Redundant τ-adic expansions I: non-adjacent digit sets and their applications to scalar multiplication

This paper investigates some properties of τ-adic expansions of scalars. Such expansions are widely used in the design of scalar multiplication algorithms on Koblitz curves, but at the same time they are much less understood than their binary counterparts. Solinas introduced the width-$w$ τ-adic non-adjacent form for use with Koblitz curves. This is an expansion of integers $z = \sum_{i=0}^\ell z_i \tau^i$, where τ is a quadratic integer depending on the curve, such that $z_i \neq 0$ implies $z_{w+i-1} = \dots = z_{i+1} = 0$, like the sliding window binary recodings of integers. It uses a redundant digit set, i.e., an expansion of an integer using this digit set need not be uniquely determined if the syntactical constraints are not enforced. We show that the digit sets described by Solinas, formed by elements of minimal norm in their residue classes, are uniquely determined. Apart from this digit set of minimal norm representatives, other digit sets can be chosen such that all integers can be represented by a width-$w$ non-adjacent form using those digits. We describe an algorithm recognizing admissible digit sets. Results by Solinas and by Blake, Murty, and Xu are generalized. In particular, we introduce two new useful families of digit sets. The first set is syntactically defined. As a consequence of its adoption we can also present improved and streamlined algorithms to perform the precomputations in τ-adic scalar multiplication methods. The latter use an improvement of the computation of sums and differences of points on elliptic curves with mixed affine and López–Dahab coordinates. The second set is suitable for low-memory applications, generalizing an approach started by Avanzi, Ciet, and Sica. It permits devising a scalar multiplication algorithm that dispenses with the initial precomputation stage and its associated memory space. A suitable choice of the parameters of the method leads to a scalar multiplication algorithm on Koblitz curves that achieves sublinear complexity in the number of expensive curve operations.
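The width-$w$ τ-adic non-adjacent form with minimal norm digits can be reproduced for small $w$ with the following added example, which is not code from the paper. It assumes $\tau^2 = \mu\tau - 2$ with $\mu = \pm 1$, stores $c + d\tau$ as the pair `(c, d)`, and finds the digits by brute-force search rather than by the paper's algorithms; all function names are hypothetical.

```python
def digit_set(mu, w):
    """Return (t, digits, unique) for Z[tau], tau^2 = mu*tau - 2, mu = +/-1."""
    m = 2 ** w
    # tau maps to the even root t of x^2 - mu*x + 2 modulo 2^w, so
    # c + d*tau is divisible by tau^w exactly when c + d*t = 0 (mod 2^w).
    t = next(x for x in range(0, m, 2) if (x * x - mu * x + 2) % m == 0)
    classes = {}
    for c in range(-m, m + 1):          # box large enough for all minima
        for d in range(-m, m + 1):
            u = (c + d * t) % m
            if u % 2:                   # odd class: not divisible by tau
                norm = c * c + mu * c * d + 2 * d * d
                classes.setdefault(u, []).append((norm, c, d))
    digits, unique = {}, True
    for u, cands in classes.items():
        cands.sort()
        unique = unique and cands[0][0] < cands[1][0]   # no tie for minimum
        digits[u] = cands[0][1:]
    return t, digits, unique

def recode(a, b, mu, w):
    """Digits z_0, z_1, ... (least significant first) of a + b*tau."""
    t, digits, _ = digit_set(mu, w)
    out = []
    while a or b:
        if a % 2:                       # not divisible by tau: emit a digit
            c, d = digits[(a + b * t) % 2 ** w]
            a, b = a - c, b - d
        else:
            c, d = 0, 0
        out.append((c, d))
        a, b = b + mu * (a // 2), -(a // 2)   # exact division by tau
    return out

def evaluate(out, mu):
    """Horner evaluation of sum z_i * tau^i back into a pair (x, y)."""
    x, y = 0, 0
    for c, d in reversed(out):
        x, y = -2 * y + c, x + mu * y + d
    return x, y

def is_non_adjacent(out, w):
    nz = [i for i, z in enumerate(out) if z != (0, 0)]
    return all(j - i >= w for i, j in zip(nz, nz[1:]))

if __name__ == "__main__":
    print(recode(2023, 0, 1, 4))
```
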
