Grøstl – a SHA-3 candidate
What is Grøstl?
Grøstl is a new cryptographic hash function designed in response to the Advanced Hash Standard competition announced by NIST.
Grøstl is an iterated hash function, where the compression function is built from two fixed, large, different permutations. The design of Grøstl is transparent and based on principles very different from those used in the SHA-family.
The two permutations used are constructed using the wide trail design strategy, which makes it possible to give strong statements about the resistance of Grøstl against large classes of cryptanalytic attacks. Moreover, if these permutations are assumed to be ideal, there is a proof for the security of the hash function.
Grøstl is a byte-oriented SP-network which borrows components from the AES. The S-box used is identical to the one used in the block cipher AES and the diffusion layers are constructed in a similar manner to those of the AES. As a consequence there is a very strong confusion and diffusion in Grøstl.
Grøstl is a so-called wide-pipe construction where the size of the internal state is significantly larger than the size of the output. This has the effect that all known, generic attacks on the hash function are made much more difficult.
Grøstl has good performance on a wide range of different platforms, and counter-measures against side-channel attacks are well-understood from similar work on the AES.
It was designed by a team of cryptographers from Technical University of Denmark (DTU) and TU Graz.
Grøstl news
Grøstl in action
A team at the University of Applied Sciences, Wiesbaden Rüsselsheim Geisenheim (Germany), developed FPGA implementations of Grøstl. This paper (ePrint 2009/206) describes the implementations. The team set up a website that allows visitors to upload files to be hashed using their FPGA Grøstl implementation. The website features a webcam showing the board at work.
Grøstl status
The deadline for changing/tweaking SHA-3 candidates was September 15, 2009. However, Grøstl remains the same, i.e., it is defined exactly as specified in the original submission document. We have prepared an addendum for the submission explaining the state of the art with respect to analysis of Grøstl, and we also mention a few interesting alternative descriptions of Grøstl.
Grøstl in the second round
We are very happy to see Grøstl selected for the second round of the SHA-3 competition, along with 13 other candidates. See the full list of algorithms that are still in the competition.
Optimized implementations for Core 2 Duo
A number of Grøstl implementations have been submitted to eBASH for benchmarking. Here are some results. For more results and implementations, go here.
| Digest size | Processor | Mode | Speed |
|---|---|---|---|
| 224/256 | Core 2 Duo | 64-bit | 21.3 cycles/byte |
| Opteron | 64-bit | 19.5 cycles/byte | |
| 384/512 | Core 2 Duo | 64-bit | 29.8 cycles/byte |
| Opteron | 64-bit | 40.7 cycles/byte |
Improved figures for hardware ASIC implementations
Stefan Tillich developed high-speed Grøstl-256 ASIC implementations in 0.18µm technology of UMC. Here are the synthesis results.
| Total area (mm2) | Total area (GE) | Throughput (Gbit/s) |
|---|---|---|
| 547,227.47 | 58,403 | 6.290 |
| 538,462.41 | 57,467 | 6.141 |
| 523,472.74 | 55,867 | 5.690 |
| 471,626.06 | 50,334 | 2.725 |
About this webpage
This webpage is a companion to the submission and will serve as a place for distributing information on Grøstl.