feat: merge-train/barretenberg

barretenberg/cpp/scripts/audit/audit_scopes/chonk_audit_scope.md

@@ -19,50 +19,50 @@ Note: Paths relative to `aztec-packages/barretenberg/cpp/src/barretenberg`
 6. `hypernova/hypernova_verifier.hpp`
 7. `hypernova/hypernova_decider_verifier.cpp`
 8. `hypernova/hypernova_decider_verifier.hpp`
-9. `hypernova/types.hpp`
 
 ### Multilinear Batching Components
-10. `multilinear_batching/multilinear_batching_prover.cpp`
-11. `multilinear_batching/multilinear_batching_prover.hpp`
-12. `multilinear_batching/multilinear_batching_claims.hpp`
-13. `multilinear_batching/multilinear_batching_verifier.cpp`
-14. `multilinear_batching/multilinear_batching_verifier.hpp`
+9. `multilinear_batching/multilinear_batching_prover.cpp`
+10. `multilinear_batching/multilinear_batching_prover.hpp`
+11. `multilinear_batching/multilinear_batching_claims.hpp`
+12. `multilinear_batching/multilinear_batching_verifier.cpp`
+13. `multilinear_batching/multilinear_batching_verifier.hpp`
 
 ### Merge Protocol
-15. `goblin/merge_prover.cpp`
-16. `goblin/merge_prover.hpp`
-17. `goblin/merge_verifier.cpp`
-18. `goblin/merge_verifier.hpp`
+14. `goblin/merge_prover.cpp`
+15. `goblin/merge_prover.hpp`
+16. `goblin/merge_verifier.cpp`
+17. `goblin/merge_verifier.hpp`
 
 ### Chonk Core
-19. `chonk/chonk.cpp`
-20. `chonk/chonk.hpp`
-21. `chonk/private_execution_steps.cpp`
-22. `chonk/chonk_proof.cpp`
-23. `chonk/chonk_proof.hpp`
+18. `chonk/chonk.cpp`
+19. `chonk/chonk.hpp`
+20. `chonk/private_execution_steps.cpp`
+21. `chonk/chonk_proof.cpp`
+22. `chonk/chonk_proof.hpp`
 
 ### Relations
-24. `relations/multilinear_batching/multilinear_batching_relation.hpp`
+23. `relations/multilinear_batching/multilinear_batching_relation.hpp`
 
 ### Special Public Inputs
-25. `special_public_inputs/special_public_inputs.hpp`
-26. `stdlib/primitives/public_input_component/public_input_component.hpp`
+24. `special_public_inputs/special_public_inputs.hpp`
+25. `stdlib/primitives/public_input_component/public_input_component.hpp`
 
 ### Flavor
-27. `flavor/multilinear_batching_flavor.hpp`
-28. `flavor/multilinear_batching_flavor.cpp`
-29. `flavor/multilinear_batching_recursive_flavor.hpp`
+26. `flavor/multilinear_batching_flavor.hpp`
+27. `flavor/multilinear_batching_flavor.cpp`
+28. `flavor/multilinear_batching_recursive_flavor.hpp`
 
 ### Databus
-30. `stdlib/primitives/databus/databus.hpp`
-31. `stdlib/primitives/databus/databus.cpp`
-32. `dsl/acir_format/block_constraint.cpp` (only the databus parts: `CallData`/`ReturnData` handling. The RAM/ROM parts are covered by the RAM/ROM audit scope.)
+29. `stdlib/primitives/databus/databus.hpp`
+30. `stdlib/primitives/databus/databus.cpp`
+31. `dsl/acir_format/block_constraint.cpp` (only the databus parts: `CallData`/`ReturnData` handling. The RAM/ROM parts are covered by the RAM/ROM audit scope.)
 
