Optimal Average Joint Hamming Weight and Minimal Weight Conversion of d Integers

and Minimal Weight Conversion of

d

Integers

Vorapong Suppakitpaisarn1,2_{, Masato Edahiro}1,3_{, and Hiroshi Imai}1,2

1_{Graduate School of Information Science and Technology, the University of Tokyo}

7-3-1 Hongo, Bunkyo-ku, Tokyo, Japan

2_{ERATO-SORST Quantum Computation and Information Project, JST}

5-28-3 Hongo, Bunkyo-ku, Tokyo, Japan

3_{System IP Core Research Laboratories, NEC Corporation}

1753 Shimonumabe, Nakahara-ku, Kawasaki, Japan

Abstract. In this paper, we propose the minimal joint Hamming weight conversion for any binary expansions ofdintegers. With redundant rep-resentations, we may represent a number by many expansions, and the minimal joint Hamming weight conversion is the algorithm to select the expansion that has the least joint Hamming weight. As the computation time of the cryptosystem strongly depends on the joint Hamming weight, the conversion can make the cryptosystem faster. Most of existing con-versions are limited to some specific representations, and are difficult to apply to other representations. On the other hand, our conversion is ap-plicable to any binary expansions. The proposed can explore the minimal average weights in a class of representation that have not been found. One of the most interesting results is that, for the expansion of integer pairs when the digit set is{0,±1,±3}, we show that the minimal average joint Hamming weight is 0.3575. This improves the upper bound value, 0.3616, proposed by Dahmen, Okeya, and Takagi.

Key words: Elliptic Curve Cryptography, Minimal Weight Conversion, Average Joint Hamming Weight, Digit Set Expansion

1

Introduction

The joint weight is known to affect the computation time of many operations such as the multi-scalar point multiplication of the elliptic curve cryptography,

K= d

X

i=1

riPi=r1P1+· · ·+rdPd,

These include the work by Solinas [1], which proposes the minimal joint weight expansion on an integer pair when the digit set is {0,±1}. Also, the work by Heuberger and Muir [2, 3] presents the expansions for the digit set

{−l,−(l−1), . . . ,−1,0,1, . . . , u−1, u}

for any natural numberl, and positive integeru.

However, the minimal weight conversions of many digit sets have not been found in the literature. This causes by the fact that most of the previous works used the mathematical construction of the representation, which is hard to be found in many digit sets, for finding the conversion and the average weight.

On the other hand, we propose the conversion and the algorithm to find the average weight without concerning that mathematical construction. This enables us to find the conversions and the average weight of many interesting digit sets, in which the mathematical construction is complex. For instance, {0,±1,±3}

[8], that uses the same amount of memory to store the pre-computed points as

{0,±1,±2}, but is proved to has lower minimal average weight whend= 2. As our conversion is proposed for any digit sets, it might not be as fast as most of the algorithms for the specific digit set in the literatures. But, we believe that the implementer can use our algorithm as a framework, and produce more efficient algorithm for their specific digit set.

Then, we propose the algorithm to construct the Markov chain for analyzing the average joint Hamming weight from the minimal weight conversion. The Markov chain can be used for finding the minimal average weight of dintegers, when

{0,±1,±Λ} ⊆Ds, ifDsis the digit set, andΛ= maxDs.

One of the most interesting is the expansion when the digit set is{0,±1,±3}, andd= 2. For this digit set, many previous works have proposed the construc-tion, the conversion, and the analysis. They can find the upper bound for the minimal average joint Hamming weight. We can find the minimal average joint Hamming weight for this digit set, which is 0.3575. This improves the lowest upper bound in the literatures proposed by Dahmen, Okeya, and Takagi [5, 6], that is 0.3616.

To conclude, our contribution is this paper are:

1. We use the dynamic programming technique to propose the minimal weight conversion that can be applied to any digit sets, and we prove the optimality of the algorithm in Appendix B.

2. We propose the algorithm to find the minimal average joint hamming weight for a class of digit sets, and we prove the minimality of the value in Appendix C.

In Section 4, we present the algorithm to construct the Markov chain used for analyzing the digit set expansion from the conversion in Section 3. Then, we use that Markov chain to find the minimal average joint Hamming weight. Last, we conclude the paper in Section 5.

2

Definition

Let Ds be the digit set mentioned in Section 1, n, d be a positive integer, E{Ds, d}be a function fromZd _{to (Ds}n₎d _{such that if}

E{Ds, d}(r1, . . . , rd) =h(e1,n−1 e1,n−2. . . e1,0), . . . ,(ed,n−1ed,n−2. . . ed,0)i

=h(ei,t)n_t=0−1idi=1,

where

n−1

X

t=0

ei,t2t_=ri,

where ri ∈Z andei,t ∈Ds for all 1≤i≤d. We call E{Ds, d} as the conver-sion, and we call h(ei,t)n−1

t=0idi=1 as the expansion ofr1, . . . , rd by the conversion

E{Ds, d}. As a special case, let Eb{d} be the binary conversion changing the integer to its binary representation where Ds={0,1}.

Eb{1}(12) =h(1100)i, Eb{2}(12,21) =h(01100),(10101)i. We also define a tuple oft-th bit ofri as,

Eb{d}(r1, . . . , rd)|t=he1,t, . . . , ed,ti.

Next, we define the joint Hamming weight function of integerr1, . . . rd

rep-resented by the conversionE{Ds, d},JWE{Ds,d}(r1, . . . , rd), that is

wt=

0 ifE{Ds, d}(r1, . . . , rd)|t=h0i,

1 otherwise,

JWE{Ds,d}(r1, . . . , rd) = n−1

X

t=0

wt.

For instances,JWEb{1}(12) = 2,JWEb{2}(12,21) = 4.

The computation time of the scalar point multiplication in Section 1 depends on the joint Hamming weight. This is because we deploy the double-and-add method, that is

K= d

X

i=0

where

Kt= d

X

i=0

ei,tPi.

To complete this, we needn−1 point doubles, andn−1 point additions. However, if E{Ds, d}(r1, . . . , rd)|t = h0i, Kt = O. And, we need not to perform point addition on that case, as K+O = K. Thus, the number of point additions is JWE{Ds,d}(r1, . . . , rd)−1. For instances, if

K= 12P1+ 21P2,

we can computeK as

K= 2(2(2(2P2+P1) +D)) +P2,

if D = P1+P2, that has already been precomputed before the computation

begins. We need 4 point doubles and 3 point additions to find the result. If{0,1} ⊂ Ds, we are able to represent some number ri ∈Z in more than one ways. For instances, ifDs={0,±1},

12 = (01100) = (10¯100) = (1¯1100) =. . . , when ¯1 =−1.

LetEm{Ds, d} be the minimal weight conversion where Em{Ds, d}(r1, . . . , rd) =hei,n−1. . . ei,0iti=1

is the expansion such that for any he0

i,n−1. . . e0i,0iti=1 where

n−1

X

t=0

ei,t2t₌ n_X−1

t=0

e0

i,t2t,

for all 1≤i≤d,

n_X−1

t=0

w0

t≥JWEm{Ds,d}(r1, . . . , rd),

and

w0

t=

0 ifhe0

1,t, . . . , e0d,ti=h0i, 1 otherwise, For instances,

Em{{0,±1},2}(12,21) =h(10¯100),(10101)i, JWEm{{0,±1},2}(12,21) = 3.

Then, the number of point additions needed is 2. Also, we callEm{Ds, d}(r1, . . . , rd)

IfDs2⊆Ds1, it is obvious that

JWEm{Ds2,d}(r1, . . . , rd)≥JWEm{Ds1,d}(r1, . . . , rd).

