On 01/02/2016 05:42 PM, Tim Wilson-Brown - teor wrote:
And if we can't use the reference implementation, we have some decent programmers… (On the other hand, if there's no reference implementation, then that makes it hard to recommend that particular crypto scheme.)
That sounds pretty close to a "roll your own crypto" idea, which as I'm sure you know is almost always a poor idea. Classical algorithms like RSA and Diffie-Hellman are ~40 years old but they have many side-channels and are still hard to implement correctly. There are so many subtleties with ECDHE and ECDSA, with the notable exception of the safer *25519 cryptosystems from djb. Post-quantum cryptography is over my head, but considering the pattern and the newness of the field I wouldn't trust any implementation unless it was written or at least vetted by the authors of the respective post-quantum cryptosystem.
That being said, I'd like to thank Schanck, Whyte, and Zhang for their work, their paper, and their reference implementation.