From 8dfebe4990195224dc162c9d98137040b30cfab2 Mon Sep 17 00:00:00 2001
From: Maddiaa <47148561+Maddiaa0@users.noreply.github.com>
Date: Mon, 22 Jul 2024 18:45:30 +0100
Subject: [PATCH] feat: solidity honk verifier (#5485)

This PR introduces a Honk Verifier for 3 different types of circuit.
- The logic in each circuit is duplicated as (at the time of writing)
solidity does not allow for generic data structures, so as the constants
(LOG_N) are different, then each transcript needs to compile with a new
log_n value.
- In follow up prs i will adjust the tests to run against acir
artifacts, where we will codegen the verifier, so i can remove all but
the basic case in this test suite

Note: this is not an optimal impl, that will follow

As this uses padded proofs, in which N is 2^28, the proof verification
cost has shot up to 1 793 675.
---
 .../commitment_schemes/kzg/kzg.hpp            |    7 +-
 .../zeromorph/zeromorph.hpp                   |    6 +-
 .../execution_trace/execution_trace.cpp       |    2 +
 .../cpp/src/barretenberg/flavor/flavor.hpp    |   11 +-
 .../solidity_helpers/CMakeLists.txt           |   18 +-
 .../circuits/ecdsa_circuit.hpp                |    6 +-
 .../solidity_helpers/honk_key_gen.cpp         |   90 +
 .../solidity_helpers/honk_proof_gen.cpp       |  105 ++
 .../solidity_helpers/honk_sol_gen.hpp         |  112 ++
 .../barretenberg/solidity_helpers/key_gen.cpp |   14 +-
 .../circuit_builders/circuit_builders_fwd.hpp |    2 +
 .../ultra_circuit_builder.hpp                 |    2 +
 .../stdlib_circuit_builders/ultra_flavor.hpp  |    1 +
 .../stdlib_circuit_builders/ultra_keccak.hpp  |  738 +++++++++
 .../sumcheck/instance/prover_instance.cpp     |    1 +
 .../sumcheck/instance/prover_instance.hpp     |    1 +
 .../barretenberg/transcript/transcript.hpp    |   65 +-
 .../ultra_honk/decider_prover.cpp             |    1 +
 .../barretenberg/ultra_honk/oink_prover.cpp   |    1 +
 .../barretenberg/ultra_honk/oink_prover.hpp   |    1 +
 .../barretenberg/ultra_honk/oink_verifier.cpp |    1 +
 .../barretenberg/ultra_honk/oink_verifier.hpp |    1 +
 .../barretenberg/ultra_honk/ultra_prover.cpp  |    1 +
 .../barretenberg/ultra_honk/ultra_prover.hpp  |    1 +
 .../ultra_honk/ultra_verifier.cpp             |    1 +
 .../ultra_honk/ultra_verifier.hpp             |    1 +
 barretenberg/sol/foundry.toml                 |    3 +
 barretenberg/sol/scripts/init_honk.sh         |   11 +
 barretenberg/sol/scripts/run_fuzzer.sh        |    9 +-
 barretenberg/sol/src/honk/Fr.sol              |  116 ++
 barretenberg/sol/src/honk/HonkTypes.sol       |  140 ++
 barretenberg/sol/src/honk/HonkVerifier.sol    | 1217 ++++++++++++++
 barretenberg/sol/src/honk/Transcript.sol      |  218 +++
 .../sol/src/honk/instance/Add2Honk.sol        | 1448 +++++++++++++++++
 .../sol/src/honk/instance/BlakeHonk.sol       | 1445 ++++++++++++++++
 .../sol/src/honk/instance/EcdsaHonk.sol       | 1445 ++++++++++++++++
 .../src/honk/keys/Add2HonkVerificationKey.sol |  121 ++
 .../honk/keys/BlakeHonkVerificationKey.sol    |  120 ++
 .../honk/keys/EcdsaHonkVerificationKey.sol    |  120 ++
 barretenberg/sol/src/honk/utils.sol           |  102 ++
 .../sol/src/ultra/BaseUltraVerifier.sol       |   24 +-
 .../ultra/keys/Add2UltraVerificationKey.sol   |   20 +-
 .../ultra/keys/BlakeUltraVerificationKey.sol  |   72 +-
 .../ultra/keys/EcdsaUltraVerificationKey.sol  |   76 +-
 .../keys/RecursiveUltraVerificationKey.sol    |   80 +-
 .../sol/test/base/DifferentialFuzzer.sol      |    6 +-
 barretenberg/sol/test/base/TestBase.sol       |   49 +-
 barretenberg/sol/test/honk/Add2.t.sol         |   46 +
 barretenberg/sol/test/honk/Blake.t.sol        |   48 +
 barretenberg/sol/test/honk/ECDSA.t.sol        |   49 +
 barretenberg/sol/test/honk/TestBaseHonk.sol   |   26 +
 barretenberg/sol/test/ultra/TestBaseUltra.sol |    1 -
 52 files changed, 8038 insertions(+), 164 deletions(-)
 create mode 100644 barretenberg/cpp/src/barretenberg/solidity_helpers/honk_key_gen.cpp
 create mode 100644 barretenberg/cpp/src/barretenberg/solidity_helpers/honk_proof_gen.cpp
 create mode 100644 barretenberg/cpp/src/barretenberg/solidity_helpers/honk_sol_gen.hpp
 create mode 100644 barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak.hpp
 create mode 100755 barretenberg/sol/scripts/init_honk.sh
 create mode 100644 barretenberg/sol/src/honk/Fr.sol
 create mode 100644 barretenberg/sol/src/honk/HonkTypes.sol
 create mode 100644 barretenberg/sol/src/honk/HonkVerifier.sol
 create mode 100644 barretenberg/sol/src/honk/Transcript.sol
 create mode 100644 barretenberg/sol/src/honk/instance/Add2Honk.sol
 create mode 100644 barretenberg/sol/src/honk/instance/BlakeHonk.sol
 create mode 100644 barretenberg/sol/src/honk/instance/EcdsaHonk.sol
 create mode 100644 barretenberg/sol/src/honk/keys/Add2HonkVerificationKey.sol
 create mode 100644 barretenberg/sol/src/honk/keys/BlakeHonkVerificationKey.sol
 create mode 100644 barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol
 create mode 100644 barretenberg/sol/src/honk/utils.sol
 create mode 100644 barretenberg/sol/test/honk/Add2.t.sol
 create mode 100644 barretenberg/sol/test/honk/Blake.t.sol
 create mode 100644 barretenberg/sol/test/honk/ECDSA.t.sol
 create mode 100644 barretenberg/sol/test/honk/TestBaseHonk.sol

diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.hpp
index a067b224fc6..1c403dc22cc 100644
--- a/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.hpp
+++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/kzg/kzg.hpp
@@ -30,9 +30,10 @@ template <typename Curve_> class KZG {
      * computed
      * @param prover_transcript Prover transcript
      */
+    template <typename Transcript>
     static void compute_opening_proof(std::shared_ptr<CK> ck,
                                       const ProverOpeningClaim<Curve>& opening_claim,
-                                      const std::shared_ptr<NativeTranscript>& prover_trancript)
+                                      const std::shared_ptr<Transcript>& prover_trancript)
     {
         Polynomial quotient = opening_claim.polynomial;
         OpeningPair<Curve> pair = opening_claim.opening_pair;
@@ -56,7 +57,9 @@ template <typename Curve_> class KZG {
      *      - P₀ = C − v⋅[1]₁ + r⋅[W(x)]₁
      *      - P₁ = [W(x)]₁
      */
-    static VerifierAccumulator reduce_verify(const OpeningClaim<Curve>& claim, const auto& verifier_transcript)
+    template <typename Transcript>
+    static VerifierAccumulator reduce_verify(const OpeningClaim<Curve>& claim,
+                                             const std::shared_ptr<Transcript>& verifier_transcript)
     {
         auto quotient_commitment = verifier_transcript->template receive_from_prover<Commitment>("KZG:W");
 
diff --git a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp
index 07efea29451..4f66c019c89 100644
--- a/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp
+++ b/barretenberg/cpp/src/barretenberg/commitment_schemes/zeromorph/zeromorph.hpp
@@ -322,6 +322,7 @@ template <typename Curve> class ZeroMorphProver_ {
      *
      * @todo https://github.com/AztecProtocol/barretenberg/issues/1030: document concatenation trick
      */
+    template <typename Transcript>
     static OpeningClaim prove(FF circuit_size,
                               RefSpan<Polynomial> f_polynomials,
                               RefSpan<Polynomial> g_polynomials,
@@ -329,7 +330,7 @@ template <typename Curve> class ZeroMorphProver_ {
                               RefSpan<FF> g_shift_evaluations,
                               std::span<FF> multilinear_challenge,
                               const std::shared_ptr<CommitmentKey<Curve>>& commitment_key,
-                              const std::shared_ptr<NativeTranscript>& transcript,
+                              const std::shared_ptr<Transcript>& transcript,
                               RefSpan<Polynomial> concatenated_polynomials = {},
                               RefSpan<FF> concatenated_evaluations = {},
                               const std::vector<RefVector<Polynomial>>& concatenation_groups = {})
@@ -725,6 +726,7 @@ template <typename Curve> class ZeroMorphVerifier_ {
      * @param transcript
      * @return VerifierAccumulator Inputs to the final PCS verification check that will be accumulated
      */
+    template <typename Transcript>
     static OpeningClaim<Curve> verify(FF circuit_size,
                                       RefSpan<Commitment> unshifted_commitments,
                                       RefSpan<Commitment> to_be_shifted_commitments,
@@ -732,7 +734,7 @@ template <typename Curve> class ZeroMorphVerifier_ {
                                       RefSpan<FF> shifted_evaluations,
                                       std::span<FF> multivariate_challenge,
                                       const Commitment& g1_identity,
-                                      auto& transcript,
+                                      const std::shared_ptr<Transcript>& transcript,
                                       const std::vector<RefVector<Commitment>>& concatenation_group_commitments = {},
                                       RefSpan<FF> concatenated_evaluations = {})
     {
diff --git a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp
index da72fd56703..3da86e2331e 100644
--- a/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp
+++ b/barretenberg/cpp/src/barretenberg/execution_trace/execution_trace.cpp
@@ -3,6 +3,7 @@
 #include "barretenberg/plonk/proof_system/proving_key/proving_key.hpp"
 #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp"
 #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp"
+#include "barretenberg/stdlib_circuit_builders/ultra_keccak.hpp"
 namespace bb {
 
 template <class Flavor>
@@ -162,6 +163,7 @@ void ExecutionTrace_<Flavor>::add_ecc_op_wires_to_proving_key(Builder& builder,
 }
 
 template class ExecutionTrace_<UltraFlavor>;
+template class ExecutionTrace_<UltraKeccakFlavor>;
 template class ExecutionTrace_<MegaFlavor>;
 template class ExecutionTrace_<plonk::flavor::Standard>;
 template class ExecutionTrace_<plonk::flavor::Ultra>;
diff --git a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp
index 0059b7e166f..6658ed78db7 100644
--- a/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp
+++ b/barretenberg/cpp/src/barretenberg/flavor/flavor.hpp
@@ -355,6 +355,7 @@ template <typename Tuple, std::size_t Index = 0> static constexpr auto create_tu
 namespace bb {
 class UltraFlavor;
 class ECCVMFlavor;
+class UltraKeccakFlavor;
 class MegaFlavor;
 class TranslatorFlavor;
 template <typename BuilderType> class UltraRecursiveFlavor_;
@@ -383,16 +384,16 @@ template <typename T>
 concept IsPlonkFlavor = IsAnyOf<T, plonk::flavor::Standard, plonk::flavor::Ultra>;
 
 template <typename T>
-concept IsUltraPlonkFlavor = IsAnyOf<T, plonk::flavor::Ultra>;
+concept IsUltraPlonkFlavor = IsAnyOf<T, plonk::flavor::Ultra, UltraKeccakFlavor>;
 
 template <typename T> 
-concept IsUltraPlonkOrHonk = IsAnyOf<T, plonk::flavor::Ultra, UltraFlavor, MegaFlavor>;
+concept IsUltraPlonkOrHonk = IsAnyOf<T, plonk::flavor::Ultra, UltraFlavor, UltraKeccakFlavor, MegaFlavor>;
 
 template <typename T> 
-concept IsHonkFlavor = IsAnyOf<T, UltraFlavor, MegaFlavor>;
+concept IsHonkFlavor = IsAnyOf<T, UltraFlavor, UltraKeccakFlavor, MegaFlavor>;
 
 template <typename T> 
-concept IsUltraFlavor = IsAnyOf<T, UltraFlavor, MegaFlavor>;
+concept IsUltraFlavor = IsAnyOf<T, UltraFlavor, UltraKeccakFlavor, MegaFlavor>;
 
 template <typename T> 
 concept IsGoblinFlavor = IsAnyOf<T, MegaFlavor,
@@ -417,6 +418,8 @@ template <typename T> concept IsECCVMRecursiveFlavor = IsAnyOf<T, ECCVMRecursive
 template <typename T> concept IsGrumpkinFlavor = IsAnyOf<T, ECCVMFlavor>;
 
 template <typename T> concept IsFoldingFlavor = IsAnyOf<T, UltraFlavor, 
+                                                           // Note(md): must be here to use oink prover
+                                                           UltraKeccakFlavor,
                                                            MegaFlavor, 
                                                            UltraRecursiveFlavor_<UltraCircuitBuilder>, 
                                                            UltraRecursiveFlavor_<MegaCircuitBuilder>, 
diff --git a/barretenberg/cpp/src/barretenberg/solidity_helpers/CMakeLists.txt b/barretenberg/cpp/src/barretenberg/solidity_helpers/CMakeLists.txt
index 8c7c91633b8..7b91d9c40c4 100644
--- a/barretenberg/cpp/src/barretenberg/solidity_helpers/CMakeLists.txt
+++ b/barretenberg/cpp/src/barretenberg/solidity_helpers/CMakeLists.txt
@@ -1,6 +1,22 @@
-barretenberg_module(stdlib_solidity_helpers stdlib_sha256 stdlib_blake3s stdlib_blake2s stdlib_pedersen_commitment plonk)
+barretenberg_module(stdlib_solidity_helpers ultra_honk stdlib_sha256 stdlib_blake3s stdlib_blake2s stdlib_pedersen_commitment plonk)
 
 if (NOT(FUZZING))
+  # Honk
+  add_executable(honk_solidity_key_gen honk_key_gen.cpp)
+
+  target_link_libraries(
+    honk_solidity_key_gen 
+    stdlib_solidity_helpers
+  )
+
+  add_executable(honk_solidity_proof_gen honk_proof_gen.cpp)
+
+  target_link_libraries(
+    honk_solidity_proof_gen 
+    stdlib_solidity_helpers
+  )
+
+  # Plonk
   add_executable(solidity_key_gen key_gen.cpp)
 
   add_executable(solidity_proof_gen proof_gen.cpp)
diff --git a/barretenberg/cpp/src/barretenberg/solidity_helpers/circuits/ecdsa_circuit.hpp b/barretenberg/cpp/src/barretenberg/solidity_helpers/circuits/ecdsa_circuit.hpp
index a8001611fc5..92bbd07f99f 100644
--- a/barretenberg/cpp/src/barretenberg/solidity_helpers/circuits/ecdsa_circuit.hpp
+++ b/barretenberg/cpp/src/barretenberg/solidity_helpers/circuits/ecdsa_circuit.hpp
@@ -12,6 +12,8 @@
 #include "barretenberg/stdlib/primitives/field/field.hpp"
 #include "barretenberg/stdlib/primitives/witness/witness.hpp"
 
+namespace bb {
+
 template <typename Builder> class EcdsaCircuit {
   public:
     using field_ct = stdlib::field_t<Builder>;
@@ -89,4 +91,6 @@ template <typename Builder> class EcdsaCircuit {
 
         return builder;
     }
-};
\ No newline at end of file
+};
+
+} // namespace bb
\ No newline at end of file
diff --git a/barretenberg/cpp/src/barretenberg/solidity_helpers/honk_key_gen.cpp b/barretenberg/cpp/src/barretenberg/solidity_helpers/honk_key_gen.cpp
new file mode 100644
index 00000000000..a225e6ec262
--- /dev/null
+++ b/barretenberg/cpp/src/barretenberg/solidity_helpers/honk_key_gen.cpp
@@ -0,0 +1,90 @@
+
+#include <iostream>
+#include <memory>
+
+#include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp"
+#include "barretenberg/ultra_honk/ultra_prover.hpp"
+#include "barretenberg/ultra_honk/ultra_verifier.hpp"
+
+#include "./honk_sol_gen.hpp"
+
+#include "circuits/add_2_circuit.hpp"
+#include "circuits/blake_circuit.hpp"
+#include "circuits/ecdsa_circuit.hpp"
+
+using namespace bb;
+
+using ProverInstance = ProverInstance_<UltraKeccakFlavor>;
+using VerificationKey = UltraKeccakFlavor::VerificationKey;
+
+template <template <typename> typename Circuit>
+void generate_keys_honk(std::string output_path, std::string flavour_prefix, std::string circuit_name)
+{
+    uint256_t public_inputs[4] = { 0, 0, 0, 0 };
+    UltraCircuitBuilder builder = Circuit<UltraCircuitBuilder>::generate(public_inputs);
+
+    auto instance = std::make_shared<ProverInstance>(builder);
+    UltraKeccakProver prover(instance);
+    auto verification_key = std::make_shared<VerificationKey>(instance->proving_key);
+
+    // Make verification key file upper case
+    circuit_name.at(0) = static_cast<char>(std::toupper(static_cast<unsigned char>(circuit_name.at(0))));
+    flavour_prefix.at(0) = static_cast<char>(std::toupper(static_cast<unsigned char>(flavour_prefix.at(0))));
+
+    std::string vk_class_name = circuit_name + flavour_prefix + "VerificationKey";
+    std::string base_class_name = "Base" + flavour_prefix + "Verifier";
+    std::string instance_class_name = circuit_name + flavour_prefix + "Verifier";
+
+    {
+        auto vk_filename = output_path + "/keys/" + vk_class_name + ".sol";
+        std::ofstream os(vk_filename);
+        bb::output_vk_sol_ultra_honk(os, verification_key, vk_class_name);
+        info("VK contract written to: ", vk_filename);
+    }
+}
+
+/*
+ * @brief Main entry point for the verification key generator
+ *
+ * 1. project_root_path: path to the solidity project root
+ * 2. srs_path: path to the srs db
+ */
+int main(int argc, char** argv)
+{
+    std::vector<std::string> args(argv, argv + argc);
+
+    if (args.size() < 5) {
+        info("usage: ", args[0], "[plonk flavour] [circuit flavour] [output path] [srs path]");
+        return 1;
+    }
+
+    const std::string plonk_flavour = args[1];
+    const std::string circuit_flavour = args[2];
+    const std::string output_path = args[3];
+    const std::string srs_path = args[4];
+
+    bb::srs::init_crs_factory(srs_path);
+    // @todo - Add support for unrolled standard verifier. Needs a new solidity verifier contract.
+
+    if (plonk_flavour != "honk") {
+        info("honk");
+        return 1;
+    }
+
+    info("Generating ", plonk_flavour, " keys for ", circuit_flavour, " circuit");
+
+    if (plonk_flavour == "honk") {
+        if (circuit_flavour == "add2") {
+            generate_keys_honk<Add2Circuit>(output_path, plonk_flavour, circuit_flavour);
+        } else if (circuit_flavour == "blake") {
+            generate_keys_honk<BlakeCircuit>(output_path, plonk_flavour, circuit_flavour);
+        } else if (circuit_flavour == "ecdsa") {
+            generate_keys_honk<bb::EcdsaCircuit>(output_path, plonk_flavour, circuit_flavour);
+            // TODO: recursive proofs
+        } else {
+            info("Unsupported circuit");
+            return 1;
+        }
+    }
+    return 0;
+} // namespace bb
\ No newline at end of file
diff --git a/barretenberg/cpp/src/barretenberg/solidity_helpers/honk_proof_gen.cpp b/barretenberg/cpp/src/barretenberg/solidity_helpers/honk_proof_gen.cpp
new file mode 100644
index 00000000000..fc5e5a69bbf
--- /dev/null
+++ b/barretenberg/cpp/src/barretenberg/solidity_helpers/honk_proof_gen.cpp
@@ -0,0 +1,105 @@
+
+#include "barretenberg/honk/proof_system/types/proof.hpp"
+#include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp"
+#include "barretenberg/ultra_honk/ultra_prover.hpp"
+#include "barretenberg/ultra_honk/ultra_verifier.hpp"
+
+#include "circuits/add_2_circuit.hpp"
+#include "circuits/blake_circuit.hpp"
+#include "circuits/ecdsa_circuit.hpp"
+#include "utils/utils.hpp"
+
+#include <iostream>
+#include <sstream>
+
+using namespace bb;
+using numeric::uint256_t;
+
+using ProverInstance = ProverInstance_<UltraKeccakFlavor>;
+using VerificationKey = UltraKeccakFlavor::VerificationKey;
+using Prover = UltraKeccakProver;
+using Verifier = UltraKeccakVerifier;
+
+template <template <typename> typename Circuit> void generate_proof(uint256_t inputs[])
+{
+
+    UltraCircuitBuilder builder = Circuit<UltraCircuitBuilder>::generate(inputs);
+
+    auto instance = std::make_shared<ProverInstance>(builder);
+    Prover prover(instance);
+    auto verification_key = std::make_shared<VerificationKey>(instance->proving_key);
+    Verifier verifier(verification_key);
+
+    HonkProof proof = prover.construct_proof();
+    {
+        if (!verifier.verify_proof(proof)) {
+            throw_or_abort("Verification failed");
+        }
+
+        std::vector<uint8_t> proof_bytes = to_buffer(proof);
+        std::string p = bytes_to_hex_string(proof_bytes);
+        std::cout << p;
+    }
+}
+
+std::string pad_left(std::string input, size_t length)
+{
+    return std::string(length - std::min(length, input.length()), '0') + input;
+}
+
+/**
+ * @brief Main entry point for the proof generator.
+ * Expected inputs:
+ * 1. plonk_flavour: ultra
+ * 2. circuit_flavour: blake, add2
+ * 3. public_inputs: comma separated list of public inputs
+ * 4. project_root_path: path to the solidity project root
+ * 5. srs_path: path to the srs db
+ */
+int main(int argc, char** argv)
+{
+    std::vector<std::string> args(argv, argv + argc);
+
+    if (args.size() < 5) {
+        info("usage: ", args[0], "[plonk flavour] [circuit flavour] [srs path] [public inputs]");
+        return 1;
+    }
+
+    const std::string plonk_flavour = args[1];
+    const std::string circuit_flavour = args[2];
+    const std::string srs_path = args[3];
+    const std::string string_input = args[4];
+
+    bb::srs::init_crs_factory(srs_path);
+
+    // @todo dynamically allocate this
+    uint256_t inputs[] = { 0, 0, 0, 0, 0, 0 };
+
+    size_t count = 0;
+    std::stringstream s_stream(string_input);
+    while (s_stream.good()) {
+        std::string sub;
+        getline(s_stream, sub, ',');
+        if (sub.substr(0, 2) == "0x") {
+            sub = sub.substr(2);
+        }
+        std::string padded = pad_left(sub, 64);
+        inputs[count++] = uint256_t(padded);
+    }
+
+    if (plonk_flavour != "honk") {
+        info("Only honk flavor allowed");
+        return 1;
+    }
+
+    if (circuit_flavour == "blake") {
+        generate_proof<BlakeCircuit>(inputs);
+    } else if (circuit_flavour == "add2") {
+        generate_proof<Add2Circuit>(inputs);
+    } else if (circuit_flavour == "ecdsa") {
+        generate_proof<EcdsaCircuit>(inputs);
+    } else {
+        info("Invalid circuit flavour: " + circuit_flavour);
+        return 1;
+    }
+}
\ No newline at end of file
diff --git a/barretenberg/cpp/src/barretenberg/solidity_helpers/honk_sol_gen.hpp b/barretenberg/cpp/src/barretenberg/solidity_helpers/honk_sol_gen.hpp
new file mode 100644
index 00000000000..5ed2407bd95
--- /dev/null
+++ b/barretenberg/cpp/src/barretenberg/solidity_helpers/honk_sol_gen.hpp
@@ -0,0 +1,112 @@
+// TODO: check if we need these
+#include "barretenberg/ultra_honk/ultra_prover.hpp"
+#include "barretenberg/ultra_honk/ultra_verifier.hpp"
+
+#include <iostream>
+#include <memory>
+
+namespace bb {
+/**
+ * Write a solidity file containing the vk params to the given stream.
+ * Uses UltraHonk
+ **/
+inline void output_vk_sol_ultra_honk(
+    std::ostream& os,
+    // TODO: get the VerificationKey outside of the falvor - it's not a part of the flavor
+    auto const& key,
+    std::string const& class_name)
+{
+
+    const auto print_u256_const = [&](const bb::fr& element, const std::string& name) {
+        os << "uint256 constant " << name << " = " << element << ";" << std::endl;
+    };
+
+    const auto print_u256 = [&](const bb::fr& element, const std::string& name) {
+        os << "            " << name << ": uint256(" << element << ")," << std::endl;
+    };
+
+    const auto print_g1 = [&](const bb::g1::affine_element& element, const std::string& name, const bool last = false) {
+        os << "            " << name << ": Honk.G1Point({ \n"
+           << "               "
+           << "x: "
+           << "uint256(" << element.x << "),\n"
+           << "               "
+           << "y: "
+           << "uint256(" << element.y << ")\n"
+           << "            })";
+
+        // only include comma if we are not the last element
+        if (!last) {
+            os << ",\n";
+        } else {
+            os << "\n";
+        }
+    };
+
+    // clang-format off
+    os <<
+    //   "// Verification Key Hash: " << key->sha256_hash() << "\n"
+      "// SPDX-License-Identifier: Apache-2.0\n"
+      "// Copyright 2022 Aztec\n"
+      "pragma solidity >=0.8.21;\n"
+      "\n"
+      "import { Honk } from \"../HonkTypes.sol\";\n"
+    "";
+    print_u256_const(key->circuit_size, "N");
+    print_u256_const(key->log_circuit_size, "LOG_N");
+    print_u256_const(key->num_public_inputs, "NUMBER_OF_PUBLIC_INPUTS");
+    os << ""
+    "library " << class_name << " {\n"
+    //   "    function verificationKeyHash() internal pure returns(bytes32) {\n"
+    //   "        return 0x" << key->sha256_hash() << ";\n"
+    //   "    }\n\n"
+      "    function loadVerificationKey() internal pure returns (Honk.VerificationKey memory) {\n"
+      "        Honk.VerificationKey memory vk = Honk.VerificationKey({\n";
+    print_u256(key->circuit_size, "circuitSize");
+    print_u256(key->log_circuit_size, "logCircuitSize");
+    print_u256(key->num_public_inputs, "publicInputsSize");
+    print_g1(key->q_l, "ql");
+    print_g1(key->q_r, "qr");
+    print_g1(key->q_o, "qo");
+    print_g1(key->q_4, "q4");
+    print_g1(key->q_m, "qm");
+    print_g1(key->q_c, "qc");
+    print_g1(key->q_arith, "qArith");
+    print_g1(key->q_delta_range, "qDeltaRange");
+    print_g1(key->q_elliptic, "qElliptic");
+    print_g1(key->q_aux, "qAux");
+    print_g1(key->q_lookup, "qLookup");
+    print_g1(key->sigma_1, "s1");
+    print_g1(key->sigma_2, "s2");
+    print_g1(key->sigma_3, "s3");
+    print_g1(key->sigma_4, "s4");
+    print_g1(key->table_1, "t1");
+    print_g1(key->table_2, "t2");
+    print_g1(key->table_3, "t3");
+    print_g1(key->table_4, "t4");
+    // print_g1("0x500", "0x520", key->table, "vk.TABLE_TYPE");
+    print_g1(key->id_1, "id1");
+    print_g1(key->id_2, "id2");
+    print_g1(key->id_3, "id3");
+    print_g1(key->id_4, "id4");
+    print_g1(key->lagrange_first, "lagrangeFirst");
+    print_g1(key->lagrange_last, "lagrangeLast", /*last=*/ true);
+    os <<
+
+        // TODO: no recursive proofs
+        // TODO: no pairing check yet
+        // "            mstore(add(_vk, 0x640), " << (key->contains_recursive_proof ? "0x01" : "0x00") << ") // vk.contains_recursive_proof\n"
+        // "            mstore(add(_vk, 0x660), " << (key->contains_recursive_proof ? key->recursive_proof_public_input_indices[0] : 0) << ") // vk.recursive_proof_public_input_indices\n"
+        
+        // "            mstore(add(_vk, 0x680), " <<  key->reference_string->get_g2x().x.c1 << ") // vk.g2_x.X.c1 \n"
+        // "            mstore(add(_vk, 0x6a0), " <<  key->reference_string->get_g2x().x.c0 << ") // vk.g2_x.X.c0 \n"
+        // "            mstore(add(_vk, 0x6c0), " <<  key->reference_string->get_g2x().y.c1 << ") // vk.g2_x.Y.c1 \n"
+        // "            mstore(add(_vk, 0x6e0), " <<  key->reference_string->get_g2x().y.c0 << ") // vk.g2_x.Y.c0 \n"
+        "        });\n"
+        "        return vk;\n"
+        "    }\n"
+        "}\n";
+
+    os << std::flush;
+}
+}
\ No newline at end of file
diff --git a/barretenberg/cpp/src/barretenberg/solidity_helpers/key_gen.cpp b/barretenberg/cpp/src/barretenberg/solidity_helpers/key_gen.cpp
index bc78bda31d2..762ee2a47fc 100644
--- a/barretenberg/cpp/src/barretenberg/solidity_helpers/key_gen.cpp
+++ b/barretenberg/cpp/src/barretenberg/solidity_helpers/key_gen.cpp
@@ -68,22 +68,22 @@ int main(int argc, char** argv)
     // @todo - Add support for unrolled standard verifier. Needs a new solidity verifier contract.
 
     if (plonk_flavour != "ultra") {
-        info("Only ultra plonk flavour is supported at the moment");
+        info("Flavour must be ultra");
         return 1;
     }
 
-    info("Generating ultra plonk keys for ", circuit_flavour, " circuit");
+    info("Generating ", plonk_flavour, " keys for ", circuit_flavour, " circuit");
 
     if (circuit_flavour == "blake") {
-        generate_keys<UltraComposer, BlakeCircuit>(output_path, plonk_flavour, circuit_flavour);
+        generate_keys<bb::plonk::UltraComposer, BlakeCircuit>(output_path, plonk_flavour, circuit_flavour);
     } else if (circuit_flavour == "add2") {
-        generate_keys<UltraComposer, Add2Circuit>(output_path, plonk_flavour, circuit_flavour);
+        generate_keys<bb::plonk::UltraComposer, Add2Circuit>(output_path, plonk_flavour, circuit_flavour);
     } else if (circuit_flavour == "recursive") {
-        generate_keys<UltraComposer, RecursiveCircuit>(output_path, plonk_flavour, circuit_flavour);
+        generate_keys<bb::plonk::UltraComposer, RecursiveCircuit>(output_path, plonk_flavour, circuit_flavour);
     } else if (circuit_flavour == "ecdsa") {
-        generate_keys<UltraComposer, EcdsaCircuit>(output_path, plonk_flavour, circuit_flavour);
+        generate_keys<bb::plonk::UltraComposer, EcdsaCircuit>(output_path, plonk_flavour, circuit_flavour);
     } else {
-        info("Unsupported circuit are supported at the moment");
+        info("Unsupported circuit");
         return 1;
     }
     return 0;
diff --git a/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp b/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp
index 344c0489643..c3ea08590fd 100644
--- a/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp
+++ b/barretenberg/cpp/src/barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp
@@ -12,6 +12,8 @@ construction in stdlib and contains macros for explicit instantiation.
 namespace bb {
 class StandardFlavor;
 class UltraFlavor;
+class UltraKeccakFlavor;
+
 class Bn254FrParams;
 class Bn254FqParams;
 template <class Params> struct alignas(32) field;
diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp
index d9e157c14e7..fadbb9a6f16 100644
--- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp
+++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp
@@ -9,6 +9,8 @@
 #include "barretenberg/stdlib_circuit_builders/op_queue/ecc_op_queue.hpp"
 #include "barretenberg/stdlib_circuit_builders/plookup_tables/plookup_tables.hpp"
 #include "barretenberg/stdlib_circuit_builders/plookup_tables/types.hpp"
+
+// TODO(md): note that this has now been added
 #include "circuit_builder_base.hpp"
 #include <optional>
 #include <unordered_set>
diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp
index d9b010c320d..720d2ab74d2 100644
--- a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp
+++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_flavor.hpp
@@ -693,6 +693,7 @@ class UltraFlavor {
             zm_cq_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
             kzg_w_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
         }
+
         /**
          * @brief Serializes the structure variables into a FULL Ultra proof. Should be called
          * only if deserialize_full_transcript() was called and some transcript variable was
diff --git a/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak.hpp b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak.hpp
new file mode 100644
index 00000000000..9b8d8dd6070
--- /dev/null
+++ b/barretenberg/cpp/src/barretenberg/stdlib_circuit_builders/ultra_keccak.hpp
@@ -0,0 +1,738 @@
+// TODO: the only change should be making honk generic over the transcript
+#pragma once
+#include "barretenberg/commitment_schemes/kzg/kzg.hpp"
+#include "barretenberg/ecc/curves/bn254/g1.hpp"
+#include "barretenberg/flavor/flavor.hpp"
+#include "barretenberg/flavor/flavor_macros.hpp"
+#include "barretenberg/plonk_honk_shared/library/grand_product_delta.hpp"
+#include "barretenberg/plonk_honk_shared/library/grand_product_library.hpp"
+#include "barretenberg/polynomials/barycentric.hpp"
+#include "barretenberg/polynomials/evaluation_domain.hpp"
+#include "barretenberg/polynomials/polynomial.hpp"
+#include "barretenberg/polynomials/univariate.hpp"
+#include "barretenberg/relations/auxiliary_relation.hpp"
+#include "barretenberg/relations/delta_range_constraint_relation.hpp"
+#include "barretenberg/relations/elliptic_relation.hpp"
+#include "barretenberg/relations/logderiv_lookup_relation.hpp"
+#include "barretenberg/relations/permutation_relation.hpp"
+#include "barretenberg/relations/relation_parameters.hpp"
+#include "barretenberg/relations/ultra_arithmetic_relation.hpp"
+#include "barretenberg/stdlib_circuit_builders/ultra_circuit_builder.hpp"
+#include "barretenberg/transcript/transcript.hpp"
+
+namespace bb {
+
+class UltraKeccakFlavor {
+  public:
+    using CircuitBuilder = UltraCircuitBuilder;
+    using Curve = curve::BN254;
+    using FF = Curve::ScalarField;
+    using GroupElement = Curve::Element;
+    using Commitment = Curve::AffineElement;
+    using PCS = KZG<Curve>;
+    using Polynomial = bb::Polynomial<FF>;
+    using CommitmentKey = bb::CommitmentKey<Curve>;
+    using VerifierCommitmentKey = bb::VerifierCommitmentKey<Curve>;
+
+    static constexpr size_t NUM_WIRES = CircuitBuilder::NUM_WIRES;
+    // The number of multivariate polynomials on which a sumcheck prover sumcheck operates (including shifts). We often
+    // need containers of this size to hold related data, so we choose a name more agnostic than `NUM_POLYNOMIALS`.
+    static constexpr size_t NUM_ALL_ENTITIES = 42;
+    // The number of polynomials precomputed to describe a circuit and to aid a prover in constructing a satisfying
+    // assignment of witnesses. We again choose a neutral name.
+    static constexpr size_t NUM_PRECOMPUTED_ENTITIES = 25;
+    // The total number of witness entities not including shifts.
+    static constexpr size_t NUM_WITNESS_ENTITIES = 8;
+    // Total number of folded polynomials, which is just all polynomials except the shifts
+    static constexpr size_t NUM_FOLDED_ENTITIES = NUM_PRECOMPUTED_ENTITIES + NUM_WITNESS_ENTITIES;
+
+    using GrandProductRelations = std::tuple<bb::UltraPermutationRelation<FF>>;
+    // define the tuple of Relations that comprise the Sumcheck relation
+    // Note: made generic for use in MegaRecursive.
+    template <typename FF>
+    using Relations_ = std::tuple<bb::UltraArithmeticRelation<FF>,
+                                  bb::UltraPermutationRelation<FF>,
+                                  bb::LogDerivLookupRelation<FF>,
+                                  bb::DeltaRangeConstraintRelation<FF>,
+                                  bb::EllipticRelation<FF>,
+                                  bb::AuxiliaryRelation<FF>>;
+    using Relations = Relations_<FF>;
+
+    static constexpr size_t MAX_PARTIAL_RELATION_LENGTH = compute_max_partial_relation_length<Relations>();
+    static_assert(MAX_PARTIAL_RELATION_LENGTH == 6);
+    static constexpr size_t MAX_TOTAL_RELATION_LENGTH = compute_max_total_relation_length<Relations>();
+    static_assert(MAX_TOTAL_RELATION_LENGTH == 11);
+    static constexpr size_t NUM_SUBRELATIONS = compute_number_of_subrelations<Relations>();
+    // For instances of this flavour, used in folding, we need a unique sumcheck batching challenge for each
+    // subrelation. This is because using powers of alpha would increase the degree of Protogalaxy polynomial $G$ (the
+    // combiner) too much.
+    using RelationSeparator = std::array<FF, NUM_SUBRELATIONS - 1>;
+
+    // BATCHED_RELATION_PARTIAL_LENGTH = algebraic degree of sumcheck relation *after* multiplying by the `pow_zeta`
+    // random polynomial e.g. For \sum(x) [A(x) * B(x) + C(x)] * PowZeta(X), relation length = 2 and random relation
+    // length = 3
+    static constexpr size_t BATCHED_RELATION_PARTIAL_LENGTH = MAX_PARTIAL_RELATION_LENGTH + 1;
+    static constexpr size_t BATCHED_RELATION_TOTAL_LENGTH = MAX_TOTAL_RELATION_LENGTH + 1;
+    static constexpr size_t NUM_RELATIONS = std::tuple_size_v<Relations>;
+
+    template <size_t NUM_INSTANCES>
+    using ProtogalaxyTupleOfTuplesOfUnivariates =
+        decltype(create_protogalaxy_tuple_of_tuples_of_univariates<Relations, NUM_INSTANCES>());
+    template <size_t NUM_INSTANCES>
+    using OptimisedProtogalaxyTupleOfTuplesOfUnivariates =
+        decltype(create_protogalaxy_tuple_of_tuples_of_univariates<Relations,
+                                                                   NUM_INSTANCES,
+                                                                   /*optimised=*/true>());
+    using SumcheckTupleOfTuplesOfUnivariates = decltype(create_sumcheck_tuple_of_tuples_of_univariates<Relations>());
+    using TupleOfArraysOfValues = decltype(create_tuple_of_arrays_of_values<Relations>());
+
+    // Whether or not the first row of the execution trace is reserved for 0s to enable shifts
+    static constexpr bool has_zero_row = true;
+
+    static constexpr bool is_decider = true;
+
+    /**
+     * @brief A base class labelling precomputed entities and (ordered) subsets of interest.
+     * @details Used to build the proving key and verification key.
+     */
+    template <typename DataType_> class PrecomputedEntities : public PrecomputedEntitiesBase {
+      public:
+        using DataType = DataType_;
+        DEFINE_FLAVOR_MEMBERS(DataType,
+                              q_m,            // column 0
+                              q_c,            // column 1
+                              q_l,            // column 2
+                              q_r,            // column 3
+                              q_o,            // column 4
+                              q_4,            // column 5
+                              q_arith,        // column 6
+                              q_delta_range,  // column 7
+                              q_elliptic,     // column 8
+                              q_aux,          // column 9
+                              q_lookup,       // column 10
+                              sigma_1,        // column 11
+                              sigma_2,        // column 12
+                              sigma_3,        // column 13
+                              sigma_4,        // column 14
+                              id_1,           // column 15
+                              id_2,           // column 16
+                              id_3,           // column 17
+                              id_4,           // column 18
+                              table_1,        // column 19
+                              table_2,        // column 20
+                              table_3,        // column 21
+                              table_4,        // column 22
+                              lagrange_first, // column 23
+                              lagrange_last)  // column 24
+
+        static constexpr CircuitType CIRCUIT_TYPE = CircuitBuilder::CIRCUIT_TYPE;
+
+        auto get_selectors()
+        {
+            return RefArray{ q_m, q_c, q_l, q_r, q_o, q_4, q_arith, q_delta_range, q_elliptic, q_aux, q_lookup };
+        };
+        auto get_sigma_polynomials() { return RefArray{ sigma_1, sigma_2, sigma_3, sigma_4 }; };
+        auto get_id_polynomials() { return RefArray{ id_1, id_2, id_3, id_4 }; };
+
+        auto get_table_polynomials() { return RefArray{ table_1, table_2, table_3, table_4 }; };
+    };
+
+    /**
+     * @brief Container for all witness polynomials used/constructed by the prover.
+     * @details Shifts are not included here since they do not occupy their own memory.
+     */
+    template <typename DataType> class WitnessEntities {
+      public:
+        DEFINE_FLAVOR_MEMBERS(DataType,
+                              w_l,                // column 0
+                              w_r,                // column 1
+                              w_o,                // column 2
+                              w_4,                // column 3
+                              z_perm,             // column 4
+                              lookup_inverses,    // column 5
+                              lookup_read_counts, // column 6
+                              lookup_read_tags)   // column 7
+
+        auto get_wires() { return RefArray{ w_l, w_r, w_o, w_4 }; };
+
+        MSGPACK_FIELDS(w_l, w_r, w_o, w_4, z_perm, lookup_inverses, lookup_read_counts, lookup_read_tags);
+    };
+
+    /**
+     * @brief Class for ShiftedEntities, containing shifted witness and table polynomials.
+     */
+    template <typename DataType> class ShiftedEntities {
+      public:
+        DEFINE_FLAVOR_MEMBERS(DataType,
+                              table_1_shift, // column 0
+                              table_2_shift, // column 1
+                              table_3_shift, // column 2
+                              table_4_shift, // column 3
+                              w_l_shift,     // column 4
+                              w_r_shift,     // column 5
+                              w_o_shift,     // column 6
+                              w_4_shift,     // column 7
+                              z_perm_shift)  // column 10
+
+        auto get_shifted()
+        {
+            return RefArray{ table_1_shift, table_2_shift, table_3_shift, table_4_shift, w_l_shift,
+                             w_r_shift,     w_o_shift,     w_4_shift,     z_perm_shift };
+        };
+    };
+
+    /**
+     * @brief A base class labelling all entities (for instance, all of the polynomials used by the prover during
+     * sumcheck) in this Honk variant along with particular subsets of interest
+     * @details Used to build containers for: the prover's polynomial during sumcheck; the sumcheck's folded
+     * polynomials; the univariates consturcted during during sumcheck; the evaluations produced by sumcheck.
+     *
+     * Symbolically we have: AllEntities = PrecomputedEntities + WitnessEntities + "ShiftedEntities". It could be
+     * implemented as such, but we have this now.
+     */
+    template <typename DataType>
+    class AllEntities : public PrecomputedEntities<DataType>,
+                        public WitnessEntities<DataType>,
+                        public ShiftedEntities<DataType> {
+      public:
+        DEFINE_COMPOUND_GET_ALL(PrecomputedEntities<DataType>, WitnessEntities<DataType>, ShiftedEntities<DataType>)
+
+        auto get_wires() { return RefArray{ this->w_l, this->w_r, this->w_o, this->w_4 }; };
+        auto get_selectors() { return PrecomputedEntities<DataType>::get_selectors(); }
+        auto get_sigmas() { return RefArray{ this->sigma_1, this->sigma_2, this->sigma_3, this->sigma_4 }; };
+        auto get_ids() { return RefArray{ this->id_1, this->id_2, this->id_3, this->id_4 }; };
+        auto get_tables() { return RefArray{ this->table_1, this->table_2, this->table_3, this->table_4 }; };
+        auto get_unshifted()
+        {
+            return concatenate(PrecomputedEntities<DataType>::get_all(), WitnessEntities<DataType>::get_all());
+        };
+
+        auto get_precomputed() { return PrecomputedEntities<DataType>::get_all(); }
+
+        auto get_witness() { return WitnessEntities<DataType>::get_all(); };
+        auto get_to_be_shifted()
+        {
+            return RefArray{ this->table_1, this->table_2, this->table_3, this->table_4, this->w_l,
+                             this->w_r,     this->w_o,     this->w_4,     this->z_perm };
+        };
+        auto get_shifted() { return ShiftedEntities<DataType>::get_all(); };
+    };
+
+  public:
+    /**
+     * @brief A field element for each entity of the flavor. These entities represent the prover polynomials
+     * evaluated at one point.
+     */
+    class AllValues : public AllEntities<FF> {
+      public:
+        using Base = AllEntities<FF>;
+        using Base::Base;
+    };
+
+    /**
+     * @brief A container for polynomials handles.
+     */
+    // TODO(https://github.com/AztecProtocol/barretenberg/issues/966): use inheritance
+    class ProverPolynomials : public AllEntities<Polynomial> {
+      public:
+        // Define all operations as default, except copy construction/assignment
+        ProverPolynomials() = default;
+        ProverPolynomials(size_t circuit_size)
+        { // Initialize all unshifted polynomials to the zero polynomial and initialize the
+          // shifted polys
+            for (auto& poly : get_unshifted()) {
+                poly = Polynomial{ circuit_size };
+            }
+            set_shifted();
+        }
+        ProverPolynomials& operator=(const ProverPolynomials&) = delete;
+        ProverPolynomials(const ProverPolynomials& o) = delete;
+        ProverPolynomials(ProverPolynomials&& o) noexcept = default;
+        ProverPolynomials& operator=(ProverPolynomials&& o) noexcept = default;
+        ~ProverPolynomials() = default;
+        [[nodiscard]] size_t get_polynomial_size() const { return q_c.size(); }
+        [[nodiscard]] AllValues get_row(const size_t row_idx) const
+        {
+            AllValues result;
+            for (auto [result_field, polynomial] : zip_view(result.get_all(), get_all())) {
+                result_field = polynomial[row_idx];
+            }
+            return result;
+        }
+
+        // Set all shifted polynomials based on their to-be-shifted counterpart
+        void set_shifted()
+        {
+            for (auto [shifted, to_be_shifted] : zip_view(get_shifted(), get_to_be_shifted())) {
+                shifted = to_be_shifted.shifted();
+            }
+        }
+    };
+    /**
+     * @brief The proving key is responsible for storing the polynomials used by the prover.
+     *
+     */
+    class ProvingKey : public ProvingKey_<FF, CommitmentKey> {
+      public:
+        // Expose constructors on the base class
+        using Base = ProvingKey_<FF, CommitmentKey>;
+        using Base::Base;
+
+        ProvingKey(const size_t circuit_size, const size_t num_public_inputs)
+            : Base(circuit_size, num_public_inputs)
+            , polynomials(circuit_size){};
+
+        std::vector<uint32_t> memory_read_records;
+        std::vector<uint32_t> memory_write_records;
+        ProverPolynomials polynomials; // storage for all polynomials evaluated by the prover
+
+        /**
+         * @brief Add RAM/ROM memory records to the fourth wire polynomial
+         *
+         * @details This operation must be performed after the first three wires have been
+         * committed to, hence the dependence on the `eta` challenge.
+         *
+         * @tparam Flavor
+         * @param eta challenge produced after commitment to first three wire polynomials
+         */
+        void add_ram_rom_memory_records_to_wire_4(const FF& eta, const FF& eta_two, const FF& eta_three)
+        {
+            // The memory record values are computed at the indicated indices as
+            // w4 = w3 * eta^3 + w2 * eta^2 + w1 * eta + read_write_flag;
+            // (See the Auxiliary relation for details)
+            auto wires = polynomials.get_wires();
+
+            // Compute read record values
+            for (const auto& gate_idx : memory_read_records) {
+                wires[3][gate_idx] += wires[2][gate_idx] * eta_three;
+                wires[3][gate_idx] += wires[1][gate_idx] * eta_two;
+                wires[3][gate_idx] += wires[0][gate_idx] * eta;
+            }
+
+            // Compute write record values
+            for (const auto& gate_idx : memory_write_records) {
+                wires[3][gate_idx] += wires[2][gate_idx] * eta_three;
+                wires[3][gate_idx] += wires[1][gate_idx] * eta_two;
+                wires[3][gate_idx] += wires[0][gate_idx] * eta;
+                wires[3][gate_idx] += 1;
+            }
+        }
+
+        /**
+         * @brief Compute the inverse polynomial used in the log derivative lookup argument
+         *
+         * @tparam Flavor
+         * @param beta
+         * @param gamma
+         */
+        void compute_logderivative_inverses(const RelationParameters<FF>& relation_parameters)
+        {
+            // Compute inverses for conventional lookups
+            compute_logderivative_inverse<UltraKeccakFlavor, LogDerivLookupRelation<FF>>(
+                this->polynomials, relation_parameters, this->circuit_size);
+        }
+
+        /**
+         * @brief Computes public_input_delta and the permutation grand product polynomial
+         *
+         * @param relation_parameters
+         */
+        void compute_grand_product_polynomials(RelationParameters<FF>& relation_parameters)
+        {
+            auto public_input_delta = compute_public_input_delta<UltraKeccakFlavor>(this->public_inputs,
+                                                                                    relation_parameters.beta,
+                                                                                    relation_parameters.gamma,
+                                                                                    this->circuit_size,
+                                                                                    this->pub_inputs_offset);
+            relation_parameters.public_input_delta = public_input_delta;
+
+            // Compute permutation and lookup grand product polynomials
+            compute_grand_products<UltraKeccakFlavor>(this->polynomials, relation_parameters);
+        }
+    };
+
+    /**
+     * @brief The verification key is responsible for storing the the commitments to the precomputed (non-witnessk)
+     * polynomials used by the verifier.
+     *
+     * @note Note the discrepancy with what sort of data is stored here vs in the proving key. We may want to resolve
+     * that, and split out separate PrecomputedPolynomials/Commitments data for clarity but also for portability of our
+     * circuits.
+     */
+    class VerificationKey : public VerificationKey_<PrecomputedEntities<Commitment>, VerifierCommitmentKey> {
+      public:
+        VerificationKey() = default;
+        VerificationKey(const size_t circuit_size, const size_t num_public_inputs)
+            : VerificationKey_(circuit_size, num_public_inputs)
+        {}
+        VerificationKey(ProvingKey& proving_key)
+        {
+            this->pcs_verification_key = std::make_shared<VerifierCommitmentKey>();
+            this->circuit_size = proving_key.circuit_size;
+            this->log_circuit_size = numeric::get_msb(this->circuit_size);
+            this->num_public_inputs = proving_key.num_public_inputs;
+            this->pub_inputs_offset = proving_key.pub_inputs_offset;
+
+            for (auto [polynomial, commitment] : zip_view(proving_key.polynomials.get_precomputed(), this->get_all())) {
+                commitment = proving_key.commitment_key->commit(polynomial);
+            }
+        }
+        // TODO(https://github.com/AztecProtocol/barretenberg/issues/964): Clean the boilerplate
+        // up.
+        VerificationKey(const uint64_t circuit_size,
+                        const uint64_t num_public_inputs,
+                        const uint64_t pub_inputs_offset,
+                        const Commitment& q_m,
+                        const Commitment& q_c,
+                        const Commitment& q_l,
+                        const Commitment& q_r,
+                        const Commitment& q_o,
+                        const Commitment& q_4,
+                        const Commitment& q_arith,
+                        const Commitment& q_delta_range,
+                        const Commitment& q_elliptic,
+                        const Commitment& q_aux,
+                        const Commitment& q_lookup,
+                        const Commitment& sigma_1,
+                        const Commitment& sigma_2,
+                        const Commitment& sigma_3,
+                        const Commitment& sigma_4,
+                        const Commitment& id_1,
+                        const Commitment& id_2,
+                        const Commitment& id_3,
+                        const Commitment& id_4,
+                        const Commitment& table_1,
+                        const Commitment& table_2,
+                        const Commitment& table_3,
+                        const Commitment& table_4,
+                        const Commitment& lagrange_first,
+                        const Commitment& lagrange_last)
+        {
+            this->circuit_size = circuit_size;
+            this->log_circuit_size = numeric::get_msb(this->circuit_size);
+            this->num_public_inputs = num_public_inputs;
+            this->pub_inputs_offset = pub_inputs_offset;
+            this->q_m = q_m;
+            this->q_c = q_c;
+            this->q_l = q_l;
+            this->q_r = q_r;
+            this->q_o = q_o;
+            this->q_4 = q_4;
+            this->q_arith = q_arith;
+            this->q_delta_range = q_delta_range;
+            this->q_elliptic = q_elliptic;
+            this->q_aux = q_aux;
+            this->q_lookup = q_lookup;
+            this->sigma_1 = sigma_1;
+            this->sigma_2 = sigma_2;
+            this->sigma_3 = sigma_3;
+            this->sigma_4 = sigma_4;
+            this->id_1 = id_1;
+            this->id_2 = id_2;
+            this->id_3 = id_3;
+            this->id_4 = id_4;
+            this->table_1 = table_1;
+            this->table_2 = table_2;
+            this->table_3 = table_3;
+            this->table_4 = table_4;
+            this->lagrange_first = lagrange_first;
+            this->lagrange_last = lagrange_last;
+        }
+
+        // For serialising and deserialising data
+        MSGPACK_FIELDS(circuit_size,
+                       log_circuit_size,
+                       num_public_inputs,
+                       pub_inputs_offset,
+                       q_m,
+                       q_c,
+                       q_l,
+                       q_r,
+                       q_o,
+                       q_4,
+                       q_arith,
+                       q_delta_range,
+                       q_elliptic,
+                       q_aux,
+                       q_lookup,
+                       sigma_1,
+                       sigma_2,
+                       sigma_3,
+                       sigma_4,
+                       id_1,
+                       id_2,
+                       id_3,
+                       id_4,
+                       table_1,
+                       table_2,
+                       table_3,
+                       table_4,
+                       lagrange_first,
+                       lagrange_last);
+    };
+
+    /**
+     * @brief A container for storing the partially evaluated multivariates produced by sumcheck.
+     */
+    class PartiallyEvaluatedMultivariates : public AllEntities<Polynomial> {
+
+      public:
+        PartiallyEvaluatedMultivariates() = default;
+        PartiallyEvaluatedMultivariates(const size_t circuit_size)
+        {
+            // Storage is only needed after the first partial evaluation, hence polynomials of
+            // size (n / 2)
+            for (auto& poly : this->get_all()) {
+                poly = Polynomial(circuit_size / 2);
+            }
+        }
+    };
+
+    /**
+     * @brief A container for univariates used during Protogalaxy folding and sumcheck.
+     * @details During folding and sumcheck, the prover evaluates the relations on these univariates.
+     */
+    template <size_t LENGTH> using ProverUnivariates = AllEntities<bb::Univariate<FF, LENGTH>>;
+    /**
+     * @brief A container for univariates used during Protogalaxy folding and sumcheck.
+     * @details During folding and sumcheck, the prover evaluates the relations on these univariates.
+     */
+    template <size_t LENGTH, size_t SKIP_COUNT>
+    using OptimisedProverUnivariates = AllEntities<bb::Univariate<FF, LENGTH, 0, SKIP_COUNT>>;
+
+    /**
+     * @brief A container for univariates produced during the hot loop in sumcheck.
+     */
+    using ExtendedEdges = ProverUnivariates<MAX_PARTIAL_RELATION_LENGTH>;
+
+    /**
+     * @brief A container for the witness commitments.
+     */
+    using WitnessCommitments = WitnessEntities<Commitment>;
+
+    /**
+     * @brief A container for commitment labels.
+     * @note It's debatable whether this should inherit from AllEntities. since most entries are not strictly needed. It
+     * has, however, been useful during debugging to have these labels available.
+     *
+     */
+    class CommitmentLabels : public AllEntities<std::string> {
+      public:
+        CommitmentLabels()
+        {
+            w_l = "W_L";
+            w_r = "W_R";
+            w_o = "W_O";
+            w_4 = "W_4";
+            z_perm = "Z_PERM";
+            lookup_inverses = "LOOKUP_INVERSES";
+            lookup_read_counts = "LOOKUP_READ_COUNTS";
+            lookup_read_tags = "LOOKUP_READ_TAGS";
+
+            q_c = "Q_C";
+            q_l = "Q_L";
+            q_r = "Q_R";
+            q_o = "Q_O";
+            q_4 = "Q_4";
+            q_m = "Q_M";
+            q_arith = "Q_ARITH";
+            q_delta_range = "Q_SORT";
+            q_elliptic = "Q_ELLIPTIC";
+            q_aux = "Q_AUX";
+            q_lookup = "Q_LOOKUP";
+            sigma_1 = "SIGMA_1";
+            sigma_2 = "SIGMA_2";
+            sigma_3 = "SIGMA_3";
+            sigma_4 = "SIGMA_4";
+            id_1 = "ID_1";
+            id_2 = "ID_2";
+            id_3 = "ID_3";
+            id_4 = "ID_4";
+            table_1 = "TABLE_1";
+            table_2 = "TABLE_2";
+            table_3 = "TABLE_3";
+            table_4 = "TABLE_4";
+            lagrange_first = "LAGRANGE_FIRST";
+            lagrange_last = "LAGRANGE_LAST";
+        };
+    };
+
+    /**
+     * @brief A container encapsulating all the commitments that the verifier receives (to precomputed polynomials and
+     * witness polynomials).
+     *
+     */
+    template <typename Commitment, typename VerificationKey>
+    class VerifierCommitments_ : public AllEntities<Commitment> {
+      public:
+        VerifierCommitments_(const std::shared_ptr<VerificationKey>& verification_key,
+                             const std::optional<WitnessCommitments>& witness_commitments = std::nullopt)
+        {
+            this->q_m = verification_key->q_m;
+            this->q_c = verification_key->q_c;
+            this->q_l = verification_key->q_l;
+            this->q_r = verification_key->q_r;
+            this->q_o = verification_key->q_o;
+            this->q_4 = verification_key->q_4;
+            this->q_arith = verification_key->q_arith;
+            this->q_delta_range = verification_key->q_delta_range;
+            this->q_elliptic = verification_key->q_elliptic;
+            this->q_aux = verification_key->q_aux;
+            this->q_lookup = verification_key->q_lookup;
+            this->sigma_1 = verification_key->sigma_1;
+            this->sigma_2 = verification_key->sigma_2;
+            this->sigma_3 = verification_key->sigma_3;
+            this->sigma_4 = verification_key->sigma_4;
+            this->id_1 = verification_key->id_1;
+            this->id_2 = verification_key->id_2;
+            this->id_3 = verification_key->id_3;
+            this->id_4 = verification_key->id_4;
+            this->table_1 = verification_key->table_1;
+            this->table_2 = verification_key->table_2;
+            this->table_3 = verification_key->table_3;
+            this->table_4 = verification_key->table_4;
+            this->lagrange_first = verification_key->lagrange_first;
+            this->lagrange_last = verification_key->lagrange_last;
+
+            if (witness_commitments.has_value()) {
+                auto commitments = witness_commitments.value();
+                this->w_l = commitments.w_l;
+                this->w_r = commitments.w_r;
+                this->w_o = commitments.w_o;
+                this->lookup_inverses = commitments.lookup_inverses;
+                this->lookup_read_counts = commitments.lookup_read_counts;
+                this->lookup_read_tags = commitments.lookup_read_tags;
+                this->w_4 = commitments.w_4;
+                this->z_perm = commitments.z_perm;
+            }
+        }
+    };
+    // Specialize for Ultra (general case used in UltraRecursive).
+    using VerifierCommitments = VerifierCommitments_<Commitment, VerificationKey>;
+
+    /**
+     * @brief Derived class that defines proof structure for Ultra proofs, as well as supporting functions.
+     *
+     */
+    class Transcript : public KeccakTranscript {
+      public:
+        // Transcript objects defined as public member variables for easy access and modification
+        uint32_t circuit_size;
+        uint32_t public_input_size;
+        uint32_t pub_inputs_offset;
+        std::vector<FF> public_inputs;
+        Commitment w_l_comm;
+        Commitment w_r_comm;
+        Commitment w_o_comm;
+        Commitment lookup_read_counts_comm;
+        Commitment lookup_read_tags_comm;
+        Commitment w_4_comm;
+        Commitment z_perm_comm;
+        Commitment lookup_inverses_comm;
+        std::vector<bb::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH>> sumcheck_univariates;
+        std::array<FF, NUM_ALL_ENTITIES> sumcheck_evaluations;
+        std::vector<Commitment> zm_cq_comms;
+        Commitment zm_cq_comm;
+        Commitment kzg_w_comm;
+
+        Transcript() = default;
+
+        // Used by verifier to initialize the transcript
+        Transcript(const std::vector<FF>& proof)
+            : KeccakTranscript(proof)
+        {}
+
+        static std::shared_ptr<Transcript> prover_init_empty()
+        {
+            auto transcript = std::make_shared<Transcript>();
+            constexpr uint32_t init{ 42 }; // arbitrary
+            transcript->send_to_verifier("Init", init);
+            return transcript;
+        };
+
+        static std::shared_ptr<Transcript> verifier_init_empty(const std::shared_ptr<Transcript>& transcript)
+        {
+            auto verifier_transcript = std::make_shared<Transcript>(transcript->proof_data);
+            [[maybe_unused]] auto _ = verifier_transcript->template receive_from_prover<FF>("Init");
+            return verifier_transcript;
+        };
+
+        /**
+         * @brief Takes a FULL Ultra proof and deserializes it into the public member variables
+         * that compose the structure. Must be called in order to access the structure of the
+         * proof.
+         *
+         */
+        void deserialize_full_transcript()
+        {
+            // take current proof and put them into the struct
+            size_t num_frs_read = 0;
+            circuit_size = deserialize_from_buffer<uint32_t>(proof_data, num_frs_read);
+
+            public_input_size = deserialize_from_buffer<uint32_t>(proof_data, num_frs_read);
+            pub_inputs_offset = deserialize_from_buffer<uint32_t>(proof_data, num_frs_read);
+            for (size_t i = 0; i < public_input_size; ++i) {
+                public_inputs.push_back(deserialize_from_buffer<FF>(proof_data, num_frs_read));
+            }
+            w_l_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            w_r_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            w_o_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            lookup_read_counts_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            lookup_read_tags_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            w_4_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            lookup_inverses_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            z_perm_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) {
+                sumcheck_univariates.push_back(
+                    deserialize_from_buffer<bb::Univariate<FF, BATCHED_RELATION_PARTIAL_LENGTH>>(proof_data,
+                                                                                                 num_frs_read));
+            }
+            sumcheck_evaluations = deserialize_from_buffer<std::array<FF, NUM_ALL_ENTITIES>>(proof_data, num_frs_read);
+            for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) {
+                zm_cq_comms.push_back(deserialize_from_buffer<Commitment>(proof_data, num_frs_read));
+            }
+            zm_cq_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+            kzg_w_comm = deserialize_from_buffer<Commitment>(proof_data, num_frs_read);
+        }
+
+        /**
+         * @brief Serializes the structure variables into a FULL Ultra proof. Should be called
+         * only if deserialize_full_transcript() was called and some transcript variable was
+         * modified.
+         *
+         */
+        void serialize_full_transcript()
+        {
+            size_t old_proof_length = proof_data.size();
+            proof_data.clear(); // clear proof_data so the rest of the function can replace it
+            serialize_to_buffer(circuit_size, proof_data);
+            serialize_to_buffer(public_input_size, proof_data);
+            serialize_to_buffer(pub_inputs_offset, proof_data);
+            for (size_t i = 0; i < public_input_size; ++i) {
+                serialize_to_buffer(public_inputs[i], proof_data);
+            }
+            serialize_to_buffer(w_l_comm, proof_data);
+            serialize_to_buffer(w_r_comm, proof_data);
+            serialize_to_buffer(w_o_comm, proof_data);
+            serialize_to_buffer(lookup_read_counts_comm, proof_data);
+            serialize_to_buffer(lookup_read_tags_comm, proof_data);
+            serialize_to_buffer(w_4_comm, proof_data);
+            serialize_to_buffer(lookup_inverses_comm, proof_data);
+            serialize_to_buffer(z_perm_comm, proof_data);
+            for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) {
+                serialize_to_buffer(sumcheck_univariates[i], proof_data);
+            }
+            serialize_to_buffer(sumcheck_evaluations, proof_data);
+            for (size_t i = 0; i < CONST_PROOF_SIZE_LOG_N; ++i) {
+                serialize_to_buffer(zm_cq_comms[i], proof_data);
+            }
+            serialize_to_buffer(zm_cq_comm, proof_data);
+            serialize_to_buffer(kzg_w_comm, proof_data);
+
+            // sanity check to make sure we generate the same length of proof as before.
+            ASSERT(proof_data.size() == old_proof_length);
+        }
+    };
+};
+
+} // namespace bb
diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp
index 97ea56dde77..2d8af1288aa 100644
--- a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp
+++ b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.cpp
@@ -80,6 +80,7 @@ void ProverInstance_<Flavor>::construct_databus_polynomials(Circuit& circuit)
 }
 
