In small devices, the choice of $w$ for exponentiation using the sliding window or window NAF technique described in section 6.2 may be dictated by memory limitations. The exponentiation algorithms given in section 6.1 need storage for $1 + 2^{w-1}$ elements of $G$, and thus memory may be wasted: e.g., if sufficient storage is available for up to four elements, only three elements can actually be used ($w = 2$).
In this section, we will see how the efficiency of exponentiation can be improved by using fractional windows, a generalization of the sliding window and window NAF techniques. Section 6.3.1 describes this new encoding technique for the case that negative digits are allowed (signed fractional windows). Section 6.3.2 describes a simpler variant for the case that only non-negative digits are permissible (unsigned fractional windows).
6.3.1 Signed Fractional Windows
Let $w \ge 2$ be an integer and $m$ an odd integer such that $1 \le m \le 2^w - 3$. (We could additionally allow the border cases $m = -1$ and $m = 2^w - 1$, which would turn out to yield the width-$(w+1)$ and width-$(w+2)$ NAF, respectively.) The digit set for the signed fractional window representation with parameters $w$ and $m$ is

$$B = \{\pm 1, \pm 3, \ldots, \pm(2^w + m)\}.$$

Let the mapping

$$\mathrm{digit}\colon \{0, 1, \ldots, 2^{w+2}\} \to B \cup \{0\}$$

be defined as follows:
• If $x$ is even, then $\mathrm{digit}(x) = 0$;
• otherwise if $0 < x \le 2^w + m$, then $\mathrm{digit}(x) = x$;
• otherwise if $2^w + m < x < 3 \cdot 2^w - m$, then $\mathrm{digit}(x) = x - 2^{w+1}$;
• otherwise we have $3 \cdot 2^w - m \le x < 2^{w+2}$ and let $\mathrm{digit}(x) = x - 2^{w+2}$.
Observe that if $x$ is odd, then $x - \mathrm{digit}(x) \in \{0, 2^{w+1}, 2^{w+2}\}$. The following algorithm encodes $e$ into signed fractional window representation:

    d ← LSB_{w+2}(e)
    c ← ⌊e / 2^{w+2}⌋
    i ← 0
    while d ≠ 0 ∨ c ≠ 0 do
        b ← digit(d)
        b_i ← b; i ← i + 1
        d ← d − b
        d ← LSB(c) · 2^{w+1} + d/2
        c ← ⌊c/2⌋
    return b_{i−1}, ..., b_0
6.3 Fractional Windows 65
This algorithm is a direct variant of the window NAF generation algorithm shown in section 6.2, but based on the new mapping digit. Here we have expressed the algorithm in a way that shows that the loop is essentially a finite state machine (with $2^{w+1} + 1$ states for storing, after $b$ has been subtracted from the previous value of $d$, the even number $d$ with $0 \le d \le 2^{w+2}$); new bits taken from $c$ are considered input symbols and the generated digits $b_i$ are considered output symbols.
The following table shows what can happen in the loop in the example case $w = 2$, $m = 1$.

| $d$ | $b = \mathrm{digit}(d)$ | $d - b$ |
|---|---|---|
| $0001_2$ | $1$ | $0000_2$ |
| $0011_2$ | $3$ | $0000_2$ |
| $0101_2$ | $5$ | $0000_2$ |
| $0111_2$ | $-1$ | $1000_2$ |
| $1001_2$ | $1$ | $1000_2$ |
| $1011_2$ | $-5$ | $10000_2$ |
| $1101_2$ | $-3$ | $10000_2$ |
| $1111_2$ | $-1$ | $10000_2$ |
The average density achieved by the signed fractional window representation with parameters $w$ and $m$ is

$$\frac{1}{w + \frac{m+1}{2^w} + 2}$$

for $e \to \infty$. (Assume that an endless sequence of random bits is the input to the finite state machine described above: whenever the state machine is about to output a non-zero digit, the intermediate value $d \bmod 2^{w+2}$ consists of $w + 1$ independent random bits plus the least significant bit, which is necessarily set. Thus with probability $p = \frac{1}{2} - \frac{m+1}{2^{w+1}}$, we have $d - \mathrm{digit}(d) = 2^{w+1}$, and with probability $1 - p$, we have $d - \mathrm{digit}(d) \in \{0, 2^{w+2}\}$. In the first case, the next non-zero output digit will follow after exactly $w$ intermediate zeros; in the second case, the next non-zero output digit will follow after $w + 2$ intermediate zeros on average. Thus the total average for the number of intermediate zeros is $p \cdot w + (1 - p) \cdot (w + 2) = w + \frac{m+1}{2^w} + 1$, which yields the above expression for the density.) Comparing this with the $1/(w + 2)$ density for width-$(w+1)$ NAFs, we see that the effective window size has been increased by $(m + 1)/2^w$, which is why we speak of “fractional windows”.
As in section 6.2.1, length expansion can be avoided in many cases by modifying the representation. The modified signed fractional window representation is obtained as follows: if the $w + 2$ most significant digits are of the form

$$1\,\underbrace{0\,0 \ldots 0}_{w \text{ zeros}}\,b,$$

then substitute

$$0\,1\,\underbrace{0 \ldots 0}_{w-1 \text{ zeros}}\,\beta$$

where $\beta = 2^w - b$; if the $w + 3$ most significant digits are of the form

$$1\,\underbrace{0\,0 \ldots 0}_{w+1 \text{ zeros}}\,b$$

with $b > 2^w$, then substitute

$$0\,1\,\underbrace{0 \ldots 0}_{w \text{ zeros}}\,\beta$$

where $\beta = 2^{w+1} - b$; and if the $w + 3$ most significant digits are of the form

$$1\,\underbrace{0\,0\,0 \ldots 0}_{w+1 \text{ zeros}}\,b$$

with $b < 2^w$, then substitute

$$0\,0\,3\,\underbrace{0 \ldots 0}_{w-1 \text{ zeros}}\,\beta$$

where $\beta = 2^w - b$.

Table 6.1: Left-to-right exponentiation with window NAFs or signed fractional windows, $\ell = 160$

| | wNAF, $w=2$ | s. fract., $w=2$, $m=1$ | wNAF, $w=3$ | s. fract., $w=3$, $m=1$ | s. fract., $w=3$, $m=3$ | s. fract., $w=3$, $m=5$ | wNAF, $w=4$ |
|---|---|---|---|---|---|---|---|
| Precomputation stage: table entries | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| Precomputation stage: squarings | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Precomputation stage: multiplications | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| Evaluation stage: squarings | ≤160 | ≤160 | ≤160 | ≤160 | ≤160 | ≤160 | ≤160 |
| Evaluation stage: multiplications | ≈40.0 | ≈35.6 | ≈32.0 | ≈30.5 | ≈29.1 | ≈27.8 | ≈26.7 |
Precomputation for left-to-right exponentiation can be done in one squaring and $2^{w-1} + (m-1)/2$ multiplications (see section 6.1.1), and the result stage for right-to-left exponentiation can be implemented in $2^{w-1} + (m-1)/2$ squarings and $2^w + m - 1$ multiplications (see section 6.1.2).
Table 6.1 shows expected performance figures for left-to-right exponentiation using the signed fractional window method in comparison with the usual window NAF method for 160-bit scalars; a typical application is elliptic curve cryptography. (The expected number of evaluation stage multiplications for $\ell$-bit scalars is approximately

$$\frac{\ell}{w + \frac{m+1}{2^w} + 2}$$

for the signed fractional window method, and

$$\frac{\ell}{w + 2}$$

for the window NAF method.) The signed fractional window method with $w = 2$, $m = 1$ achieves an evaluation stage speed-up of about 2.3 % compared with the window NAF method with $w = 2$, assuming that squarings take as much time as general multiplications. In fact, squarings can be faster, which will increase the relative speed-up (this is usually the case when projective coordinates are used for representing points on an elliptic curve).
Table 6.2 is for right-to-left exponentiation; it takes into account the optimizations to the right-to-left stage noted in section 6.1.2. (As one multiplication can be saved for each additional accumulator, usually in the right-to-left stage, the expected number of right-to-left stage multiplications for $\ell$-bit scalars is approximately

$$\frac{\ell}{w + \frac{m+1}{2^w} + 2} + 1 - 2^{w-1} - \frac{m-1}{2}$$

for the signed fractional window method, and

$$\frac{\ell}{w + 2} + 1 - 2^{w-1}$$

for the window NAF method.) The table shows that at this exponent bit length, for $w = 3$ fractional windows bring hardly any advantage for right-to-left exponentiation due to the relatively high computational cost of the result stage. For $\ell = 160$, the fractional window method with $w = 2$, $m = 1$ achieves a 1.2 % total speed-up compared with the window NAF method with $w = 2$, assuming that squarings take as much time as general multiplications.

Table 6.2: Right-to-left exponentiation with window NAFs or signed fractional windows, $\ell = 160$

| | wNAF, $w=2$ | s. fract., $w=2$, $m=1$ | wNAF, $w=3$ | s. fract., $w=3$, $m=1$ | s. fract., $w=3$, $m=3$ | s. fract., $w=3$, $m=5$ | wNAF, $w=4$ |
|---|---|---|---|---|---|---|---|
| Right-to-left stage: squarings | ≤160 | ≤160 | ≤160 | ≤160 | ≤160 | ≤160 | ≤160 |
| Right-to-left stage: multiplications | ≈39.0 | ≈33.6 | ≈29.0 | ≈26.5 | ≈24.1 | ≈21.8 | ≈19.7 |
| Result stage: input variables | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| Result stage: squarings | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| Result stage: multiplications | 2 | 4 | 6 | 8 | 10 | 12 | 14 |
6.3.2 Unsigned Fractional Windows
The unsigned fractional window representation uses the digit set
$$B = \{1, 3, \ldots, 2^w + m\}$$

and can be obtained by a variant of the technique from section 6.3.1. Here, let the mapping

$$\mathrm{digit}\colon \{0, 1, \ldots, 2^{w+1}\} \to B \cup \{0\}$$

be defined as follows:
• If $x$ is even, then $\mathrm{digit}(x) = 0$;
• otherwise if $0 < x \le 2^w + m$, then $\mathrm{digit}(x) = x$;
• otherwise let $\mathrm{digit}(x) = x - 2^w$.
If $x$ is odd, then $x - \mathrm{digit}(x) \in \{0, 2^w\}$. The following algorithm encodes $e$ into unsigned fractional window representation:
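
    d ← LSB_{w+1}(e)
    c ← ⌊e / 2^{w+1}⌋
    i ← 0
    while d ≠ 0 ∨ c ≠ 0 do
        b ← digit(d)
        b_i ← b; i ← i + 1
        d ← d − b
        d ← LSB(c) · 2^w + d/2
        c ← ⌊c/2⌋
    return b_{i−1}, ..., b_0

Table 6.3: Left-to-right exponentiation with sliding windows or unsigned fractional windows, $\ell = 1023$

| | slid. w., $w=2$ | u. fract., $w=2$, $m=1$ | slid. w., $w=3$ | u. fract., $w=3$, $m=1$ | u. fract., $w=3$, $m=3$ | u. fract., $w=3$, $m=5$ | slid. w., $w=4$ |
|---|---|---|---|---|---|---|---|
| Precomputation stage: table entries | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| Precomputation stage: squarings | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Precomputation stage: multiplications | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| Evaluation stage: squarings | ≤1023 | ≤1023 | ≤1023 | ≤1023 | ≤1023 | ≤1023 | ≤1023 |
| Evaluation stage: multiplications | ≈341.0 | ≈292.3 | ≈255.8 | ≈240.7 | ≈227.3 | ≈215.4 | ≈204.6 |
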
Similarly to the signed case, it can be seen that the average density of the unsigned fractional window representation is

$$\frac{1}{w + \frac{m+1}{2^w} + 1}$$

for $e \to \infty$. The precomputation or result stage is as before.
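
The two encoding algorithms of sections 6.3.1 and 6.3.2, as an added Python example (not code from the original text) that checks each digit string against the exponent it encodes and against the stated densities. The function names, the `signed` flag and the random sample exponent are assumptions made for illustration.

```python
import random

def digit(x, w, m, signed=True):
    """The mapping 'digit' of section 6.3.1 (signed) or 6.3.2 (unsigned)."""
    if x % 2 == 0:
        return 0
    if x <= 2**w + m:
        return x
    if not signed:
        return x - 2**w
    return x - 2**(w + 1) if x < 3 * 2**w - m else x - 2**(w + 2)

def encode(e, w, m, signed=True):
    """Fractional window digits of e >= 0, least significant first."""
    k = w + 2 if signed else w + 1         # bit width of the state d
    d, c = e % 2**k, e >> k                # d = LSB_k(e), c = floor(e / 2^k)
    digits = []
    while d != 0 or c != 0:
        b = digit(d, w, m, signed)
        digits.append(b)
        d -= b                             # now even, 0 <= d <= 2^k
        d = (c & 1) * 2**(k - 1) + d // 2  # shift in the next bit of e
        c >>= 1
    return digits

def value(digits):
    """Integer represented by the digit string (sum of b_i * 2^i)."""
    return sum(b * 2**i for i, b in enumerate(digits))

def density(digits):
    """Fraction of non-zero digits; 0.0 for the empty string (e = 0)."""
    return sum(1 for b in digits if b) / len(digits) if digits else 0.0

def expected_density(w, m, signed=True):
    """Asymptotic density stated in the text for parameters w and m."""
    return 1 / (w + (m + 1) / 2**w + (2 if signed else 1))

if __name__ == "__main__":
    e = random.Random(1).getrandbits(4096)  # constructed sample exponent
    for signed in (True, False):
        ds = encode(e, 2, 1, signed)
        assert value(ds) == e
        print(signed, round(density(ds), 4),
              round(expected_density(2, 1, signed), 4))
```

The loop and the digit pattern depend on the bits of the exponent, so this sketch is meant for studying the recoding and its density, not as a constant-time implementation.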
Table 6.3 shows expected performance figures for left-to-right exponentiation using the unsigned fractional window method in comparison with the usual sliding window method for 1024-bit scalars; a typical application is exponentiation in the multiplicative semigroup $(\mathbb{Z}/n\mathbb{Z})$ for an integer $n$. (The expected number of evaluation stage multiplications for $(\ell + 1)$-bit scalars is approximately

$$\frac{\ell}{w + \frac{m+1}{2^w} + 1}$$

for the unsigned fractional window method, and

$$\frac{\ell}{w + 1}$$

for the sliding window method.) If squarings take as much time as general multiplications, the unsigned fractional window method with $w = 2$, $m = 1$ is approximately 3.7 % faster than the sliding window method with $w = 2$.
Table 6.4 shows the figures for right-to-left exponentiation, taking into account the optimizations to the right-to-left stage noted in section 6.1.2. (As one multiplication can be saved