# Encryption & Security Tests

**Task**: AZ-157_test_encryption
**Name**: Encryption & Security Tests
**Description**: Implement blackbox, security, performance, resilience, and resource tests for AES-256-CBC encryption — roundtrips, key behavior, IV randomness, throughput, size bounds
**Complexity**: 3 points
**Dependencies**: AZ-152_test_infrastructure
**Component**: Blackbox Tests
**Jira**: AZ-157
**Epic**: AZ-151

## Problem

The encryption module must correctly encrypt/decrypt data, produce key-dependent ciphertexts with random IVs, handle edge cases, and meet throughput requirements.

## Outcome

- 13 passing pytest tests in `tests/test_encryption.py`
- Performance test in `tests/performance/test_encryption_perf.py`

## Scope

### Included
- BT-ENC-01: Encrypt-decrypt roundtrip (1024 random bytes)
- BT-ENC-02: Encrypt-decrypt roundtrip (ONNX model)
- BT-ENC-03: Empty input roundtrip
- BT-ENC-04: Single byte roundtrip
- BT-ENC-05: Different keys produce different ciphertext
- BT-ENC-06: Wrong key fails decryption
- PT-ENC-01: Encryption throughput (10MB ≤ 5s)
- RT-ENC-01: Decrypt with corrupted ciphertext
- ST-ENC-01: Random IV (same data, same key → different ciphertexts)
- ST-ENC-02: Wrong key cannot recover plaintext
- ST-ENC-03: Model encryption key is deterministic
- RL-ENC-01: Encrypted output size bounded (≤ N + 32 bytes)

### Excluded
- Model split tests (separate task)

## Acceptance Criteria

**AC-1: Roundtrip**
Given 1024 random bytes and key "test-key"
When encrypt then decrypt
Then output equals input exactly

**AC-2: Model roundtrip**
Given azaion.onnx bytes and model encryption key
When encrypt then decrypt
Then output equals input exactly

**AC-3: Empty input**
Given b"" and key
When encrypt then decrypt
Then output equals b""

**AC-4: Single byte**
Given b"\x00" and key
When encrypt then decrypt
Then output equals b"\x00"

**AC-5: Key-dependent ciphertext**
Given same data, keys "key-a" and "key-b"
When encrypting with each key
Then ciphertexts differ

**AC-6: Wrong key failure**
Given encrypted with "key-a"
When decrypting with "key-b"
Then output does NOT equal original

**AC-7: Throughput**
Given 10MB random bytes
When encrypt + decrypt roundtrip
Then completes within 5 seconds

**AC-8: Corrupted ciphertext**
Given randomly modified ciphertext bytes
When decrypt_to is called
Then either raises exception or returns non-original bytes

**AC-9: Random IV**
Given same data, same key, encrypted twice
When comparing ciphertexts
Then they differ (random IV)

**AC-10: Model key deterministic**
Given two calls to get_model_encryption_key()
When comparing results
Then identical

**AC-11: Size bound**
Given N bytes plaintext
When encrypted
Then ciphertext size ≤ N + 32 bytes

## Constraints

- ONNX model fixture is session-scoped (77MB, read once)
- Security tests marked: `@pytest.mark.security`
- Performance test marked: `@pytest.mark.performance`
- Resource limit test marked: `@pytest.mark.resource_limit`