I review roughly 1 cryptosystem per quarter in my practice, have been doing so for several years, and I can't think of a single system that survived as far as "I'd have to mount a side channel attack to break this". If your biggest problem is timing leaks, you win.
The stuff that breaks most cryptosystems is much more basic than "side channels" and "key management". It's using ECB mode, encrypting without a MAC, inventing your own SHA1 MAC, leaking errors, colliding IVs or nonces, failure modes that collide session keys, not checking parameters; I could go on and on.
I'd hate for people to think that side channels are the thing they have to be on the lookout for. Writing their own crypto constructions is what they need to be on the lookout for.
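An added example, not part of the thread or any commenter's code: a stdlib-only audit check for two of the failures listed above, ECB mode and colliding nonces, run over constructed ciphertexts. `toy_ecb` is a hypothetical stand-in for AES-ECB (a keyed per-block function, not a real cipher), and the layout of a 12-byte nonce at the start of each message is an assumption.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of blocks that duplicate an earlier block; > 0 suggests ECB."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def reused_nonces(messages, nonce_len=12):
    """Nonces (assumed to be the first nonce_len bytes) used by > 1 message."""
    counts = Counter(m[:nonce_len] for m in messages)
    return sorted(n for n, c in counts.items() if c > 1)


def toy_ecb(key: bytes, plaintext: bytes) -> bytes:
    """Hypothetical stand-in for AES-ECB: same key + same block -> same output.
    Not a real cipher (not invertible); it only reproduces ECB's determinism."""
    out = b""
    for i in range(0, len(plaintext), BLOCK):
        out += hmac.new(key, plaintext[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
    return out


# Constructed sample data (not from any real system).
KEY = b"constructed-demo-key"
ECB_SAMPLE = toy_ecb(KEY, b"A" * 48 + b"unique block 001")  # 3 equal blocks + 1
RANDOM_LIKE = hashlib.sha256(b"a").digest() + hashlib.sha256(b"b").digest()
NONCE_A, NONCE_B = b"\x00" * 11 + b"\x01", b"\x00" * 11 + b"\x02"
MESSAGES = [NONCE_A + b"ct-one", NONCE_B + b"ct-two", NONCE_A + b"ct-three"]

if __name__ == "__main__":
    print("ECB sample repeated blocks:", repeated_blocks(ECB_SAMPLE))
    print("random-like repeated blocks:", repeated_blocks(RANDOM_LIKE))
    print("reused nonces:", [n.hex() for n in reused_nonces(MESSAGES)])
```

A zero from `repeated_blocks` does not rule out ECB on short or high-entropy plaintexts; it is a cheap first check, not proof of a sound mode.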
Point noted. I don't review cryptosystems for a living.
I guess my point was that most of the cryptosystems /I've/ used over the years have seen significant vulnerabilities exposed in key management and side channel attacks. Insufficient entropy for key generation is another one. That said, I probably benefit from people like you weeding out the REALLY bad implementations.
I do agree that you're likely to see a lot of extraordinarily poorly designed cryptosystems if you regularly look at work product from people who are unfamiliar with attack methodologies in general.
I work in app security, and maybe 1% of the testers I know (I know a lot of testers) are familiar with crypto attack methodologies. It's still a dark art. I don't know where a company that wasn't "plugged in" would ever find expertise.