Key-dependency of linear probability of RC5

In estimating the vulnerability of a block cipher to differential cryptanalysis and linear cryptanalysis, we must consider the fact that the differential probability and the linear probability vary with the key. In the case of cryptosystems where the round key is XORed to the input data of each round, the difference in both types of probability with different keys is regarded as negligible. However, this is not the case with RC5. This paper makes a primary analysis of the key-dependency of linear probability of RC5. Throughout this paper we study ''precise'' linear probability. We find some linear approximations that have higher deviation (bias) for some keys than the ''best linear approximation'' claimed by Kaliski and Yin in CRYPTO'95. Using one linear approximation, we find 10 weak keys of RC5-4/2/2 with linear probability 2(-1), 2 weak keys of RC5-4/5/16 with linear probability 2(-2) and a weak key of RC5-16/5/16 with linear probability 2(-15.4), while Kaliski-Yin's ''best biases'' are 2(-3), 2(-9), and 2(-17), respectively.