zk/qndleq: Fix challenge in qndleq.

armfazh · armfazh · commit 17fdcc4597e9 · 2026-04-16T12:46:52.000-07:00
diff --git a/zk/qndleq/internal_test.go b/zk/qndleq/internal_test.go
@@ -49,3 +49,24 @@ func TestForgedProofSecParamZero(t *testing.T) {
 
 	test.CheckOk(!forged.Verify(g, gx, h, hx, N), "forged proof must be rejected", t)
 }
+
+func TestChallenge(t *testing.T) {
+	g, gx := big.NewInt(4), big.NewInt(16)
+	h, hx := big.NewInt(9), big.NewInt(81)
+	gP := big.NewInt(50)
+	hP := big.NewInt(60)
+	N := big.NewInt(101)
+
+	invalidValues := []*big.Int{
+		new(big.Int).Neg(g),    // Negative
+		big.NewInt(0),          // Zero
+		new(big.Int).Set(N),    // N
+		new(big.Int).Add(N, N), // bigger than N
+	}
+
+	for _, invalidValue := range invalidValues {
+		c, err := doChallenge(invalidValue, gx, h, hx, gP, hP, N, 128)
+		test.CheckIsErr(t, err, "doChallenge must fail")
+		test.CheckOk(c == nil, "challenge must be nil", t)
+	}
+}
diff --git a/zk/qndleq/qndleq.go b/zk/qndleq/qndleq.go
@@ -127,13 +127,18 @@ func doChallenge(g, gx, h, hx, gP, hP, N *big.Int, secParam uint) (*big.Int, err
 		return nil, ErrSecParam
 	}
 
+	err := checkBounds(N, g, gx, h, hx, gP, hP)
+	if err != nil {
+		return nil, err
+	}
+
 	modulusLenBytes := (N.BitLen() + 7) / 8
 	nBytes := make([]byte, modulusLenBytes)
 	cByteLen := (secParam + 7) / 8
 	cBytes := make([]byte, cByteLen)
 
 	H := sha3.NewShake256()
-	_, err := H.Write(g.FillBytes(nBytes))
+	_, err = H.Write(g.FillBytes(nBytes))
 	if err != nil {
 		return nil, err
 	}
@@ -171,5 +176,21 @@ func doChallenge(g, gx, h, hx, gP, hP, N *big.Int, secParam uint) (*big.Int, err
 	return new(big.Int).SetBytes(cBytes), nil
 }
 
-// ErrSecParam is returned when the security parameter is less than 128.
-var ErrSecParam = errors.New("zk/qndleq: the security parameter must be greater than 128")
+// checkBounds returns nil if 0 < x[i] < N for all 0 <= i < len(x);
+// otherwise, returns ErrBounds.
+func checkBounds(N *big.Int, x ...*big.Int) error {
+	for _, xi := range x {
+		if !(0 < xi.Sign() && xi.Cmp(N) < 0) {
+			return ErrBounds
+		}
+	}
+
+	return nil
+}
+
+var (
+	// ErrSecParam is returned when the security parameter is less than 128.
+	ErrSecParam = errors.New("zk/qndleq: the security parameter must be greater than 128")
+	// ErrBounds is returned when a value is not in the range 0 to N.
+	ErrBounds = errors.New("zk/qndleq: input must be greater than 0 and less than N")
+)
diff --git a/zk/qndleq/qndleq_test.go b/zk/qndleq/qndleq_test.go
@@ -34,6 +34,18 @@ func TestProve(t *testing.T) {
 	}
 }
 
+func TestInvalidStatement(t *testing.T) {
+	g, gx := big.NewInt(4), big.NewInt(16) // 4^2 == 16 mod 101
+	h, hx := big.NewInt(9), big.NewInt(81) // 9^2 == 81 mod 101
+	N := big.NewInt(101)
+	incorrectX := big.NewInt(3)
+
+	p, err := qndleq.Prove(rand.Reader, incorrectX, g, gx, h, hx, N, 128)
+	test.CheckNoErr(t, err, "an alleged proof must be computed")
+	isValid := p.Verify(g, gx, h, hx, N)
+	test.CheckOk(isValid == false, "proof verification must fail", t)
+}
+
 func TestSampleQn(t *testing.T) {
 	const testTimes = 1 << 7
 	one := big.NewInt(1)
