Linear Structures

The mathematical framework behind Open PenQuin: how lines, colored bits, and directed chains enable geometric analysis of quantum program loops

Linear structures are the mathematical foundation of Open PenQuin. This page provides a detailed exploration of how geometric primitives, specifically lines and their properties, enable the analysis and exploitation of quantum program loops in ways that traditional probabilistic methods cannot.


Introduction to Linear Structures

Classical penetration testing relies on pattern-based scans that employ some type of distribution. These scans are conditioned only on a generic distribution rather than on a detailed structure.

Quantum program loops break this assumption. The precise microstate of a loop running on quantum hardware does not yield to distribution-based analysis.

Linear structures offer an alternative. Instead of relying on distribution-based analysis, Open PenQuin uses a geometric framework, decomposing loops into lines to yield a specific description of a loop’s worst-case execution time (WCET) and worst-case execution path (WCEP).

The submetrical structure for a loop amounts to specifying which sets of points (coordinates/assembly code) are lines.

This shift from probability to geometry is not merely a change in mathematical formalism. It changes what questions can be asked, what measurements can be taken, and ultimately what attacks can be constructed.


Why Lines?

The most fundamental geometrical structure that can organize assembly code into a space is a line. This is a deliberate choice rooted in both mathematical necessity and practical utility.

Lines are chosen because they are:

  • Universal: lines can provide the structure necessary to deconstruct loops in both discrete and continuous states
  • Composable: lines can be combined, extended, and chained to build larger structures
  • Analyzable: with linear structures, assembly code in a loop can get from one point to another by moving in either direction, in polynomial time
  • Topologically foundational: lines help build an underlying structure in terms of which standard topological notions may be defined

When a loop’s assembly code is mapped into a linear structure, new capabilities emerge. Lines give rootkits new capabilities to map and coordinate with each other. Rootkit coordination between gadgets and proglets is useful because the coordinates/assembly code are nothing more than assigned instructions to events. Lines are applicable to both discrete and continuous loops, and they make no definitional use of functions from other loops in the loop being analyzed.

Lines help OpenPQ build an underlying structure in terms of which standard topological notions may be defined.


Line Classification

Lines in Open PenQuin’s framework are classified by their endpoints, specifically by which endpoints are designated as colored bits. This classification is the starting point for all structural analysis.

Figure: the three line types. Open lines have no colored endpoints, closed lines have both endpoints colored, and half-open lines have exactly one colored endpoint.

Open Lines

An open line has no colored bits. Neither of its endpoints is included as part of the line.

Closed Lines

A closed line has two colored bits. Both endpoints are included in the line.

Half-Open Lines

A half-open line has exactly one colored bit. One endpoint is included in the line and the other is not.


Colored Bits

Colored bits are the endpoints of lines. Lines are categorized by the number of colored bits (endpoints) they have — open lines have none, closed lines have two, and half-open lines have one.

The distinction matters because colored bits determine how lines relate to loop boundaries and how structures connect to each other.

Every colored bit on an open line effects a division of the rest of the colored bits into two disjoint assembly code classes: those that lie to one side and those that lie to the other.


Directed Lines and Chains

When lines are given a direction, they become directed lines. Sequences of directed lines form directed chains, which Open PenQuin uses to help trace and analyze Worst Case Execution Paths.

Figure: a grid of addresses from 0x0 through 0x5 connected by directed arrows, showing how individual directed lines compose into a chain that traces execution flow.

Directed Lines

A directed line is a line with a designated start point and end point.

Directed Chains

A directed chain is a sequence of directed lines ordered so that only finitely many lines lie between any pair of assembly codes in the chain, and so that the final colored bit of each directed line is the initial colored bit of the next directed line in the sequence, if there is one. The same directed line can occur multiple times in an assembly code sequence, and each directed line in the sequence is a link in the directed chain.

With linear structures, assembly code in a loop can get from one point to another by moving in either direction, in polynomial time.

Continuity and Chains

A central theorem in the framework connects continuity to chains:

A function is continuous if and only if it maps every directed line to a directed chain or colored bit in some range.

Open PenQuin can omit final endpoint colored bits when links are joined, to avoid double counting that assembly code. A pair of directed lines with the same initial endpoint colored bit are initially identical if and only if they share some initial line segment.
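
The chain rule and the endpoint-omission convention above, worked through as an added example (not Open PenQuin's own code). It assumes a discrete model in which a directed line is an ordered tuple of addresses; `DirectedLine`, `is_chain`, `join` and the sample data are hypothetical names and constructed values.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class DirectedLine:
    """Discrete directed line: addresses in order, plus which endpoints are colored."""
    points: Tuple[int, ...]
    start_colored: bool = True
    end_colored: bool = True

    def kind(self) -> str:
        # Classification by the number of colored (included) endpoints.
        return ("open", "half-open", "closed")[self.start_colored + self.end_colored]

    def included(self) -> Tuple[int, ...]:
        # An uncolored endpoint is not part of the line.
        lo = 0 if self.start_colored else 1
        hi = len(self.points) if self.end_colored else len(self.points) - 1
        return self.points[lo:hi]


def is_chain(links: Sequence[DirectedLine]) -> bool:
    """Each link's final colored bit must be the next link's initial colored bit."""
    for cur, nxt in zip(links, links[1:]):
        if not (cur.end_colored and nxt.start_colored) or cur.points[-1] != nxt.points[0]:
            return False
    return True


def join(links: Sequence[DirectedLine]) -> List[int]:
    """Flatten a chain, omitting each non-final link's end point so the
    shared address is counted once."""
    if not is_chain(links):
        raise ValueError("links do not form a directed chain")
    path: List[int] = []
    for link in links[:-1]:
        path.extend(link.included()[:-1])
    if links:
        path.extend(links[-1].included())
    return path


# Constructed sample: addresses 0x0..0x5 split into three closed links.
CHAIN = [DirectedLine((0x0, 0x1, 0x2)), DirectedLine((0x2, 0x3)),
         DirectedLine((0x3, 0x4, 0x5))]
# Constructed counter-example: the first link's final endpoint is not colored.
BROKEN = [DirectedLine((0x0, 0x1, 0x2), end_colored=False), DirectedLine((0x2, 0x3))]
```

Joining `CHAIN` visits each address from 0x0 to 0x5 exactly once, while `BROKEN` is rejected because its first link has no final colored bit to hand over to the next link.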


Line Extensions

A line extension occurs when one line extends beyond another by a single colored bit. This is the mechanism by which Open PenQuin builds larger structures from smaller components.

Figure: two directed lines meeting at a junction node, illustrating how line A extends beyond line B by adding a single colored bit at the junction.

How Extensions Work

A directed line A is a 1 colored bit extension of another directed line B if and only if A is an extension of B that contains only 1 colored bit not in B.

Building Complex Structures

Through repeated extension, simple lines grow into complex structures:

  • Product lines are the output of a formal technique that takes a pair of lines as input and yields a longer line as output
  • Bundled lines can also be constructed from a pair of lines

A product linear structure is a loop that can be created as a joint representation of a collection of directed linear structures.


Loop Boundaries

The boundary of a loop is where the loop’s internal linear structure meets the surrounding program. How the boundary relates to the structure’s colored bits determines critical properties of the loop.

Figure: connected and disconnected loop structures shown side by side, with their boundaries highlighted to illustrate the difference in reachability.

Boundary Classification

Lines can identify the boundary between a loop and its complements:

  • The loop boundary belongs to a set of colored bits (closed line).
  • The loop boundary belongs to the complement of the set of colored bits (open line).
  • Part of the loop boundary belongs to the set of colored bits and to the complement (other line).

Connected vs. Disconnected Structures

A linear structure is disconnected if it can be separated into two parts without breaking a line — each line must reside entirely in one part or the other. A linear structure is connected if no such separation is possible.
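
The separation test above can be checked mechanically. The following is an added example, not Open PenQuin's own code; it assumes a finite structure given as a set of addresses plus lines listed as tuples of addresses, and `components`, `is_connected` and the sample data are hypothetical names and constructed values.

```python
from typing import Dict, Iterable, List, Set


def components(points: Iterable[int], lines: Iterable[Iterable[int]]) -> List[Set[int]]:
    """Finest split of the points in which no line is broken across parts."""
    parent: Dict[int, int] = {p: p for p in points}

    def find(p: int) -> int:
        while parent[p] != p:
            parent[p] = parent[parent[p]]  # path halving
            p = parent[p]
        return p

    for line in lines:
        pts = list(line)
        for p in pts:
            parent.setdefault(p, p)  # tolerate points listed only on a line
        for q in pts[1:]:
            parent[find(q)] = find(pts[0])  # a line must stay in one part

    groups: Dict[int, Set[int]] = {}
    for p in parent:
        groups.setdefault(find(p), set()).add(p)
    return sorted(groups.values(), key=min)


def is_connected(points: Iterable[int], lines: Iterable[Iterable[int]]) -> bool:
    """Connected means no separation into two non-empty parts exists."""
    return len(components(points, lines)) <= 1


# Constructed sample: six addresses; no line links {0x0..0x3} to {0x4, 0x5}.
POINTS = range(0x0, 0x6)
SPLIT = [(0x0, 0x1, 0x2), (0x2, 0x3), (0x4, 0x5)]
# Adding one line across the gap removes the only possible separation.
BRIDGED = SPLIT + [(0x3, 0x4)]
```

Each returned part is a set of addresses that every line either lies wholly inside or misses entirely, so more than one part means the structure is disconnected.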


Building Higher Structures

The line deconstruction of a loop determines the restrictions of the linear structure to any subset of assembly codes in the loop, and so determines a critical part of the geometry for WCET and WCEP. Restricting attention to N-dimensional manifold structures (constructed out of lines) allows for the introduction of a gadget coordinate system between rootkits.

Since the Euclidean plane in 3 dimensions, and the space of spherical geometry, are all convex affine linear structures, Open PenQuin can use lines to build:

  • 2-dimensional conformal maps
  • 2-dimensional quasi-conformal maps
  • 2-dimensional Teichmüller maps

to deconstruct and analyze loops.


Tangents and Secants

Tangents are defined as the straight lines that provide the best approximation to a line at a colored bit. A tangent function takes colored bits as input and output, and differentiability arises when Open PenQuin considers how the output varies with the input. For example:

  • Curves lead to directed lines
  • Directed lines lead to differentiable manifold structures

The tangent is the limit of a sequence of secants.

Figure: a grid of addresses from 0x0 through 0x5 with directed arrows and dashed secant circles, showing how secant approximations converge to tangents at colored bit nodes.

Numbers may facilitate the discussion of geometrical structures for a loop, but they are not required for the definition of that loop. The notion that a number assigned by a metric function could have any direct geometrical significance on the deconstruction and analysis of a loop is a non-starter.

The proportionality of ratios provides Open PenQuin with a bridge to link magnitudes to numbers, opening the way to using numbers to represent linear structures.


Further Reading

The linear structures framework is under active development. For additional resources:

  • Technical Reference: See the technical reference for further documentation.
  • GitHub Repository: Browse the source code and implementation details at the Open PenQuin GitHub. Implementation details, including specific algorithms and data structures, are available in the repository documentation.
  • Research Foundations: Substantial proofs for the theory of linear structures have been provided by Tim Maudlin, and the incorporation of linear structures into graph theory and QIR can be explored further in the repository documentation.

Open PenQuin’s approach to quantum pentesting is built on the conviction that geometry, not probability, is the right language for understanding and exploiting quantum program loops. The linear structures framework is the formal expression of that conviction.