九州大学学術情報リポジトリ
Kyushu University Institutional Repository
自己準同型写像を用いた楕円曲線暗号の効率的なア ルゴリズム
伯田, 恵輔
https://doi.org/10.15017/1398315
出版情報:Kyushu University, 2013, 博士(機能数理学), 課程博士 バージョン:
権利関係:Fulltext available.
Ecient Algorithms for Elliptic Curve Cryptosystems using Endomorphisms
Keisuke Hakuta
Graduate School of Mathematics Kyushu University
A thesis submitted for the degree of
Doctor of Functional Mathematics
c
◦ Copyright by Keisuke Hakuta, 2013 All Rights Reserved.
i
This thesis is dedicated to my wife and my sons for their support.
Acknowledgements
It would not have been possible to write this dissertation without the assistance, patience, and support of many individuals. I would like to express my deepest appreciation to all those who provided me the possibility to complete this dissertation.
I would like to extend my gratitude rst and foremost to Professor Tsuyoshi Takagi for his supervision, guidance and the continuous sup- port during my research at Kyushu University.
Besides my advisor, deepest gratitude are also due to the members of my committee, Professor Hiroyuki Ochiai, Professor Kouichi Sakurai, Associate Professor Yasuro Gon, without whose insightful comments, hard questions, and especially the revision process that has lead to this document, this study would not have been successful.
I would also like to extend my appreciation to Hisayoshi Sato for his immense and continued support, valuable advice, technical and non- technical assistance, and encouragements in a number of ways.
I would like express my gratitude to all the current and former Hi- tachi crypto team: Eriko Ando, Soichi Furuya, Yasuo Hatano, Kota Ideguchi, Shugo Mikami, Kunihiko Miyazaki, Ken Naganuma, Kat- suyuki Okeya, Toru Owada, Hisao Sakazaki, Dai Watanabe, and Masayuki Yoshino, for their support and many technical and non-technical dis- cussions. I also would like express my gratitude to Hirotaka Yoshida for not only his support and many technical and non-technical discus- sions, but also for the English correction of this thesis.
I am grateful for the Hitachi directors who have supported me, in- cluding Kazuo Takaragi, Yasuko Fukuzawa, Seichi Susaki, Takahiro Fujishiro, Masahiro Mimura, and Tadashi Kaji.
Last but not the least, I would like to thank my family members Tatsumi, Megumi, and Yusuke for encouragement, and my wife Aki, and my sons Sosuke and Rensuke for their endless support, patience and extreme understanding while I have pursued this degree.
Contents
Contents iv
List of Tables vii
List of Figures ix
1 Introduction and Motivation 1
1.1 Introduction and Motivation . . . 1
1.2 Contribution and Organization of the thesis . . . 2
2 Background 4 2.1 Notation . . . 4
2.2 Elliptic curves, Frobenius endomorphism . . . 5
2.3 Public Key Cryptography . . . 6
2.4 Cryptographic Applications of Endomorphisms . . . 7
3 Ecient Arithmetic on Subeld Elliptic Curves over Small Finite Fields of Odd Characteristic 9 3.1 Introduction . . . 9
3.1.1 Contribution of this chapter . . . 11
3.2 Preliminaries . . . 12
3.2.1 GNAF,rNAF . . . 12
3.2.2 Subeld elliptic curves, Frobenius expansion, and Scalar multiplication . . . 13
3.2.3 τ-NAF on binary Koblitz curves and supersingular Koblitz curves . . . 15
iv
CONTENTS
3.3 Proposed Methods (Two classes ofϕ-NAF) . . . 17
3.3.1 ϕ-GNAF onFq-Koblitz curves of t= 1 . . . 18
3.3.2 ϕ-rNAF on Fq-Koblitz curves oft= 1 . . . 28
3.3.3 ϕ-rNAF on Fq-Koblitz curves oft= 1 . . . 38
3.4 Scalar Multiplication Costs . . . 40
3.4.1 Estimates . . . 40
3.4.2 Timings . . . 44
3.5 Sample Parameters . . . 46
3.6 Summary of this chapter . . . 49
4 Explicit lower bound for the length of minimal weight τ-adic expansions on Koblitz curves 51 4.1 Introduction . . . 51
4.2 Key Lemma . . . 55
4.3 Lower Bound for the Length . . . 62
4.4 Another Proof of the Minimality . . . 64
4.4.1 The Main Idea of Our New Proof . . . 64
4.4.2 Our New Proof . . . 66
4.5 τ-adic Minimal Length Form and Its Cryptographic Application . 69 4.5.1 τ-adic Minimal Length Form . . . 69
4.5.2 Cryptographic Application of τ-MLF . . . 72
4.6 Summary of this chapter . . . 72
5 Batch verication suitable for eciently verifying a limited num- ber of signatures 74 5.1 Introduction . . . 74
5.1.1 Motivation . . . 75
5.1.2 Contribution of this chapter . . . 76
5.2 Preliminaries . . . 77
5.2.1 Batch Verication . . . 77
5.2.2 Small Exponents Test . . . 78
5.2.3 Complex Exponent Test . . . 78
5.2.4 Improved Complex Exponent Test . . . 80
v
CONTENTS
5.3 Our Proposed Method . . . 80
5.3.1 Properties of Certain Types of Elliptic Curves . . . 81
5.3.2 Our Proposed Test using the Curve E7,b . . . 82
5.3.3 Our Proposed Test using the Curve E5,a . . . 88
5.4 Sample Parameters . . . 94
5.5 Comparison . . . 97
5.5.1 Timings . . . 97
5.5.2 Estimate . . . 98
5.6 Summary of this chapter . . . 100
6 Conclusion and Open Problems 101 6.1 Conclusion . . . 101
6.2 Open Problems . . . 102
Bibliography 107
Index 115
vi
List of Tables
3.1 Forms ofℓ digits ϕ-GNAF representations . . . 25
3.2 Forms ofℓ digits ϕ-rNAF representations . . . 36
3.3 The number of curve operations for each recoding method (q= 3) 41 3.4 The number of curve operations for each recoding method (q≥5) 41 3.5 The number ofFqm-eld arithmetic operations (bit length of scalar = 192,224,256,384) and total number of multiplications (S = 0.8M, I/M = 8) for each recoding method . . . 42
3.6 Timings of the Finite Field Operations . . . 45
