TEA Padlock Logo

The Tiny Encryption Algorithm (TEA)

The principal web resource for one of the most secure cipher algorithms ever devised ...
... and certainly the simplest!

Maintained by Simon Shepherd, Professor of Computational Mathematics
Director of the Cryptography and Computer Security Laboratory,
Bradford University, England.



What is the Tiny Encryption Algorithm?

The Tiny Encryption Algorithm is one of the fastest and most efficient cryptographic algorithms in existence. It was developed by David Wheeler and Roger Needham at the Computer Laboratory of Cambridge University. It is a Feistel cipher which uses operations from mixed (orthogonal) algebraic groups - XOR, ADD and SHIFT in this case. This is a very clever way of providing Shannon's twin properties of diffusion and confusion which are necessary for a secure block cipher, without the explicit need for P-boxes and S-boxes respectively. It encrypts 64 data bits at a time using a 128-bit key. It seems highly resistant to differential cryptanalysis, and achieves complete diffusion (where a one bit difference in the plaintext will cause approximately 32 bit differences in the ciphertext) after only six rounds. Performance on a modern desktop computer or workstation is very impressive.

You can obtain a copy of Roger Needham and David Wheeler's original paper describing TEA, from the Security Group ftp site at the world-famous Cambridge Computer Laboratory at Cambridge University. There's also a paper on extended variants of TEA which addresses a couple of minor weaknesses (irrelevant in almost all real-world applications), and introduces a block variant of the algorithm which can be even faster in some circumstances.

How secure is TEA?

Very. There have been no known successful cryptanalyses of TEA. It's believed to be as secure as the IDEA algorithm, designed by Massey and Xuejia Lai. It uses the same mixed algebraic groups technique as IDEA, but it's very much simpler, hence faster. Also it's public domain, whereas IDEA is patented by Ascom-Tech AG in Switzerland. IBM's Don Coppersmith and Massey independently showed that mixing operations from orthogonal algebraic groups performs the diffusion and confusion functions that a traditional block cipher would implement with P- and S-boxes. As a simple plug-in encryption routine, it's great. The code is lightweight and portable enough to be used just about anywhere. It even makes a great random number generator for Monte Carlo simulations and the like. The minor weaknesses identified by David Wagner at Berkeley are unlikely to have any impact in the real world, and you can always implement the new variant TEA which addresses them. If you want a low-overhead end-to-end cipher (for real-time data, for example), then TEA fits the bill.

The Routines

Source code is available in a variety of forms:

ANSI C

Motorola PowerPC

Motorola 680x0

The new variant, fixing a couple of minor weaknesses, in ANSI C.

The new variant, in 16-bit x86 (i.e. 8086, 80186, 80286) assembler, contributed by Rafael R. Sevilla.

The TEA cipher, in 32-bit x86 (i.e. Pentium and better) assembler, contributed by Farshid Mossaiby. Read the Readme here.

The TEA cipher, in Java, contributed by Saurav Chatterjee and a modification of Saurav's code by Walter Hayden.

Also, both TEA and XTEA in Java, contributed by Thomas Dixon (with some bug fixes thanks to Cliff Biffle at Google).

Two JavaScript implementations. One by Richard Pugh is a simple number encryptor. The second one is a more sophisticated text encryption module with random key generation.

An interesting SQL Server implementation (8 files zipped up) contributed by Joseph Gama.

There is even a version of TEA for Macromedia Flash MX Actionscript contributed by Patrick Bay. The file contains his contact email and he invites discussion from users.

Particularly impressive is the tightness of the PowerPC implementation. The inner loop is eighteen instructions (17 register-to-register shifts, adds and xors plus one branch). The arithmetic instructions are all single-cycle (or better on a superscalar device) and the branch will be folded out of the instruction stream on a 604 or above.

It would be interesting to see if an implementation using the new Velocity Engine (Altivec) technology could be even more efficient. Without looking at this in any detail, I'd surmise that some of the ultra-wide (i.e. 16-byte) arithmetic instructions could yield a substantial performance enhancement, at least in ECB mode.

Notes

All the routines have the general form

void encipher(const unsigned long *const v,unsigned long *const w,
   const unsigned long * const k);

void decipher(const unsigned long *const v,unsigned long *const w,
   const unsigned long * const k);

TEA takes 64 bits of data in v[0] and v[1], and 128 bits of key in k[0] - k[3]. The result is returned in w[0] and w[1]. Returning the result separately makes implementation of cipher modes other than Electronic Code Book a little bit easier.

TEA can be operated in any of the modes of DES.

n is the number of iterations. 32 is ample, 16 is sufficient, as few as eight should be OK for most applications, especially ones where the data age quickly (real-time video, for example). The algorithm achieves good dispersion after six iterations. The iteration count can be made variable if required.

Note this algorithm is optimised for 32-bit CPUs with fast shift capabilities. It can very easily be ported to assembly language on most CPUs.

delta is chosen to be the Golden ratio ((5/4)1/2 - 1/2 ~ 0.618034) multiplied by 232. On entry to decipher(), sum is set to be delta * n. Which way round you call the functions is arbitrary: DK(EK(P)) = EK(DK(P)) where EK and DK are encryption and decryption under key K respectively.

Last updated 24 February 2006

Back Home Return to Home page