by marcan_42 1533 days ago
ECDSA is easy to fuck up due to needing a "random" number for signatures (among other things, but that's the one Sony did and many others have since). Thankfully, we've figured out an easy fix for that: just hash the private key and the message, and use that instead of the randomness. That's in the spec for ed25519, so unless you're completely ignoring chunks of the spec (which would be unlikely to work for an algorithm like this, and wouldn't pass test vectors) you're probably fine on that front if you use it, even if you're reimplementing it.
1 comment

It's not just the randomness requirement, but also the requirement that k (the "random" nonce) remains secret. Without a sufficiently constant-time implementation, you leak information about k through timing side channels - and with clever tricks like lattice reduction you can recover the key with surprisingly little information.