Optimal 2-3 Chains for Scalar Multiplication

Abstract

Using double-base chains to represent integers, in particular chains with bases 2 and 3, can be beneficial to the efficiency of scalar multiplication. However, finding an optimal 2-3 chain as long been thought to be more expensive than the scalar multiplication itself, complicating the use of 2-3 chains in practical applications where the scalar is used only a few time (as in the Diffie-Hellman key exchange).

In the last few years, important progress has been made in obtaining the shortest possible double-base chain for a varying integer n. In 2008, Doche and Habsieger used a binary-tree based approach to get a (relatively close) approximation of the minimal chain. In 2015, Capuñay and Thériault presented the first deterministic polynomial-time algorithm to compute the minimal chain for a scalar, but the complexity of \(O((\log n)^{3+\epsilon })\) is too high for use with a varying scalars. More recently, Bernstein, Chuengsatiansup, and Lange used a graph-based approach to obtain an algorithm with running time \(O((\log n)^{2.5+\epsilon })\).

In this work, we adapt the algorithm of Capuñay and Thériault to obtain minimal chains in \(O((\log n)^2 \log \log n)\) bit operations and \(O((\log n)^2)\) bits of memory. This allows us to obtain minimal chains for 256-bits integers in the 0.280 ms range, making it useful to reduce scalar multiplication costs randomly-selected scalars.

We also show how to extend the result to other types of double-base and triple-base chains (although the complexity for triple-base chains is cubic instead of quadratic). In the case of environments with restricted memory, our algorithm can be adapted to compute the minimal chain in \(O((\log n)^2(\log \log n)^2)\) bit operations with only \(O(\log n(\log \log n)^2)\) bits of memory.

N. Thériault—This research was supported by FONDECYT grant 1151326 (Chile).

A Triple-base chains

The algorithms to obtain optimal 2-3-chains and 2-5-chains in Sects. 3 and 4 can be combined to obtain a polynomial time algorithm to compute optimal tripple-base (2-3-5) chains for n, which is described in Algorithm 3.

Since we are now working in three dimension, each plane corresponding a coordinate k (the power of 5 in \(2^i 3^j 5^k\)) must have access to the subchains for \(k-1\), so the array \(C_i\) is replaced by a double array \(C_{i,j}\).

Theorem 4

Let n be a positive integer, then Algorithm 3 returns a minimal 2-3-5 chain in \(O((\log n)^3 \log \log n)\) bit operations, and requires \(O((\log n)^3)\) bits of memory.

Proof

Similar to the proof of Theorem 3.

The ideas of Sect. 5 can also be applied to Algorithm 3, reducing its memory requirements to \(O((\log n)^2 (\log \log n)^2)\) bits, at the expense of increasing its complexity to \(O((\log n)^3 (\log \log n)^2)\).