Extended Euclidean algorithm

From Wikipedia, the free encyclopedia

The extended Euclidean algorithm is an extension to the Euclidean algorithm for finding the greatest common divisor (GCD) of integers a and b: it also finds the integers x and y in Bézout's identity

Failed to parse (Missing texvc executable; please see math/README to configure.): ax + by = \gcd(a, b). \,

(Typically either x or y is negative).

The extended Euclidean algorithm is particularly useful when a and b are coprime, since x is the modular multiplicative inverse of a modulo b.

1 Informal formulation of the algorithm
2 Formal description of the algorithm
- 2.1 Iterative method
- 2.2 Recursive method
  - 2.2.1 Proof of correctness
3 Computing a multiplicative inverse in a finite field
4 References
5 See also
6 External links

[edit] Informal formulation of the algorithm

Dividend	Divisor	Quotient	Remainder
120	23	5	5
23	5	4	3
5	3	1	2
3	2	1	1
2	1	2	0

It is assumed that the reader is already familiar with Euclid's algorithm.

To illustrate the extension of the Euclid's algorithm, consider the computation of gcd(120, 23), which is shown on the table on the left. Notice that the quotient in each division is recorded as well alongside the remainder.

In this case, the remainder in the last-but-one line (which is 1) indicates that the gcd is 1; that is, 120 and 23 are coprime (also called relatively prime). For the sake of simplicity, the example chosen is a coprime pair; but the more general case of gcd other than 1 also works similarly.

There are two methods to proceed, both using the division algorithm, which will be discussed separately.

[edit] The iterative method

This method computes expressions of the form Failed to parse (Missing texvc executable; please see math/README to configure.): r_i = ax_i+by_i

for the remainder in each step Failed to parse (Missing texvc executable; please see math/README to configure.): i
of the Euclidean algorithm.  Each modulus can written in terms of the previous two remainders and their whole quotient as follows:

Failed to parse (Missing texvc executable; please see math/README to configure.): r_i = r_{i-2} - \left \lfloor \frac{r_{i-2}}{r_{i-1}} \right \rfloor \cdot r_{i-1}

By substitution, this gives:

Failed to parse (Missing texvc executable; please see math/README to configure.): r_i = (ax_{i-2} + by_{i-2}) - \left \lfloor \frac{r_{i-2}}{r_{i-1}} \right \rfloor \cdot (ax_{i-1} + by_{i-1})

Failed to parse (Missing texvc executable; please see math/README to configure.): r_i = a(x_{i-2} - \left \lfloor \frac{r_{i-2}}{r_{i-1}} \right \rfloor \cdot x_{i-1}) + b(y_{i-2} - \left \lfloor \frac{r_{i-2}}{r_{i-1}} \right \rfloor \cdot y_{i-1})

The first two values are the initial arguments to the algorithm:

Failed to parse (Missing texvc executable; please see math/README to configure.): r_1 = a = a(1) + b(0)

Failed to parse (Missing texvc executable; please see math/README to configure.): r_2 = b = a(0) + b(1)

The expression for the last non-zero remainder gives the desired results since this method computes every remainder in terms of a and b, as desired.

Example: Compute the GCD of 120 and 23.

The computation proceeds as follows:

Step	Quotient	Remainder	Substitute	Combine terms
1		120		120 = 120 * 1 + 23 * 0
2		23		23 = 120 * 0 + 23 * 1
3	5	5 = 120 - 23 * 5	5 = (120 * 1 + 23 * 0) - (120 * 0 + 23 * 1) * 5	5 = 120 * 1 + 23 * -5
4	4	3 = 23 - 5 * 4	3 = (120 * 0 + 23 * 1) - (120 * 1 + 23 * -5) * 4	3 = 120 * -4 + 23 * 21
5	1	2 = 5 - 3 * 1	2 = (120 * 1 + 23 * -5) - (120 * -4 + 23 * 21) * 1	2 = 120 * 5 + 23 * -26
6	1	1 = 3 - 2 * 1	1 = (120 * -4 + 23 * 21) - (120 * 5 + 23 * -26) * 1	1 = 120 * -9 + 23 * 47
7	2	0	End of algorithm

The last line reads 1 = −9×120 + 47×23, which is the required solution: x = −9 and y = 47.

