
Euclid

The document summarizes the Euclidean algorithm for finding the greatest common divisor (GCD) of two integers. It provides the algorithm, analyzes its runtime, and proves it will terminate in a number of steps bounded above by a linear function of the number of digits of the larger number. The runtime of the full algorithm is quadratic in the number of digits.

Uploaded by

Divya Patel

The Euclidean Algorithm

Klaus Pommerening
Fachbereich Mathematik
der Johannes-Gutenberg-Universität
Saarstraße 21
D-55099 Mainz

January 16, 2000; English version November 30, 2011; last change February 21, 2016

1 The Algorithm
Euclid’s algorithm gives the greatest common divisor (gcd) of two integers,

gcd(a, b) = max{d ∈ Z | d|a, d|b}

If for simplicity we define gcd(0, 0) = 0, we have a function

gcd : Z × Z −→ N

with the following properties:

Lemma 1 For any a, b, c, q ∈ Z we have:


(i) gcd(a, b) = gcd(b, a).

(ii) gcd(a, −b) = gcd(a, b).

(iii) gcd(a, 0) = |a|.

(iv) gcd(a − qb, b) = gcd(a, b).

Proof. Trivial; for (iv) use the equivalence d|a, b ⇐⇒ d|a − qb, b. □

One usually writes Euclid’s algorithm as a sequence of divisions with remainder:

$$r_0 = |a|, \quad r_1 = |b|, \quad \ldots, \quad r_{i-1} = q_i r_i + r_{i+1},$$

where $q_i$ is the integer quotient and $r_{i+1}$ is the unique division remainder with $0 \le r_{i+1} < r_i$. As soon as $r_n \ne 0$ and $r_{n+1} = 0$, we have $r_n = \gcd(a, b)$. For from Lemma 1 we get

$$\gcd(a, b) = \gcd(r_0, r_1) = \gcd(r_1, r_2) = \ldots = \gcd(r_n, 0) = r_n.$$

Since moreover

$$r_1 > r_2 > \ldots > r_i \ge 0 \quad \text{for all } i,$$

we reach the terminating condition $r_{n+1} = 0$ after at most $n \le |b|$ iteration steps (i.e. divisions).
A small additional consideration even gives more. Note that each $r_i$ is an integer linear combination of the two preceding division remainders, hence of |a| and |b|:

$$r_{i+1} \in \mathbb{Z} r_i + \mathbb{Z} r_{i-1} \subseteq \ldots \subseteq \mathbb{Z} r_1 + \mathbb{Z} r_0 = \mathbb{Z} a + \mathbb{Z} b;$$

for $r_0$ and $r_1$ this is immediate, and in the general case it follows by induction: Let $r_j = |a| x_j + |b| y_j$ for $0 \le j \le i$. Then

$$r_{i+1} = r_{i-1} - q_i r_i = |a| x_{i-1} + |b| y_{i-1} - q_i |a| x_i - q_i |b| y_i = |a| (x_{i-1} - q_i x_i) + |b| (y_{i-1} - q_i y_i).$$

This consideration even gives an explicit construction for the coefficients; for they satisfy the recursive formulas

$$x_{i+1} = x_{i-1} - q_i x_i \quad \text{with } x_0 = 1, \; x_1 = 0,$$

$$y_{i+1} = y_{i-1} - q_i y_i \quad \text{with } y_0 = 0, \; y_1 = 1,$$

that agree with the formula for the $r_i$ except for the start values:

$$r_{i+1} = r_{i-1} - q_i r_i \quad \text{with } r_0 = |a|, \; r_1 = |b|.$$

The extended Euclidean algorithm (sometimes called algorithm of Lagrange) is the synopsis of these three recursive formulas. In summary we have shown (if we properly adjust the signs of $x_n$ and $y_n$):

Proposition 1 The extended Euclidean algorithm gives the greatest common divisor d of two integers a and b and integer coefficients x and y with ax + by = d in finitely many steps.

Remarks
1. The least common multiple is efficiently calculated by the formula

$$\operatorname{lcm}(a, b) = \frac{ab}{\gcd(a, b)}.$$

2. One calculates the greatest common divisor of several integers by the formula

$$\gcd(\ldots(\gcd(\gcd(a_1, a_2), a_3) \ldots, a_r);$$

this allows for a bit of optimisation. An analogous statement holds for the least common multiple.

2 Analysis of Euclid’s Algorithm
The algorithm of the last section has a hidden problem: Though the quotients and division remainders are safely bounded by the input parameters, the coefficients $x_i$ and $y_i$ are uncontrolled at first sight. How can we guarantee that we don’t get an overflow, if we use the usual integer arithmetic with bounded precision? Now, the following reasoning controls the growth:

Lemma 2 For the coefficients $x_i$ and $y_i$ in the extended Euclidean algorithm we have:

(i) $x_i > 0$, if i is even, $x_i \le 0$, if i is odd, and $|x_{i+1}| \ge |x_i|$ for i = 1, ..., n.

(ii) $y_i \le 0$, if i is even, $y_i > 0$, if i is odd, and $|y_{i+1}| \ge |y_i|$ for i = 2, ..., n.

(iii) $x_{i+1} y_i - x_i y_{i+1} = (-1)^{i+1}$ for i = 0, ..., n; in particular the $x_i$ and $y_i$ are always coprime for i = 0, ..., n + 1.

(iv) $|x_i| \le |b|$, $|y_i| \le |a|$ for i = 0, ..., n + 1, if $b \ne 0$ resp. $a \ne 0$.

Proof. (Sketch.) Show (i), (ii), and (iii) by induction. From $0 = r_{n+1} = |a| x_{n+1} + |b| y_{n+1}$ then follows $x_{n+1} | b$ and $y_{n+1} | a$. □
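The three recurrences of Section 1 and the growth control of Lemma 2 can be run and checked together. The following is an added example, not code from the original notes; the function names `extended_euclid` and `lemma2_violations` are chosen here for illustration.

```python
def extended_euclid(a, b):
    """Return (d, x, y, trace) with a*x + b*y = d = gcd(a, b).

    trace[i] = (r_i, x_i, y_i) for i = 0..n+1, produced by the three
    recurrences started from r0=|a|, r1=|b|, x0=1, x1=0, y0=0, y1=1.
    """
    r_prev, r = abs(a), abs(b)
    x_prev, x, y_prev, y = 1, 0, 0, 1
    trace = [(r_prev, x_prev, y_prev), (r, x, y)]
    while r != 0:
        q = r_prev // r
        r_prev, r = r, r_prev - q * r
        x_prev, x = x, x_prev - q * x
        y_prev, y = y, y_prev - q * y
        trace.append((r, x, y))
    # r_prev is r_n; adjust signs so the identity holds for a, b, not |a|, |b|
    sign_a = -1 if a < 0 else 1
    sign_b = -1 if b < 0 else 1
    return r_prev, sign_a * x_prev, sign_b * y_prev, trace


def lemma2_violations(a, b):
    """List every index where Lemma 2 (iii) or (iv) fails; [] if none."""
    _, _, _, trace = extended_euclid(a, b)
    bad = []
    for i, (r, x, y) in enumerate(trace):
        if r != abs(a) * x + abs(b) * y:
            bad.append(("linear combination", i))
        if (b != 0 and abs(x) > abs(b)) or (a != 0 and abs(y) > abs(a)):
            bad.append(("bound (iv)", i))
        if i + 1 < len(trace):
            _, x_next, y_next = trace[i + 1]
            if x_next * y - x * y_next != (-1) ** (i + 1):
                bad.append(("determinant (iii)", i))
    return bad


if __name__ == "__main__":
    d, x, y, trace = extended_euclid(240, 46)  # constructed sample input
    print(d, x, y)
    for row in trace:
        print(row)
```

Because of (iv), an implementation on fixed-width integers needs no more headroom for the coefficients than for the inputs themselves, apart from the sign bit.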

The Euclidean algorithm is very efficient: the number of iteration steps grows only linearly with the number of digits of the input parameters, the entire execution time only quadratically. In the following we perform a quite exact analysis. Without loss of generality we may assume $b \ne 0$.
Given the length n of the division chain, how large must b be? We have $r_n \ge 1$, $r_{n-1} \ge 2$, and $r_{i-1} \ge r_i + r_{i+1}$. The Fibonacci numbers $F_n$ are recursively defined by

$$F_0 = 0, \quad F_1 = 1, \quad F_n = F_{n-1} + F_{n-2} \quad \text{for } n \ge 2.$$

Hence by induction we get $r_i \ge F_{n+2-i}$, where the induction starts with $r_n \ge 1 = F_2$, $r_{n-1} \ge 2 = F_3$; in particular we get $|b| \ge F_{n+1}$. In other words:

Proposition 2 (Binet 1841) For a, b ∈ Z with $0 < b < F_{n+1}$ the Euclidean algorithm finds the greatest common divisor in at most n − 1 iteration steps.
Addendum. This is true also for $b = F_{n+1}$, except if $a \equiv F_{n+2} \equiv F_n \pmod{b}$.

This gives a quite elegant mathematical formulation, but not yet an explicit bound. However the growth of the Fibonacci numbers is well-known. One can express it by the golden section $\varphi = \frac{1 + \sqrt{5}}{2}$, that is defined by $\varphi^2 - \varphi - 1 = 0$.

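Lemma 3 For a real number c ∈ R and an index k ∈ N let $F_k > c \cdot \varphi^k$ and $F_{k+1} > c \cdot \varphi^{k+1}$. Then $F_n > c \cdot \varphi^n$ for all n ≥ k.

Proof. (By induction.)

$$F_n = F_{n-1} + F_{n-2} > c\varphi^{n-1} + c\varphi^{n-2} = c\varphi^{n-2}(\varphi + 1) = c\varphi^n$$

for n ≥ k + 2. □

Corollary 1 $F_{n+1} > 0.43769 \cdot \varphi^{n+1}$ for n ≥ 2.

Proof.

$$\varphi^2 = \varphi + 1 = \frac{3 + \sqrt{5}}{2},$$

$$\varphi^3 = \varphi^2 + \varphi = 2 + \sqrt{5},$$

$$\varphi^4 = \varphi^3 + \varphi^2 = \frac{7 + 3\sqrt{5}}{2}.$$

Therefore

$$\frac{F_3}{\varphi^3} = \frac{2}{2 + \sqrt{5}} = \frac{2(\sqrt{5} - 2)}{1} = 2\sqrt{5} - 4 > 0.47,$$

$$\frac{F_4}{\varphi^4} = \frac{3 \cdot 2}{7 + 3\sqrt{5}} = \frac{6(7 - 3\sqrt{5})}{49 - 45} = \frac{21 - 9\sqrt{5}}{2} > 0.43769$$

which proves the assertion. □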

Corollary 2 Let a, b ∈ Z with b ≥ 2. Then the number of iteration steps in the Euclidean algorithm for gcd(a, b) is less than $0.718 + 4.785 \cdot {}^{10}\log(b)$.

Proof. If the division chain has length n, then $b \ge F_{n+1}$,

$$b \ge F_{n+1} > 0.43769 \cdot \varphi^{n+1},$$

$${}^{10}\log(b) > {}^{10}\log(0.43769) + (n + 1) \cdot {}^{10}\log(\varphi) > -0.35884 + 0.20898 \cdot (n + 1),$$

hence $n < 0.718 + 4.785 \cdot {}^{10}\log(b)$. □
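Proposition 2 and Corollary 2 can be checked by brute force for small divisors: the smallest b that forces a division chain of length n should be exactly $F_{n+1}$, and every chain should stay below the logarithmic bound. This is an added example, not part of the original notes; the function names and the search limit 150 are chosen here.

```python
import math


def division_steps(a, b):
    """Length n of the division chain r_0 = |a|, r_1 = |b|, ..., r_{n+1} = 0."""
    a, b, n = abs(a), abs(b), 0
    while b != 0:
        a, b, n = b, a % b, n + 1
    return n


def worst_case(b):
    """Largest step count for divisor b; only a mod b matters, so scan 0..b-1."""
    return max(division_steps(a, b) for a in range(b))


def smallest_b_per_length(max_b):
    """Map each chain length n to the smallest b <= max_b whose worst case is n."""
    first = {}
    for b in range(1, max_b + 1):
        first.setdefault(worst_case(b), b)
    return first


def fibonacci(k):
    """F_0 = 0, F_1 = 1, F_k = F_{k-1} + F_{k-2}."""
    f_prev, f = 0, 1
    for _ in range(k):
        f_prev, f = f, f_prev + f
    return f_prev


def corollary2_bound(b):
    """Right-hand side of Corollary 2, with the constants as given in the text."""
    return 0.718 + 4.785 * math.log10(b)


if __name__ == "__main__":
    # Columns: chain length n, smallest b needing it, F_{n+1}, bound for that b
    for n, b in sorted(smallest_b_per_length(150).items()):
        bound = round(corollary2_bound(b), 3) if b >= 2 else None
        print(n, b, fibonacci(n + 1), bound)
```

The gap between the worst case and the bound is small at Fibonacci divisors (for b = 3 it is about 0.001), so the constants in Corollary 2 cannot be rounded down.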

Somewhat coarser, but easy to remember, is the following version:

Corollary 3 Let a, b ∈ Z with b ≥ 2. Then the number of iteration steps in the Euclidean algorithm for gcd(a, b) is less than five times the number of digits of b except for b = 8, a ≡ 5 (mod 8), where 5 iteration steps are needed.

If we additionally consider the costs for the multiplication and division of large numbers depending on their number of digits, we get a working time that grows quadratically with the number of digits as shown in the following.
If a has m digits (with respect to a base B of the integers), and b has p digits, then the expense for the first division alone is already ≤ c · (m − p) · p; here c is a constant that is at most twice as large as the constant that bounds the expense for “multiplying quotient × divisor back”. Considering actual computer architectures we would take $B = 2^{32}$ or $2^{64}$, and count the basic operations addition, subtraction, multiplication, division with remainder, and comparison of 1-digit numbers (in base B) as primitive steps. Fortunately the involved numbers shrink in an exponential way along the Euclidean division chain. The division step

$$r_{i-1} = q_i r_i + r_{i+1}$$

yet requires $\le c \cdot {}^{B}\log(q_i) \, {}^{B}\log(r_i)$ primitive operations, hence the entire division chain needs

$$A(a, b) \le c \cdot \sum_{i=1}^{n} {}^{B}\log(q_i) \, {}^{B}\log(r_i) \le c \cdot {}^{B}\log|b| \cdot \sum_{i=1}^{n} {}^{B}\log(q_i) = c \cdot {}^{B}\log|b| \cdot {}^{B}\log(q_1 \cdots q_n).$$

We further estimate the product of the $q_i$:

$$|a| = r_0 = q_1 r_1 + r_2 = q_1 (q_2 r_2 + r_3) + r_2 = \ldots = q_1 \cdots q_n r_n + \cdots \ge q_1 \cdots q_n$$

and get the coarse bound

$$A(a, b) \le c \cdot {}^{B}\log|b| \cdot {}^{B}\log|a|.$$

Proposition 3 The number of primitive operations in the Euclidean algorithm for two integers a and b with ≤ m digits is $\le c \cdot m^2$.

Note that c is a known small constant.

So the expense for the Euclidean algorithm with input a and b is not significantly larger than the expense for multiplying a and b. We won’t discuss sharper estimates or potential enhancements of this bound. But note that an algorithm by Lehmer allows replacing a great amount of divisions of large numbers in the division chain by primitive operations.

3 Congruence Division
The extended Euclidean algorithm also provides a solution of the—not
entirely trivial—problem of efficient division in the ring Z/nZ of integers
mod n.

Proposition 4 Let n ∈ N, n ≥ 2, and a, b ∈ Z with gcd(b, n) = d. Then a
is divisible by b in Z/nZ, if and only if d|a. In this case there are exactly d
solutions z of zb ≡ a (mod n) with 0 ≤ z < n, and any two of them differ
by a multiple of n/d. If d = xn + yb and a = td, then z = yt is a solution.

Proof. If b divides a, then a ≡ bz (mod n), so a = bz + kn, hence d|a. For the converse let a = td. By Proposition 1 we find x, y with nx + by = d; hence nxt + byt = a and byt ≡ a (mod n). If also a ≡ bw (mod n), then b(z − w) ≡ 0 (mod n), hence z − w is a multiple of n/d. □

Proposition 4 contains an explicit algorithm for the division. An important special case is d = 1 with a notably simple formulation:

Corollary 1 If b and n are coprime, then each a in Z/nZ is divisible by b in a unique way.

Since d = 1 the calculation of the inverse y of b follows immediately from the formula 1 = nx + by; for by ≡ 1 (mod n).

Corollary 2 $(\mathbb{Z}/n\mathbb{Z})^{\times} = \{b \bmod n \mid \gcd(b, n) = 1\}$.

Therefore the invertible elements of the ring Z/nZ are exactly the equivalence classes of the integers coprime with n. The most important case is n = p prime:

Corollary 3 $\mathbb{F}_p := \mathbb{Z}/p\mathbb{Z}$ is a field.

Proof. For $b \in \mathbb{F}_p$, $b \ne 0$ there is exactly one $c \in \mathbb{F}_p$ with bc = 1. □

Corollary 4 (Fermat’s Little Theorem) $a^p \equiv a \pmod{p}$ for all a ∈ Z.

Proof. The elements ≠ 0 of $\mathbb{F}_p$ form the multiplicative group $\mathbb{F}_p^{\times}$. Because the order of an element always divides the group order, we have $a^{p-1} \equiv 1 \pmod{p}$ for a coprime with p. Otherwise we have p|a, hence $a \equiv 0 \equiv a^p \pmod{p}$. □

4 The Chinese Remainder Algorithm


The Chinese remainder problem asks for the solution of simultaneous congruences. The simplest case worth mentioning is:

Proposition 5 (Chinese Remainder Theorem) Let m and n be coprime natural numbers ≥ 1, and a, b arbitrary integers. Then there is exactly one integer x, 0 ≤ x < mn, such that

x ≡ a (mod m), x ≡ b (mod n).

Proof. Let us first show the uniqueness: If y is another solution, then y = x + km = x + ln with integers k and l, and km = ln. Since m and n are coprime we conclude n|k, k = cn,

y = x + cmn ≡ x (mod mn).

For the existence proof we try x = a + tm; then necessarily x ≡ a (mod m) and

x ≡ b (mod n) ⇐⇒ b − a ≡ x − a ≡ tm (mod n).

Such a t exists by Proposition 4. Reduce this solution x mod (mn). □

The proof was constructive and easily leads to an algorithm. In the general case, for multiple congruences, the Chinese remainder problem looks as follows:

• Given q pairwise coprime integers $n_1, \ldots, n_q \ge 1$ and q integers $a_1, \ldots, a_q$,

• find an integer x such that $x \equiv a_i \pmod{n_i}$ for i = 1, ..., q.

One approach is suitably adapting Proposition 5. More interesting is an abstract formulation that also comprises interpolation of polynomials; also in this more general formulation we recognise Proposition 5 together with its proof, if we bear in mind that for integers m and n with greatest common divisor d we have the equivalences:

m, n coprime ⇐⇒ d = 1 ⇐⇒ Zm + Zn = Z.

Proposition 6 (General Chinese Remainder Theorem) Let R be a commutative ring with 1, q ≥ 1, $\mathfrak{a}_1, \ldots, \mathfrak{a}_q \trianglelefteq R$ ideals with $\mathfrak{a}_i + \mathfrak{a}_j = R$ for $i \ne j$. Let $a_1, \ldots, a_q \in R$ be given. Then there exists an x ∈ R with $x - a_i \in \mathfrak{a}_i$ for i = 1, ..., q, and the equivalence class $x \bmod \mathfrak{a}_1 \cap \cdots \cap \mathfrak{a}_q$ is uniquely determined.

Proof. As before the uniqueness is quite simple: If $x - a_i, y - a_i \in \mathfrak{a}_i$, then $x - y \in \mathfrak{a}_i$; if this is true for all i, then $x - y \in \mathfrak{a}_1 \cap \cdots \cap \mathfrak{a}_q$.
We prove the existence by induction on q. In the case q = 1 we simply take $x = a_1$. Now let q ≥ 2, and assume y with $y - a_i \in \mathfrak{a}_i$ for i = 1, ..., q − 1 is already found. Idea: We can add to y an $s \in \mathfrak{a}_1 \cap \cdots \cap \mathfrak{a}_{q-1}$ without giving up what we already have, the solution of the first q − 1 congruences. We need the statement: For each r ∈ R there is an $s \in \mathfrak{a}_1 \cap \cdots \cap \mathfrak{a}_{q-1}$ with $r - s \in \mathfrak{a}_q$, or in other words,

$$(\mathfrak{a}_1 \cap \cdots \cap \mathfrak{a}_{q-1}) + \mathfrak{a}_q = R.$$

To prove this intermediate assertion we choose $c_i \in \mathfrak{a}_i$ for i = 1, ..., q − 1 and $b_1, \ldots, b_{q-1} \in \mathfrak{a}_q$ with $b_i + c_i = 1$. Then

$$1 = (b_1 + c_1) \cdots (b_{q-1} + c_{q-1}) = c_1 \cdots c_{q-1} + b$$

with $c_1 \cdots c_{q-1} \in \mathfrak{a}_1 \cap \cdots \cap \mathfrak{a}_{q-1}$ and $b \in \mathfrak{a}_q$.

Now for $a_q - y \in R$ choose an $s \in \mathfrak{a}_1 \cap \cdots \cap \mathfrak{a}_{q-1}$ with $a_q - y - s \in \mathfrak{a}_q$, and set x = y + s. Then $x \equiv y \equiv a_i \pmod{\mathfrak{a}_i}$ for i = 1, ..., q − 1, and $x \equiv y + s \equiv a_q \pmod{\mathfrak{a}_q}$. □

Remarks and examples

1. For R = Z or any principal ideal domain, and $\mathfrak{a}_i = R n_i$ we have $\mathfrak{a}_1 \cap \cdots \cap \mathfrak{a}_q = R(n_1 \cdots n_q)$. From this we get the usual formulation of the Chinese Remainder Theorem.

2. If R is a principal ideal domain, then the construction of the solution proceeds as follows: If $\mathfrak{a}_i = R n_i$, then choose s in the intermediate assertion such that $s = t n_1 \cdots n_{q-1}$ with

$$r - t n_1 \cdots n_{q-1} \in R n_q$$

(congruence division mod $n_q$). Therefore an explicit algorithm for the Chinese remainder problem exists in R, if one exists for the congruence division, in any case for R = Z.

3. In the case R = Z we iteratively calculate

$$x_1 = a_1 \bmod n_1, \quad s_1 = n_1,$$
$$t_i \text{ with } 0 \le t_i \le n_i - 1 \text{ and } a_i - x_{i-1} - t_i s_{i-1} \in R n_i,$$
$$x_i = x_{i-1} + t_i s_{i-1}, \quad s_i = s_{i-1} n_i.$$

In particular $s_k = n_1 \cdots n_k$. By induction one immediately proves $0 \le x_i \le s_i - 1$ for all i. Finally one gets the solution $x = x_q$. This consideration guarantees that none of the intermediate results causes an overflow. The expense essentially consists of q − 1 congruence divisions and 2 · (q − 1) ordinary integer multiplications. Therefore the total expense is of order $cq \times$ (the expense for a multiplication of long integers) with a small constant c.

4. The general look of the solution formula is

$$x = x_1 + t_1 n_1 + \cdots + t_{q-1} n_1 \cdots n_{q-1}.$$

5. As an example we treat Sun-Tsu’s problem from the 1st Century. In our notation its formulation is: Find x such that

$$x \equiv 2 \pmod{3}, \quad x \equiv 3 \pmod{5}, \quad x \equiv 2 \pmod{7}.$$

Our algorithm gives step by step:

$$x_1 = 2, \quad s_1 = 3,$$
$$1 - 3 t_2 \in 5\mathbb{Z}, \quad t_2 = 2,$$
$$x_2 = 2 + 2 \cdot 3 = 8, \quad s_2 = 15,$$
$$-6 - 15 t_3 \in 7\mathbb{Z}, \quad t_3 = 1,$$
$$x = x_3 = 8 + 1 \cdot 15 = 23.$$

6. For the polynomial ring K[T ] over a field K the interpolation problem
is a special case of the Chinese remainder problem. Our algorithm in
this case is just Newton’s interpolation procedure.
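The congruence division of Proposition 4 and the iteration of Remark 3 for R = Z, run on Sun-Tsu's problem from Remark 5, as an added example that is not part of the original notes. The function names are chosen here, and Python's built-in `pow(.., -1, m)` (Python 3.8+) stands in for the extended Euclidean algorithm when computing the inverse.

```python
from math import gcd


def congruence_divide(a, b, n):
    """All z in [0, n) with z*b ≡ a (mod n), per Proposition 4.

    Returns [] when d = gcd(b, n) does not divide a, otherwise exactly d
    solutions spaced n/d apart.
    """
    d = gcd(b, n)
    if a % d != 0:
        return []
    m = n // d
    # y*(b/d) ≡ 1 (mod n/d): the coefficient y of d = x*n + y*b, reduced mod n/d
    y = pow(b // d, -1, m) if m > 1 else 0
    z0 = (a // d) * y % m
    return [z0 + k * m for k in range(d)]


def chinese_remainder(residues, moduli):
    """Iteration of Remark 3; returns (x, steps) with steps = [(t_i, x_i, s_i)]."""
    x, s = residues[0] % moduli[0], moduli[0]
    steps = []
    for a_i, n_i in zip(residues[1:], moduli[1:]):
        # t_i with 0 <= t_i <= n_i - 1 and a_i - x_{i-1} - t_i*s_{i-1} in n_i*Z
        candidates = congruence_divide(a_i - x, s, n_i)
        if len(candidates) != 1:
            raise ValueError("moduli are not pairwise coprime")
        t = candidates[0]
        x, s = x + t * s, s * n_i
        steps.append((t, x, s))
    return x, steps


# Sun-Tsu's problem from Remark 5 (residues and moduli taken from the text)
SUN_TSU = chinese_remainder([2, 3, 2], [3, 5, 7])

if __name__ == "__main__":
    print(SUN_TSU)
    print(congruence_divide(6, 4, 10))  # constructed case with d = 2
```

Since every intermediate $x_i$ stays below $s_i$, the iteration never handles a value larger than the final modulus $n_1 \cdots n_q$.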

5 Euler’s Phi Function


An important application of the Chinese Remainder Theorem follows; we assume n ≥ 2. The integers mod n form the ring Z/nZ. The multiplicative group mod n consists of the invertible elements of this ring, and is compactly denoted by

$$M_n := (\mathbb{Z}/n\mathbb{Z})^{\times}.$$

Its order is given by the Euler ϕ function:

$$\varphi(n) = \#M_n = \#\{a \in [0 \cdots n - 1] \mid a \text{ coprime with } n\}.$$

Corollary 1 For m and n coprime, ϕ(mn) = ϕ(m)ϕ(n).

Proof. The Chinese Remainder Theorem just says that the natural ring homomorphism

$$F : \mathbb{Z}/mn\mathbb{Z} \longrightarrow \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}, \quad x \mapsto (x \bmod m, x \bmod n),$$

is bijective, hence even a ring isomorphism. Moreover $F(M_{mn}) = M_m \times M_n$. Therefore

$$\varphi(mn) = \#M_{mn} = \#M_m \cdot \#M_n = \varphi(m)\varphi(n),$$

as was to be shown. □

If p is prime, then $\varphi(p) = p - 1$. More generally $\varphi(p^e) = p^e - p^{e-1} = p^e (1 - \frac{1}{p})$, if e ≥ 1, because $p^e$ exactly has the divisors $px$ with $1 \le x \le p^{e-1}$.
From Corollary 1 we conclude:

Corollary 2 Let $n = p_1^{e_1} \cdots p_r^{e_r}$ be the prime decomposition (all $e_i \ge 1$). Then

$$\varphi(n) = n \cdot \prod_{i=1}^{r} \left(1 - \frac{1}{p_i}\right).$$
