mirror of
https://github.com/saymrwulf/swisspost-evoting-go-poc.git
synced 2026-07-18 18:52:31 +00:00
Correctness/security review of the whole PoC, with fixes and regression tests.
Cryptographic soundness:
- mixnet: enforce the multi-exponentiation c_{B_m}=commit(0;0) check that was
stubbed out with an empty if — without it a malicious mixer can prove a
non-permutation shuffle.
- zkp: derive all four Fiat-Shamir challenges via RecursiveHashToZq instead of
a biased `hash mod q` (which also capped the challenge space at 256 bits for
production-sized groups).
Verification honesty:
- protocol: VerifyTally now actually calls zkp.VerifySchnorrProof and returns
the true aggregate result instead of an unconditional true.
- protocol: persist the padded mix input (event.MixInput) so the verifier checks
shuffle 0 against the same padding the tally used (fixes false INVALID for N<2).
Other correctness:
- kdf: length-prefix BuildKDFInfo parts so the info encoding is injective.
- math: GqElementFromSquareRoot accepts the valid root q (off-by-one that could
panic in HashAndSquare); RandomGqElement samples the full canonical range.
- cmd: validate demo --voters/--options instead of panicking on degenerate values.
- protocol: use crypto/rand in the demo driver (drop the last math/rand import).
Transport security (new): pkg/transportsec exposes Ed25519 signatures and X25519
ECDH — implemented in Rust (rust/transportsec: ed25519-dalek, x25519-dalek),
linked into Go via cgo. No RSA. Cross-language conformance test proves the Rust
Ed25519 signatures interoperate with Go's crypto/ed25519. Makefile builds the
Rust static lib before the Go binary.
Tests: added unit/round-trip/tamper coverage for math, hash, elgamal, zkp,
mixnet, kdf, returncodes, protocol (end-to-end), and the Rust FFI bridge.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
52 lines
1.7 KiB
Go
52 lines
1.7 KiB
Go
package math
|
|
|
|
import (
|
|
"math/big"
|
|
"testing"
|
|
)
|
|
|
|
// TestRandomGqElementIsMember checks that every sampled element is a genuine
|
|
// quadratic residue in G_q (regression for the [1,q] square-root range fix).
|
|
func TestRandomGqElementIsMember(t *testing.T) {
|
|
group := testGqGroup(t)
|
|
for i := 0; i < 200; i++ {
|
|
e := RandomGqElement(group)
|
|
if !group.IsGroupMember(e.Value()) {
|
|
t.Fatalf("RandomGqElement produced non-member: %v", e.Value())
|
|
}
|
|
}
|
|
}
|
|
|
|
// TestRandomZqElementInRange checks uniform elements stay within [0, q).
|
|
func TestRandomZqElementInRange(t *testing.T) {
|
|
group := testGqGroup(t)
|
|
zq := ZqGroupFromGqGroup(group)
|
|
for i := 0; i < 200; i++ {
|
|
v := RandomZqElement(zq).Value()
|
|
if v.Sign() < 0 || v.Cmp(group.Q()) >= 0 {
|
|
t.Fatalf("RandomZqElement out of [0,q): %v", v)
|
|
}
|
|
}
|
|
}
|
|
|
|
// TestGqElementFromSquareRootBoundary verifies the canonical root range is
|
|
// [1, q] inclusive — the boundary value q must be accepted (regression for the
|
|
// off-by-one that made h+1==q panic in HashAndSquare), while 0 and q+1 are not.
|
|
func TestGqElementFromSquareRootBoundary(t *testing.T) {
|
|
group := testGqGroup(t)
|
|
q := group.Q()
|
|
|
|
if _, err := GqElementFromSquareRoot(new(big.Int).Set(q), group); err != nil {
|
|
t.Fatalf("root == q must be accepted, got error: %v", err)
|
|
}
|
|
if _, err := GqElementFromSquareRoot(big.NewInt(1), group); err != nil {
|
|
t.Fatalf("root == 1 must be accepted, got error: %v", err)
|
|
}
|
|
if _, err := GqElementFromSquareRoot(big.NewInt(0), group); err == nil {
|
|
t.Fatal("root == 0 must be rejected")
|
|
}
|
|
qPlus1 := new(big.Int).Add(q, big.NewInt(1))
|
|
if _, err := GqElementFromSquareRoot(qPlus1, group); err == nil {
|
|
t.Fatal("root == q+1 must be rejected")
|
|
}
|
|
}
|