Loading the Bases · Vassil S. Dimitrov University of Calgary Department of Electrical and Computer Engineering 2500 University Drive NW Calgary AB Canada T2N 1N4 V. S. Dimitrov (U

Loading the Bases

Vassil S. Dimitrov

University of CalgaryDepartment of Electrical and Computer Engineering

2500 University Drive NWCalgary AB

Canada T2N 1N4

V. S. Dimitrov (U of C) Tartu 1 / 50

Agenda

Matrix Polynomial

Comparing Binary & Ternary Formulae

Modular exponentiation

Hybrid Binary Ternary Number System

The Single Constant Multiplication Problem

Double Base Number System

Koblitz Curves

Open Problems Associated with DBNS

Conclusions


Matrix Polynomial

Matrix Polynomial

G(N ,A) = I +A+A2 + · · ·+AN−1

How to compute G(N ,A) without (matrix) inversion?

a) Horner Rule - too slow

b) smart decompositions:

if N = KJ ⇒ G(N ,A) = G(J ,A) ∗ G(K,AJ )


Matrix Polynomial

Binary Decomposition

G(N ,A) =

{

(I +A) ∗ G(K,A2) N = 2KI + (A+A2) ∗ G(K,A2) N = 2K + 1


Matrix Polynomial

Ternary Decomposition

G(N ,A) =

(I +A+A2) ∗ G(K,A3) N = 3KI + (A+A2 +A3) ∗ G(K,A3) N = 3K + 1

I +A ∗ (A+A2 +A3) ∗ G(K,A3) N = 3K + 2



Comparison between the binary & ternary formulae

G(N ,A)

G(N/2,A2)

2MM

G(N/2,A2)

2MM

The number of matrix multiplications≈ 2 log2N

G(N ,A)

G(N/3,A3)

3MM

G(N/3,A3)

3MM

G(N/3,A3)

4MM

The number of matrixmultiplications between3 log3N and 4 log3N or

1.89 log2N and 2.52 log2N



Hybrid Decomposition

Combine the binary and ternary method by getting the best of bothformulae:

G(N ,A) =

(I +A+A2) ∗ G(K,A3) N = 3KI + (A+A2 +A3) ∗ G(K,A3) N = 3K + 1

(I +A) ∗ G(3K + 1,A2) N = 6K + 2

I + (A+A2) ∗ G(3K + 2,A2) N = 6K + 5

The number of matrix multiplications is between3 log3N = 1.89.. log2N (best) and 2 log2N (worst)

The expected number of MM is 1.94.. log2N



Examples

Binary approach:

G (1536,A) =(I + A) · (I + A2) · (I + A4)

· (I + A8) · (I + A16) · (I + A32) · (I + A64)

· (I + A128) · (I + A256) · (I + A512 + A1024)

Number of matrix multiplication is 19.



Examples cntd.

Ternary Approach:

G (1536,A) =(I + A + A2) · (I + A3 · (A3 + A6 + A9))

· (I + A9 · (A9 + A18 + A27)

· (I + A27 · (A27 + A54 + A81)

· (I + A81 + A162) · (I + A243 + A486)

· (I + A729))))




Examples cntd.

Hybrid Approach:

G (1536,A) =(I + A + A2) · (I + A3)

· (I + (A6 + A12 + A18) · (I + (A18 + A36 + A54)

· (I + A27 · (A27 + A54 + A81)

· (I + (A54 + A108 + A162) · (I + A162 + A324)

· (I + A486 + A972))))







Hybrid Binary Ternary Number System (HBTNS)Input : number, n

Output : Arrays digits[], base[]

1. i = 0;2. while (n > 0)

if (n mod 3 == 0)base[i ] = 3; n = n/3; digits[i ] = 0;

elseif (n mod 2 == 0)

base[i ] = 2; n = n/2; digits[i ] = 0;else

base[i ] = 2; n = (n − 1)/2; digits[i ] = 1;3. return digits[] and base[]

The hybrid binary-ternary representation of 703 = (1010111111)2

digits[] = [1, 0, 0, 0, 1, 0, 0, 1]

base[] = [2, 3, 3, 3, 2, 3, 2, 2].



Stair Case Representation for HBTNS

20 21 22 23

30

31

32

33

34 1

1

1

Figure: Staircase walk for a double-base chain representing 703



Analysis of HBTNS

◮ define 6 states based on remainders of mod 6 of the number: 0, · · · , 5.

