Score:2

Does RFC 6979 unconditionally prevent nonce-reuse attacks?


Is RFC 6979 guaranteed to prevent the reuse of nonces for different signed hashes?

Score:4

No, it does not. No stateless procedure that can sign arbitrary messages can do that (that is, a procedure that doesn't record which nonces it has already generated and which does not limit the message space it can sign to a small number, that is, no larger than the nonce space).

On the other hand, under reasonable assumptions about the hash functions it uses, it is no more likely to repeat a nonce than a uniformly distributed random number would be.

Melab: What if a block cipher with a width equal to the output size of the hash function was used to encrypt the to-be-signed hash?
poncho: @Melab: the hash function would have collisions, hence two different messages (which hash to the same value) would have the same nonce.
Melab: And that value was used as the nonce?
Melab: How would that impact the nonce-reuse scenario which enables the calculation of the private key? Only one to-be-signed hash $h$, when encrypted with a fixed key, can produce the same value, no?
Melab: It's not about collisions in the hash of the message.
poncho: @Melab: that is a good point - using the same nonce on two different messages is not an issue if those two messages hash to the same value (and so, as far as the core ECDSA signing is concerned, they are the same message). It occurs to me that you have to be careful about the encryption mode used; it feels like it would be an exploitable weakness if the attacker could have two different hashes that generate related ciphertexts. Your suggestion of a 'wide block cipher' is good; an FPE mode set to the hash output size (or larger) would work as well...
Melab: The nonce is secret. The attacker wouldn't have access to it. If they did, then the private signing key can be recalculated.
Melab: Why FPE instead of a wide block cipher (which I didn't suggest in so many words)?
poncho: @Melab: well, there are some ciphers with 256-bit block sizes; not much beyond that. As for FPE, it can be any width you want (e.g. if you are using SHA-384 as your hash function, you can configure FPE to that size). FPE is a bit computationally costly; however, it's still small compared to the cost of the ECC operations...