Maresias,AofA2008,April16 ,2008 ClemensHeuberger HammingWeightoftheNon-Adjacent-FormunderVariousInputStatisticsandaTwo-DimensionalVersionofHwang’sQuasi-Power-Theorem

(1)

Signed Digit Expansions in Cryptography Given Input Weight Binary and NAF Weight as Random Vector Quasi-Power Theorem

Hamming Weight of the Non-Adjacent-Form under Various Input Statistics

and a Two-Dimensional Version of Hwang’s Quasi-Power-Theorem

Clemens Heuberger

Graz University of Technology, Austria partly based on joint work with

H. Prodinger, Stellenbosch University, South Africa

Supported by the Austrian Science Foundation , project S9606, that is part of the Austrian National Research Network

“Analytic Combinatorics and Probabilistic Number Theory.”

Maresias, AofA 2008, April 16^th, 2008

Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

(2)

Elliptic Curve Cryptography

Signed Digit Expansions and Scalar Multiplication Non-Adjacent Form

Other Input Statistics

Elliptic curve cryptography

Elliptic Curve E :y² =x³+ax²+bx+c For P ∈E andn∈Z,nP can be calculated easily.

No efficient algorithm to calculate n from P and nP?

Fast calculation of nP desirable!

P Q

P+Q

−P R

2R E

(3)

Elliptic curve cryptography

Elliptic Curve E :y² =x³+ax²+bx+c For P ∈E andn∈Z,nP can be calculated easily.

No efficient algorithm to calculate n from P and nP?

Fast calculation of nP desirable!

P Q

P+Q

−P R

2R E

(4)

Double-and-Add Algorithm

Calculating27P via a doubling and adding scheme using the standard binary expansionof 27:

27=(11011)₂,

27P =2(2(2(2(P) +P) +0) +P) +P.

Number of additions∼ Hamming weightof the binary expansion (Number of nonzero digits)

Number of multiplications∼length of the expansion

(5)

Double-and-Add Algorithm

27=(11011)₂,

27P =2(2(2(2(P) +P) +0) +P) +P.

Number of additions∼Hamming weight of the binary expansion (Number of nonzero digits)

(6)

Double-and-Add Algorithm

27=(11011)₂,

27P =2(2(2(2(P) +P) +0) +P) +P.

Number of additions∼Hamming weight of the binary expansion (Number of nonzero digits)

(7)

Double, Add, and Subtract Algorithm

Subtraction is as cheap as addition!

27=(100¯10¯1)2,

27P =2(2(2(2(2(P) +0) +0)−P) +0)−P. (¯1 :=−1)

=⇒ Use of signed digit expansions

Number of additions/subtractions ∼Hamming weight of the binary expansion

Number of multiplications ∼length of the expansion

There are (infinitely) manysigned binary

expansions of an integer (Redundancy)=⇒ find expansion of minimalHamming weight.

P Q

P+Q

−P R

2R E

(8)

Double, Add, and Subtract Algorithm

27=(100¯10¯1)2,

27P =2(2(2(2(2(P) +0) +0)−P) +0)−P. (¯1 :=−1)

P Q

P+Q

−P R

2R E

(9)

Double, Add, and Subtract Algorithm

27=(100¯10¯1)2,

27P =2(2(2(2(2(P) +0) +0)−P) +0)−P. (¯1 :=−1)

P Q

P+Q

−P R

2R E

(10)

Double, Add, and Subtract Algorithm

27=(100¯10¯1)2,

27P =2(2(2(2(2(P) +0) +0)−P) +0)−P. (¯1 :=−1)

P Q

P+Q

−P R

2R E

(11)

Double, Add, and Subtract Algorithm

27=(100¯10¯1)2,

27P =2(2(2(2(2(P) +0) +0)−P) +0)−P. (¯1 :=−1)

There are (infinitely) manysigned binary expansions of an integer (Redundancy)

=⇒ find expansion of minimalHamming weight.

P Q

P+Q

−P R

2R E

(12)

Double, Add, and Subtract Algorithm

27=(100¯10¯1)2,

27P =2(2(2(2(2(P) +0) +0)−P) +0)−P. (¯1 :=−1)

expansions of an integer (Redundancy)=⇒ find

P Q

P+Q

−P R

2R E

(13)

Deriving a Low-Weight Representation

Take an integern.

Ifn is even, we have to take0 as least significant digitand continue with n/2.

Ifn ≡1 (mod 4), we take1 asleast significant digit and continue with (n−1)/2. This isevenandguarantees a zeroin the next step.

