by cronokirby 1374 days ago
That is true.

That said, there are few situations where the modulus being used is not a public parameter of a protocol, and it is very difficult to perform operations with a secret modulus in constant-time, as your comment points out.

You'll always be able to get an approximate guess of the size of the modulus too, since larger moduli will need more registers to represent data.


We don't consider "leaks the length of a SHA256 hash" to be a valid timing attack in most protocols for similar reasons (i.e. it's public knowledge).

When developers encounter timing attacks in their code, they often invent really dumb ways to side-step the length "leaking".

This might be understandable if it was a MAC-then-Encrypt protocol with PKCS padding (hello Lucky13), but instead this comes up in the context of "validate this HMAC-SHA256 tag for our JWT-like protocol".
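As an added example (not code from the thread or from any project it mentions), here is the HMAC-SHA256 tag check the comment above describes, with the naive comparison beside it: the tag length is a public parameter, so a wrong-length tag can be rejected up front, and only the byte values need a constant-time comparison. The key and message are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample key and message; these are not from the original thread.
KEY = b"example-key-for-demo-only"
MESSAGE = b'{"sub":"alice","exp":1700000000}'


def compute_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message; always 32 bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag_naive(key: bytes, message: bytes, tag: bytes) -> bool:
    """The comparison developers tend to write first.

    bytes == returns at the first mismatching byte, so the time taken
    depends on how many leading bytes of the tag are correct. That is the
    data-dependent part that matters, not the length.
    """
    return compute_tag(key, message) == tag


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Length is public knowledge (the digest size of SHA-256), so rejecting
    a wrong-length tag immediately leaks nothing new. The byte-by-byte
    comparison is the only step that must run in constant time, and
    hmac.compare_digest does exactly that for equal-length inputs.
    """
    expected = compute_tag(key, message)
    if len(tag) != len(expected):
        return False
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    good = compute_tag(KEY, MESSAGE)
    print("valid tag accepted:", verify_tag(KEY, MESSAGE, good))
    print("wrong-length tag rejected:", not verify_tag(KEY, MESSAGE, b"short"))
    print("corrupted tag rejected:", not verify_tag(KEY, MESSAGE, bytes(32)))
```

Padding or hashing the tag again to "hide" its length buys nothing here, since the length is fixed by the algorithm; the only thing worth protecting is the comparison of the bytes themselves.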