NeuralCPA: A Deep Learning Perspective on Chosen-Plaintext Attacks


Abstract

A Chosen-Plaintext Attack (CPA) is a cryptographic analysis game for encryption in which an adversary queries an encryption oracle with plaintexts and observes the mapping to their ciphertexts. At a time of its choosing, the adversary submits two challenge plaintexts, receives the ciphertext of only one of them, and finally guesses which of the two challenge plaintexts was encrypted. Neural distinguishers, as a powerful representative of Artificial Intelligence (AI) methods, have recently been used in cryptanalysis. However, they cannot be applied directly to CPA due to differing input requirements and objectives. This work aims to address this gap. We provide the first rigorous and systematic formulation of CPA from a deep learning perspective. Specifically, we introduce NeuralCPA, a novel deep neural network-based method designed for evaluating the CPA security of block ciphers, as an initial effort toward AI-based CPA analysis. We empirically validate its effectiveness across a diverse range of block ciphers, including SIMON, SPECK, LEA, HIGHT, XTEA, TEA, PRESENT, AES, and KATAN. Our experimental results confirm that NeuralCPA consistently achieves significant distinguishing advantages in round-reduced settings. Notably, our attack success rate ranges from 51% to 76.4%.

Overview

Problem.
In the CPA game, two plaintexts $m_0$ and $m_1$ are given. A hidden bit $b \in \{0,1\}$ selects one of them, and $m_b$ is encrypted by $E_k$ to produce the challenge ciphertext $c^\star$. The goal is to guess $b$.

Idea.
NeuralCPA reformulates this problem as a supervised learning task by leveraging the distinguishing capability of neural networks.

The overall workflow of NeuralCPA is shown below.

Training.

1. Sample positive pairs $\mathcal{P}^+$ (satisfying the preset input difference $\delta$) and negative pairs $\mathcal{P}^-$ (not satisfying $\delta$), and merge them into the plaintext pair set $\mathcal{P}$.
2. Encrypt all pairs in $\mathcal{P}$ using the block cipher $E_k$ to obtain the ciphertext pairs $\mathcal{C}$.
3. Train a neural distinguisher on $\mathcal{C}$ to predict whether the corresponding plaintext pair satisfies $\delta$.
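The first two training steps can be sketched in a few lines of Python. Everything here is an illustrative assumption rather than the paper's implementation: the 32-bit block size, the function names, and especially `toy_encrypt`, a single-XOR stand-in for the real block cipher $E_k$.

```python
import random

def sample_plaintext_pairs(n, delta, block_bits=32, seed=0):
    """Build the pair set P: n/2 positive pairs whose difference is
    exactly delta (label 1) and n/2 negative pairs with any other
    nonzero difference (label 0)."""
    rng = random.Random(seed)
    pairs, labels = [], []
    for i in range(n):
        m0 = rng.getrandbits(block_bits)
        if i < n // 2:
            m1 = m0 ^ delta                 # positive: m0 XOR m1 == delta
            labels.append(1)
        else:
            d = 0
            while d in (0, delta):          # negative: difference != delta
                d = rng.getrandbits(block_bits)
            m1 = m0 ^ d
            labels.append(0)
        pairs.append((m0, m1))
    return pairs, labels

# Stand-in for E_k (illustration only; a real round-reduced block
# cipher would be substituted here).
def toy_encrypt(m, k=0x9E3779B9):
    return m ^ k

pairs, labels = sample_plaintext_pairs(1000, 0x0040)
ciphertext_pairs = [(toy_encrypt(a), toy_encrypt(b)) for a, b in pairs]
```

The `ciphertext_pairs` together with `labels` would then form the supervised training set for the distinguisher in step 3.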

Testing.

1. Construct auxiliary plaintexts $m_{i,\mathrm{aux}} = m_i \oplus \delta$ for $i \in \{0,1\}$.
2. Encrypt the auxiliary plaintexts using $E_k$ to obtain $c_{i,\mathrm{aux}}$.
3. Use the trained distinguisher to compute a score $p_i$ for each ciphertext pair $(c^\star, c_{i,\mathrm{aux}})$.
4. Output the final guess $b' = \arg\max_{i \in \{0,1\}} p_i$.
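The four testing steps amount to a small scoring routine. In this sketch, `encrypt` stands for the oracle $E_k$ and `nd_score` for the trained neural distinguisher; the concrete toy instances below (an XOR "cipher" and a rule-based scorer that fires when the ciphertext difference equals $\delta$) are illustrative assumptions only.

```python
DELTA = 0x0040                              # illustrative input difference

def cpa_guess(c_star, m0, m1, delta, encrypt, nd_score):
    """Testing steps 1-4: build auxiliary plaintexts m_i XOR delta,
    encrypt them, score both (c_star, c_aux) pairs, and return the
    index with the higher score."""
    p = []
    for m in (m0, m1):
        c_aux = encrypt(m ^ delta)          # oracle query on m_{i,aux}
        p.append(nd_score(c_star, c_aux))
    return 0 if p[0] > p[1] else 1          # guess-phase rule

# Toy stand-ins: for an XOR cipher, the ciphertext difference equals
# the plaintext difference, so this rule-based scorer is exact.
KEY = 0xDEADBEEF
encrypt = lambda m: m ^ KEY
nd_score = lambda c1, c2: 1.0 if (c1 ^ c2) == DELTA else 0.0
```

For the toy cipher, `cpa_guess(encrypt(m0), m0, m1, DELTA, encrypt, nd_score)` recovers the hidden index whenever `m0 != m1`; a real neural distinguisher would yield soft scores instead of 0/1.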

Methodology

When mapped to the standard CPA experiment, NeuralCPA operates in three stages:
(i) training the neural distinguisher during the pre-challenge phase;
(ii) constructing auxiliary ciphertext pairs from the input difference in the post-challenge phase;
(iii) choosing the plaintext by comparing auxiliary scores in the guess phase.

The formal definition is given below, with the steps introduced by our method highlighted.

Algorithm The NeuralCPA Experiment $ \operatorname{Exp}^{\operatorname{NeuralCPA}}_{\Pi,\mathcal{A}}(\lambda) $

Require: Encryption scheme $ \Pi $, message space $ \mathcal{M} $, key space $ \mathcal{K} $.

Ensure: Experiment outcome (1 if the adversary $ \mathcal{A} $ wins, 0 otherwise).

Initialization: The challenger $ \mathcal{C} $ samples a secret key $ k \xleftarrow{\$} \mathcal{K} $ and gives $ \mathcal{A} $ access to the encryption oracle $ E_k(\cdot) $. $ \mathcal{A} $ chooses a training data size $ n $ and a specific input difference $ \delta $.

Pre-Challenge Phase:
$ \mathcal{A} $ may adaptively issue any encryption-oracle query $ q \in \mathcal{M} $ and receives the corresponding ciphertext $ E_k(q) $.
$ \mathcal{A} $ samples $ n/2 $ plaintext pairs satisfying the preset input difference $ \delta $.
$ \mathcal{A} $ samples $ n/2 $ plaintext pairs not satisfying $ \delta $.
$ \mathcal{A} $ queries the encryption oracle on all $ n $ pairs and obtains their ciphertexts.
$ \mathcal{A} $ trains a neural distinguisher $ \mathcal{ND} $ on these $ n $ ciphertext pairs.
Challenge Phase:
$ \mathcal{A} $ outputs two challenge messages $ m_0, m_1 \in \mathcal{M} $.
$ \mathcal{C} $ samples a random bit $ b \xleftarrow{\$} \{0,1\} $.
$ \mathcal{C} $ returns the challenge ciphertext $ c^\star \leftarrow E_k(m_b) $.
Post-Challenge Phase:
$ \mathcal{A} $ may continue to issue encryption-oracle queries, distinct from the challenge messages $ m_0 $ and $ m_1 $.
$ \mathcal{A} $ derives auxiliary messages $ m_{0,\mathrm{aux}} = m_0 \oplus \delta $ and $ m_{1,\mathrm{aux}} = m_1 \oplus \delta $ using the fixed difference $ \delta $.
$ \mathcal{A} $ queries the encryption oracle and obtains the ciphertexts $ c_{0,\mathrm{aux}} $ and $ c_{1,\mathrm{aux}} $.
$ \mathcal{ND} $ outputs confidence scores $ p_0 \gets \mathcal{ND}(c^\star, c_{0,\mathrm{aux}}) $ and $ p_1 \gets \mathcal{ND}(c^\star, c_{1,\mathrm{aux}}) $.
Guess Phase:
$ \mathcal{A} $ outputs the guess $ b' = 0 $ if $ p_0 > p_1 $, and $ b' = 1 $ otherwise.
Outcome:
Return $ 1 $ if $ b' = b $, otherwise $ 0 $.
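End to end, one run of the experiment above can be simulated as follows. This is a hedged toy, not the paper's setup: the XOR "cipher" and the perfect rule-based scorer are illustrative stand-ins, so the empirical success rate is 1.0, whereas a real neural distinguisher wins with probability $1/2$ plus its advantage.

```python
import random

def neural_cpa_experiment(encrypt, nd_score, delta, m0, m1, rng):
    """One run of Exp^NeuralCPA: returns 1 if the adversary's guess
    b' matches the challenger's hidden bit b, else 0."""
    b = rng.randrange(2)                    # challenger's hidden bit
    c_star = encrypt((m0, m1)[b])           # challenge ciphertext E_k(m_b)
    p0 = nd_score(c_star, encrypt(m0 ^ delta))
    p1 = nd_score(c_star, encrypt(m1 ^ delta))
    b_prime = 0 if p0 > p1 else 1           # guess-phase rule
    return int(b_prime == b)

# Toy instantiation (illustrative assumptions throughout).
DELTA, KEY = 0x0040, 0xCAFEBABE
enc = lambda m: m ^ KEY
nd = lambda c1, c2: 1.0 if (c1 ^ c2) == DELTA else 0.0
rng = random.Random(42)
wins = sum(neural_cpa_experiment(enc, nd, DELTA, 0x1111, 0x2222, rng)
           for _ in range(1000))
success_rate = wins / 1000                  # 1.0 for this perfect toy scorer
```

Replacing `nd` with a trained distinguisher and `enc` with a round-reduced cipher oracle turns this loop into an empirical estimate of the CPA success rate reported in the results.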

Results

We evaluate NeuralCPA across multiple round-reduced ciphers. The table reports the distinguishing Accuracy (Acc.) and CPA Success Rate (CPA SR.), each evaluated on $10^6$ samples with plaintexts disjoint from the training set. The results support the effectiveness of the proposed approach.

| Cipher       | Full Rounds | Rounds | Acc.  | CPA SR. |
|--------------|-------------|--------|-------|---------|
| SIMON32/64   | 32          | 9      | 0.792 | 0.884   |
|              |             | *10    | 0.570 | 0.598   |
|              |             | *11    | 0.522 | 0.531   |
| SIMON64/128  | 44          | 11     | 0.640 | 0.693   |
|              |             | 12     | 0.537 | 0.552   |
|              |             | *13    | 0.509 | 0.514   |
| SIMON128/256 | 68          | 17     | 0.603 | 0.640   |
|              |             | 18     | 0.538 | 0.552   |
|              |             | *19    | 0.510 | 0.514   |
| SPECK32/64   | 22          | 6      | 0.895 | 0.954   |
|              |             | 7      | 0.677 | 0.733   |
|              |             | *8     | 0.527 | 0.530   |
| SPECK64/128  | 27          | 7      | 0.821 | 0.901   |
|              |             | *8     | 0.586 | 0.610   |
| SPECK128/256 | 34          | 9      | 0.943 | 0.981   |
|              |             | *10    | 0.678 | 0.725   |
| LEA-128      | 24          | 10     | 0.656 | 0.694   |
|              |             | 11     | 0.524 | 0.534   |
| HIGHT        | 32          | 10     | 0.751 | 0.764   |
| XTEA         | 64          | 4      | 0.992 | 0.993   |
|              |             | *5     | 0.575 | 0.606   |
| TEA          | 64          | 4      | 0.987 | 0.991   |
|              |             | *5     | 0.602 | 0.641   |
| PRESENT-80   | 31          | 7      | 0.819 | 0.891   |
|              |             | 8      | 0.609 | 0.687   |
|              |             | *9     | 0.506 | 0.510   |
| AES-128      | 10          | 2      | 1.000 | 1.000   |
|              |             | 3      | 0.518 | 0.524   |
| KATAN32      | 254         | *55    | 0.648 | 0.705   |
|              |             | *60    | 0.558 | 0.579   |
|              |             | *65    | 0.506 | 0.511   |
| CHACHA20     | 20          | 3      | 0.640 | 0.693   |

Notes. Rounds marked with * use a distinguisher pretrained on the preceding round (or round step, e.g., 5-round increments for KATAN) and then fine-tuned.

BibTeX

@misc{cryptoeprint:2026/328,
author = {Xuanya Zhu and Liqun Chen and Yangguang Tian and Gaofei Wu and Xiatian Zhu},
title = {{NeuralCPA}: A Deep Learning Perspective on Chosen-Plaintext Attacks},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/328},
year = {2026},
url = {https://eprint.iacr.org/2026/328}
}