3.7 Timings of Recoding Methods . . . 45
3.8 Timings of Scalar Multiplications on F3-Koblitz Curve K(3,1)-173 (online precomputation case) . . . 46
3.9 Sample Parameters for F3-Koblitz Curves oft = 1 . . . 47
3.10 Sample Parameters for F3-Koblitz Curves oft = 1 . . . 48
4.1 Conversion of the τ-NAF into the τ-MLF (ℓ <6) . . . 70
4.2 Conversion of the τ-NAF into the τ-MLF (ℓ ≥6) . . . 71
5.1 Classication of elliptic curves of the formE7,b . . . 83
5.2 Classication of elliptic curves of the formE5,a . . . 89
5.3 Sample Parameters for the elliptic curvesE5,a/F5 . . . 94
5.4 Sample Parameters for the elliptic curvesE7,b/F7 . . . 96
5.5 Timings of the Finite Field Operations. . . 98
5.6 Estimate the computational costs of CE test and our test . . . 99
5.7 Values kj and kω such that #Sj ≈2kbv,#SE≈2kbv . . . 99
vii
LIST OF TABLES
5.8 the number of signatures N for which our method is faster than CE test . . . 100
viii
List of Figures
5.1 A typical IP camera surveillance system . . . 76
ix
Chapter 1
Introduction and Motivation
1.1 Introduction and Motivation
Nowadays, Information and communication technology (ICT) assists us in many areas of our lives (e.g. business, education, our personal lives, and so on). The role of ICT is becoming more and more important. The number and variety of ICT devices is growing rapidly and dierent types of devices are widely communicated with each other through dierent types of networks. ICT systems, however, may pose security risks such as spoong, tampering, repudiation, information disclosure, etc.
Public key schemes provide encryption, digital signature, and key exchange ca- pabilities. Moreover, some schemes have homomorphic properties, namely, these schemes allow anyone in possession of the public key to perform computations on encrypted data without decrypting it. Many public key schemes are based on the diculties of number-theoretic problems such as integer factoring problem, discrete logarithm problem in nite elds or elliptic curves, problem of solv- ing a multivariate polynomial system over a nite eld. In public key schemes, number-theoretic computations are the dominant operations. For instance, com- puting scalar multiplication (or point multiplication) is the most time consuming operation in elliptic curve cryptosystems (ECC for short). Therefore it is an important task to accelerate number-theoretic computations.
On the other hand, endomorphisms of algebraic varieties play an important
1
role in modern mathematics. For example, the endomorphisms on an elliptic curve play a central role in the arithmetic study of elliptic curves. Polynomial automorphisms play a key role in several open problems in ane algebraic geom- etry such as Jacobian conjecture, tame generators problem.
This thesis deals with endomorphisms of algebraic varieties. In the crypto- graphic community, endomorphisms of algebraic varieties are often used not only to improve the eciency of public key schemes, but also to evaluate the security of public key schemes. More precisely, in ECC the Frobenius endomorphism of an elliptic curve is especially attractive because of the fact that the Frobenius endomorphism can be computed very eciently. Roughly speaking, for a given subeld elliptic curve (i.e. an elliptic curve over a nite eld which are actu- ally dened over some subeld), Frobenius expansions are special representations of element in the endomorphism ring as polynomials in the Frobenius endomor- phism with cryptographically appropriate integer coecients. For the purpose of improve the performance, it is desirable to construct Frobenius expansions with low Hamming weight (i.e. the the number of nonzero coecients). In addi- tion, theoretical analysis of eciency of Frobenius expansions with low Hamming weight may be important to explore the Hamming weight of other representations.
Frobenius expansions are also attractive for signature verication, especially, in batch verication (a method to verify multiple signatures simultaneously). Frobe- nius expansions are used in order to randomize the verication process and to improve the eciency. To use Frobenius expansions for batch verication, it is necessary to investigate some properties of Frobenius expansions.
The motivation for the results in this thesis comes from the importance to explore some properties of Frobenius expansions.
1.2 Contribution and Organization of the thesis
The rest of this thesis is organized as follows. Section 2 reviews some back- ground. In Section 3, we propose ecient scalar multiplication algorithms for subeld elliptic curves of trace ±1. The results are extensions of Solinas's τ- adic non adjacent form (τ-NAF for short) on Koblitz curves. We also present implementation results of our new algorithms and previous methods.
2
In Section 4, we derive an explicit lower bound for the length of minimal Hamming weight τ-adic expamsions on Koblitz curves. We also give a new proof of the minimality of the Hamming weight of the τ-NAF on Koblitz curves. Fur- thermore, we classify a minimal lengthτ-adic expansion with minimal Hamming weight except for two special cases.
Finally, in Section 5, we present two ecient batch verication techniques suitable for verifying a limited number of signatures in real-time. Our method can only be applied to elliptic curve based signatures, and uses one of the two special families of elliptic curves.
