[I'm sorry, I didn't send this to the correct list. I forgot that there was a separate security list.]
An update: I'm still working on this. Following last week's revelations [1] it seems to me that a faster implementation of (integer) D-H is even more important. I've spent a couple of days tracking down an extremely odd feature (bug?) in MutableBigInteger which was breaking everything, but I'm past that now.

I'm trying to produce an intrinsic implementation of the core modular exponentiation which is as fast as any state-of-the-art implementation while disrupting the common code as little as possible; this is not easy. I hope to have something which is faster on all processors, not just those for which we have hand-coded assembly-language implementations.

I don't think that my work should be any impediment to Sadya's patch for squareToLen at http://cr.openjdk.java.net/~kvn/8069539/webrev.01/ being committed. It'll still be useful.

Andrew.

[1] Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
https://weakdh.org/imperfect-forward-secrecy.pdf