
In an article about the NIST Post-Quantum Standardization project I read about the security criteria for the proposed schemes, and there was this table (Level I lowest security, Level V highest):

Level I: At least as hard to break as AES-128 (exhaustive key search)

Level II: At least as hard to break as SHA-256 (collision search)

Level III: At least as hard to break as AES-192 (exhaustive key search)

Level IV: At least as hard to break as SHA-384 (collision search)

Level V: At least as hard to break as AES-256 (exhaustive key search)

If I understand it correctly, then (in the classical way, not using quantum computers and Grover's algorithm) for an exhaustive key search on AES-128 we need to go through $2^{128}$ possibilities, and in a collision search on SHA-256 we need to go through $2^{128}$ possibilities to find a collision (thanks to the birthday paradox).

So my question is: how do security Level I and Level II differ? And likewise, why is the security of AES-192 lower than the security of SHA-384?

kodlu
gorte

1 Answer

This is due to Brassard et al.'s method on hash functions, which has $\mathcal{O}(\sqrt[3]{n})$ attack time for an n-bit hash function, whereas Grover's method has $\mathcal{O}(\sqrt{n})$ time.

  • Level I: At least as hard to break as AES-128: $\mathcal{O}(\sqrt{2^{128}}) = \mathcal{O}(2^{64})$ - by Grover
  • Level II: At least as hard to break as SHA-256: $\mathcal{O}(\sqrt[3]{2^{256}}) \approx \mathcal{O}(2^{85})$ - by Brassard et al.
  • Level III: At least as hard to break as AES-192: $\mathcal{O}(\sqrt{2^{192}}) = \mathcal{O}(2^{96})$ - by Grover
  • Level IV: At least as hard to break as SHA-384: $\mathcal{O}(\sqrt[3]{2^{384}}) = \mathcal{O}(2^{128})$ - by Brassard et al.
  • Level V: At least as hard to break as AES-256: $\mathcal{O}(\sqrt{2^{256}}) = \mathcal{O}(2^{128})$ - by Grover

The space-time comparison of the two quantum hash collision methods:

$$\begin{array}{|c|c|c|}\hline & \text{time} & \text{space} \\ \hline \text{Grover} & \mathcal{O}(\sqrt{n}) & \mathcal{O}(\log{n}) \\ \hline \text{Brassard et al.} & \mathcal{O}(\sqrt[3]{n}) & \mathcal{O}(\sqrt[3]{n}) \\ \hline \end{array}$$

Bernstein has a nice article, "Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete?", about a comparison with parallelized van Oorschot–Wiener. You can also read Squeamish Ossifrage's answer.

Squeamish Ossifrage
kelalaka
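The following is an added worked example, not part of the question or the answer above. It takes the level/primitive table from the question and computes the attack-cost exponents under the classical model (exhaustive key search $2^k$, birthday collision search $2^{n/2}$) and under the quantum query counts the answer uses (Grover $2^{k/2}$, Brassard et al. $2^{n/3}$), then ranks the levels under each model. It shows why the asker's classical view makes Level I and II (and III and IV) look identical, while the quantum exponents separate them and instead make Level IV and V coincide at $2^{128}$. The exponents are textbook query counts, not NIST's own gate-count metric.

```python
"""
Added example (not from the original Q&A): compare the attack-cost
exponents behind the five NIST security levels under a classical and a
quantum (Grover / Brassard-Hoyer-Tapp) cost model.
"""
from fractions import Fraction

# Primitive behind each NIST level, taken from the question's table.
# "key"       = exhaustive key search on a k-bit key
# "collision" = collision search on an n-bit hash output
LEVELS = {
    "I":   ("key", 128),        # AES-128
    "II":  ("collision", 256),  # SHA-256
    "III": ("key", 192),        # AES-192
    "IV":  ("collision", 384),  # SHA-384
    "V":   ("key", 256),        # AES-256
}


def classical_exponent(kind, bits):
    """log2 of the classical cost: 2^k for key search, 2^(n/2) birthday bound."""
    return Fraction(bits, 1) if kind == "key" else Fraction(bits, 2)


def quantum_exponent(kind, bits):
    """log2 of the quantum query cost used in the answer:
    Grover gives 2^(k/2) for key search, Brassard et al. 2^(n/3) for collisions."""
    return Fraction(bits, 2) if kind == "key" else Fraction(bits, 3)


def level_table():
    """Return {level: (classical_exponent, quantum_exponent)} for all five levels."""
    return {lvl: (classical_exponent(kind, bits), quantum_exponent(kind, bits))
            for lvl, (kind, bits) in LEVELS.items()}


def ranking(model):
    """Order the levels from cheapest to most expensive to attack under
    model = "classical" or "quantum". Levels with equal cost are grouped
    together, which is exactly where the 'why do they differ' confusion arises."""
    idx = 0 if model == "classical" else 1
    groups = {}
    for lvl, exps in level_table().items():
        groups.setdefault(exps[idx], []).append(lvl)
    return [groups[e] for e in sorted(groups)]


if __name__ == "__main__":
    for lvl, (c, q) in level_table().items():
        print(f"Level {lvl:>3}: classical 2^{float(c):6.1f}   quantum 2^{float(q):6.1f}")
    print("classical order:", ranking("classical"))
    print("quantum order:  ", ranking("quantum"))
```

Running the script prints the classical ordering `[['I', 'II'], ['III', 'IV'], ['V']]` and the quantum ordering `[['I'], ['II'], ['III'], ['IV', 'V']]`; the second list is the ordering that the answer's Grover and Brassard et al. bounds imply for the five levels.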