Anthony-Mai/TinyTls

Side channel guarantees?

Opened this issue · 0 comments

Most cryptographic libraries are written to be resilient to timing and cache side channels. Looking at your big-num implementation, it appears to do lookups into arrays (leaks values via access patterns in any system with caches) and also to have a lot of loops that terminate early with data-dependent conditions (leaks values to attackers who can measure times, including those on the local network).

Please can you document what your threat model is with respect to key confidentiality?
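The two leak classes named in the issue (early-exit loops and secret-indexed array reads) are easiest to see side by side. The following is an added illustration, not TinyTls code: it assumes a 4-limb little-endian big number with 32-bit limbs, constructed sample operands, and a hypothetical table of precomputed values. It shows a variable-time equality check whose iteration count reveals where the operands first differ, then the constant-time counterparts: a branch-free equality test, a mask-based select that replaces a key-bit-dependent branch, and a table read that touches every entry so the cache access pattern does not depend on the index.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not TinyTls code. A 4-limb little-endian big number with
 * 32-bit limbs is an assumption made for illustration only. */
#define LIMBS 4
typedef uint32_t limb_t;

/* Constructed sample operands (not real key material). */
const limb_t SAMPLE_KEY[LIMBS] = {0x11111111, 0x22222222, 0x33333333, 0x44444444};
const limb_t SAMPLE_G0[LIMBS]  = {0x11111110, 0x22222222, 0x33333333, 0x44444444}; /* differs at limb 0 */
const limb_t SAMPLE_G3[LIMBS]  = {0x11111111, 0x22222222, 0x33333333, 0x44444440}; /* differs at limb 3 */
const limb_t SAMPLE_TABLE[4]   = {10, 20, 30, 40};                                 /* hypothetical precomputed table */

/* Variable-time equality: bails out at the first differing limb. The number
 * of iterations, and therefore the run time, depends on where the secret
 * operands first differ. *steps receives the limb count examined so the
 * leak can be observed directly. */
int bn_eq_vartime(const limb_t a[LIMBS], const limb_t b[LIMBS], size_t *steps)
{
    size_t i;
    for (i = 0; i < LIMBS; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;    /* early exit: attacker learns i from timing */
            return 0;
        }
    }
    *steps = LIMBS;
    return 1;
}

/* Convenience wrapper returning only the number of limbs examined. */
size_t bn_eq_vartime_steps(const limb_t a[LIMBS], const limb_t b[LIMBS])
{
    size_t steps = 0;
    bn_eq_vartime(a, b, &steps);
    return steps;
}

/* 0xFFFFFFFF when x == 0, otherwise 0, computed without a branch on x. */
static limb_t ct_mask_zero(limb_t x)
{
    return (limb_t)(((uint64_t)x - 1u) >> 32);
}

/* Constant-time equality: every limb is read, the differences are OR-ed
 * together, and the accumulated word is reduced to 0/1 arithmetically. */
int bn_eq_ct(const limb_t a[LIMBS], const limb_t b[LIMBS])
{
    limb_t acc = 0;
    for (size_t i = 0; i < LIMBS; i++)
        acc |= a[i] ^ b[i];
    return (int)(ct_mask_zero(acc) & 1u);
}

/* Branch-free select: returns a when choice == 1, b when choice == 0.
 * This is the pattern that replaces "if (key_bit) r = a; else r = b;" in an
 * exponentiation loop so that no taken branch depends on the key bit. */
limb_t ct_select(limb_t a, limb_t b, limb_t choice)
{
    limb_t mask = (limb_t)0 - choice;      /* all-ones or all-zeros */
    return (a & mask) | (b & ~mask);
}

/* Secret-indexed table read that touches every entry. The sequence of
 * memory accesses is identical for every idx, unlike plain table[idx]. */
limb_t ct_table_lookup(const limb_t *table, size_t n, size_t idx)
{
    limb_t out = 0;
    for (size_t i = 0; i < n; i++)
        out |= table[i] & ct_mask_zero((limb_t)(i ^ idx));
    return out;
}

int main(void)
{
    printf("variable-time: limbs examined %zu (mismatch at limb 0) vs %zu (mismatch at limb 3)\n",
           bn_eq_vartime_steps(SAMPLE_KEY, SAMPLE_G0),
           bn_eq_vartime_steps(SAMPLE_KEY, SAMPLE_G3));
    printf("constant-time: eq(key,g0)=%d eq(key,g3)=%d eq(key,key)=%d\n",
           bn_eq_ct(SAMPLE_KEY, SAMPLE_G0), bn_eq_ct(SAMPLE_KEY, SAMPLE_G3),
           bn_eq_ct(SAMPLE_KEY, SAMPLE_KEY));
    printf("ct lookup idx 2 -> %u, ct_select(7,9,1) -> %u\n",
           ct_table_lookup(SAMPLE_TABLE, 4, 2), ct_select(7, 9, 1));
    return 0;
}
```

The step counts returned by `bn_eq_vartime_steps` are exactly what a remote attacker recovers from response times; the constant-time variants do the same amount of work and the same memory accesses regardless of the operands. Note that `ct_mask_zero` relies on the compiler not re-introducing a branch, so a real library would verify the generated assembly (or use a tool such as a constant-time checker) rather than trust the C source alone.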