Signed bits and fast exponentiation

(1)

J

OURNAL DE

T

HÉORIE DES

N

OMBRES DE

B

ORDEAUX

W

IEB

B

OSMA

Signed bits and fast exponentiation

Journal de Théorie des Nombres de Bordeaux, tome

13, n

o

_{1 (2001),}

p. 27-41

<http://www.numdam.org/item?id=JTNB_2001__13_1_27_0>

L’accès aux archives de la revue « Journal de Théorie des Nombres de Bordeaux » (http://jtnb.cedram.org/) implique l’accord avec les condi-tions générales d’utilisation (http://www.numdam.org/conditions). Toute uti-lisation commerciale ou impression systématique est constitutive d’une infraction pénale. Toute copie ou impression de ce fichier doit conte-nir la présente mention de copyright.

Article numérisé dans le cadre du programme Numérisation de documents anciens mathématiques

(2)

Signed

bits

and

fast

_{exponentiation}

par WIEB BOSMA

RÉSUMÉ. Nous donnons une

analyse précise

du

_gain

obtenu en

utilisant la

_{représentation}

des entiers sous la forme

non-adjacente,

plutôt

que la

représentation binaire, lorsqu’il s’agit

de calculer les

puissances d’éléments dans un _groupedans

_{lequel l’inversion}

est facile. En comptant le nombre de

_{multiplications}

pour un ex-posant aléatoire _ayantun nombre donné de bits dans son écriture

binaire, nous obtenons une version

précise

du résultat

asympto-tique connu, selon

lequel

en _moyenne,un

_parmi

trois bits

_signés

de la forme

_{non-adjacente}

n’est pas nul. Cela montre que l’utilisation

des bits

_signés

réduit le coût de

_{l’exponentiation}

d’un

_neuvième,

par rapport à la méthode ordinaire consistant à des élevations au

carré et à des

_{multiplications répétées.}

ABSTRACT. An exact

_analysis

is

_given

of the benefits of

_using

the

_non-adjacent

form _{representation}for _integers

_(rather

than the

binary

representation),

when

computing

powers of elements in a

group in which

inverting

is easy.

By

counting the number of

multiplications

for a random _{exponent requiring}a

given

number

of Its in its

_binary

representation, we arrive at a _preciseversion of the known _asymptoticresult that on _averageone in three

_signed

bits in the

_non-adjacent

form is non-zero. This shows that the use

of

_signed

bits

_(instead

of bits for

_{ordinary repeated}

_squaringand

multiplication)

reduces the cost of _{exponentiation}

_by

one ninth.

1. Introduction

To raise elements of a monoid into the _powere >

_1,

the method of

repeated

squaring

and

_{multiplication}

is often

_employed.

To calculate

_xe,

where e =

£2=o

bi2i,

with b2 E

10, 11

and bn =1,

the _powers

are

computed by

repeated squaring,

and xe is found

by taking

the

product

of

_{the yi}

for

_{which bi}

= 1. It is clear that

computing xe

this

way takes

l(e) -1

squarings

and

_{w(e) -}

1

_{multiplications,}

where the

_(binary)

_length

Manuscrit reçu le 22 octobre 1999.

(3)

28

l (e) - n

+ 1 and the

_{Hamming weight}

_w(e)

are the total number of bits and the number of non-zero bits

_b2

used to _expressthe

_exponent

e.

If the monoid is a _{group in}which inverses can be

_computed

efhciently,

it may be

_advantageous

to use a different

representation

of the

_exponent.

Writing

e =

si 2i,

where si E

I - 1, 0, I},

_wehave obtained _a

signed

bit

representation

[2]

for e. To determine

xe,

_again

_compute

via

_{repeated squaring,}

and accumulate the

_product

_(for

the non-zero which involves an inversion if _s2= -l.

The

_advantage

of

_signed

bit

_{representations}

is that the

_signed

bit

_weight

ws(e)

may be smaller than

w(e).

