single bit string.
The second issue is how we define our quantitative measure that can be used to determine the limitations of state-ofthe-art quantum devices and can be used to forecast future device progress.We found that several previous criteria to evaluate experiments aim to compare "a distance" among device output distribution P Dev , the ideal P Ideal and the uniform P Unif [17], [18].Also, they employed the median principle that decides the success of the experiment by comparing d(P Dev , P Ideal ) and d(P Dev , P Unif ) by using a reasonable distance function d(•, •).Definition 2: (The median principle) Fixing the quantum circuit and some function d to measure the distance between two probability distributions.We say a device experiment is succeed if d(P Dev , P Ideal ) < d(P Dev , P Unif ).
Therefore, we first define the success probability p Device based on the outputs from the post-processing algorithm, and then define the successful experiment with the distance function d(P, Q) = |p − q|.Here, p and q are the corresponding success probability of P and Q, respectively.
We think our criteria as of now is a basic version and expect that followers will update it according to their own needs.

D. SUCCESS PROBABILITY AND KL-DIVERGENCE
We give an experimental motivation to use the success probability as the function d(P, Q) rather than the KL-divergence.We simulated the probability density functions of ideal and noisy execution for the quantum circuit instance VI (see Table 1 in the experimental section).In this case, we set the noise parameters to have a two-bit gate depolarizing error p 2 = 0.003 and a single-bit gate depolarizing error 2   Although we might think the device works well on first impression, the following KL-divergence metrics show it is questionable.The concrete values are D KL (P Ideal , P Noisy ) = 1.022,D KL (P Noisy , P Unif ) = 2.881, by which we can conclude that device output is good.On the other hand, the reverse directions are D KL (P Unif , P Noisy ) = 1.745,D KL (P Noisy , P Ideal ) = 3.305, which are evidence that the device output is closer to the uniform than the ideal distribution.Hence, we can obtain contradicting results.
From the result, we think a naive comparison of KLdivergence is not suitable to decide the success of experiments.Furthermore, our goal is not only to benchmark quantum devices but also to measure the device performance as an accelerator for solving DLP.This is why we proposed using the overall success probability to determine whether an experiment is succeed, as in (5).

IV. OUR IMPLEMENTATION
In Section II-C, we omitted details of modular-exponentiation arithmetic gadgets and a post-processing algorithm to generate solution candidates to Problem 1.Many implementations have been proposed for their building blocks.In this section, we give details of our version of the implementation used in our experiments.

A. OUR QUANTUM MODULAR-EXPONENTIATION CIRCUIT
The modular exponentiation gadgets are the most complicated part of Shor's circuit.They are typically implemented by a sequence of modular multiplication operations.
Based on our understanding of the latest hardware, the general modular multiplication circuit, even for problems involving only a few qubits, is too demanding for the latest generation of quantum machines [15].As a result, we must consider specific cases and simplify the modular multiplication circuit as much as possible by following existing reports.
We used the standard binary representation of nonnegative integers.For a state |F n−1 • • • F 0 comprising n qubits, we regard it as the integer F = F n−1 2 n−1 + • • • + F 0 and denote it as |F .To simplify the circuits, we exploited the fact that the shift rotation [13] without using any auxiliary qubits.A stack of the shift rotation circuits realizes the modulus power function F → F •2 k mod (2 n −1) for any k.
With this gadget, the controlled version of double-thenmodular operation is expressed as whose circuit is shown in Figure 3.

FIGURE 3. n-bit double-then-modular quantum circuit without any auxiliary qubits
In the modular exponentiation, we considered quantum circuits that use only NOT, CNOT gates, and the above gadget.In particular, such simplified circuits meet the following requirements.(1) p is a number of the form 2 n − 1 (p should be prime in a cryptographic context), and (2) both g 2 j mod p for j ≥ 1 and (a −1 ) 2 k mod p for k ≥ 0 are represented by a power of two.
Thus, the modulus exponentiation part that computes |x, y, 1 → |x, y, g x a −y mod p comprises of |x, y, 1 → |x, y, g • x 0 (implemented by NOT and CNOT gates, where x 0 is the least significant bit of x), and the controlled doublethen-modular gadgets.

