Stam's Collision Resistance Conjecture

摘要

At CRYPTO 2008 Stam [7] made the following conjecture: if an m + s-bit to s-bit compression function F makes r calls to a primitive f of n-bit input, then a collision for F can be obtained (with high probability) using r2~((nr-m)/(r+1)) queries of f. For example, a 2n-bit to n-bit compression function making two calls to a random function of n-bit input cannot have collision security exceeding 2~(n/3). We prove this conjecture up to a constant multiplicative factor and under the condition m' := (2m - n(r - l))/(r + l) ≥ log_2(17). This covers nearly all cases r = 1 of the conjecture and the aforementioned example of a 2n-bit to n-bit compression function making two calls to a primitive of n-bit input.