Quantum lower bounds for the collision and the element distinctness problems

Given a function f as an oracle, the collision problem is to find two distinct indexes i and j such that f(i) = f(j), under the promise that such indexes exist. Since the security of many fundamental cryptographic primitives depends on the hardness of finding collisions, our lower bounds provide evidence for the existence of cryptographic primitives that are immune to quantum cryptanalysis. We prove that any quantum algorithm for finding a collision in an r-to-one function must evaluate the function Omega((n/r)(1/3)) times, where n is the size of the domain and r\n. This matches an upper bound of Brassard, Hoyer, and Tapp. No lower bound better than constant was previously known. Our result also implies a quantum lower bound of Omega(n(2/3)) queries for the element distinctness problem, which is to determine whether n integers are all distinct. The best previous lower bound was Omega(rootn) queries.