Extended Euclidean algorithm

The standard Euclidean algorithm proceeds by a succession of Euclidean divisions whose quotients are not used. Only the remainders are kept. For the extended algorithm, the successive quotients are used. More precisely, the standard Euclidean algorithm with a and b as input, consists of computing a sequence ${\displaystyle q_{1},\ldots ,q_{k}}$ of quotients and a sequence ${\displaystyle r_{0},\ldots ,r_{k+1}}$ of remainders such that

${\displaystyle {\begin{aligned}r_{0}&=a\\r_{1}&=b\\&\,\,\,\vdots \\r_{i+1}&=r_{i-1}-q_{i}r_{i}\quad {\text{and}}\quad 0\leq r_{i+1}<|r_{i}|\quad {\text{(this defines }}q_{i})\\&\,\,\,\vdots \end{aligned}}}$

It is the main property of Euclidean division that the inequalities on the right define uniquely ${\displaystyle q_{i}}$ and ${\displaystyle r_{i+1}}$ from ${\displaystyle r_{i-1}}$ and ${\displaystyle r_{i}.}$

The computation stops when one reaches a remainder ${\displaystyle r_{k+1}}$ which is zero; the greatest common divisor is then the last nonzero remainder ${\displaystyle r_{k}.}$

The extended Euclidean algorithm proceeds similarly, but adds two other sequences, as follows

${\displaystyle {\begin{aligned}r_{0}&=a&r_{1}&=b\\s_{0}&=1&s_{1}&=0\\t_{0}&=0&t_{1}&=1\\&\,\,\,\vdots &&\,\,\,\vdots \\r_{i+1}&=r_{i-1}-q_{i}r_{i}&{\text{and }}0&\leq r_{i+1}<|r_{i}|&{\text{(this defines }}q_{i}{\text{)}}\\s_{i+1}&=s_{i-1}-q_{i}s_{i}\\t_{i+1}&=t_{i-1}-q_{i}t_{i}\\&\,\,\,\vdots \end{aligned}}}$

The computation also stops when ${\displaystyle r_{k+1}=0}$ and gives

• ${\displaystyle r_{k}}$ is the greatest common divisor of the input ${\displaystyle a=r_{0}}$ and ${\displaystyle b=r_{1}.}$
• The Bézout coefficients are ${\displaystyle s_{k}}$ and ${\displaystyle t_{k},}$ that is ${\displaystyle \gcd(a,b)=r_{k}=as_{k}+bt_{k}}$
• The quotients of a and b by their greatest common divisor are given by ${\displaystyle s_{k+1}=\pm {\frac {b}{\gcd(a,b)}}}$ and ${\displaystyle t_{k+1}=\pm {\frac {a}{\gcd(a,b)}}}$

Moreover, if a and b are both positive and ${\displaystyle \gcd(a,b)\neq \min(a,b)}$, then

${\displaystyle |s_{i}|\leq \left\lfloor {\frac {b}{2\gcd(a,b)}}\right\rfloor \quad {\text{and}}\quad |t_{i}|\leq \left\lfloor {\frac {a}{2\gcd(a,b)}}\right\rfloor }$

for ${\displaystyle 0\leq i\leq k,}$ where ${\displaystyle \lfloor x\rfloor }$ denotes the integral part of x, that is the greatest integer not greater than x.

This implies that the pair of Bézout's coefficients provided by the extended Euclidean algorithm is the minimal pair of Bézout coefficients, as being the unique pair satisfying both above inequalities.

It also means that the algorithm can be done without integer overflow by a computer program using integers of a fixed size that is larger than that of a and b.

The following table shows how the extended Euclidean algorithm proceeds with input 240 and 46. The greatest common divisor is the last nonzero entry, 2 in the column "remainder". The computation stops at row 6, because the remainder in it is 0. Bézout coefficients appear in the last two columns of the second-to-last row. In fact, it is easy to verify that −9 × 240 + 47 × 46 = 2. Finally the last two entries 23 and −120 of the last row are, up to the sign, the quotients of the input 46 and 240 by the greatest common divisor 2.

As ${\displaystyle 0\leq r_{i+1}<|r_{i}|,}$ the sequence of the ${\displaystyle r_{i}}$ is a decreasing sequence of nonnegative integers (from i = 2 on). Thus it must stop with some ${\displaystyle r_{k+1}=0.}$ This proves that the algorithm stops eventually.

