This action might not be possible to undo. Are you sure you want to continue?

**Theory, Applications and Open Problems
**

Laurent Imbert

CNRS, LIRMM, Universit´e Montpellier 2

10 years of collaborations with V. Dimitrov, Univ. of Calgary, Canada

S´eminaire Bipop-Casys, LJK, March 4, 2010

Today’s menu

• (p, q)-ary partitions

• The double-base number system: (p, q) = (2, 3)

• Deﬁnition, representation, properties

• Applications to arithmetic and cryptography

• strictly chained (p, q)-ary partitions

• Open problems

1/1

Integer Partitions

A partition of an integer n is a nonincreasing sequence of positive

integers a

1

, a

2

, . . . , a

k

whose sum is n. Each a

i

is called a part.

For example, the 5 partitions of 4 are:

4 = 4

= 3 + 1

= 2 + 2

= 2 + 1 + 1

= 1 + 1 + 1 + 1

The partitions of n correspond to the set of solutions

(k

1

, k

2

, . . . , k

n

) in nonnegative integers to the diophantine equation

1k

1

+ 2k

2

+ 3k

3

+ + nk

n

= n

2/1

The Partitions Zoo

• Partitions with distinct parts, partitions with odd parts

• Partitions whose largest part is k, partitions with k parts

• Partitions into primes (Goldbach conjecture)

• m-ary partitions: partitions as a sum of powers of m for a ﬁxed

m ≥ 2 (e.g. binary partitions)

• Partitions with parts occuring at most twice or thrice

• Chain, umbrella partitions: partitions constrained by divisibility

conditions

• etc.

3/1

(p, q)-ary Partitions

A (p, q)-ary partition is a partition where the parts are divisible by no

primes other than p or q

Historically, a double-base representation of n > 0 is a (2, 3)-ary

partition of n with distinct parts

n = 2

a

1

3

b

1

+ 2

a

2

3

b

2

+ 2

a

m

3

b

m

with a

i

, b

i

≥ 0 for i = 1, . . . , m

A number of the form 2

a

3

b

is called a ¦2, 3¦-integer

4/1

Representation of (p, q)-ary Partitions

2

a

3

b

314159 = 2

7

3

7

+ 2

7

3

5

+ 2

10

3

1

+ 2

2

3

2

+ 2

0

3

2

+ 2

1

3

0

5/1

Number of Double-Base Representations

b

2

2

a

3

b

One-to-one correspondence with the

solutions (b

0

, . . . , b

r−1

) to the

diophantine equation

n = b

0

+ 3b

1

+ 3

2

b

2

+ + 3

r−1

b

r−1

# Double-base rep. of n > 0 = # 3-ary partitions of n

f(n) =

f(n −1) + f(n/3) if 3[n

f(n −1) otherwise

Sloane’s integer sequence # A005704

f(1) = 1, f(10) = 5, f(50) = 72, f(100) = 402, f(500) = 75171

6/1

Length of Double-Base Representations

The Length of a double-base representation is equal to the number

of parts in

n = 2

a

1

3

b

1

+ + 2

a

m

3

b

m

Theorem [Dimitrov 95]: m ∈ O(log n/ log log n)

Smallest n > 0 requiring m parts

m log n/ log log n

2 5 3.38

3 23 2.74

4 431 3.36

5 18, 431 4.29

6 3, 448, 733 5.55

7 1, 441, 896, 119 6.91

7/1

Canonic Double-Base Representations

Representations of minimal length (shortest partitions)

Example: 127 has 783 representations, among which 6 are canonic

2

a

3

b

2

a

3

b

2

a

3

b

2

a

3

b

2

a

3

b

2

a

3

b

Canonic representations are extremely hard to compute!

8/1

Computing Double-Base Representations

Input: An integer n > 0

Output: The sequence (a

i

, b

i

) s.t. n =

¸

i

2

a

i

3

b

i

with a

i

, b

i

0

1: while n = 0 do

2: Compute the best default approx of n of the form z = 2

a

3

b

3: print (a, b)

4: n ←n −z

5: end while

Does not produce canonic representations...

(E.g: 41 = 36 + 4 + 1 = 32 + 9)

but satisﬁes length in O(log n/ log log n)

Minor modiﬁcations allow to compute signed double-base

representations

n = ±2

a

1

3

b

1

±2

a

2

3

b

2

±2

a

m

3

b

m

9/1

Best Approximations of the Form 2

a

3

b

Compute a, b 0 such that 2

a

3

b

= max¦2

c

3

d

n ; (c, d) ∈ NN¦

cα + d < aα + b log

3

n (α = log

3

2)

Solutions: points with integer coordinates under the line of equation

y = −αx + log

3

n

Best left approx: (a, b) s.t. δ(a) = min¦δ(x) = ¦−αx + log

3

n¦¦

10/1

Single Constant Multiplication (SCM)

Given an integer constant C > 0, ﬁnd a program which computes

C x with as few operations ∈ ¦+/−, <¦ as possible.

