XTEA - Wikipedia https://en.wikipedia.

org/wiki/XTEA

XTEA
In cryptography, XTEA (eXtended TEA) is a block cipher
XTEA
designed to correct weaknesses in TEA. The cipher's designers
were David Wheeler and Roger Needham of the Cambridge
Computer Laboratory, and the algorithm was presented in an
unpublished technical report in 1997 (Needham and Wheeler,
1997). It is not subject to any patents.[1]

Like TEA, XTEA is a 64-bit block Feistel cipher with a 128-bit

key and a suggested 64 rounds. Several differences from TEA
are apparent, including a somewhat more complex key-
schedule and a rearrangement of the shifts, XORs, and
additions.

Contents
Implementations
Cryptanalysis
Block TEA
See also
References
Further reading
External links
Two Feistel rounds (one cycle) of XTEA
General
Implementations
Designers Roger Needham, David
This standard C source code, adapted from the reference code Wheeler
released into the public domain by David Wheeler and Roger
First 1997
Needham, encrypts and decrypts using XTEA:
published

#include <stdint.h>
Derived from TEA

/* take 64 bits of data in v[0] and v[1] and 128 bits Successors Corrected Block TEA
of key[0] - key[3] */
Cipher detail
void encipher(unsigned int num_rounds, uint32_t v[2],
uint32_t const key[4]) { Key sizes 128 bits
unsigned int i;
uint32_t v0=v[0], v1=v[1], sum=0, Block sizes 64 bits
delta=0x9E3779B9;
for (i=0; i < num_rounds; i++) {
v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum +
Structure Feistel cipher
key[sum & 3]);
sum += delta; Rounds variable; recommended 64
v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum +
key[(sum>>11) & 3]);
Feistel rounds (32 cycles)

1 de 3 13/10/2019 21:48
XTEA - Wikipedia https://en.wikipedia.org/wiki/XTEA

}
v[0]=v0; v[1]=v1; Best public cryptanalysis
}
A related-key rectangle attack on 36 rounds of
void decipher(unsigned int num_rounds, uint32_t v[2], XTEA (Lu, 2009)
uint32_t const key[4]) {
unsigned int i;
uint32_t v0=v[0], v1=v[1], delta=0x9E3779B9,
sum=delta*num_rounds;
for (i=0; i < num_rounds; i++) {
v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum +
key[(sum>>11) & 3]);
sum -= delta;
v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum +
key[sum & 3]);
}
v[0]=v0; v[1]=v1;
}

The changes from the reference source code are minor:

The reference source code used the unsigned long type rather than the 64-bit clean uint32_t.
The reference source code did not use const types.
The reference source code omitted redundant parentheses, using C precedence to write the round function as e.g.
v1 += (v0<<4 ^ v0>>5) + v0 ^ sum + k[sum>>11 & 3];
The recommended value for the "num_rounds" parameter is 32, not 64, as each iteration of the loop does two Feistel-
cipher rounds. To additionally improve speed, the loop can be unrolled by pre-computing the values of sum+key[].

Cryptanalysis
In 2004, Ko et al. presented a related-key differential attack on 27 out of 64 rounds of XTEA, requiring 220.5 chosen
plaintexts and a time complexity of 2115.15 (Ko et al., 2004).

In 2009, Lu presented a related-key rectangle attack on 36 rounds of XTEA, breaking more rounds than any previously
published cryptanalytic results for XTEA. The paper presents two attacks, one without and with a weak key
assumption, which corresponds to 264.98 bytes of data and 2126.44 operations, and 263.83 bytes of data and 2104.33
operations respectively.[2]

Block TEA
Presented along with XTEA was a variable-width block cipher termed Block TEA, which uses the XTEA round
function, but Block TEA applies it cyclically across an entire message for several iterations. Because it operates on the
entire message, Block TEA has the property that it does not need a mode of operation. An attack on the full Block TEA
was described in (Saarinen, 1998), which also details a weakness in Block TEA's successor, XXTEA.

See also
RC4 — A stream cipher that, just like XTEA, is designed to be very simple to implement.
XXTEA — Block TEA's successor.
TEA — Block TEA's precursor.

