Sponsored Links
-->

Saturday, February 10, 2018

The Extended Euclidean algorithm - YouTube
src: i.ytimg.com

In arithmetic and computer programming, the extended Euclidean algorithm is an extension to the Euclidean algorithm, and computes, in addition to the greatest common divisor of integers a and b, also the coefficients of Bézout's identity, which are integers x and y such that

a x + b y = gcd ( a , b ) . {\displaystyle ax+by=\gcd(a,b).}

This is a certifying algorithm, because the gcd is the only number that can simultaneously satisfy this equation and divide the inputs. It allows one to compute also, with almost no extra cost, the quotients of a and b by their greatest common divisor.

Extended Euclidean algorithm also refers to a very similar algorithm for computing the polynomial greatest common divisor and the coefficients of Bézout's identity of two univariate polynomials.

The extended Euclidean algorithm is particularly useful when a and b are coprime, since x is the modular multiplicative inverse of a modulo b, and y is the modular multiplicative inverse of b modulo a. Similarly, the polynomial extended Euclidean algorithm allows one to compute the multiplicative inverse in algebraic field extensions and, in particular in finite fields of non prime order. It follows that both extended Euclidean algorithms are widely used in cryptography. In particular, the computation of the modular multiplicative inverse is an essential step in RSA public-key encryption method.


Video Extended Euclidean algorithm



Description

The standard Euclidean algorithm proceeds by a succession of Euclidean divisions whose quotients are not used, only the remainders are kept. For the extended algorithm, the successive quotients are used. More precisely, the standard Euclidean algorithm with a and b as input, consists of computing a sequence q 1 , ... , q k {\displaystyle q_{1},\ldots ,q_{k}} of quotients and a sequence r 0 , ... , r k + 1 {\displaystyle r_{0},\ldots ,r_{k+1}} of remainders such that

r 0 = a r 1 = b ? r i + 1 = r i - 1 - q i r i and 0 <= r i + 1 < | r i | ? {\displaystyle {\begin{aligned}r_{0}&=a\\r_{1}&=b\\&\,\,\,\vdots \\r_{i+1}&=r_{i-1}-q_{i}r_{i}\quad {\text{and}}\quad 0\leq r_{i+1}<|r_{i}|\\&\,\,\,\vdots \end{aligned}}}

It is the main property of Euclidean division that the inequalities on the right define uniquely q i {\displaystyle q_{i}} and r i + 1 {\displaystyle r_{i+1}} from r i - 1 {\displaystyle r_{i-1}} and r i . {\displaystyle r_{i}.}

The computation stops when one reaches a remainder r k + 1 {\displaystyle r_{k+1}} which is zero; the greatest common divisor is then the last non zero remainder r k . {\displaystyle r_{k}.}

The extended Euclidean algorithm proceeds similarly, but adds two other sequences, as follows

r 0 = a r 1 = b s 0 = 1 s 1 = 0 t 0 = 0 t 1 = 1 ? ? r i + 1 = r i - 1 - q i r i and  0 <= r i + 1 < | r i | (this defines  q i ) s i + 1 = s i - 1 - q i s i t i + 1 = t i - 1 - q i t i ? {\displaystyle {\begin{aligned}r_{0}&=a&r_{1}&=b\\s_{0}&=1&s_{1}&=0\\t_{0}&=0&t_{1}&=1\\&\,\,\,\vdots &&\,\,\,\vdots \\r_{i+1}&=r_{i-1}-q_{i}r_{i}&{\text{and }}0&\leq r_{i+1}<|r_{i}|&{\text{(this defines }}q_{i}{\text{)}}\\s_{i+1}&=s_{i-1}-q_{i}s_{i}\\t_{i+1}&=t_{i-1}-q_{i}t_{i}\\&\,\,\,\vdots \end{aligned}}}

