Tiny Encryption Algorithm

The Tiny Encryption Algorithm (TEA) is a lightweight block cipher developed by David J. Wheeler and Roger M. Needham at the University of Cambridge Computer Laboratory in 1994, designed for simplicity, speed, and minimal resource requirements on various computing platforms.^[1] It processes data in 64-bit blocks using a 128-bit key through a Feistel network structure consisting of 32 rounds (or cycles, each comprising two Feistel steps), relying on basic operations like addition, subtraction, bitwise XOR, and shifts rather than complex tables or permutations.^[1] This approach enables TEA to achieve full diffusion—where a single-bit change affects the entire output—while being approximately three times faster than software implementations of the Data Encryption Standard (DES) on contemporary systems.^[1] Intended for encrypting short messages or in resource-constrained environments, TEA's code can be implemented in just a few lines, making it suitable for embedded systems and quick prototyping.^[2] TEA's core iteration involves splitting the 64-bit block into two 32-bit halves, v and v^[3], and applying a round function that mixes key material with arithmetic and logical operations using a constant delta value of 0x9E3779B9 (derived from the golden ratio).^[1] The key is divided into four 32-bit subkeys, k to k^[4], incorporated progressively across rounds to ensure dependence on the full key.^[1] Notably, TEA avoids preprocessing or S-boxes, prioritizing ease of implementation over hardware optimization, which contributes to its portability across processors but introduces minor diffusion asymmetries—such as slightly weaker top and bottom bits compared to the middle ones.^[1] Early evaluations confirmed its resistance to basic differential cryptanalysis, with complete avalanche effects after sufficient rounds.^[2] Despite its strengths, TEA exhibits vulnerabilities to related-key attacks, where an adversary exploits differences between multiple keys to recover information, effectively reducing the key strength to about 126 bits; this issue requires around 2³⁴ chosen plaintexts for exploitation under full rounds.^[2] No practical breaks have been found against the full 32-round version in chosen-plaintext or known-plaintext models, and it withstands exhaustive search due to the large key space, though reduced-round variants (e.g., 16 rounds) are more susceptible to collisions or linear approximations.^[4] TEA's simplicity also led to misuse cases, such as in hashing without proper salting, amplifying risks in exposed-key scenarios.^[4] To address these limitations, Wheeler and Needham introduced the eXtended TEA (XTEA) in 1997, modifying the key schedule to introduce key material more gradually and using a session counter derived from round sums, thereby eliminating related-key weaknesses while preserving the 64-bit block size, 128-bit key, and 32-round structure.^[6] XTEA maintains TEA's performance and simplicity, with enhanced diffusion ensuring a single-bit input change impacts roughly half the block immediately.^[6] Further extensions include Block TEA (XXTEA) for variable-length blocks beyond 64 bits, using cyclic shifts for mixing larger data streams efficiently, which is particularly useful for encrypting strings or files without padding.^[2] These variants have found applications in lightweight cryptography for IoT devices, mobile systems, and software like early Xbox saved-game protection, underscoring TEA's enduring influence despite the rise of more modern ciphers like AES.^[2]

Introduction

Overview

The Tiny Encryption Algorithm (TEA) is a lightweight block cipher developed by David J. Wheeler and Roger M. Needham at the University of Cambridge Computer Laboratory. First presented at the Fast Software Encryption workshop in Leuven, Belgium, in December 1994, TEA prioritizes simplicity and efficiency in software implementations to enable secure data encipherment on resource-constrained systems. TEA's design focuses on achieving security through numerous iterations of basic operations rather than intricate transformations, making it suitable for environments where code size and execution speed are critical. The algorithm assumes 32-bit word operations and avoids preset tables or lengthy initialization, allowing straightforward translation into various programming languages. Its minimal structure typically permits a complete implementation in just a few dozen lines of code, facilitating rapid deployment without specialized hardware. In basic operation, TEA encrypts 64-bit plaintext blocks (divided into two 32-bit words) using a 128-bit key (four 32-bit subkeys), processed through a Feistel network consisting of 64 rounds—structured as 32 cycles—for diffusion and confusion. This approach yields performance approximately three times faster than a comparable software implementation of DES in 16 rounds, despite the higher iteration count. Released into the public domain by its designers, TEA carries no patent restrictions, enabling unrestricted use and modification worldwide.^[7]

