Cryptanalysis of Gleeok-128

Siwei Chen, Peipei Xie, Shengyuan Xu, Xiutao Feng, Zejun Xiang, Xiangyong Zeng

TL;DR

This work provides the first independent cryptanalysis of Gleeok-128, a three-branch low-latency PRF. It introduces a two-stage MILP-based differential-linear framework to construct DL distinguishers, and an integral-based framework to enable multi-branch key-recovery, yielding longer DL and integral distinguishers and practical attacks on round-reduced instances. A linear-layer modeling flaw in Branch3 is identified and corrected, with optimized parameter classes that strengthen linear resistance without sacrificing diffusion. The methods extend to Gleeok-256 and offer general tools for analyzing multi-branch SPN designs, advancing understanding of the security margins in such architectures.

Abstract

Gleeok is a family of low-latency keyed pseudorandom functions (PRFs) consisting of three parallel SPN-based permutations whose outputs are XORed to form the final value. Both Gleeok-128 and Gleeok-256 use a 256-bit key, with block sizes of 128 and 256 bits, respectively. Owing to its multi-branch structure, evaluating security margins and mounting effective key-recovery attacks present nontrivial challenges. This paper provides the first comprehensive third-party cryptanalysis of Gleeok-128. We introduce a two-stage MILP-based framework for constructing branch-wise and full-cipher differential-linear (DL) distinguishers, together with an integral-based key-recovery framework tailored to multi-branch designs. Our DL analysis yields 7-, 7-, 8-, and 4-round distinguishers for Branch 1, Branch 2, Branch 3, and Gleeok-128, respectively, with squared correlations approximately $2^{-88.12}$, $2^{-88.12}$, $2^{-38.73}$, and $2^{-49.04}$, outperforming those in the design document except for the full PRF case. By tightening algebraic degree bounds, we further derive 9-, 9-, and 7-round integral distinguishers for the three branches and a 7-round distinguisher for the full PRF, extending the designers' results by 3, 3, and 2 rounds and by 2 rounds, respectively. These integral properties enable 7-round and 8-round key-recovery attacks in the non-full-codebook and full-codebook settings. In addition, we identify a flaw in the original linear security evaluation of Branch 3, showing that it can be distinguished over all 12 rounds with data complexity about $2^{48}$. We also propose optimized linear-layer parameters that significantly improve linear resistance without sacrificing diffusion. Our results advance the understanding of Gleeok-128 and provide general methods for analyzing multi-branch symmetric designs.
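The degree-bound argument behind integral distinguishers on a multi-branch PRF, as an added example that is not the paper's code: a constructed 16-bit, three-branch toy PRF (not Gleeok; the S-box, linear layer, rotations and keys are all assumptions). Each two-round branch has algebraic degree at most 9, so the XOR of outputs over any 10-dimensional input cube is zero for every branch and therefore for the XOR of the branches.

```python
import random

# Constructed toy parameters, NOT Gleeok's: 16-bit block, 4-bit S-box layer,
# bit permutation plus a branch-specific rotation, two rounds per branch.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # 4-bit permutation, degree <= 3
ROTS = (1, 5, 11)                  # assumed per-branch rotations
_rng = random.Random(1)            # constructed round keys
KEYS = [[_rng.getrandbits(16) for _ in range(2)] for _ in range(3)]

def round_fn(x, key, rot):
    """Key addition, S-box layer, then a linear layer (bit permutation + rotation)."""
    x ^= key
    x = sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
    y = 0
    for i in range(16):
        if (x >> i) & 1:
            y |= 1 << (15 if i == 15 else (4 * i) % 15)
    return ((y << rot) | (y >> (16 - rot))) & 0xFFFF

def branch(x, keys, rot):
    for k in keys:
        x = round_fn(x, k, rot)
    return x

def toy_prf(x):
    """XOR of the three branch outputs, mirroring the multi-branch structure."""
    out = 0
    for keys, rot in zip(KEYS, ROTS):
        out ^= branch(x, keys, rot)
    return out

def cube_sum(f, dim, const=0):
    """XOR f over all inputs whose low `dim` bits vary; the high bits hold `const`."""
    base = (const << dim) & 0xFFFF
    acc = 0
    for v in range(1 << dim):
        acc ^= f(base | v)
    return acc

def demo():
    # Degree after two rounds is at most 3 * 3 = 9, so a 10-dimensional cube
    # sums to zero on every branch and therefore on the XOR of the branches.
    per_branch = [cube_sum(lambda x, b=b: branch(x, KEYS[b], ROTS[b]), 10, 0x2A)
                  for b in range(3)]
    return per_branch, cube_sum(toy_prf, 10, 0x2A)

if __name__ == "__main__":
    print(demo())
```

Adding rounds pushes the degree bound past the cube dimension and the guarantee is lost, which is why a tighter degree bound translates directly into a longer distinguisher.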

Paper Structure

This paper contains 19 sections, 1 theorem, 28 equations, 5 figures, 21 tables, 3 algorithms.

Key Result

Theorem 1

Let $F$ be a permutation of $\mathbb{F}_2^n$ and let $G$ be a function from $\mathbb{F}_2^n$ to $\mathbb{F}_2^m$. Then we have where $F^{-1}$ represents the inverse of $F$.

Figures (5)

  • Figure 1: (a) Overall structure and (b) round function of Gleeok-128.
  • Figure 2: The structure of DL distinguishers
  • Figure 3: Overview of Algorithm \ref{alg:second_stage}
  • Figure 4: Overview of the integral-based key-recovery framework on Gleeok-128
  • Figure 5: Overview of Branch3 in the 7-round attack

Theorems & Definitions (2)

  • Theorem 1: Carlet bound [DBLP:journals/tit/Carlet20a]
  • Example 1