On Constructing Secure and HardwareEfficient Invertible Mappings
Abstract
Our society becomes increasingly dependent on wireless communications. The tremendous growth in the number and type of wirelessly connected devices in a combination with the dropping cost for performing cyberattacks create new challenges for assuring security of services and applications provided by the next generation of wireless communication networks. The situation is complicated even further by the fact that many endpoint Internet of Things (IoT) devices have very limited resources for implementing security functionality. This paper addresses one of the aspects of this important, manyfaceted problem  the design of hardwareefficient cryptographic primitives suitable for the protection of resourceconstrained IoT devices. We focus on cryptographic primitives based on the invertible mappings of type . In order to check if a given mapping is invertible or not, we generally need an exponential in number of steps. In this paper, we derive a sufficient condition for invertibility which can be checked in time, where is the size of representation of the largest function in the mapping. Our results can be used for constructing cryptographically secure invertible mappings which can be efficiently implemented in hardware.
Invertible mapping, permutation, Boolean function, NLFSR
I Introduction
This paper addresses the problem of constructing hardwareefficient cryptographic primitives suitable for assuring trustworthiness of resourceconstrained devices used in services and applications provided by the next generation of wireless communication networks.
The importance of improving security of wireless networks for our society is hard to overestimate. In 2014, the annual loss to the global economy from cybercrimes was more than $400 billion [1]. This number can quickly grow larger with the rapid growth of InternetofThings (IoT) applications. In coming years ”things” such as household appliances, meters, sensors, vehicles, etc. are expected to be accessible and controlled via local networks or the Internet, opening an entirely new range of services appealing to users. The ideas of selfdriving cars, healthtracking wearables, and remote surgeries do not sound like sciencefiction any longer. The number of wirelessly connected devices is expected to grow to a few tens of billions in the next five years [2].
Unfortunately, the new technologies are appealing to the attackers as well. As processing power and connectivity become cheaper, the cost of performing a cyberattack drops, making it easier for adversaries of all types to penetrate networks. Attacks are becoming more frequent, more sophisticated, and more widespread. A connected household appliance becomes a target for all hackers around the globe unless appropriate security mechanisms are implemented. Household appliances typically do not have the same level of protection as computer systems. A compromised device can potentially be used as an entry point for a cyberattack on other devices connected to the network. The first proven cyberattack involving ”smart” household appliances has been already reported in [3]. In this attack, more than 750.000 malicious emails targeting enterprises and individuals worldwide were sent from more than 100.000 consumer devices such as homenetworking routers, multimedia centers, TVs, refrigerators, etc. No more than 10 emails were initiated from any single IPaddress, making the attack difficult to block based on location. The attack surface of future IoT with billions of connected devices will be enormous.
In addition to a larger attack surface, the return value for performing a cyberattack grows. The assets accessible via tomorrow’s networks (hardware, software, information, and revenue streams) are expected to be much greater than the ones available today, increasing incentive for cyber criminals and underground economies [4]. A growing black market for breached data serves as a further encouragement. The damage caused by an individual actor may not be limited to a business or reputation, but could have a severe impact on public safety, national economy, and/or national security.
The tremendous growth in the number and type of wirelessly connected devices, as well as the increased incentive for performing attacks change the threat landscape and create new challenges for security. The situation is complicated even further by the fact that many endpoint IoT devices require utmost efficiency in the use of communication, computing, storage and energy resources. A typical IoT device spends most of its ”life” in a sleep mode. It gets activated at periodic intervals, transmits a small amount of data and then shuts down again. To satisfy extreme limitations of resourceconstrained IoT devices, very efficient cryptographic primitives for implementing encryption, data integrity protection, authentication, etc. are required.
Invertible mappings are among the most frequently used primitives in cryptography [5]. For example, the round function of a block cipher [6, 7] has to be invertible in order to result in unique decryption. Stream ciphers [8, 9] and hash functions [10, 11] use invertible state mappings to prevent incremental reduction of the entropy of the state.
This paper presents a sufficient condition for invertibility of mappings of type . Such a singlevariable valued mapping can be interpreted as an variable Boolean mapping in which the Boolean variable represents the bit number of the input and the Boolean function represents the bit number of the output , i.e.:
(1) 
for . For example, the 4variable Boolean mapping
corresponds to the singlevariable 16valued mapping
where “” is addition modulo 16. Note that the corresponding singlevariable valued mapping may not have a closed form.
