Basic Arithmetic. Chapter Integer Arithmetic

Transcription

1 Chapter 1 Basic Arithmetic All rings in this lecture are unitary and commutative. In this chapter, we will analyze basic arithmetic operations with the point of view of implementing them on a computer. All computers provide basic integer arithmetic, but in general only in a very specific way. More precisely, computes usually allow to do arithmetic in Z/2 k Z for a fixed k, the machine word-width, where k {8, 16, 32, 64, 128}. (Most modern computers have k = 64.) Since 2 64 = is quite large, this is often no restriction. But sometimes, especially when doing computations in mathematics, numbers tend to grow larger than that. If one still wants to know the precise result, one has to invest some work to simulate larger integers with what the CPU supports. The basic approach to do this is covered in Section 1.1. Afterwards, we will introduce some notation from complexity theory to simplify discussing the running time needed for arithmetic. We will count the running time in different units, most prominently basic b-operations, which correspond to what the CPU can do natively with one operation, and to ring or field operations, which obviously depend on the underlying ring respectively field. The next topics we will cover are univariate polynomials and the Euclidean Algorithm, one of the most important algorithms in arithmetic. The later sections in this chapter are merely applications of the content of the first four sections, which will enable us to do arithmetic in the rational numbers Q, in residue class rings Z/nZ of the integers, in residue class rings of K[X], and in finite fields. 1.1 Integer Arithmetic A very fundamental problem in computer algebra is integer arithmetic. The basic questions are: How to represent integers on a computer? How to do basic arithmetic addition, subtraction, multiplication, division with remainder in this representation? How fast can we do arithmetic? The most used representation is a positional notation; 1 the decimal notation we learned in school is also one. 1 The first counting system with positional notation was used by the Babylonians with base 60. 1

2 2 CHAPTER 1. BASIC ARITHMETIC Definition Let N N be a natural number and b 2 be another natural number. An (n + 1)-tuple (a n,..., a 0 ) {0,..., b 1} n+1 is called a b-adic representation of N if and only if n N = a i b i. i=0 In case n = 0 or a n 0, we say that this representation is reduced. We say that this representation has size n. The number system we use is the one of reduced 10-adic representations. Remarks (a) For every b 2, every natural number has a unique reduced b-adic representation. (b) One could also accept n = 1, which corresponds to the empty list (). This would introduce another representation of zero (compare Section 1.3). The reason why this is usually not done for integers is that in this way, one can work more efficiently with integers which fit into one digit because no list size changes are necessary as long as the result fits into one digit. (c) If (a n,..., a 0 ) and (c m,..., c 0 ) are b-adic representations of the same number, then a i = c i for i = 0,..., min{n, m} and a i = 0 for m < i n and c j = 0 for n < j m. (d) The maximal number b-adicly representable with (a n,..., a 0 ) is n (b 1)b i = (b 1) i=0 n i=0 b i = (b 1) bn+1 1 b 1 = b n+1 1. If N is an arbitrary number, this shows that it can be represented b-adicly by (a n,..., a 0 ) if and only if N b n+1 1 N + 1 b n+1 log b (N + 1) n + 1 log b (N + 1) 1 n. Moreover, since N is an integer and (b n+1 1) + 1 = b n+1, we also obtain N b n+1 1 log b N < n + 1. (e) Therefore, the size of the reduced b-adic representation of N > 0 is size b (N) := log b (N + 1) 1 = log b (N + 1) 1 = log b (N). Moreover, for N > 0, size b (N) C b log N D b for C b := 1 log b > 0 and D b := max{1, log 2 log b } = 1. For N = 0, size b(0) = 0 = log(n + 1) 1.

3 1.1. INTEGER ARITHMETIC 3 (f) Internally, a computer uses non-reduced 2-adic representations with a fixed n. This n is usually one less than a power of two, for example 31 = or 63 = Therefore, a computer can internally represent natural numbers {0,..., } respectively {0,..., }. Such an internal representation is called a CPU integer. We exploit this to represent larger numbers by choosing b as 2 32 respectively An arbitrary natural number is thus given as a list of CPU integers together with its length. Note that we identify the set of CPU integers with Z/2 32 Z respectively Z/2 64 Z. Also note that in fact, negative numbers can be represented as well by choosing a fitting representative system of the residue class ring Z/2 m Z, for example in case m is even. 2 2 m/2, 2 m/2 + 1,..., 1, 0, 1,..., 2 m/2 2, 2 m/2 1 (g) To represent arbitrary integers and not just natural numbers, we add a sign bit, an element in {+, } which indicates the sign of the number. Note that the number 0 has two such representations. We will now explain how to do basic arithmetic with such b-adic representations. We will assume that we already know how to do all required operations with arguments in the range {0,..., b 1}; we refer to such operations as basic b-operations. We define them in more detail in the following: Remarks Let a, c {0,..., b 1}. (a) Let γ {0, 1}. The sum a + c + γ is either in {0,..., b 1}, or a + c + γ b {0,..., b 1}. Write a + c + γ = q b + r with q, r N and r < b; thus q {0, 1}. We define a b,γ c := r and Carry add,b (a, c, γ) := q {0, 1}. The latter is called the carry bit. 3 (b) Let γ {0, 1}. In case a c γ 0, define a b,γ c := a c γ, and in case a c γ < 0, define a b,γ c := b+a c γ. We also define 4 Carry sub,b (a, c, γ) := 0 in case a c γ 0 and Carry sub,b (a, c, γ) := 1 in case a c γ < 0. 5 (c) Write a c = q b + r with q, r N and r < b. We define a b c := r and Carry mul,b (a, c) := q {0,..., b 2}. 6 (Note that a, c b 1 implies a c (b 1) 2 = b 2 2b + 1, whence q b 2.) 2 This system of representing negative numbers is called two s complement. If an element of Z/2 m Z is represented by a bitstring, one can compute the negative by flipping all bits and adding 1 to the result. 3 In x86 assembler, this is done by the ADC instruction (add with carry). If γ = 0 is known, one can use the ADD instruction. The value of Carry add,b is returned via the carry flag. 4 Instead of carry, a more meaningful name would be borrow. To minimize the number of different names, we use carry here as well. In x86 assembler, the borrow bit is stored and retrieved from the carry flag. 5 In x86 assembler, this is done by the SBB instruction (subtraction with borrow). If γ = 0 is known, one can use the SUB instruction. The value of Carry sub,b is returned via the carry flag. 6 In x86 assembler, this is done by the MUL instruction (unsigned multiplication). This command returns simultaneously q and r, and indicates via the overflow and carry flag whether q 0 or not.