 ### ACIR Integration
-33. `dsl/acir_format/hypernova_recursion_constraint.hpp`
-34. `dsl/acir_format/hypernova_recursion_constraint.cpp`
-35. `dsl/acir_format/recursion_constraint.cpp` (only `process_hn_recursion_constraints()` method)
-36. `dsl/acir_format/recursion_constraint.cpp`
+32. `dsl/acir_format/hypernova_recursion_constraint.hpp`
+33. `dsl/acir_format/hypernova_recursion_constraint.cpp`
+34. `dsl/acir_format/recursion_constraint.cpp` (only `process_hn_recursion_constraints()` method)
+35. `dsl/acir_format/chonk_recursion_constraints.hpp`
+36. `dsl/acir_format/chonk_recursion_constraints.cpp`
 ---
 
 ## Critical Files
@@ -112,6 +112,6 @@ Note: Paths relative to `aztec-packages/barretenberg/cpp/src/barretenberg`
 
 | Component | Documentation | Key Topics |
 |-----------|--------------|------------|
-| **Chonk** | [README.md](README.md) | HyperNova folding, multilinear batching, databus, proof structure, verification architecture, soundness mechanisms |
+| **Chonk** | [chonk/README.md](../../../src/barretenberg/chonk/README.md) | HyperNova folding, multilinear batching, databus, proof structure, batched verification architecture, soundness mechanisms |
 | **Merge Protocol** | [MERGE_PROTOCOL.md](../goblin/MERGE_PROTOCOL.md) | Concatenation identities, degree bounds, PREPEND/APPEND modes, Chonk integration |
 | **Transcripts** | [transcript/README.md](../transcript/README.md) | Manifest structure, transcript isolation, origin tags, VK binding |

barretenberg/cpp/scripts/audit/audit_scopes/sumcheck_pcs_chonk_verifier_audit_scope.md

@@ -63,15 +63,21 @@ Note: Paths relative to `aztec-packages/barretenberg/cpp/src/barretenberg`
 42. `chonk/chonk_verifier.hpp`
 43. `chonk/chonk_verifier.cpp`
 
+### Batched Honk + Translator (Joint MegaZK + Translator Sumcheck/PCS)
+44. `chonk/batched_honk_translator/batched_honk_translator_prover.hpp`
+45. `chonk/batched_honk_translator/batched_honk_translator_prover.cpp`
+46. `chonk/batched_honk_translator/batched_honk_translator_verifier.hpp`
+47. `chonk/batched_honk_translator/batched_honk_translator_verifier.cpp`
+
 ### In-Circuit (Recursive) Verifier Components
-44. `stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp`
-45. `stdlib/eccvm_verifier/verifier_commitment_key.hpp`
-46. `stdlib/translator_vm_verifier/translator_recursive_flavor.hpp`
-47. `stdlib/honk_verifier/ipa_accumulator.hpp`
-48. `stdlib/honk_verifier/ultra_verification_keys_comparator.hpp`
+48. `stdlib/eccvm_verifier/eccvm_recursive_flavor.hpp`
+49. `stdlib/eccvm_verifier/verifier_commitment_key.hpp`
+50. `stdlib/translator_vm_verifier/translator_recursive_flavor.hpp`
+51. `stdlib/honk_verifier/ipa_accumulator.hpp`
+52. `stdlib/honk_verifier/ultra_verification_keys_comparator.hpp`
 
 ### Supporting Types
-49. `goblin/types.hpp`
+53. `goblin/types.hpp`
 
 ---
 
@@ -102,7 +108,9 @@ Note: Paths relative to `aztec-packages/barretenberg/cpp/src/barretenberg`
 | File | Description |
 |------|-------------|
 | `chonk/chonk_verifier.test.cpp` | Native and recursive verifier correctness |
+| `chonk/chonk_batch_verifier.test.cpp` | Batch Chonk verification with IPA batching |
 | `chonk/chonk_transcript_invariants.test.cpp` | Transcript consistency, tampering detection |
+| `chonk/batched_honk_translator/batched_honk_translator.test.cpp` | Joint MegaZK+Translator: ProveAndVerify, ProofSize, ManifestConsistency |
 | `goblin/goblin_verifier.test.cpp` | Goblin verifier tests |
 | `goblin/merge.test.cpp` | Merge protocol correctness, transcript pinning |
 | `eccvm/eccvm.test.cpp` | ECCVM prover/verifier tests |
@@ -155,3 +163,4 @@ Note: Paths relative to `aztec-packages/barretenberg/cpp/src/barretenberg`
 - `commitment_schemes/kzg/README.md` - KZG commitment scheme
 - `commitment_schemes/small_subgroup_ipa/README.md` - SmallSubgroupIPA documentation
 - `chonk/README.md` - Chonk architecture and verification flow
+- `chonk/batched_honk_translator/README.md` - Joint MegaZK + Translator sumcheck/PCS protocol