Ifn ≡3≡ −1 (mod 4), we take−1as least significant digit and continue with (n+ 1)/2. This isevenand guarantees a zero in the next step.

This procedure yields a zero after every non-zero, which should yield a low weight expansion. There areno adjacent non-zeros.

(14)

Deriving a Low-Weight Representation

Take an integern.

Ifn is even, we have to take0 asleast significant digit and continue with n/2.

Ifn ≡1 (mod 4), we take1 asleast significant digit and continue with (n−1)/2. This isevenandguarantees a zeroin the next step.

(15)

Deriving a Low-Weight Representation

Take an integern.

Ifn ≡1 (mod 4), we take1 asleast significant digit and continue with (n−1)/2. This is evenandguarantees a zeroin the next step.

(16)

Deriving a Low-Weight Representation

Take an integern.

(17)

Deriving a Low-Weight Representation

Take an integern.

This procedure yields a zero after every non-zero, which should yield a low weight expansion.

There are no adjacent non-zeros.

(18)

Deriving a Low-Weight Representation

Take an integern.

(19)

Non-Adjacent Form

Theorem (Reitwiesner 1960)

Let n∈Z, then there isexactly onesigned binary expansion ε∈ {−1,0,1}^N⁰ of n such that

n=X

j≥0

ε_j2^j, (εis a binary expansion of n),

εjεj+1= 0 for all j ≥0.

It is called theNon-Adjacent Form (NAF) of n.

Itminimises theHamming weightamongst all signed binary expansions with digits{0,±1} of n.

(20)

Non-Adjacent Form

Theorem (Reitwiesner 1960)

Let n∈Z, then there isexactly onesigned binary expansion ε∈ {−1,0,1}^N⁰ of n such that

n=X

j≥0

ε_j2^j, (εis a binary expansion of n),

εjεj+1= 0 for all j ≥0.

It is called theNon-Adjacent Form (NAF) of n.

Itminimises theHamming weightamongst all signed binary expansions with digits{0,±1} of n.

(21)

Non-Adjacent Form: Applications

Efficient arithmetic operations (Reitwiesner 1960)

Coding Theory

Elliptic Curve Cryptography (Morain and Olivos 1990)

(22)

Non-Adjacent Form: Applications

Efficient arithmetic operations (Reitwiesner 1960) Coding Theory

(23)

Non-Adjacent Form: Applications

Efficient arithmetic operations (Reitwiesner 1960) Coding Theory

(24)

Analysis of the NAF — Known Results

Theorem

E(H_`) = 1 3`+ 2

9+O(2^−`),

V(H_`) = 2 27`+ 8

81 +O(`2^−`),

`→∞lim P

H`≤ ` 3+h

r2` 27

= 1

√ 2π

Z h

0

e^−t²^/2dt,

whereH` is theHamming weight of a random NAF of length ≤` (all NAFs of length≤`are considered to be equally likely).

(25)

Analysis of the NAF — Known Results

Theorem

E(H_`) = 1 3`+ 2

9+O(2^−`), V(H_`) = 2

27`+ 8

81 +O(`2^−`),

`→∞lim P

H`≤ ` 3+h

r2` 27

= 1

√ 2π

Z h

0

e^−t²^/2dt,

(26)

Analysis of the NAF — Known Results

Theorem

E(H_`) = 1 3`+ 2

9+O(2^−`), V(H_`) = 2

27`+ 8

81 +O(`2^−`),

`→∞lim P

H_`≤ ` 3+h

r2`

27

= 1

√ 2π

Z h

0

e^−t²^/2dt,

(27)

A Note on Probabilistic Models

There are otherprobabilistic models:

Random NAF whose corresponding standard binary expansion haslength ≤`,

Random NAF of length ≤`where all residue classesmodulo 2^` have the same probability.

For instance, 101 and ¯101 represent the same residue class modulo 2³.

(28)

A Note on Probabilistic Models

(29)

A Note on Probabilistic Models

(30)

A Note on Probabilistic Models

(31)

Subblock Occurrences without Restricting to Full Blocks

Letb= (br−1, . . . ,b0)6=0be anadmissible block, (. . . ε₂(n)ε₁(n)ε₀(n))the NAF ofn.

We consider

Sb(N) := X

n<N

∞

X

k=0

[(εk+r−1(n), . . . , εk(n)) =b],

i.e. thenumber of occurrences of the blockb in the NAFs of the positiveintegers less than N.

(32)

Subblock Occurrences without Restricting to Full Blocks

Letb= (br−1, . . . ,b0)6=0be anadmissible block, (. . . ε₂(n)ε₁(n)ε₀(n))the NAF ofn.

We consider

Sb(N) := X

n<N

∞

X

k=0

[(εk+r−1(n), . . . , εk(n)) =b],

i.e. thenumber of occurrences of the blockb in the NAFs of the positiveintegers less than N.

(33)

Subblock Occurrences

Theorem (Grabner-H.-Prodinger 2003) If br−1 = 0, then Sb(N) =

Q(b₀)

3·2^r Nlog₂N+Nh₀(b) +NH_b(log₂N) +o(N),

where

Q(η) =2 + 2 [η = 0] Hb(x) = X

k∈Z\{0}

hk(b)e^2kπix

for explicitly known constants h_k(b), k ∈Z. H_b(x) is a1-periodic continuous function.

(34)

Subblock Occurrences

Q(b₀)

3·2^r Nlog₂N+Nh₀(b) +NH_b(log₂N) +o(N), where

Q(η) =2 + 2 [η = 0]

Hb(x) = X

k∈Z\{0}

hk(b)e^2kπix

for explicitly known constants h_k(b), k ∈Z.

H_b(x) is a1-periodic continuous function.

(35)

Subblock Occurrences

Q(b₀)

3·2^r Nlog₂N+Nh₀(b) +NH_b(log₂N) +o(N), where

Q(η) =2 + 2 [η = 0]

Hb(x) = X

k∈Z\{0}

hk(b)e^2kπix

for explicitly known constants h_k(b), k ∈Z. Hb(x) is a1-periodic continuous function.

(36)

NAF: Counting Subblocks — Explicit constants

h_k(b) = ζ

2kπi

log 2, α_min(b)

−ζ

2kπi

log 2, α_max(b)

2kπi(1 +^2kπi_{log 2}) for k 6= 0, h₀(b) = log₂Γ(α_min(b))−log₂Γ(α_max(b))

−Q(b₀) 3·2^r

r+1

6 + 1 log 2

+ 1

3·2^r⁻¹, α_min(b) = [value(b)<0] + 2^−rvalue(b)− 1 + [b₀ even]

3·2^r αmax(b) = [value(b)<0] + 2^−rvalue(b) + 1 + [b0 even]

3·2^r

The caser = 1 is contained in Thuswaldner (1999).

(37)

NAF: Counting Subblocks — Explicit constants

h_k(b) = ζ

2kπi

log 2, α_min(b)

−ζ

2kπi

log 2, α_max(b)

2kπi(1 +^2kπi_{log 2}) for k 6= 0, h₀(b) = log₂Γ(α_min(b))−log₂Γ(α_max(b))

−Q(b₀) 3·2^r

r+1

6 + 1 log 2

+ 1

3·2^r⁻¹, α_min(b) = [value(b)<0] + 2^−rvalue(b)− 1 + [b₀ even]

3·2^r αmax(b) = [value(b)<0] + 2^−rvalue(b) + 1 + [b0 even]

3·2^r ζ(s,x) denotes the Hurwitz ζ-function.

The caser = 1 is contained inThuswaldner (1999).

(38)

When does the NAF really have an advantage?

Suggestions by various authors:

If the standard binary expansion of n haslow Hamming weight, there is not much room for improvement of the Hamming weight.

So it might be desirable to keep the standard binary expansion.

If, on the other hand, the Hamming weight of the standard binary expansion has veryhigh Hamming weight, theones’ complementof n has low Hamming weight and could be used:

n=

`−1

X

j=0

εj2^j = 2^`−

`−1

X

j=0

(1−εj)2^j −1

The weight of this new expansion is `+ 2−h, whereh is the weight of the standard binary expansion.

(39)

When does the NAF really have an advantage?

If the standard binary expansion of n haslow Hamming weight, there is not much room for improvement of the Hamming weight. So it might be desirable to keep the standard binary expansion.

If, on the other hand, the Hamming weight of the standard binary expansion has veryhigh Hamming weight,

theones’ complementof n has low Hamming weight and could be used:

n=

`−1

X

j=0

εj2^j = 2^`−

`−1

X

j=0

(1−εj)2^j −1

(40)

When does the NAF really have an advantage?

If, on the other hand, the Hamming weight of the standard binary expansion has veryhigh Hamming weight,

theones’ complementof n has low Hamming weight and could be used:

n =

`−1

X

j=0

εj2^j = 2^`−

`−1

X

j=0

(1−εj)2^j −1

(41)

When does the NAF really have an advantage?