B. OUR POST PROCESSING
We present our version of a classical algorithm for recovering candidates of z via dual lattices, whose naive extension would be useful in many situations involving Shor-type algorithms.See, for example [22], [24], [31] for details on the algorithm that employs primal lattices.In theoretical analysis, we assume, as in many previous works, that there is no gate or measurement noise during algorithm execution.
We outline the algorithm in Algorithm 1.For the input of a sequence of bit strings s 1 , . . ., s K , it outputs a set of solution candidates z 1 , . . ., z J to the DLP instance.As we described in Appendix A, the bit strings correspond to the points {(p i , r i )} i=1,...,K are approximations of points in L × ∩ [0, 1) 2 where L × is the dual lattice of L spanned by (p − 1, 0) and (z, 1) with the DLP solution z.
Also, the lattice defined by the (K + 1) × K matrix has a lattice point x = K+1 i=1 a i b i close to the target vector y = (r 1 , r 2 , . . ., r K ). ( Finding x, we can recover the DLP candidate solution z since the combination coefficient a 1 is −z.The details of the postprocessing are given in Appendix A. Therefore, for a given point set {(p i , r i )} i=1,...,K , executing a BDD subroutine BDD(B, y, ρ K ) generates a list of vectors v 1 , . . ., v J and the corresponding combination coefficients derive the candidate set z 1 , . . ., z J .The parameters in the BDD subroutine are B and y, which are defined above.The remainder of this section is concerned with the selection of the searching radius ρ K .
We need to set it so that the overall success probability is sufficiently high while keeping the computing time feasible.In other words, we need to keep the number of lattice points in Ball K (y, ρ K ) small, namely, O(K).
To bound the number, the Gaussian heuristic assumption provides us a good estimation in general.The assumption claims that the number of lattice points in Ball K (y, ρ K ) is averageabout one if we set for detail of the derivation, see Appendix C.Although we basically followed Ekerå's theory [28] to implement our post-processing, we have found two issues to modify whose details are postponed to Appendix B and C.
The first one is the determinant computation of the lattice B. In the lattice application, a lattice basis is usually given by a triangle matrix for the simplicity of determinant analysis.In our situation, the lattice is represented by a (K + 1) × K matrix as in (6).An auxiliary column c = (τ, 0, . . ., 0) T on the left of B, is commonly used to analyze such bases, where τ is a parameter to be optimized.Because the dimension has been changed, it may cause some theoretical issues.In Theorem 1 of Appendix B, we provide a theoretical analysis of covol(B).This is appropriate for our situation, in which experiments to solve the DLP are carried out using small dimensional lattices.
The second one is on the number of lattice points within Ball(y, ρ K ).We experimentally find that an exponential number of lattice points is contained in the ball (Appendix C).This result shows that the DLP lattices are not close to random enough required to use the Gaussian heuristic.Thus, we should work in low dimensions such as K + 1 ≤ 10 to limit the number of found vectors.Unfortunately, to the best of our knowledge, how a method for setting the radius in a large dimension is unknown.
In small dimensions, the number of lattice points within the ball has a non-negligible variance.We experimentally discovered that there is a non-negligible number of trials in which there is no lattice point within Ball K (y, ρ K ).In this case, we add the execution of the CVP oracle that finds the closest lattice point to y and recovers a solution candidate from it.As a result, Algorithm 1 describes the postprocessing algorithm.We can easily check the candidates by computing g zi (mod p).We say the success of the experiment when one of the candidates passes the check.If otherwise, the experiment is failed and we try with a new set of inputs.

C. SELECTION AND MODIFICATION OF BIT STRINGS
In our preliminary experiments, we found a naive execution of Algorithm 1 sometimes fails to find the desired DLP solution.To increase the success probability, we propose two methods to select and modify the bit strings from the devices.
The first method is to remove the zeros.It is based on the fact that the zero vector p i = (0, 0), derived from the zero bit string, is useless because the zero vector is always the point in the dual lattice L × .As a result it provides no information and we remove vectors representing points near (0, 0) from the post-processing algorithm's inputs.Because the number of instances considered in our experiments is very small, we removed only zero vectors whereas vectors near the zero should be removed in the case of large DLP instances.
The second method is using the properties of distributions after QFT.Since L × is spanned by two vectors in the matrix D (see Appendix A for details), any points in L × ∩ [0, 1) 2 from any DLP instance considered under modulo p must be in the set (9) Thus, if the converted point p = (p , r ) is not very close to a point in S p , it must have bit flip errors.
We emphasize that determining whether a vector is close to a point in S p can be done quickly and without using any DLP solution information.Furthermore, unlike error mitigation techniques, it does not make use of any information from the probability distribution.
For a bit string containing errors, we can try all the 1 bit flips to ensure that the corresponding vectors are on the correct points.If all of the trials fail, we reject the bit string, and try all the 2-bit, 3-bit, and so on flips if necessary.In our experiments, we try every single 1 bit flip.
Therefore, we modify the bit strings from devices as in Algorithm 2. Note that we use the criteria p ∈ S p and p i ∈ S p exactly to check the conditions in Step 2 and 6, respectively in our experiments.Using the above two modification methods in Step 1 in Algorithm 1, each input bit string is translated to a modified point (p i , r i ), or rejected sample ⊥.We replace ⊥ with a new modified sample from a device and move to Step 2 after all the points are legitimated.

