Cryptanalysis of the Legendre PRF and Generalizations

The Legendre PRF relies on the conjectured pseudorandomness properties of the Legendre symbol with a hidden shift. Originally proposed as a PRG by Damgård at CRYPTO 1988, it was recently suggested as an efficient PRF for multiparty computation purposes by Grassi et al. at CCS 2016. Moreover, the Legendre PRF is being considered for usage in the Ethereum 2.0 blockchain. This paper improves previous attacks on the Legendre PRF and its higher-degree variant due to Khovratovich by reducing the time complexity from O(p log p / M) to O(p log^2 p / M^2) Legendre symbol evaluations when M ≤ (p log^2 p)^(1/4) queries are available. The practical relevance of our improved attack is demonstrated by breaking three concrete instances of the PRF proposed by the Ethereum foundation. Furthermore, we generalize our attack in a nontrivial way to the higher-degree variant of the Legendre PRF and we point out a large class of weak keys for this construction. Lastly, we provide the first security analysis of two additional generalizations of the Legendre PRF originally proposed by Damgård in the PRG setting, namely the Jacobi PRF and the power residue PRF.


Bibliographic Details
Main Authors: Ward Beullens, Tim Beyne, Aleksei Udovenko, Giuseppe Vitto
Format: Article
Language: English
Published: Ruhr-Universität Bochum 2020-05-01
Series: IACR Transactions on Symmetric Cryptology
Subjects: Cryptanalysis; Legendre PRF; MPC-friendly primitives; Collision attack
Online Access:https://tosc.iacr.org/index.php/ToSC/article/view/8567
DOI: 10.13154/tosc.v2020.i1.313-330
ISSN: 2519-173X
Volume/Issue: Volume 2020, Issue 1, pp. 313-330
Author affiliations:
Ward Beullens, Tim Beyne: imec - Computer Security and Industrial Cryptography (COSIC) research group, Department of Electrical Engineering (ESAT), KU Leuven, Leuven, Belgium
Aleksei Udovenko, Giuseppe Vitto: Interdisciplinary Centre for Security, Reliability (SnT), University of Luxembourg, Esch-sur-Alzette, Luxembourg
Indexed in: DOAJ