“…Grover-meet-Simon algorithm [ 13 ] was first introduced by Leander and May, and combined Simon’s algorithm and Grover’s algorithm to achieve the key recovery attack against FX-construction. Currently, Simon’s algorithm, Grover’s algorithm, and Grover-meet-Simon algorithm have been extended to the Sum of Even–Mansour construction [ 14 ], encryption schemes [ 15 , 16 , 17 , 18 , 19 , 20 ], hash schemes [ 21 , 22 , 23 ], message authentication codes (MACs) [ 18 , 24 ], and authenticated encryption schemes [ 18 , 25 , 26 ]. There exist other quantum algorithms (such as HHL algorithm and BTH algorithm) and relevant quantum cryptanalysis.…”