The question is whether it's doable remotely and if yes, what would be the price of such attack.

Also, what is the difference of power consumption if you read 36 bytes from one location VS reading 36 bytes from other location... If it causes data to be read from flash in one case and not in the othere, you would see it. Otherwise I doubt so. Maybe DPA attack is feasible agains the lib (but not against the Trezor), but as I said, SPA would be hard.

Edit: Also, if the two precomputed arrays were interleaved instead one after the other, it would make memory access pattern more difficult do distinguish. How would you say this would affect the security of the lib?