
Research Article


Diffusion and Statistical Analysis of STITCH256 

N. Jamil,
R. Mahmod,
M.R. Z`aba,
N.I. Udzir
and
Z.A. Zukarnain



ABSTRACT

Hash function is an important cryptographic primitive used
in a wide range of applications, for example, for message authentication and
in digital signatures. MD 4/5 and SHA0/1/2 are examples of widely used hash
functions, but except for SHA2 (SHA224, 256, 384, 512), they were all broken
in 2005 after more than a decade of use. Since, then, the structure and components
of cryptographic hash functions have been studied and revisited extensively
by the cryptographic community. STITCH256 was introduced to overcome problems
faced by the MD and SHAfamily hash functions. STITCH256 employs the Balanced
Feistel network and its step operation runs in four parallel branches. The algorithm
was claimed to produce good diffusion and its outputs were claimed to be random.
To evaluate its suitability for such purposes, avalanche and empirical statisti
cal tests are commonly employed to show that there is empirical evidence supporting
the claims. In this study, we report on the studies that were conducted on the
1000 sample of 256 bit of output from STITCH256 algorithm. The studies include
the study of diffusion and statistical properties of STITCH256 using avalanche
test and nine statistical tests. The results suggest that the claims were true
where STITCH256 produces good avalanche effect, thus good diffusion property
and its outputs appear random.





Received: March 26, 2013;
Accepted: May 07, 2013;
Published: June 28, 2013


INTRODUCTION
Cryptographic hash function is a function f that accepts arbitrary length of
input message m and produces a fixed length of output message h, f [0, 1]*→f
[0, 1]^{n}. The length of the input message can be a single byte of
an alphabet or hundreds megabytes of a video file. The input message m is sometimes
called preimage and the output message h(m) is called hash value. To be used
in cryptographic applications such as digital signatures, the function has to
satisfy the following:
• 
Preimage resistance: Given a hash value h(m), it is
infeasible to find any message m which hashes to h(m). This property is
also known as one wayness 
• 
Second preimage resistance: Given a hash value h(m) and its corresponding
message m, it is infeasible to find another message m’ such that h(m)
= h(m’) 
• 
Collision resistance: Given a hash value h(m), it is infeasible
to find any two distinct messages m and m’, where m ≠ m’ such
that h(m) = h(m’) 
Finding a preimage or a second preimage by brute force attack would require
2^{n} operations and finding a collision by birthday attack would need
approximately 2^{n/2}. Damgard (1990) showed
that the strongest property is collision resistance where preservation of collision
resistance implies preservation of second preimage resistance and preservation
of second preimage resistance implies preservation of preimage resistance.
Thus, collision resistance is the most important property for cryptographic
hash function and most of the attacks were aimed at breaking this property.
The most popular and widely used hash functions are known as dedicated hash
functions, whose design method is a serial successive iteration of step operation.
These hash functions include MD5 (Rivest, 1992b), HAVAL
(Zheng et al., 1993; FIPS 180,
1993) and SHA1 (NIST, 1995). These hash functions
are also known as MDxclass hash functions since they have some commonalities
in their design, i.e., same design principle with MD4 (Rivest,
1992a). In principle, the design of MDxclass hash functions follow MerkleDamgard
iterative construction (Merkle, 1989; Damgard,
1990). In this construction, the security of the hash function H is reduced
to the security of the compression function of f. However, most of the compression
functions of MDxclass hash functions are light and relatively simple. This
has led to the failure of these hash functions to preserve a property of collision
resistance. After more than a decade of use, all of these hash functions were
broken in series of attacks by Van Rompay et al.
(2003), Wang et al. (2004, 2005a,
b), Wang and Yu (2005), Biham
et al. (2005) and Yu et al. (2006),
to name a few. The successful attacks against these hash functions are differential
attacks. The attacks aimed at producing zero output difference with nonzero
input difference in the input messages (Wang et al.,
2005c). The hash function is considered as insecure if one has successfully
developed an algorithm that can vanishes such difference in its compression
function. As the compression function of MDxclass hash functions is light and
relatively simple, it is easy to construct differential characteristic in it
that leads to collisions. This could probably due to poor diffusion in the step
operation of MDxclass hash function, i.e., did not produce a good avalanche
effect.
STITCH256 (Jamil et al., 2012) was introduced
to recommend a new step operation permuted in a socalled stitching permutation.
The description of the step operation in STITCH256 is given in the following
section. It was claimed that the outputs of STITCH256 appear to be random and
the step operation produces good avalanche effect. To evaluate its suitability
for cryptographic purposes, avalanche and empirical statistical tests are commonly
employed to show that there is empirical evidence supporting the claim. In this
study, we report on the studies that were conducted on the output bits from
STITCH256 algorithm. The results suggest that the claims were true and STITCH256
is suitable to be used for cryptographic purposes.
DESCRIPTION OF STITCH256 Table 1 shows the basic notation used to describe STITCH256.
STITCH256 employs MerkleDamgard iterative construction in order to produce
a fixed size of output from arbitrary length of input and a variant of DaviesMeyer
mode of operation as depicted in Fig. 1. In this variant mode
of operation, it takes a message block M and the previous hash value h_{i}.
For the first iteration, the h_{0} is the IV. The output from left most
and right most branch, B1 and B4, are then added with the previous hash value
h_{i} and output from B2 and B3. The output from this operation is then
XORed together and added once again with h_{i}. The output is h_{i+1}.
This process is repeated until all the message blocks M are processed.

