At CRYPTO 2008 Stam [7] made the following conjecture: if an m + s-bit to s-bit compression function F makes r calls to a primitive f of n-bit input, then a collision for F can be obtained (with high probability) using r2(nr-m)/(r+1) queries to f. For example, a 2n-bit to n-bit compression function making two calls to a random function of n-bit input cannot have collision security exceeding 2n/3 . We prove this conjecture up to a constant multiplicative factor and under the condition m := (2m - n(r - 1))/(r + 1) log2(17). This covers nearly all cases r = 1 of the conjecture and the aforementioned example of a 2n-bit to n-bit compression function making two calls to a primitive of n-bit input.
John P. Steinberger