Integer Factorization via Tensor Network Schnorr's Sieving

TL;DR

This work presents Tensor Network Schnorr’s Sieving (TNSS), a classical yet quantum-inspired approach that recasts RSA factorization as a lattice Closest Vector Problem and uses tree tensor networks to efficiently sample low-energy lattice configurations. By encoding rounding choices in a spin-glass Hamiltonian and employing TTN-based variational optimization plus OPES sampling, TNSS extracts smooth-relations and constructs a congruence $X^2 \equiv Y^2 \pmod{N}$ to factor $N$. In numerical experiments, TNSS factors random RSA semiprimes up to 100 bits (and explores up to 130-bit keys) with resources that appear polynomial in the key length within the simulated regime, though the dominant classical steps still outpace current cryptanalytic capabilities for large keys. The results suggest a promising classical, quantum-inspired framework for lattice-based cryptographic problems and underscore the urgency of post-quantum cryptography while illustrating limitations and scaling behaviors of the proposed method.

Abstract

Classical public-key cryptography standards rely on the Rivest-Shamir-Adleman (RSA) encryption protocol. The security of this protocol is based on the exponential computational complexity of the most efficient classical algorithms for factoring large semiprime numbers into their two prime components. Here, we address RSA factorization building on Schnorr's mathematical framework where factorization translates into a combinatorial optimization problem. We solve the optimization task via tensor network methods, a quantum-inspired classical numerical technique. This tensor network Schnorr's sieving algorithm displays numerical evidence of polynomial scaling of resources with the bit-length of the semiprime. We factorize RSA numbers up to 100 bits and assess how computational resources scale through numerical simulations up to 130 bits, encoding the optimization problem in quantum systems with up to 256 qubits. Only the high-order polynomial scaling of the required resources limits the factorization of larger numbers. Although these results do not currently undermine the security of the present communication infrastructure, they strongly highlight the urgency of implementing post-quantum cryptography or quantum key distribution.

Figures (9)

