This article and paper is gaining traction online. Should we put out a blog post letting people know why it doesn’t affect Monero.

xmrack[m]: Sure, but isn't using bad nonces being insecure for ECDSA a widely-known thing?

I don't believe we use the NIST submission code. Our library for keccak appears to be a third-round implementation, yet not the vulnerable submission. Instead, it appears to be a human readable alternative implementation (tiny_sha3).

It also requires a ~4 GB message to trigger, which I'm unsure is reachable in Monero.

So distinct impl, even if we used the buggy impl, we'd probably survive yet should do a release ASAP? But AFAICT, this doesn't affect us, so we don't need to do anything.

From what I’ve heard these attacks have been known for decades. But this one is novel

That's true. Basically as soon as you learn about ECDSA you get told that the nonce must be from a CSRNG

*not a cryptographer

So if someone uses Math.random() when they're writing their custom Bitcoin wallet I'm not sure how that's such a big news story.

But the press is going to love it.

And Monero is also not safe from someone using insecure practices when writing wallet software, so on a very abstract level this issue affects Monero as well.

kayabanerve[m]: the abstract says they have a test for detecting it