The third and final day of CHES started slowly, and fuelled by a lot of coffee, after a fantastic conference dinner the night before at the KU Leuven Faculty Club. Although the sessions covered a lot more (e.g., constructive and destructive aspects of RSA, and hardware implementations in general), the two most interesting aspects for me were, first, a session on lightweight cryptography and, second, a high-octane invited talk.
The session on lightweight cryptography was interesting in the sense that it posed a question: what does lightweight actually mean? Before, I would have said block ciphers of this type simply have a reduced security margin, and are compact (in memory or gates, depending on your taste) in design. The session did a good job of covering (at least) two other valid metrics in power consumption and latency, but one of the shared problems seemed to be providing a sane comparison of what is a large number of diverse candidate designs and techniques. For me, Miroslav Knezevic made the most interesting observation: when evaluating fully unrolled block cipher implementations in hardware, an odd behaviour occurred when placing constraints on the synthesis tools. More specifically, earlier rounds were larger than later ones: he explained this as a result of earlier rounds driving more later logic, and hence being instantiated with different cell types (but didn't elaborate further). The interesting part was the idea that to best cater for this, one might consider designs with heterogeneous rounds (the later more complex than the former) to balance latency. I wondered whether block cipher designers would be delighted or appalled at this concept!
After lunch, Christopher Tarnovsky of Flylogic Engineering gave an invited talk; he is a renowned figure in the area of reverse engineering and physical attacks, and I'd guess that, like me, most people were more excited by this than by anything else in the whole CHES program. The tone was set from the start, with Chris (roughly) saying "I've met some nice people from chip vendors at CHES, so I altered my talk to focus on your chips". On one hand, the talk was absorbing: as well as the clear technical prowess that underpins his depackaging and probing attacks, the chip imagery alone on some of his slides was really interesting. On the other hand, it was hard to take too much away from the talk. I guess if you employ Flylogic as a consultant you might get more insight into countermeasures or secure design techniques, but the focus was more or less entirely on attacks, which seemed a bit of a shame. One very clear message was that protective meshes (active or not) are currently either ill-conceived or poorly implemented, but basically weak and quite pointless against an adversary as skilled as he.