by hadcomplained 2326 days ago
I agree with the sentiment. The common argument against rolling out your own encryption just baffles me. Because there are plenty of ways to roll out your own encryption safely and in such a way that drastically eliminates the possibility of getting broken. Following are just a few ideas easily implemented even by a mediocre engineer.

For the easiest, you can just apply multiple encryption algorithms in succession (of course with different keys). Although the algorithm of AES is considered safe, it can be broken through a side-channel such as a backdoor, which secretly stores keys used somewhere. But if you apply another algorithm after AES, be it ChaCha20 or Blowfish, it can only get reinforced.

Another trivial way to safely roll out your own encryption is to increase the number of rounds in ciphers that are considered safe. The increased number of rounds only strengthens the algorithm. And it's just changing a few magic numbers in the source code - you can get extra security for little expense of time.

Both methods provide easy-to-implement ways to safely 'invent' a new encryption algorithm without a proper knowledge of cryptography. If people start doing any of the above regularly, it would be a headache for those who enjoy exploiting vulnerabilities in common crypto implementations.


This isn't really "roll your own". This is "run with non-standard parameters". This is a much smaller footgun, though you can really screw this up.

World experts in practical crypto regularly ship implementations that have serious errors that remain undetected by other world experts for years. This shit is hard.

To support both sides on this one, you could roll your own crypto on top of a third party crypto like AES. That way you get the benefits of both: You have the tried and true AES backing you up if your custom crypto is cracked, and you get security and obfuscation benefits from rolling your own crypto.
For downvoters - constructive counterarguments are welcome.
I don’t mean to be rude, but it’s quite obvious by what you wrote that you are barely literate in cryptography, yet you are fairly certain of yourself. Your confidence is misplaced. This isn’t the type of thing that encourages actual experts to bother replying.

Examples: “side channel such as a backdoor that secretly stores keys used somewhere”, “blowfish”, nonsensical mixing of block ciphers and stream ciphers without regard for the complete construction or the implementation (by far the largest weak point), etc.

"by far the largest weak point"

Well, if the nested ciphers are all properly implemented AEAD schemes, use unique keys, and don't rely on public key crypto for key exchange, cascading crypto is fine.

Other than that their discourse was that of a novice, sure.

Combining standard algorithms doesn't constitute rolling your own crypto. Arguably, even increasing the number of rounds in a standard cipher doesn't, either.

A back door is not a side channel.

Rolling one's own crypto has become a catch-all phrase. It's of course very important to remember implementing standard algorithms in a non-standard way can be incredibly dangerous too. I've seen unauthenticated AES-CBC way too many times. I've seen fingerprints calculated by hashing pre-master secrets (completely insecure), I've seen crypto libraries that rely on completely insecure structures for their RNGs (worst was probably LCG fed from math.random). I've seen fixed IVs with fixed keys, E2EE without fingerprints (way too often), ones with expired primitives (SHA-1 in PGP). I've seen RSA PKCS #1.5 deployed in brand new products (https://trailofbits.files.wordpress.com/2019/07/image13-1.pn...).

So the correct advice is, "don't deviate from best practices, and hire a cryptographer."