Theoretical Computer Science ( IF 0.9 ) Pub Date : 2020-08-04 , DOI: 10.1016/j.tcs.2020.07.039 Akinori Hosoyamada , Yu Sasaki , Seiichiro Tani , Keita Xagawa
The current paper presents a new quantum algorithm for finding multicollisions, often denoted by ℓ-collisions, where an ℓ-collision for a function is a set of ℓ distinct inputs that are mapped by the function to the same value. In cryptology, it is important to study how many queries are required to find an ℓ-collision for a random function of which domain is larger than its range. However, the problem of finding ℓ-collisions for random functions has not received much attention in the quantum setting. The tight bound of quantum query complexity for finding a 2-collisions of a random function has been revealed to be , where N is the size of the range of the function, but neither the lower nor upper bounds are known for general ℓ-collisions. The paper first integrates the results from existing research to derive several new observations, e.g., ℓ-collisions can be generated only with quantum queries for any integer constant ℓ. It then provides a quantum algorithm that finds an ℓ-collision for a random function with the average quantum query complexity of , which matches the tight bound of for and improves upon the known bounds, including the above simple bound of . More generally, the algorithm achieves the average quantum query complexity of , and runs over qubits in expected time for a random function such that for any , where it is assumed that QRAM is available. With the same query complexity, it is actually able to find a multiclaw for random functions, which is harder to find than a multicollision.
中文翻译:
多碰撞问题的量子算法
当前提出了用于发现multicollisions,经常表示为一个新的量子算法ℓ -collisions,其中一个ℓ为函数-collision是一组ℓ了由功能映射到相同的值不同的输入。在密码学中,重要的是研究要为某个随机函数找到coll碰撞所需的查询数量,该function函数的域大于其范围。然而,找到的问题ℓ随机函数-collisions一直没有得到重视量子设置。已经发现寻找随机函数的2碰撞的量子查询复杂度的严格界限是,其中N是函数范围的大小,但是对于一般ℓ冲突,上下界都不是已知的。本文首先将现有研究的结果进行整合,以得出一些新的观察结果,例如,only-碰撞只能通过以下方式产生:量子查询为任何整数常量ℓ。然后,它提供了找到一个量子算法ℓ -collision用于与平均量子查询的复杂的随机函数,它与 对于 并改进了已知范围,包括上述的简单范围 。更一般而言,该算法可实现平均量子查询复杂度为,并跑过去 量子比特 随机函数的预期时间 这样 对于任何 ,假设QRAM可用。在具有相同查询复杂度的情况下,它实际上能够为随机函数找到多爪,这比多碰撞更难找到。