Information about Tiny Encryption Algorithm

This article is about the TEA encryption algorithm. For other meanings, see TEA (disambiguation).

TEA
Two Feistel rounds (one cycle) of TEA
General
Roger Needham, David Wheeler
1994
XTEA
Cipher detail
Key size(s):| 128 bits
Block size(s):| 64 bits
Feistel network
variable; recommended 64 Feistel rounds (32 cycles)
Best public cryptanalysis|-| colspan=2 | TEA suffers from equivalent keys (Kelsey et al, 1996) and can be broken using a related-key attack requiring 223 chosen plaintexts and a time complexity of 232 (Kelsey et al, 1997).

In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher notable for its simplicity of description and implementation (typically a few lines of code). It was designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory, and first presented at the Fast Software Encryption workshop in 1994 (Wheeler and Needham, 1994).

The TEA cipher has not been patented. It is completely in the public domain and can be freely used by anyone. There are no restrictions or encumberances whatsoever regarding its use. As a result, anyone is free to incorporate TEA in their software without paying license fees.

Vikram Reddy Andem presented a comprehensive study of TEA and cryptanalysis of the TEA (see below).

Properties

TEA operates on 64-bit blocks and uses a 128-bit key. It has a Feistel structure with a suggested 64 rounds, typically implemented in pairs termed cycles. It has an extremely simple key schedule, mixing all of the key material in exactly the same way for each cycle. Different multiples of a magic constant are used to prevent simple attacks based on the symmetry of the rounds. The magic constant, 2654435769 or is chosen to be where is the Golden Ratio.

TEA has a few weaknesses. Most notably, it suffers from equivalent keys — each key is equivalent to three others, which means that the effective key size is only 126 bits (Kelsey et al., 1996, and Vikram Andem, 2003). This weakness led to a method for hacking Microsoft's Xbox game console, where the cipher was used as a hash function. TEA is also susceptible to a related-key attack which requires 2²³ chosen plaintexts under a related-key pair, with 2³² time complexity (Kelsey et al., 1997). Because of these weaknesses, a number of revisions of TEA have been designed.

The unusually small size of the TEA algorithm would make it a viable option in situations where there are extreme constraints eg legacy hardware systems (perhaps embedded) where the amount of available RAM is minimal.

Versions

The first published version of TEA was supplemented by a second version which incorporated extensions to TEA to make it more secure. 'Block TEA' (sometimes referred to as XTEA), operates on arbitrary-size blocks in place of the 64-bit blocks of the original.

A third version (XXTEA), published in 1998, described Corrections to xtea to enhance the security of the Block TEA algorithm.

Reference code

Following is an adaptation of the reference encryption and decryption routines in C, released into the public domain by David Wheeler and Roger Needham:

void encrypt (unsigned long* v, unsigned long* k) { unsigned long v0=v[0], v1=v[1], sum=0, i; /* set up */ unsigned long delta=0x9e3779b9; /* a key schedule constant */ unsigned long k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */ for (i=0; i < 32; i++) { /* basic cycle start */ sum += delta; v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1); v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3); /* end cycle */ } v[0]=v0; v[1]=v1; }

void decrypt (unsigned long* v, unsigned long* k) { unsigned long v0=v[0], v1=v[1], sum=0xC6EF3720, i; /* set up */ unsigned long delta=0x9e3779b9; /* a key schedule constant */ unsigned long k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */ for (i=0; i<32; i++) { /* basic cycle start */ v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3); v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1); sum -= delta; /* end cycle */ } v[0]=v0; v[1]=v1; }

