Parametric Iteration in Resource Theories

Cryptographic protocols are designed to resist attacks by adversaries with bounded computational power. A fundamental feature is the use of a security parameter $\sigma$, which governs the time complexity of potential attacks. As $\sigma$ increases, cryptographic schemes become more secure: for example, in public-key encryption, key lengths are chosen in relation to $\sigma$ to ensure that brute-force attacks require time exponential in $\sigma$ to succeed. More generally, security is often defined in asymptotic terms, stating that certain probabilities – such as the success rate of an adversary – become negligible as $\sigma$ grows. This notion of negligibility from cryptography [14] also appears in other computational settings, such as approximation schemes in probabilistic algorithms. In both cases, reasoning about security or approximation guarantees requires a formal understanding of how computations depend on the parameter $\sigma$.

Traditionally, the definition of a cryptographic system follows a bottom-up approach: one chooses a model of computation, an algorithm and its notion of complexity, efficiency and security. This usually entails several technicalities that tend to hinder clarity and modularity. In particular, security proofs often become bogged down with low-level details of the computational model, making it difficult to generalise results, compare different cryptographic frameworks, or reason about their composition in a structured way.

This situation motivated the study of the subject at a higher level of abstraction, starting with the work of Canetti on Universal Composable Security [3] and followed by the work of Maurer and Renner on Abstract Cryptography [20, 19]. Motivated by similar intents, Broadbent and Karvonen [2] propose an abstract model of composable security definitions in terms of resource theories, formalised as symmetric monoidal categories.

The resource theoretic approach comes with the visual and intuitive language of string diagrams [13]. Consider the following example:

$$\begin{array}{c}\text{<img src="pics/S1/resth2.png" id="S1.E1.m1.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="122" height="32" alt="[Uncaptioned image]" style="width: 244px; height: unset; max-width: 100\%">}\end{array}$$

(1)

In the diagram above – read from left to right – we think of $f$ and $g$ as processes that transform the resources carried on the wires. The explicit splitting of wires via a copier, indicates that $f$ and $g$ share the second resource. If a resource is unused, as in the diagram on the right hand side, we simply discard it by closing the wire.

In cryptographic terms, we interpret the first input wire in (1) as carrying a message and the second as carrying a key. The processes $f$ and $g$ correspond to encryption and decryption, respectively. The equation postulates the correctness of the protocol: the original message – transformed into a cipher text by $f$ – corresponds to the one decrypted by $g$. Equations between string diagrams such as these lead to proofs via diagrammatic reasoning, a powerful axiomatic technique that allows compositional reasoning about compound systems.

Our aim in this paper is to capture the notion of parametric algorithms within the abstract framework of resource theories. After a brief introduction to resource theories and their string diagrammatic language in Section 2, in Section 3 we define a notion of iteration bounded by an unspecified parameter, which we call $\star$-iteration. Perhaps unexpectedly, we do not study traces (as, e.g., in monoidal streams [9]) but instead define a functorial construction: given a morphism $f:S\otimes A\to B\otimes S$, we define ${\tau }_{S,(A),(B)}^k(f):S\otimes A^k\to B^k\otimes S$ as its $k$-fold iteration. Below we give a diagrammatic representation of ${\tau }_{S,(A),(B)}^k(f)$, when $k=3$.

$\begin{array}{c}\text{<img src="pics/S1/iter\_intro5a.png" id="S1.p6.m7.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="84" height="45" alt="[Uncaptioned image]" style="width: 168px; height: unset; max-width: 100\%">}\end{array}=\begin{array}{c}\text{<img src="pics/S1/iter\_intro5b.png" id="S1.p6.m7.2.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="58" height="45" alt="[Uncaptioned image]" style="width: 116px; height: unset; max-width: 100\%">}\end{array}$

Iterated morphism consumes and produces lists of resources of type $A$ and $B$, respectively. The resource of type $S$ can be thought of as a state carried over by the computation. A similar construction is found in probabilistic programming languages [11, 24], where iteration is usually bounded. Interestingly, useful results can be proved about iteration without instantiating the parameter. To this end, we introduce a technique we dub the diagonal method that allows us to prove useful, general results that add to the arsenal of diagrammatic reasoning about abstract resource theories with parametric iteration.

Parametric iteration is a feature that extends the expressivity of resource theories. Our main application in this paper is motivated by cryptography, and the notion of negligibility in particular. To do this, we work within a probabilistic resource theoretical context. This is the category ${\mathrm{𝖥𝗂𝗇𝖲𝗍𝗈𝖼𝗁}}_{\{1,0\}}$ of Boolean stochastic maps. It is both a Markov category and one that possesses a probabilistic choice structure, which we introduce in Section 4. As a notable property, the probabilistic case structure ensures a unique (up to isomorphism) normal form for probabilistic Boolean functions. This, in turn, allows us to derive a completeness result (Theorem 11). While not essential to the main developments of the paper, it provides an interesting alternative proof to the one found in [21].

Formally, we first move from symmetric monoidal categories to metric-enriched ones, so that morphisms, i.e. processes, are equipped with a notion of distance between them (see e.g. [8, 17]).

We reconcile metric-enrichment with the parameterized iteration construction in Section 5, where we introduce a notion of asymptotic equivalence on morphisms. This captures negligibility – also referred to as indistinguishability – between processes. Intuitively, two processes $f$ and $g$, potentially involving parametric iterations, are considered indistinguishable if their distance approaches $0$ as the parameter $\sigma$ tends to $\mathrm{\infty }$. In related work [16], such notions of indistinguishability are studied in a bounded linear $\lambda$-calculus.

Guided by cryptographic intuitions, we conclude with some examples. Notably, we formally prove that a randomly generated key is unlikely to be any specific key (Lemma 21), and show we can asymptotically approximate fair choice with weighted choice with the iterated von Neumann trick (Lemma 22). We also discuss how we can perform arithmetic over the cyclic groups of sizes $2^{\sigma }$ and $2^{\sigma }-1$, which is useful for instance in Diffie-Hellman key exchange and Zero knowledge proofs.

The paper presents two theoretical contributions. We define the parametrized iteration construction on symmetric monoidal categories, prove that it forms a category, preserves several categorical structures, and admits an endofuctor ${\tau }^{\star }$ for parametrized iteration. We moreover define the notion of asymptotic equivalence on the parametrized iteration over a metric-enriched symmetric monoidal category, and show that it defines a congruence and is preserved under the application of ${\tau }^{\star }$.

The paper includes appendices containing additional material and omitted proofs.

In this section we give a brief introduction to symmetric monoidal categories (SMCs) and their associated graphical calculus [13, 23, 22] in terms of resource theories, following [6].

The basic data consists of objects $A,B,C,\mathrm{\dots }$ that we think of as types of resources, and morphisms $f:A\to B$, which we think of as transformations that convert a resource of type $A$ into one of type $B$. Morphisms can be composed sequentially: given $f:A\to B$ and $g:B\to C$, their composite $f;g:A\to C$ represents performing $f$ followed by $g$.

The monoidal product $\otimes$ lets us express having two resources at once – so $A\otimes C$ means having both $A$ and $C$ – and it extends to morphisms too: given $f:A\to B$ and $g:C\to D$, the morphism $f\otimes g:A\otimes C\to B\otimes D$ describes applying $f$ and $g$ in parallel. There is also a void resource $I$ that acts neutrally under combination: $A\otimes I=A$.

These ideas are captured visually using the graphical calculus of string diagrams. A resource type $A$ is drawn as a wire $\begin{array}{c}\text{<img src="pics/S2/id.png" id="S2.p4.m2.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="39" height="7" alt="[Uncaptioned image]" style="width: 78px; height: unset; max-width: 100\%">}\end{array}$, and a transformation $f:A_1\otimes \mathrm{\dots }\otimes A_n\to B_1\otimes \mathrm{\dots }\otimes B_m$ is represented by a box $\begin{array}{c}\text{<img src="pics/S2/gen3.png" id="S2.p4.m4.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="32" height="20" alt="[Uncaptioned image]" style="width: 64px; height: unset; max-width: 100\%">}\end{array}$ with $n$ input wires on the left and $m$ output wires on the right. Composition of morphisms is shown by connecting boxes in sequence $\begin{array}{c}\text{<img src="pics/S2/seq\_comp.png" id="S2.p4.m7.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="45" height="7" alt="[Uncaptioned image]" style="width: 90px; height: unset; max-width: 100\%">}\end{array}$, while the monoidal product corresponds to placing them side-by-side $\begin{array}{c}\text{<img src="pics/S2/par\_comp.png" id="S2.p4.m8.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="32" height="20" alt="[Uncaptioned image]" style="width: 64px; height: unset; max-width: 100\%">}\end{array}$. The void resource $I$ corresponds to no wires at all – i.e., the empty diagram.

Resources can also be swapped according to the symmetry ${\chi }_{A,B}:A\otimes B\to B\otimes A$, which is represented by a crossing of wires $\begin{array}{c}\text{<img src="pics/S2/symm.png" id="S2.p5.m2.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="39" height="20" alt="[Uncaptioned image]" style="width: 78px; height: unset; max-width: 100\%">}\end{array}$.

Diagrams are subject to the axioms of symmetric monoidal categories (SMCs). However, note that equational reasoning in this setting amounts to deformation of diagrams without changing their topology. For example, naturality of symmetry amounts to sliding a box past a crossing of wires, illustrated as $\begin{array}{c}\text{<img src="pics/S2/symm\_nat.png" id="S2.p6.m1.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="122" height="20" alt="[Uncaptioned image]" style="width: 244px; height: unset; max-width: 100\%">}\end{array}$.

In the next section, where we introduce the parametric iteration construction, it will be convenient to explicitly track both the combination of resources via the monoidal product and the void resource. Therefore, following [4], we extend the graphical calculus with operations that introduce $\begin{array}{c}\text{<img src="pics/S2/op\_2.png" id="S2.p7.m1.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="20" height="7" alt="[Uncaptioned image]" style="width: 40px; height: unset; max-width: 100\%">}\end{array}$ and discard $\begin{array}{c}\text{<img src="pics/S2/op\_1.png" id="S2.p7.m2.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="20" height="7" alt="[Uncaptioned image]" style="width: 40px; height: unset; max-width: 100\%">}\end{array}$ the void resource, as well as split $\begin{array}{c}\text{<img src="pics/S2/op\_4.png" id="S2.p7.m3.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="39" height="20" alt="[Uncaptioned image]" style="width: 78px; height: unset; max-width: 100\%">}\end{array}$ and combine $\begin{array}{c}\text{<img src="pics/S2/op\_3.png" id="S2.p7.m4.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="39" height="20" alt="[Uncaptioned image]" style="width: 78px; height: unset; max-width: 100\%">}\end{array}$ resources. These operations are subject to the expected equations determined by the properties of the monoidal product.

Finally, note that all monoidal categories considered in this paper are taken to be strict, as justified by Mac Lane’s strictification theorem [18].

We define a category of parametric iterations over a symmetric monoidal category. We do this by introducing the concept of $\star$-iteration, which expresses the idea of iterating an operation a fixed yet unspecified number of times. We do not a priori choose how many times to iterate, the operations are parametrized over this yet to be specified choice of number of iterations.

We define parametric iteration over $𝒞$ in two stages. First we define the free iteration construction $\mathrm{𝖥𝖨}(𝒞)$ which adds the relevant objects and operations which will be used to express iteration. We then quotient this category to create the parametric iteration construction $\text{PI}(𝒞)$ over $𝒞$, giving an interpretation to the added objects and operations.