This also means that −9 is the multiplicative inverse of 120 modulo 23, and that 47 is the multiplicative inverse of 23 modulo 120.

−9 × 120 ≡ 1 mod 23 and also 47 × 23 ≡ 1 mod 120.

[edit] The recursive method

This method attempts to solve the original equation directly, by reducing the dividend and divisor gradually, from the first line to the last line, which can then be substituted with trivial value and work backward to obtain the solution.

Consider the original equation:

120	x	+	23	y	=	1
(5×23+5)	x	+	23	y	=	1
23	(5x+y)	+	5	x	=	1
...
1	a	+	0	b	=	1

Notice that the equation remains unchanged after decomposing the original dividend in terms of the divisor plus a remainder, and then regrouping terms. If we have a solution to the equation in the second line, then we can work backward to find x and y as required. Although we don't have the solution yet to the second line, notice how the magnitude of the terms decreased (120 and 23 to 23 and 5). Hence, if we keep applying this, eventually we'll reach the last line, which obviously has (1,0) as a trivial solution. Then we can work backward and gradually find out x and y.

Dividend	=	Quotient	x	Divisor	+	Remainder
120	=	5	x	23	+	5
23	=	4	x	5	+	3
...

For the purpose of explaining this method, the full working will not be shown. Instead some of the repeating steps will be described to demonstrate the principle behind this method.

Start by rewriting each line from the first table with division algorithm, focusing on the dividend this time (because we'll be substituting the dividend).

120	x₀	+	23	y₀	=	1
(5×23+5)	x₀	+	23	y₀	=	1
23	(5x₀+y₀)	+	5	x₀	=	1
23	x₁	+	5	y₁	=	1
(4×5+3)	x₁	+	5	y₁	=	1
5	(4x₁+y₁)	+	3	x₁	=	1
5	x₂	+	3	y₂	=	1

Assume that we were given x₂=2 and y₂=-3 already, which is indeed a valid solution.
x₁=y₂=-3
Solve 4x₁+y₁=x₂ by substituting x₁=-3, which gives y₁=2-4(-3)=14
x₀=y₁=14
Solve 5x₀+y₀=x₁ by substituting x₀=14, so y₀=-3-5(14)=-73

[edit] The table method

The table method is probably the simplest method to carry out with a pencil and paper. It is similar to the recursive method, although it does not directly require algebra to use and only requires working in one direction. The main idea is to think of the equation chain Failed to parse (Missing texvc executable; please see math/README to configure.): \gcd(x, y), \gcd(y, x\mod y), \dots, \gcd(z, 1)

as a sequence of divisors Failed to parse (Missing texvc executable; please see math/README to configure.): x, y, x\mod y, \dots, 1

. In the running example we have the sequence 120, 23, 5, 3, 2, 1. Any element in this chain can be written as a linear combination of the original Failed to parse (Missing texvc executable; please see math/README to configure.): x

and Failed to parse (Missing texvc executable; please see math/README to configure.): y

, most notably, the last element, Failed to parse (Missing texvc executable; please see math/README to configure.): \gcd(x, y) , can be written in this way. The table method involves keeping a table of each divisor, written as a linear combination. The algorithm starts with the table as follows:

a	b	d
1	0	120
0	1	23

The elements in the Failed to parse (Missing texvc executable; please see math/README to configure.): d

column of the table will be the divisors in the sequence. Each  Failed to parse (Missing texvc executable; please see math/README to configure.): d_i
can be represented as the linear combination Failed to parse (Missing texvc executable; please see math/README to configure.): d_i = a_i \cdot x + b_i \cdot y

. The Failed to parse (Missing texvc executable; please see math/README to configure.): a

and Failed to parse (Missing texvc executable; please see math/README to configure.): b
values are obvious for the first two rows of the table, which represent Failed to parse (Missing texvc executable; please see math/README to configure.): x
and Failed to parse (Missing texvc executable; please see math/README to configure.): y
themselves. To compute Failed to parse (Missing texvc executable; please see math/README to configure.): d_i
for any Failed to parse (Missing texvc executable; please see math/README to configure.): i > 2

