Double-Base Chains for Scalar Multiplications on Elliptic Curves · 2020-02-10 · bit op-erations...

Double-Base Chains for Scalar Multiplications onElliptic Curves?

Wei Yu1,2, Saud Al Musa3, and Bao Li1,4

1 State Key Laboratory of Information Security, Institute of Information Engineering,Chinese Academy of Sciences, Beijing 100093, China

[email protected] Data Assurance and Communications Security Research Center, Chinese Academy of

Sciences, Beijing 100093, China3 College of Computer Science and Engineering, Taibah University, Medina, Saudi Arabia

[email protected] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China

[email protected]

Abstract. Double-base chains (DBCs) are widely used to speed up scalarmultiplications on elliptic curves. We present three results of DBCs. First, wedisplay a structure of the set containing all DBCs and propose an iterativealgorithm to compute the number of DBCs for a positive integer. This isthe first polynomial time algorithm to compute the number of DBCs forpositive integers. Secondly, we present an asymptotic lower bound on average

Hamming weights of DBCslogn8.25 for a positive integer n. This result answers

an open question about the Hamming weights of DBCs. Thirdly, we proposea new algorithm to generate an optimal DBC for any positive integer. The

time complexity of this algorithm is O((

logn)2 loglogn

)bit operations and

the space complexity is O((

logn)2

)bits of memory. This algorithm accelerates

the recoding procedure by more than 6 times compared to the state-of-the-art Bernstein, Chuengsatiansup, and Lange’s work. The Hamming weights ofoptimal DBCs are over 60% smaller than those of NAFs. Scalar multiplicationusing our optimal DBC is about 13% faster than that using non-adjacent formon elliptic curves over large prime fields.

Keywords: Elliptic curve cryptography, Scalar multiplication, Double-basechain, Hamming weight

1 Introduction

A double-base chain (DBC), as a particular double-base number system (DBNS)representation, represents an integer n as

∑li=1 ci 2bi 3ti where ci ∈ ±1, bi , ti are

non-increasing sequences. It is called an unsigned DBC when ci ∈ 1. A DBC wasfirst used in elliptic curve cryptography for its sparseness by Dimitrov, Imbert, andMishra [1], and Ciet, Joye, Lauter, and Montgomery [2]. Scalar multiplication is

? The proceeding version of this paper appears at EUROCRYPT 2020. This is the full version.

2 W. Yu et al.

the core operation in elliptic curve cryptosystems. A DBC allows one to representan integer in a Horner-like fashion to calculate scalar multiplication such that allpartial results can be reused. In the last decade, DBCs were widely investigated tospeed up scalar multiplications [3–5] and pairings [6,7]. The generalizations of DBCswere also applied to the arithmetics of elliptic curves. The generalizations includesimultaneously representing a pair of numbers to accelerate multi-scalar multipli-cations [8–10], using double-base representation to speed up scalar multiplicationon Koblitz curves [11], and representing an integer in a multi-base number systemto promote scalar multiplications [12–14].

Dimitrov, Imbert, and Mishra pointed out that DBC is highly redundant, andcounting the exact number of DBCs is useful to generate optimal DBCs [1]. A preciseestimate of the number of unsigned DBNS representation of a given positive integerwas presented in [15]. 100 has exactly 402 unsigned DBNS representations and1000 has 1295579 unsigned DBNS representations. For unsigned DBC, Imbert andPhilippe [4] introduced an efficient algorithm to compute the number of unsignedDBCs for a given integer. By their algorithm, 100 has 7 unsigned DBCs and 1000has 30 unsigned DBCs. DBCs are more redundant than unsigned DBCs. For a giveninteger n, Doche [16] proposed a recursion algorithm to calculate the number ofDBCs with a leading term dividing 2b3t . His algorithm is efficient to find the numberof DBCs with a leading term dividing 2b3t for integers less than 270 and b, t < 70.But it does not work for calculating the number of DBCs of a positive integer used inelliptic curve cryptography. We will show how to calculate the number of DBCs of a256−bit integer or even a larger integer.

The Hamming weight is one of the most important factors that affect the effi-ciency of scalar multiplications. Dimitrov, Imbert, and Mishra proved an asymptotic

upper bound O(

lognloglogn

)on the Hamming weight of DBNS representation by a greedy

approach [15]. Every integer n has a DBC with Hamming weight O(logn

). The

upper bounds of DBNS representations and DBCs have been well investigated, incontrast, the precise lower bounds of DBCs can not be found in any literature. Docheand Habsieger [3] showed that the DBCs produced by the tree approach is shorterthan those produced by greedy approach [1] for integers with several hundreds ofbits experimentally. They observed that the average Hamming weight of the DBCs

produced by the tree approach is logn4.6419 . They also posed an open question that the

average Hamming weight of DBCs generated by the greedy approach may be not

O(

lognloglogn

). We will give affirmation to this question.

Canonic DBCs are the DBCs with the lowest Hamming weight for a positiveinteger and were introduced by Dimitrov, Imbert, and Mishra [1]. Several algorithmswere designed to produce near canonic DBCs such as greedy algorithm [1], bi-nary/ternary approach [2], multi-base non-adjacent form (mbNAF) [13], and treeapproach [3]. In Asiacrypt 2014, Doche proposed an algorithm to produce a canonicDBC [16] . As Doche’s algorithm was in exponential time, Capuñay and Thériault [7]improved Doche’s algorithm to generate a canonic DBC or an optimal DBC. Thisis the first algorithm to generate an optimal DBC in polynomial time, explicitly

O((

logn)4

)bit operations and O

((logn

)3)

bits of memory. Bernstein, Chuengsa-

Double-Base Chains for Scalar Multiplications on Elliptic Curves 3

tiansup, and Lange [17] presented a directed acyclic graph algorithm (DAG) to

produce a canonic DBC or an optimal DBC. Their algorithm takes time O((

logn)2.5


((logn

)2.5)

bits of memory. As scalar multiplication requires

O((

logn)2 loglogn

)when field multiplications use FFTs, we will focus on producing

a canonic DBC or an optimal DBC in the same order of magnitude.In this paper, we are concerned with the theoretical aspects of DBCs arising from

their study to speed up scalar multiplication and producing a canonic DBC or anoptimal DBC efficiently. The main contributions are detailed as follows.

1. As Doche’s algorithm is in exponential time to compute the number of DBCswith a leading term dividing 2b3t [16], we propose an iterative algorithm in

O((

logn)3

)bit operations and in O

((logn

)2)

bits of memory. Our algorithm

is based on our new structure of the set containing all DBCs. It requires 10milliseconds for 256-bit integers and 360 milliseconds for 1024-bit integers.Using the iterative algorithm, 100 has 2590 DBCs with a leading term dividing23034 and 1000 has 28364 DBCs with a leading term dividing 23036. These resultsshow that DBCs are redundant. We show that the number of DBCs with a leadingterm dividing 2b3t is the same when t ≥ tτ for some tτ. The number of DBCs witha leading term dividing 2b3t minus the number of DBCs with a leading termdividing 2bτ3t is (b −bτ)Cτ when b ≥ bτ for some bτ and Cτ. We also presentthat the number of DBCs with a leading term dividing 2b3t is O

(logn

)−bit whenboth b and t are O

(logn

).

2. Doche and Habsieger posed an open question to decide whether the average

Hamming weight of DBCs produced by the greedy approach is O(

lognloglogn

)or not

[3]. We show that an asymptotic lower bound of the average Hamming weight

of the DBCs returned by any algorithm for a positive integer n is logn8.25 . This

theoretical result answers their open question. Experimental results show thatthe Hamming weight of canonic DBCs is 0.179822logn for 3000-bit integers. It isstill a long way from the theoretical bound. We also show that the theoretical

lower bounds of Hamming weights of DBCs are logn9.57 , logn

10.32 , logn10.84 , logn

11.25 , logn11.57 ,

logn11.85 , logn

12.09 , logn12.30 , logn

12.48 , and logn13.19 for 2,3,4,5,6,7,8,9,10, and 15 pre-computations

respectively.3. We propose a dynamic programming algorithm to generate an optimal DBC.

We introduce an equivalent representative for large integers to improve theefficiency of the dynamic programming algorithm. Our dynamic programming

algorithm using equivalent representatives requires O((

logn)2 loglogn

)bit op-

erations and O((

logn)2

)bits of memory. It accelerates the recoding procedure by

over 6 times compared to Bernstein, Chuengsatiansup, and Lange’s algorithm.Many researches [1–3, 6, 7, 16, 17] indicate that the leading term of an optimalDBC is greater than n

2 and less than 2n. We will prove it in this work.4. Capuñay and Thériault’s algorithm [7], Bernstein, Chuengsatiansup, and Lange’s

DAG algorithm [17], and our algorithms (Algorithms 2 − 4) can generate thesame optimal DBC for a given integer. Using optimal DBCs to speed up pairing

4 W. Yu et al.

computations has been fully investigated by Capuñay and Thériault’s algorithmin [7]. Using optimal DBCs to speed up scalar multiplication on Edwards curveshas been studied by Bernstein, Chuengsatiansup, and Lange in [17]. We willstudy scalar multiplication on Weierstrass curves using optimal DBCs. Over largeprime fields, both theoretical analyses and experimental results show that scalarmultiplication protecting against simple side-channel attack using our optimalDBC is about 13% faster than that using NAF.

This paper is organized as follows. In Section 2, we present background ofelliptic curves and DBCs. In Section 3, we show the structure of the set containingall DBCs, and give an iterative algorithm to compute the number of DBCs. InSection 4, we show an asymptotic lower bound of the average Hamming weightsof DBCs. Section 5 shows a dynamic programming algorithm. Section 6 presentsequivalent representatives for large numbers to improve our dynamic programmingalgorithm and presents the comparisons of several algorithms. Section 7 gives somecomparisons of scalar multiplications. Finally, we conclude this work in Section 8.

2 Preliminaries

We give some basics about elliptic curves and DBCs.

2.1 Elliptic Curves

In what follows, point doubling (2P ), tripling (3P ), and mixed addition [18] (P +Q)are denoted by D , T , and A respectively where P and Q are rational points on anelliptic curve. Cost of scalar multiplications are expressed in terms of field multipli-cations (M) and field squarings (S). To allow easy comparisons, we disregard fieldadditions/subtractions and multiplications/divisions by small constants. Moreover,we assume that S = 0.8M as customary of software implementation (different CPUarchitectures usually imply different S and M ration) and that S = M in the caseof implementations on a hardware platform or protecting scalar multiplicationsagainst some simple side channel attack by side-channel atomicity [19].

Let EW be an elliptic curve over a large prime field Fp defined by the Weierstrassequation in Jacobian projective coordinate: Y 2 = X 3 + aX Z 4 +bZ 6, where a = −3,b ∈ Fp , and 4a3 +27b2 6= 0. The respective cost of a doubling, a mixed addition, anda tripling are 3M+5S, 7M+4S, and 7M+7S on EW respectively [20, 21]. More aboutWeierstrass elliptic curves please refer to [22].

The cost of point operations on EW are summarized in Table 1. EW with S= 0.8Mand EW with S=M are denoted by EW 0.8 and EW 1 respectively.

Table 1. Cost of elliptic curve point operations

operation EW 0.8 EW 1

A 7M+4S(10.2M) 11M

D 3M+5S(7M) 8M

T 7M+7S(12.6M) 14M


2.2 DBCs

DBNS represents an integer as∑l

i=1 ci 2bi 3ti where ci ∈ ±1, and bi , ti are non-negative integers. It was first used in elliptic curve cryptography by Dimitrov, Im-bert, and Mishra [1]. Meloni and Hasan proposed new algorithms using DBNSrepresentation to speed up scalar multiplications [23, 24]. The drawback of DB-NS representation to compute scalar multiplication is that it requires many pre-computations and space to compute scalar multiplication. A DBC is a special caseof DBNS representations. It allows us to represent n in a Horner-like fashion suchthat all partial results can be reused. It is defined as follows.

Definition 1 (DBC [1]) A DBC represents an integer n as∑l

i=1 ci 2bi 3ti where ci ∈C =±1,bl ≥ bl−1 ≥ . . . ≥ b1 ≥ 0 and tl ≥ tl−1 ≥ . . . ≥ t1 ≥ 0. We call 2bi 3ti a term of theDBC, 2bl 3tl the leading term of the DBC, and l the Hamming weight of the DBC.

If C = 1, the DBC is called an unsigned DBC. Since computing the negative of apoint P can be done virtually at no cost, we usually set C = ±1. The leading term ofa DBC encapsulates the total number of point doublings and that of point triplingsnecessary to compute scalar multiplication nP whose total cost is (l −1) · A+bl ·D +tl ·T .

The number 0 has only one DBC that is 0. If a DBC does not exist, we denote it byNULL. We set the Hamming weight of 0 as 0 and that of NULL as a negative integer. ADBC for a negative integer is the negative of the DBC of its absolute value. Therefore,we usually investigate the DBCs of a positive integer.

Some properties of DBCs are useful. Let n = ∑li=1 ci 2bi 3ti be a DBC with ci ∈

±1,bl ≥ bl−1 ≥ . . . ≥ b1 and tl ≥ tl−1 ≥ . . . ≥ t1. We have

1. 2bk 3tk is a factor ofl0∑

i=kci 2bi 3ti , when k ≤ l0 ≤ l ;

2.l0∑

i=kci 2bi 3ti is not equal to 0 when 0 < k ≤ l0 ≤ l ;

3. 2bk+ς3tk+ς2ς−1 >

k∑i=1

ci 2bi 3ti >− 2bk+ς3tk+ς2ς−1 , when 1 ≤ ς≤ l −k [25];

4. 2bl 3tl > n2 ;

5.∑ς

i=1 ci 2bi 3ti > 0 if and only if cς = 1, when 1 ≤ ς≤ l .

Following from Dimitrov, Imbert, and Mishra’s definition of canonic DBC,

Definition 2 (Canonic DBC [15]) The canonic DBCs of a positive integer n are theones with minimal Hamming weight.

The canonic DBCs of a positive integer have the same Hamming weight. When weperform scalar multiplication using a DBC, its Hamming weight is not the only factoraffecting the efficiency of scalar multiplication. The cost of point operations shouldalso be considered. The works in [7,16,17] indicate the definition of an optimal DBCas follows.

6 W. Yu et al.

Definition 3 (Optimal DBC) Let w be a DBC of a positive integer n whose leadingterm is 2bl 3tl and its Hamming weight is l , and the value function of w is definedby val(w) = (l − 1) · A + bl ·D + tl ·T for given numbers A > 0, D ≥ 0, and T ≥ 0. Anoptimal DBC of n is the DBC with the smallest value in the set val(w)|w ∈ X where Xis the set containing all DBCs of n.

Let minLw1,w2, . . . ,wm be a DBC with the smallest Hamming weight amongthese DBCs. If the Hamming weight of w is the smallest in a corresponding set, wesay w is “minimal”. Let minVw1,w2, . . . ,wm be a DBC with the smallest val(wi ) inthe set val(w1), val(w2), . . . ,val(wm). If more than one DBC has the same Hammingweight or the same value of its value function, we choose the one with the smallestposition index i where i is the position index of wi in the set of w1,w2, . . . ,wm. minLis used to generate canonic DBCs, and minV is used to generate optimal DBCs.

An optimal DBC is associated with an elliptic curve. Let log denote binarylogarithm. If the value of T

D is log3, then the optimal DBC is a canonic DBC. In thiscase, we usually set D = T = 0. For canonic DBCs of a positive integer, our concern istheir Hamming weight.

3 The Number of DBCs

DBCs are special cases of DBNS representations. In 2008, Dimitrov, Imbert, andMishra showed an accurate estimate of the number of unsigned DBNS representa-tions for a given positive integer [15]. The number of signed DBNS representation isstill an open question.

Dimitrov, Imbert, and Mishra pointed out that counting the exact number ofDBCs is useful to show DBC is redundant [1] and to generate an optimal DBC.Dimitrov, Imbert, and Mishra [1] and Imbert and Philippe [4] both noticed that eachpositive integer has at least one DBC such as binary representation. Imbert andPhilippe [4] proposed an elegant algorithm to compute the number of unsignedDBCs for a given integer and presented the first 400 values. These values behaverather irregularly. To determine the precise number of DBCs for a positive integeris usually hard, but we are convinced that this number is infinity. The number ofDBCs with a leading term dividing 2b3t for a positive integer was first investigated byDoche [16]. His algorithm is very efficient for less than 70−bit integers with a leadingterm dividing 2b3t for the most b and t . The algorithm requires exponential time.Before we present a polynomial time algorithm to calculate the number of DBCs oflarge integers, a structure of the set containing all DBCs is introduced.