Fig. 1: 
Mode of operation of STITCH256 
Table 1: 
Notation and description of symbols used in algorithm equations 

If the two branches on the right are denoted as a big function E1 and the two
branches on the left are denoted as a different big function E2, this variant
of DaviesMeyer mode can be formulated as:
The update can also be seen as the h_{i }is updated to h_{i+1 }by
computing:
h_{i+1 }= [h_{i}+B1(h_{i},
Σ_{j,1} (M))+B2(h_{i}, Σ_{j,2}(M ))]⊕[h_{i}+B4
(h_{i}, Σ_{j,3}(M))+B3(h_{i}, Σ_{j,4}(M))]+h_{i} 
where, Σ_{j,i}(M ) for j = 1, 2, 3, 4 and 0 = i = 15, is the sum
of sixteen 32 bit message words W_{i }that has been rearranged according
to Fig. 2. Each line needs two Σ_{j,i}(M) and
they are different in each line. This gives a total of eight different orderings
for the compression function.
STITCH256 processes 512 bit blocks of input message and produces 256 bit block
of hash value. The input message is first appended by a single bit 1 to the
least significant bit of the input message, followed by as many zero as possible
until the length of the message is 448 modulo 512 which is filled up by the
64 bit message length modulo 264.
COMPRESSION FUNCTION OF STITCH256
The compression function of STITCH256 runs in parallel of four branches, B1,
B2, B3 and B4 as illustrated in Fig. 1. There are three main
components in the compression function of STITCH256 namely, message expansion,
step operation and Boolean functions.
Message expansion of STITCH256: The message expansion of STITCH256
follows these formulas:
where, s_{0} (w, x, y, z) = w⊕x⊕y⊕z and s_{1}
(w, x, y, z) = w+x+y+ z.
It uses two salt values to support the message expansion of STITCH256, where
SV_{0} = 67452301 and SV_{1} = 41083726. The message expansion
of STITCH256 is illustrated as in Fig. 3. In STITCH256,
the 512 bit message input is expanded to 32 bit message words.