If, on the other hand, the Hamming weight of the standard binary expansion has veryhigh Hamming weight, theones’

complementof n has low Hamming weight and could be used:

n =

`−1

X

j=0

εj2^j = 2^`−

`−1

X

j=0

(1−εj)2^j −1

(42)

Relation Between Weights

So, forgiven input weight (i.e., Hamming weight of the standard binary expansion), what is the expected Hamming weight of the NAF?

How are the weight of the standard expansion and the weight of the NAF related?

(43)

Relation Between Weights

So, forgiven input weight (i.e., Hamming weight of the standard binary expansion), what is the expected Hamming weight of the NAF?

How are the weight of the standard expansion and the weight of the NAF related?

(44)

Outline of the Remaining Talk

1 Signed Digit Expansions in Cryptography

2 Given Input Weight

3 Binary and NAF Weight as Random Vector

4 Quasi-Power Theorem

(45)

Outline of the Remaining Talk

(46)

Outline of the Remaining Talk

(47)

Outline of the Remaining Talk

(48)

Fixed Input Weight/Length Ratio Fixed Input Weight

Large Input Weight

(49)

Large Input Weight

Fixed Input Weight/Length Ratio

Theorem

Let0<c <d <1be real numbers. Then the expected Hamming weightof the NAF of a nonnegative integer less than 2ⁿ with unsigned binary digit expansion of Hammingweight k is asymptotically

∼ 1−4 ^k_n−¹₂2

3 + 4 ^k_n−¹₂2n, uniformly for c ≤k/n≤d.

0.2 0.4 0.6 0.8 1

0.05 0.1 0.15 0.2 0.25 0.3

f(x) = 1−4 x− ¹₂2

3 + 4 x− ¹₂2

(50)

Large Input Weight

Fixed Input Weight/Length Ratio

Theorem

Let0<c <d <1be real numbers. Then the expected Hamming weightof the NAF of a nonnegative integer less than 2ⁿ with unsigned binary digit expansion of Hammingweight k is asymptotically

∼ 1−4 ^k_n−¹₂2

3 + 4 ^k_n−¹₂2n,

0.2 0.4 0.6 0.8 1

0.05 0.1 0.15 0.2 0.25 0.3

f(x) = 1−4 x− ¹₂2

3 + 4 x− ¹₂2

(51)

Large Input Weight

Comments

Maximum atk/n = 1/2:

Density 1/3.

This is also the average density without any restriction on the input weight.

Reason: There are especially many standard binary expansionsof length≤n of weight ≈n/2,namely _bn/2cⁿ

. For small or large k/n, the density of the NAF decreases.

0.2 0.4 0.6 0.8 1

0.05 0.1 0.15 0.2 0.25 0.3

f(x) = 1−4 x− ¹₂2

3 + 4 x− ¹₂2

(52)

Large Input Weight

Comments

Density 1/3.

This is also the average density without any restrictionon the input weight.

0.2 0.4 0.6 0.8 1

0.05 0.1 0.15 0.2 0.25 0.3

f(x) = 1−4 x− ¹₂2

3 + 4 x− ¹₂2

(53)

Large Input Weight

Comments

Density 1/3.

.

For small or large k/n, the density of the NAF decreases.

0.2 0.4 0.6 0.8 1

0.05 0.1 0.15 0.2 0.25 0.3

f(x) = 1−4 x− ¹₂2

3 + 4 x− ¹₂2

(54)

Large Input Weight

Comments

Density 1/3.

0.2 0.4 0.6 0.8 1

0.05 0.1 0.15 0.2 0.25 0.3

f(x) = 1−4 x− ¹₂2

3 + 4 x− ¹₂2

(55)

Large Input Weight

Idea of the Proof (1)

Letak`n be the number of nonnegative integers whose unsigned binary expansion has length≤n and Hamming weightk and whose NAF has Hamming weight`.

We consider the generating function G(x,y,z) = X

k,`,n≥0

ak,`,nx^ky^`zⁿ. Consider thetransducer automaton

0 .1 1

0|0

1|ε 0|01

1|0¯1 0|ε

1|0

converting the standard binary expansion to the NAF. This yields G(x,y,z) = x²y²z²−x²yz²−xyz²−xz+xyz+ 1

x²yz³+xyz³+xz²−2xyz²−xz−z+ 1.

(56)

Large Input Weight

Idea of the Proof (1)

Letak`n be the number of nonnegative integers whose unsigned binary expansion has length≤n and Hamming weightk and whose NAF has Hamming weight`. We consider the generating function

G(x,y,z) = X

k,`,n≥0

ak,`,nx^ky^`zⁿ.