Thus, we can increase the efficiency of the scalar-point multiplication by increase the size ofDs. However, the biggerDsneed more precomputation tasks. Ifd= 2, we need one precomputed point whenDs={0,1}, but we need 12 precomputed points whenDs={0,±1,±3}.

Then, one of the contribution of this paper is to evaluate the digit setDs. We use the average joint hamming weight defined as

AJW(E{Ds, d}) = lim k→∞

2k₋₁

X

r1=0 · · ·

2k₋₁

X

rd=0

JWE{Ds,d}(r1, . . . , rd)

k2dk .

It is obvious that AJW(Eb{d}) = 1− 1

2d. In this paper, we find the value

AJW(Em{Ds, d}) of someDsandd. Some of these values have been found in the literatures such as

AJW(Em{{0,±1,±3, . . . ,±(2p_{−1)},1}) =} 1 p+ 1[4]. Also,

AJW(Em{{−l,−(l−1), . . . ,−1,0,1, u−1, u}, d})

for any positive numberd,u, and natural numberl, have been found by Heuberger and Muir [2, 3].

3

Minimal Weight Conversion

In this section, we propose the minimal weight conversion. It is based on the dynamic programming scheme. The input is hr1, . . . , rdi, and the output is

Em{Ds, d}(r1, . . . , rd), which is the minimal weight expansion of the input using

the digit setDs. The algorithm begins from the most significant bit (bitn−1), Rn−1=Eb{d}(r1, . . . , rd)|t=n−1=he1,n−1, . . . , ed,n−1i,

and processes left-to-right to the least significant bit (bit 0), R0=Eb{d}(r1, . . . , rd)|t=0=he1,0, . . . , ed,0i.

For eacht (n > t≤0), we calculate minimal weight expansions of the first n−tbits of the input r1, . . . , rd (

_r

1

2t

, . . . ,rd

2t

) for all carryGtdefined below. We define components in our algorithm as follows:

to each possible output

R∗t =he∗1,t, . . . , e∗d,ti ∈Dsd. Let

Ct=hc1,t, . . . , cd,ti

be the carry from bitt−1 to bitt, i.e.C0=h0iand Cn =h0i. For eacht,

1≤t≤n−1, the arrayCtsatifies the relation Rt+Ct=R∗

t + 2Ct+1.

For instance, let the input be 1. If−1∈Ds, we can output −1 in this bit, and carry 1 to more significant bit, because

1 = 1×2 + (−1).

If 3∈Ds, we can carry−1 to more significant bit and output 3, as 1 =−1×2 + 3.

We define the carry setCsas the set of possible carry. When the digit set Ds ={0,±1,±3}, the carry set is Cs = {0,±1,±2,±3}. We propose the algorithm to find the setCsin Appendix A.

– Theminimal weight array wt is the array of the positive integer wt,Gt for

anyGt∈Csd_{. The integerwt,G}

t is the minimal joint weight of the firstn−t

bits of the inputr1, . . . , rd (

_r

1

2t

, . . . ,rd

2t

) when we carryGt = hgi,tid i=1,

e.g.

wt,Gt =JWEm{Ds,d}(

j_r

1

2t

k

+g1,t, . . . ,

j_rd

2t

k

+gd,t).

– Thesubsolution arrayQtis the array of the stringQt,hi,Gtifor any 1≤i≤d

andGt∈Csd_{. EachQt,}

hi,Gtirepresents the minimal weight expansion of the

firstn−tbits of the inputr1, . . . , rd when we carryGt=hgi,tidi=1, e.g.

wt,Gt =Em{Ds, d}(

j_r

1

2t

k

+g1,t, . . . ,

j_rd

2t

k

+gd,t).

We note that the length of the stringQt,hi,Gtiisn−t, andwt,Gt is the joint

Hamming weight of the stringQt,h1,Gti, . . . ,Qt,hd,Gti. There may exist some

gi,t∈Dssuch thatr1

2t

+gi,tcan not be represented using the string length n−t of Ds. In that case, we represent Qt,hi,Gti with the null string, and

assignwt,Gt to ∞.

When we process the bit t, we find the minimal weight array wt and the subsolution arrayQtfrom the input

Rt=Eb{d}(r1, . . . , rd)|t=he1,t, . . . , ed,ti

We define the function M W :Z|Csd_|

×((Dsn−t₎d₎|Csd_|

× {0,1}d_×Csd_→Z×((Dsn−t+1₎d₎ such that

(wt,Gt, Qt,Gt) =M W(wt+1, Qt+1, Rt, Gt),

where wt+1 is the minimal weight array from bitn−1 to bitt+ 1, and wt is

the minimal weight array from bitn−1 to bitt.Qt+1 is the subsolution string

from bitn−1 to bitt+ 1, andQtis the subsolution string from bitn−1 to bit t. Sincewt=hwt,GtiGt∈Csd andQt=hQt,GtiGt∈Csd, we also define

(wt, Qt) =M W(wt+1, Qt+1, Rt).

It is important to note thatwtis only depend on wt+1 andRt, we use only

2 arrays w and lw to represent wt and wt+1 to reduce memory consumption.

Similarly, we storeQtandQt+1 byQandlQ.

When we implement this idea, we use 2 arrays to represent wt and wt+1,

calledwandlwrespectively. We store the arraywt+1 inlwand use the array to

compute the array w, which is used for representing wt. After that, we replace the array lw withw, decrease t by 1, and continue calculating the subsolution for less significant bits. Similarly, we storeQtandQt+1 byQandlQ.

Example 1. Compute the minimal weight expansion of 3 and 7 when the digit set is{0,±1,±3},Em{{0,±1,±3},2}(3,7). Note thatEb{2}(3,7) =h(011),(111)i.

– Step 1Consider the most significant bit, the input R2=Eb{2}(3,7)|t=2=h0,1i.

There is the carry from less significant bit. Table 1 shows the Hamming weight of the most significant bit for each carry G2 ∈Cs2, lwG2. To

sum-marize the result from the table, ifG2 =h0,−1i, the input with the carry

from less significant bit,

R2+G2=h0,1i+h0,−1i=h0,0i,

and the Hamming weightw2,h0,−1i= 0.

IfG2=h1,0i, the input with the carry,

R2+G2=h0,1i+h1,0i=h1,1i,

andw2,h1,0i= 1. The Hamming weightw2,G is 1 for anyG, such that

R2+G2∈Dsd− {h0i}.

IfG2=h0,1i,

and w2,h0,1i = ∞. The Hamming weight w2,G is ∞ for any G2, such that

R2+G2∈/ Dsd.

As we want to keep the length of the bit string unchanged, we do not generate the carry from the most significant bit. Then, we need to represent the input with the carry,R2+G2using the single bit. As a result, the hamming weight,

w2,G is 0 if R2+G2 = h0i. w2,G is ∞ ifR2+G2 ∈/ Dsd. And, w2,G is 1 otherwise.

– Step 2Next, we consider bit 1. In this bit,

R1=Eb{2}(3,7)|t=1=h1,1i.

Consider the case when the carry from the least significant bitG1=h1,0i.

Then,R1+G1=h2,1i. There are 4 ways to writeh2,1iin the form 2Gt+1+R∗t whereGt+1 ∈Csd is the carry to the most significant bit andR∗t ∈Dsd is the candidate for the output. That is

h2,1i= 2× h1,0i + h0,1i

= 2× h1,−1i+ h0,3i

= 2× h1,1i +h0,−1i

= 2× h1,2i +h0,−3i

If we outputR∗

t for this bit, the Hamming weight is wt,Gt = min_G

t+1,R∗t

[wt+1,Gt+1+JW(R ∗

t)],

whenJW(D) = 0 ifD=h0i,JW(D) = 1 otherwise. From Table 1, w2,h1,0i=w2,h1,−1i=w2,h1,2i= 1,

w2,h1,1i=∞.