Taking

e = 15 for

example,

the

binary

rep-resentation consists of four bits

_equal

to 1. But 15 =

24 -1,

so a

_signed

bit

representation

of

_weight

2 and

_length

5 exists. At the cost of one inversion and an extra

_squaring

we have done _awaywith two

_{multiplications.}

There exist better ways to

_compute

_{xe, using}

_arbitrary

addition chains or addition-subtraction chains. We

_briefly

discuss them in Section 3.

A

_complication

in

_{considering signed}

bits _mayseem that

signed

bit

rep-resentations of

_integers

are

_by

no means

_unique.

_Indeed,

_using

that the

integer

1 has a

_{representation}

1 =

2k

₊

~~=o 20131-2~,

for

any

_>

1,

it is seen that _every

integer

admits

infinitely

_many

signed

bit

representations.

In Section 2 we describe the

_non-adjacent

form,

which selects a

_unique

signed

bit

_{representation}

for _any

_{non-negative integer}

e. We indicate how

it,

and a modified version of

_it,

can be determined

efhciently,

and we show

that these

_{special representations}

have certain

_{optimal properties.}

In Sections 4 and 5 we will

_{analyze exactly}

the

_weight

of

_non-adjacent

forms for

_integers

e. It is shown

(in

a

_precise

sense)

that on _averagethis

weight

is a third of the

_length

of _e,as

_opposed

to a half for the

_binary

form. In

_general

the

_gain

that can be achieved from this in

_{exponentiation}

will

_depend

on the relative costs of

_inverting,

_multiplying,

and

_squaring

in the _group. The standard

_application

for

_signed

bit

_{exponentiation}

is

to the arithmetic of

_elliptic

_curves,

_{[7], [9].}

The _groupof

_points

on an

elliptic

curve over a field in Weierstrass form has the desired

_property

that

inverting

is

_(almost)

for free. When

_inverting

is free the results of Section

5 show that a reduction

_by

a ninth in

_cost,

on _{average, is}obtained

by using

the

_non-adjacent

form rather than the

_binary

form. This makes

_precise

a result that so far

_only

seems to be known

heuristically

or

asymptotically

~1~,

[7], [9]. (Note

that in the

_elliptic

curve case

squarings

are

usually slightly

more

_expensive

than

_ordinary

_{multiplications,}

which means that the cost reduction from

_using

_signed

bits is in fact

_less.)

(4)

2.

_Signed

Bits

To fix the

notation,

let a

signed-bit

_{representation}

of length

l (e)

for a

posi-t.. b h h

I(e)-l

_si2’,

tive

_integer

e be a _sequence

_81(e)-l,

_{st e -2 - - - ,}

_sosuch that e =

with si E

I - 1, 0, 11

and = 1. Sometimes _wewill write _m=

L(e) -1;

the sequence of

signed

bits si

is

usually

written without comma’s with

most-significant digit

_81(e)-i

first. In a _sequenceof

_signed

bits the

symbol

1

will denote -1. Thus

10001

is a

signed

bit

_{representation}

for 15.

As we have seen

_already,

e will in

_general

have

_signed-bit

_{representations}

of various

_lengths;

_indeed,

since we _may

replace

the

leading

2m

by

2m+1

-2r’’L,

a _processwhich can be

repeated,

we find

infinitely

_many

_{representations}

for _any_e,of

_arbitrary

_{(large enough)}

_length.

With our

application

of

minimizing

costs of

_{exponentiation}

in

_mind,

we are

particularly

interested

in short

_{representations}

of low

_weight.

We will call a

signed

bit

_{representation}

for e

optirrzal

if it has least

possible

weight

and among all

representations

of minimal

weight

it has minimal

length clearly

the

_length

of the

_binary

_expansion

is a lower bound for the

_length

of a

_signed-bit

_{representation.}

But note that

_optimality

does not determine a

_{unique representation}

in

general,

as the

example

11 =

23+2+1

= 2~ + 2~ -

1 shows.

Let us first _worryabout

uniqueness.

