Improved Collision Attacks on the Reduced-Round Grostl Hash Function

We analyze the Grostl hash function, which is a 2nd-round candidate of the SHA-3 competition. Using the start-from-the-middle variant of the rebound technique, we show collision attacks on the Grostl-256 hash function reduced to 5 and 6 out of 10 rounds with time complexities 248 and 21127 respectively. Furthermore, we demonstrate semi-free-start collision attacks on the Grostl-224 and -256 hash functions reduced to 7 rounds and the Grostl-224 and -256 compression functions reduced to 8 rounds. Our attacks are based on differential paths between the two permutations P and Q of Grostl, a strategy introduced by Peyrin to construct distinguishers for the compression function. In this paper, we extend this approach to construct collision and semi-free-start collision attacks for both the hash and the compression function. Finally, we present improved distinguishers for reduced-round versions of the Grostl-224 and -256 permutations.