Historical Development

The Tiny Encryption Algorithm (TEA) was developed in 1994 by David J. Wheeler and Roger M. Needham, researchers at the University of Cambridge Computer Laboratory.^[1] Their work aimed to produce a lightweight block cipher that could be easily implemented in software environments lacking specialized hardware support.^[1] TEA was first publicly presented at the Second International Workshop on Fast Software Encryption, held in Leuven, Belgium, from December 14–16, 1994.^[8] The algorithm's design emphasized simplicity and efficiency, using basic arithmetic operations and a high number of iterations to achieve security without complex structures or precomputed tables, making it particularly suitable for resource-constrained systems such as early embedded devices.^[1] This approach was motivated by the need for a fast alternative to established ciphers like DES, which required more computational overhead in pure software implementations.^[1] Upon its publication, TEA received praise for its elegant minimalism and portability, enabling implementation across diverse programming languages with minimal code—often just a few dozen lines.^[2] However, consistent with the rapid scrutiny typical of new cryptographic proposals, it was quickly analyzed by the community, and shortly after release, cryptanalyst David Wagner identified minor weaknesses, including susceptibility to related-key attacks and a slightly reduced effective key strength.^[2] These findings prompted further refinements by the designers while highlighting TEA's role in advancing accessible software encryption.^[2]

Algorithm Design

Core Structure

The Tiny Encryption Algorithm (TEA) is structured as a Feistel network, a symmetric-key block cipher design that divides the input data into two halves and iteratively applies a round function to one half before combining it with the other, ensuring invertibility for decryption.^[1] TEA processes 64-bit plaintext blocks, represented as two 32-bit words denoted as v_0 and v_1, which serve as the initial left and right halves of the Feistel structure.^[1] The algorithm employs 32 cycles, with each cycle consisting of two rounds, yielding a total of 64 rounds to achieve diffusion and confusion across the block.^[1] In the data flow, the halves alternate roles in each round: the round function is applied to one half (e.g., the right half v_1), mixed with portions of the 128-bit key, and the result is added to the other half (e.g., the left half v_0) to produce an updated value, which then becomes the input for the next round.^[1] This process repeats symmetrically in the second round of the cycle, updating the previously modified half using the newly updated counterpart, promoting balanced mixing without requiring bitwise XOR for the combination step.^[1] For decryption, the Feistel structure's reversibility allows the process to be inverted by performing the same cycles in reverse order, substituting subtractions for additions to retrieve the original plaintext block.^[1]

Key Schedule

The 128-bit key in the Tiny Encryption Algorithm (TEA) is divided into four 32-bit subkeys, denoted as k_0, k_1, k_2, k_3, which are used directly without further expansion or transformation in the key schedule.^[1] These subkeys are incorporated into each round of the Feistel structure to mix with the data halves.^[1] A key component of the schedule is the magic constant \delta = 0x9E3779B9, which is derived from the golden ratio \phi = (1 + \sqrt{5})/2 as the integer part of (( \sqrt{5} - 1)/2 ) \times 2^{32}, approximately equal to $2^{32} / \phi.^[1] This value ensures that successive additions produce a sequence with good diffusion properties across the 32-bit words.^[1] In each encryption round, a running sum s is initialized to 0 at the start and updated by adding [\delta](/page/Delta) once per cycle before the two half-rounds, resulting in s taking values \delta, 2\delta, \dots, 32\delta across the 32 cycles.^[1] The current value of s is then combined with the subkeys—specifically, added to the data in the XOR term, with k_0 and k_1 used in the first half-round and k_2 and k_3 in the second half-round—to generate round-specific key material for mixing with the data.^[1] For decryption, s starts at $32[\delta](/page/Delta) and subtracts \delta each cycle to reverse the process.^[1] A notable weakness in TEA's key schedule arises from equivalent keys, where certain distinct 128-bit keys produce identical subkey sequences and thus identical ciphertexts for the same plaintext.^[9] Specifically, each key has three equivalents, such as those differing by $0x80000000 in k_2 and k_3, reducing the effective key strength from 128 bits to 126 bits.^[9]