3.1 The Structure of the Set Containing All DBCs

Let Φ(b, t ,n) be the set containing all DBCs of an integer n ≥ 0 with a leading termstrictly dividing 2b3t . “Strictly” indicates that the leading term of a DBC 2bl 3tl divides2b3t but is not equal to 2b3t . Let Φ(b, t ,n) be the set containing all DBCs of aninteger n ≤ 0 with a leading term strictly dividing 2b3t . Both definitions of Φ(b, t ,n)and Φ(b, t ,n) arise from Imbert and Philippe’s structure of unsigned DBCs [4] and


Capuñay and Thériault’s definition of the set containing all DBCs (see Definition 5of [7]).

Let z be 2b′3t ′ or −2b′

3t ′ with integers b′ ≥ 0 and t ′ ≥ 0. The set w+ z| w ∈Φ isdenoted by zΦ (the similar is for Φ). zΦ is inspired by Imbert and Philippe’s mark [4].If 2b3t |z, zΦ(b, t ,n) are the DBCs of n + z. Let z1,z2Φ = z1 (z2Φ). Take Φ(1,4,100) =34 +33 −32 +1 for example, 2·34

Φ(1,4,100) = 2 ·34 +34 +33 −32 +1.Some properties ofΦ and Φ are given.

1. IfΦ=;, then zΦ=;; if Φ=;, then zΦ=;.2. IfΦ= 0, then zΦ= z; if Φ= 0, then zΦ= z.3. If n < 0 or n ≥ 2b3t or b < 0 or t < 0, thenΦ(b, t ,n) = Φ(b, t ,−n) =;.4. Φ(0,0,0) = Φ(0,0,0) = 0.5. A DBC 0 plus z equals to z.6. A DBC NULL plus z equals to NULL.

Imbert and Philippe’s structure of the set containing unsigned DBCs [4] can beused to calculate the number of unsigned DBCs. Since the terms of DBCs of n maybe larger than n, calculating the number of DBCs is usually difficult. Following fromCapuñay and Thériault’s definition [7],

nb,t ≡ n (mod 2b3t ) where 0 ≤ nb,t < 2b3t .

We redefinenb,t = nb,t −2b3t .

To calculate the number of DBCs, Φ(b, t ) and Φ(b, t ) are introduced to describethe structure of the set containing DBCs shown as Lemma 1 whereΦ(b, t ) and Φ(b, t )representΦ(b, t ,nb,t ) and Φ(b, t , nb,t ) respectively.

Lemma 1 Let n be a positive integer, b ≥ 0, t ≥ 0, and b+ t > 0. The structure ofΦ(b, t )and that of Φ(b, t ) are described as follows.

1. If nb,t < 2b3t−1, i.e., nb,t = nb−1,t = nb,t−1, then

Φ(b, t ) =Φ(b −1, t )⋃(

2b−13tΦ(b −1, t )

)⋃Φ(b, t −1)

⋃(2b 3t−1

Φ(b, t −1))

,

Φ(b, t ) =(−2b−13t

Φ(b −1, t ))

.

2. If 2b3t−1 ≤ nb,t < 2b−13t , i.e., nb,t = nb−1,t = nb,t−1 +2b3t−1, then

Φ(b, t ) =Φ(b −1, t )⋃(

2b−13tΦ(b −1, t )

)⋃(2b 3t−1

Φ(b, t −1))

,

Φ(b, t ) =(−2b−13t

Φ(b −1, t ))⋃(

−2b 3t−1Φ(b, t −1)

).

3. If 2b−13t ≤ nb,t < 2 ·2b3t−1, i.e., nb,t = nb−1,t +2b−13t = nb,t−1 +2b3t−1, then

Φ(b, t ) =(

2b−13tΦ(b −1, t )

)⋃(2b 3t−1

Φ(b, t −1))

,

Φ(b, t ) =(−2b−13t

Φ(b −1, t ))⋃

Φ(b −1, t )⋃(

−2b 3t−1Φ(b, t −1)

).

8 W. Yu et al.

4. If nb,t ≥ 2 ·2b3t−1, i.e., nb,t = nb−1,t +2b−13t = nb,t−1 +2×2b3t−1, then

Φ(b, t ) =(

2b−13tΦ(b −1, t )

),

Φ(b, t , ) =(−2b−13t

Φ(b −1, t ))⋃

Φ(b −1, t )⋃(

−2b 3t−1Φ(b, t −1)

)⋃Φ(b, t −1).

The proof is shown as Appendix A.1.The definitions of nb,t and nb,t indicate that both nb,t = nb−1,t = nb,t−1+2b+13t−1

and nb,t = nb−1,t +2b−13t = nb,t−1 are impossible. From Lemma 1,Φ(b, t ) and Φ(b, t )only rely onΦ(b−1, t ), Φ(b−1, t ),Φ(b, t −1) and Φ(b, t −1). By the definitions of nb,t

and nb,t , the structure of Φ(b, t ) and that of Φ(b, t ) still work for nb,t = 0 in Case 1,nb,t = 2b3t−1 in Case 2, nb,t = 2b−13t in Case 3, and nb,t = 2 ·2b3t−1 in Case 4.

This is the first structure of the set containing all DBCs with a leading term strictlydividing 2b3t in the literature. Based on this structure, we will show the number ofDBCs with a leading term dividing 2b3t for a positive integer n.

3.2 The Number of DBCs

Let |S | be the cardinality of the set S . The number of DBCs with a leading termdividing 2b3t for representing nb,t is |Φ(b, t )|+ |Φ(b, t )|. We will provide some initialvalues of |Φ| and |Φ|. If n < 0 or n ≥ 2b3t or b < 0 or t < 0, |Φ(b, t ,n)| = |Φ(b, t ,−n)| = 0.|Φ(0,0,0)| = |Φ(0,0,0)| = 1.

Based on Lemma 1, the cardinality of Φ(b, t ) and that of Φ(b, t ) are shown asTheorem 1. Its proof is given in Appendix A.2.

Theorem 1 Let n be a positive integer, b ≥ 0, t ≥ 0, and b + t > 0. We have

1. If nb,t < 2b−13t−1, then

|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(b −1, t )|+ |Φ(b, t −1)|+ |Φ(b, t −1)|− |Φ(b −1, t −1)|− |Φ(b −1, t −1)|,

|Φ(b, t )| =|Φ(b −1, t )|.2. If 2b−13t−1 ≤ nb,t < 2b3t−1, then

|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(b −1, t )|+ |Φ(b, t −1)|+ |Φ(b, t −1)|− |Φ(b −1, t −1)|,

|Φ(b, t )| =|Φ(b −1, t )|.3. If 2b3t−1 ≤ nb,t < 2b−13t , then

|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(b −1, t )|+ |Φ(b, t −1)|,|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(b, t −1)|.

4. If 2b−13t ≤ nb,t < 2 ·2b3t−1, then

|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(b, t −1)|,|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(b −1, t )|+ |Φ(b, t −1)|.


5. If 2 ·2b3t−1 ≤ nb,t < 5 ·2b−13t−1, then

|Φ(b, t )| =|Φ(b −1, t )|,|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(b −1, t )|+ |Φ(b, t −1)|

+ |Φ(b, t −1)|− |Φ(b −1, t −1)|.

6. If nb,t ≥ 5 ·2b−13t−1, then

|Φ(b, t )| =|Φ(b −1, t )|,|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(b −1, t )+|Φ(b, t −1)|

+ |Φ(b, t −1)|− |Φ(b −1, t −1)|− |Φ(b −1, t −1)|.

Based on Theorem 1, we have

Corollary 1 1. If b ≥ 0 and t ≥ 0, then |Φ(b, t )| ≥ |Φ(b −1, t )|, |Φ(b, t )| ≥ |Φ(b, t −1)|,|Φ(b, t )| ≥ |Φ(b −1, t )|, and |Φ(b, t )| ≥ |Φ(b, t −1)|.

2. If b ≥ 0 and t ≥ 0, then |Φ(b, t )| ≤ 4b+t and |Φ(b, t )| ≤ 4b+t .

By Corollary 1, |Φ(b, t )| and |Φ(b, t )| are both O (logn)-bit integers when both band t are O (logn).

Based on Theorem 1, we employ an iterative algorithm to compute the number ofDBCs with a leading term strictly dividing 2b3t for nb,t and nb,t shown as Algorithm1. The number of DBCs with a leading term dividing 2b3t for n is

1. |Φ(b, t )|+ |Φ(b, t )| when 2b3t > n;2. |Φ(b, t )| when n

2 < 2b3t ≤ n;

3. 0 when 2b3t ≤ n2 .

Algorithm 1 Iterative algorithm to compute the number of DBCsInput: A positive integer n, b ≥ 0, and t ≥ 0Output: The number of DBCs with a leading term strictly dividing 2b 3t for nb,t and nb,t1. |Φ(0,0)|← 1, |Φ(0,0)|← 02. For i from 0 to b, |Φ(i ,−1)| = |Φ(i ,−1)|← 03. For j from 0 to t , |Φ(−1, j )| = |Φ(−1, j )|← 04. For j from 0 to t5. For i from 0 to b6. If i + j > 0, using Theorem 1 to compute |Φ(i , j )| and |Φ(i , j )|7. return |Φ(b, t )|, |Φ(b, t )|

Algorithm 1 terminates in O((

logn)3


((logn

)2)

bits of

memory when b and t are both in O(logn

).

Miracl lib [26] is used to implement big number arithmetic. Our experimentsin this paper are compiled and executed on Intelr CoreTM i7−6567U 3.3 GHZ

10 W. Yu et al.

with Skylake architecture (our algorithms may have different running time onother architectures). Algorithm 1 requires 34,177,551, and 1184 million cpu cycles(10,50,170, and 360 milliseconds) for 256−bit, 512−bit, 768−bit, and 1024−bit inte-gers respectively. The details are shown in Table 2.

Table 2. Cost of Algorithm 1

bits of n 256 512 768 1024

b, t 128,81 256,161 384,242 512,323

cost(million cpu cycles) 34 177 551 1184

By Algorithm 1, the number of DBCs of⌊π×10120

⌋with a leading term dividing

22403120 is 4056945126898033285704752724480203323844361795450467273281157843672719846213086211542270726702592261797036105303878574879. The number ofDBCs with a leading term dividing 2b3t for 100 when b < 50 and t < 50 is shown asTable 3. There exist 405 DBCs with a leading term dividing 2734 for representing 100.These results all show a redundance of DBCs for a positive integer. The number ofDBCs with a leading term dividing 2b3t of 100 is the same for 4 ≤ t < 50. For the sameb, we guess the number is the same when t ≥ 50. For each 8 ≤ b < 50, the numberof DBCs with a leading term dividing 2b3t of 100 minus the number of DBCs with aleading term dividing 2b−13t of 100 is 7. We guess this result is still true for b ≥ 50.

Table 3. Number of DBCs with a leading term dividing 2b 3t for 100

t = 0 t = 1 t = 2 t = 3 t < 50

b = 0 0 0 0 0 1

b = 1 0 0 0 0 7

b = 2 0 0 0 11 24

b = 3 0 0 18 51 70

b = 4 0 0 57 112 137

b = 5 0 13 111 188 219

b = 6 3 35 174 273 310

b = 7 10 61 241 362 405

b < 50 10+7∗ (b −7) 61+26∗ (b −7) 241+67∗ (b −7) 362+89∗ (b −7) 405+95∗ (b −7)

3.3 The Number of DBCs for Large b or t

If b or t is large, the number of DBCs are shown as Corollary 2. Its proof is shown asAppendix A.3.

Corollary 2 Let n be a given positive integer, tτ be a positive integer satisfying 3tτ−1 >n and 3tτ−2 ≤ n, and bτ be a positive integer satisfying 2bτ > 3n and 2bτ−1 ≤ 3n. Then

1. If t ≥ tτ and b ∈Z, then |Φ(b, t )| = |Φ(b, tτ)|.2. If b ≥ bτ and t ∈Z, then |Φ(b, t )| = |Φ(bτ, t )|+(b−bτ)Cτ where Cτ =∑t

i=0 |Φ(bτ, i )|.3. If b ≥ bτ and t ≥ tτ, then |Φ(b, t )| = |Φ(bτ, t )|+(b−bτ)Cτ where Cτ =∑tτ

i=0 |Φ(bτ, i )|.These three properties of Corollary 2 are used to compute the number of DBCs

with a leading term dividing 2b3t for some large b and t . The number of DBCs with


a leading term dividing 2b3t is a constant when t > tτ. The number of DBCs with aleading term dividing 2b3t adds a constant

∑ti=0 |Φ(bτ, i )| is the number of DBCs with

a leading term dividing 2b+13t when b > bτ. Take 100 for example, 100 has 137 DBCswith a leading term dividing 243t for each t ≥ tτ, and has 405+95∗ (b−7) DBCs witha leading term dividing 2b3t for each b ≥ 9 and t ≥ 6. These results may be associatedwith that 1 = 2b −∑b−1

i=0 2i as b becomes larger and that 1 = 30 can not be representedas other ternary representation with its coefficients in ±1.

4 Hamming Weight of DBCs

For a positive integer n, Chalermsook, Imai, and Suppakitpaisarn [27] showed thatthe Hamming weight of unsigned DBNS representations obtained from the greedy

approach proposed by Dimitrov, Imbert, and Mishra [1] is θ(

lognloglogn

). And they

showed that the Hamming weight of unsigned DBCs produced by greedy approach[1] is θ

(logn

).

For the Hamming weights of (signed) DBNS representations and DBCs, Dimitrov,Imbert, and Mishra [1] showed that every integer n has a DBNS representation

with Hamming weight O(

lognloglogn

). Every integer n has a DBC with Hamming weight

O (logn). These are upper bounds on the Hamming weight of DBNS representationsand DBCs. The number of DBCs of a positive integer is infinite and the leading termof its DBC may be infinite. The range of the leading term of canonic DBCs is usefulto show the lower bounds of the Hamming weight of DBCs.

4.1 The Range of the Leading Term of Optimal DBCs and Canonic DBCs

Doche [16] proved that a DBC with leading term 2b3t belongs to the interval[

3t+12 ,

2b+13t − 3t+12

]. His result showed the range of integers for a leading term. The leading

term of a DBC 2bl 3tl for a positive integer does not have an upper bound for 1 =2bl −2bl−1− . . .−2−1 where bl is an arbitrary positive integer. We will show the rangeof the leading term of optimal DBCs and that of canonic DBCs for a given integer inLemma 2. Its proof is in Appendix A.4.

Lemma 2 Let n be a positive integer represented as w :∑l

i=1 ci 2bi 3ti , cl = 1,ci ∈ ±1

for 1 ≤ i ≤ l−1. Then n2 < 2bl 3tl < 2n when w is an optimal DBC, and 16n

21 < 2bl 3tl < 9n7

when w is a canonic DBC.

The range of the leading term of optimal DBCs is useful to prove that the DBCproduced by Capuñay and Thériault’s algorithm [7] and that produced by Bernstein,Chuengsatiansup, and Lange’s algorithm [17] both are optimal DBCs. The leadingterm of canonic DBCs of n is in the interval

( 16n21 , 9n

7

). It is useful to prove that

the DBCs generated by Doche’s algorithm is a canonic DBC [16], and to prove theasymptotic lower bound on the Hamming weights of DBCs in the following.

12 W. Yu et al.

4.2 A Lower Bound on the Hamming Weights of DBCs

Dimitrov and Howe proved that there exist infinitely many integers n whose shortest

DBNS representations have Hamming weights Ω(

lognloglogn logloglogn

)[28]. The mini-

mum Hamming weight of DBCs for a positive integer n is also called Kolmogorovcomplexity [29] of a DBC of n, i.e., the Hamming weight of canonic DBCs of n.Lou, Sun, and Tartary [5] proved a similar result for DBCs: there exists at leastone

⌊logn

⌋−bit integer such that any DBC representing this integer needs at leastΩ

(⌊logn

⌋)terms. We will give a stronger result in Lemma 3.

Lemma 3 For arbitrary α ∈ (0,1) and 0 <C < α2

8.25 , more than n −nα integers in [1,n]satisfy that the Hamming weight of the canonic DBCs of each integer is greater thanC logn when n > N (N is some constant shown as Claim 1).

For convenience, we first give some conventions and definitions. s(m) denotesthe Hamming weight of canonic DBCs of m, and e is the base of the naturallogarithm. Let ϕl be the number of DBCs

∑li=1 ci 2bi 3ti with 2bl 3tl < 9n

7 ,ci ∈ ±1,and cl = 1.

