XXTEA

Corrected Block TEA (XXTEA)
	One round of XXTEA
General
Designers	David Wheeler, Roger Needham
First published	October 1998
Derived from	Block TEA
Cipher detail
Key sizes	128 bits
Block sizes	arbitrary, at least two words (64 bits)
Structure	Unbalanced Feistel Network
Rounds	depends on the block size; ~52+6*words (6-32 full cycles)
Best public cryptanalysis
	XXTEA is vulnerable to a chosen-plaintext attack requiring 259 queries and negligible work.

Last updated October 28, 2022

In cryptography, Corrected Block TEA (often referred to as XXTEA) is a block cipher designed to correct weaknesses in the original Block TEA.^[2]^[3]

Formally speaking, XXTEA is a consistent incomplete source-heavy heterogeneous UFN (unbalanced Feistel network) block cipher. XXTEA operates on variable-length blocks that are some arbitrary multiple of 32 bits in size (minimum 64 bits). The number of full cycles depends on the block size, but there are at least six (rising to 32 for small block sizes). The original Block TEA applies the XTEA round function to each word in the block and combines it additively with its leftmost neighbour. Slow diffusion rate of the decryption process was immediately exploited to break the cipher. Corrected Block TEA uses a more involved round function which makes use of both immediate neighbours in processing each word in the block.

XXTEA is likely to be more efficient than XTEA for longer messages.^{[ citation needed ]}

Needham & Wheeler make the following comments on the use of Block TEA:

For ease of use and general security the large block version is to be preferred when applicable for the following reasons.
A single bit change will change about one half of the bits of the entire block, leaving no place where the changes start.
There is no choice of mode involved.
Even if the correct usage of always changing the data sent (possibly by a message number) is employed, only identical messages give the same result and the information leakage is minimal.
The message number should always be checked as this redundancy is the check against a random message being accepted.
Cut and join attacks do not appear to be possible.
If it is not acceptable to have very long messages, they can be broken into chunks say of 60 words and chained analogously to the methods used for DES.

However, due to the incomplete nature of the round function, two large ciphertexts of 53 or more 32-bit words identical in all but 12 words can be found by a simple brute-force collision search requiring 2^96−N memory, 2^N time and 2^N+2^96−N chosen plaintexts, in other words with a total time*memory complexity of 2⁹⁶, which is actually 2^{wordsize*fullcycles/2} for any such cipher. It is currently unknown if such partial collisions pose any threat to the security of the cipher. Eight full cycles would raise the bar for such collision search above complexity of parallel brute-force attacks.^{[ citation needed ]}

The unusually small size of the XXTEA algorithm would make it a viable option in situations where there are extreme constraints e.g. legacy hardware systems (perhaps embedded) where the amount of available RAM is minimal, or alternatively single-board computers such as the Raspberry Pi, Banana Pi or Arduino.

Cryptanalysis

An attack published in 2010 by E. Yarrkov presents a chosen-plaintext attack against full-round XXTEA with wide block, requiring 2⁵⁹ queries for a block size of 212 bytes or more, and negligible work. It is based on differential cryptanalysis.^[1]

To cipher "212 bytes or more" algorithm performs just 6 rounds, and carefully chosen bit patterns allows to detect and analyze avalanche effect. The paper notices adding two additional rounds (i.e. 8 rounds instead of 6) fixes this problem.

Reference code

The original formulation of the Corrected Block TEA algorithm, published by David Wheeler and Roger Needham, is as follows:^[4]

#define DELTA 0x9e3779b9#define MX ((z>>5^y<<2) + (y>>3^z<<4) ^ (sum^y) + (k[p&3^e]^z))longbtea(long*v,longn,long*k){unsignedlongz=v[n-1],y=v[0],sum=0,e,DELTA=0x9e3779b9;longp,q;if(n>1){/* Coding Part */q=6+52/n;while(q-->0){sum+=DELTA;e=(sum>>2)&3;for(p=0;p<n-1;p++)y=v[p+1],z=v[p]+=MX;y=v[0];z=v[n-1]+=MX;}return0;}elseif(n<-1){/* Decoding Part */n=-n;q=6+52/n;sum=q*DELTA;while(sum!=0){e=(sum>>2)&3;for(p=n-1;p>0;p--)z=v[p-1],y=v[p]-=MX;z=v[n-1];y=v[0]-=MX;sum-=DELTA;}return0;}return1;}

According to Needham and Wheeler:

BTEA will encode or decode n words as a single block where n > 1
v is the n word data vector
k is the 4 word key
n is negative for decoding
if n is zero result is 1 and no coding or decoding takes place, otherwise the result is zero
assumes 32 bit 'long' and same endian coding and decoding

Note that the initialization of z is Undefined behavior for n < 1 which may cause a segmentation fault or other unwanted behavior – it would be better placed inside the 'Coding Part' block. Also, in the definition of MX some programmers would prefer to use bracketing to clarify operator precedence.

