UMBC CMSC203, Discrete Structures, Fall 2010

The Extended Euclid Algorithm

Richard Chang, CSEE Dept, University of Maryland Baltimore County
Updated: March 3, 2009

Consider the following theorem in number theory:

Theorem. For all positive integers a and b there exist integers s and t such that

as + bt = gcd(a, b).

The proof of this theorem can be found in an exercise in the Rosen textbook. However, the proof merely shows that s and t exist. It doesn't show how to find s and t. The Extended Euclid algorithm can be used to find s and t.

Finding s and t is especially useful when we want to compute multiplicative inverses. Suppose that gcd(a, n) = 1. (That is, a and n are relatively prime.) We have seen that in this situation a has a multiplicative inverse modulo n. That is, there exists an integer, which we call a-1, such that

aa-1 ≡ 1    (mod n).
Using the theorem above, we can find s and t so that
as + nt = 1.
Since gcd(a, n) = 1. Now, notice that
as = 1 - nt.
Now, nt ≡ 0 modulo n, so
as ≡ 1    (mod n).
Therefore, sa-1 modulo n and we have found the multiplicative inverse of a.

The Algorithm

Here's the pseudo-code for the Extended Euclid algorithm: ExtEuclid (a,b) { // returns a triple (d,s,t) such that d = gcd(a,b) and // d == a*s + b*t if (b == 0) return (a,1,0) ; (d1, s1, t1) = ExtEuclid(b,a%b) ; d = d1 ; s = t1 ; t = s1 - (a div b) * t1 ; // note: div = integer division return (d,s,t) ; } Note that when the triple (d,s,t) is returned and assigned to the triple (d1,s1,t1) then d is assigned to d1, s is assigned to s1 and t is assigned to t1. Also, we use div to indicate integer division. For example, 5 div 2 evaluates to 2.

Proof of Correctness:   So, why should this work? Technically, this requires a proof by induction, which we haven't covered yet. But, informally, the proof that the function ExtEuclid() works correctly depends on the fact that the recursive calls to ExtEuclid() work correctly. Since the value of the second parameter is smaller in each recursive call, we won't have infinite recursion. That is, the value of b becomes smaller and smaller until it finally gets to 0.

When b is 0 (this is called the base case), ExtEuclid(a,0) returns the right value because the value returned is (a, 1, 0) and a is indeed equal to a*1 + 0*0.

For larger values of b, consider the values of d1, s1 and t1 right after the recursive call:

(d1, s1, t1) = ExtEuclid(b,a%b) ; Assuming that ExtEuclid() works correctly so far, we must have: d1 == b * s1 + (a % b) * t1 Note that we can rewrite a % b as (a - b * (a div b) ). (This is how you might calculate a % b on a basic calculator that doesn't do remainders.) So, we have: d1 == b * s1 + (a - b * (a div b) ) * t1 Rearraning the terms gives us: d1 == a * t1 + b * (s1 - (a div b) * t1) Thus, returning the value (d, s, t) where d is d1, s is t1 and t is s1 - (a div b) * t1 has the desired effect.

Note that we have already argued for the regular Euclid's algorithm that gcd(a, b) == gcd(b, a%b) So, this completes the proof.

QED

An Example

Now, let's do an example. We let a = 99 and b = 78 and call ExtEuclid(99,78). We use the following table to keep track of recursive calls to ExtEuclid.

  a b a div b d s t
199781
2
3
4
5
6

Since 78 is not 0, we call ExtEuclid() recursively with parameters 78 and 21 because 99 % 78 is 21. Our table becomes:

  a b a div b d s t
199781
278213
3
4
5
6

The recursive calls to ExtEuclid continues until we have b == 0. Then ExtEuclid returns the triple (3,1,0) and our table looks like:

  a b a div b d s t
199781
278213
321151
415 62
5 6 32
6 3 0-310

The 5th call to ExtEuclid now receives the return values from the 6th call and has d1 = 3, s1 = 1 and t1 = 0. Still within the 5th call, we calculate that d = d1 = 3, s = t1 = 0 and

t = s1 - (a div b) * t1 = 1 - 2 * 0 = 1 So the table becomes:

  a b a div b d s t
199781
278213
321151
415 62
5 6 32301
6 3 0-310

The 4th receives the values d1 = 3, s1 = 0 and t1 = 1 from the 5th call, then computes s = t1 = 1 and

t = s1 - (a div b) * t1 = 0 - 2 * 1 = -2 Note that the value of d will remain the same. Our table becomes:

  a b a div b d s t
199781
278213
321151
415 6231-2
5 6 32301
6 3 0-310

In the 3rd call, s = -2 and

t = s1 - (a div b) * t1 = 1 - 1 * (-2) = 3

  a b a div b d s t
199781
278213
3211513-23
415 6231-2
5 6 32301
6 3 0-310

In the 2nd call, s = 3 and

t = s1 - (a div b) * t1 = -2 - 3 * (3) = -11

  a b a div b d s t
199781
27821333-11
3211513-23
415 6231-2
5 6 32301
6 3 0-310

Finally, in the 1st call, s = -11 and

t = s1 - (a div b) * t1 = 3 - 1 * (-11) = 14

  a b a div b d s t
1997813-1114
27821333-11
3211513-23
415 6231-2
5 6 32301
6 3 0-310

Now, we can verify that 99 ⋅ (-11) + 78 ⋅ 14 = 3. So, we've found the s and t such that a s + b t = gcd(a,b).

An Example for Multiplicative Inverses

Suppose that we want to find the multiplicative inverse of 60 modulo 13. We know this inverse exists because gcd(60,13) = 1. Running ExtEuclid(60,13) will give us this table. (We won't produce the table step by step, but you should confirm the calculations yourself.)

  a b a div b d s t
16013415-23
213 811-35
3 8 5112-3
4 5 311-12
5 3 2111-1
6 2 12101
7 1 0-110

We can check the final return value is correct: 60 ⋅ 5 + 13 ⋅ (-23) = 300 − 299 = 1. This also shows that 5 is the multiplicative inverse of 60, because (60 * 5) % 13 = 300 % 13 = 1.

Last Modified: 22 Jul 2024 11:29:45 EDT by Richard Chang
to Fall 2010 CMSC 203 Homepage