Mnemosyne: Post-Quantum Distributed AI Infrastructure via Physical Security Barriers, Speculative Consensus, and Proof-of-Useful-Work on Heterogeneous Edge Networks

Chapter 1: Philosophy and Conceptual Framework

1.1 Introduction: The Singularity of Computational Physics

The history of human computation stands at a perilous crossroads. Over the past six decades, the dividends of Moore's Law have obscured a fundamental contradiction within computer science, but as fabrication processes approach atomic limits (5nm TSMC, 3nm Samsung), this veil has been lifted. The development of contemporary Artificial Intelligence (AI) and distributed systems is now being squeezed between two formidable physical walls.

The first is the limit of thermodynamics. Current large language models (LLMs) rely on brute-force scaling within hyperscale data centers—GPT-4 requires approximately 25,000 NVIDIA A100 GPUs, consuming 50 MW at peak load, equivalent to the electricity consumption of a medium-sized city. This not only leads to exponential increases in energy consumption but also results in extreme centralization of computing power, creating a "computing oligarchy" in the digital age. By 2026, five technology conglomerates (Google, Microsoft, Amazon, Meta, and Alibaba) control over 80% of global cloud computing infrastructure, effectively establishing a cartel on AI capabilities.

The second is the threat of quantum mechanics. The existing internet security architecture is almost entirely built upon "computational hardness assumptions" (e.g., RSA's integer factorization, ECC's discrete logarithm problem). However, the advent of Shor's algorithm signifies that once fault-tolerant quantum computers achieve sufficient scale—current estimates range from approximately 1,730 logical qubits (Chevignard et al., 2024) to fewer than one million physical qubits under optimistic error-correction assumptions (Gidney, 2025)—the current cryptographic foundation could collapse within days. IBM's quantum roadmap projects achieving 100,000 qubits by 2033, while Google and PsiQuantum target one million physical qubits by 2030. Meanwhile, Google's Willow chip (December 2024) demonstrated quantum error correction below the break-even point, marking a pivotal moment in the race toward "Q-Day"—the day quantum computers render classical cryptography obsolete.

Q-Day Timeline Uncertainty: While current engineering milestones (Google Willow's below-threshold QEC in December 2024, IBM's 100,000-qubit roadmap targeting 2033, PsiQuantum's 1-million physical qubit target for 2030) provide reference points, the actual arrival of cryptographically relevant quantum computers carries substantial uncertainty. Optimistic estimates place Q-Day as early as 2029–2031 (based on exponential QEC improvement trends observed in 2024–2026); conservative estimates extend to 2035–2040 (accounting for engineering challenges in scaling logical qubit counts and maintaining coherence). Mnemosyne's security architecture is designed to be robust across this entire uncertainty interval: the physical barrier (Q3) does not depend on any specific Q-Day timeline, and the urgency of deploying post-quantum infrastructure is independent of which end of the interval proves correct. The 2025 Nokia Threat Intelligence Report and accompanying CISO guidance have identified the preparation window as actively closing, reinforcing the position that deployment of quantum-resistant infrastructure should not wait for Q-Day certainty.

Facing these challenges, merely patching existing protocols (like improving Paxos consensus or optimizing TLS handshakes) is futile. We need a First Principles reconstruction—a paradigm shift that questions the foundational assumptions of distributed computing, cryptography, and information theory.

This research project—Mnemosyne—proposes a post-quantum distributed computing architecture based on the Landauer Principle. We do not attempt to compete on the old track; instead, we redefine the rules of the race: True security should stem from the irreversibility of physical laws; true performance should stem from the prediction and transcendence of time; true decentralization should emerge from economic incentives, not altruism.

1.2 Problem Statement: The Three Core Crises

The design of Mnemosyne aims to simultaneously address three "Impossible Trinity" dilemmas that have plagued edge computing and AI deployment for decades.

1.2.1 Security Crisis: The Collapse of Computational Assumptions

Traditional cryptography (e.g., RSA-2048, ECDSA P-256) relies on the attacker "not being able to compute efficiently." This is a precarious foundation. In the era of quantum supremacy, this is not merely an engineering challenge but an existential threat. As long as an attacker possesses sufficient quantum computing power, mathematical puzzles that are classically intractable will eventually be solved in polynomial time.

