ANALYSIS AND OPTIMALITY OF THE WIDTH-w
NON-ADJACENT FORM TO IMAGINARY QUADRATIC BASES
DANIEL KRENN
(Extended abstract, based on joint work with Clemens Heuberger, TU Graz, Austria.)
1. Abstract and Introduction
We consider digital expansions to the base τ , where τ is an imaginary quadratic,
algebraic integer. Let w be an integer with w ≥ 2. Our digit set D consists of 0
and one representative with minimal norm of every residue class modulo τ w which
is not divisible by τ . Such expansions result in redundancy, i.e., each element of
Z[τ ] has more than one representations. One special expansion is the so called
width-w non-adjacent form, w-NAF for short. There every block of w consecutive
digits contains at most one non-zero digit. Such constructs can be efficiently used
in elliptic curve cryptography in conjunction with Koblitz curves.
A quite natural first question is, whether each element of Z[τ ] admits a unique
w-NAF for all w ≥ 2. We could give a positive answer to this question. Further, the
presented work deals with analyzing the number of occurrences of a fixed non-zero
digit. We give an explicit expression for the expectation and the variance of the
occurrence of such a digit in all expansions of a fixed length. Further a central limit
theorem is proved in this setting. Moreover, we found an asymptotic formula for the
number of occurrence of a digit in the w-NAFs of all elements of Z[τ ] in some region
(e.g. a disc). The main term coincides with the full block length analysis mentioned
above, but a periodic fluctuation in the second order term is also exhibited. The
proof follows Delange’s method, but several technical problems have to be taken
into account.
Another interesting question is the following: Is the w-NAF-expansion optimal,
where optimal means minimizing Hamming-weight, i.e., the number of non-zero
digits? The answer to this question is affirmative for most of the cases. More
precisely, suppose τ is a solution of τ 2 − pτ + q = 0, where p and q are integers, then
we could show optimality if |p| ≥ 3 and w ≥ 4 or if |p| ≥ 5 and w = 3. Moreover,
optimality and non-optimality results were shown for some special configurations.
2. Expansions
We start with giving a formal definition of an expansion.
Z
Definition (Expansion). Let D be a digit set, i.e., a finite subset of [τ ] containing
0. A sequence η = (ηj )j∈N0 ∈ DN0 is called an expansion if there are only finitely
many non-zero ηj in it. We call
X
value(η) :=
ηj τ j
j∈
N
0
the value of η.
Let z ∈ [τ ]. An expansion of z is an expansion η with value(η) = z.
Z
Daniel Krenn is supported by the Austrian Science Fund (FWF), project W1230 Doctoral
Program “Discrete Mathematics”.
1
2
DANIEL KRENN
(a) Digit set
√ for
τ = 21 + 12 −7
and w = 2.
(b) Digit set
√ for
τ = 1 + −1
and w = 4.
(c) Digit set
√ for
τ = 23 + 12 −3
and w = 2.
(d) Digit set
√ for
τ = 32 + 12 −3
and w = 3.
Figure 2.1. Minimal norm representatives digit sets modulo τ w for different
τ and w. For each digit η, the corresponding Voronoi cell Vη is drawn. The
large scaled Voronoi cell is τ w V .
One special expansion is the so called width-w non-adjacent form, which is defined in the following:
Definition (Width-w Non-Adjacent Form). Let w be an integer with w ≥ 2 and
D be a digit set. Let η = (ηj )j∈N0 ∈ DN0 . The sequence η is called a width-w
non-adjacent form, or w-NAF for short, if each factor ηj+w−1 . . . ηj , i.e., each block
of length w, contains at most one non-zero digit.
Z
A first question that arises is, whether each element of [τ ] has a w-NAFexpansion. Before answering this question we have to define an appropriate digit
set. This is done in the following definition.
Definition (Minimal Norm Representatives Digit Set). Let τ be an algebraic integer, let D ⊆ [τ ], and w be a positive integer. The set D is called a reduced residue
digit set modulo τ w , if it consists of 0 and exactly one representative of each residue
class of [τ ] modulo τ w that is not divisible by τ .
If each representative has minimal norm among all representatives in that residue
class, then we will call such a digit set minimal norm representatives digit set modulo
τ w.
Z
Z
Some examples of minimal norm representative digit sets are shown in Figure 2.1.
With the digit set defined above, we now we can state the existence theorem, cf.