V. EXPERIMENTS IN IBM QUANTUM
This section provides experimental results on a real superconducting quantum computer.For Shor's quantum circuits to solve selected instances of DLP, we measured probability distributions and success probabilities.

A. EXPERIMENTAL ENVIRONMENT
First, we explain the target DLP instances and the conditions of the experiments.The experiments were performed with IBM Quantum device ibm_kawasaki which has the connectivity of qubits shown in Figure 4.
Table 1 shows the DLP instances with the gadgets described in Section IV-A.n x and n y are the widths of the exponent variables, which are equal to the size of QFT gadgets.n F is the number of qubits to compute F (x, y).Since we do not use any auxiliary bits to perform the computation under modulo p, it consumes log 2 p bits.Therefore, the total number of qubits used in the curcuit is The circuit of instance I assuming full-connectivity is shown in Figure 5 as an illustrative example.On the other hand, current superconducting quantum computers do not have fully connectivity.Thus, we have to embed the circuit  by fitting the topology of the target quantum device so that the performance loss is small as possible as we can.There are many methods to measure the loss.We tried to reduce the total number of CNOT (cx) gates, which is expected to be equal to increase the total performance because the fidelity of CNOT gate is lower than single gate in IBM Quantum devices.Such circuit-to-circuit translation is performed by the transpile command in Qiskit [32].This command returns a variety of feasible circuits since it uses a random number in its optimizing subroutine.We set the seed of random number generator as the input of the transpile command, so that we can generate many circuits and take the circuit whose number of CNOT gates is minimum.We also set the options so that the output circuit consists of the gate set ['cx','id','rz','sx','x'], and optimization level 3. Figure 6 shows the circuit of instance I used in our experiments.
The circuits of instances II and III, which are used in our experiments, are shown in Figure 14 in Appendix E. As we explained in the next section, experiments using the both instances are not succeed because its success probabilities do not meet the level of threshold values.Instances IV to VI are not executed because they are clearly more complicated than II and III, and the success probabilities are very lower than the thresholds.
The summary of the experimental environment is shown in Table 2.One execution consists of 8, 192 shots and measurements, and one experiment consists of 100 repeats of execution to evaluate the statistical variance.Totally, we have 819, 200 bit strings for each instance.

B. RESULTS FROM REAL QUANTUM DEVICES
We compare the output distribution by which we denote P Kawasaki and the ideal distribution P Ideal .Figure 7 shows the comparison among the probability distributions of instance I, II and III.
From the graph, clearly the instance I is solved.In fact, using our post-processing algorithm (Section IV-B) on the instance I, the success probability is always higher than 99.9% for K = 2, . . ., 20.On the other hand, in the instances II and III, although the exact peaks of P Kawasaki and P Ideal are close to each other, there are some other peaks that are not expected, such as 00100.So, in the next section, we discuss the effects of these peaks in post-processing.Instances IV ,V ,VI have more than 100 CNOT gates and are not expected to output meaningful results.

C. SUCCESS PROBABILITY RESULTS
To facilitate a more quantitative comparison, we checked the success probability of the post-processing algorithm.Figure 8 shows the success probability of p Ideal , p Unif and the experimental success probability p Kawasaki (i.e., the probability that the return of Algorithm 1 includes the correct  1.In instances II and III, the values are cut at 0.2 and the ideal probabilities are all 0.5.solution) of instances II and III, using 819,200 samples from the device.we compared the probabilities without bit string modification in both cases as described in Section 8.
Figure 8 depicts a summary of the results.The success probability from the ideal distribution is almost 1, and the threshold values are computed by (1 + p Unif )/2.Unfortunately, the success probabilities of the device outputs are lower than that of the uniform.This can be expressed as follows.In the instance II and III, the DLP has the solution z = 1 and the vectors that spans the dual lattice are (0, 1) and (1/2, 1/2).Thus, (p, r) = (0, 0) and (1/2, 1/2) from the bit string s 0 = 00000 and s 1 = 10100 in instance II is the point observed under ideal conditions.On the other hand, noise bit strings s 2 = 00100 and s 3 = 10000 are frequently observed in experiments.In particular s 2 corresponds to (p, r) = (1/2, 0) and the solution z = 0 that the post-processing algorithm makes mistake.We think the reason that the error bit sequence s 2 is higher than the correct solutions (s 0 = 00000 and s 1 ) is a concentration of error since the Hamming distance relation d H (s 0 , s 2 ) = d H (s 1 , s 1 ) = 1.