Fig. 2: 
Message orderings for four branches in STITCH256 
This gives the output of message expansion as 1024 bits. All the message words
W_{i}…W_{31 }are then reordered to give different message
ordering in each line. The compression function of STITCH256 requires eight
Σ_{j} (M) for the whole function as described earlier and the orderings
are depicted in Fig. 3. It shows the input order of message
words M_{0},…, M_{15} applied to Bj(1≤j≤4) branches.
The number with an asterisk denotes the message words W_{i} for 16≤i≤31.
This means 1’ refers to message words W_{16}, 2’ refers to
message word W_{17}, so on and so forth.
Step operation of STITCH256: Step operation of STITCH256 is designed
as shown in Fig. 4. The step operation of STITCH256 can be
seen as a Balanced Feistel Network where registers A, B, C, D is one half and
registers E, F, G, H is the other half. Here, we simply name the division as
the left and right wings, respectively. Each wing has different step operation,
different Boolean functions and different constants. We divide the step operations
in STITCH256 into two phases; the first phase serves as a heavy step operation
and the second phase involves only permutation. We will use the notation of
left and right wings throughout this study.
In the step operations of STITCH256, two distinct Boolean functions F3, F4
are used in the right wing and one Boolean function F2 is used in the left wing.
In the right wing, the registers and message words are processed through seven
steps whereas for the left wing the registers are processed through six steps,
prior to the initial permutation. Registers A_{i}, B_{i}, C_{i}
and Di are first processed in the left wing during the first phase, followed
by initial permutation and finally processed in the first phase of right wing.

Fig. 3: 
Message expansion of STITCH256 

Fig. 4: 
Step operation of STITCH256 
This means the registers are processed in two sets of nonoverlapping step
operations. After being processed in the right wing, registers A_{i},
B_{i}, C_{i} and D_{i} are permuted in the second phase
and used to update the values of E_{i+1}, F_{i+1}, G_{i+1}
and H_{i+1}. This process occurs vice versa and in parallel, for registers
E_{i}, F_{i}, G_{i} and H_{i}, where they finally
update the values of A_{i+1}, B_{i+1}, C_{i+1} and D_{i+1}.
Let the outputs for A_{i}, B_{i}, C_{i}, D_{i},
E_{i}, F_{i}, G_{i} and H_{i} after the first
stage are denoted as A’, B’, C’, D’, E’, F’, G’
and H’, respectively, defined as follows:
A’_{i } 
= 
Di+F2((A_{i}+B_{i }), C_{i}, D_{i}) 
B’_{i } 
= 
φ_{i,j}+F 2((A_{i}+B_{i}), C_{i},
D_{i }) 
C’_{i } 
= 
B_{i}+F2((A_{i}+B_{i}),C_{i}, D_{i}) 
D’_{i } 
= 
C_{i}+F2((A_{i}+B_{i}), C_{i}, D_{i}) 
F’_{i } 
= 
E_{i}+F4 (E_{i}, W_{i}, F 3(F_{i}, G_{i},
H_{i})) 
G’_{i } 
= 
F_{i}+F 4(E_{i}, W_{i}, F 3(F_{i}, G_{i
}, H_{i})) 
H’_{i } 
= 
G_{i}+F 4(E_{i}, W_{i}, F 3(F_{i},G_{i
},H_{i})) 
E’_{i } 
= 
«^{7} (φ_{i,j}+F 4(E_{i}, W_{i}, F 3(F_{i},
G_{i }, H_{i})) 
A single step operation in each wing updates its new registers A_{i+1},
B_{i+1}, C_{i+1}, D_{i+1}, E_{i+1}, F_{i+1},
G_{i+1 }and H_{i+1} by producing the following outputs:
A_{i+1 } 
= 
F2((E_{i}+F_{i }), G_{i}, H_{i})+H_{i} 
B_{i+1 } 
= 
φ_{i,j}+F 2((E_{i}+F_{i}), G_{i},
H_{i}) 
C_{i+1 } 
= 
F 2((E_{i}+F_{i}), G_{i}, H_{i})+F_{i} 
D_{i+1 } 
= 
F 2((E_{i}+F_{i }), G_{i}, H_{i})+G_{i} 
E_{i+1 } 
= 
«^{7 }(φ_{i,j},+F 4(A_{i}, W_{i}, F 3(B_{i},
C_{i }, D_{i}))) 
F_{i+1 } 
= 
A_{i}+F 4(A_{i}, W_{i}, F 3(B_{i}, C_{i},
D_{i})) 
G_{i+1 } 
= 
B_{i}+F 4(A_{i}, W_{i}, F 3(B_{i}, C_{i},
D_{i})) 
H_{i+1 } 
= 
C_{i}+F 4(A_{i}, W_{i}, F 3(B_{i}, C_{i},
D_{i})) 
where, φ_{i,j }is different for each branch and the details can
be found by Jamil et al. (2012). The step operation
of STITCH256 is illustrated in Fig. 4.
As described earlier, the outputs after initial permutation in the left wing,
A’, B’, C’, D’, are processed in the first phase of the
right wing. They are not only permuted, but also become the new value for E_{i+1},
F_{i+1}, G_{i+1}, H_{i+1} after the permutation in the
second phase of the right wing. Then, the new values in registers E, F, G, H
are iterated in the first stage of the right wing step operation, permuted and
become the new value for A_{i+1}, B_{i+1}, C_{i+1},
D_{i+1}. This happens similarly for the output after initial permutation
in the right wing.
Note that the initial permutation is the same as the permutation in the second
phase, where it permutes the registers one block to their right. The entire
process looks like a stitching permutation when one views it from top. Thus
it gives the name as STITCH256. The stitching permutation is designed to maximize
the propagation of intermediate chaining variables, thus lower the probability
to construct differential characteristics. The stitching permutation when it
is viewed from top is illustrated in Fig. 5. Finally, each
wing in a branch processes sixteen message words and this makes each branch
in the compression function of STITCH256 to have only sixteen rounds of step
operation.
Boolean Functions in STITCH256: STITCH256 derives its Boolean functions
from a set of onedimensional Cellular Automata (CA) rules (Wolfram,
1984). Table 2 shows the CA rules represented as Boolean
functions, used in STITCH256.

