Dan Bailey writes:

According to Biham and Shamir's Differential Cryptanalysis of DES, "An interesting feature of the new attack is that it can be applied with the same complexity and success probability even if the key is frequently changed and thus the collected ciphertexts are derived from many different keys. The attack can be carried out incrementally, and one of the keys can be computed in real time while it is still valid. this is particularly important in attacks on bank authentication schemes, in which the opponent needs only one opportunity to forge a multi-million dollar wire transfer, but has to act quickly before the next key changeover invalidates his message. This is the first published attack which is capable of breaking the full DES in less than the complexity of the exhuastive search of 2^55 keys." (7-8) The problem with this attack, of course, is generation and analysis of all the required chosen plaintexts.

If I read this correctly, then the keys used for generation of the chosen plaintext-cyphertext pairs is irrelevant and once the required computation is done, one can crack any '...one of the keys can be cputed in real time while it is still valid.'.. So what, exactly does this mean? Can I do most, if not all of the feeding of chosen plaintext into my personal DES box in my basement, do the required computation (admittedly there is a lot of work to do here), then go out and start breaking wire-transfers with a minimal of chosen plaintext? That is what the above quotation would seem to imply. Seems incredible... I surely must be reading much more into the passage than is really there... andrew