3
Chapter 2 Background
This section provides necessary background on elliptic curves and public key cryptography.
2.1 Notation
Throughout this thesis, we use the symbols N,Z,Q,C,Fqto represent the natural numbers, the integers, the rational numbers, complex numbers, and a nite eld with q elements respectively, where q = pr (r ∼ 1), p = char(Fq). For any eld k, we denote by p = char(k) the characteristic of the eld k. For a eld k, the n-dimensional projective space over k is denoted byPnk. For a positive integer n, we denote the residue class ring modulo n by Zn=Z/nZ. For a nite set S, we denote the cardinality of S by #S. Denote by Z>0 the set of positive integers.
For x C, we denote by \x\the absolute value of x. We denote a by ¯a for any natural number a
For any non-zero complex number ψ C√}0, we denote ψ-adic expansion −1
i=0ciψiwithci Zby(c−1, . . . , c0)ψ, and denote the number of non-zeroci's by wt((c−1,×××, c0)ψ). The symbol `±' means a non-zero digit of ψ-adic expansions.
We call the length of the ψ-adic expansion. Let E be an elliptic curve dened over a nite eld Fq, φ : E ⇐E, (x, y)∪⇐ (xq, yq) be the qth-power Frobenius map on E. We put tm := qm + 1 #E(Fqm), t := t1, and call tm the trace of E(Fqm). We can regard φ as a complex number which satises the characteristic
4
ϕ2 tϕ+q=0 Fqm
E #E(Fqm) =hn h n P∈E(Fqm) n A F
E(Fqm)qth E(Fqm)
Ea τ
Ea D:=D2={0,±1}
a∈F2 D={0,±µ}
α Z[τ] α=∑ℓ−1
i=0biτibi∈D τ α α=∑ℓ′−1
i=0 ciτi(ci∈D) τ α
τ α ℓτ (α) ℓ (α)
τ τ
D
ℓ >ℓ′ cℓ′= cℓ′+1 = ···= cℓ−1=0 bℓ= bℓ+1 =
···= bℓ′−1=0 max{ℓ,ℓ′} ℓ
Sα:={i∈{0,1,...,ℓ 1}|bi̸=0} Tα:={i∈{0,1,...,ℓ 1}|ci̸=0}
k
k E k
P2k
F(x,y,z) F(x,y,z)=y2z+(a1x+a3z)yz (x3+a2x2z+a4xz2+a6z3) O=(0,1,0)
E/K Z
(K)=0
p
X Fp FX:X →
X OX→ OX a∪→ap
X
f:X → Y Fp FY◦f=f◦FX
x∈X FX(x)=x
0 1 {0,1}∗
(G,E,D)
1n G
(e,d) G(1n) α∈{0,1}∗
E D
Pr[D(d,E(e,α))=α]=1
E D
n (e,d)
G(1n)
E(e,α) α ∈{0,1}∗
e D(d,β) β
d
(G,S,V)
1n G
(s,v) G(1n) α∈{0,1}∗
S V
Pr[V(v,α,S(s,α))=1]=1
S V
n (s,v)
G(1n)
S(s,α) α
s V(v,α,β)=1 β
α v
α s α
v v
s
2. Bilinear pairing: Weil pairing and Tate pairing are well known in mathemat- ics. In addition to these pairings, other pairings such as Ate pairing have been proposed to accelerate pairing computation and/or to construct new cryptographic primitives. Endomorphisms on (hyper-)elliptic curves are also used to construct bilinear pairings. For more details, see for instance [27].
3. Map to point hash function: Several public key schemes need a map to point hash function. The function maps a bit string of arbitrary length to a point on an elliptic curve dened over a nite eld. Eciently computable endomorphisms on elliptic curves play a central role in the construction of map to point hash functions.
4. Random point generation: In many public key schemes based on elliptic curves, it requires generation of a random point on an elliptic curve. For a given point P on an elliptic curve E(Fq), the standard method to generate a random point is to choose a random number r and to compute scalar multiplication rP. Some methods have been proposed in order to avoid the direct computation of scalar multiplication. For more details, see for instance [51].
8
Chapter 3
Ecient Arithmetic on Subeld Elliptic Curves over Small Finite Fields of Odd Characteristic
3.1 Introduction
Elliptic curve cryptosystems (ECC) were proposed in 1985 independently by Vic- tor Miller [56] and by Neal Koblitz [44]. Since ECC provide many advantages, for example, shorter key length and faster computation speed than those of RSA cryptosystems, ECC have been the focus of much attention. In ECC, each proto- col such as ECDH, EC-ElGamal, and ECDSA involves scalar multiplications for given points on an elliptic curve by positive integers. These multiplications have much eect on the eciency of the schemes, and many ecient methods have been proposed.
