Actually, there might be a bug in the C++ code. I compiled it and ran a few tests with sign, but the signature that gets generated is different each time i run the program (typically the sign of an uninitialized variable somewhere). The problem appears to happen somewhere in divmod.
It's a normal behavior, not a bug, don't waste too much time on that.
What? Same message, same secret phrase ==> same signature.
Or I am missing something?
One question: are timing attacks an issue for the client software (i.e. the javascript software)?