crypto: fast fe_batch_invert using Montgomery's trick

j-berman · jeffro256 · j-berman · commit 4e9adb73ef28 · 2025-09-26T19:05:05.000-07:00
https://iacr.org/archive/pkc2004/29470042/29470042.pdf 2.2 Co-authored-by: Jeffro <jeffro256@tutanota.com>
diff --git a/src/crypto/crypto-ops.c b/src/crypto/crypto-ops.c
@@ -313,6 +313,33 @@ void fe_invert(fe out, const fe z) {
   return;
 }
 
+// Montgomery's trick
+// https://iacr.org/archive/pkc2004/29470042/29470042.pdf 2.2
+int fe_batch_invert(fe *out, const fe *in, const int n) {
+  if (n == 0) {
+    return 0;
+  }
+
+  // Step 1: collect initial muls
+  fe_copy(out[0], in[0]);
+  for (int i = 1; i < n; ++i) {
+    fe_mul(out[i], out[i-1], in[i]);
+  }
+
+  // Step 2: get the inverse of all elems multiplied together
+  fe a;
+  fe_invert(a, out[n-1]);
+
+  // Step 3: get each inverse
+  for (int i = n; i > 1; --i) {
+    fe_mul(out[i-1], a, out[i-2]);
+    fe_mul(a, a, in[i-1]);
+  }
+  fe_copy(out[0], a);
+
+  return 0;
+}
+
 /* From fe_isnegative.c */
 
 /*
diff --git a/src/crypto/crypto-ops.h b/src/crypto/crypto-ops.h
@@ -164,6 +164,7 @@ void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);
 void fe_add(fe h, const fe f, const fe g);
 void fe_tobytes(unsigned char *, const fe);
 void fe_invert(fe out, const fe z);
+int fe_batch_invert(fe *out, const fe *in, const int n);
 void fe_mul(fe out, const fe, const fe);
 void fe_0(fe h);
 
diff --git a/tests/performance_tests/CMakeLists.txt b/tests/performance_tests/CMakeLists.txt
@@ -36,6 +36,7 @@ set(performance_tests_headers
   construct_tx.h
   derive_public_key.h
   derive_secret_key.h
+  fe_batch_invert.h
   ge_frombytes_vartime.h
   generate_key_derivation.h
   generate_key_image.h
diff --git a/tests/performance_tests/fe_batch_invert.h b/tests/performance_tests/fe_batch_invert.h
@@ -0,0 +1,79 @@
+// Copyright (c) 2025, The Monero Project
+// 
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are
+// permitted provided that the following conditions are met:
+// 
+// 1. Redistributions of source code must retain the above copyright notice, this list of
+//    conditions and the following disclaimer.
+// 
+// 2. Redistributions in binary form must reproduce the above copyright notice, this list
+//    of conditions and the following disclaimer in the documentation and/or other
+//    materials provided with the distribution.
+// 
+// 3. Neither the name of the copyright holder nor the names of its contributors may be
+//    used to endorse or promote products derived from this software without specific
+//    prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+// EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+// THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+// PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+// STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+// THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+// 
+// Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+
+#pragma once
+
+#include "crypto/crypto.h"
+
+template<bool batched>
+class test_fe_batch_invert
+{
+public:
+  static const size_t loop_count = 50;
+  static const size_t n_elems = 1000;
+
+  bool init()
+  {
+    m_fes = (fe *) malloc(n_elems * sizeof(fe));
+
+    for (std::size_t i = 0; i < n_elems; ++i)
+    {
+      crypto::secret_key r;
+      crypto::random32_unbiased((unsigned char*)r.data);
+
+      ge_p3 point;
+      ge_scalarmult_base(&point, (unsigned char*)r.data);
+
+      memcpy(m_fes[i], &point.Y, sizeof(fe));
+    }
+
+    return true;
+  }
+
+  bool test()
+  {
+    fe *inv_fes = (fe *) malloc(n_elems * sizeof(fe));
+
+    if (batched)
+      fe_batch_invert(inv_fes, m_fes, n_elems);
+    else
+    {
+      for (std::size_t i = 0; i < n_elems; ++i)
+        fe_invert(inv_fes[i], m_fes[i]);
+    }
+
+    free(inv_fes);
+
+    return true;
+  }
+
+private:
+  fe *m_fes;
+};
diff --git a/tests/performance_tests/main.cpp b/tests/performance_tests/main.cpp
@@ -43,6 +43,7 @@
 #include "derive_public_key.h"
 #include "derive_secret_key.h"
 #include "derive_view_tag.h"
+#include "fe_batch_invert.h"
 #include "ge_frombytes_vartime.h"
 #include "ge_tobytes.h"
 #include "generate_key_derivation.h"
@@ -198,6 +199,8 @@ int main(int argc, char** argv)
   TEST_PERFORMANCE0(filter, p, test_generate_key_image);
   TEST_PERFORMANCE0(filter, p, test_derive_public_key);
   TEST_PERFORMANCE0(filter, p, test_derive_secret_key);
+  TEST_PERFORMANCE1(filter, p, test_fe_batch_invert, true); // batched
+  TEST_PERFORMANCE1(filter, p, test_fe_batch_invert, false); // individual inversions
   TEST_PERFORMANCE0(filter, p, test_ge_frombytes_vartime);
   TEST_PERFORMANCE0(filter, p, test_ge_tobytes);
   TEST_PERFORMANCE0(filter, p, test_generate_keypair);
diff --git a/tests/unit_tests/crypto.cpp b/tests/unit_tests/crypto.cpp
@@ -345,3 +345,39 @@ TEST(Crypto, generator_consistency)
   // ringct/rctTypes.h
   ASSERT_TRUE(memcmp(H.data, rct::H.bytes, 32) == 0);
 }
+
+TEST(Crypto, batch_inversion)
+{
+  const std::size_t MAX_TEST_ELEMS = 1000;
+
+  // Memory allocator
+  auto alloc = [](const std::size_t n) -> fe*
+  {
+    fe *ptr = (fe *) malloc(n * sizeof(fe));
+    if (!ptr)
+      throw std::runtime_error("failed to malloc fe *");
+    return ptr;
+  };
+
+  // Init test elems and individual inversions
+  fe *init_elems    = alloc(MAX_TEST_ELEMS);
+  fe *norm_inverted = alloc(MAX_TEST_ELEMS);
+  for (std::size_t i = 0; i < MAX_TEST_ELEMS; ++i)
+  {
+    const cryptonote::keypair kp = cryptonote::keypair::generate(hw::get_device("default"));
+    ASSERT_EQ(fe_frombytes_vartime(init_elems[i], (unsigned char*)kp.pub.data), 0);
+    fe_invert(norm_inverted[i], init_elems[i]);
+  }
+
+  // Do batch inversions and compare to individual inversions
+  for (std::size_t n_elems = 1; n_elems <= MAX_TEST_ELEMS; ++n_elems)
+  {
+    fe *batch_inverted = alloc(n_elems);
+    ASSERT_EQ(fe_batch_invert(batch_inverted, init_elems, n_elems), 0);
+    ASSERT_EQ(memcmp(batch_inverted, norm_inverted, n_elems * sizeof(fe)), 0);
+    free(batch_inverted);
+  }
+
+  free(init_elems);
+  free(norm_inverted);
+}
