Cryptology ePrint Archive: Report 2020/424

Low-gate Quantum Golden Collision Finding

Samuel Jaques and André Schrottenloher

Abstract: The golden collision problem asks us to find a single, special collision among the outputs of a pseudorandom function. This generalizes meet-in-the-middle problems, and is thus applicable in many contexts, such as cryptanalysis of the NIST post-quantum candidate SIKE.

The main quantum algorithms for this problem are memory-intensive, and the costs of quantum memory may be very high. The quantum circuit model implies a linear cost for random access, which annihilates the exponential advantage of the previous quantum collision-finding algorithms over Grover's algorithm or classical van Oorschot-Wiener.

Assuming that quantum memory is costly to access but free to maintain, we provide new quantum algorithms for the golden collision problem with high memory requirements but low gate costs. Under the assumption of a two-dimensional connectivity layout, we provide better quantum parallelization methods for generic and golden collision finding. This lowers the quantum security of the golden collision and meet-in-the-middle problems, including SIKE.

Category / Keywords: public-key cryptography / Quantum cryptanalysis, golden collision search, quantum walks, SIKE

Date: received 14 Apr 2020

Contact author: samuel jaques at materials ox ac uk, andre schrottenloher@inria fr

Available format(s): PDF | BibTeX Citation

Version: 20200415:175911 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]