The National Institute of Standards and Technology (NIST) released three Post-Quantum Cryptography (PQC) standards in August 2024—ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+)—as countermeasures. However, these algorithms present distinct trust profiles that must be carefully distinguished. ML-KEM and ML-DSA shift the trust anchor from integer factorization and discrete logarithm to lattice hardness (Learning With Errors / Module-LWE). While these problems are believed to resist quantum attacks, they remain unproven mathematical conjectures, as evidenced by the collapse of the Rainbow signature scheme in 2022, which was once a NIST PQC finalist. SLH-DSA, based on hash-function collision resistance, offers a qualitatively different security foundation that does not rest on lattice assumptions; however, its signature sizes are substantially larger (kilobytes vs. bytes for classical schemes), imposing practical constraints on deployment at scale. Across all three standards, the common thread is that security remains anchored in mathematical assumptions—whether algebraic or combinatorial—that are subject to unforeseen cryptanalytic breakthroughs.

Harvest Now, Decrypt Later (HNDL): A Critical Time-Dimension Threat

Beyond the direct threat of quantum computers breaking current encryption in real time, a strategically more immediate danger is the Harvest Now, Decrypt Later (HNDL) attack vector. In an HNDL attack, nation-state adversaries and sophisticated threat actors intercept and store currently encrypted communications today, with the intention of decrypting them once cryptographically relevant quantum computers become available [2][4][8]. This strategy is simple but dangerous: attackers steal and store encrypted data today, betting that they will be able to decrypt it once quantum computing matures [9].

The HNDL threat is particularly acute for data with long-term confidentiality requirements—financial records, medical data, state secrets, and critically for Mnemosyne's context, gradient transmissions and model embeddings in federated learning systems [3]. Security professionals now identify HNDL as their top concern regarding post-quantum cryptography preparedness [9]. A 2025 systematic literature review confirms that PQC solutions such as ML-KEM/Kyber and ML-DSA/Dilithium are among the most mature mitigations, but these remain anchored in mathematical hardness assumptions that HNDL exploits across a 10–30 year time horizon [10].

Mnemosyne's Natural Immunity to HNDL: Mnemosyne's physical security barrier provides a fundamentally different response to HNDL that PQC standards cannot match. When an adversary stores transmitted PQ indices today and waits indefinitely for quantum computing advances, they face the following invariant: the security parameter \kappa = H_\infty(\mathcal{X}_{\text{white}} | \mathcal{Y}) does not degrade with time—it is a mathematical property of the whitening and quantization procedure, determined at transmission time and unchanged by subsequent technological developments. More critically, Q3 (the Margolus-Levitin bound) imposes a physical limit of \sim 10^{121} total operations achievable by any physical system harnessing the entire mass-energy of the observable universe over its entire age—a limit that does not change with time, does not depend on algorithmic advances, and is not subject to the HNDL time-extension strategy. Even if an adversary stores all transmitted PQ indices today and waits indefinitely for quantum computing advances, the physical barrier (Q3) remains the binding constraint, and its 10^{121} operations limit does not change with time. This is a guarantee that no PQC scheme based on mathematical hardness assumptions can provide: if a lattice problem underlying ML-KEM is broken 20 years from now, all HNDL-stored ciphertexts encrypted today become immediately readable. Mnemosyne's physical barrier has no analogous vulnerability.

Important Caveat on HNDL Immunity: Mnemosyne's HNDL immunity is conditional on \kappa \geq 804 being verified at transmission time. If future analysis reveals structural weaknesses in the whitening transformation that render \kappa < 804, data already transmitted would retrospectively lose physical barrier protection. This differs structurally from PQC's HNDL vulnerability in an important way: PQC schemes may be undermined by future algorithmic breakthroughs that are inherently unpredictable and uncontrollable, whereas Mnemosyne's \kappa verification is a controllable engineering measurement performed before deployment. Once \kappa \geq 804 is empirically confirmed (§8.3) and the system is deployed under that verified condition, the HNDL immunity is permanent and physically grounded—because the physical constants (k_B, h, t_{\text{universe}}) that underlie Q3 do not change with time. The epistemological distinction is therefore: PQC's HNDL risk is open-ended (no bound on future algorithmic progress), whereas Mnemosyne's HNDL risk is closed by engineering verification (a one-time measurement that, once passed, permanently closes the vulnerability window).