Definition 4 (ϕ(L)) For a given positive integer n and a constant L, ϕ(L) = ∑Ll=1ϕl ,

i.e., ϕ(L) is the number of DBCs∑l

i=1 ci 2bi 3ti with 2bl 3tl < 9n7 ,1 ≤ l ≤ L.

By Lemma 2, in a canonic DBC, 16n21 < 2bl 3tl < 9n

7 . Then, the number of integersof m in [1,n] represented as a canonic DBC with Hamming weight no greater than Lis not more than the number of integers of m in [1,n] represented as a DBC witha leading term dividing 2bl 3tl < 9n

7 , l ≤ L. Since every DBC corresponds to onlyone integer and each integer has at least one DBC, the number of integers in [1,n]represented as a canonic DBC with Hamming weight no greater than L is no greaterthan ϕ(L).

An outline of the proof of Lemma 3 is as follows. The number of integers of m in[1,n] can not be represented as a DBC of Hamming weight j , 0 < j ≤ L is equal to nminus the number of integers of m in [1,n] represented in that way. There are at leastn −ϕ(L) integers of m in [1,n] can not be represented as a DBC of Hamming weightj with 2b j 3t j ≤ 9n

7 , 0 < j ≤ L. Thus there are at least n −ϕ(L) integers of m in [1,n]satisfying s(m) > L. Hence, ϕ(C logn) < nα is enough to prove Lemma 3.

Since ϕ j where 0 < j ≤C logn is the number of DBCs of Hamming weight j with2bl 3tl < 9n

7 , we have

ϕ j ≤ 2 j−1∑

α+γ log3<log 9n7

(α+ j

j −1

)(γ+ j

j −1

).

Then

ϕ(C logn) =C logn∑

j=1ϕ j ≤

C logn∑j=1

2 j−1∑

α+γ log3<log 9n7

(α+ j

j −1

)(γ+ j

j −1

) . (1)

For this estimate ofϕ(C logn) is too complex to be dealt with, we simplify its estimateby Claim 1 and its proof requires the tools of Pascal’s triangle and Stirling’s formulashown in Appendix A.5.


Claim 1 For any 0 < C < 1, when n > N where N satisfies that N > 210000·(3−0.5log3 7)

and log N < 1.0001C log N ,

C logn∑j=1

2 j−1∑

α+γ log2 3<log 9n7

(α+ j

j −1

)(γ+ j

j −1

)< nC log

(2.0002e2(0.5001log3 2+C )2

C 2

).

According to Equation (1) and Claim 1, we have

ϕ(C logn) < nC log

(2.0002e2 log3·(0.5001log3 2+C )2

C 2

).

For some larger N , the coefficients of log3 2 and e2 will be smaller than 0.50001 and2.0002 respectively in this inequation, and for some smaller N , the coefficients oflog3 2 and e2 will be larger than 0.50001 and 2.0002. The proof of Lemma 3 is asfollows.

Proof. To prove Lemma 3, it is sufficient to show that the number of integers of m in[1,n], represented as a DBC of Hamming weight j with j ≤C logn and 2b j 3t j < 9n

7 , isno greater than nα.

The number of integers of m in [1,n] can be represented as DBCs of Hammingweight j with 2b j 3t j < 9n

7 , 0 < j ≤ C logn is no greater than ϕ(C logn). This result issufficient to show that ϕ(C logn) < nα, i.e., the number of DBCs of Hamming weightj with j ≤C logn is less than nα.

Since ϕ(C logn) < nC log

(2.0002e2 log3·(0.5001log3 2+C )2

C 2

), then

nC log

(2.0002e2 log3·(0.5001log3 2+C )2

C 2

)< nα. We have

2.0002e2 log3 · (0.5001log3 2+C )2

C 2 < 2αC .

When 0 <C < α2

8.25 , this inequality holds.

Thus, for any real numbers α and C with 0 <α< 1 and 0 <C < α2

8.25 , when n > N ,at least n −nα integers of m in [1,n] satisfy s(m) >C logn.

As a corollary of Lemma 3, for any given positive number α < 1, there exist twoefficiently computable constants C and N , such that when n > N , there are at leastn −nα integers m in [1,n] satisfying s(m) > C logn > C logm. This result is easy tounderstand and more advanced than Lou, Sun, and Tartary’s result [5].

Doche and Habsieger [3] showed that the DBC produced by the tree approachis shorter than that produced by greedy approach experimentally. The average

Hamming weight of the DBCs produced by the tree approach is logn4.6419 . Then they

posed an open question that the average Hamming weight of DBCs generated by the

greedy approach may be not O(

lognloglogn

). Lemma 3 is sufficient to solve this question.

The average Hamming weight of DBCs of (logn)−bit integers is the average valueof the Hamming weights of the DBCs of all (logn)−bit integers where we choose oneDBC for each integer. An asymptotic lower bound of the Hamming weights of DBCsis shown in Theorem 2. Its proof is shown in Appendix A.6.

14 W. Yu et al.

Theorem 2 An asymptotic lower bound of the average Hamming weights of canonic

DBCs for (logn)−bit integers is logn8.25 .

All existing algorithms confirm the asymptotic lower bound of Theorem 2. The

average Hamming weight of binary representation is 0.5logn, that of NAF is logn3 ,

that of the DBC produced by binary/ternary approach is 0.2284logn [2], and that ofthe DBC produced by tree approach is 0.2154logn [3]. The Hamming weights of the

DBCs produced by these algorithms are still a long way from the lower bound logn8.25 in

Theorem 2.

Fig. 1. The Hamming weight of canonic DBCs of integers

0 100 200 300 400 500 600 700 800 900 1,0000.18

0.19

0.2

bits of integers (logn)

Ham

min

gw

eigh

tdiv

ided

by

log

n

The average Hamming weight of canonic DBCs of integers is shown as Figure1. The data is gained by Algorithm 3 which will be given in Section 6 for 1000random integers for each size. It is 0.19713logn for 100−bit integers, 0.190165lognfor 200−bit integers, 0.18773logn for 300−bit integers, 0.186158logn for 400−bitintegers, 0.185124logn for 500−bit integers, 0.184568logn for 600−bit integers,0.183913logn for 700−bit integers, 0.183579logn for 800−bit integers, 0.183153lognfor 900−bit integers, 0.182887logn for 1000−bit integers, 0.181867logn for 1500−bitintegers, 0.181101logn for 2000−bit integers, 0.180495logn for 2500−bit integers,and 0.179822logn for 3000−bit integers. This value of the Hamming weight givenfor 3000−bit integers still has a distance from the lower bound given in Theorem 2.The Hamming weight divided by logn is decreased as the integers become larger.

The bound of the average Hamming weight of extended DBCs [30] where C =±1,±3, . . . is logn

9.57 when |C | = 4, logn10.32 when |C | = 6, logn

10.84 when |C | = 8, logn11.25 when

|C | = 10, logn11.57 when |C | = 12, logn

11.85 when |C | = 14, logn12.09 when |C | = 16, logn

12.30 when

|C | = 18, logn12.48 when |C | = 20, and logn

13.19 when |C | = 30.


We will propose an efficient algorithm to generate optimal DBCs.

5 Dynamic Programming Algorithm to Produce Optimal DBCs

Several algorithms were designed to produce near optimal DBCs such as greedyapproach [1], binary/ternary approach [2], tree approach [3], and mbNAF [13].Doche [16] generalized Erdös and Loxton’s recursive equation of the number ofunsigned chain partition [31] and presented an algorithm to produce a canonic DBC.As Doche’s algorithm requires exponential time, in 2015, Capuñay and Thériault [7]generalized tree approach and improved Doche’s algorithm to produce a canonic

DBC or an optimal DBC in polynomial time, explicitly in O((

logn)4

)bit operations

and O((

logn)3

)bits of memory. This is the first polynomial algorithm to compute

an optimal DBC. In 2017, Bernstein, Chuengsatiansup, and Lange [17] presented

a DAG algorithm to produce an optimal DBC in O((

logn)2.5

)bit operations and

O((

logn)2.5

)bits of memory. Bernstein, Chuengsatiansup, and Lange’s algorithm

was the state-of-the-art.We will employ dynamic programming [32] to produce an optimal DBC.

5.1 Basics for Dynamic Programming Algorithm

Dynamic programming [32] solves problems by combining the solutions of subprob-lems. Optimal substructure and overlapping subproblems are two key characteristicsthat a problem must have for dynamic programming to be a viable solution tech-nique.

Optimal Substructure We will show our problem has optimal substructure, i.e., anoptimal solution to a problem contains optimal solutions to subproblems. First, wedefine sub-chain.

Definition 5 (Sub-chain) A DBCl∑

i=1ci 2bi 3ti is a sub-chain of a DBC

l0∑j=1

a j 2d j 3e j , if

it satisfies both of the following conditions:

1. bl ≤ dl0 , tl ≤ el0 , and l ≤ l0;2. For each i satisfies 1 ≤ i ≤ l , there exists one j satisfying ci = a j ,bi = d j , and

ti = e j .

Let w(b, t ) (resp. w(b, t )) be one of the DBCs in Φ(b, t ) (resp. Φ(b, t )) with thesmallest Hamming weight. The optimal substructure of the problem of findingw(b, t ) (resp. w(b, t )) is shown in Lemma 4. Its proof is shown in Appendix A.7.

Lemma 4 Let w(b, t ) be a minimal chain for nb,t in Φ(b, t ) and w(b, t ) be a minimalchain for nb,t in Φ(b, t ). If w(b, t ) or w(b, t ) contains a sub-chain w(i , j ) for ni , j , thenw(i , j ) is minimal for ni , j inΦ(i , j ); If w(b, t ) or w(b, t ) contains a sub-chain w(i , j ) forni , j , then w(i , j ) is minimal for ni , j in Φ(i , j ).

16 W. Yu et al.

Lemma 4 shows that the problem of finding a minimal chain has optimalsubstructure. We can partition this problem into subproblems. These subproblemsmay share the same new problems. For example, subproblems for nb,t−1 and sub-problems for nb−1,t share the same problems for nb−1,t−1 and for nb−1,t−1.

Overlapping Subproblems When a recursive algorithm revisits the same problemover and over again rather than always generating new problems, we say thatthe optimization problem has overlapping subproblems. Dynamic programmingalgorithms typically take advantage of overlapping subproblems by solving eachsubproblem once and then storing the solution in a table where it can be lookedup when needed.

Based on Lemma 1, using the range of the leading term of a canonic DBC inLemma 2, we simplify the possible sources of w(b, t ) and w(b, t ) shown as Lemma5. Its proof is shown in Appendix A.8.

Lemma 5 Let n be a positive integer, b ≥ 0, t ≥ 0, and b + t > 0.

1. Ifnb,t

2b−13t−1 < 2, then

w(b, t ) =minL

w(b −1, t ),w(b, t −1),2b3t−1 + w(b, t −1)

,

w(b, t ) =−2b−13t + w(b −1, t ).

2. If 2 ≤ nb,t

2b−13t−1 < 3, then

w(b, t ) =minL

w(b −1, t ),2b−13t + w(b −1, t ),2b3t−1 +w(b, t −1)

,

w(b, t ) =−2b−13t + w(b −1, t ).

3. If 3 ≤ nb,t

2b−13t−1 < 4, then

w(b, t ) =2b−13t +w(b −1, t ),

w(b, t ) =minL−2b−13t +w(b −1, t ), w(b −1, t ),−2b3t−1 + w(b, t −1)

.

4. Ifnb,t

2b−13t−1 ≥ 4, then

w(b, t ) =2b−13t +w(b −1, t ),

w(b, t ) =minL

w(b −1, t ),−2b3t−1 +w(b, t −1),w(b, t −1)

.

We give some conventions for initial values of w(b, t ) and w(b, t ). If b < 0 or t < 0,w(b, t ) = w(b, t ) = NULL. If b ≥ 0, t ≥ 0, and nb,t = 0, then w(b, t ) = 0 and w(b, t ) =NULL.

Lemma 5 reveals the relationship between problems of finding w(b, t ) and w(b, t )and problems of finding their subproblems. Dynamic programming is efficient whena given subproblem may arise from more than one partial set of choices. Eachproblem of finding w(b, t ) and w(b, t ) has at most 4 partial sets of choices. Thekey technique in the overlapping subproblems is to store the solution of each suchsubproblem in case it should reappear.


5.2 Dynamic Programming to Compute an Optimal DBC

The main blueprint of our dynamic programming algorithm to produce an optimalDBC contains four steps.

1. Characterize the structure of an optimal solution whose two key ingredients areoptimal substructure and overlapping subproblems.

2. Recursively define the value of an optimal solution by minL.3. Compute a DBC with the smallest Hamming weight and its leading term dividing

2b3t for each nb,t and nb,t in a bottom-up fashion.4. Construct an optimal DBC from computed information.

The dynamic programming algorithm to compute an optimal DBC is shown asAlgorithm 2. In Algorithm 2, set B = 2n in general cases, and set B = 9n

7 in the caseD = T = 0 by Lemma 2.

Algorithm 2 Dynamic programming to compute an optimal DBCInput: a positive integer n, its binary representation nbinary, three non-negative constantsA > 0,D ≥ 0,T ≥ 0Output: an optimal DBC for n1. If D = 0 and T = 0, B ← 9n

7 , else B ← 2n. w(0,0) ← 0, w(0,0) ← NULL, wmin ← nbinary

2. For b from 0 to⌊

logB⌋

, w(b,−1) ← NULL, w(b,−1) ← NULL

3. For t from 0 to⌊

log3 B⌋

, w(−1, t ) ← NULL, w(−1, t ) ← NULL, bBound[t ] ←⌊

log B3t

⌋4. For t from 0 to

⌊log3 B

⌋5. For b from 0 to bBound[t ]6. If b + t > 0, compute w(b, t ) and w(b, t ) using Lemma 5

7. If n > nb,t , wmin ← minV

2b 3t +w(b, t ),wmin

8. else if n = nb,t , wmin ← minV

w(b, t ),2b 3t + w(b, t ),wmin

9. return wmin

In Lines 1−3 of Algorithm 2, the initial values of w(0,0), w(0,0), wmin, w(b,−1),w(b,−1), w(−1, t ) and w(−1, t ) are given. wmin stores the resulting DBC for n whoseinitial value is nbinary, i.e., the binary representation of n.

In the Lines 4− 8 of Algorithm 2, a two-layer cycle computes a DBC wmin. Line6 shows that the problem of computing w(b, t ) and w(b, t ) are partitioned intosubproblems of computing w(b − 1, t ), w(b − 1, t ), w(b, t − 1), and w(b, t − 1) usingLemma 5. This is a bottom-up fashion. For the same t , we compute w(0, t ) (the samefor w(0, t )); next, compute w(1, t ), . . ., w

(⌊log B

3t

⌋, t

). Since w(b, t −1) and w(b, t − 1)

have been computed by Lines 4 and 6 in the last loop of t and w(b−1, t ) and w(b−1, t )have been computed by Lines 5 and 6 in the last loop of b, we compute w(b, t ) andw(b, t ) successfully. Using these results to solve the subproblems recursively, we canavoid calculating a problem twice or more.

By Lemma 4 and the bottom-up fashion, w(b, t ) and w(b, t ) have been computedby Algorithm 2 for all b and t satisfying 2b3t < B . We will show that the DBC returnedby Algorithm 2 is an optimal DBC in Theorem 3. Its proof is shown in Appendix A.9.

18 W. Yu et al.

Theorem 3 Algorithm 2 produces a canonic DBC when D = T = 0, and an optimalDBC when D +T > 0.

Algorithm 2 has a procedure of 4 steps of dynamic programming. Step 1 is shownas Section 5.1. We employ minL to define the value of an optimal solution recursivelyin Step 2. Lines 4− 6 are the Step 3 of the sequence of this dynamic programming.Lines 4,7, and 8 are the Step 4 of the sequence of this dynamic programmingalgorithm. By the definition of nb,t and nb,t , only one of n −nb,t = 2b3t and n = nb,t

is executed (Lines 7,8). When we generate an optimal DBC and B = 2n, Line 8 will beexecuted.

The Lines 4 and 5 of Algorithm 2 show a two-layer cycle and can be replaced as

“4. For b from 0 to⌊

logB⌋

, 5. For t from 0 to⌊

log3B2b

⌋". The replacement does not

affect the DBC returned by Algorithm 2. The variable of b is in outer cycle, and thevariable of t is in the inner cycle in Algorithm 2. Then this algorithm requires moreoperations of 3 or 3t . The change may lead to the recoding process of this algorithma bit slower for original Algorithm 2 requires more operation of 2 or 2b . If we chooseB = 2n, Algorithm 2 still generates a canonic DBC when A > 0,D = 0,T = 0. This alsoleads to a slower recoding procedure.

Three examples of generating canonic DBC for 100 and generating optimal DBCsfor 100 and 1000 are shown in Appendix B.2.

