Using Variational Quantum Algorithm to Solve the LWE Problem

The variational quantum algorithm (VQA) is a hybrid classical–quantum algorithm. It can actually run in an intermediate-scale quantum device where the number of available qubits is too limited to perform quantum error correction, so it is one of the most promising quantum algorithms in the noisy intermediate-scale quantum era. In this paper, two ideas for solving the learning with errors problem (LWE) using VQA are proposed. First, after reducing the LWE problem into the bounded distance decoding problem, the quantum approximation optimization algorithm (QAOA) is introduced to improve classical methods. Second, after the LWE problem is reduced into the unique shortest vector problem, the variational quantum eigensolver (VQE) is used to solve it, and the number of qubits required is calculated in detail. Small-scale experiments are carried out for the two LWE variational quantum algorithms, and the experiments show that VQA improves the quality of the classical solutions.


Introduction
Lattice theory is a classic subject in mathematical research, and it has critical applications in many fields such as the optimization problem and information coding. In 1996, Ajtai [1] proved that the worst-case hardness of the shortest vector problem (SVP) can be reduced to the hardness of SVP in a class of random lattices, thus providing provable security of lattice-based cryptosystems. Since then, various lattice-based cryptosystems are proposed, such as Ajtai-Dwork [2] and the Number Theory Research Unit [3].
In 2005, Regev proposed an encryption algorithm based on LWE [4]. Compared with previous lattice-based cryptosystems, the ciphertext size and key size of LWE-based cryptosystems are greatly reduced. Therefore, LWE began to be applied to many cryptographic primitives, such as Key-Dependent Message [5], Fully Homomorphic Encryption [6] and so forth. In July 2022, The National Institute of Standards and Technology completed the third round of the Post-Quantum Cryptography standardization process, and four candidate algorithms have been announced. Among them, the public-key encryption algorithm CRYSTALS-KYBER [7] and the digital signature algorithm CRYSTALS-Dilithium [8] are constructed based on the module-LWE problem. Therefore, analyzing LWE algorithms is important to the security of post-quantum cryptography.
The analysis methods of LWE can be classified into combinatorial methods, algebraic methods, lattice methods and the exhaustive search. The combinatorial method mainly refers to an extended application of the Gaussian elimination [9], but it requires a large number of samples. The algebraic method refers to the Arora-Ge algorithm [10], and the complexity is also exponential in the number of LWE dimensions. There are three main lattice methods: the dual method is used to attack decision-LWE instances by solving the short integer solution problem on the dual lattice [1]; the decoding method is used to directly solve the bounded distance decoding problem (BDD) on the original lattice [11,12]; Λ = L(b 1 , b 2 , . . . , b n ) = {α 1 b 1 + α 2 b 2 + . . . + α n b n |α 1 , α 2 , . . . , α n ∈ Z}.
In cryptography applications, the lattice dimension is n. Given a matrix A ∈ Z m * n q , the q-ary lattice refers to Λ q (A T ) = {x ∈ Z m |∃y ∈ Z n , s.t.x ≡ yA T modq}.
For a lattice L and its basis matrix B = [b 1 , b 2 , . . . , b n ], the volume of the lattice is vol(L) = det(B T B) and the fundamental domain is P 1/2 (B) = {∑ n i=1 α i b i |α i ∈ [− 1 2 , 1 2 ]}. The distance between L and vector v ∈ R m is dist(v, L) = min{ v − y |y ∈ L}. The i-th successive minima λ i (L) is the minimum radius of the ball centered at the origin, which contains i linearly independent vectors in the lattice. Let L be an n-dimensional lattice; then, the Gaussian heuristic states that λ 1 (L) ≈ n 2πe vol(L) 1/n . Definition 1. (Shortest vector problem, SVP) For a lattice L, the SVP problem asks to find a nonzero lattice vector v that minimizes the Euclidean nonzero norm v .

Definition 2.
(Closest vector problem, CVP) For a lattice L, given a target vector t ∈ R m that is not in L, the CVP problem asks to find a lattice vector v that minimizes the Euclidean norm v − t . Definition 3. (Unique shortest vector problem, Unique-SVP) For a lattice L satisfying λ 2 (L) > γλ 1 (L), where γ 1, the uSVP problem asks to find the shortest nonzero lattice vector.