4 4 CHAPTER 1. BASIC ARITHMETIC (d) Note that ({0,..., b 1}, b,0, b ) is a model of the residue class ring Z/bZ. Also note that b equals subtraction of natural numbers modulo b. 7 (e) Assume that c 0 and let a {0,..., b 2 1}. We assume that a is given in the form a 1 b + a 2, where a 1, a 2 {0,..., b 1}, and we assume that a/c < b (if this is not satisfied, the values of the following expressions will not be defined). Let q, r N with 0 r < c such that a = q c + r. We denote a div b c := q and a rem b c := r. Obtaining q and r is also called Euclidean (long) division. 8 (f) By basic b-operation, we mean the operations b,, b,, b, div b, rem b, Carry add,b, Carry sub,b and Carry mul,b, as well as comparisons of elements in {0,..., b 1}. Using these basic operations, we can explain how to do arithmetic with b-adic representations: Theorem (Basic Integer Arithmetic). Let b 2 be a natural number, and let N and M be two natural numbers with reduced b-adic representations (a n,..., a 0 ) of N and (c m,..., c 0 ) of M. (a) Testing whether N < M, N = M or N > M can be done in at most min{n, m}+ 2 comparisons of elements {0,..., b 1}. (b) Computing a reduced b-adic representation of N + M can be done in at most max{n, m} + 1 evaluations of b, and Carry add,b. (c) Computing a reduced b-adic representation of N M together with 9 sgn(n M) can be done in at most max{n, m} + 2 evaluations of b, and Carry sub,b and min{n, m} + 2 comparisons of elements {0,..., b 1}. (d) Computing a reduced b-adic representation of N M can be done in at most (m + 1)(n + 1) evaluations of b and Carry mul,b, at most (2m + 1)(n + 1) + m evaluations of b, and at most (2m + 1)n + 2m evaluations of Carry add,b. (e) Assume that M 0. Computing reduced b-adic representations of two numbers Q, R N with N = Q M + R and R < M can be done in at most max{0, 2m(n m)+4n+2m+6} evaluations of b and Carry mul,b, max{0, 5m(n m) + 12n + 3m + 21} evaluations of b,, max{0, 5m(n m) + 9n + 6m + 12} evaluations of Carry add,b, max{0, 3m(n m) + 9n 6m + 9} evaluations of b, and Carry sub,b and comparisons of elements {0,..., b 1}, n + 2 evaluations of div b and m + 1 evaluations of rem b. We will later see that except for comparison, addition and subtraction, we can improve upon these operations by making them faster, at least in case n and m are sufficiently large. Proof of Theorem The x86 assembler also features a signed multiplication instruction, IMUL. If the result modulo b = 2 l is taken, where l is the bit-width of the CPU, the output is identical to the one of MUL. The main difference is the handling of the flags and sign extension for the q part of the result. 8 In x86 assembler, this is done by the DIV instruction (unsigned division). The numerator can actually be in range {0,..., b 2 1}, and the instruction computes both q and r. In case the quotient does not fit into the range {0,..., b 1}, or if the divisor is zero, an error will occur. If the numerator is in range {0,..., b 1} and the denominator is 0, no error will occur. 9 Here, sgn(x) = 1 for x < 0, sgn(0) = 0 and sgn(x) = 1 for x > 0.

5 1.1. INTEGER ARITHMETIC 5 (a) In case n m, we right away know that N > M (in case of n > m) or N < M (in case of n < m). If n = m, we find the largest index i with a i c i. If no such index exists, N = M. Otherwise, we know that N < M in case a i < c i, and N > M in case a i > c i. Therefore, we need at most n + 1 comparisons to find the index i, and at most one more comparison to distinguish between a i < c i and a i > c i. (b) For i > n, we interpret a i = 0, and for i > m, we interpret c i = 0. To compute a reduced b-adic representation of N + M, we start with γ := 0 and iterate i from 0 up to max{n, m}. In step i, we compute d i := a i b,γ c i and γ := Carry add,b (a i, c i, γ). After the last iteration, (d max{n,m},..., d 0 ) is the reduced b-adic representation of N + M in case γ = 0, and (1, d max{n,m},..., d 0 ) is the reduced b-adic representation of N + M in case γ = 1. In case i > n (or i > m) and γ = 0, we do not need to use b,γ and Carry add,b anymore to determine the last d i s. In fact, in case i > n, we will have that the resulting reduced b-adic representation is (c m,..., c i+1, d i,..., d 0 ). This shows that we need at most max{n, m} + 1 evaluations of b,γ and Carry add,b. (c) We proceed as in (a) to find out whether N < M, N = M or N > M, and to find the largest k with a k c k in case N M, where again we interpret a i = 0 for i > n and c i = 0 for i > m. In case N = M, return (). Otherwise, swap N and M if necessary so that N > M, set γ := 0 and iterate i = 0,..., k. In iteration i, compute d i := a i b,γ c i and γ := Carry sub,b (a i, c i, γ). After all iterations, we must have γ = 0 as N > M. We then find the largest index i {0,..., k} with d i 0 and return (d i,..., d 0 ). Since k max{n, m}, we need at most max{n, m} + 1 evaluations of b, and Carry sub,b. For the comparison, we need at most k (for finding i) +(max{n, m} k + 2) (for finding k) comparisons, which yields max{n, m} + 2 comparisons in total. (d) Note that M = m i=0 c ib i. Therefore, MN = m i=0 (c in)b i. Multiplication of N by b i is easy: in case N > 0, N b i has the reduced representation (a n,..., a 0, 0,..., 0), where at the end we have added i zeros. We call such multiplications also shifts by i positions. 10 Therefore, to compute NM, we compute c i N for i = 0,..., m (as long as c i 0), and add the correctly shifted results together. To compute c i N, we use b and Carry mul,b together with b, and Carry add,b : first note that c i N = n j=0 a jc i b j. The following diagram shows how a (not necessarily reduced) b-ary representation (d n+1, d n,..., d 0 ) of c i N can be com- 10 Computers usually offer special instructions to multiply with powers of 2, since they can be implemented very efficiently in the same way. The same is true for division by powers of 2. In x86 assembler, the instructions SHL and SHR execute shifts to the left (multiplication) and right (division).

