zk/qndleq: Check challenge is not congruent to zero.

armfazh · armfazh · commit 824ca4c19caa · 2026-04-16T15:05:50.000-07:00
diff --git a/zk/qndleq/internal_test.go b/zk/qndleq/internal_test.go
@@ -9,8 +9,8 @@ import (
 )
 
 func TestForgedProofSecParamZero(t *testing.T) {
-	p := big.NewInt(1019)
-	q := big.NewInt(1021)
+	// Safe primes: https://oeis.org/A005385
+	p, q := big.NewInt(1019), big.NewInt(1187)
 	N := new(big.Int).Mul(p, q)
 
 	g, err := SampleQn(rand.Reader, N)
@@ -51,11 +51,14 @@ func TestForgedProofSecParamZero(t *testing.T) {
 }
 
 func TestChallenge(t *testing.T) {
+	// Safe primes: https://oeis.org/A005385
+	p, q := big.NewInt(1019), big.NewInt(1187)
+	N := new(big.Int).Mul(p, q)
+
 	g, gx := big.NewInt(4), big.NewInt(16)
 	h, hx := big.NewInt(9), big.NewInt(81)
 	gP := big.NewInt(50)
 	hP := big.NewInt(60)
-	N := big.NewInt(101)
 
 	invalidValues := []*big.Int{
 		new(big.Int).Neg(g),    // Negative
@@ -70,3 +73,19 @@ func TestChallenge(t *testing.T) {
 		test.CheckOk(c == nil, "challenge must be nil", t)
 	}
 }
+
+func TestChallengeZero(t *testing.T) {
+	// Safe primes: https://oeis.org/A005385
+	p, q := big.NewInt(1019), big.NewInt(1187)
+	N := new(big.Int).Mul(p, q)
+	g, gx := big.NewInt(4), big.NewInt(16) // 4^2 == 16 mod 101
+	h, hx := big.NewInt(9), big.NewInt(81) // 9^2 == 81 mod 101
+
+	// Proof must fail as challenge is congruent to zero modulo m = (p-1)(q-1)/4.
+	c, _ := new(big.Int).SetString("325783150686773390995072744979517913979", 10)
+	z, _ := new(big.Int).SetString("909208770437996720153744987183938443953758507571077689625761350579371458087594451128", 10)
+	invalidProof := Proof{z, c, 128}
+
+	isValid := invalidProof.Verify(g, gx, h, hx, N)
+	test.CheckOk(isValid == false, "proof verification must fail", t)
+}
diff --git a/zk/qndleq/qndleq.go b/zk/qndleq/qndleq.go
@@ -72,30 +72,52 @@ func SampleQn(random io.Reader, N *big.Int) (*big.Int, error) {
 func Prove(random io.Reader, x, g, gx, h, hx, N *big.Int, secParam uint) (*Proof, error) {
 	rSizeBits := uint(N.BitLen()) + 2*secParam
 	rSizeBytes := (rSizeBits + 7) / 8
-
 	rBytes := make([]byte, rSizeBytes)
-	_, err := io.ReadFull(random, rBytes)
-	if err != nil {
-		return nil, err
-	}
-	r := new(big.Int).SetBytes(rBytes)
 
-	gP := new(big.Int).Exp(g, r, N)
-	hP := new(big.Int).Exp(h, r, N)
+	ONE := big.NewInt(1)
+	NUM_TRIES := 10
+	var r, gP, hP, gc, hc big.Int
+	for i := 0; i < NUM_TRIES; i++ {
+		_, err := io.ReadFull(random, rBytes)
+		if err != nil {
+			return nil, err
+		}
 
-	c, err := doChallenge(g, gx, h, hx, gP, hP, N, secParam)
-	if err != nil {
-		return nil, err
-	}
+		r.SetBytes(rBytes)
+		gP.Exp(g, &r, N)
+		hP.Exp(h, &r, N)
 
-	z := new(big.Int)
-	z.Mul(c, x).Add(z, r)
+		c, err := doChallenge(g, gx, h, hx, &gP, &hP, N, secParam)
+		if err != nil {
+			return nil, err
+		}
 
-	return &Proof{z, c, secParam}, nil
+		// Challenge must not be congruent to zero.
+		//   c != 0 mod m, where m = (p-1)(q-1)/4, and N = p*q.
+		// Check this by doing an Exp because m is unknown.
+		gc.Exp(g, c, N)
+		hc.Exp(h, c, N)
+		if gc.Cmp(ONE) != 0 && hc.Cmp(ONE) != 0 {
+			z := new(big.Int).Mul(c, x)
+			z.Add(z, &r)
+			return &Proof{z, c, secParam}, nil
+		}
+	}
+
+	return nil, ErrProve
 }
 
 // Verify checks whether x = Log_g(g^x) = Log_h(h^x).
 func (p Proof) Verify(g, gx, h, hx, N *big.Int) bool {
+	// Check c != 0 (mod m), where m = (p-1)(q-1)/4,
+	// by doing an Exp as m is unknown.
+	ONE := big.NewInt(1)
+	gc := new(big.Int).Exp(g, p.c, N)
+	hc := new(big.Int).Exp(h, p.c, N)
+	if gc.Cmp(ONE) == 0 || hc.Cmp(ONE) == 0 {
+		return false
+	}
+
 	gPNum := new(big.Int).Exp(g, p.z, N)
 	gPDen := new(big.Int).Exp(gx, p.c, N)
 	ok := gPDen.ModInverse(gPDen, N)
@@ -193,4 +215,6 @@ var (
 	ErrSecParam = errors.New("zk/qndleq: the security parameter must be greater than 128")
 	// ErrBounds is returned when a value is not in the range 0 to N.
 	ErrBounds = errors.New("zk/qndleq: input must be greater than 0 and less than N")
+	// ErrProve is returned when Prove cannot produce a proof.
+	ErrProve = errors.New("zk/qndleq: Prove cannot produce a proof")
 )
diff --git a/zk/qndleq/qndleq_test.go b/zk/qndleq/qndleq_test.go
@@ -35,14 +35,16 @@ func TestProve(t *testing.T) {
 }
 
 func TestInvalidStatement(t *testing.T) {
-	g, gx := big.NewInt(4), big.NewInt(16) // 4^2 == 16 mod 101
-	h, hx := big.NewInt(9), big.NewInt(81) // 9^2 == 81 mod 101
-	N := big.NewInt(101)
+	// Safe primes: https://oeis.org/A005385
+	p, q := big.NewInt(1019), big.NewInt(1187)
+	N := new(big.Int).Mul(p, q)
+	g, gx := big.NewInt(4), big.NewInt(16) // 4^2 == 16
+	h, hx := big.NewInt(9), big.NewInt(81) // 9^2 == 81
 	incorrectX := big.NewInt(3)
 
-	p, err := qndleq.Prove(rand.Reader, incorrectX, g, gx, h, hx, N, 128)
+	proof, err := qndleq.Prove(rand.Reader, incorrectX, g, gx, h, hx, N, 128)
 	test.CheckNoErr(t, err, "an alleged proof must be computed")
-	isValid := p.Verify(g, gx, h, hx, N)
+	isValid := proof.Verify(g, gx, h, hx, N)
 	test.CheckOk(isValid == false, "proof verification must fail", t)
 }
 
