Quantum Multicollision-Finding Algorithm

Transcription

1 Quantum Muticoision-Finding Agorithm Akinori Hosoyamada 1, Yu Sasaki 1, and Keita Xagawa 1 NTT Secure Patform Laboratories, , Midori-cho Musashino-shi, Tokyo , Japan. {hosoyamada.akinori,sasaki.yu,xagawa.keita}@ab.ntt.co.jp Abstract. The current paper presents a new quantum agorithm for finding muticoisions, often denoted by -coisions, where an -coision for a function is a set of distinct inputs having the same output vaue. Athough it is fundamenta in cryptography, the probem of finding muticoisions has not received much attention in a quantum setting. The tight bound of quantum query compexity for finding 2-coisions of random functions has been reveaed to be Θ(N 1/3 ), where N is the size of a codomain. However, neither the ower nor upper bound is known for -coisions. The paper first integrates the resuts from existing research to derive severa new observations, e.g. -coisions can be generated ony with O(N 1/2 ) quantum queries for a sma constant. Then a new quantum agorithm is proposed, which finds an -coision of any function that has a domain size times arger than the codomain size. A rigorous ( proof is given ) to guarantee that the expected number of quantum queries is O N (3 1 1)/(2 3 1 ) for a sma constant, which matches the tight bound of Θ(N 1/3 ) for = 2 and improves the known bounds, say, the above simpe bound of O(N 1/2 ). keywords: post-quantum cryptography, muticoision, quantum agorithm, Grover, BHT, rigorous compexity evauation, state-of-art 1 Introduction Finding coisions or muticoisions is a fundamenta probem in theoretica computer sciences and one of the most critica probems especiay in cryptography. For given finite sets X and Y with Y = N, and a function H : X Y, an -coision finding probem is to find a set of distinct inputs x 1,..., x such that H(x 1 ) = = H(x ). Both upper and ower bounds of query and time compexity of the -coision finding probem are fundamenta and have severa appications in cryptography. Appications of muticoisions. We often use the ower bound of query compexity (or the upper bound of the success probabiity) to prove the security of cryptographic schemes. Let us consider a cryptographic scheme based on Pseudo-Random Functions (PRFs). In the security proof, we repace the PRFs with truy random functions (or random oraces) and show the security of the scheme with the random oraces by information-theoretic arguments. In the atter security arguments, we often use the ower bound of queries for finding muticoisions of random functions. For exampe, Chang

2 and Nandi [CN08] proved the indifferentiabiity of the chopmd hash function construction; Jaumes, Joux, and Vaette [JJV02] proved the indistinguishabiity of RMAC; Hirose et a. [HIK + 10] proved the indifferentiabiity of the ISO standard ightweight hash function Lesamnta-LW; Naito and Ohta [NO14] improved the indifferentiabiity of PHOTON and Parazoa hash functions; and Javanovic, Luykx, and Mennink [JLM14] greaty improved the security ower bounds of authenticated-encryption mode of Keyed- Sponge. The upper bound of the probabiity to obtain muticoisions after q queries pays an important roe in their proofs. In addition, studying and improving the upper bound for the -coision finding probem aso hep our understanding, which often eads to the compexity of generic attacks. For exampe, -coisions are expoited in the coision attack on the MDC-2 hash function construction by Knudsen et a. [KMRT09], the preimage attack on the JH hash function by Mende and Thomsen [MT08], the interna state recovery attack on HMAC by Naito et a. [NSWY13], the key recovery attack on iterated Even-Mansour by Dinur et a. [DDKS14], and the key recovery attack on LED bock cipher by Nikoić, Wang, and Wu [NWW13]. Furthermore, muticoisions aso have appications in protocos. An interesting exampe is a micro-payment scheme, MicroMint [RS96]. Here, a coin is a bit-string the vaidity of which can be easiy checked but hard to produce. In MicroMint, coins are 4-coisions of a function. If 4-coisions can be produced quicky, a maicious user can counterfeit coins. Existing resuts for muticoisions in cassica setting. The probem of finding (muti- )coisions has been extensivey discussed in the cassica setting. Suppose that we can access the function H in the cassica query; that is, we can send x X to the orace H and obtain y Y as H(x). For a random function H, making q queries to H can find the coision of H with probabiity at most q 2 /N. The birthday bound shows when q N 1/2, we obtain a coision with probabiity 1/2. This can be extended to the -coision case. Suzuki, Tonien, Kurosawa, and Toyota [STKT08] showed that with N ( 1)/ queries the probabiity of finding an -coision is upper bounded by 1/! and ower bounded by 1/! 1/2(!) 2, which shows that the query compexity can be approximated to N ( 1)/ for a sma constant. To be more precise, it is shown that O ( (!) 1/ N ( 1)/) evauations of the function H finds an -coision with probabiity about 1/2 if H : X Y is a random function. The above argument ony focuses on the number of queries. To impement the - coision finding agorithm, the computationa cost, T, and the memory amount, S, or their tradeoff shoud be considered. The simpe method needs to store a the resuts of the queries. Hence, it requires T = S = N 1/2 for coisions and T = S = O(N ( 1)/ ) for -coisions. The coision finding agorithm can be made memoryess by using Foyd s cyce detecting agorithm [Fo67]. However, no such memoryess agorithm is known for -coisions, thus the researcher s goa is to achieve better compexity with respect to T S or to trade T and S for a given T S. An -coision can be found with T = N and S = O(1) by running a brute-force preimage attack times for a fixed target. Athough this method achieves better T S than the simpe method, it cannot trade T for S. Joux and Lucks [JL09] discovered 2

