swisspost-evoting-go-poc/pkg/math/random_test.go
saymrwulf ec4be74e17 Due-diligence hardening + Rust transport-security layer
Correctness/security review of the whole PoC, with fixes and regression tests.

Cryptographic soundness:
- mixnet: enforce the multi-exponentiation c_{B_m}=commit(0;0) check that was
  stubbed out with an empty if — without it a malicious mixer can prove a
  non-permutation shuffle.
- zkp: derive all four Fiat-Shamir challenges via RecursiveHashToZq instead of
  a biased `hash mod q` (which also capped the challenge space at 256 bits for
  production-sized groups).

Verification honesty:
- protocol: VerifyTally now actually calls zkp.VerifySchnorrProof and returns
  the true aggregate result instead of an unconditional true.
- protocol: persist the padded mix input (event.MixInput) so the verifier checks
  shuffle 0 against the same padding the tally used (fixes false INVALID for N<2).

Other correctness:
- kdf: length-prefix BuildKDFInfo parts so the info encoding is injective.
- math: GqElementFromSquareRoot accepts the valid root q (off-by-one that could
  panic in HashAndSquare); RandomGqElement samples the full canonical range.
- cmd: validate demo --voters/--options instead of panicking on degenerate values.
- protocol: use crypto/rand in the demo driver (drop the last math/rand import).

Transport security (new): pkg/transportsec exposes Ed25519 signatures and X25519
ECDH — implemented in Rust (rust/transportsec: ed25519-dalek, x25519-dalek),
linked into Go via cgo. No RSA. Cross-language conformance test proves the Rust
Ed25519 signatures interoperate with Go's crypto/ed25519. Makefile builds the
Rust static lib before the Go binary.

Tests: added unit/round-trip/tamper coverage for math, hash, elgamal, zkp,
mixnet, kdf, returncodes, protocol (end-to-end), and the Rust FFI bridge.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-06 14:42:34 +02:00

52 lines
1.7 KiB
Go

package math
import (
"math/big"
"testing"
)
// TestRandomGqElementIsMember checks that every sampled element is a genuine
// quadratic residue in G_q (regression for the [1,q] square-root range fix).
func TestRandomGqElementIsMember(t *testing.T) {
group := testGqGroup(t)
for i := 0; i < 200; i++ {
e := RandomGqElement(group)
if !group.IsGroupMember(e.Value()) {
t.Fatalf("RandomGqElement produced non-member: %v", e.Value())
}
}
}
// TestRandomZqElementInRange checks uniform elements stay within [0, q).
func TestRandomZqElementInRange(t *testing.T) {
group := testGqGroup(t)
zq := ZqGroupFromGqGroup(group)
for i := 0; i < 200; i++ {
v := RandomZqElement(zq).Value()
if v.Sign() < 0 || v.Cmp(group.Q()) >= 0 {
t.Fatalf("RandomZqElement out of [0,q): %v", v)
}
}
}
// TestGqElementFromSquareRootBoundary verifies the canonical root range is
// [1, q] inclusive — the boundary value q must be accepted (regression for the
// off-by-one that made h+1==q panic in HashAndSquare), while 0 and q+1 are not.
func TestGqElementFromSquareRootBoundary(t *testing.T) {
group := testGqGroup(t)
q := group.Q()
if _, err := GqElementFromSquareRoot(new(big.Int).Set(q), group); err != nil {
t.Fatalf("root == q must be accepted, got error: %v", err)
}
if _, err := GqElementFromSquareRoot(big.NewInt(1), group); err != nil {
t.Fatalf("root == 1 must be accepted, got error: %v", err)
}
if _, err := GqElementFromSquareRoot(big.NewInt(0), group); err == nil {
t.Fatal("root == 0 must be rejected")
}
qPlus1 := new(big.Int).Add(q, big.NewInt(1))
if _, err := GqElementFromSquareRoot(qPlus1, group); err == nil {
t.Fatal("root == q+1 must be rejected")
}
}