@foone yup. and after thinking about it, their weird deterministic solution definitely would've worked if they had extended the hash to the full 521 bits, since it doesn't count as nonce reuse if it's the exact same message and key (you're basically just doing the same computation again, so the result is no different). such a tiny oversight - nine bits! but unfortunately with ECDSA any bias in k is catastrophic.