Definition 4.
(Bounded distance decoding, BDD) For a target vector t ∈ R m that is not in the given lattice L, which satisfies dist(t, L) < γλ 1 (L), where γ < 1/2, the BDD problem asks to find a nonzero lattice vector v that minimizes the Euclidean norm v − t .
Algorithms for hard problems on lattices usually perform lattice basis reduction as a preprocessing module, because a sufficiently good basis improves the algorithms' success probability. The LLL (Lenstra-Lenstra-Lovász) algorithm [22] and the BKZ (block-Korkin-Zolotarev) algorithm [23] are two famous basis reduction algorithms.
Before introducing the LLL reduction algorithm, we first explain the Gram-Schmidt orthogonalization. With a lattice basis B = [b 1 , b 2 , . . . , b n ], one can calculate its Gram-Schmidt The LLL algorithm was proposed in 1982, and the formal description of LLL reduction is detailed as shown in Algorithm 1.
The BKZ algorithm is derived from the KZ (Korkine-Zolotarev) reduction. BKZ uses the block reduction to improve the LLL algorithm and outputs an (δ, β)-BKZ reduced basis. To be specific, the BKZ algorithm runs the enumeration algorithm on the sub-lattice with block size β and obtains its shortest vector. After inserting the shortest vector into the original basis, LLL reduction with parameter δ is applied on the entire basis to remove the linear dependency. BKZ performs the above steps iteratively until the basis is no longer updated.

The LWE Problem
Definition 5. (Learning with errors distribution) Let n, q > 0 be integers, and α ∈ {0, 1}. Let s ∈ Z n q be a secret vector. The LWE distribution χ s,α refers to (a, a, s + e) ∈ Z n q × Z q , where a ∈ Z n q is uniformly selected randomly and e is a discrete Gaussian error with standard deviation αq.

Definition 6.
(Learning with errors problem) Let n, m, q > 0 be integers, α > 0. Given m samples (a i , a i , s + e i ), i = 1, 2, . . . , m, the search-LWE problem asks to recover the secret vector s ∈ Z n q , and the decision-LWE problem asks to determine whether the samples are sampled according to χ s,α or the uniform distribution. Now, we review some lattice-based methods for analyzing the LWE problem. In general, the decision-LWE can be solved by the short integer solution strategy, and the search-LWE can be attacked by the BDD strategy or the inhomogeneous short integer solution strategy. Now, we mainly describe the decoding method and the primal method in the BDD strategy.
The LWE problem can be written in a matrix form c = As + emodq. Given q ∈ Z, c ∈ Z m q , A = [a 1 , . . . , a m ] T ∈ Z m×n q , the problem recovers s. The basic idea of the decoding method is to regard c as the target vector and then use the Nearest Plane algorithm to find the closest vector in Λ q (A). Assuming the basis of Λ q (A) is B, before applying the Babai's Nearest Plane algorithm, B should be preprocessed to a Gram-Schmidt basis B * . The strategy outputs s if and only if e lies in s + P 1/2 (B * ), which is determined by the quality of the basis. Lindner and Peikert improved Babai's algorithm by admitting a time/success trade-off. To be specific, in each iteration, the Lindner-Peikert Nearest Plane algorithm chooses several close hyperplanes instead of only the closest hyperplane. The idea stretches P 1/2 (B * ) to a cube-like shape and amplifies the success probability.
The primal method is to solve LWE by reducing BDD to the Unique-SVP problem using an embedding technique. The embedding method is to construct a (m + 1)-dimensional lattice B = B c 0 t . Obviously, the short vector [−e, t] ∈ Z m+1 q is in B . Therefore, solving the Unique-SVP instance recovers the error vector and the secret vector in passing.