Specifications

Parameters

The Tiny Encryption Algorithm (TEA) operates on a fixed block size of 64 bits, which is divided into two 32-bit unsigned integers, typically denoted as the left and right halves of the plaintext or ciphertext block.^[1] This structure aligns with the algorithm's Feistel network design, where the block is processed symmetrically across multiple rounds.^[1] The key size is 128 bits, consisting of four 32-bit words, which provides the material for the key schedule to generate round subkeys.^[1] TEA employs 64 rounds in total, structured as 32 cycles where each cycle performs two Feistel rounds (one for each half of the block); however, the designers note that 32 rounds (16 cycles) may suffice for many applications, though they recommend the full 64 for maximum security.^[1] The algorithm relies on a minimal set of operations for efficiency: 32-bit modular addition (to avoid overflow issues in word-sized arithmetic), bitwise XOR for combining values, a fixed left shift by 4 bits, and a right shift by 5 bits to introduce diffusion.^[1] Additionally, a key scheduling constant δ, defined as the hexadecimal value 0x9E3779B9 (approximately equal to 2^{32}/φ, where φ is the golden ratio), is used to derive the round keys and ensure non-periodic mixing.^[1] These parameters contribute to TEA's simplicity and suitability for resource-constrained environments.^[1]

Round Function

The round function of the Tiny Encryption Algorithm (TEA) operates within a Feistel-like structure, where each of the 32 cycles (equivalent to 64 rounds) updates the two 32-bit halves of the 64-bit block, denoted as y (left) and z (right), using four 32-bit subkeys k_0, k_1, k_2, k_3 derived from the 128-bit key and a running sum s initialized to 0 for encryption.^[1] In each encryption round, the sum is first incremented by the delta constant \delta = 0x9E3779B9 (approximately $2^{32}/\phi, where \phi is the golden ratio), modulo $2^{32}, to produce s. The left half is then updated as

y \leftarrow y + \left( (z \ll 4) + k_0 \right) \oplus (z + s) \oplus \left( (z \gg 5) + k_1 \right),

where z is the current right half, \ll and \gg denote left and right bitwise shifts, + is addition modulo $2^{32}, and \oplus is bitwise XOR; all operations mix linear and nonlinear components to diffuse changes across the block.^[1] The right half is subsequently updated using the new y:

z \leftarrow z + \left( (y \ll 4) + k_2 \right) \oplus (y + s) \oplus \left( (y \gg 5) + k_3 \right).

^[1] Decryption employs an identical computational structure but reverses the process: the sum starts at s = \delta \times 32 (computed as \delta \ll 5) and decrements by \delta each round, with updates applied in opposite order using subtractions instead of additions. Specifically, assuming x (left) and y (right) are the ciphertext halves, the right half is first updated:

y \leftarrow y - \left( (x \ll 4) + k_2 \right) \oplus (x + s) \oplus \left( (x \gg 5) + k_3 \right),

followed by the left half:

x \leftarrow x - \left( (y \ll 4) + k_0 \right) \oplus (y + s) \oplus \left( (y \gg 5) + k_1 \right).

The shifts remain 4 left and 5 right, ensuring invertibility through the modular arithmetic and XOR properties.^[1] The full encryption pseudocode outline is as follows: initialize y (left) and z (right) to the plaintext halves, s = 0, and loop 32 times, incrementing s by \delta, updating y using z, then z using the new y, before assigning the final y and z as ciphertext halves. For decryption, initialize y (left) and z (right) to ciphertext halves, s = \delta \ll 5, and loop 32 times, first updating z using y, then y using the new z, decrementing s by \delta each iteration, yielding the plaintext halves upon completion.^[1]

Security Analysis

Initial Strengths

The Tiny Encryption Algorithm (TEA) was designed with a focus on simplicity, employing only basic arithmetic and logical operations—specifically addition, exclusive-or (XOR), and bit shifts—to process 32-bit words in a Feistel network structure. This minimalistic approach, consisting of just 32 iterations without any substitution boxes or permutation tables, allowed for straightforward comprehension and reduced the risk of implementation errors, making it accessible even to non-experts in cryptography.^[1] TEA's efficiency stemmed from its low computational overhead and small memory footprint, as it required no preprocessing or large data structures, enabling rapid execution directly on general-purpose processors. On contemporary hardware at the time of its publication, implementations achieved speeds approximately three times faster than software versions of the Data Encryption Standard (DES), thanks to the algorithm's reliance on native CPU instructions for its core operations. This performance profile was particularly advantageous for resource-constrained environments, where it could encrypt data without significant delays or additional hardware support.^[1]^[2] The algorithm's portability was a key strength, as its code could be easily adapted across programming languages and platforms supporting 32-bit arithmetic, with the entire routine fitting into a few dozen lines that could even be handwritten or memorized. It avoided platform-specific optimizations, running effectively on most general-purpose computers without modifications, which facilitated widespread adoption in diverse software applications.^[1] At publication, TEA demonstrated resistance to basic forms of cryptanalysis prevalent in the early 1990s, particularly differential cryptanalysis, achieving full diffusion—where a single-bit change in plaintext affects roughly half the bits in ciphertext—after just six rounds. The design's use of a 128-bit key and numerous rounds was intended to thwart exhaustive searches and linear approximations, with initial analyses showing no exploitable weaknesses under standard attack models.^[1]^[2]