We define the objects of $\mathrm{𝖥𝖨}(𝒞)$ inductively as follows:

satisfying the equations $⦇I⦈\otimes A=A=A\otimes ⦇I⦈$, $⦇A⦈\otimes ⦇B⦈=⦇A\otimes B⦈$, and $(A\otimes B)\otimes C=A\otimes (B\otimes C)$. Here $A^{\star }$ represents a $\star$-tuple, that is a tuple of $A$’s, with the exact number of elements bounded by an external parameter.

Given a tuple of objects $𝐀=(A_1,\mathrm{\dots },A_n)$, we write $𝐀\cdot \star =A_1^{\star }\otimes \mathrm{\cdots }\otimes A_n^{\star }$, and for each $k\in \mathbb{N}$, $𝐀\cdot k=A_1^k\otimes \mathrm{\cdots }\otimes A_n^k$, following notation from [5], where $A^k$ is the $k$-th power of $A$ with respect to $\otimes$. In particular, $𝐀\cdot 1=A_1\otimes \mathrm{\cdots }\otimes A_n$.

Morphisms of $\mathrm{𝖥𝖨}(𝒞)$ are given inductively as follows:

satisfying the relevant equations making $\mathrm{𝖥𝖨}(𝒞)$ into a symmetric monoidal category, together with the equations $⦇{\text{id}}_A⦈={\text{id}}_{⦇A⦈}$, $⦇f;g⦈=⦇f⦈;⦇g⦈$, $⦇{\chi }_{A,B}⦈={\chi }_{⦇A⦈,⦇B⦈}$, $⦇f\otimes g⦈=⦇f⦈\otimes ⦇g⦈$. The latter equations make $⦇-⦈:𝒞\to \mathrm{𝖥𝖨}(𝒞)$ sending $A$ to $⦇A⦈$ and $f$ to $⦇f⦈$ into a symmetric monoidal functor.

Here ${\tau }^{\star }$ is the operation which represents $\star$-iteration, transforming a list of $\star$-tuples $𝐀\cdot \star$ into a list of $\star$-tuples $𝐁\cdot \star$ by going through the elements one by one, carrying over the state $S$ between iterations. We annotate ${\tau }^{\star }$ by lists telling us exactly how the input and output of $f$ is divided into different tuples. For instance, if $f:S\otimes A^2\to B\otimes S$, we could either create ${\tau }_{S,(A^2),(B)}^{\star }(f):S\otimes {(A^2)}^{\star }\to B^{\star }\otimes S$ or ${\tau }_{S,(A,A),(B)}^{\star }(f):S\otimes A^{\star }\otimes A^{\star }\to B^{\star }\otimes S$, where ${(A^2)}^{\star }$ is a $\star$-tuple of elements of $A^2$, and $A^{\star }\otimes A^{\star }$ are two $\star$-tuples of elements of $A$.

String diagrammatically, we denote ${\tau }_{S,𝐀,𝐁}^{\star }(f)$ as follows:

$\begin{array}{c}\text{<img src="pics/S3/starop\_a.png" id="S3.p7.m2.1.g1nest" class="ltx\_graphics ltx\_img\_square" width="33" height="32" alt="[Uncaptioned image]" style="width: 66px; height: unset; max-width: 100\%">}\end{array}\mapsto \begin{array}{c}\text{<img src="pics/S3/starop\_b.png" id="S3.p7.m2.2.g1nest" class="ltx\_graphics ltx\_img\_square" width="47" height="45" alt="[Uncaptioned image]" style="width: 94px; height: unset; max-width: 100\%">}\end{array}$

Here we mark state wires with a $\bullet$, and the $\star$-tuples with an interrupted wire. Each non-state wire is part of a different tuple. We may use multiple or no state wires as well.