FIGURE 8.
The experiment success probabilities using our post-processing algorithm (Algorithm 1).The top and bottom are on instance II and III respectively.Note that this result is before using our bit modification algorithm, whose detail and result are explained in Section V-D and .Here, K the number of used bit strings sampled from the set of bit strings generated by the IBM Quantum device.

D. RESULTS AFTER 1BIT MODIFICATION
To obtain better results, we apply our procedure to modify the bits introduced in Section 8. We also apply the modification for the uniform output for a fair comparison.The probability distribution of the device output before and after modification is supplied in Appendix D.
Figure 9 shows the comparison of success probabilities.We can see that the device probabilities have increased, as have the thresholds.The success probabilities of device outputs are still lower than the thresholds.We emphasize that in instance III, the probabilities of the device become higher than the uniform.As a result, it appears that if noise levels are reduced, there is a chance of success.In the following section, we will discuss how much noise we need to reduce through simulation.

VI. HOW MUCH NOISE DO WE NEED TO REDUCE
As we can see in the above section, the problem level that the latest quantum device can solve is between I and II.This section provides the results of our simulation of noisy devices to discuss the near-future of DLP and IFP against quantum devices.
Noise considered in the real quantum devices is represented by many parameters.To simplify the discussion, we represent the noise by one real number p 2 that indicates the 2-bit gate depolarizing error.
We simulated the circuit of instance III, setting 1-bit and 2-bit gate depolarizing errors to 0.1 • p 2 and p 2 , respectively.Figure 10 shows the success probabilities.Since the success probability of random bits with 1bit modification is about 0.55, the threshold (red dot line) is about 0.8.On the other hand, the success probability of Kawasaki output with 1bit modification is about 0.6, which does not meet the threshold.The success probability graph is comparable to that of our simulation with p 2 = 0.07.It is necessary to achieve p 2 = 0.04 to obtain a success experiment.We remark that p 2 = 0.07 does not match the claimed CNOT gate error of ibm_kawasaki [33], because we tried to represent the effect of whole errors in the real device by using a single value.From the ratio of p 2 we think it is necessary to halve the noise to claim the successful experiments of instance III.
We also simulate the circuits in Table 1 to find the noise levels we need to achieve to claim success.The result is FIGURE 10.Comparison of success probabilities.The yellow line is the probability of random bits with 1bit modification.Because the success probability of ideal output is 1, the threshold (red dot line) is computed by (pUnif + 1)/2.The blue line is the probability of real Kawasaki device and it matches to the purple dot line of simulation with p2 = 0.07.To claim success, it is necessary to reduce the noise level of p2 = 0.04.
summarized in Table 3 and Figure 11.p mod and p nomod are maximum of p 2 to claim the success of the experiment when 1bit modification is used and unused, respectively.Here, we decide the success if one of the success probabilities of postprocessing for K = 2, . . ., 10 is higher than the threshold.
The values on the instance II and III look the same, whereas the details are different.The size of QFT is one of the differences between II and III.Based on the results of the experiments, we discovered that increasing the QFT size, results in increased noise resiliency.In these cases, it appears that the noise increase caused by the number of gates and the resiliency from the QFT size are balanced.
For the instance IV and V, the values p mod and p nomod are completely the same because the modification algorithm (Algorithm 2) have very small effects on the inputs.Since both instances are from the DLP instance with p = 6, the set of legitimate points S p defined by the equation ( 9) contains 31 points and the number of corresponding legitimate bit strings are inherently greater than 31.On the other hand, the possible number of output bit strings is 2 nx+ny = 64 and 256 for instance IV and V, respectively.Thus, most output are regarded as legitimate such that the true condition is satisfied in Step 2 in Algorithm 2. Figure 11 is the log plot of #cx and the probability.We can see the values of instances II to V are on the line 1/x.This explains the weakness of circuits against noise.Any one of the CNOT gates has an error, the whole computation would be failed.The blue circles and red triangles are the results with bit string after and before modification, respectively.For the points from instances II to V, they all fits on the line of 1/#cx.The horizontal dot line is p2 = 0.07, the noise level as of 2021.
Future prediction: IBM provides us the history of averaged CNOT gate error rate [8] over the past 5 years.The rate continues to decrease and it falls by roughly half every year.We can predict when the DLP instances will be solved if the total noise level of real quantum devices decreases at the same rate.As previously stated, the IBM Quantum (ibm_kawasaki) released in 2021 corresponds to the noise level p 2 = 0.07, which we use to simulate CNOT and single gate errors.To solve the instances II and III, p 2 = 0.04 is required.If the current trend will continue, they would expect to be solved by a quantum device released in 2022.Also, in 2025, the noise level will be reached about p 2 = 0.07 • 2 −4 = 0.004375 and the instances IV and V are expected to be solved.
We also give a prediction on Shor's factoring algorithm based on the number of CNOT gates and a slightly evidenceless assumption because we have never discussed enough lattice-based postprocessing algorithms and bit string modification for the integer factoring situation.Table 4 summarized that factoring quantum circuits that were considered.Similar to the DLP circuits, we implement them using Qiskit and compile them using the transpile commmand with 100 different seeds.The columns #cx min and #cx ave represent the minimum and average of #cx of transpiled circuits.
The factoring circuits considered here are textbook proofof-concept circuits.That is, they are simplified by using the properties of a x mod N .For example, the second line instance 15B is simplified by using the fact 2 x mod 15 ∈ {1, 2, 4, 8} and 2 4 mod 15 = 1.The third line instance 21A is from the circuit by Amico et al. [14].The details of the factoring circuits considered are described in Appendix F.
From the viewpoint of #cx, 15A, 15B and 21A are 2-3 times harder than the DLP instances II and III.Under our assumption, when p 2 = 0.07 • 2 −3 = 0.00875 is achieved in 2024, 15A and 15B could be solved since 1/#cx = 0.01 and 0.0116, respectively.The instance 21A has a chance to be solved since 1/#cx = 0.00794.On the other hand, to solve the larger instance 21B, we have to wait for the machine to progress until 2026.
This near term prediction also explains why the existing reports on success experiment of integer factoring in this 20 years [34]- [35] except for oversimplified circuits only factor 15 and 21.It is not enough to execute the proof-ofconcept circuits of factoring 15, which require a hundred CNOT gates.The first step will take several years.We predict larger instances will constantly solved after the first report of complete execution of factoring 15 or 21 including post-processing because the growing speed of gate size is polynomial of log N to the factoring number N .We expect new reports of factoring the numbers greater than 35 will be published frequently after 2025.

