A Combinatorial Interpretation of Double Base Number System and Some Consequences
A Combinatorial Interpretation of Double Base Number System and Some Consequences
org
Volume 2, No. 2, 2008, 159–173
Vassil Dimitrov
Center for Information Security and Cryptography
University of Calgary
2500 University Drive NW
Calgary, AB T2N 1N4, Canada
1. Introduction
For last couple of years, there have been many papers emphasizing the use of
double base number system (DBNS) in cryptography ([2, 1, 6, 8, 9, 10, 14, 16, 17]).
In [5] and [13], authors have discussed elliptic curve scalar multiplication using a
representation of the scalar in more than one base. Double base number system,
first time proposed in [12], is a non-traditional way of representing numbers. Unlike
traditional systems, which use only one radix to represent numbers, DBNS uses 2
radices to represent a number. For example, if 2 and 3 are used as the radices,
an integer n is expressed as sum of terms like ±2bi 3ti , where bi , ti are integers.
159
2008
c AIMS-SDU
160 P. K. Mishra and V. Dimitrov
Recently, in [16] an elliptic curve scalar multiplication scheme has been presented
which uses 3 bases to represent the scalar. The proposed algorithm performs even
better than its 2 base counterparts. This indicates that the DBNS can be easily
generalized to more than 2 bases, which will greatly enhance their applicability
to real life situations. The current article is devoted to analyse and explore some
interesting propeties of double (and multi) base number system using combinatorial
and graph theoretic arguments.
Graphs are very interesting combinatorial objects widely used in discrete math-
ematics and computer science. In the current article we will represent a number in
DBNS by means of a bipartite graph or a diagraph. We will prove some interest-
ing results about DBNS representations using simple combinatorial arguments on
these objects. Usual arithmetic operations like addition, multiplication can now be
described by graph theoretic operations. This representation may be of interest to
people working in various areas of computer science.
Two most interesting properties of DBNS are: (i) sparsity and (ii) redundancies.
Sparsity means that a number can be represented as a sum of very few terms of the
form ±2bi 3ti . This is important in cryptographic applications like exponentiation or
scalar multiplication. In fact, it is the number of point addition operation needed to
compute the scalar multiplication. In [1], it has been proved that in certain DBNS
representations, the number of addition could be sublinear in the size of the scalar.
Redundancy means that such representation is not unique. Redundancy implies
that one can choose a particular representation a given number depending upon
the application in which it is used. Also, these properties raise some interesting
questions about the DBNS representations. Given a number n, what is the shortest
DBNS representation for n requiring the minimum number of summands? Such
representations are called cannonical representations. A number can have several
cannonical representations. Computing a cannonical representation is again a very
difficult computational problem. Also, given an integer n, exactly how many DBNS
representationcan help in finding solutions to these problems.
In the current article, we tackle the problem of redundancy. Let P (n) represent
the number of DBNS representation of the integer n. Then the sequence P (n)
satisifies an interesting recurrence relation. In the current article, we will provide a
graph theoretic proof of the recurrence relation. The relation can be proved using
other mathematical tools. In [9], authors have provided one proof using generating
functions. However, the proof can not be extended to more than 2 bases. The
beauty of the proof given in this article is that it can be generalized to any number
of radices. In the current article we have also provided a general version of the
recurrence relation and proved it using a special type of graphs and combinatorial
arguments.
The double base number system is a representation scheme in which every posi-
tive integer k is represented as the sum or difference of {2, 3}-integers (i.e., numbers
of the form 2b 3t ) as
Xm
(1) k= si 2bi 3ti , with si ∈ {−1, 1}, and bi , ti ≥ 0.
i=1
The term 2-integer is also used for terms of the form 2b 3t . This number representa-
tion scheme is highly redundant. If one considers the DBNS with only positive signs
(si = 1), then it is seen that, 10 has exactly five different DBNS representations,
100 has exactly 402 different DBNS representations and 1000 has exactly 1 295 579
different DBNS representations. Probably, the most important theoretical result
about the double base number system is the following theorem from [11].
Theorem
1. Every positive integer k can be represented as the sum of at most
log k
O {2, 3}-integers.
log log k
The proof is based on Baker’s theory of linear forms of logarithms and more
specifically on a result by R. Tijdeman [20]. Another simpler proof can be found
in [1].
