A security weakness in Abdalla et al.’s generic construction of a group key exchange protocol

In TCC ’07, Abdalla et al. presented a protocol compiler that transforms any authenticated 2-party key exchange protocol into an authenticated group key exchange (GKE) protocol. Abdalla et al.’s compiler is certainly elegant in its genericness, symmetry, simplicity and efficiency. However, this compiler is not as secure as claimed. Under a reasonable assumption, the GKE protocol constructed by the compiler (from a 2-party protocol) fails to achieve implicit key authentication. We here reveal this security problem with the compiler and show how to address it.