 template class ProverInstance_<UltraFlavor>;
+template class ProverInstance_<UltraKeccakFlavor>;
 template class ProverInstance_<MegaFlavor>;
 
 } // namespace bb
diff --git a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp
index ca17fd3c610..ddcc80cb68f 100644
--- a/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp
+++ b/barretenberg/cpp/src/barretenberg/sumcheck/instance/prover_instance.hpp
@@ -8,6 +8,7 @@
 #include "barretenberg/relations/relation_parameters.hpp"
 #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp"
 #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp"
+#include "barretenberg/stdlib_circuit_builders/ultra_keccak.hpp"
 
 namespace bb {
 /**
diff --git a/barretenberg/cpp/src/barretenberg/transcript/transcript.hpp b/barretenberg/cpp/src/barretenberg/transcript/transcript.hpp
index afd0d33dc5e..8220d57c681 100644
--- a/barretenberg/cpp/src/barretenberg/transcript/transcript.hpp
+++ b/barretenberg/cpp/src/barretenberg/transcript/transcript.hpp
@@ -159,9 +159,8 @@ template <typename TranscriptParams> class BaseTranscript {
         // Hash the full buffer with poseidon2, which is believed to be a collision resistant hash function and a random
         // oracle, removing the need to pre-hash to compress and then hash with a random oracle, as we previously did
         // with Pedersen and Blake3s.
-        Fr base_hash = TranscriptParams::hash(full_buffer);
+        Fr new_challenge = TranscriptParams::hash(full_buffer);
 
-        Fr new_challenge = base_hash;
         // update previous challenge buffer for next time we call this function
         previous_challenge = new_challenge;
         return new_challenge;
@@ -278,7 +277,8 @@ template <typename TranscriptParams> class BaseTranscript {
             //             HASH_OUTPUT_SIZE / 2,
             //             field_element_buffer.begin() + HASH_OUTPUT_SIZE / 2);
             */
-            challenges[i] = TranscriptParams::template convert_challenge<ChallengeType>(get_next_challenge_buffer());
+            auto challenge_buffer = get_next_challenge_buffer();
+            challenges[i] = TranscriptParams::template convert_challenge<ChallengeType>(challenge_buffer);
         }
 
         // Prepare for next round.
@@ -397,4 +397,63 @@ static bb::StdlibProof<Builder> convert_proof_to_witness(Builder* builder, const
 
 using NativeTranscript = BaseTranscript<NativeTranscriptParams>;
 
+///////////////////////////////////////////
+// Solidity Transcript
+///////////////////////////////////////////
+
+// This is a compatible wrapper around the keccak256 function from ethash
+inline bb::fr keccak_hash_uint256(std::vector<bb::fr> const& data)
+// Losing 2 bits of this is not an issue -> we can just reduce mod p
+{
+    // cast into uint256_t
+    std::vector<uint8_t> buffer = to_buffer(data);
+
+    keccak256 hash_result = ethash_keccak256(&buffer[0], buffer.size());
+    for (auto& word : hash_result.word64s) {
+        if (is_little_endian()) {
+            word = __builtin_bswap64(word);
+        }
+    }
+    std::array<uint8_t, 32> result;
+
+    for (size_t i = 0; i < 4; ++i) {
+        for (size_t j = 0; j < 8; ++j) {
+            uint8_t byte = static_cast<uint8_t>(hash_result.word64s[i] >> (56 - (j * 8)));
+            result[i * 8 + j] = byte;
+        }
+    }
+
+    auto result_fr = from_buffer<bb::fr>(result);
+
+    return result_fr;
+}
+
+struct KeccakTranscriptParams {
+    using Fr = bb::fr;
+    using Proof = HonkProof;
+
+    static inline Fr hash(const std::vector<Fr>& data) { return keccak_hash_uint256(data); }
+
+    template <typename T> static inline T convert_challenge(const Fr& challenge)
+    {
+        return bb::field_conversion::convert_challenge<T>(challenge);
+    }
+    template <typename T> static constexpr size_t calc_num_bn254_frs()
+    {
+        return bb::field_conversion::calc_num_bn254_frs<T>();
+    }
+    template <typename T> static inline T convert_from_bn254_frs(std::span<const Fr> frs)
+    {
+        return bb::field_conversion::convert_from_bn254_frs<T>(frs);
+    }
+    template <typename T> static inline std::vector<Fr> convert_to_bn254_frs(const T& element)
+    {
+        // TODO(md): Need to refactor this to be able to NOT just be field elements - Im working about it in the
+        // verifier for keccak resulting in twice as much hashing
+        return bb::field_conversion::convert_to_bn254_frs(element);
+    }
+};
+
+using KeccakTranscript = BaseTranscript<KeccakTranscriptParams>;
+
 } // namespace bb
diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp
index 404f251b9b5..ab99b6b2b4f 100644
--- a/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp
+++ b/barretenberg/cpp/src/barretenberg/ultra_honk/decider_prover.cpp
@@ -74,6 +74,7 @@ template <IsUltraFlavor Flavor> HonkProof DeciderProver_<Flavor>::construct_proo
 }
 
 template class DeciderProver_<UltraFlavor>;
+template class DeciderProver_<UltraKeccakFlavor>;
 template class DeciderProver_<MegaFlavor>;
 
 } // namespace bb
diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp
index 47993acabcc..bf1e6f04c38 100644
--- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp
+++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.cpp
@@ -175,6 +175,7 @@ template <IsUltraFlavor Flavor> typename Flavor::RelationSeparator OinkProver<Fl
 }
 
 template class OinkProver<UltraFlavor>;
+template class OinkProver<UltraKeccakFlavor>;
 template class OinkProver<MegaFlavor>;
 
 } // namespace bb
\ No newline at end of file
diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp
index 011e38b6361..245d8256cd6 100644
--- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp
+++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_prover.hpp
@@ -21,6 +21,7 @@
 
 #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp"
 #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp"
+#include "barretenberg/stdlib_circuit_builders/ultra_keccak.hpp"
 #include "barretenberg/transcript/transcript.hpp"
 
 namespace bb {
diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp
index ad4f69c2258..e076b47bc1a 100644
--- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp
+++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.cpp
@@ -148,6 +148,7 @@ template <IsUltraFlavor Flavor> typename Flavor::RelationSeparator OinkVerifier<
 }
 
 template class OinkVerifier<UltraFlavor>;
+template class OinkVerifier<UltraKeccakFlavor>;
 template class OinkVerifier<MegaFlavor>;
 
 } // namespace bb
\ No newline at end of file
diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp
index 2f101f13392..d66dd2a2b9d 100644
--- a/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp
+++ b/barretenberg/cpp/src/barretenberg/ultra_honk/oink_verifier.hpp
@@ -5,6 +5,7 @@
 #include "barretenberg/relations/relation_parameters.hpp"
 #include "barretenberg/stdlib_circuit_builders/mega_flavor.hpp"
 #include "barretenberg/stdlib_circuit_builders/ultra_flavor.hpp"
+#include "barretenberg/stdlib_circuit_builders/ultra_keccak.hpp"
 
 namespace bb {
 
diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp
index 562562de67b..7fe626eb220 100644
--- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp
+++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.cpp
@@ -61,6 +61,7 @@ template <IsUltraFlavor Flavor> HonkProof UltraProver_<Flavor>::construct_proof(
 }
 
 template class UltraProver_<UltraFlavor>;
+template class UltraProver_<UltraKeccakFlavor>;
 template class UltraProver_<MegaFlavor>;
 
 } // namespace bb
diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp
index aa580108678..2a11cb4fe74 100644
--- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp
+++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_prover.hpp
@@ -53,6 +53,7 @@ template <IsUltraFlavor Flavor_> class UltraProver_ {
 };
 
 using UltraProver = UltraProver_<UltraFlavor>;
+using UltraKeccakProver = UltraProver_<UltraKeccakFlavor>;
 using MegaProver = UltraProver_<MegaFlavor>;
 
 } // namespace bb
diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp
index 6804be61836..7526a33a115 100644
--- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp
+++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.cpp
@@ -90,6 +90,7 @@ template <typename Flavor> bool UltraVerifier_<Flavor>::verify_proof(const HonkP
 }
 
 template class UltraVerifier_<UltraFlavor>;
+template class UltraVerifier_<UltraKeccakFlavor>;
 template class UltraVerifier_<MegaFlavor>;
 
 } // namespace bb
diff --git a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.hpp b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.hpp
index 71dccbeac9f..727b30482fd 100644
--- a/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.hpp
+++ b/barretenberg/cpp/src/barretenberg/ultra_honk/ultra_verifier.hpp
@@ -30,6 +30,7 @@ template <typename Flavor> class UltraVerifier_ {
 };
 
 using UltraVerifier = UltraVerifier_<UltraFlavor>;
+using UltraKeccakVerifier = UltraVerifier_<UltraKeccakFlavor>;
 using MegaVerifier = UltraVerifier_<MegaFlavor>;
 
 } // namespace bb
diff --git a/barretenberg/sol/foundry.toml b/barretenberg/sol/foundry.toml
index 4bb153bc7de..73aedc5a84a 100644
--- a/barretenberg/sol/foundry.toml
+++ b/barretenberg/sol/foundry.toml
@@ -3,10 +3,13 @@ src = 'src'
 out = 'out'
 libs = ['lib']
 ffi = true
+optimizer_runs = 500
+gas_limit = 900000000000000000
 
 [fuzz]
 runs = 1
 
+
 solc = "0.8.21"
 
 # See more config options https://github.com/foundry-rs/foundry/tree/master/config
\ No newline at end of file
diff --git a/barretenberg/sol/scripts/init_honk.sh b/barretenberg/sol/scripts/init_honk.sh
new file mode 100755
index 00000000000..6680116e106
--- /dev/null
+++ b/barretenberg/sol/scripts/init_honk.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+PLONK_FLAVOUR="honk"
+SRS_PATH="../cpp/srs_db/ignition"
+OUTPUT_PATH="./src/honk"
+
+mkdir -p './src/honk/keys'
+
+../cpp/build/bin/honk_solidity_key_gen $PLONK_FLAVOUR add2 $OUTPUT_PATH $SRS_PATH
+../cpp/build/bin/honk_solidity_key_gen $PLONK_FLAVOUR blake $OUTPUT_PATH $SRS_PATH
+../cpp/build/bin/honk_solidity_key_gen $PLONK_FLAVOUR ecdsa $OUTPUT_PATH $SRS_PATH
\ No newline at end of file
diff --git a/barretenberg/sol/scripts/run_fuzzer.sh b/barretenberg/sol/scripts/run_fuzzer.sh
index 2c76ad1de43..e8686c5d5a7 100755
--- a/barretenberg/sol/scripts/run_fuzzer.sh
+++ b/barretenberg/sol/scripts/run_fuzzer.sh
@@ -4,9 +4,16 @@ PLONK_FLAVOUR=${1:-"ultra"}
 CIRCUIT_FLAVOUR=${2:-"blake"}
 INPUTS=${3:-"1,2,3,4"}
 
+BIN="../cpp/build/bin/solidity_proof_gen"
+
 INPUTS="$( sed 's/\\n//g' <<<"$INPUTS" )"
 
 SRS_PATH="../cpp/srs_db/ignition"
 
