Information about Extended Euclidean Algorithm

The extended Euclidean algorithm is an extension to the Euclidean algorithm for finding the greatest common divisor (GCD) of integers a and b: it also finds the integers x and y in Bézout's identity

(Typically either x or y is negative).

The extended Euclidean algorithm is particularly useful when a and b are coprime, since x is the modular multiplicative inverse of a modulo b.

Informal formulation of the algorithm

Dividend	Divisor	Quotient	Remainder
120	23	5	5
23	5	4	3
5	3	1	2
3	2	1	1 |2||1||2||0

It is assumed that the reader is already familiar with Euclid's algorithm.

To illustrate the extension of the Euclid's algorithm, consider the computation of gcd(120, 23), which is shown on the table on the left. Notice that the quotient in each division is recorded as well alongside the remainder.

In this case, the remainder in the last but one line (which is 1) indicates that the gcd is 1; that is, 120 and 23 are coprime (also called relatively prime). For the sake of simplicity, the example chosen is a coprime pair; but the more general case of gcd other than 1 also works similarly.

There are two methods to proceed, both using the division algorithm, which will be discussed separately.

The iterative method

This method solves the required equation with the sum replaced by the remainders in each step of the algorithm, which is larger than their gcd, but are decreasing in magnitude, and so will eventually become the required equation. To start with, express each line from the last table with the division algorithm, focusing on the remainder:

Remainder	=	Dividend	-	Quotient	×	Divisor
5	=	120	-	5	×	23
3	=	23	-	4	×	5
2	=	5	-	1	×	3
1	=	3	-	1	×	2 |0||=||2||-||2||×||1

The first line fits the pattern of the original equation, with 120 and 23 as the terms. However from the second line onwards, the terms are decreasing. To proceed, observe that by nature of the Euclidean algorithm:

• In each line, the divisor is the remainder of the previous line
• The dividend is the previous line's divisor, which is then remainder of its previous line(that is, remainder from two lines up)

Thus the terms can be substituted with the previous two line. By mathematical induction, we can then represent each remainder as sum of multiples of the two original numbers, one after another.

Corresponding to this example, notice the divisor on the third line, 3, is the same as the remainder on the second line. Further, the dividend on the third line, 5, is the same as the divisor on the second line, and the remainder on the first line.

In the inductive method, the remainder at each step is written in terms of the integers a and b.

5	=	120	-	5	×	23	=						=	1	×	120	-	5	×	23
3	=	23	-	4	×	5	=	1×23	-	4	×	(1×120 - 5×23)	=	-4	×	120	+	21	×	23
2	=	5	-	1	×	3	=	(1×120 - 5×23)	-	1	×	(-4×120 + 21×23)	=	5	×	120	-	26	×	23 |1|| = ||3|| - ||1||×||2 | = ||(-4×120 + 21×23)|| - ||1||×||(5×120 - 26×23) | = ||-9||×||120|| + ||47||×||23

1. The first line already in the required form.
2. In the second line, substitute 5 with the first line.
3. In the third line, substitute 5 and 3 with the first and second line.
4. In the fourth line, substitute 3 and 2 with the second and third line.

The last line reads 1 = −9×120 + 47×23, which is the required solution: x = −9 and y = 47.

This also means that −9 is the multiplicative inverse of 120 modulo 23, and that 47 is the multiplicative inverse of 23 modulo 120. Restating it using mathematical expression:

−9 × 120 ≡ 1 (mod 23) and also 47 × 23 ≡ 1 (mod 120).

The recursive method

This method attempts to solve the original equation directly, by reducing the dividend and divisor gradually, from the first line to the last line, which can then be substituted with trivial value and work backward to obtain the solution.

Consider the original equation:

120	x	+	23	y	=	1
(5×23+5)	x	+	23	y	=	1
23	(5x+y)	+	5	x	=	1
...
1	a	+	0	b	=	1

Notice that the equation remains unchanged after decomposing the original dividend in terms of the divisor plus a remainder, and then regrouping terms. If we have a solution to the equation in the second line, then we can work backward to find x and y as required. Although we don't have the solution yet to the second line, notice how the magnitude of the terms decreased (120 and 23 to 23 and 5). Hence, if we keep applying this, eventually we'll reach the last line, which obviously has (1,0) as a trivial solution. Then we can work backward and gradually find out x and y.

