Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!decwrl!decvax!ucbvax!cbosgd!osu-cis!apr!whp
From: whp@apr.UUCP (Wayne Pollock)
Newsgroups: sci.crypt
Subject: Re: An interesting message from SECURITY-DIGEST@RUTGERS
Message-ID: <289@apr.UUCP>
Date: Mon, 12-Oct-87 21:12:02 EDT
Article-I.D.: apr.289
Posted: Mon Oct 12 21:12:02 1987
Date-Received: Wed, 14-Oct-87 05:31:23 EDT
References: <7449@reed.UUCP-> <1409@osiris.UUCP>
Reply-To: whp@apr.UUCP (Wayne Pollock)
Organization: APR, Columbus, OH
Lines: 14
Keywords: NSA, DES, STU-III
Summary: Time/Cost to break DES

There was a paper produced in 1977 by Diffe & Hellman in Computer (June 77),
entitlled "Exhaustive Cryptanalysis of the NBS Data Encryption Standard".
In this paper the authors show how using 1977 technology, DES can be broken
by exhaustive search in 12 hours (average), at a cost of $5000 per solution.
Hellman later showed that using a chosen-plaintext attack, the cost per solution
drops to $10.  The cost of the machines is $20 million and $5 million
respectively (well within the reach of many countries and corparations), using
LSI (not VLSI).  In 1980, Diffe increased his estimate by double but even so,
it is likely that several DES breakers have been available for many years now.

Using custom VLSI the time and cost should drop quite a bit, perhaps to only
a few hours and several cents per solution using 1986 technology.

Wayne Pollock,	...!{cbatt, ihnp4}!cbosgd!apr!whp