Binary GCD algorithm

Template:Short description Template:Use dmy dates

File:Binary GCD algorithm visualisation.svg

Visualisation of using the binary GCD algorithm to find the greatest common divisor (GCD) of 36 and 24. Thus, the GCD is 2² × 3 = 12.

The binary GCD algorithm, also known as Stein's algorithm or the binary Euclidean algorithm,Template:R is an algorithm that computes the greatest common divisor (GCD) of two nonnegative integers. Stein's algorithm uses simpler arithmetic operations than the conventional Euclidean algorithm; it replaces division with arithmetic shifts, comparisons, and subtraction.

Although the algorithm in its contemporary form was first published by the physicist and programmer Josef Stein in 1967,<ref name="Stein"/> it was known by the 2nd century BCE, in ancient China.Template:R

AlgorithmEdit

The algorithm finds the GCD of two nonnegative numbers <math>u</math> and <math>v</math> by repeatedly applying these identities:

<math>\gcd(u, 0) = u</math>: everything divides zero, and <math>u</math> is the largest number that divides <math>u</math>.
<math>\gcd(2u, 2v) = 2 \cdot \gcd(u, v)</math>: <math>2</math> is a common divisor.
<math>\gcd(u, 2v) = \gcd(u, v)</math> if <math>u</math> is odd: <math>2</math> is then not a common divisor.
<math>\gcd(u, v) = \gcd(u, v - u)</math> if <math>u, v</math> odd and <math>u \leq v</math>.

As GCD is commutative (<math>\gcd(u, v) = \gcd(v, u)</math>), those identities still apply if the operands are swapped: <math>\gcd(0, v) = v</math>, <math>\gcd(2u, v) = \gcd(u, v)</math> if <math>v</math> is odd, etc.

ImplementationEdit

While the above description of the algorithm is mathematically correct, performant software implementations typically differ from it in a few notable ways:

eschewing trial division by <math>2</math> in favour of a single bitshift and the count trailing zeros primitive; this is functionally equivalent to repeatedly applying identity 3, but much faster;
expressing the algorithm iteratively rather than recursively: the resulting implementation can be laid out to avoid repeated work, invoking identity 2 at the start and maintaining as invariant that both numbers are odd upon entering the loop, which only needs to implement identities 3 and 4;
making the loop's body branch-free except for its exit condition (<math>v = 0</math>): in the example below, the exchange of <math>u</math> and <math>v</math> (ensuring <math>u \leq v</math>) compiles down to conditional moves;<ref name="rust disassembly"/> hard-to-predict branches can have a large, negative impact on performance.<ref name="intel"/><ref name="lemire"/>

The following is an implementation of the algorithm in Rust exemplifying those differences, adapted from uutils:

<syntaxhighlight lang="rust"> use std::cmp::min; use std::mem::swap;

pub fn gcd(mut u: u64, mut v: u64) -> u64 {

   // Base cases: gcd(n, 0) = gcd(0, n) = n
   if u == 0 {
       return v;
   } else if v == 0 {
       return u;
   }

   // Using identities 2 and 3:
   // gcd(2ⁱ u, 2ʲ v) = 2ᵏ gcd(u, v) with u, v odd and k = min(i, j)
   // 2ᵏ is the greatest power of two that divides both 2ⁱ u and 2ʲ v
   let i = u.trailing_zeros();  u >>= i;
   let j = v.trailing_zeros();  v >>= j;
   let k = min(i, j);

   loop {
       // u and v are odd at the start of the loop
       debug_assert!(u % 2 == 1, "u = {} should be odd", u);
       debug_assert!(v % 2 == 1, "v = {} should be odd", v);

       // Swap if necessary so u ≤ v
       if u > v {
           swap(&mut u, &mut v);
       }

       // Identity 4: gcd(u, v) = gcd(u, v-u) as u ≤ v and u, v are both odd 
       v -= u;
       // v is now even

       if v == 0 {
           // Identity 1: gcd(u, 0) = u
           // The shift by k is necessary to add back the 2ᵏ factor that was removed before the loop
           return u << k;
       }

       // Identity 3: gcd(u, 2ʲ v) = gcd(u, v) as u is odd
       v >>= v.trailing_zeros();
   }

} </syntaxhighlight>

Note: The implementation above accepts unsigned (non-negative) integers; given that <math>\gcd(u, v) = \gcd(\pm{}u, \pm{}v)</math>, the signed case can be handled as follows: <syntaxhighlight lang="rust"> /// Computes the GCD of two signed 64-bit integers /// The result is unsigned and not always representable as i64: gcd(i64::MIN, i64::MIN) == 1 << 63 pub fn signed_gcd(u: i64, v: i64) -> u64 {

   gcd(u.unsigned_abs(), v.unsigned_abs())

} </syntaxhighlight>

ComplexityEdit

Asymptotically, the algorithm requires <math>O(n)</math> steps, where <math>n</math> is the number of bits in the larger of the two numbers, as every two steps reduce at least one of the operands by at least a factor of <math>2</math>. Each step involves only a few arithmetic operations (<math>O(1)</math> with a small constant); when working with word-sized numbers, each arithmetic operation translates to a single machine operation, so the number of machine operations is on the order of <math>n</math>, i.e. <math>\log_{2}(\max(u, v))</math>.