3 the 3-coision finding agorithm with T = N 1 α and S = N α for α < 1/3 by using the parae coision search technique. Nikoić and Sasaki [NS16] achieved the same compexity as Joux and Lucks by using an unbaanced meet-in-the-midde attack. 1.1 Coisions and Muticoisions in Quantum Setting Agorithmic speedup using quantum computers has been activey discussed recenty. For exampe, Grover s semina resut [Gro96] attracted cryptographers attention because of the quantum speedup of database search. Given a function F : X {0, 1} such that there exists a unique x 0 X that satisfies F(x 0 ) = 1, Grover s agorithm finds x 0 in O ( X 1/2) queries. This paper discusses the compexity of quantum agorithms in the quantum query mode. In this mode, a function H is given as a back box, and the compexity of quantum agorithms is measured as the number of quantum queries to H. A quantum query mode is widey adopted, and previous studies on finding coisions in the quantum setting foow this mode [BHT97,Amb07,Be12,Yue14,Zha15]. Previous research on finding coisions and muticoisions can be cassified with respect to two types of dichotomies. Domain size and codomain size. The domain size and codomain size of the function H : X Y is a sensitive probem for quantum agorithms. Some quantum agorithms aim to find coisions and muticoisions of H with X Y, whie others target H with X < Y. The former agorithms can be directy appied to find coisions and muticoisions of rea hash functions such as SHA-3. The atter ones mainy target database search rather than hash functions. The (muti-)coision search on database can sti be converted for hash functions, but it generay requires a huge compexity increase. (On the other hand, the (muti-)coision search for hash functions with X Y cannot be converted for a database with X < Y.) Hereafter, we use H and D to denote the cases with X Y and X < Y, respectivey. We note that our goa is finding a new muticoision agorithm that can be appied to rea hash functions, namey the H setting. Random function and any function. Both in cassica and quantum settings, existing agorithms often assume randomness: they can find coisions ony on average when H is chosen uniformy at random from Map(X, Y ) := { f f : X Y }. If an agorithm finds coisions of any function H Map(X, Y ), it aso finds coisions of randomy chosen functions. Hence agorithms appied to any function are stronger than ones ony appied to a random function. Hereafter, we use Rnd and Arb to denote the cases in which H is chosen uniformy at random and H is chosen arbitrariy, respectivey. We note that the Rnd setting is sufficient for our goa and wi show that our new agorithm can be appied to the Arb setting. In the foowing, we revisit the existing resuts of coision and muticoision-finding agorithms in the quantum setting. Brassard, Høyer, and Tapp [BHT97] proposed a quantum agorithm BHT, which can be cassified as H-Arb for 2-coisions. To be more precise, BHT finds a 2- coision of any -to-one function with O(N 1/3 ) quantum queries and a memory amount of O(N 1/3 ). 3

4 Tabe 1: Summary of existing quantum agorithms to find (muti-)coisions. Random function Rnd Arbitrary function Arb Database D Zhandry + Ambainis (2-co) Ambainis (-co) Beovs (-co) Hash H Zhandry + Ambainis (2-co) BHT (2-co) Yuen (2-co) Converted Ambainis (-co) Converted Beovs (-co) Ours (-co) Ambainis [Amb07] studied an eement distinctness probem rather than the coision finding probem, but his agorithm can be directy appied to find (muti)coisions of functions. The agorithm is for D-Arb for -coisions with O(M /(+1) ) quantum queries, where M is the domain size. Beovs [Be12] improved the compexity of Ambainis agorithm [Amb07]. Zhandry [Zha15] observed that Ambainis agorithm [Amb07] can be modified to H-Rnd for 2-coisions with O(N 1/3 ) quantum queries, when X = Ω(N 1/2 ) and N = Y. Yuen [Yue14] discussed the appication of BHT when X = Y and the target function H is weakened to Rnd. The compexity is O(N 1/3 ) quantum queries. We do not discuss its detais because the discussed case in Yuen s work [Yue14] is a subset of Zhandry s extension of Ambainis agorithm. Regarding the ower bound, O((N/) 1/3 ) of BHT to find 2-coisions against -toone function was proved to be tight by severa researchers [AS04,Amb05,Kut05]. Zhandry proved that O(N 1/3 ) for 2-coisions against random function is tight. That is, any quantum agorithm that finds a 2-coision against a random function requires Ω(N 1/3 ) quantum queries [Zha15].1 Obviousy, Ω(N 1/3 ) can aso be a ower bound for > 2, but no advanced ower bound is known for > 2. Hüsing, Rijneved, and Song [HRS16] studied quantum generic security of hash functions by considering quantum query compexity in the quantum random-orace mode. They successfuy showed the upper and ower bound of quantum query compexity to sove the onewayness, second-preimage resistance, extended target-coision resistance, and their variants.2 Unfortunatey, they did not treat coision and muticoision resistances. The cassifications of the existing agorithms are shown in Tabe 1. As mentioned earier, Ambainis agorithm [Amb07] and its improvement by Beovs [Be12] originay focused on the database search, but they can be converted into the hash function setting with extra compexity. However, a the other approaches for the hash function setting ony anayze 2-coisions. Hence, we can concude that no quantum agorithm exists that is optimized to find -coisions for hash functions. 1 Zhandry showed that any quantum agorithm with q quantum queries finds a 2-coision with probabiity at most O ( (q + 2) 3 /N ) [Zha15]. 2 For exampe, they showed that any quantum agorithm with q quantum queries finds a preimage with probabiity at most O ( (q + 1) 2 /N ) [HRS16]. 4

5 1.2 Our Contributions In this paper, we study quantum agorithms to find -coisions against a function H : X Y. First, the probem of finding -coisions against hash functions has not received much attention in the iterature. Even if the previous work can be directy appied to -coisions against hash functions, nobody has considered this probem and no generic attack is known. This motivates us to provide a systematization of knowedge about existing quantum agorithms. Namey, we, for the first time in this fied, provide the state of the art of the compexity of finding -coisions against hash functions with a direct appication, trivia extension, and simpe combination of existing resuts. This state of the art sheds ight on the probems that require further investigation. For the second but main contribution of this paper, we present a new quantum agorithm to find -coisions against hash functions. Our contributions in each part are detaied beow. Systematization of knowedge (combination of existing resuts). Our first observation is that, when H is a random function and X = Y for a sma constant, the query compexity of the -coision finding probem is owered to O(N 1/2 ) by simpy appying Grover s agorithm. Hence, any meaningfu generic attack in the quantum setting must achieve the query compexity beow O(N 1/2 ). Intuitivey, a preimage of the hash vaue can be generated with O(N 1/2 ) queries in the quantum setting and -coisions are generated by generating preimages. This corresponds to the upper bound of O(N) compexity in the cassica setting. (Note that this upper bound is for the Rnd setting and does not hod for the Arb setting.) The above observation is quite straightforward but usefu to measure the effect of other attacks. For exampe, Ambainis -coision search for database [Amb07] can be converted for hash functions with O(M /(+1) ) compexity where M is the domain size. However, this cannot be beow O(N 1/2 ) for any. The same appies to the improvement by Beovs [Be12]. Those converted agorithms can be meaningfu ony in the Arb setting. Zhandry [Zha15] discussed the appication of Ambainis -coision search in H- Rnd and D-Rnd ony for = 2, athough it can triviay be extended to > 2. If it is extended, the compexity for = 3 reaches O(N 1/2 ). Thus, Zhandry s idea ony works for = 2. Zhandry [Zha15] considered Ambainis -coision search rather than Beovs improvement [Be12]. If we consider Zhandry + Beovs, the compexity in H-Rnd for = 3 becomes O(N 10/21 ), which is faster than the simpe appication of Grover s agorithm. Thus, it is a meaningfu generic attack. For 4, the compexity of Zhandry + Beovs reaches O(N 1/2 ). In summary, for the Rnd setting, the tight agorithm with O(N 1/2 ) compexity exists for = 2. There is a better generic attack than the simpe appication of Grover s agorithm for = 3, athough the ower bound is unknown. For 4, there is no known agorithm better than the appication of Grover s agorithm, and the ower bound is aso unknown. For the Arb setting, direct appication of Beovs agorithm is the existing best attack. 5

