Security Weakness of Flexible Group Key Exchange with On-Demand Computation of Subgroup Keys
In AFRICACRYPT 2010, Abdalla et al. first proposed a slight modification to the computation steps of the BD protocol, called mBD+P. They then extended the mBD+P protocol into the mBD+S protocol. In this paper, we show that both the mBD+P and mBD+S protocols are vulnerable to a malicious insider attack. Further, we propose a simple countermeasure against this attack.
Research Summary
The paper investigates the security of two flexible group key exchange (GKE) protocols, mBD+P and its extension mBD+S, proposed by Abdalla et al. at AFRICACRYPT 2010. Both protocols are built on the classic Burmester-Desmedt (BD) scheme and incorporate on-demand computation of peer-to-peer (P2P) keys using a parallel Diffie-Hellman (PDH) technique. The authors first recap the structure of the protocols. In the group stage, each participant $U_i$ selects a random exponent $x_i$ and broadcasts $y_i = g^{x_i}$. In the second round, each user computes two shared Diffie-Hellman values with its immediate neighbours, hashes each of them together with the full list of public values (the session identifier $sid$), XORs the two hashes to obtain $z_i$, and signs $(U_i, z_i, sid)$. After verifying that the XOR of all $z_i$ equals zero and that all signatures are valid, each participant iteratively reconstructs the neighbour-derived hashes $z'_{j,j+1}$ and finally derives the group session key $k = H_g(z'_1, \dots, z'_n, sid)$. The mBD+S protocol adds a subgroup stage that repeats the same process on an arbitrary subset of participants.
The core contribution of the paper is a demonstration that both protocols are vulnerable to a malicious-insider collusion attack. Assume two colluding insiders, $U_{i-1}$ and $U_{i+1}$, aim to deceive a victim $U_i$. The insiders agree on a random value $r_M$. During the second round they each modify their transmitted $z$ values by XOR-ing $r_M$ into them: $z_{i-1} = z'_{i-2,i-1} \oplus z'_{i-1,i} \oplus r_M$ and $z_{i+1} = z'_{i,i+1} \oplus z'_{i+1,i+2} \oplus r_M$. All honest participants still see $\bigoplus_{j=1}^{n} z_j = 0$ and accept the signatures, so the protocol proceeds. However, when $U_i$ reconstructs the neighbour hashes, the injected $r_M$ propagates through the iterative XOR chain, causing the final key computed by $U_i$ to be $k_i = H_g(\dots, z'_{i-1,i} \oplus r_M, z'_{i,i+1} \oplus r_M, \dots)$, which differs from the key $k$ derived by the rest of the group. Consequently, the victim ends up with a different session key, breaking the fundamental security goal that all group members share a common secret. The same technique can be applied to the subgroup stage, allowing the attackers to isolate a victim from any chosen subgroup.
To remediate this flaw, the authors propose a lightweight countermeasure: add a third round dedicated to key confirmation. After the original two rounds, each participant computes a pair $(k_i, k_{kc,i}) = H'_g(z'_1, \dots, z'_n, sid)$, where $k_{kc,i}$ is a confirmation token. Each user then derives a confirmation message $M_i = H_{kc}(k_{kc,i}, sid)$ and signs $(U_i, M_i, sid)$. All participants broadcast $(M_i, \sigma_{kc,i})$. In the final round, each participant checks that all received $M_j$ values are identical and that the corresponding signatures are valid. If any discrepancy is found, the protocol aborts. Because the confirmation token is derived from the same hash input that yields the session key, any manipulation of the intermediate $z$ values (such as the insertion of $r_M$) will cause the confirmation tokens to differ, instantly exposing the attack. This modification preserves the original efficiency of the protocols while providing strong protection against colluding insiders.
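As an added, self-contained illustration (not code from the paper or from Abdalla et al.), the following Python simulates the group stage described above together with the proposed key-confirmation round. It assumes toy parameters (a 127-bit Mersenne prime and generator 3, constructed for illustration only), lets SHA-256 and SHA-512 stand in for $H$, $H_g$, $H'_g$ and $H_{kc}$, and omits the signatures, since the colluding neighbours sign their own modified values and signature verification is not what detects the inconsistency. The point shown is that the original XOR acceptance test still passes when two neighbours inject the same $r_M$, while the confirmation messages disagree and the session is rejected.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only (not production-grade):
# the Mersenne prime 2^127 - 1 and a small generator.
P = (1 << 127) - 1
G = 3


def h(algo, *parts):
    """Length-prefixed hash of byte strings; stands in for H, H_g, H'_g and H_kc."""
    d = hashlib.new(algo)
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ibytes(v):
    """Fixed-width encoding of a group element (all values are below 2^127)."""
    return v.to_bytes(16, "big")


def round1(n):
    """Each U_i picks x_i and broadcasts y_i = g^{x_i}."""
    xs = [secrets.randbelow(P - 2) + 1 for _ in range(n)]
    ys = [pow(G, x, P) for x in xs]
    return xs, ys


def round2(i, xs, ys, sid):
    """U_i hashes its two neighbour DH values with sid and XORs them into z_i.
    Returns (z'_{i,i+1}, z_i)."""
    n = len(ys)
    dh_left = pow(ys[(i - 1) % n], xs[i], P)     # g^{x_{i-1} x_i}
    dh_right = pow(ys[(i + 1) % n], xs[i], P)    # g^{x_i x_{i+1}}
    z_left = h("sha256", ibytes(dh_left), sid)   # z'_{i-1,i}
    z_right = h("sha256", ibytes(dh_right), sid)  # z'_{i,i+1}
    return z_right, xor(z_left, z_right)


def derive_keys(i, z_right, zs, sid):
    """U_i rebuilds every z'_{j,j+1} from its own z'_{i,i+1} and the broadcast
    z_j values, then takes (k_i, k_kc_i) = H'_g(z'_1..z'_n, sid) as the two
    32-byte halves of a SHA-512 digest."""
    n = len(zs)
    chain = [None] * n
    cur = z_right
    for step in range(n):
        j = (i + step) % n
        chain[j] = cur
        cur = xor(zs[(j + 1) % n], cur)  # z'_{j+1,j+2} = z_{j+1} xor z'_{j,j+1}
    full = h("sha512", *chain, sid)
    return full[:32], full[32:]


def confirmation(k_kc, sid):
    """Third-round message M_i = H_kc(k_kc_i, sid)."""
    return h("sha256", k_kc, sid)


def run_session(n, colluders=None):
    """Simulate one group stage with n parties. If colluders=(a, b) is given,
    those two parties XOR the same random r_M into their z values, as in the
    collusion described in the paper. Returns (per-party keys, confirmed)."""
    xs, ys = round1(n)
    sid = h("sha256", *[ibytes(y) for y in ys])
    z_rights, zs = zip(*(round2(i, xs, ys, sid) for i in range(n)))
    zs = list(zs)
    if colluders:
        r_m = secrets.token_bytes(32)
        for c in colluders:
            zs[c] = xor(zs[c], r_m)
    # Original acceptance test: the XOR of all z_j must be zero.
    acc = bytes(32)
    for z in zs:
        acc = xor(acc, z)
    if acc != bytes(32):
        raise ValueError("XOR check failed")
    keys, tokens = zip(*(derive_keys(i, z_rights[i], zs, sid) for i in range(n)))
    # Added key-confirmation round: accept only if every M_j is identical.
    msgs = [confirmation(t, sid) for t in tokens]
    confirmed = all(m == msgs[0] for m in msgs)
    return list(keys), confirmed


if __name__ == "__main__":
    keys, ok = run_session(5)
    print("honest run: confirmed =", ok, "distinct keys =", len(set(keys)))
    keys, ok = run_session(5, colluders=(0, 2))
    print("colluding neighbours of U_1: confirmed =", ok,
          "victim key == honest key:", keys[1] == keys[3])
```

With five parties and parties 0 and 2 colluding against party 1, the XOR test passes, the honest non-victims (parties 3 and 4) still agree with each other, but party 1's chain differs from theirs, so the confirmation messages are not all identical and `run_session` reports the session as unconfirmed.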
The paper concludes that the original security proofs of mBD+P and mBD+S, which were conducted in the random-oracle model, omitted the insider collusion scenario and therefore do not guarantee that all participants derive the same key. The proposed key-confirmation enhancement restores this guarantee and can be applied to both the group and subgroup stages. The work highlights the importance of considering insider threats in the design and analysis of group key exchange protocols and offers a practical, easily implementable fix.