Hacker News

Correct me if I'm wrong, but if it's written in pure Go, wouldn't that make it susceptible to timing/power side channel attacks?


Go is as susceptible to timing side channels as C, if not less. (The difference being that while there is one major Go compiler, which usually does not go overboard with optimizations, when writing C you have to do increasingly complex tricks to defend against the compiler realizing what you are trying to do and replacing it with a more efficient variable-time branch.) This implementation was written to avoid any secret-dependent code path.

Power side channels, which require physical access, are indeed outside the threat model of Go.
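Added example, not part of the thread and not code from the project under discussion: a Go sketch of what "secret-dependent code path" means, contrasting an early-exit comparison with a branch-free one and a branch-free conditional select. The function names (`leakyEqual`, `constEqual`, `condSelect`) and the sample byte strings are constructed for illustration; the returned counters stand in for the timing an observer would measure.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// leakyEqual reports equality and how many bytes it inspected. The early
// return makes the work done depend on where the first mismatch is, which
// is exactly the kind of secret-dependent path a timing observer can see.
func leakyEqual(secret, guess []byte) (bool, int) {
	if len(secret) != len(guess) { // length is treated as public here
		return false, 0
	}
	for i := range secret {
		if secret[i] != guess[i] {
			return false, i + 1
		}
	}
	return true, len(secret)
}

// constEqual folds all differences together with XOR/OR and never branches
// on secret bytes, so it inspects every byte whatever the inputs are.
func constEqual(secret, guess []byte) (bool, int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	var diff byte
	n := 0
	for i := range secret {
		diff |= secret[i] ^ guess[i]
		n++
	}
	return subtle.ConstantTimeByteEq(diff, 0) == 1, n
}

// condSelect returns a copy of x when bit == 1 and of y when bit == 0,
// using a mask instead of an if on the (secret) bit. len(x) must equal len(y).
func condSelect(bit int, x, y []byte) []byte {
	out := append([]byte(nil), y...)
	subtle.ConstantTimeCopy(bit, out, x)
	return out
}

func main() {
	secret := []byte("constructed-tag!") // constructed sample value
	for _, g := range []string{"Xonstructed-tag!", "constructed-tag?"} {
		_, leaky := leakyEqual(secret, []byte(g))
		_, fixed := constEqual(secret, []byte(g))
		fmt.Printf("%q leaky=%d bytes, constant=%d bytes\n", g, leaky, fixed)
	}
}
```

In real code, `subtle.ConstantTimeCompare` from the standard library does the comparison; the hand-written loop is here only to expose the counter.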


> All critical operations are performed in constant time.

Should have clicked all the way through links to the project docs--looks like they're keeping this in mind.


Just for context, the OP (FiloSottile) was in charge of cryptography and security on the Go team until recently.


Is there a language that is invulnerable to power side channel attacks? The idea seems nonsensical to me.

As for timing attacks, what about Go makes it more susceptible to timing side channels than any other language?