If one wants to generate a different optimal DBC or canonic DBC, one possibilityis to adjust the function minL and minV when two or more DBCs have the samevalue. Doing this, we can favor doubling or tripling. In our algorithm, we favortripling.

Optimal DBCs are usually varied with Hamming weight by different costs of pointoperations. Canonic DBCs returned by Algorithm 2 are with the same Hammingweight and are not affected by the cost of point operations. Take a positive integer⌊π×1020

⌋ = 314159265358979323846 for example. Its optimal DBC returned byAlgorithm 2 is 23033+22832+22032−21731−21630−2830+2330−2030 with Hammingweight 8 for EW 0.8. The value of the cost of this DBC is 319.2. Its optimal DBCreturned by Algorithm 2 is 219310 + 213310 − 21238 + 2936 + 2635 + 2332 − 2030 withHamming weight 7 for EW 1. The value of the cost of this DBC is 358. This DBCwith Hamming weight 7 is one of the canonic DBCs of

⌊π×1020

⌋. The canonic and

optimal DBCs of⌊π×10240

⌋is shown in Appendix C.3 and C.4.

5.3 The Time Complexity and Space Complexity of Algorithm 2

The running time of a dynamic programming algorithm depends on the product oftwo factors: the number of subproblems overall and how many choices we look atfor each subproblem. Our dynamic programming algorithm has (logn+1)(log3 n+1)subproblems. If we store the value of nb,t and n/(2b3t ) for the use of next cycle, each

subproblems requires O(logn

)bit operations. Algorithm 2 terminates in O

((logn

)3)

bit operations. The details are illustrated by Figure 2. Each node (b, t ) of computing⌊nb,t

2b−13t−1

⌋, w(b, t ), and w(b, t ) requires O

(logn

)bit operations.


Fig. 2. The procedure of our dynamic programming algorithm

b

t

1

2

3

...

log3 n −1

log3 n

log3 n +1

0 1 2 3 4 5 6 7 8 . . .logn

b + log3 · t = logB

requires O(logn

)bit operations

If the powers of 2 and 3 are recorded by their differences as Remark 5 of Capuñay

and Thériault’s work [6], our algorithm terminates in O((

logn)2

)bits of memory.

The details are shown as follows. The term ci 2bi 3ti in the chain is stored as thepair (ci ,bi , ti ). For example, 1000 = 210 −25 +23 is recorded as (1,3,0), (−1,2,0), and(1,5,0). If DBCs are recorded as their difference with the previous term, then the

memory requirement per chain is O(logn

). Thus, Algorithm 2 requires O

((logn

)2)

bits of memory.We will focus on improving the time complexity of Algorithm 2.

6 Equivalent Representatives for Large Numbers

The most time-consuming part of Lemma 5 is to computenb,t

2b−13t−1 . It can beimproved by reduced representatives for large numbers [17]. Bernstein, Chuengsa-tiansup, and Lange [17] noticed that arbitrary divisions of O

(logn

)−bit numbers

take time(logn

)1+o(1) shown in pages 81−86 of “on the minimum computation timeof functions” by Cook [33]. Based on this novel representative, the time complexityof dynamic programming algorithm is shown as Figure 3. In Figure 3, α′ = (logB)0.5

and β′ = (log3 B)0.5. Each node (b, t ) satisfyingα′|b or β′|t is named a boundary nodein Figure 3. Each boundary node requires logn bit operations and each of the other

nodes requires(logn

)0.5 bit operations. Then Algorithm 2 terminates in O((

logn)2.5

)bit operations using reduced representatives.

Motivated by their reduced representatives for large numbers, we will give a newrepresentative named equivalent representative.

Definition 6 (Equivalent representative) If one expression of an integer n′ is equal

to the value of⌊

nb,t

2b−13t−1

⌋in Lemma 5, then n′ is an equivalent representative of n.

Our equivalent representative is a generalization of Bernstein, Chuengsatiansup,and Lange’s reduced representative. Reduced representatives for large numbers do

20 W. Yu et al.

Fig. 3. The procedure of our dynamic programming algorithm using the trick in [17]

b

t

0

1

...

β′−1

β′β′+1

...

2β′−1

2β′2β′+1

...

log3 n

log3 n +1

1 2 . . .α′ −2 α′ −1 α′ α′ +1 α′ +2 . . . 2α′ −1 2α′ 2α′ +1 . . . logn


requires O(logn

)bit operations requires O

((logn

)0.5)

bit operations

not work for logn+ log3 n boundary nodes. Our equivalent representatives will solvethis problem.

6.1 Use Equivalent Representatives in Algorithm 2

We employ equivalent representatives to improve the recode procedure of Algorithm2 shown as Algorithm 3. n1 is an equivalent representative in Algorithm 3 shown byClaim 2. The proof is shown as Appendix A.10.

Claim 2 Let n1′ =

⌊6·n

2ii1 ·α21 3jj1 ·β2

1

⌋%

(2α

21+13β

21+1

), n1 =

⌊n1

′2i1 ·α1 3 j1 ·β1

⌋%

(2α1+13β1+1

),α1 =⌊(

logB) 1

3

⌋, β1 =

⌊(logB

) 13

⌋, b = ii1 ·α2

1 + i1 ·α1 + i , t = jj1 ·β21 + j1 ·β1 + j , i1 ≥ 0, j1 ≥ 0,

0 ≤ i <α, 0 ≤ j <β shown as Algorithm 3. Then(⌊

n12i 3 j

⌋%6

)=

⌊nb,t

2b−13t−1

⌋.

Notice that t = jj1 ·β21 + j1 ·β1 + j , b = ii1 ·α2

1 + i1 ·α1 + i in Line 11 of Algorithm 3.Algorithm 3 is similar as Algorithm 2 whose total cycles are at most logB log3 B .

Algorithm 3 uses a trick of an equivalence representative n1. The middle variablen′

1 is used to calculate the equivalent representative n1. Each n′1 is a O

(α2

1

)-bit

integers shown as Algorithm 3. There are at most

(⌊log3 B

β21

⌋+1

)(⌊logBα2

1

⌋+1

)such

numbers n′1, i.e., O

(α2

1

). Calculating each n′

1 requires O(logn

)bit operations. Calcu-

lating all n′1 requires O

((logn

) 53

)bit operations. Calculating each representative n1

requires O(α2

1

)bit operations. Then calculating equivalent representatives requires

O((

logn)2

)bit operations.

Based on equivalent representatives, each node (b, t ) requires O (α1) bit opera-

tions.(logB

)·(log3 B)

nodes requiring O((

logn) 7

3

)bit operations. The time complex-

ity of Algorithm 3 is shown in Lemma 6.


Algorithm 3 Dynamic programming to compute an optimal DBC using equivalentrepresentatives onceInput: a positive integer n and its binary representation nbinary, three non-negative constantsA > 0,D ≥ 0,T ≥ 0Output: an optimal DBC for n1. Lines 1−3 of Algorithm 2

2. α0 ← ⌊logB

⌋, β0 ← ⌊

log3 B⌋

, α1 ←⌊(

logB) 1

3⌋

, β1 ←⌊(

logB) 1

3⌋

3. For jj1 from 0 to⌊

log3 Bβ2

1

⌋+1

4. For ii1 from 0 to⌊

bBound[ j ·β21]

α21

⌋+1

5. n1′ ←

⌊6·n

2ii1 ·α21 3jj1 ·β2

1

⌋%

(2α

21+13β

21+1

)6. For j1 from 0 to β1 −17. For i1 from 0 toα1 −1

8. n1 ←⌊

n1′

2i1 ·α1 3 j1 ·β1

⌋%

(2α1+13β1+1

)9. For j from 0 to β1 −110. For i from 0 toα1 −111. t ← jj1 ·β2

1 + j1 ·β1 + j ,b ← ii1 ·α21 + i1 ·α1 + i

12. If b + t > 0& b <bBound[t]& t ≤ ⌊log3 B

⌋13. compute w(b, t ), w(b, t ) using Lemma 5

.⌊

nb,t

2b−13t−1

⌋is calculated by

(⌊n1

2i 3 j

⌋%6

)14. else if b = bBound[t ] & t ≤ ⌊

log3 B⌋

, Lines 7,8 of Algorithm 215. return wmin

Lemma 6 Algorithm 3 terminates in O((

logn)2+ 1

3

)bit operations.

The details of the time cost of Algorithm 3 are shown as Figure 4.Remark: In the implementation of Algorithm 3, Line 8 can be implemented as 1.

Before Line 7, we calculaten′

1

3 j1 ·β1. 2. In Line 8, calculate n1 ←

ÌÌÌÊ n′13 j1 ·β1

2i1 ·α1

ÍÍÍË%2α1+13β1+1.

Calculating n′1 and t also can use this trick. This version of Algorithm 3 is easy to

understand and easy to explain the process of equivalent representatives. Moreover,this trick can be used in Algorithm 4.

An example to find an optimal DBC for 1000 on Weierstrass form elliptic curve byAlgorithm 3 using equivalent representatives is shown in Appendix B.3.

Based on Algorithm 3, we will use equivalent representatives repeatedly.

6.2 Dynamic Programming using Equivalent Representatives k-th

We generate Algorithm 3 and use equivalent representatives k-th in Algorithm 2

shown as Algorithm 4.⌊

nb,t

2b−13t−1

⌋in Lemma 5 is calculated by

(⌊nk

2i 3 j

⌋%6

). Algorithm

3 is a special case of Algorithm 4 with k = 1.

22 W. Yu et al.

Fig. 4. The procedure of Algorithm 3 using equivalent representatives

b

t

0

1

...

β1 −1

β1

β1 +1

...

β21 −1

β21

β21 +1

...

log3 n

log3 n +1

......

. . .

. . .

1 2 . . . α1 −2 α1 −1 α1 α1 +1 α1 +2 . . .α2

1 −2 α21 −1 α2

1α2

1 +1 α21 +2

. . .logn


requires O (logn) bit operations requires O((

logn)2/3

)bit operations requires O

((logn

)1/3)

bit operations

When y = 0, α0 in Line 4 of Algorithm 4 can be replaced by bBound[ j ·β21] to get

a high speed. The condition of Line 12 of Algorithm 4 is that βy is a factor of βy−1

and αy is a factor of αy−1 for 2 ≤ y ≤ k. Otherwise, let ty = j +∑kx=y

(jjx ·β2

x + jx ·βx)

and by = i +∑kx=y

(iix ·β2

x + ix ·βx). For 2 ≤ y ≤ k, by < αy is required when αy is not

a factor of αy−1, and ty <βy is required when βy is not a factor of βy−1.The time complexity of Algorithm 4 is shown in Theorem 4. Its proof is shown in

Appendix A.11.

Theorem 4 Algorithm 4 terminates in O((

logn)2

((logn

) 13k +k + loglogn

))bit oper-

ations. It requires O((

logn)2 loglogn

)bit operations when k = log3 logn.

Notice that α2 ≤ 7 when n < 2134217728. Then k in Algorithm 4 is usually 1 or 2.Algorithms 2, 3, and 4 generate the same DBC with the same A, D , T , and n.

6.3 Comparison of These Algorithms

The time complexity, space complexity, and method of Doche’s algorithm [16],Capuñay and Thériault’s algorithm [7], Bernstein , Chuengsatiansup, and Lange’salgorithm [17], and Algorithms 2− 4 are summarized in Table 4. Table 4 shows theadvantage of our dynamic programming algorithms.

From the time costs of different algorithms to generate optimal DBCs in Table 5,Algorithm 4 is about 20,25,28,32, and 40 times faster than Capuñay and Thériault’salgorithm and 6.1,6.6,7.7,8.7, and 9.3 times faster than Bernstein, Chuengsatiansupand Lange’s algorithm for each size ranges in 256,384,512,640, and 768 respectively.As the integer becomes larger, Algorithm 4 will gain more compared to Bernstein,Chuengsatiansup and Lange’s algorithm.


Algorithm 4 Dynamic programming to compute an optimal DBC using equivalentrepresentatives k-thInput: a positive integer n, a positive integer k, and its binary representation nbinary, threenon-negative constants A > 0,D ≥ 0,T ≥ 0Output: an optimal DBC for n1. Lines 1−3 of Algorithm 2, n0 ← 6 ·n

2. For y from 0 to k, αy ←⌊(

logB) 1

3y⌋

,βy ←⌊(

log3 B) 1

3y⌋

3. For jjy from 0 to⌊βy−1

β2y

⌋+1

4. For iiy from 0 to⌊αy−1

α2y

⌋+1

5. ny′ ←

⌊ny−1

2iiy ·α2

y 3jjy ·β2

y

⌋%

(2α

2y+13β

2y+1

)6. For jy from 0 to βy −17. For i y from 0 toαy −1

8. ny ←⌊

ny′

2i y ·αy 3 jy ·βy

⌋%

(2αy+13βy+1

). For each y from 1 to k, Lines 3-8 are repeatedly as y is outer loop and y +1 is inner loop9. For j from 0 to βk −110. For i from 0 toαk −1

11. t ←∑ky=1

(jjy ·β2

y + jy ·βy

)+ j ,b ←∑k

y=1

(iiy ·α2

y + i y ·αy

)+ i

12. If b + t > 0& b < bBound[t ]& t ≤ ⌊log3 B

⌋13. compute w(b, t ), w(b, t ) using Lemma 5

.⌊

nb,t

2b−13t−1

⌋is calculated by

(⌊nk

2i 3 j

⌋%6

)14. else if b = bBound[t ] & t ≤ ⌊

log3 B⌋

, Lines 7,8 of Algorithm 215. return wmin

Table 4. Comparison of algorithms to generate optimal DBCs

algorithm time complexity (O ) space complexity (O ) method

Doche [16] exponential(logn

)2 enumeration

CT [7](logn

)4 (logn

)3 two cycles

BCL [17](logn

)2.5 (logn

)2.5 DAG

Algorithm 2 (new)(logn

)3 (logn

)2 dynamic programming


)2+ 13

(logn

)2 using equivalent representatives


)2 loglogn(logn

)2 using equivalent representatives (log3 logn)−th

Table 5. Time Costs of different algorithms to generate optimal DBCs in million cpu cycles forintegers with different size

256−bit 384−bit 512−bit 640−bit 768−bit

CT [7] 41.9 106 217 386 645

BCL [17] 12.1 28.9 60.1 108 164

Algorithm 4 (new) 1.98 4.32 7.72 11.8 18.0

6.4 The Hamming Weights and Leading Terms of Canonic DBCs and OptimalDBCs

The Hamming weights and leading terms of the DBC produced by greedy ap-proach [1] (greedy-DBC), canonic DBCs, and optimal DBCs are shown in Table 6

24 W. Yu et al.

for the same 1000 integers by Algorithm 3. The Hamming weight of NAF is logn3 .

The Hamming weight of mbNAF, that of the DBC produced by binary/ternaryapproach(bt-DBC), and that of the DBC produced by tree approach (tree-DBC) are0.2637logn, 0.2284logn, and 0.2154logn respectively and the leading terms are20.791logn30.1318logn , 20.4569logn30.3427logn , and 20.5569logn30.2796logn respectively. TheHamming weights of canonic DBCs are usually smaller than those of optimal DBCs.By Table 6, the Hamming weights of optimal DBCs are over 60% smaller than thoseof NAFs. As the integer becomes larger, the Hamming weight dividing logn will besmaller with a limitation 1

8.25 by Theorem 2. Please refer to Figure 1 to get more detailsof the Hamming weight of canonic DBCs.

Table 6. Hamming weights and leading terms of optimal DBCs on elliptic curves with differentsize

256−bit 384−bit 512−bit 640−bit 768−bit

Hamming weight 62.784 94.175 125.48 155.307 188.764greedy-DBC [1]

leading term(bl , tl ) 124.282,82.168 183.256,125.779 258.908,159.309 314.954,204.158 384.604,240.957

Hamming weight 48.319 71.572 94.75 118.108 141.097canonic DBC

leading term(bl , tl ) 128.275,80.316 197.183,117.582 261.227,157.903 328.541,196.231 396.162,234.330

optimal DBC Hamming weight 50.027 74.163 98.234 122.544 146.493

EW 0.8 leading term(bl , tl ) 176.675,49.750 265.369,74.549 353.175,99.895 444.538,123.015 532.690,148.162

optimal DBC Hamming weight 49.393 73.210 96.993 121.134 144.684

EW 1 leading term(bl , tl ) 169.026,54.578 253.989,81.731 338.509,109.154 426.218,134.577 509.540,162.764

We will discuss scalar multiplications using our optimal DBCs.