Complexity model: + and − have the same cost, < are negligible

• Naive approach: 151 = (10010111)

2

151x = (x <7) + (x <4) + (x <2) + (x <1) + x

• Signed digits: 151 = (1010

¯

100

¯

1)

SD2

151x = (x <7) + (x <5) −(x <3) −x

• Pattern search [Lef`evre 01, Boullis & Tisserand 05]

Lef`evre’s conjecture: SCM is sublinear

11/1

A Double-base Approach to SCM

C = 10599 = (1010010 1100111)

2

= 82 2

7

+ 103

2

0

2

1

2

2

2

3

2

4

2

5

2

6

2

7

2

8

2

9

2

10

2

11

2

12

2

13

3

0

3

1

3

2

103 82 0 2 32 6

x

0

= (x <8)

x

1

= 3x

0

+ (x <5)

x

2

= 3x

1

+ (x <13) + (x <3) −x

12/1

Complexity

If C =

¸

m−1

i=0

±2

a

i

3

b

i

, with b

max

= max

i

¦b

i

¦, then

# add = m + b

max

−1

Theorem [DIZ 07]: Let C > 0 of size n. Then, the multiplication by

C can be computed in O(n/ log n) additions.

Sketch of proof:

1. Split C into log n blocks of size n/ log n each

2. Express each block in double-base gives b

max

∈ O(n/ log n)

3. m =

¸

j

m

j

with m

j

∈ O(n/ log n

2

)

4. m ∈ O(n/ log n)

13/1

Example

The multiplication by any 300-bit constant can be computed with at

most 77 additions.

• Split its binary representation into ten 30-bit blocks

• Every block can be represented with at most six ¦2, 3¦-integers

(Because 2

30

< 1, 441, 896, 119 < 2

31

)

• The highest power of 3 that might occur is 18

(Because 3

18

< 2

30

< 3

19

)

• Therefore, in the worst case, one will need

10 6 + 18 −1 = 77 additions

14/1

Matrix Polynomial

Evaluate the matrix polynomial

G(N, A) = I + A + A

2

+ + A

N−1

without matrix inversion

• Horner: G(N, A) = A(A(. . . (A+I) . . . ) +I) +I (too slow)

• Smart decompositions: If N = JK, then

G(N, A) = G(J, A) G(K, A

J

)

15/1

Binary Decomposition

G(N, A) =

(I + A) G(K, A

2

) if N = 2K

I + (A + A

2

) G(K, A

2

) if N = 2K + 1

The number of matrix multiplications (MM) is ≈ 2 log

2

N

16/1

Ternary Decomposition

G(N, A) =

(I + A + A

2

) G(K, A

3

) if N = 3K

I + (A + A

2

+ A

3

) G(K, A

3

) if N = 3K + 1

I + A (A + A

2

+ A

3

) G(K, A

3

) if N = 3K + 2

The number of MM is between 3 log

3

N ≈ 1.89 log

2

N and

4 log

3

N ≈ 2.52 log

2

N

17/1

Hybrid Decomposition

G(N, A) =

(I + A + A

2

) G(K, A

3

) if N = 3K

I + (A + A

2

+ A

3

) G(K, A

3

) if N = 3K + 1

(I + A) G(3K + 1, A

2

) if N = 6K + 2

I + (A + A

2

) G(3K + 2, A

2

) if N = 6K + 5

The number of MM is between 3 log

3

N ≈ 1.89 log

2

N and 2 log

2

N

18/1

Average Complexity of the Hybrid Approach

G(N, A) =

8

>

>

>

<

>

>

>

:

(I + A + A

2

) ×G(K, A

3

) if N = 3K

I + (A + A

2

+ A

3

) ×G(K, A

3

) if N = 3K + 1

(I + A) ×G(3K + 1, A

2

) if N = 6K + 2

I + (A + A

2

) ×G(3K + 2, A

2

) if N = 6K + 5

0

1

2

3

4

5

¸

¸

¸

¸

¸

¸

¸

1/3 0 1/3 0 1/3 0

1/3 0 1/3 0 1/3 0

0 1/2 0 0 1/2 0

0 1/3 0 1/3 0 1/3

0 1/3 0 1/3 0 1/3

0 0 1/2 0 0 1/2

Stationary probabilities: p

∞

= (1/10 1/5 1/5 1/10 1/5 1/5)