Mnemosyne's Insight: What if we add an independent physical layer to the security foundation, so that security rests on the conjunction of physical laws and (where necessary) computational hardness, rather than on computational hardness alone? Even if future cryptanalytic breakthroughs undermine the computational layer, the physical layer provides a residual barrier that no quantum algorithm can bypass. Concretely, if cracking a key requires not computational time but thermodynamic work exceeding the total energy of the observable universe (\sim 10^{69} joules) for irreversible computation, or exceeds the maximum number of orthogonal state transitions achievable by any physical system operating on the entire mass-energy of the universe for reversible and quantum computation, then no physically realizable adversary can breach this barrier regardless of computational paradigm. This is a guarantee rooted in fundamental physical laws: Landauer's principle (for irreversible computation), and the Margolus-Levitin quantum speed limit (for all computation, including reversible and quantum). These two independent physical constraints jointly ensure that no physically realizable adversary can breach the barrier, regardless of computational paradigm. This is not a bet on unproven mathematical conjectures—it is a guarantee rooted in Boltzmann's constant (k_B), Landauer's Principle, and the Margolus-Levitin theorem, augmented by information-theoretic bounds that apply equally to classical and quantum adversaries. All quantitative security claims in this chapter are conditional on the empirical verification of the conditional entropy H_S(\mathcal{X}_{\text{white}} | \mathcal{Y}) in §8.3.

1.2.2 Latency Crisis: The Prison of the Speed of Light

In wide-area network (WAN) environments for distributed training or inference (e.g., Federated Learning across continents), the primary bottleneck is not bandwidth but the latency imposed by the speed of light. Physical round-trip times (RTT) for cross-border transmission often reach 150-300 milliseconds (e.g., San Francisco to Tokyo: $\sim$120ms; New York to Singapore: $\sim$246ms), which is fatal for AI tasks requiring frequent gradient synchronization.

Current mitigation strategies—edge caching, CDN pre-positioning, and protocol optimization—offer only marginal improvements. The fundamental constraint remains unchanged: information cannot propagate faster than c = 299{,}792 km/s.

Mnemosyne's Insight: We cannot change the speed of light, but we can change the definition of "synchronization." Using AI prediction models, we can begin computation before the data even arrives. Through Theorem 9.2 (Bidirectional Speculation), edge nodes (small AIs) and central nodes (large AIs) mutually predict each other's behaviors via Knowledge Distillation. When prediction accuracy p converges above 80%, the system's effective latency approaches zero—or even becomes negative in the system's chronological sense (i.e., results are pre-computed before the request is issued). This is not science fiction; it is a mathematically rigorous extension of speculative execution, applied at the distributed systems layer, with strict causal boundaries enforced by a Speculation Barrier to preserve external linearizability. All negative latency claims are subject to a validation overhead T_{\text{validate}} (the time to confirm speculative results against actual requests), which is formally incorporated into the latency model in §1.3.2 and proved negligible for cache-hit style validation in §9.2.

1.2.3 Resource Crisis: The Waste of Heterogeneity

Globally, there are an estimated 7 billion idle edge devices (smartphones, laptops, IoT sensors) with powerful computing capabilities. A single iPhone 15 Pro possesses 8GB of RAM and a 6-core Apple A17 Pro chip, yet 90% of its computational capacity sits idle for 22 hours per day. Meanwhile, AI training in hyperscale data centers consumes megawatts of power while these edge resources remain untapped.

The reason? Extreme heterogeneity. Traditional distributed computing frameworks (MapReduce, Spark, Ray) assume homogeneous clusters with high-bandwidth, low-latency interconnects. They cannot tolerate the variance in memory (2GB Raspberry Pi vs. 64GB workstation), CPU architecture (ARM Cortex vs. Intel x86), and network conditions (4G vs. fiber) inherent in edge environments.

Mnemosyne's Insight: As long as a device meets a minimum threshold (2GB RAM, 10 Mbps network), through a Hierarchical Memory Cost Model (HMCM, Theorem 6.1) and harmonic mean aggregation, we can fuse these fragments into a logically unified supercomputer. The key innovation is not to impose uniformity but to embrace diversity—assigning tasks dynamically based on each node's capabilities, as measured by a five-dimensional cost function (latency, bandwidth, power, compute, economic cost).

