Choosing Distinguishers for Di erential Power Analysis Attacks

Di erential power analysis attacks are among the `classical' non-invasive types of attacks against physical devices. Attacks belonging to that class are well studied in the literature, however a seemingly simple yet very important question has proven to be exceptionally di cult to answer: given a cryptographic device, how do I best choose a distinguisher to actually perform a di erential power analysis attack? This question needs to be unpicked before an attempt to an answer can be made: what is known about the power consumption characteristics of the device (everything i.e. power pro les are available, not much i.e. one can realistically assume a certain standard power model such as Hamming weight can be used, or nothing). Does the device allow control over its inputs to the cryptographic routine that is targeted? Are there any countermeasures built in, and if so which? In this article we aim to illuminate one particular aspect of such considerations. Namely, is there any best distinguisher, and consequently, can the choice of distinguisher and the modelling of the power consumption be made independently? Our approach in answering these questions is to draw from our own recent results and research into evaluation strategies for distinguishers, and linking them to other recent works. The conclusion that we can draw is that there is no generally best distinguisher, but for well de ned scenarios there are best choices for a distinguisher in conjunction with a power model.