hamming weight of the non adjacent form under various
play

Hamming Weight of the Non-Adjacent-Form under Various Input - PowerPoint PPT Presentation

Feb 16, 2023 •132 likes •1.19k views

Signed Digit Expansions in Cryptography Given Input Weight Binary and NAF Weight as Random Vector Quasi-Power Theorem Hamming Weight of the Non-Adjacent-Form under Various Input Statistics and a Two-Dimensional Version of Hwangs

  1. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Deriving a Low-Weight Representation Take an integer n . If n is even, we have to take 0 as least significant digit and continue with n / 2. If n ≡ 1 (mod 4), we take 1 as least significant digit and continue with ( n − 1) / 2. This is even and guarantees a zero in the next step. If n ≡ 3 ≡ − 1 (mod 4), we take − 1 as least significant digit and continue with ( n + 1) / 2. This is even and guarantees a zero in the next step. This procedure yields a zero after every non-zero, which should yield a low weight expansion. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  2. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Deriving a Low-Weight Representation Take an integer n . If n is even, we have to take 0 as least significant digit and continue with n / 2. If n ≡ 1 (mod 4), we take 1 as least significant digit and continue with ( n − 1) / 2. This is even and guarantees a zero in the next step. If n ≡ 3 ≡ − 1 (mod 4), we take − 1 as least significant digit and continue with ( n + 1) / 2. This is even and guarantees a zero in the next step. This procedure yields a zero after every non-zero, which should yield a low weight expansion. There are no adjacent non-zeros. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  3. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Non-Adjacent Form Theorem (Reitwiesner 1960) Let n ∈ Z , then there is exactly one signed binary expansion ε ∈ {− 1 , 0 , 1 } N 0 of n such that � ε j 2 j , n = ( ε is a binary expansion of n), j ≥ 0 ε j ε j +1 = 0 for all j ≥ 0 . It is called the Non-Adjacent Form (NAF) of n. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  4. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Non-Adjacent Form Theorem (Reitwiesner 1960) Let n ∈ Z , then there is exactly one signed binary expansion ε ∈ {− 1 , 0 , 1 } N 0 of n such that � ε j 2 j , n = ( ε is a binary expansion of n), j ≥ 0 ε j ε j +1 = 0 for all j ≥ 0 . It is called the Non-Adjacent Form (NAF) of n. It minimises the Hamming weight amongst all signed binary expansions with digits { 0 , ± 1 } of n. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  5. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Non-Adjacent Form: Applications Efficient arithmetic operations (Reitwiesner 1960) Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  6. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Non-Adjacent Form: Applications Efficient arithmetic operations (Reitwiesner 1960) Coding Theory Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  7. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Non-Adjacent Form: Applications Efficient arithmetic operations (Reitwiesner 1960) Coding Theory Elliptic Curve Cryptography (Morain and Olivos 1990) Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  8. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Analysis of the NAF — Known Results Theorem E ( H ℓ ) = 1 3 ℓ + 2 9 + O (2 − ℓ ) , where H ℓ is the Hamming weight of a random NAF of length ≤ ℓ (all NAFs of length ≤ ℓ are considered to be equally likely). Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  9. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Analysis of the NAF — Known Results Theorem E ( H ℓ ) = 1 3 ℓ + 2 9 + O (2 − ℓ ) , V ( H ℓ ) = 2 27 ℓ + 8 81 + O ( ℓ 2 − ℓ ) , where H ℓ is the Hamming weight of a random NAF of length ≤ ℓ (all NAFs of length ≤ ℓ are considered to be equally likely). Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  10. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Analysis of the NAF — Known Results Theorem E ( H ℓ ) = 1 3 ℓ + 2 9 + O (2 − ℓ ) , V ( H ℓ ) = 2 27 ℓ + 8 81 + O ( ℓ 2 − ℓ ) , � h � � H ℓ ≤ ℓ 2 ℓ � 1 e − t 2 / 2 dt , √ ℓ →∞ P lim 3 + h = 27 2 π 0 where H ℓ is the Hamming weight of a random NAF of length ≤ ℓ (all NAFs of length ≤ ℓ are considered to be equally likely). Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  11. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics A Note on Probabilistic Models There are other probabilistic models: Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  12. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics A Note on Probabilistic Models There are other probabilistic models: Random NAF whose corresponding standard binary expansion has length ≤ ℓ , Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  13. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics A Note on Probabilistic Models There are other probabilistic models: Random NAF whose corresponding standard binary expansion has length ≤ ℓ , Random NAF of length ≤ ℓ where all residue classes modulo 2 ℓ have the same probability. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  14. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics A Note on Probabilistic Models There are other probabilistic models: Random NAF whose corresponding standard binary expansion has length ≤ ℓ , Random NAF of length ≤ ℓ where all residue classes modulo 2 ℓ have the same probability. For instance, 101 and ¯ 101 represent the same residue class modulo 2 3 . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  15. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Subblock Occurrences without Restricting to Full Blocks Let b = ( b r − 1 , . . . , b 0 ) � = 0 be an admissible block, ( . . . ε 2 ( n ) ε 1 ( n ) ε 0 ( n )) the NAF of n . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  16. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Subblock Occurrences without Restricting to Full Blocks Let b = ( b r − 1 , . . . , b 0 ) � = 0 be an admissible block, ( . . . ε 2 ( n ) ε 1 ( n ) ε 0 ( n )) the NAF of n . We consider ∞ � � S b ( N ) := [( ε k + r − 1 ( n ) , . . . , ε k ( n )) = b ] , n < N k =0 i.e. the number of occurrences of the block b in the NAFs of the positive integers less than N . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  17. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Subblock Occurrences Theorem (Grabner-H.-Prodinger 2003) If b r − 1 = 0 , then S b ( N ) = Q ( b 0 ) 3 · 2 r N log 2 N + Nh 0 ( b ) + NH b (log 2 N ) + o ( N ) , Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  18. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Subblock Occurrences Theorem (Grabner-H.-Prodinger 2003) If b r − 1 = 0 , then S b ( N ) = Q ( b 0 ) 3 · 2 r N log 2 N + Nh 0 ( b ) + NH b (log 2 N ) + o ( N ) , where Q ( η ) =2 + 2 [ η = 0] � h k ( b ) e 2 k π ix H b ( x ) = k ∈ Z \{ 0 } for explicitly known constants h k ( b ) , k ∈ Z . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  19. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Subblock Occurrences Theorem (Grabner-H.-Prodinger 2003) If b r − 1 = 0 , then S b ( N ) = Q ( b 0 ) 3 · 2 r N log 2 N + Nh 0 ( b ) + NH b (log 2 N ) + o ( N ) , where Q ( η ) =2 + 2 [ η = 0] � h k ( b ) e 2 k π ix H b ( x ) = k ∈ Z \{ 0 } for explicitly known constants h k ( b ) , k ∈ Z . H b ( x ) is a 1 -periodic continuous function. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  20. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics NAF: Counting Subblocks — Explicit constants � � � � 2 k π i 2 k π i ζ log 2 , α min ( b ) − ζ log 2 , α max ( b ) h k ( b ) = for k � = 0 , 2 k π i (1 + 2 k π i log 2 ) h 0 ( b ) = log 2 Γ( α min ( b )) − log 2 Γ( α max ( b )) � � − Q ( b 0 ) r + 1 1 1 6 + + 3 · 2 r − 1 , 3 · 2 r log 2 α min ( b ) = [value( b ) < 0] + 2 − r value( b ) − 1 + [ b 0 even] 3 · 2 r α max ( b ) = [value( b ) < 0] + 2 − r value( b ) + 1 + [ b 0 even] 3 · 2 r ζ ( s , x ) denotes the Hurwitz ζ -function. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  21. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics NAF: Counting Subblocks — Explicit constants � � � � 2 k π i 2 k π i ζ log 2 , α min ( b ) − ζ log 2 , α max ( b ) h k ( b ) = for k � = 0 , 2 k π i (1 + 2 k π i log 2 ) h 0 ( b ) = log 2 Γ( α min ( b )) − log 2 Γ( α max ( b )) � � − Q ( b 0 ) r + 1 1 1 6 + + 3 · 2 r − 1 , 3 · 2 r log 2 α min ( b ) = [value( b ) < 0] + 2 − r value( b ) − 1 + [ b 0 even] 3 · 2 r α max ( b ) = [value( b ) < 0] + 2 − r value( b ) + 1 + [ b 0 even] 3 · 2 r ζ ( s , x ) denotes the Hurwitz ζ -function. The case r = 1 is contained in Thuswaldner (1999). Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  22. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics When does the NAF really have an advantage? Suggestions by various authors: If the standard binary expansion of n has low Hamming weight, there is not much room for improvement of the Hamming weight. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  23. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics When does the NAF really have an advantage? Suggestions by various authors: If the standard binary expansion of n has low Hamming weight, there is not much room for improvement of the Hamming weight. So it might be desirable to keep the standard binary expansion. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  24. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics When does the NAF really have an advantage? Suggestions by various authors: If the standard binary expansion of n has low Hamming weight, there is not much room for improvement of the Hamming weight. So it might be desirable to keep the standard binary expansion. If, on the other hand, the Hamming weight of the standard binary expansion has very high Hamming weight, Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  25. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics When does the NAF really have an advantage? Suggestions by various authors: If the standard binary expansion of n has low Hamming weight, there is not much room for improvement of the Hamming weight. So it might be desirable to keep the standard binary expansion. If, on the other hand, the Hamming weight of the standard binary expansion has very high Hamming weight, the ones’ complement of n has low Hamming weight and could be used: ℓ − 1 ℓ − 1 ε j 2 j = 2 ℓ − (1 − ε j )2 j − 1 � � n = j =0 j =0 The weight of this new expansion is ℓ + 2 − h , where h is the weight of the standard binary expansion. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  26. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Relation Between Weights So, for given input weight (i.e., Hamming weight of the standard binary expansion), what is the expected Hamming weight of the NAF? Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  27. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Relation Between Weights So, for given input weight (i.e., Hamming weight of the standard binary expansion), what is the expected Hamming weight of the NAF? How are the weight of the standard expansion and the weight of the NAF related? Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  28. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Outline of the Remaining Talk Signed Digit Expansions in Cryptography 1 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  29. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Outline of the Remaining Talk Signed Digit Expansions in Cryptography 1 Given Input Weight 2 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  30. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Outline of the Remaining Talk Signed Digit Expansions in Cryptography 1 Given Input Weight 2 Binary and NAF Weight as Random Vector 3 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  31. Signed Digit Expansions in Cryptography Elliptic Curve Cryptography Given Input Weight Signed Digit Expansions and Scalar Multiplication Binary and NAF Weight as Random Vector Non-Adjacent Form Quasi-Power Theorem Other Input Statistics Outline of the Remaining Talk Signed Digit Expansions in Cryptography 1 Given Input Weight 2 Binary and NAF Weight as Random Vector 3 Quasi-Power Theorem 4 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  32. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Signed Digit Expansions in Cryptography 1 Given Input Weight 2 Fixed Input Weight/Length Ratio Fixed Input Weight Large Input Weight Binary and NAF Weight as Random Vector 3 Quasi-Power Theorem 4 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  33. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Fixed Input Weight/Length Ratio Theorem Let 0 < c < d < 1 be real numbers. Then the expected Hamming weight of the NAF of a nonnegative integer less than 2 n with unsigned binary digit expansion of Hamming weight k is asymptotically � k � 2 n − 1 ∼ 1 − 4 2 � 2 n , � k n − 1 3 + 4 2 uniformly for c ≤ k / n ≤ d. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  34. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Fixed Input Weight/Length Ratio Theorem Let 0 < c < d < 1 be real 0.3 numbers. Then the expected 0.25 Hamming weight of the NAF of 0.2 a nonnegative integer less than 0.15 2 n with unsigned binary digit 0.1 0.05 expansion of Hamming weight k is asymptotically 0.2 0.4 0.6 0.8 1 � 2 � k x − 1 � 2 � f ( x ) = 1 − 4 n − 1 ∼ 1 − 4 2 2 � 2 n , � 2 � k x − 1 � 3 + 4 n − 1 3 + 4 2 2 uniformly for c ≤ k / n ≤ d. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  35. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Comments Maximum at k / n = 1 / 2: Density 1 / 3. 0.3 0.25 0.2 0.15 0.1 0.05 0.2 0.4 0.6 0.8 1 � 2 x − 1 � f ( x ) = 1 − 4 2 � 2 x − 1 � 3 + 4 2 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  36. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Comments Maximum at k / n = 1 / 2: Density 1 / 3. 0.3 0.25 This is also the average density 0.2 without any restriction on the 0.15 input weight. 0.1 0.05 0.2 0.4 0.6 0.8 1 � 2 x − 1 � f ( x ) = 1 − 4 2 � 2 x − 1 � 3 + 4 2 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  37. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Comments Maximum at k / n = 1 / 2: Density 1 / 3. 0.3 0.25 This is also the average density 0.2 without any restriction on the 0.15 input weight. 0.1 Reason: There are especially 0.05 many standard binary 0.2 0.4 0.6 0.8 1 expansions of length ≤ n of n � � � 2 weight ≈ n / 2, namely . x − 1 � f ( x ) = 1 − 4 ⌊ n / 2 ⌋ 2 � 2 x − 1 � 3 + 4 2 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  38. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Comments Maximum at k / n = 1 / 2: Density 1 / 3. 0.3 0.25 This is also the average density 0.2 without any restriction on the 0.15 input weight. 0.1 Reason: There are especially 0.05 many standard binary 0.2 0.4 0.6 0.8 1 expansions of length ≤ n of n � � � 2 weight ≈ n / 2, namely . x − 1 � f ( x ) = 1 − 4 ⌊ n / 2 ⌋ 2 For small or large k / n , the � 2 x − 1 � 3 + 4 2 density of the NAF decreases. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  39. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof (1) Let a k ℓ n be the number of nonnegative integers whose unsigned binary expansion has length ≤ n and Hamming weight k and whose NAF has Hamming weight ℓ . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  40. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof (1) Let a k ℓ n be the number of nonnegative integers whose unsigned binary expansion has length ≤ n and Hamming weight k and whose NAF has Hamming weight ℓ . We consider the generating function � a k ,ℓ, n x k y ℓ z n . G ( x , y , z ) = k ,ℓ, n ≥ 0 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  41. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof (1) Let a k ℓ n be the number of nonnegative integers whose unsigned binary expansion has length ≤ n and Hamming weight k and whose NAF has Hamming weight ℓ . We consider the generating function � a k ,ℓ, n x k y ℓ z n . G ( x , y , z ) = k ,ℓ, n ≥ 0 Consider the transducer automaton 0 | 0 1 | 0 1 | 0¯ 1 | ε 1 0 . 1 1 0 | 01 0 | ε converting the standard binary expansion to the NAF. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  42. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof (1) Let a k ℓ n be the number of nonnegative integers whose unsigned binary expansion has length ≤ n and Hamming weight k and whose NAF has Hamming weight ℓ . We consider the generating function � a k ,ℓ, n x k y ℓ z n . G ( x , y , z ) = k ,ℓ, n ≥ 0 Consider the transducer automaton 0 | 0 1 | 0 1 | 0¯ 1 | ε 1 0 . 1 1 0 | 01 0 | ε converting the standard binary expansion to the NAF. This yields x 2 y 2 z 2 − x 2 yz 2 − xyz 2 − xz + xyz + 1 G ( x , y , z ) = x 2 yz 3 + xyz 3 + xz 2 − 2 xyz 2 − xz − z + 1 . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  43. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof (2) � a k ,ℓ, n x k y ℓ z n G ( x , y , z ) = k ,ℓ, n ≥ 0 x 2 y 2 z 2 − x 2 yz 2 − xyz 2 − xz + xyz + 1 = x 2 yz 3 + xyz 3 + xz 2 − 2 xyz 2 − xz − z + 1 . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  44. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof (2) � a k ,ℓ, n x k y ℓ z n G ( x , y , z ) = k ,ℓ, n ≥ 0 x 2 y 2 z 2 − x 2 yz 2 − xyz 2 − xz + xyz + 1 = x 2 yz 3 + xyz 3 + xz 2 − 2 xyz 2 − xz − z + 1 . Taking the derivative w.r.t. y and setting y = 1 yields x 2 z 2 + xz 2 − 1 � � ∂ � xz ℓ a k ,ℓ, n x k z n = � � ∂ y G ( x , y , z ) = ( xz + z − 1) 2 ( xz 2 − 1) . � � y =1 k ,ℓ, n ≥ 0 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  45. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof (2) � a k ,ℓ, n x k y ℓ z n G ( x , y , z ) = k ,ℓ, n ≥ 0 x 2 y 2 z 2 − x 2 yz 2 − xyz 2 − xz + xyz + 1 = x 2 yz 3 + xyz 3 + xz 2 − 2 xyz 2 − xz − z + 1 . Taking the derivative w.r.t. y and setting y = 1 yields x 2 z 2 + xz 2 − 1 � � ∂ � xz ℓ a k ,ℓ, n x k z n = � � ∂ y G ( x , y , z ) = ( xz + z − 1) 2 ( xz 2 − 1) . � � y =1 k ,ℓ, n ≥ 0 Dividing the coefficient of x k z n by the number � n � of standard k binary expansions of length ≤ n and weight k gives the expected Hamming weight. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  46. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof (2) � a k ,ℓ, n x k y ℓ z n G ( x , y , z ) = k ,ℓ, n ≥ 0 x 2 y 2 z 2 − x 2 yz 2 − xyz 2 − xz + xyz + 1 = x 2 yz 3 + xyz 3 + xz 2 − 2 xyz 2 − xz − z + 1 . Taking the derivative w.r.t. y and setting y = 1 yields x 2 z 2 + xz 2 − 1 � � ∂ � xz ℓ a k ,ℓ, n x k z n = � � ∂ y G ( x , y , z ) = ( xz + z − 1) 2 ( xz 2 − 1) . � � y =1 k ,ℓ, n ≥ 0 Dividing the coefficient of x k z n by the number � n � of standard k binary expansions of length ≤ n and weight k gives the expected Hamming weight. Using methods of multivariate asymptotics gives the result: Bender and Richmond’s method is used. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  47. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Fixed Input Weight Other point of view: fixed input Hamming weight, length n → ∞ . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  48. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Fixed Input Weight Other point of view: fixed input Hamming weight, length n → ∞ . Theorem Let k be a fixed integer. Then the expected Hamming weight of the NAF of an integer with standard binary digit expansion of Hamming weight k and length ≤ n is asymptotically � 1 k − k ( k 2 − 3 k + 2) 1 � + O n 3 + , n 2 n k − 1 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  49. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Fixed Input Weight Other point of view: fixed input Hamming weight, length n → ∞ . Theorem Let k be a fixed integer. Then the expected Hamming weight of the NAF of an integer with standard binary digit expansion of Hamming weight k and length ≤ n is asymptotically � 1 k − k ( k 2 − 3 k + 2) 1 � + O n 3 + , n 2 n k − 1 whereas the expected Hamming weight of the NAF of an integer with standard binary digit expansion of Hamming weight ( n − k ) and length ≤ n is asymptotically � 1 ( k + 2) − 2 k n − ( k − 1) k ( k + 2) 1 � + O n 3 + . n 2 n k − 1 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  50. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Comments Fixed input weight k : � 1 k − k ( k 2 − 3 k + 2) 1 � + O n 3 + , n 2 n k − 1 i.e., the main term corresponds to just keeping the input expansion untouched. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  51. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Comments Fixed input weight k : � 1 k − k ( k 2 − 3 k + 2) 1 � + O n 3 + , n 2 n k − 1 i.e., the main term corresponds to just keeping the input expansion untouched. Fixed input weight n − k : � 1 ( k + 2) − 2 k n − ( k − 1) k ( k + 2) 1 � + O n 3 + , n 2 n k − 1 i.e., the main term corresponds passing to the one’s complement and two additional repairing operations. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  52. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Large Input Weight Theorem The expected Hamming weight of the NAF of an integer with unsigned binary expansion of length ≤ n and weight ≥ n / 2 equals √ � 1 2 (7 + ( − 1) n ) √ n − 16 (1 + ( − 1) n ) 3 + 4 n 9 + 2 · 1 · 1 � n + O . 9 π 9 π n 3 / 2 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  53. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Large Input Weight Theorem The expected Hamming weight of the NAF of an integer with unsigned binary expansion of length ≤ n and weight ≥ n / 2 equals √ � 1 2 (7 + ( − 1) n ) √ n − 16 (1 + ( − 1) n ) 3 + 4 n 9 + 2 · 1 · 1 � n + O . 9 π 9 π n 3 / 2 The expected Hamming weight of the NAF of an integer with unsigned binary expansion of length ≤ n and weight ≤ n / 2 equals √ 3 − (1 + ( − 1) n ) 9 + 2 + 2( − 1) n √ n + 4 n 2 3 √ π 3 π − 8 + 8( − 1) n + 23 π + 7( − 1) n π � 1 � √ + O . 2 √ n π 3 / 2 n 6 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  54. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof Apply MacMahon’s Ω-operator. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  55. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof Apply MacMahon’s Ω-operator. Consider � ∂ � ∂ y G ( λ 2 , 1 , z /λ ) b kn λ 2 k − n z n � = � � y =1 k , n ≥ 0 λ 3 z ( λ 2 z 2 + z 2 − 1) = ( z − 1)( z + 1)( z λ 2 − λ + z ) 2 . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  56. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof Apply MacMahon’s Ω-operator. Consider � ∂ � ∂ y G ( λ 2 , 1 , z /λ ) b kn λ 2 k − n z n � = � � y =1 k , n ≥ 0 λ 3 z ( λ 2 z 2 + z 2 − 1) = ( z − 1)( z + 1)( z λ 2 − λ + z ) 2 . We are interested in the cases with 2 k − n ≥ 0. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  57. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof Apply MacMahon’s Ω-operator. Consider � ∂ � ∂ y G ( λ 2 , 1 , z /λ ) b kn λ 2 k − n z n � = � � y =1 k , n ≥ 0 λ 3 z ( λ 2 z 2 + z 2 − 1) = ( z − 1)( z + 1)( z λ 2 − λ + z ) 2 . We are interested in the cases with 2 k − n ≥ 0. Thus all negative powers of λ have to be eliminated by looking at the partial fraction decomposition. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  58. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof Apply MacMahon’s Ω-operator. Consider � ∂ � ∂ y G ( λ 2 , 1 , z /λ ) b kn λ 2 k − n z n � = � � y =1 k , n ≥ 0 λ 3 z ( λ 2 z 2 + z 2 − 1) = ( z − 1)( z + 1)( z λ 2 − λ + z ) 2 . We are interested in the cases with 2 k − n ≥ 0. Thus all negative powers of λ have to be eliminated by looking at the partial fraction decomposition. Afterwards, we set λ = 1 and extract the coefficient of z n . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  59. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Idea of the Proof — Partial Fraction Decomposition λ z + 2 G y ( λ 2 , 1 , z /λ ) = ( z − 1)( z + 1) + 16 z 6 − 24 wz 4 − 40 z 4 + 13 wz 2 + 17 z 2 − 2 w − 2 ( z − 1)( z + 1)(2 z − 1) 2 (2 z + 1) 2 ( w − 2 λ z + 1) 2 z 2 − w − 1 z 2 � � 2 − ( z − 1)( z + 1)(2 z − 1)(2 z + 1)( w − 2 λ z + 1) 2 − 16 z 6 + 24 wz 4 − 40 z 4 − 13 wz 2 + 17 z 2 + 2 w − 2 ( z − 1)( z + 1)(2 z − 1) 2 (2 z + 1) 2 ( w + 2 λ z − 1) 2 z 2 + w − 1 � � z 2 2 − ( z − 1)( z + 1)(2 z − 1)(2 z + 1)( w + 2 λ z − 1) 2 , √ 1 − 4 z 2 has been used. where the abbreviation w := Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  60. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Applying MacMahon’s Operator We have (2 λ z ) m 1 1 � � = w − 2 λ z + 1 = (1 + w ) m +1 , � 1 − 2 λ z (1 + w ) m ≥ 0 1+ w keeping in mind that 2 λ z 1 + w ∼ z , for z → 0 and λ → 1, thus the former survives MacMahon’s Ω Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  61. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Applying MacMahon’s Operator We have (2 λ z ) m 1 1 � � = w − 2 λ z + 1 = (1 + w ) m +1 , � 1 − 2 λ z (1 + w ) m ≥ 0 1+ w (1 − w ) m 1 1 � � = w + 2 λ z − 1 = (2 λ z ) m +1 , 1 − 1 − w � 2 λ z 2 λ z m ≥ 0 keeping in mind that ∼ 2 z 2 2 λ z 1 − w 1 + w ∼ z , 2 z = z 2 λ z for z → 0 and λ → 1, thus the former survives MacMahon’s Ω, while the latter does not. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  62. Signed Digit Expansions in Cryptography Fixed Input Weight/Length Ratio Given Input Weight Fixed Input Weight Binary and NAF Weight as Random Vector Large Input Weight Quasi-Power Theorem Applying MacMahon’s Operator We have (2 λ z ) m 1 1 � � = w − 2 λ z + 1 = (1 + w ) m +1 , � 1 − 2 λ z (1 + w ) m ≥ 0 1+ w (1 − w ) m 1 1 � � = w + 2 λ z − 1 = (2 λ z ) m +1 , 1 − 1 − w � 2 λ z 2 λ z m ≥ 0 keeping in mind that ∼ 2 z 2 2 λ z 1 − w 1 + w ∼ z , 2 z = z 2 λ z for z → 0 and λ → 1, thus the former survives MacMahon’s Ω, while the latter does not. Singularity analysis does the rest. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  63. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Signed Digit Expansions in Cryptography 1 Given Input Weight 2 Binary and NAF Weight as Random Vector 3 Covariance Limiting Distribution Quasi-Power Theorem 4 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  64. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Binary and NAF Weight As a Random Vector Up to now, we always had the input weight k as a parameter. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  65. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Binary and NAF Weight As a Random Vector Up to now, we always had the input weight k as a parameter. Now: n is the only parameter. Study the random variables H (Binary( X n )) and H (NAF( X n )), where Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  66. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Binary and NAF Weight As a Random Vector Up to now, we always had the input weight k as a parameter. Now: n is the only parameter. Study the random variables H (Binary( X n )) and H (NAF( X n )), where X n . . . random nonnegative integer with standard binary expansion of length ≤ n , Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  67. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Binary and NAF Weight As a Random Vector Up to now, we always had the input weight k as a parameter. Now: n is the only parameter. Study the random variables H (Binary( X n )) and H (NAF( X n )), where X n . . . random nonnegative integer with standard binary expansion of length ≤ n , Binary( m ) . . . standard binary expansion of m , Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  68. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Binary and NAF Weight As a Random Vector Up to now, we always had the input weight k as a parameter. Now: n is the only parameter. Study the random variables H (Binary( X n )) and H (NAF( X n )), where X n . . . random nonnegative integer with standard binary expansion of length ≤ n , Binary( m ) . . . standard binary expansion of m , NAF( m ) . . . NAF of m , Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  69. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Binary and NAF Weight As a Random Vector Up to now, we always had the input weight k as a parameter. Now: n is the only parameter. Study the random variables H (Binary( X n )) and H (NAF( X n )), where X n . . . random nonnegative integer with standard binary expansion of length ≤ n , Binary( m ) . . . standard binary expansion of m , NAF( m ) . . . NAF of m , H ( · ) . . . Hamming weight of an expansion. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  70. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Covariance Theorem We have E ( H (Binary( X n ))) = n 2 , E ( H (NAF( X n ))) = n 3 + 4 9 + O (2 − n ) , Var( H (Binary( X n ))) = n 4 , Var( H (NAF( X n ))) = 2 n 27 + 14 81 + O ( n 2 − n ) , Cov( H (Binary( X n )) , H (NAF( X n ))) = 2 3 + O ( n 2 − n ) . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  71. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Limiting Distribution Theorem The random vector V n := ( H (Binary( X n )) , H (NAF( X n ))) is asymptotically normal, i.e., � 1 / 2 √ � 1 � � � � V n − n � = 1 3 3 � 1 / 3 √ n ≤ x 54Φ(2 x 1 )Φ √ x 2 + O √ n , P 2 where � x 1 e − t 2 / 2 dt . √ Φ( x ) = 2 π −∞ Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  72. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Limiting Distribution Theorem The random vector V n := ( H (Binary( X n )) , H (NAF( X n ))) is asymptotically normal, i.e., � 1 / 2 √ � 1 � � � � V n − n � = 1 3 3 � 1 / 3 √ n ≤ x 54Φ(2 x 1 )Φ √ x 2 + O √ n , P 2 where � x 1 e − t 2 / 2 dt . √ Φ( x ) = 2 π −∞ This means that although H (Binary( X n )) and H (NAF( X n )) are correlated, they are asymptotically independent. Their limiting distribution is the product of two normal distributions. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  73. Signed Digit Expansions in Cryptography Given Input Weight Covariance Binary and NAF Weight as Random Vector Limiting Distribution Quasi-Power Theorem Limiting Distribution Theorem The random vector V n := ( H (Binary( X n )) , H (NAF( X n ))) is asymptotically normal, i.e., � 1 / 2 √ � 1 � � � � V n − n � = 1 3 3 � 1 / 3 √ n ≤ x 54Φ(2 x 1 )Φ √ x 2 + O √ n , P 2 where � x 1 e − t 2 / 2 dt . √ Φ( x ) = 2 π −∞ This means that although H (Binary( X n )) and H (NAF( X n )) are correlated, they are asymptotically independent. Their limiting distribution is the product of two normal distributions. This is proved via a 2-dimensional version of Hwang’s Quasi-Power Thm. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  74. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Signed Digit Expansions in Cryptography 1 Given Input Weight 2 Binary and NAF Weight as Random Vector 3 Quasi-Power Theorem 4 Dimension 1 Dimension 2 2-dimensional Berry-Esseen-Inequality Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  75. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 1 Theorem (Hwang) Let { Ω n } n ≥ 1 be a sequence of integral random variables. Suppose that the moment generating function satisfies the asymptotic expression P (Ω n = m ) e ms = e u ( s ) φ ( n )+ v ( s ) (1 + O ( κ − 1 E ( e Ω n s ) = � n )) , m ≥ 0 the O-term being uniform for | s | ≤ τ , s ∈ C , τ > 0 , where Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  76. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 1 Theorem (Hwang) Let { Ω n } n ≥ 1 be a sequence of integral random variables. Suppose that the moment generating function satisfies the asymptotic expression P (Ω n = m ) e ms = e u ( s ) φ ( n )+ v ( s ) (1 + O ( κ − 1 E ( e Ω n s ) = � n )) , m ≥ 0 the O-term being uniform for | s | ≤ τ , s ∈ C , τ > 0 , where 1 u ( s ) and v ( s ) are analytic for | s | ≤ τ and independent of n; and u ′′ (0) � = 0 ; Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  77. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 1 Theorem (Hwang) Let { Ω n } n ≥ 1 be a sequence of integral random variables. Suppose that the moment generating function satisfies the asymptotic expression P (Ω n = m ) e ms = e u ( s ) φ ( n )+ v ( s ) (1 + O ( κ − 1 E ( e Ω n s ) = � n )) , m ≥ 0 the O-term being uniform for | s | ≤ τ , s ∈ C , τ > 0 , where 1 u ( s ) and v ( s ) are analytic for | s | ≤ τ and independent of n; and u ′′ (0) � = 0 ; 2 lim n →∞ φ ( n ) = ∞ ; Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  78. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 1 Theorem (Hwang) Let { Ω n } n ≥ 1 be a sequence of integral random variables. Suppose that the moment generating function satisfies the asymptotic expression P (Ω n = m ) e ms = e u ( s ) φ ( n )+ v ( s ) (1 + O ( κ − 1 E ( e Ω n s ) = � n )) , m ≥ 0 the O-term being uniform for | s | ≤ τ , s ∈ C , τ > 0 , where 1 u ( s ) and v ( s ) are analytic for | s | ≤ τ and independent of n; and u ′′ (0) � = 0 ; 2 lim n →∞ φ ( n ) = ∞ ; 3 lim n →∞ κ n = ∞ . Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  79. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 1, continued P (Ω n = m ) e ms = e u ( s ) φ ( n )+ v ( s ) (1 + O ( κ − 1 E ( e Ω n s ) = � n )) , m ≥ 0 Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  80. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 1, continued P (Ω n = m ) e ms = e u ( s ) φ ( n )+ v ( s ) (1 + O ( κ − 1 E ( e Ω n s ) = � n )) , m ≥ 0 Theorem (Hwang, cont.) Then the distribution of Ω n is asymptotically normal, i.e., � � � � Ω n − u ′ (0) φ ( n ) 1 + 1 P < x = Φ( x ) + O , � � κ n u ′′ (0) φ ( n ) φ ( n ) uniformly with respect to x, x ∈ R , where Φ denotes the standard normal distribution � x 1 � − 1 � 2 y 2 Φ( x ) = √ exp dy . 2 π −∞ Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  81. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 2 Theorem Let { Ω n } n ≥ 1 be a sequence of two dimensional integral random vectors. Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  82. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 2 Theorem Let { Ω n } n ≥ 1 be a sequence of two dimensional integral random vectors. Suppose that the moment generating function satisfies the asymptotic expression P ( Ω n = m ) e � m , s � = e u ( s ) φ ( n )+ v ( s ) (1 + O ( κ − 1 E ( e � Ω n , s � ) = � n )) , m ≥ 0 the O-term being uniform for � s � ∞ ≤ τ , s ∈ C 2 , τ > 0 , where Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  83. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 2 Theorem Let { Ω n } n ≥ 1 be a sequence of two dimensional integral random vectors. Suppose that the moment generating function satisfies the asymptotic expression P ( Ω n = m ) e � m , s � = e u ( s ) φ ( n )+ v ( s ) (1 + O ( κ − 1 E ( e � Ω n , s � ) = � n )) , m ≥ 0 the O-term being uniform for � s � ∞ ≤ τ , s ∈ C 2 , τ > 0 , where 1 u ( s ) and v ( s ) analytic for � s � ≤ τ and independent of n; and the Hessian H u ( 0 ) of u at the origin is nonsingular; Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