And,

JW(h1,0i) =JW(h0,3i) =JW(h0,−1i) =JW(h0,−3i) = 1. Then,

w1,h1,0i= min

G2,R∗t

[w2,G2+JW(R ∗

1)] = 1 + 1 = 2.

We show the arrayw1,G1 on this bit in Table 2.

– Step 3On the least significant bit, the inputR0=h1,1i. The valuew0,h0,0i

is the minimal Hamming weight, and we need not to compute w0,G0 for

G06=h0i. WhenG0=h0,0i, R0+G0=h1,1i. Similar to bit 1, we find

w0,h0,0i= min

G1,R∗0

[w1,G1+JW(R ∗

0)],

such that 2×G1+R∗0=h1,1i, andG1∈Csd,R∗0∈Dsd. We show the value

of each possibleG1, R∗0 withw1,G1,JW(R0∗), andw1,G1+JW(R∗0) in Table

3. Shown in the table, the minimal Hamming weight is min

G1,R∗0

[w1,G1+JW(R ∗

Table 1.The minimal Hamming weight of the most significant bit,w=w2,G2, when

the input bitR2=h0,1i

G2 w G2 w G2 w G2 w G2 w G2 w G2 w

h−3,−3i ∞ h−2,−3i ∞ h−1,−3i ∞ h0,−3i ∞ h1,−3i ∞ h2,−3i ∞ h3,−3i ∞ h−3,−2i 1 h−2,−2i ∞ h−1,−2i 1 h0,−2i 1 h1,−2i 1 h2,−2i ∞ h3,−2i 1 h−3,−1i 1 h−2,−1i ∞ h−1,−1i 1 h0,−1i 0 h1,−1i 1 h2,−1i ∞ h3,−1i 1 h−3,0i 1 h−2,0i ∞ h−1,0i 1 h0,0i 1 h1,0i 1 h2,0i ∞ h3,0i 1 h−3,1i ∞ h−2,1i ∞ h−1,1i ∞ h0,1i ∞ h1,1i ∞ h2,1i ∞ h3,1i ∞ h−3,2i 1 h−2,2i ∞ h−1,2i 1 h0,2i 1 h1,2i 1 h2,2i ∞ h3,2i 1 h−3,3i ∞ h−2,3i ∞ h−1,3i ∞ h0,3i ∞ h1,3i ∞ h2,3i ∞ h3,3i ∞

Table 2. The minimal Hamming weight of bit 1, w = w1,G1, when the input bit

R1=h1,1i, and the arrayw1,G1 of the most significant bit is shown in Table 1

G1 w G1 w G1 w G1 w G1 w G1 w G1 w

h−3,−3i 1 h−2,−3i 1 h−1,−3i 0 h0,−3i 1 h1,−3i 1 h2,−3i 1 h3,−3i ∞ h−3,−2i 2 h−2,−2i 1 h−1,−2i 1 h0,−2i 1 h1,−2i 2 h2,−2i 1 h3,−2i ∞ h−3,−1i 1 h−2,−1i 2 h−1,−1i 1 h0,−1i 2 h1,−1i 1 h2,−1i 2 h3,−1i ∞ h−3,0i 2 h−2,0i 1 h−1,0i 1 h0,0i 1 h1,0i 2 h2,0i 1 h3,0i ∞ h−3,1i ∞ h−2,1i ∞ h−1,1i ∞ h0,1i ∞ h1,1i ∞ h2,1i ∞ h3,1i ∞ h−3,2i 2 h−2,2i 2 h−1,2i 2 h0,2i 2 h1,2i 2 h2,2i 2 h3,2i ∞ h−3,3i 1 h−2,3i 2 h−1,3i 1 h0,3i 2 h1,3i 1 h2,3i 2 h3,3i ∞

Table 3. List of possible G1, R∗0 such that 2× G1 +R∗0 = h1,1i and G1 ∈

{0,±1,±2,±3}2_,R∗

0 ∈ {0,±1,±3}2, withw1,G1 (refer to Table 2), JW(R

∗

0),w1,G1+

JW(R∗

0) of eachG1,R∗0

G1 R∗0 w1,G1 JW(R

∗

0)w1,G1+JW(R

∗

0)

h−1,−1i h3,3i 1 1 2

h−1,0i h3,1i 1 1 2

h−1,1i h3,−1i ∞ 1 ∞

h−1,2i h3,−3i 2 1 3

h0,−1i h1,3i 2 1 3

h0,0i h1,1i 1 1 2

h0,1i h1,−1i ∞ 1 ∞

h0,2i h1,−3i 2 1 3

h1,−1i h−1,3i 1 1 2

h1,0i h−1,1i 2 1 3

h1,1i h−1,−1i ∞ 1 ∞

h1,2i h−1,−3i 2 1 3

h2,−1i h−3,3i 2 1 3

h2,0i h−3,1i 1 1 2

h2,1i h−3,−1i ∞ 1 ∞

We show the algorithm in detail Algorithm 1,2. The algorithm can be de-scribed as follows:

– We set the arraywn−1 =hwn−1,Gn−1iGn−1∈Csd in Algorithm 1 Line 2. We setwn−1,h0i←0 andwn−1,Gn−1 ← ∞for any G6=h0i. The reason behind

this is that we do not carry any things from the most significant bit to keep the length of the bit string unchanged.

– We define the array Qt = hQt+1,hi,Gii for 1 ≤ i ≤ d, and G ∈ Csd in

Algorithm 1 Line 3. Obviously, allQn−1,hi,Giare set to the null string.

– The size of the arraywtandQtis equal to||Cs||d_anddn||Cs||d_{respectively.} That number makes the memory required by our algorithms larger than the previous works. As this algorithm is generalized for any digit sets, further optimization is difficult. We suggest implementers to make the array size lower when they implement the method on their specific digit set.

– Shown in Algorithm 1 Lines 4-7, we run the algorithm from left to right (the most significant bit to the least significant bit). Left-to-right algorithms is said to be faster than right-to-left algorithms, as the more significant bits usually arrive to the system before. However, Algorithm 1,2 is not online; as it cannot produce the subsolution before all input bits arrive.

– The loop in Algorithm 2 explores all the possible values of the carry tuple Gt∈Csd_{from less significant bits. As a result, we getwe=hweR∗}

tiR∗t∈Dsd.

weE shows the minimal Hamming weight in the case that the carry tuple is Gt =hgi,tid

i=1, and the output is R∗t =hri,t∗ idi=1. Each weR∗t is assigned at

the loop in Algorithm 2 Lines 3-10. In Line 5, we compute the arrayGt+1 as

the carry to more significant bits, in the case that we outputR∗

t. And in Line 6,weR∗

t is assigned to wt+1,Gt+1 ifR ∗

t =h0i, and wt+1,Gt+1+ 1 otherwise.

– In Algorithm 2 Line 11, we select the output for each carry tupleGt, which produce the minimal weight substring. The output isEA=heaiid

i=1∈Dsd

such thatweEA has the minimal value amongwe. We define the arrayCE as the carry to more significant bits, in the case that we outputEAin Line 15. Obviously, the minimal weight of the suboutputwt,Gt is equal to weEA,

and the suboutputQt,hi,Gti is the concatenation of the subsolution of more

significant bits when the carry isCE,Qt+1,hi,CEi, withEA.

– We define the solution in Algorithm 1 Line 8. Obviously, the solution is the one from the least significant bit when the carry tuple ish0i.

Example 2. ComputeEm{{0,±1,±3},2}(23,5) using Algorithm 1,2.

– Eb{2}(23,5) =h(10111),(00101)i.

– WhenDs={0,±1,±3},Cs={0,±1,±2,±3}.

