Loop over nonce is how it is supposed to work by design. I agree that loop inside Transaction.sign is stupid but it was necessary to hide the injected fatal flaw. Now we can get rid of the loop in Transaction.sign and use a loop inside Crypto.sign.
That's what I'm trying to say, patching
Curve25519.sign should allow to avoid those loops at all.
The fact that Curve25519.sign generates WRONG signature FOR SURE wasn't made by design...