As ${\displaystyle r_{i+1}=r_{i-1}-r_{i}q_{i},}$ the greatest common divisor is the same for ${\displaystyle (r_{i-1},r_{i})}$ and ${\displaystyle (r_{i},r_{i+1}).}$ This shows that the greatest common divisor of the input ${\displaystyle a=r_{0},b=r_{1}}$ is the same as that of ${\displaystyle r_{k},r_{k+1}=0.}$ This proves that ${\displaystyle r_{k}}$ is the greatest common divisor of a and b. (Until this point, the proof is the same as that of the classical Euclidean algorithm.)

As ${\displaystyle a=r_{0}}$ and ${\displaystyle b=r_{1},}$ we have ${\displaystyle as_{i}+bt_{i}=r_{i}}$ for i = 0 and 1. The relation follows by induction for all ${\displaystyle i>1}$: $${\displaystyle r_{i+1}=r_{i-1}-r_{i}q_{i}=(as_{i-1}+bt_{i-1})-(as_{i}+bt_{i})q_{i}=(as_{i-1}-as_{i}q_{i})+(bt_{i-1}-bt_{i}q_{i})=as_{i+1}+bt_{i+1}.}$$

Thus ${\displaystyle s_{k}}$ and ${\displaystyle t_{k}}$ are Bézout coefficients.

Consider the matrix $${\displaystyle A_{i}={\begin{pmatrix}s_{i-1}&s_{i}\\t_{i-1}&t_{i}\end{pmatrix}}.}$$

The recurrence relation may be rewritten in matrix form $${\displaystyle A_{i+1}=A_{i}\cdot {\begin{pmatrix}0&1\\1&-q_{i}\end{pmatrix}}.}$$

The matrix ${\displaystyle A_{1}}$ is the identity matrix and its determinant is one. The determinant of the rightmost matrix in the preceding formula is −1. It follows that the determinant of ${\displaystyle A_{i}}$ is ${\displaystyle (-1)^{i-1}.}$ In particular, for ${\displaystyle i=k+1,}$ we have ${\displaystyle s_{k}t_{k+1}-t_{k}s_{k+1}=(-1)^{k}.}$ Viewing this as a Bézout's identity, this shows that ${\displaystyle s_{k+1}}$ and ${\displaystyle t_{k+1}}$ are coprime. The relation ${\displaystyle as_{k+1}+bt_{k+1}=0}$ that has been proved above and Euclid's lemma show that ${\displaystyle s_{k+1}}$ divides b, that is that ${\displaystyle b=ds_{k+1}}$ for some integer d. Dividing by ${\displaystyle s_{k+1}}$ the relation ${\displaystyle as_{k+1}+bt_{k+1}=0}$ gives ${\displaystyle a=-dt_{k+1}.}$ So, ${\displaystyle s_{k+1}}$ and ${\displaystyle -t_{k+1}}$ are coprime integers that are the quotients of a and b by a common factor, which is thus their greatest common divisor or its opposite.

To prove the last assertion, assume that a and b are both positive and ${\displaystyle \gcd(a,b)\neq \min(a,b)}$. Then, ${\displaystyle a\neq b}$, and if ${\displaystyle a<b}$, it can be seen that the s and t sequences for (a,b) under the EEA are, up to initial 0s and 1s, the t and s sequences for (b,a). The definitions then show that the (a,b) case reduces to the (b,a) case. So assume that ${\displaystyle a>b}$ without loss of generality.

It can be seen that ${\displaystyle s_{2}}$ is 1 and ${\displaystyle s_{3}}$ (which exists by ${\displaystyle \gcd(a,b)\neq \min(a,b)}$) is a negative integer. Thereafter, the ${\displaystyle s_{i}}$ alternate in sign and strictly increase in magnitude, which follows inductively from the definitions and the fact that ${\displaystyle q_{i}\geq 1}$ for ${\displaystyle 1\leq i\leq k}$, the case ${\displaystyle i=1}$ holds because ${\displaystyle a>b}$. The same is true for the ${\displaystyle t_{i}}$ after the first few terms, for the same reason. Furthermore, it is easy to see that ${\displaystyle q_{k}\geq 2}$ (when a and b are both positive and ${\displaystyle \gcd(a,b)\neq \min(a,b)}$). Thus, noticing that ${\displaystyle |s_{k+1}|=|s_{k-1}|+q_{k}|s_{k}|}$, we obtain $${\displaystyle |s_{k+1}|=\left|{\frac {b}{\gcd(a,b)}}\right|\geq 2|s_{k}|\qquad {\text{and}}\qquad |t_{k+1}|=\left|{\frac {a}{\gcd(a,b)}}\right|\geq 2|t_{k}|.}$$

