With a 256 bit tag (they quote the construction used in the draft), AEGIS-256 could claim 256 bit security against forgery.
But with AEGIS-128L and a 256 bit tag, the probability of a successful forgery is 2^-216, so > 2^-256.
New analysis: https://link.springer.com/chapter/10.1007/978-981-97-7737-2_1
I got a copy of the paper. To summarize:
The fact that a state collision on AEGIS-128L has a complexity above 2^128 but below 2^256 isn't new. This is why in the security guarantees section, we only guarantee 128 bit security regardless of the variant.
What's new is the fact that we could claim 256 bit security against forgeries for AEGIS-256.
I don't know if we should, or if we should remain conservative as this has few practical implications and further analysis may invalidate that claim.
Regardless, that's one more paper we can cite.