, notice that Failed to parse (Missing texvc executable; please see math/README to configure.): d_i = d_{i-2} \mod d_{i-1} . Suppose Failed to parse (Missing texvc executable; please see math/README to configure.): d_i = d_{i-2} - k \cdot d_{i-1} . Then it must be that Failed to parse (Missing texvc executable; please see math/README to configure.): a_i = a_{i-2} - k \cdot a_{i-1}

and Failed to parse (Missing texvc executable; please see math/README to configure.): b_i = b_{i-2} - k \cdot b_{i-1}

. This is easy to verify algebraically with a simple substitution.

Actually carrying out the table method though is simpler than the above equations would indicate. To find the third row of the table in the example, just notice that 120 divided by 23 goes 5 times plus a remainder. This gives us k, the multiplying factor for this row. Now, each value in the table is the value two rows above it, minus 5 times the value immediately above it. This correctly leads to Failed to parse (Missing texvc executable; please see math/README to configure.): a_3 = 1 - 5 \cdot 0 = 1 , Failed to parse (Missing texvc executable; please see math/README to configure.): b_3 = 0 - 5 \cdot 1 = -5 , and Failed to parse (Missing texvc executable; please see math/README to configure.): d_3 = 1 \cdot 120 - 5 \cdot 23 = 5 . After repeating this method to find each line of the table (note that the remainder written in the table and the multiplying factor are two different numbers!), the final values for Failed to parse (Missing texvc executable; please see math/README to configure.): a

and Failed to parse (Missing texvc executable; please see math/README to configure.): b
will solve Failed to parse (Missing texvc executable; please see math/README to configure.): ax + by = \gcd(x, y)\,

a	b	d
1	0	120
0	1	23
1	-5	5
-4	21	3
5	-26	2
-9	47	1

This method is simple, requiring only the repeated application of one rule, and leaves the answer in the final row of the table with no backtracking. Note also that if you end up with a negative number as the answer for the factor of, in this case b, you will then need to add the modulus in order to make it work as a modular inverse (instead of just taking the absolute value of b). I.e. if it returns a negative number, don't just flip the sign, but add in the other number to make it work. Otherwise it will give you the modular inverse yielding negative one.

[edit] Formal description of the algorithm

[edit] Iterative method

By routine algebra of expanding and grouping like terms (refer to last section), the following algorithm for iterative method is obtained:

Apply Euclidean algorithm, and let q_n(n starts from 1) be a finite list of quotients in the division.
Initialize x₀, x₁ as 1, 0, and y₀, y₁ as 0,1 respectively.
1. Then for each i so long as q_i is defined,
2. Compute x_i+1= x_i-1- q_ix_i
3. Compute y_i+1= y_i-1- q_iy_i
4. Repeat the above after incrementing i by 1.
The answers are the second-to-last of x_n and y_n.

Pseudocode for this method is shown below:

function extended_gcd(a, b)
    x := 0    lastx := 1
    y := 1    lasty := 0
    while b ≠ 0
        temp := b
        quotient := a div b
        b := a mod b
        a := temp
        
        temp := x
        x := lastx-quotient*x
        lastx := temp
        
        temp := y
        y := lasty-quotient*y
        lasty := temp
    return {lastx, lasty, a}

[edit] Recursive method

Solving the general case of the equation in the last corresponding section, the following algorithm results:

If a is divisible by b, the algorithm ends and return the trivial solution x = 0, y = 1.
Otherwise, repeat the algorithm with b and a modulus b, storing the solution as x' and y'.
Then, the solution to the current equation is x = y', and y = x' minus y' times quotient of a divided by b

Which can be directly translated to this pseudocode:

function extended_gcd(a, b)
    if a mod b = 0
        return {0, 1}
    else
        {x, y} := extended_gcd(b, a mod b)
        return {y, x-y*(a div b)}

[edit] Proof of correctness

Let d be the gcd of a and b. We wish to prove that a*x + b*y = d.

