On 01/02/2016 05:42 PM, Tim Wilson-Brown - teor wrote:
> And if we can't use the reference implementation, we have some decent
> programmers…
> (On the other hand, if there's no reference implementation, then that
> makes it hard to recommend that particular crypto scheme.)
That sounds pretty close to a "roll your own crypto" idea, which as I'm
sure you know is almost always a poor idea. Classical algorithms like
RSA and Diffie-Hellman are ~40 years old but they have many
side-channels and are still hard to implement correctly. There are so
many subtleties with ECDHE and ECDSA, with the notable exception of the
safer *25519 cryptosystems from djb. Post-quantum cryptography is over
my head, but considering the pattern and the newness of the field I
wouldn't trust any implementation unless it was written or at least
vetted by the authors of the respective post-quantum crypto system.
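As an added illustration of the "many side-channels" point above (my own toy code, not teor's, the Tor project's, nor any reference implementation; all numbers are small constructed values, not real RSA/DH parameters): textbook square-and-multiply does extra work for every 1-bit of the secret exponent, so a simple operation count, standing in for timing, already reveals the exponent's structure, while a Montgomery ladder does the same arithmetic for every bit.

```python
"""Operation-count side channel in naive modular exponentiation vs a
Montgomery ladder. Toy parameters only (constructed for the demo)."""


def naive_modexp(base, exp, mod):
    """Textbook left-to-right square-and-multiply.
    Returns (result, ops); ops counts modular multiplications and
    depends on the exponent's bits, which is the leak."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod   # one square per bit
        ops += 1
        if bit == "1":
            result = (result * base) % mod  # extra multiply on 1-bits only
            ops += 1
    return result, ops


def ladder_modexp(base, exp, mod, bits):
    """Montgomery ladder over a fixed bit width: exactly two multiplications
    per bit whatever the exponent, so the arithmetic count is data-independent.
    Note: the secret-dependent `if` below is itself a branch side channel;
    real constant-time code replaces it with a conditional swap. Only the
    operation count is equalized here."""
    r0, r1, ops = 1, base % mod, 0          # invariant: r1 == r0 * base
    for i in reversed(range(bits)):
        if (exp >> i) & 1:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        ops += 2
    return r0, ops


def leak_demo(mod=1000003, base=5, bits=16):
    """Compare op counts for a sparse and a dense 16-bit exponent
    (constructed keys). Returns ((naive_sparse, naive_dense),
    (ladder_sparse, ladder_dense))."""
    sparse, dense = 0b1000000000000001, 0b1111111111111111
    naive = (naive_modexp(base, sparse, mod)[1],
             naive_modexp(base, dense, mod)[1])
    ladder = (ladder_modexp(base, sparse, mod, bits)[1],
              ladder_modexp(base, dense, mod, bits)[1])
    return naive, ladder


if __name__ == "__main__":
    print(leak_demo())  # naive counts differ with the key; ladder counts do not
```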