Variational Quantum Algorithm
VQA is a quantum-classical hybrid algorithm that is considered to be implemented on NISQ devices. Therefore, VQA is expected to demonstrate quantum advantages over classical computers when solving some specific problems. The workflow of VQA is shown in Algorithm 2. There are four important modules in VQA [24,25]: the objective function refers to the cost function that needs to be minimized; the parameterized quantum circuit refers to a set of unitary operators that manipulate parameters in the optimization process; the measurement scheme calculates the expectation value; the classical optimizer outputs the parameters that minimize the objective function.
First, VQA encodes the problem into an objective function O. Let the probability of measuring qubit q in state |0 be p q ; then, the objective function of VQA can be expressed as min θ O(θ, {p(θ)}).
Because it is inconvenient to obtain the function value directly by the measurement probability, the expectation value of a Hamiltonian is introduced, and constructing the objective function is equivalent to constructing its corresponding Hamiltonian. The Hamiltonian is a quantum operator that encodes the information of a physical system. Its expectation value corresponds to the energy of a quantum state. The ground state of the Hamiltonian is often used as the minimization target of a VQA problem. In practice, the expectation value is used to describe the measurement results of the quantum state produced by U(θ). Therefore, the objective function is If the objective function is defined more compactly, it can be described as min θ H U(θ) . The objective functions or cost functions constructed in this paper are all in the compact form.
Second, parameterized quantum circuits are a set of unitary operations that depend on parameters. The parameterized quantum circuit acting on quantum state |ψ 0 can be expressed as where θ are variational parameters. Most ansatz U can be classified as problem-inspired or hardware-efficient. The construction of problem-inspired ansatz requires the information of specific problems. For example, the united coupled cluster ansatz in quantum chemistry is constructed by a parameterized cluster operator T(θ) and acts on the ground state |ψ HF in the way of |ψ(θ) = e T(θ)−T † (θ) |ψ HF . Ansatz in the QAOA algorithm is also problem-inspired, and its construction is shown in Section 3. Hardware-efficient ansatz is usually expressed as Third, in order to obtain the information of quantum state, we need to measure it in the computational basis and calculate the expectation value of the objective function. The expectation value of the operator σ z can be obtained by σ z = ψ|σ z |ψ = |α| 2 − |β| 2 , where |α| 2 and |β| 2 are the probabilities to measure |ψ in state |0 and |1 . The measurement defined by σ x and σ y is first transformed into the basis of σ z by σ x = R † y (π/2)σ z R y (π/2), σ y = R † x (π/2)σ z R x (π/2) and then measured on a σ z basis. Any Pauli string is measured in the same way, except that it is measured on each qubit separately.
QAOA and VQE are two quantum variational algorithms, so they can be used to solve optimization problems. Since a quantum circuit is equivalent to a tensor product, it can be represented on a classical computer, and the expectation value of the cost function can be calculated, but the memory it consumes grows exponentially with the size of the problem. For a quantum computer, repeating the preparation of ansatz state and the quantum measurements, the expectation can be obtained. The quantum resources it consumes increase polynomially with the scale of the problem, thus showing its superiority over classical algorithms.

The Decoding Method for Solving LWE
This section applies the decoding method to solve LWE. When solving BDD, we use QAOA to improve Babai's Nearest Plane algorithm.
First, construct a q-ary lattice Λ q (A) = {v ∈ Z m q |∃x ∈ Z n , s.t.v ≡ Axmodq}, whose lattice basis is equivalent to B = [A|qI m ] T ∈ Z (m+n)×m . Second, perform elementary row transformations on B and obtain a basis matrix [b 1 , . . . , b m ] T ∈ Z m×m . Third, solve CVP with the target vector c, and finally output the closest vector w. The last step is to use the Gaussian elimination to recover s = A −1 w. Now, introduce the application of QAOA when improving Babai's Nearest Plane algorithm. Babai's Nearest Plane algorithm consists of two steps: first, perform the LLL reduction on the input lattice basis, and then find the linear combination in the reduced basis so that it forms the closest lattice vector to the given target vector. The formal description is detailed as Algorithm 3.
In the loop, only takes one value by the "round to the nearest integer" function. Through experiments, it is found that when the value range is expanded to {u j + x|x = 0, 1, −1}, a better solution is often obtained. In a classical algorithm, the process requires an exponential increase in computation with respect to the lattice dimension n. In quantum computing, due to quantum properties, the computing complexity can be greatly reduced. Therefore, we now introduce the method of encoding the random floating in u j in two qubits and solving the optimization problem by QAOA.