Average base: β = 2

2/5

3

3/5

≈ 2.550849

Average number of MM: (3p

3

+ 2p

2

) log

β

2 ≈ 1.92 log

2

N

19/1

Fast Exponentiation

• Generic: given g ∈ (G, ) and n ≥ 0, compute g

n

• Elliptic curve scalar multiplication: given P ∈ E(K) and k ≥ 0,

compute [k]P = P + P + + P (k times)

• Multi-scalar multiplication: given k

1

, k

2

, P, Q ∈ E(K),

compute [k

1

]P + [k

2

]Q

20/1

Scalar Multiplication Algorithms

Double-and-Add: k =

¸

n−1

i=0

k

i

2

i

, with k

i

∈ ¦0, 1¦

314159 = 1 0 0 1 1 0 0 1 0 1 1 0 0 1 0 1 1 1 1.

n −1 doublings, n/2 additions on average

NAF, CSD: k

i

∈ ¦

¯

1, 0, 1¦

NAF

2

(314159) = 1 0 1 0

¯

1 0 1 0

¯

1 0

¯

1 0 1 0

¯

1 0 0 0

¯

1

n doublings, n/3 additions on average

NAF

w

, Window Methods: [k

i

[ < 2

w−1

(process w bits at a time)

NAF

3

(314159) = 1 0 0 0 3 0 0 1 0 0 3 0 0 0 3 0 0 0

¯

1

n doublings, n/(w + 1) additions on average

21/1

Double-Base Scalar Multiplication

The double-base chain approach:

k =

m−1

¸

i=0

k

i

2

a

i

3

b

i

, where k

i

∈ ¦−1, 1¦ and (a

i

, b

i

) `

314159 = 2

4

3

9

−2

0

3

6

−3

3

−3

2

−3 −1

[314159]P = 3(3(3(3

3

(2

4

3

3

P −P) −P) −P) −P

Yao/Meloni’s approach:

k =

m−1

¸

i=0

D

i

2

i

, where D

i

=

¸

j

d

j

3

j

P with d

j

∈ ¦−1, 0, 1¦

314159 = 2

4

3

9

+ 2

8

3

1

−1

D

0

= −P, D

4

= 3

9

P, D

8

= 3P

[314159]P = 2

4

(2

4

D

8

+ D

4

) + D

0

22/1

Hybrid Binary-Ternary Form (HBTF)

k

k/2 k/3 (k −1)/2

0

0

1

hbtf = [1 0 0 1 0 0 0 1]

base = [2 2 3 2 3 3 3 2]

727 = 2

3

3

4

+ 2

1

3

3

+ 2

0

3

0

23/1

Window Hybrid Binary-Ternary Form (w-HBTF)

k

k/2 k/3 (k −r)/2

0

0

r = k mods w

12-hbtf = [5 0 0 1 0 0

¯

5]

base = [2 3 2 2 3 2 2]

727 = 5 2

4

3

2

+ 2

2

3

1

−5

18-hbtf = [5 0 0 0 0 0 7]

base = [2 3 3 2 2 2 2]

727 = 5 2

4

3

2

+ 7

24/1

Analysis of w-HBTF

Markov analysis provides values which can be used to evaluate the

average complexity of an algorithm

w-NAF 6-HBTF 12HBTF 18-HBTF 24HBTF 36-HBTF

avg base 2 2.38 2.29 2.51 2.23 2.40

avg #2 n + 1 0.46n 0.56n 0.63n 0.34n 0.43n

avg #3 0 0.34n 0.28n 0.42n 0.24n 0.36n

avg #dig n/(w + 1) 0.23n 0.19n 0.17n 0.16n 0.14n

Pre 2

w−2

−1 0 1 2 3 5

Practical cost depends on the relative cost between a cube (tripling)

and the combined square-multiply (double-add)

25/1

Comments on Double-Base Chains

• The w-HBTF generate double-base chains from right to left

• The greedy approach can be adapted to compute left-to-right

double-base chains

• None of these algorithms give a chain of minimal length

26/1

Chain Partitions

A (strictly) chain partition is a partition of the form

n = a

1

+ a

2

+ + a

k

into (distinct) positive integers such that a

k

[a

k−1

[ . . . [a

2

[a

1

.

