This is the discussions-to thread for the EIP-2494 proposing Baby Jubjub, a twisted Edwards elliptic curve that allows elliptic curve cryptography inside zk-SNARK circuits.

**Abstract**

Two of the main issues behind why blockchain technology is not broadly used by individuals and industry are scalability and privacy guarantees. With a set of cryptographic tools called zero-knowledge proofs (ZKP) it is possible to address both of these problems. More specifically, the most suitable protocols for blockchain are called zk-SNARKs (zero-knowledge Succint Non-interactive ARguments of Knowledge), as they are non-interactive, have succint proof size and sublinear verification time. These types of protocols allow proving generic computational statements that can be modelled with arithmetic circuits defined over a finite field (also called zk-SNARK circuits).

To verify a zk-SNARK proof, it is necessary to use an elliptic curve. In Ethereum, the curve is alt_bn128 (also referred as BN254), which has primer order `r`

. With this curve, it is possible to generate and validate proofs of any `F_r`

-arithmetic circuit. This EIP describes *Baby Jubjub* , an elliptic curve defined over the finite field `F_r`

which can be used inside any zk-SNARK circuit, allowing for the implementation of cryptographic primitives that make use of elliptic curves, such as the Pedersen Hash or the Edwards Digital Signature Algorithm (EdDSA).