As pointed out in my comments, or discussed offline:

• let us find out if we can take G: Group as template for PolynomialCommitment and related traits. If so, let us declare the domain extended scheme as polynomial commitment with the "vector group" as commitment group.
• let us trim() return again a PCParameters and reduce to a single function max_degree() in the traits for the key material,
• let us clarify in comments why the IPA implementation of the fn get_hash() in the latter traits does "break" with the original intention.

The problems we faced in the implementation of the succinct verifier gadget (which partially generic in the concrete scheme) are due to our functional abstraction of the types for commitments and randomnesses, which leaves the concrete form/structure open and hence inaccessible.

To overcome this problem, and also for the reason of a more natural definition of our Group trait, I propose the following:

• Let us remove the ScalarField and the Mul by such from the Group trait (and put it back in the Curve trait). Imposing a prime torsion is a rather structural than functional requirement. (It enforces that the implementor is either a prime group, or a vectorized version of it.)

• We return to a polynomial commitment scheme over a Curve, i.e. PolynomialCommitment<G: Curve>, and give both Commitment and Randomnesses a specific structure, by demanding that they are vectors of items which implement G, or allow to iterate over such (using IntoIterator).

• As we do not have the scalar multiplication in the group trait anymore, we provide separate helper functions (or trait implementations) for the addition, and scalar multiplication for these associated types.

This allows an implementation for G:EndoMulCurve which uses endomorphism based scalar multiplication instead of the ordinary one. (Hence we could drop the workaround by letting the Fiat Shamir primitive output the expanded native scalar representation of the squeezed challenges.)