A Binary Recursive Gcd Algorithm

Transcription

1 A Binary Recursive Gcd Algorithm Damien Stehlé and Paul Zimmermann LORIA/INRIA Lorraine, 615 rue du jardin otanique, BP 101, F-5460 Villers-lès-Nancy, France, Astract. The inary algorithm is a variant of the Euclidean algorithm that performs well in practice. We present a quasi-linear time recursive algorithm that computes the greatest common divisor of two integers y simulating a slightly modified version of the inary algorithm. The structure of our algorithm is very close to the one of the well-known Knuth-Schönhage fast gcd algorithm; although it does not improve on its O(M(n) log n) complexity, the description and the proof of correctness are significantly simpler in our case. This leads to a simplification of the implementation and to etter running times. 1 Introduction Gcd computation is a central task in computer algera, in particular when computing over rational numers or over modular integers. The well-known Euclidean algorithm solves this prolem in time quadratic in the size n of the inputs. This algorithm has een extensively studied and analyzed over the past decades. We refer to the very complete average complexity analysis of Vallée for a large family of gcd algorithms, see [10]. The first quasi-linear algorithm for the integer gcd was proposed y Knuth in 1970, see [4]: he showed how to calculate the gcd of two n-it integers in time O(n log 5 n log log n). The complexity of this algorithm was improved y Schönhage [6] to O(n log n log log n). A comprehensive description of the Knuth-Schönhage algorithm can e found in [1]. The correctness of this algorithm is quite hard to estalish, essentially ecause of the technical details around the so-called fix-up procedure, and a formal proof is y far out of reach. As an example, several mistakes can e noticed in the proof of [1] and can e found at yap/ook/errata.html. This fix-up procedure is a tedious case analysis and is quite difficult to implement. This usually makes the implementations of this algorithm uninteresting except for very large numers (of length significantly higher than 10 5 its). In this paper, we present a variant of the Knuth-Schönhage algorithm that does not have the fix-up procedure drawack. To achieve this, we introduce a new division (GB for Generalized Binary), which can e seen as a natural generalization of the inary division and which has some natural meaning over the -adic integers. It does not seem possile to use the inary division itself in a Knuth-Schönhage-like algorithm, ecause its definition is asymmetric: it eliminates least significant its ut it also considers most significant its to perform

2 comparisons. There is no such asymmetry in the GB division. The recursive GB Euclidean algorithm is much simpler to descrie and to prove than the Knuth- Schönhage algorithm, while admitting the same asymptotic complexity. This simplification of the description turns out to e an important advantage in practice: we implemented the algorithm in GNU MP, and it ran etween three and four times faster than the implementations of the Knuth-Schönhage algorithm in Magma and Mathematica. The rest of the paper is organized as follows. In we introduce the GB division and give some of its asic properties. In 3, we descrie precisely the new recursive algorithm. We prove its correctness in 4 and analyze its complexity in 5. Some implementation issues are discussed in 6. Notations: The standard notation O(.) is used. The complexity is measured in elementary operations on its. Unless specified explicitly, all the logarithms are taken in ase. If a is a non-zero integer, l(a) denotes the length of the inary representation of a, i.e. l(a) = log a + 1; ν (a) denotes the -adic valuation of a, i.e. the numer of consecutive zeroes in the least significant its of the inary representation of a; y definition, ν (0) =. r := a cmod denotes the centered remainder of a modulo, i.e. a = r mod and < r. We recall that M(n) = Θ(n log n log log n) is the asymptotic time required to multiply two n-it integers with Schönhage-Strassen multiplication [7]. We assume the reader is familiar with asic arithmetic operations such as fast multiplication and fast division ased on Newton s iteration. We refer to [11] for a complete description of these algorithms. The Generalized Binary Division In this section we first recall the inary algorithm. Then we define the generalized inary division GB division for short and give some asic properties aout it. Susection.4 explains how to compute modular inverses from the output of the Euclidean algorithm ased on the GB division..1 The Binary Euclidean Algorithm The inary division is ased on the following properties: gcd(a, ) = gcd(a, ), gcd(a + 1, ) = gcd(a + 1, ), and gcd(a + 1, + 1) = gcd( + 1, a ). It consists of eliminating the least significant it at each loop iteration. Fig. 1 is a description of the inary algorithm. The ehavior of this algorithm is very well understood (see [1] and the references there). Although it is still quadratic in the size of the inputs, there is a significant gain over the usual Euclidean algorithm, in particular ecause there is no need to compute any quotient.. The Generalized Binary Division In the case of the standard Euclidean division of a y with a >, one computes a quotient q such that when q is added to a, the otained remainder

