Why are there so many versions of the TEA block cipher?

Question

Why are there so many types of TEA, for example TEA, XTEA, and XXTEA? What are the differences?

Answer 1

The original algorithm is TEA, which is a very lightweight Feistel cipher. However, its extremely simple key schedule has two weaknesses. The first weakness allows what's called a related key attack, which is not an issue if the keys are chosen randomly. The second weakness causes equivalent keys. This means that, for TEA, any given key is equivalent to three other keys. This effectively weakens the keyspace from 2¹²⁸ to 2¹²⁶, which is bad, but not terrible. This is not normally a major problem unless the cipher is used in ways it shouldn't, such as for a hash.

XTEA was designed to fix the weaknesses in the original algorithm, in particular by adding a more complex key schedule. However, it was found that XTEA introduces some related key vulnerabilities of its own and did not meet the intended security target. This lead to another revision called XXTEA. However XXTEA is also vulnerable, in particular to a chosen-plaintext attack requiring only 2⁵⁹ queries (although the attack is impractical). The wide-block variation which avoids the usual downsides of a 64-bit block cipher is highly vulnerable as well, negating yet another benefit of XXTEA. In the end, it turns out that TEA itself is still quite secure as a cipher. It remains secure as long as it is used correctly, i.e. as a block cipher with uniform random and unrelated keys.