Consider thetransducer automaton

0 .1 1

0|0

1|ε 0|01

1|0¯1 0|ε

1|0

converting the standard binary expansion to the NAF. This yields G(x,y,z) = x²y²z²−x²yz²−xyz²−xz+xyz+ 1

(57)

Large Input Weight

Idea of the Proof (1)

G(x,y,z) = X

k,`,n≥0

0 .1 1

0|0

1|ε 0|01

1|0¯1 0|ε

1|0

converting the standard binary expansion to the NAF.

This yields G(x,y,z) = x²y²z²−x²yz²−xyz²−xz+xyz+ 1

(58)

Large Input Weight

Idea of the Proof (1)

G(x,y,z) = X

k,`,n≥0

0 .1 1

0|0

1|ε 0|01

1|0¯1 0|ε

1|0

converting the standard binary expansion to the NAF. This yields x²y²z²−x²yz²−xyz²−xz+xyz+ 1

(59)

Large Input Weight

Idea of the Proof (2)

G(x,y,z) = X

k,`,n≥0

a_k,`,nx^ky^`zⁿ

= x²y²z²−x²yz²−xyz²−xz+xyz+ 1 x²yz³+xyz³+xz²−2xyz²−xz−z+ 1.

Taking the derivative w.r.t. y and setting y = 1 yields

∂

∂yG(x,y,z) y=1

= X

k,`,n≥0

`a_k,`,nx^kzⁿ= xz x²z²+xz²−1 (xz+z−1)²(xz²−1). Dividing the coefficient ofx^kzⁿ by the number ⁿ_k

of standard binary expansions of length≤n and weightk gives the expected Hamming weight.

Using methods ofmultivariate asymptoticsgives the result: Bender and Richmond’s method is used.

(60)

Large Input Weight

Idea of the Proof (2)

G(x,y,z) = X

k,`,n≥0

a_k,`,nx^ky^`zⁿ

= x²y²z²−x²yz²−xyz²−xz+xyz+ 1 x²yz³+xyz³+xz²−2xyz²−xz−z+ 1. Taking the derivative w.r.t. y and setting y = 1 yields

∂

∂yG(x,y,z) y=1

= X

k,`,n≥0

`a_k,`,nx^kzⁿ= xz x²z²+xz²−1 (xz+z−1)²(xz²−1).

Dividing the coefficient ofx^kzⁿ by the number ⁿ_k

(61)

Large Input Weight

Idea of the Proof (2)

G(x,y,z) = X

k,`,n≥0

a_k,`,nx^ky^`zⁿ

∂

∂yG(x,y,z) y=1

= X

k,`,n≥0

(62)

Large Input Weight

Idea of the Proof (2)

G(x,y,z) = X

k,`,n≥0

a_k,`,nx^ky^`zⁿ

∂

∂yG(x,y,z) y=1

= X

k,`,n≥0

(63)

Large Input Weight

Fixed Input Weight

Other point of view: fixed input Hamming weight, lengthn→ ∞.

Theorem

Let k be a fixed integer. Then theexpected Hamming weightof the NAF of an integer with standard binary digit expansion of Hammingweight k and length ≤n is asymptotically

k−k(k²−3k+ 2)

n² +O

1 n³ + 1

n^k−1

,

whereas theexpected Hamming weight of the NAF of an integer with standard binary digit expansion of Hamming weight(n−k) and length≤n is asymptotically

(k+ 2)−2k

n −(k−1)k(k+ 2)

n² +O

1 n³ + 1

n^k−1

.

(64)

Large Input Weight

Fixed Input Weight

Theorem

k−k(k²−3k+ 2)

n² +O

1 n³ + 1

n^k−1

,

(k+ 2)−2k

n −(k−1)k(k+ 2)

n² +O

1 n³ + 1

n^k−1

.

(65)

Large Input Weight

Fixed Input Weight

Theorem

k−k(k²−3k+ 2)

n² +O

1 n³ + 1

n^k−1

,

(k+ 2)−2k

n −(k−1)k(k+ 2)

n² +O

1 n³ + 1

n^k−1

.

(66)

Large Input Weight

Comments

Fixed input weightk:

k−k(k²−3k+ 2)

n² +O

1 n³ + 1

n^k−1

,

i.e., themain term corresponds to justkeeping theinput expansion untouched.

Fixed input weightn−k:

(k+ 2)−2k

n −(k−1)k(k+ 2)

n² +O

1 n³ + 1

n^k−1

, i.e., themain term corresponds passing to the one’s complement and two additional repairing operations.