3 Algorithm Binary-Gcd. Input: a, Z. Output: gcd(a, ). 1. If > a, return Binary-Gcd(, a).. If = 0, return a. 3. If a and are oth even then return Binary-Gcd(a/, /). 4. If a is even and is odd then return Binary-Gcd(a/, ). 5. If a is odd and is even then return Binary-Gcd(a, /). 6. Otherwise return Binary-Gcd(( a )/, ). Fig. 1. The inary Euclidean algorithm. is smaller than. Roughly speaking, left shifts of are sutracted from a as long as possile, that is to say until a has lost its l(a) l() most significant its (approximately). The GB division is the dual: in order to GB-divide a y with a >, where a := ν(a) is the -adic norm of a, one computes a quotient q such that when q is added to a, the otained remainder is smaller k k than for the -adic norm. Roughly speaking, right shifts of are sutracted from a as long as possile, that is to say until a has lost its ν () ν (a) least significant its. Lemma 1 (GB Division). Let a, e non-zero integers with ν (a) < ν (). Then there exists a unique pair of integers (q, r) such that: r = a + q, ν() ν(a) (1) q < ν() ν(a), () ν (r) > ν (). (3) The integers q and r are called respectively the GB quotient and the GB remainder of (a, ). We define GB(a, ) as the pair (q, r). a Proof. From (1), q = ( ) 1 mod ν() ν(a)+1. Since q is odd, the ν (a) ν () second condition is fulfilled and gives the uniqueness of q. As a consequence, r is uniquely defined y (1). Moreover, since r = a + q, we have ν () ν (a) r = 0 mod ν()+1, which gives condition (3). The GB division resemles Hensel s odd division, which was introduced y Hensel around A description can e found in [8]. For two integers a and with odd, it computes q and r in Z, such that: a = q + p r and r <, where p = l(a) l() is the difference etween the it lengths of a and. In other words, Hensel s odd division computes r := ( p a) mod, which may e found efficiently as shown in [5]. Besides, there is also some similarity with the PM algorithm of Brent and Kung []. When ν (a) = 0 and ν () = 1, i.e. a is

4 odd and = with odd, the GB division finds q = ±1 such that (a + q )/ is even, which is exactly the PM algorithm. Unlike the inary, Hensel and PM algorithms, the GB division considers only low order its of a and : there is no need comparing a and nor computing their it lengths. It can e seen as a natural operation when considering a and as -adic integers. We now give two algorithms to perform the GB division. The first one is the equivalent of the naive division algorithm, and is asymptotically slower than the second one, which is the equivalent of the fast division algorithm. For most of the input pairs (a, ), the Euclidean algorithm ased on the GB division performs almost all its divisions on pairs (c, d) for which ν (d) ν (c) is small. For this reason the first algorithm suffices in practice. Algorithm Elementary-GB. Input: Two integers a, satisfying ν (a) < ν () <. Output: (q, r) = GB(a, ). 1. q := 0, r := a.. While ν (r) ν () do 3. q := q ν (r) ν (a), 4. r := r ν (r) ν (). 5. q := q cmod ν () ν (a)+1, r := q + a. ν () ν (a) 6. Return (q, r). Fig.. Algorithm Elementary-GB. Lemma. The algorithm Elementary-GB of Fig. is correct and if the input (a, ) satisfies l(a), l() n, then it finishes in time O(n [ν () ν (a)]). It is also possile to compute GB(a, ) in quasi-linear time, in the case of Schönhage-Strassen multiplication, y using Hensel s lifting (which is the p-adic dual of Newton s iteration). Lemma 3. The algorithm Fast-GB of Fig. 3 is correct and with Schönhage- Strassen multiplication, if a and satisfy the conditions l(a), l() n and ν () ν (a) n, then it finishes in time O(M(n))..3 The GB Euclidean Algorithm A GB Euclidean algorithm can e derived very naturally from the definition of the GB division, see Fig. 4. Lemma 4. The GB Euclidean algorithm of Fig. 4 is correct, and if we use the algorithm Elementary-GB of Fig., then for any input (a, ) satisfying l(a), l() n, it finishes in time O(n ).

