gsuberland (@gsuberland@chaos.social)

so as for why the PuTTY P-521 bug happened: they wrote the implementation in September 2001, which is a month before Windows XP was released. Win9x had no good random number generator APIs, so they came up with an alternative trick using SHA512 to generate deterministic but non-predictable nonces. but, of course, SHA512 outputs are 512 bits long, not 521 bits, and they just left the other 9 bits at zero, which resulted in this problem. the code was not reviewed since, so it never got fixed.
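As an added illustration (not code from the post, and not PuTTY's own implementation), the derivation pattern the post describes sits beside a full-width alternative, with a batch check that surfaces the fixed zero bits. The curve order is the public P-521 constant; the "fixed" derivation is a generic hash-then-reduce construction assumed here for contrast, not PuTTY's actual patch.

```python
import hashlib

# Group order n of NIST P-521: a public curve constant, 521 bits long.
P521_ORDER = int("01FF" + "F" * 56 + "FFFFFFFA"
                 "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AE"
                 "BB6FB71E91386409", 16)
CURVE_BITS = P521_ORDER.bit_length()  # 521


def nonce_sha512_truncated(secret: bytes, message: bytes) -> int:
    """Flawed derivation in the spirit of the post (illustrative, not
    PuTTY's exact code): a single SHA-512 output (512 bits) is used as the
    521-bit scalar k, so its top 9 bits are always zero."""
    digest = hashlib.sha512(secret + message).digest()
    return int.from_bytes(digest, "big")  # always < 2**512


def nonce_full_width(secret: bytes, message: bytes) -> int:
    """Contrasting derivation (assumed here, not PuTTY's fix): expand to
    1024 bits with counter-separated SHA-512 calls, then reduce mod n, so
    k covers the whole scalar range with negligible bias."""
    wide = b"".join(hashlib.sha512(secret + bytes([i]) + message).digest()
                    for i in range(2))
    k = int.from_bytes(wide, "big") % P521_ORDER
    return k if k != 0 else 1  # k = 0 is never a valid nonce


def top_bits_zero(nonces, bits=CURVE_BITS) -> int:
    """Number of leading bits of the `bits`-wide scalar that are zero in
    every nonce of the batch. A healthy generator leaves none over a few
    hundred samples; 9 fixed zero bits is this bug's signature."""
    combined = 0
    for k in nonces:
        combined |= k
    return bits - combined.bit_length()


def bias_report(secret: bytes, samples: int = 200) -> dict:
    """Derive `samples` nonces with both methods over constructed messages
    and report how many top bits never vary for each."""
    msgs = [i.to_bytes(4, "big") for i in range(samples)]  # constructed
    flawed = top_bits_zero(nonce_sha512_truncated(secret, m) for m in msgs)
    fixed = top_bits_zero(nonce_full_width(secret, m) for m in msgs)
    return {"sha512_truncated": flawed, "full_width": fixed}
```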