The

non-adjacent

form

representa-tion is the

_signed

bit

_{representation}

for e characterized

by

the

_property:

Proposition

1. Positive

_integers

have

_unique

_{non-adjacent form}

represen-tations.

Proof. Suppose

that there exist

_{positive integers}

e with two different

non-adjacent

forms.

_Among

all such e select _eo

_having

a

_non-adjacent

form of minimal

_length.

The

_minimality

condition

_requires

that the least

_significant

bit in the minimal

_{representation}

of eo differs from that in any other. The

only

admissible

_pairs

for the two

_{least-significant}

bits in

_non-adjacent

forms are

00, 01, 01, 10,

TO;

only

10

and 10 determine the same value modulo

_4,

but their

_{least-significant}

bits are

equal.

This ends the

_proof.

D

It _{is easy}to obtain the

_non-adjacent

form from the

_{ordinary binary}

ex-pansion : apply

the

_following

rule

_{repeatedly, working}

from

_right

to left

(least-significant

first):

replace

any sequence 01 ... 1

by

10 ... 01

where the number of consecutive 0’s in the latter is one less than the number of consecutive 1’s in the former.

(5)

30

Since

_{Ek =}

_{2k+1 - 1,}

it is clear that the result will

_always

be a

non-adjacent

form

_{representation}

for the

_{given integer}

determined

_by

the

_binary

expansion.

It will also be clear that the

_length

of the

_non-adjacent

form is

either

_equal

to or one

_larger

than that of the

binary

expansion.

Example. Starting

with the

_binary

_expansion

for 3190 =

211

₊

210

₊

2 6+

25

+

24

+

22

+

_2,

the rule

_produces:

for 3190 =

2 12 -210+2 7-2 3 -2.

In fact the above

_procedure

can be

generalized

to transform _any

given

signed

bit

_{representation}

into the

_{non-adjacent form;}

first

_apply

the

follow-ing

rule

_{repeatedly working}

from left to

_right:

and then

_apply

the

_{following repeatedly}

_(working

from

_right

to

_left):

followed

_by

a

_step

of the form

(I)

if _necessary.

Proposition

2. For _any

_integer

the

_{non-adjacent form}

has minimal

_weight.

Proof.

Apply

the above two rule-transformation to _any

_signed

bit repre-sentation of minimal

_weight;

the result is the

_non-adjacent

form. The

transformation does not increase the

_weight.

D

Corollary

3. For _every

_integer

there is a

_unique

signed

bit

representation

satisfying:

moreover this

_expansion

is

optimal.

Proof.

Let _titobe the

_non-adjacent

form for e. If the three most

significant

bits are

101,

then let n = _{m -}1 and define

In all other cases let n = m

and si

_{= ti}for 0

i

n. This _{way s is}

equal

to the

_non-adjacent

form

except

when the

_{leading digits}

for the

_non-adjacent

(6)

form are

_1010,

in which case we

replace

them

by

the shorter

_expansion

with

leading digits

110.

_{Clearly s}

satisfies the

_{non-adjacency}

conditions of the

statement; we will show that it is

optimal

too.

In the

_exceptional

case the

_weights

of s and t are

equal,

but the

length

of s

_equals

that of the

binary

_expansion.

Hence s is

optimal

in that case. We will _provethat in all other cases the

_non-adjacent

form t itself is

optimal.

Suppose

that e is an

_integer

with

non-adjacent

form

_tlto

of minimal

_length

that is not

_optimal.

Since the

_{non-adjacent weight}

is

_always

minimal,

this can

only

occur if the

length

of the

non-adjacent

form of e exceeds that of its

_binary

_expansion

_by

1. This

_only

_happens

if in the final transformation

_step

a _sequence 2

adjacent

l ’s is

replaced by

io ... 01-,

where the number of 0’s 1. If k = 2 _{we are}in the

exceptional

case,

so we will assume that 1~ > 2. The

_binary

_expansion

uo has

=

um-2 = =

_1,

while = 0 _or1.