5 Algorithm Fast-GB. Input: Two integers a, satisfying ν (a) < ν () <. Output: (q, r) = GB(a, ). 1. A := a, B :=, n := ν ν (a) ν () ν (a) + 1. (). q := For i from 1 to log n do 4. q := q + q(1 Bq) mod i. 5. q := Aq cmod n. 6. r := a + q. n 1 7. Return (q, r). Fig. 3. Algorithm Fast-GB. Algorithm GB-gcd. Input: Two integers a, satisfying ν (a) < ν (). g Output: The odd part of the greatest common divisor g of a and. ν (g) a ν (a). 1. If = 0, return. (q, r) := GB(a, ). 3. Return GB-gcd (, r). Fig. 4. The GB Euclidean algorithm. Proof. Let r 0 = a, r 1 =, r,... e the sequence of remainders that appear in the execution of the algorithm. We first show that this sequence is finite and thus that the algorithm terminates. For any k 0, Eqs. (1) and () give r k+ r k+1 + r k, so that r k n+1 ( 1+ 5 ) k. Moreover, k divides r k, which gives k r k n+1 ( 1+ 5 and (1 log 1+ 5 )k n+1. Therefore there are O(n) remainders in the remainder sequence. Let t = O(n) e the length of the remainder sequence. Suppose that r t is the last non-zero remainder. From Lemma, we know that each of the calls to a GB-division involves a numer of it operations ounded y O(log r k [ν (r k+1 ) ν (r k )]) = O(n [ν (r k+1 ) ν (r k )]), so that the overall complexity is ounded y O(n ν (r t )). For the correctness, remark that the GB remainder r from a and satisfies r = a mod where = is the odd part of, thus gcd(a, ) = gcd(r, ). ν () Remark. For a practical implementation, one should remove factors of two in Algorithm GB-gcd. If one replaces the return value in Step 1 y a, and in Step 3 y ν(a) r GB-gcd(, ), the algorithm directly computes g = gcd(a, ). ν () ν () A etter ound on r k and thus on t is proved in 5.1. Nonetheless the present ound is sufficient to guarantee the quasi-linear time complexity of the recursive ) k

6 algorithm. The improved ound only decreases the multiplying constant of the asymptotic complexity. ( ) 0 For n 1 and q [ n + 1, n n 1] we define the matrix [q] n = n. q Let r 0, r 1 e two non-zero integers with 0 = ν (r 0 ) < ν (r 1 ), and r 0, r 1, r,... e their GB remainder sequence, and q 1, q,... e the corresponding quotients: r r i+1 = r i 1 + q i i for any i 1. Then the following relation holds ν (r i ) ν (r i 1 ) for any i 1: ( ) ri = 1 ( ) r i+1 [q r0 i] ν(ri) ni... [q 1 ] n1, r 1 where n j = ν (r j ) ν (r j 1 ) 1 for any j 1. In what follows, we use implicitly the following simple fact several times. Lemma 5. Let r 0, r 1 e two non-zero integers with 0 = ν (r 0 ) < ν (r 1 ), and r 0, r 1, r,... e their GB remainder sequence. Let d 0. Then there exists a unique i 0 such that ν (r i ) d < ν (r i+1 )..4 Computing Modular Inverses This susection is independent of the remainder of the paper ut is justified y the fact that computing modular inverses is a standard application of the Euclidean algorithm. Let a, e two non-zero integers with 0 = ν (a) < ν () and l(a), l() n. Suppose that we want to compute the inverse of modulo a, y using an extended version of the Euclidean algorithm ased on the GB division. The execution of the extended GB Euclidean algorithm gives two integers A and B such that Aa + B = α g, where α = O(n) and g = gcd(a, ). From such a relation, it is easy to check that g = 1. Suppose now that the inverse B of modulo a does exist. From the relation Aa + B = α, we know that: B = B mod a. α Therefore, in order to otain B, it is sufficient to compute the inverse of α modulo a. By using Hensel s lifting (like in the algorithm Fast-GB of Fig. 3), we otain the inverse of a modulo α. This gives x and y satisfying: xa+y α = 1. Clearly y is the inverse of α modulo a. Since multiplication, Hensel s lifting and division on numers of size O(n) can e performed in time O(M(n)) (see [11]), given two n-it integers a and, the additional cost to compute the inverse of modulo a given the output of an extended Euclidean algorithm ased on the GB division is O(M(n)). 3 The Recursive Algorithm We now descrie the recursive algorithm ased on the GB division. This description closely resemles the one of [1]. It uses two routines: the algorithm