  84. Signed Digit Expansions in Cryptography Dimension 1 Given Input Weight Dimension 2 Binary and NAF Weight as Random Vector 2-dimensional Berry-Esseen-Inequality Quasi-Power Theorem Quasi-Power Theorem, Dimension 2 Theorem Let { Ω n } n ≥ 1 be a sequence of two dimensional integral random vectors. Suppose that the moment generating function satisfies the asymptotic expression P ( Ω n = m ) e � m , s � = e u ( s ) φ ( n )+ v ( s ) (1 + O ( κ − 1 E ( e � Ω n , s � ) = � n )) , m ≥ 0 the O-term being uniform for � s � ∞ ≤ τ , s ∈ C 2 , τ > 0 , where 1 u ( s ) and v ( s ) analytic for � s � ≤ τ and independent of n; and the Hessian H u ( 0 ) of u at the origin is nonsingular; 2 lim n →∞ φ ( n ) = ∞ ; Clemens Heuberger Hamming Weight of the Non-Adjacent-Form

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

/k Content 2/15 1. Introduction 2. Hamming weight 3. Rank weight 4. Extended rank weight

/k Content 2/15 1. Introduction 2. Hamming weight 3. Rank weight 4. Extended rank weight

On defining the generalized rank weight Ruud Pellikaan joint work with Relinde Jurrius Autonomous University Barcelona, 6 November 2014 /k Content 2/15 1. Introduction 2. Hamming weight 3. Rank weight 4. Extended rank weight enumerator

165 views • 15 slides
A Hybrid Implementation of Hamming Weight Enric Morancho Computer Architecture Department

A Hybrid Implementation of Hamming Weight Enric Morancho Computer Architecture Department

A Hybrid Implementation of Hamming Weight Enric Morancho Computer Architecture Department Universitat Politcnica de Catalunya, BarcelonaTech Barcelona, Spain enricm@ac.upc.edu 22 nd Euromicro International Conference on Parallel,

573 views • 35 slides
Advances in Alternative Non-Adjacent Form Representations Gildas Avoine, Jean Monnerat, and

Advances in Alternative Non-Adjacent Form Representations Gildas Avoine, Jean Monnerat, and

Preliminaries Theoretical Results Indocrypt, December 20-22, 2004 Algorithmic Aspects Conclusion Advances in Alternative Non-Adjacent Form Representations Gildas Avoine, Jean Monnerat, and Thomas Peyrin EPFL Lausanne, Switzerland COLE

614 views • 50 slides
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming

403 views • 25 slides
LPC-1 BABY BRASA &amp; LANDMARK DISTRICT &amp; ENGINEERING, LLP 173 7TH AVE. SOUTH 175 GREAT

LPC-1 BABY BRASA &amp; LANDMARK DISTRICT &amp; ENGINEERING, LLP 173 7TH AVE. SOUTH 175 GREAT

Z:\PROJECTS\173 7th Avenue South\CAD\000000000-A1-Job Name\WIP_A\173 7th Ave South LPC Presentation.rvt E V A H C I W PERRY STREET N E E R G ADJACENT 4 STORY BUILDING ADJACENT 4 STORY BUILDING 45.58 FT. ADJACENT NO. 173-175

528 views • 7 slides
LPC-1 BABY BRASA &amp; LANDMARK DISTRICT ARCHITECTS &amp; ENGINEERS, LLP 173-177 7TH AVE. SOUTH

LPC-1 BABY BRASA &amp; LANDMARK DISTRICT ARCHITECTS &amp; ENGINEERS, LLP 173-177 7TH AVE. SOUTH

E V A H C I W PERRY STREET N E E R G ADJACENT 4 STORY BUILDING ADJACENT 4 STORY BUILDING 45.58 FT. ADJACENT NO. 173-175 BUILDING 2 STORY BUILDING SCOP OPE OF E OF W WORK: : APPLICATION IS TO LEGALIZE THE INSTALLATION OF

350 views • 8 slides
How Downtown Integrates into Adjacent Neighborhoods How Downtown Integrates into Adjacent

How Downtown Integrates into Adjacent Neighborhoods How Downtown Integrates into Adjacent

5/18/2015 How Downtown Integrates into Adjacent Neighborhoods How Downtown Integrates into Adjacent Neighborhoods One important aspect of downtown Florence is the existence of strong urban neighborhoods in North, East, and West Florence.

375 views • 5 slides
Error Detection and Correction: Hamming Code; Reed-Muller Code Greg Plaxton Theory in

Error Detection and Correction: Hamming Code; Reed-Muller Code Greg Plaxton Theory in

Error Detection and Correction: Hamming Code; Reed-Muller Code Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Hamming Code: Motivation Assume a word size of k

315 views • 8 slides
INTRODUCING Connecting Weight Loss Patients Directly to your Weight Loss Center Physicians Weight

INTRODUCING Connecting Weight Loss Patients Directly to your Weight Loss Center Physicians Weight

INTRODUCING Connecting Weight Loss Patients Directly to your Weight Loss Center Physicians Weight Loss Network is a premier patient referral program. We are the industrys largest direct marketer that solely focuses on medical weight loss

393 views • 7 slides
cProbLog: Restricting the Possible Worlds of Probabilistic Logic Programs Dimitar Shterionov

cProbLog: Restricting the Possible Worlds of Probabilistic Logic Programs Dimitar Shterionov

cProbLog: Restricting the Possible Worlds of Probabilistic Logic Programs Dimitar Shterionov Prof. Gerda Janssens 1 Weight: 3 Weight: 4 Weight: 8 Weight: 6 2 Weight: 3 Weight: 4 0.33 Weight: 8 Weight: 6 0.25 0.125 0.16 3 Weight:

671 views • 63 slides
MEASUREMENT Weight ESSENTIAL QUESTION: How do we know which unit to choose to measure weight?

MEASUREMENT Weight ESSENTIAL QUESTION: How do we know which unit to choose to measure weight?

