TEA, the Tiny Encryption Algorithm, is a block cipher designed by David Wheeler and Roger Needham in 1994 while at the Computer Laboratory at Cambridge University. The idea was that unlike more complicated algorithms (such as Twofish or DES) it could be programmed quickly from memory, or from a text description. In this sense it is similar to RC4 (another easy to remember algorithm), though a block cipher is actually much more useful than a stream cipher like RC4, as it is easy to turn it into a stream cipher or hash function if needed.

The design of TEA is based around the idea of taking a quite simple structure and iterating it a lot of times. In this case, 32 times, rather than the more typical 12-16 rounds used by other block ciphers (a notable exception being Serpent, which also uses 32 rounds). In fact, the algorithm is so simple that it is described using the following C code (taken from the paper, but cleaned up a bit).

/* v holds the 64 bit data block, k holds the 128 bit key */
void code(unsigned int v[2], unsigned int k[4])
   /* set up */
   unsigned int sum = 0, n = 32;
   unsigned int y=v[0], z=v[1];   /* set up */
   unsigned int delta=0x9e3779b9; /* a key schedule constant */
   while (n-->0)
      { /* basic cycle start */
      sum += delta;
      y += (z<<4)+k[0] ^ z+sum ^ (z>>5)+k[1];
      z += (y<<4)+k[2] ^ y+sum ^ (y>>5)+k[3];
      } /* end cycle */

I've changed the code to use int instead of long, because these days long is often 64 bits, which is not what was intended (remember, this code was written in 1994, when DOS was everywhere and very few 64-bit machines existed). I've also changed the brace formatting to Whitesmith, because everyone knows this is the one true brace style (just kidding, put the torches away...)

TEA is, if nothing else, very cute, but there are some problems that arise from its simplicity. In particular, the complete lack of a real key schedule opened it up to several attacks, which were later fixed by a modification, called XTEA. Another problem is that an ambiguity in the C code (not helped by the lack of test vectors or textual description), resulted in two different implementations of TEA, one correct, and one not. Also, no endian conventions were ever defined (though almost universally, implementations use big-endian).

So, in conclusion, TEA is kind of neat, but not something you should be using in any product; the simplicity of it is nice, but not worth it given the number of problems it has.

  • TEA, a Tiny Encryption Algorithm; http://www.ftp.cl.cam.ac.uk/ftp/papers/djw-rmn/djw-rmn-tea.html
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2 and TEA; http://www.funet.fi/~bande/docs/crypt/analysis/keysched-icics97.ps
  • Tea Extensions; http://www.funet.fi/~bande/docs/crypt/system/xtea.ps.gz