In order to check if a mapping of type (1) is invertible or not, we generally need an exponential in number of steps. The condition derived in this paper can be checked in time, where is the size of representation of the largest Boolean function in the mapping. So, it can be used for constructing secure invertible mappings with a small hardware implementation cost. For example, we show how the presented results can be used in stream cipher design.
The paper is organized as follows. Section II summarizes basic notations used in the sequel. In Section III, we describe previous work and show that previous methods cannot explain invertibility of some mappings which can be handled by the presented approach. Section IV presents the main result. Section V estimates the complexity of checking the presented condition. Section VI shows how the presented results can be used in stream cipher design. Section VII concludes the paper.
Ii Preliminaries
Throughout the paper, we use ”” to denote the Boolean XOR, ”” to denote the Boolean AND and to denote the Boolean complement of , defined by .
The Algebraic Normal Form (ANF) [12] of a Boolean function (also called positive polarity ReedMuller canonical form [13]) is a polynomial in the Galois Field of order 2, , of type
where are constants, “” is the Boolean AND, “” is the Boolean XOR, the vector is the binary expansion of , and denotes the th power of defined by for and otherwise, for .
A mapping on a finite set is called invertible if if, and only if, . Invertible mappings are also called permutations.
Iii Previous Work
In this section, we describe previous work on invertible mappings and show that previous methods cannot explain invertibility of some mappings which can be handled by the presented approach.
Many methods for constructing different classes of invertible mappings are known. The simplest one is to compose simple invertible operations. A SubstitutionPermutation Network (SPN) is a typical example. An SPN consists of Sboxes, which permute input bits locally, and Pboxes, which diffuse input bits globally. This method of construction cannot explain the invertibility of, for example, the following 4variable mapping
(2) 
since a noninvertible operation Boolean AND is used.
Feistel [15] proposed a powerful technique which makes possible constructing invertible mappings from noninvertible basic operations. It is used in many block ciphers, including DES [16]. The basic Feistel construction maps two inputs, and , into two outputs as follows:
where is any singlevariable function. The full Feistel construction iterates the above mapping any number of times. This method was extended in several directions, including unbalanced, homogeneous, heterogeneous, incomplete, and inconsistent Feistel networks [17]. However, the Feistel construction requires at least two variables. It cannot explain the invertibility of mappings of type . The presented method can explain it by looking into the structure of Boolean functions representing the bits of the output .
Shamir [18] introduced an interesting construction based on the fact that the mapping of type (1) is invertible for almost all inputs if each has the form:
where and are arbitrary nonzero variable polynomials modulo a large RSA modulus . The ”triangular” nature of functions makes it possible to perform the inversion process similarly to the way we do Gaussian elimination to solve a system of linear equations. This approach can also handle ’s and ’s which mix arithmetic and Boolean operations [19, 20]. The approach presented in this paper is similar to the approach of Shamir in that it also uses triangulation to prove invertibility. However, our functions are of the type
(3) 
where and does not depend on . Thus, in our case, the th output may depend on the input such that . For example, in the mapping defined by equations (2), depends on and .
Shamir’s construction was further extended by Klimov and Shamir [19, 20] to a class on invertible mappings based on Tfunctions. A singlevariable function of type is defined to be a Tfunction if each of its output bits depends only on the first input bits :
A Tfunction is invertible if, and only if, each output bit can be represented as
This fundamental result inspired the construction which we present in this paper. The reader will easily notice that, in our construction (3), functions ’s are Tfunctions while functions ’s are not if . Another difference is that Klimov and Shamir targeted software implementation and therefore focused on mappings whose expression can be evaluated by a program with the minimal number of instructions. We target the hardware implementation. Therefore, we are interested in minimizing the number of Boolean operations in the expressions of Boolean functions representing output bits. The construction method which we present can be used as a starting point for constructing nonlinear invertible mappings which have an efficient hardware implementation.
Another group of construction methods consider permutation polynomials which involve only the arithmetic operation of addition, subtraction, and multiplication. Permutation polynomials are wellstudied in mathematics. Hermite [21] made a substantial progress in characterizing univariate permutation polynomials modulo a prime . Dickson [22] described all univariate polynomials with degrees smaller than 5. However, the problem remains unsolved for high degree polynomials modulo a large prime .