873 = 512 + 256 + 64 + 32 + 8 + 1

= 720 + 120 + 24 + 6 + 2 + 1

= 696 + 174 + 3

[Erd¨os-Loxton 1979]

• # partitions of this type: p(n) ≥ log

2

n for n ≥ 6

• # partitions of this type whose smallest part is 1:

p

1

(n) ≥

1

2

log

2

n for n ≥ 27 and n −1 not a prime

• P(x) =

¸

1≤n≤x

p(n) ≈ cx

ρ

, where c is an unknown constant

and ρ is the unique root of ζ(s) −2, where ζ is the Riemann

zeta function.

27/1

Strictly Chained (p, q)-ary Partitions

Strictly chained (p, q)-ary partitions are chain partitions with distinct

parts of the form p

a

q

b

, where p, q ≥ 2 and (p, q) = 1.

Notations:

• Ω(U): The set of all strictly chained (p, q)-ary partitions of U

• Ω

∗

(U): The subset of partitions ω ∈ Ω(U) with no part 1

• W(U) = #Ω(U)

• W

∗

(U) = #Ω

∗

(U)

Special cases of interest:

• min(p, q) = 2

• (p, q) = (2, 3)

28/1

Graphic Representation and Encoding

Example with (p, q) = (2, 3).

Ω(19) = ¦(16, 2, 1), (12, 4, 2, 1), (12, 6, 1), (18, 1)¦

2

a

3

b

11003

2

a

3

b

1133

2

a

3

b

3013

2

a

3

b

3203

The couples of exponents (a, b) form a chain in N

2

. They can be

encoded with words on ¦0,1,2,3¦

∗

. (Conventions: words end with

’3’, we go North before going East) If min(p, q) = 2, the binary

amount of a partition is equal to the sum of all its binary parts (

parts) or 0 if none.

29/1

Complete Generation

Lemma: (+ denotes union of disjoint sets)

Ω(U) = Ω

∗

(U) +

1

Ω

∗

(U −1), Ω

∗

(U) =

p

Ω(U/p) ∪

q

Ω(U/q)

Formula for (p, q) = (2, 3)

Ω(3U) =

3

Ω(U) +

1

Ω(3U −1)

Ω(6U −1) =

12

Ω(3U −1)

Ω(6U + 1) =

13

Ω(2U) +

11

Ω(6U −1)

Ω(6U + 2) =

2

Ω(3U + 1)

Ω(6U + 4) =

13

Ω(2U + 1) +

2

Ω(3U + 2)

30/1

Examples

Ω(217) = ¦ 3000133, 30001003, 322033, 3220003, 3200013,

10011013, 1001333, 10013003 ¦

Ω(95) = ¦ 1111103 ¦

Ω(6143) = ¦ 1111111111103 ¦

W(3 2

a

−1) = 1

Ω(575) = ¦ 1111110003, 111111033 ¦

Ω(959) = ¦ 1111110113, 1111110303 ¦

W(9 2

a

−1) = W(15 2

a

−1) = 2

31/1

Transitions

1 + 2 = 3 4 = 3 + 1 (and generalizations)

The transition graph is symmetric and connected

Example: G(27) for (p, q) = (2, 3)

1333 2133 2213 2223

11013 13003 21003

32/1

The sequence W

For any pair (p, q), the sequence W behaves rather irregularly

0

10

20

30

40

50

60

70

80

90

0 500 1000 1500 2000 2500 3000 3500 4000 4500 5000

The sequence W

x

0.435

2.011 . x

0.435

33/1

Shortest Partitions

Our formula can be adapted to compute the length σ(U) of a

shortest unsigned double-base chain for U

Size of U greedy shortest

(in bits) unsigned signed unsigned signed

64 26.09 18.55 17.22 −

128 54.52 34.88 33.27 −

160 72.21 44.96 40.85 −

256 119.26 75.78 64.35 −

Average values for 10, 000 random integers

Numerical experiments suggest σ(U) ≈ log

2

(U)/4

34/1

Double-Base Representations of Minimal Length

Smallest n > 0 requiring m parts

m unsigned signed

2 5 5

3 23 103

4 431 4, 985

5 18, 431 641, 687

6 3, 448, 733 326, 552, 783

7 1, 441, 896, 119 −

8 − −

How far is the greedy from optimal in the signed case?

35/1

Negative Exponents

Every nonnegative real number can be approximated in the form

2

a

3

b

with any precision ε > 0, a, b ∈ Z

Conjecture 1: For every suﬃciently large n, there exists (a, b) such

that

1. [b[ < n

2.

