2019.05.22 15:38:39 (1131192651338829825) from Daniel J. Bernstein:

Cryptographers working on "verifiable delay functions" (VDF) seem to think that all known algorithms to compute x^2^T mod pq (unknown p,q) need T times the latency of a single squaring. Sorenson and I have a 2007 paper https://cr.yp.to/papers.html#meecrt beating this in some hardware models.

2019.05.22 16:09:01 (1131200296288477184) from Daniel J. Bernstein:

Offhand I'd expect the real speedup to grow as Theta(log(hardware)). Of course there's no substitute for implementation measurements. This is yet another part of the ongoing denial-of-service attack against cryptanalysts: there's far too much new cryptography to seriously review.