6 New quantum muticoision-finding agorithm. Given the above state of the art, our main contribution is a new -coision finding agorithm with O ( N (3 1 1)/2 3 1) quantum queries against an arbitrary function H : X Y with X = Y. By appying this agorithm in the Rnd setting, we achieve a speedup compared with the simpe upper bound of O(N 1/2 ) for any. The compexity of our agorithm matches the tight bound of O(N 1/3 ) for = 2 and is faster than O(10/21) of Zhandry + Beovs for = 3. The compexity of our agorithm for a sma constant is shown in Tabe 2. The compexities are compared in Fig. 1. Unike other agorithms for Arb, our agorithm asymptoticay approaches to O(N 1/2 ) as increases. The previous resuts by Ambainis [Amb07] asymptoticay approaches to O(M), and Beovs [Be12] asymptoticay approaches to O(M 3/4 ), respectivey, where M = X. Our agorithm improves these resuts for M N. The compexities are compared in Fig. 2 for M = N. The core idea of our agorithm is a sophisticated combination of the 3-coision agorithm in the cassica setting by Joux and Lucks [JL09] and the generaized Grover agorithm for the quantum setting [BBHT98]. In short, we recursivey ca a coision finding agorithm and Grover s agorithm. For exampe, to generate 3-coisions, we first iterate the 2-coision finding agorithm of O(N 1/3 ) compexity O(N 1/9 ) times. Then, we search for the preimage of one of O(N 1/9 ) 2-coisions by using Grover s agorithm, which runs with O(N 4/9 ) compexity. To generate 4-coisions, we iterate the 3-coision finding agorithm of O(N 4/9 ) compexity O(N 1/27 ) times, then search for the preimage of one of O(N 1/27 ) 3-coisions with O(N 13/27 ) compexity. In cassica setting, the recursive appication of the agorithm of [JL09] has never been discussed in iterature. This is because the resuting compexity easiy exceeds the information theoreticay upper bound of O(N ( 1)n/ ). In contrast, no such upper bounds are known in quantum compexity, thus we can obtain advantages with the recursive appication. Finay, we provide a rigorous compexity evauation of our agorithm, which is another main focus of this paper. The point of our proof is that ower and upper bounding the number of coisions of H is necessary for ower bound success probabiity. Our evauation suggests that our agorithm finds a 2-coision of SHA3-512 with quantum queries and finds a 3-coision with quantum queries. Tabe 2: Quantum query compexity of our -coision finding agorithm. Query denotes og N (query), which asymptoticay approaches 1/2 as increases Query

7 Query 1/2 Upper bound by Muti-Grover 1/3 Tight bound for = : Our agorithm : Known bound for = 2 our observation for 3 Fig. 1: Quantum query compexity needed to find -coision in H-Rnd setting. Query denotes og N (query). Query 1 3/4 1/2 1/3 : Naïve appication of Ambainis agorithm : Naïve appication of Beovs agorithm : Our agorithm Fig. 2: Quantum query compexity for finding an -coision in H-Arb setting. Query denotes og N (query). 7

8 2 Preiminaries Notation. We define -coision as foows. Definition 2.1 (-coision). Let be a positive integer. Let X and Y be finite spaces. Let H : X Y be a function from X to Y. Let {x 1, x 2,..., x } be a subset of X and et y be an eement of Y. We define ( {x 1, x 2,..., x }, y ) as an -coision of H if the pair satisfies x i x j for i j and y = H(x 1 ) = H(x 2 ) = = H(x ). Two -coisions c = ( {x 1, x 2,..., x }, y ) and c = ( {x 1, x 2,..., x }, y ) are said to be equa if and ony if {x 1, x 2,..., x } = {x 1, x 2,..., x } as sets and y = y. If X = Y and a function H : X Y satisfies H 1 (H(x)) = for any x X, we ca H -to-one function. If is cear by context, we simpy ca H reguar function. Compexity of quantum agorithm. Suppose that we are given a function H as a back box and can query a quantum state to the function H; that is, we can send a quantum superposition, say, x X α x x b to the orace H and obtain x X α x x b H(x). In the quantum query mode, the compexity of a quantum agorithm is measured by the number of quantum queries to H that the agorithm makes. Many existing studies on coision probems in quantum setting foow this mode [BHT97,Amb07,Be12,Zha15], and the quantum query compexity of coision probems must be understood when we make security proofs in the quantum random orace mode [BDF + 11], which corresponds to the random orace mode in a cassica setting. As for time compexity, we wi discuss it in Section 6. In the rest of the paper, we assume that readers aready have sufficient basic knowedge about the quantum circuit mode and omit a detaied expanation of it. 2.1 Grover s Agorithm and Its Generaization Grover s agorithm [Gro96] was proposed for fast database search in a quantum setting. The probem of database search is modeed as foows: Probem 2.1 (Quantum Database Search). Suppose that there is a function F : X {0, 1} such that there is ony one eement x 0 X that satisfies F(x 0 ) = 1. The probem is to find x 0 under the condition that we are aowed to access a quantum orace of F. Grover s agorithm can sove this probem with high probabiity, making quantum queries to F for roughy X times. This means that the compexity needed for an exhaustive search in a quantum setting is the square root of one in the cassica setting. For exampe, an exhaustive key search against AES-128 wi succeed with approximatey 2 64 quantum queries. The database search probem described above is naturay extended so that F has more than one preimage of 1. A forma description is given beow. Probem 2.2 (Generaized Quantum Database Search). Suppose that there is a function F : X {0, 1} and we are aowed to make quantum queries to F. Then, find x 0 that satisfies F(x 0 ) = 1. 8

