What does it mean that $BW_N$ is a permutation over the squares mod N?

Question

Let $BW_N$ be a function such that $BW_N:\mathbb{QR}_{N} \mapsto \mathbb{QR}_{N}$ and let if be defined as follow: $BW_N(x) = x^2 \pmod N$ where $N=pq$ and p and q are primes and $p=q=3 \pmod 4$. I am reading on a set of lecture notes that, "$BW_N$ is a permutation over the squares mod N". Does someone know what that means?

Does that mean its a trapdoor permutation? Or what might it mean?

---

I am not sure if this question would have been more appropriate on the mathematics stack exchange site, but it had to do with crypo so I though it might get a response here.

Answer 1

"$BW_N$ is a permutation over the squares $\mod N$". Does someone know what that means?

You define your map $BW_N:\mathbb{QR}_N\rightarrow \mathbb{QR}_N$. Note that $$\mathbb{QR}_N:=\{r\in Z_N: r\equiv y^2 \pmod{N}, y\in Z_N\}$$ and a permutation is a one-to-one mapping (bijection) from a set into the same set.

Basically, this map is a permutation if under $BW_N$ for every $x\in \mathbb{QR}_N$ there is a unique $y\in \mathbb{QR}_N$ (and clearly the same for its inverse $BW_N^{-1}$).

Now, since you have $N=pq$ being the product of two Blum integers $p$ and $q$, you have that for every of the four possible square roots of $r\in\mathbb{QR}_N$, which are of the form $(\pm\alpha,\pm\beta)$, exactly one of those is also a quardratic residue modulo $N$, i.e., an element of $\mathbb{QR}_N$ (this is not hard to prove).

Consequently, $BW_N$ gives a bijection from $\mathbb{QR}_N$ to $\mathbb{QR}_N$ and this is what is meant by "$BW_N$ is a permutation over the squares mod $N$".

Does that mean its a trapdoor permutation? Or what might it mean?

The factorization of $N$, i.e., the knowledge of $p$ and $q$, is the trapdoor of this permutation and is required to efficiently compute the inverse.

Answer 2

It means that it maps quadratic residues $\mathbb{QR}_{N} \mapsto \mathbb{QR}_{N}$ to quadratic residues. A quadratic residue is a number $x$ such that $x = y^2 \pmod N$ where $N=pq$. A trapdoor means that once you know the factorization of $N$ it is easy to break quadratic residuocity problem. $p=q=3 \pmod 4$ because you choose 'safe' primes $p,q$ such that $p=2p'+1$ for $p'=2p''+1$. So $p=4p''+3$. Consequently the same for q.