In particular, if $2n$ is the squeezing rate then the preimage security is approximately $(\text{log\textsubscript{2}}(\frac{3}{4}))^{-n} \times 2^{\frac{3n}{4}} \times (\text{log\textsubscript{2}}(3))^{\frac{n}{2}}$. For $n = 64$, 96 and 128, the former bound translates to $2^{125.28}$, $2^{187.92}$ and $2^{250.57}$, respectively.
Category / Keywords: secret-key cryptography / KNOT, NIST lightweight cryptography project, Preimage Date: received 24 Apr 2019, withdrawn 29 Apr 2019 Contact author: rsrohit at uwaterloo ca Available format(s): (-- withdrawn --) Note: Thanks to the KNOT designers for pointing out the inconsistencies in Step 1 and Step 2 of the attack (Section 3). The time complexities indeed exceed the claimed security level and hence the mentioned attack does not work in the current scenario. Version: 20190429:223635 (All versions of this report) Short URL: ia.cr/2019/424