MS =

13

12 0 0 0 0

0 0 12

13 0 0

13 0 0 0 1

212

0 12 0 1

3 0 013 0 1

2 0 0 0

0 0 0 13

12

12

◮ stationary probabilities for each state:

π∞[i ] = 3/26 if i ∈ {0, 3}π∞[i ] = 2/13 if i ∈ {1, 4}π∞[i ] = 3/13 if i ∈ {1, 4}

◮ P2 = 10/13, P3 = 3/13, PZ = 8/13 and PNZ = 5/13.

◮ Average base ≈ 13√

21033 ≈ 2.196..



Comparison Between Binary, Ternary & Hybrid

Scheme Av. # of Mult.

Binary 1.5logNTernary 1.68logNHybrid 1.42logN



The Single Constant Multiplication Problem (SCM)

◮ Multiply an (unknown) integer x by a constant integerc using as few additions and shifts as possible.

◮ Unknown Complexity.

◮ Minimize the cost.

Previous Works

◮ Recoding Techniques ? naıve double and add method,

SD method.

◮ Bernstein, Lefevre, Boullis & Tisserand, Dempster &

MacLeod.



Examples

Example 1:

7 89 9 9 x

7 0 27 0 2

7 0 2

7 7 9 2 2

78 x 999 = 78 x (1000 − 1)

= 78000 − 78

= 77922

Example 2:

45 x n

needs 3 Shifts and 3 Additions.

9 x (5 x n)

needs 2 Shifts and 2 Additions.



Improving Current Algorithms

Sublinearity of SCMAlgorithms:

- Conjectured by Lefevrein 2003



Double Base Number SystemDefinition 1: Given p and q two prime integers the double base numbersystem (DBNS) is a representation scheme into which every positiveinteger n is represented as the sum or difference of {p, q}-integers (i.e.numbers of the form paqb.)

n =

l∑

i=1

sipaqb, si ∈ {−1, 1}

The size, or length of a DBNS expansion is equal to the number l of termsin the equation above. A DBNS representation for a specific constant isreferred to as a Double Base Number Representation, or DBNR.



Redundancy & SparsenessLet n be a positive integer and q a prime 2. The number of unsigned

DBNRs of n with base 2 and q is given by f (1) = 1, and for n ≥ 1:

f (n) =

{

f (n − 1) + f (n/q) if n ≡ 0f (n − 1) otherwise

Very redundant:

- 10 has exactly 5 differentunsigned DBNRs.

- 100 has exactly 402 differentunsigned DBNRs.

- 1000 has exactly 1,295,579different unsigned DBNRs.

x smallest integer requiring x

unsigned {2,3}-integers

1 12 53 234 4315 18,4316 3,448,7337 1,441,896,1198 ?



x smallest integer requiring x

signed {2,3}-integers

1 12 53 1034 4985 ?

Conjecture:The Diophantine equations ± 2a3b ± 2c3d ± 2e3f = 4985 do not havesolutions in integers.



Greedy Algorithm[DIM96] - Every positive integer c of size n (bits) can be represented as

the sum (or difference) of at most O(

nlog n

)

{p, q}-integers.

Algorithm 1: Greedy Algorithm

Input: A positive integer n.Output: The sequences (si , ai , bi )i≥0 s.t. n =

∑li=1 sip

aqb, with si ∈{−1, 1} , ai , bi ≥ 0 and (ai , bi ) 6= (aj , bj) for i 6= j .

1: s ← 1 {to keep track of the sign}2: while n 6= 0 do3: find the best aproximation of n of the form z = paqb

4: print (s, a, b)5: if n < z then6: s ← −s

7: n = |n − z |



A DBNS Approach

c = 10, 59910 = (10100101100111)2 → 1010010||1100111= 82 ∗ 27 + 103

x0 = (x ≪ 8)

x1 = 3x0 + (x ≪ 5)

x2 = 3x1 + (x ≪ 13) + (x ≪ 3)− x



DBNS Blocking

#ADD/SUB = l + bmax − 1

[DIZ07] - Let n be the bit-length of c. If bmax ∈ O(

nlog n

)

, then the

number of additions/subtractions in the multiplication by c belongs to

O(

nlog n

)

.

split c into log n blocks of size nlog n

◮ bmax ∈ O(

nlog n

)

.

◮ lblock ∈ O(

n(log n)2

)

.



