where v(2w − 1) points P[v ][u] for v [0, v − 1] and u [1, 2w − 1] are precomputed. A point multiplication algorithm based on this method is expected to require approxi-

3.44 and 3.45 are the cases v = 1 and v = 2, respectively.

3.3.3Multiple point multiplication

One method to potentially speed the computation of k P + l Q is simultaneous multiple point multiplication (Algorithm 3.48), also known as Shamir’s trick. If k and l are t-bit numbers, then their binary representations are written in a 2×t matrix known as the exponent array. Given width w, the values i P + j Q are calculated for 0 ≤ i, j < 2w . At each of t/w steps, the accumulator receives w doublings and an addition from the table of values i P + j Q determined by the contents of a 2×w window passed over the exponent array; see Figure 3.7.

Algorithm 3.48 Simultaneous multiple point multiplication

INPUT: Window width w, k = (kt−1, . . . , k0)2, l = (lt−1, . . . , l0)2, P, Q E(Fq ).

OUTPUT: k P + l Q.

1.Compute i P + j Q for all i, j [0, 2w − 1].

2.Write k = (K d−1, . . . , K 1, K 0) and l = (Ld−1, . . . , L1, L0) where each K i , Li is a bitstring of length w, and d = t/w .

3.R ← ∞.

4.For i from d − 1 downto 0 do

4.1R ← 2w R.

4.2R ← R + (K i P + Li Q).

5.Return(R).

110 3. Elliptic Curve Arithmetic

Algorithm 3.48 can be improved by use of a sliding window. At each step, placement of a window of width at most w is such that the right-most column is nonzero. Precomputation storage is reduced by 22(w−1) − 1 points. The improved algorithm is expected to have t/(w + (1/3)) point additions in the evaluation stage, a savings of

approximately 9% (in evaluation stage additions) compared with Algorithm 3.48 for w {2, 3}.

Joint sparse form

If k and l are each written in NAF form, then the expected number of zero columns in the exponent array increases, so that the expected number of additions in the evaluation stage of a suitably modified Algorithm 3.48 (processing one column at a time) is 5t/9. The expected number of zero columns can be increased by choosing signed binary expansions of k and l jointly. The joint sparse form (JSF) exponent array of positive integers k and l is characterized by the following properties.

1.At least one of any three consecutive columns is zero.

2.Consecutive terms in a row do not have opposite signs.

3.If k j+1k j = 0 then l j+1 = 0 and l j = 0. If l j+1l j = 0 then k j+1 = 0 and k j = 0.

The representation has minimal weight among all joint signed binary expansions, where the weight is defined to be the number of nonzero columns.

If Algorithm 3.48 is modified to use JSF, processing a single column in each iteration, then t/2 additions (rather than 5t/9 using NAFs) are required in the evaluation stage. Algorithm 3.50 finds the joint sparse form for integers k1 and k2 . Although it is written in terms of integer operations, in fact only simple bit arithmetic is required; for example, evaluation modulo 8 means that three bits must be examined, and ki /2 discards the rightmost bit.

Algorithm 3.50 Joint sparse form

INPUT: Nonnegative integers k1 and k2, not both zero.

OUTPUT: JSF(k2, k1), the joint sparse form of k1 and k2.

1.l ← 0, d1 ← 0, d2 ← 0.

2.While (k1 + d1 > 0 or k2 + d2 > 0) do

2.11 ← d1 + k1, 2 ← d2 + k2.

2.2For i from 1 to 2 do

If i is even then u ← 0; Else

u ← i mods 4.

If i ≡ ±3 (mod 8) and 3−i ≡ 2 (mod 4) then u ← − u. kli ← u.

2.3 For i from 1 to 2 do

If 2di = 1 + kli then di ← 1 − di . ki ← ki /2 .

Interleaving

The simultaneous and comb methods process multiple point multiplications using precomputation involving combinations of the points. Roughly speaking, if each precomputed value involves only a single point, then the associated method is known as interleaving.

In the calculation of k j Pj for points Pj and integers k j , interleaving allows different methods to be used for each k j Pj , provided that the doubling step can be done jointly. For example, width-w NAF methods with different widths can be used, or some point multiplications may be done by comb methods. However, the cost of the doubling is determined by the maximum number of doublings required in the methods for k j Pj , and hence the benefits of a comb method may be lost in interleaving.

doubling of the accumulator at each stage; Figure 3.8 illustrates the case v = 2. The algorithm has an expected running time of approximately

Figure 3.8. Computing k1 P1 + k2 P2 using interleaving with NAFs. The point multiplication accumulation step is shown for the case v = 2 points. Scalar k j is written in width-w j NAF form.

Algorithm 3.51 Interleaving with NAFs

l Q, where k and l are approximately the same bitlength. The simultaneous sliding and interleaving methods require essentially the same number of point doublings regardless of the window widths. For a given w, simultaneous sliding requires 3 · 22(w−1) points of storage, and approximately t/(w + (1/3)) point additions in the evaluation stage, while interleaving with width 2w + 1 on k and width 2w on l requires the same amount of storage, but only (4w + 3)t/(4w2 + 5w + 2) < t/(w + (1/2)) additions in evaluation. Interleaving may also be preferable at the precomputation phase, since operations involving a known point P may be done in advance (encouraging the use of a wider width for NAFw(k)), in contrast to the joint computations required in the simultaneous method. Table 3.6 compares operation counts for computing k P + l Q in the case that P (but not Q) is known in advance.