Some security results of the RC4+ stream cipher

RC4+ stream cipher was proposed by Maitra et. al. at Indocrypt 2008. It was claimed by the authors that this new stream cipher is designed to overcome all the weaknesses reported on the alleged RC4 stream cipher. In the design specifications of RC4+, the authors make use of an 8-bit design parameter called pad which is fixed to the value 0xAA. The first Distinguishing Attack on RC4+ based on the bias of its first output byte was shown by Banik et. al. in Indocrypt 2013. In this paper, it was also mentioned that the distinguishing attack would still hold if the pad used in RC4+ is fixed to any even 8-bit constant other than 0xAA. Therefore, the question that arises is whether the design of RC4+ can be protected by fixing the pad parameter to some constant odd value. In this paper, we try to answer this very question. We show that the design is still vulnerable by mounting a distinguishing attack even if the pad is fixed to some constant 8-bit odd value. Surprisingly we find that if the value of the pad is made equal to 0x03, the design provides maximum resistance to distinguishing attacks. Lastly we return to the original cipher i.e. in which pad is set to 0xAA and unearth another bias in the second output byte of the cipher, thereby showing that practical implementations of this cipher should discard the use of the first two output bytes for encryption.