You are right, that it probably wouldn't require changes in verify, but in such case...
I was thinking about it for a while, and tell me, HOW exactly would you like to alter
x value?
a) values passed to Curve25519.sign and Curve25519.verify are in PACKED form
b) x still needs to be valid priv key and Y it's corresponding public key (I call this pair "session key", as it's generated based on message and secret key)
c) you need to
make sure that (x-h) will NOT be "negative" in the meaning defined by 'xmath':
Note that there isn't actually such a thing as positive or negative in
a finite field, but you should just pick some definition. My favorite
is to define elements with the least significant bit set (when fully
reduced) to be negative, and non-zero elements with the least
significant bit clear (when fully reduced) to be positive. This makes
sure that if x is positive then -x (= p-x) is negative and vice versa.
- xmath
If I got an incorrect signature I would use another ephemeral key.
Edit: About "HOW exactly" - I would use SHA256(privateKey + message + nonce) instead of SHA256(privateKey + message).