We study the problem of finding $K$ collision pairs in a random function $f : [N] \rightarrow [N]$ by using a quantum computer. We prove that the number of queries to the function in the quantum random oracle model must increase significantly when the size of the available memory is limited. Namely, we demonstrate that any algorithm using $S$ qubits of memory must perform a number $T$ of queries that satisfies the tradeoff $T^3 S \geq \Omega(K^3 N)$. Classically, the same question has only been settled recently by Dinur [Eurocrypt'20], who showed that the Parallel Collision Search algorithm of van Oorschot and Wiener achieves the optimal time-space tradeoff of $T^2 S = \Theta(K^2 N)$. Our result limits the extent to which quantum computing may decrease this tradeoff. Our method is based on a novel application of Zhandry's recording query technique [Crypto'19] for proving lower bounds in the exponentially small success probability regime. As a second application, we give a simpler proof of the time-space tradeoff $T^2 S \geq \Omega(N^3)$ for sorting $N$ numbers on a quantum computer, which was first obtained by Klauck, \v{S}palek and de Wolf [K\v{S}W07].
翻译:我们研究在随机函数中找到 $K$ 相撞对方的问题 : {N]\rightrow [N] 美元 。 我们证明, 当可用内存的大小有限时, 量子随机神器模型中函数的查询数量必须大幅增加。 也就是说, 我们证明, 任何使用 $S 的记忆Qbits 的算法都必须执行数量T$T的查询, 能够满足 $T}3 S\geq\ omega (K}3 N) 美元。 典型地说, 同一问题直到最近才由 Dinur [EurCrypt'20] 解决。 他显示, vanorschot 和 Wiener 的平行串通搜索算算算算法能够达到 $T+2 S =\ Theta (K) $2 N) 的最佳时空交易。 我们的结果限制了量计算能够减少这一交易的幅度。 我们的方法基于Zhandry 所录取的查询技术的新应用 [Cryto'19] (Cry'Noxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx