diff --git a/CHANGELOG b/CHANGELOG
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,14 @@
 # Changelog
 
+- 0.5.4 (2026-02-04)
+  * Nonce generation for ECDSA is now more secure due to recent
+    improvements in ppad-hmac-drbg. The DRBG state is now guaranteed
+    to live in only one location on the heap, and it is now wiped
+    explicitly after use.
+
+  * ECDSA signing now allocates about 1.5 orders of magnitude less than
+    it did previously.
+
 - 0.5.3 (2026-01-10)
   * Bumps the ppad-sha256 and ppad-hmac-drbg dependencies.
 
diff --git a/lib/Crypto/Curve/Secp256k1.hs b/lib/Crypto/Curve/Secp256k1.hs
--- a/lib/Crypto/Curve/Secp256k1.hs
+++ b/lib/Crypto/Curve/Secp256k1.hs
@@ -105,7 +105,7 @@
 
 import Control.Monad (guard)
 import Control.Monad.ST
-import qualified Crypto.DRBG.HMAC as DRBG
+import qualified Crypto.DRBG.HMAC.SHA256 as DRBG
 import qualified Crypto.Hash.SHA256 as SHA256
 import qualified Data.Bits as B
 import qualified Data.ByteString as BS
@@ -1261,13 +1261,10 @@
     -- RFC6979 sec 3.3a
     let entropy = int2octets _SECRET
         nonce   = bits2octets h
-    drbg <- DRBG.new hmac entropy nonce mempty
+    drbg <- DRBG.new entropy nonce mempty
     -- RFC6979 sec 2.4
     sign_loop drbg
   where
-    hmac k b = case SHA256.hmac k b of
-      SHA256.MAC mac -> mac
-
     d  = S.to _SECRET
     hm = S.to (bits2int h)
     h  = case hf of
@@ -1283,21 +1280,24 @@
                 s  = (hm + d * r) * ki
             pure $! (S.retr r, S.retr s)
       case mpair of
-        Nothing -> pure Nothing
+        Nothing -> do
+          DRBG.wipe g
+          pure Nothing
         Just (r, s)
           | W.eq_vartime r 0 -> sign_loop g -- negligible probability
-          | otherwise ->
+          | otherwise -> do
+              DRBG.wipe g
               let !sig = Just $! ECDSA r s
-              in  case ty of
-                    Unrestricted -> pure sig
-                    LowS -> pure (fmap low sig)
+              pure $ case ty of
+                Unrestricted -> sig
+                LowS -> fmap low sig
 {-# INLINE _sign_ecdsa #-}
 
 -- RFC6979 sec 3.3b
 gen_k :: DRBG.DRBG s -> ST s Wider
 gen_k g = loop g where
   loop drbg = do
-    bytes <- DRBG.gen mempty (fi _CURVE_Q_BYTES) drbg
+    bytes <- DRBG.gen drbg mempty (fi _CURVE_Q_BYTES)
     case bytes of
       Left {}  -> error "ppad-secp256k1: internal error (please report a bug!)"
       Right bs -> do
diff --git a/ppad-secp256k1.cabal b/ppad-secp256k1.cabal
--- a/ppad-secp256k1.cabal
+++ b/ppad-secp256k1.cabal
@@ -1,6 +1,6 @@
 cabal-version:      3.0
 name:               ppad-secp256k1
-version:            0.5.3
+version:            0.5.4
 synopsis:           Schnorr signatures, ECDSA, and ECDH on the elliptic curve
                     secp256k1
 license:            MIT
@@ -36,8 +36,8 @@
   build-depends:
       base >= 4.9 && < 5
     , bytestring >= 0.9 && < 0.13
-    , ppad-hmac-drbg >= 0.2.1 && < 0.3
-    , ppad-sha256 >= 0.3 && < 0.4
+    , ppad-hmac-drbg >= 0.3.1 && < 0.4
+    , ppad-sha256 >= 0.3.2 && < 0.4
     , ppad-fixed >= 0.1.3 && < 0.2
     , primitive >= 0.8 && < 0.10
 