1.3 Core Philosophy: Information is Physical

The theoretical soul of this project is built upon the profound assertion made by physicist Rolf Landauer in his seminal 1961 paper: "Information is physical." Information processing is not merely abstract logical operation; it necessarily involves changes in physical states (bit flips, voltage transitions) and the dissipation of energy.

This principle, experimentally verified by Bérut et al. (2012) and Lutz et al. (2021), establishes a fundamental bridge between Shannon's information theory and Boltzmann's thermodynamics. It implies that computation is bounded not only by algorithmic complexity but also by the laws of physics.

1.3.1 Physical Laws as a Defensive Weapon: The Landauer-Margolus-Levitin Barrier

According to our derived Theorem 8.3 (The Landauer-Margolus-Levitin Barrier), the security of Mnemosyne relies on a dual physical-information barrier grounded in two independent physical principles: Landauer's thermodynamic bound on irreversible bit erasure, and the Margolus-Levitin quantum speed limit on orthogonal state transitions. However, raw data length does not equal Shannon entropy. Because LLM embeddings lie on a low-dimensional manifold, directly quantizing them leaves the discarded bits highly predictable.

To construct a true physical wall, Mnemosyne applies a Cryptographic Whitening Transformation (Theorem 8.2-Extended) before quantization, mapping the structured embedding \mathcal{X} into a high-entropy distribution \mathcal{X}_{\text{white}} designed to approximate a maximum-entropy distribution over the discrete float grid \mathcal{F}^d. When Product Quantization is applied to \mathcal{X}_{\text{white}} to produce \mathcal{Y}, the discarded information approaches the theoretical maximum conditional entropy H_S(\mathcal{X}_{\text{white}} | \mathcal{Y}).

Conditional Statement — Theorem 8.3
Theorem 8.3 is stated conditionally throughout this chapter. All security claims that follow presuppose H_\infty(\mathcal{X}_{\text{white}} | \mathcal{Y}) \geq \kappa_{\min}, where H_\infty denotes the min-entropy of the conditional distribution (defined precisely below) and \kappa_{\min} is the universal security threshold derived in this section. The empirical validation protocol in §8.3 must be considered an obligatory prerequisite for deploying any component whose security depends on these claims. In the absence of that verification, all energy barriers presented here are theoretical upper bounds on security, not absolute guarantees.

Precise Definitions of the Security Parameters

The Shannon conditional entropy of the system is:

H_S(\mathcal{X}_{\text{white}} | \mathcal{Y}) = H_S(\mathcal{X}_{\text{white}}) - I(\mathcal{X}_{\text{white}}; \mathcal{Y})

where I(\mathcal{X}_{\text{white}}; \mathcal{Y}) \geq 0 is the mutual information between the whitened embedding and the quantization index. This mutual information is bounded by the quantization fidelity: a more effective PQ system (lower distortion) implies higher I(\mathcal{X}_{\text{white}}; \mathcal{Y}) and thus lower conditional entropy.

For the purpose of quantum security arguments, the binding quantity is the min-entropy of the conditional distribution, defined as:

H_\infty(\mathcal{X}_{\text{white}} | \mathcal{Y}) \triangleq \min_{y \in \mathcal{Y}} \left[ -\log_2 \max_{x} \, P(\mathcal{X}_{\text{white}} = x \mid \mathcal{Y} = y) \right]

Min-entropy measures the difficulty of guessing the most likely outcome in the worst-case quantization cell. It coincides with Shannon conditional entropy only when the conditional distribution P(\mathcal{X}_{\text{white}} | \mathcal{Y} = y) is uniform for all y—a condition that the whitening procedure (Theorem 8.2-Extended) is designed to approximate. The degree to which this uniformity is achieved is part of the empirical verification mandate in §8.3.

