Categorical composable cryptography

We formalize the simulation paradigm of cryptography in terms of category theory and show that protocols secure against abstract attacks form a symmetric monoidal category, thus giving an abstract model of composable security definitions in cryptography. Our model is able to incorporate computational security, set-up assumptions and various attack models such as colluding or independently acting subsets of adversaries in a modular, flexible fashion. We conclude by using string diagrams to rederive the security of the one-time pad and no-go results concerning the limits of bipartite and tripartite cryptography, ruling out e.g., composable commitments and broadcasting.


Introduction
Modern cryptographic protocols are complicated algorithmic entities, and their security analyses are often no simpler than the protocols themselves. Given this complexity, it would be highly desirable to be able to design protocols and reason about them compositionally, i.e., by breaking them down into smaller constituent parts. In particular, one would hope that combining protocols proven secure results in a secure protocol without need for further security proofs. However, this is not the case for stand-alone security notions that are common in cryptography. To illustrate such failures of composability, let us consider the history of quantum key distribution (QKD), as recounted in [PR14]: QKD was originally proposed in the 80s [BB84]. The first security proofs against unbounded adversaries followed a decade later [May96, BBB+00, SP00, May01]. However, since composability was originally not a concern, it was later realized that the original security definitions did not provide a good enough level of security [KRBM07]: they didn't guarantee security if the keys were to be actually used, since even a partial leak of the key would compromise the rest. The story ends on a positive note, as eventually a new security criterion was proposed, together with stronger proofs [Ren05, BOHL+05].
In this work we initiate a categorical study of composable security definitions in cryptography. In the viewpoint developed here one thinks of cryptography as a resource theory: cryptographic functionalities (e.g. secure communication channels) are viewed as resources, and cryptographic protocols let one transform some starting resources into others. For instance, one can view the one-time pad as a protocol that transforms an authenticated channel and a shared secret key into a secure channel. For a given protocol, one can then study whether it is secure against some (set of) attack model(s), and protocols secure against a fixed set of models can always be composed sequentially and in parallel. This is in fact the viewpoint taken in constructive cryptography [Mau11], which also develops the one-time-pad example above in more detail. However, [Mau11] does not make a formal connection to resource theories as usually understood, whether as in quantum physics [HO13, CG19], or more generally as defined in order-theoretic [Fri15] or categorical [CFS16] terms. Instead, constructive cryptography is usually combined with abstract cryptography [MR11], which is formalized in terms of a novel algebraic theory of systems [MMP+18].
Our work can be seen as a particular formalization of the ideas behind constructive cryptography, or alternatively as giving a categorical account of the real-world-ideal-world paradigm (also known as the simulation paradigm [Lin17]), which underlies more concrete frameworks for composable security, such as universally composable cryptography [Can01] and others [PW00, BPW04, BPW07, MT13, HS15, LHM19, KTR20]. We will discuss these approaches and abstract and constructive cryptography in more detail in Section 1.1. Our long-term goal is to enable cryptographers to reason about composable security at the same level of formality as stand-alone security, without having to fix all the details of a machine model or having to master category theory. Indeed, our current results already let one define multipartite protocols and security against arbitrary subsets of malicious adversaries in any symmetric monoidal category C. Thus, as long as one's model of interactive computation results in a symmetric monoidal category, or more informally, as long as one is willing to use pictures such as Figure 1d to depict connections between computational processes without further specifying the order in which the picture was drawn, one can use the simulation paradigm to reason composably about multipartite security against malicious participants, and specifying finer details of the computational model is only needed to the extent that it affects the validity of one's argument. Moreover, as our attack models and composition theorems are fairly general, we hope that more refined models of adversaries can be incorporated.
We now highlight our contributions to cryptography:

• We show how to adapt resource theories as categorically formulated [CFS16] in order to reason abstractly about secure transformations between resources. This is done in Section 4 by formalizing the simulation paradigm in terms of an abstract attack model (Definition 4.1), designed to be general enough to capture standard attack models of interest (and more) while still structured enough to guarantee composability. This section culminates in Corollary 4.7, which shows that for any fixed set of attack models, the class of protocols secure against each of them results in a symmetric monoidal category. In Theorem 4.10 we observe that under suitable conditions, images of secure protocols under monoidal functors remain secure, which gives an abstract variant of the lifting theorem [Unr10, Theorem 15] that states that perfectly UC-secure protocols are quantum UC-secure.

• We adapt this framework to model computational security in Section 5 in two ways: either by replacing equations with an equivalence relation, abstracting the idea of computational indistinguishability, or by working with a notion of distance. In the case of a distance, one can then either explicitly bound the distance between desired and actually achieved behavior, or work with sequences of protocols that converge to the target in the limit: the former models working in the finite-key regime [TLGR12] and the latter models the kinds of asymptotic security and complexity statements that are common in cryptography. In the former case we show that errors compose additively in Lemma 5.8, and in Theorem 5.9 and Corollary 5.10 we show that protocols that are correct in the limit can be composed at will.

• We then apply the framework developed to study bipartite and tripartite cryptography. We begin by giving a purely pictorial proof of the security of the one-time pad in Section 6, valid for any Hopf algebra in any symmetric monoidal category. We then discuss the Diffie-Hellman key exchange in Section 7. In Section 8, we reprove the no-go theorems of [PR08, MR11, MMP+18] concerning two-party commitments (resp. three-party broadcasting) in our setting, and reinterpret them as limits on what can be achieved securely in any compact closed category (resp. symmetric monoidal category). The key steps of the proof are done graphically, thus opening the door for cryptographers to use such pictorial representations as rigorous tools rather than merely as illustrations.

• We conclude by discussing the choice of a model in Section 9 and further questions in Section 10.

Moreover, we discuss some categorical constructions capturing aspects of resource theories appearing in the physics literature. These contributions may be relevant for further categorical studies on resource theories, independently of their usage here.

• In [CFS16] it is observed that many resource theories arise from an inclusion C_F → C of free transformations into a larger monoidal category, by taking the resource theory of states. We observe that this amounts to applying the monoidal Grothendieck construction [MV20] to the composite functor C_F → C → Set, where the second functor is hom(I, −). This suggests applying this construction more generally to the composite of monoidal functors F : D → C and R : C → Set.

• In Example 3.1 we note that choosing F to be the n-fold monoidal product C^n → C captures resources shared by n parties and n-partite transformations between them.

• In Section 5.2 we model categorically situations where there is a notion of distance between resources, and instead of exact resource conversions one either studies approximate transformations or sequences of transformations that succeed in the limit.

• In Section 5.4 we discuss a variant of a construction on monoidal categories, used in special cases in [FST19] and discussed in more detail in [CGG+22], that allows one to declare some resources to be free and thus enlarge the set of possible resource conversions.
1.1. Related work. We have already mentioned that cryptographers have developed a plethora of frameworks for composable security, such as universally composable cryptography [Can01], reactive simulatability [PW00, BPW04, BPW07] and others [MT13, HS15, LHM19, KTR20]. Moreover, some of these frameworks have been adapted to the quantum setting [BOM04, Unr10, MQR09]. One might hence be tempted to think that the problem of composability in cryptography has been solved. However, it is fair to say that most mainstream cryptography is not formulated composably and that composable cryptography has yet to realize its full potential. Moreover, this proliferation of frameworks should be taken as evidence of the continued importance of the issue, and is in fact reflected by the existence of a recent Dagstuhl seminar on this matter [CKLS19]. Indeed, the aforementioned frameworks mostly consist of setting up fairly detailed models of interacting machines, which as an approach suffers from two drawbacks:

• In order to be more realistic, the detailed models are often complicated, both to reason in terms of and to define, thus making practicing cryptographers less willing to use them. Perhaps more importantly, it is not always clear whether the results proven in a particular model apply more generally to other kinds of machines, whether those of a competing framework or those in the real world. It is true that the choice of a concrete machine model does affect what can be securely achieved: for instance, quantum cryptography differs from classical cryptography, and similarly classical cryptography behaves differently in synchronous and asynchronous settings [BOCG93, KMTZ13]. Nevertheless, one might hope that composable cryptography could be studied at a similar level of formality as complexity theory, where one rarely worries about the number of tapes in a Turing machine or other low-level details of machine models.

• Changing the model slightly (to e.g. model different kinds of adversaries or to incorporate a different notion of efficiency) often requires reproving "composition theorems" of the framework, or at least checking that the existing proof is not broken by the modification.
In contrast to frameworks based on detailed machine models, there are two closely related top-down approaches to cryptography: constructive cryptography [Mau11] and its cousin abstract cryptography [MR11]. We are indebted to both of these approaches, and indeed our framework could be seen as formalizing the key idea of constructive cryptography, namely cryptography as a resource theory, and thus occupying a similar space as abstract cryptography. A key difference is that constructive cryptography is usually instantiated in terms of abstract cryptography [MR11], which in turn is based on a novel algebraic theory of systems [MMP+18]. However, our work is not merely a translation from this theory to categorical language, as there are important differences and benefits that stem from formalizing cryptography in terms of a well-established and well-studied algebraic theory of systems, that of (symmetric) monoidal categories:

• The fact that cryptographers wish to compose their protocols sequentially and in parallel strongly suggests using monoidal categories, which have these composition operations as primitives. In our framework, the protocols secure against a fixed set of attack models form a symmetric monoidal category. In contrast, the algebraic theory of systems [MMP+18] on which abstract cryptography is based takes parallel composition and internal wiring as its primitives. This design choice results in some technical kinks and tangles that are natural with any novel theory but have already been smoothed out in the case of category theory. For instance, in the algebraic theory of systems of [MMP+18] the parallel composition is a partial operation and in particular the parallel composite of a system with itself is never defined [1], and the set of wires coming out of a system is fixed once and for all [2]. In contrast, in a monoidal category parallel composition is a total operation, and whether one draws a box with n output wires of types A_1, . . ., A_n or a single output wire of type ⊗_{i=1}^n A_i is a matter of convenience. Technical differences such as these make a direct formal comparison or translation between the frameworks difficult, even if informally and superficially there are similarities.

• We do not abstract away from an attacker model, but rather make it an explicit part of the formalism that can be modified without worrying about composability. This makes it possible to consider and combine different security properties very easily, and in particular paves the way to model attackers with limited powers such as honest-but-curious adversaries. In our framework, one can first fix a protocol transforming some resource to another one, and then discuss whether this transformation is secure against different attack models. In contrast, in abstract cryptography a cryptographic resource is a tuple of functionalities, one for each set of dishonest parties, and thus has no prior existence before fixing the attack model. This makes the question "what attack models is this protocol secure against?" difficult to formalize.

• As category theory is de facto the lingua franca between several subfields of mathematics and computer science, elucidating the categorical structures present in cryptography opens the door to further connections between cryptography and other fields. For instance, game semantics readily gives models of interactive, asynchronous and probabilistic (or quantum) computation [Win13, CDVW19b, CdVW19a] in which our theory can be instantiated, and thus further paves the way for programming language theory to inform cryptographic models of concurrency.

• Category theory comes with existing theory, results and tools that can readily be applied to questions of cryptographic interest. In particular the graphical calculi of symmetric monoidal and compact closed categories [Sel10] enable one to rederive impossibility results shown in [PR08, MR11, MMP+18] purely pictorially. In fact, such pictures were already used as heuristic devices that illuminate the official proofs in [PR08, MMP+18], and viewing these pictures categorically lets us promote them from mere illustrations to rigorous yet intuitive proofs. Indeed, in [MR11, Footnote 27] the authors suggest moving from a 1-dimensional symbolic presentation to a 2-dimensional one, and this is exactly what the graphical calculus already achieves.

[1] While the suggested fix is to assume that one has "copies" of the same system with disjoint wire labels, it is unclear how one recognizes or even defines in terms of the system algebra that two distinct systems are copies of each other.

[2] Indeed, while [PMM+17] manages to bundle and unbundle ports along isomorphisms when convenient, it seems like the chosen technical foundation makes this more of a struggle than it should be.

The approaches above result in a framework where security is defined so as to guarantee composability. In contrast, approaches based on various protocol logics [DMP01, DMP03, DDMP03b, DDMP03a, DDMP05, DDMR07] aim to characterize situations where composition can be done securely, even if one does not use composable security definitions throughout. As these approaches are based on process calculi, they are categorical under the hood [Pav97, MMP95] even if not overtly so. There is also earlier work explicitly discussing category theory in the context of cryptography [BMR19, CWW+11, SHW20, BKM18, Heu08, Hil11, CP12, KTW17, SV13, Pav14, Hin20, Pav12], but it concerns stand-alone security of particular (kinds of) cryptographic protocols, rather than categorical aspects of composable security definitions.

Background on monoidal categories and string diagrams
We assume that the reader is familiar with category theory in general and with monoidal and compact closed categories in particular, so we will recall the main concepts very briefly, mostly to explain the notation and string diagrams used. General references for category theory include [Mac71, Awo10, Bor94a, Bor94b, Rie17, Lei14], and string diagrams are surveyed in [Sel10]. However, a working cryptographer might find it easier to consult texts which are written with some applications in mind and introduce string diagrams concurrently with categories, such as [CP10, FS19, HV19].
Let C be a symmetric monoidal category (SMC). Roughly speaking, this means that we have a class of objects A, B, C, . . ., and a class of morphisms f, g, h, . . . . We also have functions dom and cod that give us the domain and codomain of morphisms, and we write f : A → B to express that A = dom(f) and B = cod(f). Morphisms can be composed sequentially, i.e., whenever f : A → B and g : B → C there is a morphism g • f = gf : A → C. In addition, there is a monoidal product ⊗ on objects and morphisms, that sends f : A → B and g : … For each object there should be an identity morphism id_A : A → A, and there should be a special object I called the tensor unit. This data is subject to some constraints: composition should be (strictly) associative and unital, and • and ⊗ should cooperate in that the equations (g … Moreover, the monoidal product should be associative, commutative and unital up to coherent isomorphisms; see [Bor94b, Section 6.1] for the precise details. We will often assume that the variables C and D denote strict SMCs, meaning that associativity and unitality of ⊗ hold up to equality. This is mainly for notational convenience: first, any SMC is equivalent to a strict one, and second, the theory we put forward could be developed without assuming strictness at the cost of some notational overhead. As an example of a (non-strict) SMC the reader could think e.g. of the category Set of sets and functions between them, with the monoidal structure given by cartesian product, or the category Vect_R of real vector spaces and linear maps between them, with the monoidal structure given by tensor product.
The tersely sketched structure of an SMC is naturally internalized in the graphical calculus we use, which provides a sound and complete method for reasoning about them. Thus the reader less familiar with SMCs is invited to trust their visual intuition, as it is unlikely to lead them astray. In this graphical calculus, we denote a morphism f : A → B as a box labelled f with an input wire A and an output wire B, and composition and monoidal product as … Special morphisms get special pictures: identities and symmetries are depicted as … In particular a morphism I → A_1 ⊗ · · · ⊗ A_n will have no incoming wires. We will call such morphisms states on A_1 ⊗ · · · ⊗ A_n and depict them as triangles instead of boxes. Note that the property id_{A⊗B} = id_A ⊗ id_B becomes … so that whether multiple wires are packaged into one or not is largely a matter of convenience. We will often omit labeling wires with the name of the object unless necessary, and at times the label will only give partial information. For Theorem 8.1 we will assume that our ambient category C is in fact a compact closed category. This means that C is an SMC, and we are also given for every object A an object A* and morphisms … Informally, this somewhat blurs the distinction between input and output wires, as one expects to happen if the boxes represent interactive and open computational processes. In particular, morphisms A → B correspond bijectively to states on A* ⊗ B, where the bijection is given by bending and unbending wires, and this correspondence should be seen as the categorical counterpart to the Choi-Jamiołkowski isomorphism from quantum information (see e.g. [CK17, Section 3.1.2] or [HV19, Section 3.1]).

We will briefly conclude this section by discussing functors between SMCs. A lax monoidal functor C → D between monoidal categories is a functor F : C → D equipped with natural maps F(A) ⊗ F(B) → F(A ⊗ B) and a morphism I_D → F(I_C) subject to certain coherence equations that roughly say that it cooperates with the monoidal structures on C and D in a well-behaved manner. A strong monoidal functor is a lax monoidal one for which the structure maps F(A) ⊗ F(B) → F(A ⊗ B) and I_D → F(I_C) are isomorphisms. A monoidal functor (in either sense) is symmetric if it additionally cooperates with the symmetries. We will use the graphical calculus of strong monoidal functors in the proof of Theorem 4.10, but otherwise do not refer to the detailed definitions nor use this graphical language, and hence we do not go into more detail here. Full definitions can be found e.g. in [Lei04, Section I.1.2] or in [Bor94b, Section 6.4], and a graphical calculus for them is discussed in [Mel06]. For us, all functors will be symmetric and either strong or lax monoidal, and we will specify which we mean whenever it makes a difference.

Resource theories
We briefly review the categorical viewpoint on resource theories of [CFS16]. Roughly speaking, a resource theory can be seen as an SMC, but the change in terminology corresponds to a change in viewpoint: usually in category theory one studies global properties of a category, such as the existence of (co)limits, relationships to other categories, etc. In contrast, when one views a particular SMC C as a resource theory, one is interested in local questions. One thinks of objects of C as resources, and morphisms as processes that transform a resource to another. From this point of view, one mostly wishes to understand whether hom_C(X, Y) is empty or not for resources X and Y of interest. Thus from the resource-theoretic point of view, most of the interesting information in C is already present in its preorder collapse. As concrete examples of resource-theoretic questions, one might wonder if

• some noisy channels can simulate an (almost) noiseless channel [CFS16, Example 3.13],

• there is a protocol that uses only local quantum operations and classical communication and transforms a particular quantum state to another one [CLM+14],

• some non-classical statistical behavior can simulate some other such behavior [ABKM19].
In [CFS16] the authors show how many familiar resource theories arise in a uniform fashion: starting from an SMC C of processes equipped with a wide sub-SMC C_F, the morphisms of which correspond to "free" processes, they build several resource theories (= SMCs). Here, the "free" processes should be understood as giving the morphisms that do not increase the resource at hand: for instance, deterministic processes form a natural choice of free operations in order to form a resource theory of randomness. Formally, the resource theory is specified by giving any C_F → C and then applying one of the constructions building a resource theory out of it. Perhaps the most important of these constructions is the resource theory of states: given C_F → C, the corresponding resource theory of states can be explicitly constructed by taking the objects of this resource theory to be states of C, i.e., maps r : I → A for some A, and maps r → s are maps f : A → B in C_F that transform r to s as in Figure 1a.
We now turn our attention towards cryptography. As contemporary cryptography is both broad and complex in scope, any faithful model of it is likely to be complicated as well. A benefit of the categorical idiom is that we can build up to more complicated models in stages, which is what we will do in the sequel. We phrase our constructions in terms of an arbitrary SMC C, but in order to model actual cryptographic protocols, the morphisms of C should represent interactive computational machines with open "ports", with composition then amounting to connecting such machines together. Different choices of C set the background for different kinds of cryptography, so that quantum cryptographers want C to include quantum systems, whereas in classical cryptography it is sufficient that these computational machines are probabilistic. Constructing such categories C in detail is not trivial but is outside our scope; we will discuss this in more detail in Section 10. Our first observation is that there is no reason to restrict to inclusions C_F → C in order to construct a resource theory of states. Indeed, while it is straightforward to verify explicitly that the resource theory of states is a symmetric monoidal category, it is instructive to understand more abstractly why this is so: in effect, the constructed category is something known as the category of elements of the composite functor C_F → C → Set, where the second functor is hom(I, −). Moreover, this composite is lax symmetric monoidal, and it has been proven abstractly that the category of elements of any lax symmetric monoidal functor is symmetric monoidal [MV20]. Thus this construction goes through for any symmetric (lax) monoidal functor into Set. In this work, such functors will arise as composites of F : D → C and R : C → Set, with C equipped with further structure in order to discuss security. Here it may be helpful to think of F as interpreting free processes into an ambient category of all processes, and of R : C → Set as an operation that gives for each object A of C the set R(A) of resources of type A.
Explicitly, given symmetric monoidal functors F : D → C and R : C → Set, the category of elements of RF has as its objects pairs (A, r) where A is an object of D and r ∈ RF(A), the intuition being that r is a resource of type F(A). A morphism (A, r) → (B, s) is given by a morphism f : A → B in D that takes r to s, i.e., satisfies RF(f)(r) = s. The symmetric monoidal structure comes from the symmetric monoidal structures of D, Set and RF. Somewhat more explicitly, (A, r) ⊗ (B, s) is defined as (A ⊗ B, r ⊗ s), where r ⊗ s is the image of (r, s) under the function RF(A) × RF(B) → RF(A ⊗ B) that is part of the monoidal structure on RF, and on morphisms of the category of elements the monoidal product is defined from that of D.
From now on we will assume that F is strong monoidal, and while R = hom(I, −) captures our main examples of interest, we will phrase our results for an arbitrary lax monoidal R. Allowing F to be an arbitrary strong monoidal functor instead of an inclusion lets us capture the n-partite structure often used when studying cryptography, as shown next.

Example 3.1. Take F to be the n-fold monoidal product C^n → C. The resulting resource theory has a natural interpretation in terms of n agents trying to transform resources to others: an object of this resource theory corresponds to a pair ((A_i)_{i=1}^n, r : I → ⊗_{i=1}^n A_i), and can be thought of as an n-partite state, depicted in Figure 1b, where the ith agent has access to a port of type A_i. A morphism from such a resource to another one (…, s) then amounts to a protocol that prescribes, for each agent i, a process f_i that they should perform so that r gets transformed to s as in Figure 1c.
In this resource theory, all of the agents are equally powerful and can perform all processes allowed by C, and this might be unrealistic: first of all, C might include computational processes that are too powerful or expensive for us to use in our cryptographic protocols. Moreover, having agents with different computational powers is important to model e.g. blind quantum computing [BFK09], where a client with access only to limited, if any, quantum computation tries to securely delegate computations to a server with a powerful quantum computer. This limitation is easily remedied: we could take the ith agent to be able to implement computations in some sub-SMC C_i of C, and then consider ⊗_{i=1}^n C_i → C. A more serious limitation is that such transformations have no security guarantees: they only work if each agent performs f_i as prescribed by the protocol. We will fix this in the next section.
First we address another limitation: for a given C, one might want to view morphisms of C as resources, instead of just working with the resource theory of states. This can be achieved by "the resource theory of universally-combinable processes" of [CFS16, Section 3.4], which we will now show to arise as the resource theory of states of another category.

Definition 3.2. Given an SMC C, the category n-comb(C) is defined as follows: objects of n-comb(C) are finite lists (A_i, B_i)_{i=1}^n of pairs of objects of C. A morphism (A_i, B_i)_{i=1}^m → (C, D) is given by a permutation σ : {1, . . ., m} → {1, . . ., m} and an m-comb … for some objects Y_i. Two such tuples are identified if they agree whenever one "plugs the holes" with maps of the form … A general morphism is then given by a function f : {1, . . ., m} → {1, . . ., k} and a morphism (A_i, B_i)_{i∈f^{-1}(j)} → (C_j, D_j) for each j. Composition is defined by nesting circuits into circuits, and the monoidal product is given by concatenation of lists.
We will elaborate on the sequential composition in n-comb(C) in the following paradigmatic situation: consider a morphism (σ, g) : (A_i, B_i)_{i=1}^m → (C, D) as depicted above, and morphisms (τ_i, h_i) : … Nested combs arising when composing morphisms in n-comb(C) can be composed in parallel to result in a map to (A_i, B_i)_{i=1}^m. The circuit representing the composite of this map with our starting map …

Remark 3.3. As remarked in [CFS16, Section 3.4], these n-combs naturally form a symmetric multicategory, a kind of category-like structure where the domain of a morphism is a list of objects but the codomain is always a single object (see e.g. [Lei04, Section 2.2.21] for the precise definition). The SMC n-comb(C) arises by a standard method of turning a symmetric multicategory into an SMC.
The tensor unit of n-comb(C) is given by the empty sequence, and a state of type (A_i, B_i)_{i=1}^n is … The resulting resource theory of states is the "resource theory of universally-combinable processes" of [CFS16, Section 3.4]: its objects are now lists of morphisms in C, and a resource conversion between two such lists consists of a map in n-comb(C_F) that converts the first list to the second one. In particular, the maps g_i appearing in such n-combs have to be maps of C_F.
We can add a multipartite structure to this resource theory just like we did for the resource theory of states in Example 3.1. The k-fold tensor product … is an example of such a resource, and general resources in this theory are then tuples of such maps. As another example, a channel letting Alice broadcast any message over a fixed message space to Eve and Bob as in Figure 4c is an example of such a resource, where now some of the input and output ports of the parties are trivial (i.e., equal to the tensor unit) and hence not drawn.
In this resource theory, all resources are "single-use" by design. This is true both for the combs, which must use each of the resources going into them exactly once, and for the general maps, which partition the starting resources to be used for each target resource. One can modify the construction of n-comb(C) so as to result in a cartesian monoidal category n-comb!(C) (i.e., a monoidal category where the monoidal product is given by the categorical product). In the resulting resource theory, all the resources are then usable arbitrarily many times. We will give the definition below, but won't use this in the sequel. The reason for this is that the protocols we study use their starting resources exactly once and hence already fit in n-comb(C). However, there is a natural embedding n-comb(C) → n-comb!(C), and using this one could view our protocols as transformations in the resource theory of reusable processes, and our security claims carry over through this inclusion.
Definition 3.4. Given an SMC C, the category n-comb!(C) is defined as follows: objects of n-comb!(C) are finite lists (A_i, B_i)_{i=1}^n of pairs of objects of C. Morphisms are defined in two stages: A morphism (A_i, B_i)_{i=1}^n → (C, D) is given by a function σ : {1, . . ., m} → {1, . . ., n}
[circuit diagram: an m-comb whose wires are labelled r, B_{σ(1)} and A_{σ(1)}]
, where two such m-combs are identified as in Definition 3.2. A morphism is given by a relation R : {1, . . ., m} → {1, . . ., k} and a morphism (A_i, B_i)_{i∈R^{-1}(j)} → (C_j, D_j) for each j. Composition is defined by nesting circuits into circuits, and the monoidal product is given by concatenation of lists.

Cryptography as a resource theory
4.1. Attack models and security. In order for a protocol i=1 , s) to be secure, we should have some guarantees about what happens if, as a result of an attack on the protocol, something else than (f_1, . . ., f_n) happens. For instance, some subset of the parties might deviate from the protocol and do something else instead. In the simulation paradigm [Lin17], security is then defined by saying that anything that could happen when running the real protocol, i.e., f with r, could also happen in the ideal world, i.e., with s. A given protocol might be secure against some kinds of attacks and insecure against others, so we define security against an abstract attack model. This abstract notion of an attack model is one of the main definitions of our paper. It isolates the conditions needed for the composition theorem (Theorem 4.6). It also captures our key examples, which we use to illustrate the definition after giving it.
, for any such a there is a b making the following square commute: The above definition of security asks for perfect equality and corresponds to information-theoretic security in cryptography. This is often too much to hope for, and we will relax this requirement in Section 5.
The intuition is that A gives, for each process in C, the set of behaviors that the attackers could force to happen instead of honest behavior. In particular, A(id_B) gives the behaviors that are available to attackers given access to a system of type B. Then property (i) amounts to the assumption that the adversaries could behave honestly. The first halves of properties (ii) and (iii) say that, given an attack on g and one on f, both attacks could happen when composing g and f sequentially or in parallel. The second parts of these say that attacks on composite processes can be understood as composites of attacks. However, note that (iii) does not say that an attack on a product has to be a product of attacks: the factorization says that any h ∈ A(g ⊗ f) factorizes as in Figure 1d with g′ ∈ A(g), f′ ∈ A(f) and h′ ∈ A(id_{B⊗D}). The intuition is that an attacker does not have to attack two parallel protocols independently of each other, but might play the protocols against each other in complicated ways. This intuition also explains why we do not require that all morphisms in A(f) have F(A) as their domain, despite the definition of A-security quantifying only over those: when factoring h ∈ A(g ∘ f) as g′ ∘ f′ with g′ ∈ A(g) and f′ ∈ A(f), we can no longer guarantee that F(B) is the domain of g′, since the attackers may take us elsewhere when they perform f′. Finally, the security definition is directly abstracted from the real-world/ideal-world paradigm, and can be seen as saying that a protocol realizes some target functionality securely if, for any attack on the protocol, there is an attack on the target functionality with identical end results. In other words, the attackers cannot achieve anything during the protocol that they could not achieve with the target functionality, so that the protocol is at least as secure as the target functionality.
If one thinks of F : D → C as representing the inclusion of free processes into general processes, one also gets an explanation of why we do not insist that free processes and attacks live in the same category, i.e., that F = id_C. This is simply because we might wish to prove that some protocols are secure against attackers that can use more resources than we wish or are able to use in the protocols.
Remark 4.2. One can rewrite condition (ii) as These equations look suspiciously close to stating that A is some kind of a functor, except that
• We do not require that identities are preserved. Intuitively, this corresponds to the fact that even if a protocol tells everyone to do nothing, dishonest parties might deviate arbitrarily.
to see what the codomain of A is supposed to be. We do not require A(f) ⊆ C(A, B) as we cannot expect attackers to respect our type system: for instance, if a given party is supposed to map their system to the tensor unit (representing them discarding information), they might not do so if they're not honest. We leave understanding attack models in more familiar categorical terms for future work.
Example 4.3. For any SMC C there are two trivial attack models: the minimal one defined by A(f) = {f} and the maximal one sending f to the class of all morphisms of C. We interpret the minimal attack model as representing honest behavior, and the maximal one as representing arbitrary malicious behavior.
Proposition 4.4. If A_1, . . ., A_n are attack models on SMCs C_1, . . ., C_n respectively, then there is a product attack model ∏_{i=1}^n A_i on ∏_{i=1}^n C_i defined by The required properties of ∏_{i=1}^n A_i follow from those of each A_i and the fact that operations in ∏_{i=1}^n C_i are defined pointwise. This proposition, together with the minimal and maximal attack models, is already expressive enough to model multi-party computation where some subset of the parties might behave arbitrarily maliciously. Indeed, consider the n-partite resource theory induced by Let us first model a situation where the first n − 1 participants are honest and the last participant is dishonest. In this case we can set A = ∏_{i=1}^n A_i where each of A_1, . . ., A_{n−1} is the minimal attack model on C and A_n is the maximal attack model. Then, an attack on f can be represented by the first n − 1 parties obeying the protocol and the nth party doing an arbitrary computation a, as depicted in the two pictures of Figure 3a, where [n] := {1, . . ., n}, (k, n] , and here k = n − 1. The latter representation will be used when we do not need to emphasize pictorially the fact that the honest parties are each performing their own individual computations. If instead of just one attacker there are several independently acting adversaries, we can take A = ∏_{i=1}^n A_i where A_i is the minimal or maximal attack structure depending on whether the ith participant is honest or not. If the set of dishonest parties can collude and communicate arbitrarily during the process, we need the flexibility given in Definition 4.1 and have the attack structure live in a different category than the one where our protocols live. For simplicity of notation, assume that the first k agents are honest but the remaining parties are malicious and might do arbitrary (joint) processes in C. In particular, the action done by the dishonest parties k + 1, . . ., n need not be describable as a product ⊗_{i=k+1}^n a_i of individual actions. In that case we define A as follows: we first consider our resource theory as arising and define A on C^k × C as the product of the minimal attack model on C^k and the maximal one on C. Concretely, this means that the first k agents always obey the protocol, but the remaining agents can choose to perform arbitrary joint behaviors in C. Then a generic attack on a protocol f can be represented exactly as before in Figure 3a, except we no longer insist that k satisfying the equation of Figure 3b.
If one is willing to draw more wire crossings, one can easily depict and define security against an arbitrary subset of the parties behaving maliciously, and henceforward this is the attack model we have in mind when we say that some n-partite protocol is secure against some subset of the parties. Moreover, for any subset J of dishonest agents, one could consider more limited kinds of attacks: for instance, the agents might have limited computational power or limited abilities to perform joint computations; as long as the attack model satisfies the conditions of Definition 4.1, one automatically gets a composable notion of secure protocols by Theorem 4.6 in Section 4.2.
We've seen that one party acting maliciously defines an attack model on C^k. We now show that this also defines an attack model A on n-comb(C^k). Informally, A lets the ith party change their part of any m-comb arbitrarily, leaving everything else about morphisms of n-comb(C^k) fixed. Definition 4.5. For a fixed i ∈ {1, . . ., k}, we define an attack model A on n-comb(C^k) corresponding to a malicious ith party as follows. Consider first a basic morphism (σ, (g_0, . . ., g_m)) : given by a permutation σ : {1, . . ., m} → {1, . . ., m} and an m-comb given by a tuple (g_0, . . ., g_m) of morphisms in C^k. Note that each g_j is a morphism in C^k, and hence a tuple of morphisms of C. Let us write π_j : C^k → C for the jth projection. We can now define A((σ, (g_0, . . ., g_m))) := {(σ, (h_0, . . ., h_m)) | π_j(h_ℓ) = π_j(g_ℓ) for all ℓ and all j ≠ i}.
We note that this is well-defined, as equality of morphisms in C^k is defined pointwise, so that modifying the ith coordinate of an m-comb in a particular way respects the equivalence relation on m-combs.
A morphism is given by a function f : {1, . . ., m} → {1, . . ., n} and morphisms To see that this is an attack model in the sense of Definition 4.1, note first that f ∈ A(f) for any morphism f, satisfying condition (i). We also note that if one composes sequentially a composable pair of attacks, the result is also an attack, so the first half of (ii) holds. For the other direction it suffices to consider an attack on a nested comb as in Figure 2. Such an attack corresponds to the ith party replacing their resulting m-comb with an arbitrary m-comb: however, we may think of this as resulting from the ith party first replacing each nested comb with something else, and then replacing the outer comb appropriately. This gives the other direction of (ii). Condition (iii) is clear, as by construction attacks on a parallel composite are parallel composites of attacks.

Proof. We first prove the claim when F = id_C. As the class of A-secure maps is a subclass of maps inside an SMC, it suffices to show it contains all coherence isomorphisms (and thus all identities) and is closed under ∘ and ⊗.
For coherence isomorphisms we prove a stronger claim and show that all isomorphisms are A-secure. Let f : (A, r) → (B, s) be an isomorphism so that f is an isomorphism A → B in C, and consider a ∈ A(f) with dom(a Assume now that f : (A, r) → (B, s) and g : (B, s) To show that secure maps are closed under ⊗, let f : (A, r) → (B, s) and g : ( As the top path equals R(h)(r ⊗ t) and the bottom path equals To prove the claim for an arbitrary strong monoidal F, observe first that f : (A, r) → (B, s) is A-secure in RF if, and only if The claim can now be deduced from the existence and description of pullbacks in the category of SMCs, but we give an explicit proof: the class of A-secure maps in RF contains all isomorphisms and is closed under composition because it is so in R. As F is strong monoidal, the square -secure as a composite of secure maps, which means that f ⊗ g is A-secure in RF as desired.
So far we have discussed security only against a single, fixed subset of dishonest parties, while in multi-party computation it is common to consider security against any subset containing e.g. at most n/3 or n/2 of the parties. However, as monoidal subcategories are closed under intersection, we immediately obtain composability against multiple attack models.
Corollary 4.7. Given a non-empty family of functors (D R for all i, j ∈ I and attack models A_i on C_i for each i, the class of maps in R that is secure against each A_i is a sub-SMC of R.
Using Corollary 4.7 one readily obtains composability of protocols that are simultaneously secure against different attack models A_i. Thus one could, in principle, consider composable cryptography in an n-party setting where some subsets are honest-but-curious, some might be outright malicious but have limited computational power, and some subsets might be outright malicious but not willing or able to coordinate with each other, without reproving any composition theorems.
While the security definition of f quantifies over A(f ), which may be infinite, under suitable conditions it is sufficient to check security only on a subset of A(f ), so that whether f is A-secure often reduces to finitely many equations.
and only if the security condition holds against attacks in X, i.e., if for any Let us return to the example of C^n → C with the first k agents being honest and the final n − k dishonest and collaborating. Then we can take a singleton as our initial subset of attacks on f, and this is given by f|_{[k]} ⊗ (⊗_{i=k+1}^n id). Intuitively, this represents a situation where the dishonest parties k + 1, . . ., n merely stand by and forward messages between the environment and the functionality, so that initiality can be seen as explaining "completeness of the dummy adversary" [Can01, Claim 11] in UC-security. In this case the security condition can be equivalently phrased by saying that there exists b ∈ A([id_b]) satisfying the equation of Figure 3c, which reproduces the pictures of [MT13]. Similarly, for classical honest-but-curious adversaries one usually only considers the initial such adversary, who follows the protocol except that they keep track of the protocol transcript.
Theorem 4.10. In the resource theory of n-partite states, if (f_1, . . ., f_n) is secure against some subset J of [n] and F is strong monoidal, then (F f_1, . . ., F f_n) is secure against J as well.
Proof. Let us first spell out explicitly how the domain and codomain of (F f_1, . . ., F f_n) depend on those of f: if f : ) by precomposing with the isomorphism I_D → F(I_C) and postcomposing with the isomorphism F(⊗_{i=1}^n A_i) ≅ ⊗_{i=1}^n F(A_i) stemming from the strong monoidal structure of F. This is the state that (F f_1, . . ., F f_n) transforms to the one induced by F(s). Let us now show that this transformation is secure provided that f is.
The heart of the argument is already apparent in the case n = 2, so let us first show that if (f_A, f_B) is secure against a malicious Bob, so is (F f_A, F f_B). For this attack model there is an initial attack, and the corresponding security constraint is depicted in Figure 3c. Then security of (F f_A, F f_B) can be shown graphically using the functorial boxes of [Mel06] by considering the equations For instance, if the inclusion of classical interactive computations into quantum ones is strong monoidal, i.e., respects sequential and parallel composition (up to isomorphism), then unconditionally secure classical protocols are also secure in the quantum setting, as shown in the context of UC-security in [Unr10, Theorem 15]. More generally, this result implies that the construction of the category of n-partite transformations secure against any fixed subset of [n] is functorial in C, and this is in fact also true for any family of subsets of [n] by Corollary 4.7.

Further extensions of the framework
The discussion above has been focused on perfect security, so that the equations defining security hold exactly. This is often too high a standard for security to hope for, and consequently cryptographers routinely work with computational or approximate security. We model this in two ways. The first approach replaces equations with an equivalence relation, abstracting from the idea that the end results are "computationally indistinguishable" rather than strictly equal. The second approach amounts to working in terms of a (pseudo)metric that quantifies how close we are to the ideal resource, so that one can discuss approximately correct transformations or sequences of transformations that succeed in the limit. The first approach is mathematically straightforward and we discuss it next, while the second approach is discussed in Sections 5.2 and 5.3. The second approach, while mathematically more involved, is needed to model protocols that are "close enough" to being computationally indistinguishable from the ideal, and thus to model statements in finite-key cryptography [TLGR12].
5.1. Security up to indistinguishability. We let Equ stand for the category of equivalence relations: its objects are sets (X, ≈_X) equipped with an equivalence relation, and morphisms (X, ≈_X) → (Y, ≈_Y) are given by functions f : From now on, we will omit the subscript and write ≈ for the equivalence relation associated with any object of Equ. The cartesian product of sets with the equivalence relations defined pointwise induces a symmetric monoidal structure on this category, and the operation (X, ≈) ↦ X/≈ of forming quotients gives a (strong) symmetric monoidal functor E : Equ → Set. We now relax our notions of correctness and security when we have a symmetric monoidal functor R : C → Equ.
Definition 5.1. Let R : C → Equ be a symmetric monoidal functor. Given r ∈ R(A) and

We let Equ_R denote the resource theory of ≈-correct transformations. It is also straightforward to adapt and prove Corollary 4.7 in order to state that maps that are secure up to ≈ against a set of attack models form an SMC.
Example 5.3. Let C be a category equipped with a monoidal congruence: a family of equivalence relations ≈ on each hom-set of C that respects ⊗ and ∘ in that f ≈ f′ and g ≈ g′ imply gf ≈ g′f′ (whenever defined) and g ⊗ f ≈ g′ ⊗ f′. In other words, let C be an SMC enriched in Equ. Then hom(I, −) gives a symmetric monoidal functor C → Equ, so one can work with the ≈-correct resource theory of states and with ≈-security against a malicious subset of parties. Moreover, in this situation we also obtain a symmetric monoidal functor hom(I, −) : n-comb(C) → Equ, enabling us to work with ≈-correct and ≈-secure transformations of morphisms of C.
In Section 7 we will give an instance of this example, where ≈ will denote computational indistinguishability, i.e., the inability of efficient computational systems to tell two systems apart (except for a negligible advantage), with Diffie-Hellman key exchange then giving rise to a transformation that is secure up to ≈.

5.2. Approximately correct transformations.
We now move to the metric case. If for each A the set of resources R(A) associated to it is not just a set but has the structure of a metric space, using this additional structure enables one to construct other resource theories where instead of transforming r ∈ R(A) to s ∈ R(B) exactly we are happy to be able to get (arbitrarily) close. While such approximate (or asymptotic) conversions are readily studied in the physics literature (see e.g. [CG19, V.A and V.B]), as far as we are aware this has not been formalized in the categorical context, so we first describe the situation without security constraints. As many interesting measures of distance in cryptography are in fact pseudometrics (non-equal functionalities might have distance 0), we work in a more general setting.
Definition 5.4. An extended pseudometric space is a pair (X, d) where X is a set and ). We will denote the category of extended pseudometric spaces and short maps simply by Met. We equip Met with a monoidal structure where (X, d) ⊗ (Y, e) is given by equipping X × Y with the ℓ_1-distance, i.e., the distance between (x, y) and (x′, y′) is given by d(x, x′) + e(y, y′).

The resource theory Met_R of asymptotically correct conversions is defined as follows: an object is given by a pair (A, r) where A is an object of C and r ∈ R(A). A morphism (A, r) → (B, s) is given by a sequence (f_n)_{n∈N} of maps A → B in C that is eventually ϵ-correct for any ϵ > 0, i.e., for which R(f_n)r → s as n → ∞.
In some resource theories, the relevant asymptotic transformations are allowed to use more and more copies of the resource, so that instead of a sequence of maps A → B we have a sequence (f_n)_{n∈N} of maps A^{⊗n} → B taking r^{⊗n} to s in the limit. The theory developed here adapts easily to this variant as well, with essentially the same proofs.
Lemma 5.5. Let R : C → Met be symmetric monoidal. The composite or tensor product of an ϵ-correct map with an ϵ′-correct map is (ϵ + ϵ′)-correct.
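Spelled out with the paper's own symbols, the inequality behind the sequential half of this lemma is the following chain (this derivation is added here as an illustration and is not part of the paper's text; it uses only functoriality of R, the triangle inequality in the pseudometric space R(C), and the fact that R(g) is a short map):

$$
\begin{aligned}
d\bigl(R(g \circ f)\,r,\; t\bigr)
&= d\bigl(R(g)R(f)\,r,\; t\bigr) \\
&\le d\bigl(R(g)R(f)\,r,\; R(g)\,s\bigr) + d\bigl(R(g)\,s,\; t\bigr) \\
&\le d\bigl(R(f)\,r,\; s\bigr) + d\bigl(R(g)\,s,\; t\bigr) \\
&< \epsilon + \epsilon' .
\end{aligned}
$$

For the tensor product the same bound follows from the ℓ_1-distance of Definition 5.4, since the distance between R(f)r ⊗ R(g)t and s ⊗ u in R(B) ⊗ R(D) is by definition the sum d(R(f)r, s) + d(R(g)t, u) < ϵ + ϵ′, and the lax monoidal structure map of R is short.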
Proof. Assume that f is an ϵ-correct transformation (A, r) → (B, s) and that g is an ϵ′-correct transformation (B, s) → (C, t). As R(g) is a short map, this gives

Theorem 5.6. The resource theory Met_R of asymptotically correct conversions induced by R : C → Met is a symmetric monoidal category.
Proof. The coherence isomorphisms are given by constant sequences of coherence isomorphisms of the resource theory induced by the composite C → Met → Set of R with the forgetful functor, and this implies that they satisfy the required equations of an SMC. Moreover, as they are exact resource conversions, they are also asymptotically correct. Thus it suffices to check that asymptotically correct conversions are closed under ∘ and ⊗. But this follows from Lemma 5.5: given two asymptotically correct transformations and ϵ > 0, the two transformations are eventually ϵ/2-correct, after which their composite (whether In particular, if C is Met-enriched, the functor hom(I, −) lands in Met so that one can discuss asymptotic transformations between states.
While in resource theories one first tries to understand whether a given transformation is possible at all, once some resource conversion has been shown to be possible one might ask for more. In particular, in the asymptotic setting one might want the sequence (f_n)_{n∈N} to be efficient (and in particular computable) in n, and to converge to the target fast in terms of some measure of the cost of implementing f_n. One might even want to be able to give an explicit bound on the distance between R(f_n)r and s, as is done for instance in finite-key cryptography [TLGR12]. However, such considerations are best addressed when working inside a specific resource theory rather than being hardwired into the definitions at the abstract level. Conversely, if one can show that a given asymptotic transformation is impossible even for such a permissive notion of transformation, the resulting no-go theorem is stronger than if one worked with "efficient" sequences.

5.3. Computational security.
We now show that one can reason composably about computational security in such a metric setting. The proofs follow rather straightforwardly from the definitions we have by using the structure at hand: most importantly, from the triangle inequality of any metric space and the fact that our maps between metric spaces are contractive. For concrete models of cryptography, one might need to do nontrivial work to show that one has all this structure, after which our theorems apply.
Definition 5.7. Consider F : D → C and R : C → Met and an attack model A on C. For an ϵ > 0 and an ϵ-correct map f : (A, r) → (B, s), we say that f is an ϵ-secure transformation Let (f_n)_{n∈N} : (A, r) → (B, s) now define an asymptotically correct conversion in Met_{RF}.
We say that (f_n)_{n∈N} is asymptotically secure against A (or asymptotically A-secure) if it is eventually ϵ-secure for any ϵ > 0. Explicitly, (f_n)_{n∈N} : (A, r) → (B, s) is asymptotically secure if for any ϵ > 0 there is a threshold k ∈ N such that for any n > k and any a ∈ A(F Note that while we changed our notion of security both in the presence of ≈ and in the (pseudo)metric setting, we kept our notion of an attack model the same. We expect that the theory would carry over even if one defined "attack models up to ≈" (and "metric attack models") by relaxing Definition 4.1 to state that the required factorizations only exist up to ≈ (up to every ϵ > 0). However, we do not pursue these generalizations here as they are not needed for the present work.
We now show that bounds on security compose additively.
Lemma 5.8. Let R : C → Met be lax monoidal and A an attack model on C. The composite or tensor product of an ϵ-secure map with an ϵ′-secure map is (ϵ + ϵ′)-secure.
Proof. We have already seen that ϵ-correctness behaves as desired in Lemma 5.5. Assume that f is an ϵ-secure transformation (A, r) → (B, s) and that g is an ϵ′-secure transformation (B, s) → (C, t) against A. Given h ∈ A(g ∘ f) with domain A, factorize it as g′ ∘ f′ as guaranteed by (ii). As f is A-secure there is some b ∈ A(id_B) with d(R(f′)r, R(b)s) < ϵ. Now g′b ∈ A(g) by (ii), so that security of g implies the existence of c ∈ A(id We now give a composition theorem for asymptotically secure protocols.
Theorem 5.9.Given symmetric monoidal functors F : D → C, R : C → Met with F strong monoidal and R lax monoidal, and an attack model A on C, the class of asymptotically A-secure maps forms a wide sub-SMC of the asymptotic resource theory Met RF induced by F and R.
Proof. As with Theorem 4.6, it suffices to show that asymptotically secure maps contain all coherence isomorphisms and are closed under ∘ and ⊗. Moreover, the reduction from the general case to F = id is the same, so we assume that F = id. It is easy to see that whenever f is A-secure in the resource theory induced by the composite C → Met → Set of R with the forgetful functor, the constant sequence (f)_{n∈N} is asymptotically A-secure. Thus security of coherence isomorphisms implies their asymptotic security.
Assume now that (f_n)_{n∈N} : (A, r) → (B, s) and (g_n)_{n∈N} : (B, s) → (C, t) are asymptotically A-secure. Given ϵ > 0, for sufficiently large n both f_n and g_n are ϵ/2-secure, so that their composite is ϵ-secure by Lemma 5.8. The case for ⊗ follows similarly from Lemma 5.8.
Corollary 5.10. Given a non-empty family of functors (D for all i, j ∈ I and attack models A_i on C_i for each i, the class of maps in Met_R that is asymptotically secure against each A_i is a sub-SMC of Met_R.

To make these abstract results closer to cryptographic practice, one would work within some explicit C and with (pseudo)metrics relevant for cryptographers. A paradigmatic case is given by metrics induced by distinguisher advantage, where one defines the distance between two behaviors by first taking the supremum over all (efficient) distinguishers d of the probability of d distinguishing the two behaviors and then normalizing this value from [1/2, 1] to [0, 1]. If our starting category C contains processes that are not (efficiently) computable, such distinguisher metrics might not be contractive, as composing two distinct behaviors with a very powerful behavior might help a distinguisher trying to tell them apart. However, as long as one restricts C (and consequently the behaviors available as resources, protocols and attacks) to behaviors that the relevant class of distinguishers can freely implement, this readily results in a Met-enrichment, as composing two morphisms with a fixed morphism available to the distinguishers cannot increase distinguisher advantage. For instance, if the metric is induced by the distinguisher advantage of polynomial-time distinguishers, one should get a Met-enrichment on the subcategory of C corresponding to polynomial-time behaviors. Once one has specified a concrete C and a Met-enrichment on it, for any asymptotically secure protocol one can then discuss its speed of convergence, and in principle discuss which actual value of the security parameter is sufficiently secure for the task at hand.
We now wish to prove a variant of Theorem 4.10 in the approximate setting, abstracting from [Unr10, Theorem 18]. Again, we specialize to the n-partite resource theory of states, where our attack models consist of some subset J ⊂ {1, . . ., n} behaving maliciously. In this case, we assume our base categories to be Met-enriched, so that hom(I, −) lands in Met. In such a setting, a protocol is a sequence (f̃_i)_{i∈N} where each f̃_i := (f_{i,1}, . . ., f_{i,n}) is an n-tuple of morphisms.
Theorem 5.11. Let C and D be Met-enriched SMCs, and let F : C → D be a strong monoidal Met-enriched functor. If (f̃_i)_{i∈N} is an asymptotic transformation between two states of C that is asymptotically secure against J ⊂ {1, . . ., n}, so is (F f̃_i)_{i∈N}.
Proof. Again, it suffices to prove security against initial attacks. Now, the proof of Theorem 4.10 implies that if the desired equation in C holds up to ϵ > 0, so does the equation in D, so the claim follows.
As discussed in [Unr10], the computational version above is not as strong as the result in the case of perfect security, as the assumptions of Theorem 5.11 are rather strong. For instance, if a protocol is secure against polynomial-time classical adversaries, it does not follow that it is secure against polynomial-time quantum adversaries. Correspondingly, if we use the metric induced by "polynomial-time distinguishers", the inclusion of classical computations into quantum computations is not Met-enriched, as the distances might increase. However, if on the quantum side we use polynomial-time distinguishers, but on the classical side we use distinguishers that are able to simulate quantum polynomial-time machines, then protocols that are classically secure remain secure when thought of as quantum computations.

5.4. Setup assumptions and freely usable resources. Cryptographers often prove results saying that a given functionality is impossible to realize in the plain model but is possible with some setup. For instance, [CF01] shows that bit commitment (BC) is impossible in the plain UC-framework but it is possible assuming a common reference string (CRS), a functionality that gives all parties the same string drawn from some fixed distribution. In our viewpoint, claims such as these can be interpreted in the categories we have already built: for instance, impossibility of commitments amounts to non-existence of a secure map I → BC that builds bit commitments out of a trivial resource I, and possibility of bit commitments given a common reference string amounts to the existence of a secure protocol CRS → BC.
A related but distinct matter is that sometimes cryptographers wish to make some (possibly shared) functionalities freely available to all parties without having to explicitly mention them being used as a resource. For instance, so far in our framework all communication between the honest parties has been mediated by the functionality r that they start from. However, one might want to model situations where e.g. pairwise communication between parties is freely available (as is standard in multi-party computation) and does not need to be provided explicitly by the functionality one starts from. Put more abstractly, one might wish to declare some set X of functionalities "free" and think of secure protocols that build s from r and some functionalities from X just as maps r → s, without having to explicitly keep track of how many copies of which x ∈ X were used. This is in fact something that happens quite often in resource theories even before any security conditions arise, as it could happen that the free processes C_F are not quite expressive enough for the resource theory at hand. While one could try to define a larger category of free processes directly, it might be technically more convenient to obtain a larger class of free processes by allowing resource transformations to consume a resource from some class that is considered free. This can be achieved via a general construction on SMCs, a special case of which is used in [FST19] when constructing the category of learners. A special case also appears in the resource theory of contextuality as defined in [ABKM19], where one first defines deterministic free processes, and probabilistic (but classical) transformations d → e are then defined as transformations d ⊗ c → e where c is a non-contextual (and thus free) resource. This construction is discussed more generally in [CGG+22], but we modify it slightly by allowing one to choose a class of objects as "parameters" instead of taking that class to consist of all objects: this modification is important for resource theories as it lets one control which resources are made freely available.
Proposition 5.12. Let C be an SMC and X a class of objects that contains I and is closed under ⊗. Then there is an SMC whose objects are those of C, and whose morphisms A → B are given by equivalence classes of morphisms A ⊗ X → B in C with X ∈ X, modulo an equivalence relation. It is easy to show graphically that composition and tensor are well-defined on these equivalence classes and that this results in an SMC.
Using Proposition 5.12 we can easily model protocols that have free access to some cryptographic functionalities: one just declares a class X of functionalities (e.g. pairwise communication channels) that is closed under ⊗ to be free. In that case a protocol acting on ((A_i)_{i=1}^n, r) can be depicted with an additional free resource x ∈ X attached to it. For example, if we are in a multi-party setting and want to treat secure pairwise communication as a solved problem, as is common in multi-party computation, we could let X be generated by all pairwise channels.

The one-time pad
We will now explore how the one-time pad (OTP) fits into our framework, paralleling the discussion of the OTP in [Mau11]. We will start from the category FinStoch of finite sets and stochastic maps between them, with ⊗ given by the cartesian product of sets. This is sufficient for the OTP over a fixed message space, even if more complicated and interactive cryptographic protocols will need a different starting category. However, the actual category C we work in is built from FinStoch, as we want our resources to be morphisms of FinStoch with a tripartite structure. As we have seen at the end of Section 3, this can be achieved by working with the resource theory C induced by n-comb(FinStoch^3) with the three parties named Eve, Alice and Bob. We will equip n-comb(FinStoch^3) with the attack model from Definition 4.5, with Eve being the malicious party.
To recap, a basic resource in this resource theory is given by finite sets E_i, A_i, B_i for i = 1, 2, and a map f : E_1 × A_1 × B_1 → E_2 × A_2 × B_2. The intuition is that ⟨(A_i, B_i, E_i)_{i∈{1,2}}, f⟩ represents a box shared by Alice, Bob and Eve, with Alice's inputs and outputs ranging over A_1 and A_2 respectively, and similarly for Bob and Eve. A general object of C then consists of a list of such basic objects, representing a list of such resources shared between Alice, Bob and Eve. We will often label the ports just by the party who accesses them, and omit labeling trivial ports. For example, if Figure 4a depicts the copy map X → X ⊗ X for some set X in FinStoch, then Figure 4b denotes an object of C representing Alice copying data in X privately, whereas Figure 4c denotes an object of C that sends Alice's input unchanged to Bob and to Eve, which we view as an insecure (but authenticated) channel from Alice to Bob.
In the version of the one-time pad we discuss, our starting resources consist of an insecure but authenticated channel (see footnote 4) from Alice to Bob as in Figure 4c and of a random key over the same message space, shared by Alice and Bob, depicted in Figure 4d. Alice and Bob having access to both of these resources is modelled by them sharing the monoidal product of these resources. The goal is to build a secure channel from Alice to Bob out of these.
We will next describe the local ingredients needed for the OTP. First of all, Alice and Bob must agree on a group structure on the message space: this consists of a multiplication with unit that is associative and unital, i.e., satisfies equations (6.1). Copying and deleting, denoted by a different color for convenience, satisfy similar equations (6.2). In addition, multiplication and copying interact (6.3), and the map i giving inverses (see footnote 5) satisfies (6.4). That the key is uniformly random is captured by (6.5), which amounts to saying that "adding uniform noise to a channel results in uniform noise". Moreover, producing a random key and deleting it amounts to doing nothing (6.6). Taken together, the equations describe a structure known as a Hopf algebra with an integral [Swe69] in a symmetric monoidal category. In FinStoch, if one keeps the meaning of the copy maps fixed, such structures correspond exactly to finite groups equipped with the uniform distribution, and any such group can be used to implement the one-time pad with the message space given by the set underlying the group. Concretely, this means that Alice and Bob must agree on a group structure on the message space, and the fact that this multiplication forms a group and that the key is random is captured by these equations.

4 If the insecure channel allows Eve to tamper with the message, the analysis changes, as the resulting channel still lets Eve flip bits in the sent message even if she cannot read it. Consequently, one can study the OTP with a different domain and codomain than chosen here.
5 Usually in the OTP one works over a power of Z_2, so that i is given by the identity map.
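As an added, runnable illustration (not part of the paper), the following Python code implements the one-time pad over an arbitrary finite group exactly as the last sentence describes: Alice multiplies the message by a uniformly random key, Bob multiplies by the inverse. The groups (a power of Z_2 as in footnote 5, a cyclic group, and the non-abelian group S_3) are constructed here; the checks compute Eve's view over all keys exactly, so "perfectly secure" means the ciphertext distribution is the uniform distribution on the group for every message, which is the content of equation (6.5). It also exercises the tampering caveat of footnote 4.

```python
from collections import Counter
from itertools import permutations
import secrets


class FiniteGroup:
    """A finite group given by its element list, a multiplication and a unit.
    Inverses are recovered from the multiplication table, so the constructor
    also checks that every element has one (otherwise Bob could not decrypt)."""

    def __init__(self, elements, mul, unit):
        self.elements = list(elements)
        self.mul = mul
        self.unit = unit
        self._inv = {}
        for x in self.elements:
            for y in self.elements:
                if mul(x, y) == unit and mul(y, x) == unit:
                    self._inv[x] = y
                    break
        if len(self._inv) != len(self.elements):
            raise ValueError("not a group: some element has no inverse")

    def inv(self, x):
        return self._inv[x]

    def sample(self):
        # the uniformly random key shared by Alice and Bob (equation (6.5))
        return secrets.choice(self.elements)


# Three constructed message spaces with a group structure.  The first is the
# usual bitwise-XOR case (i is the identity); the third is non-abelian, to show
# that the construction only needs a group, not a commutative one.
def xor_group(bits):
    return FiniteGroup(range(2 ** bits), lambda x, y: x ^ y, 0)

def cyclic_group(n):
    return FiniteGroup(range(n), lambda x, y: (x + y) % n, 0)

def symmetric_group(n):
    compose = lambda p, q: tuple(p[q[i]] for i in range(n))   # (p∘q)(i) = p(q(i))
    return FiniteGroup(permutations(range(n)), compose, tuple(range(n)))


def otp_encrypt(G, m, k):
    """Alice: multiply the message by the key and broadcast the result."""
    return G.mul(m, k)

def otp_decrypt(G, c, k):
    """Bob: multiply the ciphertext by the inverse key, on the side Alice used."""
    return G.mul(c, G.inv(k))

def wrong_side_decrypt(G, c, k):
    """Multiplying by k^{-1} on the other side: correct only for abelian groups."""
    return G.mul(G.inv(k), c)

def is_correct(G, decrypt=otp_decrypt):
    """Correctness: Bob recovers m for every message and every key."""
    return all(decrypt(G, otp_encrypt(G, m, k), k) == m
               for m in G.elements for k in G.elements)

def ciphertext_distribution(G, m):
    """Eve's view (her initial attack: read the ciphertext) for a fixed message m,
    as exact counts over all keys rather than a sampled estimate."""
    return Counter(otp_encrypt(G, m, k) for k in G.elements)

def is_perfectly_secure(G):
    """Security: for every m, Eve's view is the uniform distribution on G, i.e. the
    simulator that just outputs a random group element is indistinguishable."""
    uniform = Counter({x: 1 for x in G.elements})
    return all(ciphertext_distribution(G, m) == uniform for m in G.elements)

def tampered_plaintext(G, m, k, delta):
    """Footnote 4: if Eve multiplies the ciphertext by delta, Bob decrypts
    (m·k)·delta·k^{-1}, which for an abelian group is m·delta: Eve shifts the
    message without being able to read it."""
    return otp_decrypt(G, G.mul(otp_encrypt(G, m, k), delta), k)


if __name__ == "__main__":
    for G in (xor_group(4), cyclic_group(7), symmetric_group(3)):
        print(len(G.elements), is_correct(G), is_perfectly_secure(G),
              is_correct(G, wrong_side_decrypt))
```

Correctness and perfect security hold for all three groups, while decrypting on the wrong side fails for S_3, which is why the protocol has to fix on which side the key is applied once the group is not assumed commutative.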
The OTP protocol is then depicted as follows: Alice adds the key to her message and broadcasts the result to Eve and Bob; Eve deletes her part, and Bob adds the inverse of the key to the ciphertext to recover the message. That the protocol is correct (i.e., works when everyone follows it) can be proven by rewriting with the equations above. However, we also need to show that the protocol is secure. In this case, Eve has an initial attack given by just reading the ciphertext, and security can be proven pictorially: taken together, the rewriting steps show that Eve's initial attack is equal to her just producing a random message herself when Alice and Bob share the target resource. Thus the OTP represents a map shared key ⊗ authenticated channel → secure channel that is secure against Eve. In pictures, we might say that the OTP is a map between these two resources.

7.1. The category of efficient probabilistic computations. We will now build the category we will work in. While FinStoch was a workable starting point for the OTP, it is no longer good enough for DHKE, as the security constraints are computational and hence require asymptotic notions. Informally, we will work with the category whose maps are "efficient sequences of stochastic maps", where as usual we identify efficiency with computability in polynomial time. As a first approximation, one might think of the larger category [N, FinStoch] of all sequences of stochastic maps (here N is viewed as a discrete category) and then restrict to the efficient sequences therein. However, one usually defines polynomial-time computability for functions on some standard set (e.g. N or {0, 1}*) and then lifts this to other sets by encoding. We capture this in the following definition (see footnote 6).
Definition 7.1. An efficient sequence of finite sets consists of a sequence of injections (⌜−⌝_n : A_n → {0, 1}*)_{n∈N}, where each A_n is a finite set and the characteristic functions of the sets ⌜A_n⌝_n ⊂ {0, 1}* can be computed in polynomial time. When there is no risk of confusion, we will often drop the subscript and write ⌜−⌝ instead of ⌜−⌝_n, and similarly we will not disambiguate notationally between the encoding functions ⌜−⌝ of different sets unless we really have to. When we think of the index as a security parameter, we will often index with λ rather than with n.
An efficient stochastic map (A_n, ⌜−⌝)_{n∈N} → (B_n, ⌜−⌝)_{n∈N} consists of a sequence of stochastic maps (f_n : A_n → B_n)_{n∈N} such that the sequence of maps (f̄_n : ⌜A_n⌝_n → ⌜B_n⌝_n)_{n∈N} defined by f̄_n(⌜a⌝) = ⌜f_n(a)⌝ can be computed in probabilistic polynomial time.
We denote the category of efficient sequences of finite sets and efficient stochastic maps between them by Eff. Fixing some efficient bijective pairing function ⟨−, −⟩ : {0, 1}* × {0, 1}* → {0, 1}*, we equip Eff with the structure of a symmetric monoidal category, where the monoidal structure on objects is induced by the cartesian product of sets, and the encoding of (a, b) ∈ A_n × B_n is given by ⟨⌜a⌝, ⌜b⌝⟩.
We will now formalize the notion of "computational indistinguishability" as a congruence on Eff. Recall that a function f : N → R+ is negligible if for any exponent c ∈ N the function f is eventually smaller than 1/n^c.

Definition 7.2. Given two objects A and B of Eff, a distinguisher of type A → B is, informally speaking, a program that tries to tell apart programs of type A → B. More precisely, a distinguisher of type A → B is a probabilistic polynomial-time algorithm that queries an oracle (taking inputs in A and giving outputs in B) and outputs a single bit. In particular, it can query the oracle repeatedly, albeit only polynomially many times. Given a distinguisher D of type A → B and a map f : A → B in Eff, we let D(f) denote the function N → R+ that, given n, outputs the probability that D outputs 1 when given access to f_n as its oracle. Two parallel maps f, g : A ⇒ B in Eff are computationally indistinguishable, written f ≈ g, if for any distinguisher D of type A → B the function |D(f) − D(g)| is negligible.
As morphisms of Eff and our chosen distinguishers are by definition polynomial-time, for any morphism f of Eff one can always construct distinguishers that use f as a subroutine. This is at the heart of the following proposition. As the sum of two negligible functions is negligible, we have f ≈ h. We now check that ≈ respects sequential composition. Consider morphisms f, f′ : A ⇒ B and g, g′ : B ⇒ C with f ≈ f′ and g ≈ g′. Now, as f ≈ f′ we must have gf ≈ gf′, as any distinguisher D of type A → C can be used to construct a new distinguisher D_{g∘−} of type A → B that behaves otherwise as D but, whenever it receives an answer in B from the oracle, uses g to transform it into an answer in C. Similarly, gf′ ≈ g′f′, as a distinguisher of type A → C can feed the oracle's inputs through f′ to distinguish g from g′. Taken together, gf ≈ gf′ ≈ g′f′, so that by transitivity gf ≈ g′f′. The argument for parallel composition is similar.

7.2. Resources needed for DHKE. As with the one-time pad, we want our resources to be morphisms of this base category (equipped with a chosen labeling of input and output ports telling which parties control/access which). Consequently, we will work with the resource theory given by n-comb(Eff^3). While our protocol will actually be correct up to =, DHKE is only secure up to ≈, so we are working with security up to computational indistinguishability as in Section 5.1. We will now discuss the ingredients of the DHKE protocol. First of all, we can think of the sequence of groups G = (G_λ)_{λ∈N} as an object in Eff, with the group structure giving rise to a similar structure as for the OTP, and the element g ∈ G (i.e., g_λ ∈ G_λ for each λ ∈ N) is then modeled as a (deterministic) map I → G in Eff.
However, Alice and Bob do not really need the whole group structure of G: rather, it is sufficient that they can compute the map (a, h) ↦ h^a, where h is any element of the group and a is an integer (modulo |G|). We model this by defining the object Z_n := (Z_{n(λ)})_{λ∈N} where n(λ) = |G_λ|, equipped with some encoding, so that the map (a, h) ↦ h^a becomes a map act : Z_n ⊗ G → G as in Figure 5a. In addition, Alice and Bob both need the ability to sample uniformly from Z_n, which becomes a state r : I → Z_n as in Figure 5b, and to compute the generator g as in Figure 5c.
The shared resources needed for the protocol amount to just the broadcasting maps of type G, with one for Alice and one for Bob.Alice's broadcasting map is depicted in Figure 4c, and a depiction of Bob's broadcasting map is obtained by switching the roles of A and B in the pictures.Similarly, the target resource is a uniformly random key k sampled from G, depicted in Fig 4d.
We now discuss some properties enjoyed by these structures. First of all, both Z_n and G are groups in their own right, so that together with their copy maps they satisfy equations (6.1)-(6.4) from the previous section. Similarly, the fact that the private random distribution used by Alice and Bob is uniform is captured by equation (6.5). Now, the map act : Z_n ⊗ G → G makes G into a module over Z_n, which pictorially corresponds to two equations, namely h^{ab} = (h^b)^a and h^1 = h. Moreover, we need the following general fact: copying the result of a deterministic function (whether g or the action) is equal to copying the inputs and applying the function twice (see footnote 7). In pictures, this amounts to saying that if f : A → B is deterministic, then copy_B ∘ f = (f ⊗ f) ∘ copy_A. The final properties that we need are that multiplication on Z_n is commutative and that copying is "cocommutative", which are captured by two further pictorial equations. Rewriting the protocol with these equations shows that when everyone follows the protocol, the end result is Alice and Bob sharing an element of the form g^a for a chosen uniformly from {1, ..., |G|}. As this gives the uniform distribution on G, the protocol is indeed correct.
We will now discuss the security of the protocol. The usual formulation of the DH assumption says that when a, b, c are sampled uniformly, we have (g^a, g^b, g^{ab}) ≈ (g^a, g^b, g^c). For us it is easier to work with the equivalent formulation (g^a, g^b, g^{ab}, g^{ab}) ≈ (g^a, g^b, g^c, g^c), as either joint distribution can be derived from the other efficiently, just by copying or discarding the last element as appropriate. Now, when one turns a claim like this into an axiom relating two pictures, one has some choices to make: after all, there are many possible diagrams that depict the probability distributions appearing in this claim. One could create a long-winded pictorial proof akin to the correctness proof by choosing appropriate starting pictures. In the formulation we adopt, the left-hand side indeed depicts the distribution (g^a, g^b, g^{ab}, g^{ab}) and the right-hand side the distribution (g^a, g^b, g^c, g^c). From this assumption, the security of DHKE is immediate: the left-hand side depicts the initial attack by Eve, and up to ≈ this is the same as Eve sampling g^a and g^b on her own while Alice and Bob share g^c, which is uniformly distributed. Consequently, DHKE is a secure protocol that takes two broadcast channels (one from Alice and one from Bob) and constructs a shared secret key out of them. In pictures, one might then say that DHKE is a transformation from the two broadcast channels to the shared key. Alternatively, one could have formulated the DH assumption as a different pictorial equation. For that formulation, security is no longer immediate: to conclude that the protocol is secure, one must first transform the LHS of our prior security definition into the LHS of that equation. We leave developing such a pictorial proof to the interested reader.
It is well known that DHKE is vulnerable to an attacker-in-the-middle, where Eve pretends to be Bob when communicating with Alice and vice versa, establishing a shared secret key with each of them. What does this look like in our approach, especially since DHKE as analyzed above was deemed secure? The reason is that in our simplistic setting the channels used by Alice and Bob are authenticated, in that both parties know that any message sent along the channel goes to the other party as-is. Moreover, these starting resources do not allow Eve to send messages to Alice and Bob. Consequently, in our model Eve simply cannot perform such an attack. However, we could instead take our starting resources to be channels between the honest parties and Eve. One could then consider the DHKE protocol in this setting, where Eve is supposed to just wire the messages onward passively. In this case, the protocol is no longer secure: if Eve behaves as an attacker-in-the-middle, both Alice and Bob end up sharing a key with Eve and not with each other, whereas there is no attack Eve can perform on the ideal key resource with an indistinguishable end result.

→ Set, whereas in this section we replaced FinStoch with Eff and moved to security up to ≈. However, it is easy to lift the OTP to Eff for any efficient sequence of groups G. Indeed, if G is our sequence of groups, it satisfies all the equations we used in the security proof of the OTP and hence results in a secure protocol in the resource theory of this section. Concretely, this amounts to thinking of the one-time pad as follows: Alice and Bob agree on an efficient sequence of groups G, and then the OTP is a protocol that transforms a broadcasting map (of type G) and a shared uniformly random key over G into a secure communication channel (of type G). As a result, the above composite makes sense and is computationally secure by our composition theorems.
We now illustrate a further use of the composition theorems, similar to the example in [Mau11]. A major drawback of the OTP, despite its perfect security, is that one needs a key as long as the message. Now, Alice and Bob might want to use DHKE to obtain a key in the first place, but perhaps they want to communicate a longer message than the key allows. If they agree on a pseudo-random number generator (PRNG) with their key as the seed, they can map the short key to a longer key. If the PRNG is computationally secure, then the end result is computationally indistinguishable from a long key.

• The number of rounds for a protocol is fixed in advance, as opposed to being decided e.g. probabilistically during the protocol.
• The number of parties is fixed in advance, as opposed to some real-world protocols where the number of parties can change dynamically during the protocol.
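As an added, runnable illustration (not the paper's code), the following Python code runs the DHKE protocol of this section and then composes it with the key stretching just described. The group is a constructed toy: the order-q subgroup of Z_p^* generated by g = 4 for the safe prime p = 2q + 1 = 1019, small enough that Eve can brute-force discrete logarithms, which is exactly why the DH assumption is stated asymptotically over a sequence of groups indexed by the security parameter. HMAC-SHA256 in counter mode stands in for "a computationally secure PRNG", and the final step is a one-time pad over bitstrings with the stretched key. Both the honest run over authenticated broadcasts and the attacker-in-the-middle run over channels that pass through Eve are shown.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: G = <g> is the subgroup of order q in Z_p^*,
# p = 2q + 1.  n = |G| = q in the text's notation, so exponents live in Z_q.
# Real deployments use a standardised group (e.g. an RFC 3526 MODP group).
p = 1019
q = 509
g = 4


def is_prime(m):
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))

def check_parameters():
    """p and q prime, p = 2q + 1, and g generates a subgroup of order exactly q."""
    return is_prime(p) and is_prime(q) and p == 2 * q + 1 and g != 1 and pow(g, q, p) == 1

def act(a, h):
    """The action Z_n ⊗ G → G, (a, h) ↦ h^a (Figure 5a)."""
    return pow(h, a % q, p)

def sample_exponent():
    """The state r : I → Z_n: a uniformly random exponent (Figure 5b)."""
    return secrets.randbelow(q)

def dhke(a, b):
    """Honest run over authenticated broadcast channels.
    Returns Alice's key, Bob's key, and Eve's view (the two broadcasts)."""
    A, B = act(a, g), act(b, g)            # Alice broadcasts g^a, Bob broadcasts g^b
    k_a, k_b = act(a, B), act(b, A)        # k_a = (g^b)^a, k_b = (g^a)^b
    return k_a, k_b, (A, B)

def dhke_mitm(a, b, e1, e2):
    """Same protocol when every message passes through Eve, who replaces each
    broadcast by her own.  Returns Alice's key, Bob's key and Eve's two keys."""
    A, B = act(a, g), act(b, g)
    E1, E2 = act(e1, g), act(e2, g)
    k_a = act(a, E2)                       # Alice believes E2 came from Bob
    k_b = act(b, E1)                       # Bob believes E1 came from Alice
    return k_a, k_b, act(e2, A), act(e1, B)   # Eve shares k_a with Alice, k_b with Bob

def brute_force_dlog(h):
    """Recover a from g^a by enumeration.  Feasible only because |G| = 509 here;
    the DH assumption concerns families of groups where this cost grows
    super-polynomially in the security parameter."""
    x = 1
    for a in range(q):
        if x == h:
            return a
        x = x * g % p
    raise ValueError("not in the subgroup generated by g")

def eve_recovers_key(view):
    """What Eve's 'initial attack' of reading the broadcasts yields in a toy group."""
    A, B = view
    return act(brute_force_dlog(A), B)

def stretch_key(k, nbytes):
    """Map the short group element k to nbytes of key with an HMAC-SHA256
    counter-mode PRNG seeded by k (assumed stand-in for a secure PRNG)."""
    seed = k.to_bytes((p.bit_length() + 7) // 8, "big")
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hmac.new(seed, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]

def xor_otp(key, msg):
    """One-time pad over (Z_2)^(8·len(msg)) with the stretched key."""
    assert len(key) == len(msg)
    return bytes(x ^ y for x, y in zip(key, msg))

def send_long_message(k_a, k_b, msg):
    """The composite DHKE ; PRNG ; OTP: Alice encrypts under her key, Bob decrypts
    under his; the result equals msg exactly when the two keys agree."""
    c = xor_otp(stretch_key(k_a, len(msg)), msg)
    return xor_otp(stretch_key(k_b, len(c)), c)


if __name__ == "__main__":
    a, b = sample_exponent(), sample_exponent()
    k_a, k_b, view = dhke(a, b)
    print("honest keys agree:", k_a == k_b, "| Eve brute-forces it:", eve_recovers_key(view) == k_a)
    print("MITM:", dhke_mitm(a, b, sample_exponent(), sample_exponent()))
```

The MITM function makes the point of the preceding paragraph concrete: Alice and Bob each hold a key that Eve also holds, and no attack on the ideal shared-key resource produces that outcome. The brute-force function is the reason the toy parameters must never be reused outside an illustration.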
Let us now explain why choosing (let alone building) a starting category is not trivial. In general, the following desiderata pull in opposite directions:
• The computational model should be mathematically tractable.
• The computational model should be sufficiently expressive. One should be able to model both cryptographic protocols and realistic attacks in the model. In particular, any adversarial behavior simply assumed away creates room for side-channel attacks.
To elaborate on the required expressiveness, cryptographically reasonable models of computation should have most of the following features:
• computation should be probabilistic (or quantum), as there is no security without randomness;
• in general, concurrent computation should be asynchronous: after all, cryptography behaves differently in synchronous and asynchronous settings [BOCG93, KMTZ13] and we cannot assume synchronicity throughout;
• cryptographic protocols need not have a fixed number of communication rounds, and might instead be repeated until a success condition occurs;
• the number of parties need not be fixed in advance, but can change during the protocol.
In particular, the requirement of asynchronous probabilistic computation causes some difficulties for modelling cryptography, as discussed in [MT13].To paraphrase, the issue is that traditionally concurrency in asynchronous systems is modelled by nondeterminism, so that a system describes the set of all possible behaviors.Unfortunately, this does not work too well for cryptography, where one wants to bound the probability of a successful attack.Cryptographers often solve this by letting an adversary be responsible for scheduling.This is not always a reasonable assumption, and makes the resulting models inherently less compositional.However, one can still achieve categorical models that achieve most of these features, even if many existing models are not phrased categorically.Indeed, the aforementioned [MT13] builds a model of interactive, asynchronous probabilistic computation, where composition of computations is associative (resulting in a category), with the cartesian product of sets inducing a parallel composition operation (resulting in an SMC).The resulting framework is rich enough to study many cryptographic protocols such as broadcasting and secret sharing.
Another possible source of a model stems from CryptHOL [BLS20], an approach to formally verified cryptographic protocols using higher-order logic. While [BLS20] does not give an explicit category of probabilistic and stateful computations, we expect it to induce one, despite not having verified this in detail. We base our optimism on the fact that the monadic and coalgebraic techniques used in [BLS20] are inherently categorical. Moreover, CryptHOL has also been used to formalize constructive cryptography [LSBM19], and as a consequence one would expect that the same model could be phrased in categorical terms. We leave verifying this for future work, as it is outside the scope of this paper.
Additional models can be found in the literature on programming language theory, and particularly from game semantics [Win13].While these models are more often expressed categorically, and even result in compact closed categories so that Theorem 8.1 applies directly, they run the risk of being too involved mathematically, at least in order to gain mainstream traction among cryptographers.
We now turn our attention to modelling quantum cryptography. Again, one can use models coming from game semantics [CDVW19b, CdVW19a] with the aforementioned caveats. Another model, this time built by and for quantum cryptographers, can be obtained from [PMM + 17]. The model is rather general, as it is intended to be also suitable for relativistic quantum protocols, and indeed it has been used for such purposes in [VPDR19]. As the constructions are rather involved, we restrict ourselves to giving a high-level description. As [PMM + 17] is not expressed in categorical terms, we will explain why their model can equally well be interpreted as a category.
In this work, the authors work over a countable but otherwise arbitrary partial order T, and then define for each (finite-dimensional) Hilbert space A a new Hilbert space F(A) modelling a wire with A-messages being sent/received at times given by t ∈ T. They then define causal maps A → B as certain families of CPTP maps {F(A) → F(B)_C} where C ranges over downward-closed subsets of T, the intuition being that for a causal map the output at time t ∈ T depends only on the past of t, with some delay. The authors then define two ways of combining causal boxes:
• parallel composition, which we will denote by ⊗, which takes causal boxes A →
Moreover, the authors prove that these composition operations satisfy "composition order invariance", so that adding loops commutes with parallel composition, and the order in which loops were added does not affect the end result. While the authors phrase their constructions in terms of the algebraic theory of systems of [MMP + 18], the parallel composition operation they define is in fact a total operation, whereas in a system algebra f ⊗ f is never defined. Now, composition order invariance implies that this composition operation is associative. As identity maps are not causal (informally, because they are delay-free), this results only in a semicategory, i.e., a category-like structure without identities. However, we can formally add identities, resulting in a symmetric monoidal category.
Moreover, the authors equip these causal boxes with an explicit pseudometric (see footnote 10). This pseudometric is a cryptographically well-motivated one, as the distance between f and g is defined in terms of the ability of an environment to guess whether it interacts with f or g. Consequently one can also apply the asymptotic definitions of Sections 5.2 and 5.3 in this category.

10 One might be tempted to guess that any model of abstract cryptography yields a category in an analogous manner. We make the more reserved but less precise guess that this holds for those models of abstract cryptography that are "reasonable" or arise "naturally". However, we don't think there exists a simple construction of an SMC directly from any (composition-order-invariant) system algebra in the sense

Outlook
We have presented a categorical framework providing a general, flexible and mathematically robust way of reasoning about composability in cryptography.Besides contributing a further approach to composable cryptography and potentially helping with cross-talk and comparisons between existing approaches [CKLS19], we believe that the current work opens the door for several further questions.
First, due to the generality of our approach we hope that one can, besides honest and malicious participants, reason about more refined kinds of adversaries composably.Indeed, we expect that Definition 4.1 is general enough to capture e.g.honest-but-curious adversaries 11 .It would also be interesting to see if this captures even more general attacks, e.g.situations where the sets of participants and dishonest parties can change during the protocol.This might require understanding our axiomatization of attack models more structurally and perhaps generalizing it.Does this structure (or a variant thereof) already arise in category theory?While we define an attack model on a category, perhaps one could define an attack model on a (strong) monoidal functor F , the current definition being recovered when F = id.Another approach would be to generalize the definitions and results of Section 5 into general enriched notions of an attack model and of security, with Section 5 then giving the special cases enriched over Equ and Met.
Second, we expect that rephrasing cryptographic questions categorically would enable more cross-talk between cryptography and other fields already using category theory as an organizing principle.For instance, many existing approaches to composable cryptography develop their own models of concurrent, asynchronous, probabilistic and interactive computations.As categorical models of such computation exist in the context of game semantics [Win13,CDVW19b,CdVW19a], one is left wondering whether the models of the semanticists' could be used to study and answer cryptographic questions, or conversely if the models developed by cryptographers contain valuable insights for programming language semantics.
Besides working inside concrete models, which ultimately blends into "just doing composable cryptography", one could study axiomatically how properties of a category relate to cryptographic properties in it. As a specific conjecture in this direction, if one has an environment structure [CP12], i.e., coherent families of maps A → I for each A that axiomatize the idea of deleting a system, one might be able to talk about honest-but-curious adversaries at an abstract level. Similarly, having agents purify their actions is an important tool in quantum cryptography [LC97]; can categorical accounts of purification [CDP10, CH17, CP12] be used to elucidate this? Finally, we hope to get more mileage out of the tools brought in with the categorical viewpoint. For instance, can one prove further no-go results pictorially? More specifically, given the impossibility results for two and three parties, one wonders if the "only topology matters" approach of string diagrams can be used to derive general impossibility results for n parties sharing pairwise channels. Similarly, while diagrammatic languages have been used to reason about positive cryptographic results in the stand-alone setting [KTW17, BMR19, BKM18], can one push such approaches further now that composable security definitions have a clear categorical meaning? Besides the graphical methods, thinking of cryptography as a resource theory suggests using resource-theoretic tools such as monotones. While monotones have already been applied in cryptography [WW08], a full understanding of cryptographically relevant monotones is still lacking.

10 (continued) of [MMP + 18]: for one, in a system algebra f ⊗ f is never defined, whereas in a monoidal category f ⊗ f is always defined. Rather, we believe that natural sources of system algebras are also natural sources of SMCs.
11 Heuristically speaking this is the case: an honest-but-curious attack on g ∘ f should be factorizable as one on g and one on f, and similarly an honest-but-curious attack on g ⊗ f should be factorizable into ones on g and f that then forward their transcripts to an attack on id ⊗ id.
on the tensor unit is denoted by the empty picture.In general, a morphism might have multiple input/output wires

Example 3.1. Consider the resource theory induced by C^n --⊗--> C --hom(I,−)--> Set, where we write
and again, one could have a different subcategory of C for each of the parties). In the resource theory induced by n-comb(C^k) → n-comb(C) --hom(I,−)--> Set, resources are now lists of morphisms, each equipped with the structure of a k-fold tensor product on its domain and codomain. Intuitively, such a morphism corresponds to a box shared by the k parties, each with a specified (possibly trivial) input and output port. When k = 3 and the three parties are labeled Eve, Alice and Bob, any map of the form

Figure 3. Attacks and security constraints.
for some m ∈ N and an m-comb.
Definition 4.1. An attack model A on an SMC C consists of giving for each morphism f of C a class A(f) of morphisms of C such that
(i) f ∈ A(f) for every f.
(ii) For any f : A → B and g : B → C and composable g

4.2. Composition theorems.
Theorem 4.6. Given symmetric monoidal functors F : D → C, R : C → Set with F strong monoidal and R lax monoidal, and an attack model A on C, the class of A-secure maps forms a wide sub-SMC of the resource theory induced by RF.
) as guaranteed by (iii).Then security of f and g gives us b ∈ A(id B ) and d ∈ A(id D ) so that R(f ′ )r = R(b)s and R(g ′ )t = R(d)u.We now claim that the diagram where the unlabelled arrows come from the natural transformation R(−)×R(−) → R(− ⊗ −) making R lax monoidal.The top left square commutes by security of f and g, and the rightmost shape commutes by the factorization h = h ′ • (f ′ ⊗ g ′ ).The remaining two subdiagrams are naturality squares and hence commute.Hence the whole diagram commutes.
be factorized as b ∘ a with a ∈ X and b ∈ A(id_B).
Theorem 4.9. Let f : (A, r) → (B, s) define a morphism in the resource theory induced by F : D → C and R : C → Set, and let A be an attack model on C.

where the second equation is security of the original protocol and the other two equations rely on F being strong monoidal. The case of an arbitrary n can be shown similarly by drawing a similar picture with n − 1 dips in the box.
Definition 5.1. Consider now symmetric monoidal functors F : D → C, R : C → Equ with F strong monoidal and R lax monoidal, and an attack model A on C. Let f : (A, r) → (B, s) define a morphism in the resource theory Equ RF. We say that f is secure up to ≈ against an attack model A on C (or A-secure up to ≈) if for any a ∈ A(F(f)) with dom(a) = F(A) there is b ∈ A(id_{F(B)}) with dom(b) = F(B) such that R(a)r ≈ R(b)s, i.e., the square from Definition 4.1 commutes up to ≈.
Corollary 5.2. Let R, F, A be as in Definition 5.1. The category Equ RF is a symmetric monoidal category, and the category of ≈-secure transformations against A is a wide sub-SMC of it.
Proof. Consider the composite ERF, where E : Equ → Set sends a set with an equivalence relation to its set of equivalence classes. It is straightforward to check that f : A → B defines a map (A, r) → (B, s) in Equ RF iff it defines a map (A, [r]) → (B, [s]) in ERF, implying the first claim. Similarly, f is secure up to ≈ in Equ RF iff it is secure in ERF, so the second claim follows from Theorem 4.6.

Figure 4. Variants of the copy map.

Diffie-Hellman key exchange
We now turn our attention to the problem of obtaining keys in the first place, by modelling Diffie-Hellman key exchange (DHKE). Let us first recall DHKE as usually described. First of all, Alice and Bob agree on a finite cyclic group G with generator g (in fact, the group might depend on the security parameter, so one could think of them as agreeing on a sequence of groups). Alice and Bob uniformly sample a and b from Z_n where n = |G|. Alice and Bob then broadcast g^a and g^b over a public channel, after which Alice computes k_a := (g^b)^a and Bob computes k_b := (g^a)^b. As k_a = k_b = g^{ab}, they have now agreed on a key. If the group (or sequence of them) is chosen well, the distribution (g^a, g^b, g^{ab}) for uniformly sampled a, b "looks like" the distribution (g^a, g^b, g^c) for uniformly sampled a, b, c, and this is in fact often taken as the definition of security [KL15, Section 7.3.2].

Correctness and security of DHKE. We have now discussed all of the building blocks of DHKE, and can now depict the protocol pictorially. This picture corresponds to our earlier description of the protocol, where Alice and Bob first uniformly sample a and b from Z_n where n = |G|. Alice and Bob then broadcast g^a and g^b over a public channel, after which Alice computes k_a := (g^b)^a and Bob computes k_b := (g^a)^b, with Eve supposed to delete the public messages. We can now prove that the protocol is correct using the properties we have laid out.

7 In fact, this is often taken as the definition of deterministic morphisms in categorical approaches to probability [Fri20, Definition 10.1].
However, we can make things easier for us, and formalize the DH-assumption by stating that a

7.4. Composing with other protocols. Now, DHKE gives a transformation of the type depicted above. There is only one problem: in the previous section we worked with the resource theory induced by n-comb(FinStoch^3) --n-comb(⊗)--> n-comb(FinStoch) --hom(I,−)-->

B and C → D and produces a causal box A ⊗ C → B ⊗ D.
• An internal wiring operation, which takes as input a causal box A ⊗ B → B ⊗ C and produces a causal box A → C. The intuition is that the resulting causal box is obtained by wiring the output B-wire into the input B-wire.
[MMP + 18, Definition 3.1]. This allows us to extract a category from [PMM + 17]. The objects of this category are given by (finite-dimensional) message spaces A, B, C, ..., and morphisms A → B are given by T-causal maps A → B. The composite of f : A → B and g : B → C is given by internally wiring the B-ports together in g ⊗ f, pictorially represented by