next up previous
Next: Interpolation and Rational Reconstruction Up: The Euclidean Algorithm Previous: The Euclidean Algorithm

The Extended Euclidean Algorithm

Remark 3   Let r0 = a, r1 = b, r2 = r0 rem r1,... mathend000#, ri = ri-2 rem ri-1,... mathend000#, gcd(a, b) = rk = rk-2 rem rk-1 mathend000# be as in Algorithm 1. For i = 2 ... k mathend000# let qi mathend000# be the quotient of ri-2 mathend000# w.r.t. ri-1 mathend000# that is

ri-2  =  qi ri-1 + ri (9)

Hence we have

r2 = r0 - q2 r1
r3 = r1 - q3 r2
$\displaystyle \vdots$ $\displaystyle \vdots$ $\displaystyle \vdots$
ri = ri-2 - qi ri-1
$\displaystyle \vdots$ $\displaystyle \vdots$ $\displaystyle \vdots$
rk = rk-2 - qk rk-1
(10)

Observe that each ri mathend000# writes si a + ti b mathend000#. Indeed we have

r0 = s0 a + t0 b with s0 = 1 and t0 = 0
r1 = s1 a + t1 b with s1 = 0 and t1 = 1
r2 = s2 a + t2 b with s2 = s0 - q2 s1 and t2 = t0 - q2 t1
r3 = s3 a + t3 b with s3 = s1 - q3 s2 and t3 = t1 - q2 t2
$\displaystyle \vdots$ $\displaystyle \vdots$ $\displaystyle \vdots$ $\displaystyle \vdots$ $\displaystyle \vdots$
ri = si a + ti b with si = si-2 - qi si-1 and ti = ti-2 - qi ti-1
$\displaystyle \vdots$ $\displaystyle \vdots$ $\displaystyle \vdots$ $\displaystyle \vdots$ $\displaystyle \vdots$
rk = sk a + tk b with sk = sk-2 - qk sk-1 and tk = tk-2 - qk tk-1
(11)

The elements sk mathend000# and tk mathend000# are called the Bézout coefficients of gcd(a, b) mathend000#. In order to compute a gcd together with its Bézout coefficients Algorithm 1 needs to be transformed as follows. The resulting algorithm (Algorithm 2) is called the Extended Euclidean Algorithm. Finally Algorithm 3 shows how to compute the gcd together with its Bézout coefficients.

Algorithm 2  

\fbox{ \begin{minipage}{10 cm} \begin{description} \item[{\bf Input:}] $a,b \in ... ...\ \> {\bf return}($r_{i-2}, s_{i-2}, t_{i-2}$) \\ \end{tabbing}\end{minipage}} mathend000#

Algorithm 3  

\fbox{ \begin{minipage}{11 cm} \begin{description} \item[{\bf Input:}] $a,b \in ... ...\ \> {\bf return}($r_{i-2}, s_{i-2}, t_{i-2}$) \\ \end{tabbing}\end{minipage}} mathend000#

In order to analyze Algorithms 2 and 3 we introduce the following matrices

R0 = $\displaystyle \left(\vphantom{ \begin{array}{cc} s_0 & t_0 \\ s_1 & t_1 \end{array} }\right.$$\displaystyle \begin{array}{cc} s_0 & t_0 \\ s_1 & t_1 \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} s_0 & t_0 \\ s_1 & t_1 \end{array} }\right)$  and  Qi = $\displaystyle \left(\vphantom{ \begin{array}{cc} 0 & 1 \\ u^{-1}_{i+1} & - q_{i+1} u^{-1}_{i+1} \end{array} }\right.$$\displaystyle \begin{array}{cc} 0 & 1 \\ u^{-1}_{i+1} & - q_{i+1} u^{-1}_{i+1} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} 0 & 1 \\ u^{-1}_{i+1} & - q_{i+1} u^{-1}_{i+1} \end{array} }\right)$  for  1 $\displaystyle \leq$ i $\displaystyle \leq$ k (12)

with coefficients in R mathend000#. Then, we define

Ri = Qi ... Q1R0  for  1 $\displaystyle \leq$ i $\displaystyle \leq$ k. (13)

The following proposition collects some invariants of the Extended Euclidean Algorithm.

