The design of the round function f and the key scheduling algorithm provides an avalanche effect for DES. The avalanche effect is when a change in of one plaintext bit, or one key bit, changes about half the ciphertext bits. This helps with security against differential analysis, where the attacker analyzes how the difference in plaintext affects the difference in ciphertext. For example, if a block cipher does not provide an avalanche effect and a change of one plaintext bit changes smaller number of bits in the ciphertext, then the cryptanalyst can use that information to infer how close the current plaintext is to a normal plaintext. Similar cryptanalysis is possible even if a change in plaintext results in many number of bits, more than half in the cypher text. DES provides avalanche effect that can prevent such cryptanalysis. Let's discuss about the brute force resistance of DES. Because DES uses a 56-bit long key, the brute force attack, or computation effort, is O(2 to the 56- 1) Or O(2 to the 55th power), on average. More specifically, given the cypher text, the attacker needs to perform 2 to the 55th power decryptions, on average, to find the correct plaintext. While such key length provided reasonable resistance in the 1970s and 1980s, and it took too long to find a key to make the brute force attack practical then, such key length is no longer sufficient these days, due to the advances in computing technology. In fact, even when DES first emerged in the 1970s, many cryptographers voiced concerns about the short length of the key. There was a controversy as of why the key was reduced to 56 bits, from the original 128 bits of the Lucifer algorithm by IBM. In many people's view, it was only a matter of time that DES Brute forcing becomes practically feasible. In the late 1990s, there has been a series of demonstrations that reduced the time of such brute force attacks on DES. In 1997, using a network of computers, DES was brute forced in a few months. In 1998, that brute force time reduced to a few days using dedicated hard ware for DES brute forcing. And in 1999, the DES brute forcing was shown to be feasible in 22 hours. In a span of less than three years, the feasible time to brute force a DES key decreased from a few months to tens of hours. Brute force is less sophisticated than cryptanalysis and is typically the last resort for attackers, as it merely requires computation to perform repetitive decryption trials until you recognize the correct plaintext. While brute force attack may already be enough to make the DES applications nervous about security, there are cryptanalysis attacks that can even further educe the computational effort to break the DES keys. For example, there's a differential cryptanalytical technique that requires many known plaintext, which requirement of knowing many plaintext limited the practically of such attack. In addition, there's a timing based vulnerability as different keys result in different computation durations. And an attacker exploiting such vulnerability can use the correlation between the computational duration and the key values to infer the key. Due to brute force threat, which vulnerability comes from the small key size, key length and other threats on DES, DES is considered broken now and is not recommended for securing systems and applications.