Byte slicing Grøstl: Improved Intel AES-NI and vector-permute implementations of the SHA-3 finalist Grøstl


Abstract

Grøstl is an AES-based hash function and one of the 5 finalists of the SHA-3 competition. In this work we present high-speed implementations of Grøstl for small 8-bit CPUs, and large 64-bit CPUs with the recently introduced Intel AES-NI and AVX instruction sets. Since Grøstl does not use the same MDS mixing layer as the AES, a direct application of the AES instructions seems difficult. In contrast to previous findings, our Grøstl implementations using the AES instructions are currently by far the fastest known. To achieve optimal performance we parallelize each round of Grøstl by taking advantage of the whole bit width of the used processor. This results in the parallel computation of 16 Grøstl columns using 128-bit registers, and 32 Grøstl columns using 256-bit registers. This way, we get implementations running at 12.2 cycles/byte for Grøstl-256 and 18.6 cycles/byte for Grøstl-512. © Springer-Verlag Berlin Heidelberg 2012.

Cite

Aoki, K., Matusiewicz, K., Roland, G., Sasaki, Y., & Schläffer, M. (2012). Byte slicing Grøstl: Improved Intel AES-NI and vector-permute implementations of the SHA-3 finalist Grøstl. In Communications in Computer and Information Science (Vol. 314, pp. 281–295). https://doi.org/10.1007/978-3-642-35755-8_20