imported>Kylras: /* growthexperiments-addlink-summary-summary:1|1|0 */

2025-07-01T16:09:17Z

growthexperiments-addlink-summary-summary:1|1|0

New page

{{Short description|Block cipher}}
{{About-distinguish-text|the Tiny Encryption Algorithm|the [[Terrestrial Trunked Radio#Air interface encryption|TETRA encryption algorithm]]}}{{Use dmy dates|date=April 2022}}
{{Infobox block cipher
| name = TEA
| image = [[Image:TEA InfoBox Diagram.png|250px|center]]
| caption = Two Feistel rounds (one cycle) of TEA<ref>{{cite web|title=Tinyness: An Overview of TEA and Related Ciphers|author=Matthew D. Russell|date=27 Feb 2004|url=http://www-users.cs.york.ac.uk/~matthew/TEA/ |archive-url=https://web.archive.org/web/20070812222155/http://www-users.cs.york.ac.uk/~matthew/TEA/ |archive-date=12 August 2007}}</ref>
| designers = [[Roger Needham]], [[David Wheeler (computer scientist)|David Wheeler]]
| publish date = 1994
| derived from =
| derived to = [[XTEA]]
| key size = 128 bits
| block size = 64 bits
| structure = [[Feistel network]]
| rounds = variable; recommended 64 Feistel rounds (32 cycles)
| cryptanalysis = TEA suffers from equivalent keys (see text; Kelsey et al., 1996) and can be broken using a [[related-key attack]] requiring 223 [[chosen plaintext]]s and a time complexity of 232.<ref name="kelsey1997" /> The best structural cryptanalysis of TEA in the standard single secret key setting is the zero-correlation cryptanalysis breaking 21 rounds in 2121.5 time with less than the full code book <ref name="bogdanovwang2012">{{cite book | first = Andrey | last = Bogdanov |author2=Wang, Meiqin | title = Fast Software Encryption | chapter = Zero Correlation Linear Cryptanalysis with Reduced Data Complexity | series = Lecture Notes in Computer Science | volume = 7549 | pages = 29–48 | year = 2012 | url = http://www2.compute.dtu.dk/~anbog/fse12-zerocorrelation.pdf | doi = 10.1007/978-3-642-34047-5_3| isbn = 978-3-642-34046-8 }}</ref>
}}

In [[cryptography]], the '''Tiny Encryption Algorithm''' ('''TEA''') is a [[block cipher]] notable for its simplicity of description and [[implementation]], typically a few lines of code. It was designed by [[David Wheeler (computer scientist)|David Wheeler]] and [[Roger Needham]] of the [[Cambridge University Computer Laboratory|Cambridge Computer Laboratory]]; it was first presented at the [[Fast Software Encryption]] workshop in [[Leuven]] in 1994, and first published in the proceedings of that workshop.<ref name="teapaper">{{cite book | first = David J. | last = Wheeler |author2=Needham, Roger M. | title = Fast Software Encryption | chapter = TEA, a tiny encryption algorithm | series = Lecture Notes in Computer Science |
url = http://citeseer.ist.psu.edu/viewdoc/download;jsessionid=C08E8409ADF484095568965A1EBF3E5E?doi=10.1.1.45.281&rep=rep1&type=pdf |
volume = 1008 |
pages = 363–366 |
location = Leuven, Belgium | date = 1994-12-16 | doi=10.1007/3-540-60590-8_29| isbn = 978-3-540-60590-4 }}</ref>

The cipher is not subject to any [[patent]]s.

==Properties==

TEA operates on two 32-bit [[unsigned integers]] (could be derived from a 64-bit data [[block size (cryptography)|block]]) and uses a 128-bit [[key (cryptography)|key]]. It has a [[Feistel network|Feistel structure]] with a suggested 64 rounds, typically implemented in pairs termed ''cycles''. It has an extremely simple [[key schedule]], mixing all of the key material in exactly the same way for each cycle. Different multiples of a [[magic number (programming)|magic constant]] are used to prevent simple attacks based on the [[symmetry]] of the rounds. The magic constant, 2654435769 or 0x9E3779B9 is chosen to be {{math|⌊2{{sup|32}}{{fraction}}{{phi}}⌋}}, where {{math|{{phi}}}} is the [[golden ratio]] (as a [[nothing-up-my-sleeve number]]).<ref name="teapaper"/>

