1518:
1546:
157:, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. Grøstl was chosen as one of the five finalists of the competition. It uses the same
305:
Unlike
Rijndael, all rounds are identical and there is no final AddRoundKey operation. 10 rounds are recommended for the 512-bit permutation, and 14 rounds for the 1024-bit version.
1498:
1328:
219:). However, Grøstl maintains a hash state at least twice the size of the final output (512 or 1024 bits), which is only truncated at the end of hash computation.
1181:
1101:
489:
386:
378:
332:
and is then truncated to the desired width. This is equivalent to applying a final iteration of the compression function using an all-zero message block
518:
1607:
408:
Praveen
Gauravaram; Lars R. Knudsen; Krystian Matusiewicz; Florian Mendel; Christian Rechberger; Martin Schläffer; Søren S. Thomsen (2011-03-02),
184:
According to the submission document, the name "Grøstl" is a multilingual play-on-words, referring to an
Austrian dish that is very similar to
1602:
1583:
1045:
878:
1174:
366:
0x 6d3ad29d279110eef3adbd66de2a0345a77baede1557f5d099fce0c03d6dc2ba8e6d4a6633dfbd66053c20faa87d1a11f39a7fbe4a6c2f009801370308fc4ad8
288:(AES) block cipher, but operate on 8×8 or 8×16 arrays of bytes, rather than 4×4. Like AES, each round consists of four operations:
482:
1377:
1086:
571:
523:
150:
77:
873:
1167:
1091:
162:
67:
1612:
1493:
1448:
1261:
860:
502:
498:
369:
Even a small change in the message will (with overwhelming probability) result in a mostly different hash, due to the
146:
89:
1372:
475:
1576:
1488:
1117:
756:
1478:
1468:
1323:
1096:
932:
631:
626:
191:
Like other hash functions in the MD5/SHA family, Grøstl divides the input into blocks and iteratively computes
1473:
1463:
1266:
1226:
1219:
1209:
1204:
1019:
839:
455:
VHDL source code developed by the
Cryptographic Engineering Research Group (CERG) at George Mason University
1214:
1127:
513:
49:
41:
1521:
1367:
1313:
1142:
792:
746:
636:
594:
579:
561:
298:
ShiftBytes (expanded compared to AES, this also differs between P and Q, and 512- and 1024-bit versions)
33:
57:
53:
1569:
1483:
1407:
812:
716:
666:
641:
99:
362:
0x ac353c1095ace21439251007862d6c62f829ddbe6de4f78e68d310a9205a736d8b11d99bffe448f57a1cfa2934f044a5
45:
1246:
1137:
1014:
963:
902:
721:
681:
661:
1352:
1336:
1283:
1071:
1055:
1004:
589:
454:
1412:
1402:
1273:
948:
1553:
1347:
1035:
989:
751:
370:
133:
1050:
999:
994:
782:
166:
113:
1422:
1342:
1303:
1251:
1236:
1040:
768:
336:, followed by a (cryptographically insignificant) exclusive-or with the fixed constant
1596:
1503:
1458:
1417:
1397:
1293:
1256:
1231:
1132:
1009:
711:
126:
1453:
1298:
1288:
1278:
1241:
1190:
170:
154:
37:
295:
SubBytes (this uses the
Rijndael S-box, allowing sharing with AES implementations)
1432:
1122:
968:
897:
893:
802:
185:
1392:
1362:
1357:
1318:
1382:
797:
1545:
1427:
1387:
1076:
973:
958:
953:
943:
907:
827:
741:
621:
292:
AddRoundKey (the Grøstl round keys are fixed, but differ between P and Q)
285:
174:
912:
868:
646:
409:
308:
The final double-width hash receives a final output transformation of
1308:
1081:
822:
817:
787:
777:
736:
731:
726:
706:
701:
676:
671:
656:
616:
178:
117:
391:
0x f48290b1bcacee406a0429b993adb8fb3d065f4b09cbcdb464a631d4a0080aaf
383:
0x 8c7ad62eb26a21297bc39c2d7293b4bd4d3399fa8afab29e970471739e28b301
358:
0x 1a52d11d550039be16107f9c58db9ebcc417f16f736adb2502567119f0083467
807:
696:
651:
599:
556:
551:
545:
428:
427:
Mendel, Florian; Rijmen, Vincent; Schläffer, Martin (2014-04-30),
165:
in a custom construction. The authors claim speeds of up to 21.4
158:
922:
917:
888:
883:
847:
1163:
471:
691:
686:
539:
226:
is based on a pair of 512- or 1024-bit permutation functions
354:
0x f2e180fb5947be964cd584e22e496242c6a329c577fc4ce8c36d34c3
449:
373:. For example, adding a period to the end of the sentence:
301:
MixColumns (using an 8×8 matrix rather than
Rijndael's 4×4)
120:
for 224/256 bit digest; 30.1 cpb for 384/512 bit digest.
