Gleeok is a family of low latency keyed pseudorandom functions (PRFs) consisting of three parallel SPN based permutations whose outputs are XORed to form the final value. Both Gleeok-128 and Gleeok-256 use a 256 bit key, with block sizes of 128 and 256 bits, respectively. Owing to its multi branch structure, evaluating security margins and mounting effective key recovery attacks present nontrivial challenges. This paper provides the first comprehensive third party cryptanalysis of Gleeok-128. We introduce a two stage MILP based framework for constructing branch wise and full cipher differential linear (DL) distinguishers, together with an integral based key recovery framework tailored to multi branch designs. Our DL analysis yields 7, 7, 8, and 4 round distinguishers for Branch 1, Branch 2, Branch 3, and Gleeok-128, respectively, with squared correlations approximately 2 to the power minus 88.12, 2 to the power minus 88.12, 2 to the power minus 38.73, and 2 to the power minus 49.04, outperforming those in the design document except for the full PRF case. By tightening algebraic degree bounds, we further derive 9, 9, and 7 round integral distinguishers for the three branches and a 7 round distinguisher for the full PRF, extending the designers results by 3, 3, and 2 rounds and by 2 rounds, respectively. These integral properties enable 7 round and 8 round key recovery attacks in the non full codebook and full codebook settings. In addition, we identify a flaw in the original linear security evaluation of Branch 3, showing that it can be distinguished over all 12 rounds with data complexity about 2 to the power 48. We also propose optimized linear layer parameters that significantly improve linear resistance without sacrificing diffusion. Our results advance the understanding of Gleeok-128 and provide general methods for analyzing multi branch symmetric designs.

翻译：Gleeok是一类低延迟密钥伪随机函数（PRF）族，由三个并行的基于SPN的置换构成，其输出经异或运算形成最终值。Gleeok-128和Gleeok-256均使用256位密钥，分组长度分别为128位和256位。由于其多分支结构，评估安全边界和发起有效的密钥恢复攻击面临显著挑战。本文首次对Gleeok-128进行了全面的第三方密码分析。我们提出了一个基于MILP的两阶段框架，用于构建分支级和全密码的差分-线性（DL）区分器，并结合一个专为多分支设计定制的基于积分的密钥恢复框架。我们的DL分析为分支1、分支2、分支3和Gleeok-128分别得到了7轮、7轮、8轮和4轮的区分器，其平方相关性约为2^{-88.12}、2^{-88.12}、2^{-38.73}和2^{-49.04}，除全PRF情况外，均优于设计文档中的结果。通过收紧代数次数界限，我们进一步推导出三个分支的9轮、9轮和7轮积分区分器，以及全PRF的7轮区分器，分别将设计者的结果扩展了3轮、3轮、2轮和2轮。这些积分特性使得在非全码本和全码本设置下能够进行7轮和8轮的密钥恢复攻击。此外，我们发现了分支3原始线性安全性评估中的一个缺陷，表明其所有12轮均可在数据复杂度约为2^{48}的情况下被区分。我们还提出了优化的线性层参数，在不牺牲扩散性的情况下显著提升了线性抵抗能力。我们的研究结果增进了对Gleeok-128的理解，并为分析多分支对称设计提供了通用方法。