If I got an incorrect signature I would use another ephemeral key.
Edit: About "HOW exactly" - I would use SHA256(privateKey + message + nonce) instead of SHA256(privateKey + message).
And add a loop over nonce? Don't you see a problem in that?
It's not the math that is wrong in Curve25519.sign(), it's the implementation that is wrong... and AFAIK you wanted to pay 10 BTC to do an audit of the code...
PS: You know that, thanks to this change, we could most likely get rid of that stupid loop inside Transaction.sign...
A loop over nonce is how it is supposed to work by design. I agree that the loop inside Transaction.sign is stupid. Now we can get rid of the loop in Transaction.sign and use a loop inside Crypto.sign.