Fig. 5: 
Stitching permutation in STITCH256 
Table 2: 
CA rules used in STITCH256 

AVALANCHE EFFECT OF STITCH256
Having a strong avalanche effect is seen as a continuous effect where small
differences are mapped to big differences. However, as we only work on discrete
spaces here, all functions are also continuous. Therefore, continuity itself
cannot be of any help for quantifying the avalanche effect. In our study, we
are interested in the average behavior of the step operations of STITCH256.
Here, we present our empirical results on the effects of inducing small differences.
In particular, we study the behavior of the output bits in the full round of
step operations in STITCH256 for various samples.
Experiment: In principle, any cryptographic algorithm must have a property
that the redundancies at the input should not leak any information in the output.
Based on this understanding, we construct three types of data sets, each having
different structures. Then, we observe the avalanche effect in the output bits
and observe the structure in some of the test vector samples. The types of data
sets are as follows:
• 
Low density message: The low density message is a message
formed by binary strings of low weight. In our case, the number of ‘1’s
in the binary strings is less or equal to 3 
• 
High density message: The high density message is a message formed
by binary strings of high weight. In other words, the inputs of the low
density messages are complemented bitwise 
• 
Random message: The random message is a message formed by a random
distribution between bits 0 and 1 in the sequence 
For each of the data type, we prepare 1000 sequences of 512 input bits each
which makes up a total of 512000x3 = 1536000 bits tested in the experiments.
Empirical results and analysis: Here, we present our empirical results
on the effects of inducing a single bit difference for a full round of STITCH256
algorithm in three different data categories. For our analysis, we chose the
following parameter:
• 
The number of steps s that we consider. In our experiment,
we measure the avalanche effect of STITCH256 algorithm for s = 16 and 32 
• 
Size δ of the induced input difference is 1. It means that we are
mainly interested in a smallest value here to observe the property of Strict
Avalanche Criterion (SAC) in STITCH256 
The changes or the effects from a single bit flip in the input are calculated
and stored. Table 3 describes the breakdowns of the results
obtained from the experiment conducted on three data categories.
It can be seen from Table 3 the 3000 sequences of 256 bit
hash values of STITCH256 produced the desired avalanche effect and also satisfy
Strict Avalanche Criterion (SAC). Figure 6 shows the avalanche
effect of a single flipping in input bit for low density data. It can be seen
that the avalanche effect for 1000 sequences of 256 bit hash values for low
density data is well scattered around 0.5. Figure 7 shows
the total number of 512 bit output sequences with respect to the avalanche effect.
From Fig. 7, it can be seen that the avalanche effects of
all the output sequences lie between 0.4950.504. This shows that on average,
half of the output bits were changed with a single input bit flipping.
The similar effect applies to the high density data and random data, where
their avalanche effect for the same length of sequences and output bits are
well scattered around 0.5. This is depicted in Fig. 811.
Figure 8 shows the total number of 512 bit output sequences
of high density data with respect to its avalanche effect. From Fig.
9 it can be seen that the avalanche effects of all the output sequences
lie between 0.4960.504.

