Paper 2020/424

Low-gate Quantum Golden Collision Finding

Samuel Jaques and André Schrottenloher


The golden collision problem asks us to find a single, special collision among the outputs of a pseudorandom function. This generalizes meet-in-the-middle problems, and is thus applicable in many contexts, such as cryptanalysis of the NIST post-quantum candidate SIKE. The main quantum algorithms for this problem are memory-intensive, and the costs of quantum memory may be very high. The quantum circuit model implies a linear cost for random access, which annihilates the exponential advantage of the previous quantum collision-finding algorithms over Grover's algorithm or classical van Oorschot-Wiener. Assuming that quantum memory is costly to access but free to maintain, we provide new quantum algorithms for the golden collision problem with high memory requirements but low gate costs. Under the assumption of a two-dimensional connectivity layout, we provide better quantum parallelization methods for generic and golden collision finding. This lowers the quantum security of the golden collision and meet-in-the-middle problems, including SIKE.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. MAJOR revision.Selected Areas in Cryptography 2020
Quantum cryptanalysisgolden collision searchquantum walksSIKE
Contact author(s)
samuel jaques @ materials ox ac uk
andre schrottenloher @ inria fr
2020-10-18: revised
2020-04-15: received
See all versions
Short URL
Creative Commons Attribution


      author = {Samuel Jaques and André Schrottenloher},
      title = {Low-gate Quantum Golden Collision Finding},
      howpublished = {Cryptology ePrint Archive, Paper 2020/424},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.