Affiliation:
1. University of California, Berkeley, California
2. University of Michigan, Ann Arbor, Michigan
Abstract
Given a function $f$ as an oracle, the collision problem is to find two distinct indexes $i$ and $j$ such that $f(i) = f(j)$, under the promise that such indexes exist. Since the security of many fundamental cryptographic primitives depends on the hardness of finding collisions, our lower bounds provide evidence for the existence of cryptographic primitives that are immune to quantum cryptanalysis. We prove that any quantum algorithm for finding a collision in an $r$-to-one function must evaluate the function $\Omega((n/r)^{1/3})$ times, where $n$ is the size of the domain and $r \mid n$. This matches an upper bound of Brassard, Høyer, and Tapp. No lower bound better than constant was previously known. Our result also implies a quantum lower bound of $\Omega(n^{2/3})$ queries for the element distinctness problem, which is to determine whether $n$ integers are all distinct. The best previous lower bound was $\Omega(\sqrt{n})$ queries.
Publisher
Association for Computing Machinery (ACM)
Subject
Artificial Intelligence, Hardware and Architecture, Information Systems, Control and Systems Engineering, Software
Cited by
159 articles.