VII. DISCUSSION
We reported our experiments on the DLP with the IBM Quantum device.The entire performance of the latest quantum device against DLP including the post-processing algorithm is very limited.It can solve the smaller 2 bit instance 2 z ≡ 1 (mod 3) (instance I in Table 1) in the sense of median principle on the success probability.On the other hand, it might reduce the noise by half to solve the larger instance 2 z ≡ 2 (mod 3) (instance II and III in Table 1).We have predicted the 3 bit DLPs considered in Table 1 and factoring in Table 4 would be solved around 2025.On the other hand, solving 4 bit or larger instances seem to necessitate the use of a device with quantum error correction.The importance of noise reduction has been known since the early days of Shor's algorithm [36].Here, we provide quantitative support by (10) for that consensus.
Threatening RSA-2048: The growing speed of device performance under the assumption from the history of device noises and ( 10) is notable.Assuming the executable number of CNOT gates with negligible errors is doubled every year, it can be expected that a quantum circuit with millions of gates can be executed in the coming decades.The estimation of Gidney and Ekerå [37,Table 1] claims that about 2.7 × 10 9 abstract Toffoli gates are required to factor RSA-2048.Assuming one Toffoli gate is implemented by 5 CNOT gates and several single qubit gates, about 1.35 × 10 10 ≈ 2 34 CNOT gates are necessary to implement the circuit.As a result, it can be expected that a quantum device that threatens integer factoring-based cryptosystems will be developed in the next 30-40 years.
This prediction backs up previous reports predicting that the time of compromise RSA-2048 will also arrive in the coming decades.Sevilla and Riedel [2] make a prediction based on the assumption of exponential progress of physical qubits and gate fidelity, claiming that this is an optimistic scenario.Their prediction is based on their quantifier of quantum devices that they named generalized logical qubits.They predicted that a superconducting quantum device capable of solving RSA-2048 (using 4,100 qubits) would be available in the early 2050s, rather than before 2039.This is more optimistic than expert opinions [38], [39] published in 2019 and updated in 2020.Mosca and Piani say that 90% of experts predict that there is 50% or greater chance of a quantum device that can break RSA-2048 in 24 hours being released in the next 20 years.
In addition, our method also shares the difficulty of early prediction of emerging technologies.That is, the predictions on RSA in the above assumed the exponential growth of some performance values at a glance from historical values.Due to the small number of datapoints, the evidence supporting our assumptions is not very strong and we need to refine the predictions by taking account into the progress of quantum devices and experiments over the next few years.
We also remark that our prediction method is slightly different from the typical methods in cryptographic research.To predict threats on RSA and DSA in future, cryptographers typically have used "bit lengths of cryptosystems", represented by the bit lengths of numbers to be factored in RSA and the modulus in DSA, to measure the security of cryptosystems.However, this strategy cannot be applied simply to the situation of quantum computing.Despite the advances in technology, the known claimed successful factoring experiments using Shor's circuit on real quantum computers have only been for the values 15 and 21 over a span of 20 years [34]- [35].Thus, it is difficult to predict the time of compromise RSA-2048 from only previous experiments.Therefore, another predicting method was needed, leading us to the present analysis.
Technical future work: Our experiments in this paper employ the standard way to construct the circuits.To increase the success probability, several techniques can be applied.
In addition to the simplification of modular exponentiation circuits, the approximation of QFT can also be used [40], [41].It can reduce the number of gates, i.e., total noise levels, at the expense of accuracy.Balancing the hardware noise and its inaccuracy is a problem that we hope to address in the near-future.
Quantum error correction (QEC) is under continuing development.Once implemented, it can also significantly reduce the noise level.It will be interesting to see how the noise level trend changes as QEC and fault tolerant techniques are applied to actual algorithm execution [5], [42].
The post-processing algorithm is also a work in progress, with room for continued improvement.Based on the set S p of valid bit strings, we proposed a simple bit modification algorithm.Other methods should be considered.Outputs with low levels of noise, in particular, can aid in the recovery of the correct solution in some security-related problems [43].
Sect. 2.6.4]) that outputs a pair of a unimodular matrix U and a square basis matrix B so that satisfies In particular, each b j is expressed as K+1 i=1 u j,i b i .Then, a BDD subroutine with input (B , y, ρ) returns a set of lattice vectors.Let x = K j=1 c j b j be a vector in the set.Here, a typical BDD subroutine returns its combination coefficients c j .If not, we can easily compute them by simple matrix multiplication.By the relation 1 and it is −z, the negative of desired DLP solution candidate.

