My question is if the PRF is a collision-resistant hash function, does S2V have the same collision resistance as concatenation (with length encoding for variable-length inputs)?

No, with a public PRF (such as a collision-resistant hash function), the construction does not achieve second preimage resistance (and hence not collision resistance either).

The method for finding second preimages is straight-forward; the construction can be simplified as:

$$Z = f(T( X_n \oplus \text{Other Stuff} ))$$

Where 'Other Stuff' is a public function of the previous parts of the message.

Hence, to find a second preimage to an arbitrary message (with a specific $X_n, \text{Other Stuff}$), you pick an arbitrary second preliminary part of the message, compute the corresponding $\text{Other Stuff'}$ and then set the last full block as:

$$X'_n = X_n \oplus \text{Other Stuff} \oplus \text{Other Stuff'}$$

Now, this observation does not apply either the GCM-SIV or the generalized version in draft-madden-generalised-siv, because those use a keyed PRF that cannot be computed by the adversary. This observation shows that such a keyed PRF is mandatory in this construction.

My question is if the PRF is a collision-resistant hash function, does S2V have the same collision resistance as concatenation (with length encoding for variable-length inputs)?

No, with a public PRF (such as a collision-resistant hash function), the construction does not achieve second preimage resistance (and hence not collision resistance either).

The method for finding second preimages is straight-forward; the construction can be simplified as:

$$Z = f(T( X_n \oplus \text{Other Stuff} ))$$

Where 'Other Stuff' is a public function of the previous parts of the message.

Hence, to find a second preimage to an arbitrary message (with a specific $X_n, \text{Other Stuff}$), you pick an arbitrary second preliminary part of the message, compute the corresponding $\text{Other Stuff'}$ and then set the last full block as:

$$X'_n = X_n \oplus \text{Other Stuff} \oplus \text{Other Stuff'}$$

Now, this observation does not apply either to GCM-SIV or the generalized version in draft-madden-generalised-siv, because those use a keyed PRF that cannot be computed by the adversary who does not know the key. This observation shows that such a keyed PRF is mandatory in this construction.

My question is if the PRF is a collision-resistant hash function, does S2V have the same collision resistance as concatenation (with length encoding for variable-length inputs)?

No, with a public PRF, the construction does not achieve second preimage resistance (and hence not collision resistance either).

The method for finding second preimages is straight-forward; the construction can be simplified as:

$$Z = f(T( X_n \oplus \text{Other Stuff} ))$$

Where 'Other Stuff' is a public function of the previous parts of the message.

Hence, to find a second preimage to an arbitrary message (with a specific $X_n, \text{Other Stuff}$), you pick an arbitrary second preliminary part of the message, compute the corresponding $\text{Other Stuff'}$ and then set the last full block as:

$$X'_n = X_n \oplus \text{Other Stuff} \oplus \text{Other Stuff'}$$

Now, this observation does not apply either the GCM-SIV or the generalized version in draft-madden-generalised-siv, because those use a keyed PRF that cannot be computed by the adversary. This observation shows that such a keyed PRF is mandatory in this construction.

My question is if the PRF is a collision-resistant hash function, does S2V have the same collision resistance as concatenation (with length encoding for variable-length inputs)?

No, with a public PRF (such as a collision-resistant hash function), the construction does not achieve second preimage resistance (and hence not collision resistance either).

The method for finding second preimages is straight-forward; the construction can be simplified as:

$$Z = f(T( X_n \oplus \text{Other Stuff} ))$$

Where 'Other Stuff' is a public function of the previous parts of the message.

Hence, to find a second preimage to an arbitrary message (with a specific $X_n, \text{Other Stuff}$), you pick an arbitrary second preliminary part of the message, compute the corresponding $\text{Other Stuff'}$ and then set the last full block as:

$$X'_n = X_n \oplus \text{Other Stuff} \oplus \text{Other Stuff'}$$

Now, this observation does not apply either the GCM-SIV or the generalized version in draft-madden-generalised-siv, because those use a keyed PRF that cannot be computed by the adversary. This observation shows that such a keyed PRF is mandatory in this construction.