5

Why are there so many types of TEA, for example TEA, XTEA, and XXTEA? What are the differences?

forest
  • 15,253
  • 2
  • 48
  • 103
Wei Wen
  • 305
  • 3
  • 10

1 Answers1

10

The original algorithm is TEA, which is a very lightweight Feistel cipher. However, its extremely simple key schedule has two weaknesses. The first weakness allows what's called a related key attack, which is not an issue if the keys are chosen randomly. The second weakness causes equivalent keys. This means that, for TEA, any given key is equivalent to three other keys. This effectively weakens the keyspace from 2128 to 2126, which is bad, but not terrible. This is not normally a major problem unless the cipher is used in ways it shouldn't, such as for a hash.

XTEA was designed to fix the weaknesses in the original algorithm, in particular by adding a more complex key schedule. However, it was found that XTEA introduces some related key vulnerabilities of its own and did not meet the intended security target. This lead to another revision called XXTEA. However XXTEA is also vulnerable, in particular to a chosen-plaintext attack requiring only 259 queries (although the attack is impractical). The wide-block variation which avoids the usual downsides of a 64-bit block cipher is highly vulnerable as well, negating yet another benefit of XXTEA. In the end, it turns out that TEA itself is still quite secure as a cipher. It remains secure as long as it is used correctly, i.e. as a block cipher with uniform random and unrelated keys.

forest
  • 15,253
  • 2
  • 48
  • 103
  • 4
    Note: the two XXTEA attacks referred to in the answer are the same. Addition: one of XXTEA's feature is a block size parameter. However the algorithm's reduction in the number of rounds as the block size grows is too aggressive, making it vulnerable to differential cryptanalysis, with an attack for $2^{59}$ chosen plaintexts when the block is widened from 8 to 212 bytes or more. I know no published attack for less, and it would require a major advance to break XXTEA with a block size of 8 to 24 bytes, or if it was strengthened by replacing 6 with 12 in the formula for the number of rounds. – fgrieu Sep 17 '18 at 05:46
  • These three published attacks on XTEA are for reduced round-versions, and require impractically much work. However these attack break more rounds for XTEA than for TEA, which (beside TEA having been more scrutinized) is reason why I would recommend TEA over XTEA when equivalent keys are not an issue. – fgrieu May 16 '23 at 15:17