

Implementing crypto in a GC'ed dynamic language Lassi Kortela 14 Sep 2019 15:59 UTC

> [Discussion of how to erase secret data in a garbage collected language.]

Another problem that always plagues crypto implementations is timing
attacks. Once again, OpenBSD has timingsafe_memcmp()
<http://man.openbsd.org/timingsafe_memcmp>.

I expect it would be quite difficult to guarantee predictable timing in
Scheme code, especially in portable code. Perhaps so difficult that it'd
be best to write the core transforms in assembler and simply call out to
them using the FFI.

The alternative would be to pick a particular implementation and
religiously read (disassemble my-procedure) output until it looks right,
praying that relevant implementation details don't change...
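
The timing problem raised in the message above, as an added example that is not part of the original post and not OpenBSD's implementation: an early-exit comparison next to branch-free equality and ordering comparisons of the kind one would call through an FFI. The function names `leaky_equal`, `ct_equal` and `ct_compare` are hypothetical, and the byte values are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Early exit: the loop stops at the first mismatch, so the running time
 * tells an observer how many leading bytes of a guess were correct. */
int leaky_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Equality without a data-dependent branch: every byte is always read. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned)(a[i] ^ b[i]);
    return (int)(((diff - 1u) >> 8) & 1u);   /* diff == 0 -> 1, else 0 */
}

/* Lexicographic order (-1, 0, 1) with the same property. */
int ct_compare(const unsigned char *a, const unsigned char *b, size_t n)
{
    int res = 0;
    unsigned done = 0;                       /* 1 once a difference was seen */
    for (size_t i = 0; i < n; i++) {
        unsigned lt = (((unsigned)a[i] - b[i]) >> 8) & 1u;  /* a[i] < b[i] */
        unsigned gt = (((unsigned)b[i] - a[i]) >> 8) & 1u;  /* a[i] > b[i] */
        res |= ((int)gt - (int)lt) & ((int)done - 1);  /* keep first result */
        done |= lt | gt;
    }
    return res;
}

int main(void)
{
    /* Constructed sample values, not real key material. */
    const unsigned char mac[4]   = { 0xde, 0xad, 0xbe, 0xef };
    const unsigned char guess[4] = { 0xde, 0xad, 0x00, 0x00 };
    printf("leaky_equal=%d ct_equal=%d ct_compare=%d\n",
           leaky_equal(mac, guess, 4), ct_equal(mac, guess, 4),
           ct_compare(mac, guess, 4));
    return 0;
}
```

C gives no timing guarantee either: an optimizing compiler may reintroduce branches, so the generated machine code still has to be inspected for the target compiler and flags.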