The computation also stops when r k + 1 = 0 {\displaystyle r_{k+1}=0} and gives

  • r k {\displaystyle r_{k}} is the greatest common divisor of the input a = r 0 {\displaystyle a=r_{0}} and b = r 1 . {\displaystyle b=r_{1}.}
  • The Bézout coefficients are s k {\displaystyle s_{k}} and t k , {\displaystyle t_{k},} that is gcd ( a , b ) = r k = a s k + b t k {\displaystyle \gcd(a,b)=r_{k}=as_{k}+bt_{k}}
  • The quotients of a and b by their greatest common divisor are given by s k + 1 = ± b gcd ( a , b ) {\displaystyle s_{k+1}=\pm {\frac {b}{\gcd(a,b)}}} and t k + 1 = ± a gcd ( a , b ) {\displaystyle t_{k+1}=\pm {\frac {a}{\gcd(a,b)}}}

Moreover, if a and b are both positive and gcd ( a , b ) ? min ( a , b ) {\displaystyle \gcd(a,b)\neq \min(a,b)} , then

| s i | < b gcd ( a , b ) and | t i | < a gcd ( a , b ) {\displaystyle |s_{i}|<{\frac {b}{\gcd(a,b)}}\quad {\text{and}}\quad |t_{i}|<{\frac {a}{\gcd(a,b)}}}

for 0 <= i <= k {\displaystyle 0\leq i\leq k} . This means that the pair of Bézout's coefficients provided by the extended Euclidean algorithm is one of the two minimal pairs of Bézout coefficients. In addition it means that the algorithm can be done without integer overflow when a and b are representable integers.

Example

The following table shows how the extended Euclidean algorithm proceeds with input 240 and 46. The greatest common divisor is the last non zero entry, 2 in the column "remainder". The computation stops at row 6, because the remainder in it is 0. Bézout coefficients appear in the last two entries of the second-to-last row. In fact, it is easy to verify that -9 × 240 + 47 × 46 = 2. Finally the last two entries 23 and -120 of the last row are, up to the sign, the quotients of the input 46 and 240 by the greatest common divisor 2.

Proof

As 0 <= r i + 1 < | r i | , {\displaystyle 0\leq r_{i+1}<|r_{i}|,} the sequence of the r i {\displaystyle r_{i}} is a decreasing sequence of nonnegative integers (from i = 2 on). Thus it must stop with some r k + 1 = 0. {\displaystyle r_{k+1}=0.} This proves that the algorithm stops eventually.

As r i + 1 = r i - 1 - r i q i , {\displaystyle r_{i+1}=r_{i-1}-r_{i}q_{i},} the greatest common divisor is the same for ( r i - 1 , r i ) {\displaystyle (r_{i-1},r_{i})} and ( r i , r i + 1 ) . {\displaystyle (r_{i},r_{i+1}).} This shows that the greatest common divisor of the input a = r 0 , b = r 1 {\displaystyle a=r_{0},b=r_{1}} is the same as that of r k , r k + 1 = 0. {\displaystyle r_{k},r_{k+1}=0.} This proves that r k {\displaystyle r_{k}} is the greatest common divisor of a and b. (Until this point, the proof is the same as that of the classical Euclidean algorithm.)

As a = r 0 {\displaystyle a=r_{0}} and b = r 1 , {\displaystyle b=r_{1},} we have a s i + b t i = r i {\displaystyle as_{i}+bt_{i}=r_{i}} for i = 0 and 1. The relation follows by induction for all i > 1 {\displaystyle i>1} :

r i + 1 = r i - 1 - r i q i = ( a s i - 1 + b t i - 1 ) - ( a s i + b t i ) q i = ( a s i - 1 - a s i q i ) + ( b t i - 1 - b t i q i ) = a s i + 1 + b t i + 1 . {\displaystyle r_{i+1}=r_{i-1}-r_{i}q_{i}=(as_{i-1}+bt_{i-1})-(as_{i}+bt_{i})q_{i}=(as_{i-1}-as_{i}q_{i})+(bt_{i-1}-bt_{i}q_{i})=as_{i+1}+bt_{i+1}.}

Thus s k {\displaystyle s_{k}} and t k {\displaystyle t_{k}} are Bézout coefficients.

