This reverts commit 25e3cfbf9b52d2f5afa543f967a73aa8850d2038. The reverted commit was probably based on the assumption that this is about the touched checks cover the secret nonce k instead of r, which is the x-coord of the public nonce. A signature with a zero r is invalid by the spec, so we should return 0 to make the caller retry with a different nonce. Overflow is not an issue.
Then a second commit makes the resulting code constant-time in whether r is zero, in order to pass the new constant-time test.
Fixes #720.