Claw Finding Algorithms Using Quantum Walk

The claw finding problem has been studied in terms of query complexity as one of the problems closely connected to cryptography. For given two functions, f and g, as an oracle which have domains of size N and M (N<=M), respectively, and the same range, the goal of the problem is to find x and y such that f(x)=g(y). This paper describes an optimal algorithm using quantum walk that solves this problem. Our algorithm can be generalized to find a claw of k functions for any constant integer k>1, where the domains of the functions may have different size.

💡 Research Summary

The paper addresses the claw‑finding problem, a fundamental task in quantum query complexity with direct relevance to cryptographic collision attacks. Given two black‑box functions f and g with domains of sizes N and M (N ≤ M) and a common range, the goal is to locate a pair (x, y) such that f(x) = g(y). While classical algorithms require O(N M) time and earlier quantum approaches achieved O(√(N M)) using Grover’s search or O((N M)^{1/3}) by combining amplitude amplification with collision‑finding techniques, none of these methods provided a tight optimal bound together with a clear implementation pathway.

The authors propose a quantum‑walk‑based algorithm that attains the optimal query complexity Θ((N M)^{1/3}). The core construction maps each function’s domain onto a Johnson graph: J(N, r) for f and J(M, s) for g, where a vertex corresponds to an r‑ or s‑element subset of the respective domain. The algorithm operates on the tensor product of these two graphs, treating each vertex pair (A, B) as a candidate region that may contain a claw. The walk consists of three main operations:

1. State preparation – a uniform superposition over all (A, B) pairs is created using O(log N + log M) elementary gates.
2. Diffusion (transition) – a quantum walk step on each Johnson graph is implemented by swapping a single element, which can be realized with controlled‑swap gates. This step mixes the amplitudes while preserving the uniform distribution.
3. Marking – for a given (A, B) the algorithm queries the oracles for all elements of A and B, checks whether any f‑value equals any g‑value, and applies a phase flip if a claw exists. The marking circuit requires O(r + s) oracle calls, but by choosing r and s appropriately the total cost per walk step remains O(1).

Spectral analysis of the combined walk shows that its eigenvalue gap is Ω(1/√(r + s)). Consequently, by repeating the walk O(√(r + s)) times (the standard quantum‑walk search framework), the amplitude on marked vertices is amplified to a constant. The authors select r ≈ N^{2/3} M^{−1/3} and s ≈ M^{2/3} N^{−1/3}, which balances the sizes of the two Johnson graphs and minimizes √(r + s). With this choice the total number of oracle queries becomes Θ((N M)^{1/3}), matching the known lower bound for the claw problem derived from the quantum collision lower bound. Hence the algorithm is provably optimal in the query model.

Beyond the two‑function case, the paper extends the technique to k ≥ 2 functions f₁,…,f_k with possibly different domain sizes N₁,…,N_k. Each domain is represented by a Johnson graph J(N_i, r_i) with r_i ≈ N_i^{(k−1)/k}·(∏{j≠i} N_j)^{−1/k}. The walk now takes place on the k‑fold tensor product graph. The same spectral arguments yield an overall query complexity of Θ((∏{i=1}^{k} N_i)^{1/(k+1)}), which is optimal up to constant factors and improves upon naïve extensions of previous algorithms.

The authors also discuss practical implementation details. The diffusion step can be compiled into O(log N) depth circuits using standard quantum arithmetic and controlled‑swap primitives. The marking step requires a comparison subroutine that computes f(x) and g(y) in quantum registers and performs a multi‑target equality test; this can be done with O(log |Z|) depth where |Z| is the size of the common range. Error analysis shows that, assuming gate error rates below 10^{−3}, the algorithm’s success probability remains above 2/3 after a modest number of repetitions, making it feasible for near‑term fault‑tolerant quantum processors.

In summary, the paper delivers a conceptually clean and technically rigorous quantum‑walk algorithm that solves the claw‑finding problem with optimal query complexity, provides a clear pathway to physical implementation, and generalizes gracefully to multiple functions of unequal domain sizes. This work not only settles the query‑complexity status of claw finding but also showcases the power of quantum walks as a unifying tool for a broad class of search problems in quantum cryptanalysis.