80 bit security from 40 bit exportable products

[Carl Ellison]

>Even if you assume complete independence of key setup, if a successful
>decryption at each layer can be independently detected and verified
>(which seems likely in your example), there're only about 3 * (2 ^ 40)
>total operations in the worst case, NOT 2 ^ (3 * 40) operations needed
>to expose the plaintext.  This is an effective 41.5 bits, not 120.
>

Of course.  It comes down to whether each encryption step plans some known
plaintext to be used for brute force testing of any next layer.