We present a compact quantum circuit for factoring a large class of integers, including some whose classical hardness is expected to be equivalent to RSA (but not including RSA integers themselves). To our knowledge, it is the first polynomial-time circuit to achieve sublinear qubit count for a classically-hard factoring problem; the circuit also achieves sublinear depth and nearly linear gate count. We build on the quantum algorithm for squarefree decomposition discovered by Li, Peng, Du and Suter (Nature Scientific Reports 2012), which relies on computing the Jacobi symbol in quantum superposition. Our circuit completely factors any number $N$, whose prime decomposition has distinct exponents, and finds at least one non-trivial factor if not all exponents are the same. In particular, to factor an $n$-bit integer $N=P^2 Q$ (with $P$ and $Q$ prime, and $Q<2^m$ for some $m$), our circuit uses $\tilde{O}(m)$ qubits and has depth at most $\tilde{O}(m + n/m)$, with $\tilde{O}(n)$ quantum gates. When $m=\Theta(n^a)$ with $2/3 < a < 1$, the space and depth are sublinear in $n$, yet no known classical algorithms exploit the relatively small size of $Q$ to run faster than general-purpose factoring algorithms. We thus believe that factoring such numbers has potential to be the most concretely efficient classically-verifiable proof of quantumness currently known. The technical core of our contribution is a new space-efficient and parallelizable quantum algorithm to compute the Jacobi symbol of $A$ mod $B$, in the regime where $B$ is classical and much larger than $A$. In the context of the larger Jacobi algorithm for factoring $N = P^2Q$, this reduces the overall qubit count to be roughly proportional to the length of $Q$, rather than the length of $N$. Finally, we note that our circuit for computing the Jacobi symbol generalizes to related problems, such as computing the GCD.

翻译：本文提出了一种用于分解一大类整数的紧凑型量子电路，这类整数包括一些经典计算难度预期与RSA相当（但不包括RSA整数本身）的数。据我们所知，这是首个针对经典困难分解问题实现亚线性量子比特数的多项式时间电路；该电路同时实现了亚线性深度与近线性门数。我们的工作建立在Li、Peng、Du和Suter（《自然·科学报告》2012年）发现的用于无平方因子分解的量子算法基础之上，该算法依赖于在量子叠加态中计算雅可比符号。我们的电路能够完全分解任何素数分解中指数互不相同的数N，并在并非所有指数相同时至少找到一个非平凡因子。具体而言，要分解一个n位整数N=P²Q（其中P和Q为素数，且对于某个m有Q<2ᵐ），我们的电路使用Õ(m)个量子比特，深度至多为Õ(m + n/m)，并具有Õ(n)个量子门。当m=Θ(nᵃ)且2/3 < a < 1时，空间和深度相对于n均为亚线性，然而目前尚无已知经典算法能利用Q相对较小的特性以比通用分解算法更快的速度运行。因此我们相信，分解此类数有望成为当前已知最具具体效率的、可经典验证的量子优越性证明。我们贡献的技术核心是一种新的空间高效且可并行化的量子算法，用于在B为经典数且远大于A的情形下计算A模B的雅可比符号。在用于分解N=P²Q的更大雅可比算法框架中，这将总量子比特数减少到大致与Q的长度成正比，而非与N的长度成正比。最后，我们指出计算雅可比符号的电路可推广至相关问题，例如计算最大公约数（GCD）。