Optimality of the Width-$w$ Non-adjacent Form: General Characterisation and the Case of Imaginary Quadratic Bases
Efficient scalar multiplication in Abelian groups (which is an important
operation in public key cryptography) can be performed using digital
expansions. Apart from rational integer bases (double-and-add algorithm),
imaginary quadratic integer bases are of interest for elliptic curve
cryptography, because the Frobenius endomorphism fulfils a quadratic equation.
One strategy for improving the efficiency is to increase the digit set (at the
price of additional precomputations). A common choice is the width-$w$
non-adjacent form ($w$-NAF): each block of $w$ consecutive digits contains at
most one non-zero digit. Heuristically, this ensures a low weight, i.e. number
of non-zero digits, which translates into few costly curve operations. This paper
investigates the following question: Is the $w$-NAF-expansion optimal, where
optimality means minimising the weight over all possible expansions with the
same digit set?
The main characterisation of optimality of $w$-NAFs can be formulated in the
following more general setting: We consider an Abelian group together with an
endomorphism (e.g., multiplication by a base element in a ring) and a finite
digit set. We show that each group element has an optimal $w$-NAF-expansion if
and only if this is the case for each sum of two expansions of weight 1. This
leads both to an algorithmic criterion and to generic answers for various
cases.
Imaginary quadratic integers of trace at least 3 (in absolute value) have
optimal $w$-NAFs for . The same holds for the special case of base
and , which corresponds to Koblitz curves in
characteristic three. In the case of , optimality depends on
the parity of . Computational results for small trace are given.
Balanced Non-Adjacent Forms
Integers can be decomposed in multiple ways. The choice of a recoding technique is generally dictated by performance considerations. The usual metric for optimizing the decomposition is the Hamming weight. In this work, we consider a different metric and propose new modified forms (i.e., integer representations using signed digits) that satisfy minimality requirements under the new metric. Specifically, we introduce what we call balanced non-adjacent forms and prove that they feature a minimal Euclidean weight. We also present efficient algorithms to produce these new minimal forms. We analyze their asymptotic and exact distributions. We extend the definition to modular integers and show similar optimality results. The balanced non-adjacent forms find natural applications in fully homomorphic encryption as they optimally reduce the noise variance in LWE-type ciphertexts.