2^64
single processor: 2^56 * m * 2^{-26} / 3600, where m is the number of plaintext-ciphertext pairs for DES
214 processors: 2^56 * m * 2^{-26} / (214 * 3600), where m is the number of plaintext-ciphertext pairs for DES
F(data, round key) = output 32 bits
distinguishable attack = an algorithm that uses black box function and computes either block cipher X or an ideal block cipher.
No, since you need to find combinations of all 48-bit key values out of the 56 bit keyspace twice.
2^48*2^48 = 2^96 > 2^56
So my algorithm cannot be converted into a distinguishable attack that requires fewer operations than exhaustive search.
Unless we can accept probablistic approach. Say we search only m bits out of 48 bits in each round key, where m < 28. Then 2^m * 2^m = 2^2m < 2^56.
50% chance cipher was the ideal cipher. 50% chance cipher was not ideal cipher, and 28/48 chance key was among those attacker tried GIVEN the block cipher was used.
.5 + .5 * 28/48 = .79