Here is why they claim this is possible. Basically, it's a form of timing attack.
> As observed in the papers presenting the Minerva [8] and TPM-FAIL [9] attacks, many common cryptographic libraries optimize the computation time of ECDSA signing by truncating any leading zeros. This optimization results in a variable number of loop iterations that is associated with a variable execution time for the entire main loop, which is determined by the number of leading zeros in the randomly generated nonce.
> Thus, by measuring the signing time, attackers can detect the number of loop iterations and determine the number of leading zeros in the nonce k, which can be used to extract the target’s private key using lattice techniques, in which the signatures whose nonces have many leading zeros are used to construct a hidden number problem, which is reduced to a shortest vector problem and solved using lattice reduction (see [8] for details).
Schnorr-like (including DSA and ECDSA) signature schemes use a parameter "k" that has to be uniformly random, secret and non-repeating for the security of the system; calling that a "nonce" is slightly weird.
Edit: the intuitive reasoning for why it has to be secret and uniformly random is that half of the resulting signature is essentially a linear function of the private key, k and the other half of the signature. So if an attacker knows k, he can trivially recover the whole private key. (EC)DSA uses a slightly different representation of the signature, but it is only about shuffling stuff around (presumably to sidestep Schnorr's patent on the scheme) and the same attack still works.
DJB cipher suites do that, but a lotta people have no idea how to select cryptographic primitives so they go for something that was popular 30 years ago.
Some fun slides with examples of timing attacks: https://cr.yp.to/talks/2014.10.18/slides-djb-20141018-a4.pdf. Old standards like RFC 5246 often say shit like "it is not believed to be large enough to be exploitable, due to the large block size of existing MACs and the small size of the timing signal" and then get exploited 5 years later.