You need to trust the software you're using. It's a lot more difficult to compromise a coin flip than it is to compromise a recently sold paper wallet website.
You have to trust software to spend your coin when you spend it. When you sign a message or transaction, you combine what should be a random value with your private key to generate the signature. If you know one, it is trivial to calculate the other with a given signature. Malicious software could possibly leak information via this random value. Whenever I sign a message offline, I use different software to decode the raw transaction and see if it still does what I want. I've never seen a problem there, but it doesn't hurt to be sure.
Quote
Creating a key "by hand" also has a greater potential to make mistakes.
If only the random part is done "by hand" and the key is generated by software, I don't expect mistakes. But I'd want to make sure the same private key is generated with at least 2 different pieces of software (I imagine malicious software can produce a private key that's not based on your random input). And just in case, after creating the paper wallet and before funding it, I'd reboot a fresh offline LIVE OS to test if the private key still produces the same address, again using different software.
Quote
The scope of possible attacks is also greater when using a paper wallet than using an encrypted wallet.
So encrypt the paper wallet ![Smiley](https://bitcointalk.org/Smileys/default/smiley.gif)
Even if I have the most malicious software wallet in existence on my airgapped computer, there is nothing it can do to steal my coins. If it signs a transaction to the wrong address, for example, I can easily pick that up before moving the transaction to my live computer to be broadcast.
This is not entirely true, see this thread. In addition to leaking your private key, it could leak additional information. If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values.
Have you ever checked this much before broadcasting a transaction?
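The check the reply above describes, comparing R values across several transactions signed on the air-gapped machine, as an added example that is not part of the thread or of any wallet's code. It parses the DER-encoded ECDSA signatures a Bitcoin transaction carries (without the trailing SIGHASH byte) and reports any R value that appears under more than one transaction. All signature values below are constructed sample numbers, not on-chain data, and the `_der_int`/`der_encode_sig` helpers exist only to build those samples.

```python
"""Flag ECDSA signatures that share an R value (added example, not from the thread).

A repeated R across signatures of *different* messages means the signer reused
its nonce k, which is the condition that lets a third party recover the private
key from the signatures.  Running this over a handful of transactions signed
offline, before any of them is broadcast, surfaces that defect.  The sample
signatures are constructed values for illustration only.
"""
from collections import defaultdict


def _der_int(value: int) -> bytes:
    """Encode a non-negative integer as a DER INTEGER (used only to build samples)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # DER integers are signed: pad so the value stays positive
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_encode_sig(r: int, s: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s } (sample builder; short-form lengths suffice)."""
    inner = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(inner)]) + inner


def der_decode_sig(sig: bytes) -> tuple[int, int]:
    """Parse a DER SEQUENCE of two INTEGERs into (r, s); reject malformed input."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER ECDSA signature")
    pos = 2
    values = []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        length = sig[pos + 1]
        start = pos + 2
        if start + length > len(sig):
            raise ValueError("INTEGER length exceeds signature")
        values.append(int.from_bytes(sig[start:start + length], "big"))
        pos = start + length
    if pos != len(sig):
        raise ValueError("trailing bytes in signature")
    return values[0], values[1]


def is_der_sig(sig: bytes) -> bool:
    """True when the bytes parse as a DER ECDSA signature."""
    try:
        der_decode_sig(sig)
        return True
    except ValueError:
        return False


def find_reused_r(signatures: dict[str, bytes]) -> dict[int, list[str]]:
    """Map each R value that appears under more than one label to those labels.

    Labels should identify distinct transactions (or distinct signed messages):
    an RFC 6979 signer legitimately returns an identical signature when it signs
    the same message twice, and that is not nonce reuse.
    """
    seen: dict[int, list[str]] = defaultdict(list)
    for label, sig in signatures.items():
        r, _s = der_decode_sig(sig)
        seen[r].append(label)
    return {r: labels for r, labels in seen.items() if len(labels) > 1}


# Constructed sample values (256-bit); R_SHARED and S2 have the top bit set so
# the DER padding path is exercised.  tx1 and tx3 share an R value; tx2 does not.
R_SHARED = int("f1" * 32, 16)
R_OTHER = int("2a" * 32, 16)
S1 = int("0b" * 32, 16)
S2 = int("9c" * 32, 16)
S3 = int("3d" * 32, 16)

SAMPLE_SIGS = {
    "tx1": der_encode_sig(R_SHARED, S1),
    "tx2": der_encode_sig(R_OTHER, S2),
    "tx3": der_encode_sig(R_SHARED, S3),
}

if __name__ == "__main__":
    reused = find_reused_r(SAMPLE_SIGS)
    if not reused:
        print("no repeated R values")
    for r, labels in reused.items():
        print(f"R {r:064x} repeated in: {', '.join(labels)}  <- do not broadcast")
```

Feed it real signatures by decoding the scriptSig (or witness) of each unsigned-to-signed transaction pair produced offline; one repeated R is enough to stop and replace the signing software. A second, cheaper check from the same reply is to sign one message twice: a deterministic (RFC 6979) signer returns byte-identical signatures, while any difference shows k is being drawn from some other source.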