As one such method, the use of subeld elliptic curves (i.e. elliptic curves over nite elds which are actually dened over some subeld [12]) is especially attractive because by using the Frobenius maps, which is eciently computed, scalar multiplication on subeld elliptic curves can be performed much faster than that on curves over prime elds. Koblitz [46] suggested anomalous binary curves, and Müller [60] extended Koblitz's idea to achieve the Frobenius expansions over small elds of characteristic two. Smart [70] generalized Müller's result to elliptic
9
d∈Z[ϕ] d=∑ℓ−1
i=0diϕi q
Fq E ϕ q
E di∈{0,±1,...,±(q 1)/2} t ϕ (q,t)̸=(5,±4),(7,±5) ℓ
ϕ
r r
τ
τ τ
τ
τ w
τ
ϕ ϕ ϕr
r
{0,±1} {0,±1,...,±(q 1)/2}
τ
r τ
ϕ ϕr 3,5
ϕ ϕr
ϕr
ϕ ϕr
ϕ
ϕ
ϕ ϕr w
r τ
τ ϕ
ϕ
ϕr
r
r rα
Dr,α
Dr,α:=
{{0,±1,...,±α} α<r, {0,±1,...,±α}\{±r,±2r,...,±⌊α/r⌋r}
r≥2 r
r
d d=∑ℓ−1
i=0eiri ei∈Dr,r−1,eℓ−1̸=0 i ei+1ei=0 ei+1ei>0
|ei+1+ei|<r ei+1ei<0 |ei+1|>|ei| ℓ a,b∈Dr,r−1 a,b ab=0 ab>0
|a+b|<r ab<0 |a|>|b| a,b r a,b r
r r r
d d=∑ℓ−1
i=0eiri ei∈Dr,(r2−1)/2 eℓ−1̸=0
i ei+1ei=0 eℓ=0 r
ℓ a,b∈Dr,(r2−1)/2 ab=0 a,b r a,b r
r=2 r r
r
r
d r
r d
d Dr,r−1 Dr,(r2−1)/2
r (r
1)/(r+1) (r 1)/(2r 1)
Fq p q=pr
p Fq q
Fq Fq
Fqm E(Fqm) m≥2 Fq
E
y2+a1xy+a3y=x3+a2x2+a4x+a6,
ai∈Fq q≥ 5 Fq E
y2=x3+ax+b,
a,b∈Fq ϕ qth E
ϕ:E→ E, (x,y)∪→(xq,yq),
tm :=qm+1 #E(Fqm)t:=t1 E(Fqm) Fqm
E ϕ
ϕ2 tϕ+q=0
dP P
d w
[
DP+(2w−2 1)AP
] +
[ ℓ
w+1AS+ℓDS
] , AP,DP AS,DS
w
d=(dℓ−1,...,d0)w ∈Z>0
di∈Dw
={0,±1,±3,...,±(2w−1 1)}
ℓ≤⌈
log2(d)⌉ +1 P∈E(Fqm)
dPPi=iP
i∈{1,3,5,...,2w−1 1}
Q← Oi ℓ 1 0 Q← 2Q
Q← Q+Pdi
Q
d=(dℓ−1,...,d0)ϕ∈Z>0
di∈Dϕ
={0,±1,±2,...,±α}
ℓ≤⌈
2logq2√
NZ[ϕ]/Z(d)
⌉+4 P∈E(Fqm)
dPPi=iP i∈{1,2,...,α} Q← Oi ℓ 1 0
Q← ϕ(Q) Q← Q+Pdi
Q ϕ
q
d∈Z[ϕ]
ϕ
E Fq ϕ qth E t
ϕ (q,t)̸=(5,±4) (7,±5) d∈Z[ϕ]
d=∑ℓ−1
i=0ciϕi ci∈{0,±1,...,±(q 1)/2} ℓ≤⌈
2logq2√
NZ[ϕ]/Z(d)⌉ +4
ℓϕ (d) ϕ d∈Z[ϕ]
dP {iP|i=1,2,...,(q 1)/2}
dP=
(ℓ−1
∑
i=0
ciϕi )
P=ϕ···ϕ(cℓ−1ϕ(P)+cℓ−2P)+···+c1P) +c0P.
Dϕ={0,±1,±2,...,±α}
α=(q 1)/2 Dϕ=Dq,(q−1)/2
[q 1
q ℓAS+ℓFS
]
(q=3), [
DP+q 5 2 AP
] +
[q 1
q ℓAS+ℓFS
]
(q≥5), FS
5 di< 0
Q← Q P−di(=Q+Pdi) di=0 Q←
Q+Pdi
τ
τ
τ Ea
F2
Ea:y2+xy=x3+ax2+1, a=0or1.
τ Ea
τ:Ea→ Ea, (x,y)∪→(x2,y2).
τ
τ2 µτ+2=0 µ=( 1)1−a. τ τ d∈Z[τ] d=∑ℓ−1
i=0eiτi ei∈D2,1,eℓ−1̸=0 ei
τ ℓ
τ d∈Z[τ] τ
τ d D2,1
τ 1/3
Ea:y2=x3 x ( 1)a/F3 a=0 1
τ
2/5 τ
τ
cases, it is necessary to know the non-zero densities and the maximum lengths of the proposed methods. In the next section, we will propose two classes of φ-NAF on a family of subeld elliptic curves. In the following, we call these two classes of φ-NAF φ-GNAF and φ-rNAF, respectively.
3.3 Proposed Methods (Two classes of φ -NAF)
In this section, we investigate how to expand two classes of φ-NAF on a family of subeld elliptic curves. We call the family of subeld elliptic curves Fq -Koblitz curves.
Denition 3.5 (Fq-Koblitz curves) Let p be a prime, q = pr a power of p, and Fq the nite eld with q-elements. Let E be an elliptic curve dened over Fq
which is given by a Weierstrass equation
≡p= 2: y2+xy=x3+ax2+b (a, b Fq),
≡p= 3: y2 =x3 +ax2+b (a, b Fq),
≡p∼5: y2 =x3+ax+b (a, b Fq).
If the trace of the qth-power Frobenius map t = ∓1, we call E Fq -Koblitz curve.
In the above denitions, note that for q = 2, F2-Koblitz curves are the above binary Koblitz curves Ea. Since the trace of the Frobenius map τ of Ea is μ = ( 1)(1−a) = ∓1, Fq-Koblitz curve is a natural generalization of binary Koblitz curve.
