#shor's algorithm

L'informatique quantique pourrait-elle faire tomber Bitcoin ?

L'informatique quantique pourrait bientôt faire vaciller la sécurité de Bitcoin et des systèmes cryptos sur lesquels repose notre monde.

A terrible pun for my man Friday through Thursday, that makes no fucking sense, but fuck it, you didn’t come to this blog to make sense.  I recently heard your usual NPR wank about quantum computers, saying one may soon be real.  That reminds me of all the brilliant idiots who don’t know the difference between quantum TMs and nondeterministic TMs.  (So called because they were trademarked by the famed Pokemon trainer Satoshi Turing.)  So let me be clear: a quantum computer, at least as the term is generally understood in academic circles would probably not be able to solve NP-complete problems efficiently.  (Of course, it’s not proven, since that would imply that an ordinary computer couldn’t solve NP-complete problems efficiently, and you may have heard about that little hurdle.)  In fact, it’s thought a nondeterministic machine can do things a quantum machine can’t.

So, first, what’s a quantum computer?  It might be quantum effects can do more (hell, ordinary IC gates already rely on quantum effects) or less (although it has been implemented successfully on small scales) than this, but it's a mathematical abstraction  It could be a QTM, but it’s easier to use the circuit model.  A circuit model is traditionally a bunch of and/or/not gates, but in this case the gates map all the possible probabilities of configurations to all the new ones.  From there, you can get probabilities that are entangled, which allows things that probably aren't possible with a probabilistic computer alone, chief among these being factorization.

Factorization's easy, obviously, if you have time to count up to the number's square root, but what about when you don't?  What if the time you have is proportional to the bits, or the bits squared, or to the sixth power, or whatever constant power?  There's certainly no known way, and may be demonstrably no way, to do it under a Turing-equivalent model.  (That is, no way to do it that quickly - obviously you can do it if you have time proportional to the square root of the number itself, just like with pen and paper.)

Basically, if it's not a power of a prime (it's pretty easy to check if something's a power of a prime - you just need the ceiling and floor of the roots up to root 2... that and primality testing, but that's not too hard - I think there's a less idiotic way, but I don't happen to know it), then there'll be a square root of 1 mod the input that's neither 1 nor -1.  So, for instance, for 21, there's 8.  (Basically, break it down into coprime factors and make it mod something of odd order to one and something of even order to the other to prove it - order is how many times you multiply it by itself to get 1.)  Once you have that, you'll always be one greater than a number with a common factor (in our case seven).  The trick is getting it.  You do that by taking Fourier transforms and spinning them around randomly, like tops.  Then you'll with a well-defined probability have what you need.