Cryptology ePrint Archive: Report 2014/305

Collision Attack on 5 Rounds of Grøstl

Florian Mendel and Vincent Rijmen and Martin Schläffer

Abstract: In this article, we describe a novel collision attack for up to 5 rounds of the Grøstl hash function. This significantly improves upon the best previously published results on 3 rounds. By using a new type of differential trail spanning over more than one message block we are able to construct collisions for Grøstl on 4 and 5 rounds with complexity of $2^{67}$ and $2^{120}$, respectively. Both attacks need $2^{64}$ memory. Due to the generic nature of our attack we can even construct meaningful collisions in the chosen-prefix setting with the same attack complexity.

Category / Keywords: secret-key cryptography / hash functions, SHA-3 candidate, Grøstl, collision attack

Original Publication (in the same form): IACR-FSE-2014

Date: received 30 Apr 2014

Contact author: florian mendel at iaik tugraz at

Available format(s): PDF | BibTeX Citation

Version: 20140430:210203 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]