Extended Euclidean algorithm explained

In arithmetic and computer programming, the extended Euclidean algorithm is an extension to the Euclidean algorithm, and computes, in addition to the greatest common divisor (gcd) of integers a and b, also the coefficients of Bézout's identity, which are integers x and y such that

ax+by=\gcd(a,b).

This is a certifying algorithm, because the gcd is the only number that can simultaneously satisfy this equation and divide the inputs.It allows one to compute also, with almost no extra cost, the quotients of a and b by their greatest common divisor.

also refers to a very similar algorithm for computing the polynomial greatest common divisor and the coefficients of Bézout's identity of two univariate polynomials.

The extended Euclidean algorithm is particularly useful when a and b are coprime. With that provision, x is the modular multiplicative inverse of a modulo b, and y is the modular multiplicative inverse of b modulo a. Similarly, the polynomial extended Euclidean algorithm allows one to compute the multiplicative inverse in algebraic field extensions and, in particular in finite fields of non prime order. It follows that both extended Euclidean algorithms are widely used in cryptography. In particular, the computation of the modular multiplicative inverse is an essential step in the derivation of key-pairs in the RSA public-key encryption method.

Description

The standard Euclidean algorithm proceeds by a succession of Euclidean divisions whose quotients are not used. Only the remainders are kept. For the extended algorithm, the successive quotients are used. More precisely, the standard Euclidean algorithm with a and b as input, consists of computing a sequence

q1,\ldots,qk

of quotients and a sequence

r0,\ldots,rk+1

of remainders such that

\begin{align} r0&=a\\ r1&=b\\ &\vdots\\ ri+1&=ri-1-qiriand0\leri+1<|ri|(thisdefinesqi)\\ &\vdots \end{align}

It is the main property of Euclidean division that the inequalities on the right define uniquely

qi

and

ri+1

from

ri-1

and

ri.

The computation stops when one reaches a remainder

rk+1

which is zero; the greatest common divisor is then the last non zero remainder

rk.

The extended Euclidean algorithm proceeds similarly, but adds two other sequences, as follows

\begin{align} r0&=a&r1&=b\\ s0&=1&s1&=0\\ t0&=0&t1&=1\\ &\vdots&&\vdots\\ ri+1&=ri-1-qiri&and0&\leri+1<|ri|&(thisdefinesqi)\\ si+1&=si-1-qisi\\ ti+1&=ti-1-qiti\\ &\vdots \end{align}

The computation also stops when

rk+1=0

and gives

rk

is the greatest common divisor of the input

a=r0

and

b=r1.

sk

and

tk,

that is

\gcd(a,b)=rk=ask+btk

sk+1=\pm

b
\gcd(a,b)
and

tk+1=\pm

a
\gcd(a,b)

Moreover, if a and b are both positive and

\gcd(a,b) ≠ min(a,b)

, then

|si|\leq\left\lfloor

b
2\gcd(a,b)

\right\rfloorand|ti|\leq\left\lfloor

a
2\gcd(a,b)

\right\rfloor

for

0\leqi\leqk,

where

\lfloorx\rfloor

denotes the integral part of, that is the greatest integer not greater than .

This implies that the pair of Bézout's coefficients provided by the extended Euclidean algorithm is the minimal pair of Bézout coefficients, as being the unique pair satisfying both above inequalities.

Also it means that the algorithm can be done without integer overflow by a computer program using integers of a fixed size that is larger than that of a and b.

Example

The following table shows how the extended Euclidean algorithm proceeds with input and . The greatest common divisor is the last non zero entry, in the column "remainder". The computation stops at row 6, because the remainder in it is . Bézout coefficients appear in the last two entries of the second-to-last row. In fact, it is easy to verify that . Finally the last two entries and of the last row are, up to the sign, the quotients of the input and by the greatest common divisor .

index iti
0 0
1 1
2 ÷ = − × = − × = 0 − × 1 = −5
3 ÷ = − × = − × = 1 − × −5 = 21
4 ÷ = − × = − × = −5 − × 21 = −26
5 ÷ = − × = − × = 21 − × −26 =
6 ÷ = − × = − × = −26 − × 47 =

Proof

As

0\leri+1<|ri|,

the sequence of the

ri

is a decreasing sequence of nonnegative integers (from i = 2 on). Thus it must stop with some

rk+1=0.

This proves that the algorithm stops eventually.

As

ri+1=ri-1-riqi,

the greatest common divisor is the same for

(ri-1,ri)

and

(ri,ri+1).

