
Redundant τ-adic expansions I: non-adjacent digit sets and their applications to scalar multiplication

Published in: Designs, Codes and Cryptography

Abstract

This paper investigates some properties of τ-adic expansions of scalars. Such expansions are widely used in the design of scalar multiplication algorithms on Koblitz curves, but at the same time they are much less understood than their binary counterparts. Solinas introduced the width-w τ-adic non-adjacent form for use with Koblitz curves. This is an expansion of integers \({z = \sum_{i=0}^\ell z_i \tau^i}\), where τ is a quadratic integer depending on the curve, such that \({z_i \neq 0}\) implies \({z_{w+i-1} = \cdots = z_{i+1} = 0}\), like the sliding window binary recodings of integers. It uses a redundant digit set, i.e., an expansion of an integer using this digit set need not be uniquely determined if the syntactical constraints are not enforced. We show that the digit sets described by Solinas, formed by elements of minimal norm in their residue classes, are uniquely determined. Apart from this digit set of minimal norm representatives, other digit sets can be chosen such that all integers can be represented by a width-w non-adjacent form using those digits. We describe an algorithm recognizing admissible digit sets. Results by Solinas and by Blake, Murty, and Xu are generalized. In particular, we introduce two new useful families of digit sets. The first set is syntactically defined. As a consequence of its adoption we can also present improved and streamlined algorithms to perform the precomputations in τ-adic scalar multiplication methods. The latter use an improvement of the computation of sums and differences of points on elliptic curves with mixed affine and López–Dahab coordinates. The second set is suitable for low-memory applications, generalizing an approach started by Avanzi, Ciet, and Sica. It makes it possible to devise a scalar multiplication algorithm that dispenses with the initial precomputation stage and its associated memory space.
A suitable choice of the parameters of the method leads to a scalar multiplication algorithm on Koblitz curves that achieves sublinear complexity in the number of expensive curve operations.
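To make the non-adjacency condition concrete, the following added example (not code from the paper) computes the width-2 τ-NAF of an element a + bτ of Z[τ] with Solinas's digit-selection rule, evaluates the expansion back, and checks the width-w non-adjacency property. It assumes the Koblitz-curve relation τ² = μτ − 2 and fixes μ = 1 as a constructed choice (μ = −1 works the same way).

```python
"""Width-2 tau-adic NAF over Z[tau], tau^2 = mu*tau - 2 (Koblitz curves).
Added example, not the paper's code. Elements are stored as pairs (a, b) = a + b*tau."""

MU = 1  # constructed choice of curve parameter; the other Koblitz curve has MU = -1


def div_tau(a, b, mu=MU):
    """Exact division of a + b*tau by tau (requires a even).
    Since tau * conj(tau) = 2 and conj(tau) = mu - tau:
    (a + b*tau)/tau = (b + mu*a/2) - (a/2)*tau."""
    if a % 2:
        raise ValueError("element is not divisible by tau")
    return b + mu * (a // 2), -(a // 2)


def mul_tau(a, b, mu=MU):
    """(a + b*tau) * tau = -2b + (a + mu*b)*tau, using tau^2 = mu*tau - 2."""
    return -2 * b, a + mu * b


def tau_naf(a, b, mu=MU):
    """Digits z_0, z_1, ... in {0, +1, -1} with a + b*tau = sum z_i tau^i and no two
    adjacent non-zero digits (Solinas's width-2 tau-NAF). Digits are least significant first."""
    digits = []
    r0, r1 = a, b
    while r0 != 0 or r1 != 0:
        if r0 % 2:
            # Pick the digit so that, after removing it, the quotient is divisible by tau
            # again, which forces the next digit to be 0. Python's % is non-negative.
            u = 2 - ((r0 - 2 * r1) % 4)  # always +1 or -1
            r0 -= u
        else:
            u = 0
        digits.append(u)
        r0, r1 = div_tau(r0, r1, mu)
    return digits


def evaluate(digits, mu=MU):
    """Horner evaluation of sum z_i tau^i back to a pair (a, b)."""
    a = b = 0
    for z in reversed(digits):
        a, b = mul_tau(a, b, mu)
        a += z
    return a, b


def is_width_w_naf(digits, w):
    """Check the paper's condition: z_i != 0 implies z_{i+1} = ... = z_{i+w-1} = 0."""
    return not any(z and any(digits[i + 1:i + w]) for i, z in enumerate(digits))
```

For the integer 9 (pair (9, 0)) the routine returns [1, 0, 0, -1, 0, 1], i.e. 9 = 1 − τ³ + τ⁵, a representation with Hamming weight 3 and no adjacent non-zero digits.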


References

  1. Al-Daoud E., Mahmod R., Rushdan M., Kilicman A.: A new addition formula for elliptic curves over GF(2^n). IEEE Trans. Comput. 51(8), 972–975 (2002)

  2. Avanzi R.: Delaying and merging operations in scalar multiplication: applications to curve-based cryptosystems. In: Biham E., Youssef A.M. (eds.) Selected Areas in Cryptography: 13th International Workshop, SAC 2006, Montreal, Quebec, Canada, August 17–18, 2006, Revised Selected Papers, Lecture Notes in Comput. Sci., vol. 4356, pp. 203–219. Springer, Berlin (2007).

  3. Avanzi R., Ciet M., Sica F.: Faster scalar multiplication on Koblitz curves combining point halving with the Frobenius endomorphism. In: Bao F., Deng R.H., Zhou J. (eds.) Public Key Cryptography—PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1–4, 2004, Lecture Notes in Comput. Sci., vol. 2947, pp. 28–40. Springer (2004).

  4. Avanzi R., Cohen H., Doche C., Frey G., Lange T., Nguyen K.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. CRC Press Series on Discrete Mathematics and its Applications, vol. 34. Chapman & Hall/CRC, Boca Raton, FL (2005).

  5. Avanzi R., Dimitrov V., Doche C., Sica F.: Extending scalar multiplication using double bases. In: Lai X., Chen K. (eds.) Advances in Cryptology—ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3–7, 2006, Proceedings Lecture Notes in Comput. Sci., vol. 4284, pp. 130–144. Springer (2006).

  6. Avanzi R., Heuberger C., Prodinger H.: Minimality of the Hamming weight of the τ-NAF for Koblitz curves and improved combination with point halving. In: Preneel B., Tavares St. (eds.) Selected Areas in Cryptography: 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11–12, 2005, Revised Selected Papers, Lecture Notes in Comput. Sci., vol. 3897, pp. 332–344. Springer, Berlin (2006).

  7. Avanzi R., Heuberger C., Prodinger H.: Scalar multiplication on Koblitz curves. Using the Frobenius endomorphism and its combination with point halving: Extensions and mathematical analysis. Algorithmica 46, 249–270 (2006)

  8. Avanzi R., Heuberger C., Prodinger H.: On redundant τ-adic expansions and non-adjacent digit sets. In: Biham E., Youssef A.M. (eds.) Selected Areas in Cryptography: 13th International Workshop, SAC 2006, Montreal, Quebec, Canada, August 17–18, 2006, Revised Selected Papers, Lecture Notes in Comput. Sci., vol. 4356, pp. 285–301. Springer, Berlin (2007).

  9. Avanzi R., Sica F.: Scalar multiplication on Koblitz curves using double bases. In: Nguyen P.Q. (ed.) Progress in Cryptology—VIETCRYPT 2006, First International Conference on Cryptology in Vietnam, Hanoi, Vietnam, September 25–28, 2006, Revised Selected Papers, Lecture Notes in Comput. Sci., vol. 4341, pp. 131–146. Springer (2006).

  10. Avanzi R., Thériault N.: Effects of optimizations for software implementations of small binary field arithmetic. In: Carlet C., Sunar B. (eds.) WAIFI 2007: International Workshop on the Arithmetic of Finite Fields, Lecture Notes in Comput. Sci., vol. 4547, pp. 69–84. Springer, Berlin (2007).

  11. Avanzi R., Thériault N., Wang Z.: Rethinking low genus hyperelliptic Jacobian arithmetic over binary fields: interplay of field arithmetic and explicit formulæ. J. Math. Cryptol. 2(3), 227–255 (2008)

  12. Avoine G., Monnerat J., Peyrin, Th.: Advances in alternative non-adjacent form representations. Progress in cryptology—INDOCRYPT 2004, Lecture Notes in Comput. Sci., vol. 3348, pp. 260–274. Springer, Berlin (2004).

  13. Blake I.F., Murty V.K., Xu G.: A note on window τ-NAF algorithm. Inform. Process. Lett. 95, 496–502 (2005)

  14. Corless R.M., Gonnet G.H., Hare D.E.G., Jeffrey D.J., Knuth D.E.: On the Lambert W function. Adv. Comput. Math. 5(4), 329–359 (1996)

  15. Coron J.-S., M’Raïhi D., Tymen C.: Fast generation of pairs (k,[k]P) for Koblitz elliptic curves. In: Vaudenay S., Youssef A.M. (eds.) Selected Areas in Cryptography, 8th Annual International Workshop, SAC 2001 Toronto, Ontario, Canada, August 16–17, 2001, Revised Papers, Lecture Notes in Comput. Sci., vol. 2259, pp. 151–164. Springer, Berlin (2001).

  16. Gilbert W.J.: Radix representations of quadratic fields. J. Math. Anal. Appl. 83(1), 264–274 (1981)

  17. Heuberger C.: Redundant τ-adic expansions II: Non-optimality and chaotic behaviour. Math. Comput. Sci. 3, 141–157 (2010)

  18. Heuberger C., Prodinger H.: Analysis of alternative digit sets for nonadjacent representations. Monatsh. Math. 147, 219–248 (2006)

  19. IEEE Std 1363-2000: IEEE standard specifications for public-key cryptography. IEEE Computer Society, August 29 (2000).

  20. Kátai I., Kovács B.: Canonical number systems in imaginary quadratic fields. Acta Math. Hungar. 37, 159–164 (1981)

  21. Kátai I., Szabó J.: Canonical number systems for complex integers. Acta Sci. Math. (Szeged) 37, 255–260 (1975)

  22. Knudsen E.W.: Elliptic scalar multiplication using point halving. In: Lam K.-Y., Okamoto E., Xing C. (eds.) Advances in Cryptology— ASIACRYPT ’99, International Conference on the Theory and Applications of Cryptology and Information Security, Singapore, November 14–18, 1999, Proceedings, Lecture Notes in Comput. Sci., vol. 1716, pp. 135–149. Springer, Berlin (1999).

  23. Koblitz N.: Elliptic curve cryptosystems. Math. Comp. 48(177), 203–209 (1987)

  24. Koblitz N.: CM-curves with good cryptographic properties. In: Feigenbaum J. (ed.) Advances in Cryptology—CRYPTO ’91, 11th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11–15, 1991, Proceedings, Lecture Notes in Comput. Sci., vol. 576, pp. 279–287. Springer, Berlin (1992).

  25. López J., Dahab R.: Improved algorithms for elliptic curve arithmetic in GF(2^n). Selected Areas in Cryptography (Kingston, ON, 1998), Lecture Notes in Comput. Sci., vol. 1556, pp. 201–212. Springer, Berlin (1999).

  26. Matula D.W.: Basic digit sets for radix representation. J. Assoc. Comput. Mach. 29(4), 1131–1143 (1982)

  27. Meier W., Staffelbach O.: Efficient multiplication on certain nonsupersingular elliptic curves. In: Brickell E.F. (ed.) Advances in Cryptology—CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16–20, 1992, Proceedings, Lecture Notes in Comput. Sci., vol. 740, pp. 333–344. Springer, Berlin (1993).

  28. Miller V.S.: Use of elliptic curves in cryptography. In: Williams H.C. (ed.) Advances in Cryptology—CRYPTO ’85, Santa Barbara, California, USA, August 18–22, 1985, Proceedings, Lecture Notes in Comput. Sci., vol. 218, pp. 417–426. Springer, Berlin (1986).

  29. Muir J.A., Stinson D.R.: Alternative digit sets for nonadjacent representations. In: Matsui M., Zuccherato R.J. (eds.) Selected Areas in Cryptography, 10th Annual International Workshop, SAC 2003, Ottawa, Canada, August 14–15, 2003, Revised Papers, Lecture Notes in Comput. Sci., vol. 3006, pp. 306–319. Springer, Berlin (2004).

  30. Muir J.A., Stinson D.R.: Alternative digit sets for nonadjacent representations. SIAM J. Discrete Math. 19, 165–191 (2005)

  31. National Institute of Standards and Technology: Digital signature standard, FIPS Publication, vol. 186–2, February (2000).

  32. Okeya K., Takagi T., Vuillaume C.: Short memory scalar multiplication on Koblitz curves. In: Rao J.R., Sunar B. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2005, 7th International Workshop, Edinburgh, UK, August 29–September 1, 2005, Proceedings, Lecture Notes in Comput. Sci., vol. 3659, pp. 91–105. Springer, Berlin (2005).

  33. Park D.J., Sim S.G., Lee P.J.: Fast scalar multiplication method using change-of-basis matrix to prevent power analysis attacks on Koblitz curves. In: Chae K., Yung M. (eds.) Information Security Applications, 4th International Workshop, WISA 2003, Jeju Island, Korea, August 25–27, 2003, Revised Papers, Lecture Notes in Comput. Sci., vol. 2908, pp. 474–488. Springer (2004).

  34. Schroeppel R.: Elliptic curve point ambiguity resolution apparatus and method. International Application Number PCT/US00/31014, filed 9 November (2000).

  35. Schroeppel R.: Point halving wins big, Talk at the ECC 2001 Workshop, University of Waterloo, Ontario, Canada, October 29–31, (2001).

  36. Solinas J.A.: An improved algorithm for arithmetic on a family of elliptic curves. In: Kaliski B.S., Jr. (ed.) Advances in Cryptology—CRYPTO ’97. 17th Annual International Cryptology Conference. Santa Barbara, CA, USA. August 17–21, 1997. Proceedings, Lecture Notes in Comput. Sci., vol. 1294, pp. 357–371. Springer, Berlin (1997).

  37. Solinas J.A.: Efficient arithmetic on Koblitz curves, Des. Codes Cryptogr. 19, 195–249 (2000)

Corresponding author

Correspondence to Clemens Heuberger.

Additional information

Communicated by P. Wild.

This paper was in part written while R. Avanzi and C. Heuberger were visiting the Department of Mathematical Sciences, Stellenbosch University, and during a visit of R. Avanzi at TU Graz supported by the Austrian Science Foundation FWF, project S9606. The information in this document reflects only the authors’ views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.

This paper is an extended version of [8], with proofs and additional results.

Cite this article

Avanzi, R., Heuberger, C. & Prodinger, H. Redundant τ-adic expansions I: non-adjacent digit sets and their applications to scalar multiplication. Des. Codes Cryptogr. 58, 173–202 (2011). https://doi.org/10.1007/s10623-010-9396-6