+# If the plonk flavour is honk, then run the honk generator
+if [ "$PLONK_FLAVOUR" == "honk" ]; then
+    BIN="../cpp/build/bin/honk_solidity_proof_gen"
+fi
+
 # @note This needs to be updated to point to the generator
-../cpp/build/bin/solidity_proof_gen $PLONK_FLAVOUR $CIRCUIT_FLAVOUR $SRS_PATH $INPUTS
\ No newline at end of file
+$BIN $PLONK_FLAVOUR $CIRCUIT_FLAVOUR $SRS_PATH $INPUTS
\ No newline at end of file
diff --git a/barretenberg/sol/src/honk/Fr.sol b/barretenberg/sol/src/honk/Fr.sol
new file mode 100644
index 00000000000..26fada6693a
--- /dev/null
+++ b/barretenberg/sol/src/honk/Fr.sol
@@ -0,0 +1,116 @@
+// TODO: doc
+pragma solidity ^0.8.21;
+
+type Fr is uint256;
+
+using {add as +} for Fr global;
+using {sub as -} for Fr global;
+using {mul as *} for Fr global;
+
+// Yuck using ^ for exp  - todo maybe make it manual
+using {exp as ^} for Fr global;
+using {notEqual as !=} for Fr global;
+using {equal as ==} for Fr global;
+
+uint256 constant MODULUS = 21888242871839275222246405745257275088548364400416034343698204186575808495617; // Prime field order
+
+// Instantiation
+library FrLib {
+    function from(uint256 value) internal pure returns (Fr) {
+        return Fr.wrap(value % MODULUS);
+    }
+
+    function fromBytes32(bytes32 value) internal pure returns (Fr) {
+        return Fr.wrap(uint256(value) % MODULUS);
+    }
+
+    function toBytes32(Fr value) internal pure returns (bytes32) {
+        return bytes32(Fr.unwrap(value));
+    }
+
+    function invert(Fr value) internal view returns (Fr) {
+        uint256 v = Fr.unwrap(value);
+        uint256 result;
+
+        // Call the modexp precompile to invert in the field
+        assembly {
+            let free := mload(0x40)
+            mstore(free, 0x20)
+            mstore(add(free, 0x20), 0x20)
+            mstore(add(free, 0x40), 0x20)
+            mstore(add(free, 0x60), v)
+            mstore(add(free, 0x80), sub(MODULUS, 2)) // TODO: check --via-ir will compiler inline
+            mstore(add(free, 0xa0), MODULUS)
+            let success := staticcall(gas(), 0x05, free, 0xc0, 0x00, 0x20)
+            if iszero(success) {
+                // TODO: meaningful error
+                revert(0, 0)
+            }
+            result := mload(0x00)
+        }
+
+        return Fr.wrap(result);
+    }
+
+    // TODO: edit other pow, it only works for powers of two
+    function pow(Fr base, uint256 v) internal view returns (Fr) {
+        uint256 b = Fr.unwrap(base);
+        uint256 result;
+
+        // Call the modexp precompile to invert in the field
+        assembly {
+            let free := mload(0x40)
+            mstore(free, 0x20)
+            mstore(add(free, 0x20), 0x20)
+            mstore(add(free, 0x40), 0x20)
+            mstore(add(free, 0x60), b)
+            mstore(add(free, 0x80), v) // TODO: check --via-ir will compiler inline
+            mstore(add(free, 0xa0), MODULUS)
+            let success := staticcall(gas(), 0x05, free, 0xc0, 0x00, 0x20)
+            if iszero(success) {
+                // TODO: meaningful error
+                revert(0, 0)
+            }
+            result := mload(0x00)
+        }
+
+        return Fr.wrap(result);
+    }
+
+    // TODO: Montgomery's batch inversion trick
+    function div(Fr numerator, Fr denominator) internal view returns (Fr) {
+        Fr inversion = invert(denominator);
+        return numerator * invert(denominator);
+    }
+}
+
+// Free functions
+function add(Fr a, Fr b) pure returns (Fr) {
+    return Fr.wrap(addmod(Fr.unwrap(a), Fr.unwrap(b), MODULUS));
+}
+
+function mul(Fr a, Fr b) pure returns (Fr) {
+    return Fr.wrap(mulmod(Fr.unwrap(a), Fr.unwrap(b), MODULUS));
+}
+
+function sub(Fr a, Fr b) pure returns (Fr) {
+    return Fr.wrap(addmod(Fr.unwrap(a), MODULUS - Fr.unwrap(b), MODULUS));
+}
+
+// TODO: double check this !
+function exp(Fr base, Fr exponent) pure returns (Fr) {
+    if (Fr.unwrap(exponent) == 0) return Fr.wrap(1);
+    // Implement exponent with a loop as we will overflow otherwise
+    for (uint256 i = 1; i < Fr.unwrap(exponent); i += i) {
+        base = base * base;
+    }
+    return base;
+}
+
+function notEqual(Fr a, Fr b) pure returns (bool) {
+    return Fr.unwrap(a) != Fr.unwrap(b);
+}
+
+function equal(Fr a, Fr b) pure returns (bool) {
+    return Fr.unwrap(a) == Fr.unwrap(b);
+}
diff --git a/barretenberg/sol/src/honk/HonkTypes.sol b/barretenberg/sol/src/honk/HonkTypes.sol
new file mode 100644
index 00000000000..17d749c9de5
--- /dev/null
+++ b/barretenberg/sol/src/honk/HonkTypes.sol
@@ -0,0 +1,140 @@
+// SPDX-License-Identifier: MIT
+pragma solidity >=0.8.21;
+
+// Temp only set here for testing, logn will be templated
+import {LOG_N} from "./keys/Add2HonkVerificationKey.sol";
+
+import {Fr} from "./Fr.sol";
+
+uint256 constant CONST_PROOF_SIZE_LOG_N = 28;
+
+uint256 constant NUMBER_OF_SUBRELATIONS = 18;
+uint256 constant BATCHED_RELATION_PARTIAL_LENGTH = 7;
+uint256 constant NUMBER_OF_ENTITIES = 42;
+uint256 constant NUMBER_OF_ALPHAS = 17;
+
+// Prime field order
+uint256 constant Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583; // EC group order
+uint256 constant P = 21888242871839275222246405745257275088548364400416034343698204186575808495617; // Prime field order
+
+// ENUM FOR WIRES
+enum WIRE {
+    Q_M,
+    Q_C,
+    Q_L,
+    Q_R,
+    Q_O,
+    Q_4,
+    Q_ARITH,
+    Q_RANGE,
+    Q_ELLIPTIC,
+    Q_AUX,
+    Q_LOOKUP,
+    SIGMA_1,
+    SIGMA_2,
+    SIGMA_3,
+    SIGMA_4,
+    ID_1,
+    ID_2,
+    ID_3,
+    ID_4,
+    TABLE_1,
+    TABLE_2,
+    TABLE_3,
+    TABLE_4,
+    LAGRANGE_FIRST,
+    LAGRANGE_LAST,
+    W_L,
+    W_R,
+    W_O,
+    W_4,
+    Z_PERM,
+    LOOKUP_INVERSES,
+    LOOKUP_READ_COUNTS,
+    LOOKUP_READ_TAGS,
+    TABLE_1_SHIFT,
+    TABLE_2_SHIFT,
+    TABLE_3_SHIFT,
+    TABLE_4_SHIFT,
+    W_L_SHIFT,
+    W_R_SHIFT,
+    W_O_SHIFT,
+    W_4_SHIFT,
+    Z_PERM_SHIFT
+}
+
+library Honk {
+    struct G1Point {
+        uint256 x;
+        uint256 y;
+    }
+
+    // TODO(md): temporary work around transcript fields
+    struct G1ProofPoint {
+        uint256 x_0;
+        uint256 x_1;
+        uint256 y_0;
+        uint256 y_1;
+    }
+
+    struct VerificationKey {
+        // Misc Params
+        uint256 circuitSize;
+        uint256 logCircuitSize;
+        uint256 publicInputsSize;
+        // Selectors
+        G1Point qm;
+        G1Point qc;
+        G1Point ql;
+        G1Point qr;
+        G1Point qo;
+        G1Point q4;
+        G1Point qArith; // Arithmetic widget
+        G1Point qDeltaRange; // Delta Range sort
+        G1Point qAux; // Auxillary
+        G1Point qElliptic; // Auxillary
+        G1Point qLookup; // Lookup
+        // Copy cnstraints
+        G1Point s1;
+        G1Point s2;
+        G1Point s3;
+        G1Point s4;
+        // Copy identity
+        G1Point id1;
+        G1Point id2;
+        G1Point id3;
+        G1Point id4;
+        // Precomputed lookup table
+        G1Point t1;
+        G1Point t2;
+        G1Point t3;
+        G1Point t4;
+        // Fixed first and last
+        G1Point lagrangeFirst;
+        G1Point lagrangeLast;
+    }
+
+    struct Proof {
+        uint256 circuitSize;
+        uint256 publicInputsSize;
+        uint256 publicInputsOffset;
+        // Free wires
+        Honk.G1ProofPoint w1;
+        Honk.G1ProofPoint w2;
+        Honk.G1ProofPoint w3;
+        Honk.G1ProofPoint w4;
+        // Lookup helpers - permutations
+        Honk.G1ProofPoint zPerm;
+        // Lookup helpers - logup plookup
+        Honk.G1ProofPoint lookupReadCounts;
+        Honk.G1ProofPoint lookupReadTags;
+        Honk.G1ProofPoint lookupInverses;
+        // Sumcheck
+        Fr[BATCHED_RELATION_PARTIAL_LENGTH][LOG_N] sumcheckUnivariates;
+        Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations;
+        // Zero morph
+        Honk.G1ProofPoint[LOG_N] zmCqs;
+        Honk.G1ProofPoint zmCq;
+        Honk.G1ProofPoint zmPi;
+    }
+}
diff --git a/barretenberg/sol/src/honk/HonkVerifier.sol b/barretenberg/sol/src/honk/HonkVerifier.sol
new file mode 100644
index 00000000000..ed448b255db
--- /dev/null
+++ b/barretenberg/sol/src/honk/HonkVerifier.sol
@@ -0,0 +1,1217 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Aztec Labs
+pragma solidity >=0.8.21;
+
+import {IVerifier} from "../interfaces/IVerifier.sol";
+import {Add2HonkVerificationKey as VK, N, LOG_N} from "./keys/Add2HonkVerificationKey.sol";
+
+import {
+    Honk,
+    WIRE,
+    NUMBER_OF_ENTITIES,
+    NUMBER_OF_SUBRELATIONS,
+    NUMBER_OF_ALPHAS,
+    BATCHED_RELATION_PARTIAL_LENGTH,
+    CONST_PROOF_SIZE_LOG_N,
+    P,
+    Q
+} from "./HonkTypes.sol";
+
+import {ecMul, ecAdd, ecSub, negateInplace, convertProofPoint} from "./utils.sol";
+
+// Field arithmetic libraries - prevent littering the code with modmul / addmul
+import {Fr, FrLib} from "./Fr.sol";
+// Transcript library to generate fiat shamir challenges
+import {Transcript, TranscriptLib} from "./Transcript.sol";
+
+error PublicInputsLengthWrong();
+error SumcheckFailed();
+error ZeromorphFailed();
+
+/// Smart contract verifier of honk proofs
+abstract contract BaseHonkVerifier is IVerifier {
+    Fr internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = Fr.wrap(17); // -(-17)
+
+    // TODO(md): I would perfer the publicInputs to be uint256
+    function verify(bytes calldata proof, bytes32[] calldata publicInputs) public view override returns (bool) {
+        Honk.VerificationKey memory vk = loadVerificationKey();
+        Honk.Proof memory p = loadProof(proof);
+
+        if (vk.publicInputsSize != publicInputs.length) {
+            revert PublicInputsLengthWrong();
+        }
+
+        // Generate the fiat shamir challenges for the whole protocol
+        Transcript memory t = TranscriptLib.generateTranscript(p, vk, publicInputs);
+
+        // Compute the public input delta
+        t.publicInputsDelta =
+            computePublicInputDelta(publicInputs, t.beta, t.gamma, vk.circuitSize, p.publicInputsOffset);
+
+        // Sumcheck
+        bool sumcheckVerified = verifySumcheck(p, t);
+        if (!sumcheckVerified) revert SumcheckFailed();
+
+        // Zeromorph
+        bool zeromorphVerified = verifyZeroMorph(p, vk, t);
+        if (!zeromorphVerified) revert ZeromorphFailed();
+
+        return sumcheckVerified && zeromorphVerified; // Boolean condition not required - nice for vanity :)
+    }
+
+    function loadVerificationKey() internal view returns (Honk.VerificationKey memory) {
+        return VK.loadVerificationKey();
+    }
+
+    // TODO: mod q proof points
+    // TODO: Preprocess all of the memory locations
+    // TODO: Adjust proof point serde away from poseidon forced field elements
+    function loadProof(bytes calldata proof) internal view returns (Honk.Proof memory) {
+        Honk.Proof memory p;
+
+        // Metadata
+        p.circuitSize = uint256(bytes32(proof[0x00:0x20]));
+        p.publicInputsSize = uint256(bytes32(proof[0x20:0x40]));
+        p.publicInputsOffset = uint256(bytes32(proof[0x40:0x60]));
+
+        // Commitments
+        p.w1 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x60:0x80])),
+            x_1: uint256(bytes32(proof[0x80:0xa0])),
+            y_0: uint256(bytes32(proof[0xa0:0xc0])),
+            y_1: uint256(bytes32(proof[0xc0:0xe0]))
+        });
+
+        p.w2 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0xe0:0x100])),
+            x_1: uint256(bytes32(proof[0x100:0x120])),
+            y_0: uint256(bytes32(proof[0x120:0x140])),
+            y_1: uint256(bytes32(proof[0x140:0x160]))
+        });
+        p.w3 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x160:0x180])),
+            x_1: uint256(bytes32(proof[0x180:0x1a0])),
+            y_0: uint256(bytes32(proof[0x1a0:0x1c0])),
+            y_1: uint256(bytes32(proof[0x1c0:0x1e0]))
+        });
+
+        // Lookup / Permutation Helper Commitments
+        // TODO(md): update the log deriv prover commitment rounds
+        p.lookupReadCounts = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x1e0:0x200])),
+            x_1: uint256(bytes32(proof[0x200:0x220])),
+            y_0: uint256(bytes32(proof[0x220:0x240])),
+            y_1: uint256(bytes32(proof[0x240:0x260]))
+        });
+        p.lookupReadTags = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x260:0x280])),
+            x_1: uint256(bytes32(proof[0x280:0x2a0])),
+            y_0: uint256(bytes32(proof[0x2a0:0x2c0])),
+            y_1: uint256(bytes32(proof[0x2c0:0x2e0]))
+        });
+        p.w4 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x2e0:0x300])),
+            x_1: uint256(bytes32(proof[0x300:0x320])),
+            y_0: uint256(bytes32(proof[0x320:0x340])),
+            y_1: uint256(bytes32(proof[0x340:0x360]))
+        });
+        p.lookupInverses = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x360:0x380])),
+            x_1: uint256(bytes32(proof[0x380:0x3a0])),
+            y_0: uint256(bytes32(proof[0x3a0:0x3c0])),
+            y_1: uint256(bytes32(proof[0x3c0:0x3e0]))
+        });
+        p.zPerm = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x3e0:0x400])),
+            x_1: uint256(bytes32(proof[0x400:0x420])),
+            y_0: uint256(bytes32(proof[0x420:0x440])),
+            y_1: uint256(bytes32(proof[0x440:0x460]))
+        });
+
+        // TEMP the boundary of what has already been read
+        uint256 boundary = 0x460;
+
+        // Sumcheck univariates
+        // TODO: in this case we know what log_n is - so we hard code it, we would want this to be included in
+        // a cpp template for different circuit sizes
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            // The loop boundary of i, this will shift forward on each evaluation
+            uint256 loop_boundary = boundary + (i * 0x20 * BATCHED_RELATION_PARTIAL_LENGTH);
+
+            for (uint256 j = 0; j < BATCHED_RELATION_PARTIAL_LENGTH; j++) {
+                uint256 start = loop_boundary + (j * 0x20);
+                uint256 end = start + 0x20;
+                p.sumcheckUnivariates[i][j] = FrLib.fromBytes32(bytes32(proof[start:end]));
+            }
+        }
+
+        boundary = boundary + (CONST_PROOF_SIZE_LOG_N * BATCHED_RELATION_PARTIAL_LENGTH * 0x20);
+        // Sumcheck evaluations
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) {
+            uint256 start = boundary + (i * 0x20);
+            uint256 end = start + 0x20;
+            p.sumcheckEvaluations[i] = FrLib.fromBytes32(bytes32(proof[start:end]));
+        }
+
+        boundary = boundary + (NUMBER_OF_ENTITIES * 0x20);
+        // Zero morph Commitments
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            // Explicitly stating the x0, x1, y0, y1 start and end boundaries to make the calldata slicing bearable
+            uint256 xStart = boundary + (i * 0x80);
+            uint256 xEnd = xStart + 0x20;
+
+            uint256 x1Start = xEnd;
+            uint256 x1End = x1Start + 0x20;
+
+            uint256 yStart = x1End;
+            uint256 yEnd = yStart + 0x20;
+
+            uint256 y1Start = yEnd;
+            uint256 y1End = y1Start + 0x20;
+
+            p.zmCqs[i] = Honk.G1ProofPoint({
+                x_0: uint256(bytes32(proof[xStart:xEnd])),
+                x_1: uint256(bytes32(proof[x1Start:x1End])),
+                y_0: uint256(bytes32(proof[yStart:yEnd])),
+                y_1: uint256(bytes32(proof[y1Start:y1End]))
+            });
+        }
+
+        boundary = boundary + (CONST_PROOF_SIZE_LOG_N * 0x80);
+
+        p.zmCq = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[boundary:boundary + 0x20])),
+            x_1: uint256(bytes32(proof[boundary + 0x20:boundary + 0x40])),
+            y_0: uint256(bytes32(proof[boundary + 0x40:boundary + 0x60])),
+            y_1: uint256(bytes32(proof[boundary + 0x60:boundary + 0x80]))
+        });
+
+        p.zmPi = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[boundary + 0x80:boundary + 0xa0])),
+            x_1: uint256(bytes32(proof[boundary + 0xa0:boundary + 0xc0])),
+            y_0: uint256(bytes32(proof[boundary + 0xc0:boundary + 0xe0])),
+            y_1: uint256(bytes32(proof[boundary + 0xe0:boundary + 0x100]))
+        });
+
+        return p;
+    }
+
+    function computePublicInputDelta(
+        bytes32[] memory publicInputs,
+        Fr beta,
+        Fr gamma,
+        uint256 domainSize,
+        uint256 offset
+    ) internal view returns (Fr publicInputDelta) {
+        Fr numerator = Fr.wrap(1);
+        Fr denominator = Fr.wrap(1);
+
+        Fr numeratorAcc = gamma + (beta * FrLib.from(domainSize + offset));
+        Fr denominatorAcc = gamma - (beta * FrLib.from(offset + 1));
+
+        {
+            for (uint256 i = 0; i < publicInputs.length; i++) {
+                Fr pubInput = FrLib.fromBytes32(publicInputs[i]);
+
+                numerator = numerator * (numeratorAcc + pubInput);
+                denominator = denominator * (denominatorAcc + pubInput);
+
+                numeratorAcc = numeratorAcc + beta;
+                denominatorAcc = denominatorAcc - beta;
+            }
+        }
+
+        // Fr delta = numerator / denominator; // TOOO: batch invert later?
+        publicInputDelta = FrLib.div(numerator, denominator);
+    }
+
+    uint256 constant ROUND_TARGET = 0;
+
+    function verifySumcheck(Honk.Proof memory proof, Transcript memory tp) internal view returns (bool verified) {
+        Fr roundTarget;
+        Fr powPartialEvaluation = Fr.wrap(1);
+
+        // We perform sumcheck reductions over log n rounds ( the multivariate degree )
+        for (uint256 round; round < LOG_N; ++round) {
+            Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate = proof.sumcheckUnivariates[round];
+            bool valid = checkSum(roundUnivariate, roundTarget);
+            if (!valid) revert SumcheckFailed();
+
+            Fr roundChallenge = tp.sumCheckUChallenges[round];
+
+            // Update the round target for the next rounf
+            roundTarget = computeNextTargetSum(roundUnivariate, roundChallenge);
+            powPartialEvaluation = partiallyEvaluatePOW(tp, powPartialEvaluation, roundChallenge, round);
+        }
+
+        // Last round
+        Fr grandHonkRelationSum = accumulateRelationEvaluations(proof, tp, powPartialEvaluation);
+        verified = (grandHonkRelationSum == roundTarget);
+    }
+
+    function checkSum(Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate, Fr roundTarget)
+        internal
+        view
+        returns (bool checked)
+    {
+        Fr totalSum = roundUnivariate[0] + roundUnivariate[1];
+        checked = totalSum == roundTarget;
+    }
+
+    // Return the new target sum for the next sumcheck round
+    function computeNextTargetSum(Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariates, Fr roundChallenge)
+        internal
+        view
+        returns (Fr targetSum)
+    {
+        // TODO: inline
+        Fr[7] memory BARYCENTRIC_LAGRANGE_DENOMINATORS = [
+            Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000002d0),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff89),
+            Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000030),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffffdd),
+            Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000030),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff89),
+            Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000002d0)
+        ];
+
+        Fr[7] memory BARYCENTRIC_DOMAIN =
+            [Fr.wrap(0x00), Fr.wrap(0x01), Fr.wrap(0x02), Fr.wrap(0x03), Fr.wrap(0x04), Fr.wrap(0x05), Fr.wrap(0x06)];
+        // To compute the next target sum, we evaluate the given univariate at a point u (challenge).
+
+        // TODO: opt: use same array mem for each iteratioon
+        // Performing Barycentric evaluations
+        // Compute B(x)
+        Fr numeratorValue = Fr.wrap(1);
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            numeratorValue = numeratorValue * (roundChallenge - Fr.wrap(i));
+        }
+
+        // Calculate domain size N of inverses -- TODO: montgomery's trick
+        Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory denominatorInverses;
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            Fr inv = BARYCENTRIC_LAGRANGE_DENOMINATORS[i];
+            inv = inv * (roundChallenge - BARYCENTRIC_DOMAIN[i]);
+            inv = FrLib.invert(inv);
+            denominatorInverses[i] = inv;
+        }
+
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            Fr term = roundUnivariates[i];
+            term = term * denominatorInverses[i];
+            targetSum = targetSum + term;
+        }
+
+        // Scale the sum by the value of B(x)
+        targetSum = targetSum * numeratorValue;
+    }
+
+    // Univariate evaluation of the monomial ((1-X_l) + X_l.B_l) at the challenge point X_l=u_l
+    function partiallyEvaluatePOW(Transcript memory tp, Fr currentEvaluation, Fr roundChallenge, uint256 round)
+        internal
+        view
+        returns (Fr newEvaluation)
+    {
+        Fr univariateEval = Fr.wrap(1) + (roundChallenge * (tp.gateChallenges[round] - Fr.wrap(1)));
+        newEvaluation = currentEvaluation * univariateEval;
+    }
+
+    // Calculate the contributions of each relation to the expected value of the full honk relation
+    //
+    // For each relation, we use the purported values ( the ones provided by the prover ) of the multivariates to
+    // calculate a contribution to the purported value of the full Honk relation.
+    // These are stored in the evaluations part of the proof object.
+    // We add these together, with the appropiate scaling factor ( the alphas calculated in challenges )
+    // This value is checked against the final value of the target total sum - et voila!
+    function accumulateRelationEvaluations(Honk.Proof memory proof, Transcript memory tp, Fr powPartialEval)
+        internal
+        view
+        returns (Fr accumulator)
+    {
+        Fr[NUMBER_OF_ENTITIES] memory purportedEvaluations = proof.sumcheckEvaluations;
+        Fr[NUMBER_OF_SUBRELATIONS] memory evaluations;
+
+        // Accumulate all 6 custom gates - each with varying number of subrelations
+        // TODO: annotate how many subrealtions each has
+        accumulateArithmeticRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulatePermutationRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+        accumulateLogDerivativeLookupRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+        accumulateDeltaRangeRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulateEllipticRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulateAuxillaryRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+
+        // Apply alpha challenges to challenge evaluations
+        // Returns grand honk realtion evaluation
+        accumulator = scaleAndBatchSubrelations(evaluations, tp.alphas);
+    }
+
+    /**
+     * WIRE
+     *
+     * Wire is an aesthetic helper function that is used to index by enum into proof.sumcheckEvaluations, it avoids
+     * the relation checking code being cluttered with uint256 type casting, which is often a different colour in code
+     * editors, and thus is noisy.
+     */
+    function wire(Fr[NUMBER_OF_ENTITIES] memory p, WIRE _wire) internal pure returns (Fr) {
+        return p[uint256(_wire)];
+    }
+
+    /**
+     * Ultra Arithmetic Relation
+     *
+     */
+    function accumulateArithmeticRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        // Relation 0
+        Fr q_arith = wire(p, WIRE.Q_ARITH);
+        {
+            Fr neg_half = Fr.wrap(0) - (FrLib.invert(Fr.wrap(2)));
+
+            Fr accum = (q_arith - Fr.wrap(3)) * (wire(p, WIRE.Q_M) * wire(p, WIRE.W_R) * wire(p, WIRE.W_L)) * neg_half;
+            accum = accum + (wire(p, WIRE.Q_L) * wire(p, WIRE.W_L)) + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_R))
+                + (wire(p, WIRE.Q_O) * wire(p, WIRE.W_O)) + (wire(p, WIRE.Q_4) * wire(p, WIRE.W_4)) + wire(p, WIRE.Q_C);
+            accum = accum + (q_arith - Fr.wrap(1)) * wire(p, WIRE.W_4_SHIFT);
+            accum = accum * q_arith;
+            accum = accum * domainSep;
+            evals[0] = accum;
+        }
+
+        // Relation 1
+        {
+            Fr accum = wire(p, WIRE.W_L) + wire(p, WIRE.W_4) - wire(p, WIRE.W_L_SHIFT) + wire(p, WIRE.Q_M);
+            accum = accum * (q_arith - Fr.wrap(2));
+            accum = accum * (q_arith - Fr.wrap(1));
+            accum = accum * q_arith;
+            accum = accum * domainSep;
+            evals[1] = accum;
+        }
+    }
+
+    function accumulatePermutationRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr grand_product_numerator;
+        Fr grand_product_denominator;
+
+        {
+            Fr num = wire(p, WIRE.W_L) + wire(p, WIRE.ID_1) * tp.beta + tp.gamma;
+            num = num * (wire(p, WIRE.W_R) + wire(p, WIRE.ID_2) * tp.beta + tp.gamma);
+            num = num * (wire(p, WIRE.W_O) + wire(p, WIRE.ID_3) * tp.beta + tp.gamma);
+            num = num * (wire(p, WIRE.W_4) + wire(p, WIRE.ID_4) * tp.beta + tp.gamma);
+
+            grand_product_numerator = num;
+        }
+        {
+            Fr den = wire(p, WIRE.W_L) + wire(p, WIRE.SIGMA_1) * tp.beta + tp.gamma;
+            den = den * (wire(p, WIRE.W_R) + wire(p, WIRE.SIGMA_2) * tp.beta + tp.gamma);
+            den = den * (wire(p, WIRE.W_O) + wire(p, WIRE.SIGMA_3) * tp.beta + tp.gamma);
+            den = den * (wire(p, WIRE.W_4) + wire(p, WIRE.SIGMA_4) * tp.beta + tp.gamma);
+
+            grand_product_denominator = den;
+        }
+
+        // Contribution 2
+        {
+            Fr acc = (wire(p, WIRE.Z_PERM) + wire(p, WIRE.LAGRANGE_FIRST)) * grand_product_numerator;
+
+            acc = acc
+                - (
+                    (wire(p, WIRE.Z_PERM_SHIFT) + (wire(p, WIRE.LAGRANGE_LAST) * tp.publicInputsDelta))
+                        * grand_product_denominator
+                );
+            acc = acc * domainSep;
+            evals[2] = acc;
+        }
+
+        // Contribution 3
+        {
+            Fr acc = (wire(p, WIRE.LAGRANGE_LAST) * wire(p, WIRE.Z_PERM_SHIFT)) * domainSep;
+            evals[3] = acc;
+        }
+    }
+
+    // Lookup parameters have been yoinked into memory to avoid stack too deep
+    struct LookupParams {
+        Fr eta_sqr;
+        Fr eta_cube;
+        Fr one_plus_beta;
+        Fr gamma_by_one_plus_beta;
+        Fr wire_accum;
+        Fr table_accum;
+        Fr table_accum_shift;
+    }
+
+    // TODO(md): calculate eta one two and three above
+
+    function accumulateLogDerivativeLookupRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr write_term;
+        Fr read_term;
+
+        // Calculate the write term (the table accumulation)
+        {
+            write_term = wire(p, WIRE.TABLE_1) + tp.gamma + (wire(p, WIRE.TABLE_2) * tp.eta)
+                + (wire(p, WIRE.TABLE_3) * tp.etaTwo) + (wire(p, WIRE.TABLE_4) * tp.etaThree);
+        }
+
+        // Calculate the write term
+        {
+            Fr derived_entry_1 = wire(p, WIRE.W_L) + tp.gamma + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_L_SHIFT));
+            Fr derived_entry_2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_M) * wire(p, WIRE.W_R_SHIFT);
+            Fr derived_entry_3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_C) * wire(p, WIRE.W_O_SHIFT);
+
+            read_term = derived_entry_1 + (derived_entry_2 * tp.eta) + (derived_entry_3 * tp.etaTwo)
+                + (wire(p, WIRE.Q_O) * tp.etaThree);
+        }
+
+        Fr read_inverse = wire(p, WIRE.LOOKUP_INVERSES) * write_term;
+        Fr write_inverse = wire(p, WIRE.LOOKUP_INVERSES) * read_term;
+
+        Fr inverse_exists_xor = wire(p, WIRE.LOOKUP_READ_TAGS) + wire(p, WIRE.Q_LOOKUP)
+            - (wire(p, WIRE.LOOKUP_READ_TAGS) * wire(p, WIRE.Q_LOOKUP));
+
+        // Inverse calculated correctly relation
+        Fr accumulatorNone = read_term * write_term * wire(p, WIRE.LOOKUP_INVERSES) - inverse_exists_xor;
+        accumulatorNone = accumulatorNone * domainSep;
+
+        // Inverse
+        Fr accumulatorOne = wire(p, WIRE.Q_LOOKUP) * read_inverse - wire(p, WIRE.LOOKUP_READ_COUNTS) * write_inverse;
+
+        evals[4] = accumulatorNone;
+        evals[5] = accumulatorOne;
+    }
+
+    function accumulateDeltaRangeRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr minus_one = Fr.wrap(0) - Fr.wrap(1);
+        Fr minus_two = Fr.wrap(0) - Fr.wrap(2);
+        Fr minus_three = Fr.wrap(0) - Fr.wrap(3);
+
+        // Compute wire differences
+        Fr delta_1 = wire(p, WIRE.W_R) - wire(p, WIRE.W_L);
+        Fr delta_2 = wire(p, WIRE.W_O) - wire(p, WIRE.W_R);
+        Fr delta_3 = wire(p, WIRE.W_4) - wire(p, WIRE.W_O);
+        Fr delta_4 = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_4);
+
+        // Contribution 6
+        {
+            Fr acc = delta_1;
+            acc = acc * (delta_1 + minus_one);
+            acc = acc * (delta_1 + minus_two);
+            acc = acc * (delta_1 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[6] = acc;
+        }
+
+        // Contribution 7
+        {
+            Fr acc = delta_2;
+            acc = acc * (delta_2 + minus_one);
+            acc = acc * (delta_2 + minus_two);
+            acc = acc * (delta_2 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[7] = acc;
+        }
+
+        // Contribution 8
+        {
+            Fr acc = delta_3;
+            acc = acc * (delta_3 + minus_one);
+            acc = acc * (delta_3 + minus_two);
+            acc = acc * (delta_3 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[8] = acc;
+        }
+
+        // Contribution 9
+        {
+            Fr acc = delta_4;
+            acc = acc * (delta_4 + minus_one);
+            acc = acc * (delta_4 + minus_two);
+            acc = acc * (delta_4 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[9] = acc;
+        }
+    }
+
+    struct EllipticParams {
+        // Points
+        Fr x_1;
+        Fr y_1;
+        Fr x_2;
+        Fr y_2;
+        Fr y_3;
+        Fr x_3;
+        // push accumulators into memory
+        Fr x_double_identity;
+    }
+
+    function accumulateEllipticRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        EllipticParams memory ep;
+        ep.x_1 = wire(p, WIRE.W_R);
+        ep.y_1 = wire(p, WIRE.W_O);
+
+        ep.x_2 = wire(p, WIRE.W_L_SHIFT);
+        ep.y_2 = wire(p, WIRE.W_4_SHIFT);
+        ep.y_3 = wire(p, WIRE.W_O_SHIFT);
+        ep.x_3 = wire(p, WIRE.W_R_SHIFT);
+
+        Fr q_sign = wire(p, WIRE.Q_L);
+        Fr q_is_double = wire(p, WIRE.Q_M);
+
+        // Contribution 10 point addition, x-coordinate check
+        // q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0
+        Fr x_diff = (ep.x_2 - ep.x_1);
+        Fr y1_sqr = (ep.y_1 * ep.y_1);
+        {
+            // Move to top
+            Fr partialEval = domainSep;
+
+            Fr y2_sqr = (ep.y_2 * ep.y_2);
+            Fr y1y2 = ep.y_1 * ep.y_2 * q_sign;
+            Fr x_add_identity = (ep.x_3 + ep.x_2 + ep.x_1);
+            x_add_identity = x_add_identity * x_diff * x_diff;
+            x_add_identity = x_add_identity - y2_sqr - y1_sqr + y1y2 + y1y2;
+
+            evals[10] = x_add_identity * partialEval * wire(p, WIRE.Q_ELLIPTIC) * (Fr.wrap(1) - q_is_double);
+        }
+
+        // Contribution 11 point addition, x-coordinate check
+        // q_elliptic * (q_sign * y1 + y3)(x2 - x1) + (x3 - x1)(y2 - q_sign * y1) = 0
+        {
+            Fr y1_plus_y3 = ep.y_1 + ep.y_3;
+            Fr y_diff = ep.y_2 * q_sign - ep.y_1;
+            Fr y_add_identity = y1_plus_y3 * x_diff + (ep.x_3 - ep.x_1) * y_diff;
+            evals[11] = y_add_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * (Fr.wrap(1) - q_is_double);
+        }
+
+        // Contribution 10 point doubling, x-coordinate check
+        // (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0
+        // N.B. we're using the equivalence x1*x1*x1 === y1*y1 - curve_b to reduce degree by 1
+        {
+            Fr x_pow_4 = (y1_sqr + GRUMPKIN_CURVE_B_PARAMETER_NEGATED) * ep.x_1;
+            Fr y1_sqr_mul_4 = y1_sqr + y1_sqr;
+            y1_sqr_mul_4 = y1_sqr_mul_4 + y1_sqr_mul_4;
+            Fr x1_pow_4_mul_9 = x_pow_4 * Fr.wrap(9);
+
+            // NOTE: pushed into memory (stack >:'( )
+            ep.x_double_identity = (ep.x_3 + ep.x_1 + ep.x_1) * y1_sqr_mul_4 - x1_pow_4_mul_9;
+
+            Fr acc = ep.x_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
+            evals[10] = evals[10] + acc;
+        }
+
+        // Contribution 11 point doubling, y-coordinate check
+        // (y1 + y1) (2y1) - (3 * x1 * x1)(x1 - x3) = 0
+        {
+            Fr x1_sqr_mul_3 = (ep.x_1 + ep.x_1 + ep.x_1) * ep.x_1;
+            Fr y_double_identity = x1_sqr_mul_3 * (ep.x_1 - ep.x_3) - (ep.y_1 + ep.y_1) * (ep.y_1 + ep.y_3);
+            evals[11] = evals[11] + y_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
+        }
+    }
+
+    // Constants for the auxiliary relation
+    Fr constant LIMB_SIZE = Fr.wrap(uint256(1) << 68);
+    Fr constant SUBLIMB_SHIFT = Fr.wrap(uint256(1) << 14);
+    Fr constant MINUS_ONE = Fr.wrap(P - 1);
+
+    // Parameters used within the Auxiliary Relation
+    // A struct is used to work around stack too deep. This relation has alot of variables
+    struct AuxParams {
+        Fr limb_subproduct;
+        Fr non_native_field_gate_1;
+        Fr non_native_field_gate_2;
+        Fr non_native_field_gate_3;
+        Fr limb_accumulator_1;
+        Fr limb_accumulator_2;
+        Fr memory_record_check;
+        Fr partial_record_check;
+        Fr next_gate_access_type;
+        Fr record_delta;
+        Fr index_delta;
+        Fr adjacent_values_match_if_adjacent_indices_match;
+        Fr adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation;
+        Fr access_check;
+        Fr next_gate_access_type_is_boolean;
+        Fr ROM_consistency_check_identity;
+        Fr RAM_consistency_check_identity;
+        Fr timestamp_delta;
+        Fr RAM_timestamp_check_identity;
+        Fr memory_identity;
+        Fr index_is_monotonically_increasing;
+        Fr auxiliary_identity;
+    }
+
+    function accumulateAuxillaryRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal pure {
+        AuxParams memory ap;
+
+        /**
+         * Contribution 12
+         * Non native field arithmetic gate 2
+         * deg 4
+         *
+         *             _                                                                               _
+         *            /   _                   _                               _       14                \
+         * q_2 . q_4 |   (w_1 . w_2) + (w_1 . w_2) + (w_1 . w_4 + w_2 . w_3 - w_3) . 2    - w_3 - w_4   |
+         *            \_                                                                               _/
+         *
+         *
+         */
+        ap.limb_subproduct = wire(p, WIRE.W_L) * wire(p, WIRE.W_R_SHIFT) + wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R);
+        ap.non_native_field_gate_2 =
+            (wire(p, WIRE.W_L) * wire(p, WIRE.W_4) + wire(p, WIRE.W_R) * wire(p, WIRE.W_O) - wire(p, WIRE.W_O_SHIFT));
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * LIMB_SIZE;
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 - wire(p, WIRE.W_4_SHIFT);
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 + ap.limb_subproduct;
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * wire(p, WIRE.Q_4);
+
+        ap.limb_subproduct = ap.limb_subproduct * LIMB_SIZE;
+        ap.limb_subproduct = ap.limb_subproduct + (wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R_SHIFT));
+        ap.non_native_field_gate_1 = ap.limb_subproduct;
+        ap.non_native_field_gate_1 = ap.non_native_field_gate_1 - (wire(p, WIRE.W_O) + wire(p, WIRE.W_4));
+        ap.non_native_field_gate_1 = ap.non_native_field_gate_1 * wire(p, WIRE.Q_O);
+
+        ap.non_native_field_gate_3 = ap.limb_subproduct;
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 + wire(p, WIRE.W_4);
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 - (wire(p, WIRE.W_O_SHIFT) + wire(p, WIRE.W_4_SHIFT));
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 * wire(p, WIRE.Q_M);
+
+        Fr non_native_field_identity =
+            ap.non_native_field_gate_1 + ap.non_native_field_gate_2 + ap.non_native_field_gate_3;
+        non_native_field_identity = non_native_field_identity * wire(p, WIRE.Q_R);
+
+        // ((((w2' * 2^14 + w1') * 2^14 + w3) * 2^14 + w2) * 2^14 + w1 - w4) * qm
+        // deg 2
+        ap.limb_accumulator_1 = wire(p, WIRE.W_R_SHIFT) * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L_SHIFT);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_O);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_R);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 - wire(p, WIRE.W_4);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * wire(p, WIRE.Q_4);
+
+        // ((((w3' * 2^14 + w2') * 2^14 + w1') * 2^14 + w4) * 2^14 + w3 - w4') * qm
+        // deg 2
+        ap.limb_accumulator_2 = wire(p, WIRE.W_O_SHIFT) * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_R_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_L_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_4);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_O);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 - wire(p, WIRE.W_4_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * wire(p, WIRE.Q_M);
+
+        Fr limb_accumulator_identity = ap.limb_accumulator_1 + ap.limb_accumulator_2;
+        limb_accumulator_identity = limb_accumulator_identity * wire(p, WIRE.Q_O); //  deg 3
+
+        /**
+         * MEMORY
+         *
+         * A RAM memory record contains a tuple of the following fields:
+         *  * i: `index` of memory cell being accessed
+         *  * t: `timestamp` of memory cell being accessed (used for RAM, set to 0 for ROM)
+         *  * v: `value` of memory cell being accessed
+         *  * a: `access` type of record. read: 0 = read, 1 = write
+         *  * r: `record` of memory cell. record = access + index * eta + timestamp * eta_two + value * eta_three
+         *
+         * A ROM memory record contains a tuple of the following fields:
+         *  * i: `index` of memory cell being accessed
+         *  * v: `value1` of memory cell being accessed (ROM tables can store up to 2 values per index)
+         *  * v2:`value2` of memory cell being accessed (ROM tables can store up to 2 values per index)
+         *  * r: `record` of memory cell. record = index * eta + value2 * eta_two + value1 * eta_three
+         *
+         *  When performing a read/write access, the values of i, t, v, v2, a, r are stored in the following wires +
+         * selectors, depending on whether the gate is a RAM read/write or a ROM read
+         *
+         *  | gate type | i  | v2/t  |  v | a  | r  |
+         *  | --------- | -- | ----- | -- | -- | -- |
+         *  | ROM       | w1 | w2    | w3 | -- | w4 |
+         *  | RAM       | w1 | w2    | w3 | qc | w4 |
+         *
+         * (for accesses where `index` is a circuit constant, it is assumed the circuit will apply a copy constraint on
+         * `w2` to fix its value)
+         *
+         *
+         */
+
+        /**
+         * Memory Record Check
+         * Partial degree: 1
+         * Total degree: 4
+         *
+         * A ROM/ROM access gate can be evaluated with the identity:
+         *
+         * qc + w1 \eta + w2 \eta_two + w3 \eta_three - w4 = 0
+         *
+         * For ROM gates, qc = 0
+         */
+        ap.memory_record_check = wire(p, WIRE.W_O) * tp.etaThree;
+        ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_R) * tp.etaTwo);
+        ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_L) * tp.eta);
+        ap.memory_record_check = ap.memory_record_check + wire(p, WIRE.Q_C);
+        ap.partial_record_check = ap.memory_record_check; // used in RAM consistency check; deg 1 or 4
+        ap.memory_record_check = ap.memory_record_check - wire(p, WIRE.W_4);
+
+        /**
+         * Contribution 13 & 14
+         * ROM Consistency Check
+         * Partial degree: 1
+         * Total degree: 4
+         *
+         * For every ROM read, a set equivalence check is applied between the record witnesses, and a second set of
+         * records that are sorted.
+         *
+         * We apply the following checks for the sorted records:
+         *
+         * 1. w1, w2, w3 correctly map to 'index', 'v1, 'v2' for a given record value at w4
+         * 2. index values for adjacent records are monotonically increasing
+         * 3. if, at gate i, index_i == index_{i + 1}, then value1_i == value1_{i + 1} and value2_i == value2_{i + 1}
+         *
+         */
+        ap.index_delta = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_L);
+        ap.record_delta = wire(p, WIRE.W_4_SHIFT) - wire(p, WIRE.W_4);
+
+        ap.index_is_monotonically_increasing = ap.index_delta * ap.index_delta - ap.index_delta; // deg 2
+
+        ap.adjacent_values_match_if_adjacent_indices_match = (ap.index_delta * MINUS_ONE + Fr.wrap(1)) * ap.record_delta; // deg 2
+
+        evals[13] = ap.adjacent_values_match_if_adjacent_indices_match * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
+            * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5
+        evals[14] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
+            * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5
+
+        ap.ROM_consistency_check_identity = ap.memory_record_check * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)); // deg 3 or 7
+
+        /**
+         * Contributions 15,16,17
+         * RAM Consistency Check
+         *
+         * The 'access' type of the record is extracted with the expression `w_4 - ap.partial_record_check`
+         * (i.e. for an honest Prover `w1 * eta + w2 * eta^2 + w3 * eta^3 - w4 = access`.
+         * This is validated by requiring `access` to be boolean
+         *
+         * For two adjacent entries in the sorted list if _both_
+         *  A) index values match
+         *  B) adjacent access value is 0 (i.e. next gate is a READ)
+         * then
+         *  C) both values must match.
+         * The gate boolean check is
+         * (A && B) => C  === !(A && B) || C ===  !A || !B || C
+         *
+         * N.B. it is the responsibility of the circuit writer to ensure that every RAM cell is initialized
+         * with a WRITE operation.
+         */
+        Fr access_type = (wire(p, WIRE.W_4) - ap.partial_record_check); // will be 0 or 1 for honest Prover; deg 1 or 4
+        ap.access_check = access_type * access_type - access_type; // check value is 0 or 1; deg 2 or 8
+
+        // TODO(https://github.com/AztecProtocol/barretenberg/issues/757): If we sorted in
+        // reverse order we could re-use `ap.partial_record_check`  1 -  ((w3' * eta + w2') * eta + w1') * eta
+        // deg 1 or 4
+        ap.next_gate_access_type = wire(p, WIRE.W_O_SHIFT) * tp.etaThree;
+        ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_R_SHIFT) * tp.etaTwo);
+        ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_L_SHIFT) * tp.eta);
+        ap.next_gate_access_type = wire(p, WIRE.W_4_SHIFT) - ap.next_gate_access_type;
+
+        Fr value_delta = wire(p, WIRE.W_O_SHIFT) - wire(p, WIRE.W_O);
+        ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation = (
+            ap.index_delta * MINUS_ONE + Fr.wrap(1)
+        ) * value_delta * (ap.next_gate_access_type * MINUS_ONE + Fr.wrap(1)); // deg 3 or 6
+
+        // We can't apply the RAM consistency check identity on the final entry in the sorted list (the wires in the
+        // next gate would make the identity fail).  We need to validate that its 'access type' bool is correct. Can't
+        // do  with an arithmetic gate because of the  `eta` factors. We need to check that the *next* gate's access
+        // type is  correct, to cover this edge case
+        // deg 2 or 4
+        ap.next_gate_access_type_is_boolean =
+            ap.next_gate_access_type * ap.next_gate_access_type - ap.next_gate_access_type;
+
+        // Putting it all together...
+        evals[15] = ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation
+            * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5 or 8
+        evals[16] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4
+        evals[17] = ap.next_gate_access_type_is_boolean * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4 or 6
+
+        ap.RAM_consistency_check_identity = ap.access_check * (wire(p, WIRE.Q_ARITH)); // deg 3 or 9
+
+        /**
+         * RAM Timestamp Consistency Check
+         *
+         * | w1 | w2 | w3 | w4 |
+         * | index | timestamp | timestamp_check | -- |
+         *
+         * Let delta_index = index_{i + 1} - index_{i}
+         *
+         * Iff delta_index == 0, timestamp_check = timestamp_{i + 1} - timestamp_i
+         * Else timestamp_check = 0
+         */
+        ap.timestamp_delta = wire(p, WIRE.W_R_SHIFT) - wire(p, WIRE.W_R);
+        ap.RAM_timestamp_check_identity =
+            (ap.index_delta * MINUS_ONE + Fr.wrap(1)) * ap.timestamp_delta - wire(p, WIRE.W_O); // deg 3
+
+        /**
+         * Complete Contribution 12
+         * The complete RAM/ROM memory identity
+         * Partial degree:
+         */
+        ap.memory_identity = ap.ROM_consistency_check_identity; // deg 3 or 6
+        ap.memory_identity =
+            ap.memory_identity + ap.RAM_timestamp_check_identity * (wire(p, WIRE.Q_4) * wire(p, WIRE.Q_L)); // deg 4
+        ap.memory_identity = ap.memory_identity + ap.memory_record_check * (wire(p, WIRE.Q_M) * wire(p, WIRE.Q_L)); // deg 3 or 6
+        ap.memory_identity = ap.memory_identity + ap.RAM_consistency_check_identity; // deg 3 or 9
+
+        // (deg 3 or 9) + (deg 4) + (deg 3)
+        ap.auxiliary_identity = ap.memory_identity + non_native_field_identity + limb_accumulator_identity;
+        ap.auxiliary_identity = ap.auxiliary_identity * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4 or 10
+        evals[12] = ap.auxiliary_identity;
+    }
+
+    function scaleAndBatchSubrelations(
+        Fr[NUMBER_OF_SUBRELATIONS] memory evaluations,
+        Fr[NUMBER_OF_ALPHAS] memory subrelationChallenges
+    ) internal view returns (Fr accumulator) {
+        accumulator = accumulator + evaluations[0];
+
+        for (uint256 i = 1; i < NUMBER_OF_SUBRELATIONS; ++i) {
+            accumulator = accumulator + evaluations[i] * subrelationChallenges[i - 1];
+        }
+    }
+
+    function verifyZeroMorph(Honk.Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp)
+        internal
+        view
+        returns (bool verified)
+    {
+        // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u)
+        Fr batchedEval = Fr.wrap(0);
+        Fr batchedScalar = Fr.wrap(1);
+
+        // We linearly combine all evaluations (unshifted first, then shifted)
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; ++i) {
+            batchedEval = batchedEval + proof.sumcheckEvaluations[i] * batchedScalar;
+            batchedScalar = batchedScalar * tp.rho;
+        }
+
+        // Get k commitments
+        Honk.G1Point memory c_zeta = computeCZeta(proof, tp);
+        Honk.G1Point memory c_zeta_x = computeCZetaX(proof, vk, tp, batchedEval);
+        Honk.G1Point memory c_zeta_Z = ecAdd(c_zeta, ecMul(c_zeta_x, tp.zmZ));
+
+        // KZG pairing accumulator
+        // WORKTODO: concerned that this is zero - it is multiplied by a point later on
+        Fr evaluation = Fr.wrap(0);
+        verified = zkgReduceVerify(proof, tp, evaluation, c_zeta_Z);
+    }
+
+    // Compute commitment to lifted degree quotient identity
+    function computeCZeta(Honk.Proof memory proof, Transcript memory tp) internal view returns (Honk.G1Point memory) {
+        Fr[LOG_N + 1] memory scalars;
+        Honk.G1ProofPoint[LOG_N + 1] memory commitments;
+
+        // Initial contribution
+        commitments[0] = proof.zmCq;
+        scalars[0] = Fr.wrap(1);
+
+        // TODO: optimize pow operations here ? batch mulable
+        for (uint256 k = 0; k < LOG_N; ++k) {
+            Fr degree = Fr.wrap((1 << k) - 1);
+            Fr scalar = FrLib.pow(tp.zmY, k);
+            scalar = scalar * FrLib.pow(tp.zmX, (1 << LOG_N) - Fr.unwrap(degree) - 1);
+            scalar = scalar * MINUS_ONE;
+
+            scalars[k + 1] = scalar;
+            commitments[k + 1] = proof.zmCqs[k];
+        }
+
+        // Convert all commitments for batch mul
+        Honk.G1Point[LOG_N + 1] memory comms = convertPoints(commitments);
+
+        return batchMul(comms, scalars);
+    }
+
+    struct CZetaXParams {
+        Fr phi_numerator;
+        Fr phi_n_x;
+        Fr rho_pow;
+        Fr phi_1;
+        Fr phi_2;
+        Fr x_pow_2k;
+        Fr x_pow_2kp1;
+    }
+
+    function computeCZetaX(Honk.Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp, Fr batchedEval)
+        internal
+        view
+        returns (Honk.G1Point memory)
+    {
+        Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars;
+        Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory commitments;
+        CZetaXParams memory cp;
+
+        // Phi_n(x) = (x^N - 1) / (x - 1)
+        cp.phi_numerator = FrLib.pow(tp.zmX, (1 << LOG_N)) - Fr.wrap(1);
+        cp.phi_n_x = FrLib.div(cp.phi_numerator, tp.zmX - Fr.wrap(1));
+
+        // Add contribution: -v * x * \Phi_n(x) * [1]_1
+        // Add base
+        scalars[0] = MINUS_ONE * batchedEval * tp.zmX * cp.phi_n_x;
+        commitments[0] = Honk.G1Point({x: 1, y: 2}); // One
+
+        // f - Add all unshifted commitments
+        // g - Add add to be shifted commitments
+
+        // f commitments are accumulated at (zm_x * r)
+        cp.rho_pow = Fr.wrap(1);
+        for (uint256 i = 1; i < 34; ++i) {
+            scalars[i] = tp.zmX * cp.rho_pow;
+            cp.rho_pow = cp.rho_pow * tp.rho;
+        }
+        // g commitments are accumulated at r
+        for (uint256 i = 34; i < 43; ++i) {
+            scalars[i] = cp.rho_pow;
+            cp.rho_pow = cp.rho_pow * tp.rho;
+        }
+
+        // TODO: dont accumulate these into the comms array, just accumulate directly
+        commitments[1] = vk.qm;
+        commitments[2] = vk.qc;
+        commitments[3] = vk.ql;
+        commitments[4] = vk.qr;
+        commitments[5] = vk.qo;
+        commitments[6] = vk.q4;
+        commitments[7] = vk.qArith;
+        commitments[8] = vk.qDeltaRange;
+        commitments[9] = vk.qElliptic;
+        commitments[10] = vk.qAux;
+        commitments[11] = vk.qLookup;
+        commitments[12] = vk.s1;
+        commitments[13] = vk.s2;
+        commitments[14] = vk.s3;
+        commitments[15] = vk.s4;
+        commitments[16] = vk.id1;
+        commitments[17] = vk.id2;
+        commitments[18] = vk.id3;
+        commitments[19] = vk.id4;
+        commitments[20] = vk.t1;
+        commitments[21] = vk.t2;
+        commitments[22] = vk.t3;
+        commitments[23] = vk.t4;
+        commitments[24] = vk.lagrangeFirst;
+        commitments[25] = vk.lagrangeLast;
+
+        // Accumulate proof points
+        commitments[26] = convertProofPoint(proof.w1);
+        commitments[27] = convertProofPoint(proof.w2);
+        commitments[28] = convertProofPoint(proof.w3);
+        commitments[29] = convertProofPoint(proof.w4);
+        commitments[30] = convertProofPoint(proof.zPerm);
+        commitments[31] = convertProofPoint(proof.lookupInverses);
+        commitments[32] = convertProofPoint(proof.lookupReadCounts);
+        commitments[33] = convertProofPoint(proof.lookupReadTags);
+
+        // to be Shifted
+        commitments[34] = vk.t1;
+        commitments[35] = vk.t2;
+        commitments[36] = vk.t3;
+        commitments[37] = vk.t4;
+        commitments[38] = convertProofPoint(proof.w1);
+        commitments[39] = convertProofPoint(proof.w2);
+        commitments[40] = convertProofPoint(proof.w3);
+        commitments[41] = convertProofPoint(proof.w4);
+        commitments[42] = convertProofPoint(proof.zPerm);
+
+        // Add scalar contributions
+        // Add contributions: scalar * [q_k],  k = 0,...,log_N, where
+        // scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k}))
+        cp.x_pow_2k = tp.zmX;
+        cp.x_pow_2kp1 = tp.zmX * tp.zmX;
+        for (uint256 k; k < CONST_PROOF_SIZE_LOG_N; ++k) {
+            bool dummy_round = k >= LOG_N;
+
+            // note: defaults to 0
+            Fr scalar;
+            if (!dummy_round) {
+                cp.phi_1 = FrLib.div(cp.phi_numerator, cp.x_pow_2kp1 - Fr.wrap(1));
+                cp.phi_2 = FrLib.div(cp.phi_numerator, cp.x_pow_2k - Fr.wrap(1));
+
+                scalar = cp.x_pow_2k * cp.phi_1;
+                scalar = scalar - (tp.sumCheckUChallenges[k] * cp.phi_2);
+                scalar = scalar * tp.zmX;
+                scalar = scalar * MINUS_ONE;
+
+                cp.x_pow_2k = cp.x_pow_2kp1;
+                cp.x_pow_2kp1 = cp.x_pow_2kp1 * cp.x_pow_2kp1;
+            }
+
+            scalars[43 + k] = scalar;
+            commitments[43 + k] = convertProofPoint(proof.zmCqs[k]);
+        }
+
+        return batchMul2(commitments, scalars);
+    }
+
+    // TODO: TODO: TODO: optimize
+    // Scalar Mul and acumulate into total
+    function batchMul(Honk.G1Point[LOG_N + 1] memory base, Fr[LOG_N + 1] memory scalars)
+        internal
+        view
+        returns (Honk.G1Point memory result)
+    {
+        uint256 limit = LOG_N + 1;
+        assembly {
+            let success := 0x01
+            let free := mload(0x40)
+
+            // Write the original into the accumulator
+            // Load into memory for ecMUL, leave offset for eccAdd result
+            // base is an array of pointers, so we have to dereference them
+            mstore(add(free, 0x40), mload(mload(base)))
+            mstore(add(free, 0x60), mload(add(0x20, mload(base))))
+            // Add scalar
+            mstore(add(free, 0x80), mload(scalars))
+            success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40))
+
+            let count := 0x01
+
+            for {} lt(count, limit) { count := add(count, 1) } {
+                // Get loop offsets
+                let base_base := add(base, mul(count, 0x20))
+                let scalar_base := add(scalars, mul(count, 0x20))
+
+                mstore(add(free, 0x40), mload(mload(base_base)))
+                mstore(add(free, 0x60), mload(add(0x20, mload(base_base))))
+                // Add scalar
+                mstore(add(free, 0x80), mload(scalar_base))
+
+                success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40))
+                success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40))
+            }
+
+            mstore(result, mload(free))
+            mstore(add(result, 0x20), mload(add(free, 0x20)))
+        }
+    }
+
+    // This implementation is the same as above with different constants
+    function batchMul2(
+        Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory base,
+        Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars
+    ) internal view returns (Honk.G1Point memory result) {
+        uint256 limit = NUMBER_OF_ENTITIES + LOG_N + 1;
+        assembly {
+            let success := 0x01
+            let free := mload(0x40)
+
+            // Write the original into the accumulator
+            // Load into memory for ecMUL, leave offset for eccAdd result
+            // base is an array of pointers, so we have to dereference them
+            mstore(add(free, 0x40), mload(mload(base)))
+            mstore(add(free, 0x60), mload(add(0x20, mload(base))))
+            // Add scalar
+            mstore(add(free, 0x80), mload(scalars))
+            success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40))
+
+            let count := 0x01
+            for {} lt(count, limit) { count := add(count, 1) } {
+                // Get loop offsets
+                let base_base := add(base, mul(count, 0x20))
+                let scalar_base := add(scalars, mul(count, 0x20))
+
+                mstore(add(free, 0x40), mload(mload(base_base)))
+                mstore(add(free, 0x60), mload(add(0x20, mload(base_base))))
+                // Add scalar
+                mstore(add(free, 0x80), mload(scalar_base))
+
+                success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40))
+                // accumulator = accumulator + accumulator_2
+                success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40))
+            }
+
+            // Return the result - i hate this
+            mstore(result, mload(free))
+            mstore(add(result, 0x20), mload(add(free, 0x20)))
+        }
+    }
+
+    function zkgReduceVerify(Honk.Proof memory proof, Transcript memory tp, Fr evaluation, Honk.G1Point memory commitment)
+        internal
+        view
+        returns (bool)
+    {
+        Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi);
+        Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2});
+
+        Honk.G1Point memory P0 = commitment;
+        P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX));
+
+        Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation);
+        P0 = ecSub(P0, evalAsPoint);
+
+        Honk.G1Point memory P1 = negateInplace(quotient_commitment);
+
+        // Perform pairing check
+        return pairing(P0, P1);
+    }
+
+    function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) internal view returns (bool) {
+        bytes memory input = abi.encodePacked(
+            rhs.x,
+            rhs.y,
+            // Fixed G1 point
+            uint256(0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2),
+            uint256(0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed),
+            uint256(0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b),
+            uint256(0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa),
+            lhs.x,
+            lhs.y,
+            // G1 point from VK
+            uint256(0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1),
+            uint256(0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0),
+            uint256(0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4),
+            uint256(0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55)
+        );
+
+        (bool success, bytes memory result) = address(0x08).staticcall(input);
+        return abi.decode(result, (bool));
+    }
+}
+
+// Conversion util - Duplicated as we cannot template LOG_N
+function convertPoints(Honk.G1ProofPoint[LOG_N + 1] memory commitments)
+    pure
+    returns (Honk.G1Point[LOG_N + 1] memory converted)
+{
+    for (uint256 i; i < LOG_N + 1; ++i) {
+        converted[i] = convertProofPoint(commitments[i]);
+    }
+}
diff --git a/barretenberg/sol/src/honk/Transcript.sol b/barretenberg/sol/src/honk/Transcript.sol
new file mode 100644
index 00000000000..986c446bbc5
--- /dev/null
+++ b/barretenberg/sol/src/honk/Transcript.sol
@@ -0,0 +1,218 @@
+import {
+    Honk,
+    NUMBER_OF_ALPHAS,
+    NUMBER_OF_ENTITIES,
+    BATCHED_RELATION_PARTIAL_LENGTH,
+    CONST_PROOF_SIZE_LOG_N
+} from "./HonkTypes.sol";
+import {Fr, FrLib} from "./Fr.sol";
+import {LOG_N, NUMBER_OF_PUBLIC_INPUTS} from "./keys/Add2HonkVerificationKey.sol";
+
+// Transcript library to generate fiat shamir challenges
+struct Transcript {
+    Fr eta;
+    Fr etaTwo;
+    Fr etaThree;
+    Fr beta;
+    Fr gamma;
+    Fr[NUMBER_OF_ALPHAS] alphas;
+    Fr[LOG_N] gateChallenges;
+    Fr[CONST_PROOF_SIZE_LOG_N] sumCheckUChallenges;
+    Fr rho;
+    // Zero morph
+    Fr zmX;
+    Fr zmY;
+    Fr zmZ;
+    Fr zmQuotient;
+    // Derived
+    Fr publicInputsDelta;
+    Fr lookupGrandProductDelta;
+}
+
+library TranscriptLib {
+    function generateTranscript(
+        Honk.Proof memory proof,
+        Honk.VerificationKey memory vk,
+        bytes32[] calldata publicInputs
+    ) internal view returns (Transcript memory t) {
+        // TODO: calcaulte full series of  eta;
+        (t.eta, t.etaTwo, t.etaThree) = generateEtaChallenge(proof, publicInputs);
+
+        (t.beta, t.gamma) = generateBetaAndGammaChallenges(t.etaThree, proof);
+
+        t.alphas = generateAlphaChallenges(t.gamma, proof);
+
+        t.gateChallenges = generateGateChallenges(t.alphas[NUMBER_OF_ALPHAS - 1]);
+
+        t.sumCheckUChallenges = generateSumcheckChallenges(proof, t.gateChallenges[LOG_N - 1]);
+        t.rho = generateRhoChallenge(proof, t.sumCheckUChallenges[CONST_PROOF_SIZE_LOG_N - 1]);
+
+        t.zmY = generateZMYChallenge(t.rho, proof);
+
+        (t.zmX, t.zmZ) = generateZMXZChallenges(t.zmY, proof);
+
+        return t;
+    }
+
+    function generateEtaChallenge(Honk.Proof memory proof, bytes32[] calldata publicInputs)
+        internal
+        view
+        returns (Fr eta, Fr etaTwo, Fr etaThree)
+    {
+        // TODO(md): the 12 here will need to be halved when we fix the transcript to not be over field elements
+        // TODO: use assembly
+        bytes32[3 + NUMBER_OF_PUBLIC_INPUTS + 12] memory round0;
+        round0[0] = bytes32(proof.circuitSize);
+        round0[1] = bytes32(proof.publicInputsSize);
+        round0[2] = bytes32(proof.publicInputsOffset);
+        for (uint256 i = 0; i < NUMBER_OF_PUBLIC_INPUTS; i++) {
+            round0[3 + i] = bytes32(publicInputs[i]);
+        }
+
+        // Create the first challenge
+        // Note: w4 is added to the challenge later on
+        // TODO: UPDATE ALL VALUES IN HERE
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS] = bytes32(proof.w1.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 1] = bytes32(proof.w1.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 2] = bytes32(proof.w1.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 3] = bytes32(proof.w1.y_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 4] = bytes32(proof.w2.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 5] = bytes32(proof.w2.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 6] = bytes32(proof.w2.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 7] = bytes32(proof.w2.y_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 8] = bytes32(proof.w3.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 9] = bytes32(proof.w3.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 10] = bytes32(proof.w3.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 11] = bytes32(proof.w3.y_1);
+
+        eta = FrLib.fromBytes32(keccak256(abi.encodePacked(round0)));
+        etaTwo = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(eta))));
+        etaThree = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(etaTwo))));
+    }
+
+    function generateBetaAndGammaChallenges(Fr previousChallenge, Honk.Proof memory proof)
+        internal
+        view
+        returns (Fr beta, Fr gamma)
+    {
+        // TODO(md): adjust round size when the proof points are generated correctly - 5
+        bytes32[13] memory round1;
+        round1[0] = FrLib.toBytes32(previousChallenge);
+        round1[1] = bytes32(proof.lookupReadCounts.x_0);
+        round1[2] = bytes32(proof.lookupReadCounts.x_1);
+        round1[3] = bytes32(proof.lookupReadCounts.y_0);
+        round1[4] = bytes32(proof.lookupReadCounts.y_1);
+        round1[5] = bytes32(proof.lookupReadTags.x_0);
+        round1[6] = bytes32(proof.lookupReadTags.x_1);
+        round1[7] = bytes32(proof.lookupReadTags.y_0);
+        round1[8] = bytes32(proof.lookupReadTags.y_1);
+        round1[9] = bytes32(proof.w4.x_0);
+        round1[10] = bytes32(proof.w4.x_1);
+        round1[11] = bytes32(proof.w4.y_0);
+        round1[12] = bytes32(proof.w4.y_1);
+
+        beta = FrLib.fromBytes32(keccak256(abi.encodePacked(round1)));
+        gamma = FrLib.fromBytes32(keccak256(abi.encodePacked(beta)));
+    }
+
+    // Alpha challenges non-linearise the gate contributions
+    function generateAlphaChallenges(Fr previousChallenge, Honk.Proof memory proof)
+        internal
+        view
+        returns (Fr[NUMBER_OF_ALPHAS] memory alphas)
+    {
+        // Generate the original sumcheck alpha 0 by hashing zPerm and zLookup
+        // TODO(md): 5 post correct proof size fix
+        uint256[9] memory alpha0;
+        alpha0[0] = Fr.unwrap(previousChallenge);
+        alpha0[1] = proof.lookupInverses.x_0;
+        alpha0[2] = proof.lookupInverses.x_1;
+        alpha0[3] = proof.lookupInverses.y_0;
+        alpha0[4] = proof.lookupInverses.y_1;
+        alpha0[5] = proof.zPerm.x_0;
+        alpha0[6] = proof.zPerm.x_1;
+        alpha0[7] = proof.zPerm.y_0;
+        alpha0[8] = proof.zPerm.y_1;
+
+        alphas[0] = FrLib.fromBytes32(keccak256(abi.encodePacked(alpha0)));
+
+        Fr prevChallenge = alphas[0];
+        for (uint256 i = 1; i < NUMBER_OF_ALPHAS; i++) {
+            prevChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(prevChallenge))));
+            alphas[i] = prevChallenge;
+        }
+    }
+
+    function generateGateChallenges(Fr previousChallenge) internal view returns (Fr[LOG_N] memory gateChallenges) {
+        for (uint256 i = 0; i < LOG_N; i++) {
+            previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge))));
+            gateChallenges[i] = previousChallenge;
+        }
+    }
+
+    function generateSumcheckChallenges(Honk.Proof memory proof, Fr prevChallenge)
+        internal
+        view
+        returns (Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckChallenges)
+    {
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            Fr[BATCHED_RELATION_PARTIAL_LENGTH + 1] memory univariateChal;
+            univariateChal[0] = prevChallenge;
+
+            // TODO(opt): memcpy
+            for (uint256 j = 0; j < BATCHED_RELATION_PARTIAL_LENGTH; j++) {
+                univariateChal[j + 1] = proof.sumcheckUnivariates[i][j];
+            }
+
+            sumcheckChallenges[i] = FrLib.fromBytes32(keccak256(abi.encodePacked(univariateChal)));
+            prevChallenge = sumcheckChallenges[i];
+        }
+    }
+
+    function generateRhoChallenge(Honk.Proof memory proof, Fr prevChallenge) internal view returns (Fr rho) {
+        Fr[NUMBER_OF_ENTITIES + 1] memory rhoChallengeElements;
+        rhoChallengeElements[0] = prevChallenge;
+
+        // TODO: memcpy
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) {
+            rhoChallengeElements[i + 1] = proof.sumcheckEvaluations[i];
+        }
+
+        rho = FrLib.fromBytes32(keccak256(abi.encodePacked(rhoChallengeElements)));
+    }
+
+    function generateZMYChallenge(Fr previousChallenge, Honk.Proof memory proof)
+        internal
+        view
+        returns (Fr zeromorphY)
+    {
+        uint256[CONST_PROOF_SIZE_LOG_N * 4 + 1] memory zmY;
+        zmY[0] = Fr.unwrap(previousChallenge);
+
+        for (uint256 i; i < CONST_PROOF_SIZE_LOG_N; ++i) {
+            zmY[1 + i * 4] = proof.zmCqs[i].x_0;
+            zmY[2 + i * 4] = proof.zmCqs[i].x_1;
+            zmY[3 + i * 4] = proof.zmCqs[i].y_0;
+            zmY[4 + i * 4] = proof.zmCqs[i].y_1;
+        }
+
+        zeromorphY = FrLib.fromBytes32(keccak256(abi.encodePacked(zmY)));
+    }
+
+    function generateZMXZChallenges(Fr previousChallenge, Honk.Proof memory proof)
+        internal
+        view
+        returns (Fr zeromorphX, Fr zeromorphZ)
+    {
+        uint256[4 + 1] memory buf;
+        buf[0] = Fr.unwrap(previousChallenge);
+
+        buf[1] = proof.zmCq.x_0;
+        buf[2] = proof.zmCq.x_1;
+        buf[3] = proof.zmCq.y_0;
+        buf[4] = proof.zmCq.y_1;
+
+        zeromorphX = FrLib.fromBytes32(keccak256(abi.encodePacked(buf)));
+        zeromorphZ = FrLib.fromBytes32(keccak256(abi.encodePacked(zeromorphX)));
+    }
+}
diff --git a/barretenberg/sol/src/honk/instance/Add2Honk.sol b/barretenberg/sol/src/honk/instance/Add2Honk.sol
new file mode 100644
index 00000000000..ec533e83270
--- /dev/null
+++ b/barretenberg/sol/src/honk/instance/Add2Honk.sol
@@ -0,0 +1,1448 @@
+// SPDX-License-Identifier: Apache-2.0
+
+// NOTE: to work around solidity not allowing templates, we need a transcript class and proof class for each
+
+// Copyright 2024 Aztec Labs
+pragma solidity >=0.8.21;
+
+import {IVerifier} from "../../interfaces/IVerifier.sol";
+import {Add2HonkVerificationKey as VK, N, LOG_N, NUMBER_OF_PUBLIC_INPUTS} from "../keys/Add2HonkVerificationKey.sol";
+
+import {
+    Honk,
+    WIRE,
+    NUMBER_OF_ENTITIES,
+    NUMBER_OF_SUBRELATIONS,
+    NUMBER_OF_ALPHAS,
+    BATCHED_RELATION_PARTIAL_LENGTH,
+    CONST_PROOF_SIZE_LOG_N,
+    P,
+    Q
+} from "../HonkTypes.sol";
+
+import {ecMul, ecAdd, ecSub, negateInplace, convertProofPoint} from "../utils.sol";
+
+// Field arithmetic libraries
+import {Fr, FrLib} from "../Fr.sol";
+
+struct Proof {
+    uint256 circuitSize;
+    uint256 publicInputsSize;
+    uint256 publicInputsOffset;
+    // Free wires
+    Honk.G1ProofPoint w1;
+    Honk.G1ProofPoint w2;
+    Honk.G1ProofPoint w3;
+    Honk.G1ProofPoint w4;
+    // Lookup helpers - Permutations
+    Honk.G1ProofPoint zPerm;
+    // Lookup helpers - logup
+    Honk.G1ProofPoint lookupReadCounts;
+    Honk.G1ProofPoint lookupReadTags;
+    Honk.G1ProofPoint lookupInverses;
+    // Sumcheck
+    Fr[BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates;
+    Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations;
+    // Zero morph
+    Honk.G1ProofPoint[CONST_PROOF_SIZE_LOG_N] zmCqs;
+    Honk.G1ProofPoint zmCq;
+    Honk.G1ProofPoint zmPi;
+}
+
+// Transcript library to generate fiat shamir challenges
+struct Transcript {
+    Fr eta;
+    Fr etaTwo;
+    Fr etaThree;
+    Fr beta;
+    Fr gamma;
+    Fr[NUMBER_OF_ALPHAS] alphas;
+    Fr[LOG_N] gateChallenges;
+    Fr[CONST_PROOF_SIZE_LOG_N] sumCheckUChallenges;
+    Fr rho;
+    // Zero morph
+    Fr zmX;
+    Fr zmY;
+    Fr zmZ;
+    Fr zmQuotient;
+    // Derived
+    Fr publicInputsDelta;
+    Fr lookupGrandProductDelta;
+}
+
+library TranscriptLib {
+    function generateTranscript(Proof memory proof, Honk.VerificationKey memory vk, bytes32[] calldata publicInputs)
+        internal
+        view
+        returns (Transcript memory t)
+    {
+        // TODO: calcaulte full series of  eta;
+        (t.eta, t.etaTwo, t.etaThree) = generateEtaChallenge(proof, publicInputs);
+
+        (t.beta, t.gamma) = generateBetaAndGammaChallenges(t.etaThree, proof);
+
+        t.alphas = generateAlphaChallenges(t.gamma, proof);
+
+        t.gateChallenges = generateGateChallenges(t.alphas[NUMBER_OF_ALPHAS - 1]);
+
+        t.sumCheckUChallenges = generateSumcheckChallenges(proof, t.gateChallenges[LOG_N - 1]);
+        t.rho = generateRhoChallenge(proof, t.sumCheckUChallenges[CONST_PROOF_SIZE_LOG_N - 1]);
+
+        t.zmY = generateZMYChallenge(t.rho, proof);
+
+        (t.zmX, t.zmZ) = generateZMXZChallenges(t.zmY, proof);
+
+        return t;
+    }
+
+    function generateEtaChallenge(Proof memory proof, bytes32[] calldata publicInputs)
+        internal
+        view
+        returns (Fr eta, Fr etaTwo, Fr etaThree)
+    {
+        // TODO(md): the 12 here will need to be halved when we fix the transcript to not be over field elements
+        // TODO: use assembly
+        bytes32[3 + NUMBER_OF_PUBLIC_INPUTS + 12] memory round0;
+        round0[0] = bytes32(proof.circuitSize);
+        round0[1] = bytes32(proof.publicInputsSize);
+        round0[2] = bytes32(proof.publicInputsOffset);
+        for (uint256 i = 0; i < NUMBER_OF_PUBLIC_INPUTS; i++) {
+            round0[3 + i] = bytes32(publicInputs[i]);
+        }
+
+        // Create the first challenge
+        // Note: w4 is added to the challenge later on
+        // TODO: UPDATE ALL VALUES IN HERE
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS] = bytes32(proof.w1.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 1] = bytes32(proof.w1.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 2] = bytes32(proof.w1.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 3] = bytes32(proof.w1.y_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 4] = bytes32(proof.w2.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 5] = bytes32(proof.w2.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 6] = bytes32(proof.w2.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 7] = bytes32(proof.w2.y_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 8] = bytes32(proof.w3.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 9] = bytes32(proof.w3.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 10] = bytes32(proof.w3.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 11] = bytes32(proof.w3.y_1);
+
+        eta = FrLib.fromBytes32(keccak256(abi.encodePacked(round0)));
+        etaTwo = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(eta))));
+        etaThree = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(etaTwo))));
+    }
+
+    function generateBetaAndGammaChallenges(Fr previousChallenge, Proof memory proof)
+        internal
+        view
+        returns (Fr beta, Fr gamma)
+    {
+        // TODO(md): adjust round size when the proof points are generated correctly - 5
+        bytes32[13] memory round1;
+        round1[0] = FrLib.toBytes32(previousChallenge);
+        round1[1] = bytes32(proof.lookupReadCounts.x_0);
+        round1[2] = bytes32(proof.lookupReadCounts.x_1);
+        round1[3] = bytes32(proof.lookupReadCounts.y_0);
+        round1[4] = bytes32(proof.lookupReadCounts.y_1);
+        round1[5] = bytes32(proof.lookupReadTags.x_0);
+        round1[6] = bytes32(proof.lookupReadTags.x_1);
+        round1[7] = bytes32(proof.lookupReadTags.y_0);
+        round1[8] = bytes32(proof.lookupReadTags.y_1);
+        round1[9] = bytes32(proof.w4.x_0);
+        round1[10] = bytes32(proof.w4.x_1);
+        round1[11] = bytes32(proof.w4.y_0);
+        round1[12] = bytes32(proof.w4.y_1);
+
+        beta = FrLib.fromBytes32(keccak256(abi.encodePacked(round1)));
+        gamma = FrLib.fromBytes32(keccak256(abi.encodePacked(beta)));
+    }
+
+    // Alpha challenges non-linearise the gate contributions
+    function generateAlphaChallenges(Fr previousChallenge, Proof memory proof)
+        internal
+        view
+        returns (Fr[NUMBER_OF_ALPHAS] memory alphas)
+    {
+        // Generate the original sumcheck alpha 0 by hashing zPerm and zLookup
+        // TODO(md): 5 post correct proof size fix
+        uint256[9] memory alpha0;
+        alpha0[0] = Fr.unwrap(previousChallenge);
+        alpha0[1] = proof.lookupInverses.x_0;
+        alpha0[2] = proof.lookupInverses.x_1;
+        alpha0[3] = proof.lookupInverses.y_0;
+        alpha0[4] = proof.lookupInverses.y_1;
+        alpha0[5] = proof.zPerm.x_0;
+        alpha0[6] = proof.zPerm.x_1;
+        alpha0[7] = proof.zPerm.y_0;
+        alpha0[8] = proof.zPerm.y_1;
+
+        alphas[0] = FrLib.fromBytes32(keccak256(abi.encodePacked(alpha0)));
+
+        Fr prevChallenge = alphas[0];
+        for (uint256 i = 1; i < NUMBER_OF_ALPHAS; i++) {
+            prevChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(prevChallenge))));
+            alphas[i] = prevChallenge;
+        }
+    }
+
+    function generateGateChallenges(Fr previousChallenge) internal view returns (Fr[LOG_N] memory gateChallenges) {
+        for (uint256 i = 0; i < LOG_N; i++) {
+            previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge))));
+            gateChallenges[i] = previousChallenge;
+        }
+    }
+
+    function generateSumcheckChallenges(Proof memory proof, Fr prevChallenge)
+        internal
+        view
+        returns (Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckChallenges)
+    {
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            Fr[BATCHED_RELATION_PARTIAL_LENGTH + 1] memory univariateChal;
+            univariateChal[0] = prevChallenge;
+
+            // TODO(opt): memcpy
+            for (uint256 j = 0; j < BATCHED_RELATION_PARTIAL_LENGTH; j++) {
+                univariateChal[j + 1] = proof.sumcheckUnivariates[i][j];
+            }
+
+            sumcheckChallenges[i] = FrLib.fromBytes32(keccak256(abi.encodePacked(univariateChal)));
+            prevChallenge = sumcheckChallenges[i];
+        }
+    }
+
+    function generateRhoChallenge(Proof memory proof, Fr prevChallenge) internal view returns (Fr rho) {
+        Fr[NUMBER_OF_ENTITIES + 1] memory rhoChallengeElements;
+        rhoChallengeElements[0] = prevChallenge;
+
+        // TODO: memcpy
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) {
+            rhoChallengeElements[i + 1] = proof.sumcheckEvaluations[i];
+        }
+
+        rho = FrLib.fromBytes32(keccak256(abi.encodePacked(rhoChallengeElements)));
+    }
+
+    function generateZMYChallenge(Fr previousChallenge, Proof memory proof) internal view returns (Fr zeromorphY) {
+        uint256[CONST_PROOF_SIZE_LOG_N * 4 + 1] memory zmY;
+        zmY[0] = Fr.unwrap(previousChallenge);
+
+        for (uint256 i; i < CONST_PROOF_SIZE_LOG_N; ++i) {
+            zmY[1 + i * 4] = proof.zmCqs[i].x_0;
+            zmY[2 + i * 4] = proof.zmCqs[i].x_1;
+            zmY[3 + i * 4] = proof.zmCqs[i].y_0;
+            zmY[4 + i * 4] = proof.zmCqs[i].y_1;
+        }
+
+        zeromorphY = FrLib.fromBytes32(keccak256(abi.encodePacked(zmY)));
+    }
+
+    function generateZMXZChallenges(Fr previousChallenge, Proof memory proof)
+        internal
+        view
+        returns (Fr zeromorphX, Fr zeromorphZ)
+    {
+        uint256[4 + 1] memory buf;
+        buf[0] = Fr.unwrap(previousChallenge);
+
+        buf[1] = proof.zmCq.x_0;
+        buf[2] = proof.zmCq.x_1;
+        buf[3] = proof.zmCq.y_0;
+        buf[4] = proof.zmCq.y_1;
+
+        zeromorphX = FrLib.fromBytes32(keccak256(abi.encodePacked(buf)));
+        zeromorphZ = FrLib.fromBytes32(keccak256(abi.encodePacked(zeromorphX)));
+    }
+}
+
+// Errors
+error PublicInputsLengthWrong();
+error SumcheckFailed();
+error ZeromorphFailed();
+
+/// Smart contract verifier of honk proofs
+contract Add2HonkVerifier is IVerifier {
+    Fr internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = Fr.wrap(17); // -(-17)
+
+    // TODO(md): I would perfer the publicInputs to be uint256
+    function verify(bytes calldata proof, bytes32[] calldata publicInputs) public view override returns (bool) {
+        Honk.VerificationKey memory vk = loadVerificationKey();
+        Proof memory p = loadProof(proof);
+
+        if (vk.publicInputsSize != NUMBER_OF_PUBLIC_INPUTS) {
+            revert PublicInputsLengthWrong();
+        }
+
+        // Generate the fiat shamir challenges for the whole protocol
+        Transcript memory t = TranscriptLib.generateTranscript(p, vk, publicInputs);
+
+        // Compute the public input delta
+        t.publicInputsDelta =
+            computePublicInputDelta(publicInputs, t.beta, t.gamma, vk.circuitSize, p.publicInputsOffset);
+
+        // Sumcheck
+        bool sumcheckVerified = verifySumcheck(p, t);
+        if (!sumcheckVerified) revert SumcheckFailed();
+
+        // Zeromorph
+        bool zeromorphVerified = verifyZeroMorph(p, vk, t);
+        if (!zeromorphVerified) revert ZeromorphFailed();
+
+        return sumcheckVerified && zeromorphVerified; // Boolean condition not required - nice for vanity :)
+    }
+
+    function loadVerificationKey() internal view returns (Honk.VerificationKey memory) {
+        return VK.loadVerificationKey();
+    }
+
+    // TODO: mod q proof points
+    // TODO: Preprocess all of the memory locations
+    // TODO: Adjust proof point serde away from poseidon forced field elements
+    function loadProof(bytes calldata proof) internal view returns (Proof memory) {
+        Proof memory p;
+
+        // Metadata
+        p.circuitSize = uint256(bytes32(proof[0x00:0x20]));
+        p.publicInputsSize = uint256(bytes32(proof[0x20:0x40]));
+        p.publicInputsOffset = uint256(bytes32(proof[0x40:0x60]));
+
+        // Commitments
+        p.w1 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x60:0x80])),
+            x_1: uint256(bytes32(proof[0x80:0xa0])),
+            y_0: uint256(bytes32(proof[0xa0:0xc0])),
+            y_1: uint256(bytes32(proof[0xc0:0xe0]))
+        });
+
+        p.w2 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0xe0:0x100])),
+            x_1: uint256(bytes32(proof[0x100:0x120])),
+            y_0: uint256(bytes32(proof[0x120:0x140])),
+            y_1: uint256(bytes32(proof[0x140:0x160]))
+        });
+        p.w3 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x160:0x180])),
+            x_1: uint256(bytes32(proof[0x180:0x1a0])),
+            y_0: uint256(bytes32(proof[0x1a0:0x1c0])),
+            y_1: uint256(bytes32(proof[0x1c0:0x1e0]))
+        });
+
+        // Lookup / Permutation Helper Commitments
+        // TODO(md): update the log deriv prover commitment rounds
+        p.lookupReadCounts = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x1e0:0x200])),
+            x_1: uint256(bytes32(proof[0x200:0x220])),
+            y_0: uint256(bytes32(proof[0x220:0x240])),
+            y_1: uint256(bytes32(proof[0x240:0x260]))
+        });
+        p.lookupReadTags = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x260:0x280])),
+            x_1: uint256(bytes32(proof[0x280:0x2a0])),
+            y_0: uint256(bytes32(proof[0x2a0:0x2c0])),
+            y_1: uint256(bytes32(proof[0x2c0:0x2e0]))
+        });
+        p.w4 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x2e0:0x300])),
+            x_1: uint256(bytes32(proof[0x300:0x320])),
+            y_0: uint256(bytes32(proof[0x320:0x340])),
+            y_1: uint256(bytes32(proof[0x340:0x360]))
+        });
+        p.lookupInverses = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x360:0x380])),
+            x_1: uint256(bytes32(proof[0x380:0x3a0])),
+            y_0: uint256(bytes32(proof[0x3a0:0x3c0])),
+            y_1: uint256(bytes32(proof[0x3c0:0x3e0]))
+        });
+        p.zPerm = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x3e0:0x400])),
+            x_1: uint256(bytes32(proof[0x400:0x420])),
+            y_0: uint256(bytes32(proof[0x420:0x440])),
+            y_1: uint256(bytes32(proof[0x440:0x460]))
+        });
+
+        // TEMP the boundary of what has already been read
+        uint256 boundary = 0x460;
+
+        // Sumcheck univariates
+        // TODO: in this case we know what log_n is - so we hard code it, we would want this to be included in
+        // a cpp template for different circuit sizes
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            // The loop boundary of i, this will shift forward on each evaluation
+            uint256 loop_boundary = boundary + (i * 0x20 * BATCHED_RELATION_PARTIAL_LENGTH);
+
+            for (uint256 j = 0; j < BATCHED_RELATION_PARTIAL_LENGTH; j++) {
+                uint256 start = loop_boundary + (j * 0x20);
+                uint256 end = start + 0x20;
+                p.sumcheckUnivariates[i][j] = FrLib.fromBytes32(bytes32(proof[start:end]));
+            }
+        }
+
+        boundary = boundary + (CONST_PROOF_SIZE_LOG_N * BATCHED_RELATION_PARTIAL_LENGTH * 0x20);
+        // Sumcheck evaluations
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) {
+            uint256 start = boundary + (i * 0x20);
+            uint256 end = start + 0x20;
+            p.sumcheckEvaluations[i] = FrLib.fromBytes32(bytes32(proof[start:end]));
+        }
+
+        boundary = boundary + (NUMBER_OF_ENTITIES * 0x20);
+        // Zero morph Commitments
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            // Explicitly stating the x0, x1, y0, y1 start and end boundaries to make the calldata slicing bearable
+            uint256 xStart = boundary + (i * 0x80);
+            uint256 xEnd = xStart + 0x20;
+
+            uint256 x1Start = xEnd;
+            uint256 x1End = x1Start + 0x20;
+
+            uint256 yStart = x1End;
+            uint256 yEnd = yStart + 0x20;
+
+            uint256 y1Start = yEnd;
+            uint256 y1End = y1Start + 0x20;
+
+            p.zmCqs[i] = Honk.G1ProofPoint({
+                x_0: uint256(bytes32(proof[xStart:xEnd])),
+                x_1: uint256(bytes32(proof[x1Start:x1End])),
+                y_0: uint256(bytes32(proof[yStart:yEnd])),
+                y_1: uint256(bytes32(proof[y1Start:y1End]))
+            });
+        }
+
+        boundary = boundary + (CONST_PROOF_SIZE_LOG_N * 0x80);
+
+        p.zmCq = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[boundary:boundary + 0x20])),
+            x_1: uint256(bytes32(proof[boundary + 0x20:boundary + 0x40])),
+            y_0: uint256(bytes32(proof[boundary + 0x40:boundary + 0x60])),
+            y_1: uint256(bytes32(proof[boundary + 0x60:boundary + 0x80]))
+        });
+
+        p.zmPi = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[boundary + 0x80:boundary + 0xa0])),
+            x_1: uint256(bytes32(proof[boundary + 0xa0:boundary + 0xc0])),
+            y_0: uint256(bytes32(proof[boundary + 0xc0:boundary + 0xe0])),
+            y_1: uint256(bytes32(proof[boundary + 0xe0:boundary + 0x100]))
+        });
+
+        return p;
+    }
+
+    function computePublicInputDelta(
+        bytes32[] memory publicInputs,
+        Fr beta,
+        Fr gamma,
+        uint256 domainSize,
+        uint256 offset
+    ) internal view returns (Fr publicInputDelta) {
+        Fr numerator = Fr.wrap(1);
+        Fr denominator = Fr.wrap(1);
+
+        Fr numeratorAcc = gamma + (beta * FrLib.from(domainSize + offset));
+        Fr denominatorAcc = gamma - (beta * FrLib.from(offset + 1));
+
+        {
+            for (uint256 i = 0; i < NUMBER_OF_PUBLIC_INPUTS; i++) {
+                Fr pubInput = FrLib.fromBytes32(publicInputs[i]);
+
+                numerator = numerator * (numeratorAcc + pubInput);
+                denominator = denominator * (denominatorAcc + pubInput);
+
+                numeratorAcc = numeratorAcc + beta;
+                denominatorAcc = denominatorAcc - beta;
+            }
+        }
+
+        // Fr delta = numerator / denominator; // TOOO: batch invert later?
+        publicInputDelta = FrLib.div(numerator, denominator);
+    }
+
+    uint256 constant ROUND_TARGET = 0;
+
+    function verifySumcheck(Proof memory proof, Transcript memory tp) internal view returns (bool verified) {
+        Fr roundTarget;
+        Fr powPartialEvaluation = Fr.wrap(1);
+
+        // We perform sumcheck reductions over log n rounds ( the multivariate degree )
+        for (uint256 round; round < LOG_N; ++round) {
+            Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate = proof.sumcheckUnivariates[round];
+            bool valid = checkSum(roundUnivariate, roundTarget);
+            if (!valid) revert SumcheckFailed();
+
+            Fr roundChallenge = tp.sumCheckUChallenges[round];
+
+            // Update the round target for the next rounf
+            roundTarget = computeNextTargetSum(roundUnivariate, roundChallenge);
+            powPartialEvaluation = partiallyEvaluatePOW(tp, powPartialEvaluation, roundChallenge, round);
+        }
+
+        // Last round
+        Fr grandHonkRelationSum = accumulateRelationEvaluations(proof, tp, powPartialEvaluation);
+        verified = (grandHonkRelationSum == roundTarget);
+    }
+
+    function checkSum(Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate, Fr roundTarget)
+        internal
+        view
+        returns (bool checked)
+    {
+        Fr totalSum = roundUnivariate[0] + roundUnivariate[1];
+        checked = totalSum == roundTarget;
+    }
+
+    // Return the new target sum for the next sumcheck round
+    function computeNextTargetSum(Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariates, Fr roundChallenge)
+        internal
+        view
+        returns (Fr targetSum)
+    {
+        // TODO: inline
+        Fr[7] memory BARYCENTRIC_LAGRANGE_DENOMINATORS = [
+            Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000002d0),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff89),
+            Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000030),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffffdd),
+            Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000030),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff89),
+            Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000002d0)
+        ];
+
+        Fr[7] memory BARYCENTRIC_DOMAIN =
+            [Fr.wrap(0x00), Fr.wrap(0x01), Fr.wrap(0x02), Fr.wrap(0x03), Fr.wrap(0x04), Fr.wrap(0x05), Fr.wrap(0x06)];
+        // To compute the next target sum, we evaluate the given univariate at a point u (challenge).
+
+        // TODO: opt: use same array mem for each iteratioon
+        // Performing Barycentric evaluations
+        // Compute B(x)
+        Fr numeratorValue = Fr.wrap(1);
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            numeratorValue = numeratorValue * (roundChallenge - Fr.wrap(i));
+        }
+
+        // Calculate domain size N of inverses -- TODO: montgomery's trick
+        Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory denominatorInverses;
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            Fr inv = BARYCENTRIC_LAGRANGE_DENOMINATORS[i];
+            inv = inv * (roundChallenge - BARYCENTRIC_DOMAIN[i]);
+            inv = FrLib.invert(inv);
+            denominatorInverses[i] = inv;
+        }
+
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            Fr term = roundUnivariates[i];
+            term = term * denominatorInverses[i];
+            targetSum = targetSum + term;
+        }
+
+        // Scale the sum by the value of B(x)
+        targetSum = targetSum * numeratorValue;
+    }
+
+    // Univariate evaluation of the monomial ((1-X_l) + X_l.B_l) at the challenge point X_l=u_l
+    function partiallyEvaluatePOW(Transcript memory tp, Fr currentEvaluation, Fr roundChallenge, uint256 round)
+        internal
+        view
+        returns (Fr newEvaluation)
+    {
+        Fr univariateEval = Fr.wrap(1) + (roundChallenge * (tp.gateChallenges[round] - Fr.wrap(1)));
+        newEvaluation = currentEvaluation * univariateEval;
+    }
+
+    // Calculate the contributions of each relation to the expected value of the full honk relation
+    //
+    // For each relation, we use the purported values ( the ones provided by the prover ) of the multivariates to
+    // calculate a contribution to the purported value of the full Honk relation.
+    // These are stored in the evaluations part of the proof object.
+    // We add these together, with the appropiate scaling factor ( the alphas calculated in challenges )
+    // This value is checked against the final value of the target total sum - et voila!
+    function accumulateRelationEvaluations(Proof memory proof, Transcript memory tp, Fr powPartialEval)
+        internal
+        view
+        returns (Fr accumulator)
+    {
+        Fr[NUMBER_OF_ENTITIES] memory purportedEvaluations = proof.sumcheckEvaluations;
+        Fr[NUMBER_OF_SUBRELATIONS] memory evaluations;
+
+        // Accumulate all 6 custom gates - each with varying number of subrelations
+        // TODO: annotate how many subrealtions each has
+        accumulateArithmeticRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulatePermutationRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+        accumulateLogDerivativeLookupRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+        accumulateDeltaRangeRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulateEllipticRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulateAuxillaryRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+
+        // Apply alpha challenges to challenge evaluations
