ΛΛnemosyne  /  Documentation  /  The Apollo Elliptic Curve

The Apollo Elliptic Curve

A 1024-bit Twisted Edwards Curve from the dalos-crypto family. Used for Codex Identity. Two halves give 2048 bits of total entropy per Codex.

At a glance

Curve familyTwisted Edwards Curve (TEC)
Formal nameTEC_S1024_Pr1029p639_m729
Common nameApollo
Used forCodex Identity (Standard + Smart halves)
Safe scalar size1024 bits per curve invocation
Possible private keys per half21024 ≈ 1.8 × 10308
Address encoding160 glyphs from the Dalos Character Set
Reference impl.DALOS_Crypto/Elliptic/Parameters.go (Go), @stoachain/dalos-crypto (TypeScript)

The curve equation, at a glance

Twisted Edwards form — instantiated for Apollo

x2 + y2  =  1  −  729 · x2 · y2

General Twisted Edwards form: a · x² + y² = 1 + d · x² · y². Apollo plugs in a = 1, d = −729, and works over the prime field defined below.

Curve parameters

Prime field P 21029 + 639 (1030-bit prime defining the finite field the curve lives in)
Subgroup order Q 21027 + 9418258840691661048958693280848051387209299408194089012775090979625514940291099061879232380228215863338991692577868713164205283324554730781862605682126581 (1028-bit prime — the order of the generator's subgroup; private-key scalars are reduced mod this)
Trace T −37673035362766644195834773123392205548837197632776356051100363918502059761164396247516929520912863453355966770311474852656821133298218923127450422728505684 (curve trace — relates to cofactor via R · Q = P + 1 − T)
Cofactor R 4 (computed from R = (P + 1 − T) / Q; small cofactor required for safe Schnorr)
a coefficient 1
d coefficient −729
Safe scalar S 1024 bits (size of the private-key search space, after cofactor accounting)
Generator G Gx = 18
Gy = 215278369951571488896917596155404324026002302190181825431681175816997859909367143653000579666656344456792257669605762582468610930751115704301503268336066379058325768607564533090162357247378501333085803173440477981455490888754538866823680129180124913908161391361773138634347515375569488540295649449731695734303 (public base point — every Apollo public key is a scalar multiple of G)

Apollo's specific coefficients give it the strong properties required for Schnorr signatures: complete addition formulas (no edge cases), constant-time scalar multiplication, and resistance to side-channel attacks. The frozen parameters above are the canonical reference — any implementation that deviates produces incompatible keys.

Why two halves for Codex Identity

A Codex Identity is not a single Apollo keypair — it's two. The 2048-bit seed material splits in half (1024 bits each), and each half runs through Apollo independently to produce a separate keypair:

The full Codex Identity address is the concatenation: ₱.STANDARD_160_GLYPHS:Π.SMART_160_GLYPHS. See the landing page section for the cosign authorization model.

Entropy scale

Combined Codex Identity entropy

With two independent Apollo halves, the total Codex Identity space is:

21024 × 21024 = 22048 ≈ 10616

For context: the observable universe is estimated to contain 1080 atoms. The Codex Identity space exceeds the atom count by a factor of 10536. Random collision between two Codex Identities is not "extremely improbable" — it is unphysical.

Comparison to other curves

Curve Safe scalar (bits) Approx. key space Used for
Ed25519 (Bitcoin, Ethereum, Solana, Kadena) ~252 ≈ 1075 Most modern blockchains
secp256k1 (Bitcoin original) ~256 ≈ 1077 Bitcoin, Ethereum legacy
Apollo 1024 ≈ 10308 Codex Identity (this curve)
Apollo × 2 (Codex Identity) 2048 ≈ 10616 Codex Identity total
Dalos 1600 ≈ 10481 Ouronet accounts

Apollo's 1024-bit safe scalar puts it firmly in the "post-classical-computing-infinity" tier. Even speculative quantum attacks (Shor's algorithm on elliptic-curve discrete log) require a quantum computer with thousands of stable logical qubits to break — far beyond current or near-term hardware. The 2048-bit Codex Identity total puts the identity layer comfortably ahead of the underlying Ouronet account layer.

Signatures: Schnorr on Apollo

Apollo signatures use the Schnorr scheme — simpler, more provably-secure, and more efficient than ECDSA. Each signature is a pair (R, s) where R is an Apollo point and s is a scalar mod Q. Standard Schnorr verification: check that s·G = R + e·P, where P is the public key, G is the generator, and e is the challenge hash.

Apollo Schnorr signatures are verified off-chain — by Mnemosyne's web app and backend, by Codex Consumers, and by any third-party tool that wants to validate a Codex Identity proof. The StoaChain Pact runtime does not natively verify Apollo signatures (Pact's native verifier is for Stoa-native ED25519 via the CodexGuard key). The two curves serve different layers and don't compete.

Why not just use Ed25519?

Ed25519 (~252-bit safe scalar) is excellent for blockchain account keys — fast, small signatures, well-understood, hardware-supported. Apollo isn't trying to replace it. Apollo exists for one specific role: cryptographic identity that needs to outlive everything else.

A Codex Identity is meant to be the user's permanent public handle — the thing they register on chain, the thing other people address them by. If it ever needs to be replaced because the curve was broken, the user effectively loses their identity. That makes "extra cryptographic margin" worth far more for identity than for an everyday signing key.

Apollo's 4× larger safe scalar (1024 vs 256 bits) gives the identity layer a permanence ceiling that exceeds any individual blockchain account by an enormous margin. Even if quantum or algebraic attacks chip away at smaller curves over decades, Apollo identities should still stand.

Related

The Dalos Character Set →
The 256-glyph alphabet that addresses are encoded in.
The Dalos Elliptic Curve →
The 1600-bit twin used for Ouronet account keys.

Reference implementation: github.com/StoaChain/DALOS_Crypto