M. R. Albrecht, B. Driessen, E. B. Kavun, G. Leander, C. Paar et al., Block ciphers -focus on the linear layer (feat. PRIDE). In: CRYPTO (2), Lecture Notes in Computer Science, vol.8616, pp.57-76, 2014.

G. Bertoni, J. Daemen, S. Hoffert, M. Peeters, G. V. Assche et al., Farfalle: parallel permutation-based cryptography, IACR Trans. Symmetric Cryptol, vol.2017, issue.4, pp.1-38, 2017.

A. Biryukov and D. A. Wagner, Slide attacks, FSE. Lecture Notes in Computer Science, vol.1636, pp.245-259, 1999.

X. Bonnetain, Quantum key-recovery on full AEZ, Selected Areas in Cryptography -SAC 2017, vol.10719, pp.394-406, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01650026

X. Bonnetain and M. Naya-plasencia, Hidden shift quantum cryptanalysis and implications, ASIACRYPT 2018, vol.11272, pp.560-592, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01953914

X. Bonnetain, M. Naya-plasencia, and A. Schrottenloher, On quantum slide attacks, Selected Areas in Cryptography -SAC 2019, 2020.
URL : https://hal.archives-ouvertes.fr/hal-01946399

J. Borghoff, A. Canteaut, T. Güneysu, E. B. Kavun, M. Knezevic et al., PRINCE -A low-latency block cipher for pervasive computing applications -extended abstract, ASIACRYPT. Lecture Notes in Computer Science, vol.7658, pp.208-225, 2012.

G. Brassard, P. Hoyer, M. Mosca, and A. Tapp, Quantum amplitude amplification and estimation, Contemporary Mathematics, vol.305, pp.53-74, 2002.

G. Brassard, P. Høyer, and A. Tapp, Quantum cryptanalysis of hash and claw-free functions, LATIN '98: Theoretical Informatics, Third Latin American Symposium, vol.1380, pp.163-169, 1998.

A. Canteaut, S. Duval, G. Leurent, M. Naya-plasencia, L. Perrin et al., Saturnin: a suite of lightweight symmetric algorithms for post-quantum security, 2019.

C. Carlet, P. Charpin, and V. Zinoviev, Codes, bent functions and permutations suitable for DES-like cryptosystems, Designs, Codes and Cryptography, vol.15, issue.2, pp.125-156, 1998.

A. Chailloux, M. Naya-plasencia, and A. Schrottenloher, An efficient quantum collision search algorithm and implications on symmetric cryptography, ASI-ACRYPT, vol.10625, pp.211-240, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01651007

A. Chakraborti, N. Datta, M. Nandi, and K. Yasuda, Beetle family of lightweight and secure authenticated encryption ciphers, IACR Trans. Cryptogr. Hardw. Embed. Syst, vol.2018, issue.2, pp.218-241, 2018.

P. Crowley and E. Biggers, Adiantum: length-preserving encryption for entrylevel processors, IACR Trans. Symmetric Cryptol, issue.4, pp.39-61, 2018.

J. Daemen, Limitations of the even-mansour construction, ASIACRYPT 1991, vol.739, pp.495-498, 1991.

J. Daemen, S. Hoffert, G. V. Assche, and R. V. Keer, The design of xoodoo and xoofff, IACR Trans. Symmetric Cryptol, issue.4, pp.1-38, 2018.

I. Dinur, Cryptanalytic time-memory-data tradeoffs for fx-constructions with applications to PRINCE and PRIDE, EUROCRYPT 2015. Lecture Notes in Computer Science, vol.9056, pp.231-253, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01235168

I. Dinur, O. Dunkelman, N. Keller, and A. Shamir, Cryptanalysis of iterated evenmansour schemes with two keys, ASIACRYPT 2014, vol.8873, pp.439-457, 2014.
URL : https://hal.archives-ouvertes.fr/hal-01086179

S. Even and Y. Mansour, A construction of a cipher from a single pseudorandom permutation, J. Cryptology, vol.10, issue.3, pp.151-162, 1997.

T. Gagliardoni, Quantum Security of Cryptographic Primitives, 2017.

M. Grassl, B. Langenberg, M. Roetteler, and R. Steinwandt, Applying grover's algorithm to AES: quantum resource estimates, PQCrypto. Lecture Notes in Computer Science, vol.9606, pp.29-43, 2016.

L. K. Grover, A Fast Quantum Mechanical Algorithm for Database Search, Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pp.212-219, 1996.

A. Hosoyamada and Y. Sasaki, Cryptanalysis against symmetric-key schemes with online classical queries and offline quantum computations, CT-RSA, vol.10808, pp.198-218, 2018.

M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-plasencia, Breaking symmetric cryptosystems using quantum period finding, Lecture Notes in Computer Science, vol.9815, issue.2, pp.207-237, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01404196

M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-plasencia, Quantum differential and linear cryptanalysis, IACR Trans. Symmetric Cryptol, vol.2016, issue.1, pp.71-94, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01652807

J. Kilian and P. Rogaway, How to protect DES against exhaustive key search, CRYPTO. Lecture Notes in Computer Science, vol.1109, pp.252-267, 1996.

G. Kuperberg, A subexponential-time quantum algorithm for the dihedral hidden subgroup problem, SIAM J. Comput, vol.35, issue.1, pp.170-188, 2005.

G. Kuperberg, Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem, TQC 2013. LIPIcs, vol.22, pp.20-34, 2013.

H. Kuwakado and M. Morii, Quantum distinguisher between the 3-round feistel cipher and the random permutation, IEEE International Symposium on Information Theory, ISIT 2010, Proceedings, pp.2682-2685, 2010.

H. Kuwakado and M. Morii, Security on the quantum-type even-mansour cipher, Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, pp.312-316, 2012.

G. Leander and A. May, Grover Meets Simon -Quantumly Attacking the FXconstruction, ASIACRYPT 2017, vol.10625, pp.161-178, 2017.

L. Martin, XTS: A mode of AES for encrypting hard disks, IEEE Security & Privacy, vol.8, issue.3, pp.68-69, 2010.

N. Mouha, B. Mennink, A. V. Herrewege, D. Watanabe, B. Preneel et al., Chaskey: An efficient MAC algorithm for 32-bit microcontrollers, Selected Areas in Cryptography, vol.8781, pp.306-323, 2014.

, National Institute of Standards and Technlology: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, 2016.

M. A. Nielsen and I. Chuang, Quantum computation and quantum information, 2002.

M. Rötteler and R. Steinwandt, A note on quantum related-key attacks, Inf. Process. Lett, vol.115, issue.1, pp.40-44, 2015.

Y. Sasaki, Y. Todo, K. Aoki, Y. Naito, T. Sugawara et al., , 2015.

P. W. Shor, Algorithms for quantum computation: Discrete logarithms and factoring, 35th Annual Symposium on Foundations of Computer Science, pp.124-134, 1994.

D. R. Simon, On the Power of Quantum Computation, 35th Annual Symposium on Foundations of Computer Science, pp.116-123, 1994.

R. S. Winternitz and M. E. Hellman, Chosen-key attacks on a block cipher, Cryptologia, vol.11, issue.1, pp.16-20, 1987.

, Note that, given such S ? , by using an ancilla qubit we can implement a unitary operator S ? such that