Stam’s Conjecture and Threshold Phenomena in Collision Resistance

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)

Abstract

At CRYPTO 2008, Stam [8] conjectured that if an \((m\!+\!s)\)-bit to \(s\)-bit compression function \(F\) makes \(r\) calls to a primitive \(f\) of \(n\)-bit input, then a collision for \(F\) can be obtained (with high probability) using \(r2^{(nr-m)/(r+1)}\) queries to \(f\), which is sometimes less than the birthday bound. Steinberger [9] proved Stam’s conjecture up to a constant multiplicative factor for most cases in which \(r = 1\) and for certain other cases that reduce to the case \(r = 1\). In this paper we prove the general case of Stam’s conjecture (also up to a constant multiplicative factor). Moreover, our result is qualitatively different from Steinberger’s, as we show the following novel threshold phenomenon: exponentially many (more exactly, \(2^{s-2(m-n)/(r+1)}\)) collisions are obtained with high probability after \(O(1)r2^{(nr-m)/(r+1)}\) queries. In particular, this shows that threshold phenomena observed in practical compression functions such as JH are, in fact, unavoidable for compression functions with those parameters.

References

  1. Bellare, M., Kohno, T.: Hash Function Balance and Its Impact on Birthday Attacks. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 401–418. Springer, Heidelberg (2004)
  2. Black, J., Cochran, M., Shrimpton, T.: On the Impossibility of Highly-Efficient Blockcipher-Based Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 526–541. Springer, Heidelberg (2005)
  3. Chung, F., Lu, L.: Concentration Inequalities and Martingale Inequalities: A Survey. Internet Mathematics 3(1), 79–127
  4. McDiarmid, C.: Concentration. In: Habib, M., McDiarmid, C., Ramier-Alfonsin, J., Reed, B. (eds.) Probabilistic Methods for Algorithmic Discrete Mathematics. Algorithms and Combinatorics, vol. 16, pp. 195–248. Springer (1998)
  5. Rogaway, P., Steinberger, J.: Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 433–450. Springer, Heidelberg (2008)
  6. Rogaway, P., Steinberger, J.: Security/Efficiency Tradeoffs for Permutation-Based Hashing. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 220–236. Springer, Heidelberg (2008)
  7. Shrimpton, T., Stam, M.: Building a Collision-Resistant Compression Function from Non-compressing Primitives. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 643–654. Springer, Heidelberg (2008); Also available at the Cryptology ePrint Archive: Report 2007/409
  8. Stam, M.: Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 397–412. Springer, Heidelberg (2008)
  9. Steinberger, J.: Stam’s Collision Resistance Conjecture. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 597–615. Springer, Heidelberg (2010)
  10. Wiener, M.: Bounds on birthday attack times. Cryptology ePrint archive (2005)
  11. Wu, H.: The JH hash function. NIST SHA-3 competition submission (October 2008)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  1. Institute of Theoretical Computer Science, Tsinghua University, Beijing, China
  2. Institute of Computing Technology, China Academy of Sciences, Beijing, China
  3. Hulu Software, Beijing, China
