Dbns Theo Appl Handout


The Double-Base Number System

Theory, Applications and Open Problems


Laurent Imbert
CNRS, LIRMM, Université Montpellier 2
10 years of collaborations with V. Dimitrov, Univ. of Calgary, Canada
Séminaire Bipop-Casys, LJK, March 4, 2010

Today's menu
(p, q)-ary partitions
The double-base number system: (p, q) = (2, 3)
Definition, representation, properties
Applications to arithmetic and cryptography
Strictly chained (p, q)-ary partitions
Open problems

Integer Partitions
A partition of an integer $n$ is a nonincreasing sequence of positive integers $a_1, a_2, \dots, a_k$ whose sum is $n$. Each $a_i$ is called a part.
For example, the 5 partitions of 4 are:
4 = 4
= 3 + 1
= 2 + 2
= 2 + 1 + 1
= 1 + 1 + 1 + 1
The partitions of $n$ correspond to the set of solutions $(k_1, k_2, \dots, k_n)$ in nonnegative integers to the diophantine equation
$$1k_1 + 2k_2 + 3k_3 + \cdots + nk_n = n$$

The Partitions Zoo
Partitions with distinct parts, partitions with odd parts
Partitions whose largest part is k, partitions with k parts
Partitions into primes (Goldbach conjecture)
m-ary partitions: partitions as a sum of powers of m for a fixed $m \ge 2$ (e.g. binary partitions)
Partitions with parts occurring at most twice or thrice
Chain, umbrella partitions: partitions constrained by divisibility conditions
etc.

(p, q)-ary Partitions
A (p, q)-ary partition is a partition where the parts are divisible by no primes other than p or q
Historically, a double-base representation of n > 0 is a (2, 3)-ary partition of n with distinct parts
$$n = 2^{a_1} 3^{b_1} + 2^{a_2} 3^{b_2} + \cdots + 2^{a_m} 3^{b_m}$$
with $a_i, b_i \ge 0$ for $i = 1, \dots, m$
A number of the form $2^a 3^b$ is called a {2, 3}-integer

Representation of (p, q)-ary Partitions
[Figure: grid with axes $2^a$ and $3^b$]
$$314159 = 2^7 3^7 + 2^7 3^5 + 2^{10} 3^1 + 2^2 3^2 + 2^0 3^2 + 2^1 3^0$$

Number of Double-Base Representations
[Figure: grid with axes $2^a$ and $3^b$, with the label $b_2$]
One-to-one correspondence with the solutions $(b_0, \dots, b_{r-1})$ to the diophantine equation
$$n = b_0 + 3b_1 + 3^2 b_2 + \cdots + 3^{r-1} b_{r-1}$$
# Double-base rep. of n > 0 = # 3-ary partitions of n
$$f(n) = \begin{cases} f(n-1) + f(n/3) & \text{if } 3 \mid n \\ f(n-1) & \text{otherwise} \end{cases}$$
Sloane's integer sequence # A005704
f(1) = 1, f(10) = 5, f(50) = 72, f(100) = 402, f(500) = 75171

Length of Double-Base Representations
The length of a double-base representation is equal to the number of parts in
$$n = 2^{a_1} 3^{b_1} + \cdots + 2^{a_m} 3^{b_m}$$
Theorem [Dimitrov 95]: $m \in O(\log n / \log\log n)$
Smallest n > 0 requiring m parts
m    n                log n / log log n
2    5                3.38
3    23               2.74
4    431              3.36
5    18,431           4.29
6    3,448,733        5.55
7    1,441,896,119    6.91

Canonic Double-Base Representations
Representations of minimal length (shortest partitions)
Example: 127 has 783 representations, among which 6 are canonic
[Figure: six panels, each with axes $2^a$ and $3^b$]
Canonic representations are extremely hard to compute!

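Added example, not part of the original slides: the recurrence for f(n) checked against a direct count of double-base representations grouped by length, which also gives the canonic length and the number of canonic representations. The function names and the base case f(0) = 1 are assumptions of this sketch.

```python
def two_three_integers(limit):
    """All numbers 2^a * 3^b <= limit, in increasing order."""
    out, p3 = [], 1
    while p3 <= limit:
        z = p3
        while z <= limit:
            out.append(z)
            z *= 2
        p3 *= 3
    return sorted(out)

def f(n):
    """Recurrence from the slide; f(0) = 1 is the assumed base case."""
    table = [1] * (n + 1)
    for k in range(1, n + 1):
        table[k] = table[k - 1] + (table[k // 3] if k % 3 == 0 else 0)
    return table[n]

def count_by_length(n):
    """Map length m -> number of sets of m distinct {2,3}-integers summing to n."""
    parts = two_three_integers(n)
    ways = [[0] * (len(parts) + 1) for _ in range(n + 1)]
    ways[0][0] = 1
    for z in parts:                      # 0/1 knapsack: each part used at most once
        for s in range(n, z - 1, -1):
            for m in range(1, len(parts) + 1):
                ways[s][m] += ways[s - z][m - 1]
    return {m: c for m, c in enumerate(ways[n]) if c}

def summary(n):
    """(number of representations, canonic length, number of canonic ones)."""
    by_len = count_by_length(n)
    shortest = min(by_len)
    return sum(by_len.values()), shortest, by_len[shortest]

if __name__ == "__main__":
    print(summary(127), f(127))
```
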
Computing Double-Base Representations
Input: An integer n > 0
Output: The sequence $(a_i, b_i)$ s.t. $n = \sum_i 2^{a_i} 3^{b_i}$ with $a_i, b_i \ge 0$
while n ≠ 0 do
    Compute the best default approx of n of the form $z = 2^a 3^b$
    print (a, b)
    n ← n − z
end while
Does not produce canonic representations...
(E.g.: 41 = 36 + 4 + 1 = 32 + 9)
but satisfies length in $O(\log n / \log\log n)$
Minor modifications allow computing signed double-base representations
$$n = \pm 2^{a_1} 3^{b_1} \pm 2^{a_2} 3^{b_2} \pm \cdots \pm 2^{a_m} 3^{b_m}$$

Best Approximations of the Form $2^a 3^b$
Compute $a, b \ge 0$ such that $2^a 3^b = \max\{2^c 3^d \le n ;\ (c, d) \in \mathbb{N} \times \mathbb{N}\}$
c + d < a + b log_3 n ( = log_3 2)
Solutions: points with integer coordinates under the line of equation y = x + log_3 n
Best left approx: (a, b) s.t. (a) = min (x) = x + log_3 n

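Added example, not part of the original slides: the greedy algorithm with the best default approximation found by walking the staircase of integer points under the line, plus one possible signed variant. Picking the nearest {2, 3}-integer for the signed case is an assumption about the "minor modifications"; all function names are illustrative.

```python
def best_default_approx(n):
    """Largest z = 2^a * 3^b <= n, returned as (z, a, b)."""
    a, b = n.bit_length() - 1, 0          # start at the largest power of 2 <= n
    z = 1 << a
    best = (z, a, b)
    while True:
        z, b = z * 3, b + 1               # one step up in b ...
        while z > n and a > 0:            # ... then down in a until back under n
            z, a = z // 2, a - 1
        if z > n:                         # 3^b alone already exceeds n
            return best
        best = max(best, (z, a, b))

def greedy(n):
    """Unsigned greedy double-base representation as a list of (a, b)."""
    terms = []
    while n != 0:
        z, a, b = best_default_approx(n)
        terms.append((a, b))
        n -= z
    return terms

def nearest(n):
    """{2,3}-integer closest to n >= 1 as (z, a, b); ties go to the smaller z."""
    cands, b = [], 0
    while 3**b < 2 * n:                   # some power of 2 lies in [n, 2n)
        a = 0
        while 2**a * 3**b < 2 * n:
            cands.append((2**a * 3**b, a, b))
            a += 1
        b += 1
    return min(cands, key=lambda c: (abs(n - c[0]), c[0]))

def greedy_signed(n):
    """Signed greedy variant (assumed): list of (sign, a, b)."""
    terms = []
    while n != 0:
        z, a, b = nearest(abs(n))
        s = 1 if n > 0 else -1
        terms.append((s, a, b))
        n -= s * z
    return terms

if __name__ == "__main__":
    print(greedy(41), greedy_signed(23))
```
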
Single Constant Multiplication (SCM)
Given an integer constant C > 0, find a program which computes C × x with as few operations +/−, << as possible.
Complexity model: + and − have the same cost, << are negligible
Naive approach: $151 = (10010111)_2$
151x = (x << 7) + (x << 4) + (x << 2) + (x << 1) + x
Signed digits: $151 = (1010\bar{1}00\bar{1})_{SD2}$
151x = (x << 7) + (x << 5) − (x << 3) − x
Pattern search [Lefèvre 01, Boullis & Tisserand 05]
Lefèvre's conjecture: SCM is sublinear

A Double-base Approach to SCM
$C = 10599 = (1010010\ 1100111)_2 = 82 \times 2^7 + 103$
[Figure: double-base grid with columns $2^0, 2^1, \dots, 2^{13}$ and rows $3^0, 3^1, 3^2$; values shown: 103, 82, 0, 2, 32, 6]
$x_0 = (x \ll 8)$
$x_1 = 3x_0 + (x \ll 5)$
$x_2 = 3x_1 + (x \ll 13) + (x \ll 3) - x$

Complexity
If $C = \sum_{i=0}^{m-1} 2^{a_i} 3^{b_i}$, with $b_{\max} = \max_i b_i$, then
$$\#\,\text{add} = m + b_{\max} - 1$$
Theorem [DIZ 07]: Let C > 0 of size n. Then, the multiplication by C can be computed in O(n/ log n) additions.
Sketch of proof:
1. Split C into log n blocks of size n/ log n each
2. Expressing each block in double-base gives $b_{\max} \in O(n/\log n)$
3. $m = \sum_j m_j$ with $m_j \in O(n/(\log n)^2)$
4. $m \in O(n/\log n)$

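Added example, not part of the original slides: a shift-and-add evaluator that runs Horner's rule over the powers of 3 of a signed double-base expansion and counts additions, reproducing the 10599 program and the count m + b_max − 1. The term list is read off the slide's program for x_0, x_1, x_2; the function names are illustrative.

```python
def scm(terms, x):
    """Multiply x by C = sum(sign * 2^a * 3^b) using shifts and additions.

    terms is a list of (sign, a, b). Returns (C * x, number of +/- used).
    A leading negation, if the top row has no positive term, is not counted.
    """
    rows = {}
    for s, a, b in terms:
        rows.setdefault(b, []).append((s, a))
    acc, adds = None, 0
    for b in range(max(rows), -1, -1):
        if acc is not None:
            acc = (acc << 1) + acc            # 3 * acc: one shift, one addition
            adds += 1
        for s, a in sorted(rows.get(b, []), reverse=True):   # positive terms first
            t = x << a
            if acc is None:
                acc = t if s > 0 else -t
            else:
                acc = acc + t if s > 0 else acc - t
                adds += 1
    return acc, adds

def binary_adds(c):
    """Additions used by the naive binary method: one per nonzero bit after the first."""
    return bin(c).count("1") - 1

# 10599 = 2^8*3^2 + 2^5*3 + 2^13 + 2^3 - 1, as in the slide's x_0, x_1, x_2
TERMS_10599 = [(1, 8, 2), (1, 5, 1), (1, 13, 0), (1, 3, 0), (-1, 0, 0)]

if __name__ == "__main__":
    print(scm(TERMS_10599, 1), binary_adds(10599))
```
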
Example
The multiplication by any 300-bit constant can be computed with at most 77 additions.
Split its binary representation into ten 30-bit blocks
Every block can be represented with at most six {2, 3}-integers
(Because $2^{30} < 1{,}441{,}896{,}119 < 2^{31}$)
The highest power of 3 that might occur is 18
(Because $3^{18} < 2^{30} < 3^{19}$)
Therefore, in the worst case, one will need
10 × 6 + 18 − 1 = 77 additions

Matrix Polynomial
Evaluate the matrix polynomial
$$G(N, A) = I + A + A^2 + \cdots + A^{N-1}$$
without matrix inversion
Horner: G(N, A) = A(A(. . . (A+I) . . . ) +I) +I (too slow)
Smart decompositions: If N = JK, then
$$G(N, A) = G(J, A) \times G(K, A^J)$$

Binary Decomposition
$$G(N, A) = \begin{cases} (I + A) \times G(K, A^2) & \text{if } N = 2K \\ I + (A + A^2) \times G(K, A^2) & \text{if } N = 2K + 1 \end{cases}$$
The number of matrix multiplications (MM) is $2 \log_2 N$

Ternary Decomposition
$$G(N, A) = \begin{cases} (I + A + A^2) \times G(K, A^3) & \text{if } N = 3K \\ I + (A + A^2 + A^3) \times G(K, A^3) & \text{if } N = 3K + 1 \\ I + A + A\,(A + A^2 + A^3) \times G(K, A^3) & \text{if } N = 3K + 2 \end{cases}$$
The number of MM is between $3 \log_3 N \approx 1.89 \log_2 N$ and $4 \log_3 N \approx 2.52 \log_2 N$

Hybrid Decomposition
$$G(N, A) = \begin{cases} (I + A + A^2) \times G(K, A^3) & \text{if } N = 3K \\ I + (A + A^2 + A^3) \times G(K, A^3) & \text{if } N = 3K + 1 \\ (I + A) \times G(3K + 1, A^2) & \text{if } N = 6K + 2 \\ I + (A + A^2) \times G(3K + 2, A^2) & \text{if } N = 6K + 5 \end{cases}$$
The number of MM is between $3 \log_3 N \approx 1.89 \log_2 N$ and $2 \log_2 N$

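Added example, not part of the original slides: the hybrid decomposition implemented on 2×2 integer matrices, counting matrix products and checked against Horner's rule. The modulus, the sample matrix and the function names are assumptions chosen for illustration.

```python
P = 1_000_003                         # arbitrary modulus (assumption) to keep entries small
I2, Z = ((1, 0), (0, 1)), ((0, 0), (0, 0))

def mul(X, Y):
    return tuple(tuple(sum(X[i][k] * Y[k][j] for k in range(2)) % P
                       for j in range(2)) for i in range(2))

def add(*Ms):
    return tuple(tuple(sum(M[i][j] for M in Ms) % P for j in range(2))
                 for i in range(2))

def direct(N, A):
    """Horner evaluation of I + A + ... + A^(N-1), one product per term."""
    S = Z
    for _ in range(N):
        S = add(mul(S, A), I2)
    return S

def G(N, A):
    """Hybrid decomposition; returns (G(N, A), number of matrix products)."""
    if N <= 1:
        return (I2 if N else Z), 0
    A2 = mul(A, A)
    if N % 3 < 2:                                     # N = 3K or N = 3K + 1
        A3 = mul(A2, A)
        S, mm = G(N // 3, A3)
        head = add(I2, A, A2) if N % 3 == 0 else add(A, A2, A3)
        T = mul(head, S)
        return (T if N % 3 == 0 else add(I2, T)), mm + 3
    S, mm = G(N // 2, A2)                             # N = 6K + 2 or N = 6K + 5
    head = add(I2, A) if N % 6 == 2 else add(A, A2)
    T = mul(head, S)
    return (T if N % 6 == 2 else add(I2, T)), mm + 2

SAMPLE = ((1, 1), (1, 0))             # constructed sample matrix

if __name__ == "__main__":
    value, products = G(1000, SAMPLE)
    print(products, value == direct(1000, SAMPLE))
```
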
Average Complexity of the Hybrid Approach
$$G(N, A) = \begin{cases} (I + A + A^2) \times G(K, A^3) & \text{if } N = 3K \\ I + (A + A^2 + A^3) \times G(K, A^3) & \text{if } N = 3K + 1 \\ (I + A) \times G(3K + 1, A^2) & \text{if } N = 6K + 2 \\ I + (A + A^2) \times G(3K + 2, A^2) & \text{if } N = 6K + 5 \end{cases}$$
States: 0, 1, 2, 3, 4, 5
$$\begin{pmatrix} 1/3 & 0 & 1/3 & 0 & 1/3 & 0 \\ 1/3 & 0 & 1/3 & 0 & 1/3 & 0 \\ 0 & 1/2 & 0 & 0 & 1/2 & 0 \\ 0 & 1/3 & 0 & 1/3 & 0 & 1/3 \\ 0 & 1/3 & 0 & 1/3 & 0 & 1/3 \\ 0 & 0 & 1/2 & 0 & 0 & 1/2 \end{pmatrix}$$
Stationary probabilities: p = (1/10 1/5 1/5 1/10 1/5 1/5)
Average base: = $2^{2/5}\, 3^{3/5} \approx 2.550849$
Average number of MM: (3p_3 + 2p_2) log 2 1.92 log_2 N

Fast Exponentiation
Generic: given $g \in (G, \times)$ and $n \ge 0$, compute $g^n$
Elliptic curve scalar multiplication: given $P \in E(K)$ and $k \ge 0$, compute $[k]P = P + P + \cdots + P$ (k times)
Multi-scalar multiplication: given $k_1, k_2$, $P, Q \in E(K)$, compute $[k_1]P + [k_2]Q$

Scalar Multiplication Algorithms
Double-and-Add: $k = \sum_{i=0}^{n-1} k_i 2^i$, with $k_i \in \{0, 1\}$
314159 = 1 0 0 1 1 0 0 1 0 1 1 0 0 1 0 1 1 1 1.
n − 1 doublings, n/2 additions on average
NAF, CSD: $k_i \in \{\bar{1}, 0, 1\}$
$\mathrm{NAF}_2(314159) = 1\ 0\ 1\ 0\ \bar{1}\ 0\ 1\ 0\ \bar{1}\ 0\ \bar{1}\ 0\ 1\ 0\ \bar{1}\ 0\ 0\ 0\ \bar{1}$
n doublings, n/3 additions on average
$\mathrm{NAF}_w$, Window Methods: $|k_i| < 2^{w-1}$ (process w bits at a time)
$\mathrm{NAF}_3(314159) = 1\ 0\ 0\ 0\ 3\ 0\ 0\ 1\ 0\ 0\ 3\ 0\ 0\ 0\ 3\ 0\ 0\ 0\ \bar{1}$
n doublings, n/(w + 1) additions on average

Double-Base Scalar Multiplication
The double-base chain approach:
$$k = \sum_{i=0}^{m-1} k_i 2^{a_i} 3^{b_i}, \quad \text{where } k_i \in \{-1, 1\} \text{ and } (a_i, b_i) \searrow$$
$$314159 = 2^4 3^9 - 2^0 3^6 - 3^3 - 3^2 - 3 - 1$$
$$[314159]P = 3(3(3(3^3(2^4 3^3 P - P) - P) - P) - P) - P$$
Yao/Meloni's approach:
$$k = \sum_{i=0}^{m-1} D_i 2^i, \quad \text{where } D_i = \sum_j d_j 3^j P \text{ with } d_j \in \{-1, 0, 1\}$$
$$314159 = 2^4 3^9 - 2^8 3^1 - 1$$
$$D_0 = -P, \quad D_4 = 3^9 P, \quad D_8 = -3P$$
$$[314159]P = 2^4(2^4 D_8 + D_4) + D_0$$

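Added example, not part of the original slides: the double-base chain for 314159 evaluated Horner-style on a small elliptic curve and compared with double-and-add, with operation counts for both. The curve y² = x³ + 5x − 2 over F_p with p = 2³¹ − 1 and the base point (1, 2) are constructed for illustration and are not a standardized curve; function names are illustrative.

```python
P_MOD, A = 2**31 - 1, 5        # toy curve y^2 = x^3 + 5x - 2 over F_p (constructed)
BASE = (1, 2)                  # on the curve: 2^2 = 1 + 5 - 2

def add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def neg(P):
    return None if P is None else (P[0], -P[1] % P_MOD)

def double_and_add(k, P):
    acc, ops = None, {"dbl": 0, "tpl": 0, "add": 0}
    for i, bit in enumerate(bin(k)[2:]):
        if i:
            acc = add(acc, acc); ops["dbl"] += 1
        if bit == "1":
            acc = add(acc, P); ops["add"] += i > 0
    return acc, ops

def chain_mul(terms, P):
    """terms: [(sign, a, b)] with a and b non-increasing along the chain."""
    acc, ops = None, {"dbl": 0, "tpl": 0, "add": 0}
    for i, (s, a, b) in enumerate(terms):
        acc = add(acc, P if s > 0 else neg(P)); ops["add"] += i > 0
        na, nb = terms[i + 1][1:] if i + 1 < len(terms) else (0, 0)
        for _ in range(b - nb):                    # tripling computed as 2Q + Q
            acc = add(add(acc, acc), acc); ops["tpl"] += 1
        for _ in range(a - na):
            acc = add(acc, acc); ops["dbl"] += 1
    return acc, ops

# 314159 = 2^4 3^9 - 3^6 - 3^3 - 3^2 - 3 - 1, the chain from the slide
CHAIN = [(1, 4, 9), (-1, 0, 6), (-1, 0, 3), (-1, 0, 2), (-1, 0, 1), (-1, 0, 0)]

if __name__ == "__main__":
    print(chain_mul(CHAIN, BASE), double_and_add(314159, BASE))
```
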
Hybrid Binary-Ternary Form (HBTF)
[Figure: from k, branches to k/2 (digit 0), k/3 (digit 0) and (k − 1)/2 (digit 1)]
hbtf = [1 0 0 1 0 0 0 1]
base = [2 2 3 2 3 3 3 2]
$727 = 2^3 3^4 + 2^1 3^3 + 2^0 3^0$

Window Hybrid Binary-Ternary Form (w-HBTF)
[Figure: from k, branches to k/2 (digit 0), k/3 (digit 0) and (k − r)/2 (digit r = k mods w)]
12-hbtf = [5 0 0 1 0 0 $\bar{5}$]
base = [2 3 2 2 3 2 2]
$727 = 5 \times 2^4 3^2 + 2^2 3^1 - 5$
18-hbtf = [5 0 0 0 0 0 7]
base = [2 3 3 2 2 2 2]
$727 = 5 \times 2^4 3^2 + 7$

Analysis of w-HBTF
Markov analysis provides values which can be used to evaluate the average complexity of an algorithm
            w-NAF            6-HBTF   12-HBTF   18-HBTF   24-HBTF   36-HBTF
avg base    2                2.38     2.29      2.51      2.23      2.40
avg #2      n + 1            0.46n    0.56n     0.63n     0.34n     0.43n
avg #3      0                0.34n    0.28n     0.42n     0.24n     0.36n
avg #dig    n/(w + 1)        0.23n    0.19n     0.17n     0.16n     0.14n
Pre         $2^{w-2} - 1$    0        1         2         3         5
Practical cost depends on the relative cost between a cube (tripling) and the combined square-multiply (double-add)

Comments on Double-Base Chains
The w-HBTF generates double-base chains from right to left
The greedy approach can be adapted to compute left-to-right double-base chains
None of these algorithms gives a chain of minimal length

Chain Partitions
A (strictly) chain partition is a partition of the form
$$n = a_1 + a_2 + \cdots + a_k$$
into (distinct) positive integers such that $a_k \mid a_{k-1} \mid \dots \mid a_2 \mid a_1$.
873 = 512 + 256 + 64 + 32 + 8 + 1
= 720 + 120 + 24 + 6 + 2 + 1
= 696 + 174 + 3
[Erdős-Loxton 1979]
# partitions of this type: p(n) log_2 n for n 6
# partitions of this type whose smallest part is 1: p_1(n) (1/2) log_2 n for n 27 and n − 1 not a prime
P(x) = $\sum_{1 \le n \le x} p(n)$ c x , where c is an unknown constant and is the unique root of $\zeta(s) = 2$, where $\zeta$ is the Riemann zeta function.

Strictly Chained (p, q)-ary Partitions
Strictly chained (p, q)-ary partitions are chain partitions with distinct parts of the form $p^a q^b$, where $p, q \ge 2$ and (p, q) = 1.
Notations:
(U): The set of all strictly chained (p, q)-ary partitions of U
(U): The subset of partitions (U) with no part 1
W(U) = #(U)
W (U) = # (U)
Special cases of interest:
min(p, q) = 2
(p, q) = (2, 3)

Graphic Representation and Encoding
Example with (p, q) = (2, 3).
(19) = {(16, 2, 1), (12, 4, 2, 1), (12, 6, 1), (18, 1)}
[Figure: four panels with axes $2^a$ and $3^b$, labelled 11003, 1133, 3013, 3203]
The couples of exponents (a, b) form a chain in $\mathbb{N}^2$. They can be encoded with words on {0, 1, 2, 3}. (Conventions: words end with 3, we go North before going East) If min(p, q) = 2, the binary amount of a partition is equal to the sum of all its binary parts ( parts) or 0 if none.

Complete Generation
Lemma: (+ denotes union of disjoint sets)
(U) = (U) + 1 (U − 1), (U) = p (U/p) q (U/q)
Formula for (p, q) = (2, 3)
(3U) = 3 (U) + 1 (3U − 1)
(6U − 1) = 12 (3U − 1)
(6U + 1) = 13 (2U) + 11 (6U − 1)
(6U + 2) = 2 (3U + 1)
(6U + 4) = 13 (2U + 1) + 2 (3U + 2)

Examples
(217) = {3000133, 30001003, 322033, 3220003, 3200013, 10011013, 1001333, 10013003}
(95) = {1111103}
(6143) = {1111111111103}
$W(3 \times 2^a - 1) = 1$
(575) = {1111110003, 111111033}
(959) = {1111110113, 1111110303}
$W(9 \times 2^a - 1) = W(15 \times 2^a - 1) = 2$

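Added example, not part of the original slides: an enumerator for the strictly chained (2, 3)-ary partitions of U, split as in the lemma into those containing the part 1 and those without it, which reproduces the four partitions of 19 and the counts W(U) quoted above. Partitions are returned as lists of parts rather than as words on {0, 1, 2, 3}; the function names are illustrative.

```python
def divisors_23(u):
    """{2,3}-integers s > 1 that divide u (u >= 1)."""
    out, p3 = [], 1
    while u % p3 == 0:
        z = p3
        while u % z == 0:
            if z > 1:
                out.append(z)
            z *= 2
        p3 *= 3
    return out

def with_part_one(u):
    """Partitions of u whose smallest part is 1."""
    if u == 1:
        return [[1]]
    # remove the part 1: what is left is a partition of u - 1 with no part 1
    return [p + [1] for p in without_part_one(u - 1)]

def without_part_one(u):
    """Partitions of u with no part 1: the smallest part s > 1 divides every
    part, so dividing by s gives a partition of u / s that contains 1."""
    return [[s * x for x in p]
            for s in divisors_23(u)
            for p in with_part_one(u // s)]

def chained(u):
    """All strictly chained (2,3)-ary partitions of u, largest part first."""
    return with_part_one(u) + without_part_one(u)

def W(u):
    return len(chained(u))

def is_strict_chain(parts):
    """Distinct parts, each dividing the previous one."""
    return all(x > y and x % y == 0 for x, y in zip(parts, parts[1:]))

if __name__ == "__main__":
    print(sorted(chained(19)), W(217), W(95))
```
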
Transitions
1 + 2 = 3 4 = 3 + 1 (and generalizations)
The transition graph is symmetric and connected
Example: G(27) for (p, q) = (2, 3)
1333 2133 2213 2223
11013 13003 21003
The sequence W
For any pair (p, q), the sequence W behaves rather irregularly
[Figure: plot of the sequence W for U from 0 to 5000 (vertical axis 0 to 90), with the curves $x^{0.435}$ and $2.011 \cdot x^{0.435}$]

Shortest Partitions
Our formula can be adapted to compute the length (U) of a shortest unsigned double-base chain for U
Size of U    greedy                shortest
(in bits)    unsigned    signed    unsigned    signed
64           26.09       18.55     17.22
128          54.52       34.88     33.27
160          72.21       44.96     40.85
256          119.26      75.78     64.35
Average values for 10,000 random integers
Numerical experiments suggest (U) log_2(U)/4

Double-Base Representations of Minimal Length
Smallest n > 0 requiring m parts
m    unsigned         signed
2    5                5
3    23               103
4    431              4,985
5    18,431           641,687
6    3,448,733        326,552,783
7    1,441,896,119
8
How far is the greedy from optimal in the signed case?

Negative Exponents
Every nonnegative real number can be approximated in the form $2^a 3^b$ with any precision > 0, $a, b \in \mathbb{Z}$
Conjecture 1: For every sufficiently large n, there exists (a, b) such that
1. $|b| < n$
2. $|2^a 3^b - n| < \frac{1}{2}$
Conjecture 2: For every sufficiently large n, there exist two pairs of integers (a, b) and (c, d) such that
1. |b| , |d| < n
2. | 2^a 3^b 2^c 3^d n | < 1/2

Thank you!
http://www.lirmm.fr/

imbert