On Constructing Secure and Hardware-Efficient Invertible Mappings

Our society becomes increasingly dependent on wireless communications. The tremendous growth in the number and type of wirelessly connected devices in a combination with the dropping cost for performing cyberattacks create new challenges for assuring security of services and applications provided by the next generation of wireless communication networks. The situation is complicated even further by the fact that many end-point Internet of Things (IoT) devices have very limited resources for implementing security functionality. This paper addresses one of the aspects of this important, many-faceted problem - the design of hardware-efficient cryptographic primitives suitable for the protection of resource-constrained IoT devices. We focus on cryptographic primitives based on the invertible mappings of type ${0,1,\ldots,2^n-1} \rightarrow {0,1,\ldots,2^n-1}$. In order to check if a given mapping is invertible or not, we generally need an exponential in $n$ number of steps. In this paper, we derive a sufficient condition for invertibility which can be checked in $O(n^2 N)$ time, where $N$ is the size of representation of the largest function in the mapping. Our results can be used for constructing cryptographically secure invertible mappings which can be efficiently implemented in hardware.

💡 Research Summary

The paper addresses the pressing need for lightweight cryptographic primitives that can be efficiently realized in hardware for resource‑constrained Internet‑of‑Things (IoT) devices. It focuses on invertible mappings of the form {0,…,2ⁿ‑1} → {0,…,2ⁿ‑1}, which can be equivalently expressed as an n‑bit Boolean vector function f = (f₀,…,fₙ₋₁) where each output bit fᵢ is a Boolean function of the n input bits. While it is trivial to verify invertibility by exhaustive enumeration (requiring O(2ⁿ) time), such a method is infeasible for realistic values of n. Existing constructions—such as Substitution‑Permutation Networks, Feistel networks, T‑functions, and permutation polynomials—either rely on specific algebraic forms or impose restrictive dependencies (e.g., each output bit may depend only on lower‑indexed inputs). Consequently, they cannot capture many useful nonlinear mappings that would be attractive for hardware implementation.

The authors introduce a novel sufficient condition for invertibility that can be checked in polynomial time, specifically O(n²·N), where N denotes the size of the largest Boolean function’s representation (e.g., the number of monomials in its Algebraic Normal Form). The key ideas are:

1. Free Variable – A variable xᵢ is called a free variable of a Boolean function f if f can be written as xᵢ ⊕ g, where xᵢ does not appear in g. The set of all free variables of f is denoted Φ(f).

2. Triangular Decomposition – For each output function fᵢ, there must exist a free variable x_{jᵢ} such that fᵢ = x_{jᵢ} ⊕ gᵢ, with x_{jᵢ} ∈ Φ(fᵢ). Moreover, the functions f₀,…,fₙ₋₁ can be reordered (renamed) so that the dependency set of each gᵢₖ is contained in the union of the dependency sets of the previously ordered g’s and the original dependency set of the corresponding f. Formally, dep(gᵢₖ) ⊆ ⋃{t<k} dep(gᵢ_t) ∪ dep(fᵢ{j}) for appropriate indices.

These two conditions enforce a “triangular” structure reminiscent of Gaussian elimination: starting from the first reordered function, the free variable can be recovered directly (x_{j₀}=f₀⊕g₀). The second function’s free variable can then be recovered using the already known x_{j₀}, and so on. By induction, every input bit can be uniquely reconstructed from the output vector, guaranteeing that distinct inputs cannot map to the same output; thus the mapping is a permutation.

The authors prove the condition by contradiction: assuming a non‑invertible mapping satisfies the conditions leads to an impossible situation where two distinct inputs would produce identical outputs, violating the triangular reconstruction process.

Complexity Analysis – Detecting whether a variable is free in a Boolean function reduces to checking whether the variable appears linearly (i.e., with coefficient 1) and does not appear in any higher‑degree monomial. This can be done by scanning the ANF representation in O(N) time per function. Verifying the inclusion of dependency sets for the reordered sequence requires O(n·N) time per function, leading to an overall O(n²·N) bound. This is dramatically better than the exponential brute‑force approach and makes the condition practical for automated design tools.

Hardware Implications – Because each free variable appears only as a single XOR with a (typically smaller) sub‑function gᵢ, the hardware realization requires only one XOR gate per output bit plus the gates needed to implement gᵢ. The triangular ordering ensures that the overall circuit depth is limited: the computation of later outputs depends only on previously computed free variables, not on the full set of inputs. The paper contrasts this with traditional NLFSR implementations, showing that a “binary machine” built from the proposed mappings can achieve the same state‑transition behavior with fewer Boolean operations and lower propagation delay, which is crucial for low‑power, low‑area IoT chips.

Application to Stream Ciphers – The authors sketch how the sufficient condition can be employed to construct the state‑update function of a stream cipher. By designing the state transition as a permutation satisfying the triangular free‑variable condition, the cipher guarantees that the internal state can be uniquely reversed (useful for decryption or for certain cryptanalytic reductions) while still providing high non‑linearity and resistance to differential attacks. Moreover, the hardware‑friendly nature of the construction leads to efficient implementations on ASICs or FPGAs.

In summary, the paper contributes a theoretically sound, efficiently verifiable sufficient condition for invertibility of n‑bit Boolean mappings, bridges the gap between algebraic constructions and practical hardware design, and demonstrates its relevance to modern cryptographic primitives targeting the IoT ecosystem. The O(n²·N) verification algorithm enables designers to automatically generate secure, hardware‑efficient permutations without resorting to exhaustive testing, thereby facilitating the development of lightweight yet robust cryptographic modules for the next generation of wireless and embedded systems.