I know you're not currently actively developing this (though maybe there is more interest in weird curves now that the GLV patent has expired...), but I thought I'd send you a note -- close the issue when you've seen it. :p
Your existing Fermat inverse is super duper fast because you mostly only need to work over the base field and Mersenne numbers result in really nice ladders, but there is a new approach that could be faster that you might be interested in. See https://github.com/bitcoin-core/secp256k1/blob/master/doc/safegcd_implementation.md which describes the implementation in libsecp256k1 (and links to the safegcd paper that inspired the work).
At 256 bits the speedup over a ladder is enormous; for 2^127-1 I expect it to be faster, but it's possible that it wouldn't be. If you're ever interested in trying it out, feel free to drop me a line. It should be trivial to modify our code for your sized numbers (it already works but will waste some time due to working with 256-bit numbers) -- I would have done it just to post benchmarks, but that would have required me to figure out how to benchmark your code. :P
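The two inversion strategies contrasted in the issue above, sketched for the field of size 2^127-1. This is an added example, not code from libsecp256k1 or from this repository; the function names are hypothetical, and the divstep loop is the plain one-step-at-a-time form that runs until g reaches 0, with none of the batching into word-sized matrices that makes production implementations fast.

```python
P = (1 << 127) - 1  # the Mersenne prime named in the issue


def fermat_inverse(x, p=P):
    """Inverse by Fermat's little theorem: x^(p-2) mod p (the 'ladder')."""
    x %= p
    if x == 0:
        raise ValueError("0 has no inverse")
    return pow(x, p - 2, p)


def _half_mod(v, m):
    """Return v/2 mod m for odd m, as an exact integer division."""
    if v & 1:
        v += m  # odd + odd = even, so the halving below is exact
    return v // 2


def safegcd_inverse(x, m=P):
    """Inverse via divsteps. Returns (inverse, number_of_divsteps).

    Invariants kept throughout: f == d*x (mod m) and g == e*x (mod m).
    """
    if m & 1 == 0:
        raise ValueError("modulus must be odd")
    x %= m
    delta, f, g, d, e = 1, m, x, 0, 1
    steps = 0
    while g != 0:
        if delta > 0 and g & 1:
            # Swap roles: the new f is the old g, the new g is (g - f)/2.
            delta, f, g, d, e = 1 - delta, g, (g - f) // 2, e, _half_mod(e - d, m)
        elif g & 1:
            delta, g, e = 1 + delta, (g + f) // 2, _half_mod(e + d, m)
        else:
            delta, g, e = 1 + delta, g // 2, _half_mod(e, m)
        steps += 1
    if f not in (1, -1):
        # |f| is gcd(x, m); anything other than 1 means no inverse exists.
        raise ValueError("no inverse exists")
    # f == d*x (mod m) with f = +/-1, so 1/x == d*f (mod m).
    return (d * f) % m, steps


if __name__ == "__main__":
    sample = 0x1234567890ABCDEF1234567890ABCDEF  # constructed test value
    inv, steps = safegcd_inverse(sample)
    print(inv == fermat_inverse(sample), steps)
```

The loop above stops as soon as g is 0, so its running time depends on the input; it shows the arithmetic only and is not a constant-time implementation.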