Lightweight cryptography is primarily driven by NIST, the U.S. National Institute of Standards and Technology, which ran a multi-year public competition to find the best encryption algorithms for small, resource-constrained devices. The winning algorithm, called Ascon, was designed by a team of four European cryptographers. But the broader effort involves dozens of research groups, universities, and companies across the globe.
NIST and the Standardization Competition
NIST launched its Lightweight Cryptography (LWC) project to find encryption methods that work on devices too small or power-limited for conventional security standards. Think sensors in industrial equipment, RFID tags, medical implants, and the billions of connected gadgets that make up the Internet of Things. Existing NIST cryptographic standards were designed for laptops and servers, not for chips with a fraction of a kilobyte of memory.
The process followed the same model NIST used for selecting its post-quantum cryptography standards: an open, international competition. Researchers from around the world submitted candidate algorithms, which were then publicly analyzed, attacked, and debated over several years. NIST narrowed the field to 10 finalists before selecting Ascon as the winner in February 2023. The final standard, published as SP 800-232, was officially released in August 2025. Meltem Sönmez Turan and Kerry McKay were among the NIST researchers who guided the evaluation and selection process.
The Team Behind Ascon
Ascon was designed in 2014 by four cryptographers: Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and Martin Schläffer. Their affiliations span several European institutions, including Graz University of Technology in Austria, Infineon Technologies (a major semiconductor manufacturer), Lamarr Security Research, and Radboud University in the Netherlands. Dobraunig worked on the design partly during a stint as a visiting postdoctoral researcher at Radboud’s Digital Security group.
Ascon is not a single algorithm but a family of related tools. It handles authenticated encryption (keeping data both secret and tamper-proof), hashing (creating fixed-length fingerprints of data), and extendable output functions. This flexibility is one reason NIST chose it: a single lightweight design can cover multiple security needs on a tiny device.
The 10 Finalist Teams
While Ascon won, nine other finalist algorithms reflect the global research community that shaped the competition. Each was built by a different team, often mixing academic and industry talent:
- Elephant: Tim Beyne, Yu Long Chen, Christoph Dobraunig, and Bart Mennink
- GIFT-COFB: A large team including Subhadeep Banik, Avik Chakraborti, Tetsu Iwata, Thomas Peyrin, and others from institutions in Japan, Singapore, and India
- Grain-128AEAD: Martin Hell, Thomas Johansson, and Willi Meier, among others
- ISAP: Dobraunig, Eichlseder, and Mendel again (several Ascon designers), alongside Stefan Mangard, Bart Mennink, and Robert Primas
- PHOTON-Beetle: Zhenzhen Bao, Avik Chakraborti, Jian Guo, Thomas Peyrin, and collaborators
- Romulus: Tetsu Iwata, Mustafa Khairallah, Thomas Peyrin, and others
- SPARKLE: Alex Biryukov, Johann Großschädl, and a team from the University of Luxembourg
- TinyJambu: Hongjun Wu and Tao Huang
- Xoodyak: Joan Daemen (co-inventor of the AES encryption standard), along with Michaël Peeters, Gilles Van Assche, and collaborators
Several names appear across multiple finalist teams. Christoph Dobraunig, for example, contributed to three of the 10 finalists. Thomas Peyrin from Nanyang Technological University in Singapore was involved in three as well. This kind of overlap is common in academic cryptography, where a relatively small community of specialists collaborates and competes simultaneously.
Universities and Research Labs
A handful of institutions show up repeatedly across the competition and its surrounding workshops. Graz University of Technology has been central, producing several of the Ascon designers and hosting related security research. Radboud University’s Digital Security group in the Netherlands is another hub, with researchers like Bart Mennink and Lejla Batina contributing both finalist designs and later analysis of the standard’s security against side-channel attacks.
George Mason University, through researchers like Jens-Peter Kaps and Kris Gaj, has focused on hardware benchmarking, testing how efficiently these algorithms run on actual chips. The University of Luxembourg contributed the SPARKLE family through Johann Großschädl and Alex Biryukov. The Indian Statistical Institute, Brno University of Technology, East China Normal University, and Worcester Polytechnic Institute all presented research at NIST’s workshops as well. The field is genuinely international, with active contributors from Europe, Asia, and the Americas.
Industry Players
Infineon Technologies, one of the world’s largest semiconductor manufacturers, has been involved since the beginning. Florian Mendel, one of Ascon’s four co-designers, works at Infineon, giving the company a direct hand in shaping the standard it will eventually implement in hardware. This is significant because Infineon produces the secure chips found in passports, payment cards, and automotive systems.
Other companies have contributed through the workshop and review process. Ericsson, through researcher John Preuß Mattsson, has explored how lightweight cryptography fits into communication protocols for constrained IoT networks. Seagate’s research group, with Mustafa Khairallah (also a Romulus finalist designer), has examined how lightweight encryption applies to data storage. Qualcomm also participated through researcher Nicolas Courtois. These companies have a direct commercial interest: they build the devices and infrastructure that need encryption small enough to run on minimal hardware.
What Comes Next
With SP 800-232 finalized, the core standard is set, but NIST has signaled it is not finished. The agency plans to consider additional functionalities that the community has requested, such as a dedicated message authentication code. This would let devices verify the integrity of messages without full encryption, useful in scenarios where speed matters more than secrecy. NIST has said it intends to start evaluating these additions soon, building on the Ascon foundation rather than starting a new competition.