Hacker News

Those other mantras work, but the crypto one is dangerous because it actually implicitly discourages people from playing with it and learning about it.


The fundamental problem with cryptography (that doesn't apply as much to other areas) is that it's not a subject you can learn by playing with it. That's a result of the complexity of building a correct solution, the ease of building a solution that _looks_ correct at first glance but isn't, and the extreme adversarial nature of the problem. In most of software a "looks correct at first glance" solution is fine -- the 1% that is broken will not have significant consequences. In cryptography, your adversary will find that 1% and abuse it.


You mostly learn cryptography by doing cryptanalysis, and that certainly is a form of playing with ciphers. To be fair, modern cryptanalysis also involves a bit of math and reading some papers.

None of this is something that hobby cryptographers can't do. In fact, there is no real difference between "professional" and hobby cryptographers. Many of the professional ones started as hobby cryptographers, and there are plenty of allegedly professional "cryptographers" who do not have sufficient experience in cryptanalysis. Moreover, anybody can make a fairly secure Feistel cipher, for example; it's just hard to create an efficient one. Note that proofs of security either don't exist or are based on unreasonable assumptions. Cryptography is still mostly a black art, not a science.

In a nutshell, you really shouldn't reinforce the "don't roll your own crypto" mantra. It just means you'll get less skilled cryptographers in the end. Bear in mind that nearly all debacles in cryptography were caused by professional cryptographers.


The "don't roll your own crypto" is a mantra mostly useful for deciding what to put into production, not as a general ban on even touching the stuff before you become some kind of mythical, long-bearded, tome-possessing wizard.

I thought this was pretty obvious but I guess this important context was not sufficiently disseminated given the prevalence of the latter position.


Almost all mantras that are stated in absolutes will be accepted by the public in every single possible way. Unfortunately, and I know it sounds unbelievable, for a lot of people it really has become "don't even think of learning about crypto", not just "don't use your own crypto in prod".