Since the

_{non-adjacent weight}

is

_minimal,

there must exist a

_signed

bit

representation

VO of

length

m, and it

necessarily

has = =

Vm-3 =

1,

and Vm-4 = Um-4 E

f 0, 11

since u and v _represent the same number e. If =

1,

an extra reduction

step

reduces

_length

plus

weight,

which contradicts

_optimality

of v. So =

0;

but then u contradicts

minimality

of m since

_represents

the same number as with lower

weight.

That ends the

_proof.

D

We will refer to the

_optimal

_{representation}

of

_Corollary

3 as the

modified

non-adjacent form.

It is the same as the

_non-adjacent

_form,

_except

that

non-adjacency

is allowed in the most

_significant

two

_bits,

that is 110 is

not transformed to

_1010,

because such transformation increases the

_length

without

_decreasing

the

_weight.

Note that this does not mean that the modified version is different for

precisely

those

_integers

for which the

_leading

bits in the

_binary

_expansion

are 110 because of the

_propagation

of carries in the transformations:

non-adjacent

and modified

_non-adjacent

forms for 27 = 11011 =

100101

_arethe

same, but for 25 = 11001

they

_are

different,

namely

101001 and 11001. It is not so difficult to obtain the

(modified)

non-adjacent

form

directly

from e, without

computing

the

binary

(or

another

signed-bit)

expansion

first. The method resembles the method for

finding

the

_binary

_expansion

producing

the least

_significant

bit first:

_starting

with k = _e

repeat:

if k even:

produce

0 and divide

by

2;

if k odd:

_produce

_1,

subtract 1 from k and divide 1~

_by

_2;

until k is 0.

For the

_non-adjacent

form one

proceeds

as follows.

Starting

with = _e_>0

(7)

(8)

1~ mod

_{4=s~{2013l,l}~}

_{produce signed}

bits s and

_0,

and

_{replace k by}

(k -

s)/4;

I~ mod 4 - s E

_{~0, 2~:}

_produce

0 and

_replace

_by

_1~/2.

until is less than or

equal

to

3,

after which

if k = 0:

produce nothing;

produce

1;

if k = 2:

_produce

0 and

_1;

if k = 3:

_produce

1

and 0 and

_1;

and terminate.

For the modified version the

_{only change}

_{necessary is}to

_produce

11 in the case that I~ = 3.

Note the similarities with the continued fraction

_algorithm,

where divi-sion

_by

2 is

_{replaced by inverting,}

and truncation

_replaces

_extracting

bits. The

_algorithm

to obtain the

_non-adjacent

form is similar to the nearest

integer

continued fraction

_algorithm.

The table shows

_binary

_expansion,

_non-adjacent

_form,

and modified

non-adjacent

form for the first few

_{positive integers.}

3. Addition-subtraction chains

The method of

_{repeated squaring}

and

_{multiplication}

does not

_necessarily

give

the fastest _{way to}evaluate _{powers. It is}well-known

_[6]

that there are

ways to find xe

using

fewer

multiplications.

An addition chain for a

_{positive integer}

e is a _{sequence 1}=

eo, el, ... ,

ek = _ewith the

property

that for 1 i 1~ it holds that ei =

eu + ev with 0 u, v i. Each term is thus the sum of two

_(possibly

the

_same)

_previous

terms. One

_usually

_arrangesthe ei in

ascending

order. The

length

of the

addition chain is the

_integer

1~. It will be clear that an addition chain for e can be used to

_compute

xe : for _anyi the _powerxei can be

computed

from

xe~ , ... ,

by

a

_single

multiplication.

The

_binary

_expansion

e =

En 0

b222 of

any e of length

n + 1 defines an addition chain of

length

n +

_{w(e) -}

1 for _e,

_{corresponding}

to

_repeated

squaring

and

_{multiplication}

as described in Section

_1,

as follows. Write down the _powers_pi=

2’, i

=

0, ... ,

_nof 2 less than _or

equal

_to_e. Next take ro = 0 and let rj be

rj-I +Pij’

where

i1, ... , ik

are those i from 0 to n for

_{which bi}

_#

0. The addition chain for e then consists of the the _pi

(with

1 i C

_n)

_{and r j}

_{(with j > 1)}

in

_ascending

order.

