... and certainly the simplest!

Director of the Cryptography and Computer Security Laboratory,

Bradford University, England.

The Tiny Encryption Algorithm is one of the fastest and most efficient
cryptographic algorithms in existence. It was developed by
David Wheeler and Roger Needham at the Computer Laboratory of Cambridge
University. It is a Feistel cipher which uses operations from
mixed (orthogonal) algebraic groups - XOR, ADD and SHIFT
in this case. This is a very clever way of providing
Shannon's twin properties of *diffusion* and *confusion*
which are necessary for a secure block cipher, without the explicit need
for P-boxes and S-boxes respectively. It encrypts 64 data
bits at a time using a 128-bit key. It seems highly resistant to differential
cryptanalysis, and achieves complete diffusion (where a one bit difference
in the plaintext will cause approximately 32 bit differences in the
ciphertext) after only six rounds. Performance on a modern desktop
computer or workstation is very impressive.

You can obtain a copy of Roger Needham and David Wheeler's original paper describing TEA, from the Security Group ftp site at the world-famous Cambridge Computer Laboratory at Cambridge University. There's also a paper on extended variants of TEA which addresses a couple of minor weaknesses (irrelevant in almost all real-world applications), and introduces a block variant of the algorithm which can be even faster in some circumstances.

Very. There have been no known successful cryptanalyses of TEA. It's believed to be as secure as the IDEA algorithm, designed by Massey and Xuejia Lai. It uses the same mixed algebraic groups technique as IDEA, but it's very much simpler, hence faster. Also it's public domain, whereas IDEA is patented by Ascom-Tech AG in Switzerland. IBM's Don Coppersmith and Massey independently showed that mixing operations from orthogonal algebraic groups performs the diffusion and confusion functions that a traditional block cipher would implement with P- and S-boxes. As a simple plug-in encryption routine, it's great. The code is lightweight and portable enough to be used just about anywhere. It even makes a great random number generator for Monte Carlo simulations and the like. The minor weaknesses identified by David Wagner at Berkeley are unlikely to have any impact in the real world, and you can always implement the new variant TEA which addresses them. If you want a low-overhead end-to-end cipher (for real-time data, for example), then TEA fits the bill.

**Source code is available in a variety
of forms:**

The new variant, fixing a couple of minor weaknesses, in ANSI C.

The new variant, in 16-bit x86 (i.e. 8086, 80186, 80286) assembler, contributed by Rafael R. Sevilla.

The TEA cipher, in 32-bit x86 (i.e. Pentium and better) assembler, contributed by Farshid Mossaiby. Read the Readme here.

The TEA cipher, in Java, contributed by Saurav Chatterjee and a modification of Saurav's code by Walter Hayden.

Also, both TEA and XTEA in Java, contributed by Thomas Dixon (with some bug fixes thanks to Cliff Biffle at Google).

Two JavaScript implementations. One by Richard Pugh is a simple number encryptor. The second one is a more sophisticated text encryption module with random key generation.

An interesting SQL Server implementation (8 files zipped up) contributed by Joseph Gama.

There is even a version of TEA for Macromedia Flash MX Actionscript contributed by Patrick Bay. The file contains his contact email and he invites discussion from users.

Particularly impressive is the tightness of the PowerPC implementation. The inner loop is eighteen instructions (17 register-to-register shifts, adds and xors plus one branch). The arithmetic instructions are all single-cycle (or better on a superscalar device) and the branch will be folded out of the instruction stream on a 604 or above.

It would be interesting to see if an implementation using the new Velocity Engine (Altivec) technology could be even more efficient. Without looking at this in any detail, I'd surmise that some of the ultra-wide (i.e. 16-byte) arithmetic instructions could yield a substantial performance enhancement, at least in ECB mode.

All the routines have the general form

void encipher(const unsigned long *const v,unsigned long *const w, const unsigned long * const k); void decipher(const unsigned long *const v,unsigned long *const w, const unsigned long * const k);

TEA takes 64 bits of data in `v[0]` and `v[1]`,
and 128 bits of key in `k[0]` - `k[3]`. The result is
returned in `w[0]` and `w[1]`. Returning the result
separately makes implementation
of cipher modes other than Electronic Code Book a little bit easier.

TEA can be operated in any of the modes of DES.

`n` is the number of iterations. 32 is ample,
16 is sufficient, as few as eight should be OK for most applications,
especially ones where the data age quickly (real-time video, for example).
The algorithm achieves good dispersion after
six iterations. The iteration count can be
made variable if required.

Note this algorithm is optimised for 32-bit CPUs with fast shift capabilities. It can very easily be ported to assembly language on most CPUs.

`delta` is chosen to be the
Golden ratio ((5/4)^{1/2} - 1/2 ~ 0.618034)
multiplied by 2^{32}. On entry to `decipher()`,
`sum` is set to be `delta * n`. Which way round you call
the functions is arbitrary:
D_{K}(E_{K}(P)) =
E_{K}(D_{K}(P)) where
E_{K} and D_{K} are encryption and decryption under key
*K* respectively.

Return to Home page