July 27, 1998

NTT Develops New Symmetric-Key Encryption Algorithm

Nippon Telegraph and Telephone Corporation (NTT) has developed a new symmetric-key encryption algorithm1, E2. E2 is Japan's first 128-bit block cipher2 for commercial use. It is an up-to-date encryption algorithm that features speed and security.

In developing the new algorithm, NTT showed E2 to provide practical security against powerful cryptanalysis such as differential cryptanalysis and linear cryptanalysis3. Furthermore, capable of supporting key lengths4 of 128 bits, 192 bits, or 256 bits, and of running on various platforms, E2 satisfies the need for flexibility in cryptographic systems for the next generation.

NTT has submitted this algorithm to the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce, as a candidate cipher for the Advanced Encryption Standard (AES) 5.


With the popularization of the Internet and other computer networks, encryption technology has become increasingly important for ensuring the secure exchange of information.

Data Encryption Standard (DES)6 is now over twenty years old, but it is still in widespread use, by financial institutions, in particular. Given the performance of computers and the total number of computers that one person could use at the time DES was developed, it was effectively unbreakable. Now, however, improvements in computing power and the spread of networking have dramatically increased the total computing power available to a single person. Furthermore, great strides have been made in cryptanalysis, with the emergence of potent techniques such as differential cryptanalysis and linear cryptanalysis. All of these developments call into question the security of an algorithm designed for a computing environment twenty years old. There is a growing worldwide need for a new encryption technology that can ensure security. These factors encouraged NTT to develop a fast, secure encryption algorithm for the next century.

Technical highlights

(1) Ensured security against differential and linear cryptanalysis

Research is rapidly moving forward on potent cryptanalytic techniques such as differential and linear cryptanalysis, and security against these techniques is a criterion for evaluating the strength of block ciphers. Based on a security evaluation measure7 used to determine a cipher's strength against differential and linear cryptanalysis, NTT evaluated the strength of E2 using the strength of one round function of E2. NTT showed that E2 has reasonable strength against differential and linear cryptanalysis.

(2) Fast encryption processing

Most block ciphers, DES included, use what is called a round function, in which data is fed into the data converter and this conversion is repeated a certain number of times (see Figure 1). Generally, the strength of the cipher increases with the number of iterations, but encryption processing speed suffers.

For example, the round function in DES uses S-boxes, data-substitution steps in which the data are replaced by different values and the result is fed into the permutation function, which re-orders the bits of data (see Figure 2).

The round function used by E2, on the other hand, feeds data through S-boxes in the 1st substitution layer, then feeds it through a linear transformation layer, and then uses the S-boxes again in the 2nd substitution layer. This increases the security of the round function against differential and linear cryptanalysis (see Figure 3) and also reduces the total number of iterations required. The result is faster processing and greater security.

(3) Flexibility to run on various platforms

E2 was designed to permit encryption processing in 8-bit units, the basic unit of most computer calculations. This gives it the flexibility to operate in software, on a smartcard, and on various hardware platforms.

(4) Japan's first 128-bit block cipher for commercial use with key lengths of 128, 192, or 256 bits.

One means of breaking a cipher is brute-force attack8. The security of a block cipher against this attack is dependent upon key length and block length9: the longer the key and the block, the more possibilities need to be searched and the more secure the cipher becomes. DES, the current de facto encryption standard, has a block length of 64 bits and a key length of 56 bits. But to ensure reasonable security, block ciphers for the next generation need to have both longer key length and longer block length. E2 was designed to support a block length of 128 bits and key lengths of 128, 192, or 256 bits. It is being tested as Japan's first 128-bit block cipher for commercial use and meets the requirements for the AES.

Future developments

NTT plans to offer this technology as one of its encrypted communications services. NTT has submitted E2 as a candidate for the AES, in response to the NIST call for proposals. As E2 is deployed for encrypted communication services, following the results of technical evaluation and analysis by specialists as part of the AES development process, NTT will consider these comments on the technology and offer software and custom chips that implements the very latest technology.

More detailed information on E2 should be presented at the Information Security Technical Meeting of the Institute of Electronics, Information and Communication Engineers (held at Tohoku University, Japan) on July 30 and at the First AES Candidate Conference (held in the USA) on date between August 20 and 22.


1 Symmetric-key encryption algorithm

An encryption algorithm that uses the same key to both encrypt and decrypt data. Widely used to quickly encrypt large quantities of data in messages or files.

2 Block cipher

There are two kinds of symmetric-key encryption: block ciphers and stream ciphers. Block ciphers bundle data into blocks of a certain length and encrypt each block. Stream ciphers, on the other hand, encrypt data bit by bit.

3 Differential cryptanalysis and linear cryptanalysis

Currently, these techniques are the most effective methods of attacking block ciphers. Both rely on using huge quantities of plaintext-ciphertext pairs to find the key. Compared with brute-force attack (see note 8), these can break some block ciphers with fewer computing resources.

4 Key length

Determines the total number of available keys. For example, DES uses a 56-bit key, which means there are 256 possible keys. Longer keys result in encryption that is stronger against brute-force attacks.


NIST is seeking to establish a successor symmetric-key block cipher to DES by the year 2000. NIST has accepted proposals from around the world and ended the submission period on June 15. It will now hold a series of AES conferences that will elaborate the principles for selecting a candidate.


Literally "Data Encryption Standard." A symmetric-key encryption algorithm designated as the standard for encryption by National Bureau of Standards (now NIST) in 1977. Still widely used for encrypting data sent between banks.

7 Security evaluation measure

This is a quantitative scale to determine a cipher's strength against differential and linear cryptanalysis, etc. It determines the security of the whole cipher by evaluating the security of round function of the cipher.

8 Brute-force attack

A technique for attacking encryption algorithms that involves trying every possible key and testing to see which one is correct. A longer key length means more possible keys, which makes this attack less feasible.

9 Block length

The size of the bundle used in block ciphers. DES uses a block length of 64 bits. NIST has mandated a block length of 128 bits for the Advanced Encryption Standard to improve security.

    - Reference: About modern cryptography.