Fig. 6: 
Avalanche effect for 1000 sequences of 512 bit low density
data 

Fig. 7: 
Number of 256 bit output sequences vs. avalanche effect 

Fig. 8: 
Avalanche effect for 1000 sequences of 512 bit high density
data 
Table 3: 
Results from the avalanche experiments for three different
data types 

This shows that, on average, half of the output bits were changed with a single
input bit flipping. From Fig. 11, it can be seen that the
avalanche effects of all the output sequences lie between 0.4950.505. This
shows that on average, half of the output bits were changed with a single input
bit flipping in random data.
From the results of our experiment, it was shown that the output of STITCH256
algorithm appears to provide Strict Avalanche Criterion for all three data categories.

Fig. 9: 
Number of 256 bit output sequences vs avalanche effect 

Fig. 10: 
Avalanche effect for 1000 sequences of 512 bit random data 

Fig. 11: 
Number of 256 bit output sequences vs avalanche effect 
Next, we showed that stitching permutation in STITCH256 increases the diffusion
property of the algorithm. This can be seen from Fig. 12
that the avalanche factor for STITCH256 if it runs without stitching permutation
lies at 0.240.26. The main property in stitching permutation is it swaps the
intermediate chaining variables from the left wing to the right wing and vice
versa, in each iteration. It means that each register has its step operation
changed every after a single iteration. This provides high bit propagation through
a single iteration.

Fig. 12: 
The avalanche factor for STITCH256 without stitching permutation 
RANDOMNESS OF STITCH256
For the outputs of the hash function to be indistinguishable from a random
oracle, they have to be tested in terms of randomness tests. It means the outputs
or the hash value of hash function has to be shown to be random. This evaluation
of the randomness can be done by using statistical test. In our case, we consider
using NIST statistical test suites that contains 15 tests that, under different
data category, can be viewed as 48 statistical tests. The list of the tests
are frequency test, block frequency test, runs test, long runs of ones test,
rank test, discrete Fourier transform test, nonoverlapping template matching
test, overlapping template matching test, linear complexity test, universal
statistical test, approximate entropy test, cumulative sums test, random excursion
test, random excursion variant test and serial test.
Experiments: some of the tests, for example overlapping template matching
test, universal statistical test, random excursion test, linear complexity test
and random excursions variant test, require the sequence length to be more than
1000000 bits and Rank Test requires the sequence to be minimum 38,912 bits.
Due to the hardware constraint, we only provide 768000 bits (3000 sequences
of 256 bit) for the entire experiments, i.e., these six tests were not performed.
Thus the appropriate NIST tests are only nine which are frequency test, block
frequency test, runs test, long runs test, cumulative sum test, approximate
entropy test, serial test, discrete Fourier transform test and nonoverlapping
template matching test. Table 4 shows the breakdown of the
9 statistical tests applied during the experiments.
Table 4: 
Test ID for 9 NIST statistical tests 

