Question

I'm looking for information on known-plaintext attacks against XTEA. I'm most interested in the worst-case scenario: if an attacker has all 8 bytes of input and all 8 bytes of output, how much information can they learn about the key (and how easily)? Or I guess worse than that is if they have multiple such pairs of blocks produced with the same key.

Additionally, suppose an attacker knows all 8 bytes of plaintext, but only X bytes of ciphertext (including their position in the block). Then what kind of information can they determine about the key? (This has applications when other modes, like CTR, are used and a crib occurs in the first block.)

Explanation / Answer

I know no published attack against the XTEA algorithm, much less one working with a few plaintext/ciphertext pairs and a random key.

There are published attacks against reduced variants of XTEA, AFAIK either with much less than half of the 64 rounds, or up to 36 rounds but assuming related and/or weak keys in addition to known plaintext. Often, especially as the number of rounds grows, much more than one plaintext/ciphertext pair is required.

By the metric of how many extra rounds this Feistel cipher has above the threshold where it gets broken, XTEA seems on the safe side.

The single known practical weakness of the XTEA algorithm is its 64-bit block size, which opens the door to attacks on modes of operation and protocols using XTEA, especially when the amount of data involved reaches a few gigabytes processed with the same key. We also must fear attacks against implementations of XTEA, in particular by side-channel cryptanalysis.
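For reference, the round structure the answer counts, as an added example that is not part of the original answer: this follows the widely published XTEA reference routine, in which one loop iteration is two Feistel rounds, so 32 iterations give the full 64 rounds and smaller counts give the reduced-round variants. The function names, sample key and sample block are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define XTEA_DELTA 0x9E3779B9u

/* cycles = 32 is full XTEA (64 Feistel rounds); cycles = 18 is a 36-round variant. */
void xtea_encipher(unsigned cycles, uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < cycles; i++) {
        /* odd round: left half absorbs a keyed function of the right half */
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        /* even round: right half absorbs a keyed function of the new left half */
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Inverse: same rounds in reverse order, starting from the final sum value. */
void xtea_decipher(unsigned cycles, uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * cycles;
    for (unsigned i = 0; i < cycles; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Returns 1 if decipher(encipher(block)) restores the block. */
int xtea_roundtrip_ok(unsigned cycles, const uint32_t pt[2], const uint32_t key[4]) {
    uint32_t v[2] = { pt[0], pt[1] };
    xtea_encipher(cycles, v, key);
    xtea_decipher(cycles, v, key);
    return v[0] == pt[0] && v[1] == pt[1];
}

int main(void) {
    /* Constructed sample key and plaintext block (not published test vectors). */
    const uint32_t key[4] = { 0x00010203u, 0x04050607u, 0x08090A0Bu, 0x0C0D0E0Fu };
    const uint32_t pt[2] = { 0x41424344u, 0x45464748u };
    const unsigned counts[3] = { 1, 18, 32 };   /* 2, 36 and 64 rounds */
    for (int i = 0; i < 3; i++) {
        uint32_t v[2] = { pt[0], pt[1] };
        xtea_encipher(counts[i], v, key);
        printf("%2u rounds: %08X %08X\n", 2 * counts[i], (unsigned)v[0], (unsigned)v[1]);
    }
    return xtea_roundtrip_ok(32, pt, key) ? 0 : 1;
}
```

The block is 64 bits wide regardless of the round count, which is the property behind the block-size weakness the answer describes.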