2

a

3

b

−n

<

1

2

Conjecture 2: For every suﬃciently large n, there exists two pairs of

integers (a, b) and (c, d) such that

1. [b[ , [d[ <

√

n

2.

2

a

3

b

±2

c

3

d

−n

<

1

2

36/1

Thank you!

http://www.lirmm.fr/

∼

imbert

Laurent.Imbert@lirmm.fr

Today’s menu

• (p, q)-ary partitions • The double-base number system: (p, q) = (2, 3) • Deﬁnition, representation, properties • Applications to arithmetic and cryptography • strictly chained (p, q)-ary partitions • Open problems

1/1

Integer Partitions

A partition of an integer n is a nonincreasing sequence of positive integers a1 , a2 , . . . , ak whose sum is n. Each ai is called a part. For example, the 5 partitions of 4 are: 4=4 =3+1 =2+2 =2+1+1 =1+1+1+1 The partitions of n correspond to the set of solutions (k1 , k2 , . . . , kn ) in nonnegative integers to the diophantine equation 1k1 + 2k2 + 3k3 + · · · + nkn = n

2/1

g.The Partitions Zoo • Partitions with distinct parts. binary partitions) • Partitions with parts occuring at most twice or thrice • Chain. partitions with k parts • Partitions into primes (Goldbach conjecture) • m-ary partitions: partitions as a sum of powers of m for a ﬁxed m ≥ 2 (e. 3/1 . partitions with odd parts • Partitions whose largest part is k. umbrella partitions: partitions constrained by divisibility conditions • etc.

. m A number of the form 2a 3b is called a {2. bi ≥ 0 for i = 1. q)-ary Partitions A (p. a double-base representation of n > 0 is a (2. . q)-ary partition is a partition where the parts are divisible by no primes other than p or q Historically. 3)-ary partition of n with distinct parts n = 2a1 3b1 + 2a2 3b2 · · · + 2am 3bm with ai . . . 3}-integer 4/1 .(p.

q)-ary Partitions 3b 2a 314159 = 27 37 + 27 35 + 210 31 + 22 32 + 20 32 + 21 30 5/1 .Representation of (p.

. br−1 ) to the diophantine equation b2 2 a n = b0 + 3b1 + 32 b2 + · · · + 3r−1 br−1 # Double-base rep. f (10) = 5. f (500) = 75171 6/1 . of n > 0 = # 3-ary partitions of n f (n) = f (n − 1) + f (n/3) if 3|n f (n − 1) otherwise Sloane’s integer sequence # A005704 f (1) = 1. f (50) = 72. .Number of Double-Base Representations 3b One-to-one correspondence with the solutions (b0 . f (100) = 402. . .

448.38 2. 119 log n/ log log n 3. 441.91 7/1 .36 4. 431 3.74 3. 733 1.55 6. 896.Length of Double-Base Representations The Length of a double-base representation is equal to the number of parts in n = 2a1 3b1 + · · · + 2am 3bm Theorem [Dimitrov 95]: m ∈ O(log n/ log log n) Smallest n > 0 requiring m parts m 2 3 4 5 6 7 5 23 431 18.29 5.

Canonic Double-Base Representations Representations of minimal length (shortest partitions) Example: 127 has 783 representations. among which 6 are canonic 3b 3b 3b 2a 3b 3b 2a 3b 2a 2a 2a 2a Canonic representations are extremely hard to compute! 8/1 .

(E. b) 4: n←n−z 5: end while Does not produce canonic representations.g: 41 = 36 + 4 + 1 = 32 + 9) but satisﬁes length in O(log n/ log log n) Minor modiﬁcations allow to compute signed double-base representations n = ±2a1 3b1 ± 2a2 3b2 ± 2am 3bm 9/1 . bi ) s. n = i 2ai 3bi with ai ... bi 0 1: while n = 0 do 2: Compute the best default approx of n of the form z = 2a 3b 3: print (a.Computing Double-Base Representations Input: An integer n > 0 Output: The sequence (ai .t.

d) ∈ N × N} cα + d < aα + b (α = log3 2) Solutions: points with integer coordinates under the line of equation y = −αx + log3 n Best left approx: (a.t. (c. b) s. b 0 such that 2a 3b = max{2c 3d log3 n n . δ(a) = min{δ(x) = {−αx + log3 n}} 10/1 .Best Approximations of the Form 2a3b Compute a.

