plonk: added back the computation of the multipoint challenge u in th…

…e last round of the prover. we need to compute u even though we are not using it in the prover in order to make sure that the prover and verifier make exactly the same number of calls to transcript_hasher.get_hash(). addresses PR #61 comment #61 (comment)
clearmatics · Oct 26, 2022 · c6396cf · c6396cf
1 parent afdd4df
commit c6396cf
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/libsnark/zk_proof_systems/plonk/prover.tcc b/libsnark/zk_proof_systems/plonk/prover.tcc
@@ -1104,6 +1104,16 @@ plonk_proof<ppT> plonk_prover<ppT>::compute_proof(
         srs,
         hasher);
 
+    // u: multipoint evaluation challenge -- hash of transcript from
+    // rounds 1,2,3,4,5
+    const libff::Fr<ppT> u = hasher.get_hash();
+    // get_hash may update the internal state of the
+    // transcript_hasher, depending on the implementation, therefore
+    // the prover and verifier must make exactly the same calls to
+    // both add_element and get_hash. that's why here we are computing
+    // u even if we are not using it.
+    libff::UNUSED(u);
+
     // construct proof
     plonk_proof<ppT> proof(
         round_one_out.W_polys_blinded_at_secret_g1,