A clarified version including those improvements is as follows:

#include<stdint.h>#define DELTA 0x9e3779b9#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))voidbtea(uint32_t*v,intn,uint32_tconstkey[4]){uint32_ty,z,sum;unsignedp,rounds,e;if(n>1){/* Coding Part */rounds=6+52/n;sum=0;z=v[n-1];do{sum+=DELTA;e=(sum>>2)&3;for(p=0;p<n-1;p++){y=v[p+1];z=v[p]+=MX;}y=v[0];z=v[n-1]+=MX;}while(--rounds);}elseif(n<-1){/* Decoding Part */n=-n;rounds=6+52/n;sum=rounds*DELTA;y=v[0];do{e=(sum>>2)&3;for(p=n-1;p>0;p--){z=v[p-1];y=v[p]-=MX;}z=v[n-1];y=v[0]-=MX;sum-=DELTA;}while(--rounds);}}

Related Research Articles

Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard (AES) now receives more attention, and Schneier recommends Twofish for modern applications.

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks. They are specified elementary components in the design of many cryptographic protocols and are widely used to encrypt large amounts of data, including in data exchange protocols. It uses blocks as an unvarying transformation.

<span class="mw-page-title-main">Cryptanalysis</span> Study of analyzing information systems in order to discover their hidden aspects

Cryptanalysis refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.

In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.

In cryptography, unicity distance is the length of an original ciphertext needed to break the cipher by reducing the number of possible spurious keys to zero in a brute force attack. That is, after trying every possible key, there should be just one decipherment that makes sense, i.e. expected amount of ciphertext needed to determine the key completely, assuming the underlying message has redundancy.

In cryptography, RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code". The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.

<span class="mw-page-title-main">Serpent (cipher)</span>

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher notable for its simplicity of description and implementation, typically a few lines of code. It was designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory; it was first presented at the Fast Software Encryption workshop in Leuven in 1994, and first published in the proceedings of that workshop.

In cryptography, XTEA is a block cipher designed to correct weaknesses in TEA. The cipher's designers were David Wheeler and Roger Needham of the Cambridge Computer Laboratory, and the algorithm was presented in an unpublished technical report in 1997. It is not subject to any patents.

In cryptography, NewDES is a symmetric key block cipher. It was created in 1984–1985 by Robert Scott as a potential DES replacement.

In cryptography, REDOC II and REDOC III are block ciphers designed by Michael Wood (cryptographer) for Cryptech Inc and are optimised for use in software. Both REDOC ciphers are patented.

Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. ChaCha is a modification of Salsa20 published in 2008. It uses a new round function that increases diffusion and increases performance on some architectures.

In cryptography, an interpolation attack is a type of cryptanalytic attack against block ciphers.

In cryptography, M6 is a block cipher proposed by Hitachi in 1997 for use in the IEEE 1394 FireWire standard. The design allows some freedom in choosing a few of the cipher's operations, so M6 is considered a family of ciphers. Due to export controls, M6 has not been fully published; nevertheless, a partial description of the algorithm based on a draft standard is given by Kelsey, et al. in their cryptanalysis of this family of ciphers.

In cryptography, Treyfer is a block cipher/MAC designed in 1997 by Gideon Yuval. Aimed at smart card applications, the algorithm is extremely simple and compact; it can be implemented in just 29 bytes of 8051 machine code.

In cryptography, M8 is a block cipher designed by Hitachi in 1999. It is a modification of Hitachi's earlier M6 algorithm, designed for greater security and high performance in both hardware and 32-bit software implementations. M8 was registered by Hitachi in March 1999 as ISO/IEC 9979-0020.

The following outline is provided as an overview of and topical guide to cryptography:

Turingery or Turing's method was a manual codebreaking method devised in July 1942 by the mathematician and cryptanalyst Alan Turing at the British Government Code and Cypher School at Bletchley Park during World War II. It was for use in cryptanalysis of the Lorenz cipher produced by the SZ40 and SZ42 teleprinter rotor stream cipher machines, one of the Germans' Geheimschreiber machines. The British codenamed non-Morse traffic "Fish", and that from this machine "Tunny".

Speck is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations. Speck is an add–rotate–xor (ARX) cipher.

References

1 2 Elias Yarrkov (2010-05-04). "Cryptanalysis of XXTEA". Cryptology ePrint Archive.
↑ Matthew D. Russell (2004-02-27). "Tinyness: An Overview of TEA and Related Ciphers". Archived from the original on 2007-08-12.
↑ Roger M. Needham and David J. Wheeler (October 1997). "Tea extensions" (PDF). Computer Laboratory, Cambridge University, England. Retrieved 2008-07-04.
↑ David J. Wheeler and Roger M. Needham (October 1998). "Correction to XTEA" (PDF). Computer Laboratory, Cambridge University, England. Retrieved 2008-07-04.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[yarrkov-broken-1] 1 2 Elias Yarrkov (2010-05-04). "Cryptanalysis of XXTEA". Cryptology ePrint Archive.

[tea-2] Matthew D. Russell (2004-02-27). "Tinyness: An Overview of TEA and Related Ciphers". Archived from the original on 2007-08-12.

[xtea-3] Roger M. Needham and David J. Wheeler (October 1997). "Tea extensions" (PDF). Computer Laboratory, Cambridge University, England. Retrieved 2008-07-04.

[xxtea-4] David J. Wheeler and Roger M. Needham (October 1998). "Correction to XTEA" (PDF). Computer Laboratory, Cambridge University, England. Retrieved 2008-07-04.

[1]

[2]

[3]

[4]