Let us consider the matrix

A i = ( s i - 1 s i t i - 1 t i ) . {\displaystyle A_{i}={\begin{pmatrix}s_{i-1}&s_{i}\\t_{i-1}&t_{i}\end{pmatrix}}.}

The recurrence relation may be rewritten in matrix form

A i + 1 = A i ? ( 0 1 1 - q i ) . {\displaystyle A_{i+1}=A_{i}\cdot {\begin{pmatrix}0&1\\1&-q_{i}\end{pmatrix}}.}

The matrix A 1 {\displaystyle A_{1}} is the identity matrix and its determinant is one. The determinant of the rightmost matrix in the preceding formula is -1. It follows that the determinant of A i {\displaystyle A_{i}} is ( - 1 ) i - 1 . {\displaystyle (-1)^{i-1}.} In particular, for i = k + 1 , {\displaystyle i=k+1,} we have s k t k + 1 - t k s k + 1 = ( - 1 ) k . {\displaystyle s_{k}t_{k+1}-t_{k}s_{k+1}=(-1)^{k}.} Viewing this as a Bézout's identity, this shows that s k + 1 {\displaystyle s_{k+1}} and t k + 1 {\displaystyle t_{k+1}} are coprime. The relation a s k + 1 + b t k + 1 = 0 {\displaystyle as_{k+1}+bt_{k+1}=0} that has been proved above and Euclid's lemma shows that s k + 1 {\displaystyle s_{k+1}} divides b and t k + 1 {\displaystyle t_{k+1}} divides a. As they are coprime, they are, up to their sign the quotients of b and a by their greatest common divisor.

To prove the last assertion, assume that a and b are both positive and gcd ( a , b ) ? min ( a , b ) {\displaystyle \gcd(a,b)\neq \min(a,b)} . Then, a ? b {\displaystyle a\neq b} , and if a < b {\displaystyle a<b} , it can be seen that the s and t sequences for (a,b) under the EEA are, up to initial 0s and 1s, the t and s sequences for (b,a). The definitions then show that the (a,b) case reduces to the (b,a) case. So assume that a > b {\displaystyle a>b} without loss of generality.

It can be seen that s 2 {\displaystyle s_{2}} is 1 and s 3 {\displaystyle s_{3}} (which exists by gcd ( a , b ) ? min ( a , b ) {\displaystyle \gcd(a,b)\neq \min(a,b)} ) is a negative integer. Thereafter, the s i {\displaystyle s_{i}} alternate in sign and strictly increase in magnitude, which follows inductively from the definitions and the fact that q i >= 1 {\displaystyle q_{i}\geq 1} for 1 <= i <= k {\displaystyle 1\leq i\leq k} , the case i = 1 {\displaystyle i=1} holds because a > b {\displaystyle a>b} . The same is true for the t i {\displaystyle t_{i}} after the first few terms, for the same reason. Thus,

| s k + 1 | = | b gcd ( a , b ) | and | t k + 1 | = | a gcd ( a , b ) | {\displaystyle |s_{k+1}|=\left|{\frac {b}{\gcd(a,b)}}\right|\qquad {\text{and}}\qquad |t_{k+1}|=\left|{\frac {a}{\gcd(a,b)}}\right|}

are strictly larger in absolute value than any previous s i {\displaystyle s_{i}} or t i {\displaystyle t_{i}} , respectively.


Maps Extended Euclidean algorithm



Polynomial extended Euclidean algorithm

For univariate polynomials with coefficients in a field, everything works in a similar way, Euclidean division, Bézout's identity and extended Euclidean algorithm. The first difference is that, in the Euclidean division and the algorithm, the inequality 0 <= r i + 1 < | r i | {\displaystyle 0\leq r_{i+1}<|r_{i}|} has to be replaced by an inequality on the degrees deg r i + 1 < deg r i . {\displaystyle \deg r_{i+1}<\deg r_{i}.} Otherwise, everything which precedes in this article remains the same, simply by replacing integers by polynomials.

A second difference lies in the bound on the size of the Bézout coefficients provided by the extended Euclidean algorithm, which is more accurate in the polynomial case, leading to the following theorem.