TEA has a few weaknesses. Most notably, it suffers from equivalent keys—each key is equivalent to three others, which means that the effective [[key size]] is only 126 [[bit]]s.<ref name="kelsey1996">{{cite book |first1=John |last1=Kelsey |last2=Schneier |first2=Bruce |author-link2=Bruce Schneier |last3=Wagner |first3=David |title=Advances in Cryptology — CRYPTO '96 |chapter=Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES |series=Lecture Notes in Computer Science |url=http://www.schneier.com/paper-key-schedule.pdf |volume=1109 |pages=237–251 |year=1996 |doi=10.1007/3-540-68697-5_19 |isbn=978-3-540-61512-5 |access-date=25 February 2008 |archive-date=8 February 2012 |archive-url=https://web.archive.org/web/20120208081900/http://www.schneier.com/paper-key-schedule.pdf |url-status=dead }}</ref> As a result, TEA is especially bad as a [[cryptographic hash function]]. This weakness led to a method for [[Hacker (hobbyist)|hacking]] [[Microsoft]]'s [[Xbox (console)|Xbox]] [[game console]], where the cipher was used as a hash function.<ref>{{cite web |url=http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System#Startup_Security.2C_Take_Two |title=17 Mistakes Microsoft Made in the Xbox Security System |author=Michael Steil |archive-url=https://web.archive.org/web/20090416175601/http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System |archive-date=16 April 2009}}</ref> TEA is also susceptible to a [[related-key attack]] which requires 223 [[chosen plaintext]]s under a related-key pair, with 232 time complexity.<ref name="kelsey1997">{{cite book |first1=John |last1=Kelsey |last2=Schneier |first2=Bruce |author-link2=Bruce Schneier |last3=Wagner |first3=David |title=Information and Communications Security |chapter=Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA |series=Lecture Notes in Computer Science |
url = http://www.schneier.com/paper-relatedkey.html |
volume = 1334 | pages = 233–246 | year = 1997 |
doi = 10.1007/BFb0028479|
isbn = 978-3-540-63696-0 |
citeseerx = 10.1.1.35.8112 }}</ref> Because of these weaknesses, the [[XTEA]] cipher was designed.

==Versions==

The first published version of TEA was supplemented by a second version that incorporated extensions to make it more secure. ''Block TEA'' (which was specified along with [[XTEA]]) operates on arbitrary-size blocks in place of the 64-bit blocks of the original.

A third version ([[XXTEA]]), published in 1998, described further improvements for enhancing the security of the Block TEA algorithm.

==Reference code==

Following is an adaptation of the reference encryption and decryption routines in [[C (programming language)|C]], released into the public domain by David Wheeler and Roger Needham:<ref name="teapaper"/>
{{Clear}}
<syntaxhighlight lang="C">
#include <stdint.h>

void encrypt (uint32_t v[2], const uint32_t k[4]) {
uint32_t v0=v[0], v1=v[1], sum=0, i; /* set up */
uint32_t delta=0x9E3779B9; /* a key schedule constant */
uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
for (i=0; i<32; i++) { /* basic cycle start */
sum += delta;
v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
} /* end cycle */
v[0]=v0; v[1]=v1;
}

void decrypt (uint32_t v[2], const uint32_t k[4]) {
uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i; /* set up; sum is (delta << 5) & 0xFFFFFFFF */
uint32_t delta=0x9E3779B9; /* a key schedule constant */
uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
for (i=0; i<32; i++) { /* basic cycle start */
v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
sum -= delta;
} /* end cycle */
v[0]=v0; v[1]=v1;
}
</syntaxhighlight>
Note that the reference implementation acts on multi-byte numeric values. The original paper does not specify how to derive the numbers it acts on from binary or other content.

==See also==
* [[RC4]] – A [[stream cipher]] that, just like TEA, is designed to be very simple to implement.
* [[XTEA]] – First version of Block TEA's successor.
* [[XXTEA]] – Corrected Block TEA's successor.
* [[Treyfer]] – A simple and compact encryption algorithm with 64-bit key size and block size.

