AztecProtocol · notnotraju · Mar 4, 2026 · Feb 18, 2026 · Feb 19, 2026 · Feb 19, 2026
diff --git a/barretenberg/cpp/src/barretenberg/ecc/curves/secp256k1/secp256k1.hpp b/barretenberg/cpp/src/barretenberg/ecc/curves/secp256k1/secp256k1.hpp
@@ -217,15 +217,14 @@ struct FrParams {
     static constexpr uint64_t endo_b2_lo = 0xe86c90e49284eb15ULL;
     static constexpr uint64_t endo_b2_mid = 0x3086d221a7d46bcdULL;
 
-    static constexpr uint64_t endo_g1_lo = 0xE893209A45DBB031ULL;
-    static constexpr uint64_t endo_g1_mid = 0x3DAA8A1471E8CA7FULL;
-    static constexpr uint64_t endo_g1_hi = 0xE86C90E49284EB15ULL;
-    static constexpr uint64_t endo_g1_hihi = 0x3086D221A7D46BCDULL;
-
-    static constexpr uint64_t endo_g2_lo = 0x1571B4AE8AC47F71ULL;
-    static constexpr uint64_t endo_g2_mid = 0x221208AC9DF506C6ULL;
-    static constexpr uint64_t endo_g2_hi = 0x6F547FA90ABFE4C4ULL;
-    static constexpr uint64_t endo_g2_hihi = 0xE4437ED6010E8828ULL;
+    // 256-bit-shift constants: g1 = floor((-b1) * 2^256 / r), g2 = floor(b2 * 2^256 / r)
+    // See endomorphism_scalars.py compute_splitting_constants() for derivation.
+    static constexpr uint64_t endo_g1_lo = 0x6F547FA90ABFE4C4ULL;
+    static constexpr uint64_t endo_g1_mid = 0xE4437ED6010E8828ULL;
+    static constexpr uint64_t endo_g1_hi = 0x0ULL;
+
+    static constexpr uint64_t endo_g2_lo = 0xE86C90E49284EB15ULL;
+    static constexpr uint64_t endo_g2_mid = 0x3086D221A7D46BCDULL;
 
     // Not used in secp256k1
     static constexpr uint64_t primitive_root_0 = 0UL;

diff --git a/barretenberg/cpp/src/barretenberg/ecc/curves/secp256k1/secp256k1_endo_notes.hpp b/barretenberg/cpp/src/barretenberg/ecc/curves/secp256k1/secp256k1_endo_notes.hpp
@@ -14,11 +14,9 @@ struct basis_vectors {
     uint64_t endo_g1_lo = 0;
     uint64_t endo_g1_mid = 0;
     uint64_t endo_g1_hi = 0;
-    uint64_t endo_g1_hihi = 0;
     uint64_t endo_g2_lo = 0;
     uint64_t endo_g2_mid = 0;
     uint64_t endo_g2_hi = 0;
-    uint64_t endo_g2_hihi = 0;
     uint64_t endo_minus_b1_lo = 0;
     uint64_t endo_minus_b1_mid = 0;
     uint64_t endo_b2_lo = 0;
@@ -108,19 +106,17 @@ struct basis_vectors {
     }
 
     uint512_t minus_b1 = -b1;
-    uint512_t shift256 = uint512_t(1) << 384;
+    uint512_t shift256 = uint512_t(1) << 256;
     uint512_t g1 = (-b1 * shift256) / uint512_t(secp256k1::fr::modulus);
     uint512_t g2 = (b2 * shift256) / uint512_t(secp256k1::fr::modulus);
 
     basis_vectors result;
     result.endo_g1_lo = g1.lo.data[0];
     result.endo_g1_mid = g1.lo.data[1];
     result.endo_g1_hi = g1.lo.data[2];
-    result.endo_g1_hihi = g1.lo.data[3];
     result.endo_g2_lo = g2.lo.data[0];
     result.endo_g2_mid = g2.lo.data[1];
     result.endo_g2_hi = g2.lo.data[2];
-    result.endo_g2_hihi = g2.lo.data[3];
     result.endo_minus_b1_lo = minus_b1.lo.data[0];
     result.endo_minus_b1_mid = minus_b1.lo.data[1];
     result.endo_b2_lo = b2.lo.data[0];