Proposition 1   With the convention that rk+1 = 0 mathend000# and uk+1 = 1 mathend000#, for 0 $ \leq$ i $ \leq$ k mathend000# we have
(i) mathend000#
Ri$ \left(\vphantom{ \begin{array}{c} a \\ b \end{array} }\right.$$ \begin{array}{c} a \\ b \end{array}$$ \left.\vphantom{ \begin{array}{c} a \\ b \end{array} }\right)$ = $ \left(\vphantom{ \begin{array}{c} r_i \\ r_{i+1} \end{array} }\right.$$ \begin{array}{c} r_i \\ r_{i+1} \end{array}$$ \left.\vphantom{ \begin{array}{c} r_i \\ r_{i+1} \end{array} }\right)$ mathend000#,
(ii) mathend000#
Ri = $ \left(\vphantom{ \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array} }\right.$$ \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array}$$ \left.\vphantom{ \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array} }\right)$ mathend000#,
(iii) mathend000#
gcd(a, b) = gcd(ri, ri+1) = rk mathend000#,
(iv) mathend000#
sia + tib = ri mathend000# and sk+1a + tk+1b = 0 mathend000#,
(v) mathend000#
siti+1 - tisi+1 = (- 1)i(u0 ... ui+1)-1 mathend000#,
(vi) mathend000#
gcd(si, ti) = 1 mathend000#,
(vii) mathend000#
gcd(ri, ti) = gcd(a, ti) mathend000#,
(viii) mathend000#
the matrices Ri mathend000# and Qi mathend000# are invertible; Qi-1 = $ \left(\vphantom{ \begin{array}{cc} q_{i+1} & u_{i+1} \\ 1 & 0 \end{array} }\right.$$ \begin{array}{cc} q_{i+1} & u_{i+1} \\ 1 & 0 \end{array}$$ \left.\vphantom{ \begin{array}{cc} q_{i+1} & u_{i+1} \\ 1 & 0 \end{array} }\right)$ mathend000# and Ri-1 = (- 1)i(u0 ... ui+1)$ \left(\vphantom{ \begin{array}{cc} t_{i+1} & -t_i \\ - s_{i+1} & s_i \end{array} }\right.$$ \begin{array}{cc} t_{i+1} & -t_i \\ - s_{i+1} & s_i \end{array}$$ \left.\vphantom{ \begin{array}{cc} t_{i+1} & -t_i \\ - s_{i+1} & s_i \end{array} }\right)$ mathend000#,
(ix) mathend000#
a = (- 1)i(u0 ... ui+1)(ti+1ri - tiri+1) mathend000#,
(x) mathend000#
b = (- 1)i+1(u0 ... ui+1)(si+1ri - siri+1) mathend000#.

Proof. We prove (i) mathend000# and (ii) mathend000# by induction on i mathend000#. The case i = 0 mathend000# follows immediately from the definitions of s0, r0, s1, r1 mathend000# and R0 mathend000#. We assume that (i) mathend000# and (ii) mathend000# hold for 0 $ \leq$ i < k mathend000#. By induction hypothesis, we have