Input: lattice basis
1: Perform the LLL reduction on B with parameter δ = 3/4. 2: Use the Gram-Schmidt orthogonalization on the reduced basis and obtain First, apply Babai's Nearest Plane algorithm to calculate the classical optimal solution, that is, the shortest distance vector . Then, the result is improved by QAOA. Let the LLL-reduced basis in Babai's algorithm be D = [d 1 , d 2 , . . . , d m ], and construct the optimization function , which is a quantum operator encoded in the Pauli-Z basis. The eigenvalues of operatorx i are −1, 0, 1, which exactly encodes the value of the variable x i . Therefore, the corresponding problem Hamiltonian is Obviously, for an m-dimensional lattice, the number of qubits required to optimize Babai's algorithm is 2m.
To solve the problem, it is necessary to introduce a mixing Hamiltonian i is the Pauli-X operator acting on the ith bit. The quantum circuit of QAOA is defined by the problem Hamiltonian H C , the mixing Hamiltonian H M and parameters (γ, β). For D-layer QAOA circuits, there are usually 2D variational parameters. The process of using QAOA to solve the optimization problem is shown in Figure 1, and the algorithm description is shown in Algorithm 4.  (γ, β) to a classical optimizer. Update the parameters (γ, β). 6: Repeat Steps 2-5 until the result meets a fixed threshold and the parameters are updated to (γ * , β * ). 7: return |Ψ C = |Ψ(γ * , β * ) Now, we explain the steps in Algorithm 4.
Step 1 performs H ⊗m on |0 ⊗m , and we obtain |+ ⊗m , which is an eigenvector of the Pauli-X operator.
Step 2 applies operators e −iγ k H C and e −iβ k H M , k = 1, 2, . . . , D, alternately. So, we generate a variational wave function The wave function has 2D parameters {γ 1 , . . . , γ D , β 1 , . . . , β D }. The expectation value means which can be obtained by repeatedly preparing |Ψ(γ, β) on the quantum processor and measuring it on a computational basis. Then, the classical computer performs classical optimization algorithms to find the optimal parameter. For example, the optimizers use the gradient descent algorithm to minimize the cost function in an iterative manner. The method calculates the first-order derivative of the function to compute the gradient. Then, it moves in the negative direction of the gradient. The termination condition of the gradient descent method is that the slope of the gradient is below a very small threshold. In the actual experiment, the algorithm is terminated by setting the empirical number of iterations. In fact, classical optimization problems are often mapped to a simple Hamiltonian, which is diagonal in the computational basis. However, it does not mean that the problem is easy to solve or does not require a quantum solver. First, for example, Max-Cut is a classical NP-hard problem, and the design of MaxCut problem Hamiltonian is [16]. In computational complexity theory, P is a set of relatively easy problems, and NP indicates hard problems. If MaxCut can be solved by classical computers easily, then P = NP, which completely overturns the theoretical basis of a range of fields. Second, processing classical optimization by QAOA usually requires a mixing Hamiltonian consisting of σ x or σ y , so quantum computers still work when solving classical optimization problems.

The Primal Method for Solving LWE
In this section, we propose a quantum primal method for solving LWE, where the Unique-SVP problem is solved by VQE. Although the quantum advantage of solving classical optimization by VQE is not as obvious as it is in quantum chemistry, understanding the evolution of the algorithm process is still crucial for improving algorithms running on classical hardware. We detail the number of qubits required and estimate the quantum resources when attacking the KYBER cryptosystem. With the development of quantum computers, resource estimation can also be used as a direction for comparison with pure classical algorithms.

LWE Algorithm
Algotithm 5 shows the procedure of the LWE algorithm.

