In this tutorial, we’ll explain the extended Euclidean algorithm (EEA). It’s a tool widely used in cryptography and one of the fundamental algorithms in number theory. In addition to its recursive version, we’ll present its iterative variant.
2. Bézout’s Identity
Bézout’s identity states that the greatest common divisor (GCD) of any two integers is their linear combination. So, if is the GCD of and , then there exist integers and such that:
For example, if and , then and:
In what follows, we’ll assume that and are both positive and that . We lose no generality under those assumptions because:
which means that we can consider only the case :
- If either of and is zero, then we output the other number as their GCD and set the corresponding coefficients to and .
- If (or ) is negative, then we replace it with its absolute value.
- Finally, we can switch and if .
3. The Euclidean Algorithm (EA)
The Euclidean algorithm (EA) finds the GCD of and by using the fact that:
and applying Euclidean division until it gets zero as the remainder:
The last nonzero remainder () is the GCD of and . As we see, the recursion is:
where . We’ll find it useful to re-formulate the recursive rule so that we express the remainder in terms of the dividend and the divisor:
4. The Recursive Version of the Extended Euclidean Algorithm
The recursive extension of EA (REEA) runs just like the regular EA until it computes , the GCD of the input numbers and . At that point, it starts recursing back to the beginning, revisiting the division steps of backward. After backtracking to a division step, REEA expresses the GCD as a combination of the step’s divisor and dividend.
So, from the second-to-last division, we get:
Now, backtracking to , we replace with , so we have:
In general, let’s say we revisited the division step and expressed as a linear combination of and :
Recursing one step back, we substitute with in Equation (4):
Therefore, we obtain the following backward recursive rules:
We apply them going backward through the division steps until we finally represent the GCD as a linear combination of and :
Let’s say that and . Applying the algorithm, we do five Euclidean divisions:
Or, using recurrence (3):
After identifying the GCD, we go backward one division step. From there, we get and climb one step up to see what to substitute with:
After some elementary algebra, we get that . Then, we go up a step again to see what to replace with:
and get . In the end, we backtrack to the first division step:
and obtain Bézout’s coefficients:
5. The Iterative Version of the Extended Euclidean Algorithm
We can compute the coefficients without backtracking. The idea is to express each step’s remainder as a linear combination of and . To do so, we start by noting that:
In general, we’ll have:
and we want rules for calculating the coefficients in a step given those from the previous steps. As it turns out, we need only the coefficients from the previous two steps. So, let’s suppose that we know , , , and for some :
Using Equation (3), we get:
Hence, these are our forward recurrences for the coefficients:
We start from and and gradually work our way through division steps until we calculate the GCD, at which point we also obtain the sought Bézout’s coefficients:
This is how it’ll look like step by step:
This iterative form of the EEA is equivalent to the Blankinship method for two numbers, which extends EA to find the GCD and Bézout’s coefficients of numbers, not just two.
Let’s reuse the example for REEA. Here, we compute the coefficients as we perform Euclidean divisions. The first remainder, , is a direct linear combination of and :
Next, we divide with . Then, we express the remainder as a linear combination of and and replace with the expression we got in the previous step:
We obtain the coefficients repeating the step. After each division step, we express the remainder in terms of the current dividend and the divisor. Since both have appeared as remainders previously, we replace them with the corresponding linear combinations and simplify the expressions:
W get the same result as with REEA in the end, but without recursion. Generally, the iterative variant should be faster because it avoids recursive calls and keeps the same frame.
5.2. Speeding up the Algorithm
As we see from the recurrences (10), the -coefficients and -coefficients don’t depend on one another. Moreover, from the final form:
we can calculate the final if we know the final :
and the other way around. So, there’s no need to compute both coefficients as we make division steps. That cuts the number of operations by a third.
6. How Many Coefficients Are There?
The Bézout’s coefficients are not unique, In fact, if is one pair of Bézout’s coefficients for and , then all the coefficients are of the form:
Only two pairs satisfy:
and EEA always finds one such pair.
In this article, we presented the recursive and iterative forms of the Extended Euclidean Algorithm. It’s used for finding Bézout’s coefficients of two integer numbers and has applications in cryptography.