Interestingly, it looks like there was a bug in every Argon2 implementation specifically because everyone just used the reference implementation.
Personally, I think the intention of the phrase "don't roll your own crypto" was lost over time. It was advice to companies to use standard cryptographic algorithms rather than everyone coming up with their own thing for no good reason. It doesn't mean that only some blessed individuals should be allowed to write cryptographic software. I think OpenSSL has taught us that not rolling your own crypto results in a monoculture of self-professed experts that didn't follow that advice.
Those are two separate arguments. Of course there should be competition in crypto libraries. However, the "don't roll your own" advice is to prevent people who don't have sufficient experience, education or resources to write their own library that can compete - effectively leaving their systems vulnerable.
The thing about the "don't roll your own" advice is it's aimed at people who don't competently know what they're doing rather than those who do.
How do you expect people to become competent if you constantly tell them to not do something? All that will happen is that people who don't listen to warnings will write crypto libraries and everyone will be forced to use them because nobody else wrote one.
The fact that there was no independent implementation of Argon2 that found there was a bug in the reference implementation shows that the "don't roll your own" advice is discouraging competition in crypto libraries to the point where the reference implementation wasn't sufficiently verified to produce correct output.
Again I feel the need to reiterate that the rule only needs to apply to those it needs explaining to. I.e. nobody who is smart enough to roll their library would not do so for a production system without it having undergone rigorous testing first. Sure we might write hobby projects (I've written my own encryption ciphers for fun) but that's very different from actually using said cipher on live and/or business critical systems.
Simply put, the rule is there to remind people that rolling your own crypto libraries is dangerous. It's not meant to be taken literally to the daft extremes that yourself and a few others on here have. It's just meant to stop those lacking common sense from leaving themselves vulnerable.
I agree with what you're saying in general, that people should not write a crypto library unless they have a strong need to and are going to have it thoroughly audited.
> Simply put, the rule is there to remind people that rolling your own crypto libraries is dangerous. It's not meant to be taken literally to the daft extremes that yourself and a few others on here have.
My problem is that this nuance is not present in the statement "don't roll your own crypto". And that lack of nuance leads to no competing Argon2 implementation, and having OpenSSL control the future of TLS.
It's not just a few people who have taken it "literally to the daft extremes". Nobody in the entire crypto community re-implemented Argon2, not even as a hobby project. The message "don't roll your own crypto" is too strong because it results in nobody implementing their own crypto for any reason (which should not be surprising given the mantra).
I think it's a bit of a stretch to say nobody implemented Argon2 because of the aforementioned rule when it's also been pointed out in this thread the vast number of times that people have rolled their own crypto libraries. That would suggest to me that there are other factors at play with your example. Possibly due to the relatively young age of that specific KDF, or perhaps it's lesser known compared to many of the others? I don't really know enough about Argon2 to make any specific comments there but in the more general sense it has been proven on here already that many people do make hobby projects of rolling their own libraries.
I used Argon2 as an example because it was mentioned in TFA, as the author discovered that the test vectors were wrong because the reference implementation was wrong. That author noted that if someone else had implemented it from scratch they would've noticed this immediately when testing the test vectors.
I got why you used that as a reference. I was just saying it's a bit of a stretch to say your arguments about the aforementioned rule are the reason nobody else attempted to implement Argon2 when we already have a long list of examples of people who do roll their own ciphers.
The point of the rule is to discourage those who don't know what they're doing from compromising live systems. The kinds of people interested in Argon2 are the kind who are already security-minded so will understand the point behind the rule and will understand it's fine to ignore that rule if you understand the caveats that rule implies.
The fact Argon2 hadn't been reimplemented can easily be explained for a number of other reasons too.
Most people with even a casual interest in security do understand that point behind the "don't roll your own" rule so I think it's odd to suggest that we are all too literally minded. As evidenced by the fact that a great many people do write their own hobby libraries.