Domain specification: \mathcal{X}_{\text{white}} takes values in the finite set \mathcal{F}^d where \mathcal{F} is the set of representable floating-point values in the deployed numerical format and d = 4096 is the embedding dimension. The security analysis is parameterized by the bit-width b of the floating-point format:

Format b $ \mathcal{F} IEEE 754 FP32 32 \leq 2^{32} 130,816 bits IEEE 754 FP16 16 \leq 2^{16} 65,280 bits BFloat16 16 \leq 2^{16} 65,280 bits INT8 (quantized) 8 2^8 32,512 bits

All security conclusions require only \kappa \geq \kappa_{\min} = 804 bits and are valid for any format with \kappa^{\text{ceiling}} \geq 804, which holds for all formats with b \geq 1 and d \geq 4096. The reference deployment target uses FP16 or BF16 for LLaMA-2-7B embeddings (Touvron et al., 2023); the specific format and its implications for the whitening transformation are detailed in §8.2. Numerical illustrations in this chapter use \kappa^{\text{ceiling}} = bd - M\log_2 K with b set to the deployed format's bit-width. For the Tier 2 ceiling illustrations below, b = 32 (FP32) is used as the conservative upper bound; if the deployment format is FP16 or BF16, the corresponding ceiling is \kappa^{\text{ceiling}} = 65{,}280 bits, which remains vastly above \kappa_{\min} = 804 and does not affect any security conclusion.

The cardinality |\mathcal{F}^d| \leq 2^{bd} provides the finite support required for the min-entropy definition above. (For IEEE 754 FP32, NaN and infinity encodings reduce the number of distinct finite representable values to \approx 2^{31.994} per coordinate; the resulting \sim$25-bit reduction in $\kappa^{\text{ceiling}} is negligible relative to \kappa_{\min} = 804. For FP16 and BF16, the analogous reduction is proportionally smaller and equally negligible.)

Product Quantization Configuration: Throughout this work, the Product Quantization configuration uses M = 32 subspaces and K = 256 centroids per subspace, yielding a PQ index of M \log_2 K = 32 \times 8 = 256 bits.

Notational Convention — Security Parameter \kappa

To avoid symbol collision between Shannon entropy H_S(\cdot) and the min-entropy security parameter, we introduce the dedicated symbol:

\kappa \triangleq H_\infty(\mathcal{X}_{\text{white}} \mid \mathcal{Y})

Throughout all security arguments in this chapter and subsequent chapters, \kappa denotes the worst-case conditional min-entropy defined above. Shannon entropy is always written explicitly as H_S(\cdot). This convention eliminates ambiguity between the two distinct information-theoretic quantities.

Notational Convention — Temperature vs. Time: Throughout this work, T (capital, unsubscripted or with thermodynamic subscripts such as T_{\text{cryo}}) denotes absolute temperature in Kelvin. Time durations use either lowercase t (e.g., t_{\text{universe}}) or capital T with explicitly temporal subscripts (e.g., T_{\text{user}}, T_{\text{network}}). Where both thermodynamic and temporal quantities appear in the same expression or paragraph, temperature is written as \Theta to avoid collision.

Notational Convention — Quantum Speedup Parameter vs. Reward Coefficient: Throughout §1.3.1's quantum attacker analysis, the symbol \alpha_Q \geq 1 denotes the quantum speedup exponent, parameterizing query complexity as \Omega(2^{\kappa/\alpha_Q}). In §1.4.2, the symbol \alpha \in \mathbb{R}_{>0} denotes the reward coefficient for the Memory dimension M_i. These two symbols are distinct and serve entirely separate roles; no expression in this chapter contains both simultaneously.

Remark on Convention: The definition above is the worst-case conditional min-entropy, which lower-bounds the average conditional min-entropy \tilde{H}_\infty(X|Y) = -\log_2 \mathbb{E}_y[\max_x P(X=x|Y=y)] of Dodis et al. (2008). We adopt the worst-case form because it provides a strictly stronger security guarantee: if \kappa \geq \kappa_{\min}, then \tilde{H}_\infty \geq \kappa_{\min} follows immediately, since \mathbb{E}_y[\max_x P(X=x|Y=y)] \leq \max_y \max_x P(X=x|Y=y). The empirical verification protocol in §8.3 must estimate \min_y [-\log_2 \max_x P(\mathcal{X}_{\text{white}} = x | \mathcal{Y} = y)] to match this definition.

Important Security Warning — Two-Tier Min-Entropy Analysis

All quantitative security claims in this chapter are conditional on the empirical verification that the true min-entropy \kappa = H_\infty(\mathcal{X}_{\text{white}} | \mathcal{Y}) \geq \kappa_{\min} in §8.3. Without this verification, the energy barriers presented here remain theoretical upper bounds on security, not absolute guarantees.

