To modify the script for a 128-bit nonce and 136-bit private key:
Set ell = 128 to reflect the nonce size.
Heuristically set b1 = 2^72 and c1 = 2^64 (refine based on the exact leakage model).
Increase the matrix size to 35x35 and adjust loop ranges (17 bytes for d d d, 16 bytes for k k k).
Update matrix indices to match the new size.
The computation of b1 and c1 depends on the leakage model, not the curve, but the curve order n n n must be considered in the lattice.
The exact values of b1 and c1 require the specific challenge context (e.g., AMOSSYS CTF). Without it, the heuristic values may need testing. The attack is curve-agnostic as long as n>2136 n > 2^{136} n>2136. For ECDSA or nonce bits set to 1, additional modifications are needed, but the latter may invalidate the signature.