NIST Recommendations
 Modes of operation for block ciphers approved by NIST (source, updated February 12, 2018)
 Encryption: 6
 Authentication: 1
 Encryption with Authentication: 5
 FormatPreserving Encryption: 2
 Minimum key sizes approved by NIST (source, published January 2016)
 AES: 128 bits
 DiffieHellman: 2048 bits (617 digits)
 RSA: 2048 bits (617 digits)
 Digital Signature Algorithm: 2048 bits (617 digits) for public key, 224 bits (68 digits) for private key
 Elliptic Curve Cryptography: 224 bits (68 digits)
RecordBreaking Computations
 Record for factoring a product of two large primes of general form (source, announced February 28, 2020):
n = 2140324650240744961264423072839333563008614715144755017797754920881418023447140136643345519095804679610992851872470914587687396261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937
= 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367
×
33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711
(“RSA250“, 829 bits, 250 digits)
 Record for finding a discrete logarithm modulo a prime (source, announced December 2, 2019):
p = RSA240 + 49204 (the first safe prime above “RSA240“, 795 bits, 240 digits)
774356626343973985966622216006087686926705588649958206166317147722421706101723470351970238538755049093424997
≡ 5^{92603135928144195363094955331732855502961099191437611616729420475898744562365366788100548099072093487548258752802923326447367244150096121629264809207598195062213366889859186681126928982506005127728321426751244111412371767375547225045851716}
(mod p)
 Record for finding a discrete logarithm in a finite field (source, announced July 10, 2019): Finite field has 2^{30750} elements; size of the field is 30750 bits (14672 digits).
The finite field was obtained by taking polynomials in two variables, x and t, and reducing them modulo t^{30 }+ t + 1, modulo x^{1025 }+ x + t^{3}, and modulo 2.The challenge was to take the logarithm ofwith respect to the generator g = x + t^{9 }.
 Record for finding a discrete logarithm on an elliptic curve of general form modulo p (source, announced June 16, 2020):
p = 2^{256} – 2^{32} – 2^{9} – 2^{8} – 2^{7} – 2^{6} – 2^{4} – 1 = 115792089237316195423570985008687907853269984665640564039457584007908834671663
A ≡ 31464123230573852164273674364426950 G (mod p)
The logarithm was from the 100 BTC Bitcoin Challenge and was specified to have at most 115 bits (35 digits).
 Record for finding the shortest vector in a randomly generated lattice (source, announced February 8, 2021): A point in a lattice in 180 dimensions which is distance 3509 from the origin.
 Record for solving the Learning With Errors problem in the highest dimension (source, announced June 12, 2022): A point in a lattice in 90 dimensions with a relative error size of 0.005.
 Record for solving the Learning With Errors problem with the largest relative error (source, announced March 6, 2022): A point in a lattice in 40 dimensions with a relative error size of 0.035.
 Record for solving the syndrome decoding problem (as used in Classic McEliece) with the longest length solution (source, announced February 26, 2023): A string of 1347 bits, 25 of which had value 1.
 Record for recovering a McEliece (with Goppa code) secret key from a public key (source, announced May 30, 2024): Public key is a matrix with 40 rows and 253 columns.
 Record for recovering a McEliece (with Goppa code) plaintext from a public key and a ciphertext (source, announced May 30, 2024): Public key is a matrix with 230 rows and 988 columns.
 Record for solving the quasicyclic syndrome decoding problem (as used in BIKE) with the longest length solution (source, announced April 18, 2022): A string of 3138 bits, 56 of which had value 1.
 Record for breaking reducedsize Kyber with the largest secret key size (source, announced August 3, 2023): A 1536bit secret key.
Quantum Computing Records
 Largest number reported factored using Shor’s Algorithm for fast quantum computing: 21 (source, published October 21, 2012)
 Largest number reported factored using quantum computation at any speed: 249919 (source, published December 5, 2018)
Quantum Cryptography Records
 Fastest quantum key agreement systems:
 Longest quantum key agreement systems:
PostQuantum Cryptography
 Submissions to the NIST PostQuantum Cryptography Standardization process (source, presented April 11, 2018)
 Submissions received by NIST: 82
 Submissions meeting minimum specified requirements: 69
 Submissions still in contention as of the First PQC Standardization Conference: 64
 Submitters involved: 278, from “25 Countries, 16 States, 6 Continents”
 Submissions selected for standardization after Round 3 (source, announced July 5, 2022)
 CRYSTALSKYBER (keyestablishment for most use cases)
 CRYSTALSDilithium (digital signatures for most use cases)
 FALCON (digital signatures for use cases requiring smaller signatures)
 SPHINCS+ (digital signatures not relying on the security of lattices)
 Publickey encryption and keyestablishment algorithms deferred to Round 4 of the NIST PostQuantum Cryptography Standardization process: BIKE, Classic McEliece, HQC, SIKE
 4th NIST PQC Standardization Conference: November 29December 1, 2022

Draft standards for KYBER, Dilithium, and SPINCS+ available for public comment: August 24, 2023
 FALCON draft standard available for public comment: 2024
 Submissions to the New Call for Proposals: Digital Signature Algorithms with Short Signatures and Fast Verification (source, announced June 9, 2023)
 Fifth PQC standardization conference: April 1012, 2024.
Lightweight Cryptography
 Submissions to the NIST Lightweight Cryptography Standardization process (source, updated April 19, 2019)
 Submissions received by NIST: 57
 Submissions meeting minimum specified requirements: 56
 Submissions surviving to Round 2 of the NIST Lightweight Cryptography Standardization process (source, announced August 30, 2019)
 Round 2 candidate submissions: 32
 3rd NIST Lightweight Cryptography Workshop: November 46, 2019
 4th NIST Lightweight Cryptography Workshop (virtual): October 1921, 2020
 Submissions surviving to Round 3 of the NIST Lightweight Cryptography Standardization process (source, announced March 29, 2021)
 Round 3 candidate submissions: 10 (ASCON, Elephant, GIFTCOFB, Grain128AEAD, ISAP, PhotonBeetle, Romulus, Sparkle, TinyJambu, and Xoodyak)
 5th NIST Lightweight Cryptography Workshop (virtual): May 911, 2022
 NIST selects Ascon as the family of algorithms for the new Lightweight Cryptography Standard! (source, announced February 7, 2023)
 Unofficial brief description of Ascon
 6th NIST Lightweight Cryptography Workshop (virtual): June 2122, 2023
 Draft standards available for public comment: 2023