Heuberger and Krenn [1].
Theorem. Let τ be an imaginary quadratic, algebraic integer, w an integer with
w ≥ 2, and D be the corresponding minimal norm representatives digit set modulo
τ w . Then each lattice point z ∈ [τ ] admits a unique w-NAF-expansion ξ ∈ DN0 ,
i.e., z = value(ξ).
Z
3. Analysis
This section is dedicated to the analysis of the occurrence of a digit. First a “full
block length”-analysis is given, i.e., we analyse the number of occurrences of a digit
in all w-NAFs of a given length. Then, we count digits in all w-NAFs in a certain
region. The results can be found in Heuberger and Krenn [1].
Theorem (Full Block Length Distribution Theorem). Let τ be an algebraic integer,
N (τ ) its norm, and w an integer with w ≥ 2. We denote the number of w-NAFs
of length n ∈ 0 by Cn,w , i.e., Cn,w = #(NAFnw ), and we get
1
n+w
Cn,w =
N (τ )
+ O((ρ N (τ ))n ) ,
(N (τ ) − 1)w + 1
N
ANALYSIS AND OPTIMALITY OF THE WIDTH-w NON-ADJACENT FORM
3
where ρ = (1 + N (τ1)w3 )−1 < 1.
Further let 0 6= η ∈ D be a fixed digit and define the random variable Xn,w,η to
be the number of occurrences of the digit η in a random w-NAF of length n, where
every w-NAF of length n is assumed to be equally likely.
Then the following explicit expressions hold for the expectation and the variance
of Xn,w,η :
E(Xn,w,η ) = ew n +
(N (τ ) − 1)(w − 1)w
N (τ )
w−1
((N (τ ) − 1)w + 1)2
+ O(nρn )
V(Xn,w,η ) = vw n
+
(w−1)w(−(w−1)2 −N (τ )2 w2 +(N (τ )−1) N (τ )w−1 ((N (τ )−1)w+1)2 +2 N (τ )(w2 −w+1))
2w−2
N (τ )
+ O n2 ρ
n
((N (τ ) − 1)w + 1)4
,
where
ew =
1
,
w−1
((N (τ ) − 1)w + 1)
w−1
((N (τ ) − 1)w + 1)2 − (N (τ ) − 1)w2 + 2w − 1
N (τ )
and
vw =
N (τ )
2w−2
N (τ )
((N (τ ) − 1)w + 1)3
.
Furthermore, Xn,w,η satisfies the central limit theorem
1
Xn,w,η − ew n
≤ x = Φ(x) + O √
,
P
√
vw n
n
R
2
uniformly with respect to x ∈ , where Φ(x) = (2π)−1/2 t≤x e−t /2 dt is the standard normal distribution.
R
Theorem. Let τ be an imaginary quadratic, algebraic integer, w an integer with
w ≥ 2, and D be the corresponding minimal norm representatives digit set modulo
τ w . Let 0 6= η ∈ D and N ∈
with N ≥ 0. Further let U be the unit disc in
. We denote the number of occurrences of the digit η in all width-w non-adjacent
forms with value in the region N U by
X
X
Zτ,w,η (N ) =
[jth digit of z in its w-NAF-expansion equals η] .
R
C
Z
N
z∈N U ∩ [τ ] j∈
0
Then we get
Zτ,w,η (N ) = 2πN 2 ew log|τ | N + N 2 ψη log|τ | N + O N α log|τ | N ,
where ew is the constant of the expectation, i.e.,
ew =
1
2(w−1)
|τ |
2
|τ | − 1 w + 1
the function ψη is 1-periodic and continuous, and α = 2 + log|τ | ρ < 2 with ρ =
−1
< 1.
1 + |τ |21w3
The proof of the theorem above follows Delange’s method. There some technical
problems had to be solved. This resulted in several auxiliary results, for example
some properties of the fundamental domain, i.e., w-NAF-expansions of type 0.η.