B. REFINED DETERMINANT ANALYSIS
This section gives our refined theoretical analysis of the covolume of the lattice defined by (6), which is used in our BDD implementation in relatively small dimensions.The technique is generally called the point-counting method and we apply it to the dual lattice of B. Theorem 1: Let B be the matrix of the form (6). In particular, assume that all p i are fractions of the form a i /2 mi where a i is odd integer or zero.For p i = 0, we set a i = m i = 0.Then, the covolume of the lattice spanned by the rows of B is covol(B) = 2 −mj where m j is the maximum of all m i 's.Proof.Let w = (w 1 , . . ., w K ) be a vector in the dual lattice and consider the condition the vector must satisfy.By the definition of dual lattice, w, b i ∈ Z for all i = 1, . . ., K+1.Thus, w must be an integer vector by the condition for i = 2, . . ., K + 1.Consider the condition for i = 1, it must be After fixing all i except for j, there exists just one w j in 2 mj integers, so that the inner-product is an integer.Thus, we have vol(D) = 2 mj and vol(B) = vol(D) −1 = 2 −mj .In our situation max m i = n x (QFT size) holds with high probability since p i = a i /2 nx are considered as random numbers from the observations.

C. SELECTING RADII IN BDD
Computing the lattice covolume, one can try to set the searching radius ρ in the BDD subroutine so that the computational time of post-processing is feasible.The number of lattice points in the ball Ball K (y, ρ) should be small, for this purpose, i.e., bounded by some constant or sub-polynomial function of the lattice dimension.As a result, determining a relationship between the number of lattice points and the radius is crucial.In typical situations, the Gaussian heuristic plays an important role.However, we discover that the heuristic does not hold in our DLP situation, posing a new unsolved problem.
The Gaussian heuristic says there exists approximately vol(Ball K )/covol(L) lattice points in the intersection Ball ∩ L for a K-dimensional full-rank lattice.In our situation, the number can be computed as Thus, setting the radius the expected number of lattice points is about N .Ekerå [28, Sect.5.2.1]'s estimation compares the above radius and an asymptotic upper bound ∆ K to y − x in the K-dimensional space.Then, estimate how many samples K is required so that the lattice-based postprocessing can be completed in a reasonable amount of time.However, based on our preliminary experiments, we discovered that the strategy needs to be modified.We simulated noiseless quantum computation and sample many bit-strings for the DLP instance V. We generate 10,000 sets of BDD instances defined by ( 6) and ( 7), for each dimension K and count the number of lattice points within Ball K (y, ρ) where ρ is defined by (14), corresponding to N = 1.For the control, we also count the number of lattice points when the target point y is randomly generated from [0, 1) K .The result is depicted in Figure 12.We can see the number in the ball grows exponentially in the DLP case while the random case keeps about 1.
Hence, we think we cannot use the Gaussian heuristic simply in the post-processing of Shor's algorithm for DLP.Either lattices or target vectors are not random.The reason can be explained as follows.Suppose there exists a lattice vector x in the ball.Then, the neighborhood lattice vectors x ± e i ± e j ± • • • are very likely in the ball where e i = (0, . . ., 0, 1, 0, . . ., 0) is the unit vector.As a result, we believe that using the Gaussian heuristic to set the BDD radius is not a good strategy in this situation.How to set the searching radius or searching space for large K should be an open problem.This is why, in the main section, We propose using post-processing with small K.
We remark an another setting method by using the covering radius could be considered, but may not be very useful.The covering radius of a lattice L is defined by the minimum where y is set from the DLP (red) and set randomly (blue).The radius ρ is set by ( 14) so that the average number is expected to be 1.