7 Comparison of Scalar Multiplications

The scalar multiplication algorithm using a DBC is a Horner-like scheme for theevaluation of nP utilizing the DBC of n = ∑l

i=1 ci 2bi 3ti as nP = ∑li=1 ci 2bi 3ti P .

Theoretical cost of scalar multiplications on elliptic curves using NAF, greedy-DBC,bt-DBC, mbNAF, tree-DBC, canonic DBC, and optimal DBC on EW 0.8 and EW 1 areshown in Table 7.

Table 7 shows that scalar multiplication using an optimal DBC is more efficientthan that using a canonic DBC. Scalar multiplication using an optimal DBC on EW 0.8and EW 1 is about 13% and 13% faster than that using NAF, 7.5% and 7.1% faster thanthat using greedy-DBC, 6.5% and 6% faster than that using bt-DBC, 7% and 7% fasterthan that using mbNAF, 4% and 4% faster than that using a tree-DBC, and 0.9% and0.7% faster than that using a canonic DBC respectively. Scalar multiplication usingan optimal DBC is usually faster than that using a canonic DBC. Take

⌊π×10240

⌋on EW 1 for example, scalar multiplication using our optimal DBC is 14% faster and3.8% faster than that using NAF and tree-DBC respectively. The details are shown inAppendix C.

In Table 7, the value of TD on EW 0.8 is greater than that on EW 1. The ratio of

the cost of scalar multiplication using an optimal DBC to that using NAF on EW

0.8 is greater than that on EW 1 for integers of each size in Table 7. The ratio of


Table 7. Theoretical costs of scalar multiplications on elliptic curves using optimal DBC,canonic DBC, tree-DBC, and NAF in M

bits of n representation 256−bit 384−bit 512−bit 640−bit 768−bit

NAF 2652 3983 5315 6646 7977

greedy-DBC [1] 2535 3818 5089 6351 7643

bt-DBC [2] 2510 3771 5031 6291 7552

EW 0.8 mbNAF [13] 2521 3787 5052 6318 7583

tree-DBC [3] 2452 3683 4914 6146 7377

canonic DBC(this work) 2393 3582 4774 5967 7155

optimal DBC(this work) 2364 3543 4722 5902 7080

NAF 2976 4469 5962 7456 8949

greedy-DBC [1] 2824 4252 5671 7075 8516

bt-DBC [2] 2796 4200 5603 7007 8410

EW 1 mbNAF [13] 2824 4241 5659 7076 8494

tree-DBC [3] 2738 4113 5488 6862 8237

canonic DBC(this work) 2671 4000 5332 6664 7991

optimal DBC(this work) 2649 3970 5292 6615 7936

the improvement of scalar multiplication using an optimal DBC compared to NAFis increasing as the value of T

D becomes larger.A constant-time software implementation is used to protect the scalar multipli-

cation algorithms for avoiding some side-channel attacks by side channel atomicity.Multiplication and squaring are both executed by one multiplication and two addi-tions. For each size ranges in 256,384,512,640, and 768, we generate a prime numberp with the same size and create a random curve for EW over a finite field Fp . Scalarmultiplications using NAF, greedy-DBC, bt-DBC, mbNAF, tree-DBC, canonic DBC,and optimal DBC are shown in Table 8.

Table 8. Experimental cost of scalar multiplications on elliptic curves using optimal DBC,canonic DBC, tree-DBC, and NAF on EW in million cpu cycles

representation 256−bit 384−bit 512−bit 640−bit 768−bit

NAF 4.038 8.151 13.94 22.34 34.05

greedy-DBC [1] 3.836 7.751 13.27 21.23 32.43

bt-DBC [2] 3.798 7.656 13.12 21.02 32.03

mbNAF [13] 3.837 7.731 13.25 21.23 32.35

tree-DBC [3] 3.734 7.575 12.92 20.68 31.54

canonic DBC(this work) 3.624 7.279 12.44 19.95 30.35

optimal DBC(this work) 3.594 7.168 12.37 19.83 30.17

Experimental results show that scalar multiplication using an optimal DBC is13% faster than that using NAF, 7% faster than that using greedy-DBC, 6% fasterthan that using bt-DBC, 7% faster than that using mbNAF, and 4.1% faster than thatusing a tree-DBC on EW respectively. Within the bounds of the errors, the practicalimplementations are consistent with these theoretical analyses. The theoreticalanalyses and practical implementations both show that the Hamming weight isnot the only factor affecting the efficiency of scalar multiplications and that scalarmultiplications using optimal DBCs are the fastest.

Those computations do not take the time of producing the expansions intoaccount. The recoding of our optimal DBC takes up a small amount of time to

26 W. Yu et al.

compute scalar multiplication where both take time O((

logn)2 loglogn

)when field

multiplications use FFTs. It can’t be ignored. Optimal DBCs are suitable for comput-ing scalar multiplications when the multiplier n is fixed.

8 Conclusion

We first proposed a polynomial time algorithm to compute the number of DBCsfor a positive integer with a leading term dividing 2b3t . We showed theoreticalresults of the number of DBCs for large b and t and gave an estimate of thisnumber. The asymptotic lower bound of the Hamming weights of DBCs produced

by any algorithm for n is linear logn8.25 . This result changed the traditional idea that

the asymptotic lower bound of the Hamming weight of a DBC produced by any

algorithm may be sub-linear lognloglogn . The time complexity and the space complexity

of our dynamic programming algorithm to produce an optimal DBC were both thestate-of-the-art. The recoding procedure of our algorithm was more than 20 timesfaster than Capuñay and Thériault’s algorithm and more than 6 times faster thanBernstein, Chuengsatiansup, and Lange’s algorithm.

Let S(i ) denote the smallest positive integer whose Hamming weight of itscanonic DBCs is i . Our dynamic programming algorithm allowed us to find S(i )for i ≤ 12 immediately where S(1) = 1, S(2) = 5, S(3) = 29, S(4) = 173, S(5) = 2093,S(6) = 14515, S(7) = 87091, S(8) = 597197, S(9) = 3583181, S(10) = 34936013, S(11) =263363789, and S(12) = 1580182733. This numerical fact provides a good impressionabout the sparseness of DBCs.

The cost function in this study was associated with P +Q, 2P , and 3P for scalarmultiplications. A direct promotion of the cost function is defined by P +Q, P −Q,2P , 2P +Q, 3P , and 3P +Q. As the cost function is defined more precisely, an optimalDBC will improve scalar multiplications more. The optimal DBC can be directlygeneralized to a DBC with a large coefficient set of integers. Algorithm 1 can begenerated to calculate the number of triple-base chains, and Algorithms 2− 4 canbe extended to produce optimal extended DBCs and optimal triple-base chains.

Acknowledgments

The authors would like to thank the anonymous reviewers for many helpful com-ments of Eurocrypt 2020 and thank Guangwu Xu, Kunpeng Wang, Song Tian andBei Liang for their helpful suggestions, especially for Guangwu Xu’s suggestions onthe parts of "Abstract" and "Introduction". This work is supported by the NationalNatural Science Foundation of China (Grants 61872442, 61502487, and 61772515)and the National Cryptography Development Fund (No.MMJJ20180216). W. Yu issupported by China Scholarship Council (No. 201804910201).

References

1. Dimitrov V., Imbert L., Mishra P.K.: Efficient and secure elliptic curve point multiplicationusing double-base chains, Advances in Cryptology - ASIACRYPT 2005, Springer, LNCS3788, pp. 59-78, 2005. 1, 3, 2.2, 1, 3, 4, 5, 6.4, 6, 7, 8


2. Ciet M., Joye M., Lauter K., Montgomery P.L.: Trading inversions for multiplications inelliptic curve cryptography, Designs, codes and cryptography 39(6), pp. 189-206, 2006. 1,3, 4.2, 5, 7, 8

3. Doche C., Habsieger L.: A tree-based approach for computing double-base chains, ACISP2008, LNCS 5107, pp. 433-446, 2008. 1, 2, 3, 4.2, 4.2, 5, 7, 8

4. Imbert L., Philippe F.: strictly chained (p, q)−ary partitions, Contibutions to DiscreteMatheimatics 2010, pp.119-136, 2010. 1, 3, 3.1, 3.1

5. Lou T., Sun X., Tartary C.: Bounds and trade-offs for double-base number systems,Information Processing Letters, vol. 111, no. 10, pp. 488-493, 2011. 1, 4.2, 4.2

6. Zhao C.A., Zhang F.G., Huang J.W.: Efficient Tate pairing computation using double-basechains, Sci. China Ser. F 51 , no. 8, pp. 1096-1105, 2008. 1, 3, 5.3

7. Capuñay A., Thériault N.: Computing optimal 2-3 chains for pairings. LATINCRYPT 2015,Springer-Verlag, volume 9230, pp. 225-244, 2015. 1, 3, 4, 2.2, 3.1, 3.1, 4.1, 5, 6.3, 4, 5

8. Doche C., Kohel D., Sica F.: Double base number system for multi-scalar multiplications,EUROCRYPT 2009, LNCS 5479, pp. 502-519, Springer, 2009. 1

9. Adikari J., Dimitrov V.S., Imbert L.: Hybrid binary ternary number system for elliptic curvecryptosystems, IEEE Trans. Computers, vol. 60, pp. 254-265, Feb. 2011. 1

10. Doche C., Sutantyo D.: New and improved methods to analyze and compute double-scalar multiplications, IEEE Trans. Computers, 63(1), pp. 230-242, 2014. 1

11. Avanzi R.M., Dimitrov V.S., Doche C., Sica F.: Extending scalar multiplication using doublebases. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 130-144. Springer,Heidelberg, 2006. 1

12. Mishra P.K., Dimitrov V.S.: Efficient quintuple formulas for elliptic curves and efficientscalar multiplication using multibase number representation, ISC 2007, Springer-Verlag,volume 4779, pp. 390-406, 2007. 1

13. Longa P., Gebotys C.: Fast multibase methods and other several optimizations for ellipticcurve scalar multiplication, in PKC 2009: Proceedings of Public Key Cryptography, LNCS5443, Springer, pp. 443-462, 2009. 1, 5, 7, 8

14. Yu W., Wang K., Li B., Tian S.: Triple-base number system for scalar multiplications,AFRICACRYPT 2013, LNCS 7918, pp. 433-451, 2013. 1

15. Dimitrov V.S., Imbert L., Mishra P.K.: The double-base number system and its applicationto elliptic curve cryptography, Math. Comp. 77, no. 262, pp. 1075-1104, 2008. 1, 2, 3

16. Doche C.: on the enumeration of double-base chains with applications to elliptic curvecryptography, ASIACRYPT 2014, LNCS 8873, pp. 297-316, 2014. 1, 1, 3, 2.2, 3, 4.1, 4.1, 5,6.3, 4

17. Bernstein D.J., Chuengsatiansup C., Lange T.: Double-base scalar multiplication revisited.http://eprint.iacr.org/2017/037 1, 3, 4, 2.2, 4.1, 5, 6, 3, 6.3, 4, 5

18. Cohen H., Miyaji A., Ono T.: Efficient elliptic curve exponentiation using mixedcoordinates, ASIACRYPT 1998, LNCS 1514, Springer, pp.51-65, 1998. 2.1

19. Chevallier-Mames B., Ciet M., Joye M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity, IEEE Trans. Computers, vol. 53, no. 6, pp. 760-768, June 2004. 2.1

20. Longa P., Miri A.: Fast and flexible elliptic curve point arithmetic over prime fields, IEEETrans. Computers, VOL. 57, NO. 3, pp. 289-302, March 2008. 2.1

21. Bernstein D.J., Lange T.: Explicit-formulas database, http://www.hyperelliptic.org/EFD/ 2.1

22. Renes J., Costello C., Batina L.: Complete addition formulas for prime order elliptic curves.Advances in Cryptology - EUROCRYPT 2016, pp. 403-428. Springer, Heidelberg, 2016. 2.1

23. Meloni N., Hasan M.: Elliptic curve scalar multiplication combining Yao’s algorithm anddouble Bases. CHES 2009, LNCS 5747, pp. 304-316, 2009. 2.2

http://eprint.iacr.org/2017/037

http://www.hyperelliptic.org/EFD/

http://www.hyperelliptic.org/EFD/

28 W. Yu et al.

24. Meloni N., Hasan M.: Efficient double bases for scalar multiplication. IEEE Trans.Computers, 64(8), pp. 2204-2212, 2015. 2.2

25. Disanto F., Imbert L., Philippe F.: On the maximal weight of (p,q)-ary chain partitions withbounded parts. https://www.emis.de/journals/INTEGERS/vol14.html 3

26. Scott M.: MIRACL-Multiprecision integer and rational arithmetic cryptographic library,C/C++ Library, ftp://ftp.computing.dcu.ie/pub/crypto/miracl.zip 3.2

27. Chalermsook P., Imai H., Suppakitpaisarn V.: Two Lower Bounds for Shortest Double-BaseNumber System. IEICE Transactions on Fundamentals of Electronics, Communicationsand Computer Sciences, Vol.E98-A, No.6, pp.1310-1312, 2015 4

28. Dimitrov V.S., Howe E.W.: Lower bounds on the lengths of double-base representations,Proceedings of the American mathematical society, vol. 139, Number 10, October,pp.3423-3430, 2011. 4.2

29. Kolmogorov A.N.: On tables of random numbers. Theoretical Computer Science. 207, pp.387-395, 1998. 4.2

30. C. Doche., L. Imbert.: Extended Double-base number system with applications to ellipticcurve cryptography. INDOCRYPT 2006, LNCS 4329, pp. 335-348, 2006. 4.2

31. Erdös P., Loxton J.H.: Some problems in partitio numerorum. J. Austral. Math. Soc. Ser. A27(3), pp. 319-331, 1979. 5

32. Cormen T.H., Leiserson C.E., Rivest R.L., Stein C.: Introduction to algorithms, thirdedition. The MIT Press, Cambridge, Massachusetts London, England, 2009. 5, 5.1

33. Cook S.A.: On the minimum computation time of functions, Ph.D. thesis, Depatment ofMathematics, Harvard University, 1966. URL: https://cr.yp.to/bib/1966/cook.html. 6

A Proofs

A.1 Proof of Lemma 1

Proof.

1. If nb,t = nb−1,t = nb,t−1, nb,t with leading term strictly divides 2b3t . There are

at most four possible sources for Φ(b, t ) including Φ(b − 1, t ), 2b−13tΦ(b − 1, t ),

Φ(b, t −1), and 2b 3t−1Φ(b, t −1).

In this case, Φ(b, t ) has one source(−2b−13t

Φ(b −1, t )). The conclusion is proved.

2. The other cases are discussed similarly.

A.2 Proof of Theorem 1

Proof. We will prove the first case. The other cases are discussed similarly.By Lemma 1, if nb,t < 2b−13t−1,

Φ(b, t ) =Φ(b −1, t )⋃(

2b−13tΦ(b −1, t )

)⋃Φ(b, t −1)

⋃(2b 3t−1

Φ(b, t −1))

,

Φ(b, t ) =(−2b−13t

Φ(b −1, t ))

.

ftp://ftp.computing.dcu.ie/pub/crypto/miracl.zip


|Φ(b−1, t )⋃Φ(b, t −1)| is equal to the cardinality of setΦ(b−1, t ) adds the cardi-

nality of the setΦ(b, t−1) and minuses the cardinality of the setΦ(b−1, t )⋂Φ(b, t−1).

When nb,t < 2b−13t−1, Φ(b −1, t )⋂Φ(b, t −1) is the number of the DBCs of nb−1,t−1

with a leading term dividing 2b−13t−1 which is |Φ(b −1, t −1)|+ |Φ(b −1, t −1)|. Then|Φ(b −1, t )

⋃Φ(b, t −1)| = |Φ(b −1, t )|+ |Φ(b, t −1)|− |Φ(b −1, t −1)|− |Φ(b −1, t −1)|.

Thus

|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(b −1, t )|+ |Φ(b, t −1)|+ |Φ(b, t −1)|− |Φ(b −1, t −1)|− |Φ(b −1, t −1)|,

|Φ(b, t )| =|Φ(b −1, t )|.

When nb,t = i · 2b−13t−1,0 < i ≤ 5, the variants nb−1,t−1, nb,t−1, or nb−1,t mayappear irregularly. For example, in Case 2 of Theorem 1, nb−1,t−1 = 0 when nb,t =2b−13t−1. Then we should specially verify the cases nb,t = i · 2b−13t−1,0 < i ≤ 5.Fortunately, Φ(b, t ), and Φ(b, t ) are still correctly calculated in this special situationby the definitions of nb,t and nb,t .

A.3 Proof of Corollary 2

Proof. 1. By Theorem 1, if n < 2b3t−1, then |Φ(b, t )| = |Φ(b −1, t )|. Thus |Φ(b, t )| = 0when t ≥ tτ.