Known Weaknesses and Attacks

The Tiny Encryption Algorithm (TEA) exhibits several cryptographic weaknesses stemming primarily from its simplistic key schedule and round function design. One significant issue is the presence of equivalent keys, where each 128-bit key is indistinguishable from three others due to symmetries in the key schedule; for instance, complementing the most significant bits of key words K0 and K1, or K2 and K3, produces equivalent encryption outputs, effectively reducing the key space to 126 bits.^[10] TEA is vulnerable to related-key attacks, which exploit differences between key pairs to recover the master key. A notable differential related-key attack breaks the full 64-round TEA using approximately 2^{23} chosen plaintexts under one related-key query, with a time complexity of about 2^{32} encryptions; this leverages a 63-round characteristic with probability roughly 2^{-11} by combining rotational and differential properties.^[11] Differential cryptanalysis techniques, including impossible differentials, can break reduced-round versions of TEA but struggle against the full 64 rounds. For example, an impossible differential attack recovers the key for 11-round TEA using approximately 2^{53} chosen plaintexts and 2^{84} time, based on a 10-round impossible differential characteristic; while the full cipher resists such attacks, the margin is narrow given the algorithm's simplicity.^[12] More advanced zero-correlation linear cryptanalysis further undermines TEA's security for reduced rounds. This method identifies zero-correlation linear approximations over 15 rounds, enabling a key-recovery attack on 21-round TEA with 2^{62.62} known plaintexts and 2^{121.51} time complexity; a distinguishing attack extends to 23 rounds using the full codebook in 2^{119.64} time.^[13] TEA is particularly unsuitable for use as a cryptographic hash function, as its equivalent keys facilitate easy collisions in modes like Davies-Meyer. This flaw was exploited in a practical attack on Microsoft's original Xbox console, where hackers modified boot code by leveraging TEA-based hashing collisions to bypass security checks without altering the hash value.^[10]^[14] Due to these vulnerabilities, TEA is considered outdated for security-critical applications and is not recommended for new systems; modern alternatives like AES or ChaCha20 provide stronger resistance to known attacks with comparable or better efficiency.

Variants

Block TEA

Block TEA, also known as the initial block extension of the Tiny Encryption Algorithm (TEA), was developed by David Wheeler and Roger Needham as a means to accommodate variable-length plaintext blocks larger than the original 64-bit fixed size of TEA.^[2] Introduced in 1997 alongside XTEA, it aimed to provide greater flexibility for encrypting messages of arbitrary size without relying on external block cipher modes, thereby maintaining the algorithm's simplicity while extending its applicability to larger data units.^[2] The mechanism of Block TEA simulates a larger block by treating the input as an array of multiple 32-bit words and applying a cyclic mixing process across the entire structure, effectively chaining the words in a key-dependent manner to achieve diffusion throughout the block.^[2] Specifically, the plaintext is divided into n words (where n ≥ 2 for blocks beyond 64 bits), and the encryption proceeds by performing multiple rounds of the core mixing function derived from XTEA, which updates each word based on its value, the subsequent word (wrapping around cyclically at the block's end), and portions of the 128-bit key.^[2] This key-dependent chaining ensures that changes in one part of the block propagate across the entire structure, mimicking the Feistel-like diffusion of the original TEA but adapted for scalability; for instance, with four or more words, the process becomes computationally more efficient than applying TEA sequentially to fixed 64-bit sub-blocks.^[2] Decryption reverses this by applying the inverse operations in the opposite direction. Despite its innovative approach to block size flexibility, Block TEA inherits several security limitations from the original TEA and does not constitute a complete redesign, leaving it susceptible to certain cryptanalytic attacks. In particular, its security against differential cryptanalysis was shown to be inadequate. A notable weakness was demonstrated in 1998 by Markku-Juhani Saarinen, who described a chosen-ciphertext attack that could recover the key using about 2^{34} chosen ciphertexts, highlighting the need for further refinements in subsequent variants.^[15] Overall, while effective for its era in providing a lightweight solution for larger blocks, Block TEA's design prioritizes simplicity over robust long-term security guarantees.