This, accompanied by the fact that ${\displaystyle s_{k},t_{k}}$ are larger than or equal to in absolute value than any previous ${\displaystyle s_{i}}$ or ${\displaystyle t_{i}}$ respectively completed the proof.

For univariate polynomials with coefficients in a field, everything works similarly, Euclidean division, Bézout's identity and extended Euclidean algorithm. The first difference is that, in the Euclidean division and the algorithm, the inequality ${\displaystyle 0\leq r_{i+1}<|r_{i}|}$ has to be replaced by an inequality on the degrees ${\displaystyle \deg r_{i+1}<\deg r_{i}.}$ Otherwise, everything which precedes in this article remains the same, simply by replacing integers by polynomials.

A second difference lies in the bound on the size of the Bézout coefficients provided by the extended Euclidean algorithm, which is more accurate in the polynomial case, leading to the following theorem.

If a and b are two nonzero polynomials, then the extended Euclidean algorithm produces the unique pair of polynomials (s, t) such that

${\displaystyle as+bt=\gcd(a,b)}$

and

${\displaystyle \deg s<\deg b-\deg(\gcd(a,b)),\quad \deg t<\deg a-\deg(\gcd(a,b)).}$

A third difference is that, in the polynomial case, the greatest common divisor is defined only up to the multiplication by a nonzero constant. There are several ways to define unambiguously a greatest common divisor.

In mathematics, it is common to require that the greatest common divisor be a monic polynomial. To get this, it suffices to divide every element of the output by the leading coefficient of ${\displaystyle r_{k}.}$ This allows that, if a and b are coprime, one gets 1 in the right-hand side of Bézout's inequality. Otherwise, one may get any nonzero constant. In computer algebra, the polynomials commonly have integer coefficients, and this way of normalizing the greatest common divisor introduces too many fractions to be convenient.

The second way to normalize the greatest common divisor in the case of polynomials with integer coefficients is to divide every output by the content of ${\displaystyle r_{k},}$ to get a primitive greatest common divisor. If the input polynomials are coprime, this normalisation also provides a greatest common divisor equal to 1. The drawback of this approach is that a lot of fractions should be computed and simplified during the computation.

A third approach consists in extending the algorithm of subresultant pseudo-remainder sequences in a way that is similar to the extension of the Euclidean algorithm to the extended Euclidean algorithm. This allows that, when starting with polynomials with integer coefficients, all polynomials that are computed have integer coefficients. Moreover, every computed remainder ${\displaystyle r_{i}}$ is a subresultant polynomial. In particular, if the input polynomials are coprime, then the Bézout's identity becomes

${\displaystyle as+bt=\operatorname {Res} (a,b),}$

where ${\displaystyle \operatorname {Res} (a,b)}$ denotes the resultant of a and b. In this form of Bézout's identity, there is no denominator in the formula. If one divides everything by the resultant one gets the classical Bézout's identity, with an explicit common denominator for the rational numbers that appear in it.

To implement the algorithm that is described above, one should first remark that only the two last values of the indexed variables are needed at each step. Thus, for saving memory, each indexed variable must be replaced by just two variables.

For simplicity, the following algorithm (and the other algorithms in this article) uses parallel assignments. In a programming language which does not have this feature, the parallel assignments need to be simulated with an auxiliary variable. For example, the first one,

(old_r, r) := (r, old_r - quotient × r)

is equivalent to

prov := r;
r := old_r - quotient × prov;
old_r := prov;

and similarly for the other parallel assignments. This leads to the following code:

function extended_gcd(a, b)
    (old_r, r) := (a, b)
    (old_s, s) := (1, 0)
    (old_t, t) := (0, 1)
    
    while r ≠ 0 do
        quotient := old_r div r
        (old_r, r) := (r, old_r − quotient × r)
        (old_s, s) := (s, old_s − quotient × s)
        (old_t, t) := (t, old_t − quotient × t)
    
    output "Bézout coefficients:", (old_s, old_t)
    output "greatest common divisor:", old_r
    output "quotients by the gcd:", (t, s)

The quotients of a and b by their greatest common divisor, which is output, may have an incorrect sign. This is easy to correct at the end of the computation but has not been done here for simplifying the code. Similarly, if either a or b is zero and the other is negative, the greatest common divisor that is output is negative, and all the signs of the output must be changed.

