## FOR INFORMATION

July 27, 1998## NTT Develops New Symmetric-Key Encryption Algorithm

Nippon Telegraph and Telephone Corporation (NTT) has developed a new symmetric-key encryption algorithm^{1}, E2. E2 is Japan's first 128-bit block cipher^{2}for commercial use. It is an up-to-date encryption algorithm that features speed and security.In developing the new algorithm, NTT showed E2 to provide practical security against powerful cryptanalysis such as differential cryptanalysis and linear cryptanalysis

^{3}. Furthermore, capable of supporting key lengths^{4}of 128 bits, 192 bits, or 256 bits, and of running on various platforms, E2 satisfies the need for flexibility in cryptographic systems for the next generation.NTT has submitted this algorithm to the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce, as a candidate cipher for the Advanced Encryption Standard (AES)

^{5}.

BackgroundWith the popularization of the Internet and other computer networks, encryption technology has become increasingly important for ensuring the secure exchange of information.

Data Encryption Standard (DES)

^{6}is now over twenty years old, but it is still in widespread use, by financial institutions, in particular. Given the performance of computers and the total number of computers that one person could use at the time DES was developed, it was effectively unbreakable. Now, however, improvements in computing power and the spread of networking have dramatically increased the total computing power available to a single person. Furthermore, great strides have been made in cryptanalysis, with the emergence of potent techniques such as differential cryptanalysis and linear cryptanalysis. All of these developments call into question the security of an algorithm designed for a computing environment twenty years old. There is a growing worldwide need for a new encryption technology that can ensure security. These factors encouraged NTT to develop a fast, secure encryption algorithm for the next century.

Technical highlights(1) Ensured security against differential and linear cryptanalysis

Research is rapidly moving forward on potent cryptanalytic techniques such as differential and linear cryptanalysis, and security against these techniques is a criterion for evaluating the strength of block ciphers. Based on a security evaluation measure

^{7}used to determine a cipher's strength against differential and linear cryptanalysis, NTT evaluated the strength of E2 using the strength of one round function of E2. NTT showed that E2 has reasonable strength against differential and linear cryptanalysis.(2) Fast encryption processing

Most block ciphers, DES included, use what is called a round function, in which data is fed into the data converter and this conversion is repeated a certain number of times (see Figure 1). Generally, the strength of the cipher increases with the number of iterations, but encryption processing speed suffers.

For example, the round function in DES uses S-boxes, data-substitution steps in which the data are replaced by different values and the result is fed into the permutation function, which re-orders the bits of data (see Figure 2).

The round function used by E2, on the other hand, feeds data through S-boxes in the 1st substitution layer, then feeds it through a linear transformation layer, and then uses the S-boxes again in the 2nd substitution layer. This increases the security of the round function against differential and linear cryptanalysis (see Figure 3) and also reduces the total number of iterations required. The result is faster processing and greater security.

(3) Flexibility to run on various platforms

E2 was designed to permit encryption processing in 8-bit units, the basic unit of most computer calculations. This gives it the flexibility to operate in software, on a smartcard, and on various hardware platforms.

(4) Japan's first 128-bit block cipher for commercial use with key lengths of 128, 192, or 256 bits.

One means of breaking a cipher is brute-force attack

^{8}. The security of a block cipher against this attack is dependent upon key length and block length^{9}: the longer the key and the block, the more possibilities need to be searched and the more secure the cipher becomes. DES, the current de facto encryption standard, has a block length of 64 bits and a key length of 56 bits. But to ensure reasonable security, block ciphers for the next generation need to have both longer key length and longer block length. E2 was designed to support a block length of 128 bits and key lengths of 128, 192, or 256 bits. It is being tested as Japan's first 128-bit block cipher for commercial use and meets the requirements for the AES.

Future developmentsNTT plans to offer this technology as one of its encrypted communications services. NTT has submitted E2 as a candidate for the AES, in response to the NIST call for proposals. As E2 is deployed for encrypted communication services, following the results of technical evaluation and analysis by specialists as part of the AES development process, NTT will consider these comments on the technology and offer software and custom chips that implements the very latest technology.

More detailed information on E2 should be presented at the Information Security Technical Meeting of the Institute of Electronics, Information and Communication Engineers (held at Tohoku University, Japan) on July 30 and at the First AES Candidate Conference (held in the USA) on date between August 20 and 22.

Notes:

^{1}Symmetric-key encryption algorithm

^{3}Differential cryptanalysis and linear cryptanalysis

- Reference: About modern cryptography.

NTT NEWS RELEASE