Hello,

For the particular vulnerability, I don't think Gnuk is affected.

Here are (at least) three different things to discuss: (1) whether or not key generation on the device uses secret parameters, (2) the prime number generation method, and (3) the entropy source.

Since key generation takes time and requires larger memory, some devices use a two-phase method; that is, generating partially at the factory beforehand to allow faster generation on the device. Data generated at the factory is considered secret parameters (since it limits the key space, somehow significantly), and this could be the weakest link. Gnuk has no secret parameters.

FST-01 shipped from Seeed Studio uses Gnuk 1.0.1. IIUC, (a version of) Nitrokey Start also uses Gnuk 1.0.4. In the release notes of Gnuk 1.0.x, key generation was explained as experimental. Gnuk 1.0.x uses PolarSSL 0.14's simple prime number generator and the random number generator of NeuG 0.01. The prime number generation is not uniform. Nevertheless, I haven't heard of any effective attack on keys generated by such a simple prime number generator yet. I think that NeuG 0.01 is OK.

Gnuk 1.1.0 or later (up to the current 1.2.6) uses the Fouque-Tibouchi method for prime number generation [0]. This change was intended to minimize bias. And it uses a newer NeuG, whose structure is updated according to the draft of NIST SP 800-90B. So, I think that it's safe.

Well, in general, I recommend generating keys on the host machine (with enough entropy), so that the user can control it well. For a device with possible secret parameters (for example, if key generation is too quick), it is wise to avoid generating on that device.

[0] Close to Uniform Prime Number Generation With Fewer Random Bits
Pierre-Alain Fouque and Mehdi Tibouchi
https://eprint.iacr.org/2011/481

# I'm temporarily subscribing to this list, so that I can join this
# discussion. Thanks to Hideki Yamane for informing me.
--
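As an added worked example (not part of the message above, and not Gnuk's or NeuG's own code), the following Python contrasts the two prime-search strategies the message distinguishes: a simple incremental search from a random odd start (the PRIMEINC pattern), whose output is biased towards primes that follow a large gap, and a Fouque-Tibouchi style search, which first draws a unit b modulo a smooth modulus M and then tries random candidates k*M + b. The toy modulus M = 210, the rejection-sampled unit, and the Miller-Rabin primality test are assumptions made for this example; Gnuk's real parameters are not reproduced here. The `output_distribution` function computes the exact output probability of each prime in a 16-bit interval for both methods, so the bias can be inspected rather than guessed at.

```python
import math
import secrets

# Toy smooth modulus M (constructed for this example; Gnuk's choice is not stated in the message).
SMALL_PRIMES = (2, 3, 5, 7)
M = math.prod(SMALL_PRIMES)  # 210
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are sufficient for all n < 3.3e24."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_unit_mod(m: int) -> int:
    """Uniform unit b in (Z/mZ)* by rejection sampling (the basic unit-selection step)."""
    while True:
        b = secrets.randbelow(m)
        if math.gcd(b, m) == 1:
            return b


def candidate_range(nbits: int, b: int, m: int):
    """(kmin, kmax) such that k*m + b lies in [2^(nbits-1), 2^nbits) exactly for kmin <= k <= kmax."""
    lo, hi = 1 << (nbits - 1), 1 << nbits
    kmin = -((b - lo) // m)       # ceil((lo - b) / m)
    kmax = (hi - 1 - b) // m      # floor((hi - 1 - b) / m)
    return kmin, kmax


def fouque_tibouchi_prime(nbits: int, m: int = M) -> int:
    """Fix a random unit b mod m, then test random candidates k*m + b until one is prime."""
    b = random_unit_mod(m)
    kmin, kmax = candidate_range(nbits, b, m)
    while True:
        p = (kmin + secrets.randbelow(kmax - kmin + 1)) * m + b
        if is_prime(p):
            return p


def primeinc_prime(nbits: int) -> int:
    """PRIMEINC: random odd start in the interval, then step by 2 (wrapping) until prime."""
    lo, hi = 1 << (nbits - 1), 1 << nbits
    p = lo + 1 + 2 * secrets.randbelow((hi - lo) // 2)
    while not is_prime(p):
        p += 2
        if p >= hi:
            p = lo + 1
    return p


def output_distribution(nbits: int, m: int = M):
    """Exact per-prime output probability of both generators over [2^(nbits-1), 2^nbits).

    Returns (primeinc_probs, ft_probs), each a dict prime -> probability.
    """
    lo, hi = 1 << (nbits - 1), 1 << nbits
    primes = [p for p in range(lo, hi) if is_prime(p)]
    n_odd = (hi - lo) // 2
    # PRIMEINC: prime p is output by every odd start in (prev_prime, p]; the first prime
    # additionally collects the odd starts after the last prime (wrap-around).
    primeinc = {}
    for i, p in enumerate(primes):
        prev = primes[i - 1]
        if i == 0:
            starts = (hi - 1 - prev) // 2 + (p - lo + 1) // 2
        else:
            starts = (p - prev) // 2
        primeinc[p] = starts / n_odd
    # Fouque-Tibouchi: b is uniform over phi(m) units, and given b every prime in that
    # residue class is equally likely, so only the class sizes cause non-uniformity.
    phi = sum(1 for b in range(m) if math.gcd(b, m) == 1)
    by_class = {}
    for p in primes:
        by_class.setdefault(p % m, []).append(p)
    ft = {p: 1.0 / (phi * len(cls)) for cls in by_class.values() for p in cls}
    return primeinc, ft


def bias(dist: dict) -> float:
    """Largest output probability relative to the ideal uniform 1/len(dist)."""
    return max(dist.values()) * len(dist)


if __name__ == "__main__":
    inc, ft = output_distribution(16)
    print("PRIMEINC worst-case bias:", round(bias(inc), 2))
    print("Fouque-Tibouchi worst-case bias:", round(bias(ft), 2))
    print("64-bit FT prime:", fouque_tibouchi_prime(64))
```

Running `output_distribution(16)` shows the point of the message: with PRIMEINC a prime's probability is proportional to the gap before it, so the most likely prime is several times more probable than the average, whereas with the Fouque-Tibouchi style search the only deviation comes from residue classes mod M holding slightly different numbers of primes. The example also shows what an auditor can verify without any device secrets: the method has no factory-supplied parameter, only the modulus M and the entropy feeding `secrets`.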
Here are (at least) three different things to discuss; (1) whether or not key generation on device uses secret parameters, (2) prime number generation method, and (3) entropy source. Since key generation takes time and requires larger memory, some devices use two-phase method; that is, generating partially at factory beforhand to allow faster generation on device. Data generated at factory is considered secret parameters (since it limits the space of key, somehow significantly), and this could be weakest link. For Gnuk, it has no secret parameters. FST-01 shipped from Seeed Studio uses Gnuk 1.0.1. IIUC, (a version of) Nitrokey Start also uses Gnuk 1.0.4. In the release note of Gnuk 1.0.x, key generation was explained as experimental. Gnuk 1.0.x uses PolarSSL 0.14's simple prime number generator and random number generator of NeuG 0.01. The prime number generation is not uniform. Nevertheless, I haven't heard of any effective attack to keys generated by such a simple prime number generator, yet. I think that NeuG 0.01 is OK. Gnuk 1.1.0 or later (up to current 1.2.6) uses Fouque Tibouchi method for prime number generation [0]. This change was intended to minimize bias. And it uses newer NeuG, which structure is updated according to the draft of NIST SP 800-90B. So, I think that it's safe. Well, in general, I recommend generating keys on host machine (with enough entropy), so that user can control well. For a device with possible secret parameters (for example, the key generation is too quick), it is wise to avoid generating on that device. [0] Close to Uniform Prime Number Generation With Fewer Random Bits Pierre-Alain Fouque and Mehdi Tibouchi https://eprint.iacr.org/2011/481 # I'm temporarily subscribing this list, so that I can join this # discussion. Thanks to Hideki Yamane to inform me. --