Double Base Number System (DBNS)

◮ Consider the sequence of the numbers of the form 2a · 3b (increasingorder):1, 2, 3, 4, 6, 8, 9, 12, 16, 18, 24, 27, 32, 36, 48, 54, 64, 72, 81, 96, 108, · · ·

◮ Let Sn denotes the nth order of this sequence. Then we have:

limn→∞

Sn

Sn−1= 1 (Polia, 1930)

◮ Consider the following representation of n:

n =∑

i ,j

di ,j2i3j di ,j ∈ {0, 1}

◮ Example:◮ 54 = 20 · 30 + 21 · 30 + 21 · 31 + 20 · 32 + 22 · 32

◮ 54 = 21 · 33

◮ We can use signed DBNS representation as well. Then di ,j ∈ {1, 0, 1}.



Tijdeman’s Theorem

Theorem:Let x and y be two consecutive {2, 3}-integers, x > y . Then there existeffectively computable constants, c1 and c2, such that

x(log x)c1 < x − y < x

(log x)c2 .



DBNS Map

Two DBNS Representations of 54

◮ Note that squarings and cubic operations are involved in thecalculation.

◮ Sparsity and the less number of 1’s are the main properties of DBNSrepresentation.



Notes on DBNS Representation

◮ To use this representation, we need to find the canonic DBNSrepresentation.

◮ The canonic DBNS representation of 54 is 21 · 33.◮ 127 has six canonic DBNS representations. Three of them are

(20 · 30 + 21 · 32 + 22 · 33), (20 · 31 + 22 · 33 + 24 · 30) and(22 · 30 + 20 · 33 + 25 · 32)

◮ Signed DBNS representation will give more redundantrepresentations.

◮ Unsigned DBNS representation of 23 is 21 · 32 + 22 · 30 + 20 · 30.◮ Signed DBNS representation of 23 is 23 · 31 − 20 · 30.

◮ We use the greedy algorithm to find near-canonic DBNSrepresentation.



Notes on DBNS Representation

◮ Number of elements in DBNS representation of a given number, n is:

O(

log n

log log n

)

◮ The total number of DBNS numbers less than 2w is given by(w = 1, 2, 3, · · · ):

≈ 0.317 × w2



Notes on DBNS Representation, cntd.

◮ Some facts based on DBNS:◮ 10 has exactly 5 different DBNS representations◮ 100 has exactly 402 different DBNS representations◮ 1,000 has exactly 1,295,579 different DBNS representations◮ 10,000 has exactly 234,538,027,767 different DBNS representations◮ 20,000 has exactly 20,381,413,429,530 different DBNS representations◮ 30,000 has exactly 332,991,893,992,788 different DBNS representations◮ 40,000 has exactly 2,611,771,518,060,603 different DBNS

representations

◮ Canonic DBNS representation - CDBNR (Minimal DBNSrepresentation)

◮ 23 is the smallest integer requiring 3 ones in its CDBNR◮ 431 is the smallest integer requiring 4 ones in its CDBNR◮ 18,431 is the smallest integer requiring 5 ones in its CDBNR◮ 3,448,733 is the smallest integer requiring 6 ones in its CDBNR◮ 1,441,896,119 is the smallest integer requiring 7 ones in its CDBNR



Ones Distribution of DBNS Representation

◮ Graph shows the ones distribution of DBNS canonical representationfor integers from 1 to 1000.

◮ Note that any number can be represented using less than five DBNSelements.



Ones Distribution of DBNS Representation, cntd.


◮ Note that any number can be still represented using less than five

DBNS elements.V. S. Dimitrov (U of C) Tartu 32 / 50


Ones Distribution of DBNS Representation, cntd.


◮ Note that any number can be represented using less than six DBNSelements.



Number of DBNS Representations

◮ Graph shows the number of DBNS representations up to 1000.

◮ Note the sub exponential growth () in the number of DBNSrepresentations is .



Number of Ones in DBNS Representations

◮ Graph shows the expected number of ones in DBNS with the largestternary exponent allowed.

◮ Number of ones drastically goes down even if we use very smallternary exponent.



Example :Show that the multiplication by any 300-bit constant can be achieved byusing at most 77 additions.

Let us consider the binary representation of a 300-bit number and let usbreak this representation into ten 30-bit blocks. Every 30-bit integer canbe represented by using at most six {2, 3}-integers (because 230 <1,441,896,119 < 231). Since 318 < 230 < 319, the execution of GreedyAlgorithm will return a DBNS expansion of any 300-bit number of lengthat most 10 (the number of 30-bit blocks) × 6 (the maximal number of{2, 3}-integers per block)= 60. The highest power of three that mightoccur in this expansion is 18; therefore, in the worst case one will need60 + 18− 1 = 77 additions.


