Collisions Are Not Incidental: A Compression Function Exploiting Discrete Geometry

We present a new construction of a compression function

$\ensuremath{{\if!! {{H}} \else{{H}_{}}\fi}} \colon \ensuremath{\{0,1\}}^{3\ensuremath{n} } \rightarrow \ensuremath{\{0,1\}}^{2\ensuremath{n} }$

that uses two parallel calls to an ideal primitive (an ideal blockcipher or a public random function) from

${2\ensuremath{n} }$

to

${\ensuremath{n} }$

bits. This is similar to the well-known MDC-2 or the recently proposed MJH by Lee and Stam (CT-RSA’11). However, unlike these constructions, we show already in the compression function that an adversary limited (asymptotically in

n

) to

$\mathcal{O}(2^{2\ensuremath{n} (1-\delta)/3})$

queries (for any

δ

 > 0) has disappearing advantage to find collisions. A key component of our construction is the use of the Szemerédi–Trotter theorem over finite fields to bound the number of full compression function evaluations an adversary can make, in terms of the number of queries to the underlying primitives. Moveover, for the security proof we rely on a new abstraction that refines and strenghtens existing techniques. We believe that this framework elucidates existing proofs and we consider it of independent interest.