Certain number-theoretic cryptographic hash functions, such as $x^2\bmod N$, are known to be broken by a quantum computer. For example, one could use Shor's algorithm to factor $N$ into its product of two primes $(p_1,p_2)$, and use these primes to find collisions at-will. It's also been a long-open problem to find a hash that satisfies a version of Simon's promise; if such a hash could be found, then it would likewise be susceptible to easy inversion with a quantum computer.
Other common hash functions such as SHA256 have much less structure, and a quantum computer could likely only afford a "modest" polynomial speedup, via Grover's algorithm. Even still, estimates for the depth of a quantum circuit to evaluate even one call to Grover's oracle for a function like SHA256 is on the order of tens- to hundreds-of-thousand gates. With $f(x)$ being the SHA256 output of $n$-bit strings $x$; even to implement SHA256 to prepare $\frac{1}{\sqrt{2^n}}|x\rangle|f(x)\rangle$ with a quantum computer would likely require significant error correction. I'm not sure the details but I think the nature of SHA256's scrambling is difficult to realize with good quantum gates such as CCNOT gates or CSWAP gates.
It's this last point that I'm interested in. I'm looking for a nice family of cryptographic hash functions $f$ on $n$ bits (qubits) that are likely secure against a quantum computer, still requiring a brute-force Grover/birthday style attack to find collisions, but are nonetheless easy to evaluate in superposition with a quantum computer, i.e. having a shallow(ish) depth quantum circuit of CCNOT/CSWAP/CNOT gates.
For example, I'd like to see about preparing $\frac{1}{\sqrt{2^n}}|x\rangle|f(x)\rangle$ with a quantum computer, for a nice enough cryptographic function $f$ that is still designed with a small-depth quantum circuit. Are there any such hash functions commonly used, or is it straightforward to modify existing hash functions?
