kahlys/webcrypto

Side-Channel on Base64?!


Looking at the source code, it uses base64.RawURLEncoding:

webcrypto/ecdsa/ecdsa.go

Lines 18 to 20 in be3d31d

"x": base64.RawURLEncoding.EncodeToString(prv.X.Bytes()),
"y": base64.RawURLEncoding.EncodeToString(prv.Y.Bytes()),
"d": base64.RawURLEncoding.EncodeToString(prv.D.Bytes()),

It uses a table lookup. Since this lookup is not constant-time, it may leak some information about the encoded value, i.e. the key itself.

I don't know if a practical attack already exists at this time, but others have already spotted the same problem. Some libraries already use constant-time decoding/encoding:

LibSodium:

The function always returns hex. It evaluates in constant time for a given size.

BoringSSL:

Since PEM is sometimes used to carry private keys, we decode base64 data itself in constant-time.

Should webcrypto use this kind of function?
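For reference, this is what a branchless base64url encoder of the kind the issue points at can look like in Go. It is an added example for this page, not code from kahlys/webcrypto, libsodium or BoringSSL: the character mapping is done with mask arithmetic instead of a table lookup, and the output is byte-for-byte the same as base64.RawURLEncoding.EncodeToString. The sample input in main is a constructed byte string, not a real key.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// ctB64URLChar maps a 6-bit value to its base64url character using only
// arithmetic: no table lookup and no data-dependent branch. Each mask is
// all-ones in its low byte when x is above the threshold (the subtraction
// wraps as unsigned, then >> 8) and zero otherwise.
func ctB64URLChar(x uint32) byte {
	c := uint32('A') + x
	c += ((25 - x) >> 8) & 6  // x >= 26: move into 'a'..'z'
	c -= ((51 - x) >> 8) & 75 // x >= 52: move into '0'..'9'
	c -= ((61 - x) >> 8) & 13 // x >= 62: '-'
	c += ((62 - x) >> 8) & 49 // x == 63: '_'
	return byte(c)
}

// CTEncodeRawURL produces the same unpadded base64url text as
// base64.RawURLEncoding.EncodeToString, but its memory accesses do not
// depend on the bytes of src. Branching on len(src) is acceptable: the
// length of a key coordinate is public, only its value is secret.
func CTEncodeRawURL(src []byte) string {
	out := make([]byte, 0, (len(src)*8+5)/6)
	i := 0
	for ; i+3 <= len(src); i += 3 {
		v := uint32(src[i])<<16 | uint32(src[i+1])<<8 | uint32(src[i+2])
		out = append(out, ctB64URLChar(v>>18&0x3f), ctB64URLChar(v>>12&0x3f),
			ctB64URLChar(v>>6&0x3f), ctB64URLChar(v&0x3f))
	}
	switch len(src) - i {
	case 1:
		v := uint32(src[i]) << 16
		out = append(out, ctB64URLChar(v>>18&0x3f), ctB64URLChar(v>>12&0x3f))
	case 2:
		v := uint32(src[i])<<16 | uint32(src[i+1])<<8
		out = append(out, ctB64URLChar(v>>18&0x3f), ctB64URLChar(v>>12&0x3f),
			ctB64URLChar(v>>6&0x3f))
	}
	return string(out)
}

func main() {
	d := []byte{0x01, 0x02, 0x03, 0xfb, 0xff} // constructed sample, not a real key
	fmt.Println(CTEncodeRawURL(d), CTEncodeRawURL(d) == base64.RawURLEncoding.EncodeToString(d))
}
```

The compiler is still free to rewrite arithmetic, so an encoder like this has to be checked on the produced binary, which is the same caveat libsodium and BoringSSL carry for their versions.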