From 435949a14331cabe7859132bfdd32440b9c1b482 Mon Sep 17 00:00:00 2001
From: Vesselin Velichkov
Date: Fri, 26 Aug 2022 11:42:23 +0100
Subject: [PATCH] plonk: added back the computation of the multipoint challenge u in the last round of the prover. we need to compute u even though we are not using it in the prover in order to make sure that the prover and verifier make exactly the same number of calls to transcript_hasher.get_hash(). addresses PR #61 comment https://github.com/clearmatics/libsnark/pull/61#discussion_r952276778
---
 libsnark/zk_proof_systems/plonk/prover.tcc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libsnark/zk_proof_systems/plonk/prover.tcc b/libsnark/zk_proof_systems/plonk/prover.tcc
index 4f9ebb209..4074877ed 100644
--- a/libsnark/zk_proof_systems/plonk/prover.tcc
+++ b/libsnark/zk_proof_systems/plonk/prover.tcc
@@ -1115,6 +1115,16 @@ plonk_proof plonk_prover::compute_proof(
 srs,
 hasher);
 
+ // u: multipoint evaluation challenge -- hash of transcript from
+ // rounds 1,2,3,4,5
+ const libff::Fr u = hasher.get_hash();
+ // get_hash may update the internal state of the
+ // transcript_hasher, depending on the implementation, therefore
+ // the prover and verifier must make exactly the same calls to
+ // both add_element and get_hash. that's why here we are computing
+ // u even if we are not using it.
+ libff::UNUSED(u);
+
 // construct proof
 plonk_proof proof(
 round_one_out.W_polys_blinded_at_secret_g1,
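Review bot: The invariant the added `hasher.get_hash()` call exists to preserve — that prover and verifier issue exactly the same sequence of add_element/get_hash calls — is enforced only by the comment above `libff::UNUSED(u)`; a later cleanup that removes the apparently dead `u` would silently desynchronise the two Fiat–Shamir transcripts, and the resulting proofs would fail verification with no hint as to why. Consider stating the rule in the transcript_hasher interface documentation (every get_hash() is part of the transcript; call sequences must match on both sides) rather than only at this call site, and, if the test harness permits, covering it with a test that compares the prover's and verifier's derived challenges after the final round. The comment could also name what this call mirrors, e.g. `// must match the verifier's derivation of u from the same transcript`, so the pairing is visible from the prover side. compute_proof continues outside the hunk.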