Absolute lower limits to the cost of cryptanalytic attacks are quantified, via a theory of guesswork. Conditional guesswork naturally expresses limits to known and chosen plaintext attacks. New inequalities are derived between various forms of guesswork and variation distance. The machinery thus offers a new technique for establishing the security of a cipher: When the work-factor of the optimal known or chosen plaintext attack against a cipher is bounded below by a prohibitively large number, then no practical attack against the cipher can succeed. As an example, we apply the technique to iterated cryptosystems, as the Markov property which results from an independent subkey assumption makes them particularly amenable to analysis.