1) I found this
csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

4.A.5 Security Strength Categories

NIST anticipates that there will be significant uncertainties in estimating the security strengths of these post-quantum cryptosystems. These uncertainties come from two sources: first, the possibility that new quantum algorithms will be discovered, leading to new cryptanalytic attacks; and second, our limited ability to predict the performance characteristics of future quantum computers, such as their cost, speed and memory size.
In order to address these uncertainties, NIST proposes the following approach. Instead of
defining the strength of a submitted algorithm using precise estimates of the number of
“bits of security,” NIST will define a collection of broad security strength categories.
Each category will be defined by a comparatively easy-to-analyze reference primitive,
whose security will serve as a floor for a wide variety of metrics that NIST deems
potentially relevant to practical security. A given cryptosystem may be instantiated using
different parameter sets in order to fit into different categories. The goals of this
classification are:
1) To facilitate meaningful performance comparisons between the submitted
algorithms, by ensuring, insofar as possible, that the parameter sets being
compared provide comparable security.
2) To allow NIST to make prudent future decisions regarding when to transition to
longer keys.
3) To help submitters make consistent and sensible choices regarding what
symmetric primitives to use in padding mechanisms or other components of their
schemes requiring symmetric cryptography.
4) To better understand the security/performance tradeoffs involved in a given
design approach.
In accordance with the second and third goals above, NIST will base its classification on
the range of security strengths offered by the existing NIST standards in symmetric
cryptography, which NIST expects to offer significant resistance to quantum
cryptanalysis. In particular, NIST will define a separate category for each of the
following security requirements (listed in order of increasing strength [2]):
1) Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 128-bit key (e.g. AES128)
2) Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 256-bit hash function (e.g. SHA256/SHA3-256)
3) Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 192-bit key (e.g. AES192)
4) Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for collision search on a 384-bit hash function (e.g. SHA384/SHA3-384)
5) Any attack that breaks the relevant security definition must require computational resources comparable to or greater than those required for key search on a block cipher with a 256-bit key (e.g. AES 256)

[2] Note that, barring some truly surprising technological development during the standardization process, NIST will assume that the five security strengths are correctly ordered in terms of practical security. (E.g., NIST will assume that a brute-force collision attack on SHA256 will be technologically feasible before a brute-force key search attack on AES192.)
2) I also found this
crypto.stackexchange.com/questions/46523/why-does-kangarootwelve-only-use-12-rounds

I. Intuition: collision only on 6 rounds.
KangarooTwelve aims at fast hashing but also claims 128-bits security. This can be seen in the fact that the capacity is set to 256 allowing a rate of 1344 for a faster absorption.
Note that while the base sponge construction uses only the 12 final rounds of Keccak, it is applied twice on each bit in the case of a message longer than 8129 bytes. You first compute the CV values and then hash them with the first string (see below).
KangarooTwelve(M,C): S_0 || S_1 || ... || S_n = M || C
F = Sponge[Keccak-p[1600,nr=12],r=1344,c=256] (or mini Keccak)
Other reasons that lead one to consider K12 safe are the current absence of collisions for more than 6 rounds, implying a security margin of 100%. This same round-reduced approach is also used in Keyak and Ketje.
If you want more security, you can use Marsupilami 14: it is Kangaroo 12 but with the last 14 rounds of Keccak instead of 12 and a capacity of 512 bits.
II. The complexity arguments.
Joan pointed this out to me: in this note, it is noted that the complexities of the zero-sum distinguisher are
for 18 rounds: $2^{1370}$
for 14 rounds: $2^{257}$
for 12 rounds: $2^{129}$
In the case of KangarooTwelve, the capacity is 256 bits. A generic attack on a sponge with such capacity leads to a complexity of $2^{128}$, thus the complexity of the zero-sum distinguisher for 12 rounds is higher, rendering the efficiency of this attack worse than bruteforce.
As for the 14 rounds of MarsupilamiFourteen and its capacity of 512 bits, the argument is the same.
Notice what it says about rounds and increasing bit depth.
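Added example (not code from either quoted source): a compact sponge over Keccak-p[1600, nr] that reproduces SHA3-256 with all 24 rounds and r=1088, and is then reparametrised to K12's F = Sponge[Keccak-p[1600,nr=12], r=1344, c=256] from the quoted answer, so the round-count and capacity tradeoff can be run rather than read. The domain byte 0x07 for K12 (its '11' suffix before pad10*1) follows the K12 specification; tree hashing of long messages is not included, so k12_F is only the single-chunk inner function.

```python
import hashlib
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,  # iota constants
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],  # rho offsets, ROT[x][y]
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
MASK = (1 << 64) - 1
rol = lambda v, n: ((v << n) | (v >> (64 - n))) & MASK

def keccak_p(A, nr):
    """Keccak-p[1600, nr] = the LAST nr rounds of Keccak-f[1600]; A = 25 lanes, lane (x, y) at x + 5*y."""
    for rnd in range(24 - nr, 24):
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]  # theta
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        B = [0] * 25                                                                  # rho + pi
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = rol(A[x + 5 * y], ROT[x][y])
        A = [B[i] ^ (~B[(i + 1) % 5 + 5 * (i // 5)] & B[(i + 2) % 5 + 5 * (i // 5)]) & MASK for i in range(25)]  # chi
        A[0] ^= RC[rnd]                                                               # iota
    return A

def sponge(msg, rate_bytes, nr, domain_byte, out_len):
    """Sponge[Keccak-p[1600, nr], r=8*rate_bytes, c=1600-r] with pad10*1 applied after domain_byte."""
    p = bytearray(msg) + bytes([domain_byte]) + bytes((-len(msg) - 1) % rate_bytes)
    p[-1] |= 0x80
    A = [0] * 25
    for off in range(0, len(p), rate_bytes):            # absorb: XOR one r-bit block, then permute
        blk = bytes(p[off:off + rate_bytes]).ljust(200, b"\x00")
        A = keccak_p([A[i] ^ int.from_bytes(blk[8 * i:8 * i + 8], "little") for i in range(25)], nr)
    out = b""
    while len(out) < out_len:                            # squeeze: r bytes per permutation call
        out += b"".join(lane.to_bytes(8, "little") for lane in A)[:rate_bytes]
        A = keccak_p(A, nr)
    return out[:out_len]

def matches_hashlib(msg):
    """SHA3-256 is this sponge with 24 rounds, r=1088 (136 bytes), c=512 and domain byte 0x06;
    agreeing with the standard library validates the permutation and padding above."""
    return sponge(msg, 136, 24, 0x06, 32) == hashlib.sha3_256(msg).digest()

def k12_F(s, out_len=32):
    """K12's F: the same sponge with nr=12 and r=1344 (168 bytes), so c=256 and the generic sponge
    bound becomes 2^(c/2) = 2^128; K12's '11' suffix before pad10*1 is the domain byte 0x07."""
    return sponge(s, 168, 12, 0x07, out_len)
```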