Ri+1$\displaystyle \left(\vphantom{ \begin{array}{c} a \\ b \end{array} }\right.$$\displaystyle \begin{array}{c} a \\ b \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{c} a \\ b \end{array} }\right)$ = Qi+1Ri$\displaystyle \left(\vphantom{ \begin{array}{c} a \\ b \end{array} }\right.$$\displaystyle \begin{array}{c} a \\ b \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{c} a \\ b \end{array} }\right)$
  = Qi+1$\displaystyle \left(\vphantom{ \begin{array}{c} r_i \\ r_{i+1} \end{array} }\right.$$\displaystyle \begin{array}{c} r_i \\ r_{i+1} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{c} r_i \\ r_{i+1} \end{array} }\right)$
  = $\displaystyle \left(\vphantom{ \begin{array}{cc} 0 & 1 \\ u^{-1}_{i+2} & - q_{i+2} u^{-1}_{i+2} \end{array} }\right.$$\displaystyle \begin{array}{cc} 0 & 1 \\ u^{-1}_{i+2} & - q_{i+2} u^{-1}_{i+2} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} 0 & 1 \\ u^{-1}_{i+2} & - q_{i+2} u^{-1}_{i+2} \end{array} }\right)$$\displaystyle \left(\vphantom{ \begin{array}{c} r_i \\ r_{i+1} \end{array} }\right.$$\displaystyle \begin{array}{c} r_i \\ r_{i+1} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{c} r_i \\ r_{i+1} \end{array} }\right)$
  = $\displaystyle \left(\vphantom{ \begin{array}{c} r_{i+1} \\ u^{-1}_{i+2} (r_i - q_{i+2} r_{i+1}) \end{array} }\right.$$\displaystyle \begin{array}{c} r_{i+1} \\ u^{-1}_{i+2} (r_i - q_{i+2} r_{i+1}) \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{c} r_{i+1} \\ u^{-1}_{i+2} (r_i - q_{i+2} r_{i+1}) \end{array} }\right)$
  = $\displaystyle \left(\vphantom{ \begin{array}{c} r_{i+1} \\ r_{i+2} \end{array} }\right.$$\displaystyle \begin{array}{c} r_{i+1} \\ r_{i+2} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{c} r_{i+1} \\ r_{i+2} \end{array} }\right)$.
(14)

Similarly, we have

Ri+1 = Qi+1Ri
  = Qi+1$\displaystyle \left(\vphantom{ \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array} }\right.$$\displaystyle \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array} }\right)$
  = $\displaystyle \left(\vphantom{ \begin{array}{cc} 0 & 1 \\ u^{-1}_{i+2} & - q_{i+2} u^{-1}_{i+2} \end{array} }\right.$$\displaystyle \begin{array}{cc} 0 & 1 \\ u^{-1}_{i+2} & - q_{i+2} u^{-1}_{i+2} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} 0 & 1 \\ u^{-1}_{i+2} & - q_{i+2} u^{-1}_{i+2} \end{array} }\right)$$\displaystyle \left(\vphantom{ \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array} }\right.$$\displaystyle \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array} }\right)$
  = $\displaystyle \left(\vphantom{ \begin{array}{cc} s_{i+1} & t_{i+1} \\ s_{i+2} & t_{i+2} \end{array} }\right.$$\displaystyle \begin{array}{cc} s_{i+1} & t_{i+1} \\ s_{i+2} & t_{i+2} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} s_{i+1} & t_{i+1} \\ s_{i+2} & t_{i+2} \end{array} }\right)$.
(15)

Property (iii) mathend000# follows from our study of Algorithm 1. Claim (iv) mathend000# follows (i) mathend000# and (ii) mathend000#. Taking the determinant of each side of (ii) mathend000# we prove (v) mathend000# as follows:

siti+1 - tisi+1 = det$\displaystyle \left(\vphantom{ \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array} }\right.$$\displaystyle \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} s_i & t_i \\ s_{i+1} & t_{i+1} \end{array} }\right)$
  = detRi
  = detQi ... detQ1det$\displaystyle \left(\vphantom{ \begin{array}{cc} s_0 & t_0 \\ s_1 & t_1 \end{array} }\right.$$\displaystyle \begin{array}{cc} s_0 & t_0 \\ s_1 & t_1 \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} s_0 & t_0 \\ s_1 & t_1 \end{array} }\right)$
  = (- 1)i(ui+1 ... u2)-1(u0-1u1-1 - 0).
(16)

