Optimality of the Width$w$ Nonadjacent Form: General Characterisation and the Case of Imaginary Quadratic Bases
Abstract
Efficient scalar multiplication in Abelian groups (which is an important operation in public key cryptography) can be performed using digital expansions. Apart from rational integer bases (doubleandadd algorithm), imaginary quadratic integer bases are of interest for elliptic curve cryptography, because the Frobenius endomorphism fulfils a quadratic equation. One strategy for improving the efficiency is to increase the digit set (at the prize of additional precomputations). A common choice is the width\nbd$w$ nonadjacent form (\wNAF): each block of $w$ consecutive digits contains at most one nonzero digit. Heuristically, this ensures a low weight, i.e.\ number of nonzero digits, which translates in few costly curve operations. This paper investigates the following question: Is the \wNAF{}expansion optimal, where optimality means minimising the weight over all possible expansions with the same digit set? The main characterisation of optimality of \wNAF{}s can be formulated in the following more general setting: We consider an Abelian group together with an endomorphism (e.g., multiplication by a base element in a ring) and a finite digit set. We show that each group element has an optimal \wNAF{}expansion if and only if this is the case for each sum of two expansions of weight 1. This leads both to an algorithmic criterion and to generic answers for various cases. Imaginary quadratic integers of trace at least 3 (in absolute value) have optimal \wNAF{}s for $w\ge 4$. The same holds for the special case of base $(\pm 3\pm\sqrt{3})/2$ and $w\ge 2$, which corresponds to Koblitz curves in characteristic three. In the case of $\tau=\pm1\pm i$, optimality depends on the parity of $w$. Computational results for small trace are given.
 Publication:

arXiv eprints
 Pub Date:
 October 2011
 arXiv:
 arXiv:1110.0966
 Bibcode:
 2011arXiv1110.0966H
 Keywords:

 Mathematics  Number Theory;
 11A63;
 94A60
 EPrint:
 J. Th\'eor. Nombres Bordeaux 25 (2013), no. 2, 353386