If a and b are two nonzero polynomials, then the extended Euclidean algorithm produces the unique pair of polynomials (s, t) such that

a s + b t = gcd ( a , b ) {\displaystyle as+bt=\gcd(a,b)}

and

deg s < deg b - deg ( gcd ( a , b ) ) , deg t < deg a - deg ( gcd ( a , b ) ) . {\displaystyle \deg s<\deg b-\deg(\gcd(a,b)),\quad \deg t<\deg a-\deg(\gcd(a,b)).}

A third difference is that, in the polynomial case, the greatest common divisor is defined only up to the multiplication by a non zero constant. There are several ways to define the greatest common divisor unambiguously.

In mathematics, it is common to require that the greatest common divisor be a monic polynomial. To get this, it suffices to divide every element of the output by the leading coefficient of r k . {\displaystyle r_{k}.} This allows that, if a and b are coprime, one gets 1 in the right-hand side of Bézout's inequality. Otherwise, one may get any non-zero constant. In computer algebra, the polynomials commonly have integer coefficients, and this way of normalizing the greatest common divisor introduces too many fractions to be convenient.

The second way to normalize the greatest common divisor in the case of polynomials with integers coefficients is to divide every output by the content of r k , {\displaystyle r_{k},} to get a primitive greatest common divisor. If the input polynomials are coprime, this normalization provides also a greatest common divisor equal to 1. The drawback of this approach is that a lot of fractions should be computed and simplified during the computation.

A third approach consists in extending the algorithm of subresultant pseudo-remainder sequences in a way that is similar to the extension of the Euclidean algorithm to the extended Euclidean algorithm. This allows that, when starting with polynomials with integer coefficients, all polynomials that are computed have integer coefficients. Moreover, every computed remainder r i {\displaystyle r_{i}} is a subresultant polynomial. In particular, if the input polynomials are coprime, then the Bézout's identity becomes

a s + b t = Res ( a , b ) , {\displaystyle as+bt=\operatorname {Res} (a,b),}

where Res ( a , b ) {\displaystyle \operatorname {Res} (a,b)} denotes the resultant of a and b. In this form of Bézout's identity there is no denominator in the formula. If one divides everything by the resultant one gets the classical Bézout's identity, with an explicit common denominator for the rational numbers that appear in it.


Extended Euclidean Algorithm - Integer Foundations | Coursera
src: d3c33hcgiwev3.cloudfront.net


Pseudocode

To implement the algorithm that is described above, one should first remark that only the two last values of the indexed variables are needed at each step. Thus, for saving memory, each indexed variable must be replaced by only two variables.

For simplicity, the following algorithm (and the other algorithms in this article) uses parallel assignments. In a programming language which does not have this feature, the parallel assignments need to be simulated with an auxiliary variable. For example, the first one,

  (old_r, r) := (r, old_r - quotient *r)  

is equivalent to

  prov := r;  r := old_r - quotient * prov;  old_r := prov;  

and similarly for the other parallel assignments. This leads to the following code:

  function extended_gcd(a, b)      s := 0;    old_s := 1      t := 1;    old_t := 0      r := b;    old_r := a      while r ? 0          quotient := old_r div r          (old_r, r) := (r, old_r - quotient * r)          (old_s, s) := (s, old_s - quotient * s)          (old_t, t) := (t, old_t - quotient * t)      output "Bézout coefficients:", (old_s, old_t)      output "greatest common divisor:", old_r      output "quotients by the gcd:", (t, s)  

The quotients of a and b by their greatest common divisor, which are output, may have an incorrect sign. This is easy to correct at the end of the computation, but has not been done here for simplifying the code. Similarly, if either a or b is zero and the other is negative, the greatest common divisor that is output is negative, and all the signs of the output must be changed.