barretenberg/cpp/scripts/test_chonk_standalone_vks_havent_changed.sh

@@ -16,7 +16,7 @@ script_path="$root/barretenberg/cpp/scripts/test_chonk_standalone_vks_havent_cha
 # - Generate a hash for versioning: sha256sum bb-chonk-inputs.tar.gz
 # - Upload the compressed results: aws s3 cp bb-chonk-inputs.tar.gz s3://aztec-ci-artifacts/protocol/bb-chonk-inputs-[hash(0:8)].tar.gz
 # Note: In case of the "Test suite failed to run ... Unexpected token 'with' " error, need to run: docker pull aztecprotocol/build:3.0
-pinned_short_hash="b99f5b94"
+pinned_short_hash="831712f6"
 pinned_chonk_inputs_url="https://aztec-ci-artifacts.s3.us-east-2.amazonaws.com/protocol/bb-chonk-inputs-${pinned_short_hash}.tar.gz"
 
 function update_pinned_hash_in_script {

barretenberg/cpp/src/barretenberg/chonk/README.md

@@ -74,40 +74,54 @@ App₀ → Kernel₀ → App₁ → Kernel₁ → ... → Appₙ → Reset → T
 
 ### Proof Structure
 
-A Chonk proof (`ChonkProof_<IsRecursive>`) is a unified template structure that works for both native and recursive verification modes:
+A Chonk proof (`ChonkProof_<IsRecursive>`) contains five segments produced on a shared Fiat-Shamir transcript:
 
 ```cpp
 template <bool IsRecursive>
 struct ChonkProof_ {
-    HonkProof mega_proof;      // MegaZK proof of Hiding kernel
-    GoblinProof goblin_proof;  // Goblin sub-proofs
+    HonkProof hiding_oink_proof; // MegaZK Oink (pre-sumcheck commitments for the hiding kernel)
+    HonkProof merge_proof;       // Merge proof for hiding kernel's ECC op subtable
+    HonkProof eccvm_proof;       // ECCVM proof
+    HonkProof ipa_proof;         // IPA opening proof (separate transcript)
+    HonkProof joint_proof;       // Translator Oink + joint sumcheck + joint PCS
 };
 ```
 
 **Proof components:**
 
-1. **Mega proof** (MegaZK): ZK proof of the Hiding kernel which recursively verifies:
-   - The final HyperNova folding proof
-   - The decider proof
+1. **Hiding Oink proof**: Pre-sumcheck phase of the hiding kernel's MegaZK circuit (wire commitments, permutation grand products, relation parameters). Produces the `HidingKernelIO` public inputs.
 
-2. **Goblin proof**: Contains sub-proofs for efficient EC operations:
-   - **Merge proof**: Proves correct merging of op queue tables
-   - **ECCVM proof**: Proves correctness of EC operations (see [ECCVM README](../eccvm/README.md))
-   - **IPA proof**: Inner product argument for ECCVM (Grumpkin curve)
-   - **Translator proof**: Converts between BN254 and Grumpkin curves
+2. **Merge proof**: Proves correct APPEND-mode merging of the hiding kernel's ECC op subtable into the global op queue.
+
+3. **ECCVM proof**: Proves correctness of all accumulated EC operations on the Grumpkin curve. Produces translation parameters (`evaluation_input_x`, `batching_challenge_v`, `accumulated_result`) used by the translator. See [ECCVM README](../eccvm/README.md).
+
+4. **IPA proof**: Inner product argument opening proof for the ECCVM (Grumpkin curve, separate transcript).
+
+5. **Joint proof**: The translator's Oink phase followed by a **joint sumcheck and joint PCS** that batches the MegaZK hiding kernel and translator circuits together. The joint sumcheck runs for 17 rounds (the translator's fixed circuit size); the MegaZK circuit contributes via extension-by-zero for virtual rounds beyond its own `log_n`. A single Shplemini/KZG reduction covers polynomial openings from both circuits. See [Batched Honk + Translator README](batched_honk_translator/README.md) for the full protocol.
+
+**Key optimization**: By batching the MegaZK and translator sumcheck+PCS into a single joint protocol, the proof avoids two independent Honk proofs and reduces overall proof size.
 
