# GCD and Euclid's Algorithm

We will first review some grade school number theory and an _ancient_ algorithm attributed to Euclid in his book _Elements_. 

First, we review the concept of the greatest common divisor (GCD) of two numbers.
<div class="alert alert-block alert-info">

  Given two  integers $m, n$ that are not both zero, their greatest common divisor $GCD(m, n)$ is the largest number $k$ that divides both $m, n$.

</div>

By convention, we will have (a)  $GCD(m, n)$ be a positive number, (b) $GCD(m, n) = GCD(n, m)$,  (c) $GCD(m, 0) = m$ for $m \not= 0$ and (d) $GCD(0,0)$  be undefined.

### Examples
 - $GCD(15, 12) = 3$
 - $GCD(35, 14) = 7$
 - $GCD(75, 15) = 15$
 - $GCD(7, 9) = 1$
 - $GCD(18, 18) = 18$
 - $GCD(n, 1) = 1$ for all $n$.
 
 
<div class="alert alert-block alert-warning">

  Two numbers $m, n$ are <i> relatively prime </i> if $GCD(m,n) = 1$.

</div>

Given two numbers $m, n$, we can find their GCDs using Euclid's algorithm. The key insight into Euclid's algorithm is as follows:

<div class="alert alert-block alert-info">

For all integers $m$ and $n \not= 0$, $GCD(m, n) = GCD(n,\ m \bmod n)$ (recall $m \bmod n$ is the reminder when $m$ is divided by $n$).

</div>

**Proof** Let $r = (m \bmod n)$. Therefore, $m = q n +r $ for some quotient $q$.  We will prove that any number that divides both $m, n$  will also divide both $n, r$, and vice-versa.  

Let $k$ divide $m, n$. 
Therefore, $m = q_1 k$ and $n = q_2 k$ for integers $q_1, q_2$. Hence, $r = m - q n = q_1 k - q q_2 k = (q_1 - q q_2)k$. Therefore, $k$ divides $r$.

Similarly, suppose $k$ divides $n, r$, then $n = k_1 k$ and $r = k_2 k$ for some integers $k_1, k_2$. Thus, 
$m = q n + r = q k_1 k + k_2 k = (q k_1 + k_2) k$. Therefore, $k$ divides $m$ as well. 

The _common divisors_ of $m, n$ are all common divisors of $n, r$ and vice-versa. Therefore, $GCD(m, n) = GCD(n, r)$. __QED__

Therefore, Euclid's algorithm for finding the GCD of two numbers $m, n$ where $m \geq n$, recursively seeks to find the GCD of $n, m \bmod n$. 

In [None]:
def euclids_algorithm(m, n):
    if m < 0: 
        m = -m  # make them positive
    if n < 0: 
        n = -n 
    if m < n:
        (m, n) = (n, m) 
    assert m >= n and m >= 1 and n >= 0
    if n == 0:
        return m if m != 0 else None 
    
    print(f'GCD({m}, {n})')
    
    while n > 0:
        (m, n) = (n, m % n) # the new value of m = n, and new value n = m % n
        print(f'= GCD({m}, {n})')

    assert n == 0
    print(f'= {m}')
    return m

In [None]:
euclids_algorithm(15, 12)

In [None]:
euclids_algorithm(35, 14)

In [None]:
euclids_algorithm(10, 10)

In [None]:
euclids_algorithm(75, 15)

In [None]:
euclids_algorithm(7, 9)

In [None]:
euclids_algorithm(10909014081, 1092091)

## Running Time of Euclid's Algorithm 

How fast is Euclid's algorithm? Suppose we have two numbers $m, n$ as input, we need to figure out a bound on the number of times the while loop in Euclid's algorithm runs in terms of the sizes of $m, n$.

<div class="alert alert-block alert-warning">

  The size of a number is measured in terms of the number of bits in its binary representation. Typically, the size of a number $n$ is given by (the smallest whole number greater than or equal to) $1+\log_2(n)$.

