Existing quantum algorithms for multicollision search in random functions fail to achieve the known query lower bound across certain parameter regimes. Method: We extend the chained quantum walk framework to enable the generation of multiple collisions per step; we further improve efficiency via quantum state reuse and simplified diffusion operations. Under the quantum RAM assumption, we match time complexity to query complexity. Contribution/Results: We present the first quantum algorithm for multicollision search that is tight—i.e., simultaneously optimal in both query and time complexity—across the entire parameter space. Its query complexity is Ω(2^{m/3 + 2k/3}), precisely matching the established lower bound. This resolves a long-standing theoretical gap in quantum multicollision search, providing the first complete characterization of its fundamental complexity limits.

Searching for collisions in random functions is a fundamental computational problem, with many applications in symmetric and asymmetric cryptanalysis. When one searches for a single collision, the known quantum algorithms match the query lower bound. This is not the case for the problem of finding multiple collisions, despite its regular appearance as a sub-component in sieving-type algorithms. At EUROCRYPT 2019, Liu and Zhandry gave a query lower bound $Ω(2^{m/3 + 2k/3})$ for finding $2^k$ collisions in a random function with m-bit output. At EUROCRYPT 2023, Bonnetain et al. gave a quantum algorithm matching this bound for a large range of $m$ and $k$, but not all admissible values. Like many previous collision-finding algorithms, theirs is based on the MNRS quantum walk framework, but it chains the walks by reusing the state after outputting a collision. In this paper, we give a new algorithm that tackles the remaining non-optimal range, closing the problem. Our algorithm is tight (up to a polynomial factor) in queries, and also in time under a quantum RAM assumption. The idea is to extend the chained walk to a regime in which several collisions are returned at each step, and the ``walks'' themselves only perform a single diffusion layer.