1557:
1329:
Cryptographically secure pseudorandom number generator
459:
1441:
1197:
1110:
1064:
1028:
982:
931:
859:
836:
765:
609:
570:
532:
124:
108:
98:
88:
83:
73:
63:
29:
24:
104:10 (digest size 8-256) or 14 (digest size 264-512)
1577:
1175:
483:
94:arbitrary (from 8 to 512 bits in 8-bit steps)
8:
19:
387:The quick brown fox jumps over the lazy dog
379:The quick brown fox jumps over the lazy dog
1584:
1570:
1182:
1168:
1160:
490:
476:
468:
464:
460:
429:"Collision Attack on 5 Rounds of Grøstl"
1552:This cryptography-related article is a
400:
18:
7:
1542:
1540:
1556:. You can help Knowledge (XXG) by
14:
1544:
1517:
1516:
1608:NIST hash function competition
1378:Information-theoretic security
1087:NIST hash function competition
151:NIST hash function competition
1:
348:Hash values of empty string.
1603:Cryptographic hash functions
1092:Password Hashing Competition
503:message authentication codes
499:Cryptographic hash functions
173:, and 9.6 cycles/byte on an
1494:Message authentication code
1449:Cryptographic hash function
1262:Cryptographic hash function
1046:Merkle–Damgård construction
147:cryptographic hash function
16:Cryptographic hash function
1629:
1539:
1373:Harvest now, decrypt later
411:Grøstl - a SHA-3 candidate
276:The permutation functions
1512:
1489:Post-quantum cryptography
1159:
509:
467:
463:
433:Cryptology ePrint Archive
344:Examples of Grøstl hashes
284:are heavily based on the
222:The compression function
132:
1479:Quantum key distribution
1469:Authenticated encryption
1324:Random number generation
840:key derivation functions
1474:Public-key cryptography
1464:Symmetric-key algorithm
1267:Key derivation function
1227:Cryptographic primitive
1220:Authentication protocol
1210:Outline of cryptography
1205:History of cryptography
1118:Hash-based cryptography
1020:Length extension attack
153:by Praveen Gauravaram,
1215:Cryptographic protocol
1128:Message authentication
1368:End-to-end encryption
1314:Cryptojacking malware
234:, and is defined as:
1484:Quantum cryptography
1408:Trusted timestamping
50:Christian Rechberger
42:Krystian Matusiewicz
1247:Cryptographic nonce
1015:Side-channel attack
450:The Grøstl web site
21:
1613:Cryptography stubs
1353:Subliminal channel
1337:Pseudorandom noise
1284:Key (cryptography)
1072:CAESAR Competition
1056:HAIFA construction
1005:Brute-force attack
34:Praveen Gauravaram
1565:
1564:
1534:
1533:
1530:
1529:
1413:Key-based routing
1403:Trapdoor function
1274:Digital signature
1155:
1154:
1151:
1150:
949:ChaCha20-Poly1305
766:Password hashing/
435:, Report 2014/305
149:submitted to the
140:
139:
1620:
1586:
1579:
1572:
1548:
1541:
1520:
1519:
1348:Insecure channel
1184:
1177:
1170:
1161:
1036:Avalanche effect
990:Collision attack