We give an interpretation of iteration by defining ${\tau }^k$ as an operation on symmetric monoidal categories describing a constant number of $k$ iterations. Given a symmetric monoidal category $𝒞$ , we can inductively define operations ${\text{push}}_{𝐀}^k:𝐀\cdot 1\otimes 𝐀\cdot k\to 𝐀\cdot (k+1)$ and ${\text{pop}}_{𝐀}^k:𝐀\cdot (k+1)\to 𝐀\cdot 1\otimes 𝐀\cdot k$ which respectively pushes and pops the first element of each tuple of objects in $𝐀\cdot (k+1)$. For instance, if $𝐀=(X,Y)$, then ${\text{push}}_{𝐀}^3:X\otimes Y\otimes X^2\otimes Y^2\to X^3\otimes Y^3$ simply swaps the second and third element.

Given a morphism $f:S\otimes 𝐀\cdot 1\to 𝐁\cdot 1\otimes S$ in $𝒞$, we inductively define ${\tau }_{S,𝐀,𝐁}^k(f):S\otimes 𝐀\cdot k\to 𝐁\cdot k\otimes S$ for each $k\in \mathbb{N}$ as:

• $\mathrm{■}$

  ${\tau }_{S,𝐀,𝐁}^0(f)={\text{id}}_S$,

• $\mathrm{■}$

  ${\tau }_{S,𝐀,𝐁}^{k+1}(f)=({\text{id}}_S\otimes {\text{pop}}_{𝐀}^k);(f\otimes {\text{id}}_{𝐀\cdot k});({\text{id}}_{𝐁\cdot 1}\otimes {\tau }_{S,𝐀,𝐁}^k(f));({\text{push}}_{𝐁}^k\otimes {\text{id}}_S)$.

$\begin{array}{c}\text{<img src="pics/S3/starop\_a.png" id="S3.m1.1.g1nest" class="ltx\_graphics ltx\_img\_square" width="33" height="32" alt="[Uncaptioned image]" style="width: 66px; height: unset; max-width: 100\%">}\end{array}\mapsto \begin{array}{c}\text{<img src="pics/S3/iterop\_b.png" id="S3.m1.2.g1nest" class="ltx\_graphics ltx\_img\_square" width="48" height="45" alt="[Uncaptioned image]" style="width: 96px; height: unset; max-width: 100\%">}\end{array}$

$\begin{array}{c}\text{<img src="pics/S3/iter\_def\_a.png" id="S3.m2.1.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="58" height="45" alt="[Uncaptioned image]" style="width: 116px; height: unset; max-width: 100\%">}\end{array}:=\begin{array}{c}\text{<img src="pics/S3/iter\_def\_b.png" id="S3.m2.2.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="52" height="32" alt="[Uncaptioned image]" style="width: 104px; height: unset; max-width: 100\%">}\end{array}\begin{array}{c}\text{<img src="pics/S3/iter\_def\_c.png" id="S3.m2.3.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="73" height="58" alt="[Uncaptioned image]" style="width: 146px; height: unset; max-width: 100\%">}\end{array}:=\begin{array}{c}\text{<img src="pics/S3/iter\_def\_d.png" id="S3.m2.4.g1nest" class="ltx\_graphics ltx\_img\_landscape" width="98" height="64" alt="[Uncaptioned image]" style="width: 196px; height: unset; max-width: 100\%">}\end{array}$

Contrary to ${\tau }^{\star }$, the annotations for ${\tau }^k$ serve a further clarifying role, as they are also necessary for removing ambiguity even in those instances where the type of the produced morphism is known. Without this specification, the input may be wrongly distributed into separate tuples. For instance, a ${\tau }^3$ iteration having $A^6$ as input, could consider this either as two triples of $A$, or one triple of $A^2$, which lead to different interpretations. In terms of string diagrams, we can keep the convention that each string represents a different tuple, which avoids the need for putting annotations in the string diagrams.

For any $k\in \mathbb{N}$, we define a functor $S_k:\mathrm{𝖥𝖨}(𝒞)\to 𝒞$ inductively as follows, first on objects:

• $\mathrm{■}$

  $S_k(⦇A⦈)=A$,

• $\mathrm{■}$

  $S_k(A\otimes B)=S_k(A)\otimes S_k(B)$,

• $\mathrm{■}$

  $S_k(A^{\star })={(S_k(A))}^k$.