The problem appears simpler for the ring of integers modulo . Rivest [23] provided a complete characterization of all univariate permutation polynomials modulo . He proved that a polynomial
with integral coefficients is a permutation polynomial for if, and only if, is odd, is even and is even. His powerful algebraic proof technique was further generalized by Klimov and Shamir [19, 20] to polynomials of type
where , which mix arithmetic and Boolean operations. However, since the resulting polynomials are Tfunctions, they do not cover the construction method presented in this paper for the case when th output depends on the input such that .
Finally, we would like to discuss the relation between the mappings of type (1) and the state mappings generated by NonLinear Feedback Shift Registers (NLFSRs) [24]. An bit NLFSR consists of binary stages, each capable of storing 1 bit of information, a nonlinear Boolean function, called feedback function, and a clock (see Figure 1). At each clock cycle, the stage is updated to the value computed by the feedback function. The rest of the stages shift the content of the previous stage. Thus, an bit NLFSR with the feedback functions implements the state mapping of type
where the variable represents the value of the stage , for .
It is wellknown [25] that an bit NLFSR is invertible if, and only if, its feedback function is of type
The mappings considered in this paper can be implemented by a more general type of nonlinear state machines, shown in Figure 2. Since the content of stages is not any longer shifted from one stage to the next, but rather it is updated by some arbitrary functions, such registers are not called shift registers any longer. Instead, they are called binary machines [25] or registers with nonlinear update [26]. Binary machines are typically smaller and faster than NLFSRs generating the same sequence [27, 28]. For example, the 4bit NLFSR with the feedback function generates the same set of sequences as the 4bit binary machine implementing the 4variable mapping defined by equations (2). We can see that the binary machine uses 3 binary Boolean operations, while the NLFSR uses 5 binary Boolean operations. Furthermore, the depth of feedback functions of the binary machine is smaller that the depth of the feedback function of the NLFSR. Thus, the binary machine has a smaller propagation delay than the NLFSR.
Iv Conditions for Invertibility
As we mentioned in Section III, it is wellknown how to construct invertible NLFSRs [25]. An bit NLFSR is invertible if, and only if, its feedback function is of type:
(4) 
The proof is simple, because every two consecutive states of an NLFSR overlap in positions. This implies that each state can have only two possible predecessors and two possible successors. If is in the form (4), then the NLFSR states which correspond to the binary tuples and always have different successors. The values of and depend on the value of and on the value of . The value of is the same for and . The value of is different for and . Thus, . It is also easy to see that, if both and have the same successor, cannot have the form (4).
In the general case of mappings , any binary tuple can have possible predecessors and possible successors. Therefore, to guarantee that a mapping is invertible, we have to check that, for all , implies that , for some . This clearly requires the number of steps which is exponential in . The main contribution of this paper is a more restricted sufficient condition which can be checked in steps. To formulate this condition, we first introduce the notion of a free variable of a function.
Definition 1 (Free variable)
A variable is called a free variable if can decomposed as
where .
Definition 2 (Set of free variables)
The set of free variables of , , contains all free variables of
Now we are ready to formulate the following sufficient condition for invertibility.
Theorem 1
A mapping of type (1) is invertible if the following two conditions hold:

For each , is of type
(5) where .

Functions can be reordered as to satisfy the property
where “” stands for the union.
Proof: By contradiction.
Suppose that there exist a noninvertible mapping of type (1) for which the conditions of the theorem hold. Then, this mapping is of type
(6) 
where , for .
Since the mapping (6) in noninvertible, there exist at least two input assignments and , , which are mapped into the same output. We analyzing (6) row by row, we can conclude that:

and and implies

and and and implies


and and and , , implies .
Therefore, . We reached a contradiction. Thus, the assumption that there exist a noninvertible mapping of type (1) for which the conditions of the theorem hold is not true.
An example of mapping which satisfies the conditions of Theorem 1 is:
(7) 
The reader may notice that mappings defined by Theorem 1 can be obtained by relabeling variables in a Tfunction. The relabeling is given by the ordering of free variables. So, the mapping (5) can be viewed as a composition of a bit permutation and a Tfunction. Since there are bit permutations, the class of invertible mappings considered in this paper is by a factor of larger than the class of invertible mappings based on Tfunctions.
