The TEA algorithm - beware of dragons?

Kirby Urner urner at
Tue Aug 13 21:04:36 CEST 2002

hal <hfeinstein at> wrote:

>I have been recommending the Tiny Encryption Algorithm (TEA, actually
>for its small size, speed, etc;  however,  while no *practical* attacks
>are published I still wonder at its security.  Professional (mostly
>university based) cryptographers
>usually grin when I ask about TEA's security.  The better ones tell me
>beware of dragons and recommend staying on the
>beaten path using the usual (but boring) IDEA, 3DES,RC4-128 etc.
>This advice, I'm sure, is sound.  But, they point to no new documented
>vulnerabilities.  Have researchers simply not devoted  time to
>assessing TEA (XTEA) as they did to DES or is it that they have nothing
>to report?   If there is nothing to report then is TEA safe?

Just for fun.


 >>> reload(tea)
 <module 'tea' from 'D:\Program Files\Python22\'>
 >>> tea.main()
 Plaintext: The rain
 [1416127776L, 1918986606L]
 [3529750590L, 166105844L]
 [1416127776L, 1918986606L]
 Deciphered: The rain


Python implementation of Tiny Encryption Algorithm
for instructional purposes (i.e. it's slow -- you'll
want assembly language or C for production environments)

based on ANSI C implementation at

this version by K. Urner Aug 13 2002

Note:  Python typically uses long integers for bitwise
ops, but here long integers means open ended in size, 
not 32 bit unsigned as per algorithm.  Shifting long 
integers to the left just makes them bigger, whereas 
the TEA algorithm pushes leftmost bits off a cliff. 

So that's why I keep ANDing with 2^32-1 -- to chop 
the long ints down to size (as if they were 32 bit
unsigned ints as per C).  I'm cross-posting this to 
comp.lang.python because the Python gurus may want to
point out that this isn't the best way to do it.


from binascii import hexlify, unhexlify

def main():
   v=[0,0] # to be enciphered, 64 bits
   k=[0,0,0,0] # key to use, 128 bits

   # convert ascii to long integer
   v[0] = mkbits("The ")
   v[1] = mkbits("rain")

   k[0] = mkbits("This")
   k[1] = mkbits(" is ")
   k[2] = mkbits("pass")
   k[3] = mkbits("word")

   print "Plaintext: " + mkwords(v[0]) + mkwords(v[1])

   print v

   c = encipher(v,k)
   print c
   d = decipher(c,k)
   print d
   print "Deciphered: " + mkwords(d[0]) + mkwords(d[1])

# a couple utility functions
def mkbits(thestr):
   return long(eval('0x'+hexlify(thestr)))

def mkwords(thebits):
   return unhexlify(hex(thebits)[2:-1])

# see                    
def encipher(v,k):
      y += (z << 4 ^ z >> 5) + z ^ sum + k[sum & 3]
      y &= 4294967295L # maxsize of 32-bit integer
      sum += delta
      z += (y << 4 ^ y >> 5) + y ^ sum + k[sum>>11 & 3]
      z &= 4294967295L
      n -= 1

   w[0]=y; w[1]=z
   return w

def decipher(v,k):
   # sum = delta<<5, in general sum = delta * n 

      z -= (y << 4 ^ y >> 5) + y ^ sum + k[sum>>11 & 3]
      z &= 4294967295L      
      sum -= delta
      y -= (z << 4 ^ z >> 5) + z ^ sum + k[sum&3]
      y &= 4294967295L      
      n -= 1
   w[0]=y; w[1]=z
   return w

More information about the Python-list mailing list