Theory of Cryptography

Volume 7194 of the series Lecture Notes in Computer Science pp 303-320

Collisions Are Not Incidental: A Compression Function Exploiting Discrete Geometry

  • Dimitar JetchevAffiliated withLaboratory for Cryptologic Algorithms, EPFL
  • , Onur ÖzenAffiliated withLaboratory for Cryptologic Algorithms, EPFL
  • , Martijn StamAffiliated withDepartment of Computer Science, University of Bristol


We present a new construction of a compression function \(\ensuremath{{\if!! {{H}} \else{{H}_{}}\fi}} \colon \ensuremath{\{0,1\}}^{3\ensuremath{n} } \rightarrow \ensuremath{\{0,1\}}^{2\ensuremath{n} }\) that uses two parallel calls to an ideal primitive (an ideal blockcipher or a public random function) from \({2\ensuremath{n} }\) to \({\ensuremath{n} }\) bits. This is similar to the well-known MDC-2 or the recently proposed MJH by Lee and Stam (CT-RSA’11). However, unlike these constructions, we show already in the compression function that an adversary limited (asymptotically in n ) to \(\mathcal{O}(2^{2\ensuremath{n} (1-\delta)/3})\) queries (for any δ > 0) has disappearing advantage to find collisions. A key component of our construction is the use of the Szemerédi–Trotter theorem over finite fields to bound the number of full compression function evaluations an adversary can make, in terms of the number of queries to the underlying primitives. Moveover, for the security proof we rely on a new abstraction that refines and strenghtens existing techniques. We believe that this framework elucidates existing proofs and we consider it of independent interest.