6 6 CHAPTER 1. BASIC ARITHMETIC puted: a 0 c i a 1 c i... a 2 c i a n c i = d n+1 d n d 3 d 2 d 1 d 0 (The long boxes with the multiplications inside should be interpreted as two entries, the left one being Carry mul,b (a j, c i ) and the right one being a j b c i. The bend arrows should be interpreted as Carry add,b.) Here, we execute n + 1 evaluations of b and Carry mul,b, one assignment, n + 1 evaluations of b,, and n evaluations of Carry add,b (note that in the last addition, which computes d n+1, there will be no carry, since Carry mul,b (a n, c i ) b 2. If k 1 i=0 c inb i is already computed and we just computed c k N, we need at most n + 2 evaluations of b, and Carry add,b to compute k i=0 c inb i (see (b)). This is only needed for k = 1,..., m. Therefore, the maximum total number of operations are: at most (m + 1)(n + 1) evaluations of b and Carry mul,b, (m + 1)(n + 1) + m(n + 2) = (2m + 1)(n + 1) + m evaluations of b,, and (m + 1)n + m(n + 2) = (2m + 1)n + 2m evaluations of Carry add,b. (e) [Knu81, Section 4.3.1] In case n < m, we set Q = (0) and R = (a n,..., a 0 ) and we are done. If this is not the case, we proceed with two simplifications: We first normalize N and M so that c m b/2. If this is not already the case, we multiply 11 both N and M by x := b/(c m + 1) {1,..., b/2 }, and after the whole computation, we divide R by x. We then reduce to n m + 1 divisions for two numbers of almost the same size as follows: first, compute Q, R such that (0, a n,..., a n m ) = (c m,..., c 0 ) Q + R with (r m,..., r 0 ) := R < (c m,..., c 0 ); then 0 Q b 1. Multiplying this identity with b n m and adding (a n m 1,..., a 0 ), we obtain (a n,..., a 0 ) = (c m,..., c 0 ) (Q, 0,..., 0 ) + (r }{{} m,..., r 0, a n m 1,..., a 0 )), n m times 11 To see that this works, first note that c mx b/2 : this is clear for c m = 1, and for c m 2, we consider the two cases c m b/4 and c m < b/4. In case c m < b/4, 2c 2 m/(c m 1) 4c < b implies c m(b c m)/(c m + 1) b/2, which in turn implies c m b/(c m + 1) b/2. In case c m b/4 we have b/4 < c m + 1 b/2, which yields 2 b/ b/2 < b/(c m + 1) < 4, whence x {2, 3}. Now b/2 b/2 2c m 3c m completes the proof that c mx { b/2,..., b 1}. We now want to show that xm < b m+1, which shows that the reduced b-adic representation of xm has size m; the above then shows that the leading digit is at least b/2. Note that M/b m < c m + 1, whence xm < x (c m + 1)b m b/(c m + 1) (c m + 1)b m = b m+1.

7 1.1. INTEGER ARITHMETIC 7 where (r m,..., r 0, a n m 1,..., a 0 ) < (c m,..., c 0 )b n m. We then continue by dividing (r m,..., r 0, a n m 1) by (c m,..., c 0 ) to compute the next digit of Q. This will be iterated until we are done. For the above, we have to discuss two special cases: (i) Exact division by a number in {1,..., b 1}; (ii) Long division with remainder for two numbers (a m+1,..., a 0 ) by (c m,..., c 0 ), where (a m+1,..., a 0 ) < (c m,..., c 0 )b and c m b/2. Note that for (ii), the quotient will be in {0,..., b 1}. We now discuss the two steps (i) and (ii) in more detail. (i) We can essentially proceed as in the second reduction mentioned above, since the long division of a two-digit b-adic number by a one-digit b-adic number is a basic b-operation. Given N = (e k,..., e 0 ) and q {2,..., b 1}, we want to compute N/q, knowing that N/q N. We proceed by extending N to (e k+1, e k,..., e 0 ) with e k+1 = 0; then (e k+1, e k,..., e 0 ) < qb k+1. We compute (q k,..., q 0 ) {0,..., b 1} k+1 by iterating i = k,..., 0. In iteration i, we compute q i := (e i+1 b + e i ) div b q and e i := (e i+1 b + e i ) rem b q. Before iteration i, if we have (e i+1, e i,..., e 0 ) < qb i+1, then (e i+1, e i ) < qb, whence (e i+1 b + e i ) div b q and (e i+1 b + e i ) rem b q are defined. Since ((e i+1 b + e i ) rem b q) b 1, we will have that (e i, e i 1,..., e 0 ) < qb i after e i is redefined. Hence, during all iterations, div b and rem b are well-defined. Note that here, we have used k + 1 evaluations of div b and rem b. This shows that the whole normalization process needs at most 2(n + 1) + 2(m + 1) evaluations of b and Carry mul,b, 5(n + 1) + 5(m + 1) + 4 evaluations of b,, 5n + 5m + 8 evaluations of Carry add,b (to multiply N and M by x; compare (d)), and m + 1 evaluations of div b and rem b (to divide R by x). (ii) Define ˆq := min{ (a m+1 b + a m )/c m, b 1}. If q is the quotient q = (a m+1,..., a 0 )/(c m,..., c 0 ), then ˆq is a good approximation of q: Claim: ˆq q ˆq 2. [Knu81, p. 256, Theorems A and B] For the first inequality, assume that ˆq = (a m+1 b + a m )/c m, since q < b implies the claim when ˆq = b 1. Now c mˆq a m+1 b + a m (c m 1), whence (a m+1,..., a 0 ) ˆq(c m,..., c 0 ) m+1 i=0 m+1 i=0 a i b i (a m+1 b + a m c m + 1)b m a i b i ˆqc m b m m 1 = (c m 1)b m + a i b i < c m b m (c m,..., c 0 ), i=0

8 8 CHAPTER 1. BASIC ARITHMETIC which implies ˆq q. For the other inequality, assume that ˆq 3 q. We have ˆq a m+1b + a m c m = a m+1b m+1 + a m b m c m b m (a m+1,..., a 0 ) c m b m < (a m+1,..., a 0 ) (c m,..., c 0 ) b m, where the last denominator is > 0 since otherwise, c m = 1 and c m 1 = = c 0 = 0 would imply q = ˆq. As q > (a m+1,..., a 0 )/(c m,..., c 0 ) 1, 3 ˆq q < (a m+1,..., a 0 ) (c m,..., c 0 ) b m (a m+1,..., a 0 ) + 1 (c m,..., c 0 ) = (a m+1,..., a 0 ) b m (c m,..., c 0 ) (c m,..., c 0 ) b m + 1. This implies We conclude with (a m+1,..., a 0 ) (c m,..., c 0 ) > 2 (c m,..., c 0 ) b m b m m 1 = 2(c m 1) + 2 c i b i m 2(c m 1) Z. i=0 b 4 ˆq 3 q = (am+1,..., a 0 ) (c m,..., c 0 ) 2(c m 1) 2 b = b 3, a contradiction. Therefore, ˆq 3 < q, whence q ˆq 2. Thus we first compute (a m+1,..., a 0 ) max{0, ˆq 2} (c m,..., c 0 ) and compare it to (c m,..., c 0 ). If the former is less than the latter, we subtract (c m,..., c 0 ), and repeat if necessary. After at most two subtractions, the remainder will be less than (c m,..., c 0 ). For the one multiplication and (at most) two comparisons and three subtractions, we need at most such many basic b-operations (compare (c) and (d)): 2(m + 1) evaluations of b and Carry mul,b, 5(m + 1) + 2 evaluations of b,, 5m + 4 evaluations of Carry add,b, 3(m + 3) evaluations of b, and Carry sub,b, 3(m + 3) comparisons of elements {0,..., b 1}. For computation of ˆq, we need one evaluation of div b. Now, to sum up, we need to do the normalization step at most once, and the division in (ii) at most n m+1 times. Therefore, the total number of operations needed at most are:

9 1.2. A BIT OF COMPLEXITY THEORY 9 2(n + 1) + 2(m + 1) + 2(m + 1)(n m + 1) = 2m(n m) + 4n + 2m + 6 evaluations of b and Carry mul,b, 5(n+1)+5(m+1)+4+(5(m+1)+2)(n m+1) = 5m(n m)+12n+3m+21 evaluations of b,, 5n + 5m (5m + 4)(n m + 1) = 5m(n m) + 9n + 6m + 12 evaluations of Carry add,b, 3(m + 3)(n m + 1) = 3m(n m) + 9n 6m + 9 evaluations of b, and Carry sub,b and comparisons of elements {0,..., b 1}, m (n m + 1) = n + 2 evaluations of div b, m + 1 evaluations of rem b. Note that it is in general not recommended to implement such integer arithmetic by one-selves, but to use libraries which provide such arithmetic. A prime example is the GNU Multiprecision library [GMP]. In some programming languages, such as Python [Py], support for multiprecision arithmetic is already included. In fact, while Python offers two integer types, int (for CPU integers) and long (for arbitrary precision integers), values of type int will automatically 12 turn into type long if the result of an expression does not fit into int. 1.2 A Bit of Complexity Theory In the last section we have seen how to do integer arithmetic using b-adic representations. For example, multiplying two b-adic representations of integers N and M require assuming a reduced representation (size b (M) + 1)(size b (N) + 1) evaluations of b and Carry mul,b, at most (2 size b (M) + 1)(size b (N) + 1) + size b (M) evaluations of b, and at most (2 size b (M) + 1) size b (N) + 2 size b (M) evaluations of Carry add,b. Carrying these numbers around is quite annoying, and in many cases does not say a lot. If we just use basic b-operations as the measure, it gets simpler: multiplication of two b-adic reduced representations of integers N and M requires at most 2(size b (M) + 1)(size b (N) + 1) + (2 size b (M) + 1)(size b (N) + 1) + size b (M) + (2 size b (M) + 1) size b (N) + 2 size b (M) = 6 size b (N) size b (M) + 7 size b (M) + 4 size b (N) + 3 basic b-operations. This expression is still somewhat complicated. Moreover, since we have seen that size b (N) log N log b in Remark (d), we see that the number of basic b-operations is 6 7 log N log M + log b log b log M + 4 log b log N + 3 log b 6 log N log M, log b where for the last, we assume that both N and M are large. Note that except for the constant, the expression only depends on log N and log M, and not at all on the choice of b. Thus, in case b is fixed which it usually is, after fixing a 12 This was implemented in Python 2.2. In Python 3, there is only one integer type. Also see Section

10 10 CHAPTER 1. BASIC ARITHMETIC concrete architecture on which we implement algorithms on, what only matters is the expression following the constant, namely the log N log M. In the following, for a set K, we will consider functions f : N K R. If K = {1,..., m}, then f : N K R is a function in m natural variables to the reals. For a, b N K we will write a b if and only if a k b k for all k K. Definition Let K be an index set and let f, g : N K R be two functions. (a) We write f O(g) if and only if n 0 N K c > 0 n N K : n n 0 f(n) c g(n). We say that f is in big-o of g. (b) We write f o(g) if and only if We say that f is in little-o of g. (c) We write f Θ(g) if and only if We say that f is in Theta of g. f O(g) g O(f). f O(g) g O(f). Remarks For (a), (b) and (c), assume that g(n) 0 for all n K. f(n) (a) Then f o(g) if and only if lim n g(n) this case. 13 (b) Moreover, f O(g) if and only if lim sup n f(n) g(n) <. = 0. In particular, the limit exists in (c) Finally, f Θ(g) if and only if g Θ(f), which is the case if and only if f(n) 0 < lim inf n g(n) lim sup f(n) n g(n) <. (d) If f = a m X m + a m 1 X m a 0 is a univariate polynomial with a m 0, then f O(g), where g(x) := x m. That is, we only take the largest term of the polynomial and are only interested in the exponent, but not in its coefficient. Using the big-o notation, we can simply state that multiplication of two b-adic reduced representations of positive integers N and M can be done with O(log N log M) basic b-operations. A restatement of Theorem using the new notation is the following: Corollary (Basic Integer Arithmetic). Let b 2 be a natural number, and let N and M be two integers. Assume that we are given reduced b-adic representations of N and M. We assume that the sign is given separately as a value in { 1, +1}. (a) Testing whether N < M, N = M or N > M using the reduced b-adic representations of N and M can be done in O(min{log N, log M}) basic b-operations. 13 Here, with n, we mean that n = (n k k K) is a family of variables which all converge to uniformly. For K <, this is equivalent to pointwise convergence of the n k.

11 1.3. POLYNOMIAL ARITHMETIC 11 (b) Computing a reduced b-adic representation of N + M using the reduced b-adic representations of N and M can be done in O(max{log N, log M}) basic b- operations. (c) Computing a reduced b-adic representation of N M using the reduced b-adic representations of N and M can be done in O(max{log N, log M}) basic b- operations. (d) Computing a reduced b-adic representation of N M using the reduced b-adic representations of N and M can be done in O(log M log N) basic b-operations. (e) Assume that M 0. Computing reduced b-adic representations of two numbers Q, R N with N = Q M +R and R < M using the reduced b-adic representations of N and M can be done in O(max{log M (log N log M + 1), 1}) basic b-operations. 1.3 Polynomial Arithmetic Two fundamental arithmetics in computer algebra are arithmetic in Z and polynomial arithmetic. As with integers, one first has to think on how to represent polynomials on a computer. There are essentially two general representations: A dense representation: a polynomial n i=0 a ix i over a ring R is specified by a list (a n,..., a 0 ) R n+1 of coefficients. A sparse representation: a polynomial n i=1 a ix e i with e 1 < < e n is specified by a list ((a 1, e 1 ),..., (a n, e n )) of pairs (a i, e i ) R N. Both representations have advantages and disadvantages, depending on how they are used. In some cases, mixing these two representations can yield improvements. For example, when representing the polynomial X q X for a huge prime power q, the sparse representation is the representation of choice. On the other hand, to represent the quotient Xn 1 X 1 of the two sparse polynomials Xn 1 and X 1 as a polynomial, one obtains n 1 i=0 Xi, for which a dense representation is better suited. In this lecture, and in particular for the rest of this section, we will almost exclusively work with dense representations of polynomials. Remark (a) Similar to b-adic representations of natural numbers, the dense representation (a n,..., a 0 ) of n i=0 a ix i can be made unique by forcing n = 1 (the empty list () ) or a n 0. As before, we call such representations reduced. (b) We define the degree of the zero polynomial as 1. (As opposed to, which is common in many parts of mathematics.) Then the degree of the polynomial equals the length of the list minus one for the reduced dense representation. (c) We denote the leading coefficient a n of a polynomial f = n i=0 a ix i with a n 0 by LC(f). In case f = 0, we define LC(0) := 0. (d) If (a n,..., a 0 ) represents the polynomial f = n i=0 a ix i, we will often write f = (a n,..., a 0 ) in the following. The four basic operations for polynomials are

