We study representations of integers n in binary expansions using the digits 0, ±1. We analyze the average number of such representations of minimal “weight” ( = number of non-zero digits). The asymptotic main term of this average involves a periodically oscillating function, which is analyzed in some detail. The main tool is the construction of a measure on [−1, 1], which encodes the number of representations.

Abstract. The recent development of side channel attacks has lead implementers to use increasingly sophisticated countermeasures in critical operations such as modular exponentiation, or scalar multiplication on elliptic curves. A new class of countermeasures is based on inserting random decisions when choosing one representation of the secret scalar out of a large set of representations of the same value. For instance, this is the case of countermeasures proposed by Oswald and Aigner, or Ha and Moon, both based on randomized Binary Signed Digit (BSD) representations. Their advantage is to offer excellent speed performances. However, the first countermeasure and a simplified version of the second one were already broken using Markov chain analysis. In this paper, we take a different approach to break the full version of Ha-Moon’s countermeasure using a novel technique based on detecting local collisions in the intermediate states of computation. We also show that randomized BSD representations present some fundamental problems and thus recommend not to use them as a protection against side-channel attacks. 1

Applications of signed digit representations of an integer include computer arith-metic, cryptography, and digital signal processing. An integer of length n bits can have several binary signed digit (BSD) representations and their number depends on its value and varies with its length. In this paper, we present an algorithm that calculates the exact number of BSD representations of an integer of a certain length. We formulate the integer that has the maximum number of BSD representations among all integers of the same length. We also present an algorithm to generate a random BSD representation for an integer starting from the most significant end and its modified version which gener-ates all possible BSD representations. We show how the number of BSD representations of k increases as we prepend 0s to its binary representation. 1

Elliptic curve cryptosystems have become increasingly popular due to their efficiency and the small size of the keys they use. Particularly, the anomalous curves introduced by Koblitz allow a complex representation of the keys, denoted τNAF, that make the computations over these curves more efficient. In this report, we propose an efficient method for randomizing a τNAF to produce different equivalent representations of the same key to the same complex base τ. We prove that the average Hamming density of the resulting representations is 0.5. We identify the pattern of the τNAFs yielding the maximum number of representations and the formula governing this number. We also present deterministic methods to compute the average and the exact number of possible representations of a τNAF. 1