Clearly, the relabeling of variables does not change the implementation cost of a mapping. However, it might drastically change the cycle structure of the underlying state transition graph, as illustrated by the following example. Consider the following 4variable mapping based on a Tfunction:
(8) 
This mapping has a quite uninteresting state transition graph shown in Figure 3. Let us relabel the variables as . We get the mapping:
(9) 
which has the state transition graph shown in Figure 4. All states, except the all0 state, are included in one cycle. If we implement this mapping by the binary machine shown in Figure 2 and initialize the binary machine to any nonzero state, then its output generates a pseudorandom sequence with period 15 which satisfies the first two randomness postulates of Golomb [25], namely the balance property and the run property. No sequence generated by a nonlinear Boolean function satisfy the third randomness postulate (twolevel autocorrelation property). Therefore, the mapping we obtained by relabeling has much more interesting statistical properties than the original mapping.
The cycle structure of a mapping is important for some cryptographic applications, e.g. stream ciphers [29]. Obviously, if we iterate a mapping a large number of times, we do not want the sequence of generated states to be trapped in a short cycle. It is worth noting that formal verification tools based on reachability analysis can be adopted for finding short cycles in a state transition graph. There are dedicated tools to compute the number and length of cycles in state transition graphs of synchronous sequential networks, e.g. BNS [30] which is based on SATbased bounded model checking and BooleNet [31] which is based on Binary Decision Diagrams.
The mappings defined by Theorem 1 are invertible for any choice of Boolean functions . The smaller is the number of Boolean operations in the expressions of ’s, the smaller is its hardware implementation cost. Note, that we are not restricted to represent ’s in ANF. Any Boolean expression combining AND, OR, NOT and XOR can be used. Multilevel logic optimization tools, such as UC Berkeley tool ABC [32] can be applied to transform the ANF or other Boolean expression representing the function into an optimized multilevel expression. Clearly, the choice of ’s will be guided not only by the hardware cost, but also by other criteria determining the cryptographic strength of the resulting function, e.g. nonlinearity, correlation immunity, algebraic degree, etc. (see [12] for requirements on cryptographically strong functions).
Finally, we would like to point out that the conditions of Theorem 1 are sufficient, but not necessary conditions for invertibility. For example, the following 4variable mapping is invertible, but it does not satisfy them:
V Condition Checking
Next, let us estimate the number of steps required to check the conditions of Theorem 1. Suppose that all Boolean functions of the mapping are represented in ANF. Let be the ANF size of the largest function in the mapping. The size of an ANF is defined as the total number of variables appearing in the ANF. For example, the ANF is of size 3.
Consider the pseudocode shown as Algorithm 1. is a set which keeps track of variables which are identified as free for some . If this set is implemented as a hash table of size , then adding a variable to the set or checking if a variable belongs to the set can be done in constant time.
In the first forloop, we check if each is of type or , for some . If yes, we add to the set and mark . Since the steps 4, 5, 6 and 7 can be done in time, the complexity of the first forloop is .
If none of the functions are marked during the first forloop, the algorithm terminates with the conclusion that the conditions of Theorem 1 are not satisfied.
In the second forloop, for each nonmarked , we check if it is of type (5) and if every belongs to . If yes, add to , mark , and return to step 13. The steps 15, 17 and 18 can be done in time. The step 16 requires time. Thus, the complexity of the second forloop is . Since we return to the step 13 at most times, the overall complexity of steps 1322 is .
In the third forloop, we check if all are marked. If yes, the mapping is invertible. Otherwise, the algorithm returns ”conditions are not satisfied”. Since the conditions of Theorem 1 are sufficient, but not necessary conditions for invertibility, in this case the mapping may or may not be invertible. The complexity of the third forloop is . We can conclude that overall complexity of Algorithm 1 is .
Vi Applications
In this section we show how the presented results can be used in stream cipher design.
A possible way to construct a key stream generator for a stream cipher is to run several FSRs in parallel and to combine their outputs with a nonlinear Boolean function [12]. The resulting structure is called a combination generator. If the periods of FSRs are pairwise coprime, then the period of the resulting key stream generator is equal to the product of periods of FRSs [33]. Examples of stream ciphers based on combination generators are VEST [34], Achterbahn128/80 [35], and the cipher [36]. VEST uses 16 10bit and 16 11bit NLFSRs. Achterbahn128/80 uses 13 NLFSRs of size from 21 to 33 bits. The cipher from [36] uses 10 NLFSRs of size 2229, 31 and 32 bits.