 **Verification Architecture:**
 
-The Chonk verifier performs verification in stages:
-1. **MegaZK reduction**: Uses `MegaZKVerifier::reduce_to_pairing_check` to verify Hiding kernel
-2. **Goblin reduction**: Reduces Merge, ECCVM, and Translator to pairing checks and IPA verification
-3. **Pairing aggregation**: Aggregates 4 pairing point sets in a single operation using `aggregate_multiple`:
-   - Public Input (PI) pairing points from MegaZK
-   - Polynomial Commitment Scheme (PCS) pairing points from MegaZK
+The Chonk verifier performs verification on a shared transcript:
+
+```
+MegaZK Oink → Merge → ECCVM → Translator Oink + Joint Sumcheck + Joint PCS → Pairing Check
+```
+
+Concretely (`ChonkVerifier::reduce_to_ipa_claim` / `ChonkVerifier::verify`):
+
+1. **MegaZK Oink verification**: `BatchedHonkTranslatorVerifier::verify_mega_zk_oink` processes the hiding kernel's pre-sumcheck proof and extracts `HidingKernelIO` (pairing points, calldata commitment, ECC op wire commitments)
+2. **Databus consistency check**: Asserts the hiding kernel's calldata commitment equals its `kernel_return_data` commitment
+3. **Merge verification**: Verifies the hiding kernel's APPEND-mode merge proof using the ECC op wire commitments from step 1 and `ecc_op_tables` from `HidingKernelIO`
+4. **ECCVM verification**: Reduces to an IPA opening claim; extracts translator input parameters (`v`, `x`, `accumulated_result`)
+5. **Joint verification**: `BatchedHonkTranslatorVerifier::verify` processes the translator Oink, runs the 17-round joint sumcheck, and performs the joint Shplemini/KZG PCS reduction
+6. **Pairing aggregation**: Aggregates 3 pairing point sets using `aggregate_multiple`:
+   - Public Input (PI) pairing points from `HidingKernelIO`
    - Merge protocol pairing points
-   - Translator protocol pairing points
-4. **Native mode**: Immediately verifies aggregated pairing points and IPA claim
-5. **Recursive mode**: Returns `ChonkVerifier::ReductionResult` with aggregated pairing points and IPA claim for deferred verification
+   - Batched PCS pairing points (covering both MegaZK and translator polynomials)
+7. **Native mode**: Immediately verifies aggregated pairing points and IPA claim
+8. **Recursive mode**: Returns `ChonkVerifier::ReductionResult` with aggregated pairing points and IPA claim for deferred verification
 
 **Note on deferred verification**: IPA claims and pairing points are propagated through the rollup:
 - **IPA claims** (Grumpkin): originate from ECCVM verification when Chonk or AVM proofs are recursively verified. Carried in `RollupIO` public inputs through tx_merge → block_merge → checkpoint_root → checkpoint_merge. At each level, claims from child proofs are accumulated via `IPA::accumulate`. Finally verified **in-circuit in the root rollup** via `IPA::full_verify_recursive`.
@@ -219,6 +233,16 @@ Goblin handles non-native EC operations by deferring them to an op queue, then p
 - **ECCVM**: Proves EC operations on the Grumpkin curve (see [ECCVM README](../eccvm/README.md))
 - **Translator**: Bridges BN254 ↔ Grumpkin field elements
 
