I am only dimly following this, but I have two thoughts: I see the point that running randomness tests will not detect a well-engineered attack. But it probably will detect a large class of implementation bugs, so it seems worth doing. Randomness tests on input, not normally accessible, could detect a further class of bugs. I think agc's point is that all tests which are reasonably feasible might as well be done, vs a claim that they will detect intentional attacks.
Attachment:
signature.asc
Description: PGP signature