If t > tτ, nb,t < 2b−13t−1.

Then |Φ(b, t )|− |Φ(b, t −1)| = |Φ(b −1, t )|− |Φ(b −1, t −1)|.Thus,

|Φ(b, t )|− |Φ(b, t −1)| =|Φ(b −1, t )|− |Φ(b −1, t −1)|=|Φ(b −2, t )|− |Φ(b −2, t −1)|= . . .

=|Φ(0, t )|− |Φ(0, t −1)|=0.

The conclusion |Φ(b, t )| = |Φ(b, tτ)| when t ≥ tτ has been proved.

2. By Theorem 1, if n < 2b3t−1, then |Φ(b, t )| = |Φ(b − 1, t )|. We have |Φ(b, t )| =|Φ(bτ, t )| when b > bτ.

Thus, when b > b0,

|Φ(b, t )| =|Φ(b −1, t )|+ |Φ(bτ, t )|+ |Φ(b, t −1)|− |Φ(b −1, t −1)|.

30 W. Yu et al.

We deduce as follows.

|Φ(b, t )|− |Φ(b −1, t )|=|Φ(b, t −1)|− |Φ(b −1, t −1)|+ |Φ(bτ, t )|

=|Φ(b, t −2)|− |Φ(b −1, t −2)|+t∑

i=t−1|Φ(bτ, i )|

...

=|Φ(b,0)|− |Φ(b −1,0)|+t∑

i=1|Φ(bτ, i )|

=|Φ(b −1,0)|+t∑

i=1|Φ(bτ, i )|

=|Φ(bτ,0)|+t∑

i=1|Φ(bτ, i )|

=t∑

i=0|Φ(bτ, i )|.

Thus

|Φ(b, t )|− |Φ(bτ, t )| = (b −bτ)

(t∑

i=0|Φ(bτ, i )|

).

3. It is deduced from Items 1 and 2.


Proof of the range of the leading term of optimal DBCs

Proof. Let ri = 2bi 3ti . Then n =∑li=1 ci ri , cl = 1,ci ∈ ±1 for 1 ≤ i ≤ l−1 is an optimal

DBC. The total cost is bl D+ tl T +(l −1)A. Let ai = riri−1

, 2 ≤ i ≤ l . If rl < n, then rl > n2 .

We first prove that there is at most one term of each optimal DBC is greater thanor equal to n. Let j be the index satisfying that r j Ê n and r j−1 < n. Then r j |∑l

i= j ci ri .

Let∑l

i= j ci ri = a · r j . If a Ê 2 which leads a contradiction that n = a · r j +∑ ji=1 ci ri >

a · r j −2r j+1 Ê r j Ê n. Thus, at most one term of an optimal DBC is greater than orequal to n.

If rl Ê 3n, then n = rl +∑l−1

i=1 ci ri > rl −2rl−1 > n. Thus, rl < 3n.We will prove that 2n ≤ rl < 3n is impossible. If l = 1, rl = n is the only possible

optimal DBC of n. If l = 2, 2n ≤ rl < 3n and rl−1 < 3n lead to a contradiction. Now,we address the case of l ≥ 3. If cl−1 = 1, then rl < n. If cl−1 =−1,

1. al = 2.∑l

i=1 ci ri = rl−1 +∑l−2

i=1 ci ri leads to a contradiction.2. al = 3. if cl−2 = 1, rl < 2n. If cl−2 =−1

(a) al−1 = 2 leads to a contradiction or al−1 ≥ 4 leads to rl < 2n.


(b) al−1 = 3. If cl−2 = 1, rl < 2n.If cl−2 =−1,

al−2 = 2 leads to a contradiction or al−2 ≥ 4 leads to rl < 2n.al−2 ≥ 3. If l = 3, rl < 2n. We need to discuss the case l ≥ 4. if cl−3 = 1,

rl < 2n. In the case of cl−3 = −1, al−3 = 2 leads to a contradiction oral−3 ≥ 4 leads torl < 2n; if al−3 = 3, we discuss it similarly and finally getrl < 2n.

3. al ≥ 4. rl < 2n for n > rl −2rl−1 ≥ rl2 .

Thus, the leading term of an optimal DBC satisfies that n2 < rl < 2n.

For the case of l = 3, when n = 4, 32−3−1 may be an optimal DBC for 2D (4 = 22)may be not smaller than 2T +2A.

Proof of the range of the leading term of canonic DBCs

Proof. Let ri = 2bi 3ti . Then n =∑li=1 ci ri , cl = 1,ci ∈ ±1 for 1 ≤ i ≤ l −1 is a canonic

DBC. Let al = rlrl−1

, al−1 = rl−1rl−2

. We will prove that this result is true when l = 1 andl = 2.

If l = 1, r1 = n. If l = 2, n = r2 + r1 or n = r2 − r1.

1. n = r2 + r1. If a2 < 4, n is with the form 2b3t . It reaches a contradiction. Hence,r2 Ê 4r1. Then r2 Ê 4n

5 .

2. n = r2−r1. If a2 < 6, n is with the form 2b3t . This reaches a contradiction. Hence,r2 Ê 6r1. Thus, r2 ≤ 6n

5 .

16n21 < rl < 9n

7 is proved when l ≤ 2.When l Ê 3, we will classify cl−1, al ,cl −2, al−1 into different cases and show that

in each case 16n21 < rl < 9n

7 .When cl−1 = 1, rl < n.If cl−2 =−1, n = rl + rl−1 − rl−2 . . . < rl + rl−1. Then rl > 4n

5 .If cl−2 = 1, n = rl + rl−1 + rl−2 + . . .+ r1. Classify al into different cases.

1. al ≤ 3. It reaches a contradiction that∑l

i=1 ci ri is a canonic DBC.2. al = 4, i.e., Rl = 4rl−1.

(a) al−1 = 2. rl + rl−1 + rl−2 = 12rl−2 − rl−2. It reaches a contradiction that∑li=1 ci ri is a canonic DBC.

(b) al−1 = 3,4,6. These cases are deduced similar to Case (a).(c) al−1 Ê 8. n = rl + rl−1 + rl−2 . . . < rl + rl−1 +2rl−2. Then rl > 16n

21 .3. al = 6, i.e., rl = 6rl−1.

(a) al−1 = 2. rl + rl−1 + rl−2 = 12rl−2 + 3rl−2. It reaches a contradiction that∑li=1 ci ri is a CDBC.

(b) al−1 = 3. This case is deduced similar to Case (a).(c) al−1 Ê 4. n = rl + rl−1 + rl−2 . . . < rl + rl−1 +2rl−2. Then rl > 4n

5 .

4. al Ê 8. n = rl + rl−1 + . . .+ r1 < rl +2rl−1, then rl > 4n5 .

32 W. Yu et al.

Thus 16n21 < rl < n when cl−1 = 1.

When cl−1 = −1, rl > n. If cl−2 = 1, n > rl − rl−1. Then rl < 6n5 . If cl−2 = −1, then

n = rl − rl−1 − rl−2 + . . .+ c1r1. Classify al into different cases.

1. al ≤ 4. It reaches a contradiction that∑l

i=1 ci ri is a canonic DBC.2. al = 6.

(a) al−1 = 2. rl − rl−1 − rl−2 = 9rl−2. It reaches a contradiction.(b) al−1 = 3,4. Both cases can be deduced similar to Case (a).(c) al−1 Ê 6. n > rl − rl−1 −2rl−2. Then rl < 9n

7 .

3. al = 8. This case is deduced similar to Case (2) and we have rl < 6n5 .

4. al Ê 9. rl − rl−1 + . . .+ r1 > rl −2rl−1, we obtain rl < 9n7 .

Overall, 16n21 < rl < 9n

7 .

A.5 Proof of Claim 1

Proof.∑α+γ log2 3<log 9n

7

((α+ j

j −1

)(γ+ j

j −1

))

is equal to∑γ log2 3<log 9n

7

((γ+ j

j −1

)∑α+γ log2 3<log 9n

7

(α+ j

j −1

)).

It is less than

∑γ<log3

9n7

(γ+ j

j −1

)(log 9n

7 −γ log2 3+ j +1

j

)

< ∑γ<log3

9n7

(γ+ j +1

j

)(log 9n

7 −γ log2 3+ j +1

j

).

It is equal to

∑γ<log3

9n7

(log3

9n7 −γ+ j +1

j

)(γ+ j +1

j

) (γ log3+ j +1

j

)(γ+ j +1

j

)

< ∑γ<log3

9n7

(log3

9n7 −γ+ j +1

j

)(γ+ j +1

j

)(γ log3+2

γ+2

) j

<(

log39n7 log3+2

log39n7 +2

) j ∑γ<log3

9n7

(log3

9n7 −γ+ j +1

j

)(γ+ j +1

j

)

< log39n

7

(log3

) j

(0.5log3

9n7 + j +1

j

)2

.


Thus,

C logn∑j=1

2 j−1∑

α+γ log2 3<log 9n7

(α+ j

j −1

)(γ+ j

j −1

)<0.5log3

9n

7

C logn∑j=1

(2log3

) j

(0.5log3

9n7 + j +1

j

)2

≤0.5log39n

7

(2log3

)C lognC logn∑

j=1

(0.5log3

9n7 + j +1

j

)2

≤0.5log39n

7

(2log3

)C logn

(C logn∑

j=1

(0.5log3

9n7 + j +1

j

))2

.

By Pascal’s triangle,

C logn∑j=1

(0.5log3

9n7 + j +1

j

)<

(0.5log3

9n7 +2+C logn

C logn

).

By Stirling’s formula,

(0.5log3

9n7 +2+C logn

C logn

)2

<(

e[0.5log39n7 +2+C logn]

C logn

)2C logn

.

There exists a positive integer N , satisfying N > 210000(2+0.5log397 ) and log N < 1.0001C log N .

When n Ê N ,

0.5log39n

7

(2log3

)C logn

(e[0.5log3

9n7 +2+C logn]

C logn

)2C logn

<1.0001C logn (2log3

)C logn(

e[0.5001log3 n +C logn]

C logn

)2C logn

=nC log

(2e2 log3(0.5001log3 2+C )2

C 2

).

Hence, this claim has been proved.


Proof. Let n be a γ-bit integer. We need to prove that the average Hamming weight ofDBCs of γ-bit integers produced by any algorithm has a lower bound Hm(γ) =Ω(

γ).

By Lemma 3, when 2γ > N , there are at least 2γ−2α·γ integers m in [1,2γ] satisfying

s(m) >C ·γ, where 0 <α< 1 and 0 <C < α2

8.25 , N = max

2100,21C

.

34 W. Yu et al.

When γ> 21−α , 2γ−1−2α·γ

2γ−1 > 12 . We have

Hm(γ) Ê 1

2γ−1

2γ−1∑j=2γ−1

s( j )

Ê 1

2r−1

((2γ−1 −2α·γ) ·C ·γ+2α·γ ·1

)>2γ−1 −2α·γ

2γ−1 ·C ·γ.

It follows that Hm(n) > C ·γ2 when 2γ−1 > max

N ,2

21−α+1

.

Thus

Hm(γ) =Ω(γ)

.

Notice that Hm(γ) > 2γ−1−2α·γ2γ−1 ·C ·γ. When γ tends to infinity andα< γ−1

γ , Hm(γ) >C ·γ.

When γ tends to infinity and α tends to 1, an asymptotic lower bound of theaverage Hamming weights of canonic DBCs for γ-bit integers is γ

8.25 .


Proof. If w(i , j ) is not minimal for ni , j , then there exists a chain w′(i , j ) which hasa lower Hamming weight than the Hamming weight of w(i , j ). Replacing w(i , j ) byw′(i , j ) in w(b, t ), we gain a new DBC for nb,t with a lower Hamming weight thanw(b, t ). Thus, it contradicts that w(b, t ) is a minimal DBC for nb,t inΦ(b, t ).

The similar result is suitable for w(b, t ).


Proof.

1. By Lemma 1, if nb,t < 2b3t−1, then

w(b, t ) =minLw(b −1, t ),2b−13t + w(b −1, t ),

w(b, t −1),2b3t−1 + w(b, t −1),

w(b, t ) =−2b−13t + w(b −1, t ).

By Lemma 2, 2b−13t + w(b−1, t ) is not minimal inΦ(b, t ). Then we prove Case 1.2. The other cases are discussed the similar as Case 1.



Proof. Let us show the DBC of wmin returned by Algorithm 2 is a canonic DBC whenD = T = 0 and an optimal DBC when D +T > 0.

1. When D = T = 0.For each b and t satisfying 2b3t < 9n

7 , Algorithm 2 has computed w(b, t ) and

w(b, t ). If n = nb,t+2b3t , then w(b, t )+2b3t may be a canonic DBC of n. If n = nb,t ,then both w(b, t ) and w(b, t ) + 2b3t may be canonic DBCs of n. In Algorithm2, checking the case b = ⌊

log B3t

⌋for each t is enough to generate an optimal

DBC or a canonic DBC. If n = nb,t + 2b3t , this case has been considered inwmin. If n = nb,t , the case n = nb−1,t + 2b−13t should be considered in wmi n .That is w(b, t ) = w(b − 1, t ) + 2b−13t . This is equivalent to check all b, t wheren2 < 2b3t < 9n

7 to compute wmin. By Lemma 2, wmin is one of canonic DBCs. Thus,Algorithm 2 produces one canonic DBC of n.

2. When D +T > 0.This case can be proved using Lemma 2 and discussed as Case 1.

A.10 Proof of Claim 2

Proof. The value of n′1 is

⌊6·n

2ii1 ·α21 3jj1 ·β2

1

⌋%

(2α

21+13β

21+1

). It is equal to

⌊6nb,t

2ii1 ·α21 3jj1 ·β2

1

⌋%

(2α

21+13β

21+1

).

n1’s value⌊

n′1

2i1 ·α1 3 j1 ·β1

⌋%

(2α1+13β1+1

)is equal to

⌊6nb,t

2ii1 ·α21+i1 ·α1 3jj1 ·β2

1+ j1 ·β1

⌋%

(2α1+13β1+1

).

Then⌊

n12i 3 j

⌋%6 can be represented as

ÌÌÌÌÊ(

6nb,t

2ii1 ·α2

1+i1 ·α1 3jj1 ·β2

1+ j1 ·β1

)2i 3 j

ÍÍÍÍË%6.

That is⌊

nb,t

2b−13t−1

⌋%6. As the value of

⌊nb,t

2b−13t−1

⌋is nonnegative and less than 6.

Thus(⌊

n12i 3 j

⌋%6

)=

⌊nb,t

2b−13t−1

⌋.


Proof. In Algorithm 4, calculating each n′y requires O

((logn

)2− 13y

)for 1 ≤ y ≤ k.

Calculating each equivalent representative ny requires O((

logn)2

)for 1 ≤ y ≤ k.

Then calculating all n′y and ny requires O

(k

(logn

)2).

Calculating each(⌊

nk2i 3 j

⌋%6

)requires O

((logn

) 13k

). There are O

((logn

)2)

such

expressions. These expressions require O((

logn)2+ 1

3k).

In Line 10, we need to calculate the value of b and t . These operations require

O((

logn)2 loglogn

). Algorithm 4 may require to calculate by or ty for 2 ≤ y ≤ k.

36 W. Yu et al.

Calculating by and ty , 2 ≤ y ≤ k requires O(loglogn

)bit operations. These require

O((

logn)2 loglogn

).

B Examples

B.1 Two Examples for Algorithm 1

b = 0, t = 4, n = 100 Since 1002 < 2034 < 100, there exist |Φ(0,4)| DBCs with a leading

term dividing by 2034 for n = 100. Let us show the details of procedure of Algorithm1. At first, the initial values are |Φ(0,0)| = 1 and |Φ(0,0)| = 0.

Since 2031−1 ≤ n0,1 = 1 < 20−131, we employ the Item 3 of Theorem 1 to calculate|Φ(0,1)| = 1 and |Φ(0,1)| = 0. Since n0,2 = 1 < 20−132−1, we employ the Item 1 ofTheorem 1 to calculate |Φ(0,2)| = 1, |Φ(0,2)| = 0.

Since 4 ·20−133−1 ≤ n0,3 = 19 < 5 ·20−133−1, we employ the Item 5 of Theorem 1 tocalculate |Φ(0,3)| = 0, |Φ(0,3)| = 1.

Since 20−134−1 ≤ n0,4 = 19 < 2 ·20−134−1, we employ the Item 2 of Theorem 1 tocalculate |Φ(0,4)| = 1, |Φ(0,4)| = 0.

