{"id":22711303,"url":"https://github.com/daira/tweedle","last_synced_at":"2026-02-01T01:05:19.824Z","repository":{"id":72465538,"uuid":"207130987","full_name":"daira/tweedle","owner":"daira","description":"Generator and supporting evidence for security of the Tweedledum/Tweedledee pair of elliptic curves suitable for Halo","archived":false,"fork":false,"pushed_at":"2022-10-25T20:09:03.000Z","size":3081,"stargazers_count":20,"open_issues_count":1,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-10-11T06:34:53.771Z","etag":null,"topics":["cryptography","elliptic-curves","mathematics","sagemath"],"latest_commit_sha":null,"homepage":"","language":"Sage","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/daira.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-09-08T15:15:28.000Z","updated_at":"2024-01-14T00:00:21.000Z","dependencies_parsed_at":"2023-07-20T21:48:52.777Z","dependency_job_id":null,"html_url":"https://github.com/daira/tweedle","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/daira/tweedle","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Ftweedle","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Ftweedle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Ftweedle/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Ftweedle/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/daira","download_url":"https://codeload.github.com/daira/tweedle/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daira%2Ftweedle/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28963214,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T00:42:38.011Z","status":"ssl_error","status_checked_at":"2026-02-01T00:42:35.920Z","response_time":128,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","elliptic-curves","mathematics","sagemath"],"created_at":"2024-12-10T12:15:41.926Z","updated_at":"2026-02-01T01:05:19.819Z","avatar_url":"https://github.com/daira.png","language":"Sage","funding_links":[],"categories":[],"sub_categories":[],"readme":"Tweedledum/Tweedledee supporting evidence\n-----------------------------------------\n\nThis repository contains supporting evidence that the amicable pair of\nprime-order curves:\n\n* Ep : y^2 = x^3 + 5 over GF(p) of order q, called Tweedledum;\n* Eq : y^2 = x^3 + 5 over GF(q) of order p, called Tweedledee;\n\nwith\n\n* p = 2^254 + 4707489545178046908921067385359695873\n* q = 2^254 + 4707489544292117082687961190295928833\n\nsatisfy *some* of the [SafeCurves criteria](https://safecurves.cr.yp.to/index.html).\n\nThe criteria that are *not* satisfied are, in summary:\n\n* large-magnitude CM discriminant (both curves have CM discriminant of absolute value 3,\n  as a consequence of how they were constructed);\n* completeness (complete formulae are possible, but not according to the Safe curves\n  criterion);\n* ladder support (not possible for prime-order curves);\n* Elligator 2 support (indistinguishability is possible using\n  [Elligator Squared](https://ifca.ai/pub/fc14/paper_25.pdf), but not using Elligator 2).\n\nTweedledum/Tweedledee is the first cycle output by\n``sage amicable.sage --sequential --nearpowerof2 255 32``.\n\n(The `--sequential` option makes the output completely deterministic and so resolves\nambiguity about which result is \"first\". For exploratory searches it is faster not to\nuse `--sequential`.)\n\n**The cycle we call Tweedledum/Tweedledee has changed from the initial (September 2019) draft of the Halo paper.**\n\nNote that although there is no known security problem with the Tweedle cycle, there are efficiency\nand interoperability reasons to prefer the [Pasta cycle](https://github.com/zcash/pasta), as\nexplained in [this blog post](https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/).\n\nPrerequisites:\n\n* ``apt-get install sagemath``\n\nRun ``sage verify.sage Ep`` and ``sage verify.sage Eq``; or ``./run.sh`` to run both\nand also print out the results.\n\n``amicable.sage`` also outputs isogenies (of degree up to ``ISOGENY_DEGREE_MAX``) suitable\nfor use with the \"simplified SWU\" method for hashing to an elliptic curve. This is based\non code from Appendix A of [Wahby and Boneh 2019](https://eprint.iacr.org/2019/403.pdf).\nNote that simplified SWU is not necessarily the preferred method to hash to a given curve.\nIn particular it probably is not for the Tweedle curves; they only have suitable isogenies\nof degree 23, which is rather large.\n\nTo check the correctness of the endomorphism optimization described in the Halo paper, run\n``python3 injectivitylemma.py`` and ``python3 checksumsets.py``. To also generate animations\nshowing the minimum distances between multiples of ζ used in the proof, run ``./animation.sh``.\n\n``animation.sh`` has the following prerequisites:\n\n* ``apt-get install ffmpeg ffcvt``\n* ``pip3 install bintrees Pillow``\n\n``checksumsets.py`` on its own only requires the ``bintrees`` Python package.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaira%2Ftweedle","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdaira%2Ftweedle","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaira%2Ftweedle/lists"}