Finally, notice that in Bézout's identity, ${\displaystyle ax+by=\gcd(a,b)}$, one can solve for ${\displaystyle y}$ given ${\displaystyle a,b,x,\gcd(a,b)}$. Thus, an optimization to the above algorithm is to compute only the ${\displaystyle s_{k}}$ sequence (which yields the Bézout coefficient ${\displaystyle x}$), and then compute ${\displaystyle y}$ at the end:

function extended_gcd(a, b)
    s := 0;    old_s := 1
    r := b;    old_r := a
         
    while r ≠ 0 do
        quotient := old_r div r
        (old_r, r) := (r, old_r − quotient × r)
        (old_s, s) := (s, old_s − quotient × s)
    
    if b ≠ 0 then
        bezout_t := (old_r − old_s × a) div b
    else
        bezout_t := 0
    
    output "Bézout coefficients:", (old_s, bezout_t)
    output "greatest common divisor:", old_r

However, in many cases this is not really an optimization: whereas the former algorithm is not susceptible to overflow when used with machine integers (that is, integers with a fixed upper bound of digits), the multiplication of old_s × a in computation of bezout_t can overflow, limiting this optimization to inputs which can be represented in less than half the maximal size. When using integers of unbounded size, the time needed for multiplication and division grows quadratically with the size of the integers. This implies that the "optimisation" replaces a sequence of multiplications/divisions of small integers by a single multiplication/division, which requires more computing time than the operations that it replaces, taken together.

A fraction ⁠a/b⁠ is in canonical simplified form if a and b are coprime and b is positive. This canonical simplified form can be obtained by replacing the three output lines of the preceding pseudo code by

if s = 0 then output "Division by zero"
if s < 0 then s := −s;  t := −t   (for avoiding negative denominators)
if s = 1 then output −t        (for avoiding denominators equal to 1)
output ⁠−t/s⁠

The proof of this algorithm relies on the fact that s and t are two coprime integers such that as + bt = 0, and thus ${\displaystyle {\frac {a}{b}}=-{\frac {t}{s}}}$. To get the canonical simplified form, it suffices to move the minus sign for having a positive denominator.

If b divides a evenly, the algorithm executes only one iteration, and we have s = 1 at the end of the algorithm. It is the only case where the output is an integer.

The extended Euclidean algorithm is the essential tool for computing multiplicative inverses in modular structures, typically the modular integers and the algebraic field extensions. A notable instance of the latter case are the finite fields of non-prime order.

If n is a positive integer, the ring Z/nZ may be identified with the set {0, 1, ..., n-1} of the remainders of Euclidean division by n, the addition and the multiplication consisting in taking the remainder by n of the result of the addition and the multiplication of integers. An element a of Z/nZ has a multiplicative inverse (that is, it is a unit) if it is coprime to n. In particular, if n is prime, a has a multiplicative inverse if it is not zero (modulo n). Thus Z/nZ is a field if and only if n is prime.

Bézout's identity asserts that a and n are coprime if and only if there exist integers s and t such that

${\displaystyle ns+at=1}$

Reducing this identity modulo n gives

${\displaystyle at\equiv 1\mod n.}$

Thus t, or, more exactly, the remainder of the division of t by n, is the multiplicative inverse of a modulo n.

