I hear this every time cryptography is brought up. I think I get that it's hard, but people make it sound like it's the hardest thing ever. Where does this extreme complexity stem from? And what's the field of knowledge required? (Mathematics I imagine)
Furthermore, given the number of subtle failure modes, a new scheme (even one designed by an expert) is likely to be insecure until shown to be secure by time and peer review (i.e., after it has been extensively attacked). Experts know this; amateurs assume that because they can't see a flaw, their new scheme is secure enough to deploy.
Tricky maths and just-as-tricky implementation. And a broken implementation can obviously make the best maths worthless.
And it's not hard because of the mathematical theory behind it. It's because there are so many subtleties in cryptography that in order to call yourself a "cryptographer", you not only need to have understood all the mathematical theory but also have thought about and understand all the subtle edge cases. And once you do get to that point, you become super careful about making certain claims.
Unlike engineering problems where a small error can be fixed somehow through monkey patching, a subtle loophole brings down the usefulness of the entire cryptographic algorithm. So no matter how powerful your next big cryptography algorithm is, if someone finds a very very small loophole, it's fucked, and the entire algorithm is unusable.
This is so important that the WebCrypto API even named their main API endpoint as "crypto.subtle" (instead of just using the "crypto" prefix) to warn people.
So TLDR: it's not because people don't trust the expertise of a non-cryptographer, but because people trust that an actual "professional cryptographer" is humble enough to not make claims unless they can prove it.
My impression with IOTA is that it makes a lot of mind-bending claims which no one can easily prove or disprove. And also they don't use the proven-by-time cryptographic algorithms. This makes it impossible for anyone to make a trustworthy peer review. (It doesn't help that the founder acts like an asshole so nobody wants to waste their time doing a peer review on it anyway)
Cryptographers are modern day real world occultists and wizards. It really is an esoteric area of computational and mathematical lore that requires many years of diligent study before one can even attempt to do anything that isn't a toy.
The gods (intelligence agencies, organized crime) laugh at those who attempt to roll crypto without knowing what they're doing.
Note again that I'm talking about core primitive (cipher, hash, etc.) design. I do think that mere mortals can implement crypto, though doing so competently still requires a lot of study and respect for the difficulty of the domain. I don't repeat the "never implement crypto" mantra. Instead I prefer the modified version: "do not attempt to implement crypto unless you know how to break crypto." If you don't understand how crypto is often broken and can't name and explain a few recent examples, you should not be implementing crypto.
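An added example to go with the "know how to break crypto" point above (this is not the commenter's code, and nothing in it comes from the thread): a MAC check whose maths is fine but whose implementation is broken. The early-exit byte comparison leaks how many leading bytes of the attacker's guess were right. Here the leak is modelled as a count of bytes examined, which is what a timing measurement would recover in practice; the key and message are constructed sample data.

```python
# Added example (not the commenter's code): a MAC verification whose maths is
# sound but whose comparison is broken. The early-exit compare leaks how many
# leading bytes of the attacker's tag were right; the leak is modelled here as
# the number of bytes examined, which is what timing would reveal.
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
TAG_LEN = 32                   # HMAC-SHA256 digest length


def tag(message: bytes) -> bytes:
    """Correct MAC: the maths is not the problem."""
    return hmac.new(KEY, message, hashlib.sha256).digest()


def naive_compare(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, number_of_bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def leaky_verify(message: bytes, provided: bytes):
    """Vulnerable verifier: uses naive_compare."""
    return naive_compare(tag(message), provided)


def safe_verify(message: bytes, provided: bytes):
    """Fixed verifier: hmac.compare_digest examines every byte regardless.
    Same (ok, examined) shape so the attack below can be pointed at it."""
    return hmac.compare_digest(tag(message), provided), TAG_LEN


def recover_tag(message: bytes, verify) -> bytes:
    """Forge a valid tag for `message` using only the verifier's leak.

    At position i the attacker assumes bytes 0..i-1 are already right. A wrong
    byte i stops the compare after i+1 bytes; a right one lets it run on to at
    least i+2 bytes (or succeed outright). At most 256 queries per byte."""
    guess = bytearray(TAG_LEN)
    for i in range(TAG_LEN):
        for candidate in range(256):
            guess[i] = candidate
            ok, examined = verify(message, bytes(guess))
            if ok or examined > i + 1:
                break
    return bytes(guess)


if __name__ == "__main__":
    msg = b"pay 10 to alice"
    print("leaky verifier forged:", recover_tag(msg, leaky_verify) == tag(msg))  # True
    print("safe verifier forged: ", recover_tag(msg, safe_verify) == tag(msg))   # False
```

Against the leaky verifier the forgery needs at most 32 × 256 queries and never touches the key; against `hmac.compare_digest` the "examined" signal is constant, so the attacker learns nothing and the search comes back with garbage. The cipher and hash were never at fault, which is exactly the kind of break the comment is asking implementers to be able to name.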
I believe that it stems from the fact that it's easy to get wrong, and hard to know you got it wrong. Furthermore, other than a few special cases like one-time pads, there's no known way to prove that a cipher is secure, only that it's insecure. A cipher designer, therefore, must by necessity be an expert on all the known ways to break a cipher, so as to avoid all the known traps, and defend against the yet-to-be-discovered ones.
* Computer science, specifically complexity theory and circuits
* Galois field theory (AKA finite field theory)
* Group theory
* Number theory
* Specialities include elliptic curves and modular forms, lattices (in the ordered/on-the-plane way, not the algebraic structures)
In general, cryptographic design and analysis is all about a guess that we have in mathematics: We think that one-way functions exist. We think that we have certain specific tools, such as the discrete logarithm problem and Feistel networks, which can be carried from one domain to another reusably, and as a result the bleeding edge of research is currently concerned with finding new domains, as quantum computers will rapidly make our current ones obsolete.
This isn't the hardest thing ever, but you're going to have to spend a few years getting your maths up to snuff. I've personally spent over a decade and while I've done a lot of things, I've still yet to contribute usefully to the cryptographic community; I haven't accrued enough knowledge to do more than analyze basic protocols and read some classic cryptanalysis papers.
Hope this helps; everything should be Googlable or on Wikipedia.
Given that DCI appears to have outsmarted the IOTA developers here, it's not a crazy attitude.
It’s not literally the hardest thing ever, but it’s probably in that category of difficulty with a few other domains. There are several reasons why this is the case.
First, to understand cryptography well enough to safely design a novel cryptosystem requires significant knowledge of information theory, complexity theory and approximately all of undergraduate mathematics. If you’re only developing symmetric encryption cryptosystems or primitives like hash functions, you can probably stop there. If you’re developing a novel public-key cryptosystem, you will be adding on graduate-level study in number theory and algebra; in particular for advanced topics in elliptic curves, coding theory and vector spaces (lattices). Throw in game theory while you’re at it to model cryptosystems and their security proofs. You don’t need everything from every course, and it doesn’t have to happen in a strictly academic setting, but you still need to acquire that knowledge if you want to design novel systems.
Second, while a lot of “hard” fields require knowledge of very advanced topics in math, cryptography is somewhat unique in that the incentive to identify a mistake in your design is extraordinary. Designing an imperfect alternative to bcrypt or scrypt results in absolute catastrophe for real-world user privacy and monetary assets if a serious vulnerability is found after it’s widely adopted. Simply put: this is an arms race, and most software does not need to be designed to be fault-tolerant in an actively hostile environment. This elevates the design difficulty to what you could call the “military setting.”
Finally, and as a corollary to my second point, cryptography is very difficult to implement. It’s fairly easy to choose the wrong parameter when you’re implementing a cryptographic primitive from a specification, or to accidentally destroy the security of the cryptosystem in an attempt to make it a bit faster (e.g. lattice reduction). And other than that you need to defend against a battery of side channel attacks, which introduces another level of complexity.
I personally understand a lot of academic cryptography (but the more you learn the less you actually know...), and I’d say that, categorically speaking, cryptography is comparable to rocket science. I’m not claiming it’s absolutely as hard, but it shares many of the broad strokes. It’s not brain meltingly difficult in any single dimension (I find cryptography papers far easier to read than some blog posts by Terence Tao, for example), but the conceptual addition of a “safety” requirement makes everything more complex. It elevates the requisite mathematical knowledge and engineering rigor needed to design and implement a good cryptosystem.
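An added example for the "wrong parameter" failure this post describes (not the poster's code; everything in it is constructed for the demo). The keystream PRF is a counter-mode construction over SHA-256 with a secret key, which is a perfectly reasonable thing to build; the break comes entirely from reusing the nonce, which makes two messages share one keystream.

```python
# Added example (not the poster's code): the "wrong parameter" failure in
# concrete form. The keystream PRF below (SHA-256 over key, nonce and a
# counter) is a reasonable construction; the break comes entirely from
# reusing the nonce. Key, nonce and messages are constructed sample data.
import hashlib
import secrets

NONCE_LEN = 12  # fixed length, so key || nonce || counter parses unambiguously


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || nonce || i)."""
    assert len(nonce) == NONCE_LEN
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream undoes itself


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """Under a shared nonce, c1 ^ c2 == p1 ^ p2: the keystream cancels out,
    and no key is needed."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Crib attack: knowing (or guessing) message 1 yields message 2 directly."""
    return bytes(x ^ p for x, p in zip(xor_of_plaintexts(c1, c2), known_p1))


def encrypt_fresh(key: bytes, plaintext: bytes):
    """The fix: a fresh random nonce per message, sent alongside the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce, encrypt(key, nonce, plaintext)


if __name__ == "__main__":
    key = b"constructed-demo-key-16b"
    nonce = bytes(NONCE_LEN)  # the mistake: one fixed nonce for every message
    p1 = b"ship 10 units to warehouse A"
    p2 = b"ship 99 units to warehouse B"
    c1, c2 = encrypt(key, nonce, p1), encrypt(key, nonce, p2)
    print(recover_with_crib(c1, c2, p1))  # b'ship 99 units to warehouse B'
```

Note that even the fix is itself a parameter choice: 96-bit random nonces start colliding with non-negligible probability after roughly 2^32 messages under one key, so a high-volume sender wants a counter-based nonce instead. That is the kind of subtlety the post means by getting a parameter wrong while every primitive involved is sound.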