How to defeat Ed25519 and EdDSA using faults (blog post) and Practical fault attack against the Ed25519 and EdDSA signature schemes (paper)

We demonstrated it on an Arduino Nano, using the Arduino Libs’ Crypto Ed25519 implementation and simple voltage glitches. We were able to cause single byte random errors at the end of the computation of H(R,A,M), allowing us to efficiently brute-force the error location and value, thus recovering half of the secret key. This allowed us to generate seemingly valid signatures for any message, thanks to randomly generated r values, in a way that is indistinguishable from the real signer to the verifier, since the value r has to be kept secret by the signer.

Basically, use voltage faults to make embedded systems using deterministic signature scheme (e.g. Ed25519) sign the same message with related nonces.