Grøstl Addendum

This document is an addendum to the submission document of Grøstl, which was selected for the second round of NIST’s SHA-3 competition [18]. We stress that we do not change the specification of Grøstl. In other words, Grøstl is defined exactly as specified in the original submission document [8]. In this document we mention a few alternative descriptions of our SHA-3 candidate Grøstl and describe recent analysis results on Grøstl. We briefly recall that the Grøstl compression function is based on two large and distinct `bit permutations P and Q (where ` ≥ 2n, n being the output size of the hash function), and is defined as f(h,m) = P (h ⊕ m) ⊕ Q(m) ⊕ h, where h is the chaining value and m is the message block. The permutations P and Q are built using the wide trail design strategy. A Merkle-Damg̊ard iteration [6, 17] of the compression function is applied, and it is followed by an output transformation defined as ω(x) = truncn(P (x) ⊕ x), where truncn indicates truncation to n bits. When n ≤ 256, we have ` = 512, and when n > 256 we have ` = 1024.