+        // Returns grand honk realtion evaluation
+        accumulator = scaleAndBatchSubrelations(evaluations, tp.alphas);
+    }
+
+    /**
+     * WIRE
+     *
+     * Wire is an aesthetic helper function that is used to index by enum into proof.sumcheckEvaluations, it avoids
+     * the relation checking code being cluttered with uint256 type casting, which is often a different colour in code
+     * editors, and thus is noisy.
+     */
+    function wire(Fr[NUMBER_OF_ENTITIES] memory p, WIRE _wire) internal pure returns (Fr) {
+        return p[uint256(_wire)];
+    }
+
+    /**
+     * Ultra Arithmetic Relation
+     *
+     */
+    function accumulateArithmeticRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        // Relation 0
+        Fr q_arith = wire(p, WIRE.Q_ARITH);
+        {
+            Fr neg_half = Fr.wrap(0) - (FrLib.invert(Fr.wrap(2)));
+
+            Fr accum = (q_arith - Fr.wrap(3)) * (wire(p, WIRE.Q_M) * wire(p, WIRE.W_R) * wire(p, WIRE.W_L)) * neg_half;
+            accum = accum + (wire(p, WIRE.Q_L) * wire(p, WIRE.W_L)) + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_R))
+                + (wire(p, WIRE.Q_O) * wire(p, WIRE.W_O)) + (wire(p, WIRE.Q_4) * wire(p, WIRE.W_4)) + wire(p, WIRE.Q_C);
+            accum = accum + (q_arith - Fr.wrap(1)) * wire(p, WIRE.W_4_SHIFT);
+            accum = accum * q_arith;
+            accum = accum * domainSep;
+            evals[0] = accum;
+        }
+
+        // Relation 1
+        {
+            Fr accum = wire(p, WIRE.W_L) + wire(p, WIRE.W_4) - wire(p, WIRE.W_L_SHIFT) + wire(p, WIRE.Q_M);
+            accum = accum * (q_arith - Fr.wrap(2));
+            accum = accum * (q_arith - Fr.wrap(1));
+            accum = accum * q_arith;
+            accum = accum * domainSep;
+            evals[1] = accum;
+        }
+    }
+
+    function accumulatePermutationRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr grand_product_numerator;
+        Fr grand_product_denominator;
+
+        {
+            Fr num = wire(p, WIRE.W_L) + wire(p, WIRE.ID_1) * tp.beta + tp.gamma;
+            num = num * (wire(p, WIRE.W_R) + wire(p, WIRE.ID_2) * tp.beta + tp.gamma);
+            num = num * (wire(p, WIRE.W_O) + wire(p, WIRE.ID_3) * tp.beta + tp.gamma);
+            num = num * (wire(p, WIRE.W_4) + wire(p, WIRE.ID_4) * tp.beta + tp.gamma);
+
+            grand_product_numerator = num;
+        }
+        {
+            Fr den = wire(p, WIRE.W_L) + wire(p, WIRE.SIGMA_1) * tp.beta + tp.gamma;
+            den = den * (wire(p, WIRE.W_R) + wire(p, WIRE.SIGMA_2) * tp.beta + tp.gamma);
+            den = den * (wire(p, WIRE.W_O) + wire(p, WIRE.SIGMA_3) * tp.beta + tp.gamma);
+            den = den * (wire(p, WIRE.W_4) + wire(p, WIRE.SIGMA_4) * tp.beta + tp.gamma);
+
+            grand_product_denominator = den;
+        }
+
+        // Contribution 2
+        {
+            Fr acc = (wire(p, WIRE.Z_PERM) + wire(p, WIRE.LAGRANGE_FIRST)) * grand_product_numerator;
+
+            acc = acc
+                - (
+                    (wire(p, WIRE.Z_PERM_SHIFT) + (wire(p, WIRE.LAGRANGE_LAST) * tp.publicInputsDelta))
+                        * grand_product_denominator
+                );
+            acc = acc * domainSep;
+            evals[2] = acc;
+        }
+
+        // Contribution 3
+        {
+            Fr acc = (wire(p, WIRE.LAGRANGE_LAST) * wire(p, WIRE.Z_PERM_SHIFT)) * domainSep;
+            evals[3] = acc;
+        }
+    }
+
+    // Lookup parameters have been yoinked into memory to avoid stack too deep
+    struct LookupParams {
+        Fr eta_sqr;
+        Fr eta_cube;
+        Fr one_plus_beta;
+        Fr gamma_by_one_plus_beta;
+        Fr wire_accum;
+        Fr table_accum;
+        Fr table_accum_shift;
+    }
+
+    // TODO(md): calculate eta one two and three above
+
+    function accumulateLogDerivativeLookupRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr write_term;
+        Fr read_term;
+
+        // Calculate the write term (the table accumulation)
+        {
+            write_term = wire(p, WIRE.TABLE_1) + tp.gamma + (wire(p, WIRE.TABLE_2) * tp.eta)
+                + (wire(p, WIRE.TABLE_3) * tp.etaTwo) + (wire(p, WIRE.TABLE_4) * tp.etaThree);
+        }
+
+        // Calculate the write term
+        {
+            Fr derived_entry_1 = wire(p, WIRE.W_L) + tp.gamma + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_L_SHIFT));
+            Fr derived_entry_2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_M) * wire(p, WIRE.W_R_SHIFT);
+            Fr derived_entry_3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_C) * wire(p, WIRE.W_O_SHIFT);
+
+            read_term = derived_entry_1 + (derived_entry_2 * tp.eta) + (derived_entry_3 * tp.etaTwo)
+                + (wire(p, WIRE.Q_O) * tp.etaThree);
+        }
+
+        Fr read_inverse = wire(p, WIRE.LOOKUP_INVERSES) * write_term;
+        Fr write_inverse = wire(p, WIRE.LOOKUP_INVERSES) * read_term;
+
+        Fr inverse_exists_xor = wire(p, WIRE.LOOKUP_READ_TAGS) + wire(p, WIRE.Q_LOOKUP)
+            - (wire(p, WIRE.LOOKUP_READ_TAGS) * wire(p, WIRE.Q_LOOKUP));
+
+        // Inverse calculated correctly relation
+        Fr accumulatorNone = read_term * write_term * wire(p, WIRE.LOOKUP_INVERSES) - inverse_exists_xor;
+        accumulatorNone = accumulatorNone * domainSep;
+
+        // Inverse
+        Fr accumulatorOne = wire(p, WIRE.Q_LOOKUP) * read_inverse - wire(p, WIRE.LOOKUP_READ_COUNTS) * write_inverse;
+
+        evals[4] = accumulatorNone;
+        evals[5] = accumulatorOne;
+    }
+
+    function accumulateDeltaRangeRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr minus_one = Fr.wrap(0) - Fr.wrap(1);
+        Fr minus_two = Fr.wrap(0) - Fr.wrap(2);
+        Fr minus_three = Fr.wrap(0) - Fr.wrap(3);
+
+        // Compute wire differences
+        Fr delta_1 = wire(p, WIRE.W_R) - wire(p, WIRE.W_L);
+        Fr delta_2 = wire(p, WIRE.W_O) - wire(p, WIRE.W_R);
+        Fr delta_3 = wire(p, WIRE.W_4) - wire(p, WIRE.W_O);
+        Fr delta_4 = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_4);
+
+        // Contribution 6
+        {
+            Fr acc = delta_1;
+            acc = acc * (delta_1 + minus_one);
+            acc = acc * (delta_1 + minus_two);
+            acc = acc * (delta_1 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[6] = acc;
+        }
+
+        // Contribution 7
+        {
+            Fr acc = delta_2;
+            acc = acc * (delta_2 + minus_one);
+            acc = acc * (delta_2 + minus_two);
+            acc = acc * (delta_2 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[7] = acc;
+        }
+
+        // Contribution 8
+        {
+            Fr acc = delta_3;
+            acc = acc * (delta_3 + minus_one);
+            acc = acc * (delta_3 + minus_two);
+            acc = acc * (delta_3 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[8] = acc;
+        }
+
+        // Contribution 9
+        {
+            Fr acc = delta_4;
+            acc = acc * (delta_4 + minus_one);
+            acc = acc * (delta_4 + minus_two);
+            acc = acc * (delta_4 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[9] = acc;
+        }
+    }
+
+    struct EllipticParams {
+        // Points
+        Fr x_1;
+        Fr y_1;
+        Fr x_2;
+        Fr y_2;
+        Fr y_3;
+        Fr x_3;
+        // push accumulators into memory
+        Fr x_double_identity;
+    }
+
+    function accumulateEllipticRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        EllipticParams memory ep;
+        ep.x_1 = wire(p, WIRE.W_R);
+        ep.y_1 = wire(p, WIRE.W_O);
+
+        ep.x_2 = wire(p, WIRE.W_L_SHIFT);
+        ep.y_2 = wire(p, WIRE.W_4_SHIFT);
+        ep.y_3 = wire(p, WIRE.W_O_SHIFT);
+        ep.x_3 = wire(p, WIRE.W_R_SHIFT);
+
+        Fr q_sign = wire(p, WIRE.Q_L);
+        Fr q_is_double = wire(p, WIRE.Q_M);
+
+        // Contribution 10 point addition, x-coordinate check
+        // q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0
+        Fr x_diff = (ep.x_2 - ep.x_1);
+        Fr y1_sqr = (ep.y_1 * ep.y_1);
+        {
+            // Move to top
+            Fr partialEval = domainSep;
+
+            Fr y2_sqr = (ep.y_2 * ep.y_2);
+            Fr y1y2 = ep.y_1 * ep.y_2 * q_sign;
+            Fr x_add_identity = (ep.x_3 + ep.x_2 + ep.x_1);
+            x_add_identity = x_add_identity * x_diff * x_diff;
+            x_add_identity = x_add_identity - y2_sqr - y1_sqr + y1y2 + y1y2;
+
+            evals[10] = x_add_identity * partialEval * wire(p, WIRE.Q_ELLIPTIC) * (Fr.wrap(1) - q_is_double);
+        }
+
+        // Contribution 11 point addition, x-coordinate check
+        // q_elliptic * (q_sign * y1 + y3)(x2 - x1) + (x3 - x1)(y2 - q_sign * y1) = 0
+        {
+            Fr y1_plus_y3 = ep.y_1 + ep.y_3;
+            Fr y_diff = ep.y_2 * q_sign - ep.y_1;
+            Fr y_add_identity = y1_plus_y3 * x_diff + (ep.x_3 - ep.x_1) * y_diff;
+            evals[11] = y_add_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * (Fr.wrap(1) - q_is_double);
+        }
+
+        // Contribution 10 point doubling, x-coordinate check
+        // (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0
+        // N.B. we're using the equivalence x1*x1*x1 === y1*y1 - curve_b to reduce degree by 1
+        {
+            Fr x_pow_4 = (y1_sqr + GRUMPKIN_CURVE_B_PARAMETER_NEGATED) * ep.x_1;
+            Fr y1_sqr_mul_4 = y1_sqr + y1_sqr;
+            y1_sqr_mul_4 = y1_sqr_mul_4 + y1_sqr_mul_4;
+            Fr x1_pow_4_mul_9 = x_pow_4 * Fr.wrap(9);
+
+            // NOTE: pushed into memory (stack >:'( )
+            ep.x_double_identity = (ep.x_3 + ep.x_1 + ep.x_1) * y1_sqr_mul_4 - x1_pow_4_mul_9;
+
+            Fr acc = ep.x_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
+            evals[10] = evals[10] + acc;
+        }
+
+        // Contribution 11 point doubling, y-coordinate check
+        // (y1 + y1) (2y1) - (3 * x1 * x1)(x1 - x3) = 0
+        {
+            Fr x1_sqr_mul_3 = (ep.x_1 + ep.x_1 + ep.x_1) * ep.x_1;
+            Fr y_double_identity = x1_sqr_mul_3 * (ep.x_1 - ep.x_3) - (ep.y_1 + ep.y_1) * (ep.y_1 + ep.y_3);
+            evals[11] = evals[11] + y_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
+        }
+    }
+
+    // Constants for the auxiliary relation
+    Fr constant LIMB_SIZE = Fr.wrap(uint256(1) << 68);
+    Fr constant SUBLIMB_SHIFT = Fr.wrap(uint256(1) << 14);
+    Fr constant MINUS_ONE = Fr.wrap(P - 1);
+
+    // Parameters used within the Auxiliary Relation
+    // A struct is used to work around stack too deep. This relation has alot of variables
+    struct AuxParams {
+        Fr limb_subproduct;
+        Fr non_native_field_gate_1;
+        Fr non_native_field_gate_2;
+        Fr non_native_field_gate_3;
+        Fr limb_accumulator_1;
+        Fr limb_accumulator_2;
+        Fr memory_record_check;
+        Fr partial_record_check;
+        Fr next_gate_access_type;
+        Fr record_delta;
+        Fr index_delta;
+        Fr adjacent_values_match_if_adjacent_indices_match;
+        Fr adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation;
+        Fr access_check;
+        Fr next_gate_access_type_is_boolean;
+        Fr ROM_consistency_check_identity;
+        Fr RAM_consistency_check_identity;
+        Fr timestamp_delta;
+        Fr RAM_timestamp_check_identity;
+        Fr memory_identity;
+        Fr index_is_monotonically_increasing;
+        Fr auxiliary_identity;
+    }
+
+    function accumulateAuxillaryRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal pure {
+        AuxParams memory ap;
+
+        /**
+         * Contribution 12
+         * Non native field arithmetic gate 2
+         * deg 4
+         *
+         *             _                                                                               _
+         *            /   _                   _                               _       14                \
+         * q_2 . q_4 |   (w_1 . w_2) + (w_1 . w_2) + (w_1 . w_4 + w_2 . w_3 - w_3) . 2    - w_3 - w_4   |
+         *            \_                                                                               _/
+         *
+         *
+         */
+        ap.limb_subproduct = wire(p, WIRE.W_L) * wire(p, WIRE.W_R_SHIFT) + wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R);
+        ap.non_native_field_gate_2 =
+            (wire(p, WIRE.W_L) * wire(p, WIRE.W_4) + wire(p, WIRE.W_R) * wire(p, WIRE.W_O) - wire(p, WIRE.W_O_SHIFT));
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * LIMB_SIZE;
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 - wire(p, WIRE.W_4_SHIFT);
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 + ap.limb_subproduct;
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * wire(p, WIRE.Q_4);
+
+        ap.limb_subproduct = ap.limb_subproduct * LIMB_SIZE;
+        ap.limb_subproduct = ap.limb_subproduct + (wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R_SHIFT));
+        ap.non_native_field_gate_1 = ap.limb_subproduct;
+        ap.non_native_field_gate_1 = ap.non_native_field_gate_1 - (wire(p, WIRE.W_O) + wire(p, WIRE.W_4));
+        ap.non_native_field_gate_1 = ap.non_native_field_gate_1 * wire(p, WIRE.Q_O);
+
+        ap.non_native_field_gate_3 = ap.limb_subproduct;
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 + wire(p, WIRE.W_4);
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 - (wire(p, WIRE.W_O_SHIFT) + wire(p, WIRE.W_4_SHIFT));
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 * wire(p, WIRE.Q_M);
+
+        Fr non_native_field_identity =
+            ap.non_native_field_gate_1 + ap.non_native_field_gate_2 + ap.non_native_field_gate_3;
+        non_native_field_identity = non_native_field_identity * wire(p, WIRE.Q_R);
+
+        // ((((w2' * 2^14 + w1') * 2^14 + w3) * 2^14 + w2) * 2^14 + w1 - w4) * qm
+        // deg 2
+        ap.limb_accumulator_1 = wire(p, WIRE.W_R_SHIFT) * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L_SHIFT);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_O);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_R);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 - wire(p, WIRE.W_4);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * wire(p, WIRE.Q_4);
+
+        // ((((w3' * 2^14 + w2') * 2^14 + w1') * 2^14 + w4) * 2^14 + w3 - w4') * qm
+        // deg 2
+        ap.limb_accumulator_2 = wire(p, WIRE.W_O_SHIFT) * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_R_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_L_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_4);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_O);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 - wire(p, WIRE.W_4_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * wire(p, WIRE.Q_M);
+
+        Fr limb_accumulator_identity = ap.limb_accumulator_1 + ap.limb_accumulator_2;
+        limb_accumulator_identity = limb_accumulator_identity * wire(p, WIRE.Q_O); //  deg 3
+
+        /**
+         * MEMORY
+         *
+         * A RAM memory record contains a tuple of the following fields:
+         *  * i: `index` of memory cell being accessed
+         *  * t: `timestamp` of memory cell being accessed (used for RAM, set to 0 for ROM)
+         *  * v: `value` of memory cell being accessed
+         *  * a: `access` type of record. read: 0 = read, 1 = write
+         *  * r: `record` of memory cell. record = access + index * eta + timestamp * eta_two + value * eta_three
+         *
+         * A ROM memory record contains a tuple of the following fields:
+         *  * i: `index` of memory cell being accessed
+         *  * v: `value1` of memory cell being accessed (ROM tables can store up to 2 values per index)
+         *  * v2:`value2` of memory cell being accessed (ROM tables can store up to 2 values per index)
+         *  * r: `record` of memory cell. record = index * eta + value2 * eta_two + value1 * eta_three
+         *
+         *  When performing a read/write access, the values of i, t, v, v2, a, r are stored in the following wires +
+         * selectors, depending on whether the gate is a RAM read/write or a ROM read
+         *
+         *  | gate type | i  | v2/t  |  v | a  | r  |
+         *  | --------- | -- | ----- | -- | -- | -- |
+         *  | ROM       | w1 | w2    | w3 | -- | w4 |
+         *  | RAM       | w1 | w2    | w3 | qc | w4 |
+         *
+         * (for accesses where `index` is a circuit constant, it is assumed the circuit will apply a copy constraint on
+         * `w2` to fix its value)
+         *
+         *
+         */
+
+        /**
+         * Memory Record Check
+         * Partial degree: 1
+         * Total degree: 4
+         *
+         * A ROM/ROM access gate can be evaluated with the identity:
+         *
+         * qc + w1 \eta + w2 \eta_two + w3 \eta_three - w4 = 0
+         *
+         * For ROM gates, qc = 0
+         */
+        ap.memory_record_check = wire(p, WIRE.W_O) * tp.etaThree;
+        ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_R) * tp.etaTwo);
+        ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_L) * tp.eta);
+        ap.memory_record_check = ap.memory_record_check + wire(p, WIRE.Q_C);
+        ap.partial_record_check = ap.memory_record_check; // used in RAM consistency check; deg 1 or 4
+        ap.memory_record_check = ap.memory_record_check - wire(p, WIRE.W_4);
+
+        /**
+         * Contribution 13 & 14
+         * ROM Consistency Check
+         * Partial degree: 1
+         * Total degree: 4
+         *
+         * For every ROM read, a set equivalence check is applied between the record witnesses, and a second set of
+         * records that are sorted.
+         *
+         * We apply the following checks for the sorted records:
+         *
+         * 1. w1, w2, w3 correctly map to 'index', 'v1, 'v2' for a given record value at w4
+         * 2. index values for adjacent records are monotonically increasing
+         * 3. if, at gate i, index_i == index_{i + 1}, then value1_i == value1_{i + 1} and value2_i == value2_{i + 1}
+         *
+         */
+        ap.index_delta = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_L);
+        ap.record_delta = wire(p, WIRE.W_4_SHIFT) - wire(p, WIRE.W_4);
+
+        ap.index_is_monotonically_increasing = ap.index_delta * ap.index_delta - ap.index_delta; // deg 2
+
+        ap.adjacent_values_match_if_adjacent_indices_match = (ap.index_delta * MINUS_ONE + Fr.wrap(1)) * ap.record_delta; // deg 2
+
+        evals[13] = ap.adjacent_values_match_if_adjacent_indices_match * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
+            * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5
+        evals[14] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
+            * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5
+
+        ap.ROM_consistency_check_identity = ap.memory_record_check * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)); // deg 3 or 7
+
+        /**
+         * Contributions 15,16,17
+         * RAM Consistency Check
+         *
+         * The 'access' type of the record is extracted with the expression `w_4 - ap.partial_record_check`
+         * (i.e. for an honest Prover `w1 * eta + w2 * eta^2 + w3 * eta^3 - w4 = access`.
+         * This is validated by requiring `access` to be boolean
+         *
+         * For two adjacent entries in the sorted list if _both_
+         *  A) index values match
+         *  B) adjacent access value is 0 (i.e. next gate is a READ)
+         * then
+         *  C) both values must match.
+         * The gate boolean check is
+         * (A && B) => C  === !(A && B) || C ===  !A || !B || C
+         *
+         * N.B. it is the responsibility of the circuit writer to ensure that every RAM cell is initialized
+         * with a WRITE operation.
+         */
+        Fr access_type = (wire(p, WIRE.W_4) - ap.partial_record_check); // will be 0 or 1 for honest Prover; deg 1 or 4
+        ap.access_check = access_type * access_type - access_type; // check value is 0 or 1; deg 2 or 8
+
+        // TODO(https://github.com/AztecProtocol/barretenberg/issues/757): If we sorted in
+        // reverse order we could re-use `ap.partial_record_check`  1 -  ((w3' * eta + w2') * eta + w1') * eta
+        // deg 1 or 4
+        ap.next_gate_access_type = wire(p, WIRE.W_O_SHIFT) * tp.etaThree;
+        ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_R_SHIFT) * tp.etaTwo);
+        ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_L_SHIFT) * tp.eta);
+        ap.next_gate_access_type = wire(p, WIRE.W_4_SHIFT) - ap.next_gate_access_type;
+
+        Fr value_delta = wire(p, WIRE.W_O_SHIFT) - wire(p, WIRE.W_O);
+        ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation = (
+            ap.index_delta * MINUS_ONE + Fr.wrap(1)
+        ) * value_delta * (ap.next_gate_access_type * MINUS_ONE + Fr.wrap(1)); // deg 3 or 6
+
+        // We can't apply the RAM consistency check identity on the final entry in the sorted list (the wires in the
+        // next gate would make the identity fail).  We need to validate that its 'access type' bool is correct. Can't
+        // do  with an arithmetic gate because of the  `eta` factors. We need to check that the *next* gate's access
+        // type is  correct, to cover this edge case
+        // deg 2 or 4
+        ap.next_gate_access_type_is_boolean =
+            ap.next_gate_access_type * ap.next_gate_access_type - ap.next_gate_access_type;
+
+        // Putting it all together...
+        evals[15] = ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation
+            * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5 or 8
+        evals[16] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4
+        evals[17] = ap.next_gate_access_type_is_boolean * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4 or 6
+
+        ap.RAM_consistency_check_identity = ap.access_check * (wire(p, WIRE.Q_ARITH)); // deg 3 or 9
+
+        /**
+         * RAM Timestamp Consistency Check
+         *
+         * | w1 | w2 | w3 | w4 |
+         * | index | timestamp | timestamp_check | -- |
+         *
+         * Let delta_index = index_{i + 1} - index_{i}
+         *
+         * Iff delta_index == 0, timestamp_check = timestamp_{i + 1} - timestamp_i
+         * Else timestamp_check = 0
+         */
+        ap.timestamp_delta = wire(p, WIRE.W_R_SHIFT) - wire(p, WIRE.W_R);
+        ap.RAM_timestamp_check_identity =
+            (ap.index_delta * MINUS_ONE + Fr.wrap(1)) * ap.timestamp_delta - wire(p, WIRE.W_O); // deg 3
+
+        /**
+         * Complete Contribution 12
+         * The complete RAM/ROM memory identity
+         * Partial degree:
+         */
+        ap.memory_identity = ap.ROM_consistency_check_identity; // deg 3 or 6
+        ap.memory_identity =
+            ap.memory_identity + ap.RAM_timestamp_check_identity * (wire(p, WIRE.Q_4) * wire(p, WIRE.Q_L)); // deg 4
+        ap.memory_identity = ap.memory_identity + ap.memory_record_check * (wire(p, WIRE.Q_M) * wire(p, WIRE.Q_L)); // deg 3 or 6
+        ap.memory_identity = ap.memory_identity + ap.RAM_consistency_check_identity; // deg 3 or 9
+
+        // (deg 3 or 9) + (deg 4) + (deg 3)
+        ap.auxiliary_identity = ap.memory_identity + non_native_field_identity + limb_accumulator_identity;
+        ap.auxiliary_identity = ap.auxiliary_identity * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4 or 10
+        evals[12] = ap.auxiliary_identity;
+    }
+
+    function scaleAndBatchSubrelations(
+        Fr[NUMBER_OF_SUBRELATIONS] memory evaluations,
+        Fr[NUMBER_OF_ALPHAS] memory subrelationChallenges
+    ) internal view returns (Fr accumulator) {
+        accumulator = accumulator + evaluations[0];
+
+        for (uint256 i = 1; i < NUMBER_OF_SUBRELATIONS; ++i) {
+            accumulator = accumulator + evaluations[i] * subrelationChallenges[i - 1];
+        }
+    }
+
+    function verifyZeroMorph(Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp)
+        internal
+        view
+        returns (bool verified)
+    {
+        // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u)
+        Fr batchedEval = Fr.wrap(0);
+        Fr batchedScalar = Fr.wrap(1);
+
+        // We linearly combine all evaluations (unshifted first, then shifted)
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; ++i) {
+            batchedEval = batchedEval + proof.sumcheckEvaluations[i] * batchedScalar;
+            batchedScalar = batchedScalar * tp.rho;
+        }
+
+        // Get k commitments
+        Honk.G1Point memory c_zeta = computeCZeta(proof, tp);
+        Honk.G1Point memory c_zeta_x = computeCZetaX(proof, vk, tp, batchedEval);
+        Honk.G1Point memory c_zeta_Z = ecAdd(c_zeta, ecMul(c_zeta_x, tp.zmZ));
+
+        // KZG pairing accumulator
+        // WORKTODO: concerned that this is zero - it is multiplied by a point later on
+        Fr evaluation = Fr.wrap(0);
+        verified = zkgReduceVerify(proof, tp, evaluation, c_zeta_Z);
+    }
+
+    // Compute commitment to lifted degree quotient identity
+    function computeCZeta(Proof memory proof, Transcript memory tp) internal view returns (Honk.G1Point memory) {
+        Fr[LOG_N + 1] memory scalars;
+        Honk.G1ProofPoint[LOG_N + 1] memory commitments;
+
+        // Initial contribution
+        commitments[0] = proof.zmCq;
+        scalars[0] = Fr.wrap(1);
+
+        // TODO: optimize pow operations here ? batch mulable
+        for (uint256 k = 0; k < LOG_N; ++k) {
+            Fr degree = Fr.wrap((1 << k) - 1);
+            Fr scalar = FrLib.pow(tp.zmY, k);
+            scalar = scalar * FrLib.pow(tp.zmX, (1 << LOG_N) - Fr.unwrap(degree) - 1);
+            scalar = scalar * MINUS_ONE;
+
+            scalars[k + 1] = scalar;
+            commitments[k + 1] = proof.zmCqs[k];
+        }
+
+        // Convert all commitments for batch mul
+        Honk.G1Point[LOG_N + 1] memory comms = convertPoints(commitments);
+
+        return batchMul(comms, scalars);
+    }
+
+    struct CZetaXParams {
+        Fr phi_numerator;
+        Fr phi_n_x;
+        Fr rho_pow;
+        Fr phi_1;
+        Fr phi_2;
+        Fr x_pow_2k;
+        Fr x_pow_2kp1;
+    }
+
+    function computeCZetaX(Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp, Fr batchedEval)
+        internal
+        view
+        returns (Honk.G1Point memory)
+    {
+        Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars;
+        Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory commitments;
+        CZetaXParams memory cp;
+
+        // Phi_n(x) = (x^N - 1) / (x - 1)
+        cp.phi_numerator = FrLib.pow(tp.zmX, (1 << LOG_N)) - Fr.wrap(1);
+        cp.phi_n_x = FrLib.div(cp.phi_numerator, tp.zmX - Fr.wrap(1));
+
+        // Add contribution: -v * x * \Phi_n(x) * [1]_1
+        // Add base
+        scalars[0] = MINUS_ONE * batchedEval * tp.zmX * cp.phi_n_x;
+        commitments[0] = Honk.G1Point({x: 1, y: 2}); // One
+
+        // f - Add all unshifted commitments
+        // g - Add add to be shifted commitments
+
+        // f commitments are accumulated at (zm_x * r)
+        cp.rho_pow = Fr.wrap(1);
+        for (uint256 i = 1; i < 34; ++i) {
+            scalars[i] = tp.zmX * cp.rho_pow;
+            cp.rho_pow = cp.rho_pow * tp.rho;
+        }
+        // g commitments are accumulated at r
+        for (uint256 i = 34; i < 43; ++i) {
+            scalars[i] = cp.rho_pow;
+            cp.rho_pow = cp.rho_pow * tp.rho;
+        }
+
+        // TODO: dont accumulate these into the comms array, just accumulate directly
+        commitments[1] = vk.qm;
+        commitments[2] = vk.qc;
+        commitments[3] = vk.ql;
+        commitments[4] = vk.qr;
+        commitments[5] = vk.qo;
+        commitments[6] = vk.q4;
+        commitments[7] = vk.qArith;
+        commitments[8] = vk.qDeltaRange;
+        commitments[9] = vk.qElliptic;
+        commitments[10] = vk.qAux;
+        commitments[11] = vk.qLookup;
+        commitments[12] = vk.s1;
+        commitments[13] = vk.s2;
+        commitments[14] = vk.s3;
+        commitments[15] = vk.s4;
+        commitments[16] = vk.id1;
+        commitments[17] = vk.id2;
+        commitments[18] = vk.id3;
+        commitments[19] = vk.id4;
+        commitments[20] = vk.t1;
+        commitments[21] = vk.t2;
+        commitments[22] = vk.t3;
+        commitments[23] = vk.t4;
+        commitments[24] = vk.lagrangeFirst;
+        commitments[25] = vk.lagrangeLast;
+
+        // Accumulate proof points
+        commitments[26] = convertProofPoint(proof.w1);
+        commitments[27] = convertProofPoint(proof.w2);
+        commitments[28] = convertProofPoint(proof.w3);
+        commitments[29] = convertProofPoint(proof.w4);
+        commitments[30] = convertProofPoint(proof.zPerm);
+        commitments[31] = convertProofPoint(proof.lookupInverses);
+        commitments[32] = convertProofPoint(proof.lookupReadCounts);
+        commitments[33] = convertProofPoint(proof.lookupReadTags);
+
+        // to be Shifted
+        commitments[34] = vk.t1;
+        commitments[35] = vk.t2;
+        commitments[36] = vk.t3;
+        commitments[37] = vk.t4;
+        commitments[38] = convertProofPoint(proof.w1);
+        commitments[39] = convertProofPoint(proof.w2);
+        commitments[40] = convertProofPoint(proof.w3);
+        commitments[41] = convertProofPoint(proof.w4);
+        commitments[42] = convertProofPoint(proof.zPerm);
+
+        // Add scalar contributions
+        // Add contributions: scalar * [q_k],  k = 0,...,log_N, where
+        // scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k}))
+        cp.x_pow_2k = tp.zmX;
+        cp.x_pow_2kp1 = tp.zmX * tp.zmX;
+        for (uint256 k; k < CONST_PROOF_SIZE_LOG_N; ++k) {
+            bool dummy_round = k >= LOG_N;
+
+            // note: defaults to 0
+            Fr scalar;
+            if (!dummy_round) {
+                cp.phi_1 = FrLib.div(cp.phi_numerator, cp.x_pow_2kp1 - Fr.wrap(1));
+                cp.phi_2 = FrLib.div(cp.phi_numerator, cp.x_pow_2k - Fr.wrap(1));
+
+                scalar = cp.x_pow_2k * cp.phi_1;
+                scalar = scalar - (tp.sumCheckUChallenges[k] * cp.phi_2);
+                scalar = scalar * tp.zmX;
+                scalar = scalar * MINUS_ONE;
+
+                cp.x_pow_2k = cp.x_pow_2kp1;
+                cp.x_pow_2kp1 = cp.x_pow_2kp1 * cp.x_pow_2kp1;
+            }
+
+            scalars[43 + k] = scalar;
+            commitments[43 + k] = convertProofPoint(proof.zmCqs[k]);
+        }
+
+        return batchMul2(commitments, scalars);
+    }
+
+    // TODO: TODO: TODO: optimize
+    // Scalar Mul and acumulate into total
+    function batchMul(Honk.G1Point[LOG_N + 1] memory base, Fr[LOG_N + 1] memory scalars)
+        internal
+        view
+        returns (Honk.G1Point memory result)
+    {
+        uint256 limit = LOG_N + 1;
+        assembly {
+            let success := 0x01
+            let free := mload(0x40)
+
+            // Write the original into the accumulator
+            // Load into memory for ecMUL, leave offset for eccAdd result
+            // base is an array of pointers, so we have to dereference them
+            mstore(add(free, 0x40), mload(mload(base)))
+            mstore(add(free, 0x60), mload(add(0x20, mload(base))))
+            // Add scalar
+            mstore(add(free, 0x80), mload(scalars))
+            success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40))
+
+            let count := 0x01
+
+            for {} lt(count, limit) { count := add(count, 1) } {
+                // Get loop offsets
+                let base_base := add(base, mul(count, 0x20))
+                let scalar_base := add(scalars, mul(count, 0x20))
+
+                mstore(add(free, 0x40), mload(mload(base_base)))
+                mstore(add(free, 0x60), mload(add(0x20, mload(base_base))))
+                // Add scalar
+                mstore(add(free, 0x80), mload(scalar_base))
+
+                success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40))
+                success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40))
+            }
+
+            mstore(result, mload(free))
+            mstore(add(result, 0x20), mload(add(free, 0x20)))
+        }
+    }
+
+    // This implementation is the same as above with different constants
+    function batchMul2(
+        Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory base,
+        Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars
+    ) internal view returns (Honk.G1Point memory result) {
+        uint256 limit = NUMBER_OF_ENTITIES + LOG_N + 1;
+        assembly {
+            let success := 0x01
+            let free := mload(0x40)
+
+            // Write the original into the accumulator
+            // Load into memory for ecMUL, leave offset for eccAdd result
+            // base is an array of pointers, so we have to dereference them
+            mstore(add(free, 0x40), mload(mload(base)))
+            mstore(add(free, 0x60), mload(add(0x20, mload(base))))
+            // Add scalar
+            mstore(add(free, 0x80), mload(scalars))
+            success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40))
+
+            let count := 0x01
+            for {} lt(count, limit) { count := add(count, 1) } {
+                // Get loop offsets
+                let base_base := add(base, mul(count, 0x20))
+                let scalar_base := add(scalars, mul(count, 0x20))
+
+                mstore(add(free, 0x40), mload(mload(base_base)))
+                mstore(add(free, 0x60), mload(add(0x20, mload(base_base))))
+                // Add scalar
+                mstore(add(free, 0x80), mload(scalar_base))
+
+                success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40))
+                // accumulator = accumulator + accumulator_2
+                success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40))
+            }
+
+            // Return the result - i hate this
+            mstore(result, mload(free))
+            mstore(add(result, 0x20), mload(add(free, 0x20)))
+        }
+    }
+
+    function zkgReduceVerify(Proof memory proof, Transcript memory tp, Fr evaluation, Honk.G1Point memory commitment)
+        internal
+        view
+        returns (bool)
+    {
+        Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi);
+        Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2});
+
+        Honk.G1Point memory P0 = commitment;
+        P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX));
+
+        Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation);
+        P0 = ecSub(P0, evalAsPoint);
+
+        Honk.G1Point memory P1 = negateInplace(quotient_commitment);
+
+        // Perform pairing check
+        return pairing(P0, P1);
+    }
+
+    function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) internal view returns (bool) {
+        bytes memory input = abi.encodePacked(
+            rhs.x,
+            rhs.y,
+            // Fixed G1 point
+            uint256(0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2),
+            uint256(0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed),
+            uint256(0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b),
+            uint256(0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa),
+            lhs.x,
+            lhs.y,
+            // G1 point from VK
+            uint256(0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1),
+            uint256(0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0),
+            uint256(0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4),
+            uint256(0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55)
+        );
+
+        (bool success, bytes memory result) = address(0x08).staticcall(input);
+        return abi.decode(result, (bool));
+    }
+}
+
+// Conversion util - Duplicated as we cannot template LOG_N
+function convertPoints(Honk.G1ProofPoint[LOG_N + 1] memory commitments)
+    pure
+    returns (Honk.G1Point[LOG_N + 1] memory converted)
+{
+    for (uint256 i; i < LOG_N + 1; ++i) {
+        converted[i] = convertProofPoint(commitments[i]);
+    }
+}
diff --git a/barretenberg/sol/src/honk/instance/BlakeHonk.sol b/barretenberg/sol/src/honk/instance/BlakeHonk.sol
new file mode 100644
index 00000000000..e1037cef0d0
--- /dev/null
+++ b/barretenberg/sol/src/honk/instance/BlakeHonk.sol
@@ -0,0 +1,1445 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Aztec Labs
+pragma solidity >=0.8.21;
+
+import {IVerifier} from "../../interfaces/IVerifier.sol";
+import {BlakeHonkVerificationKey as VK, N, LOG_N, NUMBER_OF_PUBLIC_INPUTS} from "../keys/BlakeHonkVerificationKey.sol";
+
+import {
+    Honk,
+    WIRE,
+    NUMBER_OF_ENTITIES,
+    NUMBER_OF_SUBRELATIONS,
+    NUMBER_OF_ALPHAS,
+    BATCHED_RELATION_PARTIAL_LENGTH,
+    CONST_PROOF_SIZE_LOG_N,
+    P,
+    Q
+} from "../HonkTypes.sol";
+
+import {ecMul, ecAdd, ecSub, negateInplace, convertProofPoint} from "../utils.sol";
+
+// Field arithmetic libraries - prevent littering the code with modmul / addmul
+import {Fr, FrLib} from "../Fr.sol";
+
+struct Proof {
+    uint256 circuitSize;
+    uint256 publicInputsSize;
+    uint256 publicInputsOffset;
+    // Free wires
+    Honk.G1ProofPoint w1;
+    Honk.G1ProofPoint w2;
+    Honk.G1ProofPoint w3;
+    Honk.G1ProofPoint w4;
+    // Lookup helpers - Permutations
+    Honk.G1ProofPoint zPerm;
+    // Lookup helpers - logup
+    Honk.G1ProofPoint lookupReadCounts;
+    Honk.G1ProofPoint lookupReadTags;
+    Honk.G1ProofPoint lookupInverses;
+    // Sumcheck
+    Fr[BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates;
+    Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations;
+    // Zero morph
+    Honk.G1ProofPoint[CONST_PROOF_SIZE_LOG_N] zmCqs;
+    Honk.G1ProofPoint zmCq;
+    Honk.G1ProofPoint zmPi;
+}
+
+// Transcript library to generate fiat shamir challenges
+struct Transcript {
+    Fr eta;
+    Fr etaTwo;
+    Fr etaThree;
+    Fr beta;
+    Fr gamma;
+    Fr[NUMBER_OF_ALPHAS] alphas;
+    Fr[LOG_N] gateChallenges;
+    Fr[CONST_PROOF_SIZE_LOG_N] sumCheckUChallenges;
+    Fr rho;
+    // Zero morph
+    Fr zmX;
+    Fr zmY;
+    Fr zmZ;
+    Fr zmQuotient;
+    // Derived
+    Fr publicInputsDelta;
+    Fr lookupGrandProductDelta;
+}
+
+library TranscriptLib {
+    function generateTranscript(Proof memory proof, Honk.VerificationKey memory vk, bytes32[] calldata publicInputs)
+        internal
+        view
+        returns (Transcript memory t)
+    {
+        // TODO: calcaulte full series of  eta;
+        (t.eta, t.etaTwo, t.etaThree) = generateEtaChallenge(proof, publicInputs);
+
+        (t.beta, t.gamma) = generateBetaAndGammaChallenges(t.etaThree, proof);
+
+        t.alphas = generateAlphaChallenges(t.gamma, proof);
+
+        t.gateChallenges = generateGateChallenges(t.alphas[NUMBER_OF_ALPHAS - 1]);
+
+        t.sumCheckUChallenges = generateSumcheckChallenges(proof, t.gateChallenges[LOG_N - 1]);
+        t.rho = generateRhoChallenge(proof, t.sumCheckUChallenges[CONST_PROOF_SIZE_LOG_N - 1]);
+
+        t.zmY = generateZMYChallenge(t.rho, proof);
+
+        (t.zmX, t.zmZ) = generateZMXZChallenges(t.zmY, proof);
+
+        return t;
+    }
+
+    function generateEtaChallenge(Proof memory proof, bytes32[] calldata publicInputs)
+        internal
+        view
+        returns (Fr eta, Fr etaTwo, Fr etaThree)
+    {
+        // TODO(md): the 12 here will need to be halved when we fix the transcript to not be over field elements
+        // TODO: use assembly
+        bytes32[3 + NUMBER_OF_PUBLIC_INPUTS + 12] memory round0;
+        round0[0] = bytes32(proof.circuitSize);
+        round0[1] = bytes32(proof.publicInputsSize);
+        round0[2] = bytes32(proof.publicInputsOffset);
+        for (uint256 i = 0; i < NUMBER_OF_PUBLIC_INPUTS; i++) {
+            round0[3 + i] = bytes32(publicInputs[i]);
+        }
+
+        // Create the first challenge
+        // Note: w4 is added to the challenge later on
+        // TODO: UPDATE ALL VALUES IN HERE
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS] = bytes32(proof.w1.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 1] = bytes32(proof.w1.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 2] = bytes32(proof.w1.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 3] = bytes32(proof.w1.y_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 4] = bytes32(proof.w2.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 5] = bytes32(proof.w2.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 6] = bytes32(proof.w2.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 7] = bytes32(proof.w2.y_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 8] = bytes32(proof.w3.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 9] = bytes32(proof.w3.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 10] = bytes32(proof.w3.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 11] = bytes32(proof.w3.y_1);
+
+        eta = FrLib.fromBytes32(keccak256(abi.encodePacked(round0)));
+        etaTwo = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(eta))));
+        etaThree = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(etaTwo))));
+    }
+
+    function generateBetaAndGammaChallenges(Fr previousChallenge, Proof memory proof)
+        internal
+        view
+        returns (Fr beta, Fr gamma)
+    {
+        // TODO(md): adjust round size when the proof points are generated correctly - 5
+        bytes32[13] memory round1;
+        round1[0] = FrLib.toBytes32(previousChallenge);
+        round1[1] = bytes32(proof.lookupReadCounts.x_0);
+        round1[2] = bytes32(proof.lookupReadCounts.x_1);
+        round1[3] = bytes32(proof.lookupReadCounts.y_0);
+        round1[4] = bytes32(proof.lookupReadCounts.y_1);
+        round1[5] = bytes32(proof.lookupReadTags.x_0);
+        round1[6] = bytes32(proof.lookupReadTags.x_1);
+        round1[7] = bytes32(proof.lookupReadTags.y_0);
+        round1[8] = bytes32(proof.lookupReadTags.y_1);
+        round1[9] = bytes32(proof.w4.x_0);
+        round1[10] = bytes32(proof.w4.x_1);
+        round1[11] = bytes32(proof.w4.y_0);
+        round1[12] = bytes32(proof.w4.y_1);
+
+        beta = FrLib.fromBytes32(keccak256(abi.encodePacked(round1)));
+        gamma = FrLib.fromBytes32(keccak256(abi.encodePacked(beta)));
+    }
+
+    // Alpha challenges non-linearise the gate contributions
+    function generateAlphaChallenges(Fr previousChallenge, Proof memory proof)
+        internal
+        view
+        returns (Fr[NUMBER_OF_ALPHAS] memory alphas)
+    {
+        // Generate the original sumcheck alpha 0 by hashing zPerm and zLookup
+        // TODO(md): 5 post correct proof size fix
+        uint256[9] memory alpha0;
+        alpha0[0] = Fr.unwrap(previousChallenge);
+        alpha0[1] = proof.lookupInverses.x_0;
+        alpha0[2] = proof.lookupInverses.x_1;
+        alpha0[3] = proof.lookupInverses.y_0;
+        alpha0[4] = proof.lookupInverses.y_1;
+        alpha0[5] = proof.zPerm.x_0;
+        alpha0[6] = proof.zPerm.x_1;
+        alpha0[7] = proof.zPerm.y_0;
+        alpha0[8] = proof.zPerm.y_1;
+
+        alphas[0] = FrLib.fromBytes32(keccak256(abi.encodePacked(alpha0)));
+
+        Fr prevChallenge = alphas[0];
+        for (uint256 i = 1; i < NUMBER_OF_ALPHAS; i++) {
+            prevChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(prevChallenge))));
+            alphas[i] = prevChallenge;
+        }
+    }
+
+    function generateGateChallenges(Fr previousChallenge) internal view returns (Fr[LOG_N] memory gateChallenges) {
+        for (uint256 i = 0; i < LOG_N; i++) {
+            previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge))));
+            gateChallenges[i] = previousChallenge;
+        }
+    }
+
+    function generateSumcheckChallenges(Proof memory proof, Fr prevChallenge)
+        internal
+        view
+        returns (Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckChallenges)
+    {
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            Fr[BATCHED_RELATION_PARTIAL_LENGTH + 1] memory univariateChal;
+            univariateChal[0] = prevChallenge;
+
+            // TODO(opt): memcpy
+            for (uint256 j = 0; j < BATCHED_RELATION_PARTIAL_LENGTH; j++) {
+                univariateChal[j + 1] = proof.sumcheckUnivariates[i][j];
+            }
+
+            sumcheckChallenges[i] = FrLib.fromBytes32(keccak256(abi.encodePacked(univariateChal)));
+            prevChallenge = sumcheckChallenges[i];
+        }
+    }
+
+    function generateRhoChallenge(Proof memory proof, Fr prevChallenge) internal view returns (Fr rho) {
+        Fr[NUMBER_OF_ENTITIES + 1] memory rhoChallengeElements;
+        rhoChallengeElements[0] = prevChallenge;
+
+        // TODO: memcpy
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) {
+            rhoChallengeElements[i + 1] = proof.sumcheckEvaluations[i];
+        }
+
+        rho = FrLib.fromBytes32(keccak256(abi.encodePacked(rhoChallengeElements)));
+    }
+
+    function generateZMYChallenge(Fr previousChallenge, Proof memory proof) internal view returns (Fr zeromorphY) {
+        uint256[CONST_PROOF_SIZE_LOG_N * 4 + 1] memory zmY;
+        zmY[0] = Fr.unwrap(previousChallenge);
+
+        for (uint256 i; i < CONST_PROOF_SIZE_LOG_N; ++i) {
+            zmY[1 + i * 4] = proof.zmCqs[i].x_0;
+            zmY[2 + i * 4] = proof.zmCqs[i].x_1;
+            zmY[3 + i * 4] = proof.zmCqs[i].y_0;
+            zmY[4 + i * 4] = proof.zmCqs[i].y_1;
+        }
+
+        zeromorphY = FrLib.fromBytes32(keccak256(abi.encodePacked(zmY)));
+    }
+
+    function generateZMXZChallenges(Fr previousChallenge, Proof memory proof)
+        internal
+        view
+        returns (Fr zeromorphX, Fr zeromorphZ)
+    {
+        uint256[4 + 1] memory buf;
+        buf[0] = Fr.unwrap(previousChallenge);
+
+        buf[1] = proof.zmCq.x_0;
+        buf[2] = proof.zmCq.x_1;
+        buf[3] = proof.zmCq.y_0;
+        buf[4] = proof.zmCq.y_1;
+
+        zeromorphX = FrLib.fromBytes32(keccak256(abi.encodePacked(buf)));
+        zeromorphZ = FrLib.fromBytes32(keccak256(abi.encodePacked(zeromorphX)));
+    }
+}
+
+// Errors
+error PublicInputsLengthWrong();
+error SumcheckFailed();
+error ZeromorphFailed();
+
+/// Smart contract verifier of honk proofs
+contract BlakeHonkVerifier is IVerifier {
+    Fr internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = Fr.wrap(17); // -(-17)
+
+    // TODO(md): I would perfer the publicInputs to be uint256
+    function verify(bytes calldata proof, bytes32[] calldata publicInputs) public view override returns (bool) {
+        Honk.VerificationKey memory vk = loadVerificationKey();
+        Proof memory p = loadProof(proof);
+
+        if (vk.publicInputsSize != NUMBER_OF_PUBLIC_INPUTS) {
+            revert PublicInputsLengthWrong();
+        }
+
+        // Generate the fiat shamir challenges for the whole protocol
+        Transcript memory t = TranscriptLib.generateTranscript(p, vk, publicInputs);
+
+        // Compute the public input delta
+        t.publicInputsDelta =
+            computePublicInputDelta(publicInputs, t.beta, t.gamma, vk.circuitSize, p.publicInputsOffset);
+
+        // Sumcheck
+        bool sumcheckVerified = verifySumcheck(p, t);
+        if (!sumcheckVerified) revert SumcheckFailed();
+
+        // Zeromorph
+        bool zeromorphVerified = verifyZeroMorph(p, vk, t);
+        if (!zeromorphVerified) revert ZeromorphFailed();
+
+        return sumcheckVerified && zeromorphVerified; // Boolean condition not required - nice for vanity :)
+    }
+
+    function loadVerificationKey() internal view returns (Honk.VerificationKey memory) {
+        return VK.loadVerificationKey();
+    }
+
+    // TODO: mod q proof points
+    // TODO: Preprocess all of the memory locations
+    // TODO: Adjust proof point serde away from poseidon forced field elements
+    function loadProof(bytes calldata proof) internal view returns (Proof memory) {
+        Proof memory p;
+
+        // Metadata
+        p.circuitSize = uint256(bytes32(proof[0x00:0x20]));
+        p.publicInputsSize = uint256(bytes32(proof[0x20:0x40]));
+        p.publicInputsOffset = uint256(bytes32(proof[0x40:0x60]));
+
+        // Commitments
+        p.w1 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x60:0x80])),
+            x_1: uint256(bytes32(proof[0x80:0xa0])),
+            y_0: uint256(bytes32(proof[0xa0:0xc0])),
+            y_1: uint256(bytes32(proof[0xc0:0xe0]))
+        });
+
+        p.w2 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0xe0:0x100])),
+            x_1: uint256(bytes32(proof[0x100:0x120])),
+            y_0: uint256(bytes32(proof[0x120:0x140])),
+            y_1: uint256(bytes32(proof[0x140:0x160]))
+        });
+        p.w3 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x160:0x180])),
+            x_1: uint256(bytes32(proof[0x180:0x1a0])),
+            y_0: uint256(bytes32(proof[0x1a0:0x1c0])),
+            y_1: uint256(bytes32(proof[0x1c0:0x1e0]))
+        });
+
+        // Lookup / Permutation Helper Commitments
+        // TODO(md): update the log deriv prover commitment rounds
+        p.lookupReadCounts = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x1e0:0x200])),
+            x_1: uint256(bytes32(proof[0x200:0x220])),
+            y_0: uint256(bytes32(proof[0x220:0x240])),
+            y_1: uint256(bytes32(proof[0x240:0x260]))
+        });
+        p.lookupReadTags = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x260:0x280])),
+            x_1: uint256(bytes32(proof[0x280:0x2a0])),
+            y_0: uint256(bytes32(proof[0x2a0:0x2c0])),
+            y_1: uint256(bytes32(proof[0x2c0:0x2e0]))
+        });
+        p.w4 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x2e0:0x300])),
+            x_1: uint256(bytes32(proof[0x300:0x320])),
+            y_0: uint256(bytes32(proof[0x320:0x340])),
+            y_1: uint256(bytes32(proof[0x340:0x360]))
+        });
+        p.lookupInverses = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x360:0x380])),
+            x_1: uint256(bytes32(proof[0x380:0x3a0])),
+            y_0: uint256(bytes32(proof[0x3a0:0x3c0])),
+            y_1: uint256(bytes32(proof[0x3c0:0x3e0]))
+        });
+        p.zPerm = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x3e0:0x400])),
+            x_1: uint256(bytes32(proof[0x400:0x420])),
+            y_0: uint256(bytes32(proof[0x420:0x440])),
+            y_1: uint256(bytes32(proof[0x440:0x460]))
+        });
+
+        // TEMP the boundary of what has already been read
+        uint256 boundary = 0x460;
+
+        // Sumcheck univariates
+        // TODO: in this case we know what log_n is - so we hard code it, we would want this to be included in
+        // a cpp template for different circuit sizes
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            // The loop boundary of i, this will shift forward on each evaluation
+            uint256 loop_boundary = boundary + (i * 0x20 * BATCHED_RELATION_PARTIAL_LENGTH);
+
+            for (uint256 j = 0; j < BATCHED_RELATION_PARTIAL_LENGTH; j++) {
+                uint256 start = loop_boundary + (j * 0x20);
+                uint256 end = start + 0x20;
+                p.sumcheckUnivariates[i][j] = FrLib.fromBytes32(bytes32(proof[start:end]));
+            }
+        }
+
+        boundary = boundary + (CONST_PROOF_SIZE_LOG_N * BATCHED_RELATION_PARTIAL_LENGTH * 0x20);
+        // Sumcheck evaluations
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) {
+            uint256 start = boundary + (i * 0x20);
+            uint256 end = start + 0x20;
+            p.sumcheckEvaluations[i] = FrLib.fromBytes32(bytes32(proof[start:end]));
+        }
+
+        boundary = boundary + (NUMBER_OF_ENTITIES * 0x20);
+        // Zero morph Commitments
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            // Explicitly stating the x0, x1, y0, y1 start and end boundaries to make the calldata slicing bearable
+            uint256 xStart = boundary + (i * 0x80);
+            uint256 xEnd = xStart + 0x20;
+
+            uint256 x1Start = xEnd;
+            uint256 x1End = x1Start + 0x20;
+
+            uint256 yStart = x1End;
+            uint256 yEnd = yStart + 0x20;
+
+            uint256 y1Start = yEnd;
+            uint256 y1End = y1Start + 0x20;
+
+            p.zmCqs[i] = Honk.G1ProofPoint({
+                x_0: uint256(bytes32(proof[xStart:xEnd])),
+                x_1: uint256(bytes32(proof[x1Start:x1End])),
+                y_0: uint256(bytes32(proof[yStart:yEnd])),
+                y_1: uint256(bytes32(proof[y1Start:y1End]))
+            });
+        }
+
+        boundary = boundary + (CONST_PROOF_SIZE_LOG_N * 0x80);
+
+        p.zmCq = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[boundary:boundary + 0x20])),
+            x_1: uint256(bytes32(proof[boundary + 0x20:boundary + 0x40])),
+            y_0: uint256(bytes32(proof[boundary + 0x40:boundary + 0x60])),
+            y_1: uint256(bytes32(proof[boundary + 0x60:boundary + 0x80]))
+        });
+
+        p.zmPi = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[boundary + 0x80:boundary + 0xa0])),
+            x_1: uint256(bytes32(proof[boundary + 0xa0:boundary + 0xc0])),
+            y_0: uint256(bytes32(proof[boundary + 0xc0:boundary + 0xe0])),
+            y_1: uint256(bytes32(proof[boundary + 0xe0:boundary + 0x100]))
+        });
+
+        return p;
+    }
+
+    function computePublicInputDelta(
+        bytes32[] memory publicInputs,
+        Fr beta,
+        Fr gamma,
+        uint256 domainSize,
+        uint256 offset
+    ) internal view returns (Fr publicInputDelta) {
+        Fr numerator = Fr.wrap(1);
+        Fr denominator = Fr.wrap(1);
+
+        Fr numeratorAcc = gamma + (beta * FrLib.from(domainSize + offset));
+        Fr denominatorAcc = gamma - (beta * FrLib.from(offset + 1));
+
+        {
+            for (uint256 i = 0; i < NUMBER_OF_PUBLIC_INPUTS; i++) {
+                Fr pubInput = FrLib.fromBytes32(publicInputs[i]);
+
+                numerator = numerator * (numeratorAcc + pubInput);
+                denominator = denominator * (denominatorAcc + pubInput);
+
+                numeratorAcc = numeratorAcc + beta;
+                denominatorAcc = denominatorAcc - beta;
+            }
+        }
+
+        // Fr delta = numerator / denominator; // TOOO: batch invert later?
+        publicInputDelta = FrLib.div(numerator, denominator);
+    }
+
+    uint256 constant ROUND_TARGET = 0;
+
+    function verifySumcheck(Proof memory proof, Transcript memory tp) internal view returns (bool verified) {
+        Fr roundTarget;
+        Fr powPartialEvaluation = Fr.wrap(1);
+
+        // We perform sumcheck reductions over log n rounds ( the multivariate degree )
+        for (uint256 round; round < LOG_N; ++round) {
+            Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate = proof.sumcheckUnivariates[round];
+            bool valid = checkSum(roundUnivariate, roundTarget);
+            if (!valid) revert SumcheckFailed();
+
+            Fr roundChallenge = tp.sumCheckUChallenges[round];
+
+            // Update the round target for the next rounf
+            roundTarget = computeNextTargetSum(roundUnivariate, roundChallenge);
+            powPartialEvaluation = partiallyEvaluatePOW(tp, powPartialEvaluation, roundChallenge, round);
+        }
+
+        // Last round
+        Fr grandHonkRelationSum = accumulateRelationEvaluations(proof, tp, powPartialEvaluation);
+        verified = (grandHonkRelationSum == roundTarget);
+    }
+
+    function checkSum(Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate, Fr roundTarget)
+        internal
+        view
+        returns (bool checked)
+    {
+        Fr totalSum = roundUnivariate[0] + roundUnivariate[1];
+        checked = totalSum == roundTarget;
+    }
+
+    // Return the new target sum for the next sumcheck round
+    function computeNextTargetSum(Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariates, Fr roundChallenge)
+        internal
+        view
+        returns (Fr targetSum)
+    {
+        // TODO: inline
+        Fr[7] memory BARYCENTRIC_LAGRANGE_DENOMINATORS = [
+            Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000002d0),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff89),
+            Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000030),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffffdd),
+            Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000030),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff89),
+            Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000002d0)
+        ];
+
+        Fr[7] memory BARYCENTRIC_DOMAIN =
+            [Fr.wrap(0x00), Fr.wrap(0x01), Fr.wrap(0x02), Fr.wrap(0x03), Fr.wrap(0x04), Fr.wrap(0x05), Fr.wrap(0x06)];
+        // To compute the next target sum, we evaluate the given univariate at a point u (challenge).
+
+        // TODO: opt: use same array mem for each iteratioon
+        // Performing Barycentric evaluations
+        // Compute B(x)
+        Fr numeratorValue = Fr.wrap(1);
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            numeratorValue = numeratorValue * (roundChallenge - Fr.wrap(i));
+        }
+
+        // Calculate domain size N of inverses -- TODO: montgomery's trick
+        Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory denominatorInverses;
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            Fr inv = BARYCENTRIC_LAGRANGE_DENOMINATORS[i];
+            inv = inv * (roundChallenge - BARYCENTRIC_DOMAIN[i]);
+            inv = FrLib.invert(inv);
+            denominatorInverses[i] = inv;
+        }
+
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            Fr term = roundUnivariates[i];
+            term = term * denominatorInverses[i];
+            targetSum = targetSum + term;
+        }
+
+        // Scale the sum by the value of B(x)
+        targetSum = targetSum * numeratorValue;
+    }
+
+    // Univariate evaluation of the monomial ((1-X_l) + X_l.B_l) at the challenge point X_l=u_l
+    function partiallyEvaluatePOW(Transcript memory tp, Fr currentEvaluation, Fr roundChallenge, uint256 round)
+        internal
+        view
+        returns (Fr newEvaluation)
+    {
+        Fr univariateEval = Fr.wrap(1) + (roundChallenge * (tp.gateChallenges[round] - Fr.wrap(1)));
+        newEvaluation = currentEvaluation * univariateEval;
+    }
+
+    // Calculate the contributions of each relation to the expected value of the full honk relation
+    //
+    // For each relation, we use the purported values ( the ones provided by the prover ) of the multivariates to
+    // calculate a contribution to the purported value of the full Honk relation.
+    // These are stored in the evaluations part of the proof object.
+    // We add these together, with the appropiate scaling factor ( the alphas calculated in challenges )
+    // This value is checked against the final value of the target total sum - et voila!
+    function accumulateRelationEvaluations(Proof memory proof, Transcript memory tp, Fr powPartialEval)
+        internal
+        view
+        returns (Fr accumulator)
+    {
+        Fr[NUMBER_OF_ENTITIES] memory purportedEvaluations = proof.sumcheckEvaluations;
+        Fr[NUMBER_OF_SUBRELATIONS] memory evaluations;
+
+        // Accumulate all 6 custom gates - each with varying number of subrelations
+        // TODO: annotate how many subrealtions each has
+        accumulateArithmeticRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulatePermutationRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+        accumulateLogDerivativeLookupRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+        accumulateDeltaRangeRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulateEllipticRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulateAuxillaryRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+
+        // Apply alpha challenges to challenge evaluations
+        // Returns grand honk realtion evaluation
+        accumulator = scaleAndBatchSubrelations(evaluations, tp.alphas);
+    }
+
+    /**
+     * WIRE
+     *
+     * Wire is an aesthetic helper function that is used to index by enum into proof.sumcheckEvaluations, it avoids
+     * the relation checking code being cluttered with uint256 type casting, which is often a different colour in code
+     * editors, and thus is noisy.
+     */
+    function wire(Fr[NUMBER_OF_ENTITIES] memory p, WIRE _wire) internal pure returns (Fr) {
+        return p[uint256(_wire)];
+    }
+
+    /**
+     * Ultra Arithmetic Relation
+     *
+     */
+    function accumulateArithmeticRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        // Relation 0
+        Fr q_arith = wire(p, WIRE.Q_ARITH);
+        {
+            Fr neg_half = Fr.wrap(0) - (FrLib.invert(Fr.wrap(2)));
+
+            Fr accum = (q_arith - Fr.wrap(3)) * (wire(p, WIRE.Q_M) * wire(p, WIRE.W_R) * wire(p, WIRE.W_L)) * neg_half;
+            accum = accum + (wire(p, WIRE.Q_L) * wire(p, WIRE.W_L)) + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_R))
+                + (wire(p, WIRE.Q_O) * wire(p, WIRE.W_O)) + (wire(p, WIRE.Q_4) * wire(p, WIRE.W_4)) + wire(p, WIRE.Q_C);
+            accum = accum + (q_arith - Fr.wrap(1)) * wire(p, WIRE.W_4_SHIFT);
+            accum = accum * q_arith;
+            accum = accum * domainSep;
+            evals[0] = accum;
+        }
+
+        // Relation 1
+        {
+            Fr accum = wire(p, WIRE.W_L) + wire(p, WIRE.W_4) - wire(p, WIRE.W_L_SHIFT) + wire(p, WIRE.Q_M);
+            accum = accum * (q_arith - Fr.wrap(2));
+            accum = accum * (q_arith - Fr.wrap(1));
+            accum = accum * q_arith;
+            accum = accum * domainSep;
+            evals[1] = accum;
+        }
+    }
+
+    function accumulatePermutationRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr grand_product_numerator;
+        Fr grand_product_denominator;
+
+        {
+            Fr num = wire(p, WIRE.W_L) + wire(p, WIRE.ID_1) * tp.beta + tp.gamma;
+            num = num * (wire(p, WIRE.W_R) + wire(p, WIRE.ID_2) * tp.beta + tp.gamma);
+            num = num * (wire(p, WIRE.W_O) + wire(p, WIRE.ID_3) * tp.beta + tp.gamma);
+            num = num * (wire(p, WIRE.W_4) + wire(p, WIRE.ID_4) * tp.beta + tp.gamma);
+
+            grand_product_numerator = num;
+        }
+        {
+            Fr den = wire(p, WIRE.W_L) + wire(p, WIRE.SIGMA_1) * tp.beta + tp.gamma;
+            den = den * (wire(p, WIRE.W_R) + wire(p, WIRE.SIGMA_2) * tp.beta + tp.gamma);
+            den = den * (wire(p, WIRE.W_O) + wire(p, WIRE.SIGMA_3) * tp.beta + tp.gamma);
+            den = den * (wire(p, WIRE.W_4) + wire(p, WIRE.SIGMA_4) * tp.beta + tp.gamma);
+
+            grand_product_denominator = den;
+        }
+
+        // Contribution 2
+        {
+            Fr acc = (wire(p, WIRE.Z_PERM) + wire(p, WIRE.LAGRANGE_FIRST)) * grand_product_numerator;
+
+            acc = acc
+                - (
+                    (wire(p, WIRE.Z_PERM_SHIFT) + (wire(p, WIRE.LAGRANGE_LAST) * tp.publicInputsDelta))
+                        * grand_product_denominator
+                );
+            acc = acc * domainSep;
+            evals[2] = acc;
+        }
+
+        // Contribution 3
+        {
+            Fr acc = (wire(p, WIRE.LAGRANGE_LAST) * wire(p, WIRE.Z_PERM_SHIFT)) * domainSep;
+            evals[3] = acc;
+        }
+    }
+
+    // Lookup parameters have been yoinked into memory to avoid stack too deep
+    struct LookupParams {
+        Fr eta_sqr;
+        Fr eta_cube;
+        Fr one_plus_beta;
+        Fr gamma_by_one_plus_beta;
+        Fr wire_accum;
+        Fr table_accum;
+        Fr table_accum_shift;
+    }
+
+    // TODO(md): calculate eta one two and three above
+
+    function accumulateLogDerivativeLookupRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr write_term;
+        Fr read_term;
+
+        // Calculate the write term (the table accumulation)
+        {
+            write_term = wire(p, WIRE.TABLE_1) + tp.gamma + (wire(p, WIRE.TABLE_2) * tp.eta)
+                + (wire(p, WIRE.TABLE_3) * tp.etaTwo) + (wire(p, WIRE.TABLE_4) * tp.etaThree);
+        }
+
+        // Calculate the write term
+        {
+            Fr derived_entry_1 = wire(p, WIRE.W_L) + tp.gamma + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_L_SHIFT));
+            Fr derived_entry_2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_M) * wire(p, WIRE.W_R_SHIFT);
+            Fr derived_entry_3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_C) * wire(p, WIRE.W_O_SHIFT);
+
+            read_term = derived_entry_1 + (derived_entry_2 * tp.eta) + (derived_entry_3 * tp.etaTwo)
+                + (wire(p, WIRE.Q_O) * tp.etaThree);
+        }
+
+        Fr read_inverse = wire(p, WIRE.LOOKUP_INVERSES) * write_term;
+        Fr write_inverse = wire(p, WIRE.LOOKUP_INVERSES) * read_term;
+
+        Fr inverse_exists_xor = wire(p, WIRE.LOOKUP_READ_TAGS) + wire(p, WIRE.Q_LOOKUP)
+            - (wire(p, WIRE.LOOKUP_READ_TAGS) * wire(p, WIRE.Q_LOOKUP));
+
+        // Inverse calculated correctly relation
+        Fr accumulatorNone = read_term * write_term * wire(p, WIRE.LOOKUP_INVERSES) - inverse_exists_xor;
+        accumulatorNone = accumulatorNone * domainSep;
+
+        // Inverse
+        Fr accumulatorOne = wire(p, WIRE.Q_LOOKUP) * read_inverse - wire(p, WIRE.LOOKUP_READ_COUNTS) * write_inverse;
+
+        evals[4] = accumulatorNone;
+        evals[5] = accumulatorOne;
+    }
+
+    function accumulateDeltaRangeRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr minus_one = Fr.wrap(0) - Fr.wrap(1);
+        Fr minus_two = Fr.wrap(0) - Fr.wrap(2);
+        Fr minus_three = Fr.wrap(0) - Fr.wrap(3);
+
+        // Compute wire differences
+        Fr delta_1 = wire(p, WIRE.W_R) - wire(p, WIRE.W_L);
+        Fr delta_2 = wire(p, WIRE.W_O) - wire(p, WIRE.W_R);
+        Fr delta_3 = wire(p, WIRE.W_4) - wire(p, WIRE.W_O);
+        Fr delta_4 = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_4);
+
+        // Contribution 6
+        {
+            Fr acc = delta_1;
+            acc = acc * (delta_1 + minus_one);
+            acc = acc * (delta_1 + minus_two);
+            acc = acc * (delta_1 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[6] = acc;
+        }
+
+        // Contribution 7
+        {
+            Fr acc = delta_2;
+            acc = acc * (delta_2 + minus_one);
+            acc = acc * (delta_2 + minus_two);
+            acc = acc * (delta_2 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[7] = acc;
+        }
+
+        // Contribution 8
+        {
+            Fr acc = delta_3;
+            acc = acc * (delta_3 + minus_one);
+            acc = acc * (delta_3 + minus_two);
+            acc = acc * (delta_3 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[8] = acc;
+        }
+
+        // Contribution 9
+        {
+            Fr acc = delta_4;
+            acc = acc * (delta_4 + minus_one);
+            acc = acc * (delta_4 + minus_two);
+            acc = acc * (delta_4 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[9] = acc;
+        }
+    }
+
+    struct EllipticParams {
+        // Points
+        Fr x_1;
+        Fr y_1;
+        Fr x_2;
+        Fr y_2;
+        Fr y_3;
+        Fr x_3;
+        // push accumulators into memory
+        Fr x_double_identity;
+    }
+
+    function accumulateEllipticRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        EllipticParams memory ep;
+        ep.x_1 = wire(p, WIRE.W_R);
+        ep.y_1 = wire(p, WIRE.W_O);
+
+        ep.x_2 = wire(p, WIRE.W_L_SHIFT);
+        ep.y_2 = wire(p, WIRE.W_4_SHIFT);
+        ep.y_3 = wire(p, WIRE.W_O_SHIFT);
+        ep.x_3 = wire(p, WIRE.W_R_SHIFT);
+
+        Fr q_sign = wire(p, WIRE.Q_L);
+        Fr q_is_double = wire(p, WIRE.Q_M);
+
+        // Contribution 10 point addition, x-coordinate check
+        // q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0
+        Fr x_diff = (ep.x_2 - ep.x_1);
+        Fr y1_sqr = (ep.y_1 * ep.y_1);
+        {
+            // Move to top
+            Fr partialEval = domainSep;
+
+            Fr y2_sqr = (ep.y_2 * ep.y_2);
+            Fr y1y2 = ep.y_1 * ep.y_2 * q_sign;
+            Fr x_add_identity = (ep.x_3 + ep.x_2 + ep.x_1);
+            x_add_identity = x_add_identity * x_diff * x_diff;
+            x_add_identity = x_add_identity - y2_sqr - y1_sqr + y1y2 + y1y2;
+
+            evals[10] = x_add_identity * partialEval * wire(p, WIRE.Q_ELLIPTIC) * (Fr.wrap(1) - q_is_double);
+        }
+
+        // Contribution 11 point addition, x-coordinate check
+        // q_elliptic * (q_sign * y1 + y3)(x2 - x1) + (x3 - x1)(y2 - q_sign * y1) = 0
+        {
+            Fr y1_plus_y3 = ep.y_1 + ep.y_3;
+            Fr y_diff = ep.y_2 * q_sign - ep.y_1;
+            Fr y_add_identity = y1_plus_y3 * x_diff + (ep.x_3 - ep.x_1) * y_diff;
+            evals[11] = y_add_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * (Fr.wrap(1) - q_is_double);
+        }
+
+        // Contribution 10 point doubling, x-coordinate check
+        // (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0
+        // N.B. we're using the equivalence x1*x1*x1 === y1*y1 - curve_b to reduce degree by 1
+        {
+            Fr x_pow_4 = (y1_sqr + GRUMPKIN_CURVE_B_PARAMETER_NEGATED) * ep.x_1;
+            Fr y1_sqr_mul_4 = y1_sqr + y1_sqr;
+            y1_sqr_mul_4 = y1_sqr_mul_4 + y1_sqr_mul_4;
+            Fr x1_pow_4_mul_9 = x_pow_4 * Fr.wrap(9);
+
+            // NOTE: pushed into memory (stack >:'( )
+            ep.x_double_identity = (ep.x_3 + ep.x_1 + ep.x_1) * y1_sqr_mul_4 - x1_pow_4_mul_9;
+
+            Fr acc = ep.x_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
+            evals[10] = evals[10] + acc;
+        }
+
+        // Contribution 11 point doubling, y-coordinate check
+        // (y1 + y1) (2y1) - (3 * x1 * x1)(x1 - x3) = 0
+        {
+            Fr x1_sqr_mul_3 = (ep.x_1 + ep.x_1 + ep.x_1) * ep.x_1;
+            Fr y_double_identity = x1_sqr_mul_3 * (ep.x_1 - ep.x_3) - (ep.y_1 + ep.y_1) * (ep.y_1 + ep.y_3);
+            evals[11] = evals[11] + y_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
+        }
+    }
+
+    // Constants for the auxiliary relation
+    Fr constant LIMB_SIZE = Fr.wrap(uint256(1) << 68);
+    Fr constant SUBLIMB_SHIFT = Fr.wrap(uint256(1) << 14);
+    Fr constant MINUS_ONE = Fr.wrap(P - 1);
+
+    // Parameters used within the Auxiliary Relation
+    // A struct is used to work around stack too deep. This relation has alot of variables
+    struct AuxParams {
+        Fr limb_subproduct;
+        Fr non_native_field_gate_1;
+        Fr non_native_field_gate_2;
+        Fr non_native_field_gate_3;
+        Fr limb_accumulator_1;
+        Fr limb_accumulator_2;
+        Fr memory_record_check;
+        Fr partial_record_check;
+        Fr next_gate_access_type;
+        Fr record_delta;
+        Fr index_delta;
+        Fr adjacent_values_match_if_adjacent_indices_match;
+        Fr adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation;
+        Fr access_check;
+        Fr next_gate_access_type_is_boolean;
+        Fr ROM_consistency_check_identity;
+        Fr RAM_consistency_check_identity;
+        Fr timestamp_delta;
+        Fr RAM_timestamp_check_identity;
+        Fr memory_identity;
+        Fr index_is_monotonically_increasing;
+        Fr auxiliary_identity;
+    }
+
+    function accumulateAuxillaryRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal pure {
+        AuxParams memory ap;
+
+        /**
+         * Contribution 12
+         * Non native field arithmetic gate 2
+         * deg 4
+         *
+         *             _                                                                               _
+         *            /   _                   _                               _       14                \
+         * q_2 . q_4 |   (w_1 . w_2) + (w_1 . w_2) + (w_1 . w_4 + w_2 . w_3 - w_3) . 2    - w_3 - w_4   |
+         *            \_                                                                               _/
+         *
+         *
+         */
+        ap.limb_subproduct = wire(p, WIRE.W_L) * wire(p, WIRE.W_R_SHIFT) + wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R);
+        ap.non_native_field_gate_2 =
+            (wire(p, WIRE.W_L) * wire(p, WIRE.W_4) + wire(p, WIRE.W_R) * wire(p, WIRE.W_O) - wire(p, WIRE.W_O_SHIFT));
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * LIMB_SIZE;
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 - wire(p, WIRE.W_4_SHIFT);
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 + ap.limb_subproduct;
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * wire(p, WIRE.Q_4);
+
+        ap.limb_subproduct = ap.limb_subproduct * LIMB_SIZE;
+        ap.limb_subproduct = ap.limb_subproduct + (wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R_SHIFT));
+        ap.non_native_field_gate_1 = ap.limb_subproduct;
+        ap.non_native_field_gate_1 = ap.non_native_field_gate_1 - (wire(p, WIRE.W_O) + wire(p, WIRE.W_4));
+        ap.non_native_field_gate_1 = ap.non_native_field_gate_1 * wire(p, WIRE.Q_O);
+
+        ap.non_native_field_gate_3 = ap.limb_subproduct;
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 + wire(p, WIRE.W_4);
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 - (wire(p, WIRE.W_O_SHIFT) + wire(p, WIRE.W_4_SHIFT));
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 * wire(p, WIRE.Q_M);
+
+        Fr non_native_field_identity =
+            ap.non_native_field_gate_1 + ap.non_native_field_gate_2 + ap.non_native_field_gate_3;
+        non_native_field_identity = non_native_field_identity * wire(p, WIRE.Q_R);
+
+        // ((((w2' * 2^14 + w1') * 2^14 + w3) * 2^14 + w2) * 2^14 + w1 - w4) * qm
+        // deg 2
+        ap.limb_accumulator_1 = wire(p, WIRE.W_R_SHIFT) * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L_SHIFT);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_O);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_R);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 - wire(p, WIRE.W_4);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * wire(p, WIRE.Q_4);
+
+        // ((((w3' * 2^14 + w2') * 2^14 + w1') * 2^14 + w4) * 2^14 + w3 - w4') * qm
+        // deg 2
+        ap.limb_accumulator_2 = wire(p, WIRE.W_O_SHIFT) * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_R_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_L_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_4);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_O);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 - wire(p, WIRE.W_4_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * wire(p, WIRE.Q_M);
+
+        Fr limb_accumulator_identity = ap.limb_accumulator_1 + ap.limb_accumulator_2;
+        limb_accumulator_identity = limb_accumulator_identity * wire(p, WIRE.Q_O); //  deg 3
+
+        /**
+         * MEMORY
+         *
+         * A RAM memory record contains a tuple of the following fields:
+         *  * i: `index` of memory cell being accessed
+         *  * t: `timestamp` of memory cell being accessed (used for RAM, set to 0 for ROM)
+         *  * v: `value` of memory cell being accessed
+         *  * a: `access` type of record. read: 0 = read, 1 = write
+         *  * r: `record` of memory cell. record = access + index * eta + timestamp * eta_two + value * eta_three
+         *
+         * A ROM memory record contains a tuple of the following fields:
+         *  * i: `index` of memory cell being accessed
+         *  * v: `value1` of memory cell being accessed (ROM tables can store up to 2 values per index)
+         *  * v2:`value2` of memory cell being accessed (ROM tables can store up to 2 values per index)
+         *  * r: `record` of memory cell. record = index * eta + value2 * eta_two + value1 * eta_three
+         *
+         *  When performing a read/write access, the values of i, t, v, v2, a, r are stored in the following wires +
+         * selectors, depending on whether the gate is a RAM read/write or a ROM read
+         *
+         *  | gate type | i  | v2/t  |  v | a  | r  |
+         *  | --------- | -- | ----- | -- | -- | -- |
+         *  | ROM       | w1 | w2    | w3 | -- | w4 |
+         *  | RAM       | w1 | w2    | w3 | qc | w4 |
+         *
+         * (for accesses where `index` is a circuit constant, it is assumed the circuit will apply a copy constraint on
+         * `w2` to fix its value)
+         *
+         *
+         */
+
+        /**
+         * Memory Record Check
+         * Partial degree: 1
+         * Total degree: 4
+         *
+         * A ROM/ROM access gate can be evaluated with the identity:
+         *
+         * qc + w1 \eta + w2 \eta_two + w3 \eta_three - w4 = 0
+         *
+         * For ROM gates, qc = 0
+         */
+        ap.memory_record_check = wire(p, WIRE.W_O) * tp.etaThree;
+        ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_R) * tp.etaTwo);
+        ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_L) * tp.eta);
+        ap.memory_record_check = ap.memory_record_check + wire(p, WIRE.Q_C);
+        ap.partial_record_check = ap.memory_record_check; // used in RAM consistency check; deg 1 or 4
+        ap.memory_record_check = ap.memory_record_check - wire(p, WIRE.W_4);
+
+        /**
+         * Contribution 13 & 14
+         * ROM Consistency Check
+         * Partial degree: 1
+         * Total degree: 4
+         *
+         * For every ROM read, a set equivalence check is applied between the record witnesses, and a second set of
+         * records that are sorted.
+         *
+         * We apply the following checks for the sorted records:
+         *
+         * 1. w1, w2, w3 correctly map to 'index', 'v1, 'v2' for a given record value at w4
+         * 2. index values for adjacent records are monotonically increasing
+         * 3. if, at gate i, index_i == index_{i + 1}, then value1_i == value1_{i + 1} and value2_i == value2_{i + 1}
+         *
+         */
+        ap.index_delta = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_L);
+        ap.record_delta = wire(p, WIRE.W_4_SHIFT) - wire(p, WIRE.W_4);
+
+        ap.index_is_monotonically_increasing = ap.index_delta * ap.index_delta - ap.index_delta; // deg 2
+
+        ap.adjacent_values_match_if_adjacent_indices_match = (ap.index_delta * MINUS_ONE + Fr.wrap(1)) * ap.record_delta; // deg 2
+
+        evals[13] = ap.adjacent_values_match_if_adjacent_indices_match * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
+            * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5
+        evals[14] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
+            * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5
+
+        ap.ROM_consistency_check_identity = ap.memory_record_check * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)); // deg 3 or 7
+
+        /**
+         * Contributions 15,16,17
+         * RAM Consistency Check
+         *
+         * The 'access' type of the record is extracted with the expression `w_4 - ap.partial_record_check`
+         * (i.e. for an honest Prover `w1 * eta + w2 * eta^2 + w3 * eta^3 - w4 = access`.
+         * This is validated by requiring `access` to be boolean
+         *
+         * For two adjacent entries in the sorted list if _both_
+         *  A) index values match
+         *  B) adjacent access value is 0 (i.e. next gate is a READ)
+         * then
+         *  C) both values must match.
+         * The gate boolean check is
+         * (A && B) => C  === !(A && B) || C ===  !A || !B || C
+         *
+         * N.B. it is the responsibility of the circuit writer to ensure that every RAM cell is initialized
+         * with a WRITE operation.
+         */
+        Fr access_type = (wire(p, WIRE.W_4) - ap.partial_record_check); // will be 0 or 1 for honest Prover; deg 1 or 4
+        ap.access_check = access_type * access_type - access_type; // check value is 0 or 1; deg 2 or 8
+
+        // TODO(https://github.com/AztecProtocol/barretenberg/issues/757): If we sorted in
+        // reverse order we could re-use `ap.partial_record_check`  1 -  ((w3' * eta + w2') * eta + w1') * eta
+        // deg 1 or 4
+        ap.next_gate_access_type = wire(p, WIRE.W_O_SHIFT) * tp.etaThree;
+        ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_R_SHIFT) * tp.etaTwo);
+        ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_L_SHIFT) * tp.eta);
+        ap.next_gate_access_type = wire(p, WIRE.W_4_SHIFT) - ap.next_gate_access_type;
+
+        Fr value_delta = wire(p, WIRE.W_O_SHIFT) - wire(p, WIRE.W_O);
+        ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation = (
+            ap.index_delta * MINUS_ONE + Fr.wrap(1)
+        ) * value_delta * (ap.next_gate_access_type * MINUS_ONE + Fr.wrap(1)); // deg 3 or 6
+
+        // We can't apply the RAM consistency check identity on the final entry in the sorted list (the wires in the
+        // next gate would make the identity fail).  We need to validate that its 'access type' bool is correct. Can't
+        // do  with an arithmetic gate because of the  `eta` factors. We need to check that the *next* gate's access
+        // type is  correct, to cover this edge case
+        // deg 2 or 4
+        ap.next_gate_access_type_is_boolean =
+            ap.next_gate_access_type * ap.next_gate_access_type - ap.next_gate_access_type;
+
+        // Putting it all together...
+        evals[15] = ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation
+            * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5 or 8
+        evals[16] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4
+        evals[17] = ap.next_gate_access_type_is_boolean * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4 or 6
+
+        ap.RAM_consistency_check_identity = ap.access_check * (wire(p, WIRE.Q_ARITH)); // deg 3 or 9
+
+        /**
+         * RAM Timestamp Consistency Check
+         *
+         * | w1 | w2 | w3 | w4 |
+         * | index | timestamp | timestamp_check | -- |
+         *
+         * Let delta_index = index_{i + 1} - index_{i}
+         *
+         * Iff delta_index == 0, timestamp_check = timestamp_{i + 1} - timestamp_i
+         * Else timestamp_check = 0
+         */
+        ap.timestamp_delta = wire(p, WIRE.W_R_SHIFT) - wire(p, WIRE.W_R);
+        ap.RAM_timestamp_check_identity =
+            (ap.index_delta * MINUS_ONE + Fr.wrap(1)) * ap.timestamp_delta - wire(p, WIRE.W_O); // deg 3
+
+        /**
+         * Complete Contribution 12
+         * The complete RAM/ROM memory identity
+         * Partial degree:
+         */
+        ap.memory_identity = ap.ROM_consistency_check_identity; // deg 3 or 6
+        ap.memory_identity =
+            ap.memory_identity + ap.RAM_timestamp_check_identity * (wire(p, WIRE.Q_4) * wire(p, WIRE.Q_L)); // deg 4
+        ap.memory_identity = ap.memory_identity + ap.memory_record_check * (wire(p, WIRE.Q_M) * wire(p, WIRE.Q_L)); // deg 3 or 6
+        ap.memory_identity = ap.memory_identity + ap.RAM_consistency_check_identity; // deg 3 or 9
+
+        // (deg 3 or 9) + (deg 4) + (deg 3)
+        ap.auxiliary_identity = ap.memory_identity + non_native_field_identity + limb_accumulator_identity;
+        ap.auxiliary_identity = ap.auxiliary_identity * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4 or 10
+        evals[12] = ap.auxiliary_identity;
+    }
+
+    function scaleAndBatchSubrelations(
+        Fr[NUMBER_OF_SUBRELATIONS] memory evaluations,
+        Fr[NUMBER_OF_ALPHAS] memory subrelationChallenges
+    ) internal view returns (Fr accumulator) {
+        accumulator = accumulator + evaluations[0];
+
+        for (uint256 i = 1; i < NUMBER_OF_SUBRELATIONS; ++i) {
+            accumulator = accumulator + evaluations[i] * subrelationChallenges[i - 1];
+        }
+    }
+
+    function verifyZeroMorph(Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp)
+        internal
+        view
+        returns (bool verified)
+    {
+        // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u)
+        Fr batchedEval = Fr.wrap(0);
+        Fr batchedScalar = Fr.wrap(1);
+
+        // We linearly combine all evaluations (unshifted first, then shifted)
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; ++i) {
+            batchedEval = batchedEval + proof.sumcheckEvaluations[i] * batchedScalar;
+            batchedScalar = batchedScalar * tp.rho;
+        }
+
+        // Get k commitments
+        Honk.G1Point memory c_zeta = computeCZeta(proof, tp);
+        Honk.G1Point memory c_zeta_x = computeCZetaX(proof, vk, tp, batchedEval);
+        Honk.G1Point memory c_zeta_Z = ecAdd(c_zeta, ecMul(c_zeta_x, tp.zmZ));
+
+        // KZG pairing accumulator
+        // WORKTODO: concerned that this is zero - it is multiplied by a point later on
+        Fr evaluation = Fr.wrap(0);
+        verified = zkgReduceVerify(proof, tp, evaluation, c_zeta_Z);
+    }
+
+    // Compute commitment to lifted degree quotient identity
+    function computeCZeta(Proof memory proof, Transcript memory tp) internal view returns (Honk.G1Point memory) {
+        Fr[LOG_N + 1] memory scalars;
+        Honk.G1ProofPoint[LOG_N + 1] memory commitments;
+
+        // Initial contribution
+        commitments[0] = proof.zmCq;
+        scalars[0] = Fr.wrap(1);
+
+        // TODO: optimize pow operations here ? batch mulable
+        for (uint256 k = 0; k < LOG_N; ++k) {
+            Fr degree = Fr.wrap((1 << k) - 1);
+            Fr scalar = FrLib.pow(tp.zmY, k);
+            scalar = scalar * FrLib.pow(tp.zmX, (1 << LOG_N) - Fr.unwrap(degree) - 1);
+            scalar = scalar * MINUS_ONE;
+
+            scalars[k + 1] = scalar;
+            commitments[k + 1] = proof.zmCqs[k];
+        }
+
+        // Convert all commitments for batch mul
+        Honk.G1Point[LOG_N + 1] memory comms = convertPoints(commitments);
+
+        return batchMul(comms, scalars);
+    }
+
+    struct CZetaXParams {
+        Fr phi_numerator;
+        Fr phi_n_x;
+        Fr rho_pow;
+        Fr phi_1;
+        Fr phi_2;
+        Fr x_pow_2k;
+        Fr x_pow_2kp1;
+    }
+
+    function computeCZetaX(Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp, Fr batchedEval)
+        internal
+        view
+        returns (Honk.G1Point memory)
+    {
+        Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars;
+        Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory commitments;
+        CZetaXParams memory cp;
+
+        // Phi_n(x) = (x^N - 1) / (x - 1)
+        cp.phi_numerator = FrLib.pow(tp.zmX, (1 << LOG_N)) - Fr.wrap(1);
+        cp.phi_n_x = FrLib.div(cp.phi_numerator, tp.zmX - Fr.wrap(1));
+
+        // Add contribution: -v * x * \Phi_n(x) * [1]_1
+        // Add base
+        scalars[0] = MINUS_ONE * batchedEval * tp.zmX * cp.phi_n_x;
+        commitments[0] = Honk.G1Point({x: 1, y: 2}); // One
+
+        // f - Add all unshifted commitments
+        // g - Add add to be shifted commitments
+
+        // f commitments are accumulated at (zm_x * r)
+        cp.rho_pow = Fr.wrap(1);
+        for (uint256 i = 1; i < 34; ++i) {
+            scalars[i] = tp.zmX * cp.rho_pow;
+            cp.rho_pow = cp.rho_pow * tp.rho;
+        }
+        // g commitments are accumulated at r
+        for (uint256 i = 34; i < 43; ++i) {
+            scalars[i] = cp.rho_pow;
+            cp.rho_pow = cp.rho_pow * tp.rho;
+        }
+
+        // TODO: dont accumulate these into the comms array, just accumulate directly
+        commitments[1] = vk.qm;
+        commitments[2] = vk.qc;
+        commitments[3] = vk.ql;
+        commitments[4] = vk.qr;
+        commitments[5] = vk.qo;
+        commitments[6] = vk.q4;
+        commitments[7] = vk.qArith;
+        commitments[8] = vk.qDeltaRange;
+        commitments[9] = vk.qElliptic;
+        commitments[10] = vk.qAux;
+        commitments[11] = vk.qLookup;
+        commitments[12] = vk.s1;
+        commitments[13] = vk.s2;
+        commitments[14] = vk.s3;
+        commitments[15] = vk.s4;
+        commitments[16] = vk.id1;
+        commitments[17] = vk.id2;
+        commitments[18] = vk.id3;
+        commitments[19] = vk.id4;
+        commitments[20] = vk.t1;
+        commitments[21] = vk.t2;
+        commitments[22] = vk.t3;
+        commitments[23] = vk.t4;
+        commitments[24] = vk.lagrangeFirst;
+        commitments[25] = vk.lagrangeLast;
+
+        // Accumulate proof points
+        commitments[26] = convertProofPoint(proof.w1);
+        commitments[27] = convertProofPoint(proof.w2);
+        commitments[28] = convertProofPoint(proof.w3);
+        commitments[29] = convertProofPoint(proof.w4);
+        commitments[30] = convertProofPoint(proof.zPerm);
+        commitments[31] = convertProofPoint(proof.lookupInverses);
+        commitments[32] = convertProofPoint(proof.lookupReadCounts);
+        commitments[33] = convertProofPoint(proof.lookupReadTags);
+
+        // to be Shifted
+        commitments[34] = vk.t1;
+        commitments[35] = vk.t2;
+        commitments[36] = vk.t3;
+        commitments[37] = vk.t4;
+        commitments[38] = convertProofPoint(proof.w1);
+        commitments[39] = convertProofPoint(proof.w2);
+        commitments[40] = convertProofPoint(proof.w3);
+        commitments[41] = convertProofPoint(proof.w4);
+        commitments[42] = convertProofPoint(proof.zPerm);
+
+        // Add scalar contributions
+        // Add contributions: scalar * [q_k],  k = 0,...,log_N, where
+        // scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k}))
+        cp.x_pow_2k = tp.zmX;
+        cp.x_pow_2kp1 = tp.zmX * tp.zmX;
+        for (uint256 k; k < CONST_PROOF_SIZE_LOG_N; ++k) {
+            bool dummy_round = k >= LOG_N;
+
+            // note: defaults to 0
+            Fr scalar;
+            if (!dummy_round) {
+                cp.phi_1 = FrLib.div(cp.phi_numerator, cp.x_pow_2kp1 - Fr.wrap(1));
+                cp.phi_2 = FrLib.div(cp.phi_numerator, cp.x_pow_2k - Fr.wrap(1));
+
+                scalar = cp.x_pow_2k * cp.phi_1;
+                scalar = scalar - (tp.sumCheckUChallenges[k] * cp.phi_2);
+                scalar = scalar * tp.zmX;
+                scalar = scalar * MINUS_ONE;
+
+                cp.x_pow_2k = cp.x_pow_2kp1;
+                cp.x_pow_2kp1 = cp.x_pow_2kp1 * cp.x_pow_2kp1;
+            }
+
+            scalars[43 + k] = scalar;
+            commitments[43 + k] = convertProofPoint(proof.zmCqs[k]);
+        }
+
+        return batchMul2(commitments, scalars);
+    }
+
+    // TODO: TODO: TODO: optimize
+    // Scalar Mul and acumulate into total
+    function batchMul(Honk.G1Point[LOG_N + 1] memory base, Fr[LOG_N + 1] memory scalars)
+        internal
+        view
+        returns (Honk.G1Point memory result)
+    {
+        uint256 limit = LOG_N + 1;
+        assembly {
+            let success := 0x01
+            let free := mload(0x40)
+
+            // Write the original into the accumulator
+            // Load into memory for ecMUL, leave offset for eccAdd result
+            // base is an array of pointers, so we have to dereference them
+            mstore(add(free, 0x40), mload(mload(base)))
+            mstore(add(free, 0x60), mload(add(0x20, mload(base))))
+            // Add scalar
+            mstore(add(free, 0x80), mload(scalars))
+            success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40))
+
+            let count := 0x01
+
+            for {} lt(count, limit) { count := add(count, 1) } {
+                // Get loop offsets
+                let base_base := add(base, mul(count, 0x20))
+                let scalar_base := add(scalars, mul(count, 0x20))
+
+                mstore(add(free, 0x40), mload(mload(base_base)))
+                mstore(add(free, 0x60), mload(add(0x20, mload(base_base))))
