
What is the reason for using elliptic curve groups in crypto? Are they just the best known groups with efficient computation and not-known-broken security, or is there a deeper reason?


Very compact public keys and private keys, reasonably fast operations, less reliance on very good random number generation/bad keypair rejection than RSA, especially for signing where you can have deterministic signatures. I'm not sure constant time implementation is "easier" (probably don't try it still), but it's still somewhat nicer than the bignum and blinding stuff needed for RSA.


One nice thing about X25519 in particular is that if your math operations are constant time (not always a given in bignum libraries...), then the easiest implementation (a Montgomery ladder) does happen to be constant time. This was the reason for choosing a Montgomery curve for Curve25519 instead of the more usual Weierstrass curve form.

The ladder procedure is spelled out in https://datatracker.ietf.org/doc/html/rfc7748, though you'll also need to provide your own constant-time conditional variable swap (they give the xor swap trick as an example).


But why elliptic curve groups instead of, I don't know, some subgroup of GL(n, F_p) or something. Is it just that they happen to be the best known groups right now?


I think a lot of the reason might just be that the proof of Fermat's last theorem led to the development of a lot of theory for elliptic curves which happened to show that they work well for crypto.