==Notes==
<references />

==References==

* {{cite web | first = Vikram Reddy | last = Andem | title = A Cryptanalysis of the Tiny Encryption Algorithm, Masters thesis | publisher = The University of Alabama | location = Tuscaloosa | year = 2003 | url = https://www.tayloredge.com/reference/Mathematics/VRAndem.pdf}}
* {{cite book | first = Julio César | last = Hernández |author2=Isasi, Pedro |author3=Ribagorda, Arturo | chapter= An application of genetic algorithms to the cryptoanalysis of one round TEA | title = Proceedings of the 2002 Symposium on Artificial Intelligence and Its Application | year = 2002 |chapter-url = http://www.actapress.com/PDFViewer.aspx?paperId=26972}}
* {{cite book | doi = 10.1109/CEC.2003.1299943 | first = Julio César | last = Hernández |author2=Sierra, José María |author3=Isasi, Pedro |author4=Ribargorda, Arturo | title = The 2003 Congress on Evolutionary Computation, 2003. CEC '03 | chapter = Finding efficient distinguishers for cryptographic mappings, with an application to the block cipher TEA | volume = 3 | pages = 2189–2193 | year = 2003 | hdl = 10016/3944 | isbn = 978-0-7803-7804-9 | s2cid = 62216777 }}
* {{cite book | first = Julio César | last = Hernández | author2 = Sierra, José María | author3 = Ribagorda, Arturo | author4 = Ramos, Benjamín | author5 = Mex-Perera, J. C. | title = Cryptography and Coding | chapter = Distinguishing TEA from a Random Permutation: Reduced Round Versions of TEA do Not Have the SAC or do Not Generate Random Numbers | volume = 2260 | pages = 374–377 | year = 2001 | url = http://163.117.174.60/downloads/Publicaciones/2001/HernandezSRRM01.pdf | archive-url = https://web.archive.org/web/20120426091456/http://163.117.174.60/downloads/Publicaciones/2001/HernandezSRRM01.pdf | url-status = dead | archive-date = 2012-04-26 | doi = 10.1007/3-540-45325-3_34 | series = Lecture Notes in Computer Science | isbn = 978-3-540-43026-1 }}
* {{cite book | first = Dukjae | last = Moon |author2=Hwang, Kyungdeok |author3=Lee, Wonil |author4=Lee, Sangjin |author5=Lim, Jongin | title = Fast Software Encryption | chapter = Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA | series = Lecture Notes in Computer Science | volume = 2365 | pages = 49–60 | year = 2002 | url = https://www.iacr.org/archive/fse2002/23650050/23650050.pdf | doi = 10.1007/3-540-45661-9_4| isbn = 978-3-540-44009-3 }}
* {{cite book | first = Seokhie | last = Hong |author2=Hong, Deukjo |author3=Ko, Youngdai |author4=Chang, Donghoon |author5=Lee, Wonil |author6= Lee, Sangjin | title = Information Security and Cryptology - ICISC 2003 | chapter = Differential Cryptanalysis of TEA and XTEA | volume = 2971 | pages = 402–417 | doi = 10.1007/978-3-540-24691-6_30| series = Lecture Notes in Computer Science | date = 2004 | isbn = 978-3-540-21376-5 }}

==External links==

* [http://www.cix.co.uk/~klockstone/teavect.htm Test vectors for TEA]
* [http://www.farfarfar.com/scripts/encrypt/ JavaScript implementation of XXTEA with Base64] {{Webarchive|url=https://web.archive.org/web/20060428132257/http://www.farfarfar.com/scripts/encrypt/ |date=28 April 2006 }}
* [http://www.php-einfach.de/sonstiges_generator_xtea.php PHP implementation of XTEA (German language)]
* [http://www.movable-type.co.uk/scripts/tea-block.html JavaScript implementation of XXTEA]
* [http://www.babelfish.nl/?view=actTEA JavaScript and PHP implementations of XTEA (Dutch text)]
* [https://code.google.com/p/tea-asm-avr/ AVR ASM implementation]
* [http://cba.mit.edu/docs/papers/05.07.SEA.pdf SEA Scalable Encryption Algorithm for Small Embedded Applications (Standaert, Piret, Gershenfeld, Quisquater - July 2005 UCL Belgium & MIT USA)]
{{Cryptography navbox | block}}

[[Category:Broken block ciphers]]
[[Category:Computer security in the United Kingdom]]
[[Category:Feistel ciphers]]
[[Category:Free ciphers]]
[[Category:History of computing in the United Kingdom]]
[[Category:University of Cambridge Computer Laboratory]]
[[Category:Articles with example C code]]

Tiny Encryption Algorithm - Revision history

imported>Kylras: /* growthexperiments-addlink-summary-summary:1|1|0 */