If I got an incorrect signature I would use another ephemeral key.
Edit: About "HOW exactly" - I would use SHA256(privateKey + message + nonce) instead of SHA256(privateKey + message).
And add a loop over nonce? Don't you see a problem in that?
It's not the math that is wrong in Curve25519.sign(),
it's the
implementation that is wrong... and afaik, you wanted to pay 10 BTC to do audit of the
code...
PS, you know, that thanks to this change, we could most likely get rid of that stupid loop inside Transaction.sign...