There is an alternative addition chain associated with the

binary

expan-sion,

obtained

_{by reading}

the bits from left to

_right

_(most

_significant

_{first) .}

Starting

with eo = 1 _one

repeats

for i =

1, ... ,

_n: if

_bn-i

= 1:

append

2ej

and

_2ei

+ 1 to the

_existing

_sequence_{eo, ...}_{e~ ;} otherwise:

_append

_2ej

to the

_existing

_sequence_eo,...

(9)

34

There are two

_problems

with

_general

addition chains. In the first

_place

is it hard to find a shortest chain for

_given

e

[6].

Secondly, general

addition chains make _{it necessary}to remember entries

_{xe°, ... ,}

xez-1

_along

the _way to

_compute

_{xi .}

Note that this is not true for the

_{left-to-right binary}

addition

chain,

as _eiis either

_{2e2_1}

or

ei-1 + 1,

that

is,

_every

_step

is either a

_squaring

or a

multiplication by x

([4],

[8]

for the

_special

case of

integer

exponentiation) .

Taking

the

_possibility

of

_subtracting

into account as

well,

we arrive at addition-subtraction chains

_[11].

In

_general

we cannot insist on

_ascending

entries _anymore.

_Again,

it will be clear that _any

_signed-bit

_{representation}

of e will

_give

rise to two addition-subtraction

_{chains, by reading}

the

_signed

bits either _way. It is also obvious

_that,

since the

_weight

of a

signed

bit

representation

can be smaller than that of the

_binary

_expansion,

that the

corresponding

chain _maybe shorter.

Examples.

Let e =

_43;

reading

its bits 101011

right-to-left

_toobtain the

sequence of

p2’s l, 2, 4, 8,16, 32

and of

rj’s

3,11, 43,

we obtain an addition chain

_by

_merging

and

_ordering:

_{1, 2, 3, 4, 8,11,16, 32, 43}

of

_length

8.

Reading

the

_binary

_expansion

101011

_{left-to-right produces}

eo =

1,

then

ei =

2,

and _e2=

4,

e3 =

5,

then e4 =

10,

and _e5=

20,

e6 =

_21,

and

finally

e7 =

42,

e8 = 43.

Indeed,

length

8 for 5

doublings

and 3

multiplications.

Reading

the modified

_non-adjacent

form 43 =

110101

left-to-right

gives

the addition-subtraction chain

_{1, 2, 3, 6,12,11, 22, 44, 43,}

_reading

it

right-to-left the chain

_{-1, 2,}

_{4, -5, 8, 16, 11, 32,}

43. Both have

_length

8. The

non-adjacent

form

_gives

chains of

_length

9.

There exists an addition chain of

length

7 for 43:

_{1, 2, 4, 8, 9,17, 34, 43.}

The addition-subtraction chain

_{1, 2, 4, 8,16,15}

associated with 15 =

24 -20,

is shorter than the chain

_{1, 2, 3, 6, 7, 14, 15 arising}

from the

_binary

ex-pansion ~ 15

=

23 +2 2

₊

21

₊

20.

In this _casethere is _anaddition chain of

length

5 as

_well,

however:

_{1, 2, 3, 5, 10, 15}

for

_example.

In

_general,

for e =

2~ 2013

1 the

binary

expansion gives

rise to _anaddition chain of

_length

2k - 2 while the

_non-adjacent

form leads to an addition-subtraction chain of

_{length k}

+ 1.

Outside numbers of this

_form,

e = 23 is the first

example

where the modified

_non-adjacent

form for e leads to an addition-subtraction chain

(1,

2, 3, 6,12, 24,

23 of

_length

₆₎

that is

_strictly

shorter than the

_binary

ad-dition chains

_{(l, 2, 4, 5,10,11, 22, 23}

and

_{l, 2, 3, 4, 7, 8,16,}

23 of

_length

_7).