Some of these representations are of special interest, most notably the ones that
require the minimal number of {2, 3}-integers; i.e., an integer can be represented
as the sum of m terms ({2, 3}-integers), but cannot be represented as the sum of
m− 1 or less. These representations are called canonical representations. Even such
representations are not unique for numbers greater than 8. For example, 10 has two
canonical representations, 2+8, 1+9. In Table 1, we present some numerical figures
to demonstrate sparseness of DBNS.
Finding one of the canonical DBNS representations, especially for very large
integers, seems to be a very difficult task. One can apply a greedy algorithm to find
a fairly sparse representation very quickly: given k > 0, find the largest number of
the form z = 2b 3t less than or equal to k, and apply the same procedure with k − z
until reaching zero. The greedy algorithm returns near canonical solutions, but not
the real canonical ones. A small example is 41. Greedy returns 36 + 4 + 1, a 3-term
representation, where as the canonical solution is 32+9. However, greedy algorithm
is easy to implement and it guarantees a representation satisfying the asymptotic
bound given by Theorem 1 (see [11]).
S
of vertices. A DBNS-graph is a bipartite graph whose vertex set is V1 V2 and the
set of edges is a subset of {(2a , 3b ) : a ≥ 0, b ≥ 0}. In practice, we will take V1 and
V2 to be finite sets.
Let n be a natural number and let n = 2a1 3b1 + · · · + 2ak 3bk be a DBNS rep-
resentation of n. We can represent n by a DBNS-graph Dn defined as follows:
Let a = max1≤i≤k {ai } and let b = max1≤i≤k {bi }. Then the vertex set of Dn is
V = {1, 2, · · · 2a } {1, 3, · · · , 3b } and the edge set is E = {(2a1 , 3b1 ), · · · , (2ak , 3bk )}.
S
Due to redundancy of the DBNS, for every natural number n, there are several
DBNS graphs representing n. We can represent 0 by the null bipartite graph.
Thus, the null graph is also a DBNS-graph.
1 0 0 1 1 0 0 1
1 0 0 1 1 0 0 1
2 3 2 3
2 2
2 0 0 2 0 0
2 3 2 3
3 3 3 3
0 0 3 0 0 3
2 2
3.1. Some special DBNS-graphs. It is simple to see that the binary and ternary
representation are special cases of DBNS. In fact, if we restrict the vertex set to V2
to be {30 = 1} only, then we get the binary number system. The DBNS-digraphs
with this restriction will represent the signed binary system with both positive and
negative coefficients. The NAF representation [19] is a further restriction, in which
no two consecutive vertices in V1 (like 2a and 2a+1 ) are of positive degree.
If we impose the restriction V1 = {1, 2} on the DBNS-graphs (resp. digraph),
the representations obtained are the (resp signed) ternary representations.
In [8], the authors use a special type of DBNS representation, in which the
binary and ternary indices form two monotonic sequences. Such representations
have DBNS-graphs with non-intersecting edges.
It is an interesting question to see which numbers are represented S by complete
DBNS-graphs. A DBNS-graph with vertex set V1 = {1, 2, · · · , 2m } {1, 3, · · · , 3n }
is complete if it contains all the edges (2i , 3j ), 0 ≤ i ≤ m, 0 ≤ j ≤ n. It is simple to
Advances in Mathematics of Communications Volume 2, No. 2 (2008), 159–173
Combinatorial interpretation of DBNS 163
Similarly we can define the LT-operation, where LT stands for left-twist and
it is the inverse operation of RT. If in Dn , the vertex 30 is an isolated vertex, then
LT (Dn) is the graph obtained by replacing each edge (2a , 3b ) of Dn by (2a , 3b−1 ).
LT (Dn) is undefined if the vertex 30 is not an isolated vertex in Dn . It is obvious
that if the graph Dn stands for n, then LT (Dn) stands for n/3.
Also, we define the following notation. If S is a set of DBNS-graphs and X is
one of the above operations, then by X(S), we mean the set of graphs obtained
by applying operation X to each member of the set S, provided such application
is possible, otherwise X(S) is undefined. For example, SU CC(S) = {SU CC(G) :
G ∈ S}.
Due to high redundancy of DBNS, every integer n > 3 can be represented by
several DBNS-graphs. Let Sn represent the set of all DBNS-graphs representing n.
Clearly, S1 is {D1 } = {(20 , 30 )}. Also, S2 = SU CC(S1 ) = {D2 } = {(21 , 30 )}. We
know, 1 and 2 have unique DBNS representations. These representations are given
by the singleton sets S1 and S2 respectively.