References
1. Roger M. Needham, David J. Wheeler (October 1997). Tea extensions (http://www.cix.co.uk/~klockstone/xtea.pdf)

2 de 3 13/10/2019 21:48
XTEA - Wikipedia https://en.wikipedia.org/wiki/XTEA

(PDF). Computer Laboratory, University of Cambridge (Technical report).

2. Lu, Jiqiang (2 July 2008). "Related-key rectangle attack on 36 rounds of the XTEA block cipher". International
Journal of Information Security. 8 (1): 1–11. doi:10.1007/s10207-008-0059-9 (https://doi.org/10.1007%2Fs10207-0
08-0059-9). ISSN 1615-5262 (https://www.worldcat.org/issn/1615-5262).

Further reading
Sekar, Gautham; Mouha, Nicky; Velichkov, Vesselin; Preneel, Bart (2011). Kiayias, A. (ed.). Meet-in-the-Middle
Attacks on Reduced-Round XTEA (https://www.cosic.esat.kuleuven.be/publications/article-1505.ps). Topics in
Cryptology – CT-RSA 2011. Lecture Notes in Computer Science. 6558. pp. 250–267.
doi:10.1007/978-3-642-19074-2_17 (https://doi.org/10.1007%2F978-3-642-19074-2_17).
ISBN 978-3-642-19073-5. Retrieved 2018-10-10.
Ko, Youngdai; Hong, Seokhie; Lee, Wonil; Lee, Sangjin; Kang, Ju-Sung (2004). Related Key Differential Attacks
on 27 Rounds of XTEA and Full-Round GOST (https://www.iacr.org/archive/fse2004/30170298/30170298.pdf)
(PDF). Fast Software Encryption. Lecture Notes in Computer Science. 3017. pp. 299–316.
doi:10.1007/978-3-540-25937-4_19 (https://doi.org/10.1007%2F978-3-540-25937-4_19).
ISBN 978-3-540-22171-5. Retrieved 2018-10-10.
Hong, Seokhie; Hong, Deukjo; Ko, Youngdai; Chang, Donghoon; Lee, Wonil; Lee, Sangjin (2004). Differential
Cryptanalysis of TEA and XTEA. Information Security and Cryptology - ICISC 2003. Lecture Notes in Computer
Science. 2971. pp. 402–417. doi:10.1007/978-3-540-24691-6_30 (https://doi.org/10.1007%2F978-3-540-24691-6_
30). ISBN 978-3-540-21376-5.
Moon, Dukjae; Hwang, Kyungdeok; Lee, Wonil; Lee, Sangjin; Lim, Jongin (2002). Impossible Differential
Cryptanalysis of Reduced Round XTEA and TEA (https://iacr.org/archive/fse2002/23650050/23650050.ps). Fast
Software Encryption. Lecture Notes in Computer Science. 2365. pp. 49–60. doi:10.1007/3-540-45661-9_4 (https://
doi.org/10.1007%2F3-540-45661-9_4). ISBN 978-3-540-44009-3. Retrieved 2018-10-10.
Andem, Vikram Reddy (2003). A cryptanalysis of the Tiny Encryption Algorithm (https://www.tayloredge.com/refer
ence/Mathematics/VRAndem.pdf) (PDF) (Masters thesis). The University of Alabama, Tuscaloosa. Retrieved
2018-10-10.
Saarinen, Markku-Juhani (1998-08-20). "Cryptanalysis of block tea" (https://www.researchgate.net/publication/228
548968). Retrieved 2018-10-10.
Lu, Jiqiang (January 2009), "Related-key rectangle attack on 36 rounds of the XTEA block cipher" (http://jiqiang.go
oglepages.com/IJIS8.pdf) (PDF), International Journal of Information Security, 8 (1): 1–11,
doi:10.1007/s10207-008-0059-9 (https://doi.org/10.1007%2Fs10207-008-0059-9), ISSN 1615-5262 (https://www.
worldcat.org/issn/1615-5262)

3 de 3 13/10/2019 21:48