CSE 311 Lecture 14:
Euclidean Algorithm and Modular Equations

Emina Torlak and Kevin Zatloukal

Topics

Primes and GCD
A quick review of Lecture 13.
Euclidean algorithm
Computing GCDs with the Euclidean algorithm.
Extended Euclidean algorithm
Bézout’s theorem and the extended Euclidean algorithm.
Modular equations
Solving modular equations with the extended Euclidean algorithm.
Modular exponentiation
A fast algorithm for computing $a^k\ \text{mod}\ m$.

Primes and GCD

A quick review of Lecture 13.

Primes and composites: definitions and theorems

Prime number
An integer $p > 1$ is called prime if its only positive factors are $1$ and $p$.
Composite number
An integer $c > 1$ is called composite if it is not prime.
Fundamental theorem of arithmetic
Every positive integer greater than 1 has a unique prime factorization.
Euclid’s theorem
There are infinitely many primes.

Greatest common divisor (GCD): definition

Greatest common divisor (GCD)
The greatest common divisor of integers $a$ and $b$, written as $\gcd{a}{b}$, is the largest integer $d$ such that $d\vert a$ and $d\vert b$.

We can compute GCDs efficiently using the Euclidean algorithm. Invented in 300 BC!

Euclidean algorithm

Computing GCDs with the Euclidean algorithm.

Euclidean algorithm is based on two useful facts

$\gcd{a}{0}$
If $a$ is a positive integer, then $\gcd{a}{0} = a$.

Proof follows straightforwardly from the definition of GCD and divisibility.

GCD and modulo
If $a$ and $b$ are positive integers, then $\gcd{a}{b} = \gcd{b}{\mod{a}{b}}$.
Proof:
First note that by definition of mod, $a = qb + \mod{a}{b}$ for some integer $q=\div{a}{b}$.
Now, let $d$ be a common divisor of $a$ and $b$. Then $d\vert a$ and $d\vert b$, so $a=kd$ and $b=jd$ for some $k,j\in\Z$. Therefore, $\mod{a}{b} = a - qb = kd - qjd = d(k-qj)$. So, $d\vert (\mod{a}{b})$.
Next, let $e$ be a common divisor of $b$ and $\mod{a}{b}$. Then $e\vert b$ and $e\vert (\mod{a}{b})$, so $b=me$ and $\mod{a}{b}=ne$ for some $m,n\in\Z$. Therefore, $a = qb + \mod{a}{b} = qme + ne $. So, $e\vert a$. This shows that $a,b$ and $b, \mod{a}{b}$ have the same set of common divisors, and must therefore have the same greatest common divisor. $\qed$

Euclidean algorithm

Apply $\gcd{a}{b} = \gcd{b}{\mod{a}{b}}$ until you get $\gcd{a}{0} = a$.

Example implementation:

// Assumes a >= b >= 0.
public static int gcd(int a, int b) {
  if (b == 0)
    return a;             // GCD(a, 0) = a
  else  
    return gcd(b, a % b); // GCD(a, b) = GCD(b, a mod b)
}
$\gcd{660}{126}$
$= \gcd{126}{\mod{660}{126}} = \gcd{126}{30}$
$= \gcd{30}{\mod{126}{30}} = \gcd{30}{6}$
$= \gcd{6}{\mod{30}{6}} = \gcd{6}{0}$
$= 6$

In tableau form:

660 = 5 * 126 + 30
126 = 4 * 30 + 6
30 = 5 * 6 + 0

Extended Euclidean algorithm

Bézout’s theorem and the extended Euclidean algorithm.

Bézout’s theorem about GCDs

Bézout’s theorem
If $a$ and $b$ are positive integers, then there exist integers $s$ and $t$ such that $\gcd{a}{b} = sa + tb$.

We can extend Euclidean algorithm to find $s$ and $t$ in addition to computing $\gcd{a}{b}$.

Extended Euclidean algorithm

  1. Compute GCD and keep the tableau.

$\gcd{35}{27} = 35s + 27t$.

$a$ $=$ $q$ $*$ $b$ $+$ $r$
$35$ $=$ $1$ $*$ $27$ $+$ $8$
$27$ $=$ $3$ $*$ $8$ $+$ $3$
$8$ $=$ $2$ $*$ $3$ $+$ $2$
$3$ $=$ $1$ $*$ $2$ $+$ $1$
$\gcd{a}{b}$   $\gcd{b}{\mod{a}{b}}$   $r=\mod{a}{b}$
$\gcd{35}{27}$ $=$ $\gcd{27}{\mod{35}{27}}$ $=$ $\gcd{27}{8}$
  $=$ $\gcd{8}{\mod{27}{8}}$ $=$ $\gcd{8}{3}$
  $=$ $\gcd{3}{\mod{8}{3}}$ $=$ $\gcd{3}{2}$
  $=$ $\gcd{2}{\mod{3}{2}}$ $=$ $\gcd{2}{1}$
  $=$ $\gcd{1}{\mod{2}{1}}$ $=$ $\gcd{1}{0}$

Extended Euclidean algorithm

  1. Compute GCD and keep the tableau.
  2. Solve the equations for $r$ in the tableau.

$\gcd{35}{27} = 35s + 27t$.

