Cryptanalysis of TEA Using Quantum-Inspired Genetic Algorithms

The Tiny Encryption Algorithm ( TEA ) is a Feistel block cipher well known for its simple implementation, small memory footprint, and fast execution speed. In two previous studies, genetic algorithms ( GAs ) were employed to investigate the randomness of TEA output, based on which distinguishers for TEA could be designed. In this study, we used quantum-inspired genetic algorithms ( QGAs ) in the cryptanalysis of TEA. Quantum chromosomes in QGAs have the advantage of containing more information than the binary counterpart of the same length in GAs, and therefore generate a more diverse solution pool. We showed that QGAs could discover distinguishers for reduced cycle TEA that are more efficient than those found by classical GAs in two earlier studies. Furthermore, we applied QGAs to break four-cycle and five-cycle TEAs, a considerably harder problem, which the prior GA approach failed to solve.


Introduction
The Tiny Encryption Algorithm (TEA), a Feistel block cipher notable for its simplicity of description and implementation, was developed by David Wheeler and Roger Needham at the Computer Laboratory of Cambridge University and was first presented at the Fast Software Encryption workshop at Cambridge in 1994 [1].Its design goal was to minimize the memory footprint and maximize the speed.There is an excellent article on TEA by Shepherd [2].
The quantity delta in the C code is used to ensure that encryption/decryption in each cycle is different.A cycle in TEA is defined as two Feistel rounds.The SHIFT, ADD, and XOR operations in TEA provide the necessary diffusion of the statistics of the plaintext in the ciphertext and confusion between the ciphertext and key value for a secure encryption algorithm.
The simplicity of TEA's key schedule algorithm made itself susceptible to the related-key attacks; in [3] three such attacks were suggested.Soon after this discovery, the original authors of TEA created a revised version of TEA called XTEA to address this weakness [4].
Differential cryptanalysis is a commonly used cryptanalytic technique introduced by Biham and Shamir [5].It explores the correlations between the difference in an input and the resultant difference at the output of the encryption.The goal is to discover the non-randomness, in the form of differential characteristics, of the cipher, based on which the information about the secret key used in encryption can be uncovered.In a differential cryptanalysis, a large number of plaintext pairs need to be generated following the patterns of differential characteristics of a specific problem.A random selection method will not be the best technique for this purpose.In [4,6,7], genetic algorithms [8] were employed to improve the search process for effective plaintext pairs to attack Data Encryption Standard (DES) [19].In [9], authors suggested differential attacks on 17-cycle TEA and 23cycle XTEA.
The impossible differential cryptanalysis proposed in [10] is a special case of differential cryptanalysis.Differential cryptanalysis seeks out the differential characteristics of a cipher with greater than expected probability, but the impossible differential cryptanalysis looks for differential characteristics with probability zero (impossible).In [11] authors conducted the impossible differential cryptanalysis of 12-cycle TEA and 14-cycle XTEA.It is interesting to note that XTEA is more vulnerable to this kind of attacks than TEA, although the original improvement was aimed at the key-related attacks.
In the study of the block cipher RC6 [12], a candidate for the Advanced Encryption Standard (AES), authors noticed that block ciphers such as TEA and XTEA that use shifting tended to display some non-random distributions in the least significant bits of their output words.For a secure encryption algorithm, the bits patterns of the output are expected to be uniform, i.e., truly random.They employed the chi-square statistic x 2 to measure the deviation of the observed distributions in the least significant bits of the output from a uniform distribution.Their results showed that RC6 with 128-bit blocks could be distinguished from a random permutation with up to 15 rounds, and for some weak keys up to 17 rounds.
In [13] authors were the first to make use of a genetic algorithm (GA) with x 2 statistic and two customized fitness functions to study the same issue with TEA.More specifically, they studied the bit patterns of the least significant eight bits of the first output word of TEA, i.e., v[0] & 255.Their goal was to search bitmasks for the input, both the input data blocks and the input key, which produces a chi-square statistic value as far as possible from the expected ones.They were successful with onecycle, two-cycle, and three cycle TEAs, but not with the four-cycle TEA, which is a much harder problem.
In [14] authors corrected one of the two fitness functions in [13] and used a meta-GA [15] to optimize the parameters in each GA, including population size and mutation rate, to improve the results in [13], but were unable to tackle the four-cycle TEA.Consequently, to find a means to attack TEA of greater than three-cycles remains challenging.Solving this problem calls for a different approach such as designing more effective fitness functions since the performance of GAs heavily depends on the structure of its fitness function or using other evolutionary computation techniques.

