Byte Slicing Grøstl: Improved Intel AES-NI and Vector-Permute Implementations of the SHA-3 Finalist Grøstl

  • Kazumaro Aoki
  • Krystian Matusiewicz
  • Günther Roland
  • Yu Sasaki
  • Martin Schläffer
Part of the Communications in Computer and Information Science book series (CCIS, volume 314)


Grøstl is an AES-based hash function and one of the 5 finalists of the SHA-3 competition. In this work we present high-speed implementations of Grøstl for small 8-bit CPUs, and large 64-bit CPUs with the recently introduced Intel AES-NI and AVX instruction sets. Since Grøstl does not use the same MDS mixing layer as the AES, a direct application of the AES instructions seems difficult. In contrast to previous findings, our Grøstl implementations using the AES instructions are currently by far the fastest known. To achieve optimal performance we parallelize each round of Grøstl by taking advantage of the whole bit width of the used processor. This results in the parallel computation of 16 Grøstl columns using 128-bit registers, and 32 Grøstl columns using 256-bit registers. This way, we get implementations running at 12.2 cylces/byte for Grøstl-256 and 18.6 cylces/byte for Grøstl-512.


Hash function SHA-3 competition Grøstl Software implementation Byte slicing Intel AES new instructions 8-bit AVR 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    National Institute of Standards and Technology: Cryptographic Hash Project (2007),
  2. 2.
    Gueron, S., Intel Corp.: Intel®Advanced Encryption Standard (AES) Instructions Set (2010), (retrieved December 21, 2010)
  3. 3.
    Benadjila, R., Billet, O., Gueron, S., Robshaw, M.: The Intel AES Instructions Set and the SHA-3 Candidates (2009), (retrieved December 22, 2010)
  4. 4.
    Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl – a SHA-3 candidate. Submission to NIST (Round 3) (2011), (retrieved May 03, 2010)
  5. 5.
    Hamburg, M.: Accelerating AES with Vector Permute Instructions. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 18–32. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  6. 6.
    National Institute of Standards and Technology: FIPS PUB 197, Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197, U.S. Department of Commerce (2001)Google Scholar
  7. 7.
    Fouque, P.A., Stern, J., Zimmer, S.: Cryptanalysis of Tweaked Versions of SMASH and Reparation. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 136–150. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Intel Corp.: Intel®64 and IA-32 Architectures Software Developers Manual (2010), (retrieved December 21, 2010)
  9. 9.
    Intel Corp.: Using MMXTMInstructions to Transpose a Matrix (1996), (retrieved July 12, 2011)
  10. 10.
    Çalik, Ç.: Multi-stream and Constant-time SHA-3 Implementations. NIST hash function mailing list (2010), (retrieved May 03, 2010)
  11. 11.
    Atmel: 8-bit AVR Microcontroller with 16K Bytes In-System Programmable Flash. ATmega163 (2003), (retrieved December 21, 2010)
  12. 12.
    Roland, G.A.: Efficient Implementation of the Grøstl-256 Hash Function on an ATmega163 Microcontroller (2009), (retrieved May 03, 2010)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Kazumaro Aoki
    • 1
  • Krystian Matusiewicz
    • 2
  • Günther Roland
    • 3
  • Yu Sasaki
    • 1
  • Martin Schläffer
    • 3
  1. 1.NTT CorporationJapan
  2. 2.Intel TechnologyPoland
  3. 3.IAIK, Graz University of TechnologyAustria

Personalised recommendations