Extended Euclidean Algorithm - YouTube
src: i.ytimg.com


Simplification of fractions

A fraction a/b is in canonical simplified form if a and b are coprime and b is positive. This canonical simplified form can be obtained by replacing the three output lines of the preceding pseudo code by

  if s = 0 then output "Division by zero"  if s < 0 then s := -s;  t := -t   (for avoiding negative denominators)  if s = 1 then output -t        (for avoiding denominators equal to 1)  output -t/s  

The proof of this algorithm relies on the fact that s and t are two coprime integers such that as + bt = 0, and thus a b = - t s {\displaystyle {\frac {a}{b}}=-{\frac {t}{s}}} . To get the canonical simplified form, it suffices to move the minus sign for having a positive denominator.

If b divides a evenly, the algorithm executes only one iteration, and we have s = 1 at the end of the algorithm. It is the only case where the output is an integer.


Introduction to Modular Arithmetic and Public Key Cryptography ...
src: images.slideplayer.com


Computing multiplicative inverses in modular structures

The extended Euclidean algorithm is the basic tool for computing multiplicative inverses in modular structures, typically the modular integers and the algebraic field extensions. An important instance of the latter case are the finite fields of non-prime order.

Modular integers

If n is a positive integer, the ring Z/nZ may be identified with the set {0, 1, ..., n-1} of the remainders of Euclidean division by n, the addition and the multiplication consisting in taking the remainder by n of the result of the addition and the multiplication of integers. An element a of Z/nZ has a multiplicative inverse (that is, it is a unit) if it is coprime to n. In particular, if n is prime, a has a multiplicative inverse if it is not zero (modulo n). Thus Z/nZ is a field if and only if n is prime.

Bézout's identity asserts that a and n are coprime if and only if there exist integers s and t such that

n s + a t = 1 {\displaystyle ns+at=1}

Reducing this identity modulo n gives

a t = 1 mod n . {\displaystyle at=1\mod n.}

Thus t, or, more exactly, the remainder of the division of t by n, is the multiplicative inverse of a modulo n.

To adapt the extended Euclidean algorithm to this problem, one should remark that the Bézout coefficient of n is not needed, and thus does not need to be computed. Also, for getting a result which is positive and lower than n, one may use the fact that the integer t provided by the algorithm satisfies |t| < n. That is, if t < 0, one must add n to it at the end. This results in the pseudocode, in which the input n is an integer larger than 1.

  function inverse(a, n)      t := 0;     newt := 1;          r := n;     newr := a;          while newr ? 0          quotient := r div newr          (t, newt) := (newt, t - quotient * newt)           (r, newr) := (newr, r - quotient * newr)      if r > 1 then return "a is not invertible"      if t < 0 then t := t + n      return t  

Simple algebraic field extensions

Extended Euclidean algorithm is also the main tool for computing multiplicative inverses in simple algebraic field extensions. An important case, widely used in cryptography and coding theory is that of finite fields of non-prime order. In fact, if p is a prime number, and q = pd, the field of order q is a simple algebraic extension of the prime field of p elements, generated by a root of an irreducible polynomial of degree d.

A simple algebraic extension L of a field K, generated by the root of an irreducible polynomial p of degree d may be identified to the quotient ring K [ X ] / ? p ? , {\displaystyle K[X]/\langle p\rangle ,} , and its elements are in bijective correspondence with the polynomials of degree less than d. The addition in L is the addition of polynomials. The multiplication in L is the remainder of the Euclidean division by p of the product of polynomials. Thus, to complete the arithmetic in L, it remains only to define how to compute multiplicative inverses. This is done by the extended Euclidean algorithm.

The algorithm is very similar to that provided above for computing the modular multiplicative inverse. There are two main differences: firstly the last but one line is not needed, because the Bézout coefficient that is provided has always a degree less than d. Secondly, the greatest common divisor which is provided, when the input polynomials are coprime, may be any non zero element of K; this Bézout coefficient (a polynomial generally of positive degree) has thus to be multiplied by the inverse of this element of K. In the pseudocode which follows, p is a polynomial of degree greater than one, and a is a polynomial. Moreover, div is an auxiliary function that computes the quotient of the Euclidean division.

