M. R. Albrecht, B. Driessen, G. Elif-bilge-kavun, C. Leander, T. Paar et al., The same property also holds for the inverse function, S ?1 16 , whose components have degree 9, The choice of the 4-bit Sboxes 0 and 1 guarantees that all components of the Super-Sbox (i.e., all non-trivial linear combinations of its coordinates) have degree 9, vol.8616, pp.57-76, 2014.

A. Ambainis, Quantum walk algorithm for element distinctness, SIAM J. Comput, vol.37, issue.1, pp.210-239, 2007.

G. Alagic, C. Majenz, A. Russell, and F. Song, Quantumsecure message authentication via blind-unforgeability. IACR Cryptology ePrint Archive, 2018.

E. E. Mayuresh-vivekanand-anand, G. Targhi, D. Noel-tabia, and . Unruh, Post-quantum security of the CBC, CFB, OFB, CTR, and XTS modes of operation, Post-Quantum Cryptography -7th International Workshop, pp.44-63, 2016.

. Springer, , 2016.

E. Biham, A. Biryukov, and A. Shamir, Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, LNCS, vol.1592, pp.12-23, 1999.

C. Boura and A. Canteaut, On the influence of the algebraic degree of ?1 on the algebraic degree of ?, IEEE Trans. Information Theory, vol.59, issue.1, pp.691-702, 2013.
URL : https://hal.archives-ouvertes.fr/hal-00738398

C. Boura, A. Canteaut, and C. D. Cannière, Higher-order differential properties of Keccak and Luffa, LNCS, vol.6733, pp.252-269, 2011.
URL : https://hal.archives-ouvertes.fr/inria-00537741

M. Bellare, R. Canetti, and H. Krawczyk, Keying hash functions for message authentication, CRYPTO'96, vol.1109, pp.1-15, 1996.

A. Bar-on, O. Dunkelman, N. Keller, E. Ronen, and A. Shamir, Improved key recovery attacks on reduced-round AES with practical data and memory complexities, CRYPTO 2018, Part II, vol.10992, pp.185-212, 2018.

M. Bellare, New proofs for NMAC and HMAC: Security without collision resistance, Journal of Cryptology, vol.28, issue.4, pp.844-878, 2015.

D. J. Bernstein, Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete, SHARCS 2009, pp.105-116, 2009.

G. Brassard, P. Høyer, and A. Tapp, Quantum cryptanalysis of hash and claw-free functions, LNCS, vol.1380, pp.163-169, 1998.

C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi et al., The SKINNY family of block ciphers and its low-latency variant MANTIS, CRYPTO 2016, Part II, vol.9815, pp.123-153, 2016.

M. Bellare and T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, LNCS, vol.2656, pp.491-506, 2003.

A. Biryukov and D. Khovratovich, Related-key cryptanalysis of the full AES-192 and AES-256, LNCS, vol.5912, pp.1-18, 2009.

A. Biryukov, D. Khovratovich, and I. Nikolic, Distinguisher and related-key attack on the full AES-256, LNCS, vol.5677, pp.231-249, 2009.

A. Bogdanov, D. Khovratovich, and C. Rechberger, Biclique cryptanalysis of the full AES, LNCS, vol.7073, pp.344-371, 2011.

C. Boura, V. Lallemand, M. Naya-plasencia, and V. Suder, Making the impossible possible, Journal of Cryptology, vol.31, issue.1, pp.101-133, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01953916

M. Bellare and C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Journal of Cryptology, vol.21, issue.4, pp.469-491, 2008.

X. Bonnetain, M. Naya-plasencia, and A. Schrottenloher, Quantum security analysis of AES. IACR Cryptology ePrint Archive, 2019.
URL : https://hal.archives-ouvertes.fr/hal-02397049

M. Bellare and P. Rogaway, Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography, LNCS, vol.1976, pp.317-330, 2000.

D. Boneh and M. Zhandry, Quantum-secure message authentication codes, LNCS, vol.7881, pp.592-608, 2013.

D. Boneh and M. Zhandry, Secure signatures and chosen ciphertext security in a quantum computing world, CRYPTO 2013, Part II, vol.8043, pp.361-379, 2013.

