The Legendre Pseudorandom Function as a Multivariate Quadratic Cryptosystem: Security and Applications



Introduction
Zero-knowledge proofs (ZKP) and secure multi-party computation (MPC) protocols are ubiquitous in cryptography. These advanced cryptographic tools are applied and deployed in many applications, e.g., privacy-preserving cryptocurrencies, threshold cryptography and secure instant messaging. The widespread adoption of ZKPs and MPC protocols necessitates novel symmetric-key primitives [GRR+16]. Traditional symmetric-key primitives, e.g., AES, cause significant overhead in ZKPs or MPC due to their vast multiplicative complexity.
Therefore, interest in algebraic symmetric-key primitives with low multiplicative depth has recently revived [GRR+16]. Lately, several novel algebraic MACs [DKPW12, CMZ14], hash functions [AGR+16, GKR+21] and algebraic pseudorandom functions [Dam88] have been proposed for cryptographic use. New algebraic constructions with low multiplicative complexity are especially attractive due to their distinguished efficiency properties in ZKPs or MPC protocols. However, this new algebraic design paradigm possibly opens up new avenues for attacks [AABS+20]. The cryptanalysis of these new symmetric-key primitives is an active research field with notable published works. For instance, Albrecht et al. conducted an algebraic cryptanalysis of MARVELlous [AD18] and the MiMC hash functions [ACG+19], while Li and Preneel refined interpolation attacks on low algebraic degree cryptosystems [LP19]. One of the most promising cryptosystems for use in ZKPs and MPC protocols is a pseudorandom function (PRF) based on quadratic and power residue symbols. Recall that if p is a prime, the Legendre symbol (a/p) is 1 if a is a square modulo p and −1 otherwise (the symbol of 0 mod p is 0 by convention). In this work, we focus on the cryptographic security of a PRF family, called the Legendre PRF, and its extensions, which are derived from the evaluation of the Legendre symbol.
There exists a vast mathematics literature asserting that Legendre and power residue symbols are particularly well suited for use in pseudorandom functions, since they exhibit high pseudorandomness. One of the first results is due to Pólya and Vinogradov (1918), and later Davenport (1931), cf. [Vin16, Dav31].
They assert that character sums behave like independent fair coin tosses, i.e., $\left|\sum_{a=M+1}^{M+N} \left(\frac{a}{p}\right)\right| \le \sqrt{p}\,\log p$. In the case of Legendre symbols, Peralta extended this result by showing that for any fixed n, the n-grams of Legendre symbols are asymptotically equally distributed [Per92]. Mauduit and Sárközy introduced several metrics to measure the pseudorandomness of binary sequences and argued that "Legendre symbol sequences are the most natural candidate for pseudorandomness" [MS97]. Ding et al. confirmed the high linear complexity of Legendre symbol sequences [DHS98]. Tóth and Gyarmati et al. introduced new pseudorandomness measures and asserted high values of those for Legendre symbol sequences [Tót07, GMS14].
Related work. In spite of the above results, the security guarantees of the Legendre PRF from a cryptographic standpoint are surprisingly poorly understood. The quantum case is settled whenever a quantum oracle is available to the attacker, as polynomial-time quantum algorithms are known to recover the key of a Legendre PRF [vDHI06, RS04]. However, if the oracle can only be queried classically, then no efficient quantum algorithm is known. In concurrent and independent work, Frixons and Schrottenloher [FS21] investigated the quantum security of the Legendre PRF without quantum random access to an oracle. While they presented two new attacks in this setting, both of them remain impractical for key recovery, strengthening the security intuition. On the other hand, in the classical setting, only exponential key-recovery algorithms are known, due to Khovratovich [Kho19], Beullens et al. [BBUV20] and Kaluderovic et al. [KKK20]. One might ask whether there could be sub-exponential key-recovery attacks on the Legendre PRF. Damgård in 1988 proposed as an open problem to assess the security and complexity of predicting Legendre or Jacobi symbols. He contemplated reducing well-known number-theoretic assumptions to the problem of predicting Legendre or Jacobi symbol sequences [Dam88]. In this paper, we show connections of the Legendre and Jacobi sequences to a different branch of cryptography, namely multivariate quadratic cryptography. This study is useful in establishing the security of various cryptographic applications derived from the Legendre PRF, e.g., the digital signature scheme by Beullens et al. [BdSG20].
Our contributions. In this work, we make the following contributions.
Legendre PRF as an MQ instance. We show that key-recovery attacks on the Legendre PRF are equivalent to solving a specific family of sparse multivariate quadratic equation systems over a finite field. Moreover, the weak unpredictability of the PRF is reducible to the decidability of the aforementioned equation system. These connections naturally extend to higher-degree Legendre PRFs and power residue symbol PRFs.
Algebraic cryptanalysis. We conduct the first algebraic cryptanalysis of the MQ instance induced by the Legendre PRF. We find that the Legendre PRF is immune to interpolation, direct (Gröbner basis) and rank attacks. We also present algebraic-geometric arguments to support the complexity of finding solutions in these sparse MQ instances over a finite field. However, none of these standard cryptanalytic tools from multivariate cryptography improve on the state-of-the-art key-recovery attacks against the Legendre PRF [Kho19, BBUV20, KKK20]. On the other hand, we find that the induced MQ instances behave like random MQ instances in terms of degree of regularity, i.e., the corresponding ideals are semi-regular. This observation might be interpreted as evidence of the difficulty of breaking the Legendre PRF.
Novel cryptographic applications of the Legendre PRF. Besides assessing the security of the Legendre PRF, we utilise its special properties to apply it in various cryptographic tasks. Expressing the Legendre PRF as an MQ instance facilitates novel cryptographic applications, i.e., verifiable random functions. Moreover, we exploit its multiplicativity to construct (verifiable) oblivious (programmable) pseudorandom functions. Due to their efficiency, these novel extensions can be applied in several cryptographic protocols, such as state-of-the-art private set intersection (PSI) protocols.
Organisation. This paper is organised as follows. In Section 2, we provide the necessary background on Legendre symbols and related hard cryptographic problems. In Section 3, we show that key-recovery attacks against the Legendre PRF are equivalent to solving a specific MQ instance. In Section 4, we analyze the security of the MQ instance induced by the Legendre PRF. We realize several cryptographic primitives from the Legendre PRF in Section 5. Finally, we conclude our paper in Section 6 by pointing out future directions.

Preliminaries
Notations. Whenever we sample x from a set S uniformly at random we write x ∈_R S. Let p be an odd prime and let K ∈_R F_p be a secret key. The modular square root algorithm mod p is denoted as sqrt_p(·). Vectors of group elements are denoted in bold. In the following, n and m denote the number of variables and equations, respectively. Throughout this work, we work in the multivariate polynomial ring F_p[x_1, ..., x_n] over the finite field F_p. ⟨LT(I)⟩ denotes the ideal generated by the leading terms of the ideal I. For ease of exposition we use [x] to denote a secret share of the value x ∈ F_p.
Background on the Legendre PRF. Damgård proposed using the sequence of consecutive Legendre symbols with respect to a large prime p for "pseudorandom bit generation" [Dam88].
Definition 2.1 (Sequential Legendre PRF) Let p be a prime depending on the security parameter λ, and let {a}_K denote the following sequence: Damgård conjectured that the sequence is pseudorandom when starting at a secret K. Sometimes it is easier to work with bits rather than the original Legendre symbols themselves; therefore the Legendre PRF is defined with Boolean output (for a key- and input-space F_p).
Definition 2.2 (Legendre pseudorandom function) The function L_K(x) is defined by mapping the corresponding Legendre symbol to {0, 1}, i.e., , where s is a seed and l(·) is an expansion factor, is next-bit unpredictable (sometimes called weakly unpredictable) if for all probabilistic polynomial-time algorithms A there is a negligible function negl(λ) such that where the sequence
Assumptions. It is conjectured that no classical adversary running in sub-exponential time could recover the hidden shift K. One might also consider generalisations of the problem, such as replacing the linear polynomial inside the Legendre symbol evaluations by a secret degree-d polynomial, or replacing the quadratic symbol by an r-th power residue symbol.
Definition 2.5 (Multivariate Quadratic (MQ) problem) Given random quadratic polynomials over a finite field, i.e., (f It is well known that the MQ problem is NP-hard for any choice of finite field F [GJ79]. In cryptographic applications, F is often F_2 or an extension of it. However, throughout this work, we consider MQ problems over F_p for some large prime p. The MQ problem is one of the major candidates on which post-quantum secure cryptosystems can be based. Currently, there are no known sub-exponential algorithms to solve the MQ problem.
NIZK Arguments. Since in our VRF proposal we make use of non-interactive zero-knowledge (NIZK) arguments, we recall the relevant syntax following [BFM19]; for the details and exact security requirements we refer to [BFM19]. NIZK arguments consist of four PPT algorithms that are defined with respect to a relation generator algorithm R-Gen(1^λ) that, upon receiving a security parameter λ, outputs a polynomial-time decidable relation R : {0, 1}* × {0, 1}*, which in our case is {(φ, w) ∈ R | φ(w) = 0}, where the statement φ is an MQ equation system over F_p and a valid witness w is a solution of the system.
Definition 2.6 (Perfect NIZK argument [BFM19]) We say that a NIZK is a perfect NIZK argument for R if it has perfect completeness, perfect zero-knowledge and computational soundness, as defined in [BFM19].
3 The Legendre PRF as an MQ instance
Here we describe how to express the sequential Legendre PRF, cf. Definition 2.1, as a multivariate quadratic equation system. We remark that in a similar fashion all the variants (higher-degree) and extensions (power-residue and Jacobi PRF) of the sequential Legendre PRF could be expressed as a suitable MQ instance. Most of our results and observations can easily be ported to those MQ instances as well. Therefore, in this work, we solely focus on the sequential Legendre PRF.

The Ideal
Let us fix an arbitrary quadratic non-residue r ∈ Z_p^*. Furthermore, it is assumed that we are given {a}_K, often with a ≈ log(p). Let b_i := ((K + i)/p) and let x_i be the corresponding unknown. We think of the unknown x_i as the square root of K + i if b_i = 1; otherwise x_i denotes the square root of r(K + i), which is then a quadratic residue. Therefore, for each pair of neighbouring Legendre symbols (b_i, b_{i+1}), we define a unique quadratic equation. If b_i = b_{i+1} = 1, then we know that x_{i+1}^2 = K + i + 1 and If b_i = b_{i+1} = −1, then we have that x_{i+1}^2 = r(K + i + 1) and x_i^2 = r(K + i), hence Finally, if b_i = 1 = −b_{i+1} or b_i = −1 = −b_{i+1}, then we obtain the following two quadratic equations: Altogether, this allows us to efficiently transform any Legendre symbol sequence into an equivalent multivariate quadratic equation system. If we have n Legendre symbols, then we obtain m = n − 1 independent equations in n variables, hence the MQ instance is underdefined. Note that the equation system is extremely sparse.
Example 1 We consider the following example to illustrate the quadratic equation system induced by the Legendre PRF. Let p = 0xfffffffffffffffffffdd and K = 0x27aaa97c746c22e12d10. The smallest quadratic non-residue modulo p is 2. We display the MQ instance induced by the evaluation of the sequential Legendre PRF, {5}_K = (1, 1, −1, −1, 1). Each pair of consecutive Legendre symbols defines an equation. The ideal corresponding to {5}_K has the following form: Let I := ⟨f_1, f_2, ..., f_m⟩ be the ideal generated by the quadratic polynomials defined by Equations 1, 2 and 3. We want to solve this equation system simultaneously, i.e., find points in the variety V(I). If the sequence of Legendre symbols is long enough, heuristically O(log p), then there are O(1) solutions in F_p (only considering solutions where x_i ∈ [0, (p−1)/2] for all i) and one of them corresponds to the secret key K of the PRF. Note that V(I) might contain additional solutions when considered over the algebraic closure of F_p.

The Gröbner basis
To better understand the variety V(I), we first describe the Gröbner basis of I [Buc65]. Interestingly, we can easily compute the Gröbner basis of I regardless of the size of p or the length of the Legendre sequence {a}_K.
Proof: With a case distinction one can show that G generates The other cases are similar. Thus I ⊂ ⟨G⟩. By the Buchberger criterion, we only need to verify that for all i, j the S-polynomial S(g_i, g_j) divided by the Gröbner basis has no remainder, i.e., the remainder of S(g_i, g_j) modulo G is 0. This follows from Buchberger's product criterion, but we include the following simple proof for completeness. We let i < j and consider here solely the case b_i = b_j = b_{n−1} = 1. The rest of the cases result in a similar calculation. By the definition of the S-polynomials, we have S(g_i, g_j) = x_j^2 g_i − x_i^2 g_j. First, we divide S(g_i, g_j) by g_i. We observe that the remainder of the polynomial division is g_j(x_{n−1}^2 − (n − i)), which is divisible by g_j. Therefore, indeed the remainder of S(g_i, g_j) modulo G is 0. Hence, the polynomials in G indeed form a Gröbner basis. G is reduced, since all of its basis polynomials have leading coefficient one. Moreover, ⟨LT(g_i)⟩ = ⟨LT(I)⟩ and no trailing term of any g_i ∈ G lies in ⟨LT(I)⟩.
Example 2 The Gröbner basis of the polynomials corresponding to the Legendre symbol sequence {5}_K from Example 1 consists of the following quadratic bivariate polynomials: We remark that one can view the resulting equation system as a simultaneous Pell-equation system over F_p. Each polynomial in the Gröbner basis is quadratic, bivariate and has p − 1 solutions in F_p. Put differently, seemingly no elimination ideal turns out to be helpful in finding a common zero.
First, we observe that the polynomials in I lack any special internal structure, i.e., the only relations holding are the trivial ones. More formally, the m = n − 1 multivariate quadratic polynomials of I in n variables define a regular ideal, i.e., V(I) is a 1-dimensional variety, namely it contains an infinite number of solutions over the algebraic closure of F_p. The proof of the following lemma is in Appendix B.
Lemma 3.2 I is a regular ideal.

The Field Equations
As we have seen previously, the corresponding variety V(I) of the ideal I has dimension 1. However, in the cryptanalysis of the Legendre PRF, we wish to obtain a 0-dimensional variety that contains the secret key K of the PRF. As we show, this can be achieved by adding the field equations to the ideal I.
A sequence {n}_K can be described with polynomials in F_p[x_0, x_1, ..., x_n]. Let us define I_FE as follows:
Example 3 We illustrate the ideal I_FE complemented with the field equations with parameters p = 191 and The smallest quadratic non-residue is r = 7 mod 191.
The corresponding Gröbner basis has the following form, Note how helpful the Gröbner basis is in obtaining the secret key K. In addition, one can also read off all the evaluated points from the Gröbner basis. If the variable x_i corresponds to a residue, then x_i^2 is one of the evaluated points of the PRF. Alternatively, if x_i corresponds to a non-residue, then r^{−1} x_i^2 mod p is the evaluated point of the PRF.
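As an added worked example (not code from the paper), the following Python builds the sparse MQ instance of Section 3.1 from a Legendre symbol sequence, checks it against the square-root witness that the key holder can compute, and reads the evaluated points back off a solution as described for Example 3. The demo at the bottom reuses the p and K of Example 1; the (a, b, c) coefficient layout and the exponent bookkeeping e_i are my own convention, not the paper's notation.

```python
"""Sparse MQ instance induced by a Legendre symbol sequence (Section 3.1).

Constructed example. Equation i for the neighbouring pair (b_i, b_{i+1}) is
stored as (a, b, c) meaning   a * x_{i+1}^2 + b * x_i^2 + c = 0 (mod p)
with a = r^e_i, b = -r^e_{i+1}, c = -r^(e_i + e_{i+1}), e_i = 0 if b_i = 1 else 1.
This single formula covers the four cases of Section 3.1; in the (-1, -1) case
it is r times the page's x_{i+1}^2 - x_i^2 - r.
"""


def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion; p must be an odd prime."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def smallest_nonresidue(p):
    """Smallest quadratic non-residue modulo p (the paper's choice of r)."""
    r = 2
    while legendre(r, p) != -1:
        r += 1
    return r


def sqrt_mod(a, p):
    """Tonelli-Shanks: one square root of the quadratic residue a modulo p."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        raise ValueError("not a quadratic residue")
    if p % 4 == 3:  # fast path, e.g. p = 191 from Example 3
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    m, c = s, pow(smallest_nonresidue(p), q, p)
    t, root = pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:  # least i with t^(2^i) = 1
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, root = t * c % p, root * b % p
    return root


def legendre_sequence(K, n, p):
    """{n}_K = ((K/p), ((K+1)/p), ..., ((K+n-1)/p))."""
    return [legendre(K + i, p) for i in range(n)]


def mq_from_sequence(seq, r, p):
    """The m = n-1 sparse quadratics (a, b, c) for the symbol sequence seq.
    Only the symbols and r are needed: the key K never appears."""
    exps = [0 if b == 1 else 1 for b in seq]
    return [(pow(r, e_i, p), -pow(r, e_j, p) % p, -pow(r, e_i + e_j, p) % p)
            for e_i, e_j in zip(exps, exps[1:])]


def witness(K, seq, r, p):
    """x_i = sqrt_p(K+i) if b_i = 1, else sqrt_p(r (K+i)) (Section 3.1)."""
    return [sqrt_mod((K + i) if b == 1 else r * (K + i), p)
            for i, b in enumerate(seq)]


def satisfies(eqs, xs, p):
    """Check every a x_{i+1}^2 + b x_i^2 + c = 0 (mod p)."""
    return all((a * xs[i + 1] ** 2 + b * xs[i] ** 2 + c) % p == 0
               for i, (a, b, c) in enumerate(eqs))


def evaluated_points(xs, seq, r, p):
    """Read off K+i from a solution: x_i^2 for residues, r^{-1} x_i^2 for
    non-residues (these are exactly the generators g_i of Theorem 3.3)."""
    r_inv = pow(r, -1, p)
    return [(x * x if b == 1 else r_inv * x * x) % p for x, b in zip(xs, seq)]


if __name__ == "__main__":
    p = 0xfffffffffffffffffffdd  # Example 1 parameters from the paper
    K = 0x27aaa97c746c22e12d10
    r = smallest_nonresidue(p)
    seq = legendre_sequence(K, 5, p)
    eqs = mq_from_sequence(seq, r, p)
    xs = witness(K, seq, r, p)
    print("r =", r, "sequence {5}_K =", seq)
    for i, (a, b, c) in enumerate(eqs):
        print(f"f_{i}: {a}*x_{i + 1}^2 + {b}*x_{i}^2 + {c} = 0 (mod p)")
    print("witness satisfies system:", satisfies(eqs, xs, p))
    print("points read off correctly:",
          evaluated_points(xs, seq, r, p) == [(K + i) % p for i in range(5)])
```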
Using the intuition of Example 3, we can show in general the structure of the Gröbner basis of I_FE.
Theorem 3.3 Let {n}_K = (b_0, ..., b_{n−1}) be a Legendre symbol sequence for which there exists a unique key K. We consider its corresponding ideal complemented with the field equations, I_FE = ⟨f_1, f_2, ..., f_m⟩ where m = 2(n − 1) + 1, as defined by Equation 5. Then the Gröbner basis of I_FE with respect to the (graded) lexicographic ordering consists of the polynomials g_i, for i ∈ [0, n − 1], such that Moreover, G := (g_i)_{i=0}^{n−1} is a reduced Gröbner basis.
Proof: G generates the ideal I_FE, since each f_i can be expressed using the generators g_i. The generating polynomials f_i of the ideal I can be expressed as f_i = r^{L_0(K+i+1)} g_{i+1} − r^{L_0(K+i)} g_i. The field polynomials can also be expressed using the generators of G. Specifically, let us denote the modular square roots of r^{L_0(K+i)}(K + i) by b and c. Then, By the uniqueness of K, we also have that G ⊂ I_FE, since the corresponding varieties are equal over the algebraic closure.
Next, we verify that the Buchberger criterion holds for the polynomials in G. In this case, S(g_i, g_j) = x_j^2 g_i − x_i^2 g_j. Depending on the residuosity of b_i, b_j we have four cases, but for the sake of simplicity we only consider here the case b_i = b_j = 1. The other cases follow similarly. The S-polynomial is divisible by G, since S(g_i, g G is clearly a reduced Gröbner basis, as each leading coefficient is one and no monomial of g_i lies in ⟨LT(G \ {g_i})⟩.
In Section 4, we evaluate empirically the time complexity of computing the Gröbner basis of MQ instances (the ideal I_FE) induced by Legendre PRF sequences. The ideal I_FE cannot be regular, as it contains more polynomials than variables. However, the Gröbner basis of I_FE allows us to observe easily that in I_FE there are no internal dependencies between the ideal's generating polynomials. More precisely, we prove the following lemma in Appendix B.
Lemma 3.4 I_FE is a semi-regular ideal if the conditions of Theorem 3.3 are met.
The asymptotic behaviour of the degree of regularity of semi-regular ideals is well understood [BFSY05]. The degree of regularity d_reg of an ideal is a measure used to assess the theoretical complexity of computing the Gröbner basis of the ideal. For a precise definition, the reader is referred to [CLO13]. Finally, we show the usefulness of I_FE in connection with the Legendre PRF.
Lemma 3.5 A successful Legendre key-recovery attack is polynomial-time equivalent to solving the MQ system defined by the ideal I_FE. On the other hand, the weak unpredictability of the Legendre PRF is equivalent to the decidability of the induced MQ instance over the finite prime field.

Proof:
Let us define the variety V and ideal I defined by the Legendre PRF evaluation {n}_K. More precisely, we fix a quadratic non-residue r ∈ F_p. In polynomial time, we construct The corresponding ideal is denoted as I*. We show that V* = V(I_FE). First, V* ⊂ V(I_FE), because this is how the polynomials in I_FE are constructed: all the points in V* vanish on the polynomials of I_FE. The other inclusion is trivial by the construction of the polynomials of I_FE. I_FE is a radical ideal, since every ideal that contains its field equations is a radical ideal [Ull12, Lemma 2.2.3]. Hence, I_FE is the smallest ideal that vanishes on V*.
As for the unpredictability of the Legendre PRF, if the MQ system corresponding to a purported PRF evaluation is not solvable, then it is certain that the pseudorandom sequence was not obtained by evaluating the Legendre PRF.
We highlight again the sparsity of the induced MQ instance. This is in contrast with most MQ public-key cryptosystems, where the MQ instance is generated uniformly at random by the signer or encryptor.
Typically, a random MQ instance has many non-zero coefficients, resulting in large public keys. Contrarily, in the case of the Legendre PRF, the MQ instances exhibit a specific structure (cf. Examples 1 and 3) stemming from the multiplicative group of F_p. Interestingly, if a single coefficient in the Legendre MQ instance became 0, then the whole equation system would suddenly be trivially solvable by "back-substitution".
In Section 4, we turn our attention to assessing the security of the MQ instance induced by the Legendre PRF. In particular, we assess the complexity of solving these particular equation systems. According to [HLY12], in order to prove the security of a multivariate PRF, it suffices to show that the family of MQ instances f induced by the PRF is hard to solve. This is because then the distributions D_1 = (f, f(x_0, x_1, ..., x_{n−1})) and D_2 = (f, U_m) are computationally indistinguishable, where U_m is the uniform distribution over F_p^m [HLY12].
4 Security of the Legendre PRF as MQ instances
In this section, we evaluate the complexity of a key-recovery attack on the Legendre PRF as an MQ instance. We find that direct attacks, solvers and other traditional algebraic attacks (interpolation attacks, MinRank, etc.) do not improve on the state-of-the-art classical attack due to Kaluderovic et al. [KKK20].

Algebraic Cryptanalytic Attempts
Interpolation Attacks. Interpolation attacks aim to interpolate a cryptosystem's polynomial without knowing its secret key [JK97]. In a single-party setting, the Legendre PRF is typically evaluated more than once for a particular key K, i.e., {a}_K is used as a pseudorandom bit-string, where a > 0. In these cases, the resulting bit-string is mapped to integers, for instance, in the following way, Note that deg(F_K(a)) = (p−1)/2, i.e., the polynomial representing the Legendre PRF has almost full degree over F_p, which is exponential in the security parameter. The polynomial is dense (all possible monomials appear) and no coefficient depends on the key K. These properties make interpolation attacks infeasible, as they would require at least (p−1)/2 + 1 pairs of keys and pseudorandom field elements to interpolate F_K(a).
Direct Algebraic Attacks. Direct algebraic attacks, i.e., computing the Gröbner basis [Buc65], aim to directly solve the cryptosystem's underlying MQ instance. The computational complexity of these attacks is equivalent to that of computing the Gröbner basis [SKI04], which in turn depends on the degree of regularity, d_reg, of the MQ instance at hand. Hence, it is of great interest to compute d_reg of an MQ cryptosystem. However, in many cases this is not possible without actually calculating the Gröbner basis itself. For m equations of degree at most d in n variables, the arithmetic complexity of Gröbner basis computation is $2^{2^{O(n)}}$ in general and $O\left(m \cdot \binom{n + d_{reg} - 1}{n}^{\omega}\right)$ in the case of 0-dimensional regular systems, where 2 ≤ ω ≤ 3 is the linear algebra constant of matrix multiplication. We empirically evaluated the performance of computing the Gröbner basis for the ideal I_FE induced by the PRF evaluations, see Figure 1. We sampled random small primes of a given bit-length and evaluated the Legendre PRF for sequences of length seven and nine. We computed and recorded the time it takes to compute the Gröbner basis of the corresponding ideal I_FE. We repeated the experiment 10 times. We observe that computing the Gröbner basis takes exponential time in the bit-length of the prime modulus. We expect that launching key-recovery against the Legendre PRF using Gröbner basis methods is hopeless for cryptographic parameter sets, i.e., for primes of size ≈ 2^128. Attaining lower and upper bounds for d_reg to assess the exact complexity of the Gröbner basis computation of I_FE is an interesting open problem.

MinRank Attacks
The MinRank attack is a powerful tool in the cryptanalysis of multivariate cryptography. MinRank attacks have broken numerous multivariate cryptosystems, e.g., in the cryptanalysis of HFE due to Kipnis and Shamir [KS99] or the cryptanalysis of the SRP encryption system [PPST17]. In the following, we show that the Legendre PRF has high Q-rank; therefore it is immune to MinRank attacks. For the complete calculation the reader is referred to Appendix E.1.

Group Structure of the Legendre PRF MQ Instances' Solutions
We give an algebraic-geometric argument for the security of the Legendre PRF. In Section 3.1, we showed that the PRF seed lies in the intersection of multiple Pell conics. The solutions of a single Pell equation over F_p form a cyclic Abelian group [Déc07]. These groups were previously suggested for use in cryptography, as it is believed that the discrete logarithm problem is hard in them [Lem03]. A single Pell conic has genus 0. The intersection of two Pell conics yields a nonsingular elliptic curve of genus 1. Specifically, if one wants to find every secret key K that results in a specific 3-long binary sequence produced by the Legendre PRF, e.g. (1, −1, 1), then every satisfying secret key K is a rational point on a sequence-specific elliptic curve. However, if one considers longer sequences, then the resulting curve has genus greater than 1, cf. Figure 3. Hence, the solutions of those algebraic curves are not equipped with an Abelian group structure. In the following, we compute the genus of the high-degree surfaces induced by the Legendre PRF in the general case.
We want to calculate the genus of the algebraic curve containing the solutions of a Legendre PRF key-recovery attack. More formally, we want to compute 1 − P(0), where P(·) is the Hilbert polynomial of the curve defined by the intersection of several Pell conics. Let (f_1, f_2, ..., f_m) be the given Pell conics in the variables x_0, x_1, ..., x_n and I the corresponding ideal generated by them. Note that n denotes the length of the given Legendre sequence. For N ≫ 0, P(N) is the dimension over F_p of the degree-N homogeneous part of F_p[x_0, ..., x_n]/I [Har13]. This is a linear polynomial. Since for all i ≠ j we have (f_i, f_j) = 1, we obtain the following inclusion-exclusion type equation, where g_n(N) denotes the number of degree-N monomials in F_p[x_0, ..., x_n]. Therefore, g_n(N) = (N+n choose n). For concreteness and as an example, let us consider the case of four intersecting Pell conics, i.e., Legendre sequences of length five. We have the following expression for the Hilbert polynomial when n = 4: By substituting N = 0, we have P_4(0) = −4, namely the arithmetic genus is 1 − P_4(0) = 5. We obtain the following closed formula for the Hilbert polynomial: Proof: The proof is enclosed in Appendix E.2.
5 Extensions of the Legendre PRF
In this section, we construct various extensions of the Legendre PRF and compare them with other state-of-the-art constructions. We build verifiable random functions in Section 5.1, oblivious pseudorandom functions (OPRFs) in Section 5.2 and verifiable OPRFs in Appendix G.

Verifiable Random Functions from the Legendre PRF
Verifiable random functions (VRFs) are natural extensions of PRFs [MRV99]. In a VRF, the PRF evaluator can produce a publicly verifiable proof of the correct evaluation of the PRF F_K(x) given the PRF input x, the output F_K(x) = y and a public verification key, without revealing anything about the secret key K. In many applications, in addition to the efficient production of pseudorandom strings, one also needs to prove the correctness of those pseudorandom bits, e.g., in proof-of-stake consensus algorithms [GHM+17].
An advantage of the arithmetization of the Legendre PRF as an MQ instance is that it allows modelling the PRF as a low-degree polynomial equation system. This arithmetization facilitates the construction of efficient Legendre VRFs. By contrast, if one models the Legendre PRF as a high-degree (degree (p−1)/2) univariate polynomial via Euler's criterion, then applying efficient proof systems to the correct-evaluation statement is hindered. Building on this observation and using NIZK with the Legendre PRF (following the high-level approach sketched in [MRV99]), we propose a new VRF that admits post-quantum secure instantiations with performance comparable to the state of the art.

Syntax and Security of VRFs
Definition 5.1 A verifiable random function is comprised of the following four polynomial-time algorithms VRF = (VRF.PPGen, VRF.Gen, VRF.Eval, VRF.Vfy) with the following functionality:
• VRF.PPGen(1^λ) → pp_vrf. Upon the security parameter λ, the algorithm samples the public parameters pp_vrf.
3. Pseudorandomness: Let A = (A_1, A_2) be an attacker with oracle access to VRF.Eval(pp_vrf, sk, ·) in the following pseudorandomness game: Denoting the oracle queries of A in the game by Q = (X_1, ..., X_Q), we say that A is legitimate if for any random coin choices ρ_A ∈ {0, 1}^λ of A there exists no i ∈ [Q] for which X_i = X* would hold. We say that a VRF is pseudorandom if for all legitimate A its advantage in game

Construction.
We proceed with the construction of the Legendre VRF.
Intuition. We face two challenges in creating a Legendre VRF. First, we need a verification key vk. For sk = K ∈_R F_p, we let vk = {c · log p}_K. Heuristic arguments imply that a long enough symbol sequence is unique if its length is roughly log p [Per92]. Hence, a unique symbol sequence acts as a "commitment" to sk. Second, we need to verify the correct evaluation of the Legendre PRF efficiently. We can leverage NIZK argument systems, since we can express the correct PRF evaluation statement as a low-degree polynomial equation system.
• VRF.Gen(pp_vrf) → (vk, sk). Using the public parameters pp_vrf, the key generation algorithm samples a random sk = K ∈_R F_p and computes the Legendre sequence vk := {c · log p}_K that serves as a "commitment" to K (for a fixed constant c).
• VRF.Eval(pp_vrf, sk, X) → (Y, π). The evaluation of the VRF takes the public parameters pp_vrf, the secret key sk = K and an input X to the PRF. Let Y be λ consecutive Legendre symbols, i.e., Y = {λ}_{K+Xλ}, so that for all X we evaluate the symbols on disjoint intervals (we constrain X ≤ p/λ).
Disjointness is used to ensure the pseudorandomness of the VRF, see the proof in Appendix F. Let π ← NIZK.Prove(R, σ, φ, w), where the witness is w = sk and φ corresponds to an MQ equation system that consists of the quadratic equations corresponding to the evaluation of the Legendre PRF as defined in Section 3.1. For an illustrative example, the reader is referred to Figure 4.
1 Unique provability requires uniqueness to hold even when all the values are maliciously generated by the adversary. [PWH+17] proposed the relaxation of requiring uniqueness to hold only when some values are assumed to be generated honestly. While we use this approach, it is important to emphasize that we only assume that the public system parameters (pp_vrf) are generated honestly, while e.g. [PWH+17] assumed this for the verification key, which is a stronger assumption than ours.
2 We say that the unique provability requirement holds unconditionally if the probability in the requirement is equal to zero even if A is not computationally bounded. The relaxation we use is due to [CL07] and it was first formulated by [GNPR16].
- Similar equations showing the relation of sk and sk + Xλ, i.e., the i-th bits of vk and Y correspond to Legendre symbols of values at distance Xλ. For instance, in the case of two quadratic residues, we have x_i^2 − x_{vk_i}^2 = Xλ, cf. Equation 1. The equations corresponding to the other cases can be similarly adapted from the quadratic equations of Section 3.1.
The following theorem, which we prove in Appendix F, formalizes the security of the Legendre VRF.
Theorem 5.2 Assuming the hardness of the SLS problem (Definition 2.1), the Legendre VRF is secure according to Definition 5.1 if the underlying NIZK argument fulfils the perfect completeness, perfect zero-knowledge and computational soundness requirements (defined in [BFM19]).
Figure 4: Arithmetic circuit representation of the ZKP statement that proves the relation R_PRF = {{5}_K = (1, 1, −1, −1, 1), K} from Example 1, where 2 is the least quadratic non-residue. Applying our Legendre PRF arithmetization, the PRF evaluator proves that it knows the zeros of the following polynomials (2x . Secret input nodes are coloured yellow, while public output nodes are coloured green. Nodes with 2x denote a multiplication gate where one of the inputs is the constant quadratic non-residue 2. Note that for any Legendre PRF statement R*_PRF the arithmetic circuit has a constant multiplicative depth of two.

Instantiations and Performance.
We instantiate our VRF with the state-of-the-art succinct NIZK [Gro16]. However, it does not provide post-quantum security. Another proof system family, zero-knowledge succinct transparent arguments of knowledge (zkSTARK), was pioneered by the work of Ben-Sasson et al. [BSBHR18]. STARK proof systems provide post-quantum security and do not rely on trusted setups. The performance evaluation of [BSBHR18] shows that the proof of a Legendre PRF statement with 2^21 multiplication gates, i.e., verifying ≈ 2^19 Legendre symbols, can be generated in less than a second and verified in 100ms. The proof size is ≈ 50KB. An even more efficient VRF instantiation can be obtained by applying the NIZK of Beullens and Delpech de Saint [BdSG20]. In Table 5.1, we compare the proposed VRF to the state of the art. The Legendre VRF is a potential contender for being the most efficient post-quantum secure VRF in terms of proof size, prover and verifier complexity.

Oblivious PRFs from the Legendre PRF
An oblivious PRF (OPRF) [NR97, FIPR05] is a two-party secure computation protocol (2PC) to evaluate a PRF F(•, •) in an oblivious fashion. Specifically, it allows a sender and a receiver with inputs K and x, respectively, to compute F(K, x) such that the sender does not learn anything new from the protocol messages, while the receiver can output F(K, x) without obtaining information about the used key K. In this section, we show how to build an OPRF relying on the hardness of the SLS problem and also extend this result to two variants of OPRFs, namely to programmable and to verifiable OPRFs (denoted OPPRF and VOPRF, respectively).
These protocols are extensively used in various tasks. A non-exhaustive list of OPRF applications includes secure keyword search [FIPR05], private set intersection (PSI) [HL10, JL09, KKRT16, KLS + 17], secure deduplicated storage [KBR13], password-protected secret sharing [JKKX16] and password-authenticated key exchange [JKX18]. OPPRFs were used to build two-party PSI [PSTY19, KK20] and circuit-PSI, which enables secure function evaluation on the intersection of sets [CGS22]. Finally, VOPRF is the cornerstone of Privacy Pass, a privacy-preserving lightweight authentication mechanism [DGS + 18], and of password-protected secret sharing [JKK14]. The importance of (V)OPRFs is also indicated by the ongoing effort to standardize them [DFHSW21].

The Legendre OPRF
Motivated by the wide range of applications, our goal is to present a novel pathway to the realization of OPRFs that we formally define in Figure 5a.

Functionality F_OPPRF
Participants: sender S, receiver R.
Parameters: a PRF F : K × X → {0, 1} for key-space K and input-space X, the number of programmed points n.
Input: S: K ∈ K, x_1, ..., x_n ∈ X and y_1, ..., y_n ∈ {0, 1}; R:
Figure 5: (a) The ideal OPRF functionality. Together with the extensions in blue, we get the OPPRF ideal functionality.

We observe that the distributed protocol for evaluating the Legendre PRF of [GRR + 16] yields an OPRF. For completeness, we include their protocol presented in the language of OPRFs. The key ingredient, which was used in [GRR + 16] for the secure computation of the Legendre PRF in the multi-party setting, is that the key of the PRF can be masked without changing the PRF value by utilizing the multiplicative property of the Legendre symbol. Namely, if we choose a random square and multiply it with some number, the Legendre symbol of the resulting value will be equal to the symbol of the original number. This fact gives rise to the arithmetic sharing-based³ OPRF protocol Π_OPRF_Legendre, depicted in Figure 6a. The protocol is divided into online and offline parts. In an offline preprocessing phase the parties can compute the shares of the previously mentioned random square and a so-called Beaver multiplication triple [a], [b], [ab] (for some random a, b); both of these operations are entirely independent of the inputs of the participants. For simplicity, we abstract away the underlying details of preprocessing and use the necessary operations in a black-box manner through the ideal functionality of Figure 5b. The realization of F_Prep is possible using a 2PC framework in the semi-honest model, such as ABY by [DSZ15].
After exchanging secret shares of their inputs, the participants operate on the shares in the online phase. While the addition of secret shares is free, i.e., corresponds to ordinary local addition, share multiplication (denoted by a dedicated operator in Figure 6a) consumes one multiplication triple and requires one round of interaction and 2 group elements of communication. For brevity, we omit the proof, since it follows the blueprint of the proof of [GRR + 16, Theorem 2]. We note that Π_OPRF_Legendre is only statistically correct, as with probability 1/p = Pr(s^2 = 0) the output is necessarily zero. For perfect correctness, we need to use RandSquare in the preprocessing phase to rule out s^2 = 0, the cost of which appears in the round complexity, resulting in an expected constant (one) number of rounds. Our efficiency comparisons in Table 5.2 show that in terms of both message size and computational complexity, the Legendre OPRF is a promising candidate for a post-quantum OPRF, since the underlying SLS problem is not known to be vulnerable to post-quantum attacks.
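The two-party protocol described above, simulated end to end as an added example (this is not the paper's or [GRR + 16]'s code): both parties' additive shares live in one process, F_Prep is replaced by a trusted-dealer stand-in that hands out shares of a nonzero random square s² (the RandSquare variant) and of a Beaver triple, and the share multiplication uses the opening rule (x+a)(y+b) − (x+a)[b] − (y+b)[a] + [ab] = [xy] from footnote 3. The modulus P = 2^61 − 1 is a constructed choice standing in for the PRF's public prime. The only value opened about K + x is (K + x)·s², whose Legendre symbol equals that of K + x because s² is a square.

```python
import secrets

# Constructed example modulus (a Mersenne prime), standing in for the PRF's public prime p.
P = 2**61 - 1


def legendre(a, p):
    """Legendre symbol (a/p) by Euler's criterion; returns 1, -1, or 0 for a = 0 mod p."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def share(v):
    """Additive secret sharing over F_p: (sender's share, receiver's share) summing to v."""
    r = secrets.randbelow(P)
    return r, (v - r) % P


def open_shares(pair):
    """Both parties exchange their shares and reconstruct the value (one message each way)."""
    return (pair[0] + pair[1]) % P


def preprocess():
    """Stand-in for F_Prep (a trusted dealer here, not the paper's ABY-based realization):
    shares of a random nonzero square s^2 (RandSquare) and of a Beaver triple (a, b, ab)."""
    s = secrets.randbelow(P - 1) + 1          # s != 0, so (K + x) * s^2 = 0 only when K + x = 0
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(s * s % P), (share(a), share(b), share(a * b % P))


def beaver_mul(x_sh, y_sh, triple):
    """One interactive round: open x+a and y+b, then each party locally evaluates its share of
    (x+a)(y+b) - (x+a)[b] - (y+b)[a] + [ab] = [xy] (the formula of footnote 3)."""
    a_sh, b_sh, ab_sh = triple
    e = open_shares(((x_sh[0] + a_sh[0]) % P, (x_sh[1] + a_sh[1]) % P))   # x + a, public
    d = open_shares(((y_sh[0] + b_sh[0]) % P, (y_sh[1] + b_sh[1]) % P))   # y + b, public
    z_s = (e * d - e * b_sh[0] - d * a_sh[0] + ab_sh[0]) % P   # sender adds the public product
    z_r = (-e * b_sh[1] - d * a_sh[1] + ab_sh[1]) % P          # receiver's share has no constant
    return (z_s, z_r), (e, d)


def legendre_oprf(K, x):
    """Run the Legendre OPRF between a sender holding K and a receiver holding x.
    Returns the receiver's output and the values that were opened during the online phase."""
    sq_sh, triple = preprocess()
    K_sh = share(K)                                   # sender shares its key
    x_sh = share(x)                                   # receiver shares its input
    sum_sh = ((K_sh[0] + x_sh[0]) % P, (K_sh[1] + x_sh[1]) % P)   # [K + x]: addition is local
    prod_sh, opened = beaver_mul(sum_sh, sq_sh, triple)         # [(K + x) * s^2]: one round
    masked = open_shares(prod_sh)                     # the only value revealed about K + x
    return legendre(masked, P), opened + (masked,)


if __name__ == "__main__":
    out, opened = legendre_oprf(123456789, 987654321)
    print(out, out == legendre(123456789 + 987654321, P))
```

The opened values e and d are one-time-padded by a and b, and the final opened product is a uniformly random element of the residue class of K + x (or 0 when K + x = 0), so a receiver learns only the output bit, which is what the OPRF functionality permits.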
Table 5.2: Comparing the online costs of various Oblivious PRF protocols. In the columns of communication and computation complexity, G denotes a group element or group operation, while H denotes a hashing operation. The concrete efficiency of obtaining λ pseudorandom bits with the corresponding OPRFs was computed with λ = 128 bit-security. (Q)ROM stands for the (quantum) random oracle model. Note that the PRF of [KKRT16] is only a relaxed PRF. RLWE is the abbreviation for the ring-learning with errors assumption. Oblivious transfer (OT) can be instantiated both with classic and post-quantum security. Non post-quantum secure assumptions are written in red, while assumptions written in green are secure even against quantum attackers.

OPPRF: Programming the Legendre OPRF
The notion of oblivious programmable PRF (OPPRF) was introduced by Kolesnikov et al. [KMP + 17]. An OPRF is an OPPRF if, in addition, it allows the sender to program the output of the OPRF at certain evaluation points (see Figure 5a). Kolesnikov et al. [KMP + 17] formulated three generic OPPRF constructions that can turn any OPRF into an OPPRF. We follow the terminology of these generic constructions and introduce two algorithms that aim to turn an OPRF into an OPPRF:
- OPPRF.KeyGen(1^λ, P) → (K, hint): Given a security parameter and a set of programmed points P = {(x_1, y_1), ..., (x_n, y_n)} with distinct x_i-values, generates a PRF key K and (public) auxiliary information hint.
(n, t)-security: No efficient adversary is able to distinguish the n programmed points from non-programmed points given oracle access to the PRF using t queries. Note that this definition implies that unprogrammed PRF outputs (i.e., those not set by the input to OPPRF.KeyGen) are pseudorandom.
Programming the Legendre OPRF. We show how to efficiently program the output of the Legendre PRF by carefully choosing the prime modulus; this choice defines our OPPRF.KeyGen algorithm. This strategy already highlights the strength of the resulting OPPRF: it does not require an explicit hint beyond the prime modulus, which is a public parameter anyway. Moreover, the OPPRF.Eval algorithm can simply return the output of the Legendre OPRF.
The naïve way to program the Legendre PRF would be to generate primes randomly and hope that the PRF outputs match the desired values y_i at the programmed points x_i for a given key K. This certainly works for a small number of programmed points; however, this naïve PRF programming method incurs a time complexity exponential in the number of programmed points. To circumvent the exponential time complexity of the programming, we take a different approach, cf. Figure 6b. The goal of the algorithm is to find a prime p such that for all i ∈ [0, n):
Without loss of generality, we search for p in the form p ≡ 1 mod 4. Moreover, we assume that the programmed points K + x_i are prime numbers. This assumption is natural and eases our exposition, because programming the PRF output at a composite K + x_i is reducible to programming the PRF output at the prime factors of K + x_i due to the multiplicativity of the Legendre symbol. For each K + x_i, the value $\left(\frac{p}{K + x_i}\right)$ establishes possible residue classes for p mod (K + x_i). The appropriate modulus p can then be obtained via the Chinese remainder theorem. Therefore, the "programmability" of the Legendre PRF is rather space-inefficient, since $p \approx \prod_{i=1}^{n} (K + x_i)$. Hence, the number of programmed points is somewhat limited with our algorithm. We note that the main ideas of this programming method were already proposed in a different context (secure comparison protocols) by Yu [Yu11]. In a similar fashion, one could generalize the approach of Figure 6b to power residue symbols, i.e., programming power residue symbol PRFs. Such a generalization was shown recently by Cascudo et al. [CS20], who proposed as an open question to find concrete applications for their protocol. We note that their methods can be applied to program power residue symbol OPRFs.
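The OPPRF.KeyGen procedure just described, as an added example (not the paper's or its authors' code): for each programmed point it picks a residue class r_i mod q_i = K + x_i whose symbol (r_i/q_i) is the target y_i, combines all classes together with p ≡ 1 mod 4 by the Chinese remainder theorem, and walks the resulting arithmetic progression until it hits a prime. Quadratic reciprocity with p ≡ 1 mod 4 then gives (q_i/p) = (p/q_i) = (r_i/q_i) = y_i. The code assumes, as the text does, that every K + x_i is a distinct odd prime, and it takes targets in {1, −1} (the Legendre symbol's own values) rather than {0, 1}; the Miller-Rabin routine is the usual deterministic one for the sizes involved, and OPPRF.Eval is just the Legendre symbol.

```python
import math

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n):
    """Deterministic Miller-Rabin; with these bases it is exact for n < 3.3e24."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion, p an odd prime; returns 1, -1 or 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli: (x mod M, M)."""
    M = math.prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)
    return x % M, M


def program_legendre_prf(K, points):
    """OPPRF.KeyGen for the Legendre PRF: a prime p with ((K + x_i)/p) = y_i for all points.
    points: list of (x_i, y_i) with y_i in {1, -1}; every K + x_i must be a distinct odd prime."""
    moduli, residues = [4], [1]   # p = 1 mod 4, so that reciprocity gives (q/p) = (p/q)
    for x, y in points:
        q = K + x
        if q == 2 or not is_prime(q) or q in moduli:
            raise ValueError(f"K + x = {q} must be a distinct odd prime")
        # any residue r mod q with (r/q) = y fixes the symbol; take the smallest one
        r = next(r for r in range(1, q) if legendre(r, q) == y)
        moduli.append(q)
        residues.append(r)
    r0, M = crt(residues, moduli)
    # p = r0 (mod M) pins down p mod 4 and p mod every q_i; start above M so that p exceeds
    # every programmed point (p is of the order of the product, as the text notes)
    p = r0 + M
    while not is_prime(p):
        p += M
    return p


def check_programmed(K, points, p):
    """Verify the programmed outputs by plain evaluation of the Legendre PRF."""
    return all(legendre(K + x, p) == y for x, y in points)


if __name__ == "__main__":
    pts = [(1, 1), (3, -1), (7, 1), (9, -1)]   # K + x in {101, 103, 107, 109}, all prime
    p = program_legendre_prf(100, pts)
    print(p, check_programmed(100, pts, p))
```

Note that the hint really is nothing beyond p itself, and that the size of p grows with the product of the programmed points, which is the space cost the text describes.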
Hint size and batch OPPRFs. As our novel programming method, specifically designed for the Legendre OPRF, minimizes the necessary auxiliary information for the OPPRF evaluation, it outperforms all existing solutions in this metric. For a detailed comparison, we refer to Table 5.3. Finally, we note that [PSTY19] uses a so-called "Batch OPPRF" that, informally, invokes independent OPPRF instances with a total number of programmed points σ (the number of programmed points per instance may vary but has to remain hidden) and only uses a single hint with size linear in σ. Since the hint size of the Legendre OPPRF is independent of the number of programmed points, it naturally fulfils the requirement of Batch OPPRFs.
6 Future Directions
We perceive three main areas of future work. Work remains to be done on the provable security of the Legendre PRF. It would be fascinating to find new connections to other post-quantum secure cryptographic assumptions, e.g., LWE. For instance, note that the probability distribution of the coefficients of the quadratic terms in the induced MQ instance follows a discrete Gaussian distribution. Could one reframe the MQ instance as an LWE instance for a suitable change in the variables? Moreover, it would be fruitful to establish concrete and asymptotic lower bounds on the degree of regularity of the Legendre PRF's MQ instances. That would pave the path for settling the provable security of this PRF.
It is essential to improve on existing key-recovery attacks or to find new, more performant cryptanalytic approaches, which would allow us to better estimate the bit-security of the Legendre PRF and other variants. We foresee many more novel cryptographic applications of the Legendre PRF due to its homomorphic properties and MPC-friendliness. For instance, it seems accessible to prove the existence of related-key secure PRFs or key-homomorphic PRFs from quadratic and power residue symbol PRFs.
B Proofs from Section 3
Lemma B.1 I

Proof:
Let $\langle f_1, \ldots, f_m\rangle$ be the ideal induced by the Legendre PRF, where we assume that $f_1, \ldots, f_m$ forms a reduced Gröbner basis. For a homogeneous sequence of polynomials $(f_1, \ldots, f_m)$ to be regular, we need to show that for all $i \in [1, m]$ and all $g$ with $g f_i \in \langle f_1, \ldots, f_{i-1}\rangle$, we have $g \in \langle f_1, \ldots, f_{i-1}\rangle$. An affine sequence of polynomials $(f_1, \ldots, f_m)$ is regular by definition if the homogeneous sequence $(f_1^h, \ldots, f_m^h)$ is regular, where $f_i^h$ is the homogeneous part of $f_i$ of highest degree with respect to the (graded) lexicographic monomial ordering. In our case $(f_1^h, f_2^h, \ldots, f_m^h) = (x_1^2, x_2^2, \ldots, x_m^2)$. Since $f_i^h = x_i^2$ for every $i$, the ideal , for some polynomial $g'$. This completes the proof.
Lemma B.2 I FE is a semi-regular ideal, if the conditions of Theorem 3.3 are met.

Proof:
The proof's blueprint is the same as that of Lemma 3.2. We consider the generating set for $I_{FE}$ provided by the Gröbner basis, i.e., $I_{FE} = \langle f_1, \ldots, f_m\rangle$. By definition, a homogeneous sequence of polynomials $(f_1, \ldots, f_m)$ is semi-regular if for all $i = 1, \ldots, m$ and all $g$ such that $g f_i \in \langle f_1, \ldots, f_{i-1}\rangle$ and $\deg(g f_i) < d_{reg}$, $g$ is also in $\langle f_1, \ldots, f_{i-1}\rangle$. An affine sequence of polynomials $(f_1, \ldots, f_m)$ is semi-regular if the sequence $(f_1^h, \ldots, f_m^h)$ is semi-regular, where $f_i^h$ is the homogeneous part of $f_i$ of highest degree. In our case $(f_1^h, \ldots, f_m^h) = (x_1^2, \ldots, x_m^2)$. Previously, in the proof of Lemma 3.2, we saw why $(x_1^2, \ldots, x_m^2)$ forms a regular ideal.

C Adding More Polynomials to the Ideal of the PRF
As we have seen in Section 3.3, the Legendre key-recovery attack is equivalent to solving an overdetermined MQ instance. However, when p ≡ 3 mod 4 or p ≡ 5 mod 8, we might decrease the complexity of solving the resulting MQ instance by adding new equations. Observe that in these cases, we can express the modular square roots as follows: If p ≡ 1 mod 8, it is not possible to express the sqrt_p(•) algorithm easily as a polynomial function, since in that case the root-finding Tonelli-Shanks algorithm is a probabilistic algorithm. Nevertheless, we can obtain O(log^2 p) new polynomials in the other cases, one for each quadratic term x_i x_j: Similarly, we can add new polynomials to the system involving the linear terms of the unknowns for every i ≠ j. All polynomials in Equations 12 and 13 have degree ≈ p. Therefore, the addition of each of those polynomials incurs the inclusion of ≈ log p new quadratic equations in ≈ log p new variables in order to break the almost full-degree polynomials down to quadratic polynomials. All in all, we end up with an equation system in n variables and m = n + k equations, where m, n ∈ O(log^3 p) and k ≈ log^2 p. We leave it as future work to analyze the independence of the newly introduced polynomials of Equations 12 and 13 from the polynomials of the ideal I_FE. We suspect that adding these high-degree polynomials to the ideal does not significantly speed up the Gröbner basis computation. Hence, these new polynomials might not have cryptanalytic relevance.
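The observation that the square root is a polynomial (power) function of its argument for p ≡ 3 mod 4 and p ≡ 5 mod 8, made concrete as an added example (not the paper's code; the closed forms used are the textbook ones, a^((p+1)/4) for p ≡ 3 mod 4 and Atkin's formula for p ≡ 5 mod 8, which the page does not print). For p ≡ 1 mod 8 the routine refuses, matching the text's point that no such single power map exists there and Tonelli-Shanks is needed instead.

```python
def is_square(a, p):
    """Euler's criterion: nonzero a is a square mod the odd prime p iff a^((p-1)/2) = 1."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod(a, p):
    """Square root of a quadratic residue a modulo the odd prime p using only power maps,
    i.e. a polynomial in a. Assumed closed forms (standard, not taken from the page):
      p = 3 (mod 4): a^((p+1)/4)
      p = 5 (mod 8): Atkin, v = (2a)^((p-5)/8), i = 2 a v^2 (a root of -1), x = a v (i - 1)
    p = 1 (mod 8) is rejected: there root finding is the probabilistic Tonelli-Shanks."""
    a %= p
    if a == 0:
        return 0
    if not is_square(a, p):
        raise ValueError("a is a quadratic non-residue")
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    if p % 8 == 5:
        v = pow(2 * a, (p - 5) // 8, p)
        i = 2 * a * v * v % p          # i^2 = (2a)^((p-1)/2) = (2/p)(a/p) = -1 for p = 5 mod 8
        return a * v * (i - 1) % p
    raise ValueError("no power-map formula for p = 1 mod 8; use Tonelli-Shanks")


def check_all_residues(p):
    """Round-trip every quadratic residue mod p through sqrt_mod; True iff each root squares back."""
    return all(sqrt_mod(a, p) ** 2 % p == a for a in range(1, p) if is_square(a, p))


if __name__ == "__main__":
    print(sqrt_mod(3, 13), sqrt_mod(2, 7), check_all_residues(1019), check_all_residues(1013))
```

Because each root is a fixed power of its input, substituting it into the key-recovery system yields polynomials of degree about p, which is exactly why the text estimates that each added equation drags in about log p fresh quadratic equations and variables.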

D Group Structure of the Solutions of a Legendre PRF key-recovery attack
In Section 4.2, we showed that if there exists a probabilistic polynomial-time algorithm that breaks the SLS problem, then it could be used to find solutions of high order algebraic curves over F p .This is essentially an equivalent restatement of viewing the Legendre PRF as an MQ instance.
Moreover, the resulting algebraic curves have genus greater than 1, so the points on the curve lack an Abelian group structure. However, in the case of shorter sequences, e.g., Legendre sequences of length three, all the points that result in a specific Legendre symbol sequence of length three lie on a sequence-specific non-singular elliptic curve. In the sequel, we show how to obtain the Legendre-sequence-specific elliptic curve equation by elementary methods.

D.1 The Case of Consecutive Legendre symbol triplets
Let us suppose that one wants to generate key candidates K′ whose subsequent Legendre symbols match the first three symbols of a sequence, i.e.
Hereby, we show that such key candidates can be obtained as solutions of an elliptic curve over F_p. One might generalise this approach to potentially speed up key-recovery attacks against the Legendre PRF and reduce its security to finding rational points on higher order algebraic curves over F_p.
For the sake of concreteness, let us assume that (b_0, b_1, b_2) = (1, 1, 1). Similar techniques apply for other bit-sequence patterns. Put differently, the shifted Legendre sequence starts with 3 quadratic residues. Let us denote the corresponding square roots as a, b, c mod p. Therefore we wish to solve the following equations: We introduce the following notation: $s := b - a$, $1/s := b + a$ and $\lambda := \frac{c - b}{b - a}$. We have that $2b = s + 1/s$ and $2b = \frac{1}{s\lambda} - s\lambda$. This implies the following: By denoting the left hand side of Equation 14 as $t^2$, we finally obtain the following non-singular elliptic curve of genus 1: $t^2 = \lambda^3 - \lambda$. Given Equation 14, we also have that Since $r = s\lambda$, we can squeeze Equation 14 and Equation 15 into a single two-variable quartic equation:

D.2 An Alternative View
We view the resulting equation system globally and assess the probability distribution of each coefficient appearing in the MQ instance. Adjacent pairs of Legendre symbols are asymptotically equidistributed [Per92]. Therefore we can easily describe the discrete probability distribution of the coefficients in the induced equation system. Let $X_q^{(i,j)}$, $X_l$, $X_c$ be the discrete random variables corresponding to the $i$th unknown's quadratic, linear and constant terms. For the equation system's coefficients, we have the following discrete probability distributions, given Equations 1, 2 and 3. For the constant terms, we have that Every linear term is zero, namely, $\Pr[X_l = 0] = 1$. Finally, the quadratic terms' coefficients have the following distribution: $\Pr[X^{(i,j)} = \ldots] = 1$ if $i = j$; we have that $\Pr[X^{(i,i)}$ We remark that the discrete probability distribution of the quadratic terms is reminiscent of a discrete Gaussian distribution with mean 0 as n goes to infinity. If the linear terms, cf. Equation 17, followed a uniformly random distribution after a suitable change in the variables, the resulting MQ instance could be seen asymptotically as a learning with errors (LWE) instance. We leave this as an interesting future direction to investigate further connections to other post-quantum secure assumptions.
E Algebraic Cryptanalysis of the Legendre PRF
E.1 Computing the Q-rank of the Legendre PRF
The Q-rank of an MQ cryptosystem plays a crucial role in cryptanalysis. Every multivariate quadratic equation system f can be lifted to a quadratic form Q in an extension field. Let E denote an extension field over F_p. Informally, the Q-rank is the rank of the quadratic form Q as a matrix over the field E. Low Q-rank is detrimental, since it facilitates successful cryptanalysis (key-recovery, decryption etc.) [KS99, PPST17].
We now compute the Q-rank (cf. Definition E.1) of the Legendre PRF equation system [Osp16]. We rewrite each generator polynomial $f_i$ in the ideal $I = \langle f_1, \ldots, f_m\rangle$ induced by the Legendre PRF as follows: where $x = [x_1, \ldots, x_n]^T$, $A_i \in M_{n \times n}(\mathbb{F})$ is the matrix $[a_{ij}]_{ij}$ and $B_i \in M_{1 \times n}(\mathbb{F})$ is the matrix $[b_i]_{1i}$. We note that in the case of the Legendre PRF, $B_i = 0$. Each polynomial $f_i$ can be represented in the extension field in the following form: where $X = [X^{q^0}, \ldots, X^{q^{n-1}}]^T$, $M_i \in M_{n \times n}(E)$ is the matrix $[\alpha_{ij}]_{ij}$ and $B \in M_{1 \times n}(\mathbb{F})$ is the matrix $[\beta_i]_{1i}$. It is well known that a quadratic polynomial equation system $F$ defined by the generating polynomials $f_i$ of $I$ can be lifted to the extension field by Equation 21, where $x = \phi(X)$. Our goal is to establish the rank of the matrix $M \in M_{n \times n}(E)$. We start off by defining $X = \Delta \cdot \phi(X)$, where $\Delta$ is the following invertible matrix:
$$\Delta = \begin{pmatrix}
y^0 & y^1 & \cdots & y^{n-2} & y^{n-1} \\
(y^0)^{q^1} & (y^1)^{q^1} & \cdots & (y^{n-2})^{q^1} & (y^{n-1})^{q^1} \\
(y^0)^{q^2} & (y^1)^{q^2} & \cdots & (y^{n-2})^{q^2} & (y^{n-1})^{q^2} \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
(y^0)^{q^{n-1}} & (y^1)^{q^{n-1}} & \cdots & (y^{n-2})^{q^{n-1}} & (y^{n-1})^{q^{n-1}}
\end{pmatrix}$$
Equipped with all this, we can now define $M \in M_{n \times n}(\mathbb{F})$, $N \in M_{1 \times n}(\mathbb{F})$ and $\gamma \in E$ from the lifting Equation 21. We define $\gamma = c_1 + c_2 y + \cdots + c_n y^{n-1}$ and the matrices as follows. Note that in the case of the Legendre PRF MQ instance, $N = 0$, since $B_i = 0$ for all $i$. The second term in the matrix $M$, $y^{i-1} A_i$, is a double-diagonal non-singular matrix. Hence, $M$ has full rank, since it is the product of non-singular matrices.
Figure 1: The maximum degree in the Gröbner basis (left) and the exponential time complexity of computing the Gröbner bases (right) for the ideals I FE defined by the Legendre PRF.

Figure 3:
Figure 2: The maximum degrees in the Gröbner basis of the ideal I FE as a function of the Legendre PRF sequence length.
Concretely, [x] [y] = [xy] can be computed by revealing (x + a) and (y + b) (that does not disclose information about x and y, because a, b are random), then (x + a) • (y + b) − (x + a) • [b] − (y + b) • [a] + [ab] = [xy] can be evaluated.The resulting online part then consists of three rounds of interaction and 5 group elements of communication.

Figure 6: Legendre OPRF and the algorithm to extend it to be an OPPRF.

4-symbol case (sketch): Now, let us assume we have an additional $b_3 = 1$. Let $d$ be the square root of $K + 3$. Furthermore, let $r := c - b$ and $\mu := \frac{d - c}{c - b}$.

Table 5.1: Overview of various VRF constructions. Hashing, group operations, exponentiation and pairings are denoted as H, G, F_p, P, respectively. Note that [EKS + 20] only provides a few-time VRF. Module-SIS and module-LWE ranks are denoted as k and l, respectively. |C| denotes the number of AND gates of the LowMC [ARS + 15] PRF applied in [BDE + 21]. Here n is the length of the Legendre symbol sequence being proved. Assumptions written in green are post-quantum secure, while those written in red are not.

Table 5.3: Comparison of the generic OPPRF constructions of [KMP + 17] (which can be based on an OPRF, e.g., that of [KKRT16]) and the Legendre OPRF that was shown to be programmable in Section 5.2.2. The number of programmed input positions is denoted as n, λ_BF is the soundness parameter of the Bloom filter, and k denotes the number of base-OTs, typically k ≈ 4λ.