Yawning Angel

> I tried out implementing it as a simple loop of the Square body, manually inlining `carryPropagate`, and I don't see any improvement on high-level group functions. Are we missing...

As another concrete example of where this would be nice would be `ECVRF_prove` from the [VRF draft](https://www.ietf.org/archive/id/draft-irtf-cfrg-vrf-09.txt). Benchmarking my (unpublished) edwards25519 based version, Invert + Pow22523 account for ~23.5% of...

I question the wisdom of recommending something that is not guaranteed to be timing side-channel free. https://github.com/golang/go/commit/850e55b8c028440f2fe282858b332cb810a06864

> @probakowski See #248 for a PR that adds your repository to the third-party compatibility test suite for `avo`. Unfortunately, the test failed in Github Actions with an illegal instruction...

> I agree with all of these, although if implementations may ignore KeepAlive, is it still useful in any way? We couldn't terminate the connection based on not getting a...

I am in favor of this for the following reasons: * I am going to have to do the work anyway when Oasis moves beyond tendermint 0.34.x * We (Oasis)...

As a reminder (mostly for myself), #6414 also needs to be integrated. If I were to do the work I would probably add support for batch verification (without concrete implementations...

Note that my implementation makes certain assumptions that may not be valid for a more general wrapper (omits some locking, destination host is assumed to be static), but there's comments...

> Or perhaps @Yawning can agree to dual license his uTLS changes so we can pull them here. I'll need to think about this.

Some performance numbers, that should be taken with a huge grain of salt: test nacl::bench::crypto_secretbox_10 ... bench: 767 ns/iter (+/- 100) = 13 MB/s test nacl::bench::crypto_secretbox_1k ... bench: 9994 ns/iter...