9 Boyer, Brassard, Høyer, and Tapp proposed a quantum agorithm soving this probem [BBHT98]. The advantage of their agorithm is that it can be appied without knowing the number of x X that satisfies F(x) = 1 in advance. Theorem 2.1 ([BBHT98] Theorem 3). Let X be a finite set and F : X {0, 1} be a function. Let t = {x X F(x) = 1}. If t 3 4 X, there exists a quantum agorithm BBHT that finds x X that satisfies F(x) = 1 with an expected number of quantum queries to F at most 9/2 X /t, without knowing t in advance. When t = 0, this agorithm wi never abort. The above agorithm BBHT is appicabe ony to the case t 3 4 X, but we want an agorithm that is aso appicabe to the case t > 3 4 X. Now we consider the foowing agorithm A. A runs BBHT, and simutaneousy choose random eements from X independenty and uniformy at random, and make queries to F. A makes exacty one query when BBHT makes one query, and A stops at once if it finds x X such that F(x) = 1. This agorithm A is aso appicabe to the case t > 3 4 X, and it finds x X such that F(x) = 1 with an expected number of quantum queries to F at most max 2 9 X, 2 4 X 2 t 3 = 9. t We aso ca this agorithm BBHT. Now we have the foowing coroary. Coroary 2.1. Let X be a finite set and F : X {0, 1} be a function. Let t = {x X F(x) = 1}. There exists a quantum agorithm BBHT that finds x X that satisfies F(x) = 1 with an expected number of quantum queries to F at most 9 X /t, without knowing t in advance. When t = 0, this agorithm wi never abort. 3 Systematization of Knowedge on Quantum Muticoision Agorithms In the cassica setting, -coision on hash functions can be found with O(N ( 1)/ ) queries for a sma constant. However, the probem has not received much attention in the quantum setting. This section surveys previous work and integrates the findings of different researchers to make severa new observations on this topic. 3.1 Survey of Previous Work We review the agorithm BHT [BHT97] because our new agorithm expained in Section 4 is an extension of it. We aso survey previous studies, cassifying them in two types: eement -distinctness probem (D-Arb), and coision finding probem on random functions (D-Rnd and H-Rnd). 9

10 BHT: Coision finding probem on -to-one functions. For simpicity, we describe BHT ony for the case = 2. Let X, Y be sets that satisfy X = 2 Y, Y = N, and H : X Y be a 2-to-one function. The basic idea of BHT is as foows. First, we choose a parameter k (k = N 1/3 wi turn out to be optima) and a subset X X of cardinaity k. We then make a ist L = {(x, H(x))} x X. Second, we use the BBHT agorithm to find an eement x X such that there exists x 0 X that satisfies (x 0, H(x)) L and x x 0, i.e., we try to find a pair (x 0, H(x 0 )) L that can be extended to a coision ({x, x 0 }, H(x 0 )). The precise description of BHT is as foows. Definition 3.1 (BHT(H, k)). 1. Choose an arbitrary subset X X of cardinaity k. 2. Make a ist L = {( x, H(x) )} x X by querying x X to H. 3. Sort L in accordance with H(x). 4. Check whether L contains a 2-coision, i.e., there exist (x, H(x)), (y, H(y)) L such that x y and H(x) = H(y). If so, output the 2-coision ({x, y}, H(x)). Otherwise proceed to the next step. 5. Construct the orace F : X {0, 1} by defining F(x) = 1 if and ony if there exists x 0 X such that (x, H(x 0 )) L and x x Run BBHT(F) to find x X such that F( x) = Find x 0 X that satisfies H( x) = H(x 0 ) from the ist L. Output the 2-coision ({ x, x 0 }, H(x 0 )). This agorithm makes k quantum queries in Step 2 and O( N/k) quantum queries in Step 6 (in fact, in constructing the ist L, we need no advantage of quantum cacuation, so queries in Step 2 can aso be made cassicay if we are aowed to access a cassica orace of H). Thus, the tota number of quantum queries is O(k + N/k), which is minimized when k = N 1/3. Brassard et a. gave the foowing theorem [BHT97]. Theorem 3.1 ([BHT97, Theorem 1]). Suppose that X and Y are finite sets that satisfy X = 2 Y, and H : X Y is a 2-to-one function. Let N = Y and k be an integer such that 1 k N. BHT finds a 2-coision of H with an expected quantum query compexity O(k + N/k) and memory compexity O(k). In particuar, when k = N 1/3, BHT finds a 2-coision of H with expected quantum query compexity O(N 1/3 ) and memory compexity O(N 1/3 ). Eement -distinctness probem (-coisions in D-Arb). Consider the eement - distinctness probem, in which we are given access to the orace H : X Y to find whether there exist distinct x 1,..., x such that H(x 1 ) = = H(x ), i.e., there exits an -coision of H. Note that H obviousy has an -coision if X ( 1) Y, and the eement -distinctness probem considers the coision detecting probem on the database rather than the hash function. Ambainis [Amb07] proposed a quantum agorithm based on quantum waks that soves the eement -distinctness probem. His agorithm finds not ony whether there exists an -coision but aso an actua -coision vaue ({x 1,..., x }, y) and can be appied even for finding coisions in X ( 1) Y. His agorithm requires O ( X /(+1)) 10

11 quantum queries to H. This agorithm was ater improved by Beovs [Be12], who deveoped an agorithm that requires O ( X /(2 1) ) = o( X 3/4 ) quantum queries.3 Athough the agorithms by Ambainis and Beovs can be appied to find an -coision for X ( 1) Y, the compexity increases as the domain size X increases. These agorithms are inefficient to find coisions of hash functions, since the domain size of cryptographic hash functions is exponentiay arger than the codomain size, and we often regard the probem size as dependent on the codomain size Y not the domain size X. Hence we need another dedicated quantum agorithm to efficienty find coisions of hash functions. The back circes and rectanges in Fig. 2 correspond to the query compexity for naïve appications of Ambainis agorithm and Beovs agorithm for hash functions, respectivey. Coision finding probem on random functions (-coisions in D-Rnd and H-Rnd). Among variants of the coision probem, the coision finding probem on random functions is the most significant probem in the context of cryptography. We introduce agorithms for = 2 in the foowing. A modification of BHT. Let us consider a modification of BHT, denoted BHT, in which we choose a subset X uniformy at random. This sma modification yieds two important improvements of BHT: Brassard et a. [BHT97] mentioned that if X Y,then BHT (H, N 1/3 ) finds a coision with quantum query compexity O(N 1/3 ) with constant probabiity. Yuen [Yue14] showed that if X = Y and H is random, then BHT (H, N 1/3 ) finds a coision with quantum query compexity O(N 1/3 ) with constant probabiity. Zhandry s agorithm. Zhandry [Zha15] proposed a quantum agorithm finding a coision with O(N 1/3 )-quantum queries even if X = Ω(N 1/2 ) and H is random. This improves the restrictions of BHT and BHT, X 2 Y [BHT97], or X = Y and H is random [Yue14]. His agorithm is summarized as foows: 1. Choose a random subset X X of size N 1/2. 2. Invoke Ambainis agorithm for H X : X Y and obtain a coision. The coision exists if H is random because of the birthday bound and the query compexity is O ( X 2/3 ) = O ( (N 1/2 ) 2/3) = O(N 1/3 ). 3.2 New Observations This section gives our new observations, which are summarized as: 1. In quantum setting, the trivia upper bound for finding an -coision of a random function is O(N 1/2 ). 3 For = 3, there exists a further improvement of time compexity by Beovs, Chids, Jeffery, Kothari, and Magniez [BCJ + 13] and Jeffery [Jef14]. However, the quantum query compexity is sti Õ ( X /(2 3 1) ) = Õ( X 5/7 ). 11