  function inverse(a, p)      t := 0;     newt := 1;          r := p;     newr := a;          while newr ? 0          quotient := r div newr          (r, newr) := (newr, r - quotient * newr)          (t, newt) := (newt, t - quotient * newt)       if degree(r) > 0 then           return "Either p is not irreducible or a is a multiple of p"      return (1/r) * t  

Example

For example, if the polynomial used to define the finite field GF(28) is p = x8 + x4 + x3 + x + 1, and a = x6 + x4 + x + 1 is the element whose inverse is desired, then performing the algorithm results in the computation described in the following table. Let us recall that in fields of order 2n, one has -z = z and z + z = 0 for every element z in the field). Note also that 1 being the only nonzero element of GF(2), the adjustment in the last line of the pseudocode is not needed.

Thus, the inverse is x7 + x6 + x3 + x, as can be confirmed by multiplying the two elements together, and taking the remainder by p of the result.


Extended Euclidean Algorithm and Inverse Modulo Tutorial - YouTube
src: i.ytimg.com


The case of more than two numbers

One can handle the case of more than two numbers iteratively. First we show that gcd ( a , b , c ) = gcd ( gcd ( a , b ) , c ) {\displaystyle \gcd(a,b,c)=\gcd(\gcd(a,b),c)} . To prove this let d = gcd ( a , b , c ) {\displaystyle d=\gcd(a,b,c)} . By definition of gcd d {\displaystyle d} is a divisor of a {\displaystyle a} and b {\displaystyle b} . Thus gcd ( a , b ) = k d {\displaystyle \gcd(a,b)=kd} for some k {\displaystyle k} . Similarly d {\displaystyle d} is a divisor of c {\displaystyle c} so c = j d {\displaystyle c=jd} for some j {\displaystyle j} . Let u = gcd ( k , j ) {\displaystyle u=\gcd(k,j)} . By our construction of u {\displaystyle u} , u d | a , b , c {\displaystyle ud|a,b,c} but since d {\displaystyle d} is the greatest divisor u {\displaystyle u} is a unit. And since u d = gcd ( gcd ( a , b ) , c ) {\displaystyle ud=\gcd(\gcd(a,b),c)} the result is proven.

So if n a + m b = gcd ( a , b ) {\displaystyle na+mb=\gcd(a,b)} then there are x {\displaystyle x} and y {\displaystyle y} such that x gcd ( a , b ) + y c = gcd ( a , b , c ) {\displaystyle x\gcd(a,b)+yc=\gcd(a,b,c)} so the final equation will be

x ( n a + m b ) + y c = ( x n ) a + ( x m ) b + y c = gcd ( a , b , c ) . {\displaystyle x(na+mb)+yc=(xn)a+(xm)b+yc=\gcd(a,b,c).\,}

So then to apply to n numbers we use induction

gcd ( a 1 , a 2 , ... , a n ) = gcd ( a 1 , gcd ( a 2 , gcd ( a 3 , ... , gcd ( a n - 1 , a n ) ) ) , ... ) , {\displaystyle \gcd(a_{1},a_{2},\dots ,a_{n})=\gcd(a_{1},\,\gcd(a_{2},\,\gcd(a_{3},\dots ,\gcd(a_{n-1}\,,a_{n}))),\dots ),}

with the equations following directly.


The Extended Euclidean algorithm - Video Dailymotion
src: s1-ssl.dmcdn.net


See also

  • Euclidean domain
  • Linear congruence theorem
  • Ku??aka

GCD and Modular Inverse: Extended Euclidean Algorithm - Part 1 ...
src: i.ytimg.com


References

  • Knuth, Donald. The Art of Computer Programming. Addison-Wesley.  Volume 2, Chapter 4.
  • Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. Introduction to Algorithms, Second Edition. MIT Press and McGraw-Hill, 2001. ISBN 0-262-03293-7. Pages 859-861 of section 31.2: Greatest common divisor.

MA/CSSE 473 Day 07 Extended Euclid's Algorithm Modular Division ...
src: slideplayer.com


External links

  • Source for the form of the algorithm used to determine the multiplicative inverse in GF(2^8)

Source of article : Wikipedia