The current paper presents a new quantum algorithm for finding multicollisions, often denoted by ℓ-collisions, where an ℓ-collision for a function is a set of ℓ distinct inputs that are mapped by the function to the same value. In cryptology, it is important to study how many queries are required to find an ℓ-collision for a random function of which domain is larger than its range. However, the problem of finding ℓ-collisions for random functions has not received much attention in the quantum setting. The tight bound of quantum query complexity for finding a 2-collisions of a random function has been revealed to be $\mathrm{\Theta }(N^{1/3})$, where N is the size of the range of the function, but neither the lower nor upper bounds are known for general ℓ-collisions. The paper first integrates the results from existing research to derive several new observations, e.g., ℓ-collisions can be generated only with $O(N^{1/2})$ quantum queries for any integer constant ℓ. It then provides a quantum algorithm that finds an ℓ-collision for a random function with the average quantum query complexity of $O(N^{(2^{\ell -1}-1)/(2^{\ell }-1)})$, which matches the tight bound of $\mathrm{\Theta }(N^{1/3})$ for $\ell =2$ and improves upon the known bounds, including the above simple bound of $O(N^{1/2})$. More generally, the algorithm achieves the average quantum query complexity of $O(c_N\cdot N^{(2^{\ell -1}-1)/(2^{\ell }-1)})$, and runs over $\tilde{O}(c_N\cdot N^{(2^{\ell -1}-1)/(2^{\ell }-1)})$ qubits in $\tilde{O}(c_N\cdot N^{(2^{\ell -1}-1)/(2^{\ell }-1)})$ expected time for a random function $F:X\to Y$ such that $|X|\ge \ell \cdot |Y|/c_N$ for any $1\le c_N\in o(N^{1/(2^{\ell }-1)})$, where it is assumed that QRAM is available. With the same query complexity, it is actually able to find a multiclaw for random functions, which is harder to find than a multicollision.

当前提出了用于发现multicollisions，经常表示为一个新的量子算法ℓ -collisions，其中一个ℓ为函数-collision是一组ℓ了由功能映射到相同的值不同的输入。在密码学中，重要的是研究要为某个随机函数找到coll碰撞所需的查询数量，该function函数的域大于其范围。然而，找到的问题ℓ随机函数-collisions一直没有得到重视量子设置。已经发现寻找随机函数的2碰撞的量子查询复杂度的严格界限是$\mathrm{\Theta }（{ñ}^{\mathrm{1个}/3}）$，其中N是函数范围的大小，但是对于一般ℓ冲突，上下界都不是已知的。本文首先将现有研究的结果进行整合，以得出一些新的观察结果，例如，only-碰撞只能通过以下方式产生：$Ø（{ñ}^{\mathrm{1个}/2}）$量子查询为任何整数常量ℓ。然后，它提供了找到一个量子算法ℓ -collision用于与平均量子查询的复杂的随机函数$Ø（{ñ}^{（2^{\ell -\mathrm{1个}}-\mathrm{1个}）/（2^{\ell }-\mathrm{1个}）}）$，它与 $\mathrm{\Theta }（{ñ}^{\mathrm{1个}/3}）$ 对于 $\ell =2$ 并改进了已知范围，包括上述的简单范围 $Ø（{ñ}^{\mathrm{1个}/2}）$。更一般而言，该算法可实现平均量子查询复杂度为$Ø（C_{ñ}\cdot {ñ}^{（2^{\ell -\mathrm{1个}}-\mathrm{1个}）/（2^{\ell }-\mathrm{1个}）}）$，并跑过去 $\stackrel{〜}{Ø}（C_{ñ}\cdot {ñ}^{（2^{\ell -\mathrm{1个}}-\mathrm{1个}）/（2^{\ell }-\mathrm{1个}）}）$ 量子比特 $\stackrel{〜}{Ø}（C_{ñ}\cdot {ñ}^{（2^{\ell -\mathrm{1个}}-\mathrm{1个}）/（2^{\ell }-\mathrm{1个}）}）$ 随机函数的预期时间 $F：X\to ÿ$ 这样 $|X|\ge \ell \cdot |ÿ|/C_{ñ}$ 对于任何 $\mathrm{1个}\le C_{ñ}\in Ø（{ñ}^{\mathrm{1个}/（2^{\ell }-\mathrm{1个}）}）$，假设QRAM可用。在具有相同查询复杂度的情况下，它实际上能够为随机函数找到多爪，这比多碰撞更难找到。