</div>

For instance, the size of the number $256$ is $9$ since it can be represented by a $1$ followed by $8$ zeros in binary.  However, we will simply write $\log_2(n)$ to denote the size of the number $n$, dispensing with the rounding up to the nearest whole number or the extra bit etc..


The question thus becomes: Given two numbers $m, n$ whose sizes are $\log_2(m)$ and $\log_2(n)$ respectively, how long does Euclid's algorithm take _in the worst case_.

We will turn the question on its head and instead answer the following question: How big do $m, n$ have to be for the while loop in Euclid's algorithm to run $k$ steps. For instance, see above for an instance where Euclid's algorithm runs $7$ steps. But the numbers involved are fairly big. If we wanted to make Euclid's algorithm run $15$ steps, how big do the numbers have to be?

Recall Fibonacci numbers are given by the sequence: 
$$ F_0 = 0, F_1 = 1, F_2 = 1, F_3 = 2, F_4 = 3, F_5 = 5, F_6 = 8, F_7 = 13, F_8 = 21, \ldots $$

In other words, they are formed by setting $F_0 = 0, F_1 = 1$ and the rule $F_{k+2} = F_k + F_{k+1}$ for all $k \geq 0$.

Assume, we are running Euclid's algorithm on twwo numbers $m, n$ where $m \geq n$, $m > 0$ and $n \geq 0$.

<div class="alert alert-block alert-info">

<b> Theorem: </b> 

For Euclid's algorithm's while loop to run at least $k$ steps, we need  $n \geq F_{k}$ and $m \geq F_{k+1}$.

</div> 

Proof is by induction on $k$, the number of times Euclid's algorithm runs. 

**Base Case** For $k = 0$, we verify (trivially) that if the algorithm runs for at least $0$ steps, 
then $n \geq 0$  and $m \geq 1$. This holds trivially from what we assumed about the algorithm's inputs.
    
**Induction** Suppose for some $k \geq 0$, if Euclid's algorithm runs at least $k$ iterations of the while loop then $n \geq F_{k}$ and $m \geq F_{k+1}$. 

Let us assume for some $\hat{m}, \hat{n}$ inputs that Euclid's algorithm runs at least $k+1$ steps of the while loop. Note that $\hat{m} \geq \hat{n}$. 

The very first iteration sets $m_1 = \hat{n}$ and $n_1 = (\hat{m} \bmod \hat{n})$. Now, if we input $(m_1, n_1)$ to Euclid's algorithm, it would run at least $k$ steps. Therefore, by induction hypothesis, 
$m_1 \geq F_{k+1}$ and $n_1 \geq F_k$.  In otherwords, $\hat{n} = m_1 \geq F_{k+1}$. Also,

$$F_{k} \leq n_1 = \hat{m} \bmod \hat{n} \leq \hat{m} - \hat{n} \,.$$ 
Rearranging, we have $ \hat{m} \geq F_k + \hat{n} \geq F_k + F_{k+1} \geq F_{k+2}$. 

The theorem is thus established by induction. __QED__

As an illustration, let us make Euclid's algorithm run $15$ steps.


In [None]:
euclids_algorithm(987, 610)

Notice how Fibonacci numbers appear in the successive iterations of the algorithm. Next, we note the following well known fact:

<div class="alert alert-block alert-info">

  For all $k \geq 2$, $F_k \geq (1.6)^{k-2}$.

</div>

**Proof** Proof is by induction. We verify the base cases: the result holds for $k = 2$, $F_2 = 1 \geq 1.6^0 \geq 1$ and $k = 3$,  $F_3 = 2 \geq 1.6^1 = 1.6$.

Suppose it holds two consecutive numbers $k, k+1$ where $k \geq 2$.
$$F_{k+2} = F_k + F_{k+1} \geq 1.6^{k-2} + 1.6^{k-1} \geq 1.6^{k} \left(\frac{1}{1.6^2} + \frac{1}{1.6}\right) = 1.015625 \times 1.6^{k} \geq 1.6^{k}\,.$$
The result is thus proven using induction. __QED__

<div class="alert alert-block alert-info">

The running time of Euclid's algorithm on two inputs $m, n$ each of size $l$ bits is $O(l)$.

