2022.08.06 08:56:20 (1555809983601582080) from Daniel J. Bernstein, replying to "Anton Tutoveanu (@AntonTutoveanu)" (1555728126629785600):
Sure, the traditional view is that the evaluation of (proposed) cryptographic standards should assume perfect implementations, blaming the implementor for any deviations. Unfortunately, this allows a saboteur to select designs that predictably produce implementation errors.
2022.08.06 08:58:28 (1555810520111857664) from Daniel J. Bernstein:
Rivest's 1992 critique of DSA in https://people.csail.mit.edu/rivest/pubs/RHAL92.pdf is worth reading. In particular, regarding DSA nonces, he wrote "The poor user is given enough rope with which to hang himself---something a standard should not do"; this is a useful counterpoint to the traditional view.