7 Half-GB-gcd and the algorithm Fast-GB-gcd. Given two non-zero integers r 0 and r 1 with 0 = ν (r 0 ) < ν (r 1 ), the algorithm Half-GB-gcd outputs the GB remainders r i and r i+1 of the GB remainder sequence of (r 0, r 1 ) that satisfy ν (r i ) l(r 0 )/ < ν (r i+1 ). It also outputs the corresponding matrix (n1+...+ni) [q i ] ni... [q 1 ] n1. Then we descrie the algorithm Fast-GB-gcd, which, given two integers a and, outputs the gcd of a and y making successive calls to the algorithm Half-GB-gcd. The algorithm Half-GB-gcd works as follows: a quarter of the least significant its of a and are eliminated y doing a recursive call on the low l(a)/ of the its of a and. The crucial point is that the GB quotients computed for the truncated numers are exactly the same as the first GB quotients of a and. Therefore, y multiplying a and y the matrix otained recursively one gets two remainders (a, ) of the GB remainder sequence of (a, ). A single step of the GB Euclidean algorithm is performed on (a, ), which gives a new remainder pair (, r). Then there is a second recursive call on approximately l(a)/ of the least significant its of (, r). The size of the inputs of this second recursive call is similar to the one of the first recursive call. Finally, the corresponding remainders (c, d) of the GB remainder sequence of (a, ) are computed using the returned matrix R, and the output matrix R is calculated from R 1, R and the GB quotient of (a, ). Fig. 5 illustrates the execution of this algorithm. Note that in the description of the algorithm Half-GB-gcd in Fig. 6, a routine GB is used. This is a simple modification of the GB division: given a r ν () and as input with 0 = ν (a) < ν (), it outputs their GB quotient q, and if r is their GB remainder. The algorithm Fast-GB-gcd uses several times the algorithm Half-GB-gcd to decrease the lengths of the remainders quickly. The main advantage over the other quasi-linear time algorithms for the integer gcd is that if a matrix R is returned y a recursive call of the algorithm Half-GB-gcd, then it contains only correct quotients. There is no need to go ack in the GB remainder sequence in order to make the quotients correct, and thus no need to store the sequence of quotients. The underlying reason is that the remainders are shortened y the least significant its, and since the carries go in the direction of the most significant its, these two phenomena do not interfere. For that reason, the algorithm is as simple as the Knuth-Schönhage algorithm in the case of polynomials. 4 Correctness of the Recursive Algorithm In this section, we show that the algorithm Fast-GB-gcd of Fig. 7 is correct. We first give some results aout the GB division, and then we show the correctness of the algorithm Half-GB-gcd which clearly implies the correctness of the algorithm Fast-GB-gcd. 4.1 Some Properties of the GB Division The properties descried elow are very similar to the ones of the standard Euclidean division that make the Knuth-Schönhage algorithm possile. The first

8 n 3n/4 n/ n/4 0 a, Truncation a0,0 Recursive Call R1 c1,d1 x R1 a, GB Division,r Truncation 0,r0 Recursive Call R c,d x R c,d Fig. 5. The recursive structure of the algorithm Half-GB-gcd. result states that the ν () ν (a) + 1 last non-zero its of a and of suffice to compute the GB quotient of two integers a and. Lemma 6. Let a,, a and e such that a = a mod l and = mod l with l ν () + 1. Assume that 0 = ν (a) < ν (). Let (q, r) = GB(a, ) and (q, r ) = GB(a, ). Then q = q and r = r mod l ν(). Proof. By definition, q := a ( ) 1 ν cmod ν ()+1. Therefore, since l () ν ()+1, = ν () ν ( ) mod ν()+1, we have a = a mod ν()+1 and q = q. Moreover, r = a+q and r = a +q ν () ν ( ). Consequently r = r mod l ν(). This result can e seen as a continuity statement: two pairs of -adic integers (a, ) and (a, ) which are sufficiently close for the -adic norm (i.e. some least

