{"id":13809808,"url":"https://github.com/daira/pluto-eris","last_synced_at":"2026-02-14T02:02:46.134Z","repository":{"id":145276681,"uuid":"356922065","full_name":"daira/pluto-eris","owner":"daira","description":"Generator and supporting evidence for security of the Pluto/Eris half-pairing cycle of elliptic curves","archived":false,"fork":false,"pushed_at":"2021-04-18T21:19:30.000Z","size":6164,"stargazers_count":32,"open_issues_count":1,"forks_count":1,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-09-19T14:41:45.005Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Sage","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/daira.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-11T16:38:50.000Z","updated_at":"2025-09-19T03:43:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"32966d52-9147-477a-9dc2-d6f2d2f3e8bf","html_url":"https://github.com/daira/pluto-eris","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/daira/pluto-eris","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Fpluto-eris","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Fpluto-eris/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Fpluto-eris/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Fpluto-eris/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/daira","download
_url":"https://codeload.github.com/daira/pluto-eris/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Fpluto-eris/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29431593,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-13T22:20:51.549Z","status":"online","status_checked_at":"2026-02-14T02:00:07.626Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T02:00:36.492Z","updated_at":"2026-02-14T02:02:46.101Z","avatar_url":"https://github.com/daira.png","language":"Sage","readme":"# Pluto/Eris supporting evidence\n\nThis repository contains supporting evidence on the security of the half-pairing\ncycle of prime-order curves:\n\n* Ep : y\u003csup\u003e2\u003c/sup\u003e = x\u003csup\u003e3\u003c/sup\u003e + 57 over GF(p) of order q, called Pluto;\n* Eq : y\u003csup\u003e2\u003c/sup\u003e = x\u003csup\u003e3\u003c/sup\u003e + 57 over GF(q) of order p, called Eris;\n\nwith\n\n* p = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5cda8a6c7be4a7a5fe8fadffd6a2a7e8c30006b9459ffffcd300000001\n* q = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5c7a8a6c7be4a775fe8e177fd69ca7e85d60050af41ffffcd300000001\n\nPluto is a Barreto–Naehrig (BN) pairing-friendly curve, with embedding degree 12.\nEris is a non-pairing-friendly curve.\n\nThe BN parameter for Pluto (used in pairing 
implementation) is:\n\n* u = -0x4000000000001000008780000000\n\nIf we represent GF(p\u003csup\u003e2\u003c/sup\u003e) as GF(p)[z]/(z\u003csup\u003e2\u003c/sup\u003e + 5), then the curve\nEp' used for G\u003csub\u003e2\u003c/sub\u003e is:\n\n* Ep' : y\u003csup\u003e2\u003c/sup\u003e = x\u003csup\u003e3\u003c/sup\u003e + (z + 3) over GF(p\u003csup\u003e2\u003c/sup\u003e) of\n  order q·(2·p - q), called Triton.\n\n(This definition of Triton has not been finalized and is subject to change.)\n\n\n## Security and engineering properties\n\nThe size of 446 bits follows\n[recommendations by Aurore Guillevic](https://members.loria.fr/AGuillevic/pairing-friendly-curves/)\nfor BN curves at the 128-bit security level (but any errors are my own).\nMore precisely, by using the STNFS cost simulator associated with [[GS2019]], we obtain\nan estimate of roughly 132 bits of security for Pluto, Triton, and their pairing.\nThe security margin of Eris is larger since attacks on the pairing are not applicable:\nit has a Pollard rho security level of 221.6 bits.\n\n446 bits is the maximum that can be implemented in seven 64-bit limbs, with two bits\nto spare for carries, which provides a good security/efficiency trade-off. 