533:Common functions
492:
485:
478:
469:
465:
461:
437:
436:
424:
418:
417:
416:
405:
390:
382:
371:avalanche effect
365:
361:
357:
353:
171:Intel Core 2 Duo
134:Collision attack
58:Søren S. Thomsen
54:Martin Schläffer
22:
1628:
1627:
1623:
1622:
1621:
1619:
1618:
1617:
1593:
1592:
1591:
1590:
1537:
1535:
1526:
1508:
1437:
1193:
1188:
1147:
1106:
1065:Standardization
1060:
1051:Sponge function
1024:
1000:Birthday attack
995:Preimage attack
978:
934:
927:
855:
838:
837:General purpose
832:
767:
761:
610:Other functions
605:
572:SHA-3 finalists
566:
528:
505:
496:
446:
441:
440:
426:
425:
421:
414:
407:
406:
402:
397:
392:
384:
376:
367:
363:
359:
355:
351:
346:
217:
211:
196:
167:cycles per byte
64:Related to
17:
12:
11:
5:
1626:
1624:
1616:
1615:
1610:
1605:
1595:
1594:
1589:
1588:
1581:
1574:
1566:
1563:
1562:
1549:
1532:
1531:
1528:
1527:
1525:
1524:
1513:
1510:
1509:
1507:
1506:
1501:
1499:Random numbers
1496:
1491:
1486:
1481:
1476:
1471:
1466:
1461:
1456:
1451:
1445:
1443:
1439:
1438:
1436:
1435:
1430:
1425:
1423:Garlic routing
1420:
1415:
1410:
1405:
1400:
1395:
1390:
1385:
1380:
1375:
1370:
1365:
1360:
1355:
1350:
1345:
1343:Secure channel
1340:
1334:
1333:
1332:
1321:
1316:
1311:
1306:
1304:Key stretching
1301:
1296:
1291:
1286:
1281:
1276:
1271:
1270:
1269:
1264:
1254:
1252:Cryptovirology
1249:
1244:
1239:
1237:Cryptocurrency
1234:
1229:
1224:
1223:
1222:
1212:
1207:
1201:
1199:
1195:
1194:
1189:
1187:
1186:
1179:
1172:
1164:
1157:
1156:
1153:
1152:
1149:
1148:
1146:
1145:
1140:
1135:
1130:
1125:
1120:
1114:
1112:
1108:
1107:
1105:
1104:
1099:
1094:
1089:
1084:
1079:
1074:
1068:
1066:
1062:
1061:
1059:
1058:
1053:
1048:
1043:
1041:Hash collision
1038:
1032:
1030:
1026:
1025:
1023:
1022:
1017:
1012:
1007:
1002:
997:
992:
986:
984:
980:
979:
977:
976:
971:
966:
961:
956:
951:
946:
940:
938:
929:
928:
926:
925:
920:
915:
910:
905:
900:
891:
886:
881:
876:
871:
865:
863:
857:
856:
854:
853:
850:
844:
842:
834:
833:
831:
830:
825:
820:
815:
810:
805:
800:
795:
790:
785:
780:
774:
772:
769:key stretching
763:
762:
760:
759:
754:
749:
744:
739:
734:
729:
724:
719:
714:
709:
704:
699:
694:
689:
684:
679:
674:
669:
664:
659:
654:
649:
644:
639:
634:
629:
624:
619:
613:
611:
607:
606:
604:
603:
597:
592:
587:
582:
576:
574:
568:
567:
565:
564:
559:
554:
549:
543:
536:
534:
530:
529:
527:
526:
521:
516:
510:
507:
506:
497:
495:
494:
487:
480:
472:
458:
457:
452:
445:
444:External links
442:
439:
438:
419:
399:
398:
396:
393:
375:
364:Grøstl-512("")
360:Grøstl-384("")
356:Grøstl-256("")
352:Grøstl-224("")
350:
345:
342:
330:
329:
303:
302:
299:
296:
293:
274:
273:
215:
206:
194:
138:
137:
130:
129:
122:
121:
110:
106:
105:
102:
96:
95:
92:
86:
85:
81:
80:
78:SHA-3 finalist
75:
71:
70:
65:
61:
60:
46:Florian Mendel
31:
27:
26:
15:
13:
10:
9:
6:
4:
3:
2:
1625:
1614:
1611:
1609:
1606:
1604:
1601:
1600:
1598:
1587:
1582:
1580:
1575:
1573:
1568:
1567:
1561:
1559:
1555:
1550:
1547:
1543:
1538:
1523:
1515:
1514:
1511:
1505:
1504:Steganography
1502:
1500:
1497:
1495:
1492:
1490:
1487:
1485:
1482:
1480:
1477:
1475:
1472:
1470:
1467:
1465:
1462:
1460:
1459:Stream cipher
1457:
1455:
1452:
1450:
1447:
1446:
1444:
1440:
1434:
1431:
1429:
1426:
1424:
1421:
1419:
1418:Onion routing
1416:
1414:
1411:
1409:
1406:
1404:
1401:
1399:
1398:Shared secret
1396:
1394:
1391:
1389:
1386:
1384:
1381:
1379:
1376:
1374:
1371:
1369:
1366:
1364:
1361:
1359:
1356:
1354:
1351:
1349:
1346:
1344:
1341:
1338:
1335:
1330:
1327:
1326:
1325:
1322:
1320:
1317:
1315:
1312:
1310:
1307:
1305:
1302:
1300:
1297:
1295:
1294:Key generator
1292:
1290:
1287:
1285:
1282:
1280:
1277:
1275:
1272:
1268:
1265:
1263:
1260:
1259:
1258:
1257:Hash function
1255:
1253:
1250:
1248:
1245:
1243:
1240:
1238:
1235:
1233:
1232:Cryptanalysis
1230:
1228:
1225:
1221:
1218:
1217:
1216:
1213:
1211:
1208:
1206:
1203:
1202:
1200:
1196:
1192:
1185:
1180:
1178:
1173:
1171:
1166:
1165:
1162:
1158:
1144:
1141:
1139:
1136:
1134:
1133:Proof of work
1131:
1129:
1126:
1124:
1121:
1119:
1116:
1115:
1113:
1109:
1103:
1100:
1098:
1095:
1093:
1090:
1088:
1085:
1083:
1080:
1078:
1075:
1073:
1070:
1069:
1067:
1063:
1057:
1054:
1052:
1049:
1047:
1044:
1042:
1039:
1037:
1034:
1033:
1031:
1027:
1021:
1018:
1016:
1013:
1011:
1010:Rainbow table
1008:
1006:
1003:
1001:
998:
996:
993:
991:
988:
987:
985:
981:
975:
972:
970:
967:
965:
962:
960:
957:
955:
952:
950:
947:
945:
942:
941:
939:
936:
933:Authenticated
930:
924:
921:
919:
916:
914:
911:
909:
906:
904:
901:
899:
895:
892:
890:
887:
885:
882:
880:
877:
875:
872:
870:
867:
866:
864:
862:
861:MAC functions
858:
851:
849:
846:
845:
843:
841:
835:
829:
826:
824:
821:
819:
816:
814:
811:
809:
806:
804:
801:
799:
796:
794:
791:
789:
786:
784:
781:
779:
776:
775:
773:
770:
764:
758:
755:
753:
750:
748:
745:
743:
740:
738:
735:
733:
730:
728:
725:
723:
720:
718:
715:
713:
710:
708:
705:
703:
700:
698:
695:
693:
690:
688:
685:
683:
680:
678:
675:
673:
670:
668:
665:
663:
660:
658:
655:
653:
650:
648:
645:
643:
640:
638:
635:
633:
630:
628:
625:
623:
620:
618:
615:
614:
612:
608:
601:
598:
596:
593:
591:
588:
586:
583:
581:
578:
577:
575:
573:
569:
563:
560:
558:
555:
553:
550:
548:(compromised)
547:
544:
542:(compromised)
541:
538:
537:
535:
531:
525:
524:Known attacks
522:
520:
517:
515:
512:
511:
508:
504:
500:
493:
488:
486:
481:
479:
474:
473:
470:
466:
462:
456:
453:
451:
448:
447:
443:
434:
430:
423:
420:
413:
412:
404:
401:
394:
388:
380:
374:
372:
349:
343:
341:
339:
335:
327:
323:
319:
315:
311:
310:
309:
306:
300:
297:
294:
291:
290:
289:
287:
283:
279:
272:
268:
264:
260:
256:
252:
248:
244:
240:
237:
236:
235:
233:
229:
225:
220:
218:
209:
205:
201:
197:
189:
187:
182:
180:
176:
172:
168:
164:
160:
156:
152:
148:
144:
135:
131:
128:
127:cryptanalysis
123:
119:
115:
111:
107:
103:
101:
97:
93:
91:
87:
82:
79:
76:
74:Certification
72:
69:
66:
62:
59:
55:
51:
47:
43:
39:
35:
32:
28:
23:
1558:expanding it
1551:
1536:
1454:Block cipher
1299:Key schedule
1289:Key exchange
1279:Kleptography
1242:Cryptosystem
1191:Cryptography
584:
432:
422:
410:
403:
385:Grøstl-256("
377:Grøstl-256("
368:
347:
337:
333:
331:
325:
321:
317:
313:
307:
304:
281:
277:
275:
270:
266:
262:
258:
254:
250:
246:
242:
238:
231:
227:
223:
221:
213:
207:
203:
199:
192:
190:
183:
155:Lars Knudsen
142:
141:
125:Best public
90:Digest sizes
38:Lars Knudsen
1442:Mathematics
1433:Mix network
1123:Merkle tree
1111:Utilization
1097:NSA Suite B
186:hash (food)
136:on 5 rounds
1597:Categories
1393:Ciphertext
1363:Decryption
1358:Encryption
1319:Ransomware
935:encryption
712:RadioGatún
519:Comparison
395:References
1383:Plaintext
852:KDF1/KDF2
771:functions
757:Whirlpool
30:Designers
1522:Category
1428:Kademlia
1388:Codetext
1331:(CSPRNG)
1077:CRYPTREC
908:Poly1305
828:yescrypt
742:Streebog
622:CubeHash
602:(winner)
286:Rijndael
175:Intel i7
1198:General
983:Attacks
913:SipHash
869:CBC-MAC
803:LM hash
783:Balloon
647:HAS-160
25:General
1309:Keygen
1143:Pepper
1082:NESSIE
1029:Design
823:scrypt
818:PBKDF2
793:Catena
788:bcrypt
778:Argon2
737:Snefru
732:Shabal
727:SWIFFT
707:RIPEMD
702:N-hash
677:MASH-2
672:MASH-1
657:Kupyna
617:BLAKE3
600:Keccak
585:Grøstl
562:BLAKE2
179:AES-NI
169:on an
143:Grøstl
118:Core 2
100:Rounds
84:Detail
56:, and
20:Grøstl
1339:(PRN)
937:modes
813:Makwa
808:Lyra2
798:crypt
747:Tiger
697:MDC-2
652:HAVAL
637:Fugue
595:Skein
580:BLAKE
557:SHA-3
552:SHA-2
546:SHA-1
415:(PDF)
340:(0).
177:with
159:S-box
145:is a
112:21.4
109:Speed
1554:stub
1138:Salt
1102:CNSA
969:IAPM
923:VMAC
918:UMAC
903:PMAC
898:CMAC
894:OMAC
889:NMAC
884:HMAC
879:GMAC
848:HKDF
717:SIMD
667:Lane
642:GOST
627:ECOH
514:List
501:and
316:) =
280:and
269:) ⊕
261:) ⊕
249:) =
230:and
974:OCB
964:GCM
959:EAX
954:CWC
944:CCM
874:DAA
752:VSH
722:SM3
692:MD6
687:MD4
682:MD2
662:LSH
632:FSB
540:MD5
389:.")
163:AES
161:as
116:on
114:cpb
68:AES
1599::
590:JH
431:,
381:")
320:⊕
312:Ω(
257:⊕
245:,
212:,
210:−1
198:=
188:.
181:.
52:,
48:,
44:,
40:,
36:,
1585:e
1578:t
1571:v
1560:.
1183:e
1176:t
1169:v
896:/
491:e
484:t
477:v
338:Q
334:m
328:)
326:h
324:(
322:P
318:h
314:h
282:Q
278:P
271:h
267:m
265:(
263:Q
259:m
255:h
253:(
251:P
247:m
243:h
241:(
239:f
232:Q
228:P
224:f
216:i
214:m
208:i
204:h
202:(
200:f
195:i
193:h
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.