Automatically merged updates to draft EIP(s) 2494 (#2994)

Hi, I'm a bot! This change was automatically merged because:

 - It only modifies existing Draft or Last Call EIP(s)
 - The PR was approved or written by at least one author of each modified EIP
 - The build is passing
Marta Bellés 2020-09-22 12:18:16 +02:00 committed by GitHub
parent 00cf4103f2
commit e4ce495f51
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -110,14 +110,14 @@ Note that both addition and doubling of points can be computed using a single fo
The search for Baby Jubjub was motivated by the need for an elliptic curve that allows the implementation of elliptic-curve cryptography in `F_r`-arithmetic circuits. The curve choice was based on three main factors: type of curve, generation process and security criteria. This section describes how these factors were addressed.
**Form of the curve**
**Form of the Curve**
Baby Jubjub is a **twisted Edwards** curve birationally equivalent to a **Montgomery** curve. The choice of this form of curve was based on the following facts:
1. The Edwards-curve Digital Signature Scheme is based on twisted Edwards curves.
2. Twisted Edwards curves have a single complete formula for addition of points, which makes the implementation of the group law inside circuits very efficient [[Crypto08/013, Section 6]](https://eprint.iacr.org/2008/013.pdf).
3. As a twisted Edwards curve is generally birationally equivalent to a Montgomery curve [[Crypto08/13,Theorem 3.2]](https://eprint.iacr.org/2008/013.pdf), the curve can be easily converted from one form to another. As addition and doubling of points in a Montgomery curve can be performed very efficiently, computations outside the circuit can be done faster using this form and sped up inside circuits by combining it with twisted Edwards form (see [here](http://hyperelliptic.org/EFD/g1p/index.html)) for more details).
**Generation of the curve**
**Generation of the Curve**
Baby Jubjub was conceived as a solution to the circuit implementation of cryptographic schemes that require elliptic curves. As with any cryptographic protocol, it is important to reduce the possibility of a backdoor being present. As a result, we designed the generation process to be **transparent** and **deterministic** -- in order to make it clear that no external considerations were taken into account, and to ensure that the process can be reproduced and followed by anyone who wishes to do so.
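Review bot: Item 3 under the retitled "Form of the Curve" heading still has an unbalanced parenthesis, `(see [here](...)) for more details)`, and cites `Crypto08/13,Theorem 3.2` where item 2 writes `Crypto08/013, Section 6`. Since this change is a consistency pass over the section headings, fix both in the same pass: drop the stray `)` after the link and use one label form, `Crypto08/013, Theorem 3.2`, with a space after the comma.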
@ -132,7 +132,7 @@ which is the order of alt_bn128, the curve used to verfiy zk-SNARK proofs in Eth
- **Choice of generator** : the generator point `G` is the point of order `n` with smallest positive `x`-coordinate in `F_r`.
- **Choice of base point**: the base point `B` is chosen to be `B = 8*G`, which has order `l`.
**Security considerations**
**Security Criteria**
It is crucial that Baby Jubjub be safe against well-known attacks. To that end, we decided that the curve should pass [SafeCurves](https://safecurves.cr.yp.to/) security tests, as they are known for gathering the best known attacks against elliptic curves. Supporting evidence that Baby Jubjub satisfies the SafeCurves criteria can be found [here](https://github.com/barryWhiteHat/baby_jubjub).
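Review bot: The paragraph under the renamed "Security Criteria" heading gives the same SafeCurves link and the same supporting-evidence link as the opening sentence of the filled-in "## Security Considerations" section, so the claim is now stated twice and can drift. Keep the rationale for choosing SafeCurves here and point to Security Considerations for the list of checks. The context in this hunk's header also shows "verfiy" for "verify", which is worth correcting while the section is being touched.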
@ -147,7 +147,7 @@ Below are the three representations and the birational maps that make it possibl
All generators and base points are written in the form (x,y).
**Twisted Edwards form** (standard)
**Twisted Edwards Form** (standard)
- Equation: ``ax^2 + y^2 = 1 + dx^2y^2``
- Parameters: ``a = 168700, d = 168696``
@ -160,7 +160,7 @@ All generators and base points are written in the form (x,y).
(5299619240641551281634865583518297030282874472190772894086521144482721001553, 16950150798460657717958625567821834550301663161624707787222815936182638968203)
```
**Montgomery form**
**Montgomery Form**
- Equation: ``By^2 = x^3 + A x^2 + x``
- Parameters: ``A = 168698, B = 1``
@ -173,7 +173,7 @@ All generators and base points are written in the form (x,y).
(7117928050407583618111176421555214756675765419608405867398403713213306743542, 14577268218881899420966779687690205425227431577728659819975198491127179315626)
```
**Reduced twisted Edwards form**
**Reduced Twisted Edwards Form**
- Equation: ``a' x^2 + y^2 = 1 + d' x^2y^2``
- Parameters:
@ -190,7 +190,7 @@ All generators and base points are written in the form (x,y).
(9671717474070082183213120605117400219616337014328744928644933853176787189663, 16950150798460657717958625567821834550301663161624707787222815936182638968203)
```
### Conversion of points
### Conversion of Points
Following formulas allow to convert points from one form of the curve to another. We will denote the coordinates
@ -256,7 +256,31 @@ y = y'
```
## Security Considerations
TBA
This section specifies the safety checks done on Baby Jubjub. The choices of security parameters are based on [SafeCurves criteria](https://safecurves.cr.yp.to), and supporting evidence that Baby Jubjub satisfies the following requisites can be found [here](https://github.com/barryWhiteHat/baby_jubjub).
**Curve Parameters**
Check that all parameters in the specification of the curve describe a well-defined elliptic curve over a prime finite field.
- The number `r` is prime.
- Parameters `a` and `d` define an equation that corresponds to an elliptic curve.
- The product of `h` and `l` results into the order of the curve and the `G` point is a generator.
- The number `l` is prime and the `B` point has order `l`.
**Elliptic Curve Discrete Logarithm Problem**
Check that the discrete logarithm problem remains difficult in the given curve. We checked Baby Jubjub is resistant to the following known attacks.
- *Rho method* [[Blake-Seroussi-Smart, Section V.1]](https://www.cambridge.org/core/books/elliptic-curves-in-cryptography/16A2B60636EFA7EBCC3D5A5D01F28546): we require the cost for the rho method, which takes on average around `0.886*sqrt(l)` additions, to be above `2^100`.
- *Additive and multiplicative transfers* [[Blake-Seroussi-Smart, Section V.2]](https://www.cambridge.org/core/books/elliptic-curves-in-cryptography/16A2B60636EFA7EBCC3D5A5D01F28546): we require the embedding degree to be at least `(l 1)/100`.
- *High discriminant* [[Blake-Seroussi-Smart, Section IX.3]](https://www.cambridge.org/core/books/elliptic-curves-in-cryptography/16A2B60636EFA7EBCC3D5A5D01F28546): we require the complex-multiplication field discriminant `D` to be larger than `2^100`.
**Elliptic Curve Cryptography**
- *Ladders* [[Montgomery]](https://wstein.org/edu/Fall2001/124/misc/montgomery.pdf): check the curve supports the Montgomery ladder.
- *Twists* [[SafeCurves, twist]](https://safecurves.cr.yp.to/twist.html): check it is secure against the small-subgroup attack, invalid-curve attacks and twisted-attacks.
- *Completeness* [[SafeCurves, complete]](https://safecurves.cr.yp.to/complete.html): check if the curve has complete single-scalar and multiple-scalar formulas.
- *Indistinguishability* [[IACR2013/325]](https://eprint.iacr.org/2013/325): check availability of maps that turn elliptic-curve points indistinguishable from uniform random strings.
## Test Cases
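Review bot: In the "Additive and multiplicative transfers" bullet the bound reads `(l 1)/100`, with the operator missing; the SafeCurves transfer criterion is an embedding degree of at least `(l - 1)/100`, so write it with an ASCII minus so it survives rendering. In the "High discriminant" bullet the requirement should be on the absolute value, `|D| > 2^100`, since the complex-multiplication field discriminant is negative and "D larger than 2^100" cannot hold as written. The section lists what was checked but gives none of the results (rho cost, embedding degree, discriminant, twist order), leaving the external repository as the only evidence; stating the computed values inline would let a reader verify them against the parameters in this EIP. Minor wording: "results into the order" should be "equals the order", "twisted-attacks" should be "twist attacks", and the "Elliptic Curve Cryptography" list needs an introductory sentence like the two groups before it.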