Radix-r Non-Adjacent Form and Its Application to Pairing- Based Cryptosystem Authors: T. Takagi, D. Reis Jr., S.M. Yen and B.C. Wu IEICE Trans. Fundamentals, vol. E89-A, No.1 January Presented by J. Liu

Outline Introduction Generalized Non-Adjacent Form (gNAF) Radix-r NAF (rNAF) Width-w radix-r NAF (wrNAF) Generalized Sliding Window Form (gSWF) Comparisons Example of gNAF rNAF and gSWF Conclusion

Introduction The radix-3 representation can be used for efficient implementation in pairing based cryptosystem.

Generalized Non Adjacent Form Radix-r representation Hamming weight of radix-r rep. is the number of non-zero digits. { density (r-1)/r} Signed radix-r rep. gNAF : { density (r-1)/(r+1)} –  d i +d i+1  <r for all i, –  d i  <  d i+1  if d i d i+1 <0

Radix-r NAF r-NAF of d =(d n-1, d n-2,…, d 0 ) –d j d j-1 =0 for j = 0, 1, …, n, where d n = d -1 =0 –d j  D r = {0,  1,  2,…,  floor[(r 2 -1)/2]}\{  r,  2r,…} –The leftmost non-zero digit is positive Convert (e j, e j-1 ), where e j-1  0, to r-NAF –If e j r+ e j-1 < r 2 /2, then (0, e j r+ e j-1 ) –else (1,0, (e j r+ e j-1 )-r 2 ) {density (r-1)/(2r-1)} proved by Markov chain

Example d mods r: –If d mod r  r/2 then d mods r = (d mod r)-r –else d mods r = d mod r d = 97, r=5 (4, 0, -3) cd 0  d mods r 2 = (97 mod 25)-25 = -3 d  d-(-3)=100, d  d/r=100/5=20 cd 1  0 (20 mod 5 = 0) d  d/r=20/5=4 cd 1  d mods r 2 = 4 mods 25 = 4

Width-w radix-r NAF wr-NAF of d =(d n-1, d n-2,…, d 0 ) –At most 1 non-zero digit among any w adjacent digits –d j  D w,r = {0,  1,  2,…,  floor[(r w -1)/2]}\{  r,  2r,…} –The leftmost non-zero digit is positive. {density (r-1)/(w(r-1)+1)}

Generalized Sliding Window Form Space-time trade-off At most 1 non-zero digit among a width-w sliding window. Convert the w-consecutive by the conversion table.

Conversion table (1,0~)→(1,0~),…, (r-1,0~)→(r-1,0~) (1,1,0~)→(0,r+1,0~), (1,2,0~)→(0,r+2,0~)… (2,1,0~)→(0,2r+1,0~), (2,2,0~)→(0,2r+2,0~) (r-1,1,0~)→(0,r 2 -r+1,0~), (r-1,r-1,0~)→(0, r 2 -1,0~),… (r-1, r-1, r-1,0~)→(0,0,r 3 -1,0~),… (r-1,r-1,…,r-1)→(0,0,…, r w -1)

Comparisons

Conclusion For radix-3, the proposed algorithm with width-w =2 attains non-zero density 0.4 with two additional digits, where g-NAF has 0.5 with one additional digit. The radix-r representation is used for the efficient computation of pairing-based cryptosystem.