by x092 2724 days ago
What I find interesting is that this article is very recent, however the calculations on Crypto are not up to date. MtProto has had some big changes some time ago already:

- SHA-256 is used instead of SHA-1;

- Padding bytes are involved in the computation of msg_key;

- msg_key depends not only on the message to be encrypted, but on a portion of auth_key as well;

- 12..1024 padding bytes are used instead of 0..15 padding bytes in v.1.0.

See https://core.telegram.org/mtproto/description


None of these changes are big enough; it is still homebrew crypto. If there are issues with cryptography standards you can be sure your OS (such as your Linux distribution) lost CIA in one way or another. Whereas with MTProto, if that is broken, only your Telegram chats lose CIA. Which raises the question why not use standards?
They were, actually. MtProto v2 satisfies IND-CCA now as opposed to what the blog post claims: https://core.telegram.org/techfaq#what-about-ind-cca
So Signal and others are not "homebrew crypto"?

That criticism is fair a lot of times, but every higher level crypto construction is going to be unproven for a while until checked.

It's not like they were inventing their own hash function and stream cypher.

Signal is the best-studied multiparty secure messaging protocol; there are academic papers that provide formal analyses. Trevor and Moxie won the Levchin Prize at Real World Crypto for Signal Protocol; the Levchin steering committee is a "Who's Who" of cryptographers, as are the other winners of the prize.

No, Signal is not "homebrew crypto".

What would be a good definition of Homebrew crypto?

Sure, if I put some primitives together (even if I had a good knowledge of how to do it) in a closed product and nobody evaluates it (and I add a label like "military security") that's Homebrew, no questions.

But all systems are born "in secret" (at least for a short while). Unless the definition involves appeal to authority.

Obviously, the term is a straightforward appeal to authority.
Which is sometimes unjustly described as fallacious, though even the best can make mistakes.
The fact that they spent so long using SHA-1 after it'd been deprecated is a red flag for their hand-rolled crypto. They had no legacy install base but were deploying new services while the rest of the industry was deprecating it – even the U.S. federal government was ahead on that.