This shows that the greatest common divisor of the input

a=r0,b=r1

is the same as that of

rk,rk+1=0.

This proves that

rk

is the greatest common divisor of a and b. (Until this point, the proof is the same as that of the classical Euclidean algorithm.)

As

a=r0

and

b=r1,

we have

asi+bti=ri

for i = 0 and 1. The relation follows by induction for all

i>1

:r_ = r_ - r_i q_i = (as_+bt_) - (as_i+bt_i)q_i = (as_-as_iq_i) + (bt_-bt_iq_i) = as_+bt_.

Thus

sk

and

tk

are Bézout coefficients.

Consider the matrixA_i=\begin s_ & s_i\\ t_ & t_i \end.

The recurrence relation may be rewritten in matrix formA_ = A_i \cdot \begin 0 & 1\\ 1 & -q_i \end.

The matrix

A1

is the identity matrix and its determinant is one. The determinant of the rightmost matrix in the preceding formula is −1. It follows that the determinant of

Ai

is

(-1)i-1.

In particular, for

i=k+1,

we have

sktk+1-tksk+1=(-1)k.

Viewing this as a Bézout's identity, this shows that

sk+1

and

tk+1

are coprime. The relation

ask+1+btk+1=0

that has been proved above and Euclid's lemma show that

sk+1

divides, that is that

b=dsk+1

for some integer . Dividing by

sk+1

the relation

ask+1+btk+1=0

gives

a=-dtk+1.

So,

sk+1

and

-tk+1

are coprime integers that are the quotients of and by a common factor, which is thus their greatest common divisor or its opposite.

To prove the last assertion, assume that a and b are both positive and

\gcd(a,b) ≠ min(a,b)

. Then,

ab

, and if

a<b

, it can be seen that the s and t sequences for (a,b) under the EEA are, up to initial 0s and 1s, the t and s sequences for (b,a). The definitions then show that the (a,b) case reduces to the (b,a) case. So assume that

a>b

without loss of generality.

It can be seen that

s2

is 1 and

s3

(which exists by

\gcd(a,b) ≠ min(a,b)

) is a negative integer. Thereafter, the

si

alternate in sign and strictly increase in magnitude, which follows inductively from the definitions and the fact that

qi\geq1

for

1\leqi\leqk

, the case

i=1

holds because

a>b

. The same is true for the

ti

after the first few terms, for the same reason. Furthermore, it is easy to see that

qk\geq2

(when a and b are both positive and

\gcd(a,b) ≠ min(a,b)

). Thus, noticing that

|sk+1|=|sk-1|+qk|sk|

, we obtain|s_|=\left |\frac \right | \geq 2|s_k| \qquad \text \qquad |t_|= \left |\frac \right | \geq 2|t_k|.

This, accompanied by the fact that

sk,tk

are larger than or equal to in absolute value than any previous

si

or

ti

respectively completed the proof.

Polynomial extended Euclidean algorithm

For univariate polynomials with coefficients in a field, everything works similarly, Euclidean division, Bézout's identity and extended Euclidean algorithm. The first difference is that, in the Euclidean division and the algorithm, the inequality

0\leri+1<|ri|

has to be replaced by an inequality on the degrees

\degri+1<\degri.

Otherwise, everything which precedes in this article remains the same, simply by replacing integers by polynomials.

A second difference lies in the bound on the size of the Bézout coefficients provided by the extended Euclidean algorithm, which is more accurate in the polynomial case, leading to the following theorem.

If a and b are two nonzero polynomials, then the extended Euclidean algorithm produces the unique pair of polynomials (s, t) such that

as+bt=\gcd(a,b)

and

\degs<\degb-\deg(\gcd(a,b)),\degt<\dega-\deg(\gcd(a,b)).

A third difference is that, in the polynomial case, the greatest common divisor is defined only up to the multiplication by a non zero constant. There are several ways to define unambiguously a greatest common divisor.

In mathematics, it is common to require that the greatest common divisor be a monic polynomial. To get this, it suffices to divide every element of the output by the leading coefficient of

rk.

This allows that, if a and b are coprime, one gets 1 in the right-hand side of Bézout's inequality. Otherwise, one may get any non-zero constant. In computer algebra, the polynomials commonly have integer coefficients, and this way of normalizing the greatest common divisor introduces too many fractions to be convenient.