In the following, we consider a scalar multiplication for a given integer d and for a given point P E(Fqm), where q ∼5 and E is a Fq-Koblitz curve. In this case, it satises that
φ2φ+q = 0 (1,1, q)φ= 0 ,
and by easy calculation, we have
∓φ3+ (q 1)φ2+q2 = 0 (∓1, q 1,0, q2)φ= 0 .
17
E
Fq Fqm m≥2
P∈E(Fqm)(ϕm 1)P=O dP=(dmod(ϕm 1))P
d Q,d′∈ Z[ϕ] d=
Q(ϕm 1)+d′ d′=0 Ψ(d′)<λΨ(ϕm 1) Ψ d
ϕ ϕr
ϕ α=a+bϕ∈Z[ϕ](a,b∈Z) ϕ|α ⇐⇒ q|a.
a∈Z ϕ|a⇐⇒ q|a
ϕ F
qt=1
d E(Fqm) ϕ
t=1 ϕ
ϕ d∈Z[ϕ]
q≥7
ϕ E Fq d∈Z[ϕ] ϕ
ϕ d E d=∑ℓ−1
i=0eiϕi ei∈Dq,q−1
ieℓ−1̸=0 ei+1ei=0
ei+1ei>0 |ei+1+ei|<q ei+1ei<0 |ei+1|>|ei|
a,b∈Dq,q−1 (a,b)ϕ ab=0 ab >0 |a+b|<q ab <0 |a|> |b|
(a,b)ϕ ϕ (a,b)ϕ ϕ
ℓϕGNAF(d) ϕ d∈Z[ϕ]
d=∑ℓ−1
i=0eiϕi∈Z[ϕ] ϕ (ei+1,ei)ϕ ϕ
ϕ q=7
d=314 ∈ Z[ϕ] d=
(¯1,3,¯3,2,3,3,¯1)ϕ ϕ d=314 d
(3,¯1)ϕ
ϕ e0=¯1
(3,3)ϕ ϕ
e1=3
(2,3)ϕ ϕ
e2=3
(¯3,2)ϕ ϕ e3=2
(3,¯3)ϕ ϕ
b4=¯3<0 b6=¯1+1=0 b5=3 1=2 e4=¯3+7=4
(0,2)ϕ ϕ
e5=2
ϕ d=(2,4,2,3,3,¯1)ϕ 0
ϕ d
d
ϕ
ϕ Fq t=1 q≥7 d∈Z[ϕ]
ϕ d
d′← dmod(ϕm 1) ℓ←⌈
2logq2√
NZ[ϕ]/Z(d)⌉ +4
(cℓ−1,cℓ−2,...,c1,c0)ϕ d′ b0← c0 b1← c1,bℓ← 0,bℓ+1← 0
i← 0 i≤ℓ bi+1,bi ϕ
bi+2← ci+2,ei← bi
bi>0
bi+2← ci+2 1,bi+1← bi+1+1,ei← bi q bi+2← ci+2+1,bi+1← bi+1 1,ei← bi+q i← i+1
(eℓ+1,eℓ,...,e1,e0)ϕ
ϕ
Dq,q−1
ϕ
ϕ ϕ
b∈Dq,(q+1)/2 b′∈Dq,(q−1)/2 e∈Dq,q−1
(b′,e)ϕ ϕ (b,b′)ϕ ϕ (b,b′,e)ϕ∪→
{(¯1,c,c′,e)ϕ:=(¯1,b+1,b′ q,e)ϕ b′>0, (1,c,c′,e)ϕ:=(1,b 1,b′+q,e)ϕ
(c,c′)ϕ (c′,e)ϕ ϕ
ϕ d∈Z[ϕ] ℓ=ℓϕEXP(d)
d d ϕ
Dq,q−1 ℓ+2
ℓ′=ℓϕ (d) ℓ=ℓϕ (d)
d=(c,b,b′,eℓ−4,...,e1,e0)ϕ ei∈Dq,q−1
c∈Dq,(q−1)/2,b∈Dq,(q+1)/2,b′∈Dq,(q+3)/2 (b′,eℓ−4,...,e1,e0)ϕ ϕ (b,b′)ϕ (c,b)ϕ (b,b′)ϕ ϕ
ℓ′= ℓ (b,b′)ϕ ϕ
(c,b,b′)ϕ∪→(˜c,c′,eℓ−3)ϕ:=
{(c 1,b+1,b′ q)ϕ b′>0, (c+1,b 1,b′+q)ϕ
(˜c,c′)ϕ ϕ ℓ′=ℓ (˜c,c′)ϕ∪→(a,a′,eℓ−2)ϕ:=
{(¯1,˜c+1,c′ q)ϕ c′>0, (1,˜c 1,c′+q)ϕ
a=1 ¯1 a′∈Dq,(q+3)/2 (a,a′)ϕ ϕ ℓ′=ℓ+1
(a,a′)ϕ ϕ ϕ
a=1,a′<0 a=¯1,a′>0 (a,a′)ϕ∪→
{(¯1,0,a′ q)ϕ a′>0, (1,0,a′+q)ϕ a′<0.
