For the implementation of the core logic, I probably would have gone for the lazy solution of iterating AES until the output is <2^122 (64 times on average).
Alternatively just use standard Format-Preserving-Encryption, which is usually a Feistel Network, similar to what they ended up with, but built on a standard algorithm, instead of a homebrew round function.
Thank you for finally giving me a name for this concept. I've run into lots of code implementing them badly, but there's a bit of a semantic hill for others when you don't have a better name than "1-cycle permutation".
Alternatively just use standard Format-Preserving-Encryption, which is usually a Feistel Network, similar to what they ended up with, but built on a standard algorithm, instead of a homebrew round function.