At present it is not known how to construct large NLFSRs with a guaranteed long period. Existing algorithms cover special cases only, e.g. [37, 38]. Small NLFSRs which are used in combination generators are computed by a random search. Lists of bit NLFSRs of size bits with the period whose feedback functions contain up to 6 binary Boolean operations in their ANFs are available in [39]. It is known that, for example, there are no 20bit NLFSRs with the period whose feedback function contains only four binary Boolean operations in its ANF (i.e. implementable with four 2input gates).
Using Algorithm 1 to bound random search, in 12 hours we were able to find 63 20variable nonlinear invertible mappings with the period whose functions contain no more than 4 binary Boolean operations in their ANFs in total. Two representatives are:

, , .

, .
The omitted functions are of type , for . This shows that Algorithm 1 is useful for finding nonlinear invertible mappings with a small hardware implementation cost. Other important properties, such as nonlinearity, correlation immunity, algebraic degree, etc., can then be used to further guide the search.
Vii Conclusion
We derived a sufficient condition for invertibility of mappings of type which can be checked in steps, where is the ANF size of the largest Boolean function in the mapping. The presented method can be used as a starting point for constructing nonlinear invertible mappings which can be efficiently implemented in hardware.
Future work remains on constructing new cryptographic primitives based on the presented class of invertible mappings and evaluating their security and hardware cost. We also plan to investigate the usability our results in reversible computing.
Viii Acknowledgements
This work was supported in part by the research grant No SM140016 from the Swedish Foundation for Strategic Research. The author would like to thank the anonymous reviewers for their valuable comments and suggestions to improve the quality of the paper.
References
 Center for Strategic and International Studies, “Net losses: Estimating the global cost of cybercrime,” June 2014. https://www.mcafee.com/mx/resources/ reports/rpeconomicimpactcybercrime2.pdf.
 Ericsson, “More that 50 billions connected devices,” 2012. www.ericsson.com/res/docs/whitepapers/wp50billions.pdf.
 Proofpoint, “Proofpoint uncovers Internet of Things (IoT) cyberattack,” January 2014. https://www.proofpoint.com/us/ proofpointuncoversinternetofthingsiotcyberattack.
 Ericsson, “5g security: Scenarios and solutions,” 2015. www.ericsson.com/news/150624wp5gsecurity_244069646_c.
 D. Stinson, Cryptography Theory and Practice. Chapman & Hall/CRC, 3rd edition, 2006.
 A. Bogdanov, L. Knudsen, G. Leander, C. Paar, A. Poschmann, M. Robshaw, Y. Seurin, and C. Vikkelsoe, “Present: An ultralightweight block cipher,” in Cryptographic Hardware and Embedded Systems  CHES 2007 (P. Paillier and I. Verbauwhede, eds.), vol. 4727 of Lecture Notes in Computer Science, pp. 450–466, Springer Berlin Heidelberg, 2007.
 J. Borghoff, A. Canteaut, T. GÃ¼neysu, E. Kavun, M. Knezevic, L. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S. Thomsen, and T. YalÃ§Ä±n, “Prince â a lowlatency block cipher for pervasive computing applications,” in Advances in Cryptology â ASIACRYPT 2012 (X. Wang and K. Sako, eds.), vol. 7658 of Lecture Notes in Computer Science, pp. 208–225, Springer Berlin Heidelberg, 2012.
 M. Hell, T. Johansson, A. Maximov, and W. Meier, “The Grain family of stream ciphers,” New Stream Cipher Designs: The eSTREAM Finalists, LNCS 4986, pp. 179–190, 2008.
 E. Dubrova and M. Hell, “Espresso: A stream cipher for 5G wireless communication systems,” Cryptography and Communications, 2015. accepted, availible at https://eprint.iacr.org/2015/241.
 J.P. Aumasson, L. Henzen, W. Meier, and M. NayaPlasencia, “Quark: A lightweight hash,” Journal of Cryptology, vol. 26, no. 2, pp. 313–339, 2013.
 E. Dubrova, M. Naslund, and G. Selander, “CRCbased message authentication for 5G mobile technology,” in Proceedings of 1st IEEE International Workshop on 5G Security, August 2015.
 T. W. Cusick and P. Stǎnicǎ, Cryptographic Boolean functions and applications. San Diego, CA, USA: Academic Press, 2009.
 D. H. Green, “Families of ReedMuller canonical forms,” International Journal of Electronics, vol. 70, pp. 259–280, 1991.
 R. K. Brayton, C. McMullen, G. Hatchel, and A. SangiovanniVincentelli, Logic Minimization Algorithms For VLSI Synthesis. Kluwer Academic Publishers, 1984.