If b evenly divides a (i.e. a mod b = 0),
- then d is b and a*0 + b*1 = d.
- So x and y are 0 and 1.
Otherwise given the recursive call we know that b*x + (a mod b) * y = d,
- then b*x - b*(a div b)*y + (a mod b) * y + b*(a div b)*y= d,
- and b*(x - (a div b)*y) + a*y=d.
- So the new x and y are y and x - (a div b)*y.

See the Euclidean algorithm for the proof that the gcd(a,b) = gcd(b,a mod b) which this proof depends on in the recursive call step.

[edit] Computing a multiplicative inverse in a finite field

The extended Euclidean algorithm can also be used to calculate the multiplicative inverse in a finite field.

[edit] Pseudocode

Given the irreducible polynomial f(x) used to define the finite field, and the element a(x) whose inverse is desired, then a form of the algorithm suitable for determining the inverse is given by the following. NOTE: remainder() and quotient() are functions different from the arrays remainder[ ] and quotient[ ]. remainder() refers to the remainder when two numbers are divided, and quotient() refers to the integer quotient when two numbers are divided. For example, remainder(5/3) = 2 and quotient(5/3) = 1. Equivalent operators in the C language are % and / respectively.

pseudocode:

remainder[1] := f(x)
remainder[2] := a(x)
auxiliary[1] := 0
auxiliary[2] := 1
i := 2
do while remainder[i] > 1
    i := i + 1
    remainder[i] := remainder(remainder[i-2] / remainder[i-1])
    quotient[i] := quotient(remainder[i-2] / remainder[i-1])
    auxiliary[i] := -quotient[i] * auxiliary[i-1] + auxiliary[i-2]
inverse := auxiliary[i]

[edit] Note

The minus sign is not necessary for some finite fields in the step.

auxiliary[i] := -quotient[i] * auxiliary[i-1] + auxiliary[i-2]

This is true since in the finite field GF(2⁸), for instance, addition and subtraction are the same. In other words, 1 is its own additive inverse in GF(2⁸).

[edit] Example

For example, if the polynomial used to define the finite field GF(2⁸) is f(x) = x⁸ + x⁴ + x³ + x + 1, and x⁶ + x⁴ + x + 1 = {53} in big-endian hexadecimal notation, is the element whose inverse is desired, then performing the algorithm results in the following:

i	remainder[i]	quotient[i]	auxiliary[i]
1	x⁸ + x⁴ + x³ + x + 1		0
2	x⁶ + x⁴ + x + 1		1
3	x²	x² + 1	x² + 1
4	x + 1	x⁴ + x²	x⁶ + x⁴ + x⁴ + x² + 1
5	1	x + 1	x⁷ + x⁶ + x³ + x² + x² + x + 1 + 1

Note: Addition in a binary finite field is XOR.

Thus, the inverse is x⁷ + x⁶ + x³ + x = {CA}, as can be confirmed by multiplying the two elements together.

[edit] References

Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. Introduction to Algorithms, Second Edition. MIT Press and McGraw-Hill, 2001. ISBN 0-262-03293-7. Pages 859–861 of section 31.2: Greatest common divisor.

[edit] See also

Bézout's identity

[edit] External links

v • d • e Number-theoretic algorithms
Primality tests	AKS · APR · Ballie-PSW · ECPP · Fermat · Lucas–Lehmer · Lucas–Lehmer (Mersenne numbers) · Proth's theorem · Pépin's · Solovay-Strassen · Miller-Rabin · Trial division
Sieving algorithms	Sieve of Atkin · Sieve of Eratosthenes · Sieve of Sundaram · Wheel factorization
Integer factorization algorithms	CFRAC · Dixon's · ECM · Euler's · Pollard's rho · P - 1 · P + 1 · QS · GNFS · SNFS · rational sieve · Fermat's · Shanks' square forms · Trial division · Shor's algorithm
Other algorithms	Ancient Egyptian multiplication · Aryabhata · Binary GCD · Chakravala · Euclidean · Extended Euclidean · integer relation algorithm · integer square root · Modular exponentiation · Shanks-Tonelli
Italics indicate that algorithm is for numbers of special forms; bold indicates deterministic algorithm for primality tests.