Again

there exist addition chains of

_length

_6,

like

_{1, 2, 3, 5,10,13, 23.}

For e = 27 there _areaddition chains

(such

_as

1, 2, 3, 6,

9,18, 27)

that _are shorter than both the chains obtained from the

_binary

_expansion

_{(1, 2, 3, 6,}

12,13, 26, 27)

and the addition-subtraction chain

_gotten

from the

(modi-fied)

non-adjacent

form

_(1,

_{2, 4, 8, 7, 14, 28,}

_27).

For e = 47 the

length

of the chain

_given

_by

the modified

non-adjacent

form

_(1,

_{2, 3, 6, 12, 24,}

(10)

length

8:

_{1, 2, 3, 4, 7,10, 20, 27, 47}

for

_example,

while the

_{binary gives}

_length

9:

_{1,2,4,5,10,11,22,23,46,47);}

in this case there is no shorter addition-subtraction chain either.

There are methods to construct short addition chains - these

are not

necessarily

shortest,

but shorter than those obtained from the

_binary

ex-pansion.

The results from the

_present

_paperindicate the

_gain

that can be obtained

_by

_using

_signed

bits rather than

_bits;

_perhaps

this will lead to a more

general

analysis

of the

advantages

of addition-subtraction chains over addition chains

_(in

situations where

_they

are

applicable).

4.

_Analysis

To

_analyze

the benefits of

_using

the

_signed

bit

_{representations,}

we first

prove some results on

(average)

_length

of

_non-adjacent

and modified

non-adjacent

forms. Let denote the number of

_{positive integers requiring}

exactly

n bits in their

binary

representation,

and let

cn

and

c~

be the number of

_{positive integers requiring}

_exactly

n

signed

bits in the

non-adjacent

form and in the modified

_non-adjacent

form

_{representation,}

_{respectively.}

_Also,

let

_Cn,

_Cn

and

_Cn

_similarly

define the number of

_{positive integers requiring}

at most n bits in the three

_{representations.}

Proposition

4. The number

_of

_{positive integers}

with

_expansions

_of

_length

n is

_{given by}

ci =

c’

=

c" =

1,

and

_for

n > 2:

Hence,

for

n> 0:

Proof. Only

1

_requires

one bit in any

_expansion.

It is also clear that there are

exactly

2n-1 integers

with most

significant

bit 1

(of

length

n),

so

2n-1

and

Cn =

2n .

The easiest way to count

integers

with n

signed

bits in their

_non-adjacent

form is to observe that the

_following

recursion holds:

Namely,

the

_c~

_{positive integers}

of

_{length n}

_(all

_having

_{- 1 ) ,}

when

’prepended’

with sn =

0 and 1 all contribute. We

_get

another contribution of size

_cn

_by

_flipping

the n-th bit to -1. This accounts for all

_{positive integers}

_requiring

n + 2 bits for which 0. We obtain those with

bn-1

= 0

by taking

the

cn+l

representations

of

_{length n}

+ 1 and

replacing

the

_{leading digit}

bn =

1

_by

_{bn =}

0 and

_putting

1. This

way the

validity

of the recursion can be seen to hold. With

_starting

values

(11)

36

then

_{easily proved,}

for

_{example by}

induction. The formula for

_C£

is

_simply

obtained

_by

summation:

One _wayto count

_integers

with modified

_non-adjacent

form of

_{length n}

is to use that their number also satisfies the recursion:

This time one takes the

_{representations}

of

_length

_n,and obtains from each

two valid

_{representations}

of

_{length n}

+ 2

_{by shifting}

over 2

places

and

inserting bl -

0 and From the

_{length n}

+ 1

_{representations}

one

_gets

length n

+ 2

_{representations}

_{by shifting}

one

place

and

taking

bo -

0. This

_clearly

leads to

_2cn

+ valid

_{representations}

of

_length

n + 2

_(taking

care that n > 1 to

_prevent

the

_illegal

_{representation 101}

for

3)

that are all distinct

(look

at

_bo);

it is not

_terribly

hard to see that we obtain all valid modified

_signed

bit

_{representations}

this _way.The

_starting

values for the recursion are

c"

= 2 and

c3

= 3.