+### Batched Honk + Translator
+
+`BatchedHonkTranslatorProver`/`BatchedHonkTranslatorVerifier` implement the joint proving and verification of the MegaZK hiding kernel and translator circuits. Both circuits operate over BN254 scalars, so their sumcheck and polynomial openings can be combined into a single protocol. This eliminates two independent Honk proofs and reduces proof size.
+
+The protocol has two phases separated by Merge + ECCVM verification:
+- **Phase 1 (MegaZK Oink)**: Pre-sumcheck commitments for the hiding kernel
+- **Phase 2 (Joint)**: Translator Oink + 17-round joint sumcheck + single Shplemini/KZG PCS
+
+See [Batched Honk + Translator README](batched_honk_translator/README.md) for the full protocol specification including the joint round univariate, extension-by-zero, and repeated commitments optimization.
+
 ### Merge Protocol
 
 Each circuit produces a subtable of ECC operations that must be merged into the global op queue. The Merge protocol proves this was done correctly. See [MERGE_PROTOCOL.md](../goblin/MERGE_PROTOCOL.md) for full details including the degree check and ZK analysis.
@@ -355,7 +379,7 @@ There are two verification paths:
    - `PrivateTxBaseRollup`: For private-only txs - verifies Chonk proof + processes tx (updates trees, validates fees, etc.)
    - `PublicChonkVerifier`: For public txs - verifies Chonk proof in parallel with AVM verification
 
-Both verify: the hiding kernel's MegaZK proof + Goblin proof (merge, ECCVM, translator).
+Both verify the Chonk proof: MegaZK Oink + Merge + ECCVM + joint Translator/MegaZK sumcheck+PCS (+ IPA).
 Output: `PrivateToRollupKernelCircuitPublicInputs` consumed by the rollup.
 
 ---
@@ -366,13 +390,11 @@ A Chonk proof must reveal nothing about the private execution. ZK is achieved th
 
 ### Proof-Level ZK
 
-1. **Hiding kernel proof** (verified server-side): Uses MegaZKFlavor with:
-   - ZK Sumcheck (Libra masking polynomials)
-   - ZK Shplemini (gemini masking polynomial)
-
-2. **ECCVM proof**: Also ZK via ZK Sumcheck and ZK Shplemini
+1. **Joint MegaZK + Translator proof**: The hiding kernel (MegaZKFlavor) and translator circuits are batched into a single joint sumcheck and PCS. ZK is achieved via:
+   - ZK Sumcheck with a joint Libra masking polynomial covering both circuits
+   - ZK Shplemini with a gemini masking polynomial for the joint PCS reduction
 
-3. **Translator proof**: ZK via the same mechanisms
+2. **ECCVM proof**: ZK via committed sumcheck and ZK Shplemini
 
 ### Op Queue Hiding
 
@@ -623,7 +645,7 @@ Transcripts are shared to ensure Fiat-Shamir challenge binding - challenges in l
    - The decider proof (after tail kernel) also continues this transcript
 
 2. **Final proof transcript**:
-   - Shared across: Hiding kernel MegaZK proof, Merge proof, ECCVM proof, Translator proof
+   - Shared across: MegaZK Oink, Merge proof, ECCVM proof, Translator Oink + Joint sumcheck + Joint PCS
    - This is the transcript serialized into the Chonk proof
 
 **Verifier-side transcript matching**: The recursive verifier in kernel $K_{i+1}$ reconstructs the same transcript state by processing the same proof elements in the same order, ensuring challenges match.
@@ -860,12 +882,14 @@ merge_commitments.T_prev_commitments = std::move(kernel_input.ecc_op_tables);
 
