Abstract
When computing scalar multiples on Koblitz curves, the Frobenius endomorphism can be used to replace the usual doublings on the curve. This involves digital expansions of the scalar to the complex base \(\tau = (\pm 1 \pm \sqrt{-7})/2\) instead of binary expansions. As in the binary case, this method can be sped up by enlarging the set of valid digits at the cost of precomputing some points on the curve. In the binary case, it is known that a simple syntactical condition (the so-called w-NAF condition) on the expansion ensures that the number of curve additions is minimised. The purpose of this paper is to show that this is no longer true for the base τ and w ∈ {4, 5, 6}. Even worse, it is shown that there is no longer an online algorithm that computes an optimal expansion from the digits of some standard expansion from the least to the most significant digit, which can be interpreted as chaotic behaviour. The proofs heavily depend on symbolic computations involving transducer automata.
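As an added example (not code from the paper), the following Python makes the objects of the abstract concrete: arithmetic in Z[τ] with τ² = μτ − 2 (μ = ±1), the digit set of minimal-norm representatives modulo τ^w, the τ-adic w-NAF recoding in the style of Solinas, and an exact minimum-weight search over all expansions with the same digit set, so that for a given scalar one can check whether the w-NAF really attains the minimal number of curve additions. It assumes the standard minimal-norm digit set (ties in norm are broken arbitrarily) and a search bound chosen so that the w-NAF's own path is never cut off.

```python
from collections import deque
def norm(u, mu):                       # N(a + b*tau) = a^2 + mu*a*b + 2*b^2, since tau^2 = mu*tau - 2
    return u[0]*u[0] + mu*u[0]*u[1] + 2*u[1]*u[1]
def div_tau(u, mu):                    # exact division by tau (a + b*tau is divisible by tau iff a is even)
    return (mu*u[0]//2 + u[1], -u[0]//2)
def digit_set(w, mu):
    """Minimal-norm representatives of the odd classes mod tau^w; Z[tau]/tau^w = Z/2^w via tau -> t."""
    m = 1 << w                         # t is the even root of t^2 - mu*t + 2 = 0 (mod 2^w)
    t = next(t for t in range(0, m, 2) if (t*t - mu*t + 2) % m == 0)
    reps, lim = {}, 1 << w             # box suffices: minimal representatives have norm <= 2^w
    for x in range(-lim, lim + 1):
        for y in range(-lim, lim + 1):
            r = (x + y*t) % m
            if r % 2 and (r not in reps or norm((x, y), mu) < norm(reps[r], mu)):
                reps[r] = (x, y)
    return t, reps
def w_naf(u, w, mu):
    """tau-adic w-NAF: digit 0 if divisible by tau, else the class representative (w-1 zeros follow)."""
    t, reps = digit_set(w, mu)
    digits = []
    while u != (0, 0):
        a, b = u
        d = reps[(a + b*t) % (1 << w)] if a % 2 else (0, 0)
        digits.append(d)
        u = div_tau((a - d[0], b - d[1]), mu)
    return digits
def evaluate(digits, mu):              # Horner: sum d_i*tau^i, using (a + b*tau)*tau = -2b + (a + mu*b)*tau
    a = b = 0
    for x, y in reversed(digits):
        a, b = -2*b + x, a + mu*b + y
    return (a, b)
def is_w_naf(digits, w):               # every non-zero digit is followed by at least w-1 zeros
    return all(all(e == (0, 0) for e in digits[i+1:i+w])
               for i, d in enumerate(digits) if d != (0, 0))
def min_weight(u, w, mu):
    """Exact minimum weight over ALL expansions of u with digits {0} + reps, via 0-1 BFS on remainders
    (dividing by tau costs 0, a non-zero digit costs 1); a value below the w-NAF weight shows non-optimality."""
    _, reps = digit_set(w, mu)
    bound = 4 * norm(u, mu) + (8 << w)  # the w-NAF's own remainders always stay inside this bound
    dist, dq = {u: 0}, deque([u])
    while dq:
        v = dq.popleft()
        a, b = v
        steps = [(v, 0)] if a % 2 == 0 else [((a - x, b - y), 1) for x, y in reps.values()]
        for rem, cost in steps:
            nxt = div_tau(rem, mu)
            if norm(nxt, mu) <= bound and dist[v] + cost < dist.get(nxt, 1 << 30):
                dist[nxt] = dist[v] + cost
                (dq.appendleft if cost == 0 else dq.append)(nxt)
    return dist.get((0, 0))
```

For w = 2 the search always agrees with the τ-NAF weight, since the τ-NAF is known to be of minimal weight among expansions with digits {0, ±1}; for w ∈ {4, 5, 6} a scalar where `min_weight` returns strictly less than the w-NAF weight is exactly the non-optimality phenomenon the abstract describes.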
Additional information
C. Heuberger is supported by the Austrian Science Foundation FWF, project S9606, that is part of the Austrian National Research Network “Analytic Combinatorics and Probabilistic Number Theory”.
Cite this article
Heuberger, C. Redundant τ-Adic Expansions II: Non-Optimality and Chaotic Behaviour. Math.Comput.Sci. 3, 141–157 (2010). https://doi.org/10.1007/s11786-009-0014-9