What is S3 ? We know 3 has two DBNS representations, namely 1 + 2 and 3.
That is, S3 ) = (20 , 30 ), (21 , 30 ), (20 , 31 ). So SU CC(S2 ) is a proper subset of S3 .
This implies that, Sn+1 6= S SU CC(Sn ). How can one obtain Sn+1 from Sn+ ? It is
simple to see that S3 = S2 RT (S1 ). That is the second graph representing 3 can
be obtained by applying RT-operation to the graph representing 1. In fact, we have
the following general theorem.
Proof. We use induction to prove the theorem. Clearly, it is true for n = 1, 2, 3. Let
it be true for all integers less than n. Now let us consider the case of n. Obviously,
the set in the right hand side is a subset of the set in the left hand side. We need
to prove the other inclusion only. Let D ∈ Sn . We wish to show that D is in the
set in the RHS. If D has the edge 1 = (20 , 30 ), then removing this edge from D,
we get a member D′ of Sn−1 . Hence D = SU CC(D′ ) is in the sets in RHS. If D
does not contain the edge 1, let it contain some edge 2j = (2j , 30 ). Let us consider
the graph D′′ ∈ Sn−1 obtained from D by removing the edge 2j and introducing
the edges 1 = (20 , 30 ), 2 = (21 , 30 ), · · · , 2j−1 = (2j−1 , 30 ). Clearly, D′′ ∈ Sn−1 and
SU CC(D′′ ) = D, hence D is in the set in right-hand side also. Suppose, D has no
edge of the form 2j = (2j , 30 ). Then, 30 must be an isolated vertex in D. Then
n must be a multiple of 3. Let us consider the graph D′′′ = LT (D). It is in Sn/3
and D = RT (D′′′ ). Hence, in this case also D belongs to the set in the RHS. This
completes the proof.
Corollary 1. For any positive integer n, let P (n) denote the number of distinct
DBNS representation of n. Then P (1) = 1 and for n > 1, P (n) satisfies the
Advances in Mathematics of Communications Volume 2, No. 2 (2008), 159–173
Combinatorial interpretation of DBNS 165
where k = ⌊n/5⌋ and U0 = T0 = the set containing the null MB-graph only.
As the graphs in Sn−5i ⊕U5i have non-DBNS component 5i, Sn−5i ⊕U5i , 0 ≤ i ≤ k
is a union of pairwise disjoint sets. Taking the cardinality of the sets in (7) we get,
Corollary 3. Let Q(n) be the number of multibase expansion of an integer n using
a bases 2, 3 and 5. Then Q(1) = 1 and
Q(n) = P (n) + P (n − 5)R(5) + · · · + P (n − 5k)R(5k)
(8) = P (n) + P (n − 5)Q(1) + · · · + P (n − 5k)Q(k) (using Equ. (6))
= Σki=0 P (n − 5i)Q(i)
where k = ⌊n/5⌋.
Let us now consider the more general case, i.e. the case of any number of bases.
We choose our bases from the set of primes {2, 3, 5, 7, · · · }. Let Bk be the set of
first k primes. Although, any set of primes or relatively prime integers can be used
as base of a representation, to align with the theory developed so far we use Bk as
(k)
our base set. Let Sn be the set of multi-base graphs representing n using the set
(k)
of bases Bk . Let P (n) be the number of multi-base representation of n using the
base set Bk . The correspondence between this new notation and the older one is:
Sn = Sn(2) ,
Tn = Sn(3) ,
P (l) (n) = P (l−1) (n) + P (l−1) (n − bl )P (l) (1) + · · · + P (l−1) (n − bl k)P (l) (k)
(10)
= Σki=0 P (l−1) (n − 5i)P (l) (i).
For example, if we use 4 bases, namely, the base set B4 = {2, 3, 5, 7}, then the
sequence P (4) (n) of number of multi-base representations of an integer n using B4 ,
satisfies the following recurrence relation:
P (4) (n) = P (3) (n) + P (3) (n − 7)P (4) (1) + · · · + P (3) (n − 7k)P (4) (k)
(11)
= Σki=0 P (3) (n − 7i)P (4) (i)
where k = ⌊n/7⌋.
