LogoLogo
LogoLogo
  • Introduction
    • About Us
    • Notations & Definitions
      • MPC
      • ZK
    • Contribute to this Site!
  • Primitives
    • Multiplication
      • Karatsuba Multiplication
      • Toom-Cook Multiplication
    • NAF (Non-adjacent form)
    • Chinese Remainder Theorem (CRT)
    • Euclidean Algorithm
      • Extended Euclidean Algorithm
      • Binary Euclidean Algorithm
      • Extended Binary Euclidean Algorithm
    • Coding Theory
      • Linear Code
    • Number Theoretic Transform
    • Abstract Algebra
      • Group
        • -Morphisms
        • Batch Inverse
      • Elliptic Curve
        • Weierstrass Curve
          • Coordinate Forms
          • Fast Elliptic Curve Arithmetic and Improved WEIL Pairing Evaluation
        • Edwards Curve
          • Coordinate Forms
          • Twisted Edwards ↔ Short Weierstrass Transformation
        • Batch Inverse for Batch Point Additions
        • Scalar Multiplication
          • Double-and-add
          • GLV Decomposition
        • MSM
          • Pippenger's Algorithm
          • Signed Bucket Index
          • CycloneMSM
          • EdMSM
          • cuZK
        • 2-Chain and 2-Cycle of Elliptic Curves
    • Encryption Scheme
      • ElGamal Encryption
    • Modular Arithmetic
      • Modular Reduction
        • Barrett Reduction
        • Montgomery Reduction
      • Modular Inverse
        • Bernstein-Yang's Inverse
    • Multiset Check
    • Sumcheck
    • Commitment Scheme
      • Fflonk
      • SHPlonk
      • Zeromorph
  • MPC
    • Yao's Garbled Circuits
    • GMW
    • BMR
  • ZK
    • Arithmetization
      • R1CS
      • PLONK
      • AIR
    • Folding
      • LatticeFold
      • Nova
        • Nova over Cycles of Curves
    • Lookup
      • Lasso
      • LogUp-GKR
    • SNARK
      • Groth16
      • HyperPlonk
      • Spartan
        • SPARK
    • STARK
      • Additive NTT
      • Basefold
      • Binius
      • Brakedown
      • CircleSTARK
      • FRI
        • FRI Security Features and Optimizations
      • DEEP FRI
      • STIR
      • WHIR
    • Distributed ZK
      • Ryan's Trick for Distributed Groth16
  • Application
    • zkLogin
    • zkHoldem
    • zkTLS
      • DECO
      • Proxying is enough
  • zkVM
Powered by GitBook
On this page
  • What is Batch Inverse?
  • How Does It Work?
  • 1. Compute Prefix Products
  • 2. Compute Inverse of the Final Product
  • 3. Compute Each Inverse in Reverse
  • Computational Complexity
Export as PDF
  1. Primitives
  2. Abstract Algebra
  3. Group

Batch Inverse

Reduction of the number of field inverse operations when computing batch operations.

Previous-MorphismsNextElliptic Curve

Last updated 1 month ago

What is Batch Inverse?

Batch Inverse is a technique used to efficiently compute the inverses of multiple values (v1,…,vn)(v_1, \dots, v_n)(v1​,…,vn​) at once. Normally, calculating each inverse separately requires n×INVn \times \mathsf{INV}n×INV (inverse operations), but with Batch Inversion, you can compute all the inverses using just a single inverse operation.

As inverse operations are significantly more expensive than multiplications, this method is especially useful in performance-sensitive contexts—such as in ZK provers.

How Does It Work?

Let’s walk through an example of computing the inverses of four values: (a,b,c,d)(a, b, c, d)(a,b,c,d)

1. Compute Prefix Products

Multiply the values one by one, keeping track of intermediate results:

  • P1=aP_1 = aP1​=a

  • P2=abP_2 = abP2​=ab

  • P3=abcP_3 = abcP3​=abc

  • P4=abcdP_4 = abcdP4​=abcd

So we get:

P=(P1,P2,P3,P4)P = (P_1, P_2, P_3, P_4)P=(P1​,P2​,P3​,P4​)

2. Compute Inverse of the Final Product

Compute the inverse of the final product:

This is the only inverse operation required.

3. Compute Each Inverse in Reverse

Now, traverse the values in reverse to compute individual inverses:

This phase involves only multiplication operations.

Computational Complexity

Total:

t=P4−1=(abcd)−1t = P_4^{-1} = (abcd)^{-1}t=P4−1​=(abcd)−1

d−1=P3×td^{-1} = P_3 \times td−1=P3​×t, then update t=t×d=(abc)−1t = t \times d = (abc)^{-1}t=t×d=(abc)−1

c−1=P2×tc^{-1} = P_2 \times tc−1=P2​×t, then update t=t×c=(ab)−1t = t \times c = (ab)^{-1}t=t×c=(ab)−1

b−1=P1×tb^{-1} = P_1 \times tb−1=P1​×t, then update t=t×b=(a)−1t = t \times b = (a)^{-1}t=t×b=(a)−1

a−1=ta^{-1} = ta−1=t

If the vector has length nnn, the total computational cost is:

Prefix Product Computation: (n−1)×MUL(n - 1) \times \mathsf{MUL}(n−1)×MUL

One Inverse Operation: 1×INV1 \times \mathsf{INV}1×INV

Reverse Traversal: 2(n−1)×MUL2(n - 1) \times \mathsf{MUL}2(n−1)×MUL

3(n−1)×MUL+1×INV3(n - 1) \times \mathsf{MUL} + 1 \times \mathsf{INV}3(n−1)×MUL+1×INV

Written by of

A41
ryan Kim