In 2009, D J Bernstein wrote one of the early papers on this topic available here:
The abstract states:
Current proposals for special-purpose factorization hardware
will become obsolete if large quantum computers are built: the numberfield sieve scales much more poorly than Shor’s quantum algorithm for
factorization. Will all special-purpose cryptanalytic hardware become
obsolete in a post-quantum world?
A quantum algorithm by Brassard, Høyer, and Tapp has frequently been
claimed to reduce the cost of $b$-bit hash collisions from $2^{b/2}$
to $2^{b/3}.$
This paper analyzes the Brassard–Høyer–Tapp algorithm and shows that
it has fundamentally worse price-performance ratio than the classical
van Oorschot–Wiener hash-collision circuits, even under optimistic assumptions regarding the speed of quantum computers.
More recently some partial progress was reported by Hosoyamada and Sasaki in CRYPTO 2021 on reduced round versions of SHA-256 and SHA-512, see here; there may also be a publicly accessible version in the iacr.org preprint server. Edit: The slides and talk are available here
The abstract states:
In this paper, we study dedicated quantum collision attacks on SHA-256 and SHA-512 for the first time. The attacks reach 38 and 39 steps, respectively, which significantly improve the classical attacks for 31 and 27 steps. Both attacks adopt the framework of the previous work that converts many semi-free-start collisions into a 2-block collision, and are faster than the generic attack in the cost metric of time-space tradeoff. We observe that the number of required semi-free-start collisions can be reduced in the quantum setting, which allows us to convert the previous classical 38 and 39 step semi-free-start collisions into a collision. The idea behind our attacks is simple and will also be applicable to other cryptographic hash functions.