XTEA

XTEA (eXtended Tiny Encryption Algorithm) is a block cipher released in 1997 by David J. Wheeler and Roger M. Needham of the University of Cambridge Computer Laboratory as an improved version of the original TEA to rectify vulnerabilities in its key schedule, particularly equivalent keys and susceptibility to related-key attacks.^[16] Like TEA, XTEA operates on 64-bit blocks using a 128-bit key divided into four 32-bit subkeys and employs 64 rounds in a Feistel structure, but it introduces a key-dependent mechanism for subkey selection to enhance security. The core modification lies in the round function, where an accumulating sum value—initialized to zero and updated each round by adding the fixed constant \delta = 0x9E3779B9 (derived from the golden ratio)—determines the subkeys via bitwise indexing: the first subkey as k[\text{sum} \land 3] and the second as k[(\text{sum} \gg 11) \land 3]. This replaces TEA's fixed subkey usage and constant shifts with a more dynamic mixing, expressed in the update steps as:

y \leftarrow y + ((z \ll 4) \oplus (z \gg 5)) + z \oplus \text{sum} + k[\text{sum} \land 3]

z \leftarrow z + ((y \ll 4) \oplus (y \gg 5)) + y \oplus \text{sum} + k[(\text{sum} \gg 11) \land 3]

All operations are modulo $2^{32}.^[2] These changes eliminate the related-key weaknesses identified in TEA, such as those allowing attacks with minimal chosen plaintexts, by ensuring the effective diffusion of key material across rounds and achieving a security level approaching the full 128-bit key strength without notable key equivalences.^[16]

XXTEA

XXTEA, also known as Corrected Block TEA, is a block cipher variant introduced in 1998 by David J. Wheeler and Roger M. Needham of the Cambridge University Computer Laboratory to address vulnerabilities identified in the earlier Block TEA design.^[17] This algorithm evolved from XTEA by extending its corrections to support arbitrary block sizes while enhancing overall efficiency and security.^[17] The core design of XXTEA accommodates variable-length blocks consisting of n words, where n ≥ 2, employing a generalized Feistel-like structure that processes the data in a cyclic manner across multiple rounds.^[17] Key mixing incorporates the 128-bit key through dependent rotations and modular additions, combined with XOR operations for added nonlinearity, ensuring diffusion across the block.^[17] The number of rounds is dynamically set to 6 + 52/n, which scales the computational effort appropriately for different block sizes, typically ranging from 6 to 32 rounds per word.^[17] XXTEA offers significant advantages over its predecessor Block TEA by resolving propagation issues in difference analysis and improving resistance to related attacks, while maintaining simplicity in its interface.^[17] It performs faster than the original TEA for large blocks exceeding 16 characters, making it suitable for encrypting longer data streams without requiring additional modes of operation.^[17] Like the TEA family, XXTEA is released into the public domain, allowing unrestricted use in software implementations.^[17]

Implementations

Reference Code

The reference implementation of the Tiny Encryption Algorithm (TEA), provided by its designers David Wheeler and Roger Needham, consists of compact C functions for encryption and decryption operating on 64-bit blocks represented as two 32-bit words in an array of unsigned longs (treated as signed longs in the function signatures for compatibility).^[1] This implementation uses a 128-bit key split into four 32-bit words and performs 32 Feistel rounds, though the number of rounds is configurable (e.g., scalable to 64 for enhanced security).^[1] The algorithm's core loop iterates over these rounds, accumulating a sum based on the delta constant (derived from the golden ratio, approximately 2^32 / φ, where φ is the golden ratio), and applies a series of 32-bit additions, exclusive ORs (XORs), and left/right shifts (by 4 and 5 bits) to mix the data and key material, ensuring diffusion across the block.^[1] The code assumes 32-bit longs and performs arithmetic modulo 2^32, with shifts treated as logical (unsigned) operations on the internal unsigned long variables; it is largely machine-independent but may require byte-order adjustments for non-little-endian systems when handling multi-byte data.^[1] The encryption function, named code, initializes the sum to 0 and adds the delta each round before updating the two data words (y and z) via the round function logic, which involves shifting and XORing with key portions and the sum.^[1] Decryption reverses this by starting with the maximum sum (delta * 32) and subtracting delta each round, applying the inverse operations in reverse order.^[1] Below is the complete reference C code as published by the designers:

c
void code(long* v, long* k) {
    unsigned long y = v[0], z = v[1], sum = 0, delta = 0x9e3779b9, n = 32;
    while (n-->0) {
        sum += delta;
        y += (z<<4) + k[0] ^ z + sum ^ (z>>5) + k[1];
        z += (y<<4) + k[2] ^ y + sum ^ (y>>5) + k[3];
    }
    v[0] = y; v[1] = z;
}
void code(long* v, long* k) {
    unsigned long y = v[0], z = v[1], sum = 0, delta = 0x9e3779b9, n = 32;
    while (n-->0) {
        sum += delta;
        y += (z<<4) + k[0] ^ z + sum ^ (z>>5) + k[1];
        z += (y<<4) + k[2] ^ y + sum ^ (y>>5) + k[3];
    }
    v[0] = y; v[1] = z;
}

c
void decode(long* v, long* k) {
    unsigned long n = 32, sum, y = v[0], z = v[1], delta = 0x9e3779b9;
    sum = delta<<5;  /* sum = delta*32 */
    while (n-->0) {
        z -= (y<<4) + k[2] ^ y + sum ^ (y>>5) + k[3];
        y -= (z<<4) + k[0] ^ z + sum ^ (z>>5) + k[1];
        sum -= delta;
    }
    v[0] = y; v[1] = z;
}
void decode(long* v, long* k) {
    unsigned long n = 32, sum, y = v[0], z = v[1], delta = 0x9e3779b9;
    sum = delta<<5;  /* sum = delta*32 */
    while (n-->0) {
        z -= (y<<4) + k[2] ^ y + sum ^ (y>>5) + k[3];
        y -= (z<<4) + k[0] ^ z + sum ^ (z>>5) + k[1];
        sum -= delta;
    }
    v[0] = y; v[1] = z;
}

This implementation is explicitly placed in the public domain by its designers, permitting unrestricted use, modification, and distribution without licensing fees or restrictions.^[2]

Notable Applications

The Tiny Encryption Algorithm (TEA) was utilized in the original Microsoft Xbox console, released in 2001, as part of its security architecture to hash and verify the integrity of the second-stage bootloader within the secret ROM.^[14] This implementation aimed to protect against unauthorized code execution but suffered from a critical design flaw: Microsoft employed TEA as a hash function in Davies-Meyer mode, despite it being a block cipher, which enabled attackers to construct equivalent keys and collisions easily.^[14] As a result, these weaknesses facilitated widespread modding exploits, including the development of modchips and homebrew software like Xbox Linux, undermining the console's copy protection mechanisms.^[14] In resource-constrained environments, TEA's minimal code footprint and efficiency make it suitable for embedded systems requiring lightweight encryption. For example, it was proposed for securing SMS communications in IoT mobile setups, leveraging its fast Feistel structure to encrypt short messages without significant overhead on low-power hardware.^[18] This adoption stems from TEA's ability to perform 32 rounds of processing with basic operations like XOR and shifts, ideal for platforms where more complex ciphers may be demanding.^[19] TEA and its variants, such as XTEA, have been incorporated into open-source software libraries for symmetric encryption needs. The PEAR Crypt_XTEA package for PHP provides a standalone implementation of the extended variant, bypassing the deprecated mcrypt extension while supporting block-based encryption in web applications.^[20] Similarly, TEA has been experimentally implemented and compared to AES in academic work using the Android-based open-source Cryptomator library for client-side file encryption.^[21] In game-related contexts, TEA's simplicity has influenced custom integrations in open-source projects, though specific engine adoptions remain niche due to evolving security standards. Following the NIST standardization of AES in 2001, developers have generally shifted to AES for its superior resistance to cryptanalysis and broader hardware acceleration support. Today, TEA persists mainly in legacy firmware of older embedded devices and pre-AES software, where upgrading is impractical, but its known vulnerabilities—such as related-key attacks—have relegated it to non-critical or historical uses.^[4]