Keeping classical distinguisher and neural distinguisher in balance

At CRYPTO 2019, Gohr pioneered the use of the neural distinguisher ($ND$) for differential cryptanalysis, sparking growing interest in this approach. However, a key limitation of $ND$ is its inability to analyze as many rounds as the classical differential distinguisher ($CD$). To overcome this, researchers have begun combining $ND$ with $CD$ into a classical-neural distinguisher ($CND$) for differential cryptanalysis. Nevertheless, the optimal integration of $CD$ and $ND$ remains an under-studied and unresolved challenge.

In this paper, we introduce a superior approach for constructing the $(r+s)$-round differential distinguisher $CN{D}_{r+s}$ by keeping the $r$-round classical distinguisher $C{D}_r$ and the $s$-round neural distinguisher $N{D}_s$ in balance. Through experimental analysis, we find that the data complexity of $CN{D}_{r+s}$ closely approximates the product of that for $C{D}_r$ and $N{D}_s$. This finding highlights the limitations of current strategies. Subsequently, we introduce an enhanced scheme for constructing $CN{D}_{r+s}$, which comprises three main components: a new method for searching the suitable differential characteristics, a scheme for constructing the neural distinguisher, and an accelerated evaluation strategy for the data complexity of $CN{D}_{r+s}$. To validate the effectiveness of our approach, we apply it to the round-reduced Simon32, Speck32 and Present64, achieving improved results. Specifically, for Simon32, our $CN{D}_{12}$ and $CN{D}_{13}$ exhibit data complexities of $2^{16}$ and $2^{21}$, respectively, whereas $CN{D}_{12}$ in prior work required a data complexity of $2^{22}$. In the case of Speck32, Our scheme reduce the data complexity of $CN{D}_9$ form $2^{20}$ to $2^{18}$. For Present64, We construct $CN{D}_8$ with a data complexity of $2^{13}$, a significant improvement over the classical distinguisher of $2^{32}$. These results demonstrate the superiority of our scheme.