TEA/XTEA/XXTEA Encryption & Decryption

TEA (Tiny Encryption Algorithm) was designed by David Wheeler and Roger Needham at the Computer Laboratory, Cambridge University in 1994. Its core distinction is radical simplicity: the entire encryption loop is expressible in fewer than 10 lines of C, yet achieves 64-bit block cipher security through 32 iterations of a Feistel-like double round. The magic constant δ = 0x9E3779B9 (approximately φ × 2³², where φ is the golden ratio) is added to the running sum each round to prevent weak-key fixed points.

The TEA family evolved specifically to fix discovered weaknesses: XTEA (1997) addressed related-key attacks in TEA by redesigning the key schedule to permute all four 32-bit key words differently across rounds. XXTEA (1998) extended the design to variable-length blocks using a whole-message Feistel mixing technique. All three variants share the same 128-bit key size and the characteristic delta-based round structure, but differ significantly in security properties and block-size flexibility.

Algorithm Comparison

Key Features

• TEA core loop: just 7 lines of C — famously the most compact block cipher suitable for production use
• 128-bit key split into four 32-bit words; each round uses a different subkey permutation (XTEA/XXTEA)
• 32 double-rounds (64 single-round operations) using δ = 0x9E3779B9 as the round constant
• XXTEA supports variable-length blocks — key advantage for encrypting data of arbitrary size without padding

Encryption Modes (TEA/XTEA only)

• CBC: Cipher Block Chaining — each 64-bit TEA/XTEA block is XORed with the preceding ciphertext block before the 32 double-rounds. The 64-bit IV links blocks into a dependent chain; identical payloads in different positions yield different ciphertext.
• ECB: Electronic Codebook — each 64-bit block is independently processed through the 32 double-rounds with the same key. Two identical 64-bit plaintext blocks always produce identical ciphertext — data structure leaks. Not recommended beyond single-block use cases.
• CFB: Cipher Feedback — TEA/XTEA acts as a keystream generator; the previous ciphertext is encrypted and XORed with the next plaintext segment. Converts the 64-bit block cipher into a byte-granularity stream cipher, useful for game data streams with arbitrary lengths.
• OFB: Output Feedback — the keystream is produced by iterating TEA/XTEA encryption on the IV, independent of the plaintext. Error non-propagation means a corrupted byte affects exactly one byte of recovered plaintext — suited for embedded telemetry where bit errors must be contained.
• RAW: Raw Block - Direct single block encryption without any chaining mode. No IV required.

Security Considerations

• TEA original: David Wagner (1997) demonstrated related-key attacks; avoid TEA when the attacker can choose related keys — use XTEA or XXTEA instead for any new implementation
• XTEA fixed TEA's related-key vulnerability by redesigning the key schedule, but the 64-bit block size still caps security at 2³² blocks (~32 GB) per key before birthday-bound collisions become probable
• XXTEA's whole-message mixing requires at least 2 passes for correctness; for very small blocks (≤ 2 words), the reduced number of mixing steps weakens security — pad short data to at least 3 words
• All three TEA variants are unsuitable for new general-purpose applications; for modern embedded systems, prefer ChaCha20 or AES-128-CTR — reserve TEA family for legacy file format compatibility or extremely resource-constrained environments where code size is the primary constraint

Common Use Cases

• Xbox and Xbox 360 game save file protection: Microsoft's original Xbox used XTEA internally to sign and verify console save data, preventing tampering via memory cards
• QQ instant messenger: Tencent's early QQ protocol used a modified XTEA variant for encrypting session data between clients and servers, documented in open-source QQ protocol reverse-engineering projects
• Cocos2d-x and Unity game asset encryption: TEA/XTEA is popular in game engines for obfuscating resource files (textures, audio, scripts) due to its tiny code footprint in striped-down mobile builds
• Microcontroller and FPGA implementations where ROM is measured in kilobytes: TEA's 7-line core loop compiles to under 100 bytes of ARM Thumb-2 machine code, making it viable on MCUs with very limited flash

References

• Wikipedia - Tiny Encryption Algorithm
• Wikipedia - XTEA
• Wikipedia - XXTEA