Post
Topic
Board Development & Technical Discussion
Re: Backdoor ve ecdsa
by
Bglhn
on 04/04/2024, 07:39:38 UTC
In a similar way, I have a simulation script in Python https://github.com/iceland2k14/rsz/blob/main/LLL_nonce_leakage.py where some random signatures are prepared with leakage in 128 bits and then, assuming they are from real Tx, they are solved using LLL reduction to print the PrivateKey.

Can I use your script with real values? I couldn't find a way.

In short, the attacker influences the selection of the nonce in such a way that a portion of a secret can be derived from each signature.

The secret to be leaked can be anything, but it is just a random value in the example code:

Code:
secret_to_leak = randscalar()

The nonce, k, is computed by multiplying a small portion, si, of the secret, S, by a value, b, known only to the attacker. Since b is known by the attacker and si is a small value, k and si can be recovered. k = si * b obfuscates the fact that k is not random.

So how can I find the value of b? Trial and error method for example? Is b an integer?