We use the same data categories as that used in avalanche test. A full round
of STITCH256 is run and repeated many times. The sequences of 256 bit hash
values are concatenated to produce large data input to the statistical test.
We follow the same procedure as described by Soto and Bassham
(2000). The statistical tests are applied only to the compression functions
of STITCH256. It means that the padding procedure is omitted. The output from
the experiments is 9 results for each data category. Statistical tests were
performed using the strategies as follows.
Finally, we show the avalanche effect of 32 rounds of STITCH256. This is depicted
in Fig. 13. It is shown in the figure that the avalanche
factors for 32 rounds of STITCH256 have not much different from that of 16
rounds of STITCH256. As 32 rounds incur more processing and time, STITCH256
employs only 16 rounds with almost similar avalanche effect with 32 rounds.
This provides STITCH256 with comparable efficiency and security with other
hash functions:
Step 1: 
For each data category, all input parameters such the sequence
length, sample size and significance level were fixed. They are defined
as 256, 256000 and 0.01, respectively. For each binary sequence and each
statistical test, a pvalue was reported 
Step 2: 
The status of success or failure was made based on whether or not for
each pvalue exceeded or fell below the preselected significance level 
Step 3: 
Two evaluations were made for each statistical test and each sample. Firstly,
we calculated the proportion of binary sequences in a sample that passed
the statistical test. The pvalue for this proportion is equal to the probability
of observing a value that is equal to or greater than the calculated proportion.
Secondly, we calculated an additional pvalue based on a χ^{2}
test (with nine degrees of freedom) applied to the pvalues in the entire
sample to guarantee uniformity 
Step 4: 
An assessment was made for both steps done in step 3. A sample was considered
to pass a statistical test if it satisfied both the proportion and uniformity
assessments. If one of the two pvalues in step 2 fell below 0.0001, then
the sample is labeled as suspect. In this case, then additional samples
needed to be evaluated. Otherwise, the sample is said to satisfy the criterion
for being random from the perspective of a specific statistical test (Rukhin
et al., 2001) 

Fig. 13: 
The avalanche factor for 32 rounds of STITCH256 
Empirical results and analysis: Given the empirical results for a particular
test, we computed the proportion of sequences that pass. In our case, we tested
1000 binary sequences for each data category, i.e., m = 1000. The significance
level, σ, for our experiment is set at σ = 0.01. We use the confidence
interval formula defined by Soto and Bassham (2000) as:
where p = 1σ.

Fig. 14: 
Proportion of low density sequences undergoing 9 statistical
tests 

Fig. 15: 
Proportion of high density sequences undergoing 9 statistical
tests 
The data is classified as nonrandom if the calculated proportion is not in
this interval. In our case, the confidence interval is 0.99±0.0094392.
This means that the proportion should be above 0.980560. The calculated confidence
interval is an approximation to the binomial distribution which is reasonably
for m = 1000. Figure 1416 show the proportion
of sequences that undergo nine statistical tests for each of data category.

Fig. 16: 
Proportion of random sequences undergoing 9 statistical tests 
From the results of the experiments, it showed that the outputs from the full
round of STITCH256 algorithm appeared to be random for all nine statistical
tests.
CONCLUSION
In this study, the avalanche effect of STITCH256 algorithm was measured by
testing 3000 sequences of 256 bit hash values. The empirical results from the
avalanche test showed that STITCH256 exhibits Strict Avalanche Criterion (SAC)
which is a desired property in any cryptographic algorithm. The contributing
factors to this property are the implementation of different message orderings
in each line in the compression function of STITCH256 and stitching permutation
which maximizes the diffusion property of STITCH256. Finally, 3000 sequences
of 256 bit hash values of different data categories were tested with NIST statistical
test suites. The tests spanned many wellknown cryptographic properties which
have to be satisfied by any cryptographic algorithm. One of the properties included
the absence of any detectable correlation between input/output pairs and also
the absence of any detectable bias resulting from a single bit flip in input.
Nine statistical tests were identified from the test suite that are relevant
with 256 bit output from any cryptographic algorithm and run the test for three
different data categories separately. The proportion of pvalues of the data
sequences were then computed and compared with the confidence interval. The
empirical results showed that the outputs from three different data categories
in full round of STITCH256 passed all the nine tests, i.e., appeared to be
random. From the avalanche and statistical tests conducted, we showed that the
claim made with regards to high diffusion and random output of STITCH256 is
correct.

