I will have printed copies of the paper at the Cypherpunks meeting this weekend. Folks in other locations, please print the PostScript version from ftp.eff.org:/pub/crypto/des_key_search.ps, rather than asking me to mail printed copies. Kudos to Michael Wiener for doing the work, and for making the paper freely available online! By the way, with 60,000 chips, it takes 3.5 hours to brute-force a 56 bit key. If you lop 16 bits off, you lose a factor of ~60,000: it takes ONE chip a few hours to brute-force it -- or a third of a second if you use the whole machine. I wondered where those ``40-bit keys'' came from... Oho! I now suspect why RC2 and RC4 must remain trade-secret...NSA doesn't want people to know what particular internal algorithm features their brute-force chips are capable of handling! I recall the discussion of how RC2/4 were invented; NSA told the designer (since identified as Ron Rivest): "No, this is too big; weaken this over here; do fewer rounds here; etc..." What resulted was suitable for NSA brute-force using chips they had readily available. It's possible that simple changes to the algorithm would render it much less penetrable by NSA's current hardware. Ron even knows *which* changes, and I encourage him to tell us. John