Cryptanalysis of the Legendre Pseudorandom Function over Extension Fields

Abstract

The Legendre Pseudorandom Function (PRF) is a highly efficient cryptographic primitive built upon the Legendre symbol, valued for its low multiplicative complexity in Multi-Party Computation (MPC) and Zero-Knowledge Proof (ZKP) protocols. While its security over prime fields F_p is well-documented, recent interest has shifted toward instantiations over extension fields F_{p^r}. This paper presents the first comprehensive cryptanalysis of the single-degree Legendre PRF operating over F_{p^r}. First, we analyze polynomial input encoding under a standard passive threat model (sequential additive counter queries). We demonstrate that while the absence of polynomial carry-overs causes an asynchronous "no-carry fracture" that neutralizes classical sliding-window collision attacks, the fracture itself is deterministically periodic. By introducing a novel "Differential Signature" bucketing technique, we prove that an adversary can systematically group fractured sequences by their structural shapes to bypass this defense, recovering the secret key in O(U · p^r / M) operations, where U is the unicity distance. Second, we evaluate the PRF under an active Chosen-Query threat model. We demonstrate that an adversary can circumvent the additive fracture by evaluating the PRF along a geometric sequence generated by a primitive polynomial. This structure invokes strict multiplicative homomorphism over F_{p^r}^*, permitting a direct generalization of state-of-the-art table collision attacks to extract the key in O(p^r / M) operations. Finally, we establish the cryptographic boundaries of these attacks, formally proving the necessity of higher-degree key variants (d ≥ 2) to achieve exponential security against structural reduction in extension fields.
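The following is an added toy implementation, not code from the paper, meant to make the objects named in the abstract concrete: the Legendre symbol over F_p, its analogue (the quadratic character) over an extension field F_{p^r}, and a single-degree Legendre PRF built on each. Two properties the abstract relies on are checked exhaustively on the small field F_49: the multiplicative homomorphism chi(ab) = chi(a)·chi(b) on F_{p^r}^*, and the periodic "no-carry" positions of an additive counter. The representation of F_{p^r} as coefficient lists modulo a chosen irreducible polynomial, the specific modulus t^2 + 4 over F_7, and the encoding of a counter i as its base-p digits (one digit per coefficient) are assumptions of this example, not necessarily the paper's conventions.

```python
# Added example (not from the paper): toy Legendre PRF over F_p and over F_{p^r}.
# Assumptions (illustrative, not the paper's conventions): F_{p^r} elements are
# coefficient lists modulo a chosen monic irreducible polynomial; a counter i is
# encoded as its base-p digits, one digit per coefficient, with no carries.
from itertools import product


def legendre_symbol_fp(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


class ExtField:
    """F_{p^r} = F_p[t] / (m(t)); elements are r coefficients, lowest degree first."""

    def __init__(self, p, modulus):
        self.p = p
        self.m = modulus                 # monic, degree r, coefficients low -> high
        self.r = len(modulus) - 1
        self.order = p ** self.r
        self.one = [1] + [0] * (self.r - 1)

    def add(self, a, b):
        return [(x + y) % self.p for x, y in zip(a, b)]

    def mul(self, a, b):
        p, r = self.p, self.r
        prod = [0] * (2 * r - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % p
        # Reduce modulo m(t) using t^r = -(m_0 + m_1 t + ... + m_{r-1} t^{r-1}).
        for k in range(2 * r - 2, r - 1, -1):
            c = prod[k]
            if c:
                prod[k] = 0
                for j in range(r):
                    prod[k - r + j] = (prod[k - r + j] - c * self.m[j]) % p
        return prod[:r]

    def pow(self, a, e):
        result, base = self.one[:], a[:]
        while e:
            if e & 1:
                result = self.mul(result, base)
            base = self.mul(base, base)
            e >>= 1
        return result

    def is_zero(self, a):
        return all(c == 0 for c in a)

    def quadratic_character(self, a):
        """chi(a) = a^((p^r - 1)/2) in {-1, 0, 1}: the extension-field Legendre symbol."""
        if self.is_zero(a):
            return 0
        return 1 if self.pow(a, (self.order - 1) // 2) == self.one else -1

    def encode_counter(self, i):
        """Polynomial input encoding: base-p digits of i become the coefficients."""
        digits = []
        for _ in range(self.r):
            digits.append(i % self.p)
            i //= self.p
        return digits

    def elements(self):
        return [list(c) for c in product(range(self.p), repeat=self.r)]


def legendre_prf_fp(key, x, p):
    """Single-degree Legendre PRF over F_p: one output bit from (key + x / p)."""
    return 1 if legendre_symbol_fp(key + x, p) == 1 else 0


def legendre_prf_ext(field, key, x):
    """Single-degree Legendre PRF over F_{p^r}: one bit from chi(key + x)."""
    return 1 if field.quadratic_character(field.add(key, x)) == 1 else 0


def homomorphism_holds(field):
    """Exhaustively check chi(a*b) == chi(a) * chi(b) for all nonzero a, b."""
    nz = [a for a in field.elements() if not field.is_zero(a)]
    chi = {tuple(a): field.quadratic_character(a) for a in nz}
    return all(field.quadratic_character(field.mul(a, b)) == chi[tuple(a)] * chi[tuple(b)]
               for a in nz for b in nz)


def character_counts(field):
    """(number of nonzero squares, number of non-squares); should be equal halves."""
    chis = [field.quadratic_character(a) for a in field.elements() if not field.is_zero(a)]
    return chis.count(1), chis.count(-1)


def fracture_positions(field, n):
    """Indices i < n where enc(i+1) - enc(i) != 1 in the field: the integer carry
    from one base-p digit to the next does not exist in F_{p^r}, so the additive
    sequence key + enc(i) breaks at every i = p-1 (mod p)."""
    out = []
    for i in range(n):
        diff = [(x - y) % field.p for x, y in
                zip(field.encode_counter(i + 1), field.encode_counter(i))]
        if diff != field.one:
            out.append(i)
    return out


# F_49 = F_7[t] / (t^2 + 4); t^2 + 4 is irreducible since -4 = 3 is a non-residue mod 7.
F49 = ExtField(7, [4, 0, 1])

if __name__ == "__main__":
    key = [2, 5]                                 # constructed toy key in F_49
    print("F_7 PRF bits:", [legendre_prf_fp(3, x, 7) for x in range(7)])
    print("F_49 PRF bits:", [legendre_prf_ext(F49, key, F49.encode_counter(i)) for i in range(14)])
    print("chi multiplicative on F_49*:", homomorphism_holds(F49))
    print("squares / non-squares in F_49*:", character_counts(F49))
    print("no-carry fracture indices below 20:", fracture_positions(F49, 20))
```

The fracture indices come out as 6, 13, 20, ...: with base-p digit encoding the additive counter stops behaving like key + i exactly once every p queries, which is the periodic structure the abstract says a bucketing attack can exploit. The exhaustive homomorphism check is the property that makes multiplicative (geometric-sequence) queries tractable for collision-style analysis; it holds for every odd prime power, so the same script can be pointed at other small fields by changing p and the modulus.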
