## Cryptology ePrint Archive: Report 2014/305

Collision Attack on 5 Rounds of Grøstl

Florian Mendel and Vincent Rijmen and Martin Schläffer

Abstract: In this article, we describe a novel collision attack for up to 5 rounds of the Grøstl hash function. This significantly improves upon the best previously published results on 3 rounds. By using a new type of differential trail spanning over more than one message block we are able to construct collisions for Grøstl on 4 and 5 rounds with complexity of $2^{67}$ and $2^{120}$, respectively. Both attacks need $2^{64}$ memory. Due to the generic nature of our attack we can even construct meaningful collisions in the chosen-prefix setting with the same attack complexity.

Category / Keywords: secret-key cryptography / hash functions, SHA-3 candidate, Grøstl, collision attack

Original Publication (in the same form): IACR-FSE-2014