1 Introduction

Zero-knowledge proofs (ZKP) and secure multi-party computation (MPC) protocols are ubiquitous in cryptography. These advanced cryptographic tools are applied and deployed in many applications, e.g., privacy-preserving cryptocurrencies, threshold cryptography and secure instant-messaging. The widespread adoption of ZKPs and MPC protocols necessitates novel symmetric-key primitives [43]. Traditional symmetric-key primitives, e.g., AES, cause significant overhead in ZKPs or MPC due to their vast multiplicative complexity.

Therefore, interest in algebraic symmetric-key primitives with low multiplicative depth has recently revived [43]. Lately, several novel algebraic MACs [22, 30], hash functions [6, 38] and algebraic pseudorandom functions [24] have been proposed for cryptographic use. New algebraic constructions with low multiplicative complexity are especially attractive due to their distinguished efficiency properties in ZKPs or MPC protocols. However, this new algebraic design paradigm possibly opens up new avenues for attacks [1]. The cryptanalysis of these new symmetric-key primitives is an active research field with notable published works. For instance, Albrecht et al. conducted an algebraic cryptanalysis of MARVELlous [3] and MiMC hash functions [2], while Li and Preneel refined interpolation attacks on low algebraic degree cryptosystems [64]. One of the most promising cryptosystems for use in ZKPs and MPC protocols is a pseudorandom function (PRF) based on quadratic and power residue symbols. Recall that if p is a prime, the Legendre symbol \(\genfrac(){}0{a}{p}\) is 1 if a is a square modulo p and \(-1\) otherwise (the symbol of \(0\bmod {p}\) is 0 by convention). In this work, we focus on the cryptographic security of a PRF family, called the Legendre PRF, and of its extensions, all derived from the evaluation of the Legendre symbol.

There exists a vast mathematical literature asserting that Legendre and power residue symbols are particularly well suited for use in pseudorandom functions, since they exhibit strong pseudorandomness properties. One of the first results is due to Pólya and Vinogradov (1918), and later Davenport (1931), cf. [25, 79]. They assert that character sums behave like independent fair coin tosses, i.e., \(\sum \nolimits _{a=M+1}^{M+N}\genfrac(){}0{a}{p}\le \sqrt{p}\log p\). In the case of Legendre symbols, Peralta extended this result by showing that for any fixed n, n-grams of Legendre symbols are asymptotically equally distributed [70]. Mauduit and Sárközy [67] introduced several metrics to measure the pseudorandomness of binary sequences and argued that “Legendre symbol sequences are the most natural candidate for pseudorandomness”. Ding et al. [29] confirmed the high linear complexity of Legendre symbol sequences. Tóth and Gyarmati et al. [39] introduced new pseudorandomness measures and established high values of those for Legendre symbol sequences [76].

1.1 Related work

In spite of the above results, surprisingly, the security guarantees of the Legendre PRF from a cryptographic standpoint are poorly understood. The quantum case is settled whenever a quantum oracle is available to the attacker, as polynomial-time quantum algorithms are known to recover the key of a Legendre PRF [74, 78]. However, if the oracle can only be queried classically, then no efficient quantum algorithm is known. In concurrent and independent work, Frixons and Schrottenloher [35] investigated the quantum security of the Legendre PRF without quantum random access to an oracle. While they presented two new attacks in this setting, both of them remain impractical for key recovery, strengthening the security intuition. On the other hand, in the classical setting, only exponential-time key-recovery algorithms are known, due to Khovratovich [54], Beullens et al. [8] and Kaluderovic et al. [56]. One might ask whether there could be sub-exponential key-recovery attacks on the Legendre PRF. Damgård in 1988 proposed as an open problem to assess the security and complexity of predicting Legendre or Jacobi symbols. He contemplated reducing well-known number-theoretic assumptions to the problem of predicting Legendre or Jacobi symbol sequences [24]. In this paper, we show connections of the Legendre and Jacobi sequences to a different branch of cryptography, namely, multivariate quadratic cryptography. This study is useful in establishing the security of various cryptographic applications derived from the Legendre PRF, e.g. the digital signature scheme by Beullens et al. [11].

1.2 Our contributions

In this work, we make the following contributions.

Legendre PRF as an MQ instance We show that key-recovery attacks on the Legendre PRF are equivalent to solving a specific family of sparse multivariate quadratic equation systems over a finite field. Moreover, the weak unpredictability of the PRF is reducible to the decidability of the aforementioned equation system. These connections naturally extend to higher-degree Legendre PRFs and power residue symbol PRFs.

Algebraic cryptanalysis We conduct the first algebraic cryptanalysis of the MQ instance induced by the Legendre PRF. We find that the Legendre PRF is immune to interpolation, direct (Gröbner basis) and rank attacks. We also present algebraic-geometric arguments to support the complexity of finding solutions of these sparse MQ instances over a finite field. However, none of these standard cryptanalytic tools from multivariate cryptography improves on the state-of-the-art key-recovery attacks against the Legendre PRF [8, 54, 56]. On the other hand, we find that the induced MQ instances behave like random MQ instances in terms of degree of regularity, i.e., the corresponding ideals are semi-regular. This observation might be interpreted as evidence of the difficulty of breaking the Legendre PRF.

Novel cryptographic applications of the Legendre PRF Besides assessing the security of the Legendre PRF, we utilise its special properties to apply it in various cryptographic tasks. Expressing the Legendre PRF as an MQ instance facilitates novel cryptographic applications, i.e., verifiable random functions. Moreover, we exploit its multiplicativity to construct (verifiable) oblivious (programmable) pseudorandom functions. Due to their efficiency, these novel extensions can be applied in several cryptographic protocols, such as state-of-the-art private set intersection (PSI) protocols.

1.3 Organisation

This paper is organised as follows. In Sect. 2, we provide the necessary background on Legendre symbols and related hard cryptographic problems. In Sect. 3, we show that key-recovery attacks against the Legendre PRF are equivalent to solving a specific MQ instance. In Sect. 4, we analyze the security of the MQ instance induced by the Legendre PRF. We realize several cryptographic primitives from the Legendre PRF in Sect. 5. Finally, we conclude our paper in Sect. 6 by pointing out future directions.

2 Preliminaries

2.1 Notations

Whenever we sample x from a set S uniformly at random we write \(x\in _R S\). Let p be an odd prime and let \(K\in _R\mathbb {F}_p\) be a secret key. The modular square root algorithm modulo p is denoted as \(\textsf{sqrt}_p(\cdot )\). Vectors of group elements are denoted in bold. In the following, n and m denote the number of variables and equations, respectively. Throughout this work, we will work in the multivariate polynomial ring \(\mathbb {F}_p[x_1,\dots ,x_n]\) over a finite field \(\mathbb {F}_p\). \(\textsf{LT}(I)\) denotes the ideal generated by the leading terms of the ideal I. For ease of exposition we use [x] to denote a secret share of the value \(x\in \mathbb {F}_p\).

2.2 Background on the Legendre PRF

Damgård proposed using the sequence of consecutive Legendre symbols with respect to a large prime p for “pseudorandom bit generation” [24].

Definition 1

(Sequential Legendre PRF) Let p be a prime depending on the security parameter \(\lambda\), and let \(\{a\}_{K}\) denote the following sequence:

$$\begin{aligned} \{a\}_{K}:=\genfrac(){}0{K}{p},\genfrac(){}0{K+1}{p},\dots ,\genfrac(){}0{K+a-1}{p}. \end{aligned}$$

Damgård conjectured that the sequence is pseudorandom, when starting at a secret K. Sometimes, it is easier to work with bits, rather than the original Legendre symbols themselves, therefore the Legendre PRF is defined with Boolean output (for a key- and input-space \(\mathbb {F}_p\)).

Definition 2

(Legendre pseudorandom function) The function \(L_{K}(x)\) is defined by mapping the corresponding Legendre symbol to {0,1}, i.e.,

$$\begin{aligned} L_{K}(x)=\Bigl \lfloor {\frac{1}{2}}\Big (1-\genfrac(){}0{K+x}{p}\Big )\Bigr \rfloor . \end{aligned}$$

Definition 3

(Weak Unpredictability) A pseudo-random bit-generator \(\mathcal {X}_{\lambda }(s):\{0,1\}^{\lambda }\rightarrow \{0,1\}^{l(\lambda )}\), where s is a seed and \(l(\cdot )\) is an expansion factor, is next-bit unpredictable (sometimes weakly unpredictable) if for all probabilistic polynomial time algorithms \(\mathcal {A}\), there is a negligible function \(\texttt {negl} (\lambda )\) such that

$$\begin{aligned} \Pr [\mathcal {A}(x_1, x_2,\dots ,x_{l(\lambda )-1})=x_ {l(\lambda )}]\le \frac{1}{2}+\texttt {negl} (\lambda ), \end{aligned}$$

where the sequence \(X = x_1x_2\dots x_{l(\lambda )}\) is generated by \(\mathcal {X}_{\lambda }(s)\) with \(s\in _R\{0,1\}^{\lambda }\).

Assumptions. Grassi et al. formulated the following problem that underpins the security of the Legendre PRF [43].

Definition 4

(Shifted Legendre Symbol (SLS) Problem) Let K be uniformly sampled from \(\mathbb {F}_p\), and define \(\mathcal {O}_{Leg}\) to be an oracle that takes \(x\in \mathbb {F}_p\) and outputs \(\genfrac(){}0{K+x}{p}\). Then the Shifted Legendre Symbol (SLS) problem is to find K given oracle access to \(\mathcal {O}_{Leg}\) with non-negligible probability.

It is conjectured that no classical adversary running in sub-exponential time could recover the hidden shift K. One might also consider generalisations of the problem, such as changing the linear polynomial to a secret degree-d polynomial in the Legendre symbol evaluations or changing the quadratic symbol to an rth power residue symbol.

Definition 5

(Multivariate Quadratic (MQ) problem) Given random quadratic polynomials over a finite field, i.e., \((f_1(x_1,\dots ,x_n),\dots ,f_m(x_1,\dots ,x_n))\in \mathbb {F}[x_1,\dots ,x_n]^{m},\) find a common zero \(\textbf{x}\in \mathbb {F}^n\) of the polynomials \(f_1,\dots ,f_m\).

It is well-known that the MQ problem is NP-hard for any choice of finite field \(\mathbb {F}\) [37]. In cryptographic applications, \(\mathbb {F}\) is often \(\mathbb {F}_2\) or an extension of it. However, throughout this work, we consider MQ problems over \(\mathbb {F}_p\), for some large prime p. The MQ problem is one of the major candidates on which post-quantum secure cryptosystems can be based. Currently, there are no known sub-exponential algorithms to solve the MQ problem.

2.3 NIZK arguments

Since in our VRF proposal we make use of non-interactive zero-knowledge (NIZK) arguments, we recall the relevant syntax following [12] and for the details and exact security requirements we refer to [12]. NIZK arguments consist of four PPT algorithms that are defined with respect to a relation generator algorithm \(\mathcal {R}\text {-}\textsf{Gen}(\textsf{1}^{\lambda })\) that, upon receiving some security parameter \(\lambda\), outputs a polynomial time decidable relation \(\mathcal {R}:\{0,1\}^*\times \{0,1\}^*\) for which in our case \(\{(\phi ,\textsf{w})\in \mathcal {R}\mid \phi (\textsf{w})=0\}\), where the statement \(\phi\) is a MQ equation system over \(\mathbb {F}_p\) and a valid witness \(\textsf{w}\) is a solution of the system.

  • \(\mathsf {NIZK.Setup}(\mathcal {R})\rightarrow (\sigma ,\tau )\). For the relation \(\mathcal {R}\) the setup produces a common reference string \(\sigma\) and a simulation trapdoor \(\tau\).

  • \(\mathsf {NIZK.Prove}(\mathcal {R},\sigma ,\phi ,\textsf{w}) \rightarrow \pi\). Upon the \((\phi ,\textsf{w})\in \mathcal {R}\) and the common reference string \(\sigma\), the prover returns an argument \(\pi\).

  • \(\mathsf {NIZK.Vfy}(\mathcal {R},\sigma ,\phi ,\pi ) \rightarrow \{0,1\}\). Upon the common reference string \(\sigma\), the statement \(\phi\) and an argument \(\pi\) the verification algorithm returns 0 or 1.

  • \(\mathsf {NIZK.Sim}(\mathcal {R},\tau ,\phi ) \rightarrow \pi\). Using the simulation trapdoor \(\tau\) and statement \(\phi\) the simulator returns an argument \(\pi\).

Definition 6

(Perfect NIZK argument [12]) We say that a NIZK is a perfect NIZK argument for \(\mathcal {R}\) if it has perfect completeness, perfect zero-knowledge and computational soundness as defined in [12].

3 The Legendre PRF as an MQ instance

Here, we describe how to express the sequential Legendre PRF, cf. Definition 1, as a multivariate quadratic equation system. We remark that, in a similar fashion, all the variants (higher-degree) and extensions (power-residue and Jacobi PRF) of the sequential Legendre PRF could be expressed as a suitable MQ instance. Most of our results and observations can be easily ported to those MQ instances as well. Therefore, in this work, we solely focus on the sequential Legendre PRF.

3.1 The ideal

Let us fix an arbitrary quadratic non-residue \(r\in \mathbb {Z}^{*}_p\). Furthermore, it is assumed that we are given \(\{a\}_{K}\), often \(a\approx \log (p)\). Let \(b_i:=\genfrac(){}0{K+i}{p}\) and \(x_i\) be the corresponding unknown. We think of the unknown \(x_i\) as the square root of \(K+i\) if \(b_i=1\), otherwise \(x_i\) denotes the square root of \(r(K+i)\), which is a quadratic residue. Therefore, for each pair of neighboring Legendre symbols \((b_i,b_{i+1})\), we define a unique quadratic equation. If \(b_i=b_{i+1}=1\), then we know that \(x^{2}_{i+1}=K+i+1\) and \(x^{2}_{i}=K+i\), hence

$$\begin{aligned} x^{2}_{i+1}-x^2_i=1. \end{aligned}$$
(1)

If \(b_i=b_{i+1}=-1\), then we have that \(x^{2}_{i+1}=r(K+i+1)\) and \(x^{2}_{i}=r(K+i)\), hence

$$\begin{aligned} x^{2}_{i+1}-x^2_i=r. \end{aligned}$$
(2)

Finally, if \(b_i=1=-b_{i+1}\) or \(b_i=-1=-b_{i+1}\), then we obtain the following two quadratic equations, respectively:

$$\begin{aligned} x^{2}_{i+1}-r x^2_i=r,\qquad x^{2}_{i+1}-r^{-1}x^2_i=1. \end{aligned}$$
(3)

Altogether, this allows us to efficiently transform any Legendre symbol sequence into an equivalent multivariate quadratic equation system. If we have n Legendre symbols, then we obtain \(m=n-1\) independent equations in n variables, hence the MQ instance is underdefined. Note that the equation system is extremely sparse.

Example 1

We consider the following example to illustrate the quadratic equation system induced by the Legendre PRF. Let \(p=\texttt{0xfffffffffffffffffffdd}\) and \(K=\texttt{0x27aaa97c746c22e12d10}\). The smallest quadratic non-residue modulo p is 2. We display the MQ instance induced by the evaluation of the sequential Legendre PRF, \(\{5\}_K=(1,1,-1,-1,1)\). Each pair of consecutive Legendre symbols defines an equation. The ideal corresponding to \(\{5\}_K\) has the following form:

$$\begin{aligned} \langle x_1^2-x_0^2-1, x_2^2-2x_1^2-2, x_3^2-x_2^2-2, x_4^2-2^{-1}x_3^2-1 \rangle . \end{aligned}$$

Let \(I:=\langle f_1,f_2,\dots ,f_{m}\rangle\) be the ideal generated by the quadratic polynomials defined by Eqs. 1, 2 and 3. We want to solve this equation system simultaneously, i.e., to find points in the variety V(I). If the sequence of Legendre symbols is long enough, heuristically \(\mathcal {O}(\log p)\), then there are \(\mathcal {O}(1)\) solutions in \(\mathbb {F}_p\) (only considering solutions where \(x_i\in [0,\frac{p-1}{2}]\) for all i) and one of them corresponds to the secret key K of the PRF. Note that V(I) might contain additional solutions when considered over the algebraic closure \(\overline{\mathbb {F}}_p\).
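As an added worked example (not code from the paper), the following Python snippet implements Definitions 1 and 2 via Euler's criterion and the construction of Sect. 3.1: it turns a Legendre symbol sequence into the sparse equations (1)–(3), derives the witness \(x_i\) from the key by a modular square root, and checks that the witness is a common zero. The toy parameters p = 191, K = 45 and r = 7 are those of Example 3; the function names are assumptions of this example.

```python
# Added example (not from the paper): Legendre PRF evaluation (Definitions 1-2)
# and the sparse MQ system of Sect. 3.1 (Eqs. 1-3), plus a check that the
# square roots derived from the key form a common zero of the system.
# Toy parameters p = 191, K = 45, r = 7 are taken from Example 3 of the paper.


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s            # 0 when p divides a


def legendre_prf_bit(K, x, p):
    """L_K(x) of Definition 2: 0 for a residue, 1 for a non-residue."""
    return (1 - legendre(K + x, p)) // 2


def legendre_sequence(K, n, p):
    """{n}_K of Definition 1: n consecutive symbols starting at the secret K."""
    return [legendre(K + i, p) for i in range(n)]


def smallest_non_residue(p):
    r = 2
    while legendre(r, p) != -1:
        r += 1
    return r


def mq_system(seq, r, p):
    """Eqs. (1)-(3): a pair (coef, const) stands for x_{i+1}^2 - coef*x_i^2 - const = 0."""
    if any(b not in (1, -1) for b in seq):
        raise ValueError("K+i must be non-zero mod p for every i")
    r_inv = pow(r, -1, p)
    eqs = []
    for b_i, b_next in zip(seq, seq[1:]):
        if b_i == 1 and b_next == 1:
            eqs.append((1, 1))                # Eq. (1)
        elif b_i == -1 and b_next == -1:
            eqs.append((1, r))                # Eq. (2)
        elif b_i == 1 and b_next == -1:
            eqs.append((r, r))                # Eq. (3), first equation
        else:
            eqs.append((r_inv, 1))            # Eq. (3), second equation
    return eqs


def sqrt_mod(a, p):
    """Square root of a quadratic residue a modulo an odd prime p (Tonelli-Shanks)."""
    a %= p
    if a == 0:
        return 0
    if legendre(a, p) != 1:
        raise ValueError("not a quadratic residue")
    if p % 4 == 3:                            # fast path, no loop needed
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0                           # p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = smallest_non_residue(p)
    m, c, t, root = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                        # least i with t^(2^i) = 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, root = i, b * b % p, t * b * b % p, root * b % p
    return root


def witness(K, seq, r, p):
    """x_i = sqrt(K+i) if b_i = 1, else sqrt(r(K+i)): the point of V(I) built from K."""
    return [sqrt_mod((K + i) * (r if b == -1 else 1), p) for i, b in enumerate(seq)]


def is_common_zero(xs, eqs, p):
    """Evaluate every equation x_{i+1}^2 - coef*x_i^2 - const at the point xs."""
    return all((xs[i + 1] ** 2 - coef * xs[i] ** 2 - const) % p == 0
               for i, (coef, const) in enumerate(eqs))


if __name__ == "__main__":
    p, K = 191, 45                            # Example 3 of the paper
    r = smallest_non_residue(p)
    seq = legendre_sequence(K, 9, p)
    eqs = mq_system(seq, r, p)
    xs = witness(K, seq, r, p)
    print("sequence:", seq, "r =", r)
    print("equations (coef, const):", eqs)
    print("witness is a common zero:", is_common_zero(xs, eqs, p))
```

The eight pairs produced for Example 3's sequence are the generators of its ideal up to scaling each equation by a unit: the paper writes \(-x_2^2+7x_3^2-7\) where the snippet stores \((7^{-1},1)\) for \(x_3^2-7^{-1}x_2^2-1\). The witness check only confirms that the reduction is sound; for cryptographic primes the system is built just as easily, and the difficulty lies entirely in solving it without K, which is the subject of Sect. 4.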

3.2 The Gröbner basis

To better understand the variety V(I), first we describe the Gröbner basis of I [17]. Interestingly, we can easily compute the Gröbner basis of I regardless of the size of p or the length of the Legendre sequence \(\{a\}_K\).

Theorem 1

Given a Legendre symbol sequence \(\{n\}_K=(b_0,\dots ,b_{n-1})\) and its corresponding ideal \(I=\langle f_1,f_2,\dots ,f_{m}\rangle\), where \(m=n-1\), as defined by Eqs. 1, 2 and 3, its Gröbner basis with respect to the (graded) lexicographic ordering consists of the polynomials \(g_i\), for \(i\in [0,n-2]\), such that

$$\begin{aligned} g_i= {\left\{ \begin{array}{ll} x^2_i-x^2_{n-1}+(n-i), \text {if } b_{n-1}=1\wedge b_i=1\\ x^2_i-rx^2_{n-1}+r(n-i), \text {if } b_{n-1}=1\wedge b_i=-1\\ x^2_i-r^{-1}x^2_{n-1}+(n-i), \text {if } b_{n-1}=-1\wedge b_i=1\\ x^2_i-x^2_{n-1}+r(n-i), \text {if } b_{n-1}=-1\wedge b_i=-1 \end{array}\right. } \end{aligned}$$
(4)

Specifically, \(I=\langle g_0,\dots ,g_{n-2}\rangle\) and \(G:=(g_i)^{n-2}_{i=0}\) is a reduced Gröbner basis.

Proof

With a case distinction one can show that G generates I. For instance, if \(b_i=b_j=b_{n-1}=1\), then \(g_i-g_j=f_i\). The other cases are similar. Thus \(I\subset \langle G\rangle\).

By the Buchberger criterion, we only need to verify that for all i, j, the S-polynomial \(S(g_i,g_j)\) divided by the Gröbner basis has no remainder, i.e., \(\overline{S(g_i,g_j)}^{G}=0\). This follows from Buchberger’s product criterion, but we include the following simple proof for completeness. We let \(i<j\) and here solely consider the case when \(b_i=b_j=b_{n-1}=1\). The rest of the cases result in a similar calculation. By the definition of the S-polynomials, we have \(S(g_i,g_j)=x^2_jg_i-x^2_i g_j\). First, we divide \(S(g_i,g_j)\) by \(g_i\). We observe that the remainder of the polynomial division is \(g_j(x^2_{n-1}-(n-i)),\) which is divisible by \(g_j\). Therefore, indeed \(\overline{S(g_i,g_j)}^{G}=0\). Hence, the polynomials in G indeed form a Gröbner basis.

G is reduced, since all of its basis polynomials have a leading coefficient one. Moreover, \(\langle \textsf{LT}(g_i)\rangle =\langle \textsf{LT}(I)\rangle\) and no trailing term of any \(g_i\in G\) lies in \(\langle \textsf{LT}(I)\rangle\). \(\square\)

Example 2

The Gröbner basis of the polynomials corresponding to the Legendre symbol sequence \(\{5\}_{K}\), from Example 1, consists of the following quadratic bi-variate polynomials:

$$\begin{aligned} \langle x_0^2-x_4^2+4, x_1^2-x_4^2+3, x_2^2-2x_4^2+4, x_3^2-2x_4^2+2\rangle . \end{aligned}$$

We remark that one can view the resulting equation system as a simultaneous Pell-equation system over \(\mathbb {F}_p\). Each polynomial in the Gröbner basis is quadratic, bi-variate and has \(p-1\) solutions in \(\mathbb {F}_p\). Put differently, seemingly no elimination ideal turns out to be helpful in finding a common zero.

First, we observe that the polynomials in I lack any special internal structure, i.e., the only relations holding are the trivial ones. More formally, the \(m=n-1\) multivariate quadratic polynomials of I in n variables define a regular ideal, i.e., V(I) is a 1-dimensional variety, namely, it contains an infinite number of solutions in \(\overline{\mathbb {F}}_p\). The proof of the following lemma is in Appendix A.

Lemma 1

I is a regular ideal.

3.3 The field equations

As we have seen previously the corresponding variety V(I) of the ideal I has dimension 1. However, in the cryptanalysis of the Legendre PRF, we wish to obtain a 0-dimensional variety that contains the secret key K of the PRF. As we show, this can be achieved by adding the field equations to the ideal I.

A sequence \(\{n\}_K\) can be described with polynomials in \(\mathbb {F}_p[x_0,x_1,\dots ,x_{n}]\). Let us define \(I_{\textsf{FE}}\) as follows:

$$\begin{aligned} I_{\textsf{FE}}=I+\{x^p_i-x_i\vert i\in [0,n]\}. \end{aligned}$$
(5)

Example 3

We illustrate the ideal \(I_{\textsf{FE}}\) complemented with the field equations with parameters \(p=191\) and \(\{9\}_{45}=(1,1,-1,1,1,1,1,1,-1)\). The smallest quadratic non-residue is \(r=7\bmod {191}\).

$$\begin{aligned} I_{\textsf{FE}}=\langle -x_0^2 + x_1^2 - 1, -7x_1^2 + x_2^2 - 7, -x_2^2 + 7x_3^2 - 7, -x_3^2 + x_4^2 - 1,\\ -x_4^2 + x_5^2 - 1,-x_5^2 + x_6^2 - 1, -x_6^2 + x_7^2 - 1, -7x_7^2 + x_8^2 - 7,\\ x_0^{191} - x_0, x_1^{191} - x_1, x_2^{191} - x_2, x_3^{191} - x_3, x_4^{191} - x_4,\\ x_5^{191} - x_5, x_6^{191} - x_6, x_7^{191} - x_7, x_8^{191} - x_8\rangle . \end{aligned}$$

The corresponding Gröbner basis has the following form,

$$\begin{aligned} \langle x_0^2 - 45, x_1^2 - 46, x_2^2 + 53, x_3^2 - 48, x_4^2 - 49, x_5^2 - 50, x_6^2 - 51, x_7^2 - 52, x_8^2 + 11\rangle . \end{aligned}$$

Note how helpful the Gröbner bases are in obtaining the secret key K. In addition, one can also read off all the evaluated points from the Gröbner bases. If the variable \(x_i\) corresponds to a residue, then \(x^2_i\) is one of the evaluated points in the PRF. Alternatively, if \(x_i\) corresponds to a non-residue, then \(r^{-1}x^2_i\bmod {p}\) is the evaluated point in the PRF.
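The following added Python example (not from the paper) makes Theorem 2 and the remark above concrete for the toy parameters p = 191, K = 45, r = 7 of Example 3: it writes down the constants \(c_i\) of the Gröbner basis polynomials \(x_i^2-c_i\) of Eq. 6, recovers the evaluated points K + i and the key from them using the residue/non-residue rule just described, and, since p is tiny, also enumerates every key in \(\mathbb {F}_p\) consistent with the observed sequence, i.e., checks the uniqueness hypothesis of Theorem 2 by brute force. Function names are assumptions of this example; the brute-force step is feasible only for toy primes.

```python
# Added example (not from the paper): Theorem 2 / Example 3 made concrete.
# With the toy parameters p = 191, K = 45, r = 7 of Example 3 we compute the
# constants c_i of the Groebner basis polynomials x_i^2 - c_i (Eq. 6), read the
# evaluated points and the key back off them, and count by brute force how
# many keys in F_p are consistent with the observed sequence.


def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion (p an odd prime)."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def groebner_constants(K, seq, r, p):
    """c_i with g_i = x_i^2 - c_i: c_i = K+i for a residue, r(K+i) for a non-residue."""
    return [((r if b == -1 else 1) * (K + i)) % p for i, b in enumerate(seq)]


def evaluated_points(consts, seq, r, p):
    """Rule after Example 3: point = c_i if b_i = 1, else r^{-1} c_i mod p."""
    r_inv = pow(r, -1, p)
    return [(c * (r_inv if b == -1 else 1)) % p for c, b in zip(consts, seq)]


def recover_key(consts, seq, r, p):
    """The key is the first evaluated point, K + 0."""
    return evaluated_points(consts, seq, r, p)[0]


def keys_matching(seq, p):
    """Every K' in F_p whose Legendre sequence equals seq (exhaustive search,
    toy primes only). Theorem 2 assumes this list has exactly one element."""
    return [K for K in range(p)
            if all(legendre(K + i, p) == b for i, b in enumerate(seq))]


if __name__ == "__main__":
    p, K, r = 191, 45, 7
    seq = [legendre(K + i, p) for i in range(9)]        # {9}_45 of Example 3
    consts = groebner_constants(K, seq, r, p)
    print("Groebner basis: " + ", ".join(f"x_{i}^2 - {c}" for i, c in enumerate(consts)))
    print("evaluated points:", evaluated_points(consts, seq, r, p))
    print("recovered key:", recover_key(consts, seq, r, p))
    for length in (1, 3, 5, 9):
        print(f"keys consistent with the first {length} symbols:",
              len(keys_matching(seq[:length], p)))
```

The constants are printed as least non-negative residues, so \(x_2^2-138\) and \(x_8^2-180\) appear where Example 3 writes \(x_2^2+53\) and \(x_8^2+11\); they are the same polynomials modulo 191. The last loop shows the number of consistent keys shrinking as more symbols are observed, which is the heuristic of Sect. 3.1 that a sequence of length \(\mathcal {O}(\log p)\) pins K down.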

Using the intuition of Example 3, we can describe in general the structure of the Gröbner basis of \(I_{\textsf{FE}}\).

Theorem 2

Let \(\{n\}_K=(b_0,\dots ,b_{n-1})\) be a Legendre symbol sequence for which there exists a unique key K. We consider its corresponding ideal complemented with the field equations \(I_{\textsf{FE}}=\langle f_1,f_2,\dots ,f_{m}\rangle\), where \(m=2(n-1)+1\) as defined by Eq. 5. Then the Gröbner basis of \(I_{\textsf{FE}}\) with respect to the (graded) lexicographic ordering, consists of the polynomials \(g_i\), for \(i\in [0,n-1]\) such that,

$$\begin{aligned} g_i= {\left\{ \begin{array}{ll} x^2_i-(K+i), \text {if } b_{i}=1\\ x^2_i-r(K+i), \text {if } b_{i}=-1 \end{array}\right. } \end{aligned}$$
(6)

Moreover, \(G:=(g_i)^{n-1}_{i=0}\) is a reduced Gröbner basis.

Proof

G generates the ideal \(I_{\textsf{FE}}\), since each \(f_i\) can be expressed by using the generators \(g_i\). The generating polynomials \(f_i\) of the ideal I can be expressed as \(f_i=r^{L_0(K+i+1)}g_{i+1}-r^{L_0(K+i)}g_i\). The field polynomials can also be expressed using the generators of G. Specifically, let us denote the modular square roots of \(r^{L_0(K+i)}(K+i)\) as b and c. Then, \(x^p_i-x_i=g_i\prod _{a\ne b,c}(x_i-a)\). Hence, \(I_{\textsf{FE}}\subset \langle G\rangle\). By the uniqueness of K, we also have that \(\langle G\rangle \subset I_{\textsf{FE}}\), since the corresponding varieties are equal over the algebraic closure.

Next, we verify that the Buchberger criterion holds for the polynomials in G. In this case, \(S(g_i,g_j)=x_j^2g_i-x_i^2g_j\). Depending on the residuosity of \(b_i,b_j\) we have four cases, but for the sake of simplicity we only consider here the case of \(b_i=b_j=1\). The other cases follow similarly. The S-polynomial is divisible by G, since \(S(g_i,g_j)=x_j^2(x_i^2-(K+i))-x_i^2(x_j^2-(K+j))=-(K+i)x^2_j+(K+j)x_i^2=(K+j)g_i-(K+i)g_j,\) which is clearly divisible by the polynomials of G. G is clearly a reduced Gröbner basis, as each leading coefficient is one and no monomial of \(g_i\) lies in \(\langle \textsf{LT}(G\setminus g_i)\rangle\). \(\square\)

In Sect. 4, we evaluate empirically the time complexity of computing the Gröbner basis of MQ instances (the \(I_{\textsf{FE}}\) ideal) induced by Legendre PRF sequences. The ideal \(I_{\textsf{FE}}\) cannot be regular as it contains more polynomials than variables. However, the Gröbner basis of \(I_{\textsf{FE}}\) allows us to easily observe that in \(I_{\textsf{FE}}\) there are no internal dependencies between the ideal’s generating polynomials. More precisely, we prove the following lemma in Appendix A.

Lemma 2

\(I_{\textsf{FE}}\) is a semi-regular ideal, if the conditions of Theorem 2 are met.

The asymptotic behavior of the degree of regularity of semi-regular ideals is well understood [13]. The degree of regularity \(d_{reg}\) of an ideal is a measure to assess the theoretical complexity of computing the Gröbner basis of an ideal. For a precise definition, the reader is referred to [21]. Finally, we show the usefulness of \(I_{\textsf{FE}}\) in connection with the Legendre PRF.

Lemma 3

A successful Legendre key-recovery attack is equivalent in polynomial time to solving the MQ system defined by the ideal \(I_{\textsf{FE}}\). On the other hand, the weak unpredictability of the Legendre PRF is equivalent to the decidability of the induced MQ instance over the finite prime field.

Proof

Let V and I be the variety and ideal defined by the Legendre PRF evaluation \(\{n\}_K\). More precisely, we fix a quadratic non-residue \(r\in \mathbb {F}_p\). In polynomial time, we construct \(V^{*}=\{(x_0, x_1, \ldots , x_n)\vert x_i = \pm \textsf{sqrt}_p(r^{L_{K}(i)}(K+i)),i\in [0,n-1]\}\). The corresponding ideal is denoted as \(I^{*}\). We show that \(V^{*}=V(I_{\textsf{FE}})\). First, \(V^{*}\subset V(I_{\textsf{FE}})\), since the polynomials of \(I_{\textsf{FE}}\) are constructed precisely so that they vanish at every point of \(V^{*}\). The other inclusion is trivial by the construction of the polynomials of \(I_{\textsf{FE}}\). \(I_{\textsf{FE}}\) is a radical ideal, since every ideal that contains its field equations is a radical ideal [77, Lemma 2.2.3.]. Hence, \(I_{\textsf{FE}}\) is the smallest ideal that vanishes on \(V^{*}\).

As for the unpredictability of the Legendre PRF, if the MQ system corresponding to a purported PRF evaluation is not solvable, then it is certain that the pseudorandom sequence was not obtained by evaluating the Legendre PRF. \(\square\)

We highlight again the sparsity of the induced MQ instance. This is in contrast with most MQ public-key cryptosystems, where the MQ instance is generated uniformly at random by the signer or encryptor. Typically, a random MQ instance has many non-zero coefficients, resulting in large public keys. Contrarily, in the case of the Legendre PRF, the MQ instances exhibit a specific structure (cf. Examples 1–3) stemming from the multiplicative group of \(\mathbb {F}_p\). Interestingly, if a single coefficient in the Legendre MQ instance became 0, then the whole equation system would suddenly be trivially solvable by “back-substitution”.

In Sect. 4, we turn our attention to assessing the security of the MQ instance induced by the Legendre PRF. In particular, we assess the complexity of solving the particular equation systems. According to [46], in order to prove the security of a multivariate PRF, it suffices to show that the family of MQ instances \(\textbf{f}\) induced by the PRF is hard to solve. This is because then the distributions \(D_1=(\textbf{f},\textbf{f}(x_0,x_1,\dots ,x_{n-1}))\) and \(D_2=(\textbf{f},U_m)\) are computationally indistinguishable, where \(U_m\) is a uniform distribution over \(\mathbb {F}^m_p\) [46].

4 Security of the Legendre PRF as MQ instances

In this section, we evaluate the complexity of a key-recovery attack on the Legendre PRF as an MQ instance. We find that direct attacks, solvers and other traditional algebraic attacks (interpolation attacks, MinRank etc.) do not improve on the state-of-the-art classical attack due to Kaluderovic et al. [56].

4.1 Algebraic cryptanalytic attempts

4.1.1 Interpolation attacks

Interpolation attacks aim to interpolate a cryptosystem’s polynomial without knowing its secret key [48]. In a single party setting, the Legendre PRF is typically evaluated more than once for a particular key K, i.e., \(\{a\}_{K}\) is used as a pseudorandom bit-string, where \(a>0\). In these cases, the resulting bit-string is mapped to integers, for instance, in the following way,

$$\begin{aligned} F_K(a)=\sum ^{a-1}_{i=0}2^{a-1-i}(K+i)^{\frac{p-1}{2}}\mod p \end{aligned}$$
(7)

Note that \(\deg (F_K(a))=\frac{p-1}{2}\), i.e., the polynomial representing the Legendre PRF has almost full degree over \(\mathbb {F}_p\), which is exponential in the security parameter. The polynomial is dense (all possible monomials appear) and no coefficient is dependent on the key K. These properties make interpolation attacks infeasible, as they would require at least \(\frac{p-1}{2}+1\) pairs of keys and pseudorandom field elements to interpolate \(F_K(a)\).

4.1.2 Direct algebraic attacks

Direct algebraic attacks, i.e., computing the Gröbner basis [17], aim to directly solve the cryptosystem’s underlying MQ instance. The computational complexity of these attacks is equivalent to that of computing the Gröbner basis [75], which in turn depends on the degree of regularity, \(d_{ reg }\), of the MQ instance at hand. Hence, it is of great interest to compute \(d_{ reg }\) of an MQ cryptosystem. However, in many cases, this is not possible without actually calculating the Gröbner basis itself. For m equations of degree at most d in n variables, the arithmetic complexity of Gröbner basis computation is \(2^{2^{\mathcal {O}(n)}}\) in general and \(\mathcal {O}\Bigl (m\cdot \left( {\begin{array}{c}n+d_{ reg }-1\\ n\end{array}}\right) ^{\omega }\Bigr )\) in the case of 0-dimensional regular systems, where \(2\le \omega \le 3\) is the linear algebra constant of matrix multiplication.

Fig. 1 The maximum degree in the Gröbner basis (left) and the exponential time complexity of computing the Gröbner bases (right) for the ideals \(I_{\textsf{FE}}\) defined by the Legendre PRF

We empirically evaluated the performance of computing the Gröbner basis for the ideal \(I_{\textsf{FE}}\) induced by the PRF evaluations, see Fig. 1. We sampled random small primes of a given bit-length and evaluated the Legendre PRF for sequences of length seven and nine. We computed and recorded the time it takes to compute the Gröbner basis of the corresponding ideal \(I_{\textsf{FE}}\). We repeated the experiment 10 times. We observe that computing the Gröbner basis takes exponential time in the bit-length of the prime modulus. We expect that launching a key-recovery attack against the Legendre PRF using Gröbner basis methods is hopeless for cryptographic parameter sets, i.e., for primes of size \(\approx 2^{128}\). Attaining lower and upper bounds for \(d_{ reg }\) to assess the exact complexity of the Gröbner basis computation of \(I_{\textsf{FE}}\) is an interesting open problem.

4.1.3 MinRank attacks

The MinRank attack is a powerful tool in the cryptanalysis of multivariate cryptography. MinRank attacks broke numerous multivariate cryptosystems, such as the cryptanalysis of HFE due to Kipnis and Shamir [61] or the cryptanalysis of SRP encryption system [71]. In the following, we show that the Legendre PRF has high Q-rank, therefore it is immune to MinRank attacks. For the complete calculation the reader is referred to Appendix C.1.

4.2 Group structure of the Legendre PRF MQ instances’ solutions

We give an algebraic-geometric argument on the security of the Legendre PRF. In Sect. 3.1, we showed that the PRF seed lies in the intersection of multiple Pell conics. The solutions of a single Pell equation over \(\mathbb {F}_p\) form a cyclic Abelian group [26]. These groups were previously suggested for use in cryptography, as it is believed that the discrete logarithm problem is hard in these groups [63]. A single Pell conic has genus 0. The intersection of two Pell conics yields a nonsingular elliptic curve with genus 1. Specifically, if one wants to find every secret key K that results in a specific 3-long binary sequence produced by the Legendre PRF, e.g. \((1,-1,1)\), then every satisfying secret key K is a rational point on a sequence-specific elliptic curve. However, if one considers longer sequences, then the resulting curve has genus greater than 1, cf. Fig. 2. Hence, the solutions of those algebraic curves are not equipped with an Abelian group structure. In the following, we compute the genus of the high-degree surfaces induced by the Legendre PRF in the general case.

Fig. 2 The genus of the algebraic curves containing the solutions corresponding to a Legendre symbol sequence of length \(m+1\)

We want to calculate the genus of the algebraic curve containing the solutions of a Legendre PRF key-recovery attack. More formally, we want to compute \(1-P(0)\), where \(P(\cdot )\) is the Hilbert polynomial of the curve defined by the intersection of several Pell conics. Let \((f_1,f_2,\dots ,f_m)\) be the given Pell conics in variables \(x_0,x_1,\dots ,x_n\) and I the ideal generated by them. Note that n denotes the length of the given Legendre sequence. For \(N\gg 0\), P(N) is the dimension over \(\mathbb {F}_p\) of the degree-N homogeneous part of \(\mathbb {F}_p[x_0,\dots ,x_n]/I\) [44]; this is a linear polynomial in N. Since for all \(i\ne j\) we have \((f_i,f_j)=1\), i.e., the conics are pairwise coprime, we obtain the following inclusion–exclusion type formula,

$$\begin{aligned} P_n(N)=g_n(N)-\left( {\begin{array}{c}n-1\\ 1\end{array}}\right) g_n(N-2)+\left( {\begin{array}{c}n-1\\ 2\end{array}}\right) g_n(N-4)-\dots , \end{aligned}$$
(8)

where \(g_n(N)\) denotes the number of degree-N monomials in \(\mathbb {F}_p[x_0,\dots ,x_n]\), i.e., \(g_n(N)=\left( {\begin{array}{c}N+n\\ n\end{array}}\right)\). For concreteness, let us consider the case of four intersecting Pell conics, i.e., Legendre sequences of length five. We have the following expression for the Hilbert polynomial when \(n=4\):

$$\begin{aligned} P_4(N)=\left( {\begin{array}{c}N+4\\ 4\end{array}}\right) -3\left( {\begin{array}{c}N+2\\ 4\end{array}}\right) +3\left( {\begin{array}{c}N\\ 4\end{array}}\right) -\left( {\begin{array}{c}N-2\\ 4\end{array}}\right) . \end{aligned}$$
(9)

By substituting \(N=0\), we obtain \(P_4(0)=-4\), i.e., the arithmetic genus is \(1-P_4(0)=5\). In general, we obtain the following closed formula for the Hilbert polynomial:

Lemma 4

\(P_n(N)=2^{n-1}\cdot N -(n-3)\cdot 2^{n-2}\).

Proof

The proof is enclosed in Appendix 1.
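To make the inclusion–exclusion computation of Eq. (8) and the closed form of Lemma 4 concrete, the following added example (not code from the paper) evaluates \(P_n(N)\) with the generalised binomial coefficient, which is what makes the term \(\left({\begin{array}{c}N-2\\ 4\end{array}}\right)\) of Eq. (9) contribute \(-5\) at \(N=0\), and checks the result against Lemma 4 on a grid of \((n,N)\).

```python
"""Hilbert polynomial of the Legendre PRF solution curve via Eq. (8).

Added example, not code from the paper. It evaluates the inclusion-exclusion
sum of Eq. (8) exactly as written, using the generalised binomial coefficient
so that terms such as C(N-2, 4) at N = 0 contribute the way the paper's own
value P_4(0) = -4 requires, and compares the result with Lemma 4.
"""
from fractions import Fraction
from math import comb


def gen_binom(top: int, k: int) -> int:
    """Generalised binomial coefficient top(top-1)...(top-k+1)/k!.
    Unlike math.comb it is defined for negative top, e.g. C(-2, 4) = 5."""
    value = Fraction(1)
    for j in range(k):
        value *= top - j
    for j in range(1, k + 1):
        value /= j
    return int(value)  # always integral for integer top


def g(n: int, N: int) -> int:
    """g_n(N): number of degree-N monomials in F_p[x_0, ..., x_n], i.e.
    C(N+n, n), extended to negative N as Eq. (9) requires."""
    return gen_binom(N + n, n)


def hilbert_poly(n: int, N: int) -> int:
    """P_n(N) from Eq. (8): alternating sum over the n-1 degree-2 Pell
    conics cut out of projective n-space."""
    return sum((-1) ** k * comb(n - 1, k) * g(n, N - 2 * k) for k in range(n))


def lemma4(n: int, N: int) -> int:
    """Closed form stated by Lemma 4."""
    return 2 ** (n - 1) * N - (n - 3) * 2 ** (n - 2)


def arithmetic_genus(n: int) -> int:
    """1 - P_n(0): genus of the curve carrying the keys consistent with the sequence."""
    return 1 - hilbert_poly(n, 0)


def lemma4_holds(max_n: int = 8, max_N: int = 6) -> bool:
    """Check Eq. (8) against Lemma 4 on a grid of (n, N) values."""
    return all(hilbert_poly(n, N) == lemma4(n, N)
               for n in range(2, max_n + 1) for N in range(max_N + 1))


if __name__ == "__main__":
    for n in range(2, 7):
        print(f"n={n}: P_n(N) = {2 ** (n - 1)}N - {(n - 3) * 2 ** (n - 2)}, "
              f"genus {arithmetic_genus(n)}")
```

For n = 2 and n = 3 the genus comes out as 0 and 1, matching the conic and the elliptic curve discussed at the start of Sect. 4.2; from n = 4 on it grows as \(1+(n-3)2^{n-2}\).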

5 Extensions of the Legendre PRF

In this section, we construct various extensions of the Legendre PRF and compare them with other state-of-the-art constructions. We build verifiable random functions in Sect. 5.1, oblivious pseudorandom functions (OPRF) in Sect. 5.2 and verifiable OPRF in Appendix E.

5.1 Verifiable random functions from the Legendre PRF

Verifiable random functions (VRFs) are natural extensions of PRFs [66]. In a VRF, the PRF evaluator can produce a publicly verifiable proof about the correct evaluation of the PRF \(F_K(x)\) given the PRF input x, the output \(F_K(x)=y\) and a public verification key, without revealing anything about the secret key K. In many applications, in addition to the efficient production of pseudorandom strings, one also needs to prove the correctness of those pseudorandom bits, e.g., proof-of-stake consensus algorithms [36].

An advantage of the Legendre PRF arithmetization as an MQ instance is that it allows one to model the PRF as a low-degree polynomial equation system. This arithmetization readily facilitates the construction of efficient Legendre VRFs. By contrast, if one models the Legendre PRF as a univariate polynomial of high degree \(\frac{p-1}{2}\) via Euler's criterion, this hinders the application of efficient proof systems to the correct-evaluation statement. Building on this observation and using a NIZK with the Legendre PRF (following the high-level approach sketched in [66]), we propose a new VRF that admits post-quantum secure instantiations with performance comparable to the state of the art.

5.1.1 Syntax and security of VRFs

Definition 7

A VRF is comprised of the polynomial-time algorithms \(\mathcal {VRF}= (\mathsf {VRF.PPGen},\mathsf {VRF.Gen},\mathsf {VRF.Eval},\mathsf {VRF.Vfy})\) with the following functionality:

  • \(\mathsf {VRF.PPGen}(\textsf{1}^{\lambda })\rightarrow \textsf{pp}_{\textsf{vrf}}\). Upon the security parameter \(\lambda\), the algorithm samples the public parameters \(\textsf{pp}_{\textsf{vrf}}\).

  • \(\mathsf {VRF.Gen}(\textsf{pp}_{\textsf{vrf}})\rightarrow (\textsf{sk},\textsf{vk})\). Upon \(\textsf{pp}_{\textsf{vrf}}\), the algorithm samples secret and verification keys \((\textsf{sk},\textsf{vk})\).

  • \(\mathsf {VRF.Eval}(\textsf{pp}_{\textsf{vrf}},\textsf{sk}, X)\rightarrow (Y,\pi )\). This algorithm evaluates a PRF \(F:\{0,1\}^{\lambda }\times \{0,1\}^{\lambda }\rightarrow \{0,1\}^{\lambda }\) using the public parameters \(\textsf{pp}_{\textsf{vrf}}\), secret key \(\textsf{sk}\) and PRF input X and outputs the PRF value Y and a proof of honest evaluation \(\pi\).

  • \(\mathsf {VRF.Vfy}(\textsf{pp}_{\textsf{vrf}},\textsf{vk},X,Y,\pi )\rightarrow \{0,1\}\). Upon the public parameters \(\textsf{pp}_{\textsf{vrf}}\), verification key \(\textsf{vk}\), PRF input–output pair \((X,Y)\) and proof \(\pi\), the verification algorithm outputs either 1 (accept) or 0 (reject).

Furthermore, the following requirements must hold:

  1. Correctness: \(\forall \lambda \in \mathbb {N}\), \(\textsf{pp}_{\textsf{vrf}}{\leftarrow \!\!{\$}}\,\mathsf {VRF.PPGen}(\textsf{1}^{\lambda })\), input \(X\in \{0,1\}^{\lambda }\), keys \((\textsf{vk},\textsf{sk}){\leftarrow \!\!{\$}}\,\mathsf {VRF.Gen}(\textsf{pp}_{\textsf{vrf}})\), and \((Y,\pi ){\leftarrow \!\!{\$}}\,\mathsf {VRF.Eval}(\textsf{pp}_{\textsf{vrf}},\textsf{sk}, X)\) it must hold that \(\mathsf {VRF.Vfy}(\textsf{pp}_{\textsf{vrf}},\textsf{vk},X,Y,\pi )=1\).

  2. Computational unique provability: \(\forall \lambda \in \mathbb {N}, X\in \{0,1\}^{\lambda }\) and PPT adversary \(\mathcal {A}\), there exists a negligible function \(\texttt {negl} (\lambda )\) s.t.

    (10)

  3. Pseudorandomness: Let \(\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)\) be an attacker with oracle access to \(\mathsf {VRF.Eval}(\textsf{pp}_{\textsf{vrf}},\textsf{sk},\cdot )\) in the following pseudorandomness game:

    figure b (the pseudorandomness game)

    Denoting the oracle queries of \(\mathcal {A}\) in the game by \(\mathcal {Q} = (X_1,\ldots ,X_Q)\), we say that \(\mathcal {A}\) is legitimate if for any random coin choices \(\rho _{\mathcal {A}}\in \{0,1\}^{\lambda }\) of \(\mathcal {A}\) there exists no \(i\in [Q]\) with \(X_i = X^*\). We say that \(\mathcal {VRF}\) is pseudorandom if for all legitimate \(\mathcal {A}\), its advantage in the game \(\mathcal {G}_{\mathcal {A}}^{\mathcal {VRF}}(\textsf{1}^{\lambda })\) is negligible, i.e., \(\left| \Pr\left[ \mathcal {G}_{\mathcal {A}}^{\mathcal {VRF}}(\textsf{1}^{\lambda }) = 1\right] - \frac{1}{2} \right| \le \texttt {negl} (\lambda )\).

5.1.2 Construction

We proceed with the construction of the Legendre VRF.

Intuition We face two challenges in creating a Legendre VRF. First, we need a verification key \(\textsf{vk}\). For \(\textsf{sk}=K\in _R\mathbb {F}_p\), we let \(\textsf{vk}=\{c\cdot \log p\}_{K}\). Heuristic arguments imply that a long enough symbol sequence is unique if its length is roughly \(\log p\) [70]. Hence, a unique symbol sequence acts as a “commitment” to \(\textsf{sk}\). Second, we need to verify efficiently the correct evaluation of the Legendre PRF. We can leverage NIZK argument systems, since we can express the correct PRF evaluation statement as a low-degree polynomial equation system.

  • \(\mathsf {VRF.PPGen}(\textsf{1}^{\lambda }) \rightarrow \textsf{pp}_{\textsf{vrf}}\). On receiving the security parameter \(\textsf{1}^{\lambda }\), the public parameter generation algorithm runs \((\mathcal {R},\textsf{aux})\leftarrow \mathcal {R}\text {-}\textsf{Gen}\) and \((\sigma ,\tau )\leftarrow \mathsf {NIZK.Setup}(\mathcal {R})\) and outputs \(\textsf{pp}_{\textsf{vrf}}= (\sigma ,\mathcal {R})\).

  • \(\mathsf {VRF.Gen}(\textsf{pp}_{\textsf{vrf}})\rightarrow (\textsf{vk}, \textsf{sk})\). Using the public parameters \(\textsf{pp}_{\textsf{vrf}}\), the key generation algorithm samples a random \(\textsf{sk}=K\in _{R}\mathbb {F}_p\) and computes the Legendre sequence \(\textsf{vk}:=\{c\cdot \log p\}_K\) that serves as a “commitment” to K (for a fixed constant c).

  • \(\mathsf {VRF.Eval}(\textsf{pp}_{\textsf{vrf}},\textsf{sk},X)\rightarrow (Y,\pi )\). The evaluation of the VRF takes the public parameters \(\textsf{pp}_{\textsf{vrf}}\), the secret key \(\textsf{sk}=K\) and an input X to the PRF. Let Y be \(\lambda\) consecutive Legendre symbols, i.e., \(Y=\{\lambda \}_{K+X\lambda }\), so that for all X we evaluate the symbol on disjoint intervals (we constrain \(X\le p/\lambda\)). Disjointness is used to ensure the pseudorandomness of the VRF, see the proof in Appendix D. Let \(\pi \leftarrow \mathsf {NIZK.Prove}(\mathcal {R},\sigma ,\phi ,\textsf{w})\), where the witness \(\textsf{w}= \textsf{sk}\) and \(\phi\) corresponds to an MQ equation system that consists of

    • quadratic equations corresponding to the evaluation of the Legendre PRF as defined in Sect. 3.1,

    • similar equations showing the relation of \(\textsf{sk}\) and \(\textsf{sk}+X\lambda\), i.e., the i-th bits of \(\textsf{vk}\) and Y correspond to Legendre symbols of values at distance \(X\lambda\). For instance, in the case of two quadratic residues, we have \(x^2_i-x^2_{\textsf{vk}_i}=X\lambda\), cf. Equation 1. The equations corresponding to the other cases can be similarly adapted from the quadratic equations of Sect. 3.1.

    The algorithm outputs \((Y,\pi )\).

  • \(\mathsf {VRF.Vfy}(\textsf{pp}_{\textsf{vrf}},\textsf{vk},X,Y,\pi )\rightarrow \{0,1\}\). On receiving the public parameters \(\textsf{pp}_{\textsf{vrf}}=(\mathcal {R},\sigma )\), verification key \(\textsf{vk}\), a VRF input–output pair \((X,Y)\) with a proof \(\pi\), the verification algorithm first determines \(\phi\) based on \(\textsf{vk},X,Y\), and \(|Y|=n\), then runs \(\mathsf {NIZK.Vfy}(\mathcal {R},\sigma ,\phi ,\pi )\) and returns its output.
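The following added example (not the paper's code) makes the statement \(\phi\) of the construction above explicit by evaluating the relation a NIZK would prove directly on the witness, so one can see how \(\textsf{vk}\) commits to K and how Y is tied to \(\textsf{vk}\) through \(x^2_i-x^2_{\textsf{vk}_i}=X\lambda\). It assumes a toy prime \(p\equiv 3 \bmod 4\) (so square roots are \(a^{(p+1)/4}\)), encodes non-residues as \(g\cdot x^2\) for a fixed public non-residue g in place of the Sect. 3.1 equations that are not reproduced here, and uses \(c=2\) for the length of \(\textsf{vk}\).

```python
"""The statement phi of the Legendre VRF, checked in the clear.

Added example, not code from the paper. The NIZK is abstracted away: the
relation R(phi, w) that VRF.Eval proves and VRF.Vfy checks is evaluated
directly on the witness. Assumptions (constructed, not from the paper): toy
prime p = 3 (mod 4) so square roots are a^((p+1)/4); non-residues are written
as g*x^2 for a fixed public non-residue g, standing in for the Sect. 3.1
equations; c = 2 for the vk length.
"""
P = 1019          # toy prime, 1019 = 3 (mod 4); a real instance uses p ~ 2^128
LAMBDA = 8        # toy security parameter: Y consists of LAMBDA symbols
C = 2             # vk = {c * log p}_K


def legendre(a: int, p: int = P) -> int:
    """Legendre symbol (a/p) via Euler's criterion: 1, -1 or 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


G = next(g for g in range(2, P) if legendre(g) == -1)   # public non-residue (assumed)


def seq(start: int, length: int) -> list:
    """{length}_start: consecutive Legendre symbols starting at start."""
    return [legendre(start + i) for i in range(length)]


def root_witness(v: int) -> tuple:
    """Encode v mod p as g^e * x^2 and return (e, x); symbol 0 gives (0, 0)."""
    s = legendre(v)
    if s == 0:
        return 0, 0
    if s == -1:
        v = v * pow(G, -1, P)                  # divide out g, leaving a residue
    return (0 if s == 1 else 1), pow(v % P, (P + 1) // 4, P)


def val(e: int, x: int) -> int:
    """Value behind a witness pair: g^e * x^2 mod p."""
    return pow(G, e, P) * x * x % P


def symbol_of(e: int, x: int) -> int:
    """Symbol implied by a witness pair: (-1)^e, or 0 if x = 0."""
    return 0 if x == 0 else (-1) ** e


def vrf_gen(K: int) -> list:
    """VRF.Gen: vk = {c log p}_K, a Legendre sequence that commits to K."""
    return seq(K, C * P.bit_length())


def vrf_eval(K: int, X: int) -> tuple:
    """VRF.Eval: Y = {lambda}_{K + X lambda} on an interval disjoint from those
    of other inputs (X <= p / lambda), plus the witness a NIZK would consume."""
    assert 0 <= X <= P // LAMBDA
    start = K + X * LAMBDA
    w = {"y": [root_witness(start + i) for i in range(LAMBDA)],
         "vk": [root_witness(K + i) for i in range(C * P.bit_length())]}
    return seq(start, LAMBDA), w


def relation_holds(vk: list, X: int, Y: list, w: dict) -> bool:
    """phi, determined by (vk, X, Y): every witness root reproduces its claimed
    symbol, consecutive values inside vk and inside Y differ by 1 (the PRF
    evaluation equations), and the i-th values behind Y and vk differ by
    X*lambda, i.e. x_i^2 - x_{vk_i}^2 = X*lambda when both are residues."""
    yr, vr = w["y"], w["vk"]
    if len(Y) != LAMBDA or len(yr) != LAMBDA or len(vr) != len(vk) or len(vk) < LAMBDA:
        return False
    if any(symbol_of(*yr[i]) != Y[i] for i in range(LAMBDA)):
        return False
    if any(symbol_of(*vr[i]) != vk[i] for i in range(len(vk))):
        return False
    if any((val(*vr[i + 1]) - val(*vr[i]) - 1) % P for i in range(len(vk) - 1)):
        return False
    if any((val(*yr[i + 1]) - val(*yr[i]) - 1) % P for i in range(LAMBDA - 1)):
        return False
    return all((val(*yr[i]) - val(*vr[i]) - X * LAMBDA) % P == 0 for i in range(LAMBDA))
```

Checking the relation in the clear is of course not zero-knowledge; it only shows what the NIZK proof \(\pi\) attests, with the witness hidden in the real construction.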

The following theorem, which we prove in Appendix D, formalizes the security of the Legendre VRF.

Theorem 3

Assuming the hardness of the SLS problem (Definition 1) the Legendre VRF is secure according to Definition 7, if the underlying NIZK argument fulfils the perfect completeness, perfect zero-knowledge and computational soundness requirements (defined in [12]).

5.1.3 Instantiations and performance

We instantiate our VRF with the state-of-the-art succinct NIZK of [42]. However, it does not provide post-quantum security. Another family of proof systems, zero-knowledge succinct transparent arguments of knowledge (zkSTARKs), was pioneered by the work of Ben-Sasson et al. [16]. STARK proof systems provide post-quantum security and do not rely on a trusted setup. The performance evaluation of [16] shows that the proof of a Legendre PRF statement with \(2^{21}\) multiplication gates, i.e., verifying \(\approx 2^{19}\) Legendre symbols, can be generated in less than a second and verified in 100 ms. The proof size is \(\approx 50\) KB. An even more efficient VRF instantiation can be obtained by applying the NIZK of Beullens and Delpech de Saint [11]. In Table 1, we compare the proposed VRF to the state of the art. The Legendre VRF is a potential contender for the most efficient post-quantum secure VRF in terms of proof size, prover and verifier complexity.

Table 1 Overview of various VRF constructions

5.2 Oblivious PRFs from the Legendre PRF

An oblivious PRF (OPRF) [34, 68] is a two-party secure computation protocol (2PC) to evaluate a PRF \(F(\cdot ,\cdot )\) in an oblivious fashion. Specifically, it allows a sender and a receiver with inputs K and x, respectively, to compute \(F(K,x)\) such that the sender does not learn anything new from the protocol messages, while the receiver can output \(F(K,x)\) without obtaining information about the used key K. In this section, we show how to build an OPRF relying on the hardness of the SLS problem and also extend this result to two variants of OPRFs, namely to programmable and to verifiable OPRFs (denoted as OPPRF and VOPRF respectively).

These protocols are extensively used in various tasks. A non-exhaustive list of OPRF applications includes secure keyword search [34], private set intersection (PSI) [45, 52, 57, 58], secure deduplicated storage [53], password-protected secret sharing [50] and password-authenticated key exchange [51]. OPPRFs were used to build two-party PSI [55, 72], multi-party PSI [59] and circuit-PSI, which enables secure function evaluation on the intersection of sets [18]. Finally, VOPRF is the cornerstone of Privacy Pass, a privacy-preserving lightweight authentication mechanism [28], and of password-protected secret sharing [49]. The importance of (V)OPRFs is also indicated by the ongoing effort to standardize them [27].

5.2.1 The Legendre OPRF

Motivated by the wide range of applications, our goal is to present a novel pathway to the realization of OPRFs that we formally define in Fig. 3.

Fig. 3 Ideal functionalities

We observe that the distributed protocol for evaluating the Legendre PRF of [43] yields an OPRF. For completeness, we include their protocol presented in the language of OPRFs. The key ingredient, used in [43] for the secure computation of the Legendre PRF in the multi-party setting, is that the key of the PRF can be masked without changing the PRF value by utilizing the multiplicative property of the Legendre symbol. Namely, if we choose a random square and multiply it with some number, the Legendre symbol of the resulting value equals the symbol of the original number. This fact gives rise to the arithmetic-sharing-based OPRF protocol \(\Pi _{\textrm{Legendre}}^{OPRF}\), depicted in Fig. 4. The protocol is divided into online and offline parts. In an offline preprocessing phase the parties compute shares of the random square mentioned above and of a so-called Beaver multiplication triple [a], [b], [ab] (for random a, b); both operations are entirely independent of the participants' inputs. For simplicity, we abstract away the underlying details of preprocessing and use the necessary operations in a black-box manner through the ideal functionality \(\mathcal {F}_{\textrm{Prep}}\) of Fig. 3. The realization of \(\mathcal {F}_{\textrm{Prep}}\) is possible using a 2PC framework in the semi-honest model, such as ABY [31].

After exchanging secret shares of their inputs, both participants execute the same computation on their shares in the online phase. While the addition of secret shares is free, i.e., corresponds to ordinary local addition, share multiplication, which we denote by \(\boxdot\), consumes one multiplication triple and requires one round of interaction and 2 group elements of communication. Concretely, \([x]\boxdot [y]=[xy]\) can be computed by revealing \((x+a)\) and \((y+b)\) (which disclose no information about x and y, because a, b are random) and then evaluating \((x+a)\cdot (y+b) - (x+a)\cdot [b] - (y+b)\cdot [a] + [ab] = [xy]\). The resulting online part then consists of three rounds of interaction and 5 group elements of communication.

Fig. 4 Legendre OPRF and the algorithm to extend it to be an OPPRF

Theorem 4

The protocol \(\Pi _{\textrm{Legendre}}^{OPRF}\) securely computes the functionality \(\mathcal {F}_{\text {OPRF}}\) in the \(\mathcal {F}_{\textrm{Prep}}\)-hybrid model, if the SLS problem is hard.

For brevity, we omit the proof since it follows the blueprint of the proof of [43, Theorem 2]. We note that \(\Pi _{\textrm{Legendre}}^{OPRF}\) is only statistically correct, as with probability \(1/p = \Pr (s^2=0)\) the output is necessarily zero. For perfect correctness, we need to use \(\mathsf {RandSquare'}\) in the preprocessing phase to rule out \(s^2=0\); its cost appears in the round complexity, resulting in an expected constant (one) number of rounds. Our efficiency comparison in Table 2 shows that in terms of both message size and computational complexity, the Legendre OPRF is a promising candidate for a post-quantum OPRF, since the underlying SLS problem is not known to be vulnerable to post-quantum attacks.
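The online phase described above (input sharing, one Beaver multiplication of \([K+x]\) by \([s^2]\), and opening the product to the receiver), together with the \(s=0\) correctness caveat of this paragraph, as an added example that is not code from the paper or from [43]: both parties run in one process on additive shares modulo a toy prime, \(\mathcal {F}_{\textrm{Prep}}\) is played by a dealer function, the parties are semi-honest, and the `forced_s` and `reject_zero` arguments are our additions to demonstrate the failure case and the \(\mathsf {RandSquare'}\) fix.

```python
"""Two-party Legendre OPRF (Pi_Legendre^OPRF), both parties simulated in one process.

Added example, not code from the paper or [43]. Values are additively shared
mod p; F_Prep (RandSquare and a Beaver triple) is played by a dealer function.
Assumptions (constructed): a toy prime p, semi-honest parties, and that in the
last round only the sender's share of the product is sent, so only the receiver
learns F(K, x). forced_s and reject_zero are ours, to show the s = 0 failure
and the RandSquare' fix that resamples it.
"""
import secrets

P = 1_000_003  # toy prime modulus; real deployments use p ~ 2^128


def legendre(a: int, p: int = P) -> int:
    """Legendre symbol (a/p) via Euler's criterion: 1, -1 or 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def share(v: int) -> tuple:
    """Additive sharing v = v0 + v1 (mod p) as (sender share, receiver share)."""
    r = secrets.randbelow(P)
    return (v - r) % P, r


def f_prep(forced_s=None, reject_zero: bool = False) -> dict:
    """Simulated F_Prep: shares of s^2 for random s (RandSquare) and of a Beaver
    triple (a, b, ab); input-independent, hence offline. With reject_zero
    (RandSquare') s = 0 is resampled, costing an expected constant number of
    rounds; otherwise s = 0 occurs with probability 1/p."""
    s = secrets.randbelow(P) if forced_s is None else forced_s
    while reject_zero and s == 0:
        s = secrets.randbelow(P)
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return {"sq": share(s * s % P), "a": share(a), "b": share(b), "ab": share(a * b % P)}


def beaver_mul(prep: dict, party: int, opened: tuple) -> int:
    """One party's share of [x][y] from the opened masks d = x+a, e = y+b:
    [xy] = de - d[b] - e[a] + [ab]; the public term de is added by one party."""
    d, e = opened
    res = (-d * prep["b"][party] - e * prep["a"][party] + prep["ab"][party]) % P
    return (res + d * e) % P if party == 0 else res


def legendre_oprf(K: int, x: int, forced_s=None, reject_zero: bool = False) -> dict:
    """Online phase. Party 0 is the sender (input K), party 1 the receiver (input x)."""
    prep = f_prep(forced_s, reject_zero)
    rounds = []
    # Round 1: exchange shares of the inputs; [K + x] is then a local addition.
    K_sh, x_sh = share(K), share(x)
    rounds.append({"sender->receiver": [K_sh[1]], "receiver->sender": [x_sh[0]]})
    u = [(K_sh[i] + x_sh[i]) % P for i in (0, 1)]          # shares of K + x
    # Round 2: open (K+x)+a and s^2+b; a, b are random, so nothing about K+x or s^2 leaks.
    d_parts = [(u[i] + prep["a"][i]) % P for i in (0, 1)]
    e_parts = [(prep["sq"][i] + prep["b"][i]) % P for i in (0, 1)]
    rounds.append({"sender->receiver": [d_parts[0], e_parts[0]],
                   "receiver->sender": [d_parts[1], e_parts[1]]})
    opened = (sum(d_parts) % P, sum(e_parts) % P)
    prod = [beaver_mul(prep, i, opened) for i in (0, 1)]   # shares of (K+x) s^2
    # Round 3: the sender hands over its share; only the receiver reconstructs.
    rounds.append({"sender->receiver": [prod[0]], "receiver->sender": []})
    masked = (prod[0] + prod[1]) % P
    # s^2 is a square, so the symbol of (K+x) s^2 equals that of K+x unless s = 0.
    return {"output": legendre(masked), "masked": masked, "rounds": len(rounds),
            "transcript": rounds}
```

The receiver learns \((K+x)s^2\), a uniformly random element of the residue class of \(K+x\) when \(s\neq 0\), so it learns the symbol and nothing more; the sender only ever sees masked values.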

Table 2 Comparing the online costs of various Oblivious PRF protocols

5.2.2 OPPRF: programming the Legendre OPRF

The notion of an oblivious programmable PRF (OPPRF) was introduced by Kolesnikov et al. [59]. An OPPRF is an OPRF that, in addition, allows the sender to program the output of the OPRF at certain evaluation points (see Fig. 3). Kolesnikov et al. [59] formulated three generic OPPRF constructions that can turn any OPRF into an OPPRF. We follow the terminology of these generic constructions and introduce two algorithms that aim to turn an OPRF into an OPPRF:

  • \(\mathsf {OPPRF.KeyGen}(1^{\lambda },\mathcal {P})\rightarrow (K,\textsf{hint})\): Given a security parameter and set of points \(\mathcal {P}=\{(x_1, y_1),\dots ,(x_n, y_n)\}\) with distinct \(x_i\)-values, generates a PRF key K and (public) auxiliary information \(\textsf{hint}\).

  • \(\mathsf {OPPRF.Eval}\big (F(K,x), \textsf{hint}\big )\rightarrow y\): Using the \(\textsf{hint}\) turns the OPRF output into the OPPRF output y.

We require from an OPPRF the following high-level security notions to hold (for the formal security definitions, the reader is referred to [59]):

Correctness:

\((x,y)\in \mathcal {P}\wedge \big ((K,\textsf{hint})\xleftarrow {}\mathsf {OPPRF.KeyGen}(\mathcal {P})\big ) \implies \mathsf {OPPRF.Eval}\big (F(K,x),\textsf{hint}\big )=y\).

\((n,t)\)-security:

No efficient adversary is able to distinguish the n programmed points from non-programmed points given oracle access to the PRF using t queries. Note that this definition implies that unprogrammed PRF outputs (i.e., those not set by the input to \(\mathsf {OPPRF.KeyGen}\)) are pseudorandom.

Programming the Legendre OPRF We show how one can program efficiently the output of the Legendre PRF by carefully choosing the prime modulus, which defines our \(\mathsf {OPPRF.KeyGen}\) algorithm. This strategy already highlights the strength of the resulting OPPRF: it does not require an explicit \(\textsf{hint}\) beyond the prime modulus that is a public parameter anyway. Moreover, the \(\mathsf {OPPRF.Eval}\) algorithm can simply return the output of the Legendre OPRF.

The naïve way to program the Legendre PRF would be to generate primes randomly and hope that the PRF outputs match the desired values \(y_i\) at the programmed points \(x_i\) for a given key K. This certainly works for a small number of programmed points; however, this naïve PRF programming method incurs a time complexity exponential in the number of programmed points. To circumvent this, we take a different approach, cf. Fig. 4. The goal of the algorithm is to find a prime p such that

$$\begin{aligned} i\in [0,n): y_i=\genfrac(){}0{K+x_i}{p}=\genfrac(){}0{p}{K+x_i}(-1)^{\frac{(p-1)(K+x_{i}-1)}{4}}. \end{aligned}$$

Without loss of generality, we search for p of the form \(p\equiv 1\bmod 4\). Moreover, we assume that the programmed points \(K+x_i\) are prime numbers. This assumption is natural and eases our exposition, because programming the PRF output at a composite \(K+x_i\) reduces to programming the PRF output at the prime factors of \(K+x_i\) by the multiplicativity of the Legendre symbol. For each \(K+x_i\), the value \(\genfrac(){}0{p}{K+x_i}\) determines the admissible residue classes of \(p\bmod {K+x_i}\). An appropriate modulus p can then be obtained via the Chinese remainder theorem. Consequently, the “programmability” of the Legendre PRF is rather space-inefficient, since \(p\approx \prod_{i=1}^{n} (K+x_i)\). Hence, the number of programmed points is somewhat limited with our algorithm. We note that the main ideas of this programming method were already proposed in a different context (secure comparison protocols) by Yu [80]. In a similar fashion, one could generalize the approach of Fig. 4 to power residue symbols, i.e., to programming power residue symbol PRFs. Such a generalization was shown recently by Cascudo et al. [23], who posed as an open question to find concrete applications for their protocol. We note that their methods can be applied to program power residue symbol OPRFs.
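The programming procedure just described (reciprocity with \(p\equiv 1 \bmod 4\), one residue class per programmed prime \(K+x_i\), CRT, then a prime search in the resulting progression), as an added example that is not the paper's code and does not reproduce Fig. 4: it assumes every \(K+x_i\) is an odd prime as the text does, draws the residue class modulo each \(K+x_i\) at random among those with the right symbol (our choice), and uses a deterministic Miller–Rabin that is exact below \(3.3\cdot 10^{24}\), ample for a toy instance.

```python
"""OPPRF.KeyGen for the Legendre OPRF: programming by choosing the modulus.

Added example, not code from the paper. With p = 1 (mod 4) quadratic
reciprocity gives (K+x_i / p) = (p / q_i) for q_i = K + x_i, so each
programmed point fixes a residue class of p modulo q_i; the classes are
combined by the CRT and a prime is searched in the resulting progression.
Assumptions (constructed): every q_i is an odd prime (the paper's simplifying
assumption); the residue class per q_i is drawn at random among those with
the right symbol; inputs are small enough for the Miller-Rabin bases below.
"""
import secrets


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) via Euler's criterion: 1, -1 or 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    if n in bases:
        return True
    if any(n % b == 0 for b in bases):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def crt(residues: list, moduli: list) -> tuple:
    """Combine pairwise coprime congruences; returns (x, M) with x = r_i (mod m_i)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M, M


def opprf_keygen(K: int, points: dict) -> int:
    """Return a prime p with (K+x / p) = y for every programmed (x, y).
    No hint beyond p is needed: OPPRF.Eval is the Legendre OPRF output itself."""
    residues, moduli = [1], [4]                  # p = 1 (mod 4) removes the sign term
    for x, y in points.items():
        q = K + x
        if y not in (1, -1) or q == 2 or not is_prime(q):
            raise ValueError("K + x must be an odd prime and y in {1, -1}")
        r = 1 + secrets.randbelow(q - 1)         # random class mod q with (r/q) = y
        while legendre(r, q) != y:
            r = 1 + secrets.randbelow(q - 1)
        residues.append(r)
        moduli.append(q)
    p, M = crt(residues, moduli)                 # gcd(p, M) = 1, so the progression
    p = p if p > 1 else p + M                    # p + t*M contains primes (Dirichlet)
    while not is_prime(p):
        p += M
    return p


def check_programmed(K: int, points: dict, p: int) -> bool:
    """OPPRF.Eval returns the Legendre OPRF output; check it at the programmed points."""
    return all(legendre(K + x, p) == y for x, y in points.items())
```

The size of the returned p is about \(4\prod_i (K+x_i)\), which is the space inefficiency noted above; the hint is p alone.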

Hint size and batch OPPRFs As our novel programming method, specifically designed for the Legendre OPRF, minimizes the auxiliary information necessary for the OPPRF evaluation, it outperforms all existing solutions in this metric. For a detailed comparison, we refer to Table 3. Finally, we note that [72] uses a so-called “Batch OPPRF” that, informally, invokes independent OPPRF instances with a total number of programmed points \(\sigma\) (the number of programmed points per instance may vary but has to remain hidden) and only uses a single hint of size linear in \(\sigma\). Since the hint size of the Legendre OPPRF is independent of the number of programmed points, it naturally fulfils the requirement of Batch OPPRFs.

Table 3 Comparison of the generic OPPRF constructions of [59] (which can be based on an OPRF, e.g. that of [57]) and the Legendre OPRF that was shown to be programmable in Sect. 5.2.2

6 Future directions

We perceive three main areas for future work. First, there is still quite some work to be done on the provable security of the Legendre PRF. It would be fascinating to find new connections to other post-quantum secure cryptographic assumptions, e.g., LWE. For instance, note that the probability distribution of the coefficients of the quadratic terms in the induced MQ instance follows a discrete Gaussian distribution. Could one reframe the MQ instance as an LWE instance under a suitable change of variables? Moreover, it would be fruitful to establish concrete and asymptotic lower bounds on the degree of regularity of the Legendre PRF's MQ instances; that would pave the path for settling the provable security of this PRF. Second, it is essential to improve on existing key-recovery attacks or to find new, more performant cryptanalytic approaches, which would allow us to better estimate the bit-security of the Legendre PRF and its variants. Third, we foresee many more novel cryptographic applications of the Legendre PRF due to its homomorphic properties and MPC-friendliness. For instance, it seems accessible to prove the existence of related-key secure PRFs or key-homomorphic PRFs from quadratic and power residue symbol PRFs.