MEASUREMENT Weight ESSENTIAL QUESTION: How do we know which unit to choose to measure weight? What am I measuring when I measure weight ? What words do I use to describe weight? ounce gram ton kilogram pound STANDARD METRIC Match the

350 views • 16 slides
Formulation and development of foods for weight management Paola Vitaglione Weight control and

Formulation and development of foods for weight management Paola Vitaglione Weight control and

Formulation and development of foods for weight management Paola Vitaglione Weight control and energy balance Weight Weight Weight maintenance gain loss ENERGY IN ENERGY OUT Food intake: Physical activity (15-30%) Carbohydrates

921 views • 69 slides
Gemstones a Unit of Weight Gemstones a Unit of Weight The historical unit of weight

Gemstones a Unit of Weight Gemstones a Unit of Weight The historical unit of weight

Gemstones a Unit of Weight Gemstones a Unit of Weight The historical unit of weight for gemstones has been the Carat - the weight of a single seed from the seedpod of the carob tree (Ceratonia Siliqua) hence latin - siliqua

498 views • 12 slides
Wha hat t do do yo you REALLY u REALLY want want from from w weight eight l loss? oss?

Wha hat t do do yo you REALLY u REALLY want want from from w weight eight l loss? oss?

Exercise and Weight Loss the good news! Janet Huehls, MA, RCEP, CYT Clinical Exercise Physiologist UMass Memorial Weight Center Janet.huehls@umassmemorial.org 774-441-6248 The Weight Center Exercise Program A benefit to you as a Weight

102 views • 8 slides
Grouping of Adjacent Media in SDP draft-jennings-mmusic-adjacent-grouping-02 IETF 79 November

Grouping of Adjacent Media in SDP draft-jennings-mmusic-adjacent-grouping-02 IETF 79 November

Grouping of Adjacent Media in SDP draft-jennings-mmusic-adjacent-grouping-02 IETF 79 November 2010 Cullen Jennings and Ali C. Begen {fluffy, abegen}@cisco.com 1 Ali C. Begen (abegen@cisco.com) Large Video Walls It is increasingly common to

74 views • 6 slides
Cyclic Sieving of Dual Hamming Codes Alex Mason 1 Shruthi Sridhar 2 1 Washington University, St.

Cyclic Sieving of Dual Hamming Codes Alex Mason 1 Shruthi Sridhar 2 1 Washington University, St.

Cyclic Sieving of Dual Hamming Codes Alex Mason 1 Shruthi Sridhar 2 1 Washington University, St. Louis masona@wustl.edu 2 Cornell University ss2945@cornell.edu Research work from UMN Twin Cities REU 2017 July 31, 2017 Mason, Sridhar Dual Hamming

452 views • 17 slides
A Generalized Fifth Order WENO Finite Difference Scheme with Z-Type Nonlinear Weights

A Generalized Fifth Order WENO Finite Difference Scheme with Z-Type Nonlinear Weights

A Generalized Fifth Order WENO Finite Difference Scheme with Z-Type Nonlinear Weights International Conference Advances in Applied Mathematics in memorial of Professor Saul Abarbanel December 18 - 20, 2018, Tel Aviv University Wai-Sun Don

1.01k views • 55 slides
Math236 Discrete Maths with Applications P. Ittmann UKZN, Pietermaritzburg Semester 1, 2012

Math236 Discrete Maths with Applications P. Ittmann UKZN, Pietermaritzburg Semester 1, 2012

Math236 Discrete Maths with Applications P. Ittmann UKZN, Pietermaritzburg Semester 1, 2012 Ittmann (UKZN PMB) Math236 2012 1 / 24 Edge weights Sometimes it is desirable to have graphs in which edges have different lengths For example,

489 views • 24 slides
Approximation Strategies for Incomplete MaxSAT Saurabh Joshi 1 Prateek Kumar 1 Ruben Martins 2

Approximation Strategies for Incomplete MaxSAT Saurabh Joshi 1 Prateek Kumar 1 Ruben Martins 2

Approximation Strategies for Incomplete MaxSAT Saurabh Joshi 1 Prateek Kumar 1 Ruben Martins 2 Sukrut Rao 1 1 IIT Hyderabad 2 Carnegie Mellon University SAT+SMT School 2019, IIT Bombay 8th December 2019

960 views • 53 slides
Search Algorithms for Discrete Optimization Problems Ananth Grama, Anshul Gupta, George Karypis,

Search Algorithms for Discrete Optimization Problems Ananth Grama, Anshul Gupta, George Karypis,

Search Algorithms for Discrete Optimization Problems Ananth Grama, Anshul Gupta, George Karypis, and Vipin Kumar To accompany the text Introduction to Parallel Computing, Addison Wesley, 2003. Topic Overview Discrete Optimization

941 views • 65 slides
Design for Optimizability A Case Study in Routing Mung Chiang Electrical Engineering Department,

Design for Optimizability A Case Study in Routing Mung Chiang Electrical Engineering Department,

Design for Optimizability A Case Study in Routing Mung Chiang Electrical Engineering Department, Princeton DIMACS Workshop November 12, 2009 Internet Routing and Traffic Engineering Joint work with Dahai Xu and Jennifer Rexford Most large IP

609 views • 24 slides
Com puter Vision Extraction of scene content from images and video Traditional

Com puter Vision Extraction of scene content from images and video Traditional

Com puter Vision Extraction of scene content from images and video Traditional applications in robotics and control Com puter Vision and E.g., driver safety Object Recognition More recently in film and television E.g., ad

578 views • 9 slides
Parametric Signal Modeling and Linear Prediction Theory 1. Discrete-time Stochastic Processes

Parametric Signal Modeling and Linear Prediction Theory 1. Discrete-time Stochastic Processes

1 Discrete-time Stochastic Processes Appendix: Detailed Derivations Parametric Signal Modeling and Linear Prediction Theory 1. Discrete-time Stochastic Processes Electrical &amp; Computer Engineering University of Maryland, College Park

1.89k views • 166 slides
Week 3: Linear Regression Instructor: Sergey Levine 1 Recap In the previous lecture we saw how

Week 3: Linear Regression Instructor: Sergey Levine 1 Recap In the previous lecture we saw how

Week 3: Linear Regression Instructor: Sergey Levine 1 Recap In the previous lecture we saw how linear regression can solve the following problem: given a dataset D = { ( x 1 , y 1 ) , . . . , ( x N , y N ) } , learn to predict y from x . In

319 views • 5 slides

More recommend