9 Algorithm Half-GB-gcd. Input: a, satisfying 0 = ν (a) < ν (). Output: An integer j, an integer «matrix R and «two integers c and d with c a 0 = ν (c) < ν (d), such that = j R, and c = j c, d = j d d are the two consecutive remainders of the GB remainder sequence of (a, ) that satisfy ν (c ) l(a)/ < ν (d ). 1. k := l(a)/.. If ν () > k, then return 0, «1 0, a, k 1 := k/. 4. a := a 1 k1+1 + a 0, := 1 k with 0 a 0, 0 < k j 1, R 1, c 1, d 1 := Half-GB-gcd(a 0, 0). 6. «a := k 1+1 j 1 R 1 a1 1 «+ c1 d 1 «, j 0 := ν ( ). 7. If j 0 + j 1 > k, then return j 1, R 1, a,. 8. (q, r) := GB (a, ). 9. k := k (j 0 + j 1). 10. j 0 := 1 k+1 + 0, r := r 1 k+1 + r 0 with 0 0, r 0 < k j, R «, c, d := Half-GB-gcd( «0, r 0). c 1. := k +1 j R 1 c + d r 1 d «. 13. Return j 1 + j 0 + j, R [q] j0 R 1, c, d. Fig. 6. Algorithm Half-GB-gcd. significant its of a and a, and some of and are equal) have the same quotient and similar remainders (the closer the pairs, the closer the remainders). The second lemma extends this result to the GB continued fraction expansions: if (a, ) and (a, ) are sufficiently close, their first GB quotients are identical. We otain this result y applying the first one several times. Lemma 7. Let a,, a and such that a = a mod k+1 and = mod k+1, with k 0. Suppose that 0 = ν (a) < ν (). Let r 0 = a, r 1 =, r,... e the GB remainder sequence of (a, ), and let q 1, q,... e the corresponding GB quotients: r r j+1 = r j 1 + q j j n j, with n j = ν (r j ) ν (r j 1 ). Let r 0 = a, r 1 =, r,... e the GB remainder sequence of (a, ), and let q 1, q,... e the corresponding GB r j quotients: r j+1 = r j 1 + q j, with n n j = ν (r j ) ν (r j 1 ). j Then, if r i+1 is the first remainder such that ν (r i+1 ) > k, we have q j = q j and r j+1 = r j+1 mod k+1 ν(rj), for any j i.

10 Algorithm Fast-GB-gcd. Input: a, satisfying 0 = ν (a) < ν (). Output: g = gcd(a, ). 1. j, R, a, := Half-GB-gcd(a, ).. If = 0, return a. 3. (q, r) := GB (a, ). 4. Return Fast-GB-gcd(, r ). Fig. 7. Algorithm Fast-GB-gcd. Proof. We prove this result y induction on j 0. This is true for j = 0, ecause a = a mod k+1 and = mod k+1. Suppose now that 1 j i. We use r j 1 r, j r, j 1, ν (r j 1 ) ν (r j 1 ) ν (r j 1 ) Lemma 6 with and l = k+1 ν ν (r j 1 ) (r j 1 ). By induction, modulo k+1 ν(rj 1), r j 1 = r j 1 and r j = r j. Since j i, we have, y definition of i, k +1 ν (r j 1 ) (ν (r j ) ν (r j 1 ))+1, and consequently we can apply Lemma 6. Thus q j = q j and r j+1 = r j+1 mod k+1 ν(rj). Practically, this lemma says that k its can e gained as regard to the initial pair (a, ) y using only k its of a and k its of. This is the advantage of using the GB division instead of the standard division: in the case of the standard Euclidean division, this lemma is only almost true, ecause some of the last quotients efore gaining k its can differ, and have to e repaired. r j 4. Correctness of the Half-GB-gcd Algorithm To show the correctness of the algorithm Fast-GB-gcd, it suffices to show the correctness of the algorithm Half-GB-gcd, which is estalished in the following theorem. (Since each call to Fast-GB-gcd which does not return in Step performs at least one GB division, the termination is ensured.) Theorem 1. The algorithm Half-GB-gcd of Fig. 6 is correct. Proof. We prove the correctness of the algorithm y induction on the size of the inputs. If l(a) = 1, then the algorithm finishes at Step ecause ν () 1. Suppose now that k and that ν () k. Since k + 1 < l(a), Step 5 is a recursive call ( (its ) inputs satisfy ( the ) input c1 a0 conditions). By induction j 1, R 1, c 1 and d 1 satisfy = d j1 R 1, and 1 0 j1 c 1 and j1 d 1 are the consecutive remainders r i 1 and r i 1+1 of the GB remainder sequence of r 0 = a 0 and r 1 = 0 that satisfy ν (r i 1 ) k 1 < ν (r i 1+1 ). From ( ) a Lemma 7, we know that j1 R 1 are two consecutive remainders j1 a = r i1 and j1 = r i1+1 of the GB remainder sequence of r 0 = a and r 1 =, and they