Thus, there is 1 DBC with a leading term dividing 2034 for 100.

b = 1, t = 3, n = 100 Since 1002 < 2133 < 100, there exist |Φ(1,3)| DBCs with a leading

term dividing by 2133 for n = 100.Let us show the details of procedure of Algorithm 1 for this example. At first, the

initial values are |Φ(0,0)| = 1, |Φ(0,0)| = 0.Since n1,0 = 0 < 21−130−1, we employ the Item 1 of Theorem 1 to calculate

|Φ(1,0)| = 1, |Φ(1,0)| = 0.Since 2031−1 ≤ n0,1 = 1 < 20−131, we employ the Item 3 of Theorem 1 to calculate

|Φ(0,1)| = 1, |Φ(0,1)| = 0.Since 2 · 2131−1 ≤ n1,1 = 4 < 5 · 21−131−1, we employ the Item 5 of Theorem 1 to

calculate |Φ(1,1)| = 1, |Φ(1,1)| = 2.Since n0,2 = 1 < 20−132−1, we employ the Item 1 of Theorem 1 to calculate

|Φ(0,2)| = 1, |Φ(0,2)| = 0.Since 21−132 ≤ n1,2 = 10 < 2 · 2132−1, we employ the Item 4 of Theorem 1 to

calculate |Φ(1,2)| = 2, |Φ(1,2)| = 3.Since 2 ·2033−1 ≤ n0,3 = 19 < 5 ·20−133−1, we employ the Item 5 of Theorem 1 to

calculate |Φ(0,3)| = 0, |Φ(0,3)| = 1.Since n1,3 = 46 ≥ 5 · 21−133−1, we employ the Item 6 of Theorem 1 to calculate

|Φ(1,3)| = 0, |Φ(1,3)| = 5.Thus, there is no DBC with a leading term dividing 2133 for 100.

B.2 Three Examples For Algorithm 2

We will show the procedures of Algorithm 2 to produce a canonic DBC for 100 andoptimal DBCs for 100 and 1000.


A Canonic DBC for 100 Take 100 for example to produce a canonic DBC for 100by Algorithm 2. Then A > 0,B = 0,T = 0. w(0,0) ← 0, w(0,0) ← NULL. Set wmin =26 +25 +22. First, B = 900

7 , blogBc = 7, blog3 Bc = 4.When t = 0,

1. b = 1, n1,0 = 0, w(1,0) = 0,w(1,0) = NULL (Lemma 5, Case 1).2. b = 2, n2,0 = 0, w(2,0) = 0,w(2,0) = NULL (Lemma 5, Case 1).3. b = 3, n3,0 = 4, w(3,0) = 22, w(3,0) =−22 (Lemma 5, Case 3).4. b = 4, n4,0 = 4, w(4,0) = 22, w(4,0) =−23 −22 (Lemma 5, Case 1).5. b = 5, n5,0 = 4, w(5,0) = 22, w(5,0) =−24 −23 −22 (Lemma 5, Case 1).6. b = 6, n6,0 = 36, w(6,0) = 25 +22, w(6,0) =−25 +22 (Lemma 5, Case 3).7. b = 7, n7,0 = 100, w(7,0) = 26 +25 +22, w(7,0) =−25 +22 (Lemma 5, Case 4).

Using Line 8 of Algorithm 2, wmin = 26 +25 +22.When t = 1,

1. b = 0, n0,1 = 1, w(0,1) = 1,w(0,1) = NULL (Lemma 5, Case 2).2. b = 1, n1,1 = 4, w(1,1) = 31 +1,w(1,1) =−2 (Lemma 5, Case 4).3. b = 2, n2,1 = 4, w(2,1) = 22, w(2,1) =−2 ·3−2 (Lemma 5, Case 2).4. b = 3, n3,1 = 4, w(3,1) = 22, w(3,1) =−223−2 ·3−2 (Lemma 5, Case 1).5. b = 4, n4,1 = 4, w(4,1) = 22, w(4,1) =−233−223−2 ·3−2 (Lemma 5, Case 1).6. b = 5, n5,1 = 4, w(5,1) = 22, w(5,1) =−243−233−223−2 ·3−2 (Lemma 5, Case 1).

Using Line 7 of Algorithm 2, wmin = 2531 +22.When t = 2,

1. b = 0, n0,2 = 1, w(0,2) = 1,w(0,2) = NULL (Lemma 5, Case 1).2. b = 1, n1,2 = 10, w(1,2) = 32 +1,w(1,2) =−32 +1 (Lemma 5, Case 3).3. b = 2, n2,2 = 28, w(2,2) = 2132 +32 +1,w(2,2) =−32 +1 (Lemma 5, Case 4).4. b = 3, n3,2 = 28, w(3,2) = 2331 +22, w(3,2) =−2232 −32 +1 (Lemma 5, Case 2).


1. b = 0, n0,3 = 19, w(0,3) = NULL,w(0,3) =−32 +1 (Lemma 5, Case 4).2. b = 1, n1,3 = 46, w(1,3) = NULL,w(1,3) =−32 +1 (Lemma 5, Case 4).3. b = 2, n2,3 = 100, w(2,3) = NULL,w(2,3) =−32 +1 (Lemma 5, Case 4).


1. b = 0, n0,4 = 19, w(0,4) = 33 −32 −1,w(0,4) = NULL (Lemma 5, Case 1).

Using Line 7 of Algorithm 2, wmin = 2531 +22.Thus, one of the canonic DBC of 100 is 2531 +22.

38 W. Yu et al.

An optimal DBC for 100 Generating an optimal DBC for 100 on Weierstrass formelliptic curve is similar as producing a canonic DBC. It means that A = 11,B = 8,T =14. This example is similar to the previous example. w(0,0) ← 0, w(0,0) ← NULL. Setwmin = 26 +25 +22. First, B = 200, blogBc = 7, blog3 Bc = 4.

When t = 0,

1. b = 1, n1,0 = 0, w(1,0) = 0,w(1,0) = NULL (Lemma 5, Case 1).2. b = 2, n2,0 = 0, w(2,0) = 0,w(2,0) = NULL (Lemma 5, Case 1).3. b = 3, n3,0 = 4, w(3,0) = 22, w(3,0) =−22 (Lemma 5, Case 3).4. b = 4, n4,0 = 4, w(4,0) = 22, w(4,0) =−23 −22 (Lemma 5, Case 1).5. b = 5, n5,0 = 4, w(5,0) = 22, w(5,0) =−24 −23 −22 (Lemma 5, Case 1).6. b = 6, n6,0 = 36, w(6,0) = 25 +22, w(6,0) =−25 +22 (Lemma 5, Case 3).7. b = 7, n7,0 = 100, w(7,0) = 26 +25 +22, w(7,0) =−25 +22 (Lemma 5, Case 4).

Using Line 8 of Algorithm 2, wmin = 26 +25 +22.When t = 1,

1. b = 0, n0,1 = 1, w(0,1,n0,1) = 1,w(0,1, n0,1) = NULL (Lemma 5, Case 2).2. b = 1, n1,1 = 4, w(1,1) = 31 +1,w(1,1) =−2 (Lemma 5, Case 4).3. b = 2, n2,1 = 4, w(2,1) = 22, w(2,1) =−2 ·3−2 (Lemma 5, Case 2).4. b = 3, n3,1 = 4, w(3,1) = 22, w(3,1) =−223−2 ·3−2 (Lemma 5, Case 1).5. b = 4, n4,1 = 4, w(4,1) = 22, w(4,1) =−233−223−2 ·3−2 (Lemma 5, Case 1).6. b = 5, n5,1 = 4, w(5,1) = 22, w(5,1) =−243−233−223−2 ·3−2 (Lemma 5, Case 1).


1. b = 0, n0,2 = 1, w(0,2) = 1,w(0,2) = NULL (Lemma 5, Case 1).2. b = 1, n1,2 = 10, w(1,2) = 32 +1,w(1,2) =−32 +1 (Lemma 5, Case 3).3. b = 2, n2,2 = 28, w(2,2) = 2132 +32 +1,w(2,2) =−32 +1 (Lemma 5, Case 4).4. b = 3, n3,2 = 28, w(3,2) = 2331 +22, w(3,2) =−2232 −32 +1 (Lemma 5, Case 2).5. b = 4, n4,2 = 100, w(4,2) = 2322+2331+22, w(4,2) =−2431+22 (Lemma 5, Case 4).


1. b = 0, n0,3 = 19, w(0,3) = NULL,w(0,3) =−32 +1 (Lemma 5, Case 4).2. b = 1, n1,3 = 46, w(1,3) = NULL,w(1,3) =−32 +1 (Lemma 5, Case 4).3. b = 2, n2,3 = 100, w(2,3) = NULL,w(2,3) =−32 +1 (Lemma 5, Case 4).


1. b = 0, n0,4 = 19, w(0,4) = 33 −32 −1,w(0,4) = NULL (Lemma 5, Case 1).

Using Line 7 of Algorithm 2, wmin = 2531 +22.Thus, one of the optimal DBC of 100 on Weierstrass form elliptic curve is 2531+22.


An optimal DBC for 1000 An optimal DBC for 1000 on Weierstrass form ellipticcurve by Algorithm 2 will be shown as follows where A = 11,B = 8,T = 14. w(0,0) ←0, w(0,0) ← NULL. Set wmin = 29 + 28 + 27 + 26 + 25 + 23. First, B = 2000, blogBc =10, blog3 Bc = 6.

When t = 0,

1. b = 1, n1,0 = 0, w(1,0) = 0,w(1,0) = NULL (Lemma 5, Case 1).2. b = 2, n2,0 = 0, w(2,0) = 0,w(2,0) = NULL (Lemma 5, Case 1).3. b = 3, n3,0 = 0, w(3,0) = 0,w(3,0) = NULL (Lemma 5, Case 1).4. b = 4, n4,0 = 8, w(4,0) = 23, w(4,0) =−23 (Lemma 5, Case 3).5. b = 5, n5,0 = 8, w(5,0) = 23, w(5,0) =−24 −23 (Lemma 5, Case 1).6. b = 6, n6,0 = 40, w(6,0) = 25 +23, w(6,0) =−25 +23 (Lemma 5, Case 3).7. b = 7, n7,0 = 104, w(7,0) = 26 +25 +23, w(7,0) =−25 +23 (Lemma 5, Case 4).8. b = 8, n8,0 = 232, w(8,0) = 27 +26 +25 +23, w(8,0) =−25 +23 (Lemma 5, Case 4).9. b = 9, n9,0 = 488, w(9,0) = 28 +27 +26 +25 +23, w(9,0) =−25 +23 (Lemma 5, Case

4).10. b = 10, n10,0 = 1000, w(10,0) = 29+28+27+26+25+23, w(10,0) =−25+23 (Lemma

5, Case 4).

Using Line 8 of Algorithm 2, wmin = 210 −25 +23.When t = 1,

1. b = 0, n0,1 = 1, w(0,1) = 1,w(0,1) = NULL (Lemma 5, Case 2).2. b = 1, n1,1 = 4, w(1,1) = 31 +1,w(1,1) = NULL (Lemma 5, Case 4).3. b = 2, n2,1 = 4, w(2,1) = 22, w(2,1) = NULL (Lemma 5, Case 2).4. b = 3, n3,1 = 16, w(3,1) = 223+22, w(3,1) =−23 (Lemma 5, Case 4).5. b = 4, n4,1 = 40, w(4,1) = 233+223+22, w(4,1) =−23 (Lemma 5, Case 4).6. b = 5, n5,1 = 40, w(5,1) = 243−23, w(5,1) =−243−23 (Lemma 5, Case 2).7. b = 6, n6,1 = 40, w(6,1) = 243−23, w(6,1) =−253−243−23 (Lemma 5, Case 1).8. b = 7, n7,1 = 232, w(7,1) = 263+243−23, w(7,1) =−263+243−23 (Lemma 5, Case

3).9. b = 8, n8,1 = 232, w(8,1) = 263+243−23, w(8,1) =−273−263+243−23 (Lemma 5,

Case 1).10. b = 9, n9,1 = 1000, w(9,1) = 283+263+243−23, w(9,1) =−29 −25 +23 (Lemma 5,

Case 3).

Using Line 8 of Algorithm 2, wmin = 210 −25 +23.When t = 2,

1. b = 0, n0,2 = 1, w(0,2) = 1,w(0,2) = NULL (Lemma 5, Case 1).2. b = 1, n1,2 = 10, w(1,2) = 32 +1,w(1,2) =−32 +1 (Lemma 5, Case 3).3. b = 2, n2,2 = 28, w(2,2) = 2132 +32 +1,w(2,2) =−32 +1 (Lemma 5, Case 4).4. b = 3, n3,2 = 64, w(3,2) = 2232 +2132 +32 +1,w(3,2) =−23 (Lemma 5, Case 4).5. b = 4, n4,2 = 136, w(4,2) = 2332+2232+2132+32+1,w(4,2) =−23 (Lemma 5, Case

4).6. b = 5, n5,2 = 136, w(5,2) = 2432 −23, w(5,2) =−2432 −23 (Lemma 5, Case 2).7. b = 6, n6,2 = 424, w(6,2) = 2532+2432−23, w(6,2) =−2432−23 (Lemma 5, Case 4).

40 W. Yu et al.

8. b = 7, n7,2 = 1000, w(7,2) = 2632+2532+2432−23, w(7,2) =−2432−23 (Lemma 5,Case 4).

Using Line 8 of Algorithm 2, wmin = 210 −25 +23.

When t = 3,

1. b = 0, n0,3 = 1, w(0,3) = 1,w(0,3) = NULL (Lemma 5, Case 1).

2. b = 1, n1,3 = 28, w(1,3) = 33 +1,w(1,3) =−33 +1 (Lemma 5, Case 3).

3. b = 2, n2,3 = 28, w(2,3) = 33 +1,w(2,3) =−2133 −33 +1 (Lemma 5, Case 1).

4. b = 3, n3,3 = 136, w(3,3) = 2233 +33 +1,w(3,3) =−2332 −23 (Lemma 5, Case 3).

5. b = 4, n4,3 = 136, w(4,3) = 2432−23, w(4,3) =−2333−2332−23 (Lemma 5, Case 1).

6. b = 5, n5,3 = 136, w(5,3) = 2432−23, w(5,3) =−2533+2432−23 (Lemma 5, Case 1).

7. b = 6, n6,3 = 1000, w(6,3) = 2533+2432−23, w(6,3) =−2533+2432−23 (Lemma 5,Case 3).


When t = 4,

1. b = 0, n0,4 = 28, w(0,4) = 33 +1,w(0,4) = NULL (Lemma 5, Case 2).



4. b = 3, n3,4 = 352, w(3,4) = 2234+33+1,w(3,4) =−2234+32+1 (Lemma 5, Case 3).

5. b = 4, n4,4 = 1000, w(4,4) = 2234 +33 +1,w(4,4) =−2234 +32 +1 (Lemma 5, Case4).


When t = 5,




4. b = 3, n3,5 = 1000, w(3,5) = 2235 +33 +1,w(3,5) =−2235 +32 +1 (Lemma 5, Case3).


When t = 6,

1. b = 0, n0,6 = 271, w(0,6) = 35 +33 +1,w(0,6) = NULL (Lemma 5, Case 2).

2. b = 1, n1,6 = 1000, w(1,6) = 36+35+33+1,w(1,6) =−2135+33+1 (Lemma 5, Case4).


Thus, one of the optimal DBC of 1000 on Weierstrass form elliptic curve is 210 −25 +23.


B.3 An example to find an optimal DBC for 1000 on Weierstrass form ellipticcurve by Algorithm 3 using equivalent representatives

A = 11,B = 8,T = 14. w(0,0) ← 0, w(0,0) ← NULL. Set wmin = 29+28+27+26+25+23.First, B = 2000, blogBc = 10, blog3 Bc = 6,α1 = 2,β1 = 1.

When jj1 = 0,

1. ii1=0, n′1 = 240

(a) j1 = 0,i1 = 0, n1 = 24i. j = 0, i = 1: t = 0, b = 1, w(1,0) = 0,w(1,0) = NULL (Lemma 5, Case 1).

(b) j1 = 0,i1 = 1, n1 = 60i. j = 0, i = 0: t = 0, b = 2, w(2,0) = 0,w(2,0) = NULL (Lemma 5, Case 1).

ii. j = 0, i = 1: t = 0, b = 3, w(3,0) = 0,w(3,0) = NULL (Lemma 5, Case 1).2. ii1=1, n′

1 = 87(a) i ′ = 2, n1 = 15

i. j = 0, i = 0: t = 0, b = 4, w(4,0) = 23, w(4,0) =−23 (Lemma 5, Case 3).ii. j = 0, i = 1: t = 0, b = 5, w(5,0) = 23, w(5,0) =−24−23 (Lemma 5, Case 1).

