Abstract

The Legendre PRF relies on the conjectured pseudorandomness properties of the Legendre symbol with a hidden shift. Originally proposed as a PRG by Damgård at CRYPTO 1988, it was recently suggested as an efficient PRF for multiparty computation purposes by Grassi et al. at CCS 2016. Moreover, the Legendre PRF is being considered for usage in the Ethereum 2.0 blockchain. This paper improves previous attacks on the Legendre PRF and its higher-degree variant due to Khovratovich by reducing the time complexity from $O(p \log p / M)$ to $O(p \log^2 p / M^2)$ Legendre symbol evaluations when $M \le \sqrt[4]{p \log^2 p}$ queries are available. The practical relevance of our improved attack is demonstrated by breaking three concrete instances of the PRF proposed by the Ethereum foundation. Furthermore, we generalize our attack in a nontrivial way to the higher-degree variant of the Legendre PRF and we point out a large class of weak keys for this construction. Lastly, we provide the first security analysis of two additional generalizations of the Legendre PRF originally proposed by Damgård in the PRG setting, namely the Jacobi PRF and the power residue PRF.

Highlights

  • The Legendre symbol is a multiplicative function modulo an odd prime number p that assigns to an element a ∈ Fp the value 1, 0 or −1 depending on whether or not a is a square

  • This paper aims to advance the state-of-the-art in the cryptanalysis of the Legendre PRF by improving upon Khovratovich’s attacks on the one hand, and by providing the first security analysis of the Jacobi and power residue symbol generalizations on the other hand

  • This section discusses several aspects of our implementation of the attack from Section 3.3 that we applied to the key recovery puzzles proposed by the Ethereum foundation [Fei19b]


Summary

Introduction

The Legendre symbol is a multiplicative function modulo an odd prime number p that assigns to an element a ∈ Fp the value 1, 0 or −1 depending on whether a is a nonzero square, zero, or a nonsquare. The distribution of Legendre symbols has been a subject of study for number theorists at least since the early 1900s [Ala96, vS98, Jac06, Dav31, Dav39]. The Weil bound [Wei48] controls the number of occurrences of a fixed pattern of l nonzero Legendre symbols among the integers 1, 2, …, and the distribution of fixed-length substrings of Legendre symbols converges to the uniform distribution.
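The following is an added example, not code from the paper or from the Ethereum foundation's puzzles. It makes the objects named in the abstract and in this introduction concrete: the Legendre symbol computed by Euler's criterion, the Legendre PRF as a Legendre symbol with a hidden shift (the 0/1 output mapping is this example's own assumption; the page does not state the paper's encoding), the r-th power residue symbol of which the Legendre symbol is the r = 2 case, a count of a fixed pattern of l nonzero symbols of the kind the Weil bound controls, and a naive brute-force key recovery that is only the O(p·M) baseline, not the paper's attack. All function names and the toy parameters (p = 10007, key 1234, M = 64) are constructed for illustration.

```python
"""Added example: Legendre symbol, Legendre PRF with hidden shift, power residue
generalization, Weil-bound style pattern count, and baseline brute-force key recovery.
Not code from the paper; names, bit mapping and parameters are this example's assumptions."""

from typing import List, Sequence


def legendre_symbol(a: int, p: int) -> int:
    """(a/p) for an odd prime p via Euler's criterion: a^((p-1)/2) mod p is
    1 for a nonzero square, p-1 (i.e. -1) for a nonsquare, and 0 if p divides a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def power_residue_symbol(a: int, p: int, r: int) -> int:
    """r-th power residue symbol for r | p-1: a^((p-1)/r) mod p, which is an
    r-th root of unity mod p (or 0). r = 2 recovers the Legendre symbol with
    -1 represented as p-1."""
    assert (p - 1) % r == 0, "r must divide p-1"
    return pow(a % p, (p - 1) // r, p)


def legendre_prf(key: int, x: int, p: int) -> int:
    """One Legendre PRF output bit: the Legendre symbol of the shifted input
    x + key, mapped to {0, 1}. Mapping 1 -> 1 and {-1, 0} -> 0 is an assumption
    of this example, not necessarily the paper's encoding."""
    return 1 if legendre_symbol(x + key, p) == 1 else 0


def keystream(key: int, x0: int, m: int, p: int) -> List[int]:
    """m consecutive PRF outputs on inputs x0, x0+1, ..., x0+m-1: the query
    model in which an attacker has M outputs available."""
    return [legendre_prf(key, x0 + i, p) for i in range(m)]


def pattern_count(pattern: Sequence[int], p: int) -> int:
    """Number of i in 1..p-l such that ((i/p), ..., ((i+l-1)/p)) equals the
    given pattern of l values in {1, -1}. The Weil bound says this count is
    close to p / 2^l for every pattern, i.e. fixed-length windows of the
    symbol sequence look uniformly distributed."""
    l = len(pattern)
    symbols = [legendre_symbol(a, p) for a in range(p)]  # symbols[a] = (a/p)
    target = list(pattern)
    return sum(1 for i in range(1, p - l + 1) if symbols[i:i + l] == target)


def recover_key_bruteforce(p: int, x0: int, outputs: Sequence[int]) -> List[int]:
    """Naive key recovery: try every key in F_p and keep those that reproduce
    all observed outputs. Worst case O(p * M) symbol evaluations (early exit
    makes the average close to O(p)); this is the baseline the paper's
    O(p log^2 p / M^2) attack improves upon, not that attack itself."""
    candidates = []
    for k in range(p):
        for i, y in enumerate(outputs):
            if legendre_prf(k, x0 + i, p) != y:
                break
        else:
            candidates.append(k)
    return candidates


if __name__ == "__main__":
    # Constructed toy parameters; the real puzzles use much larger primes.
    p, key, m = 10007, 1234, 64
    ys = keystream(key, 0, m, p)
    print("recovered keys:", recover_key_bruteforce(p, 0, ys))
    for pat in [(1, 1, 1), (1, -1, 1)]:
        print(pat, pattern_count(pat, p), "expected about", (p - 1) / 8)
```

With M = 64 observed bits and p ≈ 2^13.3, a false key surviving all 64 comparisons is expected with probability around p/2^64, so the brute force returns exactly the planted key; the point of the paper is that scanning all p keys is far from the best one can do once M queries are available.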