11 satisfy r i1 = r i 1 and r i1+1 = r i modulo 1+1 k1+1. From these last equalities, we have that ν (r i1 ) = ν (r i 1 ) k 1 < ν (r i1+1) ν (r i 1+1 ). Thus, if the execution of the algorithm stops at Step 7, the output is correct. Otherwise, r i1+ is computed at Step 8. At Step 9 we compute k = k ν (r i1+1). Step 7 ensures that k 0. Since ν (r i1+1) > k/, we have k k/ 1. Therefore Step 11 is a recursive call (and( the) inputs satisfy the) input c conditions). By induction, j, S, c and d satisfy: = d j R 0 (, and r 0 j c and j d are the consecutive remainders r i and r i +1 of the GB remainder sequence of ( 0, r 0 ). Moreover, ν (r i ) k < ν (r i +1 ). From Lemma 7, ( ) j 1 we know that j S j1 r are two consecutive remainders r i and r i+1 r (with i = i 1 + i + 1) of the GB remainder sequence of (a, ), that i j 1 +ν ( ) = j c mod k+ r and that i+1 j 1 +ν ( ) = j d mod k+1. Therefore the following sequence of inequalities is valid: ν (r i ) = j 1 + j + ν ( ) k < ν (r i+1 ). This ends the proof of the theorem. 5 Analysis of the Algorithms In this section, we first study the GB Euclidean algorithm. In particular we give a worst-case ound regarding the length of the GB remainder sequence. Then we ound the complexity of the recursive algorithm in the case of the use of Schönhage-Strassen multiplication, and we give some intuition aout the average complexity. 5.1 Length of the GB Remainder Sequence In this susection, we ound the size of the matrix 1 ν (r i ) [q i ] ni... [q 1 ] n1, where the q j s are the GB quotients of a truncated GB remainder sequence r 0,..., r i+1 with ν (r i ) ν (r 0 ) + d < ν (r i+1 ) for some d 0. This will make possile the analysis of the lengths and the numer of the GB remainders. As mentioned in, this susection is not necessary to prove the quasi-linear time complexity of the algorithm. Theorem. Let d 1. Let r 0, r 1 with 0 = ν (r 0 ) < ν (r 1 ), and r 0, r 1,..., r i+1 their first GB remainders, where i is such that ν (r i ) d < ν (r i+1 ). We consider the matrix [q 1 ν (r i ) i ] ni... [q 1 ] n1, where the q j s are the GB quotients and n j = ν (r j ) ν (r j 1 ) for any 1 j i. Let M e the maximum of the asolute values of the four entries of this matrix. Then we have: If d = 0 or 1, M = 1, If d = 3, M 11/8, If d = 5, M 67/3, ( ( If d =, 4 or d 6, M 1+ ) d+1 ( 4 1 ) ) d+1 4.

