diff --git a/include/mls/key_schedule.h b/include/mls/key_schedule.h index afee2a5b..de1d26ea 100644 --- a/include/mls/key_schedule.h +++ b/include/mls/key_schedule.h @@ -199,8 +199,9 @@ struct TranscriptHash bytes confirmed_in, const bytes& confirmation_tag); - void update(const AuthenticatedContent& content_auth); - void update_confirmed(const AuthenticatedContent& content_auth); + // Updating hashes + bytes new_confirmed(const AuthenticatedContent& content_auth) const; + void set_confirmed(bytes confirmed_transcript_hash); void update_interim(const bytes& confirmation_tag); void update_interim(const AuthenticatedContent& content_auth); }; diff --git a/lib/mls_vectors/src/mls_vectors.cpp b/lib/mls_vectors/src/mls_vectors.cpp index d3f3ce8a..9471b4f0 100644 --- a/lib/mls_vectors/src/mls_vectors.cpp +++ b/lib/mls_vectors/src/mls_vectors.cpp @@ -989,7 +989,8 @@ TranscriptTestVector::TranscriptTestVector(CipherSuite suite) sig_priv, group_context); - transcript.update_confirmed(authenticated_content); + const auto new_confirmed = transcript.new_confirmed(authenticated_content); + transcript.set_confirmed(new_confirmed); group_context.confirmed_transcript_hash = transcript.confirmed; auto key_schedule_after = @@ -1015,7 +1016,10 @@ TranscriptTestVector::verify() const auto transcript = TranscriptHash(cipher_suite); transcript.interim = interim_transcript_hash_before; - transcript.update(authenticated_content); + const auto new_confirmed = transcript.new_confirmed(authenticated_content); + transcript.set_confirmed(new_confirmed); + transcript.update_interim(authenticated_content); + VERIFY_EQUAL( "confirmed", transcript.confirmed, confirmed_transcript_hash_after); VERIFY_EQUAL("interim", transcript.interim, interim_transcript_hash_after); diff --git a/src/key_schedule.cpp b/src/key_schedule.cpp index 8fd50de9..b7cd8f32 100644 --- a/src/key_schedule.cpp +++ b/src/key_schedule.cpp 
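Review bot: The `// Updating hashes` comment added to `TranscriptHash` in include/mls/key_schedule.h does not state the ordering contract that this split hands to callers. Per the implementation later in this diff, `new_confirmed` is const and hashes the current `interim` with the content's confirmed-transcript input without touching the object, while `set_confirmed` only stores the value and leaves `interim` as it was. With the combined `update()` removed, I would document both, e.g. `// Returns the next confirmed hash derived from the current interim; does not modify *this.` and `// Stores the confirmed hash only; interim is unchanged until update_interim() is called.` Marking `new_confirmed` as `[[nodiscard]]` would also flag a caller that drops the result while still expecting the old mutating behaviour. The struct body starts outside the hunk.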
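Review bot: In both lib/mls_vectors/src/mls_vectors.cpp hunks (the `TranscriptTestVector` constructor and `verify()`), the local `new_confirmed` has the same name as the method it is initialised from, and because it is `const` it is copied into the by-value parameter of `set_confirmed`. A single expression reads more clearly and lets the temporary be moved: `transcript.set_confirmed(transcript.new_confirmed(authenticated_content));`. In `verify()` the following `update_interim(authenticated_content)` has to stay after it, since `new_confirmed` reads `interim`. Both function bodies extend outside their hunks.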
@@ -550,19 +550,18 @@ TranscriptHash::TranscriptHash(CipherSuite suite_in, update_interim(confirmation_tag); } -void -TranscriptHash::update(const AuthenticatedContent& content_auth) +bytes +TranscriptHash::new_confirmed(const AuthenticatedContent& content_auth) const { - update_confirmed(content_auth); - update_interim(content_auth); + const auto transcript = + interim + content_auth.confirmed_transcript_hash_input(); + return suite.digest().hash(transcript); } void -TranscriptHash::update_confirmed(const AuthenticatedContent& content_auth) +TranscriptHash::set_confirmed(bytes confirmed_transcript_hash) { - const auto transcript = - interim + content_auth.confirmed_transcript_hash_input(); - confirmed = suite.digest().hash(transcript); + confirmed = std::move(confirmed_transcript_hash); } void diff --git a/src/state.cpp b/src/state.cpp index dce34114..f745db47 100644 --- a/src/state.cpp +++ b/src/state.cpp @@ -789,14 +789,14 @@ State::commit(const bytes& leaf_secret, sign(sender, commit, msg_opts.authenticated_data, msg_opts.encrypt); // Update confirmed transcript hash and ratchet the key schedule forward - auto transcript_hash = _transcript_hash; - transcript_hash.update_confirmed(preliminary_commit); + const auto confirmed_transcript_hash = + _transcript_hash.new_confirmed(preliminary_commit); const auto next = successor(commit_materials.index, std::move(commit_materials.new_tree), std::move(commit_materials.new_tree_priv), std::move(commit_materials.extensions), - transcript_hash.confirmed, + confirmed_transcript_hash, commit_materials.path.has_value(), commit_materials.psks, commit_materials.force_init_secret); 
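Review bot: `TranscriptHash::set_confirmed` in src/key_schedule.cpp stores whatever byte string it is given, so only caller discipline ties `confirmed` to a real digest output. The callers visible in this diff pass a value that came from `new_confirmed`, so nothing here is broken. The value does go into the group context that `successor` marshals before advancing the key schedule, though, so a debug-time length check before the move would catch a mis-wired caller early. If the digest type exposes its output size, something like `assert(confirmed_transcript_hash.empty() || confirmed_transcript_hash.size() == /* digest output size */);` would do, with the empty case allowed only if an initial empty hash is legitimate for this type. Both function bodies are fully inside the hunk.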
@@ -1013,9 +1013,8 @@ State::handle_commit(const AuthenticatedContent& content_auth, } // Update the transcript hash - auto new_transcript_hash = _transcript_hash; - new_transcript_hash.update_confirmed(content_auth); - const auto new_confirmed_transcript_hash = new_transcript_hash.confirmed; + const auto new_confirmed_transcript_hash = + _transcript_hash.new_confirmed(content_auth); const auto new_confirmation_tag = opt::get(content_auth.auth.confirmation_tag); @@ -2286,7 +2285,7 @@ State::successor(LeafIndex index, } // Ratchet forward the key schedule - next._transcript_hash.confirmed = confirmed_transcript_hash; + next._transcript_hash.set_confirmed(confirmed_transcript_hash); const auto ctx = tls::marshal(next.group_context()); next._key_schedule = _key_schedule.next(commit_secret,