Single Constant Multiplication (SCM) Given an integer constant C > 0. ﬁnd a program which computes C × x with as few operations ∈ {+/−. } as possible. Boullis & Tisserand 05] e Lef`vre’s conjecture: SCM is sublinear e 11/1 . • Naive approach: 151 = (10010111)2 are negligible 151x = (x 7) + (x 4) + (x 5) − (x 2) + (x 3) − x 1) + x • Signed digits: 151 = (1010¯ ¯ SD2 1001) 151x = (x 7) + (x • Pattern search [Lef`vre 01. Complexity model: + and − have the same cost.

A Double-base Approach to SCM C = 10599 = (1010010 1100111)2 = 82 × 27 + 103 32 31 30 20 21 22 23 24 25 26 27 28 29 210 211 212 213 103 32 0 82 6 2 x0 = (x 8) x1 = 3x0 + (x x2 = 3x1 + (x 5) 13) + (x 3) − x 12/1 .

Split C into log n blocks of size n/ log n each 2. then # add = m + bmax − 1 Theorem [DIZ 07]: Let C > 0 of size n.Complexity If C = m−1 i=0 ±2ai 3bi . Sketch of proof: 1. m ∈ O(n/ log n) 13/1 . Express each block in double-base gives bmax ∈ O(n/ log n) 3. with bmax = maxi {bi }. the multiplication by C can be computed in O(n/ log n) additions. m = j mj with mj ∈ O(n/ log n2 ) 4. Then.

119 < 231 ) • The highest power of 3 that might occur is 18 (Because 318 < 230 < 319 ) • Therefore. one will need 10 × 6 + 18 − 1 = 77 additions 14/1 . in the worst case. 896. • Split its binary representation into ten 30-bit blocks • Every block can be represented with at most six {2. 441.Example The multiplication by any 300-bit constant can be computed with at most 77 additions. 3}-integers (Because 230 < 1.

A) = G(J. . A) × G(K. . ) + I) + I • Smart decompositions: If N = JK. . A) = I + A + A2 + · · · + AN −1 without matrix inversion • Horner: G(N. then (too slow) G(N. (A + I) . .Matrix Polynomial Evaluate the matrix polynomial G(N. AJ ) 15/1 . A) = A(A(.

A2 ) if N = 2K I + (A + A2 ) × G(K. A) = (I + A) × G(K.Binary Decomposition G(N. A2 ) if N = 2K + 1 The number of matrix multiplications (MM) is ≈ 2 log2 N 16/1 .

A3 ) if N = 3K + 2 The number of MM is between 3 log3 N ≈ 1.52 log2 N 17/1 .89 log2 N and 4 log3 N ≈ 2.Ternary Decomposition (I + A + A2 ) × G(K. A3 ) if N = 3K + 1 I + A × (A + A2 + A3 ) × G(K. A) = I + (A + A2 + A3 ) × G(K. A3 ) if N = 3K G(N.

A2 ) if N = 6K + 2 if N = 6K + 5 The number of MM is between 3 log3 N ≈ 1. A2 ) I + (A + A2 ) × G(3K + 2.89 log2 N and 2 log2 N 18/1 . A) = (I + A + A2 ) × G(K. A3 ) if N = 3K I + (A + A2 + A3 ) × G(K.Hybrid Decomposition G(N. A3 ) if N = 3K + 1 (I + A) × G(3K + 1.

A) = 2 > >(I + A) × G(3K + 1. A ) > : I + (A + A2 ) × G(3K + 2. A3 ) G(N. A2 ) if if if if N N N N = = = = 3K 3K + 1 6K + 2 6K + 5 0 5 1 4 3 2 1/3 0 1/3 0 1/3 0 1/3 0 1/3 0 1/3 0 0 1/2 0 0 1/2 0 0 1/3 0 1/3 0 1/3 0 1/3 0 1/3 0 1/3 0 0 1/2 0 0 1/2 Stationary probabilities: p∞ = (1/10 1/5 1/5 1/10 1/5 1/5) Average base: β = 22/5 33/5 ≈ 2.Average Complexity of the Hybrid Approach 8 >(I + A + A2 ) × G(K.92 log2 N 19/1 . A3 ) > > <I + (A + A2 + A3 ) × G(K.550849 Average number of MM: (3p3 + 2p2 ) logβ 2 ≈ 1.

×) and n ≥ 0. compute g n • Elliptic curve scalar multiplication: given P ∈ E(K) and k ≥ 0.Fast Exponentiation • Generic: given g ∈ (G. compute [k]P = P + P + · · · + P (k times) • Multi-scalar multiplication: given k1 . k2 . Q ∈ E(K). P. compute [k1 ]P + [k2 ]Q 20/1 .