We have carried out numerous experiments using the above relations. The num-
ber of representations of n grows very fast in the number of base elements. For
example 100 has 402 DBNS representation (base 2 and 3), 8425 representations
using the bases 2, 3 and 5 and has 43777 representations using the bases 2, 3, 5,
and 7. The number of representations for some values of P (l) (n) for l = 2, 3, 4 for
various n have been given in Table 4. This gives some idea about the degree of
redundancy of multi-base representations.
5. Consequences
In this section, we study some properties of the sequence, Ps (n), the number of
double base representations of n using the bases 2 and s. Note that P3 (n), P (2) (n)
and P (n) are the same sequence representing the number of DBNS representation
of n using 2 and 3 as bases. We first establish some properties of P (n)(= P3 (n))
and then generalize them to Ps (n) for any s ≥ 3.
Substituting l = 2 in Equation (10), we get
(12) P (2) (n) = P (1) (n) + P (1) (n − 3)P (2) (1) + · · · + P (1) (n − 3k)P (2) (k)
where k = ⌊n/3⌋. Using the older notation P (n) for P (2) (n) and the fact that
P (1) (n) = 1 for all n, we get
(Necessity) To prove the necessity part, we have to show that if 3 ∤ P (n), then n
is in the form stated in the theorem. Again, we can neglect r.
We will prove that if n is not of the given form, then 3 | P (n). Let ct 3t + · · · +
c1 3 + c0 be the ternary representation of n. Note that, n is of the desired form if
ci = 0 or 1 for 1 ≤ i ≤ t and c0 = 0, 1 or 2. That is the ternary representation
does not contain 2 except possibly for the least significant place. Suppose n is
not in the desired form. So, n has at least one 2 at a place other than the least
significant place in its ternary representation. Also, without loss of generality we
can assume that n has 0 at the least significant place, i. e., n is divisible by 3.
Starting from the most significant place, let k be the first index where ci = 2. That
is n = ct 3t + · · ·+ ck+1 3k+1 + 2.3k + ck−1 3k−1 + · · ·+ c1 3. Let us consider the number
N1 = ct 3t−k+1 + · · · + ck+1 32 + 2 × 3. We have,
(17) n = 3(· · · 3(3(N1 + ck−1 ) + ck−2 ) + · · · + c1 ) + c0 .
Also, let N2 = ct 3t−k + · · · + ck+1 31 + 2, so that N1 = 3N2 . Also, let N3 =
ct 3t−k−1 + · · · + ck+1 , so that N2 = 3N3 + 2.
Now,
P (N1 ) = P (3N2 )
= 1 + P (1) + P (2) + · · · + P (N2 )
= 1 + P (1) + P (2) + · · · + P (3N3 + 2)
(18)
= 1 + P (1) + P (2) + · · · + P (3N3 ) + P (3N3 + 1) + P (3N3 + 2)
= 3 + · · · + 3P (3N3 )
≡0 (mod 3).
Now, applying Lemma 2, we see that
P (3N2 + ck−1 ) ≡ 0 (mod 3).
Continuing likewise and using Equation (17), we conclude that P (n) is a multiple
of 3. This completes the proof of the theorem.
From Theorem 5, we can conclude that there are exactly 3 × 2n−1 numbers be-
tween 0 and 3n − 1 for which P (n) is not divisible by 3.
Generalization to Ps
As defined before, Ps (n) stands for the number of DBNS representation of n
using the bases 2 and s. All the arguments given in the proofs of this section carry
over to this general case. Hence omitting the proofs, we can state the following
results about the sequence Ps (n).
It can be proved that if one uses 2 and s as the bases in the double base number
system and Ps represents the number of representation of an integer n then,
(19) Ps (n) = 1 + Ps (1) + · · · + Ps (⌊n/s⌋).
Lemma 1 and Corollary 4 about Ps (n) can be easily established.
Lemma 3. If s2 | n then Ps (n) ≡ Ps (n/s) (mod s).
Corollary 5. For any l ≥ 0, Ps (sl + r) 6≡ 0 (mod s) for r = 0, 1, · · · , (s − 1).
Lemma 4. If Ps (n) ≡ 0 (mod s), then Ps (sn+r) ≡ 0 (mod s) for r = 0, 1, · · · , (s−
1).
