###### NIST Recommendations

- Modes of operation for block ciphers approved by NIST (source, updated February 12, 2018)
- Encryption: 6
- Authentication: 1
- Encryption with Authentication: 5
- Format-Preserving Encryption: 2

- Minimum key sizes approved by NIST (source, published January 2016)
- AES: 128 bits
- Diffie-Hellman: 2048 bits (617 digits)
- RSA: 2048 bits (617 digits)
- Digital Signature Algorithm: 2048 bits (617 digits) for public key, 224 bits (68 digits) for private key
- Elliptic Curve Cryptography: 224 bits (68 digits)

###### Record-Breaking Computations

- Record for factoring a product of two large primes of general form (source, announced February 28, 2020):

*n *= 2140324650240744961264423072839333563008614715144755017797754920881418023447140136643345519095804679610992851872470914587687396261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937

= 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367

×

33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711

(“RSA-250“, 829 bits, 250 digits)

- Record for finding a discrete logarithm modulo a prime (source, announced December 2, 2019):

*p *= RSA-240 + 49204 (the first safe prime above “RSA-240“, 795 bits, 240 digits)

774356626343973985966622216006087686926705588649958206166317147722421706101723470351970238538755049093424997

≡ 5^{92603135928144195363094955331732855502961099191437611616729420475898744562365366788100548099072093487548258752802923326447367244150096121629264809207598195062213366889859186681126928982506005127728321426751244111412371767375547225045851716}

(mod *p*)

- Record for finding a discrete logarithm in a finite field (source, announced July 10, 2019): Finite field has 2
^{30750}elements; size of the field is 30750 bits (14672 digits).

The finite field was obtained by taking polynomials in two variables,*x*and*t*, and reducing them modulo*t*^{30 }+*t*+ 1, modulo*x*^{1025 }+*x*+*t*^{3}, and modulo 2.The challenge was to take the logarithm ofwith respect to the generator*g*=*x*+*t*^{9 }.

- Record for finding a discrete logarithm on an elliptic curve of general form modulo
*p*(source, announced June 16, 2020):

*p *= 2^{256} – 2^{32} – 2^{9} – 2^{8} – 2^{7} – 2^{6} – 2^{4} – 1 = 115792089237316195423570985008687907853269984665640564039457584007908834671663

*A* ≡ 31464123230573852164273674364426950 *G *(mod *p*)

The logarithm was from the 100 BTC Bitcoin Challenge and was specified to have at most 115 bits (35 digits).

- Record for finding the shortest vector in a randomly generated lattice (source, announced February 8, 2021): A point in a lattice in 180 dimensions which is distance 3509 from the origin.
- Record for solving the Learning With Errors problem in the highest dimension (source, announced June 12, 2022): A point in a lattice in 90 dimensions with a relative error size of 0.005.
- Record for solving the Learning With Errors problem with the largest relative error (source, announced March 6, 2022): A point in a lattice in 40 dimensions with a relative error size of 0.035.

###### Quantum Computing Records

- Largest number reported factored using Shor’s Algorithm for fast quantum computing: 21 (source, published October 21, 2012)
- Largest number reported factored using quantum computation at any speed: 249919 (source, published December 5, 2018)

###### Quantum Cryptography Records

- Fastest quantum key agreement systems:
- Longest quantum key agreement systems:

###### Post-Quantum Cryptography

- Submissions to the NIST Post-Quantum Cryptography Standardization process (source, presented April 11, 2018)
- Submissions received by NIST: 82
- Submissions meeting minimum specified requirements: 69
- Submissions still in contention as of the First PQC Standardization Conference: 64
- Submitters involved: 278, from “25 Countries, 16 States, 6 Continents”

- Submissions selected for standardization after Round 3 (source, announced July 5, 2022)
- CRYSTALS-KYBER (key-establishment for most use cases)
- CRYSTALS-Dilithium (digital signatures for most use cases)
- FALCON (digital signatures for use cases requiring smaller signatures)
- SPHINCS+ (digital signatures not relying on the security of lattices)

- Public-key encryption and key-establishment algorithms deferred to Round 4 of the NIST Post-Quantum Cryptography Standardization process: BIKE, Classic McEliece, HQC, SIKE
- 4th NIST PQC Standardization Conference: November 29-December 1, 2022
- Draft standards available for public comment: 2022-2024

- New Call for Proposals: Digital Signature Algorithms with Short Signatures and Fast Verification, Due June 1, 2023

###### Lightweight Cryptography

- Submissions to the NIST Lightweight Cryptography Standardization process (source, updated April 19, 2019)
- Submissions received by NIST: 57
- Submissions meeting minimum specified requirements: 56

- Submissions surviving to Round 2 of the NIST Lightweight Cryptography Standardization process (source, announced August 30, 2019)
- Round 2 candidate submissions: 32
- 3rd NIST Lightweight Cryptography Workshop: November 4-6, 2019
- 4th NIST Lightweight Cryptography Workshop (virtual): October 19-21, 2020

- Submissions surviving to Round 3 of the NIST Lightweight Cryptography Standardization process (source, announced March 29, 2021)
- Round 3 candidate submissions: 10 (ASCON, Elephant, GIFT-COFB, Grain128-AEAD, ISAP, Photon-Beetle, Romulus, Sparkle, TinyJambu, and Xoodyak)
- 5th NIST Lightweight Cryptography Workshop (virtual): May 9-11, 2022
- The final round of evaluation is (as of July 2022) expected to conclude late in 2022.