12 2. We can find a 3-coision of a random function with quantum query compexity O(N 10/21 ). Observation 1 is obtained by appying a generaized Grover agorithm, and Observation 2 is obtained by combining the idea of Zhandry [Zha15] and the resut of Beovs [Be12]. Trivia upper-bound for finding -coisions in quantum setting. In the cassica setting, the trivia upper bound for finding an -coision is O(N) because of the foowing agorithm: 1. Choose an eement x 1 X uniformy at random. 2. Operate exhaustive search to find x i for i = 2,..., that satisfies H(x i ) = H(x). 3. Output ({x 1,..., x }, H(x 1 )) as an -coision. In the quantum setting, we can repace the exhaustive search with BBHT. We ca this agorithm Muti-Grover, described as foows: Definition 3.2 (Muti-Grover(H)). 1. Choose an eement x 1 X uniformy at random and set L = {x 1 }. 2. Whie L <, do: (a) Invoke BBHT(F) to find x X such that H(x) = H(x 1 ), where we impement F : X {0, 1} as F(x) = 1 if and ony if H(x) = H(x 1 ). (b) If x L, then L L {x}. 3. Output (L, H(x 1 )) as an -coision. Roughy speaking, each step in the oop requires O(N 1/2 ) queries to find x i. Thus, the tota query compexity is O(N 1/2 ) for a sma constant. Therefore, to achieve a meaningfu improvement, we need to find an -coision with fewer than O(N 1/2 ) quantum queries. We note that the ower bound of 2-coisions in [Zha15] aso appies to muticoisions. Hence, compexity of any muticoision-finding agorithm is between O(N n/3 ) by 2-coisions and O(N n/2 ) by the trivia upper bound. This corresponds to between birthday bound and preimage bound in the cassica setting. Extension of eement -distinctness to -coision. We observe that agorithms for - distinctness probem can be used to find -coisions of a random function H : X Y by extending Zhandry s idea. Let X, Y be finite sets with Y = N and X (!) 1/ N ( 1)/. Let H : X Y be a random function. 1. Choose a random subset X X of size (!) 1/ N ( 1)/ 2. Invoke Beovs agorithm for H X : X Y and obtain an -coision According to Suzuki, Tonien, Kurosawa, and Toyota [STKT08], H X has an -coision with probabiity approximatey 1/2. Thus, we observe that Beovs agorithm can find 12

13 an -coision of H X with quantum query compexity O ( (N /(2 1) ) ( 1)/).4 This matches the tight bound Θ(N 1/3 ) for = 2 [Zha15] and gives a new upper bound O(N 10/21 ) for = 3, which is cruciay ower than the trivia bound O(N 1/2 ) (see section 3.2). The white rectanges for = 2, 3 in Figure 1 correspond to this agorithm. Note that for the case of H-Rnd, if 4, (N /(2 1) ) ( 1)/ becomes greater than or equa to N 1/2, which matches the trivia bound for finding -coisions. Therefore, we have to make another quantum agorithm if we want to find -coisions for 4 with fewer than N 1/2 quantum queries. Our agorithm given in the next section finds an -coision with the same query compexity as existing work for = 2, and ess query compexity than observations above for 3. 4 New Quantum Agorithm for Finding Muticoisions Now we describe our agorithm for finding muticoisions. We begin with intuitive arguments about how to come up with an agorithm for finding muticoisions by extending the BHT agorithm and then give a forma description of our agorithm. 4.1 Intuitive Discussion from 2-Coisions to -Coisions First, we intuitivey assume that BHT(H, k) can find a coision for a function H : X Y if X = 2N without any modification, because the expected number of preimages H 1 (y) for each y Y is 2 when H is chosen uniformy at random from Map(X, Y ). (See Section 3.1 and the origina paper [BHT97] for this justification.) Reca that the principe of BHT(H, k) is to make a ist L of 1-coisions the size of which is k and to extend 1-coisions in L to 2-coisions with the BBHT agorithm. Constructing the ist L requires k quantum queries, and BBHT makes O( N/k) quantum queries, so the tota number of quantum queries is O(k + N/k). The optima k that minimizes k + N/k satisfies k = N/k, which is k = N 1/3 and then O(k + N/k) = O(N 1/3 ). Next we consider to find a 3-coision of a function H : X Y under the condition X = 3N. We take a simiar strategy to that of BHT, i.e., we make a ist L of 2- coisions the size of which is k, and extend 2-coisions in L to 3-coisions with the BBHT agorithm. We can find a 2-coision of H with BHT(H, N 1/3 ), which makes O(N 1/3 ) quantum queries. Constructing the ist L requires k N 1/3 queries, and BBHT makes O( N/k) quantum queries, so the tota number of quantum queries is O(k N 1/3 + N/k). The optima k that minimizes k N 1/3 + N/k satisfies k N 1/3 = N/k. This is k = N 1/9 and then O(k N 1/3 + N/k) = O(N 4/9 ). Hence, our new agorithm improves the bound O ( N 10/21) for = 3, which we observed in the previous section. 4 The approach is not improved by picking a smaer random subset. For exampe, consider finding 3-coision of random function H. If we pick a smaer random subset X of size N b with b < 2/3,, then the probabiity that X contains a 3-coision is roughy N 3b /N 2. Thus, we need to iterate Beovs agorithm N 2 /N 3b times, where each iteration makes N 5b/7 queries. Therefore, the tota number of queries is N (14 16b)/7 > N 10/21 for b < 2/3. 13

14 Simiary to above, we can find -coisions of a function H : X Y under the condition X = N, i.e., we construct a ist L of ( 1)-coisions of the size k, and extend ( 1)-coisions in L to -coisions using BBHT. By inductive argument, we can find that constructing the ist L requires k N (3 2 1)/(2 3 2) queries, and BBHT makes O( N/k) quantum queries, so the tota number of quantum queries is O(k N (3 2 1)/(2 3 2) + N/k). The optima k that minimizes k N (3 2 1)/(2 3 2) + N/k satisfies k N (3 2 1)/(2 3 2) = N/k, which is k = N 1/3 1, and then O ( k N (3 2 1)/(2 3 2) + N/k ) = O ( N (3 1 1)/(2 3 1 ) ) hods. Again, our new agorithm improves the trivia bound N 1/2 for -coisions, 4. If there exists an agorithm finding -coisions in the case X = N, then we can use it to find -coisions in the case X > N with the same number of queries and the same memory size, by choosing a subset X X of size N and by operating the agorithm on H X. 4.2 Forma Description of Our Agorithm Formaizing the above arguments, we obtain a quantum agorithm that finds -coisions of any function H : X Y with Y = N and X N. As briefy introduced in Section 4.1, our main idea is to construct a recursive agorithm MCo. The agorithm beow focuses on the procedure. Compexity anaysis of MCo wi be given in the next section. Athough our agorithm is an extension of BHT, the definition of the function F is sighty modified to simpify the compexity anaysis. MCo(H, ) 1. If X > N, then choose a subset X X such that X = N uniformy at random and operate MCo(H X, ). Otherwise proceed to the next step. 2. If = 1, then choose x from X uniformy at random and output ({x}, H(x)). Otherwise proceed to the next step. 3. Operate MCo(H, 1) repeatedy for N 1/3 1 times and obtain ( 1)-coisions c (i) = ({x (i) 1, x(i) 2,..., x(i) 1 }, y(i) ). Store these ( 1)-coisions in a ist L. 4. Sort L in accordance with y (i). 5. Check whether L contains dupication, i.e., there exist indices i j such that c (i) = c (j). If it does, then stop and restart from Step 3. Otherwise proceed to the next step. 6. Check whether L contains an -coision. If there is an -coision, then output it. Otherwise proceed to the next step. 7. Define F : X {0, 1} by F(x) = 1 if and ony if H(x) = y (i) hods for 1 i N 1/3 1 (F can be impemented in a quantum circuit by caing H twice as shown in Fig. 3). 8. Operate BBHT(F). Let x X be the obtained answer, which satisfies F( x) = Find i 0 that satisfies H( x) = y (i0) from the ist L. If x {x (i 0) 1, x (i 0) 2,..., x (i 0) }, then 1 stop and restart from Step 3. Otherwise output an -coision ({x (i 0) 1, x (i 0) 2,..., x (i 0) 1, x}, y (i0) ). 14

