Stam’s Conjecture and Threshold Phenomena in Collision Resistance

Conference paper

DOI: 10.1007/978-3-642-32009-5_23

Volume 7417 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Steinberger J., Sun X., Yang Z. (2012) Stam’s Conjecture and Threshold Phenomena in Collision Resistance. In: Safavi-Naini R., Canetti R. (eds) Advances in Cryptology – CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg


At CRYPTO 2008 Stam [8] conjectured that if an \((m\!+\!s)\)-bit to s-bit compression function F makes r calls to a primitive f of n-bit input, then a collision for F can be obtained (with high probability) using \(r2^{(nr-m)/(r+1)}\) queries to f, which is sometimes less than the birthday bound. Steinberger [9] proved Stam’s conjecture up to a constant multiplicative factor for most cases in which \(r = 1\) and for certain other cases that reduce to the case \(r = 1\). In this paper we prove the general case of Stam’s conjecture (also up to a constant multiplicative factor). Our result is qualitatively different from Steinberger’s, moreover, as we show the following novel threshold phenomenon: that exponentially many (more exactly, \(2^{s-2(m-n)/(r+1)}\)) collisions are obtained with high probability after \(O(1)r2^{(nr-m)/(r+1)}\) queries. This in particular shows that threshold phenomena observed in practical compression functions such as JH are, in fact, unavoidable for compression functions with those parameters.

Download to read the full conference paper text

Copyright information

© International Association for Cryptologic Research 2012 2012

Authors and Affiliations

  1. 1.Institute of Theoretical Computer ScienceTsinghua UniversityBeijingChina
  2. 2.Institute of Computing TechnologyChina Academy of SciencesBeijingChina
  3. 3.Hulu SoftwareBeijingChina