Open Access

Quantum Time–Space Tradeoff for Finding Multiple Collision Pairs

Published: 26 June 2023


Abstract

We study the problem of finding K collision pairs in a random function f : [N] → [N] by using a quantum computer. We prove that the number of queries to the function in the quantum random oracle model must increase significantly when the size of the available memory is limited. Namely, we demonstrate that any algorithm using S qubits of memory must perform a number T of queries that satisfies the tradeoff \(T^3 S \ge \Omega (K^3 N)\). Classically, the same question has only been settled recently by Dinur [22], who showed that the Parallel Collision Search algorithm of van Oorschot and Wiener [36] achieves the optimal time–space tradeoff of \(T^2 S = \Theta (K^2 N)\). Our result limits the extent to which quantum computing may decrease this tradeoff. Our method is based on a novel application of Zhandry’s recording query technique [42] for proving lower bounds in the exponentially small success probability regime. As a second application, we give a simpler proof of the time–space tradeoff \(T^2 S \ge \Omega (N^3)\) for sorting N numbers on a quantum computer, which was first obtained by Klauck, Špalek, and de Wolf [30].


1 INTRODUCTION

The efficiency of a cryptographic attack is a hard-to-define concept that must express the interplay between different computational resources [11, 12, 39]. Arguably, the two most used criteria are the time complexity, measured for instance as the number of queries to a random oracle, and the space complexity, which is the memory size needed to perform the attack. Time–space tradeoffs aim at connecting these two quantities by studying how much the time increases when the available space decreases. Devising security proofs that are sensitive to memory constraints is a challenging program. Indeed, very few tools are available to quantify the extent to which the space impacts the security level of a scheme. A recent line of work [22, 25, 28, 35] has made some progress for the case of classical attackers with bounded memory. The development of quantum computing raises the question of whether access to quantum operations and quantum memories may lower the security levels. The answer is unclear when taking space into account. Indeed, many quantum “speed-ups” come at the cost of a dramatic increase in the space requirement [6, 16, 31]. A central open question is whether a speed-up in terms of both time and space complexities is achievable for such problems.

The focus of this work is to provide time–space tradeoff lower bounds for the problem of finding multiple collision pairs in a random function. The search for a single collision pair is one of the cornerstones of cryptanalysis. Classically, the birthday attack can be achieved by means of a memoryless (i.e., logarithmic-size memory) algorithm using Pollard’s rho method [33]. However, the quantum BHT algorithm [16] requires fewer queries to the random function, but the product of its time and space complexities is higher than that of the classical attack. In this article, we address the more general problem of finding multiple collision pairs in a random function. This task plays a central role in low-memory meet-in-the-middle attacks [22, 36]. It has applications in many problems, such as double and triple encryption [36], subset sum [21, 23], \(k\)-sum [38], 3-collision [29], and so on. Recently, it has also been used to attack the post-quantum cryptography candidates NTRU [37] and SIKE [4]. The celebrated classical Parallel Collision Search algorithm of van Oorschot and Wiener [36] can find as many collision pairs as desired in time that depends on the available memory. The question of whether this algorithm achieves the optimal classical time–space tradeoff has been settled positively only recently by Chakrabarti and Chen [18] (for the case of 2-to-1 random functions) and by Dinur [22] (for the case of uniformly random functions). In the quantum setting, no time–space tradeoff was known prior to our work. In other words, it could have been the case that a memoryless quantum attack outperforms the Parallel Collision Search algorithm with unlimited memory capacity.

We point out that time–space tradeoffs have been studied for a long time in the complexity community [3, 9, 10, 13, 14, 32, 40]. The few results known in the quantum circuit model are for the Sorting problem [30], Boolean Matrix-Vector and Matrix-Matrix Multiplication [30], and Evaluating Solutions to Systems of Linear Inequalities [8]. Apart from our work, all existing quantum tradeoffs are based on the hardness of Quantum Search. We use the machinery developed in our article to give a simpler proof of the tradeoffs obtained in Reference [30].

1.1 Our Results

The Collision Pairs Finding problem asks to find a certain number \(K\) of disjoint collision pairs in a random function \(f : [M] \rightarrow [N]\), where \(M \ge N\). A collision pair (or simply collision) is a pair of values \(x_1 \ne x_2\) such that \(f(x_1) = f(x_2)\). Two collisions \((x_1,x_2)\) and \((x_3,x_4)\) are disjoint if \(x_1,\dots ,x_4\) are all different. We define the time \(T\) of an algorithm solving this problem as the number of query accesses to \(f\) and the space \(S\) as the amount of memory used. We assume that the output is produced in an online fashion, meaning that a collision can be output as soon as it is discovered. The length of the output is not counted toward the space bound and the same collision may be output several times (but it contributes only once to the total count). The requirement for the collisions to be disjoint is made to simplify our proofs later. We note that a random function \(f : [N] \rightarrow [N]\) contains \((1-2/e)N\) disjoint collisions on average [24].

Classically, the single-processor Parallel Collision Search algorithm [36] achieves an optimal [22] time–space tradeoff of \(T^2 S = \widetilde{\Theta }(K^2 N)\) for any amount of space \(S\) between \(\widetilde{\Omega }(\log N)\) and \(\widetilde{O}(K)\). In the quantum setting, the BHT algorithm [16] can find a single collision in time \(T = \widetilde{O}(N^{1/3})\) and space \(S = \widetilde{O}(N^{1/3})\). In Algorithm 2, we adapt it for finding an arbitrary number \(K\) of collisions at cost \(T^2 S \le \widetilde{O}(K^2 N)\). For the sake of simplicity in the analysis, we do not require these collisions to be disjoint. This is the same tradeoff as classically, except that the space parameter \(S\) can hold larger values up to \(\widetilde{O}(K^{2/3} N^{1/3})\), and hence the existence of a quantum speed-up when there is no memory constraint.
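To make the classical tradeoff concrete, the following added example (not code from the article or from van Oorschot and Wiener) is a single-processor distinguished-point collision search with \(S\) memory cells that counts its queries \(T\) while collecting \(K\) disjoint collisions. The distinguished-point rule, the slot indexing, the trail-length cap, the query budget, and all function names are assumptions of this sketch; the random function is a constructed lookup table.

```python
import random

def make_random_function(n, seed):
    """Constructed sample input: a lookup table for a random f: [n] -> [n]."""
    rng = random.Random(seed)
    return [rng.randrange(n) for _ in range(n)]

class CountingOracle:
    """Wraps the table so that every evaluation of f counts as one query."""
    def __init__(self, table):
        self.table, self.queries = table, 0
    def __call__(self, x):
        self.queries += 1
        return self.table[x]

def locate_collision(f, start_a, len_a, start_b, len_b):
    """Both trails end at the same distinguished point. Re-walk them in
    lockstep to the merge point. Returns (x1, x2, y) with x1 != x2 and
    f(x1) == f(x2) == y, or None if one trail lies on the other."""
    a, b = start_a, start_b
    while len_a > len_b:          # align: same distance to the end point
        a, len_a = f(a), len_a - 1
    while len_b > len_a:
        b, len_b = f(b), len_b - 1
    if a == b:
        return None
    for _ in range(len_a):
        fa, fb = f(a), f(b)
        if fa == fb:
            return (a, b, fa)
        a, b = fa, fb
    return None

def parallel_collision_search(table, k, s, seed=0, budget=None):
    """Collect k disjoint collisions using s memory cells.
    Returns (list of (x1, x2, y), number of queries T)."""
    n = len(table)
    f = CountingOracle(table)
    rng = random.Random(seed)
    theta = max(1, round((n / s) ** 0.5))  # assumed trail length ~ sqrt(N/S)
    budget = budget or 50 * n              # assumed safety cap on queries
    slots = [None] * s                     # the S cells: (end point, start, length)
    found, used = [], set()
    while len(found) < k and f.queries < budget:
        start = x = rng.randrange(n)
        length = 0
        # walk to a distinguished point (x divisible by theta); abandon
        # trails that appear to be stuck in a cycle without one
        while x % theta != 0 and length < 20 * theta:
            x, length = f(x), length + 1
        if x % theta != 0:
            continue
        i = (x // theta) % s
        old, slots[i] = slots[i], (x, start, length)
        if old is None or old[0] != x:
            continue                       # no stored trail with this end point
        hit = locate_collision(f, start, length, old[1], old[2])
        # keep only collisions disjoint from every pair already output
        if hit and hit[0] not in used and hit[1] not in used:
            used.update(hit[:2])
            found.append(hit)
    return found, f.queries

def is_valid_solution(table, found):
    """Check the collision and mutual-disjointness conditions."""
    inputs = [x for x1, x2, _ in found for x in (x1, x2)]
    pairs_ok = all(x1 != x2 and table[x1] == table[x2] == y
                   for x1, x2, y in found)
    return pairs_ok and len(set(inputs)) == len(inputs)

if __name__ == "__main__":
    N, K = 1 << 14, 32
    table = make_random_function(N, seed=2023)
    for S in (4, 16):
        found, T = parallel_collision_search(table, K, S, seed=1)
        print(f"S={S:3d}  T={T:7d}  T^2*S/(K^2*N)={T * T * S / (K * K * N):.2f}")
```

Running the script prints the query count for each memory size together with the ratio \(T^2 S / (K^2 N)\), which the tradeoff predicts stays within a modest factor as \(S\) varies.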

Stated in Proposition 6.7. For any \(1 \le K \le O(N)\) and \(\widetilde{\Omega }(\log N) \le S \le \widetilde{O}(K^{2/3} N^{1/3})\), there exists a quantum algorithm that can find \(K\) collisions in a random function \(f : [N] \rightarrow [N]\) with probability at least \(2/3\) by making \(T = \widetilde{O}(K \sqrt {N/S})\) queries and using \(S\) qubits of memory.

The BHT algorithm achieves the optimal time complexity for finding one collision [2, 41]. Our first main result is to provide a similar lower bound for the problem of finding \(K\) disjoint collisions. We prove that the optimal time complexity must satisfy \(T \ge \Omega (K^{2/3} N^{1/3})\). This bound is matched by Proposition 6.7 when \(S = \Theta (K^{2/3} N^{1/3})\). More precisely, we show that the optimal success probability decreases at an exponential rate in \(K\) below this bound. This property is of crucial importance for proving our time–space tradeoff next. We note that, similarly to Reference [41], the bound is independent of the size \(M\) of the domain.

Stated in Theorem 4.5. The success probability of finding \(K\) disjoint collisions in a uniformly random function \(f : [M] \rightarrow [N]\) is at most \(O(\frac{T^3}{K^2 N})^K\) for any algorithm making \(T \ge K\) quantum queries to \(f\).

Our second main result is the next time–space tradeoff for the same problem of finding \(K\) collisions in a random function. We summarize the tradeoffs known for this problem in Table 1. We note that the tradeoff \(T^2 S \ge \Omega (K^2 N)\) is always stronger than \(T^3 S \ge \Omega (K^3 N)\), since \(T \ge K\).

| | Classical complexity | Quantum complexity |
|---|---|---|
| Upper bound | \(T^2 S \le \widetilde{O}(K^2 N)\) when \(\widetilde{\Omega }(\log N) \le S \le \widetilde{O}(K)\) (Parallel Collision Search [36]) | \(T^2 S \le \widetilde{O}(K^2 N)\) when \(\widetilde{\Omega }(\log N) \le S \le \widetilde{O}(K^{2/3} N^{1/3})\) (Proposition 6.7) |
| Lower bound | \(T^2 S \ge \Omega (K^2 N)\) ([22]) | \(T^3 S \ge \Omega (K^3 N)\) (Theorem 6.1) |

Table 1. Complexity to Find \(K\) Disjoint Collisions in a Random Function \(f : [M] \rightarrow [N]\)

Stated in Theorem 6.1. Any quantum algorithm for finding \(K\) disjoint collisions in a uniformly random function \(f : [M] \rightarrow [N]\) with success probability \(2/3\) must satisfy a time–space tradeoff of \(T^3 S \ge \Omega (K^3 N)\).

As a simple corollary, we obtain that finding almost all collisions using a memoryless algorithm (i.e., \(S = O(\log N)\)) requires at least \(T \ge \Omega (N^{4/3})\) quantum queries, whereas \(T = N\) classical queries are clearly sufficient when there is no space restriction. We further show that any improvement to this lower bound would imply a breakthrough for the Element Distinctness problem, which consists of finding a single collision in a random function \(f : [N] \rightarrow [N^2]\) (or, more generally, deciding if a function contains a collision). It is a long-standing open question to prove a time–space lower bound for this problem. Although there is some progress in the classical case [10, 13, 40], no result is known in the quantum setting. We give a reduction that converts any tradeoff for finding multiple collisions into a tradeoff for Element Distinctness. We state a particular case of our reduction below.

Stated in Corollary 6.4. Suppose that there exists \(\epsilon \in (0,1)\) such that any quantum algorithm for finding \(\widetilde{\Omega }(N)\) disjoint collisions in a random function \(f : [10N] \rightarrow [N]\) must satisfy a time–space tradeoff of \(T S^{1/3} \ge \widetilde{\Omega }(N^{4/3 + \epsilon })\). Then, any quantum algorithm for solving Element Distinctness on domain size \(N\) must satisfy a time–space tradeoff of \(T S^{1/3} \ge \widetilde{\Omega }(N^{2/3 + 2\epsilon })\).

We point out that \(T S^{1/3} \ge \Omega (N^{2/3})\) can already be deduced from the query complexity of Element Distinctness [2] and \(S \ge 1\). We conjecture that our current tradeoff for finding \(K\) collisions can be improved to \(T^2 S \ge \Omega (K^2 N)\), which would imply \(T^2 S \ge \widetilde{\Omega }(N^2)\) for Element Distinctness (Corollary 6.6). This result would be optimal [6].

Finally, we adapt the machinery developed in our article to study the \(K\)-Search problem, which we define as the task of finding \(K\) marked items (i.e., that evaluate to 1) in a random function \(f : [M] \rightarrow \lbrace 0,1\rbrace\), where \(f(x) = 1\) with probability \(p \in [0,1]\) independently for each \(x\). Several variants of this problem have been considered in the literature before [7, 30, 34], where it was shown that the success probability is exponentially small in \(K\) when the number of quantum queries is a constant fraction smaller than the complexity needed to succeed with probability \(2/3\). Our proof is the first one to consider this generic input distribution when \(K \gt 1\), and it is arguably simpler than previous work. The case of finding a single marked item (i.e., \(K = 1\)) was solved in Reference [27, Theorem 1] using different techniques.

Stated in Theorem 5.5. Let \(p \in [0,1]\). The success probability of finding \(K\) marked items in a random function \(f : [M] \rightarrow \lbrace 0,1\rbrace\), where \(f(x) = 1\) with probability \(p\) for each \(x\), is at most \(O(p(T/K)^2)^K\) for any algorithm making \(T \ge K\) quantum queries to \(f\).

Note that the probability parameter must be at least \(p \ge \Omega (K/M)\) to guarantee the existence of at least \(K\) marked items in \(f\) with high probability. In this regime, we can solve the \(K\)-Search problem with \(T = O(K/\sqrt {p})\) queries and success probability \(2/3\) by running Grover’s search on the first \(O(K/p)\) values of \(f\).

As an application of Theorem 5.5, we reprove in Theorem 6.8 the quantum time–space tradeoff for sorting \(N\) numbers first obtained in Reference [30]. This result requires that the circuit gates producing the output are chosen non-adaptively (we further discuss this condition in Section 6.2).

Stated in Theorem 6.8. Any quantum algorithm for sorting a function \(f : [N] \rightarrow \lbrace 0,1,2\rbrace\) with success probability \(2/3\) must satisfy a time–space tradeoff of \(T^2 S \ge \Omega (N^3)\).

1.2 Our Techniques

Recording Query Technique. We use the recording query framework of Zhandry [42] to upper bound the success probability of a query-bounded algorithm in finding \(K\) collision pairs. This method intends to reproduce the classical strategy where the queries made by an algorithm (the attacker) are recorded and answered with on-the-fly simulation of the oracle. Zhandry brought this technique to the quantum random oracle model by showing that, for the uniform input distribution, one can record in superposition the queries made by a quantum algorithm. Our first technical contribution (Section 3) is to simplify the analysis of Zhandry’s technique and, as a byproduct, to generalize it to any product distribution on the input. We notice that there has been other independent work on extending Zhandry’s recording technique [19, 20, 26]. Our approach does not require moving to the Fourier domain (as in Reference [20] for instance). Instead, it is based on defining a “recording query operator” that is specific to the input distribution under consideration. This operator can replace the standard quantum query operator without changing the success probability of the algorithm, but with the effect of “recording” the quantum queries in an additional register. We detail two recording query operators corresponding to the uniform distribution (Lemma 4.1) and to the product of Bernoulli distributions (Lemma 5.1).

Finding collisions with time-bounded algorithms. Our application of the recording technique to the Collision Pairs Finding problem has two stages. We first bound the probability that the algorithm has forced the recording of many collisions after \(T\) queries. Namely, we show that the norm of the quantum state that records a new collision at the \(t\)th query is on the order of \(\sqrt {t/N}\) (Proposition 4.3). This is related to the probability that a new random value collides with one of the at most \(t\) previously recorded queries. The reason why the collisions have to be disjoint is to avoid the recording of more than one new collision in one query. By solving a simple recurrence relation, one gets that the amplitude of the basis states that have recorded at least \(K\) collisions after \(T\) queries is at most \(O(T^3/(K^2 N))^{K/2}\). We note that Liu and Zhandry [31, Theorem 5] carried out a similar analysis for the multi-collision finding problem, where they obtained the same type of bound. The second stage of our proof relates the probability of having recorded many collisions to the actual success probability of the algorithm. If we used previous approaches (notably Reference [42, Lemma 5]), then this step would degrade the upper bound on the success probability by adding a term that is polynomial in \(K/N\). We preserve the exponentially small dependence on \(K\) by doing a more careful analysis of the relation between the recording and the standard query models (Proposition 4.4). We adopt a similar approach for analyzing the \(K\)-Search problem in Section 5.
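The recurrence step mentioned above can be carried through as follows. This is an added worked derivation, not the article's own proof: it assumes the recurrence has the form shown, with an unspecified constant \(c\), and writes \(a_{t,k}\) (a name introduced here) for the norm of the part of the state that has recorded at least \(k\) collisions after \(t\) queries.

Assume \(a_{t,0} \le 1\), \(a_{0,k} = 0\) for \(k \ge 1\), and \(\begin{equation*} a_{t,k} \le a_{t-1,k} + c \sqrt {t/N} \, a_{t-1,k-1}. \end{equation*}\) Unrolling the recurrence amounts to choosing the \(K\) queries \(t_1 \lt \dots \lt t_K\) at which a new collision is recorded, so \(\begin{equation*} a_{T,K} \le \sum _{1 \le t_1 \lt \dots \lt t_K \le T} \prod _{i=1}^{K} c \sqrt {t_i/N} \le \binom{T}{K} \left(c \sqrt {T/N}\right)^K \le \left(\frac{e T}{K}\right)^K \left(\frac{c^2 T}{N}\right)^{K/2} = \left(\frac{e^2 c^2 T^3}{K^2 N}\right)^{K/2}. \end{equation*}\) The first inequality holds because the right-hand side satisfies the same recurrence with equality, the second bounds each \(t_i\) by \(T\), and the third uses \(\binom{T}{K} \le (eT/K)^K\). Squaring the amplitude gives a probability of the form \(O(T^3/(K^2 N))^K\), which is the shape of the bound in Theorem 4.5.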

Finding collisions with time–space bounded algorithms. We convert the above time-only bound into a time–space tradeoff by using the time-segmentation method [14, 30]. Given a quantum circuit that solves the Collision Pairs Finding problem in time \(T\) and space \(S\), we slice it into \(T/(S^{2/3} N^{1/3})\) consecutive subcircuits, each of them using \(S^{2/3} N^{1/3}\) queries. If no slice can output more than \(\Omega (S)\) collisions with high probability, then there must be at least \(\Omega (K/S)\) slices in total, thus proving the desired tradeoff. Our above lower bound implies that it is impossible to find \(\Omega (S)\) collisions with probability larger than \(4^{-S}\) in time \(S^{2/3} N^{1/3}\). We must take into account that the initial memory at the beginning of each slice carries over information from previous stages. As in previous work [1, 30], we can “eliminate” this memory by replacing it with the completely mixed state while decreasing the success probability by a factor of \(2^{-S}\). Thus, if a slice outputs \(\Omega (S)\) collisions, then it can be used to contradict the lower bound proved before.

Element Distinctness. We connect the Collision Pairs Finding and Element Distinctness problems by showing how to transform a low–space algorithm for the latter into one for the former (Proposition 6.2). If there exists a time-\(\bar{T}\) space-\(\bar{S}\) algorithm for Element Distinctness on domain size \(\sqrt {N}\), then we can find \(\widetilde{\Omega }(N)\) collisions in a random function \(f : [N] \rightarrow [N]\) by repeatedly sampling a subset \(H \subset [N]\) of size \(\sqrt {N}\) and using that algorithm on the function \(f\) restricted to the domain \(H\). Among other things, we must ensure that the same collision does not occur many times and that storing the set \(H\) does not use too much memory (it turns out that 4-wise independence is sufficient for our purpose). We end up with an algorithm with time \(T = O(N \bar{T})\) and space \(S = O(\bar{S})\) for finding \(\widetilde{\Omega }(N)\) collisions. Consequently, if the Element Distinctness problem on domain size \(\sqrt {N}\) can be solved with a time–space tradeoff of \(\bar{T} \bar{S}^{1/3} \le O(N^{1/3 + \epsilon })\), then there is an algorithm for finding \(\widetilde{\Omega }(N)\) collisions that satisfies a time–space tradeoff of \(T S^{1/3} \le O(N^{4/3 + \epsilon })\).


2 MODELS OF COMPUTATION

We first present the standard model of quantum query complexity in Section 2.1. This model is used for investigating the time complexity of the Collision Pairs Finding problem in Section 4, and of the \(K\)-Search problem in Section 5. Then, we describe the more general circuit model that also captures the space complexity in Section 2.2. It is used in Section 6 for studying time–space tradeoffs.

2.1 Query Model

The (standard) model of quantum query complexity [17] measures the number of quantum queries an algorithm (also called an “attacker”) needs to make on an input function \(f : [M] \rightarrow [N]\) to find an output \(w_\mathrm{out}\) satisfying some predetermined relation \(\mathrm{R}(f,w_\mathrm{out})\). We present this model in more detail below.

Quantum Query Algorithm. A \(T\)-query algorithm is specified by a sequence \(U_0, \dots , U_T\) of unitary transformations acting on the same memory. The state \(|\psi \rangle\) of that memory is made of three registers \(\mathsf {Q}, \mathsf {P}, \mathsf {W}\), where the query register \(\mathsf {Q}\) holds \(x \in [M]\), the phase register \(\mathsf {P}\) holds \(u \in [N]\) and the working register \(\mathsf {W}\) holds some value \(w\). We represent a basis state in the corresponding Hilbert space as \(|x,u,w\rangle _{\mathsf {Q}\mathsf {P}\mathsf {W}}\). We may drop the subscript \(\mathsf {Q}\mathsf {P}\mathsf {W}\) when it is clear from the context. The state \(|\psi ^f_t\rangle\) of the algorithm after \(t \le T\) queries to some input function \(f : [M] \rightarrow [N]\) is \(\begin{equation*} |\psi ^f_t\rangle = U_t \mathcal {O}_f U_{t-1} \cdots U_1 \mathcal {O}_f U_0 |0\rangle , \end{equation*}\) where the oracle \(\mathcal {O}_f\) is defined by \(\begin{equation*} \mathcal {O}_f |x,u,w\rangle = \omega _N^{u f(x)} |x,u,w\rangle \quad \mbox{and} \quad \omega _N = e^{\frac{2{\bf i}\pi }{N}}. \end{equation*}\) Note that the value of \(f(x)\) is returned in the phase rather than in a state \(|x,u + f(x) \bmod N,w\rangle\) as it is sometimes defined in the literature. The two kinds of queries are equivalent up to a unitary transformation but the phase encoding is more convenient to use with our framework.

The output of the algorithm is written on some dedicated substring \(w_\mathrm{out}\) of \(w\). The success probability \(\sigma _f\) of the algorithm on input \(f\) is the probability that the output value \(w_\mathrm{out}\) obtained by measuring the working register of \(|\psi ^f_T\rangle\) in the computational basis satisfies the relation \(\mathrm{R}(f,w_\mathrm{out})\). In other words, if we let \(\Pi ^f_{\mathrm{succ}}\) be the projector whose support consists of all basis states \(|x,u,w\rangle\) such that the output substring \(w_\mathrm{out}\) of \(w\) satisfies \(\mathrm{R}(f,w_\mathrm{out})\), then \(\sigma _f = \Vert \Pi ^f_{\mathrm{succ}} |\psi ^f_T\rangle \Vert ^2\).

Oracle Register. Here, we describe the variant used in the adversary method [5] and in Zhandry’s work [42]. It is represented as an interaction between an algorithm that aims at finding a correct output \(w_\mathrm{out}\), and a superposition of oracle inputs that respond to the queries from the algorithm.

The memory of the oracle is made of an oracle register \(\mathsf {F}\) holding the description of a function \(f : [M] \rightarrow [N]\). This register is divided into \(M\) subregisters \(\mathsf {F}_1, \dots , \mathsf {F}_M\), where \(\mathsf {F}_x\) holds \(f(x) \in [N]\) for each \(x \in [M]\). The basis states in the corresponding Hilbert space are denoted by \(|f\rangle _{\mathsf {F}} := \text{$\bigotimes$}_{x \in [M]} |f(x)\rangle _{\mathsf {F}_x}\). Given an input distribution \(\mathcal {D}\) on the set of functions \([N]^M\), the initial state of the oracle register is defined as \(|\mathcal {D}\rangle _{\mathsf {F}} := \sum _{f \in [N]^M} \sqrt {\Pr [{f \leftarrow \mathcal {D}}]} |f\rangle\).

The query operator \(\mathcal {O}\) is a unitary transformation acting on the memory of the algorithm and the oracle. Its action is defined on each basis state by \(\begin{equation*} \mathcal {O}|x,u,w\rangle |f\rangle = (\mathcal {O}_f |x,u,w\rangle)|f\rangle . \end{equation*}\)

The joint state \(|\psi _t\rangle\) of the algorithm and the oracle after \(t\) queries is equal to \(|\psi _t\rangle = U_t \mathcal {O}U_{t-1} \cdots U_1 \mathcal {O}U_0 (|0\rangle |\mathcal {D}\rangle) = \sum _{f \in [N]^M} \sqrt {\Pr [{f \leftarrow \mathcal {D}}]} |\psi ^f_t\rangle |f\rangle\), where the unitaries \(U_i\) have been extended to act as the identity on \(\mathsf {F}\). The success probability \(\sigma\) of a quantum algorithm on an input distribution \(\mathcal {D}\) is the probability that the output value \(w_\mathrm{out}\) and the input \(f\) obtained by measuring the working and oracle registers of the final state \(|\psi _T\rangle\) satisfy the relation \(\mathrm{R}(f,w_\mathrm{out})\). In other words, if we let \(\Pi _{\mathrm{succ}}\) be the projector whose support consists of all basis states \(|x,u,w\rangle |f\rangle\) such that the output substring \(w_\mathrm{out}\) of \(w\) satisfies \(\mathrm{R}(f,w_\mathrm{out})\), then \(\sigma = \Vert {\Pi _{\mathrm{succ}} |\psi _T\rangle }\Vert ^2\).

2.2 Space-bounded Model

We use the quantum circuit model augmented with the oracle gates of the query model defined in the above section. The time complexity, denoted by \(T\), is defined as the number of oracle gates in the circuit (which is a lower bound on the total gate complexity). The space complexity, denoted by \(S\), is the number of qubits on which the circuit is operating. The result of the computation is written on some dedicated write-only output register \(|w_\mathrm{out}\rangle\) whose size is not counted toward the space bound. This allows us to consider problems for which the solutions may be larger than the space bound. Formally, the output register is initially filled with some special character \(|w_\mathrm{out}\rangle = |\$\$\dots \$\rangle\) and the algorithm has access to a Boolean flag register \(|b\rangle\). The only operation permitted on \(|w_\mathrm{out}\rangle\) is to copy a piece of the output (e.g., a collision pair) from the working space of the algorithm to the first locations holding \(\$\) conditioned on \(b = 1\). This model is more general than the one described in References [8, 30], since the flag register allows the algorithm to choose when the output is effectively updated. We will nevertheless have to revert to the older model when analyzing the Sorting problem in Section 6.2.

We notice that, by the deferred measurement principle, any space-bounded computation that uses \(T\) queries can be transformed into a \(T\)-query unitary algorithm as defined in Section 2.1. Thus, any lower bound on the query complexity of a problem is also a lower bound on the time complexity of that problem in the space-bounded model. This explains our use of the query model in Sections 4 and 5.


3 RECORDING QUERY MODEL

The quantum recording query model is a modification of the standard query model defined in Section 2.1 that is unnoticeable by the algorithm, but that allows us to track more easily the progress made toward solving the problem under consideration. The original recording model was formulated by Zhandry [42]. Here, we propose a simplified and more general version of this framework that only requires the initial state of the oracle \(|\mathcal {D}\rangle _{\mathsf {F}}\) to be a product state \(\text{$\bigotimes$}_{x \in [M]} |\mathcal {D}_x\rangle _{\mathsf {F}_x}\) (instead of the uniform distribution over all basis states as in Reference [42]).

Construction. The range \([N]\) is augmented with a new symbol \(\bot\). The oracle register \(\mathsf {F}\) can now contain \(f : [M] \rightarrow [N] \cup \lbrace \bot \rbrace\), where \(f(x) = \bot\) represents the absence of knowledge from the algorithm about the image of \(x\). Unlike in the standard query model, the initial state of the oracle register is independent of the input distribution and is fixed to be \(|\bot ^M\rangle _{\mathsf {F}}\) (which represents the fact that the algorithm knows nothing about the oracle initially). We extend the query operator \(\mathcal {O}\) defined in the standard query model by setting \(\begin{equation*} \mathcal {O}|x,u,w\rangle |f\rangle = |x,u,w\rangle |f\rangle \quad \text{when $f(x) = \bot $.} \end{equation*}\) We take the convention that any state \(|x,u,w\rangle |f\rangle\) containing \(\bot\) is outside the support of \(\Pi _{\mathrm{succ}}\).

Given a product distribution \(\mathcal {D}= \mathcal {D}_1 \otimes \cdots \otimes \mathcal {D}_M\) on the set \([N]^M\), the initial state of the oracle register in the standard query model can be decomposed as the product state \(|\mathcal {D}\rangle _{\mathsf {F}} = \text{$\bigotimes$}_{x \in [M]} |\mathcal {D}_x\rangle _{\mathsf {F}_x}\), where \(|\mathcal {D}_x\rangle _{\mathsf {F}_x} := \sum _{y \in [N]} \sqrt {\Pr [{y \leftarrow \mathcal {D}_x}]} |y\rangle _{\mathsf {F}_x}\). The “recording query operator” \(\mathcal {R}_{\mathcal {D}}\) is defined with respect to a family \((\mathcal {S}_x)_{x\in [M]}\) of unitary operators satisfying \(\mathcal {S}_x |\bot \rangle _{\mathsf {F}_x} = |\mathcal {D}_x\rangle _{\mathsf {F}_x}\) for all \(x\) as follows.

Definition 3.1.

Given a product distribution \(\mathcal {D}= \mathcal {D}_1 \otimes \cdots \otimes \mathcal {D}_M\) on the set \([N]^M\), define for each \(x \in [M]\) the unitary operator \(\mathcal {S}_x\) acting on the register \(\mathsf {F}_x\) such that

where \(|\mathcal {D}_x\rangle := \sum _{y \in [N]} \sqrt {\Pr [{y \leftarrow \mathcal {D}_x}]} |y\rangle\). Define \(\mathcal {T}_{\mathcal {D}}\), \(\mathcal {S}_{\mathcal {D}}\) and the recording query operator \(\mathcal {R}_{\mathcal {D}}\) acting on all the registers \(\mathsf {Q}\mathsf {P}\mathsf {W}\mathsf {F}\) such that

Later in the article, we study the recording query operators \(\mathcal {R}_{\mathcal {U}}\) and \(\mathcal {R}_{\mathcal {B}}\) related to the uniform distribution (Lemma 4.1) and to the product of Bernoulli distributions (Lemma 5.1).

Indistinguishability. The joint state of the algorithm and the oracle after \(t\) queries in the recording query model is defined as \(|\phi _t\rangle = U_t \mathcal {R}_{\mathcal {D}}U_{t-1} \cdots U_1 \mathcal {R}_{\mathcal {D}}U_0(|0\rangle |\bot ^M\rangle)\). Notice that the query operator \(\mathcal {R}_{\mathcal {D}}\) can only change the value of \(f(x^{\prime })\) (contained in the register \(\mathsf {F}_{x^{\prime }}\)) when it is applied to a state \(|x,u,w\rangle |f\rangle\) such that \(x = x^{\prime }\). As a result, we have the following simple fact.

Fact 3.2.

The state \(|\phi _t\rangle\) is a linear combination of basis states \(|x,u,w\rangle |f\rangle\), where \(f\) contains at most \(t\) entries different from \(\bot\).

The entries of \(f\) that are different from \(\bot\) represent what the oracle has learned (or “recorded”) from the queries made by the algorithm so far. In the next theorem, we show that \(|\phi _t\rangle\) is related to \(|\psi _t\rangle\) (defined in Section 2.1) by \(|\psi _t\rangle = \mathcal {T}_{\mathcal {D}}|\phi _t\rangle\). In particular, the states \(|\psi _t\rangle\) and \(|\phi _t\rangle\) cannot be distinguished by the algorithm, since the reduced states on the algorithm registers are identical.

Theorem 3.3.

Let \(\mathcal {D}\) be a product distribution and \((U_0, \dots , U_T)\) be a \(T\)-query quantum algorithm. Then, the states \(|\psi _T\rangle = U_T \mathcal {O}\cdots U_1 \mathcal {O}U_0(|0\rangle |\mathcal {D}\rangle)\) and \(|\phi _T\rangle = U_T \mathcal {R}_{\mathcal {D}}\cdots U_1 \mathcal {R}_{\mathcal {D}}U_0(|0\rangle |\bot ^M\rangle)\) obtained in the standard and recording query models respectively satisfy \(|\psi _T\rangle = \mathcal {T}_{\mathcal {D}}|\phi _T\rangle\).

Proof.

We start by introducing the intermediate operator \(\bar{\mathcal {R}}_{\mathcal {D}}= \mathcal {T}_{\mathcal {D}}^\dagger \mathcal {O}\mathcal {T}_{\mathcal {D}}\). Observe that for any basis state \(|x,u,w\rangle |f\rangle\) the operators \(\bar{\mathcal {R}}_{\mathcal {D}}\) and \(\mathcal {R}_{\mathcal {D}}\) act the same way on the registers \(\mathsf {Q}\mathsf {P}\mathsf {F}_x\), and they do not depend on the other registers. Thus, we have \(\bar{\mathcal {R}}_{\mathcal {D}}= \mathcal {R}_{\mathcal {D}}\). We further observe that \(U_t\) and \(\mathcal {T}_{\mathcal {D}}\) commute for all \(t\), since they depend on disjoint registers. Consequently, we have that


4 TIME LOWER BOUND FOR COLLISION PAIRS FINDING

In this section, we upper bound the success probability of finding \(K\) disjoint collisions in the query-bounded model of Section 2.1. The problem is formally defined below. We place no restriction on the number or the repetition of collision pairs in the solution, except that at least \(K\) of them must be disjoint. This will be relevant when using the space-bounded model, since the algorithm need not remember which collision pairs have been output. For simplicity in the proof, we also assume that the solution contains the image of each collision pair under \(f\).

Problem 1.

Let \(\mathcal {U}\) be the uniform distribution over \([N]^M\). Given an integer \(K\) and a function \(f \sim \mathcal {U}\), the Collision Pairs Finding problem is to find a list of triples \((x_1,x_2,y_1),\dots , (x_{2L-1},x_{2L},y_L) \in [M]^2 \times [N]\) for some \(L \ge K\) such that

(Collision pairs) \(x_{2i-1} \ne x_{2i}\) and \(f(x_{2i-1}) = f(x_{2i}) = y_i\) for all \(1 \le i \le L\).

(Mutually disjoint) There are \(K\) indices \(\lbrace i_1,\dots ,i_K\rbrace \subseteq \lbrace 1,\dots ,L\rbrace\) such that the sets \(\lbrace x_{2i_1-1},x_{2i_1}\rbrace , \lbrace x_{2i_2-1},x_{2i_2}\rbrace ,\dots ,\lbrace x_{2i_K-1},x_{2i_K}\rbrace\) are mutually disjoint.

The proof uses the recording query model of Section 3. We first describe in Section 4.1 the recording query framework associated with our input distribution. In Section 4.2, we study the probability that an algorithm has recorded at least \(k\) collisions after \(t\) queries. We prove by induction on \(t\) and \(k\) that this quantity is exponentially small in \(k\) when \(t \le O(k^{2/3} N^{1/3})\) (Proposition 4.3). Finally, in Section 4.3, we relate this progress measure to the actual success probability (Proposition 4.4), and we conclude that the latter quantity is exponentially small in \(K\) after \(T \le O(K^{2/3} N^{1/3})\) queries (Theorem 4.5).

4.1 Recording Query Operator

The next lemma gives an alternative definition of the recording operator \(\mathcal {R}_{\mathcal {U}}\), associated with the uniform distribution \(\mathcal {U}\), in the standard basis. This expression will be more convenient to use later on in the proof.

Lemma 4.1.

If the recording query operator \(\mathcal {R}_{\mathcal {U}}\) is applied to a basis state \(|x,u,w\rangle |f\rangle\), where \(u \ne 0\), then the register \(|f(x)\rangle _{\mathsf {F}_x}\) is mapped to

and the other registers are unchanged. If \(u = 0\), then none of the registers are changed.

Proof.

We assume that \(u \ne 0\) as the query operator \(\mathcal {O}\) acts as the identity otherwise. It will be more convenient to work in the Fourier basis defined by the vectors \(|\widehat{v}\rangle := \sum _{y \in [N]} \frac{\omega _N^{vy}}{\sqrt {N}} |y\rangle\), where \(v \in [N]\). By Definition 3.1, the action of \(\mathcal {R}_{\mathcal {U}}\) on the register \(\mathsf {F}_x\) is as follows:

If \(f(x) = \bot\), then \(|f(x)\rangle \overset {\mathcal {S}_x} {\longmapsto} |\widehat{0}\rangle \overset {\mathcal {O}}{\longmapsto} |\widehat{u}\rangle \overset {\mathcal {S}_x}{\longmapsto} |\widehat{u}\rangle\).

If \(f(x) \in [N]\), then \(|f(x)\rangle \overset {\mathcal {S}_x}{\longmapsto} \frac{1}{\sqrt {N}} |\bot \rangle + \sum \limits _{v \ne 0} \frac{\omega _N^{-vf(x)}}{\sqrt {N}} |\widehat{v}\rangle \overset {\mathcal {O}}{\longmapsto} \frac{1}{\sqrt {N}} |\bot \rangle + \sum \limits _{v \ne 0} \frac{\omega _N^{-vf(x)}}{\sqrt {N}} |\widehat{u+v}\rangle \overset {\mathcal {S}_x}{\longmapsto} \frac{1}{\sqrt {N}} |\widehat{0}\rangle + \frac{\omega _N^{uf(x)}}{\sqrt {N}} |\bot \rangle + \sum \limits _{v \ne 0,u} \frac{\omega _N^{-vf(x)}}{\sqrt {N}} |\widehat{u+v}\rangle .\)

One can finally check that \(\sum \limits _{v \ne 0,u} \frac{\omega _N^{-vf(x)}}{\sqrt {N}} |\widehat{u+v}\rangle = \frac{\omega _N^{uf(x)}(N-2)}{N} |f(x)\rangle - \sum _{y \in [N] \setminus \lbrace f(x)\rbrace } \frac{\omega _N^{uy} + \omega _N^{uf(x)}}{N} |y\rangle\).□

The unitary \(\mathcal {R}_{\mathcal {U}}\) is close to the mapping \(|\bot \rangle _{\mathsf {F}_x} \mapsto \sum _{y \in [N]} \frac{\omega _N^{uy}}{\sqrt {N}} |y\rangle\) and \(|f(x)\rangle _{\mathsf {F}_x} \mapsto \frac{\omega _N^{uf(x)}}{\sqrt {N}} |\bot \rangle + \omega _N^{uf(x)} |f(x)\rangle\) (if \(f(x) \ne \bot\)) up to lower-order terms of amplitude \(O(1/N)\). This is analogous to a “lazy” oracle that would choose the value of \(f(x)\) uniformly at random the first time it is queried.

4.2 Analysis of the Recording Progress

We define a measure of progress based on the number of disjoint collisions contained in the oracle register of the recording query model. We first give some projectors related to this quantity.

Definition 4.2.

We define the following projectors by giving the basis states on which they project:

\(\Pi _{= k}\) and \(\Pi _{\ge k}\): all basis states \(|x,u,w\rangle |f\rangle\) such that \(f\) contains respectively exactly or at least \(k\) disjoint collisions (the entries with \(\bot\) are not considered as collisions).

\(\Pi _{= k, y}\) for \(y \in \lbrace \bot \rbrace \cup [N]\): all basis states \(|x,u,w\rangle |f\rangle\) such that (1) \(f\) contains exactly \(k\) disjoint collisions, (2) the phase multiplier \(u\) is nonzero, and (3) \(f(x) = y\).

We can now define the measure of progress \(\Delta _{t,k}\) for \(t\) queries and \(k\) collisions as \(\begin{equation*} \Delta _{t,k} = \Vert {\Pi _{\ge k} |\phi _t\rangle }\Vert , \end{equation*}\) where \(|\phi _t\rangle\) is the state after \(t\) queries in the recording query model. The main result of this section is the following bound on the growth of \(\Delta _{t,k}\).

Proposition 4.3.

For all \(k \le t\), we have that \(\Delta _{t,k} \le \binom{t}{k} (\frac{4\sqrt {t}}{\sqrt {N}})^k\).

Proof.

First, \(\Delta _{0,0} = 1\) and \(\Delta _{0,k} = 0\) for all \(k \ge 1\), since the initial state is \(|\phi _0\rangle = |0\rangle |\bot ^M\rangle\). Then, we prove that \(\Delta _{t,k}\) satisfies the following recurrence relation: (1) \(\begin{equation} \Delta _{t+1,k+1} \le \Delta _{t,k+1} + 4 \sqrt {\frac{t}{N}} \Delta _{t,k}. \end{equation}\) From this result, we obtain that \(\Delta _{t,k} \le \binom{t}{k} (\frac{4\sqrt {t}}{\sqrt {N}})^k\) by a simple inductive proof. To prove Equation (1), we first observe that \(\Delta _{t+1,k+1} = \Vert {\Pi _{\ge k+1} U_{t+1} \mathcal {R}_{\mathcal {U}} |\phi _t\rangle }\Vert = \Vert {\Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}|\phi _t\rangle }\Vert \), since the unitary \(U_{t+1}\) applied by the algorithm at time \(t+1\) does not modify the state of the oracle register. Then, on any basis state \(|x,u,w\rangle |f\rangle\), the recording query operator \(\mathcal {R}_{\mathcal {U}}\) acts as the identity on the registers \(\mathsf {F}_{x^{\prime }}\) for \(x^{\prime } \ne x\). Consequently, the basis states \(|x,u,w\rangle |f\rangle\) in \(|\phi _t\rangle\) that may contribute to \(\Delta _{t+1,k+1}\) must either already contain \(k+1\) disjoint collisions in \(f\), or exactly \(k\) disjoint collisions in \(f\) and \(u \ne 0\). This implies that, by the triangle inequality, \(\begin{equation*} \Delta _{t+1,k+1} \le \Delta _{t,k+1} + \Vert {\Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}\Pi _{= k, \bot } |\phi _t\rangle }\Vert + \sum _{y \in [N]} \Vert {\Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}\Pi _{= k, y} |\phi _t\rangle }\Vert . \end{equation*}\)

We first bound the term \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}\Pi _{= k, \bot } |\phi _t\rangle \Vert\). Consider any basis state \(|x,u,w\rangle |f\rangle\) in the support of \(\Pi _{= k, \bot } |\phi _t\rangle\). By Lemma 4.1, we have \(\mathcal {R}_{\mathcal {U}}|x,u,w\rangle |f\rangle = \sum _{y \in [N]} \frac{\omega _N^{uy}}{\sqrt {N}} |x,u,w\rangle |y\rangle _{\mathsf {F}_x} \otimes \mathop {\text{$\bigotimes$}}_{x^{\prime } \ne x} |f(x^{\prime })\rangle _{\mathsf {F}_{x^{\prime }}}\). There are at most \(t\) entries in \(f\) that can collide with the value contained in the register \(\mathsf {F}_x\) by Fact 3.2. Thus, we have \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}|x,u,w\rangle |f\rangle \Vert \le \sqrt {t/N}\). Since any two basis states in the support of \(\Pi _{= k, \bot }\) remain orthogonal after \(\Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}\) is applied, we obtain that \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}\Pi _{= k, \bot } |\phi _t\rangle \Vert \le \sqrt {t/N} \Vert \Pi _{= k, \bot } |\phi _t\rangle \Vert \le \sqrt {t/N} \Delta _{t,k}\).

We now bound the term \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}\Pi _{= k, y} |\phi _t\rangle \Vert\) for any \(y \in [N]\). Consider any state \(|x,u,w\rangle |f\rangle\) in the support of \(\Pi _{= k, y}|\phi _t\rangle\). By Lemma 4.1, we have \(\mathcal {R}_{\mathcal {U}}|x,u,w\rangle |f\rangle = |x,u,w\rangle (\frac{\omega _N^{uf(x)}}{\sqrt {N}} |\bot \rangle _{\mathsf {F}_x} + \frac{1 + \omega _N^{uf(x)}(N-2)}{N} |f(x)\rangle _{\mathsf {F}_x} + \sum _{y^{\prime } \ne f(x)} \frac{1 - \omega _N^{uy^{\prime }} - \omega _N^{uf(x)}}{N} |y^{\prime }\rangle _{\mathsf {F}_x}) \otimes \mathop {\text{$\bigotimes$}}_{x^{\prime } \ne x} |f(x^{\prime })\rangle _{\mathsf {F}_{x^{\prime }}}\). By Fact 3.2, there are at most \(t\) terms in this sum that can be in the support of \(\Pi _{\ge k+1}\). Thus, \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}|x,u,w\rangle |f\rangle \Vert \le 3\sqrt {t}/N\) and \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {U}}\Pi _{= k, y} |\phi _t\rangle \Vert \le 3\sqrt {t}/N \Vert \Pi _{= k, y} |\phi _t\rangle \Vert\).

We conclude that \(\Delta _{t+1,k+1} \le \Delta _{t,k+1} + \sqrt {t/N} \Delta _{t,k} + \sum _{y \in [N]} 3\sqrt {t}/N \Vert \Pi _{= k, y} |\phi _t\rangle \Vert \le \Delta _{t,k+1} + \sqrt {t/N} \Delta _{t,k} + 3\sqrt {t/N} \sqrt {\sum _{y \in [N]} \Vert \Pi _{= k, y} |\phi _t\rangle \Vert ^2} \le \Delta _{t,k+1} + \sqrt {t/N} \Delta _{t,k} + 3\sqrt {t/N} \Delta _{t,k}\), where the second step is by Cauchy–Schwarz’ inequality.□
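
The inductive step can be written out as follows (a derivation added here, not part of the original proof). Use the convention \(\binom{t}{k} = 0\) for \(k \gt t\); in that range the bound reads \(\Delta _{t,k} = 0\), which holds because the oracle register has at most \(t\) entries different from \(\bot\) after \(t\) queries (Fact 3.2). Suppose that the bound holds at time \(t\) for both \(k\) and \(k+1\). Then Equation (1) gives \(\begin{align*} \Delta _{t+1,k+1} & \le \binom{t}{k+1} \bigg (\frac{4\sqrt {t}}{\sqrt {N}}\bigg)^{k+1} + 4 \sqrt {\frac{t}{N}} \binom{t}{k} \bigg (\frac{4\sqrt {t}}{\sqrt {N}}\bigg)^{k} \\ & = \bigg [\binom{t}{k+1} + \binom{t}{k}\bigg ] \bigg (\frac{4\sqrt {t}}{\sqrt {N}}\bigg)^{k+1} \\ & \le \binom{t+1}{k+1} \bigg (\frac{4\sqrt {t+1}}{\sqrt {N}}\bigg)^{k+1}, \end{align*}\) where the last step uses Pascal's rule \(\binom{t}{k+1} + \binom{t}{k} = \binom{t+1}{k+1}\) and \(t \le t+1\). The case \(k = 0\) holds trivially since \(\Delta _{t,0} \le 1\).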

4.3 From the Recording Progress to the Success Probability

We connect the success probability \(\sigma = \Vert {\Pi _{\mathrm{succ}} |\psi _T\rangle }\Vert ^2\) in the standard query model to the final progress \(\Delta _{T,k}\) in the recording query model after \(T\) queries. We show that if the algorithm has made no significant progress for recording more than \(k \le K\) collisions then it needs to “guess” the positions of \(K - k\) other collisions. Classically, the probability to find the values of \(K-k\) collisions that have not been queried would be at most \(1/N^{K-k}\). Here, we show similarly that if a unit state contains at most \(k\) collisions in the quantum recording model, then after mapping it to the standard query model (by applying the operator \(\mathcal {T}_{\mathcal {U}}\) of Definition 3.1) the probability that the output register contains the correct positions of \(K\) collisions is at most \((2K+1)^2 (2 K/N)^{K-k}\).

Proposition 4.4.

For any state \(|\phi \rangle\), we have \(\Vert \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}\Pi _{= k} |\phi \rangle \Vert \le (2K+1) (\sqrt {\frac{2K}{N}})^{K-k} \Vert \Pi _{= k} |\phi \rangle \Vert\).

Proof.

We assume that the output \(w_\mathrm{out}\) of the algorithm consists of exactly \(K\) collision pairs \((x_1,x_2,y_1),\dots , (x_{2K-1},x_{2K},y_K) \in [M]^2 \times [N]\) (if there are \(L \ge K\) triples, we can copy the first \(K\) disjoint collisions to a new register \(w_\mathrm{out}^{\prime }\) to which the rest of the proof is applied). The output is correct if the input function \(f : [M] \rightarrow [N]\) (in the standard query model) satisfies \(f(x_{2i-1}) = f(x_{2i}) = y_i\) for all \(1 \le i \le K\), and the values \(x_1,x_2,\dots ,x_{2K}\) are all different. By definition, the support of \(\Pi _{\mathrm{succ}}\) consists of all basis states \(|x,u,w\rangle |f\rangle\) such that the output substring \(w_\mathrm{out}\) of \(w\) satisfies these conditions.

We define a new family of projectors \(\tilde{\Pi }_{a,b}\), where \(0 \le a + b \le 2K\), whose supports consist of all basis states \(|x,u,w\rangle |f\rangle\) satisfying the following conditions:

(A)

The output substring \(w_\mathrm{out}\) is made of \(K\) triples \((x_1,x_2,y_1),\dots , (x_{2K-1},x_{2K},y_K) \in [M]^2 \times [N]\), where the \(x_i\) are all different.

(B)

There are exactly \(a\) indices \(i \in [2K]\) such that \(f(x_i) = \bot\).

(C)

There are exactly \(b\) indices \(i \in [2K]\) such that \(f(x_i) \ne \bot\) and \(f(x_i) \ne y_{\lceil i/2 \rceil }\).

For any state \(|x,u,w\rangle |f\rangle\) in the support of \(\tilde{\Pi }_{a,b}\), we claim that (2) \(\begin{equation} \Vert {\Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}|x,u,w\rangle |f\rangle }\Vert \le \bigg (\frac{1}{\sqrt {N}}\bigg)^a \bigg (\frac{1}{N}\bigg)^b. \end{equation}\) Indeed, we have \(\mathcal {T}_{\mathcal {U}}= \mathbb {I}\otimes \text{$\bigotimes$}_{x^{\prime } \in [M]} \mathcal {S}_{x^{\prime }}\) and by Definition 3.1 the action of \(\mathcal {S}_{x_i}\) on the register \(|f(x_i)\rangle _{\mathsf {F}_{x_i}}\) is \(|f(x_i)\rangle \mapsto \frac{1}{\sqrt {N}} \sum _{y \in [N]} |y\rangle\) if \(f(x_i) = \bot\), and \(|f(x_i)\rangle \mapsto \frac{1}{\sqrt {N}} |\bot \rangle + (1 - \frac{1}{N}) |f(x_i)\rangle - \frac{1}{N} \sum _{y \in [N] \setminus \lbrace f(x_i)\rbrace } |y\rangle\) otherwise. The projector \(\Pi _{\mathrm{succ}}\) only keeps the term \(|y_{\lceil i/2 \rceil }\rangle\) in these sums, which implies Equation (2).

Let us now consider any linear combination \(|\varphi \rangle = \sum _{x,u,w,f} \alpha _{x,u,w,f} |x,u,w\rangle |f\rangle\) of basis states that are in the support of \(\tilde{\Pi }_{a,b}\). We claim that (3) \(\begin{equation} \Vert \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}|\varphi \rangle \Vert \le \bigg (\sqrt {\frac{2K}{N}}\bigg)^{a+b} \Vert |\varphi \rangle \Vert . \end{equation}\) Given two states \(|x,u,w\rangle |f\rangle\) and \(|\bar{x},\bar{u},\bar{w}\rangle |\bar{f}\rangle\), where \(w_\mathrm{out}= ((x_1,x_2,y_1),\dots , (x_{2K-1}, x_{2K},y_K))\) is the output of \(w\), if the tuples \((x, u, w, (f(x^{\prime }))_{x^{\prime } \notin \lbrace x_1,\dots ,x_{2K}\rbrace })\) and \((\bar{x}, \bar{u}, \bar{w}, (\bar{f}(x^{\prime }))_{x^{\prime } \notin \lbrace x_1,\dots ,x_{2K}\rbrace })\) are different then \(\Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}|x,u,w\rangle |f\rangle\) must be orthogonal to \(\Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}|\bar{x},\bar{u},\bar{w}\rangle |\bar{f}\rangle\). Moreover, for any \(w_\mathrm{out}=((x_1,x_2,y_1),\dots ,(x_{2K-1},x_{2K},y_K))\) that satisfies condition (A), there are \(\binom{2K}{a}\binom{2K-a}{b}(N-1)^b \le (2K)^{a+b} N^b\) different ways to choose \((f(x_i))_{i \in [2K]}\) that satisfy conditions (B) and (C). Let us write \(w_{\vec{x}} = \lbrace x_1,\dots ,x_{2K}\rbrace\) when the output substring \(w_\mathrm{out}\) of \(w\) contains \(x_1,\dots ,x_{2K}\). 
Then, by using the Cauchy–Schwarz inequality and Equation (2), we get that \(\begin{align*} \Vert \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}|\varphi \rangle \Vert ^2 & = \sum _{x, u, w, (f(x^{\prime }))_{x^{\prime } \notin w_{\vec{x}}}} \bigg \Vert \sum _{(f(x^{\prime }))_{x^{\prime } \in w_{\vec{x}}}} \alpha _{x,u,w,f} \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}|x,u,w\rangle |f\rangle \bigg \Vert ^2 \\ & \le \sum _{x, u, w, (f(x^{\prime }))_{x^{\prime } \notin w_{\vec{x}}}} \bigg (\sum _{(f(x^{\prime }))_{x^{\prime } \in w_{\vec{x}}}} \vert \alpha _{x,u,w,f}\vert ^2\bigg) \bigg (\sum _{(f(x^{\prime }))_{x^{\prime } \in w_{\vec{x}}}} \Vert \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}|x,u,w\rangle |f\rangle \Vert ^2\bigg)\\ & \le \Vert |\varphi \rangle \Vert ^2 \cdot (2K)^{a+b} N^b \bigg (\frac{1}{N}\bigg)^a \bigg (\frac{1}{N^2}\bigg)^b \\ & = \bigg (\frac{2K}{N}\bigg)^{a+b} \Vert {|\varphi \rangle }\Vert ^2, \end{align*}\) which proves Equation (3). Observe now that the support of \(\Pi _{= k}\) is contained in the union of the supports of \(\tilde{\Pi }_{a,b}\) for \(a+b \ge K-k\), augmented with the basis states \(|x,u,w\rangle |f\rangle\) that do not satisfy the condition (A) described above (these states are zeroed out when applying \(\Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}\)). Thus, by the triangle inequality, \(\Vert {\Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}\Pi _{= k} |\phi \rangle }\Vert \le \sum _{a+b \ge K-k} \Vert \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}\tilde{\Pi }_{a,b} \Pi _{= k} |\phi \rangle \Vert\). This is at most \(\sum _{a+b \ge K-k} (\sqrt {\frac{2K}{N}})^{a+b} \Vert \tilde{\Pi }_{a,b} \Pi _{= k} |\phi \rangle \Vert\) by Equation (3). 
Finally, by Cauchy–Schwarz’s inequality and the fact that the supports of the projectors \(\tilde{\Pi }_{a,b}\) are disjoint, we have \(\Vert {\Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {U}}\Pi _{= k} |\phi \rangle }\Vert \le \sqrt {\sum _{K-k \le a+b \le 2K} \bigg (\frac{2K}{N}\bigg)^{a+b}} \sqrt {\sum _{a,b} \Vert \tilde{\Pi }_{a,b} \Pi _{= k} |\phi \rangle \Vert ^2} \le (2K+1) (\sqrt {\frac{2K}{N}})^{K-k} \Vert {\Pi _{= k} |\phi \rangle }\Vert \).□

We can now conclude the proof of the main result of this section.

Theorem 4.5.

The success probability of finding \(K\) disjoint collisions in a uniformly random function \(f : [M] \rightarrow [N]\) is at most \(O(T^3/(K^2 N))^K\) for any algorithm making \(T \ge K\) quantum queries to \(f\).

Proof.

Let \(|\psi _T\rangle\) (respectively, \(|\phi _T\rangle\)) denote the state of the algorithm after \(T\) queries in the standard (respectively, recording) query model. We recall that \(|\psi _T\rangle = \mathcal {T}_{\mathcal {U}}|\phi _T\rangle\) (Theorem 3.3). Thus, by using the fact that \(\mathbb {I}= \sum _{k=0}^{K-1} \Pi _{= k} + \Pi _{\ge K}\), the success probability \(\sigma = \Vert \Pi _{\mathrm{succ}} |\psi _T\rangle \Vert ^2\) satisfies


5 Time Lower Bound for K-Search

In this section, we illustrate the use of the recording query model to upper bound the success probability of a query-bounded algorithm on a non-uniform input distribution. Specifically, we consider the following variant of the \(K\)-Search problem.

Problem 2.

Let \(p \in [0,1]\) and define the distribution \(\mathcal {B}\) over the functions \(f : [M] \rightarrow \lbrace 0,1\rbrace\), where \(f(x)=1\) with probability \(p\) independently for each \(x\). Given an integer \(K\) and a function \(f \sim \mathcal {B}\), the \(K\)-Search problem is to find \(K\) distinct values \(x_1,\dots ,x_K \in [M]\) such that \(f(x_i) = 1\) for all \(i\).

We show that, similarly to the classical setting where a query can reveal a marked item with probability \(p\), the amplitude of the basis states that record a new 1 increases by a factor of \(\sqrt {p}\) after each query (Proposition 5.3). Thus, the amplitude of the basis states that have recorded at least \(K\) ones after \(T\) queries is at most \(O(T\sqrt {p}/K)^K\). This implies that any algorithm with \(T \ll O(K/\sqrt {p})\) queries is likely to output coordinates that have not been recorded, each of which decreases the success probability by a factor of \(O(p)\) (Proposition 5.4).

Although the proof consists again of bounding a certain progress measure related to the success probability, the analysis differs from that of the above section by requiring to adapt the projectors (Definition 5.2) and the orthogonality arguments (Proposition 5.4) to the new input distribution and type of progress.

5.1 Recording Query Operator

The next lemma gives an alternative definition of the recording operator \(\mathcal {R}_{\mathcal {B}}\), associated with the distribution \(\mathcal {B}\), in the standard basis.

Lemma 5.1.

If the recording query operator \(\mathcal {R}_{\mathcal {B}}\) is applied to a basis state \(|x,u,w\rangle |f\rangle\), where \(u = 1\), then the register \(|f(x)\rangle _{\mathsf {F}_x}\) is mapped to

and the other registers are unchanged. If \(u = 0\), then none of the registers are changed.

Proof.

We assume that \(u = 1\) as the query operator \(\mathcal {O}\) acts as the identity otherwise. Let \(|+\rangle = \sqrt {1-p} |0\rangle + \sqrt {p} |1\rangle\) and \(|-\rangle = \sqrt {p} |0\rangle - \sqrt {1-p} |1\rangle\). Define the following \(3 \times 3\) matrices, \(\begin{equation*} M_B = \begin{pmatrix} 1 & 0 & 0 \\ 0 & \sqrt {p} & \sqrt {1-p} \\ 0 & -\sqrt {1-p} & \sqrt {p} \end{pmatrix}, \quad M_{\mathcal {S}} = M_B^{\perp }\begin{pmatrix} 0 & 1 & 0 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \end{pmatrix}M_B,\quad M_{\mathcal {O}} = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & -1 \end{pmatrix}. \end{equation*}\) The matrix \(M_B\) represents the change of basis from \(\lbrace |\bot \rangle ,|0\rangle ,|1\rangle \rbrace\) to \(\lbrace |\bot \rangle ,|+\rangle ,|-\rangle \rbrace\). The matrix \(M_{\mathcal {S}}\) corresponds to \(\mathcal {S}_x\) (Definition 3.1) expressed in the \(\lbrace |\bot \rangle ,|0\rangle ,|1\rangle \rbrace\) basis. The matrix \(M_{\mathcal {O}}\) corresponds to the action of the query operator \(\mathcal {O}\) on the register \(\mathsf {F}_x\), expressed in the \(\lbrace |\bot \rangle ,|0\rangle ,|1\rangle \rbrace\) basis, when it is applied to a state \(|x,u,w\rangle |f\rangle\) with \(u = 1\). The three equations in the lemma are given by the columns of the matrix product \(M_{\mathcal {S}} M_{\mathcal {O}} M_{\mathcal {S}}\) by definition of \(\mathcal {R}_{\mathcal {B}}= \mathcal {S}_{\mathcal {B}}^{\dagger } \mathcal {O}\mathcal {S}_{\mathcal {B}}\).□

If \(p \ll 1\), then the above lemma shows that \(\mathcal {R}_{\mathcal {B}}\) is close to the mapping \(|\bot \rangle _{\mathsf {F}_x} \mapsto |\bot \rangle - 2\sqrt {p} |1\rangle\), \(|0\rangle _{\mathsf {F}_x} \mapsto |0\rangle + 2\sqrt {p} |1\rangle\), \(|1\rangle _{\mathsf {F}_x} \mapsto - |1\rangle + 2\sqrt {p}(|0\rangle - |\bot \rangle)\) up to lower-order terms of amplitude \(O(p)\). This is again similar to the behavior of a lazy oracle.

5.2 Analysis of the Recording Progress

The measure of progress is based on the number of ones contained in the oracle register. We first give some projectors related to this quantity.

Definition 5.2.

We define the following projectors by giving the basis states on which they project:

\(\Pi _{= k}\) and \(\Pi _{\ge k}\): all basis states \(|x,u,w\rangle |f\rangle\) such that \(f\) contains respectively exactly or at least \(k\) coordinates equal to 1.

\(\Pi _{= k, \bot }\) and \(\Pi _{= k, 0}\): all basis states \(|x,u,w\rangle |f\rangle\) such that (1) \(f\) contains exactly \(k\) coordinates equal to 1, (2) the phase multiplier is \(u = 1\), and (3) \(f(x) = \bot\) or \(f(x) = 0\), respectively.

We define the measure of progress \(\Delta _{t,k} = \Vert {\Pi _{\ge k} |\phi _t\rangle }\Vert \), where \(|\phi _t\rangle\) is the state after \(t\) queries in the recording query model. We obtain the following bound on the growth of \(\Delta _{t,k}\).

Proposition 5.3.

For all \(k \le t\), we have that \(\Delta _{t,k} \le \binom{t}{k} (4 \sqrt {p})^k\).

Proof.

First, \(\Delta _{0,0} = 1\) and \(\Delta _{0,k} = 0\) for all \(k \ge 1\). Then, we prove that \(\Delta _{t,k}\) satisfies the following recurrence relation: (4) \(\begin{equation} \Delta _{t+1,k+1} \le \Delta _{t,k+1} + 4 \sqrt {p} \Delta _{t,k}. \end{equation}\) From this result, we obtain that \(\Delta _{t,k} \le \binom{t}{k} (4 \sqrt {p})^k\) by induction. Similarly to Proposition 4.3, the proof of Equation (4) uses that \(\begin{equation*} \Delta _{t+1,k+1} \le \Delta _{t,k+1} + \Vert {\Pi _{\ge k+1} \mathcal {R}_{\mathcal {B}}\Pi _{= k, \bot } |\phi _t\rangle }\Vert + \Vert {\Pi _{\ge k+1} \mathcal {R}_{\mathcal {B}}\Pi _{= k, 0} |\phi _t\rangle }\Vert . \end{equation*}\)

We first bound the term \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {B}}\Pi _{= k, \bot } |\phi _t\rangle \Vert\). Consider any state \(|x,u,w\rangle |f\rangle\) in the support of \(\Pi _{= k, \bot } |\phi _t\rangle\). We have \(\Pi _{\ge k+1} \mathcal {R}_{\mathcal {B}}|x,u,w\rangle |f\rangle = - 2\sqrt {p}(1-p) |x,u,w\rangle |1\rangle _{\mathsf {F}_x} \otimes \mathop {\text{$\bigotimes$}}_{x^{\prime } \ne x} |f(x^{\prime })\rangle _{\mathsf {F}_{x^{\prime }}}\) by Lemma 5.1. Since any two basis states in the support of \(\Pi _{= k, \bot }\) remain orthogonal after \(\Pi _{\ge k+1} \mathcal {R}_{\mathcal {B}}\) is applied, we have \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {B}}\Pi _{= k, \bot } |\phi _t\rangle \Vert = 2 \sqrt {p}(1-p) \Vert {\Pi _{= k, \bot } |\phi _t\rangle }\Vert \le 2 \sqrt {p}(1-p) \Delta _{t,k}\).

Similarly, for \(|x,u,w\rangle |f\rangle\) in the support of \(\Pi _{= k, 0} |\phi _t\rangle\) we have \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {B}}|x,u,w\rangle |f\rangle \Vert = 2\sqrt {p}(1-p)^{3/2}\). Thus, \(\Vert \Pi _{\ge k+1} \mathcal {R}_{\mathcal {B}}\Pi _{= k, 0} |\phi _t\rangle \Vert = 2\sqrt {p}(1-p)^{3/2} \Vert \Pi _{= k, 0} |\phi _t\rangle \Vert \le 2 \sqrt {p}(1-p)^{3/2} \Delta _{t,k}\). We can now conclude the proof, \(\begin{equation*} \Delta _{t+1,k+1} \le \Delta _{t,k+1} + 2\sqrt {p}(1-p) \Delta _{t,k} + 2 \sqrt {p}(1-p)^{3/2} \Delta _{t,k} \le \Delta _{t,k+1} + 4 \sqrt {p} \Delta _{t,k}. \end{equation*}\)
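
The amplitudes used in this proof, and the small-\(p\) form of \(\mathcal {R}_{\mathcal {B}}\) stated after Lemma 5.1, can be checked numerically. The following Python sketch is an added example, not code from the paper: it builds \(\mathcal {S}_x\) directly from the vectors \(|+\rangle\) and \(|-\rangle\) defined in the proof of Lemma 5.1 (assuming, as that proof describes, that \(\mathcal {S}_x\) swaps \(|\bot \rangle\) with \(|+\rangle\) and fixes \(|-\rangle\)), forms \(\mathcal {S}_x \mathcal {O} \mathcal {S}_x\) on the register \(\mathsf {F}_x\) for \(u = 1\), and compares the result with the quantities quoted in the text. All function names are chosen for this example.

```python
import math

# Index order of the basis {|⊥>, |0>, |1>} of the register F_x.
BOT, ZERO, ONE = 0, 1, 2


def matmul(A, B):
    """Product of two 3x3 matrices given as lists of rows."""
    return [[sum(A[i][k] * B[k][j] for k in range(3)) for j in range(3)]
            for i in range(3)]


def s_matrix(p):
    """S_x in the basis {⊥, 0, 1}; entry [i][j] is <i|S|j>.

    Assumption of this example: S = |⊥><+| + |+><⊥| + |-><-| with
    |+> = sqrt(1-p)|0> + sqrt(p)|1> and |-> = sqrt(p)|0> - sqrt(1-p)|1>.
    """
    a, b = math.sqrt(1.0 - p), math.sqrt(p)
    bot, plus, minus = [1.0, 0.0, 0.0], [0.0, a, b], [0.0, b, -a]
    return [[bot[i] * plus[j] + plus[i] * bot[j] + minus[i] * minus[j]
             for j in range(3)] for i in range(3)]


def recording_operator(p):
    """R_B = S O S on F_x for phase multiplier u = 1 (O flips the sign of |1>)."""
    S = s_matrix(p)
    O = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, -1.0]]
    return matmul(S, matmul(O, S))


def is_unitary(M, tol=1e-12):
    """Real matrix M is unitary iff M^T M is the identity."""
    Mt = [[M[j][i] for j in range(3)] for i in range(3)]
    P = matmul(Mt, M)
    return all(abs(P[i][j] - (1.0 if i == j else 0.0)) <= tol
               for i in range(3) for j in range(3))


def new_one_amplitudes(p):
    """Amplitudes <1|R|⊥> and <1|R|0>: the weight moved onto a newly recorded 1."""
    R = recording_operator(p)
    return R[ONE][BOT], R[ONE][ZERO]


def recurrence_coefficient(p):
    """Sum of the two amplitudes' magnitudes, bounded by 4*sqrt(p) in Equation (4)."""
    from_bot, from_zero = new_one_amplitudes(p)
    return abs(from_bot) + abs(from_zero)


def small_p_error(p):
    """Largest entrywise gap between R_B and the approximate mapping
    |⊥> -> |⊥> - 2√p|1>,  |0> -> |0> + 2√p|1>,  |1> -> -|1> + 2√p(|0> - |⊥>)."""
    r = 2.0 * math.sqrt(p)
    approx = [[1.0, 0.0, -r],
              [0.0, 1.0, r],
              [-r, r, -1.0]]
    R = recording_operator(p)
    return max(abs(R[i][j] - approx[i][j]) for i in range(3) for j in range(3))


if __name__ == "__main__":
    for p in (0.25, 1e-2, 1e-4):
        from_bot, from_zero = new_one_amplitudes(p)
        print(f"p={p:g}  <1|R|bot>={from_bot:+.6f}  <1|R|0>={from_zero:+.6f}  "
              f"sum={recurrence_coefficient(p):.6f}  4*sqrt(p)={4 * math.sqrt(p):.6f}  "
              f"approx error={small_p_error(p):.2e}")
```

The entrywise gap to the approximate mapping stays below \(4p\), in line with the \(O(p)\) lower-order terms mentioned after Lemma 5.1.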

5.3 From the Recording Progress to the Success Probability

We connect the success probability \(\sigma = \Vert \Pi _{\mathrm{succ}} |\psi _T\rangle \Vert ^2\) in the standard query model to the final progress \(\Delta _{T,k}\) in the recording query model. Classically, the probability to find \(K - k\) marked items at positions that have not been queried would be \(p^{K-k}\). Here, we show similarly that if a unit state contains \(k\) ones in the quantum recording model then, after mapping it to the standard query model, the probability that the output register contains the correct positions of \(K\) marked items is at most \(3^K p^{K-k}\).

Proposition 5.4.

For any \(|\phi \rangle\), we have \(\Vert \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {B}}\Pi _{= k} |\phi \rangle \Vert \le 3^{K/2} p^{(K-k)/2} \Vert \Pi _{= k} |\phi \rangle \Vert\).

Proof.

Let \(|x,u,w\rangle |f\rangle\) be any basis state in the support of \(\Pi _{= k}\). The output value \(w_\mathrm{out}\) is a substring of \(w\) made of \(K\) distinct values \(x_1, \dots , x_K \in [M]\) indicating positions, where the input \(f\) is supposed to evaluate to 1. By definition of \(\Pi _{= k}\), we have \(f(x_i) \ne 1\) for at least \(K - k\) indices \(i \in [K]\). For each such index \(i\), after applying \(\mathcal {T}_{\mathcal {B}}= \mathbb {I}\otimes \text{$\bigotimes$}_{x^{\prime } \in [M]} \mathcal {S}_{x^{\prime }}\), the amplitude of \(|1\rangle _{\mathsf {F}_{x_i}}\) is \(\sqrt {p}\) (if \(f(x_i) = \bot\)) or \(-\sqrt {p(1-p)}\) (if \(f(x_i) = 0\)) by Definition 3.1. Consequently, (5) \(\begin{equation} \Vert {\Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {B}}|x,u,w\rangle |f\rangle }\Vert \le p^{(K-k)/2}. \end{equation}\)

We define \(w_{\vec{x}} = \lbrace x_1,\dots ,x_{K}\rbrace\) when the output substring \(w_\mathrm{out}\) of \(w\) contains \(x_1,\dots ,x_{K}\). For any two basis states \(|x,u,w\rangle |f\rangle\) and \(|\bar{x}, \bar{u}, \bar{w}\rangle |\bar{f}\rangle\), if \((x, u, w, (f(x^{\prime }))_{x^{\prime } \notin w_{\vec{x}}}) \ne (\bar{x}, \bar{u}, \bar{w}, (\bar{f}(x^{\prime }))_{x^{\prime } \notin w_{\vec{x}}})\), then \(\Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {B}}|x,u,w\rangle |f\rangle\) is orthogonal to \(\Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {B}}|\bar{x}, \bar{u}, \bar{w}\rangle |\bar{f}\rangle\). There are \(3^K\) choices for \(|x,u,w\rangle |f\rangle\) once we set the value of \((x, u, w, (f(x^{\prime }))_{x^{\prime } \notin w_{\vec{x}}})\), since it remains to choose \(f(x^{\prime }) \in \lbrace \bot ,0,1\rbrace\) for \(x^{\prime } \in w_{\vec{x}}\). Consider now any state \(|\phi \rangle\) and denote \(|\varphi \rangle = \Pi _{= k} |\phi \rangle = \sum _{x,u,w,f} \alpha _{x,u,w,f} |x,u,w\rangle |f\rangle\). By using the Cauchy–Schwarz inequality and Equation (5), we get that \(\begin{align*} \Vert \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {B}}|\varphi \rangle \Vert ^2 & = \sum _{x, u, w, (f(x^{\prime }))_{x^{\prime } \notin w_{\vec{x}}}} \bigg \Vert \sum _{(f(x^{\prime }))_{x^{\prime } \in w_{\vec{x}}}} \alpha _{x,u,w,f} \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {B}}|x,u,w\rangle |f\rangle \bigg \Vert ^2 \\ & \le \sum _{x, u, w, (f(x^{\prime }))_{x^{\prime } \notin w_{\vec{x}}}} \bigg (\sum _{(f(x^{\prime }))_{x^{\prime } \in w_{\vec{x}}}} \vert \alpha _{x,u,w,f}\vert ^2\bigg) \bigg (\sum _{(f(x^{\prime }))_{x^{\prime } \in w_{\vec{x}}}} \Vert \Pi _{\mathrm{succ}} \mathcal {T}_{\mathcal {B}}|x,u,w\rangle |f\rangle \Vert ^2\bigg)\\ & \le \Vert |\varphi \rangle \Vert ^2 \cdot 3^K p^{K-k}. \end{align*}\)

We can now conclude the proof of the main result.

Theorem 5.5.

Let \(p \in [0,1]\). The success probability of finding \(K\) marked items in a random function \(f : [M] \rightarrow \lbrace 0,1\rbrace\), where \(f(x) = 1\) with probability \(p\) for each \(x\) is at most \(O(p(T/K)^2)^K\) for any algorithm making \(T \ge K\) quantum queries to \(f\).

Proof.

Let \(|\psi _T\rangle\) (respectively, \(|\phi _T\rangle\)) denote the state of the algorithm after \(T\) queries in the standard (respectively, recording) query model. According to Theorem 3.3, we have \(|\psi _T\rangle = \mathcal {T}_{\mathcal {B}}|\phi _T\rangle\). Thus, by using the fact that \(\mathbb {I}= \sum _{k=0}^{K-1} \Pi _{= k} + \Pi _{\ge K}\), the success probability \(\sigma = \Vert \Pi _{\mathrm{succ}} |\psi _T\rangle \Vert ^2\) satisfies \(\begin{align*} \begin{array}{lr}\sqrt {\sigma } \le \sum\limits_{k = 0}^{K-1} \Vert \Pi_{\mathrm{succ}} {\mathcal{T}}_{\mathcal{B}}\Pi_{= k} \vert\phi_T\rangle \Vert + \Vert \Pi_{\mathrm{succ}} {\mathcal{T}}_{\mathcal {B}}\Pi_{\ge K} \vert\phi_T\rangle \Vert &\text{by the triangle inequality}\\ \qquad\le \sum\limits_{k = 0}^{K-1} 3^{K/2} p^{(K-k)/2} \Vert \Pi_{= k} |\phi_T\rangle \Vert + \Vert \Pi_{\ge K} |\phi_T\rangle \Vert&\text{by Proposition~5.4}\\ \qquad\le \sum\limits_{k = 0}^{K} 3^{K/2} p^{(K-k)/2} \binom{T}{k} (4\sqrt{p})^k&\text{by Proposition~5.3} \\ \qquad\le \bigg (\frac{4e\sqrt {3p}T}{K}\bigg)^K&\text{since} \sum _{k = 0}^{K} \binom{T}{k} \le (eT/K)^K. \end{array}\end{align*}\)


6 TIME–SPACE TRADEOFFS

6.1 Time–Space Tradeoff for Collision Pairs Finding

We use the time lower bound obtained in Section 4 to derive a time–space tradeoff for the problem of finding \(K\) disjoint collisions in a random function \(f : [M] \rightarrow [N]\). We recall that the output is produced in an online fashion (Section 2.2), meaning that a collision can be output as soon as it is discovered. The length of the output is not counted toward the space bound. We allow the same collision to be output several times, but it contributes only once to the total count.

Theorem 6.1.

Any quantum algorithm for finding \(K\) disjoint collisions in a random function \(f : [M] \rightarrow [N]\) with success probability \(2/3\) must satisfy a time–space tradeoff of \(T^3 S \ge \Omega (K^3 N)\).

Proof.

We necessarily have \(T \ge \Omega (K^{2/3}N^{1/3})\) by the time lower bound proved in Theorem 4.5. If \(S \ge K\), then it readily implies that \(T^3 S \ge \Omega (K^3 N)\). Thus, in the rest of the proof we can also assume that \(S \lt K\). Our approach relies on the time-segmentation method for large-output problems, which is used for instance in References [14, 30]. Fix any quantum circuit \(\mathcal {C}\) in the space-bounded model of Section 2.2 running in time \(T\) and using \(S \gt \Omega (\log N)\) qubits of memory. The circuit \(\mathcal {C}\) is partitioned into \(L = T/T^{\prime }\) consecutive sub-circuits \(\mathcal {C}_1 \mathbin \Vert \mathcal {C}_2 \mathbin \Vert \dots \mathbin \Vert \mathcal {C}_L\) each running in time \(T^{\prime } = c S^{2/3}N^{1/3}\) (for some small-enough constant \(c\)), where the circuit \(\mathcal {C}_j\) takes as input the output memory of \(\mathcal {C}_{j-1}\) for each \(j \in [L]\). Define \(X_j\) to be the random variable that counts the number of (mutually) disjoint collisions that \(\mathcal {C}\) outputs between time \((j-1) T^{\prime }\) and \(j T^{\prime }\) (i.e., in the sub-circuit \(\mathcal {C}_j\)) when the input is a random function \(f : [M] \rightarrow [N]\). More precisely, \(X_j\) is the increment in the number of disjoint collisions observed by measuring the output register at time \((j-1) T^{\prime }\) and then at time \(j T^{\prime }\). The algorithm must satisfy \(\sum _{j=1}^L \mathbb {E} [{X_j}] \ge \Omega (K)\) to be correct. We claim that it outputs at most \(3S\) collisions in expectation in each segment of the computation. Assume toward a contradiction that \(\mathbb {E} [{X_j}] \ge 3S\) for some \(j\). Since \(X_j\) is bounded between 0 and \(N\) we have \(\Pr [{X_j \gt 2S}] \ge S/N\). 
Consequently, by running \(\mathcal {C}_j\) on the completely mixed state on \(S\) qubits we obtain \(2S\) disjoint collisions with probability at least \(S/N \cdot 2^{-S}\) in time \(T^{\prime }\) (this is akin to a union-bound argument). However, by Theorem 4.5, no quantum algorithm can find more than \(2S\) disjoint collisions in time \(T^{\prime } = c S^{2/3}N^{1/3}\) with success probability larger than \(4^{-S}\) (when \(c\) is small enough). This contradiction implies that \(\mathbb {E} [{X_j}] \le 3S\) for all \(j\). Consequently, there must be at least \(L \ge \Omega (K/S)\) sub-circuits to have \(\sum _{j=1}^L \mathbb {E} [{X_j}] \ge \Omega (K)\). Since each sub-circuit runs in time \(c S^{2/3}N^{1/3}\) the overall running time of \(\mathcal {C}\) is \(T \ge \Omega (L \cdot S^{2/3}N^{1/3}) \ge \Omega (K N^{1/3}/S^{1/3})\).□

As an illustration of the above result, we obtain that any quantum algorithm for finding \(\Theta (N)\) disjoint collisions in a random function must satisfy a time–space tradeoff of \(T S^{1/3} \ge \Omega (N^{4/3})\). We prove that any improvement to this lower bound would imply a breakthrough for the Element Distinctness problem.

Problem 3.

The Element Distinctness problem \(\mathrm{ED}_N\) on domain size \(N\) consists of finding a collision in a random function \(f : [N] \rightarrow [N^2]\).

It is well-known that the query complexity of Element Distinctness is \(T = \Theta (N^{2/3})\) [2, 6]. However, it is a long-standing open problem to find any quantum time–space lower bound (even classically the question is not completely settled yet [10, 40]). Here we show that any improvement to Theorem 6.1 would imply a non-trivial time–space tradeoff for Element Distinctness. This result relies on a reduction presented in Figure 1 and analyzed in Proposition 6.2 (the constants \(c_0\), \(c_1\), \(c_2\) are chosen in the proof).

Fig. 1. Finding collisions by using \(\mathrm{ED}_{\sqrt {N}}\).

Proposition 6.2.

Let \(N\) be a square number. If there is an algorithm solving \(\mathrm{ED}_N\) in time \(T_N\) and space \(S_N\), then the algorithm in Figure 1 runs in time \(O(N T_{\sqrt {N}})\) and space \(O(S_{\sqrt {N}})\), and it finds \(c_1 N\) collisions in any function \(f : [N] \rightarrow [N]\) containing at least \(c_0 N\) collisions.

Proof.

The space complexity is fulfilled by using any space-efficient construction of 4-wise independent hash functions. For the time complexity, we choose \(c_0 = 150\), \(c_1 = 1/10^4\) and \(c_2 = 8\). We study the probabilities of the following events to occur in a fixed round of the algorithm in Figure 1:

Event A: The function \(h\) is collision free (i.e., \(h(i) \ne h(j)\) for all \(i \ne j\)).

Event B: The image of \(h\) does not contain any pair of values output in a previous round.

Event C: The function \(f \circ h : [\sqrt {N}] \rightarrow [N]\) contains a collision.

Event D: The algorithm for \(\mathrm{ED}_{\sqrt {N}}\) finds a collision at step 2.b.

The algorithm succeeds if the event \(A \wedge B \wedge C \wedge D\) occurs during at least \(c_1 N\) rounds. We now lower bound the probability of this event happening.

For event A, consider the random variable \(X = \sum _{i \ne j \in [\sqrt {N}]} 1_{h(i) = h(j)}\). Using that \(h\) is pairwise independent, we have \(\mathbb {E} [{X}] = \binom{\sqrt {N}}{2} \frac{1}{N} \le \frac{1}{2}\). By Markov’s inequality, \(\Pr [{ A}] = 1 - \Pr [{X \ge 1}] \ge \frac{1}{2}\).

For event B, let us assume that \(k \lt c_1 N\) collisions \((x_1,x_2),\dots ,(x_{2k-1},x_{2k})\) have been output so far. For any \(i \in [k]\), the probability that both \(x_{2i-1}\) and \(x_{2i}\) belong to \(\lbrace h(1), \dots , h(\sqrt {N})\rbrace\) is at most \(\binom{\sqrt {N}}{2} \frac{2}{N^2} \le \frac{1}{N}\), since \(h\) is pairwise independent. By a union bound, \(\Pr [{ B}] \ge 1 - \frac{k}{N} \ge 1 - c_1\).

For event C, let us consider the binary random variables \(Y_{i,j} = 1_{f \circ h (i) = f \circ h (j)}\) for \(i \ne j \in [\sqrt {N}]\), and let \(Y = \sum _{i \ne j} Y_{i,j}\) be twice the number of collisions in \(f \circ h\). Note that we may have \(Y_{i,j} = 1\), because \(h(i) = h(j)\) (this is taken care of in event A). For each \(y \in [N]\), let \(N_y = \vert \lbrace x : f(x) = y\rbrace \vert\) denote the number of elements that are mapped to \(y\) by \(f\). Using that \(h\) is 4-wise independent, for any \(i \ne j \ne k \ne \ell\) we have

\[ \left\lbrace \begin{array}{l} \Pr [{Y_{i,j} = 1}] = \frac{1}{N^2} \sum _{y \in [N]} N_y^2, \\[6pt] \Pr [{Y_{i,j} = 1 \wedge Y_{i,k} = 1}] = \frac{1}{N^3} \sum _{y \in [N]} N_y^3, \\[10pt] \Pr [{Y_{i,j} = 1 \wedge Y_{k,\ell } = 1}] = \Pr [{Y_{i,j} = 1}] \cdot \Pr [{Y_{k,\ell } = 1}]. \end{array} \right. \]

Thus, \(\mathbb {E} [{Y}] = \binom{\sqrt {N}}{2} \frac{1}{N^2} \sum _{y \in [N]} N_y^2\) and

\[ \begin{aligned} \mathrm{Var} [{Y}] &= \sum _{\lbrace i,j\rbrace } \mathrm{Var} [{Y_{i,j}}] + \sum _{\lbrace i,j\rbrace \ne \lbrace i,k\rbrace } \mathrm{Cov}[Y_{i,j},Y_{i,k}] + \sum _{\lbrace i,j\rbrace \cap \lbrace k,\ell \rbrace = \varnothing } \mathrm{Cov}[Y_{i,j},Y_{k,\ell }] \\ &\le \sum _{\lbrace i,j\rbrace } \mathbb {E} [{Y_{i,j}^2}] + \sum _{\lbrace i,j\rbrace \ne \lbrace i,k\rbrace } \mathbb {E} [{Y_{i,j}Y_{i,k}}] \\ &= \mathbb {E} [{Y}] + 6\binom{\sqrt {N}}{3} \frac{1}{N^3} \sum _{y} N_y^3, \end{aligned} \]

where we used that \(Y_{i,j}\) and \(Y_{k,\ell }\) are independent when \(i \ne j \ne k \ne \ell\). The term \(\sum _{y \in [N]} N_y^2\) is equal to the number of pairs \((x,x^{\prime }) \in [N]^2\) such that \(f(x) = f(x^{\prime })\). Each collision in \(f\) gives two such pairs, and we must also count the pairs \((x,x)\). Thus, \(\sum _{y \in [N]} N_y^2 \ge (1+2c_0)N\). Moreover, \(\sum _{y \in [N]} N_y^3 \le (\sum _{y \in [N]} N_y^2)^{3/2}\). Consequently,

Finally, according to Chebyshev’s inequality, \(\Pr [{Y = 0}] \le \Pr [{\vert Y - \mathbb {E} [{Y}]\vert \ge \mathbb {E} [{Y}]}] \le \frac{\mathrm{Var} [{Y}]}{\mathbb {E} [{Y}]^2}\). Thus, \(\Pr [{ C}] = 1 - \Pr [{Y = 0}] \ge 1 - \frac{4 + 8\sqrt {1+2c_0}}{1+2c_0}\).

For event D, we have \(\Pr [{ D \mid A \wedge B \wedge C}] \ge 2/3\) assuming the algorithm for solving \(\mathrm{ED}_{\sqrt {N}}\) succeeds with probability \(2/3\).

The probability of the four events happening together is \(\Pr [{ A \wedge B \wedge C \wedge D}] = \Pr [{ D \mid A \wedge B \wedge C}] \cdot \Pr [{ A \wedge B \wedge C}] \ge \Pr [{ D \mid A \wedge B \wedge C}] \cdot (\Pr [{ A}] + \Pr [{ B}] + \Pr [{ C}] - 2) \ge \frac{2}{3} \cdot ({\frac{1}{2} - c_1 - \frac{4 + 8\sqrt {1+2c_0}}{1+2c_0}}) \ge 1/250\). Let \(\tau\) be the number of rounds after which \(c_1 N\) collisions have been found (i.e., \(A \wedge B \wedge C \wedge D\) has occurred \(c_1 N\) times). We have \(\mathbb {E} [{\tau }] \le 250 c_1 N\) and by Markov’s inequality \(\Pr [{\tau \ge c_2 N}] \le 250 c_1/c_2 \le 1/3\). Thus, with probability at least \(2/3\), the algorithm outputs at least \(c_1 N\) collisions in \(f\).□
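A classical simulation of the rounds analyzed in the proof of Proposition 6.2, added here as an illustration and not taken from the article (Figure 1 itself is not reproduced on this page). Assumptions: a uniformly random \(h\) replaces the 4-wise independent family, a dictionary scan stands in for the \(\mathrm{ED}_{\sqrt {N}}\) solver (so event D holds whenever C does), the input \(f\) is constructed, and `make_f`, `find_collision`, `run_reduction` and `proof_lower_bound` are illustrative names.

```python
import math
import random

C0, C1, C2 = 150, 1e-4, 8  # constants chosen in the proof of Proposition 6.2


def proof_lower_bound():
    """Per-round lower bound on Pr[A and B and C and D] derived in the proof."""
    m = 1 + 2 * C0
    pr_a = 0.5                                   # Markov bound for event A
    pr_b = 1 - C1                                # union bound for event B
    pr_c = 1 - (4 + 8 * math.sqrt(m)) / m        # Chebyshev bound for event C
    return (2 / 3) * (pr_a + pr_b + pr_c - 2)


def make_f(n, block=400):
    """Constructed input f: [n] -> [n]; every image value has `block` preimages,
    which gives 199.5 * n collision pairs, above the required C0 * n."""
    return [x % (n // block) for x in range(n)]


def find_collision(values):
    """Stand-in for the ED solver: first index pair (i, j) with equal values."""
    seen = {}
    for j, v in enumerate(values):
        if v in seen:
            return seen[v], j
        seen[v] = j
    return None


def run_reduction(n, seed=1):
    """Run rounds until ceil(C1 * n) collisions of f are output or C2 * n rounds pass."""
    root = math.isqrt(n)
    assert root * root == n, "N must be a square number"
    rng = random.Random(seed)
    f = make_f(n)
    target = math.ceil(C1 * n)
    found = []                                   # output collisions as pairs (x, x')
    counts = {"rounds": 0, "A": 0, "B": 0, "C": 0}
    for _ in range(C2 * n):
        if len(found) >= target:
            break
        counts["rounds"] += 1
        h = [rng.randrange(n) for _ in range(root)]      # h: [sqrt N] -> [N]
        image = set(h)
        event_a = len(image) == root                     # h is collision free
        event_b = not any(x in image and y in image for x, y in found)
        hit = find_collision([f[x] for x in h])          # collision in f o h
        counts["A"] += event_a
        counts["B"] += event_b
        counts["C"] += hit is not None
        if event_a and event_b and hit is not None:
            i, j = hit
            found.append(tuple(sorted((h[i], h[j]))))    # a new collision of f
    return f, found, counts


if __name__ == "__main__":
    f, found, counts = run_reduction(160000)
    print("collisions output:", len(found), "rounds used:", counts["rounds"])
    print("event frequencies:", {k: v / counts["rounds"] for k, v in counts.items()})
    print("bound from the proof:", round(proof_lower_bound(), 4), ">= 1/250")
```

On this constructed input the per-round success rate sits far above the \(1/250\) guaranteed by the proof, which is expected: the Markov and Chebyshev steps are worst-case bounds over all \(f\) with at least \(c_0 N\) collisions.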

We now use the above reduction to transform any low-space algorithm for Element Distinctness into one for finding \(\Omega (N / \log N)\) disjoint collisions in a random function. Observe that Algorithm 1 does not necessarily output collisions that are mutually disjoint. Nevertheless, there is a small probability that a random function \(f : [M] \rightarrow [N]\) contains multi-collisions of size larger than \(\log N\) when \(M \approx N\) [24]. Thus, there is only a \(\log N\) loss in the analysis.

Proposition 6.3.

Suppose that there exists a quantum algorithm for solving Element Distinctness on domain size \(N\) that satisfies a time–space tradeoff of \(T^{\alpha } S^{\beta } \le \widetilde{O}(N^{2(\gamma - \alpha)})\) for some constants \(\alpha , \beta , \gamma\). Then, there exists a quantum algorithm for finding \(\Omega (N / \log N)\) disjoint collisions in a random function \(f : [10 N] \rightarrow [N]\) that satisfies a time–space tradeoff of \(T^{\alpha } S^{\beta } \le \widetilde{O}(N^{\gamma })\).

Proof.

We use the constants \(c_0, c_1, c_2\) specified in the proof of Proposition 6.2. First, we note that a random function \(f: [10N] \rightarrow [N]\) contains \(c_0 N\) collisions and no multi-collisions of size larger than \(\log (N)\) with large probability [24]. Consequently, any set of \(c_1 N\) collisions contains at least \(c_1 N / \log N\) disjoint collisions with large probability. Assume now that there exists an algorithm solving \(\mathrm{ED}_{\sqrt {10N}}\) in time \(T_{\sqrt {10N}}\) and space \(S_{\sqrt {10N}}\) such that \((T_{\sqrt {10N}})^{\alpha } S_{\sqrt {10N}}^{\beta } \le \widetilde{O}(N^{\gamma -\alpha })\). Then, by plugging it into the algorithm in Figure 1, one can find \(c_1 N / \log N\) disjoint collisions in a random function \(f: [10N] \rightarrow [N]\) in time \(T = O(N T_{\sqrt {10N}})\) and space \(S = O(S_{\sqrt {10N}})\). We derive from the above tradeoff that \(T^{\alpha } S^{\beta } \le \widetilde{O}(N^{\gamma })\).□

As an application of Proposition 6.3, we obtain the following result regarding the hardness of finding \(\widetilde{\Omega }(N)\) collisions.

Corollary 6.4.

Suppose that there exists \(\epsilon \in (0,1)\) such that any quantum algorithm for finding \(\widetilde{\Omega }(N)\) disjoint collisions in a random function \(f : [10N] \rightarrow [N]\) must satisfy a time–space tradeoff of \(T S^{1/3} \ge \widetilde{\Omega }(N^{4/3 + \epsilon })\). Then, any quantum algorithm for solving Element Distinctness on domain size \(N\) must satisfy a time–space tradeoff of \(T S^{1/3} \ge \widetilde{\Omega }(N^{2/3 + 2\epsilon })\).

We conjecture that the optimal tradeoff for finding \(K\) collisions is \(T^2 S = \Theta (K^2 N)\), which would imply an optimal time–space tradeoff of \(T^2 S \ge \widetilde{\Omega }(N^2)\) for Element Distinctness.

Conjecture 6.5.

Any quantum algorithm for finding \(K\) disjoint collisions in a random function \(f : [M] \rightarrow [N]\) with success probability \(2/3\) must satisfy a time–space tradeoff of \(T^2 S \ge \Omega (K^2 N)\).

Corollary 6.6.

If Conjecture 6.5 is true, then any quantum algorithm for solving Element Distinctness with success probability \(2/3\) must satisfy a time–space tradeoff of \(T^2 S \ge \widetilde{\Omega }(N^2)\).

Finally, we describe a quantum algorithm that achieves the tradeoff of \(T^2 S \le \widetilde{O}(K^2 N)\). To simplify the analysis, we do not require the collisions to be disjoint.

Proposition 6.7.

For any \(1 \le K \le O(N)\) and \(\widetilde{\Omega }(\log N) \le S \le \widetilde{O}(K^{2/3} N^{1/3})\), there exists a quantum algorithm that can find \(K\) collisions in a random function \(f : [N] \rightarrow [N]\) with probability at least \(2/3\) by making \(T = \widetilde{O}(K \sqrt {N/S})\) queries and using \(S\) qubits of memory.

Proof.

We prove that the algorithm in Figure 2 satisfies the statement of the proposition. For simplicity, we do not try to tune the hidden factors in the big O notations.

Fig. 2. Finding \(K\) collision pairs in \(f : [N] \rightarrow [N]\) using a memory of size \(S\).

The probability that a fixed pair \((x,x^{\prime })\) satisfies \((x,x^{\prime }) \in G \times ([N] \setminus G)\) for at least one iteration of step 1 is \(\Omega (K/S \cdot S/N \cdot (1-S/N)) = \Omega (K/N)\). Since a random function \(f : [N] \rightarrow [N]\) contains \(\Omega (N)\) collisions with high probability, the algorithm encounters \(\Omega (K)\) collisions in total. Thus, if the Grover search algorithm never fails, then we obtain the desired number of collisions.

The expected number of pre-images of 1 under \(g\) is \(O(S)\). Consequently, the complexity of Grover’s search at step 1.c is \(O(\sqrt {SN})\). The overall query complexity is \(T = \widetilde{O}(K/S \cdot \sqrt {SN}) = \widetilde{O}(K \sqrt {N/S})\), and the space complexity is \(\widetilde{O}(S)\).□
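The accounting in the proof of Proposition 6.7 can be followed in a classical simulation, added here as an illustration and not taken from the article (Figure 2 is not reproduced on this page). Assumptions: the loop is reconstructed from the quantities the proof names, \(g(x) = 1\) is taken to mean \(x \notin G\) and \(f(x) \in f(G)\), the marked items are found by a plain scan while the charged cost is the \(\sqrt {SN}\) Grover figure from the proof, and all function names are illustrative.

```python
import math
import random


def random_function(n, seed=3):
    """Constructed input: a uniformly random f: [N] -> [N] as a lookup list."""
    rng = random.Random(seed)
    return [rng.randrange(n) for _ in range(n)]


def collisions_with_memory_s(f, k, s, seed=7):
    """Collect collisions of f using K/S iterations with a table of at most S entries.

    Returns (collisions, charged_queries, peak_table_size).
    """
    n = len(f)
    rng = random.Random(seed)
    collisions = set()
    charged = 0
    peak = 0
    for _ in range(math.ceil(k / s)):
        # Sample G of size S and store (f(x), x) for x in G: S queries, S entries.
        g_points = rng.sample(range(n), s)
        in_g = set(g_points)
        table = {}
        for x in g_points:
            table.setdefault(f[x], x)
        charged += s
        peak = max(peak, len(table))

        # g(x) = 1 iff x is outside G and f(x) already appears in the table.
        # A quantum algorithm would search for these items with Grover; here a
        # scan finds them and the cost charged is ceil(sqrt(S * N)).
        marked = (x for x in range(n) if x not in in_g and f[x] in table)
        charged += math.isqrt(s * n - 1) + 1
        for x_out in marked:
            x_in = table[f[x_out]]
            collisions.add(tuple(sorted((x_in, x_out))))
    return collisions, charged, peak


if __name__ == "__main__":
    N, K, S = 4096, 256, 64
    f = random_function(N)
    cols, charged, peak = collisions_with_memory_s(f, K, S)
    print("collisions found:", len(cols), "target K:", K)
    print("charged queries:", charged, "K*sqrt(N/S):", K * math.sqrt(N / S))
    print("peak table size:", peak, "memory budget S:", S)
```

With \(N = 4096\), \(K = 256\) and \(S = 64\) the charged cost is \(4 \cdot (64 + 512) = 2304\), within a factor of two of \(K \sqrt {N/S} = 2048\).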

6.2 Time–Space Tradeoff for Sorting

We use the time lower bound obtained in Section 5 to reprove the time–space tradeoff for the Sorting problem described in Reference [30, Theorem 21]. The input to the Sorting problem is represented as a function \(f : [N] \rightarrow \lbrace 0,1,2\rbrace\) (we do not need to consider a larger range for the proof). The objective is to output in order a sequence \(x_1,\dots ,x_N \in [N]\) of distinct integers such that \(f(x_1) \ge f(x_2) \ge \dots \ge f(x_N)\) with probability at least \(2/3\).

We weaken the space-bounded model described in Section 2.2 by removing the flag register that allowed the algorithm to choose when to update the output register. As a consequence, each of the \(N\) elements of the sorted sequence must be written on the output register at a predetermined time of the computation. Note that, without this condition, it is easy to sort a function \(f : [N] \rightarrow \lbrace 0,1,2\rbrace\) in time \(T = O(N)\) and space \(S = O(\log N)\). The same limitation was present in previous work [30] and it is an open problem to get rid of it. It will require considering input functions with a larger range, as is the case in classical tradeoffs (e.g., Reference [9]).

Theorem 6.8.

Any quantum algorithm for sorting any function \(f : [N] \rightarrow \lbrace 0,1,2\rbrace\) with success probability \(2/3\) must satisfy a time–space tradeoff of \(T^2 S \ge \Omega (N^3)\).

Proof.

The proof is a modified version of Reference [30, Theorem 21] adapted to our version of the \(K\)-Search problem and to our slightly more general computational model. Given a circuit \(\mathcal {C}\) that runs in time \(T\) and space \(S \ge \Omega (\log N)\), we partition it into \(L = T/T^{\prime }\) consecutive sub-circuits \(\mathcal {C}_1 \mathbin \Vert \mathcal {C}_2 \mathbin \Vert \dots \mathbin \Vert \mathcal {C}_L\) each running in time \(T^{\prime } = c\sqrt {SN}\) (for some small-enough constant \(c\)). Assume toward a contradiction that a circuit \(\mathcal {C}_j\) outputs the elements of ranks \(r, r+1, \dots , r+2S-1\) for some \(r \le N/2\). We use \(\mathcal {C}_j\) to solve the \(K\)-search problem for \(K = 2S\) as follows. Given an input \(g : [N/2] \rightarrow \lbrace 0,1\rbrace\) to the \(K\)-search problem, where \(g(x) = 1\) with probability \(p = \frac{6S}{N}\) for each \(x\), define the function \(f : [N] \rightarrow \lbrace 0,1,2\rbrace\), where

\[ f(x) = \left\lbrace \begin{array}{ll} 2 & \text{if } x \lt r, \\ g(x-r+1) & \text{if } r \le x \lt r + N/2, \\ 0 & \text{if } x \ge r + N/2. \end{array} \right. \]

Note that the function \(g\) contains at least \(2S\) marked items with probability at least \(2S/N\). Thus, if the circuit \(\mathcal {C}\) is run on the input \(f\), then the indices output by the sub-circuit \(\mathcal {C}_j\) contain the position of \(2S\) marked items with probability at least \(2/3 \cdot 2S/N\). Consequently, by running \(\mathcal {C}_j\) on the completely mixed state on \(S\) qubits we can find \(2S\) marked items under \(g\) with probability at least \(2/3 \cdot 2S/N \cdot 2^{-S}\) in time \(T^{\prime }\). However, by Theorem 5.5, any such algorithm must succeed with probability at most \(4^{-S}\) (when \(c\) is small enough). This contradiction implies that there must be at least \(L \ge \Omega (N/S)\) sub-circuits in \(\mathcal {C}\). Thus, the running time of \(\mathcal {C}\) is \(T \ge \Omega (L \cdot \sqrt {SN}) \ge \Omega (N^{3/2}/\sqrt {S})\).□

The time–space tradeoffs for the Boolean matrix-vector product [30, Theorem 23] and the Boolean matrix product [30, Theorem 25] problems can be reproved in a similar way.

ACKNOWLEDGMENTS

The authors thank the anonymous referees for their valuable comments and suggestions, which helped to improve this article.

Footnotes

  1. The notation \([m]\) for \(m \in \mathbb {N}\) represents the set \(\lbrace 0,1,\dots ,m-1\rbrace\).
  2. The notation \(\widetilde{\phantom{o}}\) is used to denote the presence of hidden polynomial factors in \(\log (N)\) or \(1/\log (N)\).

REFERENCES

  [1] Aaronson Scott. 2005. Limitations of quantum advice and one-way communication. Theory Comput. 1, 1 (2005), 1–28.
  [2] Aaronson Scott and Shi Yaoyun. 2004. Quantum lower bounds for the collision and the element distinctness problems. J. ACM 51, 4 (2004), 595–605.
  [3] Abrahamson Karl. 1990. A time-space tradeoff for boolean matrix multiplication. In Proceedings of the 31st Symposium on Foundations of Computer Science (FOCS’90). 412–419.
  [4] Adj Gora, Cervantes-Vázquez Daniel, Chi-Domínguez Jesús-Javier, Menezes Alfred, and Rodríguez-Henríquez Francisco. 2018. On the cost of computing isogenies between supersingular elliptic curves. In Proceedings of the 25th Conference on Selected Areas in Cryptography (SAC’18). 322–343.
  [5] Ambainis Andris. 2002. Quantum lower bounds by quantum arguments. J. Comput. Syst. Sci. 64, 4 (2002), 750–767.
  [6] Ambainis Andris. 2007. Quantum walk algorithm for element distinctness. SIAM J. Comput. 37, 1 (2007), 210–239.
  [7] Ambainis Andris. 2010. A new quantum lower bound method, with an application to a strong direct product theorem for quantum search. Theory Comput. 6, 1 (2010), 1–25.
  [8] Ambainis Andris, Špalek Robert, and Wolf Ronald de. 2009. A new quantum lower bound method, with applications to direct product theorems and time-space tradeoffs. Algorithmica 55, 3 (2009), 422–461.
  [9] Beame Paul. 1991. A general sequential time-space tradeoff for finding unique elements. SIAM J. Comput. 20, 2 (1991), 270–277.
  [10] Beame Paul, Saks Michael, Sun Xiaodong, and Vee Erik. 2003. Time-space trade-off lower bounds for randomized computation of decision problems. J. ACM 50, 2 (2003), 154–195.
  [11] Bernstein Daniel J. 2005. Understanding brute force. In Proceedings of the ECRYPT STVL Workshop on Symmetric Key Encryption.
  [12] Bernstein Daniel J. 2009. Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete? In Proceedings of the 4th Workshop on Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS’09). 105–116.
  [13] Borodin Allan, Fich Faith E., Heide Friedhelm Meyer auf der, Upfal Eli, and Wigderson Avi. 1987. A time-space tradeoff for element distinctness. SIAM J. Comput. 16, 1 (1987), 97–99.
  [14] Borodin Allan, Fischer Michael J., Kirkpatrick David G., Lynch Nancy A., and Tompa Martin. 1981. A time-space tradeoff for sorting on non-oblivious machines. J. Comput. Syst. Sci. 22, 3 (1981), 351–364.
  [15] Boyer Michel, Brassard Gilles, Høyer Peter, and Tapp Alain. 1998. Tight bounds on quantum searching. Fortschr. Phys. 46, 4-5 (1998), 493–505.
  [16] Brassard Gilles, Høyer Peter, and Tapp Alain. 1998. Quantum cryptanalysis of hash and claw-free functions. In Proceedings of the 3rd Latin American Symposium on Theoretical Informatics (LATIN’98). 163–169.
  [17] Buhrman Harry and Wolf Ronald de. 2002. Complexity measures and decision tree complexity: A survey. Theor. Comput. Sci. 288, 1 (2002), 21–43.
  [18] Chakrabarti Amit and Chen Yining. 2017. Time-space tradeoffs for the memory game. arxiv:cs.CC/1712.01330. Retrieved from https://arxiv.org/abs/1712.01330.
  [19] Chiesa Alessandro, Manohar Peter, and Spooner Nicholas. 2019. Succinct arguments in the quantum random oracle model. In Proceedings of the 17th Conference on Theory of Cryptography (TCC’19). 1–29.
  [20] Czajkowski Jan, Majenz Christian, Schaffner Christian, and Zur Sebastian. 2019. Quantum lazy sampling and game-playing proofs for quantum indifferentiability. arxiv:quant-ph/1904.11477. Retrieved from https://arxiv.org/abs/1904.11477.
  [21] Delaplace Claire, Esser Andre, and May Alexander. 2019. Improved low-memory subset sum and LPN algorithms via multiple collisions. In Proceedings of the 17th IMA International Conference on Cryptography and Coding (IMACC’19). 178–199.
  [22] Dinur Itai. 2020. Tight time-space lower bounds for finding multiple collision pairs and their applications. In Proceedings of the 39th International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’20). 405–434.
  [23] Dinur Itai, Dunkelman Orr, Keller Nathan, and Shamir Adi. 2012. Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In Proceedings of the 32nd International Cryptology Conference (CRYPTO’12). 719–740.
  [24] Flajolet Philippe and Odlyzko Andrew M. 1989. Random mapping statistics. In Proceedings of the 7th Workshop on the Theory and Application of Cryptographic Techniques (EUROCRYPT’89). 329–354.
  [25] Ghoshal Ashrujit, Jaeger Joseph, and Tessaro Stefano. 2020. The memory-tightness of authenticated encryption. In Proceedings of the 40th International Cryptology Conference (CRYPTO’20). 127–156.
  [26] Hosoyamada Akinori and Iwata Tetsu. 2019. 4-round luby-rackoff construction is a qPRP. In Proceedings of the 25th International Conference on the Theory and Applications of Cryptology and Information Security (ASIACRYPT’19). 145–174.
  [27] Hülsing Andreas, Rijneveld Joost, and Song Fang. 2016. Mitigating multi-target attacks in hash-based signatures. In Proceedings of the 19th International Conference on Public-Key Cryptography (PKC’16). 387–416.
  [28] Jaeger Joseph and Tessaro Stefano. 2019. Tight time-memory trade-offs for symmetric encryption. In Proceedings of the 38th International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’19). 467–497.
  [29] Joux Antoine and Lucks Stefan. 2009. Improved generic algorithms for 3-collisions. In Proceedings of the 15th International Conference on the Theory and Applications of Cryptology and Information Security (ASIACRYPT’09). 347–363.
  [30] Klauck Hartmut, Špalek Robert, and Wolf Ronald de. 2007. Quantum and classical strong direct product theorems and optimal time-space tradeoffs. SIAM J. Comput. 36, 5 (2007), 1472–1493.
  [31] Liu Qipeng and Zhandry Mark. 2019. On finding quantum multi-collisions. In Proceedings of the 38th International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’19). 189–218.
  [32] Mansour Yishay, Nisan Noam, and Tiwari Prasoon. 1993. The computational complexity of universal hashing. Theor. Comput. Sci. 107, 1 (1993), 121–133.
  [33] Pollard John M. 1975. A Monte Carlo method for factorization. BIT Numer. Math. 15, 3 (1975), 331–334.
  [34] Špalek Robert. 2008. The multiplicative quantum adversary. In Proceedings of the 23rd Conference on Computational Complexity (CCC’08). 237–248.
  [35] Tessaro Stefano and Thiruvengadam Aishwarya. 2018. Provable time-memory trade-offs: Symmetric cryptography against memory-bounded adversaries. In Proceedings of the 16th Conference on Theory of Cryptography (TCC’18). 3–32.
  [36] Oorschot Paul C. van and Wiener Michael J. 1999. Parallel collision search with cryptanalytic applications. J. Cryptol. 12, 1 (1999), 1–28.
  [37] Vredendaal Christine van. 2016. Reduced memory meet-in-the-middle attack against the NTRU private key. LMS J. Comput. Math. 19, A (2016), 43–57.
  [38] Wagner David. 2002. A generalized birthday problem. In Proceedings of the 22nd International Cryptology Conference (CRYPTO’02). 288–304.
  [39] Wiener Michael J. 2004. The full cost of cryptanalytic attacks. J. Cryptol. 17, 2 (2004), 105–124.
  [40] Yao Andrew Chi-Chih. 1994. Near-optimal time-space tradeoff for element distinctness. SIAM J. Comput. 23, 5 (1994), 966–975.
  [41] Zhandry Mark. 2015. A note on the quantum collision and set equality problems. Quant. Inf. Comput. 15, 7&8 (2015), 557–567.
  [42] Zhandry Mark. 2019. How to record quantum queries, and applications to quantum indifferentiability. In Proceedings of the 39th International Cryptology Conference (CRYPTO’19). 239–268.


      • Published in

        ACM Transactions on Computation Theory  Volume 15, Issue 1-2
        June 2023
        58 pages
        ISSN:1942-3454
        EISSN:1942-3462
        DOI:10.1145/3605363

        Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 26 June 2023
        • Online AM: 13 April 2023
        • Accepted: 29 March 2023
        • Received: 9 February 2022