Binary GCD Like Algorithms for Some Complex Quadratic Rings

Saurabh Agarwal and Gudmund Skovbjerg Frandsen

BRICS, Department of Computer Science, University of Aarhus, IT-Parken, Åbogade 34, DK-8200, Aarhus N, Denmark. {saurabh, gudmund}@daimi.au.dk

Abstract. On the lines of the binary gcd for rational integers, algorithms for computing the gcd are presented for the ring of integers in $\mathbb{Q}(\sqrt{d})$ where $d \in \{-2, -7, -11, -19\}$. Thus a binary gcd like algorithm is presented for a unique factorization domain which is not Euclidean (case $d = -19$). Together with the earlier known binary gcd like algorithms for the ring of integers in $\mathbb{Q}(\sqrt{-1})$ and $\mathbb{Q}(\sqrt{-3})$, one now has binary gcd like algorithms for all complex quadratic Euclidean domains. The running time of our algorithms is $O(n^2)$ in each ring. While there exists an $O(n^2)$ algorithm for computing the gcd in quadratic number rings by Erich Kaltofen and Heinrich Rolletschek, it has large constants hidden under the big-oh notation and it is not practical for medium sized inputs. On the other hand our algorithms are quite fast and very simple to implement.

1 Introduction

Greatest common divisor is one of the most fundamental concepts of number theory. Elementary texts introduce gcd very early and also present an algorithm to compute it, the Euclid's algorithm. However, it is not possible to extend Euclid's algorithm to all number rings. The rings in which one can extend Euclid's algorithm are called Euclidean rings. A large amount of effort has been put in identifying Euclidean number rings. Franz Lemmermeyer's paper on Euclidean number rings [12] contains an almost complete list of all known Euclidean number rings.

In 1965 a different algorithm to compute gcd was presented by J. Stein [19]. Apart from being very simple to understand, this algorithm has the virtue of being efficiently implementable on a computer as the only operations used by the algorithm are addition, subtraction and division by 2. Since divisions by 2 can be performed by right shifts (on a computer), this algorithm essentially has no divisions at all. This algorithm is popularly known as the binary gcd algorithm. In this paper we present extensions of this algorithm to four complex quadratic rings.

BRICS: Basic Research in Computer Science (www.brics.dk), funded by the Danish National Research Foundation.

D.A. Buell (Ed.): ANTS 2004, LNCS 3076, pp. 57–71, 2004. © Springer-Verlag Berlin Heidelberg 2004

1.1 Overview of Results

We successfully generalize the binary gcd algorithm to compute the gcd in the ring of integers in $\mathbb{Q}(\sqrt{d})$ where $d \in \{-2, -7, -11, -19\}$. In each case the time complexity of the algorithm is $O(n^2)$ with small constants hidden under the big-oh notation. The only operations used in our algorithms are addition, subtraction and division by a small fixed number (2 or 3 or 5). One of the main results is an extension of the binary gcd algorithm to a unique factorization domain (ufd) which is not Euclidean (case $d = -19$). Our extension clearly indicates that the binary gcd like algorithms are not restricted to Euclidean rings.

1.2 Road Map

Section 2 contains some preliminaries. In Sect. 3, we review some other algorithms for computing the gcd. The main idea of our algorithm is presented in Sect. 4. In Sect. 5, the algorithms for computing the gcd in the ring of integers in $\mathbb{Q}(\sqrt{d})$ are presented where $d \in \{-2, -7, -11, -19\}$.

2 Preliminaries

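The definitions/facts in this section are found in most books on algebra and/or algebraic number theory (for example see [10,6,7]). Complex quadratic number fields are of the form $\mathcal{Q} = \mathbb{Q}(\sqrt{d})$ where $d$ is a negative square-free rational integer. Any $\alpha \in \mathcal{Q}$ is of the form $a + b\sqrt{d}$ where $a, b \in \mathbb{Q}$. For any $\alpha = a + b\sqrt{d}$, the norm of $\alpha$ is defined as $N(\alpha) = \alpha\bar{\alpha}$ where $\bar{\alpha} = a - b\sqrt{d}$ is the conjugate of $\alpha$. If $\mathcal{Z}$ denotes the ring of algebraic integers in $\mathcal{Q}$, then

$$\mathcal{Z} = \begin{cases} \mathbb{Z} + \mathbb{Z}\sqrt{d} & \text{if } d \equiv 2, 3 \pmod 4 \\ \mathbb{Z} + \mathbb{Z}\,\tfrac{1}{2}(-1 + \sqrt{d}) & \text{if } d \equiv 1 \pmod 4 \end{cases}$$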

There are nine complex quadratic rings which are also ufd. These are the ring of integers in $\mathbb{Q}(\sqrt{d})$ where $d \in \{-1, -2, -3, -7, -11, -19, -43, -67, -163\}$ [18]. From now on we will assume that $\mathcal{Z}$ is one of these nine rings. For all $\alpha \in \mathcal{Z}$, $N(\alpha)$ is a non-negative rational integer and $N(\alpha) = 0$ iff $\alpha = 0$. An element $u \in \mathcal{Z}$ is a unit iff $N(u) = 1$. Any two elements $\alpha, \beta \in \mathcal{Z}$ are called associates if $\alpha \mid \beta$ and $\beta \mid \alpha$. A non-zero non-unit element $\rho \in \mathcal{Z}$ is a prime if $(\rho \mid \alpha\beta) \Rightarrow (\rho \mid \alpha \text{ or } \rho \mid \beta)$. If $\rho \in \mathcal{Z}$ is a prime, then there exists a rational prime $p$ such that $N(\rho) = p$ or $p^2$. In the former case $\rho$ is not associate to any rational prime and in the latter case $\rho$ is an associate to $p$. The quotient ring $\mathcal{Z}/\rho\mathcal{Z}$ is a finite field with $N(\rho)$ elements. If $N(\rho) = p$ for some odd rational prime $p$, then $\left\{-\frac{p-1}{2}, \ldots, 0, \ldots, \frac{p-1}{2}\right\}$ forms a complete set of coset representatives for $\mathcal{Z}/\rho\mathcal{Z}$ and if $N(\rho) = 2$, then $\{0, 1\}$ forms a complete set of coset representatives for $\mathcal{Z}/\rho\mathcal{Z}$.

Let $\alpha, \beta \in \mathcal{Z}$ and $\alpha\beta \neq 0$. Then a non-zero element $g \in \mathcal{Z}$ is said to be a greatest common divisor (gcd) of $\alpha$ and $\beta$ if

a. $g \mid \alpha$ and $g \mid \beta$, and
b. for any $\gamma \in \mathcal{Z} \setminus \{0\}$, if $\gamma \mid \alpha$ and $\gamma \mid \beta$, then $\gamma \mid g$.

For any $\alpha \neq 0$, gcd of $\alpha$ and 0 is defined to be $\alpha$. In the literature, gcd of $\alpha$ and $\beta$ is denoted by $(\alpha, \beta)$ and we also use this notation. In general $(\alpha, \beta)$ is not unique. However if $g_1 = (\alpha, \beta)$ and $g_2 = (\alpha, \beta)$, then $g_1$ and $g_2$ are associates. It is customary to overload the '=' operator for gcd. Thus a statement like $(\alpha, \beta) = (\gamma, \eta)$ means that gcd of $\alpha, \beta$ and gcd of $\gamma, \eta$ are associates. The following facts about gcd are easily shown.

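Lemma 1. Let $\alpha, \beta \in \mathcal{Z}$ be arbitrary integers and $\rho \in \mathcal{Z}$ be any prime.

a. If $\rho \mid \alpha$ and $\rho \mid \beta$, then $(\alpha, \beta) = \rho\,(\alpha/\rho, \beta/\rho)$.
b. If $\rho \mid \alpha$ and $\rho \nmid \beta$, then $(\alpha, \beta) = (\alpha/\rho, \beta)$.
c. $(\alpha, \beta) = (\alpha + \lambda\beta, \beta)$ for all $\lambda \in \mathcal{Z}$.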

3 Related Work

The main aim of this section is to present some of the algorithms which can possibly be used or extended to compute the gcd in different number rings. There are many different known ways of computing the gcd and the list discussed in this section is not exhaustive. In the rest of this section the term 'ring' will always mean number ring.

3.1

The problem of computing the gcd is as old as number theory itself. Euclid gave an algorithm to compute the gcd of rational integers in 300 B.C. [9]. This algorithm is called the Euclidean Algorithm (ea). However ea cannot be extended to all rings. The rings in which one can extend ea are the Euclidean rings. A fairly complete list of all known Euclidean rings can be found in [12]. Let $R$ be any Euclidean ring. Then by definition of Euclidean ring, there exists $\varphi: R \to \mathbb{N} \cup \{0\}$ such that for any $a, b \in R$ there exist $q, r \in R$ such that $a = bq + r$ and $\varphi(r)$

3.2 Non-euclidean Algorithms

Erich Kaltofen and Heinrich Rolletschek [8] gave an $O(n^3)$ algorithm for computing the gcd in all complex quadratic ufds. They transform the problem of computing the gcd to that of computing a short vector in a suitable four dimensional integer lattice. They have also given an $O(n^2)$ algorithm to compute the gcd in any quadratic ring. This algorithm is based on a result which states that, given $\alpha$ and $\beta$ in some quadratic ring, one can always divide $l\alpha$ by $\beta$ and have a remainder with norm smaller than $N(\beta)$ where $l$ is a small rational integer. However the algorithm has large constants under the big-oh notation [8,21]. Henri Cohen has given a general algorithm for computing the extended gcd by reducing the problem to that of computing Hermite normal form of a suitable rational integer matrix [3]. However, he has not given the exact complexity of this algorithm in different rings.

The simplicity of the operations used in the binary gcd algorithm makes it the method of choice on real computers [2]. This algorithm has been generalized by André Weilert [21] to the ring of integers in $\mathbb{Q}(\sqrt{-1})$ and by Ivan Damgård and Gudmund Frandsen [5] to the ring of integers in $\mathbb{Q}(\sqrt{-3})$. In both the cases the running time of the algorithm is $O(n^2)$ with small constants hidden under the big-oh notation. There have been several variations and enhancements of the original binary gcd algorithm (see the notes at the end of chapter 4 in [2]).

Our approach is quite similar to that of Jonathan Sorenson's [17] k-ary algorithm. The main reason we look at the possibility of extending the binary gcd algorithm is its simplicity and its speed. While the approaches like controlled Euclidean descent are expected to be asymptotically faster, they are impractical for smaller inputs.

4 Binary GCD Like Algorithms in Number Rings

The binary gcd algorithm for $\mathbb{Z}$ is shown in Alg. 1. The algorithm is slightly modified to include negative integers. The algorithm is based on the following three facts:

a. If $2 \mid a$ and $2 \mid b$, then $(a, b) = 2\left(\frac{a}{2}, \frac{b}{2}\right)$.
b. If $2 \mid a$ and $2 \nmid b$, then $(a, b) = \left(\frac{a}{2}, b\right)$.
c. If $2 \nmid a$ and $2 \nmid b$, then $(a, b) = \left(\frac{a-b}{2}, b\right) = \left(\frac{a+b}{2}, b\right)$.

Thus given two non-zero odd $a, b \in \mathbb{Z}$ with $|a| \ge |b|$, one can find $c \in \mathbb{Z}$ in $O(\log |a|)$ time such that $|c| \le \frac{|a|}{2}$ and $(a, b) = (c, b)$. This fact forms the basis of the while loop in Alg. 1 and guarantees that the algorithm will terminate in at most $(\log |a||b| + 1)$ iterations of the while loop.

Algorithm 1 Binary Gcd algorithm for $\mathbb{Z}$ ($a$, $b$ are inputs)

1. Find $i, j \ge 0$ such that $2^i \mid a$, $2^{i+1} \nmid a$, $2^j \mid b$ and $2^{j+1} \nmid b$.
2. $a = a/2^i$, $b = b/2^j$
3. Assert that $|a| \ge |b|$. Swap $a$ and $b$ if needed.
4. while true
5.     if $|a - b| \le |a + b|$ then $c = a - b$
6.     else $c = a + b$
7.     if $c = 0$ then break
8.     Find $h \ge 1$ such that $2^h \mid c$ and $2^{h+1} \nmid c$.
9.     $c = c/2^h$
10.     if $|c| \ge |b|$ then $a = c$
11.     else $a = b$, $b = c$
12. return $2^{\min\{i,j\}} a$

This algorithm may not work for algebraic integers. This is because if $\alpha$ and $\beta$ are algebraic integers such that $2 \nmid \alpha$ and $2 \nmid \beta$ then 2 need not divide $\alpha + \beta$ or $\alpha - \beta$. Thus the argument for termination of the above algorithm fails for algebraic integers.

Our aim is to create an algorithm similar to Alg. 1 for complex quadratic rings. As a first step we will generalize the binary gcd algorithm to use rational primes other than 2. This generalization can be seen as a special case of Sorenson's k-ary algorithm [17]. Suppose we have $a, b \in \mathbb{Z}$ such that $a$ and $b$ are co-prime to an odd prime $p$, then $p \mid (a + lb)$ for some $l \in \mathbb{Z}_p$ where $\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$ is the finite field of residues modulo $p$. The set $\left\{-\frac{p-1}{2}, \ldots, 0, \ldots, \frac{p-1}{2}\right\}$ forms a complete set of coset representatives for $\mathbb{Z}_p$ and hence we can always choose $l$ such that $|l| \le \frac{p-1}{2}$. Therefore by using $p$ in place of 2 in Alg. 1, we have a $p$-ary algorithm for calculation of gcd in $\mathbb{Z}$ as shown in Alg. 2. In Alg. 2 assuming $|a| \ge |b|$, it takes $O(\log |a|)$ time to compute a suitable $c$ in steps 5 and 6. Thus we can replace $a$ with $c$ such that $(a, b) = (c, b)$ and $|c| \le \left(\frac{1}{2} + \frac{1}{2p}\right)|a|$ and the complexity of Alg. 2 is the same as the complexity of the binary gcd algorithm.

Algorithm 2 $p$-ary Gcd Algorithm for $\mathbb{Z}$ ($p \in \mathbb{Z}$ is a fixed odd prime and inputs are $a, b \in \mathbb{Z}$)

1. Find $i, j \ge 0$ such that $p^i \mid a$, $p^{i+1} \nmid a$, $p^j \mid b$ and $p^{j+1} \nmid b$.
2. $a = a/p^i$, $b = b/p^j$
3. Assert that $|a| \ge |b|$. Swap $a$ and $b$ if needed.
4. while true
5.     Find $l \in \left\{-\frac{p-1}{2}, \ldots, 0, \ldots, \frac{p-1}{2}\right\}$ such that $(a + lb) \equiv 0 \pmod p$
6.     $c = a + lb$
7.     if $c = 0$ then break
8.     Find $h \ge 1$ such that $p^h \mid c$ and $p^{h+1} \nmid c$.
9.     $c = c/p^h$
10.     if $|c| \ge |b|$ then $a = c$
11.     else $a = b$, $b = c$
12. return $p^{\min\{i,j\}} a$

Let $\mathcal{Z}$ be an imaginary quadratic number ring. If $\rho$ is a prime in $\mathcal{Z}$, then $\mathcal{F} = \mathcal{Z}/\rho\mathcal{Z}$ is a field. Thus if $\alpha$ and $\beta$ are any two integers co-prime to $\rho$, then there exists a $\lambda \in \mathcal{F}$ such that $\alpha + \lambda\beta$ is divisible by $\rho$. By Lemma 1 we know that $(\alpha, \beta) = (\alpha + \lambda\beta, \beta)$. Thus by replacing $\left\{-\frac{p-1}{2}, \ldots, 0, \ldots, \frac{p-1}{2}\right\}$ with $\mathcal{F}$ in step 5 of Alg. 2 one can construct an algorithm similar to Alg. 2 for computing the gcd in $\mathcal{Z}$. If $N(\alpha + \lambda\beta) \le f N(\rho\alpha)$ for some $f < 1$, then one can show that such an algorithm will terminate. However for a fixed choice of $\mathcal{F}$, it is not guaranteed that there will exist a $\lambda \in \mathcal{F}$ satisfying the above termination condition. For example consider the ring of integers in $\mathbb{Q}(\sqrt{-2})$. In this ring $\zeta = \sqrt{-2}$ is a prime of norm 2. If $\alpha$ and $\beta$ are any two integers in this ring and co-prime to $\zeta$, then $\alpha \pm \beta$ is divisible by $\zeta$. If $\gamma$ is the norm-wise smaller of $\{\alpha + \beta, \alpha - \beta\}$, then $N(\gamma) \le 2N(\alpha)$ (it follows using Lemma 2 which is mentioned later). Thus $N(\gamma/\zeta) \le N(\alpha)$ and the above argument for termination breaks down. However one can get around this problem in some imaginary quadratic rings as follows (one can get around the termination problem in this particular ring in another way which is mentioned in conclusion).

Suppose $p$ is a rational prime. Then either $p$ splits or ramifies or remains inert in a quadratic ring $\mathcal{Z}$. Suppose $p$ splits into $\rho$ and $\bar{\rho}$. In this situation $\rho$ and $\bar{\rho}$ are not associates and are co-prime to each other. Since $N(\rho) = N(\bar{\rho}) = p$, $\left\{-\frac{p-1}{2}, \ldots, 0, \ldots, \frac{p-1}{2}\right\}$ or $\{0, 1\}$ forms a complete set of coset representatives for both $\mathcal{Z}/\rho\mathcal{Z}$ and $\mathcal{Z}/\bar{\rho}\mathcal{Z}$ depending on if $p$ is odd or even. Now if $\alpha$ and $\beta$ are any two integers co-prime to both $\rho$ and $\bar{\rho}$, then we have two choices of $\lambda$ ($\lambda_1$ and $\lambda_2$ such that $\rho \mid (\alpha + \lambda_1\beta)$ and $\bar{\rho} \mid (\alpha + \lambda_2\beta)$). The idea is now to use both primes and then choose $\lambda$ which makes $\alpha + \lambda\beta$ small. However this trick is useful only when there is at most one choice of $\lambda \in \mathcal{F}$ which can result in $\alpha + \lambda\beta$ having a large norm. One can verify that this favorable situation occurs only when $N(\rho) \le 5$.
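Alg. 2 from this section as runnable code, added here as an illustration and not taken from the paper; the function name `p_ary_gcd` is this example's own. It departs from step 12 in one labelled place: when the loop exits with c = 0 it returns b rather than a, which gives the same value for p = 3 and stays correct for larger p.

```python
def p_ary_gcd(a, b, p=3):
    """Gcd of rational integers a, b following Alg. 2; p is a fixed odd prime."""
    if a == 0 or b == 0:
        return abs(a or b)           # (a, 0) is defined to be a

    def strip(n):
        """Return (n / p^e, e) where p^e divides n and p^(e+1) does not."""
        e = 0
        while n % p == 0:
            n, e = n // p, e + 1
        return n, e

    a, i = strip(a)                  # steps 1-2
    b, j = strip(b)
    if abs(a) < abs(b):              # step 3
        a, b = b, a
    while True:                      # step 4
        # Step 5: the l in {-(p-1)/2, ..., (p-1)/2} with a + l*b = 0 (mod p).
        # It exists and is non-zero because p divides neither a nor b.
        l = (-a * pow(b % p, -1, p)) % p
        if l > p // 2:
            l -= p
        c = a + l * b                # step 6
        if c == 0:                   # step 7
            break
        c, _ = strip(c)              # steps 8-9 (h >= 1 by the choice of l)
        if abs(c) >= abs(b):         # steps 10-11
            a = c
        else:
            a, b = b, c
    # Here a = -l*b, so b is the gcd of the stripped inputs. For p = 3 we have
    # |l| = 1 and |a| = |b|, the value step 12 returns. For p >= 5 the two can
    # differ: a = 2, b = 1, p = 5 gives l = -2 and c = 0 at once.
    return p ** min(i, j) * abs(b)


if __name__ == "__main__":
    # Constructed inputs: 3^5 * 14 and 3^2 * 35 share the factor 3^2 * 7.
    print(p_ary_gcd(3**5 * 14, 3**2 * 35, 3))
```
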

5 GCD Algorithms for Complex Quadratic Rings

In this section we materialize the ideas presented in the last section and construct algorithms for computing the gcd in the ring of integers in $\mathcal{Q} = \mathbb{Q}(\sqrt{d})$ where $d \in \{-2, -7, -11, -19\}$. These algorithms can be seen as an instance of the abstract algorithm shown in Alg. 3. The main difference from Alg. 2 is that we use a pair of conjugate primes instead of one fixed prime. Let $\rho$ and $\bar{\rho}$ be the primes used in Alg. 3. The equivalent of $c$ from Alg. 2 is $C(\alpha, \beta)$ and is denoted by $\gamma$. For different rings, $\rho$ and $C$ are different. In the rest of this section we will show how to choose $\rho$ and $C$ in different rings and prove the termination of the algorithm in each case. Note that if Alg. 3 terminates, it will terminate with correct answer if $(\alpha, \beta) = (C(\alpha, \beta), \beta)$. In all the rings, our choice of $C(\alpha, \beta)$ is $\alpha + l\beta$ for some rational integer $l$. Thus the correctness follows from Lemma 1. The following lemma will be the major tool in proving the termination results.

Algorithm 3 Gcd algorithm for $\mathcal{Z}$ (inputs are $\alpha$, $\beta$ and primes $\rho$, $\bar{\rho}$ are fixed)

1. Let $p_1 = \rho$, $p_2 = \bar{\rho}$
2. Find $i_1$, $i_2$, $j_1$ and $j_2$ such that $p_t^{i_t} \mid \alpha$, $p_t^{i_t+1} \nmid \alpha$, $p_t^{j_t} \mid \beta$ and $p_t^{j_t+1} \nmid \beta$ for $t = 1, 2$.
3. $\alpha = \alpha / (p_1^{i_1} p_2^{i_2})$, $\beta = \beta / (p_1^{j_1} p_2^{j_2})$
4. Assert that $N(\alpha) \ge N(\beta)$. Swap $\alpha$ and $\beta$ if needed.
5. While true
6.     $\gamma = C(\alpha, \beta)$
7.     if $\gamma = 0$ then break
8.     Find $(h_1, h_2)$ such that $p_t^{h_t} \mid \gamma$ and $p_t^{h_t+1} \nmid \gamma$ for $t = 1, 2$.
9.     $\eta = \gamma / (p_1^{h_1} p_2^{h_2})$
10.     if $N(\eta) \ge N(\beta)$ then $\alpha = \eta$
11.     else $\alpha = \beta$, $\beta = \eta$
12. return $p_1^{\min\{i_1,j_1\}} p_2^{\min\{i_2,j_2\}} \alpha$

Lemma 2. Let $\mathcal{Z}$ be an imaginary quadratic ring. Let $\alpha, \beta \in \mathcal{Z}$ and $l, m \in \mathbb{Z}$. If $N(\alpha) \ge N(\beta)$, then

a. $N(l\alpha + m\beta) \le (|l| + |m|)^2 N(\alpha)$,
b. $\min\{N(l\alpha + m\beta), N(l\alpha - m\beta)\} \le (l^2 + m^2) N(\alpha)$.

Proof. We note that for any integer $\alpha$, $N(\alpha)$ is the same as the complex norm of $\alpha$ when $\alpha$ is viewed as a complex number. Proof of above statements now follows by elementary properties of complex norm.

For $d \in \{-2, -7, -11\}$, we show that $N(\eta) \le f N(\alpha)$ for some $f < 1$ and the termination of the algorithm is trivial. For $d = -19$, we show that in at most two iterations of the while loop, the product $N(\alpha)N(\beta)$ will decrease by a factor $f > 1$ and hence the algorithm will terminate. The time complexity of Alg. 3 is the same in all rings and we discuss this in Sect. 5.5. In the rest of this section we will compare algebraic integers with respect to the norm. Thus whenever we say that $\alpha < \beta$, it means that $N(\alpha)$

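Lemma 3. Let $\alpha, \beta \in \mathcal{Z}$ be the algebraic integers at the start of the while loop in Alg. 3 with $\{\rho, \bar{\rho}\} = \{\omega, \bar{\omega}\}$ and $C(\alpha, \beta)$ as described above. If $C(\alpha, \beta) \neq \min\{\alpha + 2\beta, \alpha - 2\beta\}$, then after one iteration of the while loop, the quantity $N(\alpha)N(\beta)$ decreases by a factor of at least $\frac{5}{4}$.

Proof. Without loss of generality assume that $N(\alpha) \ge N(\beta)$ and $\min\{\alpha + 2\beta, \alpha - 2\beta\} = \alpha - 2\beta$. If $\gamma = C(\alpha, \beta) \neq \min\{\alpha + 2\beta, \alpha - 2\beta\}$, then either $\gamma = \alpha \pm \beta$ or $\gamma = \alpha + 2\beta$.

Suppose $\gamma = \alpha \pm \beta$. Then from Lemma 2, $N(\gamma) \le (1 + 1)^2 N(\alpha) \le 4N(\alpha)$. By the description of $\gamma = C(\alpha, \beta)$, note that $\gamma$ is divisible by $\omega$ or $\bar{\omega}$. Thus $\eta = \frac{\gamma}{\omega^i \bar{\omega}^j}$ where $i$ and $j$ are non-negative rational integers with $i + j \ge 1$. As $i + j \ge 1$, $N(\omega^i \bar{\omega}^j) \ge 5$ and hence,

$$N(\eta) \le \frac{N(\gamma)}{N(\omega^i \bar{\omega}^j)} \le \frac{N(\gamma)}{5} \le \frac{4}{5} N(\alpha).$$

Since $\eta$ will replace $\alpha$, $N(\alpha)N(\beta)$ will decrease by a factor of at least $\frac{5}{4}$ in this case.

Now suppose $\gamma = \alpha + 2\beta$. Again using Lemma 2, $N(\gamma) \le (1 + 2)^2 N(\alpha) \le 9N(\alpha)$. From the description of $C(\alpha, \beta)$, note that $\omega\bar{\omega} \mid \gamma$. Thus $\eta = \frac{\gamma}{\omega^i \bar{\omega}^j}$ for some rational integers $i, j \ge 1$. Thus,

$$N(\eta) \le \frac{N(\gamma)}{N(\omega^i \bar{\omega}^j)} \le \frac{N(\gamma)}{25} \le \frac{9}{25} N(\alpha).$$

Hence the product of norms will decrease by a factor of at least $\frac{25}{9} > \frac{5}{4}$ in this case.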

Lemma 4. Let $\alpha, \beta \in \mathcal{Z}$ be the algebraic integers at the start of the while loop in Alg. 3 with $\{\rho, \bar{\rho}\} = \{\omega, \bar{\omega}\}$ and $C(\alpha, \beta)$ as described above. If $C(\alpha, \beta) = \min\{\alpha + 2\beta, \alpha - 2\beta\}$, then $N(\alpha)N(\beta)$ never increases and either after one iteration or after two iterations of the while loop, the quantity $N(\alpha)N(\beta)$ decreases by a factor of at least 1.16.

Proof. From the description of $C(\alpha, \beta)$ we know that $\gamma = C(\alpha, \beta)$ is divisible by $\omega$ or $\bar{\omega}$. If $\gamma$ is divisible by both $\omega$ and $\bar{\omega}$, or $\gamma$ is divisible by $\zeta^i$ where $\zeta = \omega$ or $\zeta = \bar{\omega}$ and $i \ge 2$, then on the lines of proof of Lemma 3, it follows that the product of norms will decrease by a factor of at least 5. Thus we need to consider only the case where $\gamma$ is divisible by either $\omega$ or $\bar{\omega}$ and exactly once. Let $\gamma$ be divisible by $\zeta$ where $\zeta = \omega$ or $\bar{\omega}$.

A complex quadratic integer can also be viewed as a point on the complex plane. On the complex plane, $N(\alpha)$ is same as the square of distance of $\alpha$ from origin, i.e., $N(\alpha) = |\alpha|^2$. It is an elementary result in geometry that

$$|\alpha + 2\beta|^2 = |\alpha|^2 + |2\beta|^2 + 2|\alpha||2\beta|\cos\theta \quad \text{and} \quad |\alpha - 2\beta|^2 = |\alpha|^2 + |2\beta|^2 - 2|\alpha||2\beta|\cos\theta$$

where $\theta$ is the angle between $\alpha$ and $\beta$. Without loss of generality we assume that $0 \le \theta \le \frac{\pi}{2}$. Then $N(\alpha - 2\beta) \le N(\alpha + 2\beta)$ and the algorithm will choose $\gamma = \alpha - 2\beta$. Also assume that $|\alpha| \ge |\beta|$. Thus $|\alpha| = k|\beta|$ where $k \in \mathbb{R}$ and $k \ge 1$. Thus $N(\alpha) = k^2 N(\beta) \ge N(\beta)$ and hence

$$N(\gamma) = |\alpha - 2\beta|^2 = (k^2 + 4 - 4k\cos\theta)|\beta|^2.$$

As $\eta = \gamma/\zeta$,

$$N(\eta) = \frac{N(\gamma)}{N(\zeta)} = \frac{k^2 + 4 - 4k\cos\theta}{5}|\beta|^2.$$

Since the algorithm will replace $\alpha$ by $\eta$, the product of norms will change by a factor $f$, where

$$f = \frac{N(\eta)}{N(\alpha)} = \frac{N(\eta)}{k^2 N(\beta)} = \frac{1}{5} + \frac{4}{5k^2} - \frac{4\cos\theta}{5k}. \qquad (5.1)$$

As $k \ge 1$ and $0 \le \theta \le \frac{\pi}{2}$, $f \le 1$ and hence the algorithm will not increase the product of norms by replacing $\alpha$ by $\eta$. However, as $f$ can get arbitrarily close to 1, we are not assured that there will be substantial decrease in the product of norms. However intuitively we can see that if $\theta$ is away from $\frac{\pi}{2}$, then $f$ will be small. The idea of the proof is to show that when $\theta \approx \frac{\pi}{2}$, then the angle between $\eta$ and $\beta$ is away from $\frac{\pi}{2}$. Thus while there may not be substantial decrease in the product of norms in this iteration, there will be enough decrease in the next iteration.

Concretely, we now show that the product of norms will decrease by a factor of 1.16 as long as $k \ge 1.1$ or $\theta \le 0.444\pi$. Then we show that if $1 \le k < 1.1$ and $0.444\pi < \theta \le \frac{\pi}{2}$, then the acute angle between $\eta$ and $\beta$ (if the angle between $\eta$ and $\beta$ is obtuse then angle between $\eta$ and $-\beta$ is acute) is less than $0.444\pi$. Thus in the next iteration either by Lemma 3 or by the arguments in the previous lines, the product of norms will decrease by a factor of at least 1.16.

Case 1: Suppose that $k \ge 1.1$. Then from (5.1)

$$f \le \frac{1}{5} + \frac{4}{5 \cdot 1.21} < 0.862.$$

On the other hand, if $\theta \le 0.444\pi$, then $\cos\theta > 0.175$ and hence from (5.1),

$$f < \frac{1}{5} + \frac{4}{5k^2} - \frac{4}{5k}(0.175).$$

The expression on right takes maximum value at $k = 1$ (in the range $1 \le k < \infty$ as $k < 1$ is not possible). Evaluating, $f < 0.86$. Thus whenever $k \ge 1.1$ or $0 \le \theta \le 0.444\pi$, the product of norms will decrease by a factor of at least $\frac{1}{0.862} > 1.16$.

Case 2: Now let $0.444\pi < \theta \le \frac{\pi}{2}$ and $1 \le k < 1.1$. Since $k < 1.1$, $|\alpha| = k|\beta| < |2\beta|$. The situation is something like as shown in Fig. 1. In the figure, the dashed cone indicates the region in which all integers making an angle (acute) greater than $0.444\pi$ with $\pm\beta$ can lie.

On the complex plane, $\omega = \frac{-1 + \sqrt{-19}}{2} = \sqrt{5}\,e^{\iota\omega_\theta}$ and $\bar{\omega} = \frac{-1 - \sqrt{-19}}{2} = \sqrt{5}\,e^{-\iota\omega_\theta}$, where $\omega_\theta = \pi - \tan^{-1}\sqrt{19}$. Thus after dividing $\gamma$ by $\omega$ or $\bar{\omega}$ we get $\eta$, which is $\gamma$ reduced in length by $\sqrt{5}$ and rotated by angle $\pm\omega_\theta$. Now we wish to show that $\eta$ is outside the dashed cone.

Fig. 1. A typical situation when $1 \le k < 1.1$ and $0.444\pi < \theta \le \frac{\pi}{2}$. The dashed conical region contains points which can make an acute angle greater than $0.444\pi$ with $\pm\beta$. $\alpha$ lies in this cone and inside the dotted region which is got by placing requirement $|\beta| \le |\alpha| < 1.1|\beta|$. Once $\gamma = C(\alpha, \beta) = \alpha - 2\beta$ is divided by $\omega$ or $\bar{\omega}$, the resulting point gets reduced in length by $\sqrt{5}$ and rotated by $\pm\omega_\theta$ where $\omega_\theta = \pi - \tan^{-1}\sqrt{19}$. The lengths of line segment $\gamma D$ and $(-2\beta)D$ are $|\alpha|\sin\theta$ and $|\alpha|\cos\theta$ respectively, which are got by completing the parallelogram $O\alpha\gamma(-2\beta)$.

To show that $\eta$ lies outside the dashed cone, we have to find out the extremal values of $\theta_d$ subject to $1 \le k < 1.1$ and $0.444\pi < \theta \le \frac{\pi}{2}$. From the figure,

$$\tan\theta_d = \frac{|\alpha|\sin\theta}{2|\beta| - |\alpha|\cos\theta} = \frac{k\sin\theta}{2 - k\cos\theta}.$$

Since $k\cos\theta < 2$, $\theta_d$ is always acute. Analytically or graphically one can verify that in the region under consideration $\theta_d$ attains its maximum value at $k = 1.1$ and $\theta = 0.444\pi$ and attains its minimum value at $k = 1$ and $\theta = \frac{\pi}{2}$. Evaluating we get, $\theta_{d_{\min}} = \tan^{-1}\frac{1}{2} > 0.147\pi$ and $\theta_{d_{\max}} = \tan^{-1}\frac{1.1\sin(0.444\pi)}{2 - 1.1\cos(0.444\pi)} < 0.172\pi$. Thus we have,

$$0.147\pi < \theta_d < 0.172\pi.$$

Let $\varphi$ be the angle between $\eta$ and $\beta$. If it lies inside the dashed cone, then we should have $0.444\pi < \varphi < 0.556\pi$ or $-0.556\pi < \varphi < -0.444\pi$. As mentioned already, after division by $\omega$ or $\bar{\omega}$, $\gamma$ will be rotated by $\pm\omega_\theta = \pm(\pi - \tan^{-1}\sqrt{19})$. By direct computation, $0.571\pi < \omega_\theta < 0.572\pi$. Now suppose that $\gamma$ is rotated by $\omega_\theta$. Then using above extremal values of $\theta_d$ and $\omega_\theta$ one sees that $0.718\pi < \varphi < 0.744\pi$. Thus in this case $\eta$ cannot lie in the cone. Similarly if $\gamma$ is rotated by $-\omega_\theta$, then $-0.425\pi < \varphi < -0.399\pi$. Thus again $\eta$ cannot lie in the cone. Thus in two iterations the product of norms will decrease by a factor of 1.16.

We wish to note here that by a similar reasoning one can verify that if $\vartheta = (\alpha + 2\beta)/\zeta$ where $\zeta = \omega$ or $\zeta = \bar{\omega}$, then $\vartheta$ also lies outside the forbidden cone. While this is not crucial to the proof, it becomes crucial later when we use approximate norms.

5.2 GCD Algorithm for $\mathcal{Z} = \mathbb{Z}\left[\frac{1}{2}(-1 + \sqrt{-11})\right]$

The integers in this ring are of form $\alpha = a + b\omega$ where $\omega = \frac{-1 + \sqrt{-11}}{2}$ and $a, b \in \mathbb{Z}$. Here $\omega$ and $\bar{\omega}$ are non-associate primes of norm 3. Since there are no integers of norm 2 in this ring, $\omega$ and $\bar{\omega}$ are the smallest non-rational primes. As $\{-1, 0, 1\}$ forms a complete set of coset representatives for $\mathcal{Z}/\omega\mathcal{Z}$ and $\mathcal{Z}/\bar{\omega}\mathcal{Z}$, if $\alpha, \beta \in \mathcal{Z}$ are co-prime to both $\omega$ and $\bar{\omega}$, then $\omega$ divides one of $\{\alpha + \beta, \alpha - \beta\}$ and $\bar{\omega}$ divides one of $\{\alpha + \beta, \alpha - \beta\}$. Based on this observation, we construct a gcd algorithm in this ring by taking $\{\rho, \bar{\rho}\} = \{\omega, \bar{\omega}\}$ and defining $C(\alpha, \beta)$ as follows. Let $\lambda = \min\{\alpha + \beta, \alpha - \beta\}$ and $\Lambda = \max\{\alpha + \beta, \alpha - \beta\}$. If $\lambda$ is divisible by either $\omega$ or $\bar{\omega}$, we pick $\lambda$. Else we pick $\Lambda$ and we now know that $\Lambda$ is divisible by both $\omega$ and $\bar{\omega}$. The following lemma shows that the product of norms decreases by a factor of at least $\frac{3}{2}$ in each iteration of the while loop and hence the algorithm will terminate in at most $(\log_{\frac{3}{2}} N(\alpha\beta) + 1)$ iterations of the while loop.

Lemma 5. Let $\alpha, \beta \in \mathcal{Z}$ be the algebraic integers at the start of the while loop in Alg. 3 with $\{\rho, \bar{\rho}\} = \{\omega, \bar{\omega}\}$ and taking $C(\alpha, \beta)$ as described above. Then in each iteration of the while loop, the quantity $N(\alpha)N(\beta)$ decreases by a factor of at least $\frac{3}{2}$.

Proof is similar to the proof of Lemma 3.

5.3 GCD Algorithm for $\mathcal{Z} = \mathbb{Z}\left[\frac{1}{2}(-1 + \sqrt{-7})\right]$

The integers in this ring are of form $\alpha = a + b\omega$ where $\omega = \frac{-1 + \sqrt{-7}}{2}$ and $a, b \in \mathbb{Z}$. Here $\omega$ and $\bar{\omega}$ are non-associate primes of norm 2. If $\alpha, \beta \in \mathcal{Z}$ are co-prime to both $\omega$ and $\bar{\omega}$, then $\omega\bar{\omega} \mid (\alpha + \beta)$ and $\omega\bar{\omega} \mid (\alpha - \beta)$. Based on this observation, we choose $\{\rho, \bar{\rho}\} = \{\omega, \bar{\omega}\}$ and $C(\alpha, \beta) = \min\{\alpha + \beta, \alpha - \beta\}$ for Alg. 3 for this ring. Next lemma shows that the product of norms decreases by a factor of 2 in each iteration of the while loop and hence the algorithm will terminate in at most $(\log N(\alpha\beta) + 1)$ iterations of the while loop.

Lemma 6. Let $\alpha, \beta \in \mathcal{Z}$ be the algebraic integers at the start of the while loop in Alg. 3 with $\{\rho, \bar{\rho}\} = \{\omega, \bar{\omega}\}$ and $C(\alpha, \beta) = \min\{\alpha + \beta, \alpha - \beta\}$. Then in each iteration of the while loop, the quantity $N(\alpha)N(\beta)$ decreases by a factor of at least 2.

Proof is similar to the proof of Lemma 3.

5.4 GCD Algorithm for $\mathcal{Z} = \mathbb{Z}\left[\sqrt{-2}\right]$

The integers in this ring are of form $\alpha = a + b\sqrt{-2}$ where $a, b \in \mathbb{Z}$. In this ring $\rho = 1 + \sqrt{-2}$ and $\bar{\rho} = 1 - \sqrt{-2}$ are non-associate primes of norm 3. The gcd algorithm in this ring is Alg. 3 with choices of $\rho$ and $\bar{\rho}$ as above, and $C(\alpha, \beta)$ is the same as in the case of $d = -11$. The fact that the algorithm terminates also follows from a lemma similar to Lemma 5.
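Alg. 3 instantiated for d = −7, −11 and −2 with the choices of ρ and C given in Sects. 5.2 to 5.4, as an added example that is not code from the paper. The pair representation and the names `Ring`, `RINGS`, `exact_div`, `strip`, `choose_c` and `quadratic_gcd` are this example's own; d = −19 is left out because the definition of C for that ring does not appear in the text above.

```python
from collections import namedtuple

# An element x + y*theta is the pair (x, y), where theta^2 = t*theta - n:
#   d = -7, -11: theta = omega = (-1 + sqrt(d))/2, t = -1, n = (1 - d)/4
#   d = -2:      theta = sqrt(-2),                 t = 0,  n = 2
# rho is the fixed prime of Alg. 3; the second prime is its conjugate.
Ring = namedtuple("Ring", "t n rho")
RINGS = {
    -7: Ring(-1, 2, (0, 1)),     # rho = omega, norm 2
    -11: Ring(-1, 3, (0, 1)),    # rho = omega, norm 3
    -2: Ring(0, 2, (1, 1)),      # rho = 1 + sqrt(-2), norm 3
}

def norm(R, a):
    x, y = a
    return x * x + R.t * x * y + R.n * y * y

def conj(R, a):
    x, y = a
    return (x + R.t * y, -y)

def mul(R, a, b):
    (x, y), (u, v) = a, b
    return (x * u - R.n * y * v, x * v + y * u + R.t * y * v)

def exact_div(R, a, b):
    """a / b if b divides a in the ring, else None (b must be non-zero)."""
    x, y = mul(R, a, conj(R, b))
    m = norm(R, b)
    return None if x % m or y % m else (x // m, y // m)

def strip(R, a, p):
    """Divide the non-zero element a by the prime p as often as possible."""
    e = 0
    while (q := exact_div(R, a, p)) is not None:
        a, e = q, e + 1
    return a, e

def choose_c(R, a, b, primes):
    """C(alpha, beta): the norm-smaller of alpha +/- beta if rho or its
    conjugate divides it, else the norm-larger one. For d = -7 both primes
    divide both candidates, so this reduces to min{alpha+beta, alpha-beta}."""
    plus = (a[0] + b[0], a[1] + b[1])
    minus = (a[0] - b[0], a[1] - b[1])
    lo, hi = sorted((plus, minus), key=lambda z: norm(R, z))
    if any(exact_div(R, lo, p) is not None for p in primes):
        return lo
    return hi

def quadratic_gcd(d, alpha, beta):
    """A gcd of alpha and beta (unique up to sign) by Alg. 3."""
    R = RINGS[d]
    primes = (R.rho, conj(R, R.rho))
    if alpha == (0, 0) or beta == (0, 0):
        return beta if alpha == (0, 0) else alpha
    common = []                                  # steps 1-3
    for p in primes:
        alpha, i = strip(R, alpha, p)
        beta, j = strip(R, beta, p)
        common.append(min(i, j))
    if norm(R, alpha) < norm(R, beta):           # step 4
        alpha, beta = beta, alpha
    while True:                                  # steps 5-11
        gamma = choose_c(R, alpha, beta, primes)
        if gamma == (0, 0):                      # alpha = +/- beta
            break
        for p in primes:
            gamma, _ = strip(R, gamma, p)
        if norm(R, gamma) >= norm(R, beta):
            alpha = gamma
        else:
            alpha, beta = beta, gamma
    for p, e in zip(primes, common):             # step 12
        for _ in range(e):
            alpha = mul(R, alpha, p)
    return alpha

if __name__ == "__main__":
    # Constructed input for d = -7: (3 + 2w)(5 + w) and (3 + 2w)(1 + 2w).
    print(quadratic_gcd(-7, (11, 11), (-5, 4)))
```
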

5.5 Runtime

Let $s(x)$ denote number of bits required to represent $x$. Let $\alpha = a + b\omega$ (where $\omega = \frac{-1 + \sqrt{d}}{2}$ for $d \in \{-7, -11, -19\}$ and $\omega = \sqrt{-2}$ for $d = -2$). For any given ring $\omega$ is constant. Hence we represent input as a pair $(a, b)$ where $a, b \in \mathbb{Z}$. Let $\alpha = a + b\omega$ and $\beta = c + d\omega$ be inputs to Alg. 3. If $2^{n-1} \le \max\{|a|, |b|, |c|, |d|\} < 2^n$, then $s(\alpha) \le 2n + O(1)$ and $s(\beta) \le 2n + O(1)$. The main focus of this section is to show that the time complexity of Alg. 3 is $O(n^2)$ in all the rings, with small constants hidden under the big-oh notation. The following lemma is easily shown.

Lemma 7. If $\alpha \in \mathcal{Z}$, then $s(\alpha) \le s(N(\alpha)) \le 2s(\alpha) + O(1)$.

First consider the steps 2-3 of Alg. 3. Divisions are by a fixed prime and easily performed. For $d \in \{-7, -11, -19\}$, $\frac{\alpha}{\omega} = b - \frac{a}{p} - \frac{a}{p}\omega$ and $\frac{\alpha}{\bar{\omega}} = -b + \frac{a - b}{p}\omega$ where $p = N(\omega) = 2$ or 3 or 5 in the respective ring. For $d = -2$, $\frac{\alpha}{1 + \sqrt{-2}} = \frac{a + 2b}{3} + \frac{b - a}{3}\sqrt{-2}$ and $\frac{\alpha}{1 - \sqrt{-2}} = \frac{a - 2b}{3} + \frac{b + a}{3}\sqrt{-2}$. Thus each single division step takes at most $O(n)$ time. Since every single division decreases the product of norms of $\alpha$ and $\beta$ by a factor of $p$ (where $p = 2$ or 3 or 5), if a total of $\tau$ divisions are performed, then using Lemma 7 it follows that $\tau = O(n)$. Thus steps 2-3 take at most $O(n^2)$ time. As the while loop contains norm computations, the complexity of step 4 can be ignored. The following lemma will be useful before we consider the while loop in Alg. 3.

Lemma 8. Let $\alpha, \beta \in \mathcal{Z}$ be the algebraic integers at the start of the while loop in Alg. 3. Then the algorithm halts in at most $k \cdot (s(\alpha) + s(\beta)) + O(1)$ iterations of the while loop for some positive real number $k$.

Proof. Let $\mathcal{Z} = \mathbb{Z}\left[\frac{1}{2}(-1 + \sqrt{-7})\right]$. Then from Lemma 3 we know that in each iteration of the while loop the quantity $N(\alpha\beta)$ decreases by a factor of 2. Thus the algorithm will halt in at most $(\log N(\alpha\beta) + 1)$ iterations of the while loop. But,

$$\log N(\alpha\beta) + 1 \le s(N(\alpha)) + s(N(\beta)) + 1 \le 2(s(\alpha) + s(\beta)) + O(1).$$

Similarly we can show this in every ring. The exact values of constant k are shown in the fourth column of Table 1.

From Lemma 8 it follows that the number of iterations of the while loop in the Alg. 3 are $O(n)$ for every ring. In each iteration of the while loop the operations performed are addition, subtraction, division by 2 or 3 or 5 and computation of norm. Addition and subtraction can be done in $O(n)$ time. A single divisibility test and a single division step can also be done in $O(n)$ time. There are now two issues. First, the number of divisions performed in each iteration and second, the computation of norm. Let us assume that there are $t_i$ divisions in the $i$th iteration and the norm can be computed in $T(n)$ time. Since there are $O(n)$ iterations of the while loop, the combined time complexity of all the iterations of the while loop is $O(n(n + T(n) + \Sigma_i t_i))$.

We will now estimate $\Sigma_i t_i$. We know that product of norms will decrease by a factor of at least $p^{t_i - 2}$ in each iteration where $p = 2$ or 3 or 5. Hence $\prod_i p^{t_i - 2} \le N(\alpha)N(\beta)$. Since there are only $O(n)$ number of iterations, $\prod_i p^{t_i} \le p^{O(n)} N(\alpha\beta)$ and hence $\Sigma_i t_i = O(n)$. Thus the combined time complexity of all the iterations of the while loop is $O(n^2 + nT(n))$. Since startup to while loop takes $O(n^2)$ time, the time complexity of Alg. 3 is $O(n^2 + nT(n))$.

Let us now concentrate on $T(n)$. Norm computation involves a fixed number of multiplications and additions. Hence $T(n)$ is of the order of multiplication of two $n$ bit numbers. However it is not necessary to compute the norm exactly. The algorithm uses the norm to compare integers. When norms are very close, it does not make much difference which one the algorithm picks. If the algorithm uses approximate norms to compare integers, then it may have to do more iterations to get the gcd, but the number of iterations still remain $O(n)$. For details we refer to the earlier known binary gcd like algorithms for ring of integers in $\mathbb{Q}(\sqrt{-1})$ [21] and $\mathbb{Q}(\sqrt{-3})$ [5]. The approximate norm can be computed in $O(n)$ time [5] and hence the complexity of Alg. 3 becomes $O(n^2)$.

The fact that the approximate norm will terminate the algorithm is quite easy to show for the cases $d \in \{-2, -7, -11\}$. For $d = -19$ one needs the fact mentioned at the end of the proof of Lemma 4. The effect of approximation on the number of iterations of the while loop in Alg. 3 is shown in Table 1. In Table 1, the second column is the factor by which the product of norms would decrease if we computed the norm accurately. The third column lists the factor by which product of norms would decrease if we compute an approximate norm along the lines of lemma 1 in [5] by using only 16 most significant bits in multiplications. The number of iterations performed is quantified by the constant $k$ of Lemma 8. The fourth column lists the value of this constant when the norm is computed accurately. The revised values of this constant with approximate norm are listed in the last column. As a conclusion to this section we have the following theorem.

Theorem 1. The running time of Alg. 3 is $O(n^2)$ where $n$ is the number of bits in the representation of input and where norm is computed approximately.

Table 1.

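| Ring | $f$ (exact norm) | $f$ (approximate norm) | $k$ (exact norm) | $k$ (approximate norm) |
|---|---|---|---|---|
| $\mathbb{Z}\left[\sqrt{-2}\right]$ | 1.5 | 1.49 | 3.42 | 3.48 |
| $\mathbb{Z}\left[\frac{1}{2}(-1 + \sqrt{-7})\right]$ | 2 | 1.99 | 2 | 2.02 |
| $\mathbb{Z}\left[\frac{1}{2}(-1 + \sqrt{-11})\right]$ | 1.5 | 1.49 | 3.42 | 3.48 |
| $\mathbb{Z}\left[\frac{1}{2}(-1 + \sqrt{-19})\right]$ | 1.16 | 1.15 | 18.7 | 19.84 |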

6 Conclusion

We have presented binary gcd like algorithms for computing the gcd for four complex quadratic rings. The main contribution of the paper is that this approach can be made to work for unique factorization domains which are not Euclidean. Our algorithms are quite simple to implement and are practical in use. It is an open question if it is possible to extend these algorithms to the remaining three imaginary quadratic unique factorization domains.

The two step analysis used for $\mathbb{Z}\left[\frac{1}{2}(-1 + \sqrt{-19})\right]$ is not restricted to conjugate primes. Using similar analysis one can show that algorithms similar to Alg. 3 can be constructed for $\mathbb{Z}\left[\sqrt{-2}\right]$ using the prime $\sqrt{-2}$ and for $\mathbb{Z}\left[\frac{1}{2}(-1 + \sqrt{-3})\right]$ using the prime 2. More details are available in [1].

References

1. Saurabh Agarwal. Binary gcd like algorithms in some number rings. Department of Computer Science, University of Aarhus, 2004.
2. Eric Bach and Jeffrey Shallit. Algorithmic number theory. Vol. 1. Foundations of Computing Series. MIT Press, Cambridge, MA, 1996. Efficient algorithms.
3. Henri Cohen. Hermite and Smith normal form algorithms over Dedekind domains. Math. Comp., 65(216):1681–1699, 1996.
4. George E. Collins. A fast Euclidean algorithm for Gaussian integers. J. Symbolic Comput., 33(4):385–392, 2002.
5. Ivan Bjerre Damgård and Gudmund Skovbjerg Frandsen. Efficient algorithms for gcd and cubic residuosity in the ring of Eisenstein integers. In Fundamentals of Computation Theory—FCT 2003 (Malmö, August 2003), volume 2751 of Lecture Notes in Comput. Sci., pages 109–117. Springer, Berlin, 2003.
6. Thomas W. Hungerford. Algebra, volume 73 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1980. Reprint of the 1974 original.
7. Kenneth Ireland and Michael Rosen. A classical introduction to modern number theory, volume 84 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1990.
8. Erich Kaltofen and Heinrich Rolletschek. Computing greatest common divisors and factorizations in quadratic number fields. Math. Comp., 53(188):697–720, 1989.
9. Donald E. Knuth. The art of computer programming. Vol. 2. Addison-Wesley Publishing Co., Reading, Mass., second edition, 1981. Seminumerical algorithms.
10. Serge Lang. Algebra. Addison-Wesley Publishing Company, third edition, 1993.
11. D. H. Lehmer. Euclid's algorithm for large numbers. 45:227–233, 1938.
12. Franz Lemmermeyer. The Euclidean algorithm in algebraic number fields. Exposition. Math., 13(5):385–416, 1995. An updated version is available at the webpage, http://www.rzuser.uni-heidelberg.de/~hb3/prep.html.
13. H. W. Lenstra, Jr. Euclid's algorithm in cyclotomic fields. J. London Math. Soc. (2), 10(4):457–465, 1975.
14. Heinrich Rolletschek. On the number of divisions of the Euclidean algorithm applied to Gaussian integers. J. Symbolic Comput., 2(3):261–291, 1986.
15. Renate Scheidler and Hugh C. Williams. A public-key cryptosystem utilizing cyclotomic fields. Des. Codes Cryptogr., 6(2):117–131, 1995.
16. A. Schönhage. Schnelle Berechnung von Kettenbruchentwicklungen. Acta Informatica, 1:139–144, 1971.
17. Jonathan Sorenson. Two fast GCD algorithms. J. Algorithms, 16(1):110–144, 1994.
18. H. M. Stark. A complete determination of the complex quadratic fields of class-number one. Michigan Math. J., 14:1–27, 1967.
19. J. Stein. Computational problems associated with Racah algebra. J. Comput. Phys., (1):397–405, 1967.
20. André Weilert. Effiziente Algorithmen zur Berechnung von Idealsummen in Quadratischen Ordnungen. Dissertation, Universitaet Bonn, 2000.
21. André Weilert. (1 + i)-ary GCD computation in Z[i] as an analogue to the binary GCD algorithm. J. Symbolic Comput., 30(5):605–617, 2000.
22. André Weilert. Asymptotically fast GCD computation in Z[i]. In Algorithmic number theory (Leiden, 2000), volume 1838 of Lecture Notes in Comput. Sci., pages 595–613. Springer, Berlin, 2000.