Open alxiong opened 4 years ago
As far as I understand, the current multi-party API makes it awkward to simply extrude RNG out of the main transcript: the transcript is owned by the Dealer, while blinding factors are generated in the Party.
If the goal is to mix the externally-provided blinding factors with the system RNG, then each Party may instantiate an auxiliary instance, throw in the externally provided blinding factors, then extrude an RNG and keep it around through all the subsequent states.
WDYT @cathieyun @hdevalence?
In range proof, there are blinding vectors `S_L` and `S_R` which will be used to be committed to S (snippet), and I'm wondering why the randomized blinding factor didn't come from `Transcript::build_rng()`. I thought the purpose of that rng is to protect users from using a bad rng or poor-entropy ones (according to Merlin docs), so I'm quite surprised that only in R1CS/yoloproof was the "transcript-based synthetic randomness" used, but not in range proof.

Thanks for clarification in advance!
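To make concrete what the thread is comparing (drawing blinding factors straight from the system RNG versus `Transcript::build_rng()`, and the "auxiliary instance" idea for mixing in party-supplied blinding), here is an added example that is not code from the bulletproofs or merlin crates. It models the build_rng pattern with SHA-256/SHAKE-256 in place of Merlin's STROBE construction; the method names `build_rng`, `rekey_with_witness_bytes` and `finalize` mirror merlin's API, but the classes, the domain labels and the sample inputs are constructed for this illustration. It shows the property that matters here: when the system RNG is dead (all zeros), the derived `s_L`/`s_R` entries still depend on the transcript and the witness, so they degrade to deterministic values rather than repeating across different witnesses.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def _absorb(h, label: bytes, data: bytes) -> None:
    """Length-prefixed absorb so (label, data) sequences cannot be ambiguous."""
    h.update(len(label).to_bytes(4, "little") + label)
    h.update(len(data).to_bytes(4, "little") + data)


class Transcript:
    """Public transcript: everything both prover and verifier see (constructed model)."""

    def __init__(self, domain: bytes):
        self._h = hashlib.sha256()
        _absorb(self._h, b"dom-sep", domain)

    def append_message(self, label: bytes, data: bytes) -> None:
        _absorb(self._h, label, data)

    def build_rng(self) -> "TranscriptRngBuilder":
        # Fork the state: the witness is fed to the fork, never to the public transcript.
        return TranscriptRngBuilder(self._h.copy())


class TranscriptRngBuilder:
    def __init__(self, h):
        self._h = h

    def rekey_with_witness_bytes(self, label: bytes, witness: bytes) -> "TranscriptRngBuilder":
        _absorb(self._h, b"witness:" + label, witness)
        return self

    def finalize(self, system_rng_bytes: bytes) -> "TranscriptRng":
        # Mix in the caller's RNG output. If it is all zeros (broken RNG),
        # the stream still depends on transcript + witness.
        _absorb(self._h, b"rng", system_rng_bytes)
        return TranscriptRng(self._h.digest())


class TranscriptRng:
    def __init__(self, seed: bytes):
        self._seed = seed
        self._counter = 0

    def fill_bytes(self, n: int) -> bytes:
        """SHAKE-256 output keyed by the seed and a per-call block counter."""
        out = hashlib.shake_256(self._seed + self._counter.to_bytes(8, "little")).digest(n)
        self._counter += 1
        return out


def blinding_vectors(
    value: int,
    bits: int,
    system_rng_bytes: bytes,
    external_blinding: Optional[bytes] = None,
) -> Tuple[list, list]:
    """Derive the range-proof blinding vectors s_L, s_R (32-byte entries) from
    transcript randomness. `external_blinding` models the thread's auxiliary
    instance: party-supplied blinding is rekeyed into the RNG, not used raw."""
    t = Transcript(b"rangeproof-example")  # constructed domain label
    t.append_message(b"n", bits.to_bytes(8, "little"))
    builder = t.build_rng().rekey_with_witness_bytes(b"v", value.to_bytes(32, "little"))
    if external_blinding is not None:
        builder = builder.rekey_with_witness_bytes(b"external", external_blinding)
    rng = builder.finalize(system_rng_bytes)
    s_l = [rng.fill_bytes(32) for _ in range(bits)]
    s_r = [rng.fill_bytes(32) for _ in range(bits)]
    return s_l, s_r


def broken_rng_behaviour() -> dict:
    """Compare blinding output under an all-zero (broken) system RNG."""
    dead = bytes(32)
    a1 = blinding_vectors(5, 8, dead)
    a2 = blinding_vectors(5, 8, dead)
    b = blinding_vectors(6, 8, dead)
    good = blinding_vectors(5, 8, secrets.token_bytes(32))
    return {
        "deterministic_for_same_inputs": a1 == a2,
        "differs_across_witnesses": a1 != b,
        "differs_with_live_rng": a1 != good,
        "repeated_entries_within_vector": len({*a1[0], *a1[1]}) < 16,
    }


if __name__ == "__main__":
    print(broken_rng_behaviour())
```

The design point is that `finalize` takes the system RNG as an additional input rather than the only one: a healthy RNG makes the output unpredictable, and a broken one leaves it deterministic per (transcript, witness), which is the RFC 6979-style fallback the Merlin docs describe. Feeding party-supplied blinding through `rekey_with_witness_bytes` keeps that fallback while still honouring the external input.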