Dividend	=	Quotient	x	Divisor	+	Remainder
120	=	5	x	23	+	5
23	=	4	x	5	+	3 |align="center" colspan=7|...

For the purpose of explaining this method, the full working will not be shown. Instead some of the repeating steps will be described to demonstrate the principle behind this method.

Start by rewriting each line from the first table with division algorithm, focusing on the dividend this time (because we'll be substituting the dividend).

120	x0	+	23	y0	=	1
(5×23+5)	x0	+	23	y0	=	1
23	(5x0+y0)	+	5	x0	=	1
23	x1	+	5	y1	=	1
(4×5+3)	x1	+	5	y1	=	1
5	(4x1+y1)	+	3	x1	=	1 |5||x2||+||3||y2||=||1

1. Assume that we were given x₂=2 and y₂=-3 already, which is indeed a valid solution.
2. x₁=y₂=-3
3. Solve 4x₁+y₁=x₂ by substituting x₁=-3, which gives y₁=2-4(-3)=14
4. x₀=y₁=14
5. Solve 5x₀+y₀=x₁ by substituting x₀=14, so y₀=-3-5(14)=-73

The table method

The table method is probably the simplest method to carry out with a pencil and paper. It is similar to the recursive method, although it does not directly require algebra to use and only requires working in one direction. The main idea is to think of the equation chain as a sequence of divisors . In the running example we have the sequence 120, 23, 5, 3, 2, 1. Any element in this chain can be written as a linear combination of the original and , most notably, the last element, , can be written in this way. The table method involves keeping a table of each divisor, written as a linear combination. The algorithm starts with the table as follows:

a	b	d
1	0	120 |0||1||23

The elements in the column of the table will be the divisors in the sequence. Each can be represented as the linear combination . The and values are obvious for the first two rows of the table, which represent and themselves. To compute for any , notice that . Suppose . Then it must be that and . This is easy to verify algebraically with a simple substitution.

Actually carrying out the table method though is simpler than the above equations would indicate. To find the third row of the table in the example, just notice that 120 divided by 23 goes 5 times plus a remainder. This gives us k, the multiplying factor for this row. Now, each value in the table is the value two rows above it, minus 5 times the value immediately above it. This correctly leads to , , and . After repeating this method to find each line of the table, the final values for and will solve :

a	b	d
1	0	120
0	1	23
1	-5	5
-4	21	3
5	-26	2 | -9 ||47||1

This method is simple, requiring only the repeated application of one rule, and leaves the answer in the final row of the table with no backtracking. Note also that if you end up with a negative number as the answer for the factor of, in this case b, you will then need to add a in order to make it work as a modular inverse (instead of just taking the absolute value of b). I.e. if it returns a negative number, don't just flip the sign, but add in the other number to make it work. Otherwise it will give you the modular inverse yielding negative one.

Formal description of the algorithm

Iterative method

By routine algebra of expanding and grouping like terms (refer to last section), the following algorithm for iterative method is obtained:

1. Apply Euclidean algorithm, and let q_n(n starts from 1) be a finite list of quotients in the division.
2. Initialize x₀, x₁ as 1, 0, and y₀, y₁ as 0,1 respectively.
3. Then for each i so long as q_i is defined,
4. Compute x_i+1= x_i-1- q_ix_i
5. Compute y_i+1= y_i-1- q_iy_i
6. Repeat the above after incrementing i by 1.
7. The answers are the second-to-last of x_n and y_n.

