# Attacking YJ14

Complete decryption attack against the YJ14 scheme based on
CVE-2021-37587. It requires the corruption of one of the authorities
to obtain x_2.

![title](img/yj14_main.png)

## Setup

In [None]:
from charm.toolbox.pairinggroup import PairingGroup,ZR,G1,GT,pair
from charm.toolbox.secretutil import SecretUtil
from charm.toolbox.ABEncMultiAuth import ABEncMultiAuth
from charm.schemes.abenc.abenc_maabe_yj14 import MAABE

from abeattacks import attack_yj14

## System generation and configuration

In [None]:
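# Pairing group and scheme instance shared by every cell of this notebook.
groupObj = PairingGroup('SS512')
maabe = MAABE(groupObj)

# Global authority setup
GPP, GMK = maabe.setup()

# Insurance KGA setup
users = {}  # public user data
authorities = {}
authorityAttributes = ["CONSULTANT", "OPERATIONS", "FINANCIAL", "DOWNTOWN"]
authority1 = "Insurance KGA"
maabe.setupAuthority(GPP, authority1, authorityAttributes, authorities)

# We create two users working with the Insurance KGA.
# Alice receives the CONSULTANT attribute whereas Bob obtains DOWNTOWN.
alice = {'id': 'alice', 'authoritySecretKeys': {}, 'keys': None}
alice['keys'], users[alice['id']] = maabe.registerUser(GPP)
SK_i = maabe.keygen(
    GPP,
    authorities[authority1],
    "CONSULTANT",
    users[alice['id']],
    alice['authoritySecretKeys'],
)

bob = {'id': 'bob', 'authoritySecretKeys': {}, 'keys': None}
bob['keys'], users[bob['id']] = maabe.registerUser(GPP)
# Bob's key is issued into Bob's own key store. The original cell passed
# alice['authoritySecretKeys'] here, which looks like a copy-paste slip: the
# last argument is presumably the per-user store that keygen fills in (verify
# against the charm implementation), so DOWNTOWN key material would have been
# written next to Alice's key. Keeping the stores apart makes the claim below
# checkable: Alice's key was issued for CONSULTANT only.
SK_bob_i = maabe.keygen(
    GPP,
    authorities[authority1],
    "DOWNTOWN",
    users[bob['id']],
    bob['authoritySecretKeys'],
)

# The data owner prepares two content keys, one for Alice and another one
# for Bob. Each key is a random GT element encrypted under its own policy.

# Alice's ciphertext: the policy names CONSULTANT, the attribute she was issued.
k = groupObj.random(GT)
policy_str = '(CONSULTANT or OPERATIONS)'
CT = maabe.encrypt(GPP, policy_str, k, authorities[authority1])

# Bob's ciphertext: the policy names only DOWNTOWN and FINANCIAL, so the
# CONSULTANT attribute issued to Alice does not appear in it.
k_bob = groupObj.random(GT)
policy_str_bob = '(DOWNTOWN or FINANCIAL)'
CT_bob = maabe.encrypt(GPP, policy_str_bob, k_bob, authorities[authority1])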

## Recovering Bob's content key

In [None]:
# Alice's own key pair components, as returned by registerUser during setup.
alice_keys = alice['keys']
pk_1 = alice_keys[0]
sk_2 = alice_keys[1]

# Alice's record in the shared `users` table.
alice_entry = users[alice['id']]
pk_2 = alice_entry['pk']

# This parameter is typically held by the KGA; reading it from `users` here
# stands in for the authority corruption the attack depends on.
# NOTE(review): the setup cell labels `users` as public user data, yet this
# entry carries an 'sk' field -- confirm which party holds it in a deployment.
sk_1 = alice_entry['sk']

# Inputs to the attack helper: the 'K' and 'KS' entries of Alice's key (issued
# for CONSULTANT), the C2 and C3 components of Bob's ciphertext, the public
# parameter g_a, and the value taken from the corrupted authority. No key
# issued to Bob is passed in.
egg = attack_yj14.yj14_corrupt_authority(
    SK_i['K'],
    CT_bob['C2'],
    SK_i['KS'],
    CT_bob['C3'],
    GPP['g_a'],
    sk_1,
)

# Dividing C1 by the recovered blinding value yields the content key.
k_bob_recovered = CT_bob['C1'] / egg

# The demonstration succeeds only if the recovered value equals the key the
# data owner encrypted under '(DOWNTOWN or FINANCIAL)'.
assert k_bob_recovered == k_bob, 'I cannot recover Bob content key'
print('I can recover Bob content key')
