Cryptanalysis of the Legendre Pseudorandom Function over Extension Fields

TL;DR

This paper conducts the first comprehensive cryptanalysis of the Legendre PRF over extension fields, revealing vulnerabilities under passive and active attack models and emphasizing the need for higher-degree variants for security.

Contribution

It introduces novel attack techniques on the Legendre PRF over extension fields and establishes security boundaries, highlighting the importance of higher-degree keys.

Findings

Classical collision attacks are neutralized by a no-carry fracture but can be bypassed using Differential Signature bucketing.

Adversaries can recover the secret key in polynomial time under passive and active models using structural attacks.

Higher-degree key variants are necessary for exponential security against structural reductions in extension fields.

Abstract

The Legendre Pseudorandom Function (PRF) is a highly efficient cryptographic primitive built upon the Legendre symbol, valued for its low multiplicative complexity in Multi-Party Computation (MPC) and Zero-Knowledge Proof (ZKP) protocols. While its security over prime fields $\mathbb{F}_p$ is well-documented, recent interest has shifted toward instantiations over extension fields $\mathbb{F}_{p^r}$. This paper presents the first comprehensive cryptanalysis of the single-degree Legendre PRF operating over $\mathbb{F}_{p^r}$. First, we analyze polynomial input encoding under a standard passive threat model (sequential additive counter queries). We demonstrate that while the absence of polynomial carry-overs causes an asynchronous "no-carry fracture" that neutralizes classical sliding-window collision attacks, the fracture itself is deterministically periodic. By introducing a novel "Differential Signature" bucketing technique, we prove that an adversary can systematically group fractured sequences by their structural shapes to bypass this defense, recovering the secret key in $\mathcal{O}(U \cdot p^r/M)$ operations, where $U$ is the unicity distance. Second, we evaluate the PRF under an active Chosen-Query threat model. We demonstrate that an adversary can circumvent the additive fracture by evaluating the PRF along a geometric sequence generated by a primitive polynomial. This structure invokes strict multiplicative homomorphism over $\mathbb{F}^*_{p^r}$, permitting a direct generalization of state-of-the-art table collision attacks to extract the key in $\mathcal{O}(p^r/M)$ operations. Finally, we establish the cryptographic boundaries of these attacks, formally proving the necessity of higher-degree key variants ($d \ge 2$) to achieve exponential security against structural reduction in extension fields.