At CRYPTO 2008 Stam [7] made the following conjecture: if an $(m+s)$-bit to $s$-bit compression function $F$ makes $r$ calls to a primitive $f$ of $n$-bit input, then a collision for $F$ can be obtained (with high probability) using $r2^{(nr-m)/(r+1)}$ queries to $f$. For example, a $2n$-bit to $n$-bit compression function making two calls to a random function of $n$-bit input cannot have collision security exceeding $2^{n/3}$. We prove this conjecture up to a constant multiplicative factor and under the condition $m' := (2m - n(r-1))/(r+1) \geq \log_2(17)$. This covers nearly all cases $r = 1$ of the conjecture and the aforementioned example of a $2n$-bit to $n$-bit compression function making two calls to a primitive of $n$-bit input.


  1. Bellare, M., Kohno, T.: Hash function imbalance and its impact on birthday attacks. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 401–418. Springer, Heidelberg (2004)
  2. Black, J., Cochran, M., Shrimpton, T.: On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 526–541. Springer, Heidelberg (2005)
  3. Gauravaram, P., Knudsen, L., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.: Grøstl, a SHA-3 candidate, NIST SHA-3 competition submission (October 2008)
  4. Rogaway, P., Steinberger, J.: Constructing cryptographic hash functions from fixed-key blockciphers. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 433–450. Springer, Heidelberg (2008)
  5. Rogaway, P., Steinberger, J.: Security/Efficiency Tradeoffs for Permutation-Based Hashing. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 220–236. Springer, Heidelberg (2008)
  6. Shrimpton, T., Stam, M.: Building a Collision-Resistant Compression Function from Non-Compressing Primitives. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 643–654. Springer, Heidelberg (2008), Cryptology ePrint Archive: Report 2007/409
  7. Stam, M.: Beyond uniformity: Better Security/Efficiency Tradeoffs for Compression Functions. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 397–412. Springer, Heidelberg (2008)
  8. Wiener, M.: Bounds on birthday attack times. Cryptology ePrint archive (2005)
  9. Wu, H.: The JH hash function, NIST SHA-3 competition submission (October 2008)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • John Steinberger, Institute of Theoretical Computer Science, Tsinghua University, Beijing
