Loop over nonce is how it is supposed to work by design. I agree that loop inside Transaction.sign is stupid but it was necessary to hide the injected fatal flaw. Now we can get rid of the loop in Transaction.sign and use a loop inside Crypto.sign.
That's what I'm trying to say, patching
Curve25519.sign should allow to avoid those loops at all.
The fact that Curve25519.sign generates WRONG signature FOR SURE wasn't made by design...
I give 99% that fix of Curve25519 is safe, but the rest 1% doesn't let me to use the fix coz this part is the most critical part of Nxt. So without a formal proof I'll stick to loop inside Crypto.sign.