Nonce covert channel attack

Hello!

What are your thoughts after reading the following articles?

Why isn’t Trezor using it?

There is actually an open issue:

Simply put, it has not been a priority because the existing implementation is “good enough”. Trezor source code is of course fully auditable, and it is using deterministic nonces from RFC 6979.
That can be verified by the host computer, given knowledge of the private key. So if you want to validate that the code is doing what it says it is doing, you can generate a seed, load it into your PC, sign a bunch of transactions and check that the nonces have the expected values. If you do this a couple (or a couple thousand) times, you can probabilistically trust that Trezor is not smuggling out secret bits, and load your actual seed.

This is of course not a 100% thing, so using Anti-Klepto would still have some merit. But implementing it counts against implementing other things, so, again, not a priority so far.
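The host-side check described in the reply above, as an added example (not Trezor's code and not from the original post): with the private key known, the nonce a device actually used can be recovered from any ECDSA signature as k = s⁻¹(z + r·d) mod n and compared with the RFC 6979 value. It assumes you already verified the signature with a normal ECDSA library (the EC point arithmetic is left out here); `ecdsa_s` only exists to construct sample signatures offline, and all inputs below are constructed.

```python
import hashlib
import hmac

# secp256k1 group order (the curve Bitcoin and Trezor use)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_nonce(priv: int, msg_hash: bytes) -> int:
    """Deterministic k per RFC 6979 section 3.2 (HMAC-SHA256, qlen = hlen = 256 bits)."""
    z = int.from_bytes(msg_hash, "big") % N           # bits2int followed by reduction mod n
    bx = priv.to_bytes(32, "big") + z.to_bytes(32, "big")   # int2octets(x) || bits2octets(h1)
    v, k = b"\x01" * 32, b"\x00" * 32                 # steps b and c
    k = _hmac(k, v + b"\x00" + bx)                    # step d
    v = _hmac(k, v)                                   # step e
    k = _hmac(k, v + b"\x01" + bx)                    # step f
    v = _hmac(k, v)                                   # step g
    while True:                                       # step h; one 32-byte block fills qlen
        v = _hmac(k, v)
        cand = int.from_bytes(v, "big")
        if 1 <= cand < N:
            return cand
        k = _hmac(k, v + b"\x00")                     # candidate out of range: rekey and retry
        v = _hmac(k, v)


def recover_nonce(priv: int, msg_hash: bytes, r: int, s: int) -> int:
    """ECDSA gives s = k^-1 (z + r*d) mod n, so a host that knows d gets k = s^-1 (z + r*d)."""
    z = int.from_bytes(msg_hash, "big") % N
    return (pow(s, -1, N) * (z + r * priv)) % N


def nonce_matches_rfc6979(priv: int, msg_hash: bytes, r: int, s: int) -> bool:
    """True if the device used the RFC 6979 nonce. Bitcoin signers normalise s to the
    low-s form (s -> n - s), which recovers as n - k, so both k and n - k are accepted."""
    expected = rfc6979_nonce(priv, msg_hash)
    return recover_nonce(priv, msg_hash, r, s) in (expected, N - expected)


def ecdsa_s(priv: int, msg_hash: bytes, r: int, k: int) -> int:
    """Test helper only: the s an honest signer computes for nonce k (r is not checked here)."""
    z = int.from_bytes(msg_hash, "big") % N
    return (pow(k, -1, N) * (z + r * priv)) % N


if __name__ == "__main__":
    d, h, r = 0xC0FFEE, bytes(range(32)), 0x1234567   # constructed key, hash and r value
    k_good = rfc6979_nonce(d, h)
    print("honest device:", nonce_matches_rfc6979(d, h, r, ecdsa_s(d, h, r, k_good)))
    print("deviating nonce:", nonce_matches_rfc6979(d, h, r, ecdsa_s(d, h, r, k_good ^ 1)))
```

Repeating the check over many signatures from a throwaway seed, as the reply suggests, turns one passing sample into probabilistic confidence that no nonce is carrying hidden bits.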
