by Fnoord 2724 days ago
None of these changes are big enough; it is still homebrew crypto. If there are issues with cryptography standards you can be sure your OS (such as your Linux distribution) lost CIA in one way or another. Whereas with MTProto, if that is broken, only your Telegram chats lose CIA. Which raises the question why not use standards?

They were, actually. MtProto v2 satisfies IND-CCA now as opposed to what the blog post claims: https://core.telegram.org/techfaq#what-about-ind-cca
So Signal and others are not "homebrew crypto"?

That criticism is fair a lot of times, but every higher level crypto construction is going to be unproven for a while until checked.

It's not like they were inventing their own hash function and stream cypher.

Signal is the best-studied multiparty secure messaging protocol; there are academic papers that provide formal analyses. Trevor and Moxie won the Levchin Prize at Real World Crypto for Signal Protocol; the Levchin steering committee is a "Who's Who" of cryptographers, as are the other winners of the prize.

No, Signal is not "homebrew crypto".

What would be a good definition of Homebrew crypto?

Sure, if I put some primitives together (even if I had a good knowledge of how to do it) in a closed product and nobody evaluates it (and I add a label like "military security") that's Homebrew, no questions.

But all systems are born "in secret" (at least for a short while). Unless the definition involves appeal to authority.

Obviously, the term is a straightforward appeal to authority.

Which is sometimes unjustly described as fallacious, though even the best can make mistakes.

Hopefully we agree on the authority here. But I jumped the gun on my response a little as well, because my argument isn't simply an appeal to authority; for instance, you can just go read the formal analyses of Signal Protocol and evaluate them for yourself. Maybe IEEE EuroS&P was wrong to accept the paper!