For arbitrarily large numbers, the asymptotic complexity of this algorithm is <math>O(n^2)</math>,<ref name="gmplib"/> as each arithmetic operation (subtract and shift) involves a linear number of machine operations (one per word in the numbers' binary representation). If the numbers can be represented in the machine's memory, i.e. each number's size can be represented by a single machine word, this bound is reduced to: <math display="block"> O\left(\frac{n^2}{\log_2 n}\right) </math>

This is the same as for the Euclidean algorithm, though a more precise analysis by Akhavi and Vallée proved that binary GCD uses about 60% fewer bit operations.<ref name="bit-complexity"/>

ExtensionsEdit

The binary GCD algorithm can be extended in several ways, either to output additional information, deal with arbitrarily large integers more efficiently, or to compute GCDs in domains other than the integers.

The extended binary GCD algorithm, analogous to the extended Euclidean algorithm, fits in the first kind of extension, as it provides the Bézout coefficients in addition to the GCD: integers <math>a</math> and <math>b</math> such that <math>a\cdot{}u + b\cdot{}v = \gcd(u, v)</math>.<ref name="egcd-knuth"/><ref name="egcd-applied-crypto"/><ref name="egcd-cohen"/>

In the case of large integers, the best asymptotic complexity is <math>O(M(n) \log n)</math>, with <math>M(n)</math> the cost of <math>n</math>-bit multiplication; this is near-linear and vastly smaller than the binary GCD algorithm's <math>O(n^2)</math>, though concrete implementations only outperform older algorithms for numbers larger than about 64 kilobits (i.e. greater than 8×10¹⁹²⁶⁵). This is achieved by extending the binary GCD algorithm using ideas from the Schönhage–Strassen algorithm for fast integer multiplication.<ref name="stehlé-zimmermann"/>

The binary GCD algorithm has also been extended to domains other than natural numbers, such as Gaussian integers,<ref name="weilert"/> Eisenstein integers,<ref name="eisenstein"/> quadratic rings,<ref name="some-quadratic-rings"/><ref name="UFD-quadratic-rings"/> and integer rings of number fields.<ref name="integer-rings" />

Historical descriptionEdit

An algorithm for computing the GCD of two numbers was known in ancient China, under the Han dynasty, as a method to reduce fractions:

Template:Quote

The phrase "if possible halve it" is ambiguous,<ref name="Knuth98"/>

if this applies when either of the numbers become even, the algorithm is the binary GCD algorithm;
if this only applies when both numbers are even, the algorithm is similar to the Euclidean algorithm.

ReferencesEdit

<references> <ref name="Stein">Template:Citation</ref>

<ref name="Knuth98">Template:Citation</ref>

<ref name="intel">{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

<ref name="lemire">{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

<ref name="rust disassembly">{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

<ref name="egcd-knuth">Template:Harvnb, answer to exercise 39 of section 4.5.2</ref>

<ref name="egcd-applied-crypto">Template:Cite book</ref>

<ref name="egcd-cohen">Template:Cite book</ref>

<ref name="gmplib">{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> <ref name="stehlé-zimmermann">Template:Citation.</ref> <ref name="bit-complexity">Template:Citation</ref> <ref name=brenta>Template:Cite conference</ref> <ref name=brentb>Template:Cite tech report</ref> <ref name="weilert">Template:Cite journal</ref> <ref name="eisenstein">Template:Cite conference</ref> <ref name="some-quadratic-rings">Template:Cite conference</ref> <ref name="UFD-quadratic-rings">Template:Cite conference</ref> <ref name="integer-rings">Template:Cite conference</ref> </references>

External linksEdit

NIST Dictionary of Algorithms and Data Structures: binary GCD algorithm
Cut-the-Knot: Binary Euclid's Algorithm at cut-the-knot
Analysis of the Binary Euclidean Algorithm (1976), a paper by Richard P. Brent, including a variant using left shifts

Template:Number theoretic algorithms