(b) i ′ = 3, n1 = 21i. j = 0, i = 0: t = 0, b = 6, w(6,0) = 25 + 23, w(6,0) = −25 + 23 (Lemma 5,

Case 3).ii. j = 0, i = 1: t = 0, b = 7, w(7,0) = 26 +25 +23, w(7,0) = −25 +23 (Lemma

5, Case 4).3. ii1=2, n′

1 = 23(a) i ′ = 4, n1 = 23

i. j = 0, i = 0: t = 0, b = 8, w(8,0) = 27+26+25+23, w(8,0) =−25+23 (Lemma5, Case 4).

ii. j = 0, i = 1: t = 0, b = 9, w(9,0) = 28 +27 +26 +25 +23, w(9,0) = −25 +23

(Lemma 5, Case 4).(b) i ′ = 5, n1 = 5

i. j = 0, i = 0: t = 0, b = 10, w(10,0) = 29 +28 +27 +26 +25 +23, w(10,0) =−25 +23 (Lemma 5, Case 4).

Using Line 8 of Algorithm 2, wmin = 210 −25 +23.When jj1 = 1,

1. ii1=0, n′1 = 272


ii. j = 0, i = 1: t = 1, b = 1, w(1,1) = 31 +1,w(1,1) = NULL (Lemma 5, Case4).

(b) i ′ = 1, n1 = 68i. j = 0, i = 0: t = 1, b = 2, w(2,1) = 22, w(2,1) = NULL (Lemma 5, Case 2).

ii. j = 0, i = 1: t = 1, b = 3, w(3,1) = 223+22, w(3,1) = −23 (Lemma 5, Case4).

2. ii1=1, n′1 = 240

(a) j1 = 0,i1 = 0, n1 = 24(b) i ′ = 2, n1 = 53

42 W. Yu et al.

i. j = 0, i = 0: t = 1, b = 4, w(4,1) = 233+223+22, w(4,1) =−23 (Lemma 5,Case 4).

ii. j = 0, i = 1: t = 1, b = 5, w(5,1) = 243−23, w(5,1) =−243−23 (Lemma 5,Case 2).

(c) i ′ = 3, n1 = 31i. j = 0, i = 0: t = 1, b = 6, w(6,1) = 243−23, w(6,1) =−253−243−23 (Lemma

5, Case 1).ii. j = 0, i = 1: t = 1, b = 7, w(7,1) = 263+243−23, w(7,1) = −263+243−23

(Lemma 5, Case 3).3. ii1=2, n′

1 = 240(a) i ′ = 4, n1 = 7

i. j = 0, i = 0: t = 1, b = 8, w(8,1) = 263+243−23, w(8,1) =−273−263+243−23 (Lemma 5, Case 1).

ii. j = 0, i = 1: t = 1, b = 9, w(9,1) = 283+263+243−23, w(9,1) =−29−25+23

(Lemma 5, Case 3).


1. ii1=0, n′1 = 90


ii. j = 0, i = 1: t = 2, b = 1, w(1,2) = 32 +1,w(1,2) =−32 +1 (Lemma 5, Case3).

(b) i ′ = 1, n1 = 22i. j = 0, i = 0: t = 2, b = 2, w(2,2) = 2132 +32 +1,w(2,2) = −32 +1 (Lemma

5, Case 4).ii. j = 0, i = 1: t = 2, b = 3, w(3,2) = 2232+2132+32+1,w(3,2) =−23 (Lemma

5, Case 4).2. ii1=1, n′

1 = 41(a) i ′ = 2, n1 = 41

i. j = 0, i = 0: t = 2, b = 4, w(4,2) = 2332 +2232 +2132 +32 +1,w(4,2) =−23

(Lemma 5, Case 4).ii. j = 0, i = 1: t = 2, b = 5, w(5,2) = 2432 −23, w(5,2) = −2432 −23 (Lemma

5, Case 2).(b) i ′ = 3, n1 = 10

i. j = 0, i = 0: t = 2, b = 6, w(6,2) = 2532 + 2432 − 23, w(6,2) = −2432 − 23

(Lemma 5, Case 4).ii. j = 0, i = 1: t = 2, b = 7, n7,2 = 1000, w(7,2) = 2632 + 2532 + 2432 −

23, w(7,2) =−2432 −23 (Lemma 5, Case 4).


1. ii1=0, n′1 = 222



ii. j = 0, i = 1: t = 3, b = 1, w(1,3) = 33 +1,w(1,3) =−33 +1 (Lemma 5, Case3).

(b) i ′ = 1, n1 = 55i. j = 0, i = 0: t = 3, b = 2, w(2,3) = 33 +1,w(2,3) =−2133 −33 +1 (Lemma

5, Case 1).ii. j = 0, i = 1: t = 3, b = 3, w(3,3) = 2233+33+1,w(3,3) =−2332−23 (Lemma

5, Case 3).2. ii1=1, n′

1 = 13(a) i ′ = 2, n1 = 13

i. j = 0, i = 0: t = 3, b = 4, w(4,3) = 2432 − 23, w(4,3) = −2333 − 2332 − 23

(Lemma 5, Case 1).ii. j = 0, i = 1: t = 3, b = 5, w(5,3) = 2432 − 23, w(5,3) = −2533 + 2432 − 23

(Lemma 5, Case 1).(b) i ′ = 3, n1 = 3

i. j = 0, i = 0: t = 3, b = 6, w(6,3) = 2533+2432−23, w(6,3) =−2533+2432−23

(Lemma 5, Case 3).


1. ii1=0, n′1 = 74

(a) j1 = 0,i1 = 0, n1 = 2i. j = 0, i = 0: t = 4, b = 0, w(0,4) = 33 +1,w(0,4) = NULL (Lemma 5, Case

2).ii. j = 0, i = 1: t = 4, b = 1, w(1,4) = 33 +1,w(1,4) = NULL (Lemma 5, Case

1).(b) i ′ = 1, n1 = 18

i. j = 0, i = 0: t = 4, b = 2, w(2,4) = 33 +1,w(2,4) = NULL (Lemma 5, Case1).

ii. j = 0, i = 1: t = 4, b = 3, w(3,4) = 2234 + 33 + 1,w(3,4) = −2234 + 32 + 1(Lemma 5, Case 3).

2. ii1=1, n′1 = 4

(a) i ′ = 2, n1 = 4i. j = 0, i = 0: t = 4, b = 4, w(4,4) = 2234 + 33 + 1,w(4,4) = −2234 + 32 + 1

(Lemma 5, Case 4).


1. ii1=0, n′1 = 24

(a) j1 = 0,i1 = 0,n1 = 24i. j = 0, i = 0: t = 5, b = 0, w(0,5) = 33 +1,w(0,5) = NULL (Lemma 5, Case

1).ii. j = 0, i = 1: t = 5, b = 1, w(1,5) = 33 +1,w(1,5) = NULL (Lemma 5, Case

1).(b) i ′ = 1, n1 = 6

i. j = 0, i = 0: t = 5, b = 2, w(2,5) = 33 +1,w(2,5) = NULL (Lemma 5, Case1).

44 W. Yu et al.

ii. j = 0, i = 1: t = 5, b = 3, w(3,5) = 2235 + 33 + 1,w(3,5) = −2235 + 32 + 1(Lemma 5, Case 3).


When jj1 = 5,

1. ii1=0, n′1 = 8

(a) j1 = 0,i1 = 0, n1 = 8

i. j = 0, i = 0: t = 6, b = 0, w(0,6) = 35 +33 +1,w(0,6) = NULL (Lemma 5,Case 2).

ii. j = 0, i = 1: t = 6, b = 1, w(1,6) = 36 +35 +33 +1,w(1,6) = −2135 +33 +1(Lemma 5, Case 4).


Thus, one of the optimal DBC of 1000 on Weierstrass form elliptic curve is 210 −25 +23.

C DBCs for⌊π×10240

⌋on EW 1

C.1 NAF of⌊π×10240

⌋2799−2795+2791+2789−2786+2784−2781−2776−2774+2771−2769−2767+2763−2761+2758+2755−2751+2747−2740−2736+2733−2730+2727−2725−2722+2719+2716−2714−2712−2708−2705−2703+2700−2698+2696−2694+2690+2687−2685+2681−2679+2677+2674−2671+2669+2666−2664−2660−2658+2655+2652−2650+2648+2646+2638−2634−2632−2630+2625+2620−2618+2614+2611−2609+2607−2602−2596−2594+2590+2587−2584+2582−2579−2575+2573+2570+2561−2559+2556−2553+2549+2546−2543−2541−2537−2535−2533+2531+2528−2526−2524−2518+2516+2514−2512+2510+2507−2503+2501−2499−2496−2491+2487+2485+2483−2480+2478+2476+2473+2468−2466−2464+2459−2457+2452−2450−2443−2441+2439−2437−2434−2432+2430−2427+2422+2419+2415+2410+2407−2402−2399−2397−2394+2392−2390+2388+2385+2383−2381+2379−2376−2374−2372+2370+2368+2365+2363−2356−2354−2351−2349+2346−2343−2340+2337−2333+2331−2329−2319−2317+2315+2313−2309+2305−2302−2300−2298+2296−2290−2288−2283+2280−2278+2276+2272−2269−2266−2262−2259−2257+2255+2252−2250−2247−2242+2240−2238−2235+2232−2229−2226−2224+2222−2219+2217+2215+2213−2210+2207+2205−2202−2200−2198−2194+2191−2189+2187+2185+2182−2180−2178+2176+2173−2171−2168+2166−2163+2161+2158+2156+2154+2150−2148+2146+2144−2142−2140−2138−2134+2130−2128−2126−2124+2121+2115−2112−2110−2108−2104+298+296−293−291−287+285+272+270−267−265−263+261+259−256−254−252+250−247−245−243−241−237+235+233+229+227−225+223+221+219−216+214−211−29−26−22+20

Its Hamming weight is 276. Scalar multiplication using NAF costs 9417 M on EW

1.


C.2 A DBC of⌊π×10240

⌋Produced by Tree Approach

24603214 − 24593213 − 24533213 − 24503212 + 24453211 + 24413211 + 24363210 + 24323209 −24313208 − 24303207 − 24293206 + 24273204 − 24253202 + 24243201 + 24203201 + 24123200 −24113199 − 24053199 + 24033198 − 24023197 + 24013194 − 23963194 + 23943193 + 23883190 −23873188 + 23863186 − 23833186 + 23823185 + 23783185 − 23763182 + 23753181 + 23693181 −23653181 + 23643180 + 23633179 + 23623178 + 23613177 − 23563177 + 23523175 + 23493173 +23433173 − 23423169 + 23403168 + 23383167 + 23353166 − 23343163 + 23333159 − 23263159 +23243158 − 23223157 + 23213155 + 23183154 − 23163153 − 23143152 + 23133151 + 23123149 +23093147 − 23083146 + 23053145 − 23033144 − 23023142 + 23003141 + 22943141 − 22933137 +22893136 + 22863135 − 22823134 + 22803133 − 22793132 − 22783130 − 22713129 − 22693127 −22673125 + 22643124 + 22613122 − 22563121 − 22553119 − 22513118 + 22503116 + 22493115 −22473113 − 22453112 + 22433110 − 22413109 − 22393108 + 22363108 − 22353105 − 22323103 +22303102−22283101−22213100+2220399−2215399−2212399−2211397+2208397−2202397+2201396 +2198395 +2194395 +2193392 −2191391 +2190390 +2186388 +2185386 +2183384 +2181383 −2180382 +2179378 −2176377 +2174376 −2173373 +2170373 −2168372 +2167371 −2165370 −2163369 +2162368 +2160367 −2159366 −2158365 −2156364 −2152361 +2150360 −2145360 +2139359 +2137358 +2135357 −2134354 −2128354 −2126353 +2121353 −2119352 −2117351+2114351+2113349+2107348+2103346−2100346+297345−295344−291344−288344+284344 +282342 +281338 +275338 −271338 −268338 −265338 −261337 −257337 −256333 −254330 −251327 −248324 −244323 +241320 −240317 −238316 −236315 −233314 −229314 −224314−221313+219312+21838−21538+21138−21034−2733−2631−2031. Its Hammingweight is 173. Scalar multiplication using this DBC costs 8568 M on EW 1.

C.3 A Canonic DBC of⌊π×10240

⌋produced by Algorithm 2

A canonic DBC of a 799-bit integer bπ× 10240c is 24283234 + 24243233 + 24243231 −24243224 + 24243222 + 24233219 + 24163219 − 24113215 − 24073214 − 24033214 + 23993214 +23973214 + 23943213 − 23923210 − 23843210 + 23833208 − 23803206 + 23803202 − 23733201 +23713200 − 23643200 + 23603199 − 23543199 + 23533197 − 23523195 − 23513193 − 23503190 +23503187 − 23483185 + 23433181 + 23433179 − 23433176 + 23423174 + 23423173 − 23423169 +23403168 + 23383167 + 23353166 − 23343163 + 23333159 − 23293157 − 23293154 − 23293151 −23283150 + 23283148 + 23273140 + 23203140 + 23203137 + 23203135 + 23183132 − 23153129 +23093128 − 23023125 + 23023122 + 23023120 − 23013116 + 22943113 − 22853113 − 22833112 +22813111 + 22723111 − 22723108 + 22693106 + 22613106 − 22583106 − 22543106 + 22533104 +22533101 −2252399 −2246398 +2243397 +2239397 +2235397 −2234396 +2227396 −2223396 +2215396 +2214396 −2212395 +2211393 −2205392 −2203391 −2202389 −2199388 +2195387 +2195384 +2190383 +2189381 +2186379 −2183377 +2182375 −2182370 +2182365 +2179363 +2175361 −2174359 −2173357 +2172356 −2172354 +2170353 +2161347 +2159346 +2159341 −2159339 +2153338 +2153336 −2145335 +2143334 −2138333 −2138331 +2138329 −2137326 −2122326 − 2120326 + 2113326 + 2109326 − 2108324 − 2105322 + 2102321 − 293321 + 291321 +283321 +279321 +275321 +273321 +266321 +261321 −259320 +254319 −245318 +244316 −242315 +241313 −240312 −24038 −23037 +22437 +22337 +21936 −21734 +21034 −2733 −2631−2031. Its Hamming weight is 144. Scalar multiplication using this canonic DBCcosts 8273 M on EW 1.

46 W. Yu et al.

C.4 An optimal DBC of⌊π×10240

⌋produced by Algorithm 2

An optimal DBC of bπ×10240c is 25393164 −25333164 +25303164 +25283163 +25233163 +25223163 + 25073163 − 25033163 − 24973163 + 24933163 + 24923162 + 24883161 − 24833161 −24833158 − 24803157 + 24753157 + 24683157 − 24653157 − 24633156 + 24603154 − 24573153 +24513152 + 24473152 + 24393149 − 24343149 − 24333148 + 24263148 − 24223148 − 24193148 −24163148 − 24143148 + 24113147 − 24093146 + 23973146 − 23943146 − 23933145 + 23873145 +23863145 + 23833145 + 23793145 + 23743145 + 23733144 + 23723143 − 23663143 + 23643143 −23593143 + 23543143 + 23533143 + 23433143 + 23413141 + 23353141 + 23353139 − 23273139 +23233138 + 23223137 + 23203135 + 23183132 − 23153129 + 23093128 − 23023125 + 23023122 +23023120 − 23013116 + 22943113 − 22853113 − 22833112 + 22813111 + 22723111 − 22723108 +22693106+22613106−22583106−22543106+22533104+22533101−2252399−2246398+2243397+2239397 +2235397 −2234396 +2227396 −2223396 +2215396 +2214396 −2212395 +2211393 −2205392 −2203391 −2202389 −2199388 +2195387 +2195384 +2190383 +2189381 +2186379 −2183377 +2182375 −2182370 +2182365 +2179363 +2175361 −2174359 −2173357 +2172356 −2172354 +2170353 +2161347 +2159346 +2159341 −2159339 +2153338 +2153336 −2145335 +2143334 −2138333 −2138331 +2138329 −2137326 −2122326 −2120326 +2113326 +2109326 −2108324−2105322+2102321−293321+291321+283321+279321+275321+273321+266321+261321−259320+254319−245318+244316−242315+241313−240312−24038−23037+22437+22337 +21936 −21734 +21034 −2733 −2631 −2031. Its Hamming weight is 151. Scalarmultiplication using this DBC costs 8258 M on EW 1.

Double-Base Chains for Scalar Multiplications on Elliptic Curves · 2020-02-10 · bit op-erations...

Documents

Transcript of Double-Base Chains for Scalar Multiplications on Elliptic Curves · 2020-02-10 · bit op-erations...