Legendre PRF bounties

The Legendre PRF

The Legendre pseudo-random function is a one-bit PRF defined using the Legendre symbol:

Bounties

$ 10,000

  For either

  • a sub-exponential, i.e. , classical key recovery algorithm that extracts the key using inputs chosen by the attacker1
  • a security proof showing the non-existence of such an algorithm by reducing it to a well-established computational hardness assumption (see below)

$ 3,000 (CLAIMED)

  For a classical key recovery algorithm improving on the Khovratovich ( where is the number of PRF queries needed) algorithm, using a sub-exponential, i.e. number of queries.1 2

CLAIMED: Congratulations to Ward Beullens for successfully claiming this bounty with an algorithm performing Legendre key recovery in for . A new bounty based on this performance will be announced soon, so stay tuned!

$ 1,000

  For the most interesting paper on the Legendre PRF in the next year (ends 31 August 2020)3

The first two bounties are for the first entry that beats the given bounds. Please send submissions to Dankrad Feist dankrad .at. ethereum .dot. org.

Computational hardness assumptions

For the reduction to a well-established computational hardness assumption, we consider the assumptions below which are taken from the Wikipedia page

  • Integer factorization problem
  • RSA problem
  • Quadratic residuosity, higher residuosity and decisional composite residuosity problem
  • Phi-hiding assumption
  • Discrete logarithm, Diffie-Hellman and Decisional Diffie-Hellman in
  • Lattice problems: Shortest vector and learning with errors

Concrete instances

At Devcon5, further bounties for concrete instances of the Legendre PRF were announced. For primes of size 64–148 (security levels 24–1084), the following bounties are now available for recovering a Legendre key:

Prime size Security Prize  
64 bits 24 bits 1 ETH CLAIMED
74 bits 34 bits 2 ETH CLAIMED
84 bits 44 bits 4 ETH  
100 bits 60 bits 8 ETH  
148 bits 108 bits 16 ETH  

For each of the challenges, bits of output from the Legendre PRF are available here. To claim one of these bounties, you must find the correct key that generates the outputs.

Research papers

  1. In all cases, probabilistic algorithms are also considered if they improve on the probabilistic versions of the known algorithms. Only classical (non-quantum) algorithms are permitted for the algorithm bounties.  2

  2. For this bounty, we also consider any algorithm that can distinguish a bit length output of the Legendre PRF from a random bit string with advantage  

  3. A cryptographer will be appointed by the Ethereum Foundation to judge this (TBD) 

  4. This was originally 44–128 bits of security, but has been reduced to 24–108 due to the Beullens algorithm.