Algorithm 5 The LWE algorithm.
Input: LWE samples (A, c = As + e) ∈ Z m×n q × Z m q Output: secret vector s ∈ Z n q 1: Construct a q-ary lattice Λ q (A) = {v ∈ Z m q |∃x ∈ Z n , s.t.v ≡ Axmodq}, whose lattice basis is equivalent to B = [A|qI m ] T ∈ Z (m+n)×m . 2: Perform elementary row transformations on B and obtain the lattice basis 3: Using Kannan's embedding technique, reduce BDD to Unique-SVP and obtain Step 3 expands the q-ary basis by one dimension and embeds the target vector c and the embedding factor M into matrix B 2 . When M = e , there exists (e, −M) ∈ L(B 2 ) [26]. In this case, proposing the first m bits of the vector recovers e. In the experiment, we generally take M = 1.
Unique-SVP can be seen as a special case of SVP, and step 4 in Algorithm 5 solves SVP by VQE. The detailed description is shown in Algorithm 6. The VQE procedure is visualized in Figure 2. Now, we explain the steps in Algorithm 6 in detail. In step 1, the larger the lattice size, the more quantum resources it occupies. In order to reduce the required qubits, a new basis matrix is first obtained by performing the BKZ reduction. Step 2 constructs the problem Hamiltonian. For Lattice B, SVP is to find a nonzero vector x satisfying min x∈L(B) x . Let the row vector of coefficients be z and z = 0; then, we have x = zB. Let G = BB T ; then, we have x 2 = zBB T z T = zGz T . According to Algorithm 5, the dimension of the lattice is m = m + 1. So, the SVP problem is equivalent to Before mapping the SVP problem into a Hamiltonian, we first introduce the method of reducing numbers in the integer interval [−d, d] to a Boolean variable polynomial. Let t = logd , introducing t + 1 Boolean variables β 0 , β 1 , β 2 , . . . , β t ; the number in the interval can be expressed as ∑ t−1 In the above formula, it is required to find the parameter vector β = (β 10 , . . . , β 1t 1 , . . . , β m 0 , . . . , β m t m ) (5) to minimize the function Encoding the cost function into a Hamiltonian requires a mapping β ij → (1 − γ ij )/2, where γ ij ∈ {−1, 1}. Then, substitute γ ij → σ z ij and 1 → I ij to obtain the problem Hamiltonian where ij, kl ∈ {10, . . . , 1t 1 , m 0, . . . , m t m } and σ z i is the Pauli-Z operator acting on the ith bit. The Hamiltonian acts on a Hilbert space spanned by QNum qubits, and it can also be written as a sum over many local interactions.
To find the ground state of H, step 3 generates a hardware-efficient trial wavefunction, which is more suitable for available quantum devices [27]. Let |Ψ(θ) = (U(θ)U ENT ) D |Ψ 0 and the reference state is set to |00..0 . U(θ) are a group of single-qubit rotations determined by rotation angles θ. U ENT are entangling drift operations generating sufficient entanglement. D defines the level of the quantum circuit. Obviously, with the increase of D, the convergence speed increases, but the fidelity decreases.
Step 4 calculates C(θ) = Ψ(θ)|H|Ψ(θ) . Each iteration requires measuring N times and the cost obtained for the i-th time is C i . Then, the expectation value is If the Hilbert space is too large, because the interaction is local, the Hamiltonian can be split into a summation over many terms. The expectation calculations for one term are relatively simple, and we can speed up the computation by parallelizing the quantum expectation-value estimation algorithm [28]. After calculating the expectation of each item on the quantum processor, multiply it by the weight and sum on the classical processor to obtain the final expectation value.
However, the shortest vector is 0 in this algorithm, so the restriction x = 0 needs to be added. The idea is to increase C when appearing as 0. We assume that among the N measurements, there are N 0 results that are not 0, Obviously, the larger the N 0 , the smaller the C.
Step 5 uses the classical optimization algorithm to update θ until the expectation value converges and the process is similar to QAOA.
We give a toy example to illustrate the process on the quantum processor. For a more convenient description, the LWE dimension is further limited, and the example also supports simple experiments on the IBM quantum system. Let q = 3.n = 1, m = 2. The samples are s + e 1 = 1mod3, 2s + e 2 = 2mod3. The LLL-reduced matrix after Kannan's embedding is  To simplify the model, suppose z i , i = 1, 2, 3, are already Boolean variables. Then, the SVP problem can be reduced into finding the minimum value of C = z 1 + 2z 2 + 5z 3 + 2z 2 z 3 . The problem Hamilton is Now, construct a hardware-efficient Ansatz consisting of several parameterized singlequbit rotation operations and controlled-NOT gates. Using the parameterized circuit shown in Figure 3, any 3-qubit quantum state |Ψ(θ) can be prepared, and different quantum states can be output by adjusting the six parameters. After preparing the ansatz state and measuring it repeatedly, we calculate the expectation value. Then, we perform the optimization process on the classical processor. Iterate the above process, and finally, the parameters corresponding to the optimal result are (0, π, 0, 0, 0, π) and [z 1 , z 2 , z 3 ] = [1, 0, 0]. So, [e 1 , e 2 ] = [0, 0], s = 1.

