You're describing how to carry out one particular attack that succeeds with probability 2^{-n}
I know this will succeed with a {very low}^N probability, but this is of the same order as checking r<>0 or s<>0 (for example, r=0 only for the two points with x=N).
For example, with OpenSSL it would force you to add your own K generation conversion to R and Rinv
I am not aware of the OpenSSL modules. I imagine this test could be integrated in it.
You might as well just deny K=11, since if they used 11 (or any other specific value) and you know it you could recover the private key too.
Are you kidding me? Using k=d is made obvious by the fact that r=Qx. Using 11 or whatever cannot be guessed.
The subject is not that RNG are broken or bugged or ... I just want to draw attention to a situation on which nobody thinks