EIP-2494: Baby Jubjub Elliptic Curve

This is the discussions-to thread for EIP-2494, which proposes Baby Jubjub, a twisted Edwards elliptic curve that allows elliptic curve cryptography inside zk-SNARK circuits.


Two of the main issues behind why blockchain technology is not broadly used by individuals and industry are scalability and privacy guarantees. With a set of cryptographic tools called zero-knowledge proofs (ZKP) it is possible to address both of these problems. More specifically, the most suitable protocols for blockchain are called zk-SNARKs (zero-knowledge Succinct Non-interactive ARguments of Knowledge), as they are non-interactive, have succinct proof size and sublinear verification time. These types of protocols allow proving generic computational statements that can be modelled with arithmetic circuits defined over a finite field (also called zk-SNARK circuits).

To verify a zk-SNARK proof, it is necessary to use an elliptic curve. In Ethereum, the curve is alt_bn128 (also referred to as BN254), which has prime order r. With this curve, it is possible to generate and validate proofs of any F_r-arithmetic circuit. This EIP describes Baby Jubjub, an elliptic curve defined over the finite field F_r which can be used inside any zk-SNARK circuit, allowing for the implementation of cryptographic primitives that make use of elliptic curves, such as the Pedersen Hash or the Edwards Digital Signature Algorithm (EdDSA).
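
The following is an added example, not part of the original post or the EIP's reference code. It shows Baby Jubjub arithmetic done entirely in F_r, together with the point validation (on-curve and prime-order-subgroup checks) a verifier would apply before using a point in EdDSA or a Pedersen hash. The constants are the published curve parameters, which this page does not state, and all function names are hypothetical.

```python
# Added example: Baby Jubjub point validation over F_r (names are hypothetical).
# Constants are the published BN254 / Baby Jubjub parameters, not values from this page.
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617  # prime order r of alt_bn128
A, D = 168700, 168696  # twisted Edwards form: A*x^2 + y^2 = 1 + D*x^2*y^2 over F_r
L = 2736030358979909402780800718157159386076813972158567259200215660948447373041  # prime subgroup order (curve order = 8*L)
B8 = (5299619240641551281634865583518297030282874472190772894086521144482721001553,
      16950150798460657717958625567821834550301663161624707787222815936182638968203)  # base point of that subgroup
IDENTITY = (0, 1)

def on_curve(p):
    """True if p = (x, y) is a canonically encoded point satisfying the curve equation."""
    x, y = p
    if not (0 <= x < R and 0 <= y < R):
        return False  # reject non-canonical field encodings
    x2, y2 = x * x % R, y * y % R
    return (A * x2 + y2) % R == (1 + D * x2 * y2) % R

def add(p, q):
    """Affine twisted Edwards addition; every operation is F_r arithmetic."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % R
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % R, -1, R) % R
    y3 = (y1 * y2 - A * x1 * x2) * pow((1 - t) % R, -1, R) % R
    return (x3, y3)

def mul(k, p):
    """Double-and-add scalar multiplication (not constant time; for checks on public data only)."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def validate_point(p):
    """Accept only non-identity, on-curve points that lie in the prime-order subgroup."""
    return on_curve(p) and p != IDENTITY and mul(L, p) == IDENTITY

if __name__ == "__main__":
    print("base point valid:", validate_point(B8))
    print("order-2 point (0, -1) valid:", validate_point((0, R - 1)))
```

The point (0, -1) satisfies the curve equation but has order 2, so only the subgroup check rejects it; skipping that check is what allows small-subgroup inputs through.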