12 12 CHAPTER 1. BASIC ARITHMETIC addition and subtraction, multiplication, and Euclidean (long) division with remainder. We present some simple algorithms for these operations and analyze their running time in terms of operations in the underlying ring R. Note that in particular for R = Z and R = Q, these operations can be very expensive, and for such rings, special algorithms can perform much faster. Theorem (Polynomial Arithmetic). Let f, g R[X] be two polynomials with n = deg f and m = deg g, given by their dense representation. Let λ R. (a) We can compute a dense representation of λf using at most n+1 multiplications and n + 2 comparisons in R. (If R is zero-divisor free, one comparison suffices to check whether λ 0). The total number of operations in R is thus in O(n). (b) We can compute a dense representation of f + g and f g using min{n, m} + 1 additions respective subtractions in R, max{n, m} min{n, m} duplication of elements or negations, and at most min{n, m} + 1 comparisons. The total number of operations in R is thus in O(max{n, m}). (c) We can compute a dense representation of f g using mn additions and (m + 1)(n + 1) multiplications in R and at most n + m + 1 comparisons in R. The total number of operations in R is thus in O(mn). (d) Assume that LC(g) is a unit in R. We can compute a dense representation of q, r R[X] with f = qg+r and deg r < m = deg g using one inversion of a unit, at most (n m + 1)m subtractions, at most (n m + 1)(m + 1) multiplications in R, at most n + 1 duplications of elements of R and at most m comparisons in R. The total number of operations in R is thus in O(nm). In case LC(g) = 1, it suffices to do at most (n m + 1)m subtractions, (n m + 1)m multiplications and m comparisons in R. Proof. Let f = (a n,..., a 0 ) and g = (b m,..., b 0 ). (a) In case λ = 0, the result is (). Otherwise, λf = (λa n,..., λa 0 ). In case R is zero-divisor free, this representation is already reduced; otherwise, one can start with λa n ; if λa n = = λa i = 0 and λa i+1 0, then (λa i+1,..., λa 0 ) is reduced and can be returned. In case no such i exists, return (). This algorithm clearly requires n + 1 multiplications in R (in case λ 0). Normalization of the result requires at most n+1 comparisons of the coefficients to 0 R. (b) Without loss of generality, assume that n m. Then f ± g = (±b m,..., ±b n+1, a n ± b n,..., a 0 ± b 0 ). In case m > n, this is already a reduced representation; in case m = n, one starts with the largest index i such that a i ± b i 0, or returns () in case no such index exists. We need at most min{n, m} + 1 comparisons to 0 R for this. In case n = m, we have n+1 additions resp. subtractions and 0 duplications. In case n < m, we have n + 1 additions resp. subtractions and m n duplications resp. negations (for ( b m,..., b n+1 )). In case n > m, we have m + 1 additions resp. subtractions and n m duplications.

13 1.4. EUCLIDEAN ALGORITHM 13 (c) Note that f g = (c m+n,..., c 0 ), where c i = min{i,n} j=max{0,i m} a j b i j. This coefficient can be computed using N i := min{i, n} max{0, i m} additions and N i + 1 multiplications. Therefore, all coefficients together can be computed using n+m i=0 N i = n+m i=0 ( n = i + i=0 ( 1 = = 1 2 n+m min{i, n} n+m i=n+1 n(n + 1) + mn 2 i=0 max{0, i m} ) ( m n 0 + ) i=0 ( m+n i=0 m+n i=m+1 i m i=0 ) (i m) ) i nm ( n(n + 1) + m(m + 1) + 4mn (m + n)(m + n + 1) ) = mn additions and n+m i=0 (N i+1) = mn+(n+m+1) = (m+1)(n+1) multiplications. Finally, to normalize the result, we need at most n + m + 1 comparisons with 0 R. (d) In case n < m, we set q := () and r := f. This requires n + 1 duplications. Now assume n m. Then deg q = n m. In case LC(g) 1, we invert LC(g) and store it, say in u. We start with r := f = (a n,..., a 0 ) =: (r n,..., r 0 ) and q := (c n m,..., c 0 ) with all c i = 0 in the beginning. We proceed iteratively from i = n m down to i = 0. Before and after each iteration, f = q g + r. For each i, we set c i := ur m+i and subtract c i X i g from r. For the latter, we subtract c i b j from r j+i, j = 0,..., m. (Note that c i b m = r m+i ub m = r m+i, whence after this, r m+i = 0. In fact, we do not subtract c i b m from r i+m, but simply set r i+m = 0.) Therefore, in iteration i, we do m + 1 (or just m if u = 1) multiplications and m subtractions in case c i 0, and nothing in case c i = 0. After all iterations, we will have r m = = r n+m = 0, and we determine the smallest i such that r i = = r n+m = 0 and set r = (r i 1,..., r 0 ); in case no such i exists, we set r = (). As we have n m + 1 iterations, we perform at most (n m + 1)(m + 1) multiplications (or just (n m+1)m if u = 1), at most (n m+1)m subtractions and at most m comparisons (to normalize r) to compute q and r. 1.4 Euclidean Algorithm A class of integral domains with very nice division properties are Euclidean rings, rings in which one has an Euclidean division. Prime examples are the integers (Z) and polynomial rings over fields (K[x]).

14 14 CHAPTER 1. BASIC ARITHMETIC Definition An integral domain R is called Euclidean if there exists a function ν : R Z { }, ν(r \ {0}) N such that (a) for every a, b R, b 0, we have ν(a) ν(ab); and (b) for every a, b R, b 0, there exist q, r N with a = qb + r and ν(r) < ν(b). We will call ν an (Euclidean) valuation. Remarks (a) [Rog71] Note that any ring R with valuation ν which satisfies the definition except part (a) can be made Euclidean by defining ˆν(x) := min{ν(xa) a R, a 0}: then (R, ˆν) satisfies both (a) and (b). (b) [vzgg03, p. 60, Exercise 3.5] Moreover, one can consider the set X R := {ν ν satisfies condition (b)} and define ν min (x) := min{ν(x) ν X R }. Then ν min satisfies both (a) and (b). (c) Note that if a, b R are associated, i.e. a = be with e R, then ν(a) = ν(b). 14 (d) Moreover, note that ν(0) < ν(1) < ν(a) for every non-zero non-unit a R \ (R {0}). 15 Example For R = Z, the function ν : Z N, x x satisfies the conditions of the definition. Here, ν(a) = ν(b) if and only if a and b are associated, which is the case if and only if a = ±b. One can show that the minimal function ν min is ν min (x) = log 2 x with ν min (0) = [vzgg03, p. 61, Exercise 3.5 (vi)]. Example For R = K[x], ν = deg satisfies the conditions of the definition. (In fact, ν = ν min [vzgg03, p. 61, Exercise 3.5 (vi)].) Here, q and r are uniquely determined by a and b: if a = qb+r = q b+r for q, q, r, r K[x] with deg r, deg r < deg b, then r r = b(q q ) implies deg(r r ) = deg b + deg(q q ), which is only possible if r r = 0 = q q. In this case, ν(a) = ν(b) does not imply that a and b are associated: for example, consider a = x and b = x + 1. Euclidean domains are principal ideal domains and thus also factorial, which means that they have unique factorization of non-zero elements as a product of a unit and prime elements. Another advantage is that they allow to compute greatest common divisors very efficiently. The basic technique of doing this was first described by Euclid in his books Elements VII and X. His original treatment only uses subtraction and comparison of integers, but it can be sped up dramatically by using Euclidean (long) division. This yields the modern form of one of the most fundamental algorithms, which we will now state in full detail: Theorem (Euclidean Algorithm). Let R be an Euclidean domain with valuation ν. Assume that we are given a 0, a 1 R \ {0}. Define sequences (a i ) i 0, (b i ) i 0, (c i ) i 0, (q i ) i 0, (T i ) i 0, as follows: 14 We have ν(a) = ν(be) ν(bee 1 ) = ν(b) by part (a), and conversely, ν(b) = ν(ae 1 ) ν(ae 1 e) = ν(a). 15 First, ν(1) ν(1 a) = ν(a) shows that every non-zero non-unit s valuation is at least ν(1). Hence, 0 = q 1+r with ν(r) < ν(1) implies that r = 0 and ν(0) < ν(1). Finally, consider 1 = q a+r with ν(r) < ν(a). It is not possible that r = 0, as this implies 1 = q a, which is absurd as a is a non-unit. Therefore, ν(1) ν(r) < ν(a).

