Quantum Time-Space Tradeoff for Finding Multiple Collision Pairs
This work addresses fundamental limits in quantum computing for cryptography and algorithm design, showing incremental progress by extending classical tradeoffs to the quantum setting.
The paper tackles the problem of finding multiple collision pairs in a random function using a quantum computer, proving that any algorithm with limited memory must satisfy a time-space tradeoff of T^3 S ≥ Ω(K^3 N), which limits quantum advantages compared to classical results.
We study the problem of finding $K$ collision pairs in a random function $f : [N] \rightarrow [N]$ by using a quantum computer. We prove that the number of queries to the function in the quantum random oracle model must increase significantly when the size of the available memory is limited. Namely, we demonstrate that any algorithm using $S$ qubits of memory must perform a number $T$ of queries that satisfies the tradeoff $T^3 S \geq Ω(K^3 N)$. Classically, the same question has only been settled recently by Dinur [Eurocrypt'20], who showed that the Parallel Collision Search algorithm of van Oorschot and Wiener achieves the optimal time-space tradeoff of $T^2 S = Θ(K^2 N)$. Our result limits the extent to which quantum computing may decrease this tradeoff. Our method is based on a novel application of Zhandry's recording query technique [Crypto'19] for proving lower bounds in the exponentially small success probability regime. As a second application, we give a simpler proof of the time-space tradeoff $T^2 S \geq Ω(N^3)$ for sorting $N$ numbers on a quantum computer, which was first obtained by Klauck, Špalek and de Wolf [KŠW07].