15 Fig. 3: Quantum circuit of F. H is the function we want to find coisions, and BL: Y {0, 1} is the binary function that is defined by BL(y) = 1 if and ony if there exists c (i) = ( {x (i) 1,..., x(i) 1 }, y(i)) L such that y = y (i). Here BL corresponds to a quantum circuit x y x y BL(x). 5 Compexity Anaysis of MCo In this section we anayze the compexity of MCo. First, we discuss compexity intuitivey in Section 5.1 and then give forma arguments and proofs in Section Intuitive Anaysis We intuitivey discuss the compexity of our agorithm. In the foowing, we show that MCo(H, ) finds that an -coision with memory compexity is approximatey N 1/3 and the expected quantum query compexity is at most approximatey! N (3 1 1)/(2 3 1). First, we consider memory compexity. The caim obviousy hods for = 1. In the case 2, the agorithm uses memory ony for storing the ist L. The memory size needed for L is N 1/3 1, which is ess than or equa to N 1/3. Thus, the memory compexity is at most N 1/3. Next, we consider quantum query compexity. We upper bound the expected number of quantum queries by approximatey Q := (N/P )! N (3 1 1)/(2 3 1), where P is the number of the points in Y that have at east preimages for a fixed H. Regarding (N/P ) as constant, we obtain the desired bound. The caim obviousy hods for = 1. Assume that the caim hods for ( 1). Since Step 3 makes N 1/3 1 -times cas of MCo(H, 1), the number of queries made in operating Step 3 once is approximatey N 1/3 1 Q 1 = N 1/3 1 ((N/P 1 ) ( 1)! N (3 2 1)/(2 3 2 ) ) = (N/P 1 ) ( 1)! N (3 1 1)/(2 3 1). (1) Note that BBHT(F) finds an eement x that satisfies F(x) = 1 with approximatey 1/p queries to F, where p = Pr x X [F(x) = 1]. Since L contains N 1/3 1 eements, here we approximatey argue that p N 1/3 1 / X N (1 3 1 )/3 1 and thus the number of queries to F is approximatey 1/p, which is further approximated to N (3 1 1)/(2 3 1). 15

16 From the construction of F, the number of queries to H in Step 8 is twice the number of queries to F (see Fig. 3), so the number of queries to H is 2 N (3 1 1)/(2 3 1). (2) Summing up the numbers of queries in Steps 3 and 8 in Eqs. (1) and (2), we obtain the number of queries to H in the case that MCo(H, ) does not stop in Steps 5 or 9 as ((N/P 1 ) ( 1)! + 2) N (3 1 1)/(2 3 1) (N/P 1 ) ( 1)! N (3 1 1)/(2 3 1). (3) Now et q denote the probabiity that MCo(H, ) outputs without being terminated at Steps 5 or 9. Then the overa quantum query compexity is approximatey (1/q) ( (N/P 1 ) ( 1)! N (3 1 1)/2 3 1). We assume that q equas the probabiity that an -coision is outputted in Step 9, since the probabiity that Step 5 finds a dupication in L is very sma when is a sma constant, and ignoring Step 6 ony decreases q and increases the overa compexity. Intuitivey, we can assume that q equas the product of two probabiities in Step 9: 1. The probabiity that the ( 1)-coision {x (i 0) 1, x (i 0) 2,..., x (i 0) } can be extended to 1 an -coision. 2. The probabiity that x {x (i 0) 1, x (i 0) 2,..., x (i 0) } hods, under the condition in which 1 {x (i 0) 1, x (i 0) 2,..., x (i 0) } can be extended to an -coision. 1 The probabiity of 1. is approximatey P /P 1, and the probabiity of 2. is ower bounded by 1/. Thus, we have q (P /P 1 ) (1/). Consequenty, we have overa approximated compexity which is at most This vaidates the caim. (1/q) ((N/P 1 ) ( 1)! N (3 1 1)/(2 3 1 ) ), Q = (N/P )! N (3 1 1)/ Precise Anaysis The discussion in the previous section is very informa with many approximations. This section gives the precise bound and proof. The main theorem in this section is as foows: Theorem 5.1. Let X and Y be finite sets with Y = N and X Y. Let H : X Y be an arbitrary function. For 1, MCo(H, ) finds an -coision with expected quantum query compexity at most ( ) ( e 2N 1/3 2N 1/3 1 ) 1! N (3 1 1)/(2 3 1 ) and memory compexity N 1/3. 16

17 Remark 5.1. Expected time compexity of MCo(H, ) is upper bounded by the product of expected quantum query compexity and O(T H + g N), where T H is the time needed to make a quantum query to H once, using O(N 1/3 ) qubits. See Section 6 for detais. Proof. It suffices to show that the caim hods in the case X = Y. The proof for memory compexity is the same as that we described in the previous section. In the foowing, we consider quantum query compexity. For 1, define A as A := the tota number of quantum queries to H that MCo(H, ) makes, and for 2, define B, C as B := the number of quantum queries to H made in Step 3, C := the number of quantum queries to H made in Step 8. For 2, we consider a modification of MCo(H, ), denoted by MCo (H, ), which never restarts from Step 3 once it stops in Steps 5 or 9. Let D be the tota number of quantum queries to H that MCo (H, ) makes. Let success denote the event such that MCo (H, ) outputs an -coision. Then we have E[D ] = E[B ] + E[C ] and E[A ] = E[D ] Pr[success] = E[B ] + E[C ] Pr[success] (4) for 2. In addition, since E[B ] = N 1/3 1 E[A 1 ] for 2, we have N1/3 1 E[A 1 ] + E[C ] E[A ] =. (5) Pr[success] We wi show two emmas on bounds for E[C ] and Pr[success] in Sects. 5.3 and 5.4, respectivey: Lemma 5.1. For 2, E[C ] 18 1 N hods. Lemma 5.2. For 2, Pr[success] 1 1 (1 12 N 2 1) 3 1 hods. Putting them in the inequaity (5), we obtain E[A ] N 1/3 1 E[A 1 ] N f 1, (6) where 1 f = N