– To simplify the explanation, we present it when the loop in Algorithm 1 Line 4-6 assigned t to 0, that is the last time on this loop. This means we have computed w1 and Q1. In this example, wt = wt,Gt where Gt ∈ {0,±1,±2,±3}2_{. Asw}

1, Q1has 49 elements, we are not able to list them all.

To show some elements ofw1, Q1,

Algorithm 1 Minimum joint weight conversion to any digit sets Ds in the binary expansion

Require: r1, . . . , rd

The desired digit setDs Ensure: Em{Ds, d}(r1, . . . , rd)

1: LetCsbe a carry set such that for allc∈Csandd∈Ds, c+d 2 ,

c+d+1 2 ∈Cs.

2: Letwt be an array ofwt,Gt for anyGt∈Cs

d_.

wn,Gn←0 ifGn−1=h0i.

wn,Gn← ∞otherwise.

3: LetQt← hQt,hi,Gtiifor any 1≤i≤dandGt∈Cs

d_.

AllQn,hi,Gtiare initiated to a null string.

4: fort←n−1 to 0do

5: Rt←Eb{d}(r1, . . . , rd)|t.

6: (wt, Qt)←M W(wt+1, Qt+1, Rt) (We define the functionM W in Algorithm 2)

7: end for

8: LetZ ← h0i.

Em{Ds, d}(r1, . . . , rd)← hQ0,hi,Ziidi=1

Q1,h1,h0,0ii= (1011), Q1,h1,h1,0ii= (0300), Q1,h1,h2,0ii= (0301).

Q1,h2,h0,0ii= (0010), Q1,h2,h1,0ii= (0010), Q1,h2,h2,0ii= (0010).

– Although, the loop in Algorithm 2 examines all G0 ∈ Cs2, we focus our

interested the step whereG0=h0i. Note that in this case

AE← h1,1i+h0,0i=h1,1i.

– Now, we focus our interested to the loop in Algorithm 2 Line 3-10. IfR∗

0= h0,0i,ae1−r0∗,1= 1 and 2-(ae1−r0∗,1). Then,weh0,0i← ∞.

– IfR∗

0=h1,1i,

G1← h

ae1−r0∗,1

2 ,

ae2−r0∗,2

2 i=h0,0i.

As stated on the first paragraph,w1,h0,0i= 3. Then, weh1,1i←3 + 0 = 3 by

Line 6.

– IfR∗

0=h−1,−3i,

G1← h

ae1−r0∗,2

2 ,

ae1−r0∗,2

2 i=h1,2i.

Then, we refer tow1,h1,2i which is 1. Then,weh−1,−3i←1 + 1 = 2.

– In Line 11, we select the least number amongwe, and the minimum value is weh−1,−3i= 2. Then,w0,h0,0i= 2.

Q0,h1,h0,0ii← hQ1,h1,h1,2ii,−1i= (0300¯1).

Q0,h2,h0,0ii← hQ1,h2,h1,2ii,−3i= (0100¯3),

Algorithm 2FunctionM W compute the subsolution for bittgiven the subso-lution of bit t+ 1 and the input in bitt

Require: The minimal weight array of more significant bitswt+1, the subsolution of

more significant bitsQt+1, and the inputRt

Ensure: The minimal weight arraywtand the subsolutionQt

1: for allGt=hgi,tidi=1∈Csddo

2: AE=haeiidi=1←Rt+Gt

3: for allR∗

t =hr∗i,tidi=1∈Dsddo

4: if 2|(aei−r∗i,t) for all 1≤i≤dthen

5: Gt+1← h aei−r∗i,t

2 i d i=1

6: weR∗

t ←wt+1,Gt+1 ifGt+1=h0i.

weR∗

t ←wt+1,Gt+1+ 1 otherwise.

7: else

8: weR∗

t ← ∞

9: end if

10: end for

11: LetweEAis the minimal value amongwe.

12: wt,Gt←weEA

13: LetEA=heaiidi=1.

14: CE=hceiii=1d ← haei−2eaii d i=1

15: Qt,hi,Gti← hQt+1,hi,CEi, eaiifor all 1≤i≤d

16: end for

4

Analysis

In this section, we propose the algorithm to analyze the average joint Hamming weight for each digit set. For this purpose, we propose a Markov chain where its states are minimal weight arrays w, and transition is functionM W. As we will focus on only the joint Hamming weight without regarding which bit we are computing, we represent wt+1,wtwith lw, wrespectively. Also, we referGt as

G.

As we have seen in the previous section, we do not have to considerQ in functionM W when we are interested only the Hamming weight. Then, we can redefine the functionM W as

M W :Z|Csd_|

× {0,1}d_→Z|Csd_|

,

wy=M W(wx, R).

4.1 Analysis Method

From Algorithm 1,2, we propose Algorithm 3 to construct the Markov chain A= (QA, Σ, σA, IA, PA),

– QA is a set of states,

– Σis the alphabet,

– σA⊆QA×Σ×QA is a set of transitions,

– IA:QA→R+ _{is an initial-state probabilities for each state inQA,}

– PA:σA→R+ _{is the transition probabilities for each transition inσA.}

The algorithm is described as follows:

– We define the setQA as the set of equivalence classes of the possible value ofwt in Algorithm 1,2. Letwx=hwx,GiG∈Csd and wx0 =hwx0_,Gi_G∈Csd be

the possible value ofwt. We considerwxandwx0 equivalent if and only if

∃p∀G(wx,G+p=wx0,G)

when p ∈ Z and G ∈ Csd_{. In Appendix C, we show the proof that the} number of equivalence classes is finite when

{0,±1,±Λ} ⊆Ds, ifΛ= maxDs.

– The number of states becomes very large when the digit set becomes larger. For example, the number of states is 1,216,376 ford= 3 and

Ds={0,±1,±3}.

This makes us unable to find the average joint Hamming weight in many cases.

– To find the average joint Hamming weight, we need to find the possibility that the Markov chain is on each equivalence class after we input a bit string lengthn→ ∞. That is the stationary distribution of the Markov chain. We consider the function M W, defined in Algorithm 2, as the transition from the equivalence class of wx to the equivalence class of wy, where the input of the transition isR. It is obvious that ifwx is equivalentwx0 and

wy=M W(wx, R), wy0 =M W(w0_x, R),

wα andwβ are equivalent. Then, the transition is well-defined. By this defi-nition,

Σ={0,1}d,

as in Line 1 of Algorithm 3. Also, the set of transitionσA is defined as σA={(wx, R, wy)∈QA×Σ×QA|wy =M W(wx, R)}.

– We generate the set of stateQA using the algorithm based on the breadth-first search scheme starting from wI. This is shown in Algorithm 3 Lines 5-17.

– Since the occurence possibility of all alphabets is equal, the transform prob-abilityPA(γ) = 1

|Σ| for allγ∈σA. This is shown in Algorithm 3 Line 11.

We illustrate how Algorithm 3 works with Example 3,4,5.

Algorithm 3Construct the Markov chain used for finding the average minimal weight

Require: the digit setDs

The number of scalarsd

Ensure: Markov chainA= (QA, Σ, σA, IA, PA)

1: Σ← {0,1}d_,Q

A← ,σA←

2: Cs: carry set forDs

3: wI← hwI,GiG∈Csd, where

wI,h0i←0 andwI,G← ∞otherwise

4: Qu← {wI}

5: whileQu6=do

6: letπ∈Qu

7: wx←π,Qu←Qu−π

8: for allR∈Σdo

9: wy←M W(wx, R)

10: σA←σA∪ {(wx, R, wy)}

11: PA(wx, R, wy)← _|Σ1_|

12: if wy∈/QA andwy6=wx then

13: Qu←Qu∪ {wy}

14: end if

15: end for

16: QA←QA∪ {wx}

17: end while

18: IA(w)←1 ifw=wI,IA(w)←0 otherwise.

