World Library  
Flag as Inappropriate
Email this Article


Article Id: WHEBN0020394803
Reproduction Date:

Title: Grøstl  
Author: World Heritage Encyclopedia
Language: English
Subject: NIST hash function competition, Spectral Hash, Rebound attack, PMAC (cryptography), SANDstorm hash
Collection: Nist Hash Function Competition
Publisher: World Heritage Encyclopedia


Designers Praveen Gauravaram, Lars Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen
Related to AES
Certification SHA-3 finalist
Digest sizes 256 and 512
Rounds 10 and 14
Speed 21.4 cpb on Core 2 for 224/256 bit digest; 30.1 cpb for 384/512 bit digest.
Best public cryptanalysis
Collision attack on 5 rounds[1]

Grøstl is a cryptographic hash function submitted to the NIST hash function competition by Praveen Gauravaram, Lars Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl was chosen as one of the five finalists of the competition. It uses the same S-box as AES in a custom construction. The authors claim speeds of up to 21.4 cycles per byte on an Intel Core 2 Duo.

According to the submission document, the name "Grøstl" is a multilingual play-on-words, referring to an Austrian dish that is very similar to hash (food).

Like other hash functions in the MD5/SHA family, Grøstl divides the input into blocks and iteratively computes hi = f(hi−1, mi). However, Grøstl maintains a hash state at least twice the size of the final output (512 or 1024 bits), which is only truncated at the end of hash computation.

The compression function f is based on a pair of 256- or 512-bit permutation functions P and Q, and is defined as:

f(h, m) = P(hm) ⊕ Q(m) ⊕ h

The permutation functions P and Q are heavily based on the Rijndael (AES) block cipher, but operate on 8×8 or 8×16 arrays of bytes, rather than 4×4. Like AES, each round consists of four operations:

  1. AddRoundKey (the Grøstl round keys are fixed, but differ between P and Q)
  2. SubBytes (this uses the Rijndael S-box, allowing sharing with AES implementations)
  3. ShiftBytes (expanded compared to AES, this also differs between P and Q, and 512- and 1024-bit versions)
  4. MixColumns (using an 8×8 matrix rather than Rijndael's 4×4)

Unlike Rijndael, all rounds are identical and there is no final AddRoundKey operation. 10 rounds are recommended for the 512-bit permutation, and 14 rounds for the 1024-bit version.

The final double-width hash receives a final output transformation of

Ω(h) = hP(h)

and is then truncated to the desired width. This is equivalent to applying a final iteration of the compression function using an all-zero message block m, followed by a (cryptographically insignificant) exclusive-or with the fixed constant Q(0).


  1. ^ Mendel, Florian; Rijmen, Vincent; Schläffer, Martin (2014-04-30), "Collision Attack on 5 Rounds of Grøstl", Cryptology ePrint Archive, Report 2014/305 

External links

  • The Grøstl web site
  • VHDL source code developed by the Cryptographic Engineering Research Group (CERG) at George Mason University

This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.