Again,

Cn

can be derived

by

summation. D

Here are the first few values for each of the functions:

Remarks. Note that c, also satisfies the recursion that

cn

and

cn

satisfy.

The _sequence

_cn

has been called the Jacobsthal _sequence

_(A001045

in

_[10];

[5]).

Next we count the total

_weight

of all

_{representations}

of fixed

_length.

Define

sn to be the total number of ones in all different n-bit

integers;

we use

sn

and

_sn

for the total number of non-zero

_signed

bits in all different

non-adjacent

forms and modified

_non-adjacent

forms of

_length

n.

Similarly, by

,S’n,

Sn

and we denote the total number of non-zeroes in in all

_binary,

non-adjacent

and modified

_non-adjacent

_{representations}

of

_length

at most

n.

(12)

Also,

_ ... _ -.

Proof.

To count the total number of non-zero bits in n-bit

_words,

note that n + 1 bit words can be formed out of n-bit words

_{by shifting}

and

’appending’

a

single

bit

(0

or

1).

Since there are _cnsuch n-bit

_integers,

having sn

non-zero

_bits,

we find

From and 82 = 3 _we

get

the result

_by

induction.

To prove the formula for note that

This follows

_immediately

from the

_proof

of the

_previous

_Proposition.

Then use verification

of s1 = s2

= 1 and induction.

For s"

one derives

similarly

that

For

Sun

and

_~5’n

we sum

_only

_using

that

Here are the first few values for each of the functions

_again:

As a _consequencewe can determine how _manynon-zero

_(signed)

bits there are on _{average in}all

_{integers requiring}

_exactly

or at most n bits in

(13)

38

Corollary

6. For all n > 2:

and

This

_Corollary,

the

_proof

of which is an _easy

_computation,

tells us that on

average half the bits in a

binary

expansion

are non-zero

(as expected),

one

in three

_signed

bits in the

_non-adjacent

form are non-zero

(compare

[1,

3,

9]).

For the modified

_non-adjacent

form also a third of the bits are non-zero

asymptotically,

but the _{convergence is}

_slightly

slower because there are fewer zeroes in the

_exceptional

case.

To

_give

a fair

_comparison,

we need to count the number of bits used for

_integer

with

_binary

_expansion

of

_length

n. An n-bit

integer

is a

non-negative integer

for which the

_{ordinary binary}

_{representation}

has

_length

n

exactly.

5.

_Analysis

for

_integers

of

_{given length}

First we count the total

_length

and the total

_weight

of n-bit

_integers

in

the various

_{representations.}

As usual we denote

by

l,

l’, l"

and

L,

L’,

L" the values for

_{ordinary binary, non-adjacent}

form and modified

_non-adjacent

form

_{representation.}

Proposition

7. The total

_{length of}

all numbers that take

_exactly

n bits in

(14)

The total

_{length of}

all numbers that take at most n bits

(in

the

_ordinary

representation):

Proof. Obviously

the cn

length n integers

give

One _wayto

_{count Ln}

is to determine which

_length

n

integers

contribute to

length

n

_non-adjacent

forms. These are the

_binary

_expansions

of

_length

n for which

_bn-2

= 0 and for which the

non-adjacent

form of

bn-3bn-4 ... bo

has

_length

n - 2. Of those there are

_exactly

Cn_2.

The

_others,

_{cn -}

Cn-2

=

Cn-2

=

Cn_1-1

in number

_(compare

_(*)),

contribute

_length

n + 1

each,

so

Using Proposition

4

_immediately

_gives

the desired result.

Similarly

it can be _proventhat

For

_Ln

we

merely

sum:

and likewise for

_L’

and

_L~.

