First Cryptanalysis of Legendre PRF Over Extension Fields: New Attack Breaks 'No-Carry Fracture' Defense
The Legendre Pseudorandom Function (PRF) is a highly efficient cryptographic primitive valued for its low multiplicative complexity in Multi-Party Computation (MPC) and Zero-Knowledge Proof (ZKP) protocols. A new paper presents the first comprehensive cryptanalysis of the single-degree Legendre PRF operating over extension fields.
Why Legendre PRF Matters
- MPC efficiency — Low multiplicative complexity makes it ideal for secure computation protocols
- ZKP friendly — Efficient for zero-knowledge proof systems
- Extension fields — Recent interest shifted from prime fields to extension fields (F_{p^r}) for practical efficiency
The Defense: "No-Carry Fracture"
When extending Legendre PRF to extension fields, a natural defense appeared: polynomial input encoding over extension fields lacks the "carry-over" effect present in prime field implementations. This creates an asynchronous "no-carry fracture" that was believed to neutralize classical sliding-window collision attacks.
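To make the objects in this paragraph concrete, here is an added example that is not code from the paper or any project: a toy single-degree Legendre PRF over F_{7^2} with polynomial input encoding. The toy prime p = 7, the modulus t^2 + 1 and all helper names are my assumptions; the block shows the key/input shift identity that classical sliding-window collision attacks rely on, and how adding 1 in the field wraps only the constant coefficient with no carry into the next one.

```python
# Added illustration, not code from the paper: a toy single-degree Legendre PRF
# over F_{p^2} = F_p[t]/(t^2 + 1), showing the shift identity that classical
# sliding-window attacks rely on and the "no-carry" behaviour of field addition.
P = 7          # toy prime; t^2 + 1 is irreducible over F_7 because -1 is a non-residue mod 7
R = 2          # extension degree; elements are coefficient tuples (a0, a1) = a0 + a1*t

def f_add(a, b):
    """Coefficient-wise addition: the low coefficient wraps mod p, nothing carries."""
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)

def f_mul(a, b):
    """Multiplication modulo t^2 + 1 (so t^2 = -1)."""
    return ((a[0] * b[0] - a[1] * b[1]) % P, (a[0] * b[1] + a[1] * b[0]) % P)

def f_pow(a, e):
    """Square-and-multiply exponentiation in F_{p^2}."""
    result, base = (1, 0), a
    while e:
        if e & 1:
            result = f_mul(result, base)
        base, e = f_mul(base, base), e >> 1
    return result

def quad_char(a):
    """Quadratic character of F_{p^r}: a^((p^r - 1)/2) mapped to {0, 1, -1}."""
    if a == (0, 0):
        return 0
    return 1 if f_pow(a, (P ** R - 1) // 2) == (1, 0) else -1

def legendre_prf(key, x):
    """Single-degree Legendre PRF: the input enters only through the degree-1 term K + x."""
    return quad_char(f_add(key, x))

def encode(n):
    """Polynomial input encoding: base-p digits of n become the coefficients."""
    return (n % P, (n // P) % P)

def shift_identity_holds(key, x):
    """L_K(x + 1) == L_{K+1}(x): shifting the input is the same as shifting the key,
    which is what lets sliding-window collision searches trade inputs for keys."""
    return legendre_prf(key, f_add(x, (1, 0))) == legendre_prf(f_add(key, (1, 0)), x)

def increments(n):
    """Compare incrementing the integer n (carries into the next digit) with adding the
    field element 1 to encode(n) (only the low coefficient changes, mod p)."""
    return encode(n + 1), f_add(encode(n), (1, 0))
```

Because `f_add` never carries, walking the inputs `x, x+1, x+2, ...` by field addition cycles the constant coefficient with period p while the higher coefficient stays fixed, which is the periodic structure the article refers to.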
The Breakthrough
The researchers discovered that while the no-carry fracture does block standard attacks, the fracture itself is deterministically periodic. By introducing a novel "Differential Signature" bucketing technique:
- Adversaries can systematically group fractured sequences by their structural shapes
- This bypasses the no-carry defense entirely
- Secret key recovery is achieved in O(U · p^r/M) operations
Implications
- Extension fields aren't automatically safer — The carry-free property that seemed like a defense is actually exploitable
- MPC/ZKP protocols using Legendre PRF over extension fields may need reevaluation
- New primitives or parameter choices may be required for secure deployment
This is a significant result in practical cryptography, affecting deployed systems that use Legendre PRF for efficient secure computation.