Wycheproof verdict checks can be disabled by optimized Python

[fegge]

The Wycheproof client uses Python assert statements for security-relevant
verdict checks. This includes signature equality checks for valid signing
vectors, rejection checks for invalid verification vectors, and pkFromSk
consistency checks.

Python removes assert statements when optimization is requested with -O or
PYTHONOPTIMIZE. The official Python reference describes __debug__ as false
under -O and states that no code is emitted for assert statements in that
mode. As a result, running the Wycheproof client with optimized Python converts
failed verdict checks into successful test cases.

The affected checks include:

• check_sign_result accepts a wrong signature for a valid signing vector when
  the assertion at test/wycheproof/wycheproof_client.py:140 is compiled out.
• run_verify_test accepts a successful verification of an invalid vector when
  the assertion at test/wycheproof/wycheproof_client.py:250 is compiled out.
• check_pk_from_sk_result accepts incorrect pkFromSk behavior when the
  assertions at test/wycheproof/wycheproof_client.py:269,
  test/wycheproof/wycheproof_client.py:273, and
  test/wycheproof/wycheproof_client.py:275 are compiled out.

This is not a runtime ML-DSA implementation bug, but it is a proof and
assurance gap. Wycheproof is one of the project guardrails for unexpected
edge-case behavior, so a false positive result can hide regressions if a local
or CI invocation inherits PYTHONOPTIMIZE=1 or uses python -O.