1} 314159 = 1 0 0 1 1 0 0 1 0 1 1 0 0 1 0 1 1 1 1. CSD: ki ∈ {¯ 0. n/(w + 1) additions on average 21/1 . with ki ∈ {0. n/2 additions on average NAF. n/3 additions on average NAFw . Window Methods: |ki | < 2w−1 (process w bits at a time) ¯ NAF3 (314159) = 1 0 0 0 3 0 0 1 0 0 3 0 0 0 3 0 0 0 1 n doublings.Scalar Multiplication Algorithms Double-and-Add: k = n−1 i=0 ki 2i . n − 1 doublings. NAF2 (314159) = 1 0 1 0 ¯ 0 1 0 ¯ 0 ¯ 0 1 0 ¯ 0 0 0 ¯ 1 1 1 1 1 n doublings. 1} 1.

bi ) 314159 = 24 39 − 20 36 − 33 − 32 − 3 − 1 [314159]P = 3(3(3(33 (24 33 P − P ) − P ) − P ) − P Yao/Meloni’s approach: m−1 k= i=0 Di 2i . 1} 314159 = 24 39 + 28 31 − 1 D0 = −P. D4 = 39 P. 0. where Di = j dj 3j P with dj ∈ {−1.Double-Base Scalar Multiplication The double-base chain approach: m−1 k= i=0 ki 2ai 3bi . D8 = 3P [314159]P = 24 (24 D8 + D4 ) + D0 22/1 . where ki ∈ {−1. 1} and (ai .

Hybrid Binary-Ternary Form (HBTF) k 0 0 k/2 1 k/3 (k − 1)/2 hbtf = [1 0 0 1 0 0 0 1] base = [2 2 3 2 3 3 3 2] 727 = 23 34 + 21 33 + 20 30 23/1 .

Window Hybrid Binary-Ternary Form (w-HBTF) k 0 k/3 0 k/2 r = k mods w (k − r)/2 12-hbtf = [5 0 0 1 0 0 ¯ 5] base = [2 3 2 2 3 2 2] 727 = 5 · 24 32 + 22 31 − 5 18-hbtf = [5 0 0 0 0 0 7] base = [2 3 3 2 2 2 2] 727 = 5 · 24 32 + 7 24/1 .

16n 3 36-HBTF 2.23n 0 12HBTF 2.23 0.38 0.19n 1 18-HBTF 2.43n 0.46n 0.63n 0.28n 0.40 0.29 0.Analysis of w-HBTF Markov analysis provides values which can be used to evaluate the average complexity of an algorithm w-NAF avg avg avg avg Pre base #2 #3 #dig 2 n+1 0 n/(w + 1) 2w−2 − 1 6-HBTF 2.56n 0.34n 0.34n 0.14n 5 Practical cost depends on the relative cost between a cube (tripling) and the combined square-multiply (double-add) 25/1 .24n 0.36n 0.17n 2 24HBTF 2.51 0.42n 0.

Comments on Double-Base Chains • The w-HBTF generate double-base chains from right to left • The greedy approach can be adapted to compute left-to-right double-base chains • None of these algorithms give a chain of minimal length 26/1 .

where ζ is the Riemann zeta function. where c is an unknown constant and ρ is the unique root of ζ(s) − 2.Chain Partitions A (strictly) chain partition is a partition of the form n = a1 + a2 + · · · + ak into (distinct) positive integers such that ak |ak−1 | . 27/1 . |a2 |a1 . . . 873 = 512 + 256 + 64 + 32 + 8 + 1 = 720 + 120 + 24 + 6 + 2 + 1 = 696 + 174 + 3 [Erd¨s-Loxton 1979] o • # partitions of this type: p(n) ≥ log2 n for n ≥ 6 • # partitions of this type whose smallest part is 1: p1 (n) ≥ 1 log2 n for n ≥ 27 and n − 1 not a prime 2 • P (x) = 1≤n≤x p(n) ≈ cxρ .

q) = 1. q)-ary partitions are chain partitions with distinct parts of the form pa q b . q) = 2 • (p. where p. 3) 28/1 . Notations: • Ω(U ): The set of all strictly chained (p. q)-ary Partitions Strictly chained (p. q)-ary partitions of U • Ω∗ (U ): The subset of partitions ω ∈ Ω(U ) with no part 1 • W (U ) = #Ω(U ) • W ∗ (U ) = #Ω∗ (U ) Special cases of interest: • min(p. q ≥ 2 and (p.Strictly Chained (p. q) = (2.