radius c of the ball so that the set ∩ x∈L Ball K (x, c) = span(L).In other words, the BDD instance (B, y, c) has always a solution for any y ∈ span(L).Thus, setting ρ K by some upper bound of the covering radius, the return of BDD subroutine is always not empty.However, there could find an exponential number of lattice points even for K = 2. Let us consider the following extreme situation with K = 2, p 1,1 = N −1  which is achieved by the target vector y = (0, 0.5).On the other hand, for the target vector y = (0, 0) the ball of radius c contains an exponential number of lattice points.Thus, we decided to keep using the simple radius from the Gaussian heuristic and use an extra CVP subroutine if the BDD subroutine returns the empty set.

D. DEVICE PROBABILITIES AFTER 1 BIT MODIFICATION
.
This section gives supporting materials of Section V-D.We give a detailed example of our modification algorithm and probability distribution results of the ibm_kawasaki device and the distribution after the 1bit modification on instances II and III.
Since the both instances II and III consider the DLP instance of p = 2, the set of a legitimate set is Table 5 shows the summary of 1 bit modification for an instance with p = 3.For instance II, its ideal distribution takes (0, 0) and (0.5, 0.5) with probabilities 0.5, which correspond to the bit-strings 00000 and 10100.The device frequently outputs bit-strings that are modified to incorrect bit-string 00100 and we can see the probabilities of 10100 (correct) and 00100 are very close to each other.This is one reason why the experiment failed.Figure 13 shows the probability distribution before and after modification of the ibm_kawasaki device outputs.After the modification, we can see the instance III has better results because the probability of the correct bit-string (100100) is higher than the other (000100), and this explains the difference in success probabilities (Figure 8 and  9).

E. CONSTRUCTION OF OUR DLP CIRCUITS
This section provides the detailed construction of the modular exponentiation part of the DLP circuit experimented in Section V.

F. CONSTRUCTION OF OUR FACTORING CIRCUITS
This section provides the detailed construction of the modular exponentiation part of Shor's factoring circuit considered in Table 4 the experimental reproducibility.
We first remark that the four circuits that we considered are proof-of-concept versions.That is, they are oversimplified by techniques that are not scalable.

ACKNOWLEDGEMENT
This work was supported by MEXT Quantum Leap Flagship Program Grant Number JPMXS0118067285 and JP-MXS0120319794.The results presented in this paper were obtained in part using an IBM Qunatum quantum computing system as a project of the Quantum Computing Center, Keio University.The views expressed are those of the authors and do not reflect the official policy or position of IBM or the IBM Quantum team.
t. |z − z | < z/4 where the notation | • | is considered under modulo p.With the approximated solution, consider the new DLP instance (g, a • g −z , p) which has a smaller solution z − z .The approximation algorithm returns z s.t.|z − z − z | < |z − z |/4 < z/16.Repeating this process, we can recover the desired z.
depicts a comparison of the ideal distribution and the noisy distribution.The horizontal and vertical axes represent the position of ( , k) as determined by 12 bit observations.

FIGURE 2 .
FIGURE 2. Density function from the exact simulation PIdeal and noisy simulation PNoisy with parameters p1 = 0.0003 and p2 = 0.003 that outputs similar data.Although we might think the device works well on first impression, the asymmetricity of the KL-divergence drives us questionable results.

FIGURE 5 .FIGURE 6 .
FIGURE 5. Our abstract circuit of instance I

FIGURE 7 .
FIGURE 7. Probability distribution of ideal output, IBM Quantum real device output.From the top, the experimenting circuits are I,II and III in Table1.In instances II and III, the values are cut at 0.2 and the ideal probabilities are all 0.5.