Pseudocode for this method is shown below:

function extended_gcd(a, b) x := 0 lastx := 1 y := 1 lasty := 0 while b ≠ 0 temp := b quotient := a div b b := a mod b a := temp

temp := x x := lastx-quotient*x lastx := temp

temp := y y := lasty-quotient*y lasty := temp return {lastx, lasty, a}

Recursive method

Solving the general case of the equation in the last corresponding section, the following algorithm results:

1. If a is divisible by b, the algorithm ends and return the trivial solution x=0, y=1.
2. Otherwise, repeat the algorithm with b and a modulus b, storing the solution as x' and y'.
3. Then, the solution to the current equation is x=y', and y = x' minus y' times quotient of a divided by b

Which can be directly translated to this pseudocode: function extended_gcd(a, b) if a mod b = 0 return {0, 1} else {x, y} := extended_gcd(b, a mod b) return {y, x-y*(a div b)}

Proof of correctness

Let d be the gcd of a and b. We wish to prove that a*x + b*y = d.

• If b evenly divides a (i.e. a mod b = 0),
• then d is b and a*0 + b*1 = d.
• So x and y are 0 and 1.
• Otherwise given the recursive call we know that b*x + (a mod b) * y = d,
• then b*x - b*(a div b)*y + (a mod b) * y + b*(a div b)*y= d,
• and b*(x - (a div b)*y) + a*y=d.
• So the new x and y are y and x - (a div b)*y.

See the Euclidean algorithm for the proof that the gcd(a,b) = gcd(b,a mod b) which this proof depends on in the recursive call step.

Computing a multiplicative inverse in a finite field

The extended Euclidean algorithm can also be used to calculate the multiplicative inverse in a finite field.

Pseudocode

Given the irreducible polynomial f(x) used to define the finite field, and the element a(x) whose inverse is desired, then a form of the algorithm suitable for determining the inverse is given by the following. NOTE: remainder() and quotient() are functions different from the arrays remainder[ ] and quotient[ ]. remainder() refers to the remainder when two numbers are divided, and quotient() refers to the integer quotient when two numbers are divided. For example, remainder(5/3) = 2 and quotient(5/3) = 1. Equivalent operators in the C language are % and / respectively.

pseudocode:

remainder[1] := f(x) remainder[2] := a(x) auxiliary[1] := 0 auxiliary[2] := 1 i := 2 do while remainder[i] > 1 i := i + 1 remainder[i] := remainder(remainder[i-2] / remainder[i-1]) quotient[i] := quotient(remainder[i-2] / remainder[i-1]) auxiliary[i] := -quotient[i] * auxiliary[i-1] + auxiliary[i-2] inverse := auxiliary[i]

Note

The minus sign is not necessary for some finite fields in the step.

auxiliary[i] := -quotient[i] * auxiliary[i-1] + auxiliary[i-2]

This is true since in the finite field GF(2⁸), for instance, addition and subtraction are the same. In other words, 1 is its own additive inverse in GF(2⁸).

Example

For example, if the polynomial used to define the finite field GF(2⁸) is f(x) = x⁸ + x⁴ + x³ + x + 1, and x⁶ + x⁴ + x + 1 = {53} in big-endian hexadecimal notation, is the element whose inverse is desired, then performing the algorithm results in the following:

i	remainder[i]	quotient[i]	auxiliary[i]
1	x8 + x4 + x3 + x + 1		0
2	x6 + x4 + x + 1		1
3	x2	x2 + 1	x2 + 1
4	x + 1	x4 + x2	x6 + x4 + x4 + x2 + 1
5	1	x + 1	x7 + x6 + x3 + x2 + x2 + x + 1 + 1

Note: Addition in a binary finite field is XOR.

Thus, the inverse is x⁷ + x⁶ + x³ + x = {CA}, as can be confirmed by multiplying the two elements together.

References

• Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. Introduction to Algorithms, Second Edition. MIT Press and McGraw-Hill, 2001. ISBN 0-262-03293-7. Pages 859–861 of section 31.2: Greatest common divisor.

See also

• Bézout's identity

External links

• A php implementation of the Extended Euclidean Algorithm showing line-by-line working and outputs
• A javascript implementation of the Extended Euclidean Algorithm shown above
• How to use the algorithm by hand
• Extended Euclidean Algorithm Applet
• Source for the form of the algorithm used to determine the multiplicative inverse in GF(2^8)
• A simple explain of Euclidean Algorithm