E2　algorithm　is　one　of　the　15　candidate　algorithms　in　the　first　round　of　AES　collection.　In　this　paper,　taking　E2-128　as　an　example,　the　quantum　security　analysis　on　E2　algorithm　is　proposed　for　the　first　time　in　quantum　chosen-plaintext　attack　setting.　First,　a　polynomial-time　distinguisher　on　4-round　E2-128　is　constructed　with　212.1　quantum　queries　by　taking　the　properties　of　the　internal　round　function　into　consideration.　Then,　by　extending　the　distinguisher　2　rounds　backward,　a　6-round　quantum　key　recovery　attack　is　achieved　with　the　help　of　Grover-meet-Simon　algorithm,　whose　time　complexities　gain　a　factor　of　276,　where　the　subkey　length　that　can　be　recovered　is　152　bits　with　the　occupation　of　560　qubits.　Furthermore,　when　attacking　r＞6　rounds,　152+(r-6)×128-bit　subkey　needs　to　be　guessed　in　time　276+(r-6)×64,　which　is　1252　of　Grover’s　quantum　brute　force　search.　Finally,　we　present　a　quantum　attack　against　E2-128　with　288.1　quantum　queries　by　taking　initial　transformation　and　terminal　transformation　into　consideration.　The　result　shows　that　the　time　complexity　of　the　quantum　attack　is　significantly　reduced,　and　E2　algorithm　is　safe　enough　to　resist　quantum　attack.　©　The　Author(s),　under　exclusive　licence　to　Springer　Science+Business　Media,　LLC,　part　of　Springer　Nature　2025.