References

• David J. Wheeler and Roger M. Needham. TEA, a tiny encryption algorithm. In Bart Preneel, editor, Fast Software Encryption: Second International Workshop, volume 1008 of Lecture Notes in Computer Science, pages 363-366, Leuven, Belgium, 14–16 December 1994.
• Vikram Reddy Andem. A Cryptanalysis of the Tiny Encryption Algorithm, Masters thesis, The University of Alabama, Tuscaloosa, 2003.
• John Kelsey, Bruce Schneier, and David Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. Lecture Notes in Computer Science, 1109: 237–251, 1996.
• John Kelsey, Bruce Schneier, and David Wagner. Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X NewDES, RC2, and TEA. Lecture Notes in Computer Science, 1334: pp233–246, 1997.
• Julio César Hernández, Pedro Isasi, and Arturo Ribagorda. An application of genetic algorithms to the cryptoanalysis of one round TEA. Proceedings of the 2002 Symposium on Artificial Intelligence and its Application, 2002.
• Julio César Hernández, José María Sierra, Pedro Isasi, and Arturo Ribargorda. Finding efficient distinguishers for cryptographic mappings, with an application to the block cipher TEA. In Proceedings of the 2003 Congress on Evolutionary Computation, 2003.
• Julio César Hernández, José María Sierra, Arturo Ribagorda, Benjamín Ramos, and J. C. Mex-Perera. Distinguishing TEA from a random permutation: Reduced round versions of TEA do not have the SAC or do not generate random numbers. In Proceedings of the IMA Int. Conf. on Cryptography and Coding 2001, pages 374-377, 2001.
• Dukjae Moon, Kyungdeok Hwang, Wonil Lee, Sangjin Lee, and Jongin Lim. Impossible differential cryptanalysis of reduced round XTEA and TEA. Lecture Notes in Computer Science, 2365: 49-60, 2002. ISSN 0302-9743.
• Seokhie Hong, Deukjo Hong, Youngdai Ko, Donghoon Chang, Wonil Lee, and Sangjin Lee. Differential cryptanalysis of TEA and XTEA. In Proceedings of ICISC 2003, 2003b.

External links

• A Cryptanalysis of the Tiny Encryption Algorithm
• A web page advocating TEA and providing a variety of implementations
• A note on the JavaScript implementations at that site
• Test vectors for TEA
• A survey of TEA and XTEA and their cryptanalysis
• JavaScript implementation of XXTEA with Base64
• PHP implementation of XTEA
• JavaScript implementation of TEA
• JavaScript and PHP implementations of XTEA (English text)
• JavaScript and PHP implementation of XXTEA
• Ruby implementation of XXTEA with Base64

Block ciphers  •  • [ e]
Algorithms: 3-Way | AES | Akelarre | Anubis | ARIA | BaseKing | Blowfish | C2 | Camellia | CAST-128 | CAST-256 | CIKS-1 | CIPHERUNICORN-A | CIPHERUNICORN-E | CMEA | Cobra | COCONUT98 | Crab | CRYPTON | CS-Cipher | DEAL | DES | DES-X | DFC | E2 | FEAL | FROG | G-DES | GOST | Grand Cru | Hasty Pudding Cipher | Hierocrypt | ICE | IDEA | IDEA NXT | Iraqi | Intel Cascade Cipher | KASUMI | KHAZAD | Khufu and Khafre | KN-Cipher | Libelle | LOKI89/91 | LOKI97 | Lucifer | M6 | MacGuffin | Madryga | MAGENTA | MARS | Mercy | MESH | MISTY1 | MMB | MWA | MULTI2 | NewDES | NOEKEON | NUSH | Q | RC2 | RC5 | RC6 | REDOC | Red Pike | S-1 | SAFER | SC2000 | SEED | Serpent | SHACAL | SHARK | Skipjack | SMS4 | Square | TEA | Triple DES | Twofish | UES | Xenon | xmx | XTEA | XXTEA | Zodiac
Design: Feistel network | Key schedule | Product cipher | S-box | SPN Attacks: Brute force | Linear / Differential / Integral cryptanalysis | Mod n | Related-key | Slide | XSL
Standardization: AES process | CRYPTREC | NESSIE Misc: Avalanche effect | Block size | IV | Key size | Modes of operation | Piling-up lemma | Weak key
Cryptography  •  • [ e]
History of cryptography | Cryptanalysis | | Topics in cryptography
Symmetric-key algorithm | Block cipher | Stream cipher | Public-key cryptography | Cryptographic hash function | Message authentication code | Random numbers