[Cryptography] A "koan" about crypto

Ralf Senderek crypto at senderek.ie
Sun Jun 7 06:34:11 EDT 2015


On Sun, 7 Jun 2015 04:15:10 Lodewijk andré de la porte wrote:

>Afterwards, I had made a crypto-using application. In hindsight, it was
>relatively easy. With better libraries (more foolproof and high-level calls) it
>could have been absolute pie.

like cryptlib-3.4.3

>Likewise, the code implementing the cryptography itself can also be written once
>given the time to learn all about how to write things securely. Things like
>timing, cache, power attacks can all be explained. If more people would go for
>it, more people would be explaining it, and the general quality would improve.
>Perhaps there would even come some sort of framework for validating one another's work.

Such a framework is clearly missing at the moment. And this has nothing to
do with laziness or lack of time; the primary reason is complexity. Most,
if not all, cryptographic programs can only be assessed in the context of
the practical use case, where much more than the library itself comes into
play. Under normal, unclear and confusing circumstances, it's hard to
reach a substantial conclusion regarding the security of a system.

Without a far-reaching reduction of complexity, there's no incentive for 
well-educated people to contribute to such a framework, as the results
of their validation efforts may become invalid, because of some detail
they might have missed.

And then there is laziness and lack of time.

Maybe one first step in the right direction is to fight complexity on all
fronts, and to push yourself to volunteer, once there is a reasonable
chance for success - and do it.

    --ralf