Koblitz Curves

Koblitz Curves

Koblitz curves (defined over F2):

Ea : y2 + xy = x3 + ax2 + 1, a ∈ {0, 1}

|Ea(F2m)| easily computed for any integer m > 0

Frobenius endomorphism τ(x , y) = (x2, y2) for (x , y) ∈ Ea(F2m) :

◮ almost free to compute

◮ satisfies minimal polynomial x2 − µx + 2 = 0 where µ = (−1)1−a

◮ can view τ as a root, i.e., τ = (µ +√−7)/2

◮ leads to efficient τ -adic point multiplication algorithms (eg. τNAF)


Koblitz Curves

Double Base Expansions

Dimitrov, Jullien, Miller (1998): compute kP using k =∑±2a3b

◮ requires only O(log k/(log log k)) (2, 3)-integers

◮ find closest ±2a3b to k, subtract and repeat

Our contribution: efficient point multiplication on Koblitz curves

◮ first provably sublinear point multiplication algorithm (3 complexbases)

◮ efficient method using bases τ and τ − 1 (no proof, conjecturalsublinearity)

◮ no precomputations based on k or P

◮ efficient FPGA implementation


Koblitz Curves

Kleinian Integer Expansions

Kleinian integers: x + yτ ∈ Z[τ ]

◮ (τ, τ − 1)-Kleinian integers: ±τ a(τ − 1)b

◮ (τ, τ − 1, τ2 − τ − 1)-Kleinian integers: ±τ a(τ − 1)b(τ2 − τ − 1)c

Theorem: k ∈ Z[τ ] can be represented by a sum ofO(log N(k)/(log log N(k))) (τ, τ − 1, τ2 − τ − 1)-Kleinian integers

Conjecture: same for (τ, τ − 1)-Kleinian integers

◮ Proof for bases 2 and 3 doesn’t generalize (only for real bases)

◮ Greedy algorithm doesn’t generalize well:◮ hard to find closest (τ, τ − 1)-Kleinian integer to k


Koblitz Curves

Conversion Algorithm

Compute k =

d∑

i=1

±τ ai (τ − 1)bi for k ∈ Z[τ ]

Precomputation: minimal representation for every q =w−1∑

i=0

diτi , di ∈ {0, 1}

1. Compute unsigned τ -adic expansion of k.

2. Divide τ -adic expansion into blocks of length w .

3. Substitute each block with minimal (τ, τ − 1)-expansion timesappropriate power of τ

Assuming the conjecture, d and max(bi ) are both sublinear in log N(k)


Koblitz Curves

Example

k = 6465, E1(F2163), τ = (1 +√−7)/2

◮ partial reduction modulo (τ163 − 1)/(τ − 1) : k ≡ ξ = −104 + 50τ

Using block size 7 we have:

ξ = τ13 + τ12 + τ11 + τ9 + τ5 + τ2


Koblitz Curves

Example

k = 6465, E1(F2163), τ = (1 +√−7)/2



ξ = τ13 + τ12 + τ11 + τ9 + τ5 + τ2

= τ7(

τ6 + τ5 + τ4 + τ2)

+(

τ5 + τ2)


Koblitz Curves

Example

k = 6465, E1(F2163), τ = (1 +√−7)/2



ξ = τ13 + τ12 + τ11 + τ9 + τ5 + τ2

= τ7(

τ6 + τ5 + τ4 + τ2)

+(

τ5 + τ2)

= τ7(

τ(τ − 1) + τ(τ − 1)6)


Koblitz Curves

Example

k = 6465, E1(F2163), τ = (1 +√−7)/2



ξ = τ13 + τ12 + τ11 + τ9 + τ5 + τ2

= τ7(

τ6 + τ5 + τ4 + τ2)

+(

τ5 + τ2)

= τ7(

τ(τ − 1) + τ(τ − 1)6)

+(

τ2(τ − 1)2)


Koblitz Curves

Example

k = 6465, E1(F2163), τ = (1 +√−7)/2



ξ = τ13 + τ12 + τ11 + τ9 + τ5 + τ2

= τ7(

τ6 + τ5 + τ4 + τ2)

+(

τ5 + τ2)

= τ7(

τ(τ − 1) + τ(τ − 1)6)

+(

τ2(τ − 1)2)

