AztecProtocol · johnathan79717 · Mar 3, 2026 · Feb 20, 2026 · Feb 20, 2026 · Feb 24, 2026
diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.hpp
@@ -51,9 +51,20 @@ template <class Curve> class CommitmentKey {
      * @param num_points Number of points needed for commitments
      */
     CommitmentKey(const size_t num_points)
-        : srs(srs::get_crs_factory<Curve>()->get_crs(num_points))
-        , srs_size(num_points)
+        : srs(srs::get_crs_factory<Curve>()->get_crs(std::max(num_points, minimum_crs_size())))
+        , srs_size(std::max(num_points, minimum_crs_size()))
     {}
+
+    // SmallSubgroupIPA (used in ZK proofs) commits polynomials up to size SUBGROUP_SIZE + 3.
+    // Enforce this as a minimum so callers don't need to special-case ZK.
+    static constexpr size_t minimum_crs_size()
+    {
+        if constexpr (requires { Curve::SUBGROUP_SIZE; }) {
+            return Curve::SUBGROUP_SIZE + 3;
+        } else {
+            return 0;
+        }
+    }
     /**
      * @brief Checks the commitment key is properly initialized.
      *

diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.cpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/commitment_key.test.cpp
@@ -69,7 +69,7 @@ template <typename Curve> class CommitmentKeyTest : public ::testing::Test {
         for (size_t n : { size_t{ 10 }, size_t{ 100 }, size_t{ 1000 }, size_t{ 1234 } }) {
             CK ck(n);
 
-            EXPECT_EQ(ck.srs_size, n);
+            EXPECT_EQ(ck.srs_size, std::max(n, CK::minimum_crs_size()));
             // Note: get_monomial_size() may be >= n since it returns the underlying SRS size
             EXPECT_GE(ck.get_monomial_size(), n);
 

diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp
@@ -125,6 +125,7 @@ template <typename Curve> class GeminiProver_ {
     class PolynomialBatcher {
 
         size_t full_batched_size = 0; // size of the full batched polynomial (generally the circuit size)
+        size_t actual_data_size_ = 0; // max end_index across all polynomials (actual data extent)
 
         Polynomial batched_unshifted;            // linear combination of unshifted polynomials
         Polynomial batched_to_be_shifted_by_one; // linear combination of to-be-shifted polynomials
@@ -133,10 +134,11 @@ template <typename Curve> class GeminiProver_ {
         RefVector<Polynomial> unshifted;            // set of unshifted polynomials
         RefVector<Polynomial> to_be_shifted_by_one; // set of polynomials to be left shifted by 1
 
-        PolynomialBatcher(const size_t full_batched_size)
+        PolynomialBatcher(const size_t full_batched_size, const size_t actual_data_size = 0)
             : full_batched_size(full_batched_size)
-            , batched_unshifted(full_batched_size)
-            , batched_to_be_shifted_by_one(Polynomial::shiftable(full_batched_size))
+            , actual_data_size_(actual_data_size == 0 ? full_batched_size : actual_data_size)
+            , batched_unshifted(actual_data_size_, full_batched_size)
+            , batched_to_be_shifted_by_one(Polynomial::shiftable(actual_data_size_, full_batched_size))
         {}
 
         bool has_unshifted() const { return unshifted.size() > 0; }
@@ -191,8 +193,8 @@ template <typename Curve> class GeminiProver_ {
          */
         std::pair<Polynomial, Polynomial> compute_partially_evaluated_batch_polynomials(const Fr& r_challenge)
         {
-            // Initialize A₀₊ and compute A₀₊ += F as necessary
-            Polynomial A_0_pos(full_batched_size); // A₀₊
+            // Initialize A₀₊ with only the actual data extent; virtual zeroes cover the rest
+            Polynomial A_0_pos(actual_data_size_, full_batched_size); // A₀₊
 
             if (has_unshifted()) {
                 A_0_pos += batched_unshifted; // A₀₊ += F

diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/shplonk/shplonk.hpp
@@ -61,10 +61,6 @@ template <typename Curve> class ShplonkProver_ {
                 max_poly_size = std::max(max_poly_size, claim.polynomial.size());
             }
         }
-        // The polynomials in Sumcheck Round claims and Libra opening claims are generally not dyadic,
-        // so we round up to the next power of 2.
-        max_poly_size = numeric::round_up_power_2(max_poly_size);
-
         // Q(X) = ∑ⱼ νʲ ⋅ ( fⱼ(X) − vⱼ) / ( X − xⱼ )
         Polynomial Q(max_poly_size);
         Polynomial tmp(max_poly_size);

diff --git a/barretenberg/cpp/src/barretenberg/flavor/prover_polynomials.hpp b/barretenberg/cpp/src/barretenberg/flavor/prover_polynomials.hpp
@@ -64,6 +64,16 @@ class ProverPolynomialsBase : public AllEntitiesBase {
         }
     }
 