The second way to normalize the greatest common divisor in the case of polynomials with integer coefficients is to divide every output by the content of

rk,

to get a primitive greatest common divisor. If the input polynomials are coprime, this normalisation also provides a greatest common divisor equal to 1. The drawback of this approach is that a lot of fractions should be computed and simplified during the computation.

A third approach consists in extending the algorithm of subresultant pseudo-remainder sequences in a way that is similar to the extension of the Euclidean algorithm to the extended Euclidean algorithm. This allows that, when starting with polynomials with integer coefficients, all polynomials that are computed have integer coefficients. Moreover, every computed remainder

ri

is a subresultant polynomial. In particular, if the input polynomials are coprime, then the Bézout's identity becomes

as+bt=\operatorname{Res}(a,b),

where

\operatorname{Res}(a,b)

denotes the resultant of a and b. In this form of Bézout's identity, there is no denominator in the formula. If one divides everything by the resultant one gets the classical Bézout's identity, with an explicit common denominator for the rational numbers that appear in it.

Pseudocode

To implement the algorithm that is described above, one should first remark that only the two last values of the indexed variables are needed at each step. Thus, for saving memory, each indexed variable must be replaced by just two variables.

For simplicity, the following algorithm (and the other algorithms in this article) uses parallel assignments. In a programming language which does not have this feature, the parallel assignments need to be simulated with an auxiliary variable. For example, the first one, (old_r, r) := (r, old_r - quotient * r)is equivalent to prov := r; r := old_r - quotient × prov; old_r := prov;and similarly for the other parallel assignments.This leads to the following code:

function extended_gcd(a, b) (old_r, r) := (a, b) (old_s, s) := (1, 0) (old_t, t) := (0, 1) while r ≠ 0 do quotient := old_r div r (old_r, r) := (r, old_r − quotient × r) (old_s, s) := (s, old_s − quotient × s) (old_t, t) := (t, old_t − quotient × t) output "Bézout coefficients:", (old_s, old_t) output "greatest common divisor:", old_r output "quotients by the gcd:", (t, s)

The quotients of a and b by their greatest common divisor, which is output, may have an incorrect sign. This is easy to correct at the end of the computation but has not been done here for simplifying the code. Similarly, if either a or b is zero and the other is negative, the greatest common divisor that is output is negative, and all the signs of the output must be changed.

Finally, notice that in Bézout's identity,

ax+by=\gcd(a,b)

, one can solve for

y

given

a,b,x,\gcd(a,b)

. Thus, an optimization to the above algorithm is to compute only the

sk

sequence (which yields the Bézout coefficient

x

), and then compute

y

at the end:

function extended_gcd(a, b) s := 0; old_s := 1 r := b; old_r := a while r ≠ 0 do quotient := old_r div r (old_r, r) := (r, old_r − quotient × r) (old_s, s) := (s, old_s − quotient × s) if b ≠ 0 then bezout_t := (old_r − old_s × a) div b else bezout_t := 0 output "Bézout coefficients:", (old_s, bezout_t) output "greatest common divisor:", old_r

However, in many cases this is not really an optimization: whereas the former algorithm is not susceptible to overflow when used with machine integers (that is, integers with a fixed upper bound of digits), the multiplication of old_s * a in computation of bezout_t can overflow, limiting this optimization to inputs which can be represented in less than half the maximal size. When using integers of unbounded size, the time needed for multiplication and division grows quadratically with the size of the integers. This implies that the "optimisation" replaces a sequence of multiplications/divisions of small integers by a single multiplication/division, which requires more computing time than the operations that it replaces, taken together.

Simplification of fractions

A fraction is in canonical simplified form if and are coprime and is positive. This canonical simplified form can be obtained by replacing the three output lines of the preceding pseudo code by if then output "Division by zero" if then ; (for avoiding negative denominators) if then output (for avoiding denominators equal to 1) output

The proof of this algorithm relies on the fact that and are two coprime integers such that, and thus

a
b

=-

t
s
. To get the canonical simplified form, it suffices to move the minus sign for having a positive denominator.

If divides evenly, the algorithm executes only one iteration, and we have at the end of the algorithm. It is the only case where the output is an integer.

Computing multiplicative inverses in modular structures

The extended Euclidean algorithm is the essential tool for computing multiplicative inverses in modular structures, typically the modular integers and the algebraic field extensions. A notable instance of the latter case are the finite fields of non-prime order.

