by raverbashing 2724 days ago
So Signal and others are not "homebrew crypto"?

That criticism is fair a lot of times, but every higher level crypto construction is going to be unproven for a while until checked.

It's not like they were inventing their own hash function and stream cypher.

Signal is the best-studied multiparty secure messaging protocol; there are academic papers that provide formal analyses. Trevor and Moxie won the Levchin Prize at Real World Crypto for Signal Protocol; the Levchin steering committee is a "Who's Who" of cryptographers, as are the other winners of the prize.

No, Signal is not "homebrew crypto".

What would be a good definition of Homebrew crypto?

Sure, if I put some primitives together (even if I had a good knowledge of how to do it) in a closed product and nobody evaluates it (and I add a label like "military security") that's Homebrew, no questions.

But all systems are born "in secret" (at least for a short while). Unless the definition involves appeal to authority.

Obviously, the term is a straightforward appeal to authority.
Which is sometimes unjustly described as fallacious, though even the best can make mistakes.
Hopefully we agree on the authority here. But I jumped the gun on my response a little as well, because my argument isn't simply an appeal to authority; for instance, you can just go read the formal analyses of Signal Protocol and evaluate them for yourself. Maybe IEEE EuroS&P was wrong to accept the paper!