For $𝐀=(A_1,\mathrm{\dots },A_n)$, then $S_k(𝐀)=(S_k(A_1),\mathrm{\dots },S_k(A_n))$. $S_k$ is defined on morphisms as:

• $\mathrm{■}$

  $S_k({\text{id}}_A)={\text{id}}_{S_k(A)}$,

• $\mathrm{■}$

  $S_k(⦇f⦈)=f$,

• $\mathrm{■}$

  $S_k(f;g)=S_k(f);S_k(g)$,

• $\mathrm{■}$

  $S_k(f\otimes g)=S_k(f)\otimes S_k(g)$,

• $\mathrm{■}$

  $S_k({\chi }_{A,B})={\chi }_{S_k(A),S_k(B)}$.

For $f:S\otimes 𝐀\cdot 1\to 𝐁\cdot 1\otimes S$, then $S_k({\tau }_{S,𝐀,𝐁}^{\star }(f))={\tau }_{S,S_k(𝐀),S_k(𝐁)}^k(S_k(f))$.

We have a symmetric monoidal functor $⦇-⦈:𝒞\to \text{PI}(𝒞)$ and for each $k\in \mathbb{N}$ a symmetric monoidal functor $S_k:\text{PI}(𝒞)\to 𝒞$. We consider the image of $⦇-⦈$ in $\text{PI}(𝒞)$ as the constant fragment of $\text{PI}(𝒞)$. It holds that $S_k\circ ⦇-⦈$ is the identity functor on $𝒞$ for each $k\in \mathbb{N}$.

Before we continue on and prove results regarding $\star$-equivalence, we introduce a powerful proof technique we call the diagonal method. Consider $\text{PI}(\text{PI}(𝒞))$, which has two nested parametric iteration constructions, the second we label with ${\star }^{\prime }$. We construct a symmetric monoidal functor $M:\text{PI}(\text{PI}(𝒞))\to \text{PI}(𝒞)$ that unifies the two iterations, i.e. it satisfies:

• $\mathrm{■}$

  $M(A^{{\star }^{\prime }})=M(A^{\star })={(MA)}^{\star }$,

• $\mathrm{■}$

  $M({\tau }_{S,𝐀,𝐁}^{{\star }^{\prime }}(f))=M({\tau }_{S,𝐀,𝐁}^{\star }(f))={\tau }_{MS,M𝐀,M𝐁}^{\star }(Mf)$.

To model richer computational behaviors, we consider symmetric monoidal categories with additional properties and structure. In particular, for probabilistic computations, we focus on metric-enriched symmetric monoidal categories and Markov categories [10].

The $𝔹$ represents the type of two bit values, $1$ and $0$. $⟨p⟩$ describes a weighted coin flip, which has a chance of $p$ of producing $1$, and a chance of $1-p$ of producing $0$. The $\varphi$ represents an if-gate, choosing between two results of the same type using a bit as an argument.

For a metric enriched symmetric monoidal category $𝒞$, we can equip $\text{PI}(𝒞)$ with a notion of asymptotic equivalence. A nonnegative function $f:\mathbb{N}\to [0,\mathrm{\infty })$ approaches zero, written as ${lim}_{k\to \mathrm{\infty }}f(k)=0$, if for any possible threshold $\epsilon \in (0,\mathrm{\infty })$ there is some point $N\in \mathbb{N}$ after which the function is below $\epsilon$. Symbolically: .

From the perspective of cryptography, we consider $\epsilon$ the risk factor we are trying to beat, or the allowable failure rate of our algorithm. Then $N>0$ is the minimum security parameter to guarantee that the actual probability of failure is below the allowable risk.

The following definition captures indistinguishability between morphisms in $\text{PI}(𝒞)$, given that they may be investigated a polynomial number of times by the distinguisher (e.g. adversary), and this distinguisher may choose a polynomial amount of inputs and study each probabilistically generated output.