The Legendre PRF
The Legendre pseudorandom function is a PRF that is extremely well suited for secure multiparty computation (MPC) and zeroknowledge proofs (ZKP) over arithmetic circuits.
For bounties on breaking the Legendre PRF, please see bounties for algorithmic bounties and here for concrete key recovery puzzles.
The Legendre pseudorandom function is a onebit PRF $\mathbb{F}_p \rightarrow \{0,1\}$ defined using the Legendre symbol:
There are also variants of Legendre PRF with a higher degree, which replaces $K+x$ above with a univariate polynomial $f_K(x)$ of degree two or more, where $K$ represents its coefficients.
Suitability for MPC
Thanks to a result by Grassi et al. (2016), we know that this PRF can be evaluated very efficiently in arithmetic circuit multiparty computations (MPCs). Due to the multiplicative property of the Legendre symbol, a multiplication by a random square does not change the result of an evaluation. By additionally blinding with a random bit, the Legendre symbol can be evaluated using only three multiplications, two of which can be done offline (before the input is known).
To compute the Legendre symbol $\left[\left(\frac{x}{p}\right)\right]$ for an input $[x]$ (square brackets indicate a shared value):

Choose a quadratic nonresidue $\alpha$

Precompute a random square $[s^2]$ and a random bit $[b]$

Open the value $t \leftarrow \mathrm{Open}([x] [s^2]([b] + (1 [b]) \alpha) )$

Compute $u = \left(\frac{t}{p}\right)$ on the open value $t$

The result of the computation is $y = u (2 [b] 1 )$
Suitability for ZKP
Similarly, the evaluation of this PRF can be proved efficiently in ZKP over $\mathbb{F}_{p}$. Let $n$ be any quadratic nonresidue in $\mathbb{F}_{p}$. To validate $L_{p, K}(x) = b$ for $x, b \in \mathbb{F}_p$:

Prove in ZKP that $b\cdot (1  b) = 0$

For $b = 0$, compute $a = \sqrt{n(K + x)}$; for $b = 1$, compute $a = \sqrt{K + x}$

Allocate $a$ as a witness to the ZKP protocol

Prove in ZKP that $a^2 = ((1  b)n + b)\cdot (K+x)$
Bounties
Because of its suitability for MPCs, the Legendre PRF is used in a construction for the Ethereum 2.0 protocol. In order to encourage research in this PRF, we announced some bounties at Crypto'19. See bounties.
Further reading
 On using the Legendre PRF as a proof of custody: Ethresearch post
 Concrete proof of custody construction (TBA)
Research papers
 Damgård, Ivan Bjerre: On The Randomness of Legendre and Jacobi Sequences (1988)
 Lorenzo Grassi, Christian Rechberger, Dragos Rotaru, Peter Scholl, Nigel P. Smart: MPCFriendly Symmetric Key Primitives (2016)
 Alexander Russell, Igor Shparlinski: Classical and Quantum Polynomial Reconstruction via Legendre Symbol Evaluation (2002)
 Dmitry Khovratovich: Key recovery attacks on the Legendre PRFs within the birthday bound (2019)
 Ward Beullens, Tim Beyne, Aleksei Udovenko, Giuseppe Vitto: Cryptanalysis of the Legendre PRF and generalizations (2019)
 Novak Kaluđerović, Thorsten Kleinjung and Dušan Kostić: Cryptanalysis of the generalised Legendre pseudorandom function (2020)