Example 3. Letd= 2 andDs={0,±1,±3},Cs={0,±1,±2,±3}and

w=hwiG∈Cs2

=hwh−3,−3i, wh−3,−2i, wh−3,−1i, wh−3,0i, wh−3,1i, wh−3,2i, wh−3,3i,

wh−2,−3i, wh−2,−2i, wh−2,−1i, wh−2,0i, wh−2,1i, wh−2,2i, wh−2,3i,

wh−1,−3i, wh−1,−2i, wh−1,−1i, wh−1,0i, wh−1,1i, wh−1,2i, wh−1,3i,

wh0,−3i, wh0,−2i, wh0,−1i, wh0,0i, wh0,1i, wh0,2i, wh0,3i,

wh1,−3i, wh1,−2i, wh1,−1i, wh1,0i, wh1,1i, wh1,2i, wh1,3i,

wh2,−3i, wh2,−2i, wh2,−1i, wh2,0i, wh2,1i, wh2,2i, wh2,3i,

Then, the initial statew=wI ∈QA is

h∞,∞,∞,∞,∞,∞, ∞,

∞, ∞,∞,∞,∞,∞, ∞,

∞, ∞,∞,∞,∞,∞, ∞,

∞, ∞,∞, 0, ∞,∞, ∞,

∞, ∞,∞,∞,∞,∞, ∞,

∞, ∞,∞,∞,∞,∞, ∞,

∞, ∞,∞,∞,∞,∞,∞i.

Refered to Example 1, if wt+1 =wI and the input bit is h0,1i (as seen in the

most significant bit of the example), Algorithm 2 output wt=wB =h∞,∞,∞,∞,∞,∞, ∞,

1, ∞, 1, 1, 1, ∞, 1, 1, ∞, 1, 0, 1, ∞, 1, 1, ∞, 1, 1, 1, ∞, 1,

∞, ∞,∞,∞,∞,∞, ∞, 1, ∞, 1, 1, 1, ∞, 1,

∞, ∞,∞,∞,∞,∞,∞i,

as shown in Table 1.wB∈QA, and (wI,h0,1i, wB)∈σA. Similarly, if the input iswB andh1,1ias seen in bit 1 of the example, the algorithm input

wC=h1, 1, 0, 1, 1, 1, ∞, 2, 1, 1, 1, 2, 1, ∞, 1, 2, 1, 2, 1, 2, ∞, 2, 1, 1, 1, 2, 1, ∞,

∞,∞,∞,∞,∞,∞, ∞, 2, 2, 2, 2, 2, 2, ∞, 1, 2, 1, 2, 1, 2, ∞i, as shown in Table 2. Also,wC∈QA, (wB,h1,1i, wC)∈σA.

Example 4. Construct the Markov chain A = (QA, Σ, σA, IA, PA) for finding AJW(Em{{0,±1},1}).

– AsDs={0,±1},Cs={0,±1}. Then,

w=hwh−1i, wh0i, wh1ii.

The initial value ofw,wI is

wI =h∞,0,∞i.

– Consider the loop in Lines 5-17. On the first iteration,wx=wI in Line 7. If Ris assigned toh0iin Line 8, the result of the functionM W in Line 9,wy is

Then, we add α = hwI,h0i, wAi to the set σA as shown in Line 10. The probability of the transitionαis 1

|Σk = |{01,1}| = 12. Also, we addwA to the

setQu.

– Similarly, ifR=h1i,wy is

wB=h0,1,∞i. Then,wB ∈QA, andhwI,h1i, wBi ∈σA.

– Next, we explore the statewA, as we explore the setQAby the breadth-first search algorithm. IfR =h0i, wy ish1,0,1i. And ifR =h1i,wy ish1,1,0i. Then,

hh1,0,1i,h0i,h1,0,1ii ∈σA,

hh1,0,1i,h1i,h0,1,1ii ∈σA.

The first transition is the self-loop. Hence, we need not to explore it again.

– We explore the statewB, the result is

hh0,1,∞i,h0i,h1,1,2ii ∈σA,

hh0,1,∞i,h1i,h1,2,∞ii ∈σA.

We note thath1,1,2iis equivalent toh0,0,1i, and we denote it ash0,0,1i. Also,h1,2,∞iis equivalent to h0,1,∞i. Then, the second transition is the self-loop.

– Then, we explore the stateh0,1,1i. We get the condition

hh0,1,1i,h0i,h1,1,2ii ∈σA,

hh0,1,1i,h1i,h1,2,1ii ∈σA.

We denoteh1,1,2iandh1,2,1ibyh0,0,1i,h0,1,0irespectively.

– We exploreh0,0,1iand get the condition

hh0,0,1i,h0i,h1,0,1ii ∈σA,

hh0,0,1i,h1i,h0,1,1ii ∈σA.

– Exploringh0,1,0imakes we get

hh0,1,0i,h0i,h1,1,1ii ∈σA,

hh0,1,0i,h1i,h1,1,0ii ∈σA. We denoteh1,1,1iash0,0,0i.

– From the stateh0,0,0i, we get

hh0,0,0i,h0i,h1,0,1ii ∈σA,

Fig. 1. The Markov chain constructed by Algorithm 3 used for finding

AJW(Em{{0,±1},1})

– From the stateh1,1,0i, we get

hh1,1,0i,h0i,h2,1,1ii ∈σA,

hh1,1,0i,h1i,h1,1,0ii ∈σA. We denoteh2,1,1iash1,0,0i.

– Last, from the stateh1,0,0i, we get

hh1,0,0i,h0i,h1,0,1ii ∈σA,

hh1,0,0i,h1i,h0,1,0ii ∈σA.

– We show the Markov chain in Figure 2.

Example 5. Construct the Markov chain A = (QA, Σ, σA, IA, PA) for finding AJW(Em{{0,±1},2}).

– AsDs={0,±1},Cs={0,±1}. Then,

w=hwh−1,−1i, wh−1,0i, wh−1,1i,

wh0,−1i, wh0,0i, wh0,1i,

wh1,−1i, wh1,0i, wh1,1ii.

The initial value ofw,wI is

wI =h∞,∞, ∞,

∞, 0, ∞,

Fig. 2.The Markov chain constructed by Algorithm 3 after the second iteration of the loop in Lines 8-17

– Consider the loop in Lines 5-17. On the first iteration,wx=wI in Line 7. IfRis assigned toh0,0iin Line 8, the result of the functionM W in Line 9, wy is

wy =wA=h1,1, 1, 1, 0, 1, 1, 1,1i.

Then, we addα= hwI,h0,0i, wAito the set σA as shown in Line 10. The probability of the transitionαis _|Σ1_k = _|{0,1_1}2_| =1₄. Also, we addwAto the

setQu.

– The algorithm explores allR∈ {0,1}2_{. The result is shown in Figure 3.}

– On the second iteration,wx = wA. If R is assigned to h0,0i, the result of the functionM W iswA itself. Therefore, the Markov chain consists of the self-loop at the state corresponding towA.

Let C be a number of states. We number each state d ∈ QA as dp where 1 ≤ p ≤ C. Let πT _{= (π}T

i ) be a probabilistic distribution at time T, i.e.πTi is the possibility that we are on state dp after received input length T. Let P = (Ppq)∈R|QA|×|QA|_{be the transition matrix such that}

Ppq= X R∈Σ

PA(dp, R, dq).

Without loss of generality, assume d1 representing the state that corresponds

eigen decomposition. In Appendix C, we prove that the stationary distribution always exists for any finite Markov chain generated from Algorithm 3.

