Grøstl is one of 14 second round candidates of the NIST SHA-3 competition. Cryptanalytic results on the wide-pipe compression function
of Grøstl-256 have already been published. However, little is known about the hash function, arguably a much more interesting cryptanalytic
setting. Also, Grøstl-512 has not been analyzed yet. In this paper, we show the first cryptanalytic attacks on reduced-round versions of the Grøstl hash functions. These results are obtained by several extensions of the rebound attack. We present a collision attack on
4/10 rounds of the Grøstl-256 hash function and 5/14 rounds of the Grøstl-512 hash functions. Additionally, we give the best collision attack for reduced-round (7/10 and 7/14) versions of the compression
function of Grøstl-256 and Grøstl-512.
Keywords hash function - cryptanalysis - collisions - rebound attack
This work was supported in part by the European Commission through the ICT programme under contract ICT-2007-216676 ECRYPT
II and the fourth author is supported by a grant from the Villum Kann Rasmussen Foundation. Parts of this work were carried
out while the third author was visiting Technical University of Denmark, supported by a grant from DCAMM International Graduate
Research School, Danish Center for Applied Mathematics and Mechanics.