Now, we prove (vi) mathend000#. If si mathend000# and ti mathend000# would have a non-invertible common factor, then it would divide siti+1 - tisi+1 mathend000#. This contradicts (v) mathend000# and proves (vi) mathend000#. We prove (vii) mathend000#. Let p $ \in$ R mathend000# be a divisor of ti mathend000#. If p | a mathend000#, then p | ri mathend000# holds since we have ri = sia + tib mathend000# from (i) mathend000#. If p | ri mathend000#, then p | sia mathend000# and, thus, p | a mathend000# since ti mathend000# and si mathend000# are relatively prime, from (vi) mathend000#. Therefore, (vii) mathend000# holds. We prove (viii) mathend000#. From (v) mathend000#, we deduce that Qi mathend000# is invertible. Then, the invertibility of Ri mathend000# follows easily from that of Qi mathend000#. It is routine to check that the proposed inverses are correct. Finally, claims (ix) mathend000# and (x) mathend000# are derived from (i) mathend000# by multiplying each side with the inverse of Ri mathend000# given in (viii) mathend000#. $ \qedsymbol$

In the case R = $ \bf k$[x] mathend000# where $ \bf k$ mathend000# is a field, the following Proposition 2 shows that the degrees of the Bézout coefficients of the Extended Euclidean Algorithm grow linearly whereas Proposition 3 shows that Bézout coefficients are essentially unique, provided that their degrees are small enough.

Proposition 2   With the same notations as in Proposition 1, we assume that R = $ \bf k$[x] mathend000# where $ \bf k$ mathend000# is a field. Then, for 2 $ \leq$ i $ \leq$ k + 1 mathend000#, we have

degsi = $\displaystyle \sum_{{{3 \leq j \leq i}}}^{{}}$degqj = n1 - ni-1 (17)

and, for 2 $ \leq$ i $ \leq$ k + 1 mathend000#, we have

degti = $\displaystyle \sum_{{{2 \leq j \leq i}}}^{{}}$degqj = n0 - ni-1 (18)

where ni = degri mathend000# for 0 $ \leq$ i $ \leq$ k mathend000#.

Proof. We only prove the first equality since the second one can be verified in a similar way. In fact, we prove this first equality together with

degsi-1 < degsi (19)

by induction on 2 $ \leq$ i $ \leq$ k + 1 mathend000#. For i = 2 mathend000#, the first equality holds since we have

degsi = deg(s0 - q2s1) = deg(1 - 0 q2) = 0 = n1 - ni-1 (20)

and the inequality holds since we have

- $\displaystyle \infty$ = degs1 < degs2 = 0. (21)

Now we consider i $ \geq$ 2 mathend000# and we assume that both properties hold for 2 $ \leq$ j $ \leq$ i mathend000#. Then, by induction hypothesis, we have

degsi-1 < degsi < ni-1 - ni + degsi = degqi+1 + degsi = deg(qi+1si) (22)

which implies

degsi+1 = deg(si-1 - qi+1si) = deg(qi+1si) > degsi (23)

and

degsi+1 = degqi+1 + degsi = degqi+1 + $\displaystyle \sum_{{{3 \leq j \leq i}}}^{{}}$degqj = $\displaystyle \sum_{{{3 \leq j \leq i+1}}}^{{}}$degqj (24)

where we used the induction hypothesis also. $ \qedsymbol$

Proposition 3   With the same notations as in Proposition 1, we assume that R = $ \bf k$[x] mathend000# where $ \bf k$ mathend000# is a field. We recall n = dega mathend000#. Let r, s, t $ \in$ $ \bf k$[x] mathend000#, with t $ \neq$ 0 mathend000#, be polynomials such that

r = sa + tb  and  degr + degt < dega. (25)

Let j $ \in$ {1,..., k + 1} mathend000# be such that

degrj $\displaystyle \leq$ degr < degrj-1. (26)

Then, there exists a non-zero $ \alpha$ $ \in$ $ \bf k$[x] mathend000# such that we have

r = $\displaystyle \alpha$rj, s = $\displaystyle \alpha$sj  and  t = $\displaystyle \alpha$tj. (27)

Proof. First, we observe that the index j mathend000# exists and is unique. Indeed, we have - $ \infty$ < degr < n mathend000# and,

- $\displaystyle \infty$ = degrk+1 < degrk < ... < degri+1 < degri < ... < dega = n. (28)

