I've been implementing a hobbyist cryptography library, and I'm at the part where elliptic-curve cryptography is being implemented. I've already implemented and tested ECDSA with P-256 and P-384, where static and ephemeral private keys are 256-bit and 384-bit each, so far so good.
What's bothering me is P-521. I'm planning to generate 512-bit static ($d$) and ephemeral keys ($k$) to ease implementation, since most hash functions (excluding XOFs) have at most 512-bit output (I'm not using hash functions to generate the keys directly, I'm just allocating stack space according to the output length of typical hash functions).
If I do this, the resulting signature component $s$ may have some kind of bias, but since the product of $d \cdot k^{-1}$ will overflow $n$, I'm having the pseudo-belief that this is not too serious a problem.
So I ask 2 related question:
Q1: can I get away with generating 512-bit static and ephemeral keys for ECDSA over P-521 and not harm security?
Q2: for general case, given a prime modulus $n$, an adversary is given $s = k \cdot r + d \pmod n$ and $r$, where $d$ is static and $r$ is deterministically randomly computed from $k$; both $k$ and $d$ have less than $\lceil {\log_2{n} \over 4} \rceil$ of top bits chopped off; can the adversary obtain any part of $d$ or $k$?