REFERENCES 
1: Biham, E., R. Chen, A. Joux, P. Carribault, C. Lemuet and W. Jalby, 2005. Collisions of SHA0 and Reduced SHA1. In: Advances in CryptologyEUROCRYPT 2005, Cramer, R. (Ed.). Vol. 3494, SpringerVerlag, Germany, ISBN: 9783540259107, pp: 3657.
2: Damgard, I.B., 1990. A Design Principle for Hash Functions. In: Advances in Cryptology, Brassard, G. (Ed.). SpringerVerlag, New York, pp: 416427.
3: FIPS 180, 1993. Secure Hash Standard (SHS). National Institute of Standards and Technology, May 1993. US Department of Commerce.
4: NIST, 1995. FIPS 1801. Secure Hash Standard (SHS). National Institute of Standards and Technology, USA.
5: Jamil, N., R. Mahmod, M.R. Z'aba, N.I. Udzir and Z.A. Zukarnain, 2012. STITCH256: A new dedicated cryptographic hash function. J. Appl. Sci., 15: 15261536.
6: Merkle, R.C., 1989. One Way Hash Functions and DES. In: Advances in Cryptology, Brassard, G., (Ed.). Vol. 435. SpringerVerlag, USA., pp: 428446.
7: Rivest, R.L., 1992. The MD4 messagedigest algorithm. Request for Comments (RFC) 1320, Internet Activities Board, Internet Privacy Task Force, April 1992.
8: Rivest, R.L., 1992. The MD5 messagedigest algorithm. Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992.
9: Rukhin, A., J. Soto, J. Nechvatal, M. Smid and E. Barker et al., 2001. A statistical test suite for random and pseudorandom number generators for cryptographic applications. NIST Special Publication 80022, May 15, 2001, National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, MD., USA.
10: Soto, J. and L. Bassham, 2000. Randomness testing of the advanced encryption standard finalist candidates. NIST IR 6483, National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg, MD., USA., March 2000.
11: Van Rompay, B., A. Biryukov, B. Preneel and J. Vandewalle, 2003. Cryptanalysis of 3pass HAVAL. Proceedings of the 9th International Conference on the Theory and Application of Cryptology and Information Security, Advances in Cryptology, November 30December 4, 2003, Taipei, Taiwan, pp: 228245.
12: Wang, X., X. Lai, D. Feng, and H. Yu, 2004. Collisions for hashfunctions MD4, MD5, HAVAL128 and RIPEMD. http://eprint.iacr.org/2004/199.pdf.
13: Wang, X., X. Lai, D. Feng, H. Chen and X. Yu, 2005. Cryptanalysis of the hash functions MD4 and RIPEMD. Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, May 2226, 2005, Aarhus, Denmark, pp: 118.
14: Wang, X., Y.L. Yin and H. Yu, 2005. Finding Collisions in the Full SHA1. In: Advances in CryptologyCRYPTO 2005, Shoup, V. (Ed.). Springer Verlag, New York, USA., ISBN: 9783540281146, pp: 1736.
15: Wang, X. and H. Yu, 2005. How to break MD5 and other hash functions. Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, May 2226, 2005, Aarhus, Denmark, pp: 1935.
16: Wang, X., H. Yu and Y.L. Yin, 2005. Efficient collision search attacks on SHA0. Adv. Cryptol., 3621: 116. CrossRef 
17: Wolfram, S., 1984. Universality and complexity in cellular automata. Physica, 10: 135.
18: Yu, H., X. Wang, A. Yun and S. Park, 2006. Cryptanalysis of the Full Haval with 4 and 5 Passes. In: Fast Software Encryption, Robshaw, M. (Ed.). Springer, New York, ISBN: 9783540365976, pp: 89110.
19: Zheng, Y., J. Pieprzyk and J. Seberry, 1993. HAVAL: A OneWay Hashing Algorithm With Variable Length Of Output. In: Advances in Cryptology Auscrypt 92, Seberry, J. and Y. Zheng (Eds.). Vol. 718, Springer Verlag, Germany, ISBN13: 9783540572206, pp: 83104.



