Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Verifiable Quantum Advantage via Optimized DQI Circuits

Tanuj Khattar, Noah Shutty, Craig Gidney, Adam Zalcman, Noureldin Yosri, Dmitri Maslov, Ryan Babbush, Stephen P. Jordan

TL;DR

The paper identifies Decoded Quantum Interferometry (DQI) applied to the Optimal Polynomial Intersection (OPI) problem as a landmark route to verifiable quantum advantage. It develops highly optimized, end-to-end reversible Reed-Solomon decoding integrated into DQI, introducing explicit and implicit Bézout coefficient strategies (including the Dialog representation) to minimize qubit footprint to $2nb+ ilde{O}( obreak \, obreak ceil{ obrace{n}})$ and dramatically reduce gate counts. Over GF$(2^b)$, the authors show that classically intractable OPI instances (e.g., >$10^{23}$ trials) can be solved with roughly $5.72 imes10^6$ Toffoli gates and a few thousand logical qubits, underscoring a substantial quantum advantage over RSA-like tasks. They further provide a near-term physical-cost blueprint with fault-tolerant lattice-surgery layouts, suggesting a runtime of ~1 hour on ~8e5 physical qubits under reasonable error assumptions. The work also analyzes classical hardening via Extended Prange-type attacks and develops a framework for asymptotically optimal quantum speedups, while outlining open questions and potential extensions to algebraic-geometry codes and improved constraint-encoders in DQI.

Abstract

Decoded Quantum Interferometry (DQI) provides a framework for superpolynomial quantum speedups by reducing certain optimization problems to reversible decoding tasks. We apply DQI to the Optimal Polynomial Intersection (OPI) problem, whose dual code is Reed-Solomon (RS). We establish that DQI for OPI is the first known candidate for verifiable quantum advantage with optimal asymptotic speedup: solving instances with classical hardness $O(2^N)$ requires only $\widetilde{O}(N)$ quantum gates, matching the theoretical lower bound. Realizing this speedup requires highly efficient reversible RS decoders. We introduce novel quantum circuits for the Extended Euclidean Algorithm, the decoder's bottleneck. Our techniques, including a new representation for implicit Bézout coefficient access, and optimized in-place architectures, reduce the leading-order space complexity to the theoretical minimum of $2nb$ qubits while significantly lowering gate counts. These improvements are broadly applicable, including to Shor's algorithm for the discrete logarithm. We analyze OPI over binary extension fields $GF(2^b)$, assess hardness against new classical attacks, and identify resilient instances. Our resource estimates show that classically intractable OPI instances (requiring $>10^{23}$ classical trials) can be solved with approximately 5.72 million Toffoli gates. This is substantially less than the count required for breaking RSA-2048, positioning DQI as a compelling candidate for practical, verifiable quantum advantage.

Verifiable Quantum Advantage via Optimized DQI Circuits

TL;DR

The paper identifies Decoded Quantum Interferometry (DQI) applied to the Optimal Polynomial Intersection (OPI) problem as a landmark route to verifiable quantum advantage. It develops highly optimized, end-to-end reversible Reed-Solomon decoding integrated into DQI, introducing explicit and implicit Bézout coefficient strategies (including the Dialog representation) to minimize qubit footprint to and dramatically reduce gate counts. Over GF, the authors show that classically intractable OPI instances (e.g., > trials) can be solved with roughly Toffoli gates and a few thousand logical qubits, underscoring a substantial quantum advantage over RSA-like tasks. They further provide a near-term physical-cost blueprint with fault-tolerant lattice-surgery layouts, suggesting a runtime of ~1 hour on ~8e5 physical qubits under reasonable error assumptions. The work also analyzes classical hardening via Extended Prange-type attacks and develops a framework for asymptotically optimal quantum speedups, while outlining open questions and potential extensions to algebraic-geometry codes and improved constraint-encoders in DQI.

Abstract

Decoded Quantum Interferometry (DQI) provides a framework for superpolynomial quantum speedups by reducing certain optimization problems to reversible decoding tasks. We apply DQI to the Optimal Polynomial Intersection (OPI) problem, whose dual code is Reed-Solomon (RS). We establish that DQI for OPI is the first known candidate for verifiable quantum advantage with optimal asymptotic speedup: solving instances with classical hardness requires only quantum gates, matching the theoretical lower bound. Realizing this speedup requires highly efficient reversible RS decoders. We introduce novel quantum circuits for the Extended Euclidean Algorithm, the decoder's bottleneck. Our techniques, including a new representation for implicit Bézout coefficient access, and optimized in-place architectures, reduce the leading-order space complexity to the theoretical minimum of qubits while significantly lowering gate counts. These improvements are broadly applicable, including to Shor's algorithm for the discrete logarithm. We analyze OPI over binary extension fields , assess hardness against new classical attacks, and identify resilient instances. Our resource estimates show that classically intractable OPI instances (requiring classical trials) can be solved with approximately 5.72 million Toffoli gates. This is substantially less than the count required for breaking RSA-2048, positioning DQI as a compelling candidate for practical, verifiable quantum advantage.