 **Step 5: Chonk verifier extracts [M_tail] from hiding kernel**
 ```cpp
-auto [mega_verified, kernel_return_data, T_prev_commitments] =
-    verifier.template verify_proof<bb::HidingKernelIO>(proof.mega_proof);
+auto oink_result = batched_verifier.verify_mega_zk_oink(proof.hiding_oink_proof);
+HidingKernelIO kernel_io;
+kernel_io.reconstruct_from_public(oink_result.public_inputs);
+// kernel_io.ecc_op_tables contains [M_tail]
 ```
-- Verifies hiding kernel's MegaZK proof (including its public inputs)
-- Extracts `T_prev_commitments` = $[M_{tail}]$ from `HidingKernelIO` public inputs
-- MegaZK verification ensures `T_prev_commitments` is bound to hiding kernel's proof
+- Verifies hiding kernel's MegaZK Oink proof (including its public inputs)
+- Extracts `ecc_op_tables` = $[M_{tail}]$ from `HidingKernelIO` public inputs
+- MegaZK verification (completed by the joint sumcheck+PCS) ensures `ecc_op_tables` is bound to the hiding kernel's proof
 
 **Step 6: Final merge (APPEND mode) - merges hiding kernel's ops with constant shift size**
 

barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini.hpp

@@ -75,9 +75,12 @@ namespace gemini {
  */
 template <class Fr> inline std::vector<Fr> powers_of_rho(const Fr& rho, const size_t num_powers)
 {
-    std::vector<Fr> rhos = { Fr(1), rho };
+    std::vector<Fr> rhos;
     rhos.reserve(num_powers);
-    for (size_t j = 2; j < num_powers; j++) {
+    if (num_powers >= 1) {
+        rhos.emplace_back(Fr(1));
+    }
+    for (size_t j = 1; j < num_powers; j++) {
         rhos.emplace_back(rhos[j - 1] * rho);
     }
     return rhos;
@@ -250,14 +253,12 @@ template <typename Curve> class GeminiProver_ {
 
             Fr r_inv = r_challenge.invert();
             if (has_to_be_shifted_by_one()) {
-                batched_to_be_shifted_by_one *= r_inv;
-                A_0_pos += batched_to_be_shifted_by_one;
-                A_0_neg -= batched_to_be_shifted_by_one;
+                A_0_pos.add_scaled(batched_to_be_shifted_by_one, r_inv);
+                A_0_neg.add_scaled(batched_to_be_shifted_by_one, -r_inv);
             }
             if (!batched_shifted_tail_.is_empty()) {
-                batched_shifted_tail_ *= r_inv;
-                A_0_pos += batched_shifted_tail_;
-                A_0_neg -= batched_shifted_tail_;
+                A_0_pos.add_scaled(batched_shifted_tail_, r_inv);
+                A_0_neg.add_scaled(batched_shifted_tail_, -r_inv);
             }
 
             return { A_0_pos, A_0_neg };

barretenberg/cpp/src/barretenberg/commitment_schemes/gemini/gemini_impl.hpp

@@ -111,6 +111,7 @@ std::vector<typename GeminiProver_<Curve>::Polynomial> GeminiProver_<Curve>::com
     const size_t log_n, std::span<const Fr> multilinear_challenge, const Polynomial& A_0, const bool& has_zk)
 {
     BB_BENCH_NAME("Gemini::compute_fold_polynomials");
+    BB_ASSERT_GTE(log_n, size_t(2), "Gemini folding requires at least 4-element polynomials");
     const size_t virtual_log_n = multilinear_challenge.size();
 
     // Cost per iteration: 1 subtraction + 1 multiplication + 1 addition

barretenberg/cpp/src/barretenberg/commitment_schemes/ipa/ipa.hpp

@@ -575,14 +575,14 @@ template <typename Curve_, size_t log_poly_length = CONST_ECCVM_LOG_N> class IPA
 
         // Step 6.
         // Receive a_zero from the prover
-        const auto a_zero = transcript->template receive_from_prover<Fr>("IPA:a_0");
+        auto a_zero = transcript->template receive_from_prover<Fr>("IPA:a_0");
 
         // OriginTag false positive: G_zero and a_zero are fully determined once all round challenges are fixed - the
         // prover must send the correct values or the final relation check fails.
         if constexpr (Curve::is_stdlib_type) {
             const auto last_round_tag = round_challenges.back().get_origin_tag();
             G_zero.set_origin_tag(last_round_tag);
-            const_cast<Fr&>(a_zero).set_origin_tag(last_round_tag);
+            a_zero.set_origin_tag(last_round_tag);
         }
 
         // Step 7.