+    // Returns the maximum end_index across all polynomials (i.e. the actual data extent)
+    [[nodiscard]] size_t max_end_index() const
+    {
+        size_t result = 0;
+        for (const auto& poly : this->get_all()) {
+            result = std::max(result, poly.end_index());
+        }
+        return result;
+    }
+
     void increase_polynomials_virtual_size(const size_t size_in)
     {
         for (auto& polynomial : this->get_all()) {

diff --git a/barretenberg/cpp/src/barretenberg/polynomials/polynomial.cpp b/barretenberg/cpp/src/barretenberg/polynomials/polynomial.cpp
@@ -184,16 +184,15 @@ template <typename Fr> Polynomial<Fr>& Polynomial<Fr>::operator+=(PolynomialSpan
     return *this;
 }
 
-template <typename Fr> Fr Polynomial<Fr>::evaluate(const Fr& z, const size_t target_size) const
-{
-    BB_ASSERT(size() == virtual_size());
-    return polynomial_arithmetic::evaluate(data(), z, target_size);
-}
-
 template <typename Fr> Fr Polynomial<Fr>::evaluate(const Fr& z) const
 {
-    BB_ASSERT(size() == virtual_size());
-    return polynomial_arithmetic::evaluate(data(), z, size());
+    // Evaluate only the backing data; virtual zeroes beyond backing contribute nothing.
+    // When start_index > 0, multiply by z^start_index to account for the offset.
+    Fr result = polynomial_arithmetic::evaluate(data(), z, size());
+    if (start_index() > 0) {
+        result *= z.pow(start_index());
+    }
+    return result;
 }
 
 template <typename Fr> Fr Polynomial<Fr>::evaluate_mle(std::span<const Fr> evaluation_points, bool shift) const

diff --git a/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp b/barretenberg/cpp/src/barretenberg/polynomials/polynomial.hpp
@@ -224,7 +224,6 @@ template <typename Fr> class Polynomial {
      */
     void factor_roots(const Fr& root) { polynomial_arithmetic::factor_roots(coeffs(), root); };
 
-    Fr evaluate(const Fr& z, size_t target_size) const;
     Fr evaluate(const Fr& z) const;
 
     /**

diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp
@@ -22,7 +22,7 @@ namespace bb {
 template <typename Flavor> void OinkProver<Flavor>::prove()
 {
     BB_BENCH_NAME("OinkProver::prove");
-    commitment_key = CommitmentKey(prover_instance->dyadic_size());
+    commitment_key = CommitmentKey(prover_instance->polynomials.max_end_index());
     send_vk_hash_and_public_inputs();
     commit_to_masking_poly();
     commit_to_wires();

diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp
@@ -60,12 +60,12 @@ template <typename Flavor> void UltraProver_<Flavor>::generate_gate_challenges()
 
 template <typename Flavor> typename UltraProver_<Flavor>::Proof UltraProver_<Flavor>::construct_proof()
 {
-    size_t key_size = prover_instance->dyadic_size();
-    if constexpr (Flavor::HasZK) {
-        constexpr size_t log_subgroup_size = static_cast<size_t>(numeric::get_msb(Curve::SUBGROUP_SIZE));
-        key_size = std::max(key_size, size_t{ 1 } << (log_subgroup_size + 1));
-    }
-    commitment_key = CommitmentKey(key_size);
+    // The CRS only needs to accommodate the actual data extent (max_end_index) rather than the
+    // full dyadic_size. All committed polynomials fit within this bound: witness/selector polys
+    // have backing ≤ max_end_index, Gemini fold polys have size ≤ dyadic_size/2 < max_end_index,
+    // Shplonk quotient Q is sized at max(claim sizes), and KZG opening proof is sized at Q.size().
+    // For ZK, the gemini_masking_poly (at dyadic_size) is already reflected in max_end_index.
+    commitment_key = CommitmentKey(prover_instance->polynomials.max_end_index());
 
     OinkProver<Flavor> oink_prover(prover_instance, honk_vk, transcript);
     oink_prover.prove();
@@ -120,7 +120,7 @@ template <typename Flavor> void UltraProver_<Flavor>::execute_pcs()
 
     auto& ck = commitment_key;
 
-    PolynomialBatcher polynomial_batcher(prover_instance->dyadic_size());
+    PolynomialBatcher polynomial_batcher(prover_instance->dyadic_size(), prover_instance->polynomials.max_end_index());
     polynomial_batcher.set_unshifted(prover_instance->polynomials.get_unshifted());
     polynomial_batcher.set_to_be_shifted_by_one(prover_instance->polynomials.get_to_be_shifted());
-Original file line number
+Diff line change
@@ Expand Up / @@ -224,7 +224,6 @@ template <typename Fr> class Polynomial { @@
          */
         void factor_roots(const Fr& root) { polynomial_arithmetic::factor_roots(coeffs(), root); };
-        Fr evaluate(const Fr& z, size_t target_size) const;
         Fr evaluate(const Fr& z) const;
         /**
@@ Expand Down @@