In a double spend attack (including a "51% attack) the attacker would be the one generating the sequence of blocks. That means each block relies on the prior block also made by the attacker. The attacker signs a block and if it doesn't allow him to forge the next block, just keeps resigning it until it does (as pointed out a single digest can have an infinite number of unique signatures by changing the k value). The attacker attempts signatures until he produces a one which allows him to sign the next block as well. The attacker then moves on to the next block. If this seems kind of like a PoW it is.
Let me correct this nonsense.
As no ECDSA is involved and the only thing that can be used in
generation_signature_hash = sha256(generation_signature_of_current_block + my_public_key) <<<<< + means concat
to manipulate are:
generation_signature_of_current_block << fixed by the previous block
my_public_key << fixed by the number of accounts an attacker has
So, the only thing he can do, is to create billions of accounts holding at least >0 NXT to try out each of them.