> The rule of thumb in cryptography is "don't roll your own crypto".

This phrase is tiring to hear in this form, and your understanding seems to be incomplete here. Signal also rolled its own crypto, but you don’t see anyone saying it’s insecure for that reason. That phrase is used to tell non-cryptographers not to roll their own crypto because of the high chances of vulnerabilities being introduced. In the case of Telegram, the company defends its protocol saying that it’s been created by people with PhD in mathematics (which is related to and is foundational for, but different from, cryptography). Telegram’s encryption protocol (the second version) has not been broken by anyone till date.

>In the case of Telegram, the company defends its protocol saying that it’s been created by people with PhD in mathematics (which is related to and is foundational for, but different from, cryptography).

It was created by Nikolai Durov who has a PhD in geometry. That's like a gynaecologist performing brain surgery. Specialization matters. Sure both took human anatomy 101 class in college, but somewhere along the way they went and spend their ENTIRE career doing different things. It's easier to get another decree in medical science sure, but in this case the gynaecologist did not, they just started cutting the brain with kitchen knife and just because their patients haven't died yet doesn't mean they have the credentials to abandon best practices.

MTProto 1 was the problematic protocol that continues to haunt Telegram despite its deprecation for MTProto 2 which is built on standard crypto primitives.

This is a fun phrase, that as a non-crypto person seems reasonable, but I always wonder if there's something of a confirmation bias.

> The reason why that statement exists is because there are _countless_ examples of teams coming up with their own, new cryptographic mechanisms that either break...

But aren't there _countless_ examples of this in crypto made by cryptographers?

I'm not playing devil's advocate, I don't really have a stake here. :)

Not a crypto expert either, but from what I've gleaned listening to e.g. Peter Guttman describe evaluating new crypto mechanisms, you'll see that:

1. Actual cryptographers usually design with a set of constraints that make their crypto work: those might be about compute power, or memory bandwidth, or what have you, that make an algorithm difficult to brute force.

2. The algorithm will typically be peer-reviewed to try to weed out mistakes, either fundamental mathematical ones, or in the assumptions.

3. The implementation then needs to be high quality.

There are certainly no shortage of examples where systems which pass 1 & 2 are undermined by failures in 3. All algorithms are susceptible to the context around 1 changing (changes in compute power or whatever).

When you go it alone, you're assuming that you won't make any mistakes any of these. That seems a pretty tall order.

The principle is that cryptography is so hard that even the experts screw up, but non-expert chances of screwing up are so much greater.

I would phrase it more as "there is no margin of error in cryptography".

In machine learning, a model that works 90%, 95% of the time is pretty good.

A glitchy video game can still be fun as long as the glitches don't happen too often or cause a loss of too much progress.

Even a filesystem that doesn't lose most people's data, most of the time, will have a lot of adherents.

But if your cryptography implementation isn't completely perfect, it's frequently just 100% useless for its intended purpose.

What really sets cryptography apart is that for a non-expert, there is no way to tell whether it's correct or not. Most bad software has bugs that can be found by users. A bad ML model will do poorly in validation.

But a bad crypto implementation will work. For all intents and purposes, it will appear completely fine. Users will get their messages. The bitstream will appear completely random. At least, until somebody with expertise in breaking crypto systems digs into it.

>But a bad crypto implementation will work. For all intents and purposes, it will appear completely fine. Users will get their messages. The bitstream will appear completely random. At least, until somebody with expertise in breaking crypto systems digs into it.

And that applies even if they're using AES but wrong mode of operation. That applies even if they're using best practices like AES-GCM but the CPU doesn't support AES-NI and a cache timing attack allows key exfiltration.

Like Swiftonsecurity wrote:

"Cryptography is nightmare magic math that cares what kind of pen you use. Should math care what kind of pen you use to implement it? No, but Fuck You, this is Cryptography."

The attacks are incredibly subtle for even the best systems, and Telegram is so far away from even adaquate it's difficult to emphasize it so I'll try with my best restraint:

TELEGRAM FUCKING LEAKS EVERY GROUP MESSAGE TO THE SERVER WHICH IS THE EXACT EQUIVALENT OF A FUCKING BACK DOOR.

I hope that didn't leave anything unambiguous.

Group messages on Telegram and normal messages are explicitly not encrypted in order to allow multi-device operation. That is explicit. I don't see how that has anything to do with the security of MTProto.

Also notable is that it can't be fixed or patched in the way you'd expect for any other software -- once it's found broken, everything that ever used it is now broken unless they're re-encrypted. There's no migration path to the fixed version

Who would buy the licenses? In a world where the libraries for the Signal protocol are free, lol.

Assuming that money is what they’re after. Are you reading Durov’s channel on Telegram? Also, having invented the Russian Facebook and forcefully selling it to the Kreml - I don’t think he needs any more money. He’s playing a totally different game. I don’t know which one though.

Pavel Durov is so mindboggingly rich that he had a good shot at being a Russian oligarch, and decided not to. I don't think that's an argument.

The thing about crypto is that it works in pieces. I'm sure it takes 12+ libraries to make an end-to-end encryption work. Signal has this same problem.