ℓ′=ℓ+2 ℓϕ (d) ℓϕ (d) □ q=3 5
bi q bi
q (bi+1,bi)ϕ∪→( bi/q,bi+1+bi/q,0)ϕ
bi q bi= ±q
i |bi+1| ≤(q+1)/2 |bi| ≤(q+3)/2 bi+1
q
Algorithm 4 φ-GNAF on Fq-Koblitz curves of t= 1 (q = 3 or q= 5) Input: d Z[φ]
Output: φ-GNAF of d
1: d →dmod (φm 1)
2: →
2 logq2 NZ[φ]/Z(d)
+ 4
3: Compute the Frobenius expansion (c−1, c−2, . . . , c1, c0)φ of d
4: b0 →c0, b1 →c1, b →0, b+1 →0
5: i→0
6: while i≥ do
7: if bi modq = 0 then
8: bi+1 →bi+1 bi/q, bi+2 →ci+2+bi/q, ei →0
9: else if (bi+1, bi) :φ-admissible pair then
10: bi+2 →ci+2, ei →bi
11: else if bi >0 then
12: bi+2 →ci+2 1, bi+1 →bi+1+ 1, ei →bi q
13: else
14: bi+2 →ci+2+ 1, bi+1 →bi+1 1, ei →bi+q
15: end if
16: i→i+ 1
17: end while
18: return (e+1, e, . . . , e1, e0)φ
Let φ-GNAF be the set of φ-GNAF of length . We put A = #φ-GNAF, S =
d∈φ-GNAF( w(d)), and C = #}d φ-GNAF \w(d) =, where w(d) means the Hamming weight of d. In other words, C is the number of φ-GNAF with length such that all digits are non-zero. Then the non-zero density of φ-GNAF is dened by
1 lim
→∞S/(A).
φ-GNAF has properties same as GNAF except for the minimality of the Ham- ming weight. Althoughφ-GNAF does not have minimal Hamming weight, asymp- totic average non-zero density of φ-GNAF is same as GNAF. This indicates that the average number of point additions required by the φ-GNAF is smaller than
22
ϕ d∈Z[ϕ] ϕ
ϕ ℓ
(q 1)/(q+1)+(3q 1)/((q+1)2ℓ)+O(q−ℓ) q
ϕ (q 1)/(q+1)
ϕ
Dq,q−1
d∈Z[ϕ]
d=∑
eiϕi=∑
e′iϕi.
i0 ei=e′i 0≤ i≤ i0 1 ei0̸=e′i0 d (d ∑i0−1
i=0 eiϕi)/ϕi0=∑ℓ−1
i=i0eiϕi−i0 d=∑ℓ−1
i=0
eiϕi=∑ℓ−1
i=0
e′iϕi, e0̸=e′0, ℓ
q|(e0 e′0) |e0|,|e′0|≤q 1
|e0 e′0|≤|e0|+|e′0|≤2q 2 e0 e′0=±q e0 e′0=q
e0 e′0=q e0,e′0∈Dq,q−1 1≤e0≤q 1 (q 1)≤
e′0≤ 1 q=(e0 e′0)=∑ℓ−1
i=1(e′i ei)ϕi ϕ ϕ ϕ2=∑ℓ−1
i=1(e′i ei)ϕi (e1 e′1+1)=(e′2 e2+1)ϕ+
∑ℓ−1 i=3
(e′i ei)ϕi−1. q|(e1 e′1+1) e′1∈{e1+1 q,e1+1,e1+1+q}
Case 1. Suppose that e1 = e1+ 1 q. We have (q 1) ≥ e1 ≥ 0 and 0 ≥ e1 ≥ (q 1). We assume that (q 1) ≥ e1 ≥ 1. Then from e0e1 > 0, we have e0 e1 ≥q 1. By substituting e0 q for e0 and e1 (q 1) for e1, we obtain e0 +e1 ∼ q. On the other hand, since e0 > 0 and e1 ∼ 0, we have e0+e1 ≥q 1. This is a contradiction. If e1 = 0, thene1 =q 1. From e0 ∼1, we have e0+e1 ∼q. This is a contradiction.
Case 2. Suppose that e1 = e1+ 1. We have (q 2) ≥ e1 ≥ q 1 and (q 1)≥e1 ≥(q 2). We assume that 2≥e1 ≥q 1. Then 1≥e1 ≥(q 2). Since e0e1 <0, we have e0+e1 >0. By substituting e0 q for e0 and e1 + 1 for e1, we obtaine0+e1 = (e0 q) +e1+ 1 >0. Thuse0+e1 ∼q. On the other hand, by e0 >0,e1 >0, we havee0+e1 ≥q 1. This is a contradiction. Next, suppose that e1 = 1. In this case, e1 = 0. Since e0e1 <0, we must havee1 = 1 > e0 >0. However there does not exist e0 which satises the above inequality. This is a contradiction. Suppose thate1 = 0. In this case, e1 = 1. By a similar argument as in the case of e1 = 1, one can obtain that e1 = 1 > e0 >0. However there does not exist e0 which satises the above inequality. This is a contradiction.
Finally, we assume that (q 2)≥ e1 ≥ 1. Then (q 1) ≥e1 ≥ 2. Since e0e1 >0, we have e0 e1 ≥q 1. By substituting e0 q for e0 and e1+ 1 for e1, we obtain e0 e1 = (e0 q) (e1+ 1)≥q 1. Thus e0+e1 ∼0. On the other hand, by e0 >0, e1 <0, we have e0 +e1 <0. This is a contradiction.
Case 3. Suppose that e1 =e1+ 1 +q. We have 2≥e1 ≥q 1and (q 1)≥ e1 ≥ 2. Since e0e1 <0, we have e0+e1 >0. By substituting e0 q for e0 and e1 + 1 +q for e1, we obtain e0 q+e1+ 1 +q > 0. Hence e0+e1 ≥ 0. On the other hand, since e0 >0and e1 <0, we have e0+e1 <0. This is a contradiction.
This concludes the proof.