+                // Add scalar
+                mstore(add(free, 0x80), mload(scalar_base))
+
+                success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40))
+                success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40))
+            }
+
+            mstore(result, mload(free))
+            mstore(add(result, 0x20), mload(add(free, 0x20)))
+        }
+    }
+
+    // This implementation is the same as above with different constants
+    function batchMul2(
+        Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory base,
+        Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars
+    ) internal view returns (Honk.G1Point memory result) {
+        uint256 limit = NUMBER_OF_ENTITIES + LOG_N + 1;
+        assembly {
+            let success := 0x01
+            let free := mload(0x40)
+
+            // Write the original into the accumulator
+            // Load into memory for ecMUL, leave offset for eccAdd result
+            // base is an array of pointers, so we have to dereference them
+            mstore(add(free, 0x40), mload(mload(base)))
+            mstore(add(free, 0x60), mload(add(0x20, mload(base))))
+            // Add scalar
+            mstore(add(free, 0x80), mload(scalars))
+            success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40))
+
+            let count := 0x01
+            for {} lt(count, limit) { count := add(count, 1) } {
+                // Get loop offsets
+                let base_base := add(base, mul(count, 0x20))
+                let scalar_base := add(scalars, mul(count, 0x20))
+
+                mstore(add(free, 0x40), mload(mload(base_base)))
+                mstore(add(free, 0x60), mload(add(0x20, mload(base_base))))
+                // Add scalar
+                mstore(add(free, 0x80), mload(scalar_base))
+
+                success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40))
+                // accumulator = accumulator + accumulator_2
+                success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40))
+            }
+
+            // Return the result - i hate this
+            mstore(result, mload(free))
+            mstore(add(result, 0x20), mload(add(free, 0x20)))
+        }
+    }
+
+    function zkgReduceVerify(Proof memory proof, Transcript memory tp, Fr evaluation, Honk.G1Point memory commitment)
+        internal
+        view
+        returns (bool)
+    {
+        Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi);
+        Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2});
+
+        Honk.G1Point memory P0 = commitment;
+        P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX));
+
+        Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation);
+        P0 = ecSub(P0, evalAsPoint);
+
+        Honk.G1Point memory P1 = negateInplace(quotient_commitment);
+
+        // Perform pairing check
+        return pairing(P0, P1);
+    }
+
+    function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) internal view returns (bool) {
+        bytes memory input = abi.encodePacked(
+            rhs.x,
+            rhs.y,
+            // Fixed G1 point
+            uint256(0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2),
+            uint256(0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed),
+            uint256(0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b),
+            uint256(0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa),
+            lhs.x,
+            lhs.y,
+            // G1 point from VK
+            uint256(0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1),
+            uint256(0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0),
+            uint256(0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4),
+            uint256(0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55)
+        );
+
+        (bool success, bytes memory result) = address(0x08).staticcall(input);
+        return abi.decode(result, (bool));
+    }
+}
+
+// Conversion util - Duplicated as we cannot template LOG_N
+function convertPoints(Honk.G1ProofPoint[LOG_N + 1] memory commitments)
+    pure
+    returns (Honk.G1Point[LOG_N + 1] memory converted)
+{
+    for (uint256 i; i < LOG_N + 1; ++i) {
+        converted[i] = convertProofPoint(commitments[i]);
+    }
+}
diff --git a/barretenberg/sol/src/honk/instance/EcdsaHonk.sol b/barretenberg/sol/src/honk/instance/EcdsaHonk.sol
new file mode 100644
index 00000000000..61e08027aa6
--- /dev/null
+++ b/barretenberg/sol/src/honk/instance/EcdsaHonk.sol
@@ -0,0 +1,1445 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Aztec Labs
+pragma solidity >=0.8.21;
+
+import {IVerifier} from "../../interfaces/IVerifier.sol";
+import {EcdsaHonkVerificationKey as VK, N, LOG_N, NUMBER_OF_PUBLIC_INPUTS} from "../keys/EcdsaHonkVerificationKey.sol";
+
+import {
+    Honk,
+    WIRE,
+    NUMBER_OF_ENTITIES,
+    NUMBER_OF_SUBRELATIONS,
+    NUMBER_OF_ALPHAS,
+    BATCHED_RELATION_PARTIAL_LENGTH,
+    CONST_PROOF_SIZE_LOG_N,
+    P,
+    Q
+} from "../HonkTypes.sol";
+
+import {ecMul, ecAdd, ecSub, negateInplace, convertProofPoint} from "../utils.sol";
+
+// Field arithmetic libraries - prevent littering the code with modmul / addmul
+import {Fr, FrLib} from "../Fr.sol";
+
+struct Proof {
+    uint256 circuitSize;
+    uint256 publicInputsSize;
+    uint256 publicInputsOffset;
+    // Free wires
+    Honk.G1ProofPoint w1;
+    Honk.G1ProofPoint w2;
+    Honk.G1ProofPoint w3;
+    Honk.G1ProofPoint w4;
+    // Lookup helpers - Permutations
+    Honk.G1ProofPoint zPerm;
+    // Lookup helpers - logup
+    Honk.G1ProofPoint lookupReadCounts;
+    Honk.G1ProofPoint lookupReadTags;
+    Honk.G1ProofPoint lookupInverses;
+    // Sumcheck
+    Fr[BATCHED_RELATION_PARTIAL_LENGTH][CONST_PROOF_SIZE_LOG_N] sumcheckUnivariates;
+    Fr[NUMBER_OF_ENTITIES] sumcheckEvaluations;
+    // Zero morph
+    Honk.G1ProofPoint[CONST_PROOF_SIZE_LOG_N] zmCqs;
+    Honk.G1ProofPoint zmCq;
+    Honk.G1ProofPoint zmPi;
+}
+
+// Transcript library to generate fiat shamir challenges
+struct Transcript {
+    Fr eta;
+    Fr etaTwo;
+    Fr etaThree;
+    Fr beta;
+    Fr gamma;
+    Fr[NUMBER_OF_ALPHAS] alphas;
+    Fr[LOG_N] gateChallenges;
+    Fr[CONST_PROOF_SIZE_LOG_N] sumCheckUChallenges;
+    Fr rho;
+    // Zero morph
+    Fr zmX;
+    Fr zmY;
+    Fr zmZ;
+    Fr zmQuotient;
+    // Derived
+    Fr publicInputsDelta;
+    Fr lookupGrandProductDelta;
+}
+
+library TranscriptLib {
+    function generateTranscript(Proof memory proof, Honk.VerificationKey memory vk, bytes32[] calldata publicInputs)
+        internal
+        view
+        returns (Transcript memory t)
+    {
+        // TODO: calcaulte full series of  eta;
+        (t.eta, t.etaTwo, t.etaThree) = generateEtaChallenge(proof, publicInputs);
+
+        (t.beta, t.gamma) = generateBetaAndGammaChallenges(t.etaThree, proof);
+
+        t.alphas = generateAlphaChallenges(t.gamma, proof);
+
+        t.gateChallenges = generateGateChallenges(t.alphas[NUMBER_OF_ALPHAS - 1]);
+
+        t.sumCheckUChallenges = generateSumcheckChallenges(proof, t.gateChallenges[LOG_N - 1]);
+        t.rho = generateRhoChallenge(proof, t.sumCheckUChallenges[CONST_PROOF_SIZE_LOG_N - 1]);
+
+        t.zmY = generateZMYChallenge(t.rho, proof);
+
+        (t.zmX, t.zmZ) = generateZMXZChallenges(t.zmY, proof);
+
+        return t;
+    }
+
+    function generateEtaChallenge(Proof memory proof, bytes32[] calldata publicInputs)
+        internal
+        view
+        returns (Fr eta, Fr etaTwo, Fr etaThree)
+    {
+        // TODO(md): the 12 here will need to be halved when we fix the transcript to not be over field elements
+        // TODO: use assembly
+        bytes32[3 + NUMBER_OF_PUBLIC_INPUTS + 12] memory round0;
+        round0[0] = bytes32(proof.circuitSize);
+        round0[1] = bytes32(proof.publicInputsSize);
+        round0[2] = bytes32(proof.publicInputsOffset);
+        for (uint256 i = 0; i < NUMBER_OF_PUBLIC_INPUTS; i++) {
+            round0[3 + i] = bytes32(publicInputs[i]);
+        }
+
+        // Create the first challenge
+        // Note: w4 is added to the challenge later on
+        // TODO: UPDATE ALL VALUES IN HERE
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS] = bytes32(proof.w1.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 1] = bytes32(proof.w1.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 2] = bytes32(proof.w1.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 3] = bytes32(proof.w1.y_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 4] = bytes32(proof.w2.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 5] = bytes32(proof.w2.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 6] = bytes32(proof.w2.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 7] = bytes32(proof.w2.y_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 8] = bytes32(proof.w3.x_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 9] = bytes32(proof.w3.x_1);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 10] = bytes32(proof.w3.y_0);
+        round0[3 + NUMBER_OF_PUBLIC_INPUTS + 11] = bytes32(proof.w3.y_1);
+
+        eta = FrLib.fromBytes32(keccak256(abi.encodePacked(round0)));
+        etaTwo = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(eta))));
+        etaThree = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(etaTwo))));
+    }
+
+    function generateBetaAndGammaChallenges(Fr previousChallenge, Proof memory proof)
+        internal
+        view
+        returns (Fr beta, Fr gamma)
+    {
+        // TODO(md): adjust round size when the proof points are generated correctly - 5
+        bytes32[13] memory round1;
+        round1[0] = FrLib.toBytes32(previousChallenge);
+        round1[1] = bytes32(proof.lookupReadCounts.x_0);
+        round1[2] = bytes32(proof.lookupReadCounts.x_1);
+        round1[3] = bytes32(proof.lookupReadCounts.y_0);
+        round1[4] = bytes32(proof.lookupReadCounts.y_1);
+        round1[5] = bytes32(proof.lookupReadTags.x_0);
+        round1[6] = bytes32(proof.lookupReadTags.x_1);
+        round1[7] = bytes32(proof.lookupReadTags.y_0);
+        round1[8] = bytes32(proof.lookupReadTags.y_1);
+        round1[9] = bytes32(proof.w4.x_0);
+        round1[10] = bytes32(proof.w4.x_1);
+        round1[11] = bytes32(proof.w4.y_0);
+        round1[12] = bytes32(proof.w4.y_1);
+
+        beta = FrLib.fromBytes32(keccak256(abi.encodePacked(round1)));
+        gamma = FrLib.fromBytes32(keccak256(abi.encodePacked(beta)));
+    }
+
+    // Alpha challenges non-linearise the gate contributions
+    function generateAlphaChallenges(Fr previousChallenge, Proof memory proof)
+        internal
+        view
+        returns (Fr[NUMBER_OF_ALPHAS] memory alphas)
+    {
+        // Generate the original sumcheck alpha 0 by hashing zPerm and zLookup
+        // TODO(md): 5 post correct proof size fix
+        uint256[9] memory alpha0;
+        alpha0[0] = Fr.unwrap(previousChallenge);
+        alpha0[1] = proof.lookupInverses.x_0;
+        alpha0[2] = proof.lookupInverses.x_1;
+        alpha0[3] = proof.lookupInverses.y_0;
+        alpha0[4] = proof.lookupInverses.y_1;
+        alpha0[5] = proof.zPerm.x_0;
+        alpha0[6] = proof.zPerm.x_1;
+        alpha0[7] = proof.zPerm.y_0;
+        alpha0[8] = proof.zPerm.y_1;
+
+        alphas[0] = FrLib.fromBytes32(keccak256(abi.encodePacked(alpha0)));
+
+        Fr prevChallenge = alphas[0];
+        for (uint256 i = 1; i < NUMBER_OF_ALPHAS; i++) {
+            prevChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(prevChallenge))));
+            alphas[i] = prevChallenge;
+        }
+    }
+
+    function generateGateChallenges(Fr previousChallenge) internal view returns (Fr[LOG_N] memory gateChallenges) {
+        for (uint256 i = 0; i < LOG_N; i++) {
+            previousChallenge = FrLib.fromBytes32(keccak256(abi.encodePacked(Fr.unwrap(previousChallenge))));
+            gateChallenges[i] = previousChallenge;
+        }
+    }
+
+    function generateSumcheckChallenges(Proof memory proof, Fr prevChallenge)
+        internal
+        view
+        returns (Fr[CONST_PROOF_SIZE_LOG_N] memory sumcheckChallenges)
+    {
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            Fr[BATCHED_RELATION_PARTIAL_LENGTH + 1] memory univariateChal;
+            univariateChal[0] = prevChallenge;
+
+            // TODO(opt): memcpy
+            for (uint256 j = 0; j < BATCHED_RELATION_PARTIAL_LENGTH; j++) {
+                univariateChal[j + 1] = proof.sumcheckUnivariates[i][j];
+            }
+
+            sumcheckChallenges[i] = FrLib.fromBytes32(keccak256(abi.encodePacked(univariateChal)));
+            prevChallenge = sumcheckChallenges[i];
+        }
+    }
+
+    function generateRhoChallenge(Proof memory proof, Fr prevChallenge) internal view returns (Fr rho) {
+        Fr[NUMBER_OF_ENTITIES + 1] memory rhoChallengeElements;
+        rhoChallengeElements[0] = prevChallenge;
+
+        // TODO: memcpy
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) {
+            rhoChallengeElements[i + 1] = proof.sumcheckEvaluations[i];
+        }
+
+        rho = FrLib.fromBytes32(keccak256(abi.encodePacked(rhoChallengeElements)));
+    }
+
+    function generateZMYChallenge(Fr previousChallenge, Proof memory proof) internal view returns (Fr zeromorphY) {
+        uint256[CONST_PROOF_SIZE_LOG_N * 4 + 1] memory zmY;
+        zmY[0] = Fr.unwrap(previousChallenge);
+
+        for (uint256 i; i < CONST_PROOF_SIZE_LOG_N; ++i) {
+            zmY[1 + i * 4] = proof.zmCqs[i].x_0;
+            zmY[2 + i * 4] = proof.zmCqs[i].x_1;
+            zmY[3 + i * 4] = proof.zmCqs[i].y_0;
+            zmY[4 + i * 4] = proof.zmCqs[i].y_1;
+        }
+
+        zeromorphY = FrLib.fromBytes32(keccak256(abi.encodePacked(zmY)));
+    }
+
+    function generateZMXZChallenges(Fr previousChallenge, Proof memory proof)
+        internal
+        view
+        returns (Fr zeromorphX, Fr zeromorphZ)
+    {
+        uint256[4 + 1] memory buf;
+        buf[0] = Fr.unwrap(previousChallenge);
+
+        buf[1] = proof.zmCq.x_0;
+        buf[2] = proof.zmCq.x_1;
+        buf[3] = proof.zmCq.y_0;
+        buf[4] = proof.zmCq.y_1;
+
+        zeromorphX = FrLib.fromBytes32(keccak256(abi.encodePacked(buf)));
+        zeromorphZ = FrLib.fromBytes32(keccak256(abi.encodePacked(zeromorphX)));
+    }
+}
+
+// Errors
+error PublicInputsLengthWrong();
+error SumcheckFailed();
+error ZeromorphFailed();
+
+/// Smart contract verifier of honk proofs
+contract EcdsaHonkVerifier is IVerifier {
+    Fr internal constant GRUMPKIN_CURVE_B_PARAMETER_NEGATED = Fr.wrap(17); // -(-17)
+
+    // TODO(md): I would perfer the publicInputs to be uint256
+    function verify(bytes calldata proof, bytes32[] calldata publicInputs) public view override returns (bool) {
+        Honk.VerificationKey memory vk = loadVerificationKey();
+        Proof memory p = loadProof(proof);
+
+        if (vk.publicInputsSize != NUMBER_OF_PUBLIC_INPUTS) {
+            revert PublicInputsLengthWrong();
+        }
+
+        // Generate the fiat shamir challenges for the whole protocol
+        Transcript memory t = TranscriptLib.generateTranscript(p, vk, publicInputs);
+
+        // Compute the public input delta
+        t.publicInputsDelta =
+            computePublicInputDelta(publicInputs, t.beta, t.gamma, vk.circuitSize, p.publicInputsOffset);
+
+        // Sumcheck
+        bool sumcheckVerified = verifySumcheck(p, t);
+        if (!sumcheckVerified) revert SumcheckFailed();
+
+        // Zeromorph
+        bool zeromorphVerified = verifyZeroMorph(p, vk, t);
+        if (!zeromorphVerified) revert ZeromorphFailed();
+
+        return sumcheckVerified && zeromorphVerified; // Boolean condition not required - nice for vanity :)
+    }
+
+    function loadVerificationKey() internal view returns (Honk.VerificationKey memory) {
+        return VK.loadVerificationKey();
+    }
+
+    // TODO: mod q proof points
+    // TODO: Preprocess all of the memory locations
+    // TODO: Adjust proof point serde away from poseidon forced field elements
+    function loadProof(bytes calldata proof) internal view returns (Proof memory) {
+        Proof memory p;
+
+        // Metadata
+        p.circuitSize = uint256(bytes32(proof[0x00:0x20]));
+        p.publicInputsSize = uint256(bytes32(proof[0x20:0x40]));
+        p.publicInputsOffset = uint256(bytes32(proof[0x40:0x60]));
+
+        // Commitments
+        p.w1 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x60:0x80])),
+            x_1: uint256(bytes32(proof[0x80:0xa0])),
+            y_0: uint256(bytes32(proof[0xa0:0xc0])),
+            y_1: uint256(bytes32(proof[0xc0:0xe0]))
+        });
+
+        p.w2 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0xe0:0x100])),
+            x_1: uint256(bytes32(proof[0x100:0x120])),
+            y_0: uint256(bytes32(proof[0x120:0x140])),
+            y_1: uint256(bytes32(proof[0x140:0x160]))
+        });
+        p.w3 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x160:0x180])),
+            x_1: uint256(bytes32(proof[0x180:0x1a0])),
+            y_0: uint256(bytes32(proof[0x1a0:0x1c0])),
+            y_1: uint256(bytes32(proof[0x1c0:0x1e0]))
+        });
+
+        // Lookup / Permutation Helper Commitments
+        // TODO(md): update the log deriv prover commitment rounds
+        p.lookupReadCounts = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x1e0:0x200])),
+            x_1: uint256(bytes32(proof[0x200:0x220])),
+            y_0: uint256(bytes32(proof[0x220:0x240])),
+            y_1: uint256(bytes32(proof[0x240:0x260]))
+        });
+        p.lookupReadTags = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x260:0x280])),
+            x_1: uint256(bytes32(proof[0x280:0x2a0])),
+            y_0: uint256(bytes32(proof[0x2a0:0x2c0])),
+            y_1: uint256(bytes32(proof[0x2c0:0x2e0]))
+        });
+        p.w4 = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x2e0:0x300])),
+            x_1: uint256(bytes32(proof[0x300:0x320])),
+            y_0: uint256(bytes32(proof[0x320:0x340])),
+            y_1: uint256(bytes32(proof[0x340:0x360]))
+        });
+        p.lookupInverses = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x360:0x380])),
+            x_1: uint256(bytes32(proof[0x380:0x3a0])),
+            y_0: uint256(bytes32(proof[0x3a0:0x3c0])),
+            y_1: uint256(bytes32(proof[0x3c0:0x3e0]))
+        });
+        p.zPerm = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[0x3e0:0x400])),
+            x_1: uint256(bytes32(proof[0x400:0x420])),
+            y_0: uint256(bytes32(proof[0x420:0x440])),
+            y_1: uint256(bytes32(proof[0x440:0x460]))
+        });
+
+        // TEMP the boundary of what has already been read
+        uint256 boundary = 0x460;
+
+        // Sumcheck univariates
+        // TODO: in this case we know what log_n is - so we hard code it, we would want this to be included in
+        // a cpp template for different circuit sizes
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            // The loop boundary of i, this will shift forward on each evaluation
+            uint256 loop_boundary = boundary + (i * 0x20 * BATCHED_RELATION_PARTIAL_LENGTH);
+
+            for (uint256 j = 0; j < BATCHED_RELATION_PARTIAL_LENGTH; j++) {
+                uint256 start = loop_boundary + (j * 0x20);
+                uint256 end = start + 0x20;
+                p.sumcheckUnivariates[i][j] = FrLib.fromBytes32(bytes32(proof[start:end]));
+            }
+        }
+
+        boundary = boundary + (CONST_PROOF_SIZE_LOG_N * BATCHED_RELATION_PARTIAL_LENGTH * 0x20);
+        // Sumcheck evaluations
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; i++) {
+            uint256 start = boundary + (i * 0x20);
+            uint256 end = start + 0x20;
+            p.sumcheckEvaluations[i] = FrLib.fromBytes32(bytes32(proof[start:end]));
+        }
+
+        boundary = boundary + (NUMBER_OF_ENTITIES * 0x20);
+        // Zero morph Commitments
+        for (uint256 i = 0; i < CONST_PROOF_SIZE_LOG_N; i++) {
+            // Explicitly stating the x0, x1, y0, y1 start and end boundaries to make the calldata slicing bearable
+            uint256 xStart = boundary + (i * 0x80);
+            uint256 xEnd = xStart + 0x20;
+
+            uint256 x1Start = xEnd;
+            uint256 x1End = x1Start + 0x20;
+
+            uint256 yStart = x1End;
+            uint256 yEnd = yStart + 0x20;
+
+            uint256 y1Start = yEnd;
+            uint256 y1End = y1Start + 0x20;
+
+            p.zmCqs[i] = Honk.G1ProofPoint({
+                x_0: uint256(bytes32(proof[xStart:xEnd])),
+                x_1: uint256(bytes32(proof[x1Start:x1End])),
+                y_0: uint256(bytes32(proof[yStart:yEnd])),
+                y_1: uint256(bytes32(proof[y1Start:y1End]))
+            });
+        }
+
+        boundary = boundary + (CONST_PROOF_SIZE_LOG_N * 0x80);
+
+        p.zmCq = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[boundary:boundary + 0x20])),
+            x_1: uint256(bytes32(proof[boundary + 0x20:boundary + 0x40])),
+            y_0: uint256(bytes32(proof[boundary + 0x40:boundary + 0x60])),
+            y_1: uint256(bytes32(proof[boundary + 0x60:boundary + 0x80]))
+        });
+
+        p.zmPi = Honk.G1ProofPoint({
+            x_0: uint256(bytes32(proof[boundary + 0x80:boundary + 0xa0])),
+            x_1: uint256(bytes32(proof[boundary + 0xa0:boundary + 0xc0])),
+            y_0: uint256(bytes32(proof[boundary + 0xc0:boundary + 0xe0])),
+            y_1: uint256(bytes32(proof[boundary + 0xe0:boundary + 0x100]))
+        });
+
+        return p;
+    }
+
+    function computePublicInputDelta(
+        bytes32[] memory publicInputs,
+        Fr beta,
+        Fr gamma,
+        uint256 domainSize,
+        uint256 offset
+    ) internal view returns (Fr publicInputDelta) {
+        Fr numerator = Fr.wrap(1);
+        Fr denominator = Fr.wrap(1);
+
+        Fr numeratorAcc = gamma + (beta * FrLib.from(domainSize + offset));
+        Fr denominatorAcc = gamma - (beta * FrLib.from(offset + 1));
+
+        {
+            for (uint256 i = 0; i < NUMBER_OF_PUBLIC_INPUTS; i++) {
+                Fr pubInput = FrLib.fromBytes32(publicInputs[i]);
+
+                numerator = numerator * (numeratorAcc + pubInput);
+                denominator = denominator * (denominatorAcc + pubInput);
+
+                numeratorAcc = numeratorAcc + beta;
+                denominatorAcc = denominatorAcc - beta;
+            }
+        }
+
+        // Fr delta = numerator / denominator; // TOOO: batch invert later?
+        publicInputDelta = FrLib.div(numerator, denominator);
+    }
+
+    uint256 constant ROUND_TARGET = 0;
+
+    function verifySumcheck(Proof memory proof, Transcript memory tp) internal view returns (bool verified) {
+        Fr roundTarget;
+        Fr powPartialEvaluation = Fr.wrap(1);
+
+        // We perform sumcheck reductions over log n rounds ( the multivariate degree )
+        for (uint256 round; round < LOG_N; ++round) {
+            Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate = proof.sumcheckUnivariates[round];
+            bool valid = checkSum(roundUnivariate, roundTarget);
+            if (!valid) revert SumcheckFailed();
+
+            Fr roundChallenge = tp.sumCheckUChallenges[round];
+
+            // Update the round target for the next rounf
+            roundTarget = computeNextTargetSum(roundUnivariate, roundChallenge);
+            powPartialEvaluation = partiallyEvaluatePOW(tp, powPartialEvaluation, roundChallenge, round);
+        }
+
+        // Last round
+        Fr grandHonkRelationSum = accumulateRelationEvaluations(proof, tp, powPartialEvaluation);
+        verified = (grandHonkRelationSum == roundTarget);
+    }
+
+    function checkSum(Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariate, Fr roundTarget)
+        internal
+        view
+        returns (bool checked)
+    {
+        Fr totalSum = roundUnivariate[0] + roundUnivariate[1];
+        checked = totalSum == roundTarget;
+    }
+
+    // Return the new target sum for the next sumcheck round
+    function computeNextTargetSum(Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory roundUnivariates, Fr roundChallenge)
+        internal
+        view
+        returns (Fr targetSum)
+    {
+        // TODO: inline
+        Fr[7] memory BARYCENTRIC_LAGRANGE_DENOMINATORS = [
+            Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000002d0),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff89),
+            Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000030),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffffdd),
+            Fr.wrap(0x0000000000000000000000000000000000000000000000000000000000000030),
+            Fr.wrap(0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593efffff89),
+            Fr.wrap(0x00000000000000000000000000000000000000000000000000000000000002d0)
+        ];
+
+        Fr[7] memory BARYCENTRIC_DOMAIN =
+            [Fr.wrap(0x00), Fr.wrap(0x01), Fr.wrap(0x02), Fr.wrap(0x03), Fr.wrap(0x04), Fr.wrap(0x05), Fr.wrap(0x06)];
+        // To compute the next target sum, we evaluate the given univariate at a point u (challenge).
+
+        // TODO: opt: use same array mem for each iteratioon
+        // Performing Barycentric evaluations
+        // Compute B(x)
+        Fr numeratorValue = Fr.wrap(1);
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            numeratorValue = numeratorValue * (roundChallenge - Fr.wrap(i));
+        }
+
+        // Calculate domain size N of inverses -- TODO: montgomery's trick
+        Fr[BATCHED_RELATION_PARTIAL_LENGTH] memory denominatorInverses;
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            Fr inv = BARYCENTRIC_LAGRANGE_DENOMINATORS[i];
+            inv = inv * (roundChallenge - BARYCENTRIC_DOMAIN[i]);
+            inv = FrLib.invert(inv);
+            denominatorInverses[i] = inv;
+        }
+
+        for (uint256 i; i < BATCHED_RELATION_PARTIAL_LENGTH; ++i) {
+            Fr term = roundUnivariates[i];
+            term = term * denominatorInverses[i];
+            targetSum = targetSum + term;
+        }
+
+        // Scale the sum by the value of B(x)
+        targetSum = targetSum * numeratorValue;
+    }
+
+    // Univariate evaluation of the monomial ((1-X_l) + X_l.B_l) at the challenge point X_l=u_l
+    function partiallyEvaluatePOW(Transcript memory tp, Fr currentEvaluation, Fr roundChallenge, uint256 round)
+        internal
+        view
+        returns (Fr newEvaluation)
+    {
+        Fr univariateEval = Fr.wrap(1) + (roundChallenge * (tp.gateChallenges[round] - Fr.wrap(1)));
+        newEvaluation = currentEvaluation * univariateEval;
+    }
+
+    // Calculate the contributions of each relation to the expected value of the full honk relation
+    //
+    // For each relation, we use the purported values ( the ones provided by the prover ) of the multivariates to
+    // calculate a contribution to the purported value of the full Honk relation.
+    // These are stored in the evaluations part of the proof object.
+    // We add these together, with the appropiate scaling factor ( the alphas calculated in challenges )
+    // This value is checked against the final value of the target total sum - et voila!
+    function accumulateRelationEvaluations(Proof memory proof, Transcript memory tp, Fr powPartialEval)
+        internal
+        view
+        returns (Fr accumulator)
+    {
+        Fr[NUMBER_OF_ENTITIES] memory purportedEvaluations = proof.sumcheckEvaluations;
+        Fr[NUMBER_OF_SUBRELATIONS] memory evaluations;
+
+        // Accumulate all 6 custom gates - each with varying number of subrelations
+        // TODO: annotate how many subrealtions each has
+        accumulateArithmeticRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulatePermutationRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+        accumulateLogDerivativeLookupRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+        accumulateDeltaRangeRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulateEllipticRelation(purportedEvaluations, evaluations, powPartialEval);
+        accumulateAuxillaryRelation(purportedEvaluations, tp, evaluations, powPartialEval);
+
+        // Apply alpha challenges to challenge evaluations
+        // Returns grand honk realtion evaluation
+        accumulator = scaleAndBatchSubrelations(evaluations, tp.alphas);
+    }
+
+    /**
+     * WIRE
+     *
+     * Wire is an aesthetic helper function that is used to index by enum into proof.sumcheckEvaluations, it avoids
+     * the relation checking code being cluttered with uint256 type casting, which is often a different colour in code
+     * editors, and thus is noisy.
+     */
+    function wire(Fr[NUMBER_OF_ENTITIES] memory p, WIRE _wire) internal pure returns (Fr) {
+        return p[uint256(_wire)];
+    }
+
+    /**
+     * Ultra Arithmetic Relation
+     *
+     */
+    function accumulateArithmeticRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        // Relation 0
+        Fr q_arith = wire(p, WIRE.Q_ARITH);
+        {
+            Fr neg_half = Fr.wrap(0) - (FrLib.invert(Fr.wrap(2)));
+
+            Fr accum = (q_arith - Fr.wrap(3)) * (wire(p, WIRE.Q_M) * wire(p, WIRE.W_R) * wire(p, WIRE.W_L)) * neg_half;
+            accum = accum + (wire(p, WIRE.Q_L) * wire(p, WIRE.W_L)) + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_R))
+                + (wire(p, WIRE.Q_O) * wire(p, WIRE.W_O)) + (wire(p, WIRE.Q_4) * wire(p, WIRE.W_4)) + wire(p, WIRE.Q_C);
+            accum = accum + (q_arith - Fr.wrap(1)) * wire(p, WIRE.W_4_SHIFT);
+            accum = accum * q_arith;
+            accum = accum * domainSep;
+            evals[0] = accum;
+        }
+
+        // Relation 1
+        {
+            Fr accum = wire(p, WIRE.W_L) + wire(p, WIRE.W_4) - wire(p, WIRE.W_L_SHIFT) + wire(p, WIRE.Q_M);
+            accum = accum * (q_arith - Fr.wrap(2));
+            accum = accum * (q_arith - Fr.wrap(1));
+            accum = accum * q_arith;
+            accum = accum * domainSep;
+            evals[1] = accum;
+        }
+    }
+
+    function accumulatePermutationRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr grand_product_numerator;
+        Fr grand_product_denominator;
+
+        {
+            Fr num = wire(p, WIRE.W_L) + wire(p, WIRE.ID_1) * tp.beta + tp.gamma;
+            num = num * (wire(p, WIRE.W_R) + wire(p, WIRE.ID_2) * tp.beta + tp.gamma);
+            num = num * (wire(p, WIRE.W_O) + wire(p, WIRE.ID_3) * tp.beta + tp.gamma);
+            num = num * (wire(p, WIRE.W_4) + wire(p, WIRE.ID_4) * tp.beta + tp.gamma);
+
+            grand_product_numerator = num;
+        }
+        {
+            Fr den = wire(p, WIRE.W_L) + wire(p, WIRE.SIGMA_1) * tp.beta + tp.gamma;
+            den = den * (wire(p, WIRE.W_R) + wire(p, WIRE.SIGMA_2) * tp.beta + tp.gamma);
+            den = den * (wire(p, WIRE.W_O) + wire(p, WIRE.SIGMA_3) * tp.beta + tp.gamma);
+            den = den * (wire(p, WIRE.W_4) + wire(p, WIRE.SIGMA_4) * tp.beta + tp.gamma);
+
+            grand_product_denominator = den;
+        }
+
+        // Contribution 2
+        {
+            Fr acc = (wire(p, WIRE.Z_PERM) + wire(p, WIRE.LAGRANGE_FIRST)) * grand_product_numerator;
+
+            acc = acc
+                - (
+                    (wire(p, WIRE.Z_PERM_SHIFT) + (wire(p, WIRE.LAGRANGE_LAST) * tp.publicInputsDelta))
+                        * grand_product_denominator
+                );
+            acc = acc * domainSep;
+            evals[2] = acc;
+        }
+
+        // Contribution 3
+        {
+            Fr acc = (wire(p, WIRE.LAGRANGE_LAST) * wire(p, WIRE.Z_PERM_SHIFT)) * domainSep;
+            evals[3] = acc;
+        }
+    }
+
+    // Lookup parameters have been yoinked into memory to avoid stack too deep
+    struct LookupParams {
+        Fr eta_sqr;
+        Fr eta_cube;
+        Fr one_plus_beta;
+        Fr gamma_by_one_plus_beta;
+        Fr wire_accum;
+        Fr table_accum;
+        Fr table_accum_shift;
+    }
+
+    // TODO(md): calculate eta one two and three above
+
+    function accumulateLogDerivativeLookupRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr write_term;
+        Fr read_term;
+
+        // Calculate the write term (the table accumulation)
+        {
+            write_term = wire(p, WIRE.TABLE_1) + tp.gamma + (wire(p, WIRE.TABLE_2) * tp.eta)
+                + (wire(p, WIRE.TABLE_3) * tp.etaTwo) + (wire(p, WIRE.TABLE_4) * tp.etaThree);
+        }
+
+        // Calculate the write term
+        {
+            Fr derived_entry_1 = wire(p, WIRE.W_L) + tp.gamma + (wire(p, WIRE.Q_R) * wire(p, WIRE.W_L_SHIFT));
+            Fr derived_entry_2 = wire(p, WIRE.W_R) + wire(p, WIRE.Q_M) * wire(p, WIRE.W_R_SHIFT);
+            Fr derived_entry_3 = wire(p, WIRE.W_O) + wire(p, WIRE.Q_C) * wire(p, WIRE.W_O_SHIFT);
+
+            read_term = derived_entry_1 + (derived_entry_2 * tp.eta) + (derived_entry_3 * tp.etaTwo)
+                + (wire(p, WIRE.Q_O) * tp.etaThree);
+        }
+
+        Fr read_inverse = wire(p, WIRE.LOOKUP_INVERSES) * write_term;
+        Fr write_inverse = wire(p, WIRE.LOOKUP_INVERSES) * read_term;
+
+        Fr inverse_exists_xor = wire(p, WIRE.LOOKUP_READ_TAGS) + wire(p, WIRE.Q_LOOKUP)
+            - (wire(p, WIRE.LOOKUP_READ_TAGS) * wire(p, WIRE.Q_LOOKUP));
+
+        // Inverse calculated correctly relation
+        Fr accumulatorNone = read_term * write_term * wire(p, WIRE.LOOKUP_INVERSES) - inverse_exists_xor;
+        accumulatorNone = accumulatorNone * domainSep;
+
+        // Inverse
+        Fr accumulatorOne = wire(p, WIRE.Q_LOOKUP) * read_inverse - wire(p, WIRE.LOOKUP_READ_COUNTS) * write_inverse;
+
+        evals[4] = accumulatorNone;
+        evals[5] = accumulatorOne;
+    }
+
+    function accumulateDeltaRangeRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        Fr minus_one = Fr.wrap(0) - Fr.wrap(1);
+        Fr minus_two = Fr.wrap(0) - Fr.wrap(2);
+        Fr minus_three = Fr.wrap(0) - Fr.wrap(3);
+
+        // Compute wire differences
+        Fr delta_1 = wire(p, WIRE.W_R) - wire(p, WIRE.W_L);
+        Fr delta_2 = wire(p, WIRE.W_O) - wire(p, WIRE.W_R);
+        Fr delta_3 = wire(p, WIRE.W_4) - wire(p, WIRE.W_O);
+        Fr delta_4 = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_4);
+
+        // Contribution 6
+        {
+            Fr acc = delta_1;
+            acc = acc * (delta_1 + minus_one);
+            acc = acc * (delta_1 + minus_two);
+            acc = acc * (delta_1 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[6] = acc;
+        }
+
+        // Contribution 7
+        {
+            Fr acc = delta_2;
+            acc = acc * (delta_2 + minus_one);
+            acc = acc * (delta_2 + minus_two);
+            acc = acc * (delta_2 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[7] = acc;
+        }
+
+        // Contribution 8
+        {
+            Fr acc = delta_3;
+            acc = acc * (delta_3 + minus_one);
+            acc = acc * (delta_3 + minus_two);
+            acc = acc * (delta_3 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[8] = acc;
+        }
+
+        // Contribution 9
+        {
+            Fr acc = delta_4;
+            acc = acc * (delta_4 + minus_one);
+            acc = acc * (delta_4 + minus_two);
+            acc = acc * (delta_4 + minus_three);
+            acc = acc * wire(p, WIRE.Q_RANGE);
+            acc = acc * domainSep;
+            evals[9] = acc;
+        }
+    }
+
+    struct EllipticParams {
+        // Points
+        Fr x_1;
+        Fr y_1;
+        Fr x_2;
+        Fr y_2;
+        Fr y_3;
+        Fr x_3;
+        // push accumulators into memory
+        Fr x_double_identity;
+    }
+
+    function accumulateEllipticRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal view {
+        EllipticParams memory ep;
+        ep.x_1 = wire(p, WIRE.W_R);
+        ep.y_1 = wire(p, WIRE.W_O);
+
+        ep.x_2 = wire(p, WIRE.W_L_SHIFT);
+        ep.y_2 = wire(p, WIRE.W_4_SHIFT);
+        ep.y_3 = wire(p, WIRE.W_O_SHIFT);
+        ep.x_3 = wire(p, WIRE.W_R_SHIFT);
+
+        Fr q_sign = wire(p, WIRE.Q_L);
+        Fr q_is_double = wire(p, WIRE.Q_M);
+
+        // Contribution 10 point addition, x-coordinate check
+        // q_elliptic * (x3 + x2 + x1)(x2 - x1)(x2 - x1) - y2^2 - y1^2 + 2(y2y1)*q_sign = 0
+        Fr x_diff = (ep.x_2 - ep.x_1);
+        Fr y1_sqr = (ep.y_1 * ep.y_1);
+        {
+            // Move to top
+            Fr partialEval = domainSep;
+
+            Fr y2_sqr = (ep.y_2 * ep.y_2);
+            Fr y1y2 = ep.y_1 * ep.y_2 * q_sign;
+            Fr x_add_identity = (ep.x_3 + ep.x_2 + ep.x_1);
+            x_add_identity = x_add_identity * x_diff * x_diff;
+            x_add_identity = x_add_identity - y2_sqr - y1_sqr + y1y2 + y1y2;
+
+            evals[10] = x_add_identity * partialEval * wire(p, WIRE.Q_ELLIPTIC) * (Fr.wrap(1) - q_is_double);
+        }
+
+        // Contribution 11 point addition, x-coordinate check
+        // q_elliptic * (q_sign * y1 + y3)(x2 - x1) + (x3 - x1)(y2 - q_sign * y1) = 0
+        {
+            Fr y1_plus_y3 = ep.y_1 + ep.y_3;
+            Fr y_diff = ep.y_2 * q_sign - ep.y_1;
+            Fr y_add_identity = y1_plus_y3 * x_diff + (ep.x_3 - ep.x_1) * y_diff;
+            evals[11] = y_add_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * (Fr.wrap(1) - q_is_double);
+        }
+
+        // Contribution 10 point doubling, x-coordinate check
+        // (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0
+        // N.B. we're using the equivalence x1*x1*x1 === y1*y1 - curve_b to reduce degree by 1
+        {
+            Fr x_pow_4 = (y1_sqr + GRUMPKIN_CURVE_B_PARAMETER_NEGATED) * ep.x_1;
+            Fr y1_sqr_mul_4 = y1_sqr + y1_sqr;
+            y1_sqr_mul_4 = y1_sqr_mul_4 + y1_sqr_mul_4;
+            Fr x1_pow_4_mul_9 = x_pow_4 * Fr.wrap(9);
+
+            // NOTE: pushed into memory (stack >:'( )
+            ep.x_double_identity = (ep.x_3 + ep.x_1 + ep.x_1) * y1_sqr_mul_4 - x1_pow_4_mul_9;
+
+            Fr acc = ep.x_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
+            evals[10] = evals[10] + acc;
+        }
+
+        // Contribution 11 point doubling, y-coordinate check
+        // (y1 + y1) (2y1) - (3 * x1 * x1)(x1 - x3) = 0
+        {
+            Fr x1_sqr_mul_3 = (ep.x_1 + ep.x_1 + ep.x_1) * ep.x_1;
+            Fr y_double_identity = x1_sqr_mul_3 * (ep.x_1 - ep.x_3) - (ep.y_1 + ep.y_1) * (ep.y_1 + ep.y_3);
+            evals[11] = evals[11] + y_double_identity * domainSep * wire(p, WIRE.Q_ELLIPTIC) * q_is_double;
+        }
+    }
+
+    // Constants for the auxiliary relation
+    Fr constant LIMB_SIZE = Fr.wrap(uint256(1) << 68);
+    Fr constant SUBLIMB_SHIFT = Fr.wrap(uint256(1) << 14);
+    Fr constant MINUS_ONE = Fr.wrap(P - 1);
+
+    // Parameters used within the Auxiliary Relation
+    // A struct is used to work around stack too deep. This relation has alot of variables
+    struct AuxParams {
+        Fr limb_subproduct;
+        Fr non_native_field_gate_1;
+        Fr non_native_field_gate_2;
+        Fr non_native_field_gate_3;
+        Fr limb_accumulator_1;
+        Fr limb_accumulator_2;
+        Fr memory_record_check;
+        Fr partial_record_check;
+        Fr next_gate_access_type;
+        Fr record_delta;
+        Fr index_delta;
+        Fr adjacent_values_match_if_adjacent_indices_match;
+        Fr adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation;
+        Fr access_check;
+        Fr next_gate_access_type_is_boolean;
+        Fr ROM_consistency_check_identity;
+        Fr RAM_consistency_check_identity;
+        Fr timestamp_delta;
+        Fr RAM_timestamp_check_identity;
+        Fr memory_identity;
+        Fr index_is_monotonically_increasing;
+        Fr auxiliary_identity;
+    }
+
+    function accumulateAuxillaryRelation(
+        Fr[NUMBER_OF_ENTITIES] memory p,
+        Transcript memory tp,
+        Fr[NUMBER_OF_SUBRELATIONS] memory evals,
+        Fr domainSep
+    ) internal pure {
+        AuxParams memory ap;
+
+        /**
+         * Contribution 12
+         * Non native field arithmetic gate 2
+         * deg 4
+         *
+         *             _                                                                               _
+         *            /   _                   _                               _       14                \
+         * q_2 . q_4 |   (w_1 . w_2) + (w_1 . w_2) + (w_1 . w_4 + w_2 . w_3 - w_3) . 2    - w_3 - w_4   |
+         *            \_                                                                               _/
+         *
+         *
+         */
+        ap.limb_subproduct = wire(p, WIRE.W_L) * wire(p, WIRE.W_R_SHIFT) + wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R);
+        ap.non_native_field_gate_2 =
+            (wire(p, WIRE.W_L) * wire(p, WIRE.W_4) + wire(p, WIRE.W_R) * wire(p, WIRE.W_O) - wire(p, WIRE.W_O_SHIFT));
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * LIMB_SIZE;
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 - wire(p, WIRE.W_4_SHIFT);
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 + ap.limb_subproduct;
+        ap.non_native_field_gate_2 = ap.non_native_field_gate_2 * wire(p, WIRE.Q_4);
+
+        ap.limb_subproduct = ap.limb_subproduct * LIMB_SIZE;
+        ap.limb_subproduct = ap.limb_subproduct + (wire(p, WIRE.W_L_SHIFT) * wire(p, WIRE.W_R_SHIFT));
+        ap.non_native_field_gate_1 = ap.limb_subproduct;
+        ap.non_native_field_gate_1 = ap.non_native_field_gate_1 - (wire(p, WIRE.W_O) + wire(p, WIRE.W_4));
+        ap.non_native_field_gate_1 = ap.non_native_field_gate_1 * wire(p, WIRE.Q_O);
+
+        ap.non_native_field_gate_3 = ap.limb_subproduct;
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 + wire(p, WIRE.W_4);
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 - (wire(p, WIRE.W_O_SHIFT) + wire(p, WIRE.W_4_SHIFT));
+        ap.non_native_field_gate_3 = ap.non_native_field_gate_3 * wire(p, WIRE.Q_M);
+
+        Fr non_native_field_identity =
+            ap.non_native_field_gate_1 + ap.non_native_field_gate_2 + ap.non_native_field_gate_3;
+        non_native_field_identity = non_native_field_identity * wire(p, WIRE.Q_R);
+
+        // ((((w2' * 2^14 + w1') * 2^14 + w3) * 2^14 + w2) * 2^14 + w1 - w4) * qm
+        // deg 2
+        ap.limb_accumulator_1 = wire(p, WIRE.W_R_SHIFT) * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L_SHIFT);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_O);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_R);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 + wire(p, WIRE.W_L);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 - wire(p, WIRE.W_4);
+        ap.limb_accumulator_1 = ap.limb_accumulator_1 * wire(p, WIRE.Q_4);
+
+        // ((((w3' * 2^14 + w2') * 2^14 + w1') * 2^14 + w4) * 2^14 + w3 - w4') * qm
+        // deg 2
+        ap.limb_accumulator_2 = wire(p, WIRE.W_O_SHIFT) * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_R_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_L_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_4);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * SUBLIMB_SHIFT;
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 + wire(p, WIRE.W_O);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 - wire(p, WIRE.W_4_SHIFT);
+        ap.limb_accumulator_2 = ap.limb_accumulator_2 * wire(p, WIRE.Q_M);
+
+        Fr limb_accumulator_identity = ap.limb_accumulator_1 + ap.limb_accumulator_2;
+        limb_accumulator_identity = limb_accumulator_identity * wire(p, WIRE.Q_O); //  deg 3
+
+        /**
+         * MEMORY
+         *
+         * A RAM memory record contains a tuple of the following fields:
+         *  * i: `index` of memory cell being accessed
+         *  * t: `timestamp` of memory cell being accessed (used for RAM, set to 0 for ROM)
+         *  * v: `value` of memory cell being accessed
+         *  * a: `access` type of record. read: 0 = read, 1 = write
+         *  * r: `record` of memory cell. record = access + index * eta + timestamp * eta_two + value * eta_three
+         *
+         * A ROM memory record contains a tuple of the following fields:
+         *  * i: `index` of memory cell being accessed
+         *  * v: `value1` of memory cell being accessed (ROM tables can store up to 2 values per index)
+         *  * v2:`value2` of memory cell being accessed (ROM tables can store up to 2 values per index)
+         *  * r: `record` of memory cell. record = index * eta + value2 * eta_two + value1 * eta_three
+         *
+         *  When performing a read/write access, the values of i, t, v, v2, a, r are stored in the following wires +
+         * selectors, depending on whether the gate is a RAM read/write or a ROM read
+         *
+         *  | gate type | i  | v2/t  |  v | a  | r  |
+         *  | --------- | -- | ----- | -- | -- | -- |
+         *  | ROM       | w1 | w2    | w3 | -- | w4 |
+         *  | RAM       | w1 | w2    | w3 | qc | w4 |
+         *
+         * (for accesses where `index` is a circuit constant, it is assumed the circuit will apply a copy constraint on
+         * `w2` to fix its value)
+         *
+         *
+         */
+
+        /**
+         * Memory Record Check
+         * Partial degree: 1
+         * Total degree: 4
+         *
+         * A ROM/ROM access gate can be evaluated with the identity:
+         *
+         * qc + w1 \eta + w2 \eta_two + w3 \eta_three - w4 = 0
+         *
+         * For ROM gates, qc = 0
+         */
+        ap.memory_record_check = wire(p, WIRE.W_O) * tp.etaThree;
+        ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_R) * tp.etaTwo);
+        ap.memory_record_check = ap.memory_record_check + (wire(p, WIRE.W_L) * tp.eta);
+        ap.memory_record_check = ap.memory_record_check + wire(p, WIRE.Q_C);
+        ap.partial_record_check = ap.memory_record_check; // used in RAM consistency check; deg 1 or 4
+        ap.memory_record_check = ap.memory_record_check - wire(p, WIRE.W_4);
+
+        /**
+         * Contribution 13 & 14
+         * ROM Consistency Check
+         * Partial degree: 1
+         * Total degree: 4
+         *
+         * For every ROM read, a set equivalence check is applied between the record witnesses, and a second set of
+         * records that are sorted.
+         *
+         * We apply the following checks for the sorted records:
+         *
+         * 1. w1, w2, w3 correctly map to 'index', 'v1, 'v2' for a given record value at w4
+         * 2. index values for adjacent records are monotonically increasing
+         * 3. if, at gate i, index_i == index_{i + 1}, then value1_i == value1_{i + 1} and value2_i == value2_{i + 1}
+         *
+         */
+        ap.index_delta = wire(p, WIRE.W_L_SHIFT) - wire(p, WIRE.W_L);
+        ap.record_delta = wire(p, WIRE.W_4_SHIFT) - wire(p, WIRE.W_4);
+
+        ap.index_is_monotonically_increasing = ap.index_delta * ap.index_delta - ap.index_delta; // deg 2
+
+        ap.adjacent_values_match_if_adjacent_indices_match = (ap.index_delta * MINUS_ONE + Fr.wrap(1)) * ap.record_delta; // deg 2
+
+        evals[13] = ap.adjacent_values_match_if_adjacent_indices_match * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
+            * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5
+        evals[14] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R))
+            * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5
+
+        ap.ROM_consistency_check_identity = ap.memory_record_check * (wire(p, WIRE.Q_L) * wire(p, WIRE.Q_R)); // deg 3 or 7
+
+        /**
+         * Contributions 15,16,17
+         * RAM Consistency Check
+         *
+         * The 'access' type of the record is extracted with the expression `w_4 - ap.partial_record_check`
+         * (i.e. for an honest Prover `w1 * eta + w2 * eta^2 + w3 * eta^3 - w4 = access`.
+         * This is validated by requiring `access` to be boolean
+         *
+         * For two adjacent entries in the sorted list if _both_
+         *  A) index values match
+         *  B) adjacent access value is 0 (i.e. next gate is a READ)
+         * then
+         *  C) both values must match.
+         * The gate boolean check is
+         * (A && B) => C  === !(A && B) || C ===  !A || !B || C
+         *
+         * N.B. it is the responsibility of the circuit writer to ensure that every RAM cell is initialized
+         * with a WRITE operation.
+         */
+        Fr access_type = (wire(p, WIRE.W_4) - ap.partial_record_check); // will be 0 or 1 for honest Prover; deg 1 or 4
+        ap.access_check = access_type * access_type - access_type; // check value is 0 or 1; deg 2 or 8
+
+        // TODO(https://github.com/AztecProtocol/barretenberg/issues/757): If we sorted in
+        // reverse order we could re-use `ap.partial_record_check`  1 -  ((w3' * eta + w2') * eta + w1') * eta
+        // deg 1 or 4
+        ap.next_gate_access_type = wire(p, WIRE.W_O_SHIFT) * tp.etaThree;
+        ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_R_SHIFT) * tp.etaTwo);
+        ap.next_gate_access_type = ap.next_gate_access_type + (wire(p, WIRE.W_L_SHIFT) * tp.eta);
+        ap.next_gate_access_type = wire(p, WIRE.W_4_SHIFT) - ap.next_gate_access_type;
+
+        Fr value_delta = wire(p, WIRE.W_O_SHIFT) - wire(p, WIRE.W_O);
+        ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation = (
+            ap.index_delta * MINUS_ONE + Fr.wrap(1)
+        ) * value_delta * (ap.next_gate_access_type * MINUS_ONE + Fr.wrap(1)); // deg 3 or 6
+
+        // We can't apply the RAM consistency check identity on the final entry in the sorted list (the wires in the
+        // next gate would make the identity fail).  We need to validate that its 'access type' bool is correct. Can't
+        // do  with an arithmetic gate because of the  `eta` factors. We need to check that the *next* gate's access
+        // type is  correct, to cover this edge case
+        // deg 2 or 4
+        ap.next_gate_access_type_is_boolean =
+            ap.next_gate_access_type * ap.next_gate_access_type - ap.next_gate_access_type;
+
+        // Putting it all together...
+        evals[15] = ap.adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation
+            * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 5 or 8
+        evals[16] = ap.index_is_monotonically_increasing * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4
+        evals[17] = ap.next_gate_access_type_is_boolean * (wire(p, WIRE.Q_ARITH)) * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4 or 6
+
+        ap.RAM_consistency_check_identity = ap.access_check * (wire(p, WIRE.Q_ARITH)); // deg 3 or 9
+
+        /**
+         * RAM Timestamp Consistency Check
+         *
+         * | w1 | w2 | w3 | w4 |
+         * | index | timestamp | timestamp_check | -- |
+         *
+         * Let delta_index = index_{i + 1} - index_{i}
+         *
+         * Iff delta_index == 0, timestamp_check = timestamp_{i + 1} - timestamp_i
+         * Else timestamp_check = 0
+         */
+        ap.timestamp_delta = wire(p, WIRE.W_R_SHIFT) - wire(p, WIRE.W_R);
+        ap.RAM_timestamp_check_identity =
+            (ap.index_delta * MINUS_ONE + Fr.wrap(1)) * ap.timestamp_delta - wire(p, WIRE.W_O); // deg 3
+
+        /**
+         * Complete Contribution 12
+         * The complete RAM/ROM memory identity
+         * Partial degree:
+         */
+        ap.memory_identity = ap.ROM_consistency_check_identity; // deg 3 or 6
+        ap.memory_identity =
+            ap.memory_identity + ap.RAM_timestamp_check_identity * (wire(p, WIRE.Q_4) * wire(p, WIRE.Q_L)); // deg 4
+        ap.memory_identity = ap.memory_identity + ap.memory_record_check * (wire(p, WIRE.Q_M) * wire(p, WIRE.Q_L)); // deg 3 or 6
+        ap.memory_identity = ap.memory_identity + ap.RAM_consistency_check_identity; // deg 3 or 9
+
+        // (deg 3 or 9) + (deg 4) + (deg 3)
+        ap.auxiliary_identity = ap.memory_identity + non_native_field_identity + limb_accumulator_identity;
+        ap.auxiliary_identity = ap.auxiliary_identity * (wire(p, WIRE.Q_AUX) * domainSep); // deg 4 or 10
+        evals[12] = ap.auxiliary_identity;
+    }
+
+    function scaleAndBatchSubrelations(
+        Fr[NUMBER_OF_SUBRELATIONS] memory evaluations,
+        Fr[NUMBER_OF_ALPHAS] memory subrelationChallenges
+    ) internal view returns (Fr accumulator) {
+        accumulator = accumulator + evaluations[0];
+
+        for (uint256 i = 1; i < NUMBER_OF_SUBRELATIONS; ++i) {
+            accumulator = accumulator + evaluations[i] * subrelationChallenges[i - 1];
+        }
+    }
+
+    function verifyZeroMorph(Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp)
+        internal
+        view
+        returns (bool verified)
+    {
+        // Construct batched evaluation v = sum_{i=0}^{m-1}\rho^i*f_i(u) + sum_{i=0}^{l-1}\rho^{m+i}*h_i(u)
+        Fr batchedEval = Fr.wrap(0);
+        Fr batchedScalar = Fr.wrap(1);
+
+        // We linearly combine all evaluations (unshifted first, then shifted)
+        for (uint256 i = 0; i < NUMBER_OF_ENTITIES; ++i) {
+            batchedEval = batchedEval + proof.sumcheckEvaluations[i] * batchedScalar;
+            batchedScalar = batchedScalar * tp.rho;
+        }
+
+        // Get k commitments
+        Honk.G1Point memory c_zeta = computeCZeta(proof, tp);
+        Honk.G1Point memory c_zeta_x = computeCZetaX(proof, vk, tp, batchedEval);
+        Honk.G1Point memory c_zeta_Z = ecAdd(c_zeta, ecMul(c_zeta_x, tp.zmZ));
+
+        // KZG pairing accumulator
+        // WORKTODO: concerned that this is zero - it is multiplied by a point later on
+        Fr evaluation = Fr.wrap(0);
+        verified = zkgReduceVerify(proof, tp, evaluation, c_zeta_Z);
+    }
+
+    // Compute commitment to lifted degree quotient identity
+    function computeCZeta(Proof memory proof, Transcript memory tp) internal view returns (Honk.G1Point memory) {
+        Fr[LOG_N + 1] memory scalars;
+        Honk.G1ProofPoint[LOG_N + 1] memory commitments;
+
+        // Initial contribution
+        commitments[0] = proof.zmCq;
+        scalars[0] = Fr.wrap(1);
+
+        // TODO: optimize pow operations here ? batch mulable
+        for (uint256 k = 0; k < LOG_N; ++k) {
+            Fr degree = Fr.wrap((1 << k) - 1);
+            Fr scalar = FrLib.pow(tp.zmY, k);
+            scalar = scalar * FrLib.pow(tp.zmX, (1 << LOG_N) - Fr.unwrap(degree) - 1);
+            scalar = scalar * MINUS_ONE;
+
+            scalars[k + 1] = scalar;
+            commitments[k + 1] = proof.zmCqs[k];
+        }
+
+        // Convert all commitments for batch mul
+        Honk.G1Point[LOG_N + 1] memory comms = convertPoints(commitments);
+
+        return batchMul(comms, scalars);
+    }
+
+    struct CZetaXParams {
+        Fr phi_numerator;
+        Fr phi_n_x;
+        Fr rho_pow;
+        Fr phi_1;
+        Fr phi_2;
+        Fr x_pow_2k;
+        Fr x_pow_2kp1;
+    }
+
+    function computeCZetaX(Proof memory proof, Honk.VerificationKey memory vk, Transcript memory tp, Fr batchedEval)
+        internal
+        view
+        returns (Honk.G1Point memory)
+    {
+        Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars;
+        Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory commitments;
+        CZetaXParams memory cp;
+
+        // Phi_n(x) = (x^N - 1) / (x - 1)
+        cp.phi_numerator = FrLib.pow(tp.zmX, (1 << LOG_N)) - Fr.wrap(1);
+        cp.phi_n_x = FrLib.div(cp.phi_numerator, tp.zmX - Fr.wrap(1));
+
+        // Add contribution: -v * x * \Phi_n(x) * [1]_1
+        // Add base
+        scalars[0] = MINUS_ONE * batchedEval * tp.zmX * cp.phi_n_x;
+        commitments[0] = Honk.G1Point({x: 1, y: 2}); // One
+
+        // f - Add all unshifted commitments
+        // g - Add add to be shifted commitments
+
+        // f commitments are accumulated at (zm_x * r)
+        cp.rho_pow = Fr.wrap(1);
+        for (uint256 i = 1; i < 34; ++i) {
+            scalars[i] = tp.zmX * cp.rho_pow;
+            cp.rho_pow = cp.rho_pow * tp.rho;
+        }
+        // g commitments are accumulated at r
+        for (uint256 i = 34; i < 43; ++i) {
+            scalars[i] = cp.rho_pow;
+            cp.rho_pow = cp.rho_pow * tp.rho;
+        }
+
+        // TODO: dont accumulate these into the comms array, just accumulate directly
+        commitments[1] = vk.qm;
+        commitments[2] = vk.qc;
+        commitments[3] = vk.ql;
+        commitments[4] = vk.qr;
+        commitments[5] = vk.qo;
+        commitments[6] = vk.q4;
+        commitments[7] = vk.qArith;
+        commitments[8] = vk.qDeltaRange;
+        commitments[9] = vk.qElliptic;
+        commitments[10] = vk.qAux;
+        commitments[11] = vk.qLookup;
+        commitments[12] = vk.s1;
+        commitments[13] = vk.s2;
+        commitments[14] = vk.s3;
+        commitments[15] = vk.s4;
+        commitments[16] = vk.id1;
+        commitments[17] = vk.id2;
+        commitments[18] = vk.id3;
+        commitments[19] = vk.id4;
+        commitments[20] = vk.t1;
+        commitments[21] = vk.t2;
+        commitments[22] = vk.t3;
+        commitments[23] = vk.t4;
+        commitments[24] = vk.lagrangeFirst;
+        commitments[25] = vk.lagrangeLast;
+
+        // Accumulate proof points
+        commitments[26] = convertProofPoint(proof.w1);
+        commitments[27] = convertProofPoint(proof.w2);
+        commitments[28] = convertProofPoint(proof.w3);
+        commitments[29] = convertProofPoint(proof.w4);
+        commitments[30] = convertProofPoint(proof.zPerm);
+        commitments[31] = convertProofPoint(proof.lookupInverses);
+        commitments[32] = convertProofPoint(proof.lookupReadCounts);
+        commitments[33] = convertProofPoint(proof.lookupReadTags);
+
+        // to be Shifted
+        commitments[34] = vk.t1;
+        commitments[35] = vk.t2;
+        commitments[36] = vk.t3;
+        commitments[37] = vk.t4;
+        commitments[38] = convertProofPoint(proof.w1);
+        commitments[39] = convertProofPoint(proof.w2);
+        commitments[40] = convertProofPoint(proof.w3);
+        commitments[41] = convertProofPoint(proof.w4);
+        commitments[42] = convertProofPoint(proof.zPerm);
+
+        // Add scalar contributions
+        // Add contributions: scalar * [q_k],  k = 0,...,log_N, where
+        // scalar = -x * (x^{2^k} * \Phi_{n-k-1}(x^{2^{k+1}}) - u_k * \Phi_{n-k}(x^{2^k}))
+        cp.x_pow_2k = tp.zmX;
+        cp.x_pow_2kp1 = tp.zmX * tp.zmX;
+        for (uint256 k; k < CONST_PROOF_SIZE_LOG_N; ++k) {
+            bool dummy_round = k >= LOG_N;
+
+            // note: defaults to 0
+            Fr scalar;
+            if (!dummy_round) {
+                cp.phi_1 = FrLib.div(cp.phi_numerator, cp.x_pow_2kp1 - Fr.wrap(1));
+                cp.phi_2 = FrLib.div(cp.phi_numerator, cp.x_pow_2k - Fr.wrap(1));
+
+                scalar = cp.x_pow_2k * cp.phi_1;
+                scalar = scalar - (tp.sumCheckUChallenges[k] * cp.phi_2);
+                scalar = scalar * tp.zmX;
+                scalar = scalar * MINUS_ONE;
+
+                cp.x_pow_2k = cp.x_pow_2kp1;
+                cp.x_pow_2kp1 = cp.x_pow_2kp1 * cp.x_pow_2kp1;
+            }
+
+            scalars[43 + k] = scalar;
+            commitments[43 + k] = convertProofPoint(proof.zmCqs[k]);
+        }
+
+        return batchMul2(commitments, scalars);
+    }
+
+    // TODO: TODO: TODO: optimize
+    // Scalar Mul and acumulate into total
+    function batchMul(Honk.G1Point[LOG_N + 1] memory base, Fr[LOG_N + 1] memory scalars)
+        internal
+        view
+        returns (Honk.G1Point memory result)
+    {
+        uint256 limit = LOG_N + 1;
+        assembly {
+            let success := 0x01
+            let free := mload(0x40)
+
+            // Write the original into the accumulator
+            // Load into memory for ecMUL, leave offset for eccAdd result
+            // base is an array of pointers, so we have to dereference them
+            mstore(add(free, 0x40), mload(mload(base)))
+            mstore(add(free, 0x60), mload(add(0x20, mload(base))))
+            // Add scalar
+            mstore(add(free, 0x80), mload(scalars))
+            success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40))
+
+            let count := 0x01
+
+            for {} lt(count, limit) { count := add(count, 1) } {
+                // Get loop offsets
+                let base_base := add(base, mul(count, 0x20))
+                let scalar_base := add(scalars, mul(count, 0x20))
+
+                mstore(add(free, 0x40), mload(mload(base_base)))
+                mstore(add(free, 0x60), mload(add(0x20, mload(base_base))))
+                // Add scalar
+                mstore(add(free, 0x80), mload(scalar_base))
+
+                success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40))
+                success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40))
+            }
+
+            mstore(result, mload(free))
+            mstore(add(result, 0x20), mload(add(free, 0x20)))
+        }
+    }
+
+    // This implementation is the same as above with different constants
+    function batchMul2(
+        Honk.G1Point[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory base,
+        Fr[NUMBER_OF_ENTITIES + CONST_PROOF_SIZE_LOG_N + 1] memory scalars
+    ) internal view returns (Honk.G1Point memory result) {
+        uint256 limit = NUMBER_OF_ENTITIES + LOG_N + 1;
+        assembly {
+            let success := 0x01
+            let free := mload(0x40)
+
+            // Write the original into the accumulator
+            // Load into memory for ecMUL, leave offset for eccAdd result
+            // base is an array of pointers, so we have to dereference them
+            mstore(add(free, 0x40), mload(mload(base)))
+            mstore(add(free, 0x60), mload(add(0x20, mload(base))))
+            // Add scalar
+            mstore(add(free, 0x80), mload(scalars))
+            success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, free, 0x40))
+
+            let count := 0x01
+            for {} lt(count, limit) { count := add(count, 1) } {
+                // Get loop offsets
+                let base_base := add(base, mul(count, 0x20))
+                let scalar_base := add(scalars, mul(count, 0x20))
+
+                mstore(add(free, 0x40), mload(mload(base_base)))
+                mstore(add(free, 0x60), mload(add(0x20, mload(base_base))))
+                // Add scalar
+                mstore(add(free, 0x80), mload(scalar_base))
+
+                success := and(success, staticcall(gas(), 7, add(free, 0x40), 0x60, add(free, 0x40), 0x40))
+                // accumulator = accumulator + accumulator_2
+                success := and(success, staticcall(gas(), 6, free, 0x80, free, 0x40))
+            }
+
+            // Return the result - i hate this
+            mstore(result, mload(free))
+            mstore(add(result, 0x20), mload(add(free, 0x20)))
+        }
+    }
+
+    function zkgReduceVerify(Proof memory proof, Transcript memory tp, Fr evaluation, Honk.G1Point memory commitment)
+        internal
+        view
+        returns (bool)
+    {
+        Honk.G1Point memory quotient_commitment = convertProofPoint(proof.zmPi);
+        Honk.G1Point memory ONE = Honk.G1Point({x: 1, y: 2});
+
+        Honk.G1Point memory P0 = commitment;
+        P0 = ecAdd(P0, ecMul(quotient_commitment, tp.zmX));
+
+        Honk.G1Point memory evalAsPoint = ecMul(ONE, evaluation);
+        P0 = ecSub(P0, evalAsPoint);
+
+        Honk.G1Point memory P1 = negateInplace(quotient_commitment);
+
+        // Perform pairing check
+        return pairing(P0, P1);
+    }
+
+    function pairing(Honk.G1Point memory rhs, Honk.G1Point memory lhs) internal view returns (bool) {
+        bytes memory input = abi.encodePacked(
+            rhs.x,
+            rhs.y,
+            // Fixed G1 point
+            uint256(0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2),
+            uint256(0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed),
+            uint256(0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b),
+            uint256(0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa),
+            lhs.x,
+            lhs.y,
+            // G1 point from VK
+            uint256(0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1),
+            uint256(0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0),
+            uint256(0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4),
+            uint256(0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55)
+        );
+
+        (bool success, bytes memory result) = address(0x08).staticcall(input);
+        return abi.decode(result, (bool));
+    }
+}
+
+// Conversion util - Duplicated as we cannot template LOG_N
+function convertPoints(Honk.G1ProofPoint[LOG_N + 1] memory commitments)
+    pure
+    returns (Honk.G1Point[LOG_N + 1] memory converted)
+{
+    for (uint256 i; i < LOG_N + 1; ++i) {
+        converted[i] = convertProofPoint(commitments[i]);
+    }
+}
diff --git a/barretenberg/sol/src/honk/keys/Add2HonkVerificationKey.sol b/barretenberg/sol/src/honk/keys/Add2HonkVerificationKey.sol
new file mode 100644
index 00000000000..8089bf3c203
--- /dev/null
+++ b/barretenberg/sol/src/honk/keys/Add2HonkVerificationKey.sol
@@ -0,0 +1,121 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Aztec
+pragma solidity >=0.8.21;
+
+import {Honk} from "../HonkTypes.sol";
+
+uint256 constant N = 0x0000000000000000000000000000000000000000000000000000000000000020;
+// Note(md): fixed proof size at 2^28 dictates this value
+uint256 constant LOG_N = 0x0000000000000000000000000000000000000000000000000000000000000005;
+uint256 constant NUMBER_OF_PUBLIC_INPUTS = 0x0000000000000000000000000000000000000000000000000000000000000003;
+
+library Add2HonkVerificationKey {
+    function loadVerificationKey() internal pure returns (Honk.VerificationKey memory) {
+        Honk.VerificationKey memory vk = Honk.VerificationKey({
+            circuitSize: uint256(0x0000000000000000000000000000000000000000000000000000000000000020),
+            logCircuitSize: uint256(0x0000000000000000000000000000000000000000000000000000000000000005),
+            publicInputsSize: uint256(0x0000000000000000000000000000000000000000000000000000000000000003),
+            ql: Honk.G1Point({
+                x: uint256(0x043d063b130adfb37342af45d0155a28edd1a7e46c840d9c943fdf45521c64ce),
+                y: uint256(0x261522c4089330646aff96736194949330952ae74c573d1686d9cb4a00733854)
+            }),
+            qr: Honk.G1Point({
+                x: uint256(0x291338e99e7857222c76c5e4ba8b954f5fde09fd2f05634d622ba379657cd501),
+                y: uint256(0x137030ce3236d7c12307adf650a73b87fc95a774ec43ac0a3a341ef26b7f56c9)
+            }),
+            qo: Honk.G1Point({
+                x: uint256(0x0f90f4bb16b330b82ef51e7ce3f70a9310ea2d3c5ef855f07b6f58081b5ef41f),
+                y: uint256(0x0e09412eea75978da57db1d3fa6b7d14c0e282c378be9a6d0efc5770863ed70b)
+            }),
+            q4: Honk.G1Point({
+                x: uint256(0x1eec247154ced5c29b0836528d7c19eda11399dc21e23df4bee4b5cd0bec659f),
+                y: uint256(0x107cc382fdee2f6530d39b072a2bc50bdb0c0ac4b054a905b03b9d53bebef404)
+            }),
+            qm: Honk.G1Point({
+                x: uint256(0x0c17b7ba3864cabe287a2b121b5cb3f8ee4ede87a7f656b8d9b470be025007c8),
+                y: uint256(0x09590397bf354089980bd40f5d84f4c12faa8b4646425fa660ab7c4c76fb4859)
+            }),
+            qc: Honk.G1Point({
+                x: uint256(0x2ac1a00b4c9bb4e7deef8d7a6bf9e26e61f2b935409e41c5770c074303b6d142),
+                y: uint256(0x192d962de288fb26f3d68052b2f475e884ca47e595de1184171cd1500249fa66)
+            }),
+            qArith: Honk.G1Point({
+                x: uint256(0x1797e3e7ee9e4f42b42bd375f13f2ccb395b827e9079e999b6c128d9b083c395),
+                y: uint256(0x101a60efaab1c8564add45d41b9147efacf45941c3efe93c3568bde1e08e1919)
+            }),
+            qDeltaRange: Honk.G1Point({
+                x: uint256(0x0e84090add56f2500ab518c655cae63896ea793e6b3f6a14218d476534109610),
+                y: uint256(0x2b78a584bd6ae88cf4ec7c65c90e0b65df446fdddba972f3c4414ad3c901f4f9)
+            }),
+            qElliptic: Honk.G1Point({
+                x: uint256(0x1bd6129f9646aa21af0d77e7b1cc9794e611b5d59a27773f744710b476fbd30f),
+                y: uint256(0x2f8d492d76a22b6834f0b88e2d4096139a9d1593d56e65e710b2f344756b721e)
+            }),
+            qAux: Honk.G1Point({
+                x: uint256(0x056ab50282da428d93b17cbd1c81267dcebcfbabdedb47b2d715b5baa6520bff),
+                y: uint256(0x10b4e7bd9d6d91a57b0695be166ffd27cbeee602bcb5a9ed32c8d9440912cb72)
+            }),
+            qLookup: Honk.G1Point({
+                x: uint256(0x19e2d786ebad24caf1bef735441e58525a2f9b5807b2102f295c58cde00f5c97),
+                y: uint256(0x085713ce7bac807a084a66904ebc6e695840e8cf405a6fd0c325f8bfcf7c2dd8)
+            }),
+            s1: Honk.G1Point({
+                x: uint256(0x039e4b13c22e227df79cafc6a8a9e8cc6217791d738ccad75c88d4a150cf9324),
+                y: uint256(0x16b832f3a75a8dffdb969bb79918867eaff198957c687d20ebc726dcbd61f9e1)
+            }),
+            s2: Honk.G1Point({
+                x: uint256(0x165d5d53619ae0694e61c26302abfe39bc20646fd04210519520980f3ffb91d2),
+                y: uint256(0x10f0c4a0b216e66fe2f88ae617b54347fa41fce598ec801dd289394890f3b66b)
+            }),
+            s3: Honk.G1Point({
+                x: uint256(0x0afca124a27006abfd194b1ad23b404f2112d11fe95ec69cc705f02258adc913),
+                y: uint256(0x2c1acafafadacc271d5297ab45bc79a5a3c87916578d8309493c2e2507bbe508)
+            }),
+            s4: Honk.G1Point({
+                x: uint256(0x0f7cf2c8c0cd0fe37630e8f79ba6dffd59c0fd1f2f6ae5789efab86d4c1c0007),
+                y: uint256(0x25bde264a751e99cf36bb64034710e55b3b1e02234c75a35683c91274d445ed8)
+            }),
+            t1: Honk.G1Point({
+                x: uint256(0x2e0cddbc5712d79b59cb3b41ebbcdd494997477ab161763e46601d95844837ef),
+                y: uint256(0x303126892f664d8d505964d14315ec426db4c64531d350750df62dbbc41a1bd9)
+            }),
+            t2: Honk.G1Point({
+                x: uint256(0x00874a5ad262eecc6b565e0b08507476a6b2c6040c0c62bd59acfe3e3e125672),
+                y: uint256(0x127b2a745a1b74968c3edc18982b9bef082fb517183c9c6841c2b8ef2ca1df04)
+            }),
+            t3: Honk.G1Point({
+                x: uint256(0x15a18748490ff4c2b1871081954e86c9efd4f8c3d56e1eb23d789a8f710d5be6),
+                y: uint256(0x2097c84955059442a95df075833071a0011ef987dc016ab110eacd554a1d8bbf)
+            }),
+            t4: Honk.G1Point({
+                x: uint256(0x2aecd48089890ea0798eb952c66824d38e9426ad3085b68b00a93c17897c2877),
+                y: uint256(0x1216bdb2f0d961bb8a7a23331d215078d8a9ce405ce559f441f2e71477ff3ddb)
+            }),
+            id1: Honk.G1Point({
+                x: uint256(0x292298ecab24d2b6f6999cac29848def2665a62342170311f44c08708db0fe1f),
+                y: uint256(0x277022c35d3145de166b139aa94609551122915366ba42ff7c5157b748fb7f9d)
+            }),
+            id2: Honk.G1Point({
+                x: uint256(0x2ddc6a05ccd584bdfc65d642b39a3be3075e7a370602112dbf9fc644789acace),
+                y: uint256(0x1a4167481d5f295af9921741bd0e32dda7a78cb391132b31ab4a77559c297c2e)
+            }),
+            id3: Honk.G1Point({
+                x: uint256(0x19629b85ab2acf9713223ff4f758882af6247963bbf2f6ec4f9cbcde13675b87),
+                y: uint256(0x165063fe922948bf1d065a882242724c1bde5fdfd93be29586b45e1ce2cc750c)
+            }),
+            id4: Honk.G1Point({
+                x: uint256(0x2493c99a3d068b03f8f2b8d28b57cea3ee22dd60456277b86c32a18982dcb185),
+                y: uint256(0x1ded39c4c8366469843cd63f09ecacf6c3731486320082c20ec71bbdc92196c1)
+            }),
+            lagrangeFirst: Honk.G1Point({
+                x: uint256(0x0000000000000000000000000000000000000000000000000000000000000001),
+                y: uint256(0x0000000000000000000000000000000000000000000000000000000000000002)
+            }),
+            lagrangeLast: Honk.G1Point({
+                x: uint256(0x140b0936c323fd2471155617b6af56ee40d90bea71fba7a412dd61fcf34e8ceb),
+                y: uint256(0x2b6c10790a5f6631c87d652e059df42b90071823185c5ff8e440fd3d73b6fefc)
+            })
+        });
+        return vk;
+    }
+}
diff --git a/barretenberg/sol/src/honk/keys/BlakeHonkVerificationKey.sol b/barretenberg/sol/src/honk/keys/BlakeHonkVerificationKey.sol
new file mode 100644
index 00000000000..9880af55106
--- /dev/null
+++ b/barretenberg/sol/src/honk/keys/BlakeHonkVerificationKey.sol
@@ -0,0 +1,120 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Aztec
+pragma solidity >=0.8.21;
+
+import {Honk} from "../HonkTypes.sol";
+
+uint256 constant N = 0x0000000000000000000000000000000000000000000000000000000000008000;
+uint256 constant LOG_N = 0x000000000000000000000000000000000000000000000000000000000000000f;
+uint256 constant NUMBER_OF_PUBLIC_INPUTS = 0x0000000000000000000000000000000000000000000000000000000000000004;
+
+library BlakeHonkVerificationKey {
+    function loadVerificationKey() internal pure returns (Honk.VerificationKey memory) {
+        Honk.VerificationKey memory vk = Honk.VerificationKey({
+            circuitSize: uint256(0x0000000000000000000000000000000000000000000000000000000000008000),
+            logCircuitSize: uint256(0x000000000000000000000000000000000000000000000000000000000000000f),
+            publicInputsSize: uint256(0x0000000000000000000000000000000000000000000000000000000000000004),
+            ql: Honk.G1Point({
+                x: uint256(0x2e5f133c25f7e05bd6660196c892121f7fa686cb9a8717a5deea6cd0881e618e),
+                y: uint256(0x1189bba9eeea96ba8935052434f4b0a60b0a481e3464dd81dfcd89e23def001b)
+            }),
+            qr: Honk.G1Point({
+                x: uint256(0x2a93ffb34002da94f5b156ba5a212ac3616c848bd9c44c9821bbdd64cfd848af),
+                y: uint256(0x015699dcc0b28766d45f5ddce8258393e84c40619d26034e76f778460a1e4d89)
+            }),
+            qo: Honk.G1Point({
+                x: uint256(0x2057928e8c5eb539c32c3025007b7be1e1663c358f59540c6f949794c274f886),
+                y: uint256(0x12bf0b15c3aa92792330f58b04512714c4a902e537fe87cc438293e1805eaabf)
+            }),
+            q4: Honk.G1Point({
+                x: uint256(0x304f47a08d4687afa0e2502a9782c32c458bf873ef50c169b732a367e567aaf3),
+                y: uint256(0x0bb37044594e7de200408a4db6bc46adf7790b06f17dce6f38b7deed480aa9f0)
+            }),
+            qm: Honk.G1Point({
+                x: uint256(0x0aea5b04332ad8781411f7edde21266857ffe11e93af334b14a2b948429afaa4),
+                y: uint256(0x2bd2e3884d486b387122effa12e8698daef82e9b99d7d25b7d5df91a9d738495)
+            }),
+            qc: Honk.G1Point({
+                x: uint256(0x0e3b418ea1924b4514d5009cd983b5a8074fa95cd1fb200f019fdebe944e4225),
+                y: uint256(0x1e6ef5bde7a9727f1c1d07c91461ae1b40524650b35fdd92ac7a129f263b1beb)
+            }),
+            qArith: Honk.G1Point({
+                x: uint256(0x096841bfa8ec2295a5af5bf69ec539c31a05b221c84ed1d24c702e31ce1cbc95),
+                y: uint256(0x10b14cca7e9ff05fcf1e3084f4fc9ab098cf379864b2e2e2e0d33fc5df9d9a50)
+            }),
+            qDeltaRange: Honk.G1Point({
+                x: uint256(0x2d27fd1a30a0ab04a05144c27ac41187d5cf89a6022e47b263d1ccb93b3cbea5),
+                y: uint256(0x238eb233e9aebc81285a2647f2598bab00a4367da47b12c2b0476afc2d94ab1d)
+            }),
+            qElliptic: Honk.G1Point({
+                x: uint256(0x1c6fc8e14453adf64e6d9643ef9f1fb55e3a307ac1ec84f86cd736fc866e05ab),
+                y: uint256(0x1bf8619b1704b99ab8820ed94dd760da2945e8e1c771c0bdeadbe40aa5700cdd)
+            }),
+            qAux: Honk.G1Point({
+                x: uint256(0x023fe0703623b99c93358348d76eb620f26ceafa58df018e3a8f1d599a61e76f),
+                y: uint256(0x2ceb9c4c4ca12ea769157ef10cde9644f9f0549805e48d5fd5d73a634d2cdcb5)
+            }),
+            qLookup: Honk.G1Point({
+                x: uint256(0x1375bbfbf5ed31b38460f46a43ac14e2cda93a3bc5cfd6e8a93cca356694a346),
+                y: uint256(0x204c5173892c19a97a04b5f8419898063df5136489809ddb9f7eabb58d6858ab)
+            }),
+            s1: Honk.G1Point({
+                x: uint256(0x07205fa20c0a8ff2aab958f4dfc4fa14449aad08f66de2341412a70ca6cb972b),
+                y: uint256(0x1341c9e5d1300703ae7ab1689c2d83a843ec898e5120a2b52b4323e2acf94f30)
+            }),
+            s2: Honk.G1Point({
+                x: uint256(0x09821cc06874047f1204cf5c13d5d24951757e727368690715de0e8160f50eeb),
+                y: uint256(0x01675621d2a4202874b596d732f983f06524dbcc855a08dadd9925e29c02c7e3)
+            }),
+            s3: Honk.G1Point({
+                x: uint256(0x2567d6126bd4dfa15eecbda777e9c86566fc5817b87bdd479e558919cd5aa96b),
+                y: uint256(0x2ac31be3d7a2f45625b98c022106a076c0c4730299c18d48c7739d423e53bd94)
+            }),
+            s4: Honk.G1Point({
+                x: uint256(0x15d68f126e0adc08580957fad3db16973c5c7f47a64d04646204c2b14ec14482),
+                y: uint256(0x3048e354794e4dbcbb670dc137409427a954eb899bdba8bbaeec5ba7f3a79170)
+            }),
+            t1: Honk.G1Point({
+                x: uint256(0x1ec1b607634e31421b5047dc99d7674d6505fed978df0f42a3504f9771a8a7fa),
+                y: uint256(0x1da802c6dc2fe6cffc6f9ae983080c66690ceee40c181b4d51fdba6c5c360297)
+            }),
+            t2: Honk.G1Point({
+                x: uint256(0x1e38a0a482b7174f429a3bef25fb0a7656abc88cfd215b8e8404132601620784),
+                y: uint256(0x2e9ea07a995fa6d589e37fba2715f3f1fa338652ddf84d4e2e4f33dccadb9156)
+            }),
+            t3: Honk.G1Point({
+                x: uint256(0x211a0833bb3c6f9ae6c94519b6878ed6157c4a080df786a053d9a19796b9a7f8),
+                y: uint256(0x1a3a450e1a272aa1fe9f097acf359502ff69df617de4918b37a497def94db2b5)
+            }),
+            t4: Honk.G1Point({
+                x: uint256(0x281a984aef14716cd5d8fc2759eb8ea2464909b5c57d97b6bc50e4dad74d92d3),
+                y: uint256(0x169160e1505685aabd5bd60e994bac45162c6868235cc4252c8b87d0f12603fd)
+            }),
+            id1: Honk.G1Point({
+                x: uint256(0x01c082a85908fea4c69c4e51436fba7d965e1d88e485da16e35d8f4e8af3b8bd),
+                y: uint256(0x11b0ada021468b059aa6c27f4d4950ef65b98d4d8808ae21718bd8b90f9bb365)
+            }),
+            id2: Honk.G1Point({
+                x: uint256(0x0b8667619755bd09c7970defeae2c920df2b17b41608303ae1d7393615dd04e4),
+                y: uint256(0x1c5419cd435c5516ac566a9d1dfecdb4e10190c63f2dbd8a1932785caf022e2c)
+            }),
+            id3: Honk.G1Point({
+                x: uint256(0x110aee72793c4b4ede92c1375f058b4170fcf01bf18f8f1ee934f7ae0fa26da5),
+                y: uint256(0x15c4f6a01ff04ef6b5225c896dfb7060a7a2c320395bda410e756d6b507b7eb8)
+            }),
+            id4: Honk.G1Point({
+                x: uint256(0x2472aba130e7ed2aefad128109415ec2bdeb56e81e3cbeacc93e00c95f203579),
+                y: uint256(0x0c867d0f8e2f9c861574383b89020980358d898497f80c198a6c17c2f4daf9a4)
+            }),
+            lagrangeFirst: Honk.G1Point({
+                x: uint256(0x0000000000000000000000000000000000000000000000000000000000000001),
+                y: uint256(0x0000000000000000000000000000000000000000000000000000000000000002)
+            }),
+            lagrangeLast: Honk.G1Point({
+                x: uint256(0x13b825e996cc8d600f363dca4481a54d6dd3da85900cd9f0a61fa02600851998),
+                y: uint256(0x151cb86205f2dc38a5651840c1a4b4928f3f3c98f77c2abd08336562986dc404)
+            })
+        });
+        return vk;
+    }
+}
diff --git a/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol b/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol
new file mode 100644
index 00000000000..a0521edeb1a
--- /dev/null
+++ b/barretenberg/sol/src/honk/keys/EcdsaHonkVerificationKey.sol
@@ -0,0 +1,120 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Aztec
+pragma solidity >=0.8.21;
+
+import {Honk} from "../HonkTypes.sol";
+
+uint256 constant N = 0x0000000000000000000000000000000000000000000000000000000000010000;
+uint256 constant LOG_N = 0x0000000000000000000000000000000000000000000000000000000000000010;
+uint256 constant NUMBER_OF_PUBLIC_INPUTS = 0x0000000000000000000000000000000000000000000000000000000000000006;
+
+library EcdsaHonkVerificationKey {
+    function loadVerificationKey() internal pure returns (Honk.VerificationKey memory) {
+        Honk.VerificationKey memory vk = Honk.VerificationKey({
+            circuitSize: uint256(0x0000000000000000000000000000000000000000000000000000000000010000),
+            logCircuitSize: uint256(0x0000000000000000000000000000000000000000000000000000000000000010),
+            publicInputsSize: uint256(0x0000000000000000000000000000000000000000000000000000000000000006),
+            ql: Honk.G1Point({
+                x: uint256(0x0b1acdcf739e1e6c27df046577122a292a77f4fcdf8056d8b8ae12f105d3a888),
+                y: uint256(0x145dad3bdd9a262411aaa657129df49dbf44a63f510e9ab8191622c643ebd9bd)
+            }),
+            qr: Honk.G1Point({
+                x: uint256(0x1940872f30b32522e26efd0fd4a642289bce2c56083e7a03af564c30969066d8),
+                y: uint256(0x181fd173051ca19e37f09c42298c36d2e9834df50535d85d429f562352c0d924)
+            }),
+            qo: Honk.G1Point({
+                x: uint256(0x2a1afa631e8b6ab8fb1444fb0154686a5a34c7a4ddae66bdc344e782a81382b3),
+                y: uint256(0x0cfa0936a5e63e723a5c318c7461ddc22824ad0ee62fa00e2e8b92f9b3f1cdf6)
+            }),
+            q4: Honk.G1Point({
+                x: uint256(0x1a01666b2e915221eb0c1ae6bf91394d18c73e6882dd1241d244f932678982ec),
+                y: uint256(0x212b0436d2da1b4a6507142b794024ded58e3d41fdde2f95249405ffdd02b324)
+            }),
+            qm: Honk.G1Point({
+                x: uint256(0x0dd29943b961b1c615ab22df0e5b567489a7c9a9ad3ac92ae281d68ca603326c),
+                y: uint256(0x2a552165dc59dc5c5398e6b8c2227dc3f36ccdcc1250e7c9a8c1631c963aff2f)
+            }),
+            qc: Honk.G1Point({
+                x: uint256(0x203785f30cf75ed2e8559faa797897174bca19ebcb44266c6bc87aee8dc86964),
+                y: uint256(0x11ae3fbccf0c302ab29a8123b2ef631a659a3750d27df3eb7c492ae978ac3f07)
+            }),
+            qArith: Honk.G1Point({
+                x: uint256(0x059453a86c23185b89783698e7da32ce59270611c312c82a16c42e83d66f3a11),
+                y: uint256(0x23403bda1774d1e372f94dd86571d393290df9d27cc1f032a1a2ba3a02becb28)
+            }),
+            qDeltaRange: Honk.G1Point({
+                x: uint256(0x189ec3e8c791a2933a4f188b2183c4bfeb9a2a8e51bb10a7571c243603dd3fce),
+                y: uint256(0x00d30f1839bdf225d00e20bcf76adcf2bfc6ea98a4ca12b4f36c68f4a865fa59)
+            }),
+            qElliptic: Honk.G1Point({
+                x: uint256(0x16b1166d95a8e2496eb12363dbfb9ca5aa5bc0975fc4994dc2c61cc0609d8eba),
+                y: uint256(0x1aded54ecb6c2ec4fdeaef0f9e3b2dae5da1e1958d76b953b9e29efb1e8962b4)
+            }),
+            qAux: Honk.G1Point({
+                x: uint256(0x1011b815b4505f86944621990bd81bd442780186904784572d50087942aa8607),
+                y: uint256(0x24e575bf4641129d492759c66a4a5c1d3da80b647d4e67adfea20ab72eb69854)
+            }),
+            qLookup: Honk.G1Point({
+                x: uint256(0x13a5f6d8f4de0f66dc7ea0d75efa7ae6632e6448c13bbbe5358412f7a36518d6),
+                y: uint256(0x142fd8f3223785fbd36b380c6065215d16b821b3df4d86d5464f1bfff2a29544)
+            }),
+            s1: Honk.G1Point({
+                x: uint256(0x12f95fba378f68a39b900e458349c0f778dca65e2627bb1c5d6284c2b1260ef1),
+                y: uint256(0x15965dc624e9a40d1ffe0343f8fd4c2afdb6ac86e0f487ab8c4fe2a85d1036f4)
+            }),
+            s2: Honk.G1Point({
+                x: uint256(0x1c260f913ab6417444cf9512dc273201aa34946e41d75fa81c3626c81fe716ff),
+                y: uint256(0x176e7818b3dfff8b2744f5b5d2c0a2ebdafcd9286c795270092dfbe25a9c08af)
+            }),
+            s3: Honk.G1Point({
+                x: uint256(0x16945d3d1dc53de6aeaff189e40c72c9de0ac1dd796345064c0af5e092e8e3f1),
+                y: uint256(0x21f48c50caca803009a007bc66421e7135ece814e02767a43cb5a7ec60b4e7d8)
+            }),
+            s4: Honk.G1Point({
+                x: uint256(0x187a3c8a8fa68d820cdcbdda2aec2fd6af5495bce3ec51a86a9043ed828cac12),
+                y: uint256(0x08d15b3ae7be0b34eac0495b771c58ec10b386e4e614301b4b00e2b0e360f8e0)
+            }),
+            t1: Honk.G1Point({
+                x: uint256(0x1ddc9ef86584375e5998d9f6fc16a4e646dc315ab86b477abc2f18a723dc24f6),
+                y: uint256(0x03a3b132ca6590c4ffdf35e1acd932da680a4247a55c88dd2284af78cb047906)
+            }),
+            t2: Honk.G1Point({
+                x: uint256(0x1e4cde3e410660193bacdf1db498ffb6bf1618c4d7b355415858d7d996e8bd03),
+                y: uint256(0x18d7f0300f961521ead0cb3c81a2a43a2dea0fdcb17bd772aef6c7b908be4273)
+            }),
+            t3: Honk.G1Point({
+                x: uint256(0x0e77f28b07af551fea1ad81b304fd41013850e8b3539309c20bb2fa115289642),
+                y: uint256(0x15f92fde2f0d7a77c27daeb397336220ffc07b99f710980253e84f8ae94afd4d)
+            }),
+            t4: Honk.G1Point({
+                x: uint256(0x2285ea4116ca00b673b2daadf596052b6d9ba6d231a4bea8af5a3c0f28c44aa4),
+                y: uint256(0x076bf1e1f682badebfca083e25d808e8dae96372631c0721a7ee238c333a862a)
+            }),
+            id1: Honk.G1Point({
+                x: uint256(0x003bfa695fb125e2e815ae3565a2b7667fe2240edfd46c312fa6b6ed88226d3f),
+                y: uint256(0x080c85e17835fce14e045eeb531ef2c287ad933a2ca7f35d3c7df03d0367fb9c)
+            }),
+            id2: Honk.G1Point({
+                x: uint256(0x17662e6b69e1a67d8682a5c00b4d3c57c8f3ce7d82df027ba71c5031a946e070),
+                y: uint256(0x14bd830834279aa5f4ff64181af68bef9121c6322d37d25b5490f60a83b755f9)
+            }),
+            id3: Honk.G1Point({
+                x: uint256(0x05bc83edcd40f963c7f6983f1c6a993ce32ca97a6e45c076dc4e38195ba8560a),
+                y: uint256(0x01239f42bab3bc0d1cc4194ca17fa76036ce2e4887a3dc499fe71da67d7af9a3)
+            }),
+            id4: Honk.G1Point({
+                x: uint256(0x1bcbd59c8e9e24132d3d3dfb1eaf21fa4ed74e922bb4d44f3c8d22ebb50105da),
+                y: uint256(0x147b021c1046d59dcc6b8be404ef2670f7e6f33a03dbaeef966c9bf3882324f4)
+            }),
+            lagrangeFirst: Honk.G1Point({
+                x: uint256(0x0000000000000000000000000000000000000000000000000000000000000001),
+                y: uint256(0x0000000000000000000000000000000000000000000000000000000000000002)
+            }),
+            lagrangeLast: Honk.G1Point({
+                x: uint256(0x28bf8c9eeae6946902ee08351768a3e4f67d812e6465f55f16bf69fad16cf46d),
+                y: uint256(0x12dab1c326b33ea63ec6651324077c0ea2cb0ddfafd63fb8f9fbcc70bd53d7e0)
+            })
+        });
+        return vk;
+    }
+}
diff --git a/barretenberg/sol/src/honk/utils.sol b/barretenberg/sol/src/honk/utils.sol
new file mode 100644
index 00000000000..340204c20bc
--- /dev/null
+++ b/barretenberg/sol/src/honk/utils.sol
@@ -0,0 +1,102 @@
+import {Honk, P, Q} from "./HonkTypes.sol";
+import {Fr, FrLib} from "./Fr.sol";
+
+import "forge-std/console.sol";
+import "forge-std/console2.sol";
+
+function bytes32ToString(bytes32 value) pure returns (string memory) {
+    bytes memory alphabet = "0123456789abcdef";
+
+    bytes memory str = new bytes(66);
+    str[0] = "0";
+    str[1] = "x";
+    for (uint256 i = 0; i < 32; i++) {
+        str[2 + i * 2] = alphabet[uint8(value[i] >> 4)];
+        str[3 + i * 2] = alphabet[uint8(value[i] & 0x0f)];
+    }
+    return string(str);
+}
+
+function logG1(string memory name, Honk.G1ProofPoint memory point) pure {
+    // TODO: convert both to hex before printing to line up with cpp
+    string memory x_0 = bytes32ToString(bytes32(point.x_0));
+    string memory x_1 = bytes32ToString(bytes32(point.x_1));
+    string memory y_0 = bytes32ToString(bytes32(point.y_0));
+    string memory y_1 = bytes32ToString(bytes32(point.y_1));
+
+    string memory message = string(abi.encodePacked(name, " x: ", x_0, x_1, " y: ", y_0, y_1));
+    console2.log(message);
+}
+
+function logG(string memory name, Honk.G1Point memory point) pure {
+    // TODO: convert both to hex before printing to line up with cpp
+    string memory x = bytes32ToString(bytes32(point.x));
+    string memory y = bytes32ToString(bytes32(point.y));
+
+    string memory message = string(abi.encodePacked(name, " x: ", x, " y: ", y));
+    console2.log(message);
+}
+
+function logG(string memory name, uint256 i, Honk.G1Point memory point) pure {
+    // TODO: convert both to hex before printing to line up with cpp
+    string memory x = bytes32ToString(bytes32(point.x));
+    string memory y = bytes32ToString(bytes32(point.y));
+
+    string memory message = string(abi.encodePacked(name, " ", i, " x: ", x, " y: ", y));
+    console2.log(message);
+}
+
+function logUint(string memory name, uint256 value) pure {
+    string memory as_hex = bytes32ToString(bytes32(value));
+    console2.log(name, as_hex);
+}
+
+function logFr(string memory name, Fr value) pure {
+    string memory as_hex = bytes32ToString(bytes32(Fr.unwrap(value)));
+    console2.log(name, as_hex);
+}
+
+function logFr(string memory name, uint256 i, Fr value) pure {
+    string memory as_hex = bytes32ToString(bytes32(Fr.unwrap(value)));
+    console2.log(name, i, as_hex);
+}
+
+// EC Point utilities
+
+function convertProofPoint(Honk.G1ProofPoint memory input) pure returns (Honk.G1Point memory) {
+    return Honk.G1Point({x: input.x_0 | (input.x_1 << 136), y: input.y_0 | (input.y_1 << 136)});
+}
+
+function ecMul(Honk.G1Point memory point, Fr scalar) view returns (Honk.G1Point memory) {
+    bytes memory input = abi.encodePacked(point.x, point.y, Fr.unwrap(scalar));
+    (bool success, bytes memory result) = address(0x07).staticcall(input);
+    require(success, "ecMul failed");
+
+    (uint256 x, uint256 y) = abi.decode(result, (uint256, uint256));
+    return Honk.G1Point({x: x, y: y});
+}
+
+function ecAdd(Honk.G1Point memory point0, Honk.G1Point memory point1) view returns (Honk.G1Point memory) {
+    bytes memory input = abi.encodePacked(point0.x, point0.y, point1.x, point1.y);
+    (bool success, bytes memory result) = address(0x06).staticcall(input);
+    require(success, "ecAdd failed");
+
+    (uint256 x, uint256 y) = abi.decode(result, (uint256, uint256));
+    return Honk.G1Point({x: x, y: y});
+}
+
+function ecSub(Honk.G1Point memory point0, Honk.G1Point memory point1) view returns (Honk.G1Point memory) {
+    // We negate the second point
+    uint256 negativePoint1Y = (Q - point1.y) % Q;
+    bytes memory input = abi.encodePacked(point0.x, point0.y, point1.x, negativePoint1Y);
+    (bool success, bytes memory result) = address(0x06).staticcall(input);
+    require(success, "ecAdd failed");
+
+    (uint256 x, uint256 y) = abi.decode(result, (uint256, uint256));
+    return Honk.G1Point({x: x, y: y});
+}
+
+function negateInplace(Honk.G1Point memory point) pure returns (Honk.G1Point memory) {
+    point.y = (Q - point.y) % Q;
+    return point;
+}
diff --git a/barretenberg/sol/src/ultra/BaseUltraVerifier.sol b/barretenberg/sol/src/ultra/BaseUltraVerifier.sol
index e969bff9009..9cf0f06e487 100644
--- a/barretenberg/sol/src/ultra/BaseUltraVerifier.sol
+++ b/barretenberg/sol/src/ultra/BaseUltraVerifier.sol
@@ -299,10 +299,10 @@ abstract contract BaseUltraVerifier {
      */
     function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure virtual;
 
