[tptacek]

Signal is the best-studied multiparty secure messaging protocol; there are academic papers that provide formal analyses. Trevor and Moxie won the Levchin Prize at Real World Crypto for Signal Protocol; the Levchin steering committee is a "Who's Who" of cryptographers, as are the other winners of the prize.

No, Signal is not "homebrew crypto".

[raverbashing]

What would be a good definition of Homebrew crypto?

Sure, if I put some primitives together (even if I had a good knowledge of how to do it) in a closed product and nobody evaluates it (and I add a label like "military security") that's Homebrew, no questions.

But all systems are born "in secret" (at least for a short while). Unless the definition involves appeal to authority.

[tptacek]

Obviously, the term is a straightforward appeal to authority.

[raverbashing]

Which is sometimes unjustly described as fallacious, though even the best can make mistakes.

[tptacek]

Hopefully we agree on the authority here. But I jumped the gun on my response a little as well, because my argument isn't simply an appeal to authority; for instance, you can just go read the formal analyses of Signal Protocol and evaluate them for yourself. Maybe IEEE EuroS&P was wrong to accept the paper!