(2) At rst, we show that C+1 = (q 2)C, C1 = 2(q 1). We x an element d= (e−1, . . . , e0)φ ofZ[φ]which is φ-GNAF such that each ei = 0. For the xed d, we count the number of e which satisfy 1 ≥ \e\≥ q 1, and (e−1, . . . , e0, e)φ is φ-GNAF. We can assume that e0 >0. If e0e >0, e satisfy 1≥e ≥q 1 e0 and otherwise 1≥e < e0. Thus we have that the number of eis q 2, hence the recurrence equation for C. It is trivial that C1 = 2(q 1).
24
Next, we show thatA and S satisfy the recurrence equations A1 = 2(q 1), A2 = 2(q 1)2,A+2 (q 1)A+1 qA = 0 (∼1), and S1 = 0,S2 = 2(q 1),
S+2 (q 1)S+1 qS = 2(q 1)
1 + 2(q 1) (q+ 1)
q(q 1) q 1
( 1) 1
2 .
Table 3.1: Forms of digits φ-GNAF representations forms #of representations # of 0digits (±0± ××× ) C1A−2 C1A−2+C1S−2 (±00± ××× ) C1A−3 2C1A−3 +C1S−3 (±000± ××× ) C1A−4 3C1A−4 +C1S−4
... ... ...
(±0000 ×××0±) C1A2 ( 3)C1A2+C1S2 (±0000 ×××00±) C1A1 ( 2)C1A1+C1S1
(±0000 ×××000) C1 ( 1)C1
(±±0± ××× ) C2A−3 C2A−3+C2S−3 (±±00± ××× ) C2A−4 2C2A−4 +C2S−4 (±±000±××× ) C2A−5 3C2A−5 +C2S−5
... ... ...
(±±000 ×××0±) C2A2 ( 4)C2A2+C2S2 (±±000 ×××00±) C2A1 ( 3)C2A1+C2S1
(±±000 ×××000) C2 ( 2)C2
... ... ...
(±±± ×××±0±) C−2A1 C−2A1+C−2S1 (±±± ×××±00) C−2 2C−2 (±±± ×××±±0) C−1 C−1
(±±± ×××±±±) C 0
In Table 3.1, the symbol `±' means a non-zero digit. We explain how to interpret Table 3.1. The left column stands for forms of digits φ-GNAF, the central column stands for the number of each φ-GNAF corresponding to each form of the left column, and the right column stands for each number of 0 digits corresponding to each form of the left column. From Table 3.1, we can derive
25
A =
−2 j=1
Cj
−1−j
i=1
Ai+ 1
+C−1+C,
S=
−2 j=1
Cj
−1−j
i=1
Si+ ( i j)Ai
+
−1 i=1
( i)Ci.
From these equations, we have the desired recurrence equations, and by ele- mentary calculations, we have A = 2(q 1) q ( 1)
/(q+ 1), and S= 2(q 1)
(q+ 1)2
(2q (q 1)( 1)) 3q 1
q+ 1 (q ( 1))
.
From the equations of A, S, the average number of non-zero digits for digits numbers in Z[φ] is equal to S/A. We put
f() :=
1 S A
q 1
q+ 1 + 3q 1 ((q+ 1)2)
.
Then
f() = q 3 q+ 1 ×
( 1) q ( 1)
. Let us take g() :=q−. Since it satises that
f()
g() = q 3
q+ 1 × ( 1) 1 ( q)−,
we obtain
f() g()
= q 3
q+ 1 × 1
1 ( q)− ⇐ q 3
q+ 1 (⇐ ∈ ).
Hencef() = O(g()). Thus1 lim→∞S/(A) = 1 2/(q+1) = (q 1)/(q+1). Hence we have the desired result.
(3) We give a counter example that is an element α Z[φ] that does not have minimal Hamming weight. Let qis a power of odd primep, andα= φ (q 1) Z[φ]. An Frobenius expansion of α with digit set Dq,q−1 is ( 1,1 q)φ and its Hamming weight is 2. But φ-GNAF of α is (1,0, q 2,1)φ and its Hamming weight is 3. Therefore φ-GNAF does not have minimal Hamming weight among
all Frobenius expansion with digit set Dq,q−1.
26
ϕ d∈Z[ϕ]
d ϕ
ϕ
ϕ Fq t=1
d∈Z[ϕ]
ϕ d
d′:=d0+d1ϕ← dmod(ϕn 1)(d0,d1∈Z) ℓ←⌈
2logq2√
NZ[ϕ]/Z(d)⌉ +4
Q,b∈Z d0=Qq+bb∈Dq,(q−1)/2
d0← Q+d1 d1← Q i← 1
i≤ℓ+1
Q,a∈Z d0=Qq+a a∈Dq,(q−1)/2
d0← Q+d1d1← Q a,b ϕ
ei−1← b,b← a b>0
ei−1← b q,b← a+1,d0← d0 1 ei−1← b+q,b← a 1,d0← d0+q
(eℓ+1,eℓ,...,e1,e0)ϕ
(i+1)P=P+iP 1≤i≤q 2
ϕ ϕ α=q 1
Dϕ=Dq,q−1
[
DP+q 1
q+1ℓAS+ℓFS
]
(q=3), [
DP+(q 3)AP+q 1
q+1ℓAS+ℓFS
]
(q≥5).
