Gleeok-128 Cracked: New Attacks Expose Key Weaknesses

Author: Denis Avetisyan


A comprehensive third-party analysis reveals practical key-recovery attacks against the Gleeok-128 pseudorandom function, challenging its security assumptions.

Gleeok-128 distinguishes itself through specific attacks and branching strategies, evidenced by a comprehensive analysis spanning twelve rounds of operation.

This paper details successful differential and integral cryptanalysis, demonstrating vulnerabilities in Gleeok-128’s linear resistance.

While symmetric ciphers increasingly rely on complex multi-branch structures for performance, evaluating their security margins presents significant analytical challenges. This paper details the first comprehensive third-party cryptanalysis of Gleeok-128, a family of low-latency keyed pseudorandom functions. Through a novel combination of MILP-based differential linear cryptanalysis and integral-based key recovery, we demonstrate practical key-recovery attacks and identify a critical flaw in the original linear security evaluation. Do these findings necessitate a re-evaluation of the design principles guiding modern multi-branch symmetric cipher development?


A Fast Function, Probably Secure (For Now)

Gleeok-128 represents a novel approach to cryptographic design, functioning as a 128-bit pseudorandom function meticulously crafted for applications where speed is paramount. Unlike many cryptographic primitives that prioritize security at the expense of performance, Gleeok-128 is engineered to minimize latency, making it suitable for real-time systems and high-throughput environments. This focus on speed doesn’t come at the cost of security, however; the function is designed with a streamlined architecture that enables rapid computation while still providing a robust defense against common cryptographic attacks. By prioritizing low-latency operation, Gleeok-128 aims to bridge the gap between security and performance, offering a practical solution for resource-constrained devices and demanding applications where every microsecond counts.

Gleeok-128’s architecture builds upon the foundations established by Orthros, a cipher known for its performance and security trade-offs. The designers deliberately incorporated key scheduling and round transformation principles proven effective in Orthros, adapting them to meet the specific demands of low-latency applications. This approach avoids reinventing established cryptographic techniques, instead refining and optimizing existing methods. By leveraging Orthros’ demonstrated efficiency in key expansion and the design of its round functions, Gleeok-128 achieves a balance between robust cryptographic security and minimal computational overhead, making it well-suited for real-time applications where every nanosecond counts. The inheritance from Orthros provides a level of confidence in Gleeok-128’s underlying security, while the targeted modifications ensure optimal performance characteristics.

Gleeok-128 distinguishes itself through a novel three-branch structure, comprising Branch1, Branch2, and Branch3, each meticulously designed to fortify the pseudorandom function against specific attack vectors. This isn’t merely architectural diversity for its own sake; rather, each branch actively contributes a unique security property. Branch1 focuses on diffusion, rapidly spreading input changes throughout the state, while Branch2 prioritizes confusion, obscuring the relationship between the key and the ciphertext. Branch3 serves as a dynamic layer, introducing variability into the round transformations and hindering attempts at differential or linear cryptanalysis. By distributing these crucial security features across independent branches, Gleeok-128 creates a more resilient and robust cryptographic primitive, offering a targeted defense against a broad spectrum of potential threats.

Gleeok-128’s architecture prioritizes cryptographic agility through a deliberately modular design. Rather than relying on a monolithic structure, the function utilizes three distinct branches – Branch1, Branch2, and Branch3 – each engineered to counter specific attack vectors. This targeted approach allows developers to optimize performance by selectively activating or emphasizing branches based on the anticipated threat model. For instance, a system facing primarily linear cryptanalysis might prioritize the security features of Branch2, while minimizing the computational cost of others. Consequently, Gleeok-128 avoids the performance penalties often associated with overly conservative cryptographic designs, delivering robust security precisely where it’s needed without unnecessary overhead, and fostering a system adaptable to evolving threats.

Probing for Weaknesses: A Standard Toolkit

To evaluate the security of Gleeok-128, a suite of established cryptanalytic techniques was implemented. These included Differential Cryptanalysis, which examines differences in ciphertext resulting from differences in plaintext, and Linear Cryptanalysis, which approximates the cipher’s behavior with linear equations to identify correlations with the key. Integral Cryptanalysis was also utilized, focusing on analyzing the cipher’s behavior over sets of plaintexts to reveal imbalances and potential key recovery paths. The application of these standard methods provided a baseline assessment of Gleeok-128’s resistance against well-understood attacks and informed further, more specialized analysis.

Cryptanalysis of Gleeok-128 focused on identifying vulnerabilities within its round functions and key schedule, specifically examining each branch of the cipher’s structure. This involved detailed inspection of the transformations applied in each round to determine if exploitable patterns or statistical biases existed. The round functions were analyzed for potential weaknesses in their non-linear components and diffusion properties, while the key schedule was assessed for any predictability or correlation that could facilitate key recovery. Particular attention was given to how these components interacted across multiple rounds, as cumulative effects could amplify minor weaknesses into significant vulnerabilities. The goal was to determine if the design adequately prevented attacks that leverage imperfections in these core components to reduce the computational effort required for key recovery or plaintext reconstruction.

Integral Cryptanalysis of Gleeok-128 leveraged the Algebraic-degree-bound Approach to limit the complexity of the distinguisher. This technique focuses on bounding the algebraic degree of the distinguisher function to maintain computational feasibility. Further optimization was achieved through the application of the Division Property, a refinement that allows for more efficient construction of distinguishers by exploiting specific properties of the cipher’s internal state. The Division Property enables the identification of partial key recoveries with reduced data requirements compared to standard integral distinguishers, thereby enhancing the practical applicability of the attack.
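The degree-bound argument above, as an added example that is not code from the paper or the Gleeok-128 designers: if every output bit has algebraic degree at most d, the XOR of the outputs over any (d+1)-dimensional input cube is zero for every key. The 16-bit toy SPN, its bit permutation and the use of PRESENT's S-box are assumptions chosen so the property can be checked exhaustively; nothing here models Gleeok-128 itself.

```python
import random

# PRESENT's 4-bit S-box, used only as a stand-in; Gleeok-128's components are not on this page.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def algebraic_degree(sbox, n=4):
    """Largest ANF degree over the output bits (binary Moebius transform)."""
    best = 0
    for bit in range(n):
        anf = [(y >> bit) & 1 for y in sbox]
        for i in range(n):
            for x in range(1 << n):
                if (x >> i) & 1:
                    anf[x] ^= anf[x ^ (1 << i)]
        degrees = [bin(m).count("1") for m in range(1 << n) if anf[m]]
        best = max([best] + degrees)
    return best

def toy_encrypt(x, round_keys):
    """Toy 16-bit SPN (assumption): per round, key XOR, 4 S-boxes, bit permutation."""
    for k in round_keys:
        x ^= k
        x = sum(SBOX[(x >> (4 * j)) & 0xF] << (4 * j) for j in range(4))
        x = sum(((x >> i) & 1) << (15 if i == 15 else (4 * i) % 15) for i in range(16))
    return x

def cube_sum(round_keys, cube_bits, base=0):
    """XOR of ciphertexts over every input that varies on cube_bits only."""
    acc = 0
    for v in range(1 << len(cube_bits)):
        x = base
        for j, b in enumerate(cube_bits):
            x ^= ((v >> j) & 1) << b
        acc ^= toy_encrypt(x, round_keys)
    return acc

def degree_bound(rounds):
    """deg(r rounds) <= deg(S)^r, and a 16-bit permutation has degree <= 15."""
    return min(algebraic_degree(SBOX) ** rounds, 15)

def zero_sum_holds(rounds, trials=20, seed=1):
    """Check the integral property on random keys, cubes and constants."""
    rng = random.Random(seed)
    dim = degree_bound(rounds) + 1          # one more than the degree bound
    for _ in range(trials):
        keys = [rng.getrandbits(16) for _ in range(rounds)]
        cube = rng.sample(range(16), dim)
        if cube_sum(keys, cube, rng.getrandbits(16)) != 0:
            return False
    return True

if __name__ == "__main__":
    for r in (1, 2):
        print(f"{r} round(s): degree <= {degree_bound(r)}, "
              f"zero-sum over {degree_bound(r) + 1}-dim cubes: {zero_sum_holds(r)}")
```

A cube one dimension smaller than the bound carries no such guarantee: with one round and a zero key, at least one 3-bit cube inside a single S-box gives a non-zero sum, which is why the degree estimate directly sets the data a distinguisher needs.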

Differential-linear (DL) distinguishers were successfully developed against Gleeok-128, targeting both Branch1 and Branch2 of the cipher. These distinguishers separate the cipher’s output from random data with a measurable advantage. Specifically, a 4-round DL distinguisher was constructed with a squared correlation of $2^{-49.04}$, indicating a relatively low-complexity attack against the initial rounds. Further analysis yielded a 7-round DL distinguisher exhibiting a squared correlation of $2^{-88.12}$. This demonstrates increased resistance with additional rounds, though the squared correlation remains a key metric in assessing the cipher’s security margin against this specific cryptanalytic approach.

The cryptanalytic evaluation of Gleeok-128 was specifically designed to establish the minimum number of rounds required to provide a demonstrable security margin against known attacks. Analyses, including Differential, Linear, and Integral Cryptanalysis, were not merely exploratory; they aimed to define a threshold beyond which the cipher’s resistance to these methods became statistically significant. The successful construction of 4-round and 7-round distinguishers with squared correlations of $2^{-49.04}$ and $2^{-88.12}$, respectively, provided concrete data points for this determination, informing the round count needed to achieve a robust security level and mitigate the identified vulnerabilities.

Pushing for a Break: Key Recovery Attempts

Key-recovery attacks against Gleeok-128 were conducted to evaluate its practical security margin, utilizing both full-codebook and non-full-codebook settings. Full-codebook attacks leverage access to the complete codebook, simplifying computations but potentially underestimating security in real-world scenarios. Non-full-codebook attacks, conversely, model more realistic attack constraints where only a subset of the codebook is available. This dual approach provides a comprehensive assessment of Gleeok-128’s resistance to attacks aimed at directly revealing the secret key, as opposed to exploiting differential or linear characteristics. The investigation focused on determining the number of rounds susceptible to key recovery given varying levels of attacker resources, including computational complexity and data requirements.

Key-recovery attacks, in contrast to differential or linear cryptanalysis, attempt to directly determine the cryptographic key used in encryption. While differential and linear attacks evaluate the strength of the cipher by assessing its resistance to specific statistical patterns, successful key recovery conclusively breaks the cipher. This approach provides a more definitive security assessment; demonstrating key recovery with a feasible computational effort indicates a critical vulnerability, as the attacker gains complete control over encryption and decryption. Consequently, key-recovery attacks represent a stronger security benchmark than analyses focused solely on approximation probabilities.

Practical key-recovery attacks against Gleeok-128 were successfully demonstrated. A 7-round attack requires $2^{124}$ chosen plaintexts and has a time complexity of $2^{133.6}$. Furthermore, an 8-round attack capable of recovering all 256 key bits was achieved with a time complexity of $2^{129}$. These attacks represent the first demonstrated practical key recovery against Gleeok-128, providing a direct measure of the cipher’s security margin against these specific attack vectors.

The demonstrated 8-round key-recovery attack on Gleeok-128 is executed within a full-codebook setting, necessitating the storage and manipulation of the complete codebook during the attack process. This attack achieves full key recovery of the 256-bit key with a time complexity of $2^{129}$. The computational requirements are significant, demanding $2^{133}$ bytes of memory to store the necessary data for the full-codebook approach. This memory footprint represents a substantial practical consideration for implementing the attack.

A Mixed Integer Linear Programming (MILP)-based framework was implemented to automate the identification and evaluation of differential-linear distinguishers for Gleeok-128. This framework facilitates the systematic search for optimal differential-linear characteristics by modeling the constraints of the cipher as linear inequalities and employing an integer programming solver to find solutions. Automation of this process significantly reduces the manual effort required for security assessment, enabling efficient exploration of a large search space and rigorous verification of attack complexities. The MILP formulation allows for precise calculation of the probability and complexity of distinguishers, providing quantifiable security margins and facilitating a more comprehensive analysis of Gleeok-128’s resistance to differential-linear cryptanalysis.

A Flaw Revealed: Branch3’s Weakness

A recent and thorough review of Branch3’s design revealed a critical error in the specification of how linear masks are propagated within the Ξ Operation. This operation, intended to obscure sensitive data, unexpectedly allowed for a predictable relationship between the mask and the underlying data. Specifically, the propagation wasn’t fully randomizing the mask as intended, creating a vulnerability. This flawed implementation meant the masking process wasn’t achieving its desired security goals, potentially enabling an attacker to deduce information about the encrypted data with significantly reduced effort. The error stemmed from a subtle miscalculation in the bitwise operations used to update the mask, ultimately compromising the confidentiality that Branch3 was designed to provide.

A recently identified vulnerability within Branch3 of the Gleeok-128 cryptographic design stemmed from a subtle flaw that allowed a determined attacker to differentiate the intended output from random noise with a surprisingly low computational effort. Specifically, researchers demonstrated the existence of a linear distinguisher – a statistical test capable of revealing the weakness – requiring only $2^{48}$ data samples to reliably expose the compromised security. This data complexity represents a significant reduction in the effort needed to mount a successful attack, highlighting how even seemingly minor specification errors can drastically undermine the robustness of a cryptographic system and necessitate immediate correction to maintain its integrity.

The identified flaw in the linear mask propagation within Branch3 of Gleeok-128 necessitates immediate correction to maintain the cipher’s robust security profile. While previous analyses suggested a strong resistance to known attacks, the discovery of a linear distinguisher – capable of differentiating correct encryption from random noise with a data complexity of just $2^{48}$ bits – demonstrates a critical vulnerability. Addressing this design imperfection isn’t merely a refinement; it’s fundamental to upholding the integrity of the entire Gleeok-128 system, preventing potential exploitation and ensuring continued confidence in its ability to protect sensitive information. Without this correction, the cipher’s security guarantees are demonstrably compromised, leaving it susceptible to attacks that were previously considered infeasible.

The recent discovery of a flaw in Branch3 of Gleeok-128 underscores a fundamental tenet of robust cryptographic design: the absolute necessity of rigorous verification and validation. Security protocols, by their nature, rely on mathematical precision; even seemingly minor oversights in specification or implementation can create vulnerabilities exploitable with surprisingly low complexity, as demonstrated by the $2^{48}$ distinguisher. This incident serves as a potent reminder that formal methods, comprehensive testing, and independent code review are not merely best practices, but essential safeguards against potentially devastating security breaches. The cost of neglecting these processes far outweighs the investment required, emphasizing that a proactive, verification-focused approach is paramount in building trustworthy cryptographic systems.
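For reference, a linear mask in linear cryptanalysis is a bit-selection vector, and a propagation rule for it can be checked by brute force on a reduced instance. The sketch below is an added example, not code from the paper or the Gleeok-128 designers: it assumes a hypothetical 8-bit rotate-XOR layer (the page gives neither the Ξ operation nor the exact error) and audits the correct transpose rule beside a wrong-direction rule, one classic way such a specification can go wrong.

```python
N = 8  # toy word size (assumption); small enough to enumerate every input

def rotl(x, r):
    return ((x << r) | (x >> (N - r))) & (2**N - 1)

def rotr(x, r):
    return rotl(x, N - r)

def layer(x):
    """Hypothetical linear layer y = M x, with M = I + rot1 + rot3."""
    return x ^ rotl(x, 1) ^ rotl(x, 3)

def rule_transpose(out_mask):
    """Correct rule: input mask = M^T * output mask (rotations reversed)."""
    return out_mask ^ rotr(out_mask, 1) ^ rotr(out_mask, 3)

def rule_forward(out_mask):
    """Wrong-direction rule: applies M itself to the mask."""
    return layer(out_mask)

def parity(v):
    return bin(v).count("1") & 1

def correlation(in_mask, out_mask):
    """Exact correlation of <in_mask, x> ^ <out_mask, layer(x)> over all x."""
    agree = sum(parity(in_mask & x) == parity(out_mask & layer(x))
                for x in range(2**N))
    return 2 * agree / 2**N - 1

def audit(rule):
    """Output masks for which `rule` predicts a trail whose true correlation is not 1."""
    return [b for b in range(1, 2**N) if correlation(rule(b), b) != 1.0]

if __name__ == "__main__":
    print("transpose rule, bad masks:", len(audit(rule_transpose)))
    print("forward rule,   bad masks:", len(audit(rule_forward)))
    print("b=0x01: correct a=0x%02X, wrong a=0x%02X"
          % (rule_transpose(0x01), rule_forward(0x01)))
```

An evaluation that searches trails with the wrong rule scores trails that do not exist and misses ones that do, so a brute-force cross-check of each propagation rule on a small instance is a cheap guard for the bound it produces.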

The analysis detailed within this paper feels predictable. Gleeok-128, despite its initial promise, succumbed to key-recovery attacks – differential cryptanalysis and integral distinguishers proving effective. It’s a recurring pattern; elegant designs clash with the brutal reality of implementation and exploitation. As Andrey Kolmogorov observed, “The most important thing in science is not to be right, but to be useful.” Usefulness, in this case, means confirming yet another cryptographic scheme isn’t impervious. The paper meticulously documents how the linear resistance faltered, highlighting vulnerabilities that, while perhaps unforeseen by the designers, were inevitable given enough scrutiny. It’s not a failure of the idea of Gleeok-128, merely a confirmation that everything new is old again, just renamed and still broken.

What’s Next?

The successful key-recovery attacks against Gleeok-128, detailed within, are less a revelation than a reminder. Every pseudorandom function, no matter how elegantly constructed, eventually yields to sufficient scrutiny – or, more accurately, to the relentless application of automated fuzzing. The claim of ‘linear resistance’ now appears optimistic. One suspects that any metric measuring resistance will be retroactively redefined after the next round of attacks.

The field will, of course, move on to patching, to increasing key sizes, to layering additional, equally breakable, transformations. The pursuit of cryptographic perfection is a Sisyphean task, and the stones are getting heavier. The real question isn’t whether Gleeok-128 is ‘secure enough’, but whether the resources spent defending it could have been better allocated to simpler, more auditable designs. Better one well-understood algorithm than a dozen baroque constructions.

Future work will undoubtedly focus on variations, on ‘Gleeok-192’ or ‘Gleeok-256’. The inevitable scaling-up of parameters rarely addresses fundamental flaws. The true test will be when this, too, finds its way into production, and the logs begin to tell a different story. The pattern is always the same, and it’s rarely surprising.


Original article: https://arxiv.org/pdf/2512.04675.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

2025-12-07 14:34