To adapt the extended Euclidean algorithm to this problem, one should remark that the Bézout coefficient of n is not needed, and thus does not need to be computed. Also, for getting a result which is positive and lower than n, one may use the fact that the integer t provided by the algorithm satisfies |t| < n. That is, if t < 0, one must add n to it at the end. This results in the pseudocode, in which the input n is an integer larger than 1.

function inverse(a, n)
    t := 0;     newt := 1
    r := n;     newr := a

    while newr ≠ 0 do
        quotient := r div newr
        (t, newt) := (newt, t − quotient × newt) 
        (r, newr) := (newr, r − quotient × newr)

    if r > 1 then
        return "a is not invertible"
    if t < 0 then
        t := t + n

    return t

The extended Euclidean algorithm is also the main tool for computing multiplicative inverses in simple algebraic field extensions. An important case, widely used in cryptography and coding theory, is that of finite fields of non-prime order. In fact, if p is a prime number, and q = p^d, the field of order q is a simple algebraic extension of the prime field of p elements, generated by a root of an irreducible polynomial of degree d.

A simple algebraic extension L of a field K, generated by the root of an irreducible polynomial p of degree d may be identified to the quotient ring ${\displaystyle K[X]/\langle p\rangle ,}$, and its elements are in bijective correspondence with the polynomials of degree less than d. The addition in L is the addition of polynomials. The multiplication in L is the remainder of the Euclidean division by p of the product of polynomials. Thus, to complete the arithmetic in L, it remains only to define how to compute multiplicative inverses. This is done by the extended Euclidean algorithm.

The algorithm is very similar to that provided above for computing the modular multiplicative inverse. There are two main differences: firstly the last but one line is not needed, because the Bézout coefficient that is provided always has a degree less than d. Secondly, the greatest common divisor which is provided, when the input polynomials are coprime, may be any nonzero element of K; this Bézout coefficient (a polynomial generally of positive degree) has thus to be multiplied by the inverse of this element of K. In the pseudocode which follows, p is a polynomial of degree greater than one, and a is a polynomial.

function inverse(a, p)
    t := 0;     newt := 1
    r := p;     newr := a

    while newr ≠ 0 do
        quotient := r div newr
        (r, newr) := (newr, r − quotient × newr)
        (t, newt) := (newt, t − quotient × newt)

    if degree(r) > 0 then 
        return "Either p is not irreducible or a is a multiple of p"

    return (1/r) × t

For example, if the polynomial used to define the finite field GF(2⁸) is p = x⁸ + x⁴ + x³ + x + 1, and a = x⁶ + x⁴ + x + 1 is the element whose inverse is desired, then performing the algorithm results in the computation described in the following table. Let us recall that in fields of order 2ⁿ, one has −z = z and z + z = 0 for every element z in the field). Since 1 is the only nonzero element of GF(2), the adjustment in the last line of the pseudocode is not needed.

Thus, the inverse is x⁷ + x⁶ + x³ + x, as can be confirmed by multiplying the two elements together, and taking the remainder by p of the result.

One can handle the case of more than two numbers iteratively. First we show that ${\displaystyle \gcd(a,b,c)=\gcd(\gcd(a,b),c)}$. To prove this let ${\displaystyle d=\gcd(a,b,c)}$. By definition of gcd ${\displaystyle d}$ is a divisor of ${\displaystyle a}$ and ${\displaystyle b}$. Thus ${\displaystyle \gcd(a,b)=kd}$ for some ${\displaystyle k}$. Similarly ${\displaystyle d}$ is a divisor of ${\displaystyle c}$ so ${\displaystyle c=jd}$ for some ${\displaystyle j}$. Let ${\displaystyle u=\gcd(k,j)}$. By our construction of ${\displaystyle u}$, ${\displaystyle ud|a,b,c}$ but since ${\displaystyle d}$ is the greatest divisor ${\displaystyle u}$ is a unit. And since ${\displaystyle ud=\gcd(\gcd(a,b),c)}$ the result is proven.

So if ${\displaystyle na+mb=\gcd(a,b)}$ then there are ${\displaystyle x}$ and ${\displaystyle y}$ such that ${\displaystyle x\gcd(a,b)+yc=\gcd(a,b,c)}$ so the final equation will be

${\displaystyle x(na+mb)+yc=(xn)a+(xm)b+yc=\gcd(a,b,c).\,}$

So then to apply to n numbers we use induction

${\displaystyle \gcd(a_{1},a_{2},\dots ,a_{n})=\gcd(a_{1},\,\gcd(a_{2},\,\gcd(a_{3},\dots ,\gcd(a_{n-1}\,,a_{n}))),\dots ),}$

with the equations following directly.

• Euclidean domain
• Linear congruence theorem
• Kuṭṭaka