
I've noticed such a risk mentioned in this answer to another question, where a presentation (page 28) by Nicolas T. Courtois, studying Monero cryptography, was referred to.

I'm interested in better understanding what it means, and what the consequences of such a bad RNG would be.

The note reads:

apparently 2 bad random r in monero same user, make the attacker who has 2 view keys v also, able to compute a linear relation between their e keys used to spend...

What does "bad random r" mean? That the sender's (Bob's) RNG is such that the sequence of r's could be predicted knowing some 2 r's? But how do you find any r? Anyone can see R, but with the view key, you can only see the shared secret rA=aR. If you know 2 private view keys from the same transaction, could you brute-force the r used? Is that what it means? How would finding r work?

Then, by guessing the next r, he could spend any transaction sent to Alice, if he knows Alice's private view key?

Also, what about the linear relation between e keys? Note: e refers to x in the CN whitepaper, meaning the one-time destination private key. Would it mean that the attacker could spend anything sent by Bob, provided that he could "find" those transactions by knowing any of Bob's recipients' private view keys, and not just Alice's?

JollyMort
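The following is an added worked example, not part of the question above and not Monero's own code. It implements the CryptoNote one-time address scheme the question refers to (tx public key R = rG, shared secret rA = aR, one-time address P = H_s(rA)G + B, one-time private key x = H_s(aR) + b) on the Ed25519 curve with parameters taken from RFC 8032, so the roles of r, the view key a and the spend key b can be checked concretely. Assumptions: hashlib's sha3_256 and a plain (x, y, index) byte encoding stand in for Monero's Keccak and its compressed-point/varint encoding, the key values are constructed toy scalars, and the affine point arithmetic is written for clarity rather than speed.

```python
import hashlib
from dataclasses import dataclass

# Ed25519 parameters as published in RFC 8032 (the curve Monero uses).
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime group order
D = (-121665 * pow(121666, P - 2, P)) % P             # curve constant d
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
IDENTITY = (0, 1)


def point_add(p1, p2):
    """Affine twisted-Edwards addition (a = -1); the law is complete, so doubling uses the same formula."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication with k reduced modulo L."""
    result, addend, k = IDENTITY, point, k % L
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def on_curve(point):
    """Curve equation -x^2 + y^2 = 1 + d x^2 y^2 (mod P)."""
    x, y = point
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def hash_to_scalar(point, index):
    """H_s of the CryptoNote whitepaper. Assumption: sha3_256 and a plain
    (x, y, index) encoding stand in for Monero's Keccak and its point/varint encoding."""
    data = (point[0].to_bytes(32, "little") + point[1].to_bytes(32, "little")
            + index.to_bytes(8, "little"))
    return int.from_bytes(hashlib.sha3_256(data).digest(), "little") % L


@dataclass
class Wallet:
    a: int  # private view key
    b: int  # private spend key

    @property
    def A(self):
        return scalar_mult(self.a, G)

    @property
    def B(self):
        return scalar_mult(self.b, G)


def sender_build_output(r, A, B, index=0):
    """Sender (Bob): publish R = rG and pay to P = H_s(rA, index)G + B."""
    R = scalar_mult(r, G)
    shared = scalar_mult(r, A)  # rA: known to Bob and to anyone holding a
    P_out = point_add(scalar_mult(hash_to_scalar(shared, index), G), B)
    return R, P_out


def receiver_scan(wallet, R, P_out, index=0):
    """Recipient (Alice) with the view key only: aR = rA lets her recognise the output."""
    shared = scalar_mult(wallet.a, R)
    expected = point_add(scalar_mult(hash_to_scalar(shared, index), G), wallet.B)
    return expected == P_out


def receiver_spend_key(wallet, R, index=0):
    """One-time private key x = H_s(aR, index) + b; this step is where the spend key b is required."""
    shared = scalar_mult(wallet.a, R)
    return (hash_to_scalar(shared, index) + wallet.b) % L


def demo():
    # Constructed toy keys; a real wallet draws a and b uniformly below L.
    alice = Wallet(a=1234567, b=7654321)
    r1, r2 = 1111111, 2222222  # two distinct per-output scalars (also constructed)
    R1, P1 = sender_build_output(r1, alice.A, alice.B)
    R2, P2 = sender_build_output(r2, alice.A, alice.B)
    assert scalar_mult(r1, alice.A) == scalar_mult(alice.a, R1)  # ECDH: rA == aR
    assert receiver_scan(alice, R1, P1)                           # view key recognises the output
    assert scalar_mult(receiver_spend_key(alice, R1), G) == P1    # spend key reconstructs P
    assert P1 != P2                                               # fresh r: two outputs to Alice look unrelated
    R3, P3 = sender_build_output(r1, alice.A, alice.B)            # r reused by mistake
    assert (R3, P3) == (R1, P1)                                   # identical one-time address, trivially linkable
    return True


if __name__ == "__main__":
    print("all checks passed:", demo())
```

The last two assertions in demo() are the point relevant to the question's RNG concern: a fresh r per output is what makes two payments to the same address produce unrelated P values, while a repeated r reproduces the same R and P exactly. The spend-key step shows that the view key a alone yields only the shared secret aR, not x, which is why x = H_s(aR) + b cannot be formed without b.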

0 Answers