The first few values for these functions are:

Let wn,

w’, w"

denote the total

weight

of all

non-negative

integers

requir-ing

exactly

n bits in

binary

representation,

and

Wn,

Wn, Wn

the same for

(15)

40

Proposition

8.

Proof. Obviously again,

The

_weight

of

_non-adjacent

and modified

_non-adjacent

forms are the _same, so

wn - wn

and

Wn

=

W#.

The first

integer

that

requires n

binary

bits is

_{fn _}

2n-1.

For _every

_{integer h larger than fn}

for which the

_length

of

its

_non-adjacent

form is n, there is an

integer g

smaller than

fn

that has

non-adjacent

form of

_{length n -1}

and the same

_weight

as h:

_simply

reverse all bits of h

_except

for the most

_significant

one. Thus the

_integers

with

non-adjacent

forms of

_{length n}

other than

_{f n}

_(which

has

_weight

₁₎

contribute

exactly

half their total

_weight,

that is

_{(sn - 1)/2,}

to

_wn.

On the other

hand,

for the same reason

exactly

half the total

weight

of the

_length

non-adjacent

forms contribute to the

_{binary length n}

_count,

which

_implies

that

the +1

_being

the contribution of

_fn

itself. Substitution then

_gives

the

result. 0

A small table

_again:

Corollary

9. The number

_{of multiplications}

necessary to

compute

xe

_for

a random

_integer

e

_{of exactly}

n bits

_using

the

binary

_expansion,

the

(16)

If

e is randorra

of

at most n

digits,

the cost

_functions

are:

As

_expected

we see

_that,

for e of

_{binary length}

_n,it takes n -1

multipli-cations

_{(all squarings)}

and on _average

(n -1)/2

multiplications using

the

binary

expansion

for _e;

_using

the

_non-adjacent

form the number of

mul-tiplications

can be reduced to

(n -1)/3,

where on _averagewe save

1/3

multiplication

using

the modified form. References

[1] S. _ARNO,F. S. _WHEELER,_{Signed digit representations}of minimal _Hammingweight. IEEE Transactions on _Computers42 _(1993),1007-1010.

[2] A. D. _BOOTH,A _{signed binary multiplication}technique. Quart. Journ. Mech. and Applied Math. 4 _(1951),236-240.

[3] D. M. GORDON, A survey of fast exponentiation methods. Journal of Algorithms 27 (1998), 129-146.

[4] R. L. GRAHAM, A. C.-C. YAO, F.-F. YAO, Addition chains with multiplicative cost. Discrete Math. 23 _{(1978), 115-119.}

[5] A. F. HORADAM, Jacobsthal representation numbers. Fibonacci Quart. 34 _(1996),40-54. [6] D. E. KNUTH, The Art of Computer Programming 2: Seminumerical _Algorithms_(third

edition), Reading: Addison _Wesley,1998.

[7] NEAL KOBLITZ, CM-curves with _good_{cryptographic}_properties,in: _Feigenbaum_(ed),

Ad-vances in _Cryptology2014

Proceedings of _Crypto_’91,Lecture Notes in _ComputerScience _576,

(1991), 279-296.

[8] D. P. McCARTHY, Effect of improved multiplication efficiency on _{exponentiation}_algorithms

derived from addition chains. Math. _Comp.46 _(1976),603-608.

[9] F. _MORAIN,J. _OLIVOS,_Speedingup the computations on an _ellipticcurve _using

addition-subtraction chains. RAIRO Inform. _Theory24 _(1990),531-543.

[10] N. J. A. _SLOANE,S. _PLOUFFE,The _encyclopedia_{of integer}sequences. San Diego: Academic

Press, 1995. _{http://www.research.att.com/ njas/sequences/}

[11] HUGO VOLGER, Some results on addition/subtraction chains. Information _ProcessingLetters

20 _(1985),155-160.

Wieb BOSMA Vakgroep Wiskunde

Universiteit van _Nijmegen

The Netherlands