Improved Quantum Multicollision-Finding Algorithm (original) (raw)
Abstract:The current paper improves the number of queries of the previous quantum multi-collision finding algorithms presented by Hosoyamada et al. at Asiacrypt 2017. Let an lll-collision be a tuple of lll distinct inputs that result in the same output of a target function. In cryptology, it is important to study how many queries are required to find lll-collisions for random functions of which domains are larger than ranges. The previous algorithm finds an lll-collision for a random function by recursively calling the algorithm for finding (l−1)(l-1)(l−1)-collisions, and it achieves the average quantum query complexity of O(N(3l−1−1)/(2cdot3l−1))O(N^{(3^{l-1}-1) / (2 \cdot 3^{l-1})})O(N(3l−1−1)/(2cdot3l−1)), where NNN is the range size of target functions. The new algorithm removes the redundancy of the previous recursive algorithm so that different recursive calls can share a part of computations. The new algorithm finds an lll-collision for random functions with the average quantum query complexity of O(N(2l−1−1)/(2l−1))O(N^{(2^{l-1}-1) / (2^{l}-1)})O(N(2l−1−1)/(2l−1)), which improves the previous bound for all lge3l\ge 3lge3 (the new and previous algorithms achieve the optimal bound for l=2l=2l=2). More generally, the new algorithm achieves the average quantum query complexity of Oleft(c3/2NNfrac2l−1−12l−1right)O\left(c^{3/2}_N N^{\frac{2^{l-1}-1}{ 2^{l}-1}}\right)Oleft(c3/2NNfrac2l−1−12l−1right) for a random function fcolonXtoYf\colon X\to YfcolonXtoY such that ∣X∣geqlcdot∣Y∣/cN|X| \geq l \cdot |Y| / c_N∣X∣geqlcdot∣Y∣/cN for any 1lecNino(Nfrac12l−1)1\le c_N \in o(N^{\frac{1}{2^l - 1}})1lecNino(Nfrac12l−1). With the same query complexity, it also finds a multiclaw for random functions, which is harder to find than a multicollision.
Submission history
From: Akinori Hosoyamada [view email]
[v1] Tue, 20 Nov 2018 07:10:45 UTC (26 KB)
[v2] Fri, 30 Nov 2018 11:56:56 UTC (28 KB)
[v3] Mon, 28 Jan 2019 09:37:23 UTC (29 KB)