Performance should be in the same ballpark, but I'd rather go with whichever achieves its security level most efficiently. Goldilocks looks good by that metric [1], so I'm curious how a Curve41417 implementation compares.
The rationale for an "extra-strength" curve is the hope it might resist future cryptanalytic breakthroughs. The extra bits aren't needed for brute force, but if some cryptanalysis comes along in 20 years and lops a bunch of "security bits" off, you might be glad you had extra ones...
That's a hard thing to quantify, but if we can get, say, 96 extra security bits for only a ~3.5x slowdown over Curve25519, it seems worthwhile.
The rationale for an "extra-strength" curve is the hope it might resist future cryptanalytic breakthroughs. The extra bits aren't needed for brute force, but if some cryptanalysis comes along in 20 years and lops a bunch of "security bits" off, you might be glad you had extra ones...
That's a hard thing to quantify, but if we can get, say, 96 extra security bits for only a ~3.5x slowdown over Curve25519, it seems worthwhile.
[1] https://docs.google.com/a/trevp.net/spreadsheet/ccc?key=0Aie...