Some Basic Concepts in Quantum Mechanics
In quantum mechanics, particles move from one point to another as if they are waves, reflecting the dual nature of both waves and particles.The shape of these waves depends on the particle's angular momentum and energy level.Particles are in a low energy state on one observation, and in a high energy state on the next.There is no transition at all.The location of quantum particles, such as electrons and photons, can be described by a quantum state vector  , a weighted sum which in the case of two possible locations equals 0 1

  
, where  and  are two weights influencing the particle being in locations 0 or 1 , respectively. represents a linear superposition of the particle given individual quantum state vectors.However, in the act of observing a quantum state, it collapses to a single state [16].This fact will be important when we introduce the quantum-inspired genetic algorithms in Subsection 2.5.

Quantum Bit
The basic unit of information in quantum computing is not a traditional bit but a quantum system with two states such as a photon that has two polarized directions.This quantum system is called qubit.A qubit, quantum bit, is represented as where and are complex numbers and defines the probability that the qubit will be found in state "0" and | | 2 defines the probability that the qubit will be found in state "1".A qubit may be in the state "0", state "1", or a linear superposition of the two.

Quantum Chromosome
Like the other evolutionary algorithms, the quantuminspired genetic algorithms have a representation of individual or chromosome.An m-qubit chromosome is defined as: This expression has the capability to represent a linear superposition of states, from which all possible combinations of different values can be derived.Let us look at one such example of 3qubit chromosome: The states of this chromosome can be represented as The above expression induces a probability distribution such that the probabilities that the chromosome is seen to be in the 8 states 000 , 000 , 001 , 010 , 011 , 100 , 101 , 110 and 111 are the squares of the weights.This 3-qubit chromosome is capable of representing 8 states, and 8 3-bit classical binary chromosomes are required to represent 8 states (000), ( 001), (010), ( 011), (100), ( 101), (110), and (111).A qubit represents probabilities of being in state "0", "1", or a superposition of both, whereas a classical bit must be in either state "0" or "1".It is evident that a qubit contains more information than a classical bit.

Quantum Mutation and Crossover
The mutation operation of a bit in a binary chromosome is flipping that bit.We made use of two types of mutations, rotational mutation and point mutation, in the quantum genetic algorithms used in this work.The rotational mutation operation of a qubit proposed in [17] is defined by a quantum rotation matrix which satisfies = = I, where is the Hermitian adjoint matrix of matrix and I is an identity matrix.In this paper, we only used the following real-valued quantum rotation matrix: where  represents the angle of counterclockwise rotation.
The point mutation is to switch the values of and   in a qubit, and the crossover operation of a quantum chromosome is defined similarly to that of a binary chromosome.The original version of quantuminspired evolutionary algorithm proposed in [17] did not contain such operations.We observed in our experiments that our solutions tended to be trapped at local maxima, so we introduced these two operations to increase the diversity of our solution pool.Other similar definitions of mutation and crossover could be found in the literature.

Quantum Genetic Algorithms
Encouraged by the excellent performance of the quantum-inspired evolutionary algorithm in [17], we adapted the following quantum-inspired genetic algorithm (QGA) for our current study.The structure of QGA is described in the following pseudo code: QGA: Begin t←0 1) initialize quantum population Q(t) of N qubit chromosomes 2) make binary population P(t) by observing the states of Q(t) 3) evaluate P(t) 4) store the best solutions among P(t) into b while( t < T) t←t+1 1) evaluate P(t-1) 2) select the top 50% of Q(t-1) to undergo rotational mutation, point mutation, and crossover to produce N/2 new qubit chromosomes 3) Q(t)= (the top 50% of Q(t-1)) + (N/2 new qubit chromosomes) 4) make P(t) by observing the states of Q(t) 5) store the best solutions among P(t) into b end while End In our implementation of QGA, we chose    1 2  for all qubits in each chromosome when t = 0, so that each qubit had equal probability to be in state "0" or "1".
The quantum rotation angle  was chosen according to Table 1 as in [18], where 0.001