Paper Structure

This paper contains 43 sections, 24 theorems, 144 equations, 12 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Methods for Optimized Implementation
  3. The DQI Quantum Circuit: An Improved Construction for Qubit Efficiency
  4. Efficient Quantum Circuits for Extended Euclidean Algorithm
  5. Explicit versus Implicit Access to Bézout Coefficients
  6. Synchronized Reversible EEA for Explicit Bézout coefficients
  7. Dialog Representation for Implicit Bézout coefficients
  8. Optimal Polynomial Intersection (OPI) over binary extension fields
  9. Decoding Reed Solomon Codes using the Extended Euclidean Algorithm
  10. Solving the Key Equation:
  11. Chien Search and Forneys algorithm:
  12. Classical Attacks on OPI
  13. Optimizing Prange's Algorithm
  14. Extended Prange's Algorithm over Extension Fields
  15. Expectation-Optimal XP Allocation Strategies via Linear Programming
  16. ...and 28 more sections

Key Result

Theorem 1.0

There is an NP-search / optimization problem where the runtime of the best-known classical algorithm for the problem is $2^N$ and which can be solved with a circuit of $\widetilde{O}(N)$ quantum gates.

Figures (12)

  • Figure 1: Evolution of the state of the system for our improved construction of Zalka's reversible EEA kaye2004optimizedquantumimplementationellipticproos2004shorsdiscretelogarithmquantum with in-register quotient storage which deterministically reduces the qubit counts to $2nb + \mathcal{O}(\log{n})$. Step-0 shows the initial configuration of the system. Empty space corresponds to qubits in the $\ket{0}$ state. The direction of the arrow denotes the order in which the coefficients of the polynomials are stored, where the tip of the arrow stores the highest degree coefficients and the tail stores the lowest degree coefficient. At each step, three key invariants are satisfied - (a) $\deg(u_i) + \deg(r_i) \leq n$, (b) $\deg(r_{i}) < \deg(r_{i-1})$ and $\deg(u_{i}) > \deg(u_{i-1})$ and (c) $\deg(u_{i}) + \deg(r_{i-1}) = n$. Step-1 iteratively computes each term of the quotient $q_{i+1} = \lfloor r_{i-1} / r_{i} \rfloor$ where $\deg(q_{i + 1}) = \deg(r_{i - 1}) - \deg(r_{i}) = m - \deg(u_i) - \deg(r_{i})$, and thus the quotient is stored in-place within the shared register storing $u_{i}$ and $r_{i}$. Step-2 performs right shift until the leader order coefficient of $r_{i+1}$ is non-zero, such that at the end of step 2, the polynomial long division is finished and we have successfully computed both $r_{i+1}$ and $q_{i+1}$Step-3 iteratively right shifts $u_{i-1}$ until $\deg(u_{i-1}) = \deg(u_{i})$. Step-4 iteratively computes $u_{i+1} = u_{i - 1} - q_{i + 1} u_{i}$ by iteratively performing $u_{i - 1} = (u_{i} \times q_{i+1, j} - u_{i - 1})\times x$ for all $j \text{ in } [0, \dots, \deg(q_{i + 1})]$. The multiplication by $x$ corresponds to a right shift for $u_{i - 1}$. Step-5 Swaps the two registers and finishes one logical iteration of the EEA.
  • Figure 2: Spacetime layout for - a primitive for synthesizing linear reversible circuits. For GF2 arithmetic, field operations like multiplication by a constant polynomial and squaring reduce to maslov2025asymptotic.
  • Figure 3: Lattice surgery compilation for two Parity Control Toffoli gates using magic state cultivation. See gidney2025classicalquantumadderconstantworkspace and \ref{['sec:improved_gf2_arithmetic']} for more discussion on Parity Control Toffoli gates. Acts as a building block for compiling quantum-quantum multiplication () circuits for GF($2^b$).
  • Figure 4: Lattice Surgery diagram for compiling GF2 Multiplication () using Karatsuba algorithm by stacking the Parity Control Toffoli primitive from \ref{['fig:two_generalized_toffoli_pipes']}. In \ref{['sec:improved_gf2_arithmetic']}, we show how the Karatsuba algorithm for GF2 multiplication can be viewed entirely as a sequence of Parity Control Toffoli gates. For $b=10$, the we use the modified Karatsuba quantum circuit maslov2025asymptotic, which uses exactly $45$ (parity) Toffolis.
  • Figure 5: Mockup of a physical layout for $(m=4095, n=70, b=12, r=2016)$ OPI instance requiring $1885$ logical qubits and $5.72 \times 10^6$ Toffoli gates (see \ref{['tbl:resource_estimates']}). The blue region stores logical qubits in cold storage, where logical qubits are stored as densely as possible but are not operated upon. The orange region stores logical qubits in hot storage, where each logical qubit is stored "normally" using a surface code patch taking $2\times(d+1)^2$ physical qubits and is actively operated upon. For a logical error rate (LER) of $10^{-13}$, a $d=21$ surface code with $968$ physical qubits per logical qubit is used for hot storage and a 2D Yoked Surface Code gidney2025yoked with $350$ physical qubits per logical qubit is used for cold storage gidney2025factor2048bitrsa.
  • ...and 7 more figures

Theorems & Definitions (50)

  • Theorem 1.0
  • Definition 1.1: max-LINSAT jordan2024optimizationdecodedquantuminterferometry
  • Theorem 1.2: DQI Semicircle Law (Informal) jordan2024optimizationdecodedquantuminterferometry
  • Definition 1.3: Optimal Polynomial Intersection (OPI)
  • Definition 2.1: OPI over $\text{GF}(2^b)$
  • Lemma 3.1: Recursive Structure Formulas
  • proof
  • Remark 3.1
  • Lemma 3.2: Proxy expression for mixed recursive structure formulas with two terms
  • proof
  • ...and 40 more