Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Bézout's identity says that for any two integers , there exist integers with . That sentence has more cryptographic consequences than almost anything else in this course: it's how you compute modular inverses (set , then is ), how you solve linear Diophantine equations, how RSA recovers the private exponent from and , and how the Chinese remainder theorem stitches residues together. The extended Euclidean algorithm is the constructive proof — it doesn't just show exist, it produces them in the same number of steps as plain gcd. Building this is the project for the module, so spend time here.
Bézout's identity: for any (not both zero) there exist with . The extended Euclidean algorithm computes alongside the gcd by maintaining the invariant for the running remainder at each step. Concretely, if at step we have , then .
xgcd(1071, 462) and verify by direct multiplication that . Then compute by hand on paper — back-substitute through the Euclidean steps from the previous task.xgcd(240, 46). You should get , with some satisfying . Verify the equation holds.Use these three in order. Each builds on the one before.
In one paragraph, state Bézout's identity in plain English and give a concrete example with small numbers (say $a=12, b=8$). Why is it surprising that you can always write the gcd as an integer combination of $a$ and $b$?
Walk me through how the extended Euclidean algorithm maintains the invariant $a s_i + b t_i = r_i$ at every step. Start from $(s_0, t_0, r_0) = (1, 0, a)$ and $(s_1, t_1, r_1) = (0, 1, b)$, and show how the update rule preserves it.
Given that Bézout's identity gives us $a s + b t = 1$ when $\gcd(a, b) = 1$, derive the formula for $a^{-1} \bmod b$ from it. Then explain how RSA's key generation uses this exact computation to derive the private exponent $d$ from the public exponent $e$ and $\varphi(n)$.
xgcd to find the modular inverse of 7 modulo 26: call xgcd(7, 26). Since , the in the output (mod 26) is . Verify .xgcd(0, 5) and xgcd(5, 0) — what do you get? These are the edge cases your project implementation needs to handle correctly.xgcd(-12, 18). Bézout's identity holds for negative inputs too — verify the equation on the result.// main.go
package main
import "fmt"
// xgcd returns (g, s, t) with a*s + b*t = g = gcd(a, b).
func xgcd(a, b int) (int, int, int) {
oldR, r := a, b
oldS, s := 1, 0
oldT, t := 0, 1
for r != 0 {
q := oldR / r
oldR, r = r, oldR-q*r
oldS, s = s, oldS-q*s
oldT, t = t, oldT-q*t
}
return oldR, oldS, oldT
}
func main() {
g, s, t := xgcd(1071, 462)
fmt.Printf("gcd = %d, s = %d, t = %d\n", g, s, t)
fmt.Printf("verify: 1071*%d + 462*%d = %d\n", s, t, 1071*s+462*t)
// gcd = 21, s = -3, t = 7
// 1071*(-3) + 462*7 = -3213 + 3234 = 21
}
go run main.go