Fix nonce reuse in RFC 9381 VRF proving

gen_rng used a fresh hasher instead of the transcript state,
making the nonce depend only on the secret key. Two proofs
with different inputs shared the same nonce, enabling full
secret key recovery: x = (s1 - s2) / (c1 - c2).

Author: rot256

vrf_fun/src/rfc9381.rs

@@ -134,10 +134,12 @@ impl<H: Hash32, const SUITE_STRING: u8> ProverTranscript<crate::VrfDleq<U16>>
         witness: &Scalar,
         _in_rng: Option<&mut R>,
     ) -> Self::Rng {
-        let mut hasher = H::default();
-        hasher = hasher.add(b"vrf-nonce-gen");
-        hasher = hasher.add(witness.to_bytes());
-        let seed = hasher.finalize_fixed();
+        let seed = self
+            .hasher
+            .clone()
+            .add(b"vrf-nonce-gen")
+            .add(witness.to_bytes())
+            .finalize_fixed();
         ChaCha20Rng::from_seed(seed.into())
     }
 }