The \"spare\"\ntwo bits can also be used for infinity and compressed y-coordinate flags in a 56-byte\npoint representation.\n\nBoth curves have j-invariant 0, enabling use of endomorphisms for scalar multiplication\nin a similar way to the [Pasta curves](https://github.com/zcash/pasta) and to secp256k1.\nThe values ζ\u003csub\u003ep\u003c/sub\u003e and ζ\u003csub\u003eq\u003c/sub\u003e used in these endomorphisms are of length 335\nor 336 bits, which is only 3/4 of the field size; this allows a particularly efficient\nimplementation of scalar multiplications by partially random scalars with entropy\nup to ~220 bits.\n\nEach curve has an isogeny of degree 3 from a curve with j-invariant not equal to 0 or 1728,\nallowing use of the \"simplified SWU\" method for hashing to an elliptic curve. This is based\non code from Appendix A of [[WB2019](https://eprint.iacr.org/2019/403.pdf)].\n\nBoth curves have a 2-adicity of 32 (i.e. 2\u003csup\u003e32\u003c/sup\u003e divides p-1 and q-1), which\nenables support for fast FFT operations, used in many zero-knowledge proving systems.\n\nThe parameter u has low Hamming weight (7), to speed up pairing computations.\nIt can be expressed in [2-NAF form](https://en.wikipedia.org/wiki/Non-adjacent_form) as\n-(2\u003csup\u003e110\u003c/sup\u003e + 2\u003csup\u003e60\u003c/sup\u003e + 2\u003csup\u003e39\u003c/sup\u003e + 2\u003csup\u003e35\u003c/sup\u003e - 2\u003csup\u003e31\u003c/sup\u003e)\nwhich has weight 5.\n\nBoth curves are twist-secure to over 149 bits.\n\nα is relatively prime to each of p-1 and q-1 for α ∊ {5, 7, 11, 13}, allowing use\nof x\u003csup\u003eα\u003c/sup\u003e for those values as an S-box in algebraic hashes such as Poseidon and\nRescue.\n\n\n## Applications\n\nHalf-pairing cycles are potentially useful to combine Halo-style recursion\n[[BGH2019](https://eprint.iacr.org/2019/1021)] [[BCMS2020](https://eprint.iacr.org/2020/499)]\n[[BDFG2020](https://eprint.iacr.org/2020/1536)] 
[[BCLMS2020](https://eprint.iacr.org/2020/1618)]\nwith any protocol that uses pairings.\n\nThat could include pairing-based proving systems with trusted setup such as Groth16 and\nPLONK, but it could also include schemes without trusted setup such as BLS signatures,\nsome identity-based or forward-secure encryption schemes, tripartite Diffie–Hellman, and\n[[BMMTV](https://eprint.iacr.org/2019/1177)] polynomial commitments.\n\nSignificant additional research and engineering work might be needed to adapt any\nparticular protocol to this setting. If you don't need the pairing, use\n[Pallas/Vesta](https://github.com/zcash/pasta) instead — it will be simpler and more\nefficient!\n\n\n## Naming\n\nPluto and Eris are [planets](https://www.hou.usra.edu/meetings/lpsc2017/pdf/1448.pdf)\nin the solar system's Kuiper belt. They are close in size and mass; Pluto is slightly\nlarger (about 32% the volume of Earth's moon vs Eris' 30%), and Eris is slightly more\nmassive (about 22% the mass of Earth's moon vs Pluto's 18%).\n\nCorrespondingly, the Pluto curve is defined over a larger base field than the\nEris curve (p \u003e q), but has the smaller order. The name of the Pluto curve starts\nwith 'P', which is mnemonic for pairing-friendly.\n\nTriton was originally another Kuiper belt object, larger than Pluto, that was captured\nas a satellite of Neptune.\n\n\n## Generation\n\nPluto/Eris is the first cycle output by\n``sage halfpairing.sage --sequential --requireisos --sortqp 446 32``.\n\n(The `--sequential` option makes the output completely deterministic and so resolves\nambiguity about which result is \"first\". 
For exploratory searches it is faster not to\nuse `--sequential`.)\n\nThe output of ``halfpairing.sage`` with the above options includes the isogenies of\ndegree 3 mentioned above.\n\nPrerequisites:\n\n* ``apt-get install sagemath``\n\nRun ``sage verify.sage Ep`` and ``sage verify.sage Eq`` to test each curve against\n[SafeCurves criteria](https://safecurves.cr.yp.to/index.html); or ``./run.sh`` to test\nboth curves and also print out the results.\n\nThe SafeCurves criteria that are *not* satisfied are, in summary:\n\n* large-magnitude CM discriminant (both curves have CM discriminant of absolute value 3,\n  as a consequence of how they were constructed);\n* completeness (complete formulae are possible, but not according to the SafeCurves\n  criterion);\n* ladder support (not possible for prime-order curves);\n* Elligator 2 support (indistinguishability is possible using\n  [Elligator Squared](https://ifca.ai/pub/fc14/paper_25.pdf), but not using Elligator 2);\n* Pluto is pairing-friendly and therefore cannot satisfy the embedding degree criterion.\n\nTo check the estimated cost of a STNFS attack against the Pluto curve, you will need the\n(experimental) software supporting the paper [[GS2019]] by Aurore Guillevic and Shashank Singh:\n\n* run ``git clone https://gitlab.inria.fr/tnfs-alpha/alpha.git`` (the resulting checkout\n  must be in the ``alpha`` subdirectory of this repo).\n* run ``./check_stnfs.sh``.\n\nThe special form of the prime p and the presence of endomorphisms for BN curves are taken\ninto account.\n\nNote that this script requires a version of Sage that uses Python 3 (unlike the other\nSage scripts in this repo, which can work with versions of Sage using either Python 2 or 3).\nIt takes several hours to run, and the output is quite verbose. 
The estimated security\nlevel against STNFS is given by the minimum of the \"total time\" outputs.\n\n[GS2019]: https://eprint.iacr.org/2019/885\n","funding_links":[],"categories":["Links"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaira%2Fpluto-eris","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdaira%2Fpluto-eris","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaira%2Fpluto-eris/lists"}