15 1.4. EUCLIDEAN ALGORITHM 15 ( ) b0 b define 1 := c 0 c 1 ( ) 1 0 ; 0 1 if a i 2 and a i 1 are defined, define q i, a i, T i, b i and c i as follows: (i) let q i, a i R with a i 2 = q i a i 1 + a i such that ν(a i ) < ν(a i 1 ) (Euclidean division) in case a i 1 0, and q i = a i = 0 in case a i 1 = 0; ( ) 0 1 (ii) define T i := R 1 q 2 2 ; i (iii) define ( ) bi 2 c (b i, c i ) := (1, q i ) i 2. Then there exists an index i with a i = 0. Let n 1 be the largest index such that a n 0. Then the following holds: (a) for 1 j i n + 1, ( ) ai 1 b i 1 c i 1 a i b i c i b i 1 c i 1 ( ) aj 1 b = T i T i 1 T j 1 c j 1 j+1 ; a j b j c j (b) for i = 1,..., n + 1, ( ) bi 1 c A i := i 1 = T i T i 1 T 2 b i c i and det A i = ( 1) i 1 ; (c) for i = 1,..., n + 1, a i = b i a 0 + c i a 1 and b i, c i are coprime; (d) a n = b n a 0 + c n a 1 (Bézout equation) is a greatest common divisor of a 0 and a 1 ; (e) ( 1) i 1 a 0 = c i a i 1 c i 1 a i and ( 1) i a 1 = b i a i 1 b i 1 a i for i = 1,..., n + 1; in particular, a 0 = ( 1) n c n+1 a n and a 1 = ( 1) n+1 b n+1 a n ; (f) we have q i 0, 2 < i n+1, and for i = 2, we have q i = 0 only if ν(a 1 ) > ν(a 0 ). During the rest of this section, as well as the next section, we will always use the notation from the theorem. Note that if we are only interested in a greatest common divisor of a 0 and a 1, we do not have to carry b i, c i around. In fact, one can implement this algorithm in very few lines, as the following Python example for integers shows: 1 def gcd (a, b): Listing 1.1: GCD of Integers 2 " Compute GCD of its two inputs " 3 while b!= 0: 4 a, b = b, a % b 5 return a If we want to compute x, y Z such that ax+by = gcd(a, b), we need to invest more work. This processes is often called the Extended Euclidean Algorithm. Fortunately, we can read off the required formulas directly from the theorem:

16 16 CHAPTER 1. BASIC ARITHMETIC 1 def gcdex (a, b): Listing 1.2: Extended GCD of Integers 2 " Compute extended GCD ( with Bé zout equation ) of its two inputs. Returns the GCD followed by the coefficients of the linear combination." 3 ai = b # ai stands for : a with index i 4 aim1 = a # aim1 stands for : a with index i -1 5 bi = 0 # bi stands for : b with index i 6 bim1 = 1 # bim1 stands for : b with index i -1 7 ci = 1 # ci stands for : c with index i 8 cim1 = 0 # cim1 stands for : c with index i -1 9 while ai!= 0: 10 q, r = divmod ( aim1, ai) # compute both quotient and remainder 11 aim1, ai = ai, r 12 bim1, bi = bi, bim1 - q * bi 13 cim1, ci = ci, cim1 - q * ci 14 return aim1, bim1, cim1 Note that divmod(a, b) for integers a, b does an Euclidean division: it returns a pair (q, r) with a = q * b + r and abs(r) < abs(b). In fact, q = a b. Instead of q, r = divmod(aim1, ai), we could have also written q, r = aim1 / ai, aim1 % ai, or q = aim1 / ai; r = aim1 % ai. We can accelerate the algorithm, since in the first loop iteration, bi and ci are very easy to compute: 1 def gcdex (a, b): Listing 1.3: Optimized Extended GCD of Integers 2 " Compute extended GCD ( with Bé zout equation ) of its two inputs. Returns the GCD followed by the coefficients of the linear combination." 3 ai = b # ai stands for : a with index i 4 aim1 = a # aim1 stands for : a with index i -1 5 # We can accelerate the first step 6 if ai!= 0: 7 q, r = divmod ( aim1, ai) # compute both quotient and remainder 8 aim1, ai = ai, r 9 bim1, bi = 0, 1 # before : bi = 0, bim1 = 1 10 cim1, ci = 1, - q # before : ci = 1, cim1 = 0 11 # Now continue 12 while ai!= 0: 13 q, r = divmod ( aim1, ai) # compute both quotient and remainder 14 aim1, ai = ai, r 15 bim1, bi = bi, bim1 - q * bi 16 cim1, ci = ci, cim1 - q * ci 17 else : 18 bim1 = 1 19 cim1 = 0 20 return aim1, bim1, cim1 Here, in lines 7 to 10, we essentially unroll 16 the first loop iteration and specialize it. We can test the function as follows: 16 Unrolling loops is an important optimization done by many compilers, which translate (human-

17 1.4. EUCLIDEAN ALGORITHM 17 1 a,b = 5, 7 2 d,x,y = gcdex (a, b) 3 print d == x*a + y*b 4 a, b = , d,x,y = gcdex (a, b) 6 print d == x*a + y*b Python instantaneous prints out the answer True in both cases. Note that 1 = ( ) , whence the two large numbers are coprime. Proof. Note that ν(a 1 ) > ν(a 2 ) > ν(a 3 ) >. Since ν(a i ) 0 is an integer while a i 0, there must be some index i such that a i = 0. As further a 0 0 a 1, a maximal n 1 exists with a n 0. (a) one checks this quickly for j = i 1, and it is trivial for j = i; the general case then follows by induction on i j. ( ) ( ) b0 b (b) Apply (a) for j = 2 and use = ; this yields A c 0 c i = T i T i 1 T 2. Now det T i = 1, whence det A i = ( 1) i 1. ( ) (c) Since (0, 1) (1, 0, 0) a i T = a i, we can apply (a) and (b) to obtain a i = ( 0 1 )( )( ) b i 1 c i 1 a0 b 0 c = ( ) ( ) a b b i c i a 1 b 1 c i c 0 i, 1 a 0 1 which simplifies to b i a 0 + c i a 1. Since 1 = det A i = b i 1 c i c i 1 b i, we see that c i and b i are coprime. readable) program code into machine code. The rationale is that conditional jumps (like: repeat the code block if the counter is less than something) are costly on modern CPUs, since the CPUs try to look ahead what will happen soon and might even already execute later instructions (out of order execution) under very special circumstances. In case of a conditional jump, the CPU does not know in advance whether it will jump or not, and so cannot really look ahead. Therefore, code such as 1 for i in xrange (4) : 2 x[i] = i will often automatically be translated to 1 x [0] = 0 2 x [1] = 1 3 x [2] = 2 4 x [3] = 3 by the compiler.