 H. Feistel, “Cryptography and computer privacy,” Scientific American, vol. 228, pp. 15–23, May 1973.
 National Bureau of Standards, “Data encryption standard,” Tech. Rep. NBS FIPS PUB 46, U.S. Department of Commerce, January 1977.
 B. Schneier and J. Kelsey, “Unbalanced feistel networks and blockcipher design,” in Fast Software Encryption, 3rd International Workshop Proceedings, pp. 121–144, SpringerVerlag, 1996.
 A. Shamir, “Efficient signature schemes based on birational permutations,” in Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO’93, (London, UK, UK), pp. 1–12, SpringerVerlag, 1993.
 A. Klimov and A. Shamir, “A new class of invertible mappings,” in Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems, CHES’02, (London, UK), pp. 470–483, SpringerVerlag, 2002.
 A. Klimov, Applications of Tfunctions in Cryptography. Ph.D. Thesis, Weizmann Institute of Science, 2005.
 R. Lidl and H. Niederreiter, Introduction to Finite Fields and their Applications. Cambridge Univ. Press, 1994.
 L. E. Dickson, Linear Groups with an Exposition of the Galois Field Theory. Teubner, 1901.
 R. L. Rivest, “Permutation polynomials modulo ,” Finite Fields and Their Applications, vol. 7, pp. 287–292, 1999.
 C. J. A. Jansen, Investigations On Nonlinear Streamcipher Systems: Construction and Evaluation Methods. Ph.D. Thesis, Technical University of Delft, 1989.
 S. Golomb, Shift Register Sequences. Aegean Park Press, 1982.
 N. Li and E. Dubrova, “An algorithm for constructing a smallest register with nonlinear update generating a given binary sequence,” in Proceedings of IEEE International Symposium on MultipleValued Logic (ISMVL’2014), 2014.
 E. Dubrova, “Synthesis of binary machines,” IEEE Transactions on Information Theory, vol. 57, pp. 6890 – 6893, 2011.
 E. Dubrova, “Synthesis of parallel binary machines,” in Proceedings of International Conference of ComputerAided Design (ICCAD’2011), (San Jose, CA, USA), pp. 200–206, Nov. 2011.
 M. Robshaw, “Stream ciphers,” Tech. Rep. TR  701, July 1994.
 E. Dubrova and M. Teslenko, “A SATbased algorithm for finding attractors in synchronous Boolean networks,” IEEE/ACM Transactions on Computational Biology and Bioinformatics, vol. 8, no. 5, pp. 1393 –1399, 2011.
 E. Dubrova, M. Teslenko, and A. Martinelli, “Kauffman networks: analysis and applications,” in IEEE/ACM International Conference on ComputerAided Design (ICCAD’2005), pp. 479–484, Nov 2005.
 Berkeley Logic Synthesis and Verification Group, “ABC: A system for sequential synthesis and verification, release 70930,” 2007.
 E. Dubrova and M. Teslenko, “Compositional properties of Random Boolean Networks,” Physical Review E, vol. 71, p. 056116, May 2005.
 B. Gittins, H. A. Landman, S. O’Neil, and R. Kelson, “A presentation on VEST hardware performance, chip area measurements, power consumption estimates and benchmarking in relation to the aes, sha256 and sha512.” Cryptology ePrint Archive, Report 2005/415, 2005. http://eprint.iacr.org/2005/415.
 B. Gammel, R. Göttfert, and O. Kniffler, “Achterbahn128/80: Design and analysis,” in SASC’2007: Workshop Record of The State of the Art of Stream Ciphers, pp. 152–165, 2007.
 B. M. Gammel, R. Göttfert, and O. Kniffler, “An NLFSRbased stream cipher,” in ISCAS, 2006.
 E. Dubrova, “A method for generating full cycles by a composition of NLFSRs,” Design, Codes and Cryptography, 2012.
 E. Dubrova, “A scalable method for constructing Galois NLFSRs with period using crossjoin pairs,” IEEE Transactions on Information Theory, vol. 1, no. 59, pp. 703–709, 2013.
 E. Dubrova, “A list of maximumperiod NLFSRs.” Cryptology ePrint Archive, Report 2012/166, 2012. http://eprint.iacr.org/2012/166.