Deterministic Nonce (RFC 6979)

A deterministic nonce, specified in RFC 6979, is a way of generating the secret per-signature value k used in ECDSA without relying on a random number generator. Instead, k is computed as a pseudorandom function of the message hash and the private key, so the same key and message always yield the same nonce.

Why the nonce is dangerous

ECDSA fails catastrophically if the nonce k is ever reused across two different signatures: an attacker who sees two signatures sharing a nonce can solve a simple pair of equations and recover the private key outright. History is littered with such failures, from the recovery of Sony's PlayStation 3 signing key to automated Bitcoin wallet sweeps that drained funds the moment a weak nonce appeared on-chain. Any bias or repetition in k is exploitable.

How RFC 6979 fixes it

By deriving k deterministically with HMAC-DRBG from the key and message, RFC 6979 removes the dependence on a possibly-broken random source entirely. Two signatures over different messages get different nonces, and a hardware wallet with a poor RNG can still sign safely. This is now standard in Bitcoin Core and most wallet libraries. The newer Schnorr scheme in BIP340 uses a related deterministic, but also auxiliary-randomness-mixed, nonce construction for the same reason.

Because a leaked nonce exposes the private key behind every signature, deterministic nonces are a quiet but essential pillar of self-custody. See related entries on HASH160 and the aggregate-signing concerns in MuSig2 (BIP327).