Question about "Q" in the InnerProductProof

[valchichelapierre]

Context:

The InnerProductProofs takes a few inputs including g_vec, h_vec, a_vec, b_vec, Q and basically gives a point P and a proof that we know a_vec, b_vec such that

(g_vec^a_vec) (h_vec^b_vec) Q^<a_vec, b_vec> = P

My question:

It seems to me that Q can be any point as long as finding a non trivial discrete log relation between elements of g_vec, h_vec and Q is hard. It particular, I think Q = RISTRETTO_BASEPOINT_POINT (aka self.pc_gens.B) would do. Well, as long as we didn't pick one of the points of g_vec or h_vec to be a known power of RISTRETTO_BASEPOINT_POINT.

In the range proof, this is how Q is defined:

// Get a challenge value to combine statements for the IPP
let w = self.transcript.challenge_scalar(b"w");
let Q = w * self.pc_gens.B;

I'm wondering what is the motivation for constructing it with a challenge. Do we need this point to not be predictable?

[rickwebiii]

Well, as long as we didn't pick one of the points of g_vec or h_vec to be a known power of RISTRETTO_BASEPOINT_POINT.

I think choosing Q by hashing the transcript provides extra guarantee the protocol developer didn't do that, accidentally or otherwise. Otherwise, how would you really know that some point g/h in the protocol isn't a known power of Q to somebody?