18 18 CHAPTER 1. BASIC ARITHMETIC (d) That a n = b n a 0 + c n a 1 follows from (c); this equation implies that every divisor of a 0 and a 1 also divides a n. So we are left to show a n a 0, a 1. For that, we show by induction on j that a n divides both a n+1 j and a n j, for j = 0,..., n. For j = 0, a n+1 j = a n+1 = 0 and a n j = a n, whence this is clear. Now assume a n a n+1 j, a n j. As a n+1 (j+1) = a n j and a n (j+1) = a n j 1 = q n+1 j a n j + a n+1 j, we see using the induction hypothesis that a n also divides a n+1 (j+1) and a n (j+1). (e) Note that for i = 1,..., n + 1, we have ( ) i = ( 1) i 1 ci c i 1 b i b i 1 A 1 (since det A i = ( 1) i 1 ). Using this together with parts (a) and (b), we obtain ( 1) i 1 a 0 = c i a i 1 c i 1 a i and ( 1) i a 1 = b i a i 1 b i 1 a i. (1.1) Plugging in i = n + 1, we obtain ( 1) n a 0 = c n+1 a n and ( 1) n+1 a 1 = b n+1 a n. (f) If ν(a i 2 ) > ν(a i 1 ) (which is always satisfied for i = 3,..., n + 1), then we cannot have q i = 0, as otherwise a i = a i 2 and thus ν(a i ) > ν(a i 1 ), which contradicts the construction of q i and a i. In the following lemma, we prove two further results for the special cases of integers with a more rigid definition of Euclidean division and polynomials over a field. These will be very useful when analyzing the algorithm in the next section. Lemma Assume that we have either of the following two cases: R = Z, ν(x) = x and for Euclidean division a = qb + r, we assume that a r < a in case r 0, which is equivalent to ar 0; R = K[X] for some field K and ν(f) = deg f. Further assume that ν(a 0 ) ν(a 1 ). Then during the Euclidean algorithm, the following properties hold: (a) For i = 2,..., n + 1, ν(b i 1 ) ν(b i ) and ν(c i 1 ) ν(c i ). In the case of R = Z, we have strict inequality except possibly ν(b 3 ) = ν(b 2 ), which happens if and only if ν(q 3 ) = 1, and ν(c 2 ) = ν(c 1 ), which happens if and only if ν(q 2 ) = 1. In the case of R = K[X], we have strict inequality except possibly ν(c 1 ) ν(c 2 ), which happens if and only if ν(a 0 ) = ν(a 1 ). (b) For i = 1,..., n + 1, ν(b i a i 1 ) ν(a 1 ) and ν(c i a i 1 ) ν(a 0 ), and in the case of R = K[X], we have equality. Remark Note that in case R = Z of Lemma 1.4.6, we need the additional assumption that a r 0 (which is equivalent to a r < a if r 0). Consider a 0 = 7 and a 1 = 5. Since 7 = and 3 < 5,

19 1.4. EUCLIDEAN ALGORITHM 19 we could choose q 2 = 2 and a 2 = 3. This would result in b 2 = 1 and c 2 = 2, whence ν(c 2 a 1 ) = 10 > 7 = ν(a 0 ). If we continue as follows: 5 = ( 2) ( 3) 1 since 1 < 3, we obtain q 3 = 2, a 3 = 1, b 3 = 6 and c 3 = 9. Here, both ν(c 3 a 2 ) = 9 > 7 = ν(a 0 ) and ν(b 3 a 2 ) = 6 > 5 = ν(a 1 ). This violates part (b) of the lemma. Proof of Lemma Note that since det T i = 1, we have that gcd(b i 1, b i ) = 1 = gcd(c i 1, c i ) for i = 2,..., n + 1; we also have the coprimeness for i = 1, since b 0 = 1 = c 1. Therefore, for i = 2,..., n + 1, we have b i = b i 2 q i b i 1 0 and c i = c i 2 q i c i 1 0 except possibly c 2 = 0 if q 2 = 0. But since ν(a 0 ) ν(a 1 ) we must have q 2 0 as well, whence also c 2 0. We consider the two cases R = Z and R = K[X] separately. We begin with R = K[X]. First note that except possibly for i = 2 (where it could happen that deg a 0 = deg a 1 ), deg q i > 0 since deg a i 2 > deg a i 1. (a) We proceed by induction on i. For i = 2, b 1 = 0, b 2 = 1 and c 1 = 1, c 2 = q 2 0. Now assume that the statement holds for some i 2. Since b i+1 = b i 1 q i+1 b i and deg b i 1 < deg b i, deg b i+1 = deg(q i+1 b i ) = deg q i+1 + deg b i > deg b i since deg q i+1 > 0. The claim holds analogous for c i+1. (b) Since ( 1) i 1 a 0 = c i a i 1 c i 1 a i and deg c i > deg c i 1 and deg a i 1 > deg a i, deg a 0 = deg(c i a i 1 ). The claim holds analogous for deg a 1 = deg(b i a i 1 ). Now we consider R = Z. We begin with proving some auxiliary claims. Claim (iii) directly implies (a), and claim (v) directly implies (b). (i) Claim: If a 0 and a 1 have the same sign, then all q i 0, i = 2,..., n; otherwise, all q i 0, i = 2,..., n. First note that a i always has the same sign as a i+2. If both a 0 and a 1 have the same sign, then all a i 0. As a i < a i 1 a i 2 and a i 2 = q i a i 1 + a i, it must be that q i 0. If a 0 a 1 < 0, we have that a i 2 and q i a i 1 have the same sign. Since a i 2 a i 1 0, it must be that q i 0. (ii) Claim: If a 0 and a 1 have the same sign, ( 1) i b i, ( 1) i+1 c i 0 for i = 0,..., n + 1, and if a 0 and a 1 have different signs, b i, c i 0 for i = 0,..., n + 1. First assume that a 0 a 1 > 0. We prove the claim by induction on (i 1, i). For i = 0, ( 1) i b i = 1 0 and ( 1) i+1 c i = 0 0. For i = 1, ( 1) i b i = 0 0 and ( 1) i+1 c i = 1 0. Now assume that the claim is true for i 1 and i. Then ( 1) i+1 b i+1 = ( 1) i+1 b i 1 q i+1 ( 1) i+1 b i = ( 1) i 1 b i 1 + q i+1 ( 1) i b i. Since by claim (i), q i+1 0, and by induction hypothesis, ( 1) i 1 b i 1, ( 1) i b i 0, we get ( 1) i+1 b i+1 0. Similarly, ( 1) (i+1)+1 c i+1 = ( 1) i+2 c i 1 q i+1 ( 1) i+2 c i = ( 1) (i 1)+1 c i 1 + q i+1 ( 1) i+1 c i 0.