A. Chailloux, M. Naya-plasencia, and A. Schrottenloher, An efficient quantum collision search algorithm and implications on symmetric cryptography, Part, vol.II, pp.211-240, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01651007

P. Derbez, P. Fouque, and J. Jean, Improved key recovery attacks on reduced-round AES in the single-key setting, LNCS, vol.7881, pp.371-387, 2013.
URL : https://hal.archives-ouvertes.fr/hal-01094304

J. Daemen, L. R. Knudsen, and V. Rijmen, The block cipher Square, LNCS, vol.1267, pp.149-165, 1997.

S. Duval and G. Leurent, MDS matrices with lightweight circuits, IACR Trans. Symm. Cryptol, vol.2018, issue.2, pp.48-78, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01944495

J. Daemen and V. Rijmen, AES Proposal: Rijndael. Submission to the NIST AES competition, 1999.

J. Daemen and V. Rijmen, AES and the wide trail design strategy (invited talk), LNCS, vol.2332, pp.108-109, 2002.

J. Daemen and V. Rijmen, The Design of Rijndael: AES -The Advanced Encryption Standard. Information Security and Cryptography, 2002.

H. Demirci and A. Selçuk, A meet-in-the-middle attack on 8-round AES, LNCS, vol.5086, pp.116-126, 2008.

T. Gagliardoni, Quantum Security of Cryptographic Primitives, 2017.

. Gbb-+-08]-henri, R. Gilbert, O. Benadjila, G. Billet, T. Macario-rat et al., SHA-3 proposal: ECHO. Submission to NIST, 2008.

T. Gagliardoni, A. Hülsing, and C. Schaffner, Semantic security and indistinguishability in the quantum world, CRYPTO 2016, Part III, vol.9816, pp.60-89, 2016.

T. Gilliam and T. Jones, Monty Python and the Holy Grail. Distributed by EMI Films, 1975.

. Gkm-+-08]-praveen, L. R. Gauravaram, K. Knudsen, F. Matusiewicz, C. Mendel et al., Grøstl -a SHA-3 candidate. Submission to NIST, 2008.

M. Grassl, B. Langenberg, M. Roetteler, and R. Steinwandt, Applying Grover's algorithm to AES: Quantum resource estimates, pp.29-43, 2016.

S. Galice and M. Minier, Improving integral attacks against Rijndael-256 up to 9 rounds, LNCS, vol.5023, pp.1-15, 2008.

K. Lov, T. Grover, and . Rudolph, How significant are the known collision and element distinctness quantum algorithms?, Quantum Information & Computation, vol.4, pp.201-206, 2004.

L. Grassi, Mixture differential cryptanalysis: a new approach to distinguishers and attacks on round-reduced AES, IACR Trans. Symm. Cryptol, vol.2018, issue.2, pp.133-160, 2018.

K. Lov and . Grover, A fast quantum mechanical algorithm for database search, 28th ACM STOC, pp.212-219, 1996.

L. Grassi, C. Rechberger, and S. Rønjom, A new structuraldifferential property of 5-round AES, Part, vol.II, pp.289-317, 2017.

A. Hosoyamada and K. Yasuda, Building quantum-one-way functions from block ciphers: Davies-Meyer and Merkle-Damgård constructions, ASIACRYPT 2018, Part I, volume 11272 of LNCS, pp.275-304, 2018.

S. Indesteege, E. Andreeva, C. D. Cannière, O. Dunkelman, E. Käsper et al., The LANE hash function. Submission to NIST, 2008.

S. Jaques and J. M. Schanck, Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE. IACR Cryptology ePrint Archive, 2019.

M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-plasencia, Breaking symmetric cryptosystems using quantum period finding, CRYPTO 2016, Part II, vol.9815, pp.207-237, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01404196

M. Kaplan, G. Leurent, A. Leverrier, and M. Naya-plasencia, Quantum differential and linear cryptanalysis, IACR Trans. Symm. Cryptol, vol.2016, issue.1, pp.71-94, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01652807

H. Kuwakado and M. Morii, Quantum distinguisher between the 3-round Feistel cipher and the random permutation, ISIT 2010, pp.2682-2685, 2010.

