**Redundant $\tau$-adic Expansions II: Non-Optimality and Chaotic Behaviour**

*Clemens Heuberger*

**Abstract: **When computing scalar multiples on Koblitz curves, the Frobenius endomorphism can be used to replace the usual doublings on the curve. This involves digital expansions of the scalar to the complex base $\tau=(\pm 1\pm \sqrt{-7})/2$ instead of binary expansions. As in the binary case, this method can be sped up by enlarging the set of valid digits at the cost of precomputing some points on the curve. In the binary case, it is known that a simple syntactical condition (the so-called $w$-NAF-condition) on the expansion ensures that the number of curve additions is minimised. The purpose of this paper is to show that this is not longer true for the base $\tau$ and $w\in\{4,5,6\}$. Even worse, it is shown that there is no longer an online algorithm to compute an optimal expansion from the digits of some standard expansion from the least to the most significant digit, which can be interpreted as chaotic behaviour. The proofs heavily depend on symbolic computations involving transducer automata.

**Category / Keywords: **implementation / Koblitz curves; Frobenius endomorphism; Scalar Multiplication; $tau$-adic expansions; Non-Adjacent-Forms; Digit Sets; Efficient Implementation

**Date: **received 4 Apr 2008

**Contact author: **clemens heuberger at tugraz at

**Available format(s): **PDF | BibTeX Citation

**Version: **20080408:091834 (All versions of this report)

**Short URL: **ia.cr/2008/153

[ Cryptology ePrint archive ]