FIGURE 9 .
FIGURE 9.The experimented success probabilities of our post-processing algorithm with modified bit string.

FIGURE 11 .
FIGURE 11.Comparison between #cx and the necessary noise level p2.The blue circles and red triangles are the results with bit string after and before modification, respectively.For the points from instances II to V, they all fits on the line of 1/#cx.The horizontal dot line is p2 = 0.07, the noise level as of 2021.

FIGURE 12 .
FIGURE 12.The averaged numbers of vectors within the ball Ball K (y, ρ) where y is set from the DLP (red) and set randomly (blue).The radius ρ is set by (14) so that the average number is expected to be 1.

x and p 2 1 2 1 +
,k = 0.The covering radius of the lattice is c = N −2 x

FIGURE 13 .
FIGURE 13.Comparison between the probability distribution of the ibm_kawasaki outputs and after 1 bit modification.

y 3 =
x 0 • x 1 y 2 = y 3 ⊕ x 0 y 1 = y 3 ⊕ x 1 y 0 = y 1 ⊕ x 0Construction of 21A We construct a factoring circuit with parameters (a, N ) = (2, 21) and size of QFT 3. We follow the construction of Amico et al.[14].Our circuit to compute Y = (y 4 2 4 + y 3 2 3 + y 2 2 2 + y 1 2 1 + y 0 2 0 ) = 2 x22 2 +x12 1 +x02 0 mod 21 is displayed in Figure17.In the gadget circuit G 01 , it computes Y = 2 x12 1 +x02 0 by using the precomputed information that 2 X for X = 0, 1, 2, 3 is 1, 2, 4, 8 respectively.This gadget is the same as circuit 15B.Then, the next gadget computes ×2 4x2 mod 21.The trick here uses the fact for Y = {1, 4, 8}, the result of 16Y mod 21 and 16Y mod 63 are the same.This allows us to use the bit-rotation technique described in Section IV-A, which is implemented by the first three cswap gates in G 2 .After the cswap gates applied, Y = 01000 = 8 corresponding to X = 101 = 5 is only the value to modify.The last two ccx gates modify it to 2 5 mod 21 = 11.Construction of 21BA circuit with parameters (a, N ) = (2, 21) and size of QFT 4 is constructed by a similar method to that of 21A.In Figure18, the gadgets G 01 and G 2 are the same as Figure17.To construct the (×2 8x3 mod 21) = (×4 x3 mod 21) circuits, we use the equivalence between 4Y mod 21 and 4Y mod 63 for Y = 1, 2, 4, 16.The first three cswaps change the values of Y as described in Table6.The remained part transforms Y = 2, 14 to 11, 2 respectively without changing other values.

FIGURE 14 .
FIGURE 14.Our transpiled circuits of instance II (Top) and III (Bottom) to solve the DLP instance 2 z ≡ 2 (mod 3).The last observing gates are omitted.

FIGURE 15 .
FIGURE 15.Modular multiplication gadgets for a proof-of-concept circuit of Shor's factoring algorithm with parameters (a, N ) = (7, 15) and size of QFT is 4.

FIGURE 16 .
FIGURE 16.Modular multiplication gadgets for a proof-of-concept circuit of Shor's factoring algorithm with parameters (a, N ) = (2, 15) and size of QFT is 4. The number of CNOT gates after transpiling is slightly reduced to the circuit of Figure 15.

FIGURE 17 .
FIGURE 17. Modular multiplication gadgets for a proof-of-concept circuit of Shor's factoring algorithm with parameters (a, N ) = (2, 21) and size of QFT is 3.

FIGURE 18 .
FIGURE 18. Modular multiplication gadgets for a proof-of-concept circuit of Shor's factoring algorithm with parameters (a, N ) = (2, 21) and size of QFT is 4.
Algorithm 2 Our bit string modification algorithm for DLP for all pi = (p , r ) is from i-th bit flip of s do

TABLE 1 .
Summary of parameters for target DLP instances.

TABLE 2 .
Summary of experimental environment and conditions.

TABLE 3 .
Summary of necessary noise level (as of p2 in simulation) for the considered instances.The #cx row is the same as the #cx min row in Table1.p mod and p nomod are necessary p2 to claim the success experiment when 1bit modification is used and unused, respectively.

TABLE 4 .
Summary of quantum circuits for proof-of-concept of Shor's factoring algorithm.

TABLE 5 .
Summary of 1 bit modification (Algorithm 2) on instance II.

TABLE 6 .
Values that are necessary to be modified after the first three cswaps in G3.