The Legendre pseudorandom function as a multivariate quadratic cryptosystem: security and applications
Applicable Algebra in Engineering, Communication and Computing (IF 0.7), Pub Date: 2023-03-01, DOI: 10.1007/s00200-023-00599-2
István András Seres, Máté Horváth, Péter Burcsi

Sequences of consecutive Legendre and Jacobi symbols were proposed as pseudorandom bit generators for cryptographic use in 1988. Pseudorandom functions (PRFs) based on the Legendre and power residue symbols have recently attracted major interest because of their efficiency in the multi-party setting. The security of these PRFs is not known to be reducible to standard cryptographic assumptions. In this work, we show that key-recovery attacks against the Legendre PRF are equivalent to solving a specific family of multivariate quadratic (MQ) equation systems over a finite prime field. This new perspective sheds some light on the complexity of key-recovery attacks against the Legendre PRF. We conduct algebraic cryptanalysis on the resulting MQ instances and show that the currently known techniques and attacks fall short of solving these sparse quadratic equation systems. Furthermore, we build novel cryptographic applications of the Legendre PRF, e.g., a verifiable random function and (verifiable) oblivious (programmable) PRFs.
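The Legendre PRF and the quadratic-system view of key recovery, as an added example (not code from the paper): each observed bit pins K+x down to being a square or a non-square mod p, which is one quadratic equation in the shared unknown K and a fresh unknown y_x. The bit mapping, the toy prime p = 3 (mod 4) with a constructed key, and the brute-force consistency check over all keys are assumptions of this example, not details taken from the abstract.

```python
def legendre_symbol(a, p):
    """Euler's criterion: a^((p-1)/2) mod p is 1 for a square, p-1 for a non-square, 0 for a = 0."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def legendre_prf(key, x, p):
    """One output bit of L_K(x): the Legendre symbol of K+x mapped to a bit (assumed mapping)."""
    return 1 if legendre_symbol(key + x, p) == -1 else 0

def legendre_bits(key, start, n, p):
    """n consecutive PRF bits, i.e. the 1988-style pseudorandom bit sequence."""
    return [legendre_prf(key, start + i, p) for i in range(n)]

def non_residue(p):
    """Smallest quadratic non-residue mod p; a public constant shared by all equations."""
    return next(c for c in range(2, p) if legendre_symbol(c, p) == -1)

def quadratic_system(queries, bits, p):
    """Each observed bit b_x becomes one quadratic equation in the unknowns (K, y_x):
        K + x - c_x * y_x^2 = 0 (mod p),   c_x = 1 if b_x = 0 else n.
    Encoded as (x, c_x) pairs: K is shared, each y_x appears in exactly one equation,
    so the system is sparse, with 1 + m unknowns and m equations for m queries."""
    n = non_residue(p)
    return [(x, 1 if b == 0 else n) for x, b in zip(queries, bits)]

def witness(key, equation, p):
    """Return y_x solving the equation for a candidate key, or None if none exists.
    For p = 3 (mod 4), a^((p+1)/4) is a square root of a whenever a is a square.
    (The one x with K+x = 0 gives y_x = 0, which satisfies either form; harmless.)"""
    x, c = equation
    a = (key + x) * pow(c, -1, p) % p
    y = pow(a, (p + 1) // 4, p)
    return y if y * y % p == a else None

def consistent_keys(system, p):
    """Keys satisfying every equation. Brute force over a toy p only, to show how the
    solution set shrinks to the true key once roughly log2(p) equations are known."""
    return [k for k in range(p) if all(witness(k, eq, p) is not None for eq in system)]

if __name__ == "__main__":
    p, key = 10007, 4242                       # constructed toy parameters, p = 3 (mod 4)
    queries = list(range(30))
    bits = legendre_bits(key, 0, 30, p)
    system = quadratic_system(queries, bits, p)
    print("observed bits:", "".join(map(str, bits)))
    for m in (5, 10, 15, 20, 30):
        print(f"{m:2d} equations -> {len(consistent_keys(system[:m], p))} consistent keys")
```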




Updated: 2023-03-02