Results
The input of TEA is 128 bits long, which is made of 64 bit blocks of data and a 128 bit key, and the output of TEA is the encrypted 64 bit data stored in v[0] and v [1], where v[0] and v [1] are defined in the C code introduced at the beginning of this paper.
We used a qubit chromosome to represent a bitmask.To evaluate each bitmask in a QGA, a logical AND operation between the bitmask and a randomly generated input pair, data-key, of 128 bits was performed.The resultant values were then passed to TEA to yield the output.There were 211 such randomly generated data-key pairs for each bitmask.
The focus of our work is studying the distribution of the bit patterns of v[0] & 255 in the output of TEA.We recorded the counts of different values of v[0] & 255 from the outputs of TEA.The important question is whether the observed counts were significantly different from the expected ones.There are a variety of ways to assess this difference including Pearson's chi-square, G test, and Fisher's exact test.We utilized the chi-square statistic in this work as in [13] and [14].The Pearson's chi-square is In this equation, N is the number of observations, is the observed counts and is the expected counts.In the current study, the expected counts follow a uniform distribution, which implies the bit patterns are truly random.
There are 256 possible values from v[0] & 255, therefore the maximum value of the chi-square is 522,240 with 255 degrees of freedom and 2 11 observations (See [14] for detailed calculation).

Two-Cycle TEA
where f is the fitness function, x and best are a solution and the best solution respectively, x i and best i are the i-th bit component of x and best.
Since the two-cycle TEA is more difficult than one-cycle TEA, no bitmasks of heavy enough weights can produce the maximal deviation of 522,240.In [13] and [14], authors In this section, we will compare different bitmasks found in each cycle of TEA using QGAs in our study and using GAs in [13] and [14].
modified the fitness function in Equation ( 1) to create the following fitness function to break the two-cycle TEA,

One-Cycle TEA
We used the following fitness function as in [13] and , The idea behind this fitness function is to divide thesearch process of GA into two steps.The first step is to find bitmasks with weights above the thresholdvalue 403.4579, which is about 0.5 percentile of all x 2 values where w represents the weight, the number of 1's, of the bitmask.This fitness function was first introduced in [6], but incorrectly used 522,480 in place of 522,240.This piece-wisely defined fitness function aims to find bitmasks that have maximal deviation from a uniform probability distribution.
and has a P-value of 5 * 10 -9 .The second is to increase the weights of those bitmasks.For one-cycle TEA, we found bitmasks that had maximal deviation from the random distribution with x 2 = 522.240.In [13], the authors found their best solution at weight 153, and [14] found their best solutions to be at weights 154 and 155.The bitmasks of higher weight are preferred since they permit a bigger set of inputs to be used for the test.In [13] authors used a GA with a population size of 100 to find the best bitmask of weight 153 and in [14] authors used a GA with a population size of 185 to find the best bitmasks of weights 154 and 155.To provide a baseline for comparison of different GA techniques, we ran our QGA with a population size of 100 to find the best bitmasks of weights ranging from 151 to 155, which are listed in Table 2.The two bitmasks of weights 151 and 152 in Table 2 were not reported in [13] and [14].Because one-cycle TEA is relatively easier to break, all the bitmasks in Table 2 have their x 2 = 522.240,which is the maximal value for this statistic.In [13], authors employed the fitness function defined in Equation ( 2) to find the following best bitmask with a weight of 155 and an average x 2 statistic of 508.15 on 30 random input-key datasets: {0xBFFFF0FA, 0xFFFE7388, 0xFFFFF7F8, 0xFFFFF3F8, 0xFFFFEF85, 0xFFFFEF8C} In [14] authors found ten bitmasks using the fitness function in Equation ( 2) and calculated the average x 2 statistic across 30 different random input-key datasets, each having 2 11 input-key pairs.Their results are summarized in Table 3.
In [13] and [14], both authors used the same threshold in the fitness function as in Equation ( 2) for two-cycle, three-cycle, and four-cycle TEAs, and the bitmasks found for four-cycle TEA were not usable due to their low weights.We suspected that using a different threshold in the fitness function for each cycle might be more appropriate since the average x 2 values of various cycles are different.Based on this belief, we selected different thresholds in the fitness function for each different cycle.
We used the following fitness function for two-cycle TEA, , The idea behind this fitness function is to ensure the minimum value for x 2 first, then find a bitmask of large weight.
Our QGA discovered ten bitmasks whose average x 2 statistic across 30 different random input-key datasets and weight are included in Table 4.
In Table 4, the average x 2 statistic was 602 and the average bitmask weight was 171, whereas the results from [14] in Table 3 had corresponding values of 453.3875 and 157 respectively.
Our results in Table 4 demonstrated a big improvement over those in [13] and [14].As the cycles of TEA increase, our QGAs show their apparent advantage over GAs as illustrated in the following sections.In all the subsequent experiments below, we used a QGA with population size of 100, generation number of 200, and 0.001  in rotational mutation.