$a$ $=$ $q$ $*$ $b$ $+$ $r$
$35$ $=$ $1$ $*$ $27$ $+$ $8$
$27$ $=$ $3$ $*$ $8$ $+$ $3$
$8$ $=$ $2$ $*$ $3$ $+$ $2$
$3$ $=$ $1$ $*$ $2$ $+$ $1$
$r$ $=$ $a$ $-$ $q$ $*$ $b$
$8$ $=$ $35$ $-$ $1$ $*$ $27$
$3$ $=$ $27$ $-$ $3$ $*$ $8$
$2$ $=$ $8$ $-$ $2$ $*$ $3$
$1$ $=$ $3$ $-$ $1$ $*$ $2$

Extended Euclidean algorithm

  1. Compute GCD and keep the tableau.
  2. Solve the equations for $r$ in the tableau.
  3. Back substitute the equations for $r$.

$\gcd{35}{27} = 35s + 27t$.

$r$ $=$ $a$ $-$ $q$ $*$ $b$
$8$ $=$ $35$ $-$ $1$ $*$ $27$
$3$ $=$ $27$ $-$ $3$ $*$ $8$
$2$ $=$ $8$ $-$ $2$ $*$ $3$
$1$ $=$ $3$ $-$ $1$ $*$ $2$
$r_i = r_{i-2} - q_i*r_{i-1}$
$r_0 = a = 35$
$r_1 = b = 27$
$r_2 = r_0 - q_2*r_1 = 8$
$r_3 = r_1 - q_3*r_2 = 3$
$r_4 = r_2 - q_4*r_3 = 2$
$r_5 = r_3 - q_5*r_4 = 1$
$1\ $ $ = \ra{3} - 1 * \rb{2}$ $r_5 = \ra{r_3} - q_5 * \rb{r_4}$.
  $ = 3 - 1 * (\ra{8} - 2 * \rb{3})$ Plug in $r_4 = \ra{r_2} - q_4 * \rb{r_3}$.
  $ = (-1) * \ra{8} + 3*\rb{3}$ Combine $\ra{r_2}, \rb{r_3}$ terms.
  $ = (-1) * 8 + 3*(\ra{27} - 3*\rb{8})$ Plug in $r_3 = \ra{r_1} - q_3 * \rb{r_2}$.
  $ = 3 * \ra{27} + (-10) * \rb{8}$ Combine $\ra{r_1}, \rb{r_2}$ terms.
  $ = 3 * 27 + (-10) * (\ra{35} - 1*\rb{27})$ Plug in $r_2 = \ra{r_0} - q_2 * \rb{r_1}$.
  $ = (-10) * \ra{35} + 13 * \rb{27}$ Combine $\ra{r_0}, \rb{r_1}$ terms.

Multiplicative inverse $\mod{}{m}$

Suppose $\gcd{a}{m} = 1$.

By Bézout’s theorem, there exist integers $s$ and $t$ such that $sa + tm = 1$.

$\mod{s}{m}$ is the multiplicative inverse of $a$ modulo $m$
$1 = \mod{(sa+tm)}{m} = \mod{sa}{m}$

In other words, $\mod{s}{m}$ is the multiplicative inverse of $\mod{a}{m}$ iff $\congruent{sa}{1}{m}$.

So, we can compute multiplicative inverses with the extended Euclidean algorithm. These inverses let us solve modular equations.

Modular equations

Solving modular equations with the extended Euclidean algorithm.

Using multiplicative inverses to solve modular equations

Solve: $\congruent{7x}{1}{26}$

① Compute GCD and keep the tableau.

② Solve the equations for $r$ in the tableau.

$a$ $=$ $q$ $*$ $b$ $+$ $r$
$26$ $=$ $3$ $*$ $7$ $+$ $5$
$7$ $=$ $1$ $*$ $5$ $+$ $2$
$5$ $=$ $2$ $*$ $2$ $+$ $1$
$r$ $=$ $a$ $-$ $q$ $*$ $b$
$5$ $=$ $26$ $-$ $3$ $*$ $7$
$2$ $=$ $7$ $-$ $1$ $*$ $5$
$1$ $=$ $5$ $-$ $2$ $*$ $2$

③ Back substitute the equations for $r$.

④ Solve for $x$.

  • Multiplicative inverse of 7 mod 26
    • $\mod{(-11)}{26}=15$
  • So, $x=26k + 15$ for $k\in\Z$.