18 Let {g } 1 be a sequence of numbers defined by g 1 = 1 and for 2. g = We show the foowing caims: ( g ) /( 1) f ( 1) ( 1)! Caim. For 1, E[A ] g! N hods. Caim. For 1, g ( e ) ( ) 2N 1/3 1 2N 1/3 1 hods. Combining them, we obtain for 1, E[A ] ( e ) ( 2N 1/3 2N 1/3 1 ) 1! N as we wanted. Proof (Proof of Caim). We give a proof of this caim by induction on. Since E[A 1 ] = 1, the caim hods for = 1. Now we assume that the caim hods for ( 1). By the induction, we have E[A ] N 1/3 1 E[A 1 ] N f 1 ( ) N 1/3 1 g 1 ( 1) ( 1)! N ( = g ) /( 1) f! N ( 1) ( 1)! 1 = g! N N f 1 and the caim aso hods for any 1. Proof (Proof of Caim). Finay, we upper bound g. Letting h = 18 /( 1) ( 1) ( 1)!, we have g = (g 1 + h ) f. Since f 1 hods for 2, we have g = (g 1 + h ) f = ((g 2 + h 1 ) f 1 + h ) f (g 2 + h 1 + h ) f 1 f. 18

19 Continuing cacuations, we obtain g ( 1 + i=2 h i ) i=2 f i. Thus, we have g 1 + = 1 + i=2 i=2 h i i=2 f i 18 i/(i 1) (i 1) (i 1)! (i 1)! i= i! i=0 as we wanted. i=2 i= N 2 3i N 1/3 (i 1)! i=2 i=2 ( 2N 1/3 ) 1 2N 1/3 = ( e ) ( 2N 1/3 ) 1 1 2N 1/3, 1 2N 1/3 2N 1/ Proof of Lemma 5.1 Note that E[C ] E[C Step 8 is operated] hods, and we upper bound the conditiona expectation E[C Step 8 is operated]. When the agorithm operates in Step 8, it has aready passed Steps 5 and 6. Thus, L has neither dupication nor -coision. In particuar, we can assume that L is a ist of competey distinct ( 1) coisions of H, i.e., y (i 1) = y (i 2) hods if and ony if i 1 = i 2. Thus, we have and F 1 (1) = N 1/3 1 i=1 H 1 (y (i) ) = F 1 (1) X N 1/3 1 i=1 H 1 (y (i) ) ( 1) N 1/3 1 ( 1) N1/3 1. N Since MCo makes two quantum queries to H whie making one query to F (See Fig. 3), we have N E[C Step 8 is operated] 2 9 = 18 1/3 1 ( 1) N 1 N by Coroary 2.1 as we wanted. 5.4 Proof of Lemma 5.2 Next, we ower bound Pr[success]. Note that Pr[success] = Pr [ c (i) c (j) for i j ] Pr [ success c (i) c (j) for i j ] 19

20 hods. We need two emmas. For the proof of Lemma 5.3, we refer readers to Shoup s textbook [Sho08]. The proof of Lemma 5.4 is given in Appendix A. Lemma 5.3 ([Sho08, Theorem 8.26]). Let [d] be the set of integers {1, 2,..., d}, and [d] n be the n-array Cartesian power set of [d] for positive integers d, n. If s = (s 1, s 2,..., s n ) is chosen uniformy at random from [d] n, then the probabiity that s i s j hods for a i j is ower bounded by 1 n 2 /(2d). Lemma 5.4. Let X and Y be finite sets with Y = N and X = N. Let H be a function from X to Y. Then the number of -coisions and ( 1)-coisions of H are greater than or equa to N and N, respectivey. First, we ower bound Pr [ c (i) c (j) for i j ]. From the construction of MCo, we can assume that MCo(H, 1) outputs an ( 1)-coision of H uniformy at random. Thus, we can assume that eements c (i) L are chosen independenty and uniformy at random from the set of ( 1)-coisions of H. By Lemma 5.4, the number of ( 1)- coisions of H is at east N. Moreover, if n is fixed, 1 n 2 /2d is a monotonicay increasing function on d. Therefore, by Lemma 5.3, we have Pr [ c (i) c (j) for i j ] 1 (N1/3 1 ) 2 2N = N (7) Second, we ower bound Pr [ success c (i) c (j) for i j ]. Note that the event success occurs if and ony if y (i) = y (j) for some i j, (8) or c (i 0) can be extended to an -coision, and x { x (i 0) 1, x (i 0) 2,..., x (i 0) 1}. (9) occurs. Reca that x is the output of Step 8 and i 0 is an index satisfying H( x) = y (i 0). The event (8) corresponds to the event in which MCo finds an -coision in Step 6, and the event (9) corresponds to the event in which MCo finds an -coision in Step 9. Now, et L be a the possibe ists L that satisfy c (i) c (j) for i j. Let L 1 L denote the set of ists in which there exists -coisions, i.e., there are two indices i j such that y (i) = y (j), and L 2 L denotes the set of ists in which there is no -coision, i.e., y (i) y (j) hods for i j. Then we have L = L 1 L2. MCo finds an -coision in Step 6 if and ony if L L 1. In the foowing, we ignore Step 4 and consider that L is not sorted for simpicity. For a fixed L L, et A L and B L denote the sets of eements in L that can and cannot be extended to -coisions, respectivey. We have that L = A L B L, A L equas the number of y (i) such that H 1 (y (i) ), and B L equas the number of y (i) such that H 1 (y (i) ) = 1. Define A L, B L by A L := H 1 (y (i) ) and B L := c (i) =(...,y (i) ) A L H 1 (y (i) ), c (i) =(...,y (i) ) B L 20