Second, we claim that

sjt = stj (29)

holds. Suppose that the claim is false and consider the following linear system over R mathend000# with $ \left(\vphantom{\begin{array}{c} f \\ g \end{array}}\right.$$ \begin{array}{c} f \\ g \end{array}$$ \left.\vphantom{\begin{array}{c} f \\ g \end{array}}\right)$ mathend000# as unknown:

$\displaystyle \left(\vphantom{ \begin{array}{cc} s_j & t_j \\ s & t \end{array} }\right.$$\displaystyle \begin{array}{cc} s_j & t_j \\ s & t \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{cc} s_j & t_j \\ s & t \end{array} }\right)$$\displaystyle \left(\vphantom{ \begin{array}{c} f \\ g \end{array} }\right.$$\displaystyle \begin{array}{c} f \\ g \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{c} f \\ g \end{array} }\right)$ = $\displaystyle \left(\vphantom{ \begin{array}{c} r_j \\ r \end{array} }\right.$$\displaystyle \begin{array}{c} r_j \\ r \end{array}$$\displaystyle \left.\vphantom{ \begin{array}{c} r_j \\ r \end{array} }\right)$ (30)

Since the matrix of this linear system is non-singular, we can solve for f mathend000# over the field of fractions of R mathend000#. Moreover, we know that $ \left(\vphantom{\begin{array}{c} f \\ g \end{array}}\right.$$ \begin{array}{c} f \\ g \end{array}$$ \left.\vphantom{\begin{array}{c} f \\ g \end{array}}\right)$ = $ \left(\vphantom{ \begin{array}{c} a \\ b \end{array} }\right.$$ \begin{array}{c} a \\ b \end{array}$$ \left.\vphantom{ \begin{array}{c} a \\ b \end{array} }\right)$ mathend000# is the solution. Hence, using Cramer's rule we obtain:

a = $\displaystyle {\frac{{ {\rm det} \left( \begin{array}{cc} r_j & t_j \\ r & t \... ... {\rm det} \left( \begin{array}{cc} s_j & t_j \\ s & t \end{array} \right) }}}$. (31)

The degree of the left hand side is n mathend000# while the degree of the right hand side is equal or less than:

deg(rjt - rtj) $\displaystyle \leq$ max(degrj + degt, degr + degtj)
  $\displaystyle \leq$ max(degr + degt, degr + n - degrj-1)
  < max(n, degrj-1 + n - degrj-1)
  = n,
(32)

by virtue of the definition of j mathend000#, Relation (25) and Proposition 2. This leads to a contradiction. Hence, we have sjt = stj mathend000#. This implies that tj mathend000# divides tsj mathend000#. Since sj mathend000# and tj mathend000# are relatively prime (Point (vi) mathend000# of Proposition 1) we deduce that tj mathend000# divides t mathend000#. So let $ \alpha$ $ \in$ $ \bf k$[x] mathend000# such that we have

t = $\displaystyle \alpha$tj. (33)

Hence we obtain sj$ \alpha$tj = stj mathend000#. Since t $ \neq$ 0 mathend000# holds, we have tj $ \neq$ 0 mathend000#, leading to

s = sj$\displaystyle \alpha$. (34)

Finally, plugging Equation (33) and Equation (34) in Equation (25), we obtain r = $ \alpha$rj mathend000#, as claimed. $ \qedsymbol$

Proposition 4   Let a, b $ \in$ $ \bf k$[x] mathend000# where $ \bf k$ mathend000# is a field. Assume deg(a) = n $ \geq$ deg(b) = m mathend000#.

Proof. See Theorem 3.11 in [GG99]. $ \qedsymbol$

Proposition 5   Let a, b $ \in$ $ \mbox{${\mathbb Z}$}$ mathend000# be multi-precision integers written with m mathend000# and m mathend000# words. Algorithm 3 can be performed in $ \cal {O}$(m n) mathend000# word operations.

Proof. See Theorem 3.13 in [GG99]. $ \qedsymbol$

next up previous
Next: Interpolation and Rational Reconstruction Up: The Euclidean Algorithm Previous: The Euclidean Algorithm
Marc Moreno Maza
2007-01-10