= τ8(τ − 1) + τ8(τ − 1)6 + τ2(τ − 1)2


Koblitz Curves

Point Multiplication Algorithm

Given k =

d∑

i=1

siτai (τ − 1)bi can write

k =

max(bi )∑

j=0

(τ − 1)j

max(ai,j )∑

i=1

si ,jτai,j

Compute kP using max(bi) τ -adic expansions

Cost:

◮ multiply by (τ − 1) : one τ, one point subtraction

◮ overall: max(bi ) + d − 1 point adds/subs

◮ number of point additions required is sublinear in N(k)


Koblitz Curves

Numerical Evidence

Avg number of point adds to compute kP on Ea(F2m)

Blockingm τNAF Greedy w = 5 w = 10 w = 16

163 54.25 36.37 47.86 40.00 37.22233 77.59 49.31 66.23 54.96 50.76283 94.25 58.64 79.37 65.66 60.49409 137.12 81.84 113.64 93.63 85.68571 190.25 111.90 154.98 127.21 117.04

Fewer point adds than τNAF in all cases

◮ w = 5 requires < 1 KB ROM (no points need to be stored)


Koblitz Curves

Computation of Algorithms

Specifications

NIST curve K-163F2163 , normal basis


Koblitz Curves


Specifications


Point multiplication algorithm

Input: k, P

Output: Q = kP

P0 ← P ; Q ← Ofor i = 0 to max(bi ) do

S ← ri (k)Pi

Pi+1 ← τPi − Pi

Q ← Q + S

end for

Computed one row, i.e.(∑

j ki ,jτj)(τ − 1)iP , at a time

◮ Each row is computed as aτNAF point multiplication


Koblitz Curves


Specifications



Input: k, P

Output: Q = kP


S ← ri (k)Pi


Q ← Q + S

end for




Point addition in mixed coordinates(LD/A) and Frobenius map in LD

◮ S ← S ± Pi ; S ← τS


Koblitz Curves


Specifications



Input: k, P

Output: Q = kP


S ← ri (k)Pi


Q ← Q + S

end for





◮ S ← S ± Pi ; S ← τS

Frobenius map and pointsubtraction in A

◮ Pi+1 ← τPi − Pi


Koblitz Curves


Specifications



Input: k, P

Output: Q = kP


S ← ri (k)Pi


Q ← Q + S

end for





◮ S ← S ± Pi ; S ← τS



Point addition in LD◮ Q ← Q + S


Koblitz Curves


Specifications



Input: k, P

Output: Q = kP


S ← ri (k)Pi


Q ← Q + S

end for





◮ S ← S ± Pi ; S ← τS



Point addition in LD◮ Q ← Q + S

LD 7→ A mapping




Conjecture 1:

The Diophantine equations ± 2a3b ± 2c3d ± 2e3f = 4985 do not havesolutions in integers.



Negative Exponents

Every non-negative real number can be approximated in the form 2a3b

with any precision ε > 0, a, b ∈ Z

E.g.: 5 ≈ 2−69 × 345 ≈ 5.0048



Conjecture 2:

For every sufficiently large n there exist a pair of integers (a, b) such that:

1. |b| < n and

2.∣

∣2a3b − n∣

∣ < 12



Conjecture 3:

There exist two pair of integers (a, b), (c , d) such that:

1. |b| , |d | < √n and

2.∣

∣

(

2a3b ± 2c3d)

− n∣

∣ < 12


Conclusions

Conclusions


Conclusions

Conclusions

◮ Mixing recursive formulae smartly may lead to substantialimprovements.


Conclusions

Conclusions


◮ The number systems associated with these algorithms use differentbases and leads to interesting computational number theory problems.


Conclusions

Conclusions



◮ DBNS allows us to obtain provable and highly non-trivial bounds fordifferent computational problems, multiplication, matrix polynomialcomputations, single and multiple point multiplications in ellipticcurves.


Conclusions

Conclusions



◮ DBNS allows us to obtain provable and highly non-trivial bounds fordifferent computational problems, multiplication, matrix polynomialcomputations, single and multiple point multiplications in ellipticcurves.

◮ Extremely well suited for hardware implementations.


Conclusions

Thank You!

c©Vassil S. Dimitrov 2010

e-mail: [email protected]


Documents

Loading the Bases · Vassil S. Dimitrov University of Calgary Department of Electrical and Computer Engineering 2500 University Drive NW Calgary AB Canada T2N 1N4 V. S. Dimitrov (U