-    constructor() { 
+    constructor() {
         loadVerificationKey(N_LOC, OMEGA_INVERSE_LOC);
 
-        // We verify that all of the EC points in the verification key lie on the bn128 curve. 
+        // We verify that all of the EC points in the verification key lie on the bn128 curve.
         assembly {
             let q := 21888242871839275222246405745257275088696311157297823662689037894645226208583 // EC group order
 
@@ -429,7 +429,7 @@ abstract contract BaseUltraVerifier {
                 let xx := mulmod(x, x, q)
                 // validate on curve
                 success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
-            } 
+            }
             // VALIDATE TABLE2
             {
                 let x := mload(TABLE2_X_LOC)
@@ -437,7 +437,7 @@ abstract contract BaseUltraVerifier {
                 let xx := mulmod(x, x, q)
                 // validate on curve
                 success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
-            } 
+            }
             // VALIDATE TABLE3
             {
                 let x := mload(TABLE3_X_LOC)
@@ -445,7 +445,7 @@ abstract contract BaseUltraVerifier {
                 let xx := mulmod(x, x, q)
                 // validate on curve
                 success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
-            } 
+            }
             // VALIDATE TABLE4
             {
                 let x := mload(TABLE4_X_LOC)
@@ -453,7 +453,7 @@ abstract contract BaseUltraVerifier {
                 let xx := mulmod(x, x, q)
                 // validate on curve
                 success := and(success, eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q)))
-            } 
+            }
             // VALIDATE TABLE_TYPE
             {
                 let x := mload(TABLE_TYPE_X_LOC)
@@ -783,7 +783,6 @@ abstract contract BaseUltraVerifier {
                      * root_1 *= ω
                      * root_2 *= ω
                      */
-
                     let input := calldataload(public_inputs_ptr)
                     valid_inputs := and(valid_inputs, lt(input, p_clone))
                     let temp := addmod(input, gamma, p_clone)
@@ -849,7 +848,6 @@ abstract contract BaseUltraVerifier {
                  * l_end_denominator = accumulating_root^2 * work_root * zeta - 1
                  * Note: l_end_denominator term contains a term \omega^5 to cut out 5 roots of unity from vanishing poly
                  */
-
                 let zeta := mload(C_ZETA_LOC)
 
