The Legendre Pseudorandom Function (PRF) is a highly efficient cryptographic primitive built upon the Legendre symbol, valued for its low multiplicative complexity in Multi-Party Computation (MPC) and Zero-Knowledge Proof (ZKP) protocols. While its security over prime fields $\mathbb{F}_p$ is well-documented, recent interest has shifted toward instantiations over extension fields $\mathbb{F}_{p^r}$. This paper presents the first comprehensive cryptanalysis of the single-degree Legendre PRF operating over $\mathbb{F}_{p^r}$. First, we analyze polynomial input encoding under a standard passive threat model (sequential additive counter queries). We demonstrate that while the absence of polynomial carry-overs causes an asynchronous "no-carry fracture" that neutralizes classical sliding-window collision attacks, the fracture itself is deterministically periodic. By introducing a novel "Differential Signature" bucketing technique, we prove that an adversary can systematically group fractured sequences by their structural shapes to bypass this defense, recovering the secret key in $\mathcal{O}(U \cdot p^r/M)$ operations, where $U$ is the unicity distance. Second, we evaluate the PRF under an active Chosen-Query threat model. We demonstrate that an adversary can circumvent the additive fracture by evaluating the PRF along a geometric sequence generated by a primitive polynomial. This structure invokes strict multiplicative homomorphism over $\mathbb{F}^*_{p^r}$, permitting a direct generalization of state-of-the-art table collision attacks to extract the key in $\mathcal{O}(p^r/M)$ operations. Finally, we establish the cryptographic boundaries of these attacks, formally proving the necessity of higher-degree key variants ($d \ge 2$) to achieve exponential security against structural reduction in extension fields.

翻译：勒让德伪随机函数（PRF）是一种基于勒让德符号构建的高效密码原语，因其在多党计算（MPC）和零知识证明（ZKP）协议中具有低乘法复杂度而备受重视。尽管其在素数域$\mathbb{F}_p$上的安全性已有充分记载，但近期研究兴趣已转向扩展域$\mathbb{F}_{p^r}$上的实例化。本文首次对作用于$\mathbb{F}_{p^r}$上的单次勒让德PRF进行了全面的密码分析。首先，我们分析了在标准被动威胁模型（顺序加法计数器查询）下的多项式输入编码。我们证明，尽管多项式无进位特性导致异步的"无进位断裂"，该断裂可中和经典滑动窗口碰撞攻击，但断裂本身具有确定性周期。通过引入一种新颖的"差分签名"分桶技术，我们证明攻击者可系统地按结构形状对断裂序列进行分组以绕过此防御，在$\mathcal{O}(U \cdot p^r/M)$次操作中恢复秘密密钥，其中$U$是唯一性距离。其次，我们在主动选择查询威胁模型下评估PRF。我们证明攻击者可通过沿本原多项式生成的几何序列评估PRF来规避加法断裂。该结构调用$\mathbb{F}^*_{p^r}$上的严格乘法同态性，从而允许直接推广最先进的表碰撞攻击，以在$\mathcal{O}(p^r/M)$次操作中提取密钥。最后，我们确立了这些攻击的密码学界限，形式化证明了在扩展域中需采用高次密钥变体（$d \ge 2$）以实现指数级安全性从而对抗结构约化。