Modular integers

See main article: Modular arithmetic. If is a positive integer, the ring may be identified with the set of the remainders of Euclidean division by, the addition and the multiplication consisting in taking the remainder by of the result of the addition and the multiplication of integers. An element of has a multiplicative inverse (that is, it is a unit) if it is coprime to . In particular, if is prime, has a multiplicative inverse if it is not zero (modulo). Thus is a field if and only if is prime.

Bézout's identity asserts that and are coprime if and only if there exist integers and such that

ns+at=1

Reducing this identity modulo gives

at\equiv1\modn.

Thus, or, more exactly, the remainder of the division of by, is the multiplicative inverse of modulo .

To adapt the extended Euclidean algorithm to this problem, one should remark that the Bézout coefficient of is not needed, and thus does not need to be computed. Also, for getting a result which is positive and lower than n, one may use the fact that the integer provided by the algorithm satisfies . That is, if, one must add to it at the end. This results in the pseudocode, in which the input n is an integer larger than 1. function inverse(a, n) t := 0; newt := 1 r := n; newr := a while newr ≠ 0 do quotient := r div newr (t, newt) := (newt, t − quotient × newt) (r, newr) := (newr, r − quotient × newr) if r > 1 then return "a is not invertible" if t < 0 then t := t + n return t

Simple algebraic field extensions

The extended Euclidean algorithm is also the main tool for computing multiplicative inverses in simple algebraic field extensions. An important case, widely used in cryptography and coding theory, is that of finite fields of non-prime order. In fact, if is a prime number, and, the field of order is a simple algebraic extension of the prime field of elements, generated by a root of an irreducible polynomial of degree .

K[X]/\langlep\rangle,

, and its elements are in bijective correspondence with the polynomials of degree less than . The addition in is the addition of polynomials. The multiplication in is the remainder of the Euclidean division by of the product of polynomials. Thus, to complete the arithmetic in, it remains only to define how to compute multiplicative inverses. This is done by the extended Euclidean algorithm.

The algorithm is very similar to that provided above for computing the modular multiplicative inverse. There are two main differences: firstly the last but one line is not needed, because the Bézout coefficient that is provided always has a degree less than . Secondly, the greatest common divisor which is provided, when the input polynomials are coprime, may be any non zero elements of ; this Bézout coefficient (a polynomial generally of positive degree) has thus to be multiplied by the inverse of this element of . In the pseudocode which follows, is a polynomial of degree greater than one, and is a polynomial.

function inverse(a, p) t := 0; newt := 1 r := p; newr := a while newr ≠ 0 do quotient := r div newr (r, newr) := (newr, r − quotient × newr) (t, newt) := (newt, t − quotient × newt) if degree(r) > 0 then return "Either p is not irreducible or a is a multiple of p" return (1/r) × t

Example

For example, if the polynomial used to define the finite field GF(28) is, and is the element whose inverse is desired, then performing the algorithm results in the computation described in the following table. Let us recall that in fields of order 2n, one has -z = z and z + z = 0 for every element z in the field). Since 1 is the only nonzero element of GF(2), the adjustment in the last line of the pseudocode is not needed.

stepquotient r, newrs, newst, newt
10
01
11
2
3
4

Thus, the inverse is, as can be confirmed by multiplying the two elements together, and taking the remainder by of the result.

The case of more than two numbers

One can handle the case of more than two numbers iteratively. First we show that

\gcd(a,b,c)=\gcd(\gcd(a,b),c)

. To prove this let

d=\gcd(a,b,c)

. By definition of gcd

d

is a divisor of

a

and

b

. Thus

\gcd(a,b)=kd

for some

k

. Similarly

d

is a divisor of

c

so

c=jd

for some

j

. Let

u=\gcd(k,j)

. By our construction of

u

,

ud|a,b,c

but since

d

is the greatest divisor

u

is a unit. And since

ud=\gcd(\gcd(a,b),c)

the result is proven.

So if

na+mb=\gcd(a,b)

then there are

x

and

y

such that

x\gcd(a,b)+yc=\gcd(a,b,c)

so the final equation will be

x(na+mb)+yc=(xn)a+(xm)b+yc=\gcd(a,b,c).

So then to apply to n numbers we use induction

\gcd(a1,a2,...,an)=\gcd(a1,\gcd(a2,\gcd(a3,...,\gcd(an-1,an))),...),

with the equations following directly.

See also

References

External links

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Extended Euclidean algorithm".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2024, A B Cryer, All Rights Reserved. Cookie policy.