Collision-resistant hashing, a fundamental primitive in modern cryptography, ensures that there is no efficient way to find distinct inputs that produce the same hash value. This property underpins the security of various cryptographic applications, making it crucial to understand its complexity. The complexity of this problem is well understood in the classical setting, where $\Theta(N^{1/2})$ queries are needed to find a collision. However, the advent of quantum computing has introduced new challenges, since quantum adversaries, equipped with the power of quantum queries, can find collisions much more efficiently. Brassard, Høyer and Tapp and Aaronson and Shi established that full-scale quantum adversaries require $\Theta(N^{1/3})$ queries to find a collision, prompting a need for longer hash outputs, which impacts efficiency in terms of the key lengths needed for security. This paper explores the implications of quantum attacks in the Noisy Intermediate-Scale Quantum (NISQ) era. In this work, we investigate three different models for NISQ algorithms and achieve tight bounds for all of them: (1) a hybrid algorithm making adaptive quantum or classical queries but with a limited quantum query budget; (2) a quantum algorithm with access to a noisy oracle, subject to a dephasing or depolarizing channel; and (3) a hybrid algorithm with an upper bound on its maximum quantum depth, i.e., a classical algorithm aided by low-depth quantum circuits. In fact, our results handle all regimes between NISQ and full-scale quantum computers. Previously, only results for the pre-image search problem were known for these models, by Sun and Zheng, Rosmanis, and Chen, Cotler, Huang and Li, while nothing was known about the collision finding problem.
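To make the classical $\Theta(N^{1/2})$ baseline and the output-length consequence of the $\Theta(N^{1/3})$ quantum bound concrete, here is an added example (not code from the paper). It assumes SHA-256 truncated to `bits` bits as a stand-in for a random function with $N = 2^{\text{bits}}$ outputs; all function names are hypothetical, and the sizing helper counts queries only.

```python
import hashlib
import math

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data): a toy hash with N = 2**bits outputs."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - bits)

def find_collision(bits: int, trial: int):
    """Classical search: query distinct inputs, store outputs, stop at the
    first repeated output. Returns (input_a, input_b, queries_used)."""
    seen = {}
    counter = 0
    while True:
        # Constructed inputs; distinct within a trial because counter differs.
        msg = b"trial-%d-msg-%d" % (trial, counter)
        counter += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter
        seen[h] = msg

def mean_queries(bits: int, trials: int) -> float:
    """Average number of queries until the first collision over several trials."""
    return sum(find_collision(bits, t)[2] for t in range(trials)) / trials

def required_output_bits(security_bits: int, adversary: str) -> int:
    """Output length n such that the query bound reaches 2**security_bits:
    N**(1/2) classically gives n = 2k, N**(1/3) for a full-scale quantum
    adversary gives n = 3k. Query-count model only (assumption of this example)."""
    exponent = {"classical": 2, "quantum": 3}[adversary]
    return exponent * security_bits

if __name__ == "__main__":
    for bits in (12, 16, 20):
        n = 2 ** bits
        avg = mean_queries(bits, 100)
        print(f"N=2^{bits}: mean queries {avg:.0f}, "
              f"sqrt(N)={math.isqrt(n)}, ratio {avg / math.sqrt(n):.2f}")
    for model in ("classical", "quantum"):
        print(f"128-bit collision security, {model}: "
              f"{required_output_bits(128, model)}-bit output")
```

The measured ratio to $\sqrt{N}$ stays near $\sqrt{\pi/2} \approx 1.25$ as `bits` grows, which is the birthday-bound behaviour behind the classical figure.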