## JMI2010A-7 Explicit lower bound for the length of minimal weight $\tau$-adic expansions on Koblitz curves (pp.75-83)

Author(s)： Keisuke Hakuta, Hisayoshi Sato and Tsuyoshi Takagi

J. Math-for-Ind. 2A (2010) 75-83.

Abstract
Elliptic curve cryptosystems (ECC) are emerging cryptographic standards which can be used instead of RSA cryptosystems, and are practically used. In ECC, scalar multiplication (or point multiplication) is the dominant operation, namely computing an integer multiple for a given integer and a point on an elliptic curve. However, for practical use, it is a very important matter to improve the efficiency of scalar multiplication. The $\tau$-adic non-adjacent form ($\tau$-NAF) proposed by Solinas, is one of the most efficient algorithms to compute scalar multiplications on Koblitz curves. Avanzi, Heuberger, and Prodinger have proven the minimality of the Hamming weight of the $\tau$-NAF on Koblitz curves. However, the lower bound for the length of minimal Hamming weight $\tau$-adic expansions is not known yet. In this paper, we shall derive an explicit lower bound for the length of minimal Hamming weight $\tau$-adic expansions. We shall also give a new proof of the minimality of the Hamming weight of the $\tau$-NAF on Koblitz curves. Further, by using the proof of the lower bound and the new proof of the minimality, we classify a minimal length $\tau$-adic expansion with minimal Hamming weight except for two special cases. The classification shows that the $\tau$-NAF has almost minimal length among all $\tau$-adic expansions of minimal Hamming weight and we can easily convert the $\tau$-NAF into a minimal length $\tau$-adic expansion without changing the Hamming weight. This fact follows immediately from the proof of the lower bound and our new proof.

Keyword(s).　 Koblitz Curves (Anomalous Binary Curves), Scalar Multiplication, $\tau$-adic Non-AdjacentForm ($\tau$-NAF), Minimal Length