[ninly]

The "don't roll your own" argument isn't against having lots of encryption algorithms, though. It's because it's nearly impossible for a nonspecialist to implement tools that other specialists can't fairly easily recognize as broken and exploit (whether cryptologically broken or due to side-channel exploits).

[bosswipe]

> other specialists can't fairly easily recognize as broken and exploit

Is there any supporting evidence for this claim? If I took an AES library and changed the order of some inner loop wouldn't it require extensive statistical analysis to notice the difference? Which means instead of throwing a bunch of compute at decrypting me, along with the masses 10 years from now, you would need to get a specialist to specifically target me and spend considerable time.

[EthanHeilman]

Maybe it would be safe, but there would be a decent chance you would accidentally mess up sometime simple and makee the algorithm trivial to decrypt. How do I know? I've experimented with variants of hash functions and seen that happen.

IIRC Groestl if you switch the inputs between the P and Q functions you'll introduce fixed points ino Groestl. Or take your example of AES, if you changed AES such that the loop which ran shift rows and increase it to run four times, you'd massively damage diffusion and probably have a trivially breakable block cipher. Modern cryptographic primitives are very carefully built, minor changes can be disastrous.

[Mirioron]

I've wondered this as well. Are there tools that will automatically run through all kinds of existing cryptographic algorithms to figure out which ones you're dealing with? Because it sounds to me like throwing enough layers of shoddy algorithms would obfuscate things enough that somebody would actually have to look at it and try to explicitly figure out a way to bypass what you're doing.

[tsimionescu]

There's also a good chance that your change would break some assumptions/guarantees of AES, perhaps fatally (e.g. the result could be that your result only depends on just a few bits of the key).

True, if your threat model is exclusively future untargetted attacks ,your algorithm may be safer,but that is not a commonly accepted threat model I think, even for terrorists or banks.

[throw0101a]

> If I took an AES library and changed the order of some inner loop wouldn't it require extensive statistical analysis to notice the difference?

Unless you knew why it was organized the way it is in the original spec, altering it may weaken it. The DES S-boxes were altered by the NSA and everyone was suspicious, but it turns out they had made things stronger:

* https://en.wikipedia.org/wiki/Differential_cryptanalysis

Turns out the NSA was (at the time) over a decade ahead in crypto knowledge than the public.

As it stands, AES is approved for even TOP SECRET labelled information:

* https://en.wikipedia.org/wiki/NSA_Suite_B_Cryptography#Comme...

As are the various ECDH NIST curves that so many people are anxious about.