Algorithm Analysis
First, we analyze the range of d i in the restriction condition |z i | < d i , i = 1, 2, . . . , m .
where δ( B)). For a KZ-reduced matrix B, its orthogonality defect satisfies [29] Substituting into Equation (8), we have Therefore, the maximum number of qubits is O(m logm ). Now, we review the value of d i , i = 1, 2, . . . , m when using VQE for enumeration. In practice, each z i is represented by QNum/m qubits and the range of In Kannan's embedding, the lattice dimension is m + 1, where m is the sample number. In most cases, an LWE-based scheme produces only m = poly(n) LWE samples (and the polynomial bound can be as small as m = Θ(n)). In the LWE-based cryptosystem proposed in paper [12], m = nlg(q)/lg(δ) and δ here means the root-Hermite factor. The theoretical worst-case reduction for LWE requires αq ≥ 2 √ n [4], so we set αq = 2 √ n. Now, we analyze the average number of qubits required, and its LWE parameters are shown in Table 1. There are 4 groups of parameters in the table. For each group, 10 experiments are performed, and the average value of the cost function C is obtained. Finally, we calculate the average number of qubits required, and the result is illustrated in Figure 4. The four curves with different colors represent that the preprocessing method for the lattice basis is LLL, BKZ-20, BKZ-40 and BKZ-80, respectively. By the regression analysis, taking BKZ-20 as an example, we have QNum = 92.54nlogn − 612.27n + 1343.8logn − 1234.37.
For example, for a 40-dimensional LWE problem, the maximum number of qubits required is 1126, which is a scale that is considered achievable in the near future. With the further development of quantum computers, LWE with larger dimensions can also be solved successively.

Attacks on Existing Cryptosystems
In this section, we calculate the number of qubits required for a VQE attack on the KYBER cryptosystem. KYBER is a key encapsulation mechanism based on the module-LWE problem, which means it is based on Ring R = Z[X]/(X 256 + 1). KYBER has three modes to satisfy 128/192/256-bit security, respectively. The parameters are listed in Table 2. In the table, n, k, q represents the maximum degree of polynomial, the number of polynomials in each vector and the modulus. The most famous attack on the MLWE problem does not utilize the special structure of a lattice, so we still analyze it as an LWE problem. Paper [7] mentioned that the number of samples is between 0 and (k + 1)n. To analyze the worst case, let m = (k + 1)n. Therefore, in the primal attack, the lattice dimension d = m + 1 = (k + 1)n + 1. Using the conclusion in Section 4.2, for the above three parameter settings, the required maximum qubits are 13,768, 19,538, and 25,482, respectively. Although the quantum computers made at this stage are all NISQ devices, after IBM launched the 127-QubitEagle processor in 2021, it plans to launch the 1121-QubitCondor processor in 2023. At the same time, the IBM team also fully considered the future millionqubit system when designing the world's largest dilution refrigerator "Goldeneye", which is an important part of the IBM's roadmap for scaling quantum technology.