12 Moreover, all these ounds are reached, in particular, the last one is reached when n j = 1 and q j = 1 for any 1 j i. The proof resemles the worst case analysis of the Gaussian algorithm in [9]. Proof. We introduce a partial order on the matrices: A < B if and only if for any coordinate [i, j], A[i, j] B[i, j]. First, the proof can e restricted to the case where the q j s are non-negative integers, ecause we have the inequality [q i ] ni... [q 1 ] n1 [ q i ] ni... [ q 1 ] n1. This can e easily showed y induction on i y using the properties: A B A B, and if the entries of A, A, B, B are non-negative, A A and B B implies A B A B. Consequently we are looking for the maximal elements for the partial order > in the set: {Π n1+...+n i d [q i ] ni... [q 1 ] n1 / 1 j i, 0 < q j nj 1 and n j 1}. We can restrict the analysis to the case where n n i = d and all the q j s are maximal, which gives the set: {Π n1+...+n i=d [ ni 1] ni... [ n1 1] n1 }. Remark now that [ n 1] n [1] n 1 for any n 3. Therefore, it is sufficient to consider the case where the n j s are in {1, }. Moreover, for any integer j 0, [3] [1] j 1 [3] [1] j+4 1, and we also have the inequalities [3] [1]4 1, [1]51 [3] [1] 7, [3] [1] 5 1 [1]7 and [1] 1 [3] [1] 1 [1]6 1. From these relations, we easily otain the maximal elements: For d = 1, [1] 1. For d =, [1] 1 and [3]. For d = 3, [1] 3 1, [3] [1] 1 and [1] 1 [3]. For d = 4, [1] 4 1, [3] [1] 1, [1] 1 [3] [1] 1 and [1] 1 [3]. For d = 5, [1] 5 1, [3] [1] 3 1, [1] 1 [3] [1] 1, [1] 1 [3] [1] 1 and [1]3 1 [3]. For d = 6, [1] 6 1, [3] [1] 4 1, [1]3 1 [3] [1] 1, [1] 1 [3] [1] 3 1 and [1]4 1 [3]. For d = 7, [1] 7 1, [1] 1 [3] [1] 4 1 and [1] 4 1 [3] [1] 1. For d 8, [1] d 1. ( ) The end of the proof is ovious once we note that d [1] d 1 = ud 1 u d, u d u d+1 where u 0 = 0, u 1 = 1 and u i = u i + 1 u i 1. From this result on the quotient matrices, we can easily deduce the following on the size of the remainders and on the length of the remainder sequence. Theorem 3. Let r 0, r 1 e two non-zero integers with 0 = ν (r 0 ) < ν (r 1 ), and r 0, r 1,..., r t+1 their complete GB remainder sequence, i.e. with r t+1 = 0. Assume that 9 j t. Then: ν(rj) r j ( r 0 ( + r ) ν(r j) 1 ( ) ν(r j) ( 4 1 ) ν(r j) ) ν(r j) 4.

13 ( ) r0 The upper ound is reached y = [1] t r 1 1 ( t 0 ). Moreover, if l(r 0 ), l(r 1 ) n, then we have: t n/ log( 1 ). Proof. (Sketch) For the inequations concerning r j, use the maximal element [1] d 1 from the proof of Theorem, with d = ν (r i ), where i = j 1. Remark then that the upper ound grows far slower with ν (r j ) than the lower ound: this fact gives an upper ound on ν (r t ) and therefore on t. As a comparison, we recall that the worst case for the standard Euclidean division corresponds to the Fionacci sequence, with d n/ log( 1+ 5 ) + o(n). Remark that 1/ log( 1+ 5 ) and 1/ log( 1 ) Complexity Bound for the Recursive Algorithm In what follows, H(n) and G(n) respectively denote the maximum of the numer of it operations performed y the algorithms Half-GB-gcd and Fast-GB-gcd, given as inputs two integers of lengths at most n. Lemma 8. Let c = 1 log The following two relations hold: G(n) = H(n) + G( cn ) + O(n), H(n) = H( n + 1) + O(M(n)). Proof. The first relation is an ovious consequence of Theorem. We now prove the second relation. The costs of Steps 1,, 3, 4, 7, 9 and 10 are negligile. Steps 5 and 11 are recursive calls and the cost of each one is ounded y H( n + 1). Steps 6, 1 and 13 consist of multiplications of integers of size O(n). Finally, Step 8 is a single GB division, and we proved in Lemma 3 that it can e performed in time O(M(n)). From this result and the fact that c < 1, one easily otains the following theorem: Theorem 4. The algorithm Fast-GB-gcd of Fig. 7 runs in quasi-linear time. More precisely, G(n) = O(M(n) log n). The constants that one can derive from the previous proofs are rather large, and not very significant in practice. In fact, for randomly chosen n-it integers, the quotients of the GB remainder sequence are O(1), and therefore Step 8 of the algorithm Half-GB-gcd has a negligile cost. Moreover, the worst-case analysis on the size of the coefficients of the returned matrices gives a worst-case (( ound O 1+ ) n ), which happens to e O( n ) in practice. With these two heuristics, the practical cost of the algorithm Half-GB-gcd satisfies the same recurrence than the Knuth-Schönhage algorithm: H(n) H( n ) + km(n), where the constant k depends from the implementation [11].

