Ask HN: Is the “don't roll your own crypto” culture making us crypto ignorants?

Sometimes I ask myself if this generalized crypto mono-culture is something being implanted in our brain to spare NSA money.

I would see how much effort intelligence agencies would need to handle the proliferation of many privately developed ciphers by the open-source community.

What do you think?

  • > Sometimes I ask myself if this generalized crypto mono-culture is something being implanted in our brain to spare NSA money.

    I’m in the industry - I work on cryptography research and I review cryptographic protocols for security and correctness. I can tell you when I warn people not to roll their own crypto it’s not because I’m shilling for the NSA.

    It’s really very simple. Cryptography is an extremely complex discipline that requires specialized training. For the most part, engaging in complex disciplines without the requisite training results in errors somewhere. Unlike software from many other such complex disciplines, cryptosystems are 1) safety critical, and 2) compromised by extremely minute errors in design or implementation.

    Speaking frankly, I don’t think it’s wise for you to try and develop your own machine learning software for a production system without training, either. But at least if you do that you’re not (likely) compromising your users. We admonish untrained engineers for doing the same with cryptography because it requires either great ignorance or great hubris to believe you can pull it off without disastrous errors along the way.

  • They'd spend much less, because most private efforts would fail. For a real world example, consider how many crypto locker malware examples have been found broken in a way you can recover your files without paying. There is a proliferation of privately developed apps just using standard ciphers, not even creating new ones. They mostly fail at using the most basic form of symmetric encryption.

  • I may be biased because I studied crypto for about 9 years. My focus was using geometric properties of elliptic curves to speed up the computation, and I was writing hand-optimized code to prove my results.

    I can certainly tell you that you can make tons of mistakes at every layer: protocol, primitives, composition of primitives, how you implement them in sw or hw, how you optimize them.

    As an example you can see what happened to TLS 1.2: looking back after the fact, basically everything was wrong with it.

    Today I work for a large Internet company. I would be absolutely terrified if I had to see custom crypto implementations. There simply isn’t enough time to validate all that needs to be validated.

    Back to your point, though, I’m not against the “build your own crypto”, provided that you have proven expertise. Typically, if you are really an expert, you want to consult with other experts and create a solid team that can verify your implementation.

  • Isn't that how it works for most complex systems? It can be hard enough to learn a complex system well enough just to use it properly, let alone try to recreate one from scratch. So, for the most part we don't.

  • That I don't believe that many of those experts spreading this message are paid off by the NSA or similar orgs.

    And that being crypto-ignorant is not connected to only using known tools for real systems. In many cases, self-made crypto is done from an uninformed perspective, which is why it often is so bad. Just as using well-known crypto doesn't mean you haven't spent the time trying to understand why it is recommended and how it works internally, why alternatives are bad, or having made your own crypto and learned from that.

  • If anything the "roll your own crypto" culture might be something being implanted in our brain to spare the NSA money - and provide them with more attack vectors. Crypto astroturfing anyone?

    I studied crypto in college on the mathematical side. RSA and ECC are based on very sound maths