Solving a more general equation

Solve: $\congruent{7y}{3}{26}$

We computed that 15 is the multiplicative inverse of 7 modulo 26:
That is, $\congruent{7 * 15}{1}{26}$.
By the multiplication property of mod, we have
That is, $\congruent{7 * 15 * 3}{1 * 3}{26}$.
So, any $\congruent{y}{15 * 3}{26}$ is a solution.
That is, $y = 19 + 26k$ for any $k\in\Z$ is a solution.

Solving equations modulo a prime number

$\gcd{a}{m}=1$ if $m$ is prime and $0 < a < m$, so we can always solve modular equations for prime $m$.

$+$ 0 1 2 3 4 5 6
0 0 1 2 3 4 5 6
1 1 2 3 4 5 6 0
2 2 3 4 5 6 0 1
3 3 4 5 6 0 1 2
4 4 5 6 0 1 2 3
5 5 6 0 1 2 3 4
6 6 0 1 2 3 4 5
$*$ 0 1 2 3 4 5 6
0 0 0 0 0 0 0 0
1 0 1 2 3 4 5 6
2 0 2 4 6 1 3 5
3 0 3 6 2 5 1 4
4 0 4 1 5 2 6 3
5 0 5 3 1 6 4 2
6 0 6 5 4 3 2 1

Modular exponentiation

A fast algorithm for computing $a^k\ \text{mod}\ m$.

The modular exponentiation problem: $\mod{a^k}{m}$

How would you compute $\mod{78365^{81453}}{104729}$?

Naive approach
First compute ${78365^{81453}}$.
Then take the result modulo $104729$.
This works but is very inefficient …
The intermediate result ${78365^{81453}}$ is a 1,324,257-bit number!
But we only need the remainder mod 104,729, which is 17 bits.

To keep the intermediate results small, we use fast modular exponentiation.

Repeated squaring: $\mod{a^k}{m}$ for $k = 2^i$

If $k = 2^i$, we can compute $\mod{a^k}{m}$ in just $i$ steps.

Note that $\congruent{\mod{a}{m}}{a}{m}$ and $\congruent{\mod{b}{m}}{b}{m}$. So, we have $\mod{ab}{m} = \mod{((\mod{a}{m})(\mod{b}{m}))}{m}$.

For example:

What if $k$ is not a power of 2?

Fast exponentiation: $\mod{a^k}{m}$ for all $k$

Example implementation:

// Assumes a > 0, k >= 0, m > 0.
public static long fastModExp(long a, long k, long m) {
    if (k == 0) {            // k = 0
        return 1;
    } else if (k % 2 == 0) { // k is even
        long tmp = fastModExp(a, k/2, m);
        return (tmp * tmp) % m;
    } else {                // k is odd
        long tmp = fastModExp(a, k-1, m);
        return (a * tmp) % m;
    }
}

$\mod{78365^{81453}}{104729} = 45235$

Fast exponentiation: how fast is it?

Note that 81453 is 10011111000101101 in binary.
$81453 = 2^{16} + 2^{13} + 2^{12} + 2^{11} + 2^{10} + 2^{9} + 2^{5} + 2^{3} + 2^{2} + 2^{0}$
$a^{81453} = a^{2^{16}} * a^{2^{13}} * a^{2^{12}} * a^{2^{11}} * a^{2^{10}} * a^{2^{9}} * a^{2^{5}} * a^{2^{3}} * a^{2^{2}} * a^{2^{0}}$

The fast exponentiation algorithm computes $\mod{a^k}{m}$ using $\leq 2\log k$ multiplications mod $m$.

Using fast modular exponentiation: RSA encryption

Alice chooses random 512-bit (or 1024-bit) primes $p, q$ and exponent $e$.
Alice computes $m=pq$ and broadcasts $(m, e)$, which is her public key.
She also computes the multiplicative inverse $d$ of $\mod{e}{(p-1)(q-1)}$, which serves as her private key.
To encrypt a message $a$ with Alice’s public key, Bob computes $C = \mod{a^e}{m}$.
This computation uses fast modular exponentiation.
Bob sends the ciphertext $C$ to Alice.
To decrypt $C$, Alice computes $\mod{C^d}{m}$.
This computation also uses fast modular exponentiation.
It works because $\mod{C^d}{m} = a$ for $0 < a < m$ unless $p\vert a$ or $q \vert a$.

Summary

$\gcd{a}{b}$ is the greatest integer that divides both $a$ and $b$.
It can be computed efficiently using the Euclidean algorithm.
By Bézout’s theorem, $\gcd{a}{b} = sa + tb\,$ for some integers $s, t$.
$s, t$ can be computed using the extended Euclidean algorithm.
If $\gcd{a}{b} = 1$, $\mod{s}{b}$ is the multiplicative inverse of $a$ modulo $b$.
Multiplicative inverses can be used to solve modular equations.
Fast modular exponentiation efficiently computes $\mod{a^k}{m}$.
Important practical applications include public-key cryptography (RSA).