H. Kuwakado and M. Morii, Security on the quantum-type even-mansour cipher, ISITA 2012, pp.312-316, 2012.

G. Leander and A. Poschmann, On the Classification of 4 Bit S-Boxes

, LNCS, vol.4547, pp.159-176, 2007.

G. Leurent and F. Sibleyras, The missing difference problem, and its applications to counter mode encryption, EUROCRYPT 2018, Part II, vol.10821, pp.745-770, 2018.
URL : https://hal.archives-ouvertes.fr/hal-01953390

G. Leander, C. Tezcan, and F. Wiemer, Searching for subspace trails and truncated differentials, IACR Trans. Symm. Cryptol, vol.2018, issue.1, pp.74-100, 2018.

M. Minier, C. Raphael, B. Phan, and . Pousse, Distinguishers for ciphers and known key attack against Rijndael with large blocks, LNCS, vol.5580, pp.60-76
URL : https://hal.archives-ouvertes.fr/inria-00524350

. Springer, , 2009.

J. Nakahara, 3D: A three-dimensional block cipher, CANS 08, vol.5339, pp.252-267, 2008.

, SP 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques, 2001.

, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, NIST FIPS PUB, vol.202, 2015.

, Submission requirements and evaluation criteria for the post-quantum cryptography standardization process, 2016.

, Quantum Computing: Progress and Prospects, 2018.

A. Michael, I. Nielsen, and . Chuang, Quantum computation and quantum information, 2002.

J. Nakahara and . Ivan-carlos-pavão, Impossible-differential attacks on large-block Rijndael, LNCS, vol.4779, pp.104-117, 2007.

. Springer, , 2007.

S. Rønjom, G. Navid, T. Bardeh, and . Helleseth, Yoyo tricks with AES, ASIACRYPT 2017, Part I, vol.10624, pp.217-243, 2017.

Y. Sasaki, Known-key attacks on Rijndael with large blocks and strengthening ShiftRow parameter, LNCS, vol.10, pp.301-315, 2010.

W. Peter and . Shor, Algorithms for quantum computation: Discrete logarithms and factoring, 35th FOCS, pp.124-134, 1994.

D. R. Simon, On the power of quantum computation, 35th FOCS, pp.116-123, 1994.

V. Soukharev, D. Jao, and S. Seshadri, Post-quantum security models for authenticated encryption, pp.64-78, 2016.

M. Slg-+-16]-bing-sun, J. Liu, L. Guo, V. Qu, and . Rijmen, New insights on AES-like SPN ciphers, CRYPTO 2016, Part I, vol.9814, pp.605-624, 2016.

F. Song and A. Yun, Quantum security of NMAC and related constructions -PRF domain extension against quantum attacks, Part, vol.II, pp.283-309, 2017.

M. Ullrich, C. D. Cannière, S. Indesteege, Ö. Küçük, N. Mouha et al., Finding optimal bitsliced implementations of 4x4-bit s-boxes, SKEW 2011, 2011.

C. Paul, M. J. Van-oorschot, and . Wiener, Parallel collision search with cryptanalytic applications, Journal of Cryptology, vol.12, issue.1, pp.1-28, 1999.

Q. Wang, D. Gu, V. Rijmen, Y. Liu, J. Chen et al., Improved impossible differential attacks on large-block Rijndael, Taekyoung Kwon, Mun-Kyu Lee, and Daesung Kwon, vol.12, pp.126-140, 2013.

M. Zhandry, A note on the quantum collision and set equality problems, Quantum Information & Computation, vol.15, pp.557-567, 2015.

M. Zhandry, How to record quantum queries, and applications to quantum indifferentiability, Cryptology ePrint Archive, 2018.

L. Zhang, W. Wu, J. H. Park, Y. Bon-wook-koo, and . Yeom, Improved impossible differential attacks on large-block Rijndael, LNCS, vol.5222, pp.298-315, 2008.

/. Mul_inv,

/. Mul_inv, A) */ \ 14 MUL_INV(x8, x9, xa, xb, tmp)

/. Mul_inv,