Quantum Multicollision-Finding Algorithm

  • Akinori Hosoyamada
  • Yu Sasaki
  • Keita Xagawa
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10625)


The current paper presents a new quantum algorithm for finding multicollisions, often denoted by l-collisions, where an l-collision for a function is a set of l distinct inputs having the same output value. Although it is fundamental in cryptography, the problem of finding multicollisions has not received much attention in a quantum setting. The tight bound of quantum query complexity for finding 2-collisions of random functions has been revealed to be \(\varTheta (N^{1/3})\), where N is the size of a codomain. However, neither the lower nor upper bound is known for l-collisions. The paper first integrates the results from existing research to derive several new observations, e.g. l-collisions can be generated only with \(O(N^{1/2})\) quantum queries for a small constant l. Then a new quantum algorithm is proposed, which finds an l-collision of any function that has a domain size l times larger than the codomain size. A rigorous proof is given to guarantee that the expected number of quantum queries is \(O\left( N^{(3^{l-1}-1)/(2 \cdot 3^{l-1})} \right) \) for a small constant l, which matches the tight bound of \(\varTheta (N^{1/3})\) for \(l=2\) and improves the known bounds, say, the above simple bound of \(O(N^{1/2})\).


Post-quantum cryptography Multicollision Quantum algorithm Grover BHT Rigorous complexity evaluation State-of-art 