Three-Cycle TEA
For three-cycle TEA, authors in [14] used the same fitness function defined in Equation ( 2) as for the two-cycle TEA to find ten bitmasks.Their average x 2 statistic across 30 different random input-key datasets and weight are presented in Table 5.
In [13], authors used fitness function defined in Equation (2) to get the following best bitmask with a weight of 116 and an average x 2 statistic of 466.5 on 30 random input-key datasets: We identified ten bitmasks using the following fitness function for three-cycle TEA, x otherwise The only difference between this function and that in Equation ( 3) is the threshold employed in the function definition.The information about these bitmasks is summarized in Table 6.The average X 2 statistic was 530.756 and the average bitmask weight was 117.8 in Table 6, while the results from [14] in Table 5 had corresponding values of 420.8242 and 100.2 respectively.For two-cycle and three-cycle TEAs, we obtained better bitmasks than those found in [13] and [14] in terms of both chi-square statistic and weight.

Four-Cycle TEA
The task of finding efficient bitmasks becomes more complicated as the cycles of TEA increase.The approaches in [13] and [14] were sufficient to find efficient bitmasks for TEA of cycles less than four, but failed to attack TEA of cycles greater than or equal to four.
In [13], using the fitness function in Equation ( 2) authors found bitmasks of relatively low weights, less than 47.They then took up a different approach.Instead of using chi-square statistic, they used Strict Avalanche Criterion (SAC), a more sensitive measure, to assess the deviation of the output of TEA from randomness.The best bitmask they found was {0x96922A0C, 0x42C06402, 0x35B11001, 0x97000000, 0xF0000001, 0xBEB00001} with a weight of 50 and an average x 2 statistic of 673.40 on 30 random input-key datasets.Since TEA takes input data of 64 bits, any bitmask of weight less than 64 cannot be useful for different cryptanalysis of TEA.
In [14], authors were unable to find any useful bitmasks for four-cycle TEA.They suspected that with more rounds of calculations in their GA, it might be possible to discover some adequate bitmasks.
Based on the principle that we should approach each cycle differently, the following fitness function was applied to four-cycle TEA, x otherwise Our QGA uncovered five bitmasks.For each of these bitmask, we computed the average x 2 statistic across 30 random input-key datasets.The results are listed in Table 7.All these x 2 statistic values have a P-value less than 5 * 10 -9 .The output v[0] & 255 of the first bitmask in Table 7, from two separate sample runs of TEA on one random input-key dataset of 2 11 pairs, is displayed in the form of histograms in Figure 1.As illustrated in Figure 1, there is a clear peak or bias at the same position 152 for both runs although the frequencies at all other positions are relatively the same.The x 2 statistic values produced by these two sample runs of TEA were 927 and 941 respectively.The significance of these x 2 statistic values, which measure the deviation of TEA output from randomness, can be evaluated by their P-value.We thought it is more helpful if the plots like those in Figure 1 can be exhibited.

Five-Cycle TEA
In both [13] and [14], no results were reported for five-cycle TEA.We used the following fitness function in this case, x otherwise We found the following bitmask: {0xE4822346, 0x830CA317, 0xCE9522DC, 0x3E13C130, 0x33C18B0A, 0x128A11A0} This bitmask has a weight of 76, an average x 2 statistic of 631.74 on 30 random input-key datasets, and a P-value less than 5 * 10 -9 .
For five-cycle TEA, we only reported one bitmask that has a high chi-square statistic and a high weight.It was not the intent of our current study to conduct an exhaustive search of all bitmasks of interest, but rather to demonstrate the effectiveness of QGAs in the cryptanalysis of TEA.

Conclusions
In this paper, QGAs were utilized in the cryptanalysis of TEA.We not only significantly improved the results in [13] and [14] in terms of both bitmask chi-square statistic and weight, but also were able to break TEA of cycles greater than or equal to four, a challenge previous studies could not resolve.With these improved bitmasks, efficient distinguishers for TEA can be constructed.These distinguishers require few inputs to get high distinguishing probability [13].Our success, we believed, was based on designing new fitness functions and the fact that the qubit chromosomes in QGAs are more informative than the bit chromosomes of same length in traditional GAs.

Figure 1 .
Figure 1.The two plots show the histograms of the output of the first bitmask in Table 7.The x-axis represents the possible 256 positions, and the y-axis represents the frequencies of the bit patterns of TEA output at various positions

Table 1 . Rotation angle  updating rules
i