**Optimal Merging in Quantum k-xor and k-sum Algorithms**

*María Naya-Plasencia and André Schrottenloher*

**Abstract: **The k-xor or Generalized Birthday Problem aims at finding, given k lists of bit-strings, a k-tuple among them XORing to 0. If the lists are unbounded, the best classical (exponential) time complexity has withstood since Wagner's CRYPTO 2002 paper. If the lists are bounded (of the same size) and such that there is a single solution, the dissection algorithms of Dinur et al. (CRYPTO 2012) improve the memory usage over a simple meet-in-the-middle.

In this paper, we study quantum algorithms for the k-xor problem. With unbounded lists and quantum access, we improve previous work by Grassi et al. (ASIACRYPT 2018) for almost all k. Next, we extend our study to lists of any size and with classical access only.

We define a set of ``merging trees'' which represent the best known strategies for quantum and classical merging in k-xor algorithms, and prove that our method is optimal among these. Our complexities are confirmed by a Mixed Integer Linear Program that computes the best strategy for a given k-xor problem. All our algorithms apply also when considering modular additions instead of bitwise xors.

This framework enables us to give new improved quantum k-xor algorithms for all k and list sizes. Applications include the subset-sum problem, LPN with limited memory and the multiple-encryption problem.

**Category / Keywords: **secret-key cryptography / generalized birthday problem, quantum cryptanalysis, list-merging algorithms, k-list problems, multiple encryption, MILP

**Date: **received 15 May 2019, last revised 11 Oct 2019

**Contact author: **andre schrottenloher at inria fr, maria naya_plasencia at inria fr

**Available format(s): **PDF | BibTeX Citation

**Version: **20191011:114010 (All versions of this report)

**Short URL: **ia.cr/2019/501

[ Cryptology ePrint archive ]