                 // compute zeta^n, where n is a power of 2
@@ -1183,7 +1181,6 @@ abstract contract BaseUltraVerifier {
                  * the next gate. Then we can treat (q_arith - 1) as a simulated q_6 selector and scale q_m to handle (q_arith - 3) at
                  * product.
                  */
-
                 let w1q1 := mulmod(mload(W1_EVAL_LOC), mload(Q1_EVAL_LOC), p)
                 let w2q2 := mulmod(mload(W2_EVAL_LOC), mload(Q2_EVAL_LOC), p)
                 let w3q3 := mulmod(mload(W3_EVAL_LOC), mload(Q3_EVAL_LOC), p)
@@ -1491,7 +1488,6 @@ abstract contract BaseUltraVerifier {
                      * non_native_field_gate_3 = (limb_subproduct + w_4 - (w_3_omega + w_4_omega)) * q_m
                      * non_native_field_identity = (non_native_field_gate_1 + non_native_field_gate_2 + non_native_field_gate_3) * q_2
                      */
-
                     let limb_subproduct :=
                         addmod(
                             mulmod(mload(W1_EVAL_LOC), mload(W2_OMEGA_EVAL_LOC), p),
@@ -1611,7 +1607,6 @@ abstract contract BaseUltraVerifier {
                      *
                      * memory_record_check -= w_4;
                      */
-
                     let memory_record_check := mulmod(mload(W3_EVAL_LOC), mload(C_ETA_LOC), p)
                     memory_record_check := addmod(memory_record_check, mload(W2_EVAL_LOC), p)
                     memory_record_check := mulmod(memory_record_check, mload(C_ETA_LOC), p)
@@ -1695,7 +1690,6 @@ abstract contract BaseUltraVerifier {
                          * RAM_consistency_check_identity *= alpha;
                          * RAM_consistency_check_identity += access_check;
                          */
-
                         let access_type := addmod(mload(W4_EVAL_LOC), sub(p, partial_record_check), p)
                         let access_check := mulmod(access_type, addmod(access_type, sub(p, 1), p), p)
                         let next_gate_access_type_is_boolean :=
@@ -2117,7 +2111,7 @@ abstract contract BaseUltraVerifier {
             success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))
 
             // ACCUMULATE Q3
-            
+
             // Verification key fields verified to be on curve at contract deployment
             mstore(0x00, mload(Q3_X_LOC))
             mstore(0x20, mload(Q3_Y_LOC))
@@ -2128,7 +2122,7 @@ abstract contract BaseUltraVerifier {
             success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))
 
             // ACCUMULATE Q4
-            
+
             // Verification key fields verified to be on curve at contract deployment
             mstore(0x00, mload(Q4_X_LOC))
             mstore(0x20, mload(Q4_Y_LOC))
@@ -2139,7 +2133,7 @@ abstract contract BaseUltraVerifier {
             success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))
 
             // ACCUMULATE QM
-            
+
             // Verification key fields verified to be on curve at contract deployment
             mstore(0x00, mload(QM_X_LOC))
             mstore(0x20, mload(QM_Y_LOC))
diff --git a/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol
index 67c3b6080a1..27f1983ed5f 100644
--- a/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol
+++ b/barretenberg/sol/src/ultra/keys/Add2UltraVerificationKey.sol
@@ -1,11 +1,11 @@
-// Verification Key Hash: a0e940165bfc708013d5b4f7940f3b07f3bcf3c0f57ee21d8b4bdb78630817a3
+// Verification Key Hash: f7bbd1b4758c8616f966f56728b3d7127a0d1ca6763cbaf70b4719914be476bd
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2022 Aztec
 pragma solidity >=0.8.4;
 
 library Add2UltraVerificationKey {
     function verificationKeyHash() internal pure returns (bytes32) {
-        return 0xa0e940165bfc708013d5b4f7940f3b07f3bcf3c0f57ee21d8b4bdb78630817a3;
+        return 0xf7bbd1b4758c8616f966f56728b3d7127a0d1ca6763cbaf70b4719914be476bd;
     }
 
     function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure {
@@ -38,10 +38,10 @@ library Add2UltraVerificationKey {
             mstore(add(_vk, 0x320), 0x261015d69327a58810e6eb1052ed694914b7a89034e1334c50b9e70a161489b7) // vk.SIGMA1.y
             mstore(add(_vk, 0x340), 0x1987df111730a8a6a650423757dbf048f3f43860a7d24a5e2e8bd67b6931ca67) // vk.SIGMA2.x
             mstore(add(_vk, 0x360), 0x1fe074ff24b35d7830bec2a3fad7e53038ffb5e2a3f718a23660d68daffc2953) // vk.SIGMA2.y
-            mstore(add(_vk, 0x380), 0x191d6881b9369e50141da3f2009a2f2dfc9adba276e874eb9f7f3183a0ea8f89) // vk.SIGMA3.x
-            mstore(add(_vk, 0x3a0), 0x2cbfbdd75526be7e9f2830cb1fd99457227f90fb024902635e342344cb6b2926) // vk.SIGMA3.y
-            mstore(add(_vk, 0x3c0), 0x2e7fe658b8f1f34dc561568e4ef6c74bb36330404967952b1e15390c1e2443cf) // vk.SIGMA4.x
-            mstore(add(_vk, 0x3e0), 0x293a5337eedc88329f10aa45a11e4adbb77f74717345987d70ed726e3e4556f1) // vk.SIGMA4.y
+            mstore(add(_vk, 0x380), 0x1995a6246a4cf48e66d1f4753d001b67712f57a94b364498c12b7048f162665f) // vk.SIGMA3.x
+            mstore(add(_vk, 0x3a0), 0x0b09e4f696f8fcdae85a72b71cc2bc2be2be2960d4fa0078d79c32d21619bd5e) // vk.SIGMA3.y
+            mstore(add(_vk, 0x3c0), 0x267b628499addfdfc2ff596957b0aa713baa1054a78cd80dcb0b588bfa209adf) // vk.SIGMA4.x
+            mstore(add(_vk, 0x3e0), 0x119db2893b20259b419e53e6686f2fba9934c9e1af0ffa2ede920718eea14086) // vk.SIGMA4.y
             mstore(add(_vk, 0x400), 0x02c397073c8abce6d4140c9b961209dd783bff1a1cfc999bb29859cfb16c46fc) // vk.TABLE1.x
             mstore(add(_vk, 0x420), 0x2b7bba2d1efffce0d033f596b4d030750599be670db593af86e1923fe8a1bb18) // vk.TABLE1.y
             mstore(add(_vk, 0x440), 0x2c71c58b66498f903b3bbbda3d05ce8ffb571a4b3cf83533f3f71b99a04f6e6b) // vk.TABLE2.x
@@ -52,12 +52,12 @@ library Add2UltraVerificationKey {
             mstore(add(_vk, 0x4e0), 0x13dd7515ccac4095302d204f06f0bff2595d77bdf72e4acdb0b0b43969860d98) // vk.TABLE4.y
             mstore(add(_vk, 0x500), 0x16ff3501369121d410b445929239ba057fe211dad1b706e49a3b55920fac20ec) // vk.TABLE_TYPE.x
             mstore(add(_vk, 0x520), 0x1e190987ebd9cf480f608b82134a00eb8007673c1ed10b834a695adf0068522a) // vk.TABLE_TYPE.y
-            mstore(add(_vk, 0x540), 0x0baaf073a203ba4ba0093c827bb5b3f7a55611765f111ecf80c456f631e99f29) // vk.ID1.x
-            mstore(add(_vk, 0x560), 0x27cd34cafd5735ec970278202765e0f1e9da3494b30b948ebce3414d078cef9e) // vk.ID1.y
+            mstore(add(_vk, 0x540), 0x1e44194e60f0ab4ee0f77adc50f4220944f94301aa6da3016a226de04de52f4c) // vk.ID1.x
+            mstore(add(_vk, 0x560), 0x2a017d0d9f40d0aeb5c8152ffddec56c2c7bea37dfbd20be6bed19efd743397a) // vk.ID1.y
             mstore(add(_vk, 0x580), 0x0868357b28039385c5a5058b6d358ebb29f26f9890d6cc6401f4921d5884edca) // vk.ID2.x
             mstore(add(_vk, 0x5a0), 0x1060afe929554ca473103f5e68193c36fb6e229dde8edf7ec858b12d7e8be485) // vk.ID2.y
-            mstore(add(_vk, 0x5c0), 0x0b1c02619282755533457230b19b4a15226e07e207744c0857074dcab883af4a) // vk.ID3.x
-            mstore(add(_vk, 0x5e0), 0x0d928deafed363659688ed4ccdef521f2a0277e4807e6e1cbabca21dde5eb5e1) // vk.ID3.y
+            mstore(add(_vk, 0x5c0), 0x1953e657c2c941f0eb52e94a96b64a0152c7cc3baff59a345fd6ecd311f313af) // vk.ID3.x
+            mstore(add(_vk, 0x5e0), 0x08579320bf2aa71698b64152f1f3f4afe1873af96d6403dcaf56908dc78c6704) // vk.ID3.y
             mstore(add(_vk, 0x600), 0x2eea648c8732596b1314fe2a4d2f05363f0c994e91cecad25835338edee2294f) // vk.ID4.x
             mstore(add(_vk, 0x620), 0x0ab49886c2b94bd0bd3f6ed1dbbe2cb2671d2ae51d31c1210433c3972bb64578) // vk.ID4.y
             mstore(add(_vk, 0x640), 0x00) // vk.contains_recursive_proof
diff --git a/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol
index 0b8676e4dab..b8a1d2efd68 100644
--- a/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol
+++ b/barretenberg/sol/src/ultra/keys/BlakeUltraVerificationKey.sol
@@ -1,11 +1,11 @@
-// Verification Key Hash: ab0e7eca8953a659e04b83b3e1eb0525036ab76b5c6c53b090c8e3e568df3912
+// Verification Key Hash: 7370a14d9a35deb926608bdc13693b06292d2f66052be3dd6d13d35441270318
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2022 Aztec
 pragma solidity >=0.8.4;
 
 library BlakeUltraVerificationKey {
     function verificationKeyHash() internal pure returns (bytes32) {
-        return 0xab0e7eca8953a659e04b83b3e1eb0525036ab76b5c6c53b090c8e3e568df3912;
+        return 0x7370a14d9a35deb926608bdc13693b06292d2f66052be3dd6d13d35441270318;
     }
 
