[pvg]

The cryptopals things aren't really about cryptanalysis. And it's, in hindsight, easy to convince yourself the problems of cryptography engineering obviously follow from the properties of the cryptography maths. But, historically and empirically, that's exactly how it hasn't worked out.

[loup-vaillant]

Wait a minute, that depends at what level you are. Sure, you have to devise attacks to come up with the relevant mathematical properties. For instance, to protect against snooping, you encrypt, and you formalise the chosen plaintext attack. To protect against forgery, you formalise the chosen ciphertext attack, and we protect against it with authentication. I expect the same happened with man in the middle, forward secrecy, and others.

Me, I don't try to push the state of the art. I just try to protect against known attacks, and I trust we won't come up with new attacks too quickly, the same way I trust we won't break existing crypto too quickly.

From there, I just have to make sure a number of mathematical properties are followed, and voilà I have a secure system according to current standards. It will be guaranteed to hold out as long as no one comes up with some new unforeseen attack. And even then, I suspect everything has been pretty much worked out. The primitives themselves, with few exceptions, are still not proven secure, but the constructions have sound security models.

Which is why now, we don't need to do stuff like the cryptopal challenges to build secure systems. We just need to avoid the relevant pitfalls, which have already been figured out by smarter people.

---

Then there are side channels, but those are whole 'nother can of worm (except maybe timings, which are pretty well understood by now).

[pvg]

Maybe I'm not following something but it seems to me you're saying an understanding of the mathematical properties of the primitives invariably leads to their secure implementation, combination and deployment. On its face, this is demonstrably untrue.

From there, I just have to make sure a number of mathematical properties are followed, and voilà I have a secure system

Or, et voilà, you have SSL.

[loup-vaillant]

This was an oversimplification. First, take a look at my crypto library, Monocypher¹. I went for the simplest things I could find. The AEAD construction is a simple XChacha20/Poly1305. I didn't invent a single thing. So on that front, we're safe.

Then all I have to do is weed out the bugs. It's not trivial, but it is pretty simple. Thanks to all primitives being constant time, the memory access patterns are identical for every input of the same length. Test all the lengths from zero to some threshold, and you pretty much test all the code paths. Then you sanitise the hell out of the code, because this is Unsafe™ C we're talking about, and then you have a secure crypto library. Extend that philosophy to the entire system, and you're good to go.

Now let's say I did invent something. I was close to such invention when I implemented XChacha20 from first principles (that is, from reading the XSalsa20 paper, and doing the same to Chacha20). Making sure the "invention" was sound just required I understood the relevant maths, which in this case wasn't complicated at all (it's basically "reveal only the bytes the attacker could have guessed anyway").

The same apply when one designs a protocol. One must be aware of the relevant properties the protocol must achieve, and understand the maths required to ensure those properties. Once that's figured out, it's just a matter of not screwing up the implementation.

Crypto is often underestimated, leading to horrible security issues. But I think it is also often overestimated, that with "don't touch it unless Bruce Shneier said you could" or something. Really, applying crypto is not hard. A couple weeks of full time learning is more than enough.

[1]: https://monocypher.org