Advances in Mathematics of Communications Volume 2, No. 2 (2008), 159–173
Combinatorial interpretation of DBNS 171
6. Conclusion
In the current article, we have proposed a graph theoretic representation of in-
tegers using double and multi-base number system. The representation can be
a powerful tool to study the structure of these system of representation. These
number representations are highly redundant. We have proposed and proved some
interesting relations satisfied by the number of double/multi- base representation
of an integer n. Most of the proofs are based on simple graph theoretic arguments.
where ψ(x) is a certain periodic function with period 1. Formula (23) allows us
to obtain an extremely accurate estimation of the number of partitions of n as the
sum of integers of the form 2a sb :
nC1 log n nC2 (log n)C1 log log n
(24) Ps (sn) = eO(1) ( )
n2C1 log log n log nC3 log n
where C1 , C2 and C3 are constants depending upon s only. Our numerical simu-
lations the term eO(1) fluctuated between 1 and 2. We have investigated the case
s = 3 and found that formula (24) very well approximates the exact number of
partitions of positive integers as the sum of positive integers of the form 2a 3b . For-
mula (24) also gives a very precise idea about the redundancy of the double-base
representations.
References
[1] R. M. Avanzi, V. Dimitrov, C. Doche and F. Sica, Extending scalar multiplication to double
bases, in “ASIACRYPT 2006” (eds. X. Lai and K. Chen), Springer-Verlag, (2006), 130–144.
[2] R. M. Avanzi and F. Sica, Scalar multiplication on Koblitz curves using double bases, in
“Progressin Cryptology - VIETCRYPT 2006,” Springer-Verlag, (2006), 131–146.
[3] V. Berthé and L. Imbert, On converting numbers to the double-base number system, in “Ad-
vanced Signal Processing Algorithms, Architecture and Implementations XIV” (ed. F.T. Luk),
SPIE, (2004), 70–78.
[4] W. Bosma, Signed bits and fast exponentiation, J. Théor. Nombres Bordeaux, 13 (2001),
27–41.
[5] M. Ciet, M. Joye, K. Lauter and P. L. Montgomery, Trading inversions for multiplications
in elliptic curve cryptography, Des. Codes Cryptogr., 39 (2006), 189–206.
[6] M. Ciet and F. Sica, An analysis of double base number systems and a sublinear scalar
multiplication algorithm, in “Progress in Cryptology - Proceedings of Mycrypt 2005” (eds. E.
Dawson and S. Vaudenay), Springer, (2005), 171–182.
[7] B. M. M. de Weger, “Algorithms for Diophantine Equations,” Centrum voor Wiskunde en
Informatica, Amsterdam, 1989.
[8] V. Dimitrov, L. Imbert and P. K. Mishra, Efficient and secure elliptic curve point multiplica-
tion using double-base chains, in “Advances in Cryptology—ASIACRYPT 2005,” Springer,
(2005), 59–78.
[9] V. Dimitrov, L. Imbert and P. K. Mishra, The double base number system and its application
to elliptic curve cryptography, Math. Comp., 77 (2008), 1075–1104.
[10] V. Dimitrov, K. U. Järvinen, M. J. Jacobson, W. F. Chan and Z. Huang, FPGA implemen-
tation of point multiplication on Koblitz curves using Kleinian integers, in “Cryptographic
Hardware and Embedded Systems - CHES 2006” (eds. L. Goubin and M. Matsui), Springer-
Verlag, (2006), 445–459.
[11] V. S. Dimitrov, G. A. Jullien and W. C. Miller, An algorithm for modular exponentiation,
Inform. Process. Lett., 66 (1998), 155–159.
[12] V. S. Dimitrov, G. A. Jullien and W. C. Miller, Theory and applications of the double-base
number system, IEEE Transactions on Computers, 48 (1999), 1098–1106.
[13] C. Doche, T. Icart and D. Kohel, Efficient scalar multiplication by isogeny decompositions,
in “Proceedings of PKC 2006,” Springer-Verlag, (2006), 191–206.
[14] C. Doche and L. Imbert, Extended double-base number system with applications to ellip-
tic curve cryptography, in “Progress in Cryptology - INDOCRYPT 2006,” Springer-Verlag,
(2006), 335–348.
[15] K. Mahler, On a special functional equation, J. London Math. Soc., 15 (1940), 115–123.
[16] P. K. Mishra and V. Dimitrov, Efficient quintuple formulas and efficient elliptic curve scalar
multiplication using multibase number representation, in “Information Security Conference
2007,” Springer-Verlag, (2007), 390–404.
[17] P. K. Mishra and V. Dimitrov, Window-based elliptic curve scalar multiplication using double
base number representation, to appear in Inscrypt 2007.