by anologwintermut 4256 days ago
It's a terrible piece of self-reflection in that case. His thesis is his stuff never got adopted because of the NSA? DJB is very smart, but he doesn't necessarily play well with others (as tptacek alluded to) and sometimes does some odd things.

As a random example: Nacl, which is pretty good, isn't portable. The portable version that someone made, Sodium, ripped out a bunch of the platform-specific stuff to make it portable, but because no one knows which parts were security critical and which weren't, there are more than some doubts. These kinds of things matter.
</grreplace>
<gr_replace lines="7" cat="clarify" orig="Put another way">
Put another way, as a piece of self-reflection, at least he could figure out how to make it harder for the NSA to marginalize his ideas if that's really the reason they haven't been adopted.

Put another way, as a piece of self reflection at least he could figure out how to make it harder for the NSA to marginalize his ideas if that's really the reason they haven't been adopted.


It isn't self-reflection. It's a talk he gave to an audience that puts his research into a current events context and provides a backhanded roadmap to the kinds of crypto research topics that are important to the project of securing the Internet against the NSA. As that, it's pretty effective.

It's pretty hard to make a credible argument that Bernstein and Schwabe and Lange did a poor job with Nacl, since the next best alternative is Keyczar, which might not even be maintained anymore. What's the other credible high-level crypto library?

Gutmann's cryptlib (if you stick to the high-level API, which is documented as such).

It's "anciently conservative" (not based on fancy new ciphers, you can like it or not), by a competent cryptographer, and battle-tested.

There aren't. Nacl certainly is credible. But it isn't (at least last time I looked) portable. As I understand it, this is because of a bunch of x86 assembly meant to generate very fast and constant-time crypto code.

This is Bernstein's entire schtick. Which is fine, but if you can't use it on ARM, and therefore on mobile, you've killed a large area where adoption of new crypto could actually happen. Arguably, a slower constant-time cross-platform library would have been a better idea if he actually wanted to see it used widely. This is what Sodium claims to be... but, well, who knows if that's secure.

And I don't think I agree with you that this is Bernstein merely saying "here's why you need what I've done." It's an explanation of why it didn't happen that basically argues that people are being so stupid about crypto that they might as well be NSA shills. As a narrative it ignores a lot of reasons this stuff didn't happen and a lot of lessons that should be applied in getting it right this time.

Virtually none of the ideas that Bernstein talks about in here have anything to do with people adopting his implementations. Bernstein's packaging isn't why TLS uses PKCS1v15. It's not why elliptic curve signatures almost always require random ephemeral keys. It's not why userland programs scatter broken RNGs throughout their codebases instead of just tapping urandom. It's certainly not why the most popular modern cipher is one that requires either modern Intel hardware or side channel leaks to be performant.

It's also worth remembering that Bernstein has this reputation you're alluding to among Unix nerds. In cryptography, he has no such stigma; he's a world-class cryptographer and I can't find any indication of interpersonal DJB drama in that field at all. I'm almost inclined to attribute the problem to the Unix nerds.

NaCl includes portable C implementations of all its operations, but it's possible that they might not be constant-time on a given compiler. SUPERCOP now has ARM assembly implementations of the NaCl operations (contributed by Peter Schwabe), but they haven't been integrated into a NaCl release yet.

Schwabe has even written AVR versions of many of the NaCl operations, so maybe you can do your crypto not only on mobile but on an 8-bit microcontroller.
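As an added illustration of the constant-time point above (this is example code, not NaCl's own source or anything from the thread): the pattern NaCl's portable C verify routines follow, next to the early-exit comparison it replaces. The sample byte arrays are constructed here, and `naive_bytes_examined` is a hypothetical helper standing in for a timing measurement.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant-time comparison of two 32-byte values in the style of NaCl's
   crypto_verify_32: OR every byte difference into an accumulator first, and only
   then map "any difference" to -1 and "equal" to 0 with pure arithmetic. No
   branch depends on the data, so elapsed time does not reveal where the first
   mismatch is. Caveat (the thread's point): C gives no guarantee; an aggressive
   compiler may still turn this into data-dependent code, which is why the
   assembly backends exist. */
int verify_32_ct(const unsigned char *x, const unsigned char *y)
{
    unsigned int d = 0;
    for (size_t i = 0; i < 32; i++)
        d |= x[i] ^ y[i];
    /* d is in 0..255; (d - 1) >> 8 has its low bit set only when d == 0 */
    return (1 & ((d - 1) >> 8)) - 1;
}

/* The naive version: memcmp stops at the first mismatch, so timing leaks the
   length of the matching prefix. Kept as the "before" for contrast. */
int verify_32_naive(const unsigned char *x, const unsigned char *y)
{
    return memcmp(x, y, 32) == 0 ? 0 : -1;
}

/* Hypothetical helper: how many bytes an early-exit loop inspects before it
   returns. This is the quantity an attacker measures via timing. */
size_t naive_bytes_examined(const unsigned char *x, const unsigned char *y)
{
    for (size_t i = 0; i < 32; i++)
        if (x[i] != y[i]) return i + 1;
    return 32;
}

/* Constructed sample inputs: B differs from A only in the last byte, C only in
   the first byte. */
const unsigned char SAMPLE_A[32] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32 };
const unsigned char SAMPLE_B[32] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 99 };
const unsigned char SAMPLE_C[32] = {
    99, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32 };
```

Both functions agree on the answer; the difference is that the naive loop examines 32 bytes for B but only 1 for C, and that gap is what a timing side channel observes.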

I think DJB works hard enough and it's a bit much to expect him to not only work on his passions but also figure out how to get his work and ideas adopted. We're all good at some things and not others.

What I'd like to see is a way for others to support his efforts.

How can I, for example, as a software developer working at a reasonably 'high' level (currently I'm mainly a consumer of libraries and frameworks), push for better quality in the crypto that I depend on, knowing that DJB has at least partial answers to some of the problems?