14 6 Implementation Issues We have implemented the algorithms descried in this paper in GNU MP [3]. In this section, we first give some tricks that we implemented to improve the efficiency of the algorithm, and then we give some enchmarks. 6.1 Some Savings First of all, note that some multiplications can e saved easily from the fact that when the algorithm Fast-GB-gcd calls the algorithm Half-GB-gcd, the returned matrix is not used. Therefore, for such top-level calls to the algorithm Half-GB-gcd, there is no need to compute the product R [q] j0 R 1. Note also that for interesting sizes of inputs (our implementation of the recursive algorithm is faster than usual Euclidean algorithms for several thousands of its), we are in the domains of Karatsua and Toom-Cook multiplications, and elow the domain of FFT-ased multiplication. This leads to some improvements. For example, the algorithm Fast-GB-gcd should use calls to the algorithm Half-GB-gcd in order to gain γn its instead of n, with a constant γ 1 that has to e optimized. Below a certain threshold in the size of the inputs (namely several hundreds of its), a naive quadratic algorithm that has the requirements of algorithm Half-GB-gcd is used. Moreover, each time the algorithm has to compute a GB quotient, it computes several of them in order to otain a matrix with entries of length as close to the size of machine words as possile. This is done y considering only the two least significant machine words of the remainders (which gives a correct result, ecause of Lemma 6). 6. Comparison to Other Implementations of Suquadratic Gcd Algorithms We compared our implementation in GNU MP using the ordinary integer interface mpz with those of Magma V.10-1 and Mathematica 5.0, which oth provide a suquadratic integer gcd. This comparison was performed on laurent3.medicis.polytechnique.fr, an Athlon MP 00+. Our implementation wins over the quadratic gcd of GNU MP up from aout 500 words of 3 its, i.e. aout 4000 digits. We used as test numers oth the worst case of the classical suquadratic gcd, i.e. consecutive Fionacci numers F n and F n 1, and the worst case of the inary variant, i.e. G n and G n 1, where G 0 = 0, G 1 = 1, G n = G n 1 + 4G n, which gives all inary quotients equal to 1. Our experiments show that our implementation in GNU MP of the inary recursive gcd is 3 to 4 times faster than the implementations of the classical recursive gcd in Magma or Mathematica. This ratio does not vary much with the inputs. For example, ratios for F n and G n are quite similar.

15 type, n Magma V.10-1 Mathematica 5.0 Fast-GB-gcd (GNU MP) F n, F n, F n, F n, G n, G n, Fig. 8. Timings in seconds of the gcd routines of Magma, Mathematica and our implementation in GNU MP. Acknowledgements. The first author thanks Brigitte Vallée for introducing him to fast gcd algorithms and for very helpful discussions on that topic. We thank Jean Vuillemin for the pointer to Hensel s odd division, the Medicis center for allowing the comparison to Magma and Mathematica, and Richard Brent for his comments, which helped to improve oth the contents and the form of the paper. References 1. R. P. Brent. Twenty years analysis of the inary Euclidean algorithm. In A. W. Roscoe J. Davies and J. Woodcock, editors, Millenial Perspectives in Computer Science: Proceedings of the 1999 Oxford-Microsoft Symposium in honour of Professor Sir Antony Hoare, pages 41 53, Palgrave, New York, R. P. Brent and H. T. Kung. A systolic VLSI array for integer GCD computation. In K. Hwang, editor, Proceedings of the 7th Symposium on Computer Arithmetic (ARITH-7). IEEE CS Press, T. Granlund. GNU MP: The GNU Multiple Precision Arithmetic Lirary, 4.1. edition, D. Knuth. The analysis of algorithms. In Actes du Congrès International des Mathématiciens de 1970, volume 3, pages 69 74, Paris, Gauthiers-Villars. 5. P. L. Montgomery. Modular multiplication without trial division. Math. Comp., 44(0):519 51, A. Schönhage. Schnelle Berechnung von Kettenruchentwicklungen. Acta Informatica, 1: , A. Schönhage and V. Strassen. Schnelle Multiplikation grosser Zahlen. Computing, 7:81 9, M. Shand and J. E. Vuillemin. Fast implementations of RSA cryptography. In E. E. Swartzlander, M. J. Irwin, and J. Jullien, editors, Proceedings of the 11th IEEE Symposium on Computer Arithmetic (ARITH-11), pages IEEE Computer Society Press, Los Alamitos, CA, B. Vallée. Gauss algorithm revisited. Journal of Algorithms, 1:556 57, B. Vallée. Dynamical analysis of a class of Euclidean algorithms. Th. Computer Science, 97(1-3): , J. von zur Gathen and J. Gerhard. Modern Computer Algera. Camridge University Press, nd edition, C. K. Yap. Fundamental Prolems in Algorithmic Algera. Oxford University Press, 000.