4
DANIEL KRENN
(0, 9)
(0, 8)
(0, 7)
(0, 6)
(0, 5)
(0, 4)
(1, 9)
(1, 8)
(1, 7)
(1, 6)
(1, 5)
(1, 4)
(2, 10)
(2, 9)
(2, 8)
(2, 7)
(2, 6)
(2, 5)
(3, 11)
(3, 10)
(3, 9)
(3, 8)
(3, 7)
(3, 6)
(2, 4)
(0, 3)
(4, 12)
(4, 11)
(4, 10)
(4, 9)
(4, 8)
(2, 3)
(6, 17)
(5, 14)
(6, 16)
(5, 13)
(6, 15)
(5, 12)
(6, 14)
(5, 11)
(6, 13)
(5, 10)
(6, 12)
(5, 9)
(6, 11)
(4, 6)
(3, 4)
(1, 2)
(6, 18)
(5, 15)
(4, 7)
(3, 5)
(1, 3)
(0, 2)
(4, 13)
(5, 8)
(6, 10)
(4, 5)
(2, 2)
(3, 3)
(5, 7)
Figure 4.1. Optimality of the w-NAF-expansions for different τ and w. The
pairs (p, q) represent τ , which is a solution of τ 2 − pτ + q = 0. For each “point”
the symbols stand for the different w, starting with w = 2 from the left. Green
means the w-NAF-expansion is optimal, red means non-optimal, and black
means not covered by the results given here.
4. Optimality
In this section we give some optimality results on the non-adjacent form. We
start by explaining what we mean if an expansion is “optimal”.
Z
Definition (Optimal Expansion). Let D be a digit set, and let z ∈ [τ ]. We write
weight(η), the (Hamming-)weight of η, for the number of non-zero digits in the
expansion η ∈ DN0 . The expansion η of z is called optimal, if for any expansion
ξ ∈ DN0 of z we have
weight(η) ≤ weight(ξ) ,
i.e., η minimises the weight among all expansions. Otherwise the expansion η is
called non-optimal.
Let w be an integer with w ≥ 2. Further let τ be a solution of τ 2 − pτ + q = 0
with integers p and q fulfilling q −p2 /4 > 0, and let D be the corresponding minimal
norm representatives digit set modulo τ w . In this setting the following optimality
results can be given for the non-adjacent form, cf. Heuberger and Krenn [2]. The
results are also shown in Figure 4.1.
Theorem. Suppose that one of the following conditions hold:
(i) w ≥ 4 and |p| ≥ 3,
(ii) w = 3 and |p| ≥ 5,
(iii) w = 3, |p| = 4, and 5 ≤ q ≤ 9,
(iv) w = 2, p even, and
2 1
2
p2
q−
+ 1 < 1,
√ +
q
q
4
ANALYSIS AND OPTIMALITY OF THE WIDTH-w NON-ADJACENT FORM
(v) w = 2, p odd, and
2 2 −1
1
2
p2
1
p2
< 1.
+
q
−
+
q
−
√
q
q
4
4
4
Then the width-w non-adjacent form expansion for each element of
5
Z[τ ] is optimal.
The same ideas to prove the theorem above can be used to prove some other
results. In the case that our τ comes from a Koblitz curve in characteristic 3, we
obtain the following result.
Theorem. Let p ∈ {−3, 3}, q = 3, τ and D as above, and w be an integer with
w ≥ 2. Then the width-w non-adjacent form expansion for each element of [τ ] is
optimal.
Z
Another special case is given in the theorem below. It shows optimality if and
only if w is odd.
Theorem. Let p ∈ {−2, 2}, q = 2, τ and D as above, and w be an integer with
w ≥ 2. If w is odd, then the width-w non-adjacent form expansion for each element
of [τ ] is optimal. If w is even, then there is an element of [τ ] whose w-NAFexpansion is non-optimal.
Z
Z
The following result is a non-optimality result in the case that p = 0.
Proposition. Let p = 0, q ≥ 2, τ and D as above, and w be an odd integer with
w ≥ 3. Then there is an element of [τ ] whose w-NAF-expansion is non-optimal.
Z
References
[1] C. Heuberger and D. Krenn, Analysis of width-w non-adjacent forms to imaginary quadratic bases, Tech. Report 2010-10, Graz University of Technology, 2010, available at http:
//www.math.tugraz.at/fosp/pdfs/tugraz_0168.pdf, also available at arXiv:1009.0488v2
[math.NT].
, Optimality of the width-w non-adjacent form to imaginary quadratic bases, in prepa[2]
ration, 2011.
Daniel Krenn
Institute of Optimisation and Discrete Mathematics (Math B)
Graz University of Technology
Steyrergasse 30/II, A-8010 Graz, Austria
E-mail address: [email protected] or [email protected]