Keeping classical distinguisher and neural distinguisher in balance

At CRYPTO 2019, Gohr pioneered the use of the neural distinguisher (ND) for differential cryptanalysis, sparking growing interest in this approach. However, a key limitation of ND is its inability to analyze as many rounds as the classical differential distinguisher (CD). To overcome this, researchers have begun combining ND with CD into a classical-neural distinguisher (CND) for differential cryptanalysis. Nevertheless, the optimal integration of CD and ND remains an under-studied and unresolved challenge. In this paper, we introduce a superior approach for constructing the (r+s)-round differential distinguisher CND_r+s by keeping the r-round classical distinguisher CD_r and the s-round neural distinguisher ND_s in balance. Through experimental analysis, we find that the data complexity of CND_r+s closely approximates the product of that for CD_r and ND_s. This finding highlights the limitations of current strategies. Subsequently, we introduce an enhanced scheme for constructing CND_r+s, which comprises three main components: a new method for searching the suitable differential characteristics, a scheme for constructing the neural distinguisher, and an accelerated evaluation strategy for the data complexity of CND_r+s. To validate the effectiveness of our approach, we apply it to the round-reduced Simon32, Speck32 and Present64, achieving improved results. Specifically, for Simon32, our CND₁₂ and CND₁₃ exhibit data complexities of 2¹⁶ and 2²¹, respectively, whereas CND₁₂ in prior work required a data complexity of 2²². In the case of Speck32, Our scheme reduce the data complexity of CND₉ form 2²⁰ to 2¹⁸. For Present64, We construct CND₈ with a data complexity of 2¹³, a significant improvement over the classical distinguisher of 2³². These results demonstrate the superiority of our scheme.