We study the problem of finding $K$ collision pairs in a random function $f : [N] \rightarrow [N]$ by using a quantum computer. We prove that the number of queries to the function in the quantum random oracle model must increase significantly when the size of the available memory is limited. Namely, we demonstrate that any algorithm using $S$ qubits of memory must perform a number $T$ of queries that satisfies the tradeoff $T^3 S \geq \Omega(K^3 N)$. Classically, the same question has only been settled recently by Dinur [Eurocrypt'20], who showed that the Parallel Collision Search algorithm of van Oorschot and Wiener achieves the optimal time-space tradeoff of $T^2 S = \Theta(K^2 N)$. Our result limits the extent to which quantum computing may decrease this tradeoff. Our method is based on a novel application of Zhandry's recording query technique [Crypto'19] for proving lower bounds in the exponentially small success probability regime. As a second application, we give a simpler proof of the time-space tradeoff $T^2 S \geq \Omega(N^3)$ for sorting $N$ numbers on a quantum computer, which was first obtained by Klauck, \v{S}palek and de Wolf [K\v{S}W07].

翻译：我们研究了使用量子计算机在随机函数 $f : [N] \rightarrow [N]$ 中寻找 $K$ 个碰撞对的问题。我们证明，在量子随机预言模型中，当可用内存大小受限时，对该函数的查询次数必须显著增加。具体而言，我们证明任何使用 $S$ 量子比特内存的算法必须执行 $T$ 次查询，且满足权衡 $T^3 S \geq \Omega(K^3 N)$。在经典计算中，同一问题直到最近才由 Dinur [Eurocrypt'20] 解决，他展示了 van Oorschot 和 Wiener 的并行碰撞搜索算法实现了最优时间-空间权衡 $T^2 S = \Theta(K^2 N)$。我们的结果限制了量子计算可能降低这一权衡的程度。我们的方法基于 Zhandry 的记录查询技术 [Crypto'19] 在指数小成功概率场景中的新颖应用，用于证明下界。作为第二项应用，我们给出了在量子计算机上对 $N$ 个数排序的时间-空间权衡 $T^2 S \geq \Omega(N^3)$ 的更简单证明，该结果最初由 Klauck、Špalek 和 de Wolf 获得 [KŠW07]。