elliptic-curves
256 bit Field Operation: 64 bit * 4 vs 52 bit * 5
Thank you @tarcieri for the conversation (tag: @fjarri )
I would like to know the pros and cons of field arithmetic by 64 bit * 4 and 52 bit * 5.
In the bitcoin-core and RustCrypto implementations, 52 bit * 5 limbs are used for 256 bit field operations. We can also perform 256 bit field operations with 64 bit * 4 limbs.
The main issue is how we deal with the mod operation.
In 52 bit * 5, it manages the number of arithmetic operations by magnitude and performs naive modulus reduction.
In 64 bit * 4, it performs reduction for each arithmetic operation, which causes sub operation overhead for addition and Montgomery reduction for multiplication, but doesn't perform naive modulus reduction.
In my opinion, for specific operations such as signing and encryption, the number of arithmetic operations is less, so we should do it with 64 bit * 4.
For arbitrary operations, the number of arithmetic operations is unknown, so we should do it with 52 bit * 5.
I would like to know if you have any idea about this comparison. Thank you.
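
The trade-off described in the post, narrowed to addition, as an added example that is not code from the post, from RustCrypto or from bitcoin-core. It assumes the secp256k1 prime; all function names are hypothetical, and Montgomery multiplication is not shown.

```rust
// Assumed field: secp256k1, p = 2^256 - 2^32 - 977, so 2^256 ≡ R (mod p).
const R: u64 = 0x1_0000_03D1;
const M52: u64 = (1 << 52) - 1;

// 256-bit add with a full carry chain; returns (low 256 bits, carry out).
fn adc(a: [u64; 4], b: [u64; 4]) -> ([u64; 4], u64) {
    let (mut s, mut c) = ([0u64; 4], 0u128);
    for i in 0..4 {
        c += a[i] as u128 + b[i] as u128;
        s[i] = c as u64;
        c >>= 64;
    }
    (s, c as u64)
}

// Subtract p once if s + c*2^256 >= p (branch-free select); input must be < 2p.
fn reduce_once(s: [u64; 4], c: u64) -> [u64; 4] {
    let (t, d) = adc(s, [R, 0, 0, 0]); // s + R overflows exactly when s >= p
    let m = 0u64.wrapping_sub(c | d); // all ones when a subtraction is needed
    std::array::from_fn(|i| (t[i] & m) | (s[i] & !m))
}

// 4 x 64: carry chain plus reduction on every single addition.
fn add_4x64(a: [u64; 4], b: [u64; 4]) -> [u64; 4] {
    let (s, c) = adc(a, b);
    reduce_once(s, c)
}

// 5 x 52: independent limb adds; carries collect in the 12 spare bits.
fn add_5x52(a: [u64; 5], b: [u64; 5]) -> [u64; 5] {
    std::array::from_fn(|i| a[i] + b[i])
}

// Repack a canonical 4 x 64 value into 52-bit limbs (top limb holds 48 bits).
fn to_5x52(a: [u64; 4]) -> [u64; 5] {
    [a[0] & M52, (a[0] >> 52 | a[1] << 12) & M52, (a[1] >> 40 | a[2] << 24) & M52,
     (a[2] >> 28 | a[3] << 36) & M52, a[3] >> 16]
}

// Deferred reduction: fold bits >= 2^256 via R, carry, repack, subtract p once.
fn normalize_to_4x64(mut t: [u64; 5]) -> [u64; 4] {
    t[0] += (t[4] >> 48) * R;
    t[4] &= M52 >> 4;
    for i in 0..4 { t[i + 1] += t[i] >> 52; t[i] &= M52; }
    let s = [t[0] | t[1] << 52, t[1] >> 12 | t[2] << 40,
             t[2] >> 24 | t[3] << 28, t[3] >> 36 | t[4] << 16];
    reduce_once(s, t[4] >> 48)
}

fn main() { println!("{:x?}", normalize_to_4x64(add_5x52(to_5x52([5; 4]), to_5x52([7; 4])))); }
```

`normalize_to_4x64` relies on the caller keeping the number of stacked additions small enough that no 64-bit limb overflows, which is the magnitude bookkeeping the post refers to.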