What output size resists collisions in a xor of independent expansions?

Bellare and Micciancio proposed compressing m1, m2, . . . to f1(m1) ⊕ f2(m2) ⊕ . . .. Collisions are easy to find for long messages but are much more difficult to find for short messages. Exactly how secure is the 4-xor compression function (m1, m2, m3, m4) 7→ f1(m1) ⊕ f2(m2) ⊕ f3(m3) ⊕ f4(m4), with an output size of 4b bits? This paper analyzes, under constraints on machine cost and computation time, the chance of finding 4b-bit collisions using an improved version of Wagner’s generalized-birthday algorithm. In particular, as the machine cost grows past 2, the price-performance ratio of this paper’s attack drops below 2, eventually reaching a limit of 2. This paper also proposes the Rumba20 compression function, reusing large components of the Salsa20 stream cipher as a specific choice of functions f1, f2, f3, f4.