20 20 CHAPTER 1. BASIC ARITHMETIC Now assume that a 0 a 1 < 0. We again proceed by induction on (i 1, i). For i = 0 and i = 1, all b i and c i are 0 by definition. Now assume that the claim is true for i 1 and i. Then b i+1 = b i 1 q i+1 b i 0 since by induction hypothesis, b i 1, b i 0 and by claim (i), q i 0. The proof for c i+1 0 proceeds the same way. (iii) Claim: We have b i = q i b i 1 + b i 2 > b i 1 and c i = q i c i 1 + c i 2 > c i 1 for i = 2,..., n + 1. First assume that a 0 a 1 > 0. By claim (ii), b i = ( 1) i b i, whence b i = ( 1) i b i 2 ( 1) i q i b i 1 = ( 1) i 2 b i 2 + q i ( 1) i 1 b i 1. Using claim (ii) again yields b i 2 = ( 1) i 2 b i 2 and b i 1 = ( 1) i 1 b i 1, and by claim (i), q i = q i. Therefore, b i = q i b i 1 + b i 1. Similarly, c i = q i c i 1 + c i 1. Now assume that a 0 a 1 < 0. By claim (ii), b i = b i = b i 2 q i b i 1 = b i 2 + ( q i )b i 1. By claim (ii), b i 2 = b i 2 and b i 1 = b i 1, and by claim (i), q i = q i. Therefore, b i = q i b i 1 + b i 1. Similarly, c i = q i c i 1 + c i 1. We now prove the statement on the inequality by strong induction on i. Note that b 0 = 1, b 1 = 0, b 2 = 1 and b 3 = q 3. Therefore, b 2 > b 1 and q 3 = b 3 b 2 = 1 as q 3 0 (part (f) of theorem); moreover, we have b 3 > b 2 if and only if q 3 1. Now c 0 = 0, c 1 = 1, c 2 = q 2 and c 3 = 1 + q 2 q 3. As q 2 q 3 0 by claim (i) and q 2, q 3 0 by part (f) of the theorem, c 3 = 1 + q 2 q q 2 > q 2 = c 2 c 1 = 1; moreover, we have c 2 > c 1 if and only if q 2 1. Finally, assume that i > 3 and that the (not necessarily strict) inequality statement is true for all less i. The above show that b i 0 c i for i > 1, whence b i = q i b i 1 + b i 1 > q i b i 1 b i 1 since q i 0. Similarly, c i = q i c i 1 + c i 1 > q i c i 1 c i 1. (iv) Claim: If i, j {0,..., n+1} with i j (mod 2), we have ( 1) j a i b j a 1 0 and ( 1) i a i c j a 0 0. We have ( 1) i a i has the same sign as a 0 and ( 1) i+1 a i has the same sign as a 1. (See note in claim (i).) Now first consider that a 0 and a 1 have the same sign; then all a i have the same sign. By claim (ii), ( 1) j b j, ( 1) j+1 c j 0. Combining this yields 0 ( 1) j b j ai a 1 and 0 ( 1) j+1 c j ai a 0. Now assume that a 0 and a 1 have different signs. By claim (ii), b j, c j 0 for all j. Now 0 b j ( 1)i+1 a i a 1 and 0 c j ( 1)i a i a 0, and since ( 1) i+1 = ( 1) j and ( 1) j+1 = ( 1) i the claim follows. (v) Claim: For i = 1,..., n + 1, b i a 1 /a i 1 and c i a 0 /a i 1.

21 1.4. EUCLIDEAN ALGORITHM 21 We show this claim by induction over i. For i = 1, b i = 0, c i = 1 and a 0 /a i 1 = a 0 /a 0 = 1. Hence, b i = 0 a 0 /a i 1 and c i = 1 = a 0 /a i 1. Now assume that the statement is true for some i. As a i+1 < a i 1, the induction hypothesis yields a i+1 b i a 1 < a i 1 b i 1 and a i+1 c i < a i 1 c i 1. a 1 By claim (iv), ( 1) i a i+1 b i a 1 0, whence the above yields a i+1 b i ( 1) i a 1 = a i+1b i a 1 ( 1)i 1 a 1 1. Since a i+1 b i ( 1) i a 1 = a i b i+1 by part (e) of the theorem, we obtain a i b i+1 a 1. Similarly, by claim (iv), ( 1) i+1 a i+1 c i a 0 0, whence the above yields a i+1 c i + ( 1) i a 0 = ( 1) i+1 a i+1 c i a 0 1 a 0 1. Since a i+1 c i + ( 1) i a 0 = a i c i+1 by part (e) of the theorem, we finally obtain a i c i+1 a Analyzing the Euclidean Algorithm In this section, we still use the notation of Theorem Theorem (Euclidean Algorithm for Polynomials). Let K be a field and f, g K[x] \ {0} two non-zero polynomials given via their dense representation. Assume that we use the basic polynomial arithmetic described in Section 1.3 with dense representations. (a) Then the Euclidean algorithm needs at most 2 deg f deg g + deg f + deg g + 1 field operations (without inversion), min{deg f, deg g} + 1 comparisons (with 0 K) and at most min{deg f, deg g} 2 inversions in K to compute a dense representation of a greatest common divisor of f and g. (b) The Euclidean algorithm needs at most 6 deg f deg g 2 max{deg f, deg g} 4 min{deg f, deg g}+6 field operations (without inversion), min{deg f, deg g}+1 comparisons (with 0 K) and at most min{deg f, deg g} 2 inversions in K to compute both a dense representation of a greatest common divisor d K[x] of f and g as well as dense representations of x, y K[x] such that d = fx + gy. Proof. Set m i := deg a i, 0 i n + 1, and assume that m 0 m 1 ; then m 0 m 1 > m 2 > > m n+1. Since the number of field operations to compute Euclidean long division for polynomials of degree m i 1 and m i is at most (2m i + 1)(m i 1 m i + 1) (Theorem (d)), and additionally m i m i+1 comparisons (since m i+1 is the degree of the remainder), the total number of field operations required for the Euclidean algorithm for just computing a GCD is at most n i=1 (2m i + 1)(m i 1 m i + 1) and n i=1 (m i m i+1 ) = m comparisons. For a sequence m 0 m 1 > > m n 0, define f(m 0,..., m n ) := n i=1 (2m i + 1)(m i 1 m i + 1). We will show the following three claims: a 0 a 0