ϕr F
qt=1
d E(Fqm)
ϕ r
t=1 ϕr
ϕr d∈Z[ϕ] q≥7
ϕr E Fq d∈Z[ϕ] ϕ
r ϕr d E d=∑ℓ−1
i=0eiϕi ei∈Dq,(q2−1)/2 eℓ−1̸=0 ei+1ei=0 i a,b∈Dq,(q2−1)/2
ab=0 (a,b)ϕϕ (a,b)ϕϕ ℓϕrNAF(d) ϕr d∈Z[ϕ]
d=∑ℓ−1
i=0eiϕi∈Z[ϕ] ϕr (ei+1,ei)ϕ ϕ
ϕr q=7 d=314∈Z[ϕ]
d (¯1,3,¯3,2,3,3,¯1)ϕ ϕr d=314 d
(3,¯1)ϕ
ϕ |3×7 1|=20<24 b3=2,b2=3+3=6,e1= 0,e0=3×7 1=20
(2,6)ϕ ϕ
|2×7+6|=20<24 b5=3,b4= 3+2= 1,e3=0,e2=2×7+6=20
(3,¯1)ϕ ϕ
|3×7 1|=20<24 b7=0,b6= 1+3=2,e5=0,e4=3×7 1=20 (0,2)ϕ ϕ
e6=2
ϕr d=(2,0,20,0,20,0,20)ϕ
0 ϕr
d d
ϕr d ϕ d
ϕr Fq t=1 q≥7
d∈Z[ϕ]
ϕr d
d′← dmod(ϕm 1) ℓ←⌈
2logq2√
NZ[ϕ]/Z(d)⌉ +4
(cℓ−1,cℓ−2,...,c1,c0)ϕ d′ b0← c0 b1← c1,bℓ← 0,bℓ+1← 0,bℓ+2← 0,bℓ+3← 0
i← 0
i≤ℓ+2 bi=0
bi+2← ci+2,ei← 0,i← i+1
|bi+1q+bi|≤(q2 1)/2
bi+3← ci+3,bi+2← ci+2+bi+1,ei+1← 0,ei← bi+1q+bi,i← i+2 bi+1q+bi< (q2 1)/2
bi+3← ci+3+1,bi+2← ci+2+bi+1+(q 1),ei+1← 0,ei← bi+1q+bi+ q2,i← i+2
bi+3← ci+3 1,bi+2← ci+2+bi+1 (q 1),ei+1← 0,ei← bi+1q+bi
q2,i← i+2
(eℓ+3,eℓ+2,...,e1,e0)ϕ
r
(bi+1,bi)ϕ∪→
{(¯b′i,bi+1+b′i,0)ϕ bi=b′iq b′i∈Z\{0}, (¯b′i+1,b′i+1,0,bi)ϕ bi+1=b′i+1q b′i+1∈Z\{0}.
bi bi+1 q (bi+1,bi)ϕ
c,c′,c′′∈Dq,(q−1)/2 b∈Dq,(q+1)/2 b′∈Dq,2q−1
(c,c′,c′′,b,b′)ϕ
(a,a′,e,e′,e′′,e′′′)ϕ
(a,b)ϕ
a̸=0,b̸=0 (a,b)ϕ
(a,b)ϕ∪→
(a,0,aq+b)ϕ |aq+b|≤(q2 1)/2, (1,a+(q 1),0,(aq+b)+q2)ϕ aq+b< (q2 1)/2, (¯1,a (q 1),0,(aq+b) q2)ϕ
a̸=0,b=0 b
a
a=0,b=0 a b
a
(e,e′,e′′,e′′′)ϕ ϕr a∈Dq,(q+1)/2,a′∈
Dq,2q−1 a a′ q
(c,c′,c′′,b,b′)ϕ
i (i+1) ♭ (i+
2) (i+3) ♯ a′ q
|a′|≤2q 2 a′=q a′= q a′=q
a′=q a′= q
a′ q (♯,♭)=((1),(2)),((2),(1)),((2),(2)),((3),(2))
1 2
(♯,♭) =((1),(2)) a′= c+c′+(q 1) c′= c+1 (c,c′,c′′,b,b′)ϕ e′=( c+1)q+c′′+b+q2
e′>(q2 1)/2 |e′|≤(q2 1)/2
(♯,♭)=((2),(1)) a′=c+c′+1 c=c′= (q 1)/2 (c,c′,c′′,b,b′)ϕ e′′′=bq+b′+q2 e′= c′′+b+(q2+3q 2)/2 b= (q 3)/2, (q 1)/2, (q+1)/2
b≤ q |b|≤(q+1)/2
(♯,♭)=((2),(2)) a′=c+c′+q c′= c (c,c′,c′′,b,b′)ϕ e′′′=bq+b′+q2 e′=( c+1)q+
c′′+b+(q 1)+q2 b= (q 3)/2, (q 1)/2, (q+1)/2 cq+c′′< (q2 1)/2
c′′,c
(♯,♭) =((3),(2)) a′= c+c′+q 2 c′= c+2 (c,c′,c′′,b,b′)ϕ e′′′=bq+b′ q2 e′=( c+1)q+c′′+b (q 1)+q2 b=(q 3)/2,(q 1)/2,(q+1)/2 cq+c′′< (q2 1)/2
c′′,c
a′ q □
ϕr d∈Z[ϕ] ℓϕ (d)
d ϕr Dq,(q2−1)/2 ℓϕrNAF(d)
ℓ+4
ℓ′=ℓϕr (d)
d=(b,b′,eℓ−3,eℓ−4,...,e1,e0)ϕ (b′,eℓ−3,...,e0)ϕ ϕr (b,b′)ϕ eℓ−3=0
eℓ−3̸=0 (b,b′)ϕ
ϕ ℓ′=ℓ (b,b′)ϕ
(b,b′)ϕ∪→
(b,0,bq+b′)ϕ |bq+b′|≤(q2 1)/2, (1,b+(q 1),0,bq+b′+q2)ϕ bq+b′< (q2 1)/2, (¯1,b (q 1),0,bq+b′ q2)ϕ bq+b′>(q2 1)/2,