21 which are the numbers of preimages of y (i) s in A L and B L, respectivey. Note that Pr[success c (i) c (j) for i j] = Pr[success L] Pr[L]. hods. If L L 2, then success occurs if and ony if the event (9) occurs, that is, x can be used to construct an -coision with an ( 1)-coision in L. Note that x is chosen uniformy at random from the set L L H 1 (y (i) ) H 1 (y (i) ), c (i) =(...,y (i) ) A L c (i) =(...,y (i) ) B L and the event (9) occurs if and ony if x H 1 (y (i) ) x x (i) j for a i and j c (i) =(...,y (i) ) A L hods. Now we have Pr x H 1 (y (i) ) L A L c (i) A L = A L + B L, and Pr x x (i) j for a i and j L, x H 1 (y (i) ) 1 c (i) A L, which suggests that Pr[success L] = Pr x H 1 (y (i) ) x x (i) j for a i and j L c (i) A L = Pr x H 1 (y (i) ) L c (i) A L Pr x x (i) j for a i and j L, x H 1 (y (i) ) c (i) A L A L A L + B L 1. In addition, we have A L A L since y (i) y (j) hods for i j if L L 2. Thus, we have A L A L ( 1) A L and B L = ( 1) B L. This yieds that A L A L + B L = 1 1 B L ( 1) BL = A L A L ( 1) A L AL + B L. 21

22 Thus, we have Pr[success L] A L A L + B L 1 for L L 2. Moreover, since Pr[success L] = 1 for L L 1, the inequaity (10) aso hods for L L 1. Therefore, we have Pr [ success c (i) c (j) for i j ] = Pr[success L] Pr[L] 1 L L A L A L + B L Pr[L]. Now we use the foowing emmas the proofs of which are given in Appendix B and Appendix C, respectivey. Lemma 5.5. Let X, Y be finite sets such that X = Y, and H be a function from X to Y. Let A, B denote the sets of ( 1)-coisions of H that can and cannot be extended to -coisions, respectivey. Then we have A A + B L L 1. Lemma 5.6. Let X, Y be finite sets such that X = Y, and H be a function from X to Y. Let A, B denote the sets of ( 1)-coisions of H that can and cannot be extended to -coisions, respectivey. Then we have A L A L + B L Pr[L] = A A + B. L L By the above emmas, we have Pr [ success c (i) c (j) for i j ] 1 1. Consequenty, Pr[success] is ower bounded as Pr[success] 1 1 (1 12 N 2 that competes the proof. (10) 3 1 1), 6 Discussions on Time Compexity The previous section ony focused on quantum query compexity. This section discusses time compexity of MCo. We measure the unit of time compexity by the number of executions of quantum gates, which operate primary binary cacuations on g N-bit strings such as NOT, AND, OR, and XOR. For a function F : X {0, 1}, BBHT finds an x 0 such that F(x 0 ) = 1 in time O( X /t T ), where t = {x X F(x) = 1} and T is the time for evauating F once. To begin with, we show the foowing theorem. 22

23 Theorem 6.1. Let X, Y be finite sets with Y = N and X Y. For any function H : X Y, MCo(H, ) runs in expected time ( 2N 1/3 ) 1 C 2N 1/3! N (3 1 1)/2 3 1 (T H + g N) 1 for some constant C, using O(N 1/3 ) qubits, where T H denotes the time needed to make a quantum query to H. Proof. Let A be the running time of MCo(H, ) for 1. For 2, et B, G, C, K be the running time of Steps 3, 4, 8, and 9, respectivey. Simiary to the inequaity 4, we have E[A ] = E[B ] + E[G ] + E[C ] + E[K ] (11) Pr[success] for 2. We have E[B ] = N1/3 1 E[A 1 ], E[G ] = O ( N 1/3 1 g N 1/3 1 ) = O ( N 1/3 1 g N ), E[K ] = O ( g N 1/3 1 ) = O ( g N ), since Steps 4 and 9 can be done cassicay. In addition, we have that E[C ] = E[C ] (T H + O ( )) ( g N 1/3 1 = O E[C ] (T )) H + g N 1/3 1 = O 1 N (T H + g N ), which foows from the construction of the quantum circuit of F (See Fig. 3) and the caim beow. See Appendix D for detais of this caim. Caim. The quantum circuit BL can be constructed so that it runs in time O(g N 1/3 1 ) using O(N 1/3 1 ) qubits. Eventuay, we have E[A ] = O N 1/3 1 E[A 1 ] + N1/3 1 g N + 1 N (T H + g N ) + g N Pr[success] O N 1/3 1 E[A 1 ] + 1 N (T H + g N ) Pr[success] = O N 1/3 1 E[A 1 ] + 1 N f 1 (T H + g N ). The above equation yieds the caim of Theorem 6.1 due to the same argument as that in the proof of Theorem

24 Remark 6.1. From the viewpoint of time compexity, there are a few criticisms of existing quantum 2-coision finding agorithms [GR03,Ber09]. They are based on the observation that memory size is essentiay the same as machine size for quantum machines, since we have to embed data that we use in a quantum agorithm into the quantum circuit of the agorithm. Note that these criticisms ony focus on coisions of random functions and thus are invaid when we consider finding coisions of any function. Furthermore, the target of these criticisms is time compexity, and our main resut (Theorem 5.1), which focuses on quantum query compexity, is out of the scope of these criticisms. 7 Concusion Finding muticoisions is one of the most important probems in cryptoogy, both for attack and provabe security. In the post-quantum era, this probem needs to be studied in a quantum setting to reaize quantum-secure cryptographic schemes. This paper systematized knowedge on the muticoision-finding probem in a quantum setting and proposed a new quantum muticoision-finding agorithm. Our agorithm finds an - coision of any function H : X Y, where X Y, with expected quantum query compexity O(N (3 1 1)/2 3 1 ) = o(n 1/2 ) and memory compexity O(N 1/3 ) for a sma constant. If our agorithm is appied to the random function, the compexity matches the known tight bound for = 2, improves the simpe combination of Zhandry and Beovs resuts for = 3, and for the first time improves the simpe bound of O(N 1/2 ) for 4. Getting rid of the condition X Y and proving a ower bound to find an -coision are eft for future work. The quantum stuff in this paper is encapsuated in Grover s agorithm, and the resuts can equay we be understood as query compexity given a Grover back-box without assuming any knowedge of quantum theory on the reader. We hope this paper encourages researchers in cassica setting to activey discuss quantum agorithms. References Amb05. Andris Ambainis. Poynomia degree and ower bounds in quantum compexity: Coision and eement distinctness with sma range. Theory of Computing, 1:37 46, Amb07. Andris Ambainis. Quantum wak agorithm for eement distinctness. SIAM J. Comput., 37(1): , The preiminary version appeared in FOCS See https: AS04. //arxiv.org/abs/quant-ph/ Scott Aaronson and Yaoyun Shi. Quantum ower bounds for the coision and the eement distinctness probems. J. ACM, 51(4): , Juy BBHT98. Miche Boyer, Gies Brassard, Peter Høyer, and Aain Tapp. Tight bounds on quantum searching. Fortsch. Phys., 46(4-5): , June quant-ph/ BCJ Aeksandrs Beovs, Andrew M. Chids, Stacey Jeffery, Robin Kothari, and Frédéric Magniez. Time-efficient quantum waks for 3-distinctness. In ICALP 2013, Part I, pages , See and arxiv.org/abs/