
5 results found for this scholar

Upload time

11 May 2011

[Journal article] A Proposal for a New Block Encryption Standard

Xuejia Lai (来学嘉), James L. Massey


Abstract

A new secret-key block cipher is proposed as a candidate for a new encryption standard. In the proposed cipher, the plaintext and the ciphertext are 64-bit blocks, while the secret key is 128 bits long. The cipher is based on the design concept of "mixing operations from different algebraic groups". The cipher structure was chosen to provide confusion and diffusion and to facilitate both hardware and software implementations.

Upload time

11 May 2011

[Journal article] A Symmetric Encryption Method Based on DNA Technology

卢明欣, 来学嘉 (Xuejia Lai), 肖国镇, 秦磊

Science in China (《中国科学》), 2007, 37(2): 175-182

Abstract

DNA cryptography is a frontier area of cryptography that emerged alongside research on DNA computing. This paper combines modern genetic engineering technology with cryptographic technology to design a symmetric encryption system, DNASC. In DNASC, the encryption key and the decryption key are DNA probes, and the ciphertext is a specially designed DNA chip. The security of the system rests mainly on biologically hard problems rather than on traditional computational problems, and it is therefore immune to attacks by future quantum computers. The encryption process is the fabrication of a specially designed DNA chip (microarray), and the decryption process is hybridization of the chip. In DNASC, trillions of DNA probes are conveniently hybridized and identified simultaneously, which to some extent demonstrates the enormous potential of DNA for massively parallel computation and ultra-high-capacity data storage.

Keywords: symmetric encryption, DNA cryptography, DNA computing

Upload time

11 May 2011

[Journal article] Markov Ciphers and Differential Cryptanalysis

Xuejia Lai (来学嘉), James L. Massey, Sean Murphy


Abstract

This paper considers the security of iterated block ciphers against the differential cryptanalysis introduced by Biham and Shamir. Differential cryptanalysis is a chosen-plaintext attack on secret-key block ciphers that are based on iterating a cryptographically weak function r times (e.g., the 16-round Data Encryption Standard (DES)). It is shown that the success of such attacks on an r-round cipher depends on the existence of (r-1)-round differentials that have high probabilities, where an i-round differential is defined as a couple (α,β) such that a pair of distinct plaintexts with difference α can result in a pair of i-th round outputs that have difference β, for an appropriate notion of "difference". The probabilities of such differentials can be used to determine a lower bound on the complexity of a differential cryptanalysis attack and to show when an r-round cipher is not vulnerable to such attacks. The concept of "Markov ciphers" is introduced for iterated ciphers because of its significance in differential cryptanalysis. If an iterated cipher is Markov and its round subkeys are independent, then the sequence of differences at each round output forms a Markov chain. It follows from a result of Biham and Shamir that DES is a Markov cipher. It is shown that, for the appropriate notion of "difference", the Proposed Encryption Standard (PES) of Lai and Massey, which is an 8-round iterated cipher, is a Markov cipher, as are the mini-versions of PES with block lengths 8, 16 and 32 bits. It is shown that PES(8) and PES(16) are immune to differential cryptanalysis after sufficiently many rounds. A detailed cryptanalysis of the full-size PES is given, and it is shown that the very plausibly most probable 7-round differential has a probability of about 2^-58. A differential cryptanalysis attack on PES(64) based on this differential is shown to require all 2^64 possible encryptions.
This cryptanalysis of PES suggested a new design principle for Markov ciphers, viz., that their transition probability matrices should not be symmetric. A minor modification of PES, consistent with all the original design principles, is proposed that satisfies this new design criterion. This modified cipher, called Improved PES (IPES), is described and shown to be highly resistant to differential cryptanalysis.

Upload time

11 May 2011

[Journal article] Cryptanalysis of the Hash Functions MD4 and RIPEMD

Xiaoyun Wang, Xuejia Lai (来学嘉), Dengguo Feng, Hui Chen, Xiuyuan Yu

EUROCRYPT 2005, LNCS 3494, pp. 1-18, 2005

Abstract

MD4 is a hash function developed by Rivest in 1990. It serves as the basis for most of the dedicated hash functions such as MD5, SHAx, RIPEMD, and HAVAL. In 1996, Dobbertin showed how to find collisions of MD4 with complexity equivalent to 2^20 MD4 hash computations. In this paper, we present a new attack on MD4 which can find a collision with probability 2^-2 to 2^-6, and the complexity of finding a collision doesn't exceed 2^8 MD4 hash operations. Built upon the collision search attack, we present a chosen-message pre-image attack on MD4 with complexity below 2^8. Furthermore, we show that for a weak message, we can find another message that produces the same hash value. The complexity is only a single MD4 computation, and a random message is a weak message with probability 2^-122. The attack on MD4 can be directly applied to RIPEMD, which has two parallel copies of MD4, and the complexity of finding a collision is about 2^18 RIPEMD hash operations.

Upload time

11 May 2011

[Journal article] Hash Functions Based on Block Ciphers

Xuejia Lai (来学嘉) and James L. Massey

Advances in Cryptology - EUROCRYPT '92, LNCS 658, pp. 55-70, 1993

Abstract

Iterated hash functions based on block ciphers are treated. Five attacks on an iterated hash function and on its round function are formulated. The wisdom of strengthening such hash functions by constraining the last block of the message to be hashed is stressed. Schemes for constructing m-bit and 2m-bit hash round functions from m-bit block ciphers are studied. A principle is formalized for evaluating the strength of hash round functions, viz., that applying computationally simple (in both directions) invertible transformations to the input and output of a hash round function yields a new hash round function with the same security. By applying this principle, four attacks on three previously proposed 2m-bit hash round functions are formulated. Finally, three new hash round functions based on an m-bit block cipher with a 2m-bit key are proposed.
