Rebound Attacks on the Reduced Grøstl Hash Function

Florian Mendel, C. Rechberger, Martin Schlaffer, Søren S. Thomsen

    Research output: Contribution to journalConference articleResearchpeer-review


    Grøstl is one of 14 second round candidates of the NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression function of Grøstl-256 have already been published. However, little is known about the hash function, arguably a much more interesting cryptanalytic setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show the first cryptanalytic attacks on reduced-round versions of the Grøstl hash functions. These results are obtained by several extensions of the rebound attack. We present a collision attack on 4/10 rounds of the Grøstl-256 hash function and 5/14 rounds of the Grøstl-
    512 hash functions. Additionally, we give the best collision attack for reduced-round (7/10 and 7/14) versions of the compression function of Grøstl-256 and Grøstl-512.
    Original languageEnglish
    Book seriesLecture Notes in Computer Science
    Pages (from-to)350–365
    Publication statusPublished - 2010
    EventCT-RSA 2010: The Cryptographers’ Track at the RSA Conference 2010 - San Francisco, CA, United States
    Duration: 1 Mar 20105 Mar 2010


    ConferenceCT-RSA 2010
    Country/TerritoryUnited States
    CitySan Francisco, CA


    • Hash function
    • Cryptanalysis
    • Collisions
    • Rebound attack


    Dive into the research topics of 'Rebound Attacks on the Reduced Grøstl Hash Function'. Together they form a unique fingerprint.

    Cite this