The next step is to find the average weight from the stationary distribution π. Define W K as a function fromσAto the set of integer by

W K(τ) =wy,h0i−wx,h0i,

when τ = (wx, G, wy) ∈ σA. The function can be described as the change of the Hamming weight in the case that the carry tuple is h0i. We compute the average Hamming weight by the average value of the change in the Hamming weight whennis increased by 1 in the stationary distribution formalized as

AJW(Em{Ds, d}) = X τ∈σA

πf(τ)W K(τ) |Σ| ,

whenf(τ) =wxifτ= (wx, G, wy).

4.2 Analysis Results

By using the analysis method proposed in Subsection 4.1, we can find many interesting results on the average joint Hamming weight. We show some inter-esting results in Table 4. Our results match many existing result [1, 4, 9, 7]. And, we discover some results that have not been found in the literatures. We can describe the results as follows:

– When d = 1, we can find the average joint Hamming weight of all digit setsDs={0,±1,±3, . . . ,±(2h+ 1)} whenh≤31. Ifh= 2p_{−1 for some} p∈Z, our results match the existing results by Muir and Stinson [4]. And, we observe from the result that there is a relation betweenhand the average joint hamming weight. Letpbe an integer such that

2p−1−1< h <2p−1,

AJW({0,±1,±3, . . . ,±(2h+ 1)},1) = 2 p

(p+ 1)2p_{+ (h+ 1)}.

– When d = 2, we can find the average joint Hamming weight of Ds =

Table 4. The average joint Hamming weight, AJW(Em{Ds, d}), when Ds =

{0,±1,±3, . . . ,±(2h+ 1)}found by our analysis method, with the number of states in the Markov chain on each case

h/d 1 2 3 4

1

3 ≈0.3333

1 2 = 0.5

23

39 ≈0.5897

115

179 ≈0.6424

0 (Existing work [9]) (Existing work [1]) (Existing work [7]) (Existing work [7]) (9 states) (64 states) (941 states) (16782 states)

1 4 = 0.25

281

786 ≈0.3575

20372513

49809043 ≈0.4090

1 (Existing work [4]) (Improved result) (New result) (38 states) (3189 states) (1216376 states)

2

9 ≈0.2222

1496396

4826995 ≈0.3100

2 (New result) (New result) (70 states) (19310 states)

1

5 = 0.2 0.2660

3 (Existing work [4]) (New result) (119 states) (121601 states)

4

21 ≈0.1904 0.2574

4 (New result) (New result) (160 states) (130262 states)

2

11 ≈0.1818 0.2342

5 (New result) (New result) (207 states) (525620 states)

Table 5.Comparing our result with the other preliminary researches when expand a pair of integers using{0,±1,±3}

Research Average Joint Hamming Weight

Avanzi, 2002 [10] 3

8 = 0.3750

Kuang et al., 2004 [11] 121

326 ≈0.3712

Moller, 2004 [12] 4

11 ≈0.3636

Dahmen et al., 2007 [5] 239

661 ≈0.3616

Our Result 281

5

Conclusion

In this paper, we propose the generalized minimal weight conversion algorithm fordintegers. The algorithm can be applied to any finite digit setDs. Then, we propose the algorithm to construct a Markov chain which can be used for finding the average joint Hamming weight automatically. As a result, we can discover some minimal average joint Hamming weights automatically without the prior knowledge of the structure of the digit set. This helps us able to explore the average weight of the unstructured set. For example, we find that the minimal average weight is 281

786 ≈0.3575 whend= 2 andDs={0,±1,±3}. This improves

the upper bound presented by Dahmen et al., that is 239

661≈0.3616.

However, there are some gaps to improve this work as follows:

– Compared to the algorithm for each specific digit set, the generalized algo-rithm proposed in this paper is slower and consumes more memory. However, the efficient minimal weight conversion algorithm on the digit set that have never been explored might be able to derive from the algorithm.

– The number of the states in the Markov chain produced by Algorithm 3 is comparatively large. More efficient algorithm to generate the Markov chain will help us to be able to explore the average joint Hamming weight for the larger set.

– Our method is able to apply on the double-based number system [13, 14]. We have successfully proposing the minimal weight conversion for anydandDs on this number system. However, we cannot find the fast analysis method from that conversion. In this state, we can improve the upper bound for the minimal average weight whend= 2 andDs={0,±1} from 0.3945 [15] to 0.3883, but we still cannot find the exact value.

References

1. Solinas, J.A.: Low-weight binary representation for pairs of integers. Centre for Applied Cryptographic Research, University of Waterloo, Combinatorics and Op-timization Research Report CORR (2001)

2. Heuberger, C., Muir, J.A.: Minimal weight and colexicographically minimal integer representation. Journal of Mathematical Cryptology1(2007) 297–328

3. Heuberger, C., Muir, J.A.: Unbalanced digit sets and the closest choice strategy for minimal weight integer representations. Designs, Codes and Cryptography52(2) (August 2009) 185–208

4. Muir, J.A., Stinson, D.R.: New minimal weight representation for left-to-right win-dow methods. Department of Combinatorics and Optimization, School of Com-puter Science, University of Waterloo (2004)

5. Dahmen, E., Okeya, K., Takagi, T.: A new upper bound for the minimal density of joint representations in elliptic curve cryptosystems. IEICE Trans. Fundamentals

E90-A(5) (May 2007) 952–959

6. Dahmen, E., Okeya, K., Takagi, T.: An advanced method for joint scalar multi-plications on memory constraint devices. LNCS3813(2005) 189–204

8. Okeya, K.: Joint sparse forms with twelve precomputed points. Technical Report of IEICE. ISEC109(42) (May 2009) 43–50 In Japanese.

9. Egecioglu, O., Koc, C.K.: Exponentiation using canonical recoding. Theoretical Computer Science129(1994) 407–417

10. Avanzi, R.: On multi-exponentiation in cryptography. Cryptology ePrint Archive

154(2002)

11. Kuang, B., Zhu, Y., Zhang, Y.: An improved algorithm foruP+vQusing JSF1 3.

LNCS3089(2004) 467–478

12. Moller, B.: Fractional windows revisited: Improved signed-digit representations for efficient exponentiation. LNCS3506(2005) 137–153

13. Dimitrov, V., Cooklev, T.V.: Two algorithms for modular exponentiation based on nonstandard arithmetics. IEICE Trans. Fundamentals E78-A(1) (January 1995) 82–87 special issue on cryptography and information security.

14. Dimitrov, V., Imbert, L., Mishra, P.K.: Efficient and secure elliptic curve point multiplication using double-base chains. In: Proc. of ASIACRYPT 2005. (2005) 59–78

15. Adikari, J., Dimitrov, V.S., Imbert, L.: Hybrid binary-ternary number system for elliptic curve cryptosystems. In: Proc. of EUROCRYPT 2009. (2009) 76–83 16. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete

logarithms. IEEE Trans. on Information TheoryIT-31(1985) 469–472

17. Haggstrom, O.: Finite Markov Chains and Algorithmic Application. 1 edn. Vol-ume 52 of London Mathematical Society, Student Texts. Cambride University, Coventry, United Kingdom (2002)

18. Schmidt, V.: Markov Chains and Monte-Carlo Simulation. Department of Stochas-tics, University Ulm (July 2006)

19. Suppakitpaisarn, V.: Optimal average joint hamming weight and digit set expan-sion on integer pairs. Master’s thesis, The University of Tokyo (2009)

20. Suppakitpaisarn, V., Edahiro, M.: Fast scalar-point multiplication using enlarged digit set on integer pairs. Proc. of SCIS 2009 (2009) 14

Appendix A: The Carry Set

In this section, we present the algorithm to find the carry setCsin Algorithm 1,2. We show the method in Algorithm 4. It is based on breadth-first search scheme. And, we find the upper bound of the cardinality of the carry set in Lemma 1.