• Figure 1: Sketch of the tensor network Schnorr’s sieving (TNSS) algorithm. The factorization of the RSA number $N = p \cdot q$ into its prime components is mapped into an optimization problem on a lattice (Lattice problem mapping). This problem is initially approached by searching for approximate solutions to a series of $N$-related CVPs, each defined by a lattice-target pair $(\Lambda, \bm{t})$ in $n + 1$ dimensions schnorr2021_classicalSchnorr. A representative of the CVP set for the simplest case $n = 1$ is depicted. The lattice basis $\mathcal{B}$ contains only one vector $\bm{b}_1 \in \mathbb{Z}^{2}$, which generates the infinite discrete set of lattice points $\bm{b} \in \Lambda$ (black points). The blue point is the target point $\bm{t} \in \mathbb{Z}^2$ defining the CVP $(\Lambda, \bm{t})$. A single approximate solution $\bm{b}^{cl} \in \Lambda$ (orange point) to the CVP $(\Lambda, \bm{t})$ is provided by Babai’s classical algorithm babai1986_BabaiAlgorithm. To improve over the classical solution, we look for additional lattice points potentially encoding sr-pairs in the eigenstates of a spin glass Hamiltonian describing an $n$-qubit system (Spin glass mapping) yan2022_quantumSchnorr. The $2^n$ configurations correspond to the set of lattice points (light grey area) around Babai’s solution. The form of the Hamiltonian is defined in Eq. \ref{['eqn:cvp_hamiltonian']}. To compute the eigenstate of the spin glass Hamiltonian, we exploit TN methods (Tree Tensor Network sieving). By variationally minimizing the energy, we obtain a tree tensor network (TTN) state representing a superposition of low-energy eigenstates of $\mathcal{H}$silvi2019_anthology. Finally, we sample a sufficient number of classical eigenstate configurations and extract their probabilities ballarin2025_sampling. We discard all states violating the sr-pairs condition on the smoothness basis $\mathrm{P}_2$ (gray lattice points) and collect the sr-pairs (green lattice points) from each CVP. These pairs are then combined to compute the two prime components $p$ and $q$ of the input RSA number $N$ in the final processing step.
• Figure 2: Scaling of the relevant resources in the TNSS algorithm.(a) The rescaled average number of sr-pairs per lattice (AsrPL) $\rho_{sr}^{\text{eff}} = \rho_{sr} \mathbin{/} \ell^\gamma$ as a function of the effective bit-length $\ell_{\text{eff}} = \ell \mathbin{/} {n}^{1 \mathbin{/} {\omega}}$ of the input RSA number. The data are consistent with an exponential decay, see Eq. \ref{['eqn:sr_pairs_density_scaling']}, (dashed black line), characterized by fitted parameters $C_1 = 2.0 \pm 0.6$, $C_2 = 0.04 \pm 0.01$, and $\mu = 1.38 \pm 0.05$. The grey-shaded area around the dashed black line accounts for the uncertainty in the fitted parameters and corresponds to a $3\sigma$ confidence interval. Each data point is obtained by averaging $\rho_{sr}$ over $10$ random RSA keys. Each $\rho_{sr}$ is estimated using $n_{\mathrm{ CVP}} = 50$ lattices. (b) Scaling of the number of qubits --- see Eq. \ref{['eqn:n_qubits_scaling']} --- as a function of the bit-length $\ell$ and $\gamma$. The hyperparameter $\gamma$ tunes the number of samples extracted from each CVP Hamiltonian spectrum to achieve AsrPL $\rho_{sr} = 1$. The extrapolated number of qubits $n$ is required for factoring in a polynomial number of lattices within the $B_2 = 2 n \ell$ smoothness bound. Vertical dotted lines denote three RSA challenges kaliski2005_encyclopedia: RSA-250 ($829$ bits), marking the largest RSA key factorized to date boudot2020_RSA-250record, RSA-1024 and RSA-2048.
• Figure 3: Sampling smooth-relation pairs from a single lattice via tree tensor networks.(a)--(b) Lattice points sampled from a CVP Hamiltonian using the efficient TTN OPES method ballarin2025_sampling with bond dimension $m = 8$. The input RSA key has a bit-length of $\ell = 70$ (dashed black horizontal line), and the CVP problem is characterized by $n = 32$ qubits. The number of samples is approximately $70^3$. No-sr pairs are denoted by gray dots in (a), while green dots represent sr-pairs in (b). The x-axis indicates the square root of the energy of the extracted eigenstate, i.e., the Euclidean distance to the target $\Vert \bm{t} - \bm{b}_j \Vert$ of the pair $j$ identified with the lattice point $\bm{b}_j$. The y-axis represents the size of the sampled pair $\ell_j$ measured in bits. The measured average number of sr-pairs per lattice (AsrPL) on the chosen smoothness bound $\pi_2 = 2 n \ell = 4480$ is $\rho_{sr} = 432$. For both scatter plots, we also illustrate the probability distribution of the pairs with respect to their distance from the target (top panel) and their bit-length (right panel). (c) The probability of sampling the first $400$ pairs, ordered from most to least probable for both sr (green bars) and no-sr (gray bars). (d) The maximum values of the TTN bond dimension $m$ as a function of the number of qubits $n$. The data show the sublinear scaling with the number of qubits $m(n) \sim A {n}^\zeta$ with fitted parameters $A = 6.6 \pm 0.7$ and $\zeta = 0.42 \pm 0.02 \approx 2 \mathbin{/} 5$ (dashed dark blue curve).
• Figure 4: Scaling of the number of operations for the TNSS algorithm. Scaling of the number of operations as a function of the input size $\ell$ for the TNSS algorithm derived from the predicted scaling of the number of qubits in Eq. \ref{['eqn:n_qubits_scaling']} and Eq. \ref{['eqn:tnss_time_complexity']}. We set the average number of sr-pairs per lattice (AsrPL) in Eq. \ref{['eqn:n_qubits_scaling']} to $\rho_{sr} = 1$. Solid curves represent Babai’s contribution $\mathcal{T}_1$ (first term in Eq. \ref{['eqn:tnss_time_complexity']}), dashed curves the TTN sieving term $\mathcal{T}_2$ in Eq. \ref{['eqn:tnss_time_complexity']}, for various values of the hyperparameter $\gamma$. Vertical dotted lines denote three RSA challenges kaliski2005_encyclopedia: RSA-250 (829 bits) marking the largest RSA key factorized to date boudot2020_RSA-250record, RSA-1024, and RSA-2048. The leading contribution in the algorithm varies with the number of sampled pairs: below $\gamma = 8$, Babai’s algorithm prevails over the computation required for sampling lattice points in the range of currently relevant bit-lengths of $\ell \sim 10^3$. Within this range, the TN term $\mathcal{T}_2$ in Eq. \ref{['eqn:tnss_time_complexity']} becomes the leading one for $\gamma > 8$.
• Figure 5: Relation between bond dimension and sampling smooth-relation pairs from a single lattice via tree tensor networks. We plot both no-sr (gray points) and sr-pairs (green points) sampled from a lattice using the efficient TTN OPES method at different bond dimensions $m$ in the first row. The input RSA key has a bit-length of $\ell = 70$, and the CVP problem is characterized by $n = 32$. The number of samples is approximately $\ell^3 = 70^3$. The x-axis indicates the square root of the energy $\lVert\bm{t} - \bm{b}_j \rVert$ of the extracted eigenstate, i.e., the Euclidean distance to target $\bm{t}$ of the sampled pair identified with the lattice point $\bm{b}_j$. The y-axis represents the bit-length $\ell_j$ of the integer $u - vN$ associated with the sampled pair. Bond dimensions greater than $m = 8$ do not notably impact the sieving performance. Indeed, the average number of sr-pairs per lattice (AsrPL), i.e., the number of green points, is approximately $\rho_{sr} \approx 400$ for each bond dimension. The second row shows the corresponding sampling probability for the first $400$ no-sr and sr-pairs ordered by decreasing probability. The x-axis denotes the pair’s numbering index $j$, while the y-axis shows the probability of the associated bit-string (gray bars for no-sr pairs, green bars for sr-pairs).