Supplementary material


  1. [Amb05]
    Ambainis, A.: Polynomial degree and lower bounds in quantum complexity: collision and element distinctness with small range. Theory Comput. 1, 37–46 (2005). MathSciNetCrossRefzbMATHGoogle Scholar
  2. [Amb07]
    Ambainis, A.: Quantum walk algorithm for element distinctness. SIAM J. Comput. 37(1), 210–239 (2007). The preliminary version appeared in FOCS 2004. See MathSciNetCrossRefzbMATHGoogle Scholar
  3. [AS04]
    Aaronson, S., Shi, Y.: Quantum lower bounds for the collision and the element distinctness problems. J. ACM 51(4), 595–605 (2004)MathSciNetCrossRefzbMATHGoogle Scholar
  4. [BBHT98]
    Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortsch. Phys. 46(4–5), 493–505 (1998). CrossRefGoogle Scholar
  5. [BCJ+13]
    Belovs, A., Childs, A.M., Jeffery, S., Kothari, R., Magniez, F.: Time-efficient quantum walks for 3-distinctness. In: Fomin, F.V., Freivalds, R., Kwiatkowska, M., Peleg, D. (eds.) ICALP 2013. LNCS, vol. 7965, pp. 105–122. Springer, Heidelberg (2013). See and
  6. [BDF+11]
    Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  7. [Bel12]
    Belovs, A.: Learning-graph-based quantum algorithm for \(k\)-distinctness. In: FOCS 2012, pp. 207–216 (2012).
  8. [Ber09]
    Bernstein, D.J.: Cost analysis of hash collisions: will quantum computers make SHARCS obsolete? In: SHARCS 2009 (2009)Google Scholar
  9. [BHT97]
    Brassard, G., Høyer, P., Tapp, A.: Quantum algorithm for the collision problem. CoRR, quant-ph/9705002 (1997). See also Quantum cryptanalysis of hash and claw-free functions. In: LATIN 1998, pp. 163–169 (1998). See
  10. [CN08]
    Chang, D., Nandi, M.: Improved indifferentiability security analysis of chopMD hash function. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 429–443. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  11. [DDKS14]
    Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Cryptanalysis of iterated even-mansour schemes with two keys. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 439–457. Springer, Heidelberg (2014). Google Scholar
  12. [Flo67]
    Floyd, R.W.: Nondeterministic algorithms. J. ACM 14(4), 636–644 (1967)CrossRefzbMATHGoogle Scholar
  13. [GR03]
    Grover, L., Rudolph, T.: How significant are the known collision and element distinctness quantum algorithms? CoRR, quant-ph/0309123 (2003). See GR04Google Scholar
  14. [Gro96]
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: STOC 1996, pp. 212–219 (1996).
  15. [HIK+10]
    Hirose, S., Ideguchi, K., Kuwakado, H., Owada, T., Preneel, B., Yoshida, H.: A lightweight 256-bit hash function for hardware and low-end devices: Lesamnta-LW. In: Rhee, K.-H., Nyang, D.H. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 151–168. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  16. [HRS16]
    Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  17. [Jef14]
    Jeffery, S.: Frameworks for Quantum Algorithms. Ph.D. thesis, University of Waterloo (2014)Google Scholar
  18. [JJV02]
    Jaulmes, É., Joux, A., Valette, F.: On the security of randomized CBC-MAC beyond the birthday paradox limit a new construction. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 237–251. Springer, Heidelberg (2002). CrossRefGoogle Scholar
  19. [JL09]
    Joux, A., Lucks, S.: Improved generic algorithms for 3-collisions. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 347–363. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  20. [JLM14]
    Jovanovic, P., Luykx, A., Mennink, B.: Beyond 2c/2 security in sponge-based authenticated encryption modes. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 85–104. Springer, Heidelberg (2014). Google Scholar
  21. [KMRT09]
    Knudsen, L.R., Mendel, F., Rechberger, C., Thomsen, S.S.: Cryptanalysis of MDC-2. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 106–120. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  22. [Kut05]
    Kutin, S.: Quantum lower bound for the collision problem with small range. Theory Comput. 1, 29–36 (2005). MathSciNetCrossRefzbMATHGoogle Scholar
  23. [MT08]
    Mendel, F., Thomsen, S.S.: An observation on JH-512 (2008).
  24. [NO14]
    Naito, Y., Ohta, K.: Improved indifferentiable security analysis of PHOTON. In: Abdalla, M., Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 340–357. Springer, Cham (2014). Google Scholar
  25. [NS16]
    Nikolić, I., Sasaki, Y.: A new algorithm for the unbalanced meet-in-the-middle problem. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 627–647. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  26. [NSWY13]
    Naito, Y., Sasaki, Y., Wang, L., Yasuda, K.: Generic state-recovery and forgery attacks on ChopMD-MAC and on NMAC/HMAC. In: Sakiyama, K., Terada, M. (eds.) IWSEC 2013. LNCS, vol. 8231, pp. 83–98. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  27. [NWW13]
    Nikolić, I., Wang, L., Wu, S.: Cryptanalysis of round-reduced LED. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 112–129. Springer, Heidelberg (2014). Google Scholar
  28. [RS96]
    Rivest, R.L., Shamir, A.: PayWord and MicroMint: two simple micropayment schemes. In: Lomas, M. (ed.) Security Protocols 1996. LNCS, vol. 1189, pp. 69–87. Springer, Heidelberg (1997). CrossRefGoogle Scholar
  29. [Sho08]
    Shoup, V.: A Computational Introduction to Number Theory and Algebra, 2nd edn. Cambridge University Press, Cambridge (2008)CrossRefzbMATHGoogle Scholar
  30. [STKT08]
    Suzuki, K., Tonien, D., Kurosawa, K., Toyota, K.: Birthday paradox for multi-collisions. IEICE Trans. 91-A(1), 39–45 (2008). The preliminary version is in ICISC 2006Google Scholar
  31. [Yue14]
    Yuen, H.: A quantum lower bound for distinguishing random functions from random permutations. Quant. Inf. Comput. 14(13–14), 1089–1097 (2014). MathSciNetGoogle Scholar
  32. [Zha15]
    Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Inf. Comput. 15(7–8), 557–567 (2015)MathSciNetGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. 1.NTT Secure Platform LaboratoriesMusashino-shiJapan

Personalised recommendations