Milagro Rust implementation seems very slow

[mratsim]

I run your benchmark on my machine and confirmed your result:

However, I wrapped Milagro C in Nim at https://github.com/status-im/nim-blscurve
and did preliminary benchmarks status-im/nim-blscurve#47 (comment)

Note that the scalar multiplication was done with 381-bit scalar instead of 255-bit as I forgot to take into account the curve order. so there is 50% more operations (Milagro is constant-time for scalar-mul)

Generation of 1000 signatures should take about 1s (HashToG2) + 280ms (scalar mul via 1/(2.4*1.50)) not 27s. This is about 27 slower than expected.

Signature verification should also be much faster despite Milagro not doing the subgroup checks as required by the hash-to-curve draft

---

Also the repo you are linking to is archived and its hash-to-curve is not the common hash-to-curve draft v7 that Algorand, Ethereum 2 and other blockchain are targeting. See https://github.com/apache/incubator-milagro-crypto-rust cc @kirk-baird who might have more recent benches.

If Milagro Rust is still much slower than C, I do have some idea on the reasons, the Rust code for example is returning huge objects like ECP on the stack while the C code never does that (https://github.com/apache/incubator-milagro-crypto-rust/blob/23d1fac6f/src/ecp.rs#L980) and I expect the compiler does not try to optimize those away via return-value-optimization or copy-elision.

[kirk-baird]

Let me know if you'd like some bench marks for apache milagro rust :)