Lemma 1. Given the finite digit setDs, Algorithm 3 always terminates. And,

||Cs|| ≤maxDs−minDs+ 2,

whenCsis the output carry set.

Proof. Since

Cs={c−d

2 ∈Z|d∈Ds∧c∈Cs} ∪ {

c−d+ 1

2 ∈Z|d∈Ds∧c∈Cs},

minCs≥minCs−maxDs

Algorithm 4Find the carry set of the given digit set Require: the digit setDs

Ensure: the carry setCs

1: Ct← {0},Cs← 2: whileCt6=do

3: letx∈Ct

4: Ct←Ct∪({x+d

2 ∈Z|d∈Ds} −Cs− {x})

5: Ct←Ct∪({x+d+1

2 ∈Z|d∈Ds} −Cs− {x})

6: Cs←Cs∪ {x} 7: Ct←Ct− {x} 8: end while

Then,

minCs≥ −maxDs. Also,

maxCs≤ −minDs+ 1.

We conclude that if Ds is finite, Cs is also finite. And, Algorithm 3 always terminates.

||Cs|| ≤maxDs−minDs+ 2.

u t

Appendix B: The Optimality of Algorithm 1,2

In this subsection, we present the mathematical proof that Algorithm 1,2 pro-posed in Section 3 is the minimal weight conversion.

Lemma 2. For any positive integer 0 ≤ t ≤ n−1. Qt+1,hi,Gt+1i, which are assigned in Line 7 of Algorithm 1, represent the minimal weight expansion of the prefix string lengthn−t of the bit string Eb{d}(r1, . . . , rd), when the carry from less significant bits to the prefix isG. And,wt+1,Gt+1 is the joint hamming weight of Qt+1,h1,Gt+1i, . . . , Qt+1,hd,Gt+1i.

Proof. We use the mathematic induction for proving this lemma.

We begin the proof by the case whent=n−1. In this case, allQn−1,hi,Gn−1i have length (n−(n−1)) = 1. The subsolution Qn−1,hi,Gn−1i should satisfy

Qn−1,hi,Gn−1i=haeii,

ifAE ∈Dsd_{, because it does not produce any carries to more significant bits.} Then,wn−1,Gn−1 = 0 whenAE=h0iandwn−1,Gn−1 = 1 otherwise.

We initializelw in Algorithm 1 Line 2 such thatwn,Gn = 0 ifG=h0i, and

wn,Gn = ∞ otherwise. Then, weR∗n−1, which is assigned in Algorithm 2 Line

6, is ∞ ifGn 6= h0i. If there are some finite elements among we, weR∗

not be the minimal element on Algorithm 2 Line 11 and will not be assigned to Qn−1,hi,Gi in Algorithm 2 Line 15. Hence, all selectedEA=heaiidi=1 satisfy

cei= aei−eai 2 = 0,

for all 1≤i≤d. That meansaei=eai, and we can conclude that Qn−1,hi,Gi= haeii. Also, we prove thatwn−1,Gn−1 = 0 whenGn−1=h0iand wn−1,Gn−1 = 1

otherwise by Algorithm 2. We prove the statement whenT =n−1.

It is left to show that if the lemma holds when t = K, it also holds when t=K−1, for anyK≥1.

Assume that whent =K, wK+1,GK+1, QK+1,GK+1 are the optimal weight

and the optimal expansion of the prefix string lengthn−K for anyG∈Csd_. We claim thatwK,GK,QK,GK are also the prefix string lengthn−K+ 1.

First, we prove thatwK,GK is the joint Hamming weight of

QK,h1,GKi, . . . , QK,hd,GKi

for any GK ∈ Csd_{. It is obvious that weEA selected in Algorithm 2 Line 11} equals wK+1,CE, whenEA=h0iand wK+1,CE+ 1 otherwise, by Algorithm 2 Line 6 (CE is defined in Algorithm 2 Line 14). By the assignment in Algorithm 2 Line 15,

QK,hi,GKi=hQK+1,hi,CEi, eaii.

Since, the joint hamming weight of QK+1,h1,CEi, . . . , QK+1,hd,CEi is equal to

wK+1,CE by induction, the property also holds for eachQK,GK.

Next, we prove the optimality ofQK,hi,GKi. Assume contradiction that there

are some stringPK,hi,GKi such that

PK,hi,GKi6=QK,hi,GKi

for some 1 ≤ i ≤ d, and some GK ∈ Csd_{. And, the joint hamming weight of} PK,h1,GKi, . . . , PK,hd,GKiis less thanQK,h1,GKi, . . . , QK,hd,GKi. Let the last digit

ofPK,hi,GKi belpi. Iflpi=eai for all 1≤i≤d, the carry is

haei−eai

2 i

d

i=1=CE.

By induction, the joint Hamming weight QK+1,h1,CEi, . . . , QK+1,hd,CEi is the

minimal joint Hamming weight. Then, the joint hamming weight ofP is greater or equal toQ. Iflpi6=eai for some 1≤i≤d, the carry is

H =hhiidi=1=h

aei−lpi

2 i

d i=1.

By induction,QK+1,hi,Hiis the minimal weight expansion. Then,

JW(PK,h1,Hi, . . . , PK,hd,Hi)≥JW(QK+1,h1,Hi, . . . , QK+1,hd,Hi)+JW(hlp1i, . . . ,hlpdi),

By the definition ofW E, it is clear that

JW(QK+1,h1,Hi, . . . , QK+1,hd,Hi) +JW(hlp1i, . . . ,hlpdi) =weI,

whenI=hlp1, . . . , lpdi.

In Algorithm 2 Line 11, we select the minimal value ofweEA. That is weEA≤weI.

As

weEA=JW(QK,h1,GKi, . . . , QK,hd,GKi),

we can conclude that

JW(PK,h1,GKi, . . . , PK,hd,GKi)≥JW(QK,h1,Gi, . . . , QK,hd,Gi).

This contradicts our assumption. ut

Theorem 1. Let Z =h0i. hQ0,hi,Ziidi=1 in Algorithm 1 Line 9 is the minimal joint weight expansion ofr1, . . . , rd on digit set Ds.

Proof. hQ0,hi,Giidi=1are the optimal binary expansion of the least significant bit

by Lemma 2. Since there is no carry to the least significant bit,hQ0,hi,{0}iidi=1 is

the optimal solution. ut

Appendix C: The Markov Chain from Algorithm 3

In this section, we prove that the set of statesQA defined in Section 4 is finite. We also show that the Markov chain automatically generated by Algorithm 3 has a unique stationary distribution.

Lemma 3. Let Λ be a largest integer of Ds, and {0,±1,±Λ} ⊆ Ds. For any possible values of lw=hlwiG∈Csd, there existsc∈Zsuch that

lwG1−lwG2 < c,

for any G1, G2∈Csd such thatlwG1, lwG2 is a finite integer.

Proof. Let l be the possible value of lw, and α1, . . . , αd are the prefix string

lengthβ of the input that move the Markov chain to the statel. Let ν= max(maxCs,−minCs),

and γ1, . . . , γd are the prefix string length β−ν. They move the Markov chain

to the statell.

First, we show that for anyG∈Csd

We consider the case that the last bit of α is 0, for all ∈ {1, . . . , d}, and G∈ {0,±1}d_{. Since{0,±1} ∈Ds,}

lG≤llh0i+µ≤llh0i+ν,

when µ is the joint Hamming weight of the substring of the input from the (β−ν+ 1)th _{significant bits to theβ}th_{significant bit, λ}

1, . . . , λd.

