
Some security results of the RC4+ stream cipher
Author(s) - Banik Subhadeep, Jha Sonu
Publication year - 2015
Publication title - Security and Communication Networks
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.446
H-Index - 43
eISSN - 1939-0122
pISSN - 1939-0114
DOI - 10.1002/sec.1323
Subject(s) - stream cipher, rc4, computer science, byte, cipher, stream cipher attack, running key cipher, arithmetic, block cipher mode of operation, block cipher, two square cipher, value (mathematics), constant (computer programming), transposition cipher, algorithm, theoretical computer science, cryptography, computer security, mathematics, computer hardware, encryption, programming language, machine learning
The RC4+ stream cipher was proposed as an alternative to the well-known RC4 stream cipher. Its authors claimed that the new cipher was designed to overcome all the weaknesses reported against the alleged RC4 stream cipher. In the design specification of RC4+, the authors use an 8-bit design parameter called pad, fixed to the value 0xAA. The first distinguishing attack on RC4+, based on the bias of its first output byte, was shown in a previous paper. That paper also noted that the distinguishing attack still holds if the pad used in RC4+ is fixed to any even 8-bit constant other than 0xAA. The question that naturally arises, therefore, is whether the design of RC4+ can be protected by fixing the pad parameter to some constant odd value. In this paper, we try to answer this very question. We show that the design remains vulnerable by mounting a distinguishing attack even when the pad is fixed to a constant 8-bit odd value. Surprisingly, we find that if the pad value is made equal to 0x03, the design provides maximum resistance to distinguishing attacks. Lastly, we return to the original cipher, that is, the one in which pad is set to 0xAA, and unearth another bias in the second output byte of the cipher. We then present a generalized way of finding biases in every M-th output byte (M ≥ 3) of RC4+, that is, Z_M, based on the Hamming weight of m ≡ M mod N. Finally, we improve the differential fault attack on RC4+ proposed in a previous paper, both in terms of the number of faults required and the computational complexity: we reduce the number of faults by around 11264 on average, and our algorithm is around 2^6 times faster. Copyright © 2015 John Wiley & Sons, Ltd.