A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithms

note: this is an updated paper about work that was disclosed last year; I posted a link to the blog of one of the authors to /c/cryptography at the time