The Legendre Pseudorandom Function (PRF) is a highly efficient cryptographic primitive built upon the Legendre symbol, valued for its low multiplicative complexity in Multi-Party Computation (MPC) and Zero-Knowledge Proof (ZKP) protocols. While its security over prime fields $\mathbb{F}_p$ is well-documented, recent interest has shifted toward instantiations over extension fields $\mathbb{F}_{p^r}$. This paper presents the first comprehensive cryptanalysis of the single-degree Legendre PRF operating over $\mathbb{F}_{p^r}$. First, we analyze polynomial input encoding under a standard passive threat model (sequential additive counter queries). We demonstrate that while the absence of polynomial carry-overs causes an asynchronous "no-carry fracture" that neutralizes classical sliding-window collision attacks, the fracture itself is deterministically periodic. By introducing a novel "Differential Signature" bucketing technique, we prove that an adversary can systematically group fractured sequences by their structural shapes to bypass this defense, recovering the secret key in $\mathcal{O}(U \cdot p^r/M)$ operations, where $U$ is the unicity distance. Second, we evaluate the PRF under an active Chosen-Query threat model. We demonstrate that an adversary can circumvent the additive fracture by evaluating the PRF along a geometric sequence generated by a primitive polynomial. This structure invokes strict multiplicative homomorphism over $\mathbb{F}^*_{p^r}$, permitting a direct generalization of state-of-the-art table collision attacks to extract the key in $\mathcal{O}(p^r/M)$ operations. Finally, we establish the cryptographic boundaries of these attacks, formally proving the necessity of higher-degree key variants ($d \ge 2$) to achieve exponential security against structural reduction in extension fields.

翻译：勒让德伪随机函数（PRF）是一种基于勒让德符号构建的高效密码学原语，因其在多党计算（MPC）和零知识证明（ZKP）协议中具有较低乘法复杂度而备受推崇。尽管其在素数域 $\mathbb{F}_p$ 上的安全性已有充分文献记载，但近期研究兴趣已转向在扩展域 $\mathbb{F}_{p^r}$ 上的实例化。本文首次对在 $\mathbb{F}_{p^r}$ 上运行的单次勒让德PRF进行了全面的密码分析。首先，我们在标准被动威胁模型（顺序加法计数器查询）下分析了多项式输入编码。我们证明，虽然多项式无进位特性导致了异步的“无进位断裂”，从而中和了经典滑动窗口碰撞攻击，但这种断裂本身具有确定性周期性。通过引入一种新颖的“差分签名”分桶技术，我们证明攻击者可以按结构形状系统性地对断裂序列进行分组，以绕过此防御，并在 $\mathcal{O}(U \cdot p^r/M)$ 次操作中恢复密钥，其中 $U$ 是单一性距离。其次，我们在主动选择查询威胁模型下评估了该PRF。我们证明，攻击者可通过沿本原多项式生成的几何序列计算PRF来避免加法断裂。该结构在 $\mathbb{F}^*_{p^r}$ 上调用严格乘法同态性，从而允许直接推广最先进的表格碰撞攻击，在 $\mathcal{O}(p^r/M)$ 次操作中提取密钥。最后，我们确立了这些攻击的密码学边界，形式化证明了在扩展域中需要更高次密钥变体（$d \ge 2$）才能实现针对结构缩减的指数级安全性。