Searching for collisions in random functions is a fundamental computational problem, with many applications in symmetric and asymmetric cryptanalysis. When one searches for a single collision, the known quantum algorithms match the query lower bound. This is not the case for the problem of finding multiple collisions, despite its regular appearance as a sub-component in sieving-type algorithms. At EUROCRYPT 2019, Liu and Zhandry gave a query lower bound $\Omega(2^{m/3 + 2k/3})$ for finding $2^k$ collisions in a random function with m-bit output. At EUROCRYPT 2023, Bonnetain et al. gave a quantum algorithm matching this bound for a large range of $m$ and $k$, but not all admissible values. Like many previous collision-finding algorithms, theirs is based on the MNRS quantum walk framework, but it chains the walks by reusing the state after outputting a collision. In this paper, we give a new algorithm that tackles the remaining non-optimal range, closing the problem. Our algorithm is tight (up to a polynomial factor) in queries, and also in time under a quantum RAM assumption. The idea is to extend the chained walk to a regime in which several collisions are returned at each step, and the ``walks'' themselves only perform a single diffusion layer.

翻译：在随机函数中搜索碰撞是一个基础的计算问题，在对称与非对称密码分析中具有诸多应用。当搜索单个碰撞时，已知的量子算法已达到查询下界。然而对于寻找多重碰撞的问题——尽管其常作为筛类型算法的子组件出现——情况却非如此。在EUROCRYPT 2019上，Liu与Zhandry针对在输出为m比特的随机函数中寻找$2^k$个碰撞的问题，给出了$\Omega(2^{m/3 + 2k/3})$的查询下界。在EUROCRYPT 2023上，Bonnetain等人提出了一种量子算法，在大部分$m$和$k$的取值范围内匹配该下界，但未能覆盖所有允许的取值范围。与许多先前的碰撞搜索算法类似，他们的算法基于MNRS量子游走框架，但通过输出碰撞后重复利用状态来实现游走的链式连接。本文提出一种新算法，解决了剩余的非最优取值范围，从而完整解决了该问题。我们的算法在查询复杂度上达到紧致（至多项式因子），在量子随机存取存储器假设下时间复杂度亦为紧致。核心思想是将链式游走扩展至一种新机制：每一步可返回多个碰撞，且“游走”本身仅执行单次扩散层操作。