Abstract
This paper investigates some properties of τ-adic expansions of scalars. Such expansions are widely used in the design of scalar multiplication algorithms on Koblitz curves, but at the same time they are much less understood than their binary counterparts. Solinas introduced the width-w τ-adic non-adjacent form for use with Koblitz curves. This is an expansion of integers z = ∑i=0ℓ ziτi, where τ is a quadratic integer depending on the curve, such that z i ≠ 0 implies z w+i-1 = . . . = z i+1 = 0, like the sliding window binary recodings of integers. It uses a redundant digit set, i.e., an expansion of an integer using this digit set need not be uniquely determined if the syntactical constraints are not enforced. We show that the digit sets described by Solinas, formed by elements of minimal norm in their residue classes, are uniquely determined. Apart from this digit set of minimal norm representatives, other digit sets can be chosen such that all integers can be represented by a width-w non-adjacent form using those digits. We describe an algorithm recognizing admissible digit sets. Results by Solinas and by Blake, Murty, and Xu are generalized. In particular, we introduce two new useful families of digit sets. The first set is syntactically defined. As a consequence of its adoption we can also present improved and streamlined algorithms to perform the precomputations in τ-adic scalar multiplication methods. The latter use an improvement of the computation of sums and differences of points on elliptic curves with mixed affine and López-Dahab coordinates. The second set is suitable for low-memory applications, generalizing an approach started by Avanzi, Ciet, and Sica. It permits to devise a scalar multiplication algorithm that dispenses with the initial precomputation stage and its associated memory space. A suitable choice of the parameters of the method leads to a scalar multiplication algorithm on Koblitz Curves that achieves sublinear complexity in the number of expensive curve operations.
Original language | English |
---|---|
Pages (from-to) | 173-202 |
Number of pages | 30 |
Journal | Designs, Codes, and Cryptography |
Volume | 58 |
Issue number | 2 |
DOIs | |
State | Published - Feb 2011 |
Externally published | Yes |
Bibliographical note
Funding Information:This paper was in part written while R. Avanzi and C. Heuberger were visiting the Department of Mathematical Sciences, Stellenbosch University, and during a visit of R. Avanzi at TU Graz supported by the Austrian Science Foundation FWF, project S9606. The information in this document reflects only the authors’ views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. This paper is an extended version of [8], with proofs and additional results.
Funding Information:
Acknowledgments R. Avanzi’s research described in this paper has been partly supported by the European Commission through the IST Programme under Contract IST-2002-507932 ECRYPT. C. Heuberger is supported by the Austrian Science Foundation FWF, project S9606, that is part of the Austrian National Research Network “Analytic Combinatorics and Probabilistic Number Theory”. H. Prodinger is supported by the NRF grant 2053748 of the South African National Research Foundation and by the Center of Experimental Mathematics of the University of Stellenbosch.
Keywords
- Digit sets
- Efficient implementation
- Frobenius endomorphism
- Koblitz curves
- Non-adjacent-forms
- Point halving
- Scalar multiplication
- τ-adic expansions
ASJC Scopus subject areas
- Theoretical Computer Science
- Computer Science Applications
- Discrete Mathematics and Combinatorics
- Applied Mathematics