# An Analysis of Exponentiation Based on Formal Languages

## Abstract

A recoding rule for exponentiation is a method for reducing the cost of the exponentiation *a* ^{ e } by reducing the number of required multiplications. If *w*(*e*) is the (hamming) weight of *e*, and ē the result of applying the recoding rule A to e, then the purpose is to reduce *w* _{ A }(ē) as compared to *w*(*e*). A well-known example of a recoding rule is to convert a binary exponent into a signed-digit representation in terms of the digits {1; \(
\bar 1\), 0} where \(
\bar 1\) = −1, by recoding runs of 1’s. In this paper we show how three recoding rules can be modelled via regular languages to obtain precise information about the resulting weight distributions. In particular we analyse the recoding rules employed by the 2^{ k }-ary, sliding window and optimal signed-digit exponentiation algorithms. We prove that the sliding window method has an expected recoded weight of approximately *n*/(*k* +1) for relevant *k*-bit windows and *n*-bit exponents, and also that the variance is small. We also prove for the optimal signed digit method that the expected weight is approximately *n*/3 with a variance of 2*n*/27. In general the sliding window method provides the best performance, and performs less than 85% of the multiplications required for the other methods for a majority of exponents.

## Keywords

Elliptic Curve Formal Language Regular Expression Binary String Regular Language## References

- 1.See the Maple homepage at http://www.maplesoft.com.
- 2.S. Arno and F. Wheeler. Signed digit representations of minimal hamming weight.
*IEEE Transactions on Computers*, 42(8):1007–1010, 1993.CrossRefGoogle Scholar - 3.E. A. Bender and S. G. Williamson.
*Foundations of Applied Combinatorics*. Addison-Wesley Publishing Company, 1991.Google Scholar - 4.J. Bos and M. Coster. Addition chain heuristics.
*Advances in Cryptology, CRYPTO 89*,*Lecture Notes in Computer Science*,*vol. 218*, G. Brassard*ed.*,*Springer-Verlag*, pages 400–407, 1990.CrossRefGoogle Scholar - 5.N. Chomsky and P. Schutzenberger. The algebraic theory of context-free languages. In P Braffort and North Holland Hirchberg, D., editors,
*Computer programming and formal languages*, pages 118–161, 1963.Google Scholar - 6.W. Diffie and M. Hellman. New directions in cryptography.
*IEEE Transactions on Information Theory*, 22(6):472–492, 1976.CrossRefMathSciNetGoogle Scholar - 7.T. ElGamal. A public key cryptosystem and signature system based on discrete logarithms.
*IEEE Transactions on Information Theory*, 31(4):473–481, 1985.CrossRefMathSciNetGoogle Scholar - 8.D. Gollman, Y. Han, and C. Mitchell. Redundant integer representations and fast exponentiation.
*Designs, Codes and Cryptography*, 7:135–151, 1996.Google Scholar - 9.R. L. Graham, D. E. Knuth, and O. Patshnik.
*Concrete Mathematics, A Foundation for Computer Science, First Edition*. Addison Wesley, 1989.Google Scholar - 10.J. Hopcroft and J. Ullman.
*An Introduction to Automata, Languages and Computation*. Reading, MA: Addison Wesley, 1979.Google Scholar - 11.L. Hui and K.-Y. Lam. Fast square-and-multiply exponentiation for RSA.
*Electronics Letters*, 30(17):1396–1397, 1994.CrossRefGoogle Scholar - 12.J. Jedwab and C. Mitchell. Minimum weight modified signed-digit representations and fast exponentiation.
*Electronics Letters*, 25:1171–1172, 1989.zbMATHCrossRefGoogle Scholar - 13.C. K. Koc. High-radix and bit encoding techniques for modular exponentiation.
*International Journal of Computer Mathematics*, 40:139–156, 1991.CrossRefzbMATHGoogle Scholar - 14.C. K. Koc. Analysis of sliding window techniques for exponentiation.
*Computers and Mathematics with Applications*, 30(10):17–24, 1995.zbMATHCrossRefMathSciNetGoogle Scholar - 15.D. E. Knuth.
*The Art of Computer Programming: Volume 2, Seminumerical Algorithms*. Addsion Wesley, 1981.Google Scholar - 16.N. Koblitz. CM curves with good cryptographic properties.
*Advances in Cryptology, CRYPTO 91*,*Lecture Notes in Computer Science*,*vol. 576*,*J. Feigenbaum ed.*,*Springer-Verlag*, pages 279–287, 1992.Google Scholar - 17.K. Koyama and T. Tsuruoka. Speeding up elliptic curve cryptosystems using a signed binary window method. In
*Advances in Cryptology, CRYPTO 92*,*Lecture Notes in Computer Science*,*vol. 740*,*E. F. Brickell ed.*,*Springer-Verlag*, pages 345–357, 1992.Google Scholar - 18.A. Menezes, P. van Oorschot, and S. Vanstone.
*Handbook of Applied Cryptography*. CRC press, 1996.Google Scholar - 19.F. Morain and J. Olivos. Speeding up the computations on an elliptic curve using addition-subtraction chains.
*Theoretical Informatics and Applications*, 24(6):531–544, 1990.zbMATHMathSciNetGoogle Scholar - 20.G. Reitwiesener. Binary arithmetic. In F. L. Alt, editor,
*Advances in Computers*, pages 232–308, 1960.Google Scholar - 21.R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems.
*Communications of the ACM*, 21(2):120–126, 1978.zbMATHCrossRefMathSciNetGoogle Scholar - 22.R Sedgewick and P. Flajolet.
*An introduction to the analysis of algorithms*. Addison-Wesley Publishing Company, 1996.Google Scholar - 23.J. A. Solinas. An improved algorithm for arithmetic on a family of elliptic curves.
*Advances in Cryptology, CRYPTO 97*,*Lecture Notes in Computer Science*,*vol. 1294*,*B. S. Kaliski ed.*,*Springer-Verlag*, pages 357–371, 1997.CrossRefGoogle Scholar - 24.Y. Yacobi. Exponentiating faster with addition chains.
*Advances in Cryptology, EUROCRYPT 90*,*Lecture Notes in Computer Science*,*vol. 473*,*I. B. Damgård ed.*,*Springer-Verlag*, pages 222–229, 1991.Google Scholar