</div>

Let $m, n$ be two numbers of at most $l$ bits. Therefore, $m \leq 2^l$ and $n \leq 2^l$. Suppose Euclid's algorithm ran for $k$ steps on $m, n$ then we conclude that $m \geq F_{k+1}$, the $(k+1)^{th}$ Fibonacci number. 
Therefore, $2^l \geq m \geq 1.6^{k-1}$. Hence, $ (k-1) \log(1.6) \leq l$. Therefore, $k \leq 1 + \frac{l}{\log(1.6)} = O(l)$. __QED__


<div class="alert alert-block alert-info">

  Euclid's algorithm runs in time linear in the number of bits needed to represent its inputs $m, n$.

</div>


## Bezout's Theorem and Extended Euclid's Algorithm

Next, we will go over a simple extension to Euclid's algorithm that will be quite helpful in developing the RSA cryptosystem. This is a theorem by the famous French mathematician Etienne Bezout.

Given two numbers say $16$ and $12$, we consider all numbers that can be written in the form 
$16s + 12t$ for integers $16, 12$. 
  - With $s = t = 1$, we get $28$.
  - With $s= 1, t= -1$, we get $4$.
  - With $s = -2, t = 3$, we get $4$.
  - With $s = 2, t= -2$, we obtain $8$.
  - ...

What can we say about the (non-negative) numbers that we can generate in this fashion? Notice that they are all multiples of $4$ and in fact, $4$ is the smallest such natural number. In fact, we cannot write
$16s + 12t = 1$ for any choice of integers $s, t$.


<div class="alert alert-block alert-warning">

  Given $m, n$ where $m \geq 1$ and $n \geq 0$, we can write $GCD(m, n) = s \times m + t \times n$ for integers $s, t$.

</div> 

We will give an "algorithmic" proof by extending Euclid's algorithm to not just generate the GCD of two numbers but also provide the "Bezout coefficients".

In [None]:
def extended_euclid(m, n):
    assert m >= 1 and n >= 0 and m >= n
    m0, n0 = m, n # let's rememver the initial values
    (s, t) = (1, 0)# m = s * m0 + t * n0
    (s_hat, t_hat) = (0, 1) # n = s_hat * m0 + t_hat * n0
    while n > 0:
        assert m == s * m0 + t * n0
        assert n == s_hat * m0 + t_hat * n0
        q = m // n # compute the integer quotient 
        r = m % n # the reminder 
        # m = q * n + r, or alternatively, r = m - q * n = (s-q*s_hat) * m_0 + (t - q * t_hat)* n_0  
        a, b = (s - q*s_hat, t - q * t_hat)
        (m, n, s, t, s_hat, t_hat) = (n, r, s_hat, t_hat, a, b)
        print(f'GCD({m0}, {n0}) = GCD({m}, {n})')
        print(f'\t {m} = {s}*{m0} + {t} * {n0}')
        print(f'\t {n} = {s_hat}*{m0} + {t_hat} * {n0}')
    return m, s, t
        

In [None]:
(g, s, t) = extended_euclid(16, 12)

In [None]:
(g, s, t) = extended_euclid(19, 17)

The actual proof of Bezout's theorem is through induction. But the extended Euclid's algorithm shows that we can systematically construct/maintain the Bezout coefficients as we run Euclid's algorithm.

Here is a corollary we will use in our derivation of the RSA cryptosystem.

<div class="alert alert-block alert-info">

  If two numbers $m, n$ are relatively prime, then there exists integers $s, t$ such that 
  $s m + tn = 1$.

</div>

Note that two numbers are relatively prime iff their GCD is $1$. The rest is by Bezout's theorem. 

In [None]:
extended_euclid(60, 13)

Hopefully, the small primer on number theory brings back some memories from high-school and undergraduate mathematics. If not, welcome to the party!! Please get comfortable with the concepts in these notes and review the proofs, especially proof by induction.  Next, we will derive the RSA scheme for _public key_ cryptography.