> It’s absolutely worth it to roll your own crypto if you want to learn from it.
It's essentially a waste of your time. Because of Schneier's Law: "Any person can invent a security system so clever that she or he can't think of how to break it".
The thing that you might learn from, if you put the work in, would be breaking other people's stuff. Ideally you would find something that's actually in use and vulnerable enough that with some time you'll be able to break it, but that's tricky.
So, if you're a programmer try something like "Cryptopals": https://cryptopals.com/
I think Thomas Ptacek is wrong about a bunch of stuff when it comes to security (there's presumably some way to find HN back-and-forth between us if you decide you care about that), but he wasn't wrong about the Cryptopals exercises. By the time you're doing Set 2 exercises this is stuff real people, who were getting paid and thought they knew what they were doing, got wrong.
Strongly disagree. I'm pretty sure rolling your own crypto will strengthen your understanding of crypto (and potential flaws) a lot. Obviously don't use it in production but by all means, do it for the sake of learning. How can this be a waste of time? That's like saying "never implement a search/sort algorithm, just use libraries"...yeah sure use libraries but also implement the stuff to learn.
There are a lot of subdomains within cryptography where "rolling your own" will not meaningfully strengthen your understanding of the underlying concept.
RSA is a really good example of this: you can "implement" RSA in Python in an hour, and your understanding will include some of the mathematical fundamentals (prime generation, modular exponentiation, &c.). What it won't include is why or how each of those fundamentals comes with a laundry list of caveats that can completely break any scheme that uses your particular implementation of RSA.
I second the recommendation for cryptopals, as well as all of the resources that Matt Green lists[1].
Right, but if you've improved your knowledge of the fundamentals by rolling your own RSA you'll be in a much better position to fully understand detailed articles that explain those caveats.
I'm actually skeptical that this is true: there isn't (in my mind) an intuitive bridge between "select two large primes" and "you have to make sure that there are enough different upper bits between p and q or your system is completely hosed." The former is the "direct" understanding of what makes RSA cryptographically sound, and what rolling your own will teach you; the latter is a weird result in number theory.
RSA is a particularly easy punching bag in this regard, but I think it's true generally (and is generally becoming more true, as we see increasingly clever sidechannels and oracles).
Edit: That being said, I want to moderate my position by saying that I don't think there's anything wrong with playing around with cryptosystems in an attempt to learn them. I do it! I think the risk that people talk about when they say "DRYAC" is that engineers will take their relatively painless experience getting it 10% right in their spare time and think they can get it 100% right without an asymmetric amount of additional effort.
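The p/q caveat mentioned above is concrete enough to show in code. The following is an added example, not code from any commenter in this thread: a toy RSA modulus generator with the "are p and q far enough apart" check that a one-hour implementation usually omits, beside Fermat's factoring method, which is exactly why the check exists. The threshold used (|p - q| > 2^(half_bits - 100)) follows the FIPS 186-4 key-generation criterion; function names, the seed, and the step budget are this example's own choices.

```python
"""Toy RSA modulus generation plus the Fermat-factoring check behind the
"upper bits of p and q must differ" caveat.  Added example, not from the
thread; the only real-world constant is the FIPS 186-4 |p - q| threshold."""
import math
import random


def is_probable_prime(n: int, rng=None, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test (fine for a teaching example)."""
    rng = rng or random.Random()
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng=None) -> int:
    """Random odd prime with the top bit set, so it has exactly `bits` bits."""
    rng = rng or random.Random()
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def next_prime(n: int, rng=None) -> int:
    """Smallest prime strictly greater than n (used to build a deliberately bad key)."""
    rng = rng or random.Random()
    cand = n + 1 if n % 2 == 0 else n + 2
    while not is_probable_prime(cand, rng):
        cand += 2
    return cand


def primes_far_enough_apart(p: int, q: int, half_bits: int) -> bool:
    """FIPS 186-4 style criterion: |p - q| > 2^(half_bits - 100), i.e. the two
    primes must not share their top ~100 bits.  This is the check a quick
    'implement RSA in an hour' exercise typically leaves out."""
    return abs(p - q) > (1 << (half_bits - 100))


def fermat_factor(n: int, max_steps: int = 10_000):
    """Fermat's method: find a with a^2 - n a perfect square b^2, then
    n = (a - b)(a + b).  The number of steps grows roughly as
    (q - p)^2 / (8 * sqrt(n)), so it finishes only when p and q are close.
    Returns (p, q) or None when the step budget runs out."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None


def make_modulus(half_bits: int, seed: int, close: bool):
    """Build n = p * q.  With close=True, q is the next prime after p, so the
    two share almost all their upper bits (constructed bad-key case)."""
    rng = random.Random(seed)
    p = random_prime(half_bits, rng)
    q = next_prime(p, rng) if close else random_prime(half_bits, rng)
    return p, q, p * q


def demo(half_bits: int = 256, seed: int = 1234):
    """Returns (good key passes check, good key factored,
                bad key passes check, bad key factored)."""
    p, q, n = make_modulus(half_bits, seed, close=False)
    p2, q2, n2 = make_modulus(half_bits, seed, close=True)
    good = fermat_factor(n)
    bad = fermat_factor(n2)
    return (
        primes_far_enough_apart(p, q, half_bits),
        good is not None,
        primes_far_enough_apart(p2, q2, half_bits),
        bad is not None and set(bad) == {p2, q2},
    )


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, True)
```

The point of the demo is the asymmetry the comment describes: the random-prime key passes the distance check and survives 10,000 Fermat steps, while the "next prime after p" key fails the check and factors in its very first iteration. Nothing about modular exponentiation teaches you to add `primes_far_enough_apart`; it comes from knowing the attack.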
The fact this is even a question shows me how many engineers are just cargo culting whatever they hear someone else say. If you can't understand that a toy project has different trade-offs than the NSA you really shouldn't be engineering anything; trade-offs are the entire job. Nobody is going to spend the time to implement this guide instead of importing a library.
I think this is unnecessarily harsh. Most of the people who implement cryptographic systems are professional engineers, and are not otherwise incorrect in evaluating their skillsets or capabilities. The problem isn't cargo culting, but the fact that cryptography is much more subtle and un-engineering-like than the rest of our discipline.
If no one is allowed to roll their own crypto, even just to learn how it works (and not use it for anything), then how does one become one of those exalted crypto experts who is allowed to create the libraries that everyone else who doesn't roll their own crypto uses?
First, break stuff. That's what the Cryptopals exercises are doing, but because in our actual world there's a lot of good stuff out there now, these exercises provide bad examples† you can break. If, in your hypothetical, there is no good crypto, this will be very easy to do just by taking anything you find in the real world, right?
Now, use what you learned (from breaking stuff) to make something which resists the attacks you learned. Congratulations, you have improved the state of the art. This is how actual experts (not sure any of them are or should be "exalted") did it.
† Bad, but, in many cases, very real. Because people stubbornly will not learn this lesson and keep rolling their own, we are still finding broken garbage in the real world; it's just becoming gradually rarer.
That is certainly valuable. But, so is actually implementing cryptographic algorithms, in a context where if you make a mistake it doesn't really matter, because it isn't in "production."
Or even if you just want to understand how an algorithm works, implementing it yourself will probably help you understand it more than reading, or finding problems in someone else's implementation.