Assume the last bit of α is 1, for some ∈ {1, . . . , d}. If G ∈ {0,−1}, ae∈Ds. Next, we consider the case whenG= 1, and ae = 2. If 2∈Ds, we prove the case. If not, we need to carry something to more significant bit. That carry can be dissolved if there exists 0 in some bit in λ. If all number in λ is 1, we might need to carry 1 intoγ. If there exists 0 inγ, it might be changed to 1, that increase the joint Hamming weight at most 1. If not, the carry must be dissolved by changing somec1 ∈Ds− {0} to c2∈Ds− {0}, that does not

change the joint Hamming weight. Then, we prove the case. Next, we prove the claim that

lG ≤luH+ 1,

whenluis the state of the Markov chain moved by the prefix string lengthβ−1 of the input, andH is defined as

H=

   

  

G G∈ {0,±1}

G

2 |G| ≥2 and|G| is even

G−1

2 |G| ≥2 and|G|is odd and last digit ofαis 0

G+1

2 otherwise.

By the above equation,

|H| ≤ |G| −1 if|G| ≥2. Then, by this claim

lG≤llH+ν, whenH ∈ {0,±1}d_{. Hence,}

lG≤llh0i+ν+d.

In this paragraph, we show that the claim is correct. We considerG as the carry to the bit, andH as the carry to more significant bit. Let ω be theβth significant bit ofr. In case that 2|G, we can carry G

2 to more significant bits

and leave this bit toω. If 2|(G+1) andωis 0, we carryG−2 1 to more significant

bit, and leave 1. If the input is 1, we carry G+1

2 , and leave 0.

On the second part of the proof, we show the upper bound of lwh0i. Let

α1, . . . , αd be a string lengthβ, andγi be a prefix ofαi lengthβ−ν, for some

ν ∈Z.αimoves the Markov chain to the statelandγimoves the Markov chain to the statell. We show that for any G∈Cd_,

when ll is induced by the substring of the string which induce l. Refer to Al-gorithm 2, we select the best input in each output among Dsd_{, by carrying} CA∈Csd_{. But, we cannot output every possibleDs}d _{by the condition in Line} 8. LetD⊆Dsd_{be a set of possible output, andC∈Cs}d_{be a set of the possible} carry from the bit. It is obvious that

lh0i≤llG+ 1,

for anyG∈C. LetCin⊆Csbe a set of possible carry to the input bitI∈ {0,1}

andCou⊆Csis the possible carry produced by the bit and the setCin. Define a function∆:P(Cs)× {0,1} →P(Cs) such that∆(Ci, I) =Co. We claim that if

αi∈ {/ w|w∈(0+₁+₎|Cs|+1_},

for some positive integerp, we can show that

Cs=∆ . . . ∆(∆(h0i,Iβ−|Cs|),Iβ−|Cs|+1). . . ,Iβ),

whenItis thetth_{significant bit of the stringαi. LetΛbe an odd number. It is} clear that ifc∈CinandCou=∆(Cin, I),

{c+I+ 1

2 ,

c+I−1

2 ,

c+I+Λ

2 ,

c+I−Λ

2 } ⊆Cou, whenc+I is odd, and

{c+I

2 } ⊆Cou,

whenc+I is even. We start withCin={0}. Sinceαi∈ {/ w|w∈(0+₁+₎|Cs|+1_},

there exist 1 in the bit string ofαi. And,

∆({0},1) ={0,1,Λ+ 1 2 ,

−Λ+ 1 2 }.

The set ∆({0},1) contains both the odd and the even integer. Also, the set

{c+I−Λ

2 ,c+I2−1,c+I2+1,c+I2+Λ}, for any c ∈ Cs. If c+I =6 Λ, c+I2+Λ > c+I.

Then, the largest odd number of Couis larger than the largest odd number of Cin. Also, the smallest odd number of Cou is smaller than the smallest odd number ofCou. Hence, if the largest or the smallest number is the odd number, we get the bigger set. As we have c+I−1

2 ,c+I2+1 ∈Cs, the numbers lying between

the smallest and the biggest number are filled with a small number of loop. Last, we consider the case when αi is the string in the regular language (0+₁+₎|Cs|+1_{. Since {0,±1} ⊆Ds, we can representαi by NAF. The Hamming}

weight of representing the bit stringαi by NAF is at most|Cs|+ 2.

u t

Proof. Letlwa=hlwaGiG∈Csd be a possible value oflw such that

α= min G∈CsdlwaG.

Letlwn=hlwnGiG∈Csd such that

lwnG=lwaG−α,

for anyG∈Csd_{. It is obvious thatlwnis equivalent tolwa, and they represent} the same class inQA. The minimal value oflwnis 0, and the maximal value is c, as in Lemma 3. Then, there is (c+ 1)||Cs||d

possible classes of lw. And, the number of the members of the set QA is bounded by that number. ut

Lemma 4. For any possible values of lw =hlwiG∈Csd, there exists a sequence of members ofσA such that

h(lw,h0i,q1),(q1,h0i,q2), . . . ,(qβ,h0i,lwc)i,

where lw, q1, . . . , qβ, qC ∈ QA. lwc = hlwcGiG∈Csd is the constant value such that

lwcG=JW(Em{Ds, d}(g1, . . . , gd)), whereG=hgiid

i=1.

Proof. For any possible values oflw,lwa∈QA. Let the inputsr1, . . . , rd be as

follows:

– Letn=maxi(log2(ri)).

– The firstn−αbits of the inputs,

Ebn−1, d(r1, . . . , rd), . . . , Ebα, d(r1, . . . , rd),

make the Markov chain be on that statelwa. Aslwais the possible value of lw, there always exists the bit string.

– The remaining of the bit string

Ebα−1, d(r1, . . . , rd), . . . , Eb0, d(r1, . . . , rd)

areh0i.

We claim that ifαis large enough, the arraylwislwcwhen Algorithm 1 termi-nates.

First, we prove that

lwcG=lwah0i+JW(hg1i, . . . ,hgdi),

hkiid

i=1 which make the joint weight lower. Let β be the joint Hamming weight

of the zero-input part of the bit string,

lwah0i+JW(Em{Ds, d}(g1, . . . , gd)< lwaL+β,

for some L ∈Csd _{that can be carry to the α}th _{when the carry from the least} significant bit isK. It is obvious thatL6=h0i, as

β≥JW(Em{Ds, d}(g1, . . . , gd).

Similaryly, it is also obvious that the carry between the bit numbertand t+ 1 is noth0i.

SinceCsis a finite set, let

maxCs <2γ_. And, let

α >(c+ 1)·γ+,

whenis the length of the shortest string that can represent Em{Ds, d}(g1, . . . , gd).

Let the first n−α bits of r1, . . . , rd can be converted to the integer as

rf1, . . . , rfd. CarryingL=hliidi=1 makes us have to represent the number

rf1·2α+l1, . . . , rf2·2α+ld

using the prefix lengthn−1 of the solution. Sinceli is less than 2γ_{, we cannot} make the string that is all zeros between the bit numberγ+ 1 to 1 represent the value. This means the joint Hamming weight of the sub-solution between the bit number γ+ 1 to 1 has to be more than 0.

Since the carry to the bit numberα cannot be h0i, the carry from the bit numberγ+1 is noth0i. As a result, the joint Hamming weight of the sub-solution between the bit number 2γ+ 2 to γ+ 2 has to be more than 0. Similarly, the joint Hamming weight of the sub-solution between the bit numberαto the bit number 1 is more thanc+ 1.

From Lemma 3,

lwaL−lwah0i< c.

Asβ ≥c+ 1, andJW(Em{Ds, d}(g1, . . . , gd)≤1, this contradicts our

assump-tion that

lwah0i+JW(Em{Ds, d}(g1, . . . , gd)< lwaL+β.

When,G /∈Dsd_{, we start with the bit number , and use the same method}

to prove this lemma. ut