2. 1)} 3b 3b 3b 3b 2a 2a 2a 2a 11003 1133 3013 3203 The couples of exponents (a. 1). . 1). (12. (12. b) form a chain in N2 . 4. 3).Graphic Representation and Encoding Example with (p. They can be encoded with words on {0. (18. q) = (2. the binary amount of a partition is equal to the sum of all its binary parts ( 29/1 parts) or 0 if none.3}∗ . (Conventions: words end with ’3’. 1). 6. we go North before going East) If min(p.1. 2. Ω(19) = {(16. q) = 2. 2.

q) = (2.Complete Generation Lemma: (+ denotes union of disjoint sets) Ω∗ (U ) = p Ω(U/p) ∪ q Ω(U/q) Ω(U ) = Ω∗ (U ) + 1 Ω∗ (U − 1). 3) Ω(3U ) = 3 Ω(U ) + 1 Ω(3U − 1) Ω(6U − 1) = 12 Ω(3U − 1) Ω(6U + 1) = 13 Ω(2U ) + 11 Ω(6U − 1) Ω(6U + 2) = 2 Ω(3U + 1) Ω(6U + 4) = 13 Ω(2U + 1) + 2 Ω(3U + 2) 30/1 . Formula for (p.

322033. 111111033 } Ω(959) = { 1111110113. 10011013. 1111110303 } W (9 · 2a − 1) = W (15 · 2a − 1) = 2 31/1 . 30001003.Examples Ω(217) = { 3000133. 3220003. 1001333. 3200013. 10013003 } Ω(95) = { 1111103 } Ω(6143) = { 1111111111103 } W (3 · 2a − 1) = 1 Ω(575) = { 1111110003.

q) = (2.Transitions 1+2=3 4 = 3 + 1 (and generalizations) The transition graph is symmetric and connected Example: G(27) for (p. 3) 1333 11013 13003 2133 21003 2213 2223 32/1 .

435 90 80 70 60 50 40 30 20 10 0 0 500 1000 1500 2000 2500 3000 3500 4000 4500 5000 33/1 . the sequence W behaves rather irregularly The sequence W x0. q).435 2.011 .The sequence W For any pair (p. x0.

88 44.55 34.26 18.35 Average values for 10. 000 random integers Numerical experiments suggest σ(U ) ≈ log2 (U )/4 34/1 .96 75.Shortest Partitions Our formula can be adapted to compute the length σ(U ) of a shortest unsigned double-base chain for U Size of U (in bits) 64 128 160 256 greedy shortest signed − − − − unsigned signed unsigned 26.78 17.21 119.85 64.52 72.27 40.22 33.09 54.

733 326. 441. 552. 431 641. 687 3. 448. 119 − − − How far is the greedy from optimal in the signed case? 35/1 .Double-Base Representations of Minimal Length Smallest n > 0 requiring m parts m 2 3 4 5 6 7 8 unsigned signed 5 5 23 103 431 4. 783 1. 896. 985 18.

2a 3b ± 2c 3d − n < 2 36/1 . there exists (a. a. 2a 3b − n < 1 2 Conjecture 2: For every suﬃciently large n. |b| < n 2. d) such that √ 1. b) such that 1. b ∈ Z Conjecture 1: For every suﬃciently large n. |d| < n 1 2. b) and (c. |b| .Negative Exponents Every nonnegative real number can be approximated in the form 2a 3b with any precision ε > 0. there exists two pairs of integers (a.

lirmm.fr/∼imbert Laurent.fr .Thank you! http://www.Imbert@lirmm.

- 2004E
- EXCEL FUNCTION
- Final Sol
- 5. Indices Log
- Logarithmic Equations Worksheet
- Logarithms 2
- Algebra Workshop 2013 Student Copy
- BGVa08
- indices and logs.ppt
- Indices and Logarithms
- Laws of Logarithms
- EM algo
- Suppose You Wanted to Know if Log x n Was
- Untitled
- Tutorial
- Solution to Information Theory
- CE_WRNSK
- Logs Sample Test
- Kelantan 2013 M1(Q&A)
- CSE 150 HW1
- BAB III akh
- Integers Form 1
- Exercise 15.20
- 2011TweediesFormula[1]
- nwerc09
- Assignment Wireless Numerical
- Ceramah Add Math
- Maximum Likelihood Estimation of the.pdf
- l4
- TIPS CEMERLANG ADDMATH SPM
- Dbns Theo Appl Handout

Are you sure?

This action might not be possible to undo. Are you sure you want to continue?

We've moved you to where you read on your other device.

Get the full title to continue

Get the full title to continue reading from where you left off, or restart the preview.

scribd