dalek-cryptography / bulletproofs

A pure-Rust implementation of Bulletproofs using Ristretto.
MIT License

[Question] Why blinding vectors in range proof didn't use Transcript::build_rng() #332

Open alxiong opened 4 years ago

alxiong commented 4 years ago

In the range proof, there are blinding vectors S_L and S_R which are committed to in S (snippet),

And I'm wondering why the randomized blinding factors didn't come from Transcript::build_rng(). I thought the purpose of that RNG was to protect users from a bad RNG or a low-entropy one (according to the Merlin docs),

So I'm quite surprised that the "transcript-based synthetic randomness" is used only in R1CS/yoloproof, but not in the range proof.

Thanks in advance for the clarification!

oleganza commented 4 years ago

As far as I understand, the current multi-party API makes it awkward to simply extrude an RNG out of the main transcript: the transcript is owned by the Dealer, while the blinding factors are generated in the Party.

If the goal is to mix the externally-provided blinding factors with the system RNG, then each Party may instantiate an auxiliary instance, throw in the externally provided blinding factors, then extrude an RNG and keep it around through all the subsequent states.

WDYT @cathieyun @hdevalence?