Related-Key Zero-Correlation Linear Attacks on Block Ciphers with Linear Key Schedules

Related-key model is a favourable approach to improve attacks on block ciphers with a simple key schedule. However, to the best of our knowledge, there are a few results in which zero-correlation linear attacks take advantage of the related-key model. We ascribe this phenomenon to the lack of consideration of the key input in zero-correlation linear attacks. Concentrating on the linear key schedule of a block cipher, we generalize the zero-correlation linear attack by using a related-key setting. Specifically, we propose the creation of generalized linear hulls (GLHs) when the key input is involved; moreover, we indicate the links between GLHs and conventional linear hulls (CLHs). Then, we prove that the existence of zero-correlation GLHs is completely determined by the corresponding CLHs and the linear key schedule. In addition, we introduce a method to construct zero-correlation GLHs by CLHs and transform them into an integral distinguisher. The correctness is verified by applying it to SIMON16/16, a SIMON-like toy cipher. Based on our method, we find 12/13/14/15/15/17/20/22-round related-key zero-correlation linear distinguishers of SIMON32/64, SIMON48/72, SIMON48/96, SIMON64/96, SIMON64/128, SIMON96/144, SIMON128/192 and SIMON128/256, respectively. As far as we know, these distinguishers are one, two, or three rounds longer than current best zero-correlation linear distinguishers of SIMON.