     function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure {
@@ -14,34 +14,34 @@ library BlakeUltraVerificationKey {
             mstore(add(_vk, 0x20), 0x0000000000000000000000000000000000000000000000000000000000000004) // vk.num_inputs
             mstore(add(_vk, 0x40), 0x2d1ba66f5941dc91017171fa69ec2bd0022a2a2d4115a009a93458fd4e26ecfb) // vk.work_root
             mstore(add(_vk, 0x60), 0x3063edaa444bddc677fcd515f614555a777997e0a9287d1e62bf6dd004d82001) // vk.domain_inverse
-            mstore(add(_vk, 0x80), 0x1a80f3623f0778b08837c863a65a1947e56828b26496c5737e25041052f7009c) // vk.Q1.x
-            mstore(add(_vk, 0xa0), 0x2a3cacc92240779ca4f320c576190d0d6ec1266368357178a9a8260cfa235455) // vk.Q1.y
-            mstore(add(_vk, 0xc0), 0x2acda97834aca4418d41ed03d801e2dd48a1d0b5c41d76ad369a8f7af50e0661) // vk.Q2.x
-            mstore(add(_vk, 0xe0), 0x1b69f6a121b1cb789d87cbb3236233b7a4a480ee9bdde5b7bd47e62a227dc5fc) // vk.Q2.y
-            mstore(add(_vk, 0x100), 0x0ac1dea6a1af1f8971d1341ab89d8a04f441306474df59985c648f96d1de246c) // vk.Q3.x
-            mstore(add(_vk, 0x120), 0x0d41764f9161b19571da0200f8efa730ac7c2025e09a2decd3e4889261792e8b) // vk.Q3.y
-            mstore(add(_vk, 0x140), 0x26c4dcb136c91c0acb772bba73db577c1f0f3c09cf4dd7cf4a2bcecf4aa3057a) // vk.Q4.x
-            mstore(add(_vk, 0x160), 0x0a5072484a9fce7eef8d097a377375142da6f88bb9616d5ca1f2aad4bb092129) // vk.Q4.y
-            mstore(add(_vk, 0x180), 0x2c294f4909e331bfdaf0b65ac1b7197251217d346f0b990471359d419a632662) // vk.Q_M.x
-            mstore(add(_vk, 0x1a0), 0x0b3d987ce70e2cff4a2fd93156efd896e0f4f9f671ccb1ab8c3493217b3d9b07) // vk.Q_M.y
-            mstore(add(_vk, 0x1c0), 0x1dfbace7f5f42d72d8df9c6c40a118a8c05d340796095cdb30d5ae76807ff4c3) // vk.Q_C.x
-            mstore(add(_vk, 0x1e0), 0x1a8d4a2ec9837b684fa5b688e36f48288c1450591c7e807bbb86ec125d7b3dd4) // vk.Q_C.y
-            mstore(add(_vk, 0x200), 0x0a51756abf4c062b5f4d76b29e1dbba021b670d13442aee1fef9e3018eb4aca4) // vk.Q_ARITHMETIC.x
-            mstore(add(_vk, 0x220), 0x0ad4318714e1493aae41463ebd941fd2d7fb5357c55ae9eb6491c7c3ccb8399d) // vk.Q_ARITHMETIC.y
-            mstore(add(_vk, 0x240), 0x0d7d8284681025c0926d0bfda9a6887098f151a49b27160e76c0cbe5e081fcb8) // vk.QSORT.x
-            mstore(add(_vk, 0x260), 0x083b2abe0a5c29769ba8f427e7440a3dcb1ffcd86cb1b106f0aa27b6903655ba) // vk.QSORT.y
+            mstore(add(_vk, 0x80), 0x260b63c5c404eba05c531b64a63c4f8752eb48b02d8d53910bbc22e7648b672b) // vk.Q1.x
+            mstore(add(_vk, 0xa0), 0x0a84e4198292ba82e9ec6e130ebf86ff8513b8133501e8b7c625c322451cc17a) // vk.Q1.y
+            mstore(add(_vk, 0xc0), 0x066bf08a2edd0ed02a5b2b4c72f512585b1816d943d06f4822219d37d28b88f7) // vk.Q2.x
+            mstore(add(_vk, 0xe0), 0x18e0525744e594592f2ba6832df668c1424c920ebf1e2ec358558075df1fc906) // vk.Q2.y
+            mstore(add(_vk, 0x100), 0x25880f31af07e4d48de7be715bc3b63495b1ce16c3ce6233ad5ba832cf3330a5) // vk.Q3.x
+            mstore(add(_vk, 0x120), 0x190ab6675593f90dc404518e02369c97f0d736010033237073dfc5611cb4e0cc) // vk.Q3.y
+            mstore(add(_vk, 0x140), 0x1afd5ebe896054ba2812a94f5903a17aa5de0ffc7f1915259b4d9e01a24ceb44) // vk.Q4.x
+            mstore(add(_vk, 0x160), 0x03b445d3e75bd9ecf05703d2301157ccb3795adf7ddb3c0d03cbcc691772288e) // vk.Q4.y
+            mstore(add(_vk, 0x180), 0x00f612887aad4e61796d7948533fff40184bd1d00ba52e9201fea5b9b5a8258a) // vk.Q_M.x
+            mstore(add(_vk, 0x1a0), 0x25bd9c5fec68e480ccf127be8b4bf7810c737a38f4d6a4379b3817d4d157a3f5) // vk.Q_M.y
+            mstore(add(_vk, 0x1c0), 0x27e6361916a9c2a4f81501df8f6588c394f7ba0010e565fe9162e1456acb64fe) // vk.Q_C.x
+            mstore(add(_vk, 0x1e0), 0x232d6f8f7582fc930a95c1d97e1cbe471935642ef95ac1457f953b92601a7f36) // vk.Q_C.y
+            mstore(add(_vk, 0x200), 0x1344134626051322a90942b7cbd3a98227e7e192c8597604dea27f5eb49a1332) // vk.Q_ARITHMETIC.x
+            mstore(add(_vk, 0x220), 0x2c4782c37eb3e19589fc42e465f89cb3dd47ddcfce1a3a5f7e0e6423e9290f53) // vk.Q_ARITHMETIC.y
+            mstore(add(_vk, 0x240), 0x2ea84c6aebfa0d7b78e6f8344086d9a4ceabf599cdc3c8b8efaf937f78fa89f8) // vk.QSORT.x
+            mstore(add(_vk, 0x260), 0x00fc4dc0688832477ed1b999b886307775590a5155ccfbe5e4a686cab3684fd9) // vk.QSORT.y
             mstore(add(_vk, 0x280), 0x21959276775cd4749236c8bf773a9b2403cecb45fbf70e6439f73d75442e8850) // vk.Q_ELLIPTIC.x
             mstore(add(_vk, 0x2a0), 0x017714509f01d1a9ee7ebaf4d50745e33a14150b4fe9850a27e44de56d88cb14) // vk.Q_ELLIPTIC.y
             mstore(add(_vk, 0x2c0), 0x2e76c4474fcb457db84fb273ccc10a4647a1a37444369f2f275bb74540f5e2d0) // vk.Q_AUX.x
             mstore(add(_vk, 0x2e0), 0x209035caddd02a78acd0ed617a85d782533bd142c6cad8e3338f3142b919c3a4) // vk.Q_AUX.y
-            mstore(add(_vk, 0x300), 0x12922936896c92f4773be96aa6eced49c9e6973d091baca38bcd2ce7c2432b13) // vk.SIGMA1.x
-            mstore(add(_vk, 0x320), 0x0195e866ae7531344bc2cec037b002d99caace033bdbdf98b4db64b1e23be236) // vk.SIGMA1.y
-            mstore(add(_vk, 0x340), 0x136128a1e6bc7bc733fcb9343fe23760d8d8a08d4ba4cdfc8970429696720a85) // vk.SIGMA2.x
-            mstore(add(_vk, 0x360), 0x222d19d2afae1cc8c5b1b802be90b5d4d648f5e89f4b32df381fb92135497a2c) // vk.SIGMA2.y
-            mstore(add(_vk, 0x380), 0x0dea033b8db2e2948559604ffac72f411931477ca58240ce0a3007c9a82d1b0a) // vk.SIGMA3.x
-            mstore(add(_vk, 0x3a0), 0x1fd05a799d3dfaba1bfed3145b27e4768be0bc0893b24962de96fdbce7cdc319) // vk.SIGMA3.y
-            mstore(add(_vk, 0x3c0), 0x07f75bc93d92e6dccd6ba833a23aa5d1ba7c36cd2e2d6c2e6406c62480e19119) // vk.SIGMA4.x
-            mstore(add(_vk, 0x3e0), 0x253f74ab6ef1778beba646f245c7dcd5e60cdaebcc37d2c5db22caf03ee7091f) // vk.SIGMA4.y
+            mstore(add(_vk, 0x300), 0x16a04bedbbced0858d1cb768d5dee65d7a9e5eda5840f041a6b0c2d9a05a47e9) // vk.SIGMA1.x
+            mstore(add(_vk, 0x320), 0x0f295c2f65406bd8aa6844f7a8c797da1ec69b048441e5926a0d11e515056af4) // vk.SIGMA1.y
+            mstore(add(_vk, 0x340), 0x219f3919df06c1843bdcf405c9c6304c9affb6b5b075e25d9213cb9ca4177ad8) // vk.SIGMA2.x
+            mstore(add(_vk, 0x360), 0x2a5acc53d574ddef7c44bc0d578d9371cecc89ab42a4b0bc6017eaecc68ebeb0) // vk.SIGMA2.y
+            mstore(add(_vk, 0x380), 0x270efbcff761d452b5a3024f5a1b13b2108bfd126610f7c6580acfc8a3eadc43) // vk.SIGMA3.x
+            mstore(add(_vk, 0x3a0), 0x052330edc9afc72fdaa4d7c5df4617631634c46a7132ece7ec56286647f66a77) // vk.SIGMA3.y
+            mstore(add(_vk, 0x3c0), 0x1a07bea503dbfd8375d3cd35b79187516326c0a96af71418b8004e863d2126d7) // vk.SIGMA4.x
+            mstore(add(_vk, 0x3e0), 0x1601a5ddea012bc53cf9633d99e704caa30b017e3e81e935a8d791030be559c3) // vk.SIGMA4.y
             mstore(add(_vk, 0x400), 0x06c5d3c2a64587cf9dc278c6892854fc8f1aba4183115224cb2eda4c1aab64b8) // vk.TABLE1.x
             mstore(add(_vk, 0x420), 0x132622df9222e04fa9c4cf2895212a49556038d4fdc6d0d7a15b1067bb446efa) // vk.TABLE1.y
             mstore(add(_vk, 0x440), 0x2dbc1ac72b2f0c530b3bdbef307395e6059f82ce9f3beea34ff6c3a04ca112bc) // vk.TABLE2.x
@@ -50,16 +50,16 @@ library BlakeUltraVerificationKey {
             mstore(add(_vk, 0x4a0), 0x1bb16a4d3b60d47e572e02fac8bf861df5ba5f96942054e0896c7d4d602dc5c7) // vk.TABLE3.y
             mstore(add(_vk, 0x4c0), 0x1f5976fc145f0524228ca90c221a21228ff9be92d487b56890a39c3bc0d22bf2) // vk.TABLE4.x
             mstore(add(_vk, 0x4e0), 0x0f43d83a0d9eb36476e05c8d1280df98ec46ce93ae238597a687a4937ebec6cc) // vk.TABLE4.y
-            mstore(add(_vk, 0x500), 0x0b140556df3e8e29980eeae95a724d3c06c830707ce655b6bee64acc9be9e9c2) // vk.TABLE_TYPE.x
-            mstore(add(_vk, 0x520), 0x04de5162de4a6bea5e1e3b1386d87d41adef6c98203f749c98d2c2113ba12e9b) // vk.TABLE_TYPE.y
-            mstore(add(_vk, 0x540), 0x2e9d323290bebf84302163b43af960fde161663907a5e344ab62e3d0db9dc2a4) // vk.ID1.x
-            mstore(add(_vk, 0x560), 0x282cbb41af3a18746f880f35caf350a0e653cc9ff266380f9dad6c8145fc8532) // vk.ID1.y
-            mstore(add(_vk, 0x580), 0x29c73bc4fb55d00bb6b91bff171aaa98e3ab1d64829603b29a5364e510f692d7) // vk.ID2.x
-            mstore(add(_vk, 0x5a0), 0x1011dea47912a0daae13bf8f0e4b6df1f706252a27b69d34724cd05a3bbb5542) // vk.ID2.y
-            mstore(add(_vk, 0x5c0), 0x040261783eb93ad94557cb1c9c798d8468953eb65b00b3e0059fc7af5555ac5f) // vk.ID3.x
-            mstore(add(_vk, 0x5e0), 0x0e05422e3bc394ae55128d83ed0087f1d18810c951f4d03b2f0eff6d5b2e74a2) // vk.ID3.y
-            mstore(add(_vk, 0x600), 0x1b21ff32cadfbe3b43171ee3d0b14d1eed1c29e3719320d3e61f0e71c6aaf6d8) // vk.ID4.x
-            mstore(add(_vk, 0x620), 0x04f57e846a88c4a0254841cf7b6226e878e7a4ea49c34c3732870f1d8c4f6c18) // vk.ID4.y
+            mstore(add(_vk, 0x500), 0x239c09880dcbafee7caf9fb8460d1ca62e86b42b8724e350f01a12ddd4f08add) // vk.TABLE_TYPE.x
+            mstore(add(_vk, 0x520), 0x14dd9f4bba78075eb5bdb7d401281b01d9e88f8827fab15f6b718bfed5b6a598) // vk.TABLE_TYPE.y
+            mstore(add(_vk, 0x540), 0x0059fbc7f6f474f8a602db54e7aeb9b7072081bfb31d4831562003e8c5804177) // vk.ID1.x
+            mstore(add(_vk, 0x560), 0x01e2a561adf9c7843fd4e9acab18137656dbef06f22c9d2f05a68eae8576bd6b) // vk.ID1.y
+            mstore(add(_vk, 0x580), 0x205ed43983566317600b8324e02262240b23d6caa751e53360fe9410deb876b3) // vk.ID2.x
+            mstore(add(_vk, 0x5a0), 0x29ca9b6ba6da40ef21d62321d81594b449185bde9f071a3619731444a3cc30a2) // vk.ID2.y
+            mstore(add(_vk, 0x5c0), 0x0e633257c8c686bbe65fbf5792b8c944747838fd385d3b02eb7900dad50f6f4c) // vk.ID3.x
+            mstore(add(_vk, 0x5e0), 0x1bfda6b7d38472e9418a8eb55f4c1d372642b5819fde074d4fe62c29f843b566) // vk.ID3.y
+            mstore(add(_vk, 0x600), 0x1dab0d03d72afa6328933a39b05c764bc713f67606fa016ebf532deb2b4bc105) // vk.ID4.x
+            mstore(add(_vk, 0x620), 0x24bef3bbfed9cfcedabed6d61d289ae44ce360aa38fd022886fd22bc75fd5980) // vk.ID4.y
             mstore(add(_vk, 0x640), 0x00) // vk.contains_recursive_proof
             mstore(add(_vk, 0x660), 0) // vk.recursive_proof_public_input_indices
             mstore(add(_vk, 0x680), 0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1) // vk.g2_x.X.c1
diff --git a/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol
index d226d196bf5..2d6ea8d8991 100644
--- a/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol
+++ b/barretenberg/sol/src/ultra/keys/EcdsaUltraVerificationKey.sol
@@ -1,11 +1,11 @@
-// Verification Key Hash: e30e949f5160482ce231cd52882ea6e3146c3ef53d7a2e7a1ead236a058d5a78
+// Verification Key Hash: 37857017e148045fbf1d4c2a44593a697c670712dd978c475904b8dc36169f18
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2022 Aztec
 pragma solidity >=0.8.4;
 
 library EcdsaUltraVerificationKey {
     function verificationKeyHash() internal pure returns (bytes32) {
-        return 0xe30e949f5160482ce231cd52882ea6e3146c3ef53d7a2e7a1ead236a058d5a78;
+        return 0x37857017e148045fbf1d4c2a44593a697c670712dd978c475904b8dc36169f18;
     }
 
     function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure {
@@ -14,34 +14,34 @@ library EcdsaUltraVerificationKey {
             mstore(add(_vk, 0x20), 0x0000000000000000000000000000000000000000000000000000000000000006) // vk.num_inputs
             mstore(add(_vk, 0x40), 0x00eeb2cb5981ed45649abebde081dcff16c8601de4347e7dd1628ba2daac43b7) // vk.work_root
             mstore(add(_vk, 0x60), 0x30641e0e92bebef818268d663bcad6dbcfd6c0149170f6d7d350b1b1fa6c1001) // vk.domain_inverse
-            mstore(add(_vk, 0x80), 0x21e3003d8b8316c4ce71fb5419a9ae911da948bb43cf79b6f77db537b680c442) // vk.Q1.x
-            mstore(add(_vk, 0xa0), 0x3005267a5059be6fde8f88bbd95321c8ddea179df2a11dc1df2e77f740ca8f1f) // vk.Q1.y
-            mstore(add(_vk, 0xc0), 0x024526d9500f6edf685a057c97b8cff30a2ed489a002f7f35d1856da3ac42e01) // vk.Q2.x
-            mstore(add(_vk, 0xe0), 0x016b7763c0fba3bb1e445895adfb07bf26cbd99e202b0d8f93a8f7004a306bbc) // vk.Q2.y
-            mstore(add(_vk, 0x100), 0x2ff3496186b9586a042939286d9d83596cdd074f6df473613951ce5229fa31bc) // vk.Q3.x
-            mstore(add(_vk, 0x120), 0x28d41b097e1c8a0863f5593d6cc4a804e5f748b38443cb7909c6cbe2f9d1ab84) // vk.Q3.y
-            mstore(add(_vk, 0x140), 0x19a9e44ac41213223362bbedd7b6d61adf942a0a5880be9c7c53943b4e280640) // vk.Q4.x
-            mstore(add(_vk, 0x160), 0x1fa921169505614db374a60d1bbea0a08815b4804542bcbf3309506b8b0507f0) // vk.Q4.y
-            mstore(add(_vk, 0x180), 0x2035284dbb7544e5a0c1f5b56084267b165b23f541c038979555b82e0f2607ea) // vk.Q_M.x
-            mstore(add(_vk, 0x1a0), 0x02ff6b514c7fa2c20ba949ea94c08c5f5e146e09336b65de3d5fccfcaaf56b96) // vk.Q_M.y
-            mstore(add(_vk, 0x1c0), 0x098709b45abc886af6902f48ba0ae3587c9ebd298ceab3183e0aeb6068e96dcb) // vk.Q_C.x
-            mstore(add(_vk, 0x1e0), 0x2767a84ab297d7757b53fb08492d0a5f657d44b47c944a080c7c42ab890732f1) // vk.Q_C.y
-            mstore(add(_vk, 0x200), 0x0e5bc77185f9a211ce4dba62562d072d88600ba25fbd13028829cb916af11030) // vk.Q_ARITHMETIC.x
-            mstore(add(_vk, 0x220), 0x2039506dca5969fc929e7ed9ab162f17294f7e0d7c56959508562d9556357a6e) // vk.Q_ARITHMETIC.y
-            mstore(add(_vk, 0x240), 0x1d2501b2fa086e00afea57bf974ab9df0e259dc30aebf0021c17b8189c42d50c) // vk.QSORT.x
-            mstore(add(_vk, 0x260), 0x13cdd55a7fa83f59db568fdc67f4b07e7adddd403b975edcb7b4bf2ad2dcf453) // vk.QSORT.y
+            mstore(add(_vk, 0x80), 0x0740309101d13ea04888ecf9966d509116884ac038bdf2c07646806c87882e5f) // vk.Q1.x
+            mstore(add(_vk, 0xa0), 0x2fa84f63c12178cc8ac1f4e8588df585bde0d219e278e4ee201ffba99a3411e4) // vk.Q1.y
+            mstore(add(_vk, 0xc0), 0x0558758bd7554eeff4f8134d8ae5698a017ce2a129925bd48801548c77fbe63c) // vk.Q2.x
+            mstore(add(_vk, 0xe0), 0x0fb3ffe7ccc0570d878afafb118b383e81957c7b45b1b6ec827687c32e041b48) // vk.Q2.y
+            mstore(add(_vk, 0x100), 0x29b23512911ac602dad1322d794b14d93969dfce065e7d7f3c27eca231a7ce6b) // vk.Q3.x
+            mstore(add(_vk, 0x120), 0x181fa6dd3e9381e50a4803813066991c57a2da9124bc3578a50c368e64806238) // vk.Q3.y
+            mstore(add(_vk, 0x140), 0x00eaa74d50fa51c361607c4975d0901d985c3702e451ff6f90919ef5f30fb953) // vk.Q4.x
+            mstore(add(_vk, 0x160), 0x2943e906ab4660823fe6cc999101066309f99157af7a6fa948f75bac0527237a) // vk.Q4.y
+            mstore(add(_vk, 0x180), 0x0bb76b97b2e497edbda41d64eeeb4240482861bfe02220944a1f1b92939d31b7) // vk.Q_M.x
+            mstore(add(_vk, 0x1a0), 0x2777a52a5cbeb31f3f16c2268492e233bdd5cf02fd0c4e68e404347eda2670ac) // vk.Q_M.y
+            mstore(add(_vk, 0x1c0), 0x0ec4edd551546f895838153731c4241ba099c255f4dc3d0bd88fc901cdc941bc) // vk.Q_C.x
+            mstore(add(_vk, 0x1e0), 0x09bcf0a0c13ae4e765801b6b8acc8eef3da55fb43ff5a9305dd75c66d1287a0d) // vk.Q_C.y
+            mstore(add(_vk, 0x200), 0x2bf60d0b3adda58dfe2be290fcebb58851071646f7f715a5a0063dba93168b83) // vk.Q_ARITHMETIC.x
+            mstore(add(_vk, 0x220), 0x24562762b7b7219f77188e1e0c1b4db96493b1c7e41a5f1e7c0130ab5b720f43) // vk.Q_ARITHMETIC.y
+            mstore(add(_vk, 0x240), 0x04cf13b71400ed5ba47983d1d0795124e7ea3caf4f7d24f7713fe2205e2f80df) // vk.QSORT.x
+            mstore(add(_vk, 0x260), 0x15cc2c54fdc490a08833bd1a449bb0fbf26cd0590c648b45f7d83da966d5e9e8) // vk.QSORT.y
             mstore(add(_vk, 0x280), 0x21245d6c0a4d2ff12b21a825f39f30e8f8cf9b259448d111183e975828539576) // vk.Q_ELLIPTIC.x
             mstore(add(_vk, 0x2a0), 0x16a409532c8a1693536e93b6ce9920bfc2e6796e8dfe404675a0cdf6ee77ee7a) // vk.Q_ELLIPTIC.y
-            mstore(add(_vk, 0x2c0), 0x2a5e88249e7a11c5011cdca34920359e9442a5ae3aae68e56e8cdfc4062c8b52) // vk.Q_AUX.x
-            mstore(add(_vk, 0x2e0), 0x12065cc874d23213d1ccbef7087359fa4c75a87d9a25df50a05dce8e635073d5) // vk.Q_AUX.y
-            mstore(add(_vk, 0x300), 0x2e5b641397b2265450974ac68cdd0f151bd66d9c9854ab6f64e84671f3e0c267) // vk.SIGMA1.x
-            mstore(add(_vk, 0x320), 0x0fe1186570db78e9d0c24fa2f5582c43d1ca518567caa9e033007612c8245873) // vk.SIGMA1.y
-            mstore(add(_vk, 0x340), 0x0d5bbea26d87e9fadc9c3b860123ca849abba8e0e41c4e55998022b51d95d8a1) // vk.SIGMA2.x
-            mstore(add(_vk, 0x360), 0x1b503ef8d777b251c32e63d17a76e9ebd7efb586063bc52d6f75c86d3722efe9) // vk.SIGMA2.y
-            mstore(add(_vk, 0x380), 0x07c2dae78ad3943d62867423792d1cdaa68df83ebc974863ae3be3f90c490aae) // vk.SIGMA3.x
-            mstore(add(_vk, 0x3a0), 0x15301e4d92461354d18ac6208dcfea4967feac437435efa613183fb84007c6ae) // vk.SIGMA3.y
-            mstore(add(_vk, 0x3c0), 0x272d645226dbce24fcbaf241b18ebcd6c745f5f462f4f17b1b0d05deb1b342f0) // vk.SIGMA4.x
-            mstore(add(_vk, 0x3e0), 0x2a9f2b440f257f3e4619df6f3cb0c0cf1e8026061b4071249ae178447eb51b9e) // vk.SIGMA4.y
+            mstore(add(_vk, 0x2c0), 0x212c745dcc4a77000c8811ed40afb24af308b4df977301025f700d34da365259) // vk.Q_AUX.x
+            mstore(add(_vk, 0x2e0), 0x1f948ad81820af56f3eca2ae3d7e99f0d0a7edb380cf5ebb9f33a9cba3cc3003) // vk.Q_AUX.y
+            mstore(add(_vk, 0x300), 0x2fb17d2149521c0656a73395466a295e30cde468aca4124e34235609ede6bcf7) // vk.SIGMA1.x
+            mstore(add(_vk, 0x320), 0x2e9d5f4cb83ec03ecdd8bb1c8e8319f991e80d8b1af6f420f75ffc1851da6d77) // vk.SIGMA1.y
+            mstore(add(_vk, 0x340), 0x003841079f4625f2c236862b62391a7770a7ac22c538c4af8d70b8dba8e62a4e) // vk.SIGMA2.x
+            mstore(add(_vk, 0x360), 0x0b55d7bab80f1febf20f1faca1e71c5f917d1eab85fe03df8bcbec192f25da58) // vk.SIGMA2.y
+            mstore(add(_vk, 0x380), 0x26ee5759c003a3e371be8fbbe1cb783bce386b4583d1ee22e3abb86a1b0c59f2) // vk.SIGMA3.x
+            mstore(add(_vk, 0x3a0), 0x00678775ed828729a75de81d07419b825d017c80d7e1520f659dc23bb476cf0f) // vk.SIGMA3.y
+            mstore(add(_vk, 0x3c0), 0x282a0813e6ce49d1d2e70a13fcdc9aa4622b2218a83e8eca83e7c72747c37eea) // vk.SIGMA4.x
+            mstore(add(_vk, 0x3e0), 0x218a25ab5d221802dab140aad610b6ed71674a8cb9d899b85cafed786a778213) // vk.SIGMA4.y
             mstore(add(_vk, 0x400), 0x18f7cf965339d9c9d190296fa92f915767b0a8da455975f3e03fa98439fd7110) // vk.TABLE1.x
             mstore(add(_vk, 0x420), 0x0eecc02f9d44125407adbf00d56b086afd1adc5de536450afe05de382761b32f) // vk.TABLE1.y
             mstore(add(_vk, 0x440), 0x0bdfe662ea9f40f125ca5f7e99a8c6ba09b87ba8313864316745df862946c5c4) // vk.TABLE2.x
@@ -50,16 +50,16 @@ library EcdsaUltraVerificationKey {
             mstore(add(_vk, 0x4a0), 0x1fda66dfb58273345f2471dff55c51b6856241460272e64b4cc67cde65231e89) // vk.TABLE3.y
             mstore(add(_vk, 0x4c0), 0x024ccc0fcff3b515cdc97dde2fae5c516bf3c97207891801707142af02538a83) // vk.TABLE4.x
             mstore(add(_vk, 0x4e0), 0x27827250d02b7b67d084bfc52b26c722f33f75ae5098c109573bfe92b782e559) // vk.TABLE4.y
-            mstore(add(_vk, 0x500), 0x1ae2687fae0bfbb8b923aee57fd70697da8239d170e3dd9e903c5d2141073acc) // vk.TABLE_TYPE.x
-            mstore(add(_vk, 0x520), 0x2bc2419b9c6badd0755da06b3f73fba761bf5fc6708b1d9ebf8024ba7f95a2f6) // vk.TABLE_TYPE.y
-            mstore(add(_vk, 0x540), 0x1006cbbc3a187f1d286337a2a5851481ad736ddc9708de146b0c16af67af55f5) // vk.ID1.x
-            mstore(add(_vk, 0x560), 0x11cc4086b8c85a1c1cb633e148743dd35026dcb5d78b2d95c1d82235b4aa3f55) // vk.ID1.y
-            mstore(add(_vk, 0x580), 0x1280e0e41489a0689eca740eb87c2a956d7e5e01490d4ab8bed22cf702b868f5) // vk.ID2.x
-            mstore(add(_vk, 0x5a0), 0x1ee6fba2609e79fd8c183a090740d594b31ff64d1fa417d5b257e073d158dded) // vk.ID2.y
-            mstore(add(_vk, 0x5c0), 0x2b9204f05f51933d2aee0d9b4d6abb90fc8b647d2867191259b6b1180081d75e) // vk.ID3.x
-            mstore(add(_vk, 0x5e0), 0x0ae99a82bb35dbde21c2930925f571f81f41e1fb7afe103a52c01b830c042449) // vk.ID3.y
-            mstore(add(_vk, 0x600), 0x12dcf5c41e156844037bb35b2eb4b0b0c0e40c75b8374a1800387dbf399b4bc9) // vk.ID4.x
-            mstore(add(_vk, 0x620), 0x2c1e133ab13d64c88e3ac0dd7e4c29f4cb517ed81f84053a824608cc5fc3c3b0) // vk.ID4.y
+            mstore(add(_vk, 0x500), 0x2b11866ecb5b6a1e891e14792b0c04fdb6484cc1f910410459d3a9dfcaa75435) // vk.TABLE_TYPE.x
+            mstore(add(_vk, 0x520), 0x1422d413ccda11d6519d87f9379c29ef515ff37bdd366ab1aa7fc2029263cfe7) // vk.TABLE_TYPE.y
+            mstore(add(_vk, 0x540), 0x255d46db0711edd487412cba825c76c98f793128a8ce85c35133541e4e02abb2) // vk.ID1.x
+            mstore(add(_vk, 0x560), 0x160fad047875fd62e546eae73bce930febf8477c87769a5b1063eae02638c560) // vk.ID1.y
+            mstore(add(_vk, 0x580), 0x01548254d6a72ea1faeef8e50364e8103b527e4df00944d0a0b53d231a6df578) // vk.ID2.x
+            mstore(add(_vk, 0x5a0), 0x040430723dc214dcc9d20d0ed95d24d62a5f935e6243eec6302917c1b5d2b38f) // vk.ID2.y
+            mstore(add(_vk, 0x5c0), 0x1bde6129bc64b0816a88717b9b5b2904c85e7b88c73ac1b0ba75d371ecf235fc) // vk.ID3.x
+            mstore(add(_vk, 0x5e0), 0x0f7e40cedb79332543fd5c040a0eb687b1124869437414aee4497e9d66a6ecb9) // vk.ID3.y
+            mstore(add(_vk, 0x600), 0x25fbe717194485caaf7607cd9043bc528100b7e757f957680865edf2d7794616) // vk.ID4.x
+            mstore(add(_vk, 0x620), 0x119e345a421dcd7c7c9d8ffd14843eeb1536f640d777340dc4321e59941a3ef7) // vk.ID4.y
             mstore(add(_vk, 0x640), 0x00) // vk.contains_recursive_proof
             mstore(add(_vk, 0x660), 0) // vk.recursive_proof_public_input_indices
             mstore(add(_vk, 0x680), 0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1) // vk.g2_x.X.c1
diff --git a/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol b/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol
index 10094d20df7..e6e5a11f22e 100644
--- a/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol
+++ b/barretenberg/sol/src/ultra/keys/RecursiveUltraVerificationKey.sol
@@ -1,11 +1,11 @@
-// Verification Key Hash: e22392a1f3bddc5d1f000fd4920b5c0e7f8282ee348c68538ea51321fda78a6f
+// Verification Key Hash: bfb307aa80c044280f7b66742bc68eb8075aef056ac704ffd7d5cbe1d83268fa
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2022 Aztec
 pragma solidity >=0.8.4;
 
 library RecursiveUltraVerificationKey {
     function verificationKeyHash() internal pure returns (bytes32) {
-        return 0xe22392a1f3bddc5d1f000fd4920b5c0e7f8282ee348c68538ea51321fda78a6f;
+        return 0xbfb307aa80c044280f7b66742bc68eb8075aef056ac704ffd7d5cbe1d83268fa;
     }
 
     function loadVerificationKey(uint256 _vk, uint256 _omegaInverseLoc) internal pure {
@@ -14,34 +14,34 @@ library RecursiveUltraVerificationKey {
             mstore(add(_vk, 0x20), 0x0000000000000000000000000000000000000000000000000000000000000010) // vk.num_inputs
             mstore(add(_vk, 0x40), 0x19ddbcaf3a8d46c15c0176fbb5b95e4dc57088ff13f4d1bd84c6bfa57dcdc0e0) // vk.work_root
             mstore(add(_vk, 0x60), 0x30644259cd94e7dd5045d7a27013b7fcd21c9e3b7fa75222e7bda49b729b0401) // vk.domain_inverse
-            mstore(add(_vk, 0x80), 0x1955384fa963070c967ff2c960277b4e296aae8d72c72e01930356b9e66e82f0) // vk.Q1.x
-            mstore(add(_vk, 0xa0), 0x1abfdcc530bde7617e8bdacdb27582d2c313b5ac663a9d47075ccd7ea20be189) // vk.Q1.y
-            mstore(add(_vk, 0xc0), 0x019e10458c6caa9d5be700d9b289766239bef8ef7f9608300f75e4db84014d7b) // vk.Q2.x
-            mstore(add(_vk, 0xe0), 0x2c8b6fc311eb5850c154e438fc9ffba848c332d3b1f517266751cff56f711890) // vk.Q2.y
-            mstore(add(_vk, 0x100), 0x16087fc135eeed06f55acc3a59da6eff09599c013fbc397e742e7e7c3e34529a) // vk.Q3.x
-            mstore(add(_vk, 0x120), 0x025586359ebb3a81602ac1266da2503f320d26b9b18a3835a75f5ea587363d9b) // vk.Q3.y
-            mstore(add(_vk, 0x140), 0x049008f625581a490bb8fcf4ea3c648c6fd4d802cdffe7866175efd7b5664185) // vk.Q4.x
-            mstore(add(_vk, 0x160), 0x25e38e7a8cda67d926bdf8db7ebdd535499f4354f1e902ef27aeb79c63d2c233) // vk.Q4.y
-            mstore(add(_vk, 0x180), 0x113e080e177eeabec67380d0d0ecfdbfd9a8f7cc9e02c8d8445c328abbfeb9a5) // vk.Q_M.x
-            mstore(add(_vk, 0x1a0), 0x10f95dae13bfe0c0a3efbe10855b52c43269d8aa611525dbbcb1f1d0eb42f848) // vk.Q_M.y
-            mstore(add(_vk, 0x1c0), 0x23f14dc05ec047d53df22710cdfd3cb4a44963811078a600811aa06d9576b4c0) // vk.Q_C.x
-            mstore(add(_vk, 0x1e0), 0x0821bba87eb570b4f41b432624bb2bf013a9b129e7bc0c0178bcc2adc1c47606) // vk.Q_C.y
-            mstore(add(_vk, 0x200), 0x26486dece09dab5a8e4e757625088433f1d8123e8fda3693d4a7993f621f1eed) // vk.Q_ARITHMETIC.x
-            mstore(add(_vk, 0x220), 0x286019a7e6055aef52b91c449a1c2b9abbcb92595118160efc96ced10ac4b6e4) // vk.Q_ARITHMETIC.y
-            mstore(add(_vk, 0x240), 0x2ca5a08c8d2cc428aa539aab26c0ae71d28ed89e61fff9ef5c9eb896748e01c0) // vk.QSORT.x
-            mstore(add(_vk, 0x260), 0x124d0e50734e64db09937d992e57c88c3d82f17786ee7691191da883af81f7cb) // vk.QSORT.y
-            mstore(add(_vk, 0x280), 0x1ade93a940dab58eb305c26f147e387aa2ce033cd98b3f6d92d440a7ec159d7e) // vk.Q_ELLIPTIC.x
-            mstore(add(_vk, 0x2a0), 0x0bfe74216774dc130b6219ffd3ca3d716dde56532ef454e002b5e7cc1a714f06) // vk.Q_ELLIPTIC.y
-            mstore(add(_vk, 0x2c0), 0x11aa3c2e6abd71b46496cc7258ffb26e454779dd7a861c9b170df7b6d19866bb) // vk.Q_AUX.x
-            mstore(add(_vk, 0x2e0), 0x078a7416251f2354b81f7f23674a442733beaa73928c52482e09af67e4266630) // vk.Q_AUX.y
-            mstore(add(_vk, 0x300), 0x18b0d041e64959a1b4c8aec2988ed0781a8e71e3b399e9e6f1519553e7d4b844) // vk.SIGMA1.x
-            mstore(add(_vk, 0x320), 0x051faec8bc66561eb3dd53d7e9f062a69726ee92df29f337c1152b4838a6ecb5) // vk.SIGMA1.y
-            mstore(add(_vk, 0x340), 0x1b3db046a836a946d73153637681ae12a3747e76100a973ba3e57a60bf05f8b8) // vk.SIGMA2.x
-            mstore(add(_vk, 0x360), 0x2a0d1cb0659525e3e515020d4728b9deb1aac70c1286eb565e2589da5700caac) // vk.SIGMA2.y
-            mstore(add(_vk, 0x380), 0x2da060ec79d4280499b69fde005a3712a9b694118f9332af6e1611659ea05d10) // vk.SIGMA3.x
-            mstore(add(_vk, 0x3a0), 0x0de556d12e70d90ed705a5542c16a55a44910532e1f24c2252649f0b061af019) // vk.SIGMA3.y
-            mstore(add(_vk, 0x3c0), 0x101702660aecee7905d290afb56978ff8756662cb0589bf1260b7aa0feb8e044) // vk.SIGMA4.x
-            mstore(add(_vk, 0x3e0), 0x29d27af726556b6b97d2998f0ed57fecbb2fa27cefc51fee5a96a4ada07c0d2d) // vk.SIGMA4.y
+            mstore(add(_vk, 0x80), 0x2872629d2db8cb63feef4ab8ab250d2b8bd2fbdb622942962872f05b5e742d95) // vk.Q1.x
+            mstore(add(_vk, 0xa0), 0x1948d2b7b800c7a93368e1987b7871e7df65246af142f6573596865684913cc9) // vk.Q1.y
+            mstore(add(_vk, 0xc0), 0x27c1cc0a26221de00043568e1ecb193fc349be273624f69a9c3e766470f936cb) // vk.Q2.x
+            mstore(add(_vk, 0xe0), 0x0ba47ff2bea29b40ad0a9c8650a8833662b461389862423a7a73bbb54c7d4f0e) // vk.Q2.y
+            mstore(add(_vk, 0x100), 0x11710dd57cc6fa657dccc53cc681de5fc97d324f1f0c72e20c08371ee4f65e5d) // vk.Q3.x
+            mstore(add(_vk, 0x120), 0x244fd7fe0b18f6ff86a773655b34fb76abcd5217877e7df959e3e0151000ccd5) // vk.Q3.y
+            mstore(add(_vk, 0x140), 0x065e12520e3b7419d0c3b557d7a26f24d68763744b74a922993992148cfef300) // vk.Q4.x
+            mstore(add(_vk, 0x160), 0x2d5af9ed366fe901d76b2d5dee01535679a6adec0d88d9192dfea384ad56b4ee) // vk.Q4.y
+            mstore(add(_vk, 0x180), 0x2c2cf9cdde5d02feb8f244b62f37d794c2dff66622a55c77188f30aa0eb96e2a) // vk.Q_M.x
+            mstore(add(_vk, 0x1a0), 0x188afa06880347bd0a7181a6ee022742889e5c325df2a46ed325816c20472717) // vk.Q_M.y
+            mstore(add(_vk, 0x1c0), 0x2db1866af181147eb2deb1a81a237a80ede43cd670afed4ed707f5452043e41c) // vk.Q_C.x
+            mstore(add(_vk, 0x1e0), 0x07686d5c3d3166a9f171b4c6ea91e787b0988b78a4bc833894f0ff38d9098ea7) // vk.Q_C.y
+            mstore(add(_vk, 0x200), 0x1a906065dbb4b466aa34c76b50d49941b8f0cc5257ae7825093eb555cf093ecd) // vk.Q_ARITHMETIC.x
+            mstore(add(_vk, 0x220), 0x16be7a84788d5d7f80fa66a850bd2a61977180e4caaaa44193458847e96f4df3) // vk.Q_ARITHMETIC.y
+            mstore(add(_vk, 0x240), 0x12c6fa152ae4645fab9ce20db8ea7dee0eac2cc6562840f4d025036e7a06cdd0) // vk.QSORT.x
+            mstore(add(_vk, 0x260), 0x26a190dcd1abf61afc12ff56da242a29c196d1f75b3c0c6922dc026702489c2b) // vk.QSORT.y
+            mstore(add(_vk, 0x280), 0x2d7d1a26c4e4d806f73753d6f33c887df548d60adfc903867189947022643261) // vk.Q_ELLIPTIC.x
+            mstore(add(_vk, 0x2a0), 0x2d71cb325bb3a6af51e99830f0700d4ccedacbfd21ec7dffebd7e9c8cab386a6) // vk.Q_ELLIPTIC.y
+            mstore(add(_vk, 0x2c0), 0x30094b60cb5228b662501dd1942ea7d989694530497df30d9158b3933773f7f0) // vk.Q_AUX.x
+            mstore(add(_vk, 0x2e0), 0x04f2cc1c0aa3a57dc8173be9dec656884aec11a6f154eb2d0a31e7a5b3bc65bb) // vk.Q_AUX.y
+            mstore(add(_vk, 0x300), 0x14c1d865fc203cf3248b978de69ca2cbed717176a83931dcaaabddf84aac1125) // vk.SIGMA1.x
+            mstore(add(_vk, 0x320), 0x03413319a4878452335c3c679a952a71dad895d92acd1db566a8b72726b34f34) // vk.SIGMA1.y
+            mstore(add(_vk, 0x340), 0x01130e52ac74730e6fad05aeb3ee1e3e14feba55956bd944159ce65e854f6bb4) // vk.SIGMA2.x
+            mstore(add(_vk, 0x360), 0x0ee3c32db6c8483ae225f58ffce0c57e757852401b26f666506619529e6d830e) // vk.SIGMA2.y
+            mstore(add(_vk, 0x380), 0x1cdf6e1d1a2c00394de5e91aeafd134cf75f2c8b8014bf21d6074c2f66aff68c) // vk.SIGMA3.x
+            mstore(add(_vk, 0x3a0), 0x24fe45588eeb54159a8e9aa2e3c3a3ab90f78f0e509dfcc3cf3c03fffd5e2693) // vk.SIGMA3.y
+            mstore(add(_vk, 0x3c0), 0x2294016984ba84bd39822af4780b4fa91f06ac9f46d081c6e4639dc0091eff2b) // vk.SIGMA4.x
+            mstore(add(_vk, 0x3e0), 0x2070976b4eb47279553017922492bd0e8b78e57dd8bf424309f133fd02e9f8b5) // vk.SIGMA4.y
             mstore(add(_vk, 0x400), 0x09796190fd3ba909c6530c89811df9b5b4f5f2fe6501ec21dd864b20673fc02c) // vk.TABLE1.x
             mstore(add(_vk, 0x420), 0x00b9c2423e310caa43e1eb83b55f53977fccbed85422df8935635d77d146bf39) // vk.TABLE1.y
             mstore(add(_vk, 0x440), 0x217dad26ccc0c543ec5750513e9365a5cae8164b08d364efcf4b5890ff05f334) // vk.TABLE2.x
@@ -50,16 +50,16 @@ library RecursiveUltraVerificationKey {
             mstore(add(_vk, 0x4a0), 0x3032b9ff096a43ce326cc63ffc6a86dcb913fb1f7700939f5304f6c6beb24574) // vk.TABLE3.y
             mstore(add(_vk, 0x4c0), 0x1f4c58502ca713ed0bffb4ff31ed55e557e83a37d31b8e703aa9219d6158e2d2) // vk.TABLE4.x
             mstore(add(_vk, 0x4e0), 0x0b0d5ed5432c5e7b56344c1d26ce0d9f632e8f8aa52505d6c89f6da89f357fa8) // vk.TABLE4.y
-            mstore(add(_vk, 0x500), 0x1ec56cfb03ca703e6c5b12bc25735a6277ba8e195789f871273e0ab6108c69dc) // vk.TABLE_TYPE.x
-            mstore(add(_vk, 0x520), 0x15dd65957a13632642739159f99cb0bc793a3e9fd3317b11de1887305b1f0ba0) // vk.TABLE_TYPE.y
-            mstore(add(_vk, 0x540), 0x1132be2c2fba72cd6196c25c3f9e4a2607225e1dd9b1df156278bc70eaef9833) // vk.ID1.x
-            mstore(add(_vk, 0x560), 0x15ac1cf6f0d69580d63e3cef0fbe784daddf5d89cd0532e6c3bac8110f713739) // vk.ID1.y
-            mstore(add(_vk, 0x580), 0x0a54083d0241492b018ff651dd4a94f694ac29815be96788bbcc1f6731da2c2f) // vk.ID2.x
-            mstore(add(_vk, 0x5a0), 0x1ac60ad10f90e6a3dae7fc97aa1e86be376a8e477e320ce1a2c5c667587414b0) // vk.ID2.y
-            mstore(add(_vk, 0x5c0), 0x1499c048e87fea28057e1ec5c3a23c11556bdc658626b07edfedf2739ef2eae2) // vk.ID3.x
-            mstore(add(_vk, 0x5e0), 0x280fec47ce5e775c01ebfb880fed2fa60ae7c7434d5de1d54dfe3f66cf7e1186) // vk.ID3.y
-            mstore(add(_vk, 0x600), 0x2daba5e0c0a440cc134049635e97d3f4fdbe0709c73f0480fad500f51542c5ae) // vk.ID4.x
-            mstore(add(_vk, 0x620), 0x064089effdda7af9ea5de9407b5e96f826001c7d7cef054877ff0203e7ad229e) // vk.ID4.y
+            mstore(add(_vk, 0x500), 0x14cc772886149da159eca12ceab8b0cb5d63043e354699ef54bc13e2aff0a57f) // vk.TABLE_TYPE.x
+            mstore(add(_vk, 0x520), 0x1874e1387aa83a45cc599a97c8027a53c92c0934c1cb59537aeda8b9edf8b019) // vk.TABLE_TYPE.y
+            mstore(add(_vk, 0x540), 0x16fe41844f95ddeb66b8d54eae7dcb87df2fafe782e09dd0034e016474742136) // vk.ID1.x
+            mstore(add(_vk, 0x560), 0x05f0dbcfa556fd26f1563cbdf8f8d2d5f92ad46ff561655383bf5efa341b58af) // vk.ID1.y
+            mstore(add(_vk, 0x580), 0x0e2e21b159efae413496f5987159ae35a22970d2e81865c2d19ae32170305b4d) // vk.ID2.x
+            mstore(add(_vk, 0x5a0), 0x01c6cd8f3faba6127b043644fa40aec9bc07ef5f5dd1fc73abadc8ff25b28bb4) // vk.ID2.y
+            mstore(add(_vk, 0x5c0), 0x0cf6b92268f315107f92225c8c7853c89907f4f016727c8e038b74aad81585af) // vk.ID3.x
+            mstore(add(_vk, 0x5e0), 0x1955c97edb1cd3637736cce7a911b64626fcdd5eee63a882f9058d901713b5e3) // vk.ID3.y
+            mstore(add(_vk, 0x600), 0x012ef051b06db65bdf78950b5d3ca6b1bdfef77e381e9220aa25d72c63518f27) // vk.ID4.x
+            mstore(add(_vk, 0x620), 0x265f2a5c1d100fdc81183e099e52de0751578056574fb56fc4c7814a31e5fc86) // vk.ID4.y
             mstore(add(_vk, 0x640), 0x01) // vk.contains_recursive_proof
             mstore(add(_vk, 0x660), 0) // vk.recursive_proof_public_input_indices
             mstore(add(_vk, 0x680), 0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1) // vk.g2_x.X.c1
diff --git a/barretenberg/sol/test/base/DifferentialFuzzer.sol b/barretenberg/sol/test/base/DifferentialFuzzer.sol
index 60aabb123fc..e1c26661400 100644
--- a/barretenberg/sol/test/base/DifferentialFuzzer.sol
+++ b/barretenberg/sol/test/base/DifferentialFuzzer.sol
@@ -2,7 +2,6 @@ import {Vm} from "forge-std/Vm.sol";
 import {strings} from "stringutils/strings.sol";
 import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";
 import {TestBase} from "./TestBase.sol";
-import "forge-std/console.sol";
 
 contract DifferentialFuzzer is TestBase {
     using strings for *;
@@ -11,7 +10,8 @@ contract DifferentialFuzzer is TestBase {
     enum PlonkFlavour {
         Invalid,
         Standard,
-        Ultra
+        Ultra,
+        Honk
     }
     enum CircuitFlavour {
         Invalid,
@@ -52,6 +52,8 @@ contract DifferentialFuzzer is TestBase {
             return "standard";
         } else if (plonkFlavour == PlonkFlavour.Ultra) {
             return "ultra";
+        } else if (plonkFlavour == PlonkFlavour.Honk) {
+            return "honk";
         } else {
             revert("Invalid flavour");
         }
diff --git a/barretenberg/sol/test/base/TestBase.sol b/barretenberg/sol/test/base/TestBase.sol
index 78a239b5697..ecf458e28a3 100644
--- a/barretenberg/sol/test/base/TestBase.sol
+++ b/barretenberg/sol/test/base/TestBase.sol
@@ -52,6 +52,54 @@ contract TestBase is Test {
         }
     }
 
+    function splitProofHonk(bytes memory _proofData, uint256 _numberOfPublicInputs)
+        internal
+        view
+        returns (bytes32[] memory publicInputs, bytes memory proof)
+    {
+        publicInputs = new bytes32[](_numberOfPublicInputs);
+        for (uint256 i = 0; i < _numberOfPublicInputs; i++) {
+            // The proofs spit out by barretenberg have the public inputs at the beginning
+            publicInputs[i] = readWordByIndex(_proofData, i + 3); // TODO(md): Plus 3 as circuit_size, number of pub, offset preceed
+        }
+
+        proof = new bytes(_proofData.length - (_numberOfPublicInputs * 0x20));
+        uint256 len = proof.length;
+
+        // Copy first 3 words from proofData to proof
+        assembly {
+            mstore(add(proof, 0x20), mload(add(_proofData, 0x20)))
+            mstore(add(proof, 0x40), mload(add(_proofData, 0x40)))
+            mstore(add(proof, 0x60), mload(add(_proofData, 0x60)))
+        }
+
+        // Copy the rest of the proof
+        assembly {
+            pop(
+                staticcall(
+                    gas(),
+                    0x4,
+                    add(
+                        _proofData,
+                        add(
+                            0x20,
+                            mul(
+                                0x20,
+                                add(_numberOfPublicInputs, 3) // Then skip public inputs & 3 words already added
+                            )
+                        )
+                    ),
+                    len,
+                    add(
+                        proof,
+                        add(0x20, 0x60) // skip the first 3 words we added above
+                    ),
+                    len
+                )
+            )
+        }
+    }
+
     function printBytes(bytes memory _data, uint256 _offset) internal {
         uint256 length = _data.length - _offset;
         for (uint256 i = 0; i < length / 0x20; i++) {
@@ -129,7 +177,6 @@ contract TestBase is Test {
              * only contains 2 byteso f useful data.
              *
              */
-
             let base := input
             function slice(v, tableptr) {
                 mstore(0x1e, mload(add(tableptr, shl(1, and(v, 0xff)))))
diff --git a/barretenberg/sol/test/honk/Add2.t.sol b/barretenberg/sol/test/honk/Add2.t.sol
new file mode 100644
index 00000000000..440fd498877
--- /dev/null
+++ b/barretenberg/sol/test/honk/Add2.t.sol
@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Aztec
+pragma solidity >=0.8.21;
+
+import {TestBaseHonk} from "./TestBaseHonk.sol";
+
+// TODO(md): need to generalize the verifier instances
+import {Add2HonkVerifier} from "../../src/honk/instance/Add2Honk.sol";
+import {DifferentialFuzzer} from "../base/DifferentialFuzzer.sol";
+import {IVerifier} from "../../src/interfaces/IVerifier.sol";
+
+import "forge-std/console.sol";
+
+contract Add2HonkTest is TestBaseHonk {
+    function setUp() public override(TestBaseHonk) {
+        super.setUp();
+
+        verifier = IVerifier(address(new Add2HonkVerifier()));
+        fuzzer = fuzzer.with_circuit_flavour(DifferentialFuzzer.CircuitFlavour.Add2);
+
+        PUBLIC_INPUT_COUNT = 3;
+
+        // Add default inputs to the fuzzer (we will override these in fuzz test)
+        uint256[] memory defaultInputs = new uint256[](3);
+        defaultInputs[0] = 5;
+        defaultInputs[1] = 10;
+        defaultInputs[2] = 15;
+
+        fuzzer = fuzzer.with_inputs(defaultInputs);
+    }
+
+    function testFuzzProof(uint16 input1, uint16 input2) public {
+        uint256[] memory inputs = new uint256[](3);
+        inputs[0] = uint256(input1);
+        inputs[1] = uint256(input2);
+        inputs[2] = inputs[0] + inputs[1];
+
+        bytes memory proofData = fuzzer.with_inputs(inputs).generate_proof();
+
+        (bytes32[] memory publicInputs, bytes memory proof) = splitProofHonk(proofData, PUBLIC_INPUT_COUNT);
+
+        assertTrue(verifier.verify(proof, publicInputs), "The proof is not valid");
+
+        console.log("Proof verified");
+    }
+}
diff --git a/barretenberg/sol/test/honk/Blake.t.sol b/barretenberg/sol/test/honk/Blake.t.sol
new file mode 100644
index 00000000000..8f76d8e516d
--- /dev/null
+++ b/barretenberg/sol/test/honk/Blake.t.sol
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Aztec
+pragma solidity >=0.8.21;
+
+import {TestBaseHonk} from "./TestBaseHonk.sol";
+
+// TODO(md): need to generalize the verifier instances
+import {BlakeHonkVerifier} from "../../src/honk/instance/BlakeHonk.sol";
+import {DifferentialFuzzer} from "../base/DifferentialFuzzer.sol";
+import {IVerifier} from "../../src/interfaces/IVerifier.sol";
+
+import "forge-std/console.sol";
+
+contract BlakeHonkTest is TestBaseHonk {
+    function setUp() public override(TestBaseHonk) {
+        super.setUp();
+
+        verifier = IVerifier(address(new BlakeHonkVerifier()));
+        fuzzer = fuzzer.with_circuit_flavour(DifferentialFuzzer.CircuitFlavour.Blake);
+
+        PUBLIC_INPUT_COUNT = 4;
+
+        // Add default inputs to the fuzzer (we will override these in fuzz test)
+        uint256[] memory defaultInputs = new uint256[](4);
+        defaultInputs[0] = 1;
+        defaultInputs[1] = 2;
+        defaultInputs[2] = 3;
+        defaultInputs[3] = 4;
+
+        fuzzer = fuzzer.with_inputs(defaultInputs);
+    }
+
+    function testFuzzProof(uint256 input1, uint256 input2, uint256 input3, uint256 input4) public {
+        uint256[] memory inputs = new uint256[](4);
+        inputs[0] = input1;
+        inputs[1] = input2;
+        inputs[2] = input3;
+        inputs[3] = input4;
+
+        bytes memory proofData = fuzzer.with_inputs(inputs).generate_proof();
+
+        (bytes32[] memory publicInputs, bytes memory proof) = splitProofHonk(proofData, PUBLIC_INPUT_COUNT);
+
+        assertTrue(verifier.verify(proof, publicInputs), "The proof is not valid");
+
+        console.log("Proof verified");
+    }
+}
diff --git a/barretenberg/sol/test/honk/ECDSA.t.sol b/barretenberg/sol/test/honk/ECDSA.t.sol
new file mode 100644
index 00000000000..063ea48c4a6
--- /dev/null
+++ b/barretenberg/sol/test/honk/ECDSA.t.sol
@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Aztec
+pragma solidity >=0.8.4;
+
+import {TestBaseHonk} from "./TestBaseHonk.sol";
+import {EcdsaHonkVerifier} from "../../src/honk/instance/EcdsaHonk.sol";
+import {DifferentialFuzzer} from "../base/DifferentialFuzzer.sol";
+import {IVerifier} from "../../src/interfaces/IVerifier.sol";
+
+contract EcdsaHonkTest is TestBaseHonk {
+    function setUp() public override(TestBaseHonk) {
+        super.setUp();
+
+        verifier = IVerifier(address(new EcdsaHonkVerifier()));
+        fuzzer = fuzzer.with_circuit_flavour(DifferentialFuzzer.CircuitFlavour.Ecdsa);
+
+        PUBLIC_INPUT_COUNT = 6;
+
+        // Add default inputs to the fuzzer (we will override these in fuzz test)
+        uint256[] memory inputs = new uint256[](6);
+        inputs[0] = uint256(0x67);
+        inputs[1] = uint256(0x6f);
+        inputs[2] = uint256(0x62);
+        inputs[3] = uint256(0x6c);
+        inputs[4] = uint256(0x69);
+        inputs[5] = uint256(0x6e);
+
+        fuzzer = fuzzer.with_inputs(inputs);
+    }
+
+    function testFuzzProof() public {
+        // NOTE we do not fuzz here yet
+        // "goblin"
+        // 67 6f 62 6c 69 6e
+        uint256[] memory inputs = new uint256[](6);
+        inputs[0] = uint256(0x67);
+        inputs[1] = uint256(0x6f);
+        inputs[2] = uint256(0x62);
+        inputs[3] = uint256(0x6c);
+        inputs[4] = uint256(0x69);
+        inputs[5] = uint256(0x6e);
+
+        // Construct Ecdsa siganture
+        bytes memory proofData = fuzzer.with_inputs(inputs).generate_proof();
+        (bytes32[] memory publicInputs, bytes memory proof) = splitProofHonk(proofData, PUBLIC_INPUT_COUNT);
+
+        assertTrue(verifier.verify(proof, publicInputs), "The proof is not valid");
+    }
+}
diff --git a/barretenberg/sol/test/honk/TestBaseHonk.sol b/barretenberg/sol/test/honk/TestBaseHonk.sol
new file mode 100644
index 00000000000..a4629ac8c19
--- /dev/null
+++ b/barretenberg/sol/test/honk/TestBaseHonk.sol
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.21;
+
+import {TestBase} from "../base/TestBase.sol";
+import {DifferentialFuzzer} from "../base/DifferentialFuzzer.sol";
+import {IVerifier} from "../../src/interfaces/IVerifier.sol";
+
+import "forge-std/console.sol";
+
+contract TestBaseHonk is TestBase {
+    IVerifier public verifier;
+    DifferentialFuzzer public fuzzer;
+    uint256 public PUBLIC_INPUT_COUNT;
+
+    function setUp() public virtual {
+        fuzzer = new DifferentialFuzzer().with_plonk_flavour(DifferentialFuzzer.PlonkFlavour.Honk);
+    }
+
+    function testValidProof() public {
+        bytes memory proofData = fuzzer.generate_proof();
+        (bytes32[] memory publicInputs, bytes memory proof) = splitProofHonk(proofData, PUBLIC_INPUT_COUNT);
+        console.log("After split proof verified");
+        assertTrue(verifier.verify(proof, publicInputs), "The proof is not valid");
+        console.log("Honk proof verified");
+    }
+}
diff --git a/barretenberg/sol/test/ultra/TestBaseUltra.sol b/barretenberg/sol/test/ultra/TestBaseUltra.sol
index 51a621b03cf..ff75e9fff31 100644
--- a/barretenberg/sol/test/ultra/TestBaseUltra.sol
+++ b/barretenberg/sol/test/ultra/TestBaseUltra.sol
@@ -3,7 +3,6 @@ pragma solidity ^0.8.13;
 
 import {TestBase} from "../base/TestBase.sol";
 import {DifferentialFuzzer} from "../base/DifferentialFuzzer.sol";
-import {BaseUltraVerifier} from "../../src/ultra/BaseUltraVerifier.sol";
 import {IVerifier} from "../../src/interfaces/IVerifier.sol";
 
 contract TestBaseUltra is TestBase {