Using QAOA Algorithm to Improve the Decoding Method
In this section, we discuss the quantum advantage of the algorithm introduced in Section 3. Since it is difficult to estimate the computing complexity of QAOA, the QAOA process is regarded as a black box; that is, it is assumed that QAOA returns the solution to the optimization problem in a limited time. Now, without considering the actual complexity of QAOA, we only analyze the results of the algorithm through small-scale experiments.
The LWE instance is (A, c = As + e) ∈ Z m×n q × Z m q . Thus, after reducing to the BDD problem, the target vector is c. Algorithm 3 outputs a classical closest vector w, and the error vector can be obtained by e = c − w. Then, Algorithm 4 updates vectors w and e by QAOA. The result quality r = e , which means the norm of the error vector. It is obvious that the smaller the r, the higher the quality.
Taking the dimension of the secret vector as n = 3 and n = 5, the experiment generates 50 groups of random LWE samples, respectively. Each group forms an LWE instance. For each instance, after obtaining the closest vector by Babai's algorithm and calculating the result quality r, we use QAOA for optimization to obtain a new approximate closest vector and calculate the quality. Figure 5 shows the comparison of r between classical solutions and solutions after quantum optimization when n = 3, and Figure 6 illustrates the comparison when n = 5.  In Figures 5 and 6, the horizontal axis represents 50 groups of random samples, and the vertical axis represents the result quality r. The red columns represent the results of the classical Babai's algorithm, and the blue columns represent the results after quantum optimization. According to the definition r = e , a smaller r indicates a closer vector and higher quality. As evident in the figures, quantum results have higher quality than classical results in many cases, while in other cases, the results are the same. Therefore, the conclusion that can be drawn from the experiment is that quantum results obtained by QAOA are no worse than their classical counterparts.

Using VQE Algorithm to Realize the Primal Method
In this section, we present the experiments of solving LWE by the primal method. When quantum simulation is performed in a classical computer, the underlying quantum simulation uses QuSET [30], and the front-end interface to implement the algorithm uses C++. In the experiment, better results can be obtained by using the Conditional Vale at Risk (CVaR) method [31]. Specifically, assuming C 1 , C 2 , . . . C n are sorted in non-decreasing order and in each loop, Paper [21] proposes that p = 0.175 gives better results.
On the simulation platform, due to memory constraints, the maximum lattice dimension does not exceed 30, which means the LWE dimension n is much smaller than 30. If the input lattice matrix already contains the shortest vector, since the initial parameters of VQE are random and the algorithm still outputs the shortest vector after several iterations, it verifies the correctness of the algorithm. Therefore, when the VQE input is the reduced basis or the shortest vector can be obtained by simple vector addition or subtraction of the input matrix, the solution obtained by VQE is the same as that of the classical algorithm.
When the input is an arbitrary basis, the actual experimental results of the VQE are of poorer quality. The reason is that the simulation platform occupies classical memory, and the qubits for representing entries of the coefficient vector are limited. So, the correct coefficient vector cannot be accurately obtained. As the number of available qubits increases in the future, its coefficient representation will become more and more accurate, and the solution quality of the VQE algorithm will be better.

Discussion and Conclusions
VQA uses a classical optimizer to train parameterized quantum circuits, and it is one of the most promising quantum algorithms to achieve quantum supremacy. When researchers envision applications for quantum computers, it is almost impossible to bypass VQA algorithms. In this paper, we first present two LWE attacking tools, using QAOA to improve Babai's algorithm when solving BDD and utilizing VQE to solve Unique-SVP. The two algorithms combine classical optimization techniques and variational quantum techniques, providing ideas for solving LWE when the quantum resources are limited. Second, we estimate the number of qubits required for both algorithms. Third, for the two algorithms, experimental simulations are carried out, respectively. The experimental results show that for the first algorithm, QAOA improves the result quality of classical algorithms, and for the second algorithm, when the memory is large enough, the quality of quantum solutions is at least comparable to that of the classical solutions. How to further reduce the number of qubits by using the structure of the modular lattice is the direction that needs to be studied in the future.

Data Availability Statement:
The data presented in this study are available within the article.

Conflicts of Interest:
The authors declare no conflict of interest.