Transactions on Alogorithms 1 (2005), 123–142 ANALYSIS OF LINEAR COMBINATION ALGORITHMS IN CRYPTOGRAPHY

Several cryptosystems rely on fast calculations of linear combinations in groups. One way to achieve this is to use joint signed binary digit expansions of small “weight.” We study two algorithms, one based on non adjacent forms of the coefficients of the linear combination, the other based on a certain joint sparse form specifically adapted to this problem. Both methods are sped up using the sliding windows approach combined with precomputed lookup tables. We give explicit and asymptotic results for the number of group operations needed assuming uniform distribution of the coefficients. Expected values, variances and a central limit theorem are proved using generating functions. Furthermore, we provide a new algorithm which calculates the digits of an optimal expansion of pairs of integers from left to right. This avoids storing the whole expansion, which is needed with the previously known right to left methods, and allows an online computation.