We distinguish two tiers of the min-entropy analysis:

Tier 1 — Security-Critical Lower Bound (Universal Threshold). The universal security threshold, below which at least one attacker model is not provably infeasible, is:

\kappa_{\min} = 804 \text{ bits}

This threshold is derived as the maximum across all attacker models (see "Complete Adversarial Energy Landscape" below):

Attacker Model Binding Constraint Required \kappa Classical (irreversible) Landauer energy at T = 10\,\text{mK} \kappa \geq 315 Classical (reversible) Margolus-Levitin time bound (Q3) \kappa \geq 402 Quantum (Grover-optimal, exact recovery) \kappa \geq 804 for guessing bound \kappa \geq 804 Quantum (FTQC) Q1 + Q2 (see §3.2) \kappa \geq 804 (subsumed)

The binding row is the quantum Grover-optimal attacker under the exact-recovery adversarial goal (see Argument Q1 below for the full adversarial goal taxonomy). The universal threshold \kappa \geq 804 is derived from the Margolus-Levitin constraint applied to the guessing-difficulty interpretation of \kappa: exceeding \sim 10^{121} operations demands \kappa/2 > 121 \times \log_2 10 \approx 401.95, i.e., \kappa > 803.9, yielding \kappa \geq 804. At \kappa \geq 804, all four attacker models are simultaneously ruled out. All security conclusions in this chapter are valid for any \kappa \geq 804.

Future-Proofing Note on \kappa_{\min} = 804: The universal threshold \kappa_{\min} = 804 already assumes perfect Grover speedup (\alpha_Q = 2), which is the information-theoretic optimum for unstructured quantum search as established by the Bennett et al. (1997) / Boyer et al. (1998) lower bounds. Improvements in quantum error correction below the fault-tolerance threshold—including the exponential logical error rate reductions observed in Google's Willow processor and its successors—cannot reduce \alpha_Q below 2, because the Grover lower bound is an information-theoretic result independent of hardware fidelity. No matter how dramatically QEC improves, the minimum number of oracle queries required for unstructured quantum search remains \Omega(2^{\kappa/2}). Therefore, \kappa_{\min} = 804 is future-proof against all QEC advances within the Grover paradigm. The only scenario requiring upward revision of \kappa_{\min} is the discovery of super-Grover quantum algorithms exploiting algebraic structure in \text{PQ} \circ \mathcal{W} (i.e., \alpha_Q > 2), which is addressed by the MC4b structural conjecture and the mandatory hybrid fallback.

Tier 2 — Theoretical Ceiling. The theoretical upper bound on achievable min-entropy is:

\kappa^{\text{ceiling}} \leq \min_y \log_2 |\text{supp}(P_{\mathcal{X}_{\text{white}} | \mathcal{Y}=y})| \leq bd - M\log_2 K

where b is the bit-width of the deployed floating-point format. The right-hand inequality holds with equality only when all K^M PQ cells contain the same number of representable float values (i.e., a uniform partition of \mathcal{F}^d). For non-uniform PQ codebooks (as produced by K-means), the smallest cell may have fewer elements, yielding a lower ceiling.

The additive structure \kappa^{\text{ceiling}} = \sum_m (b \cdot d/M - \log_2 K) implicitly assumes that the worst-case cell in the product space is the Cartesian product of per-subspace worst-case cells, which holds when the conditional distribution factors across subspaces (i.e., when subspaces are independent given \mathcal{Y}). MC2 requires §8.2 to establish that inter-subspace correlations do not cause the joint worst-case min-entropy to fall significantly below this additive ceiling.

Quantitative warning on correlation-induced degradation. In the extreme case of perfectly correlated subspaces (e.g., if the whitening transformation preserves a global structure that couples all M subspaces), the joint min-entropy could be as low as \kappa^{\text{joint}} \approx b \cdot (d/M) - \log_2 K = b \cdot 128 - 8 bits per subspace (the single-subspace ceiling), rather than M times this value. For FP32 (b = 32): single-subspace ceiling = 32 \times 128 - 8 = 4{,}088 bits. This remains above \kappa_{\min} = 804 but represents a 32\times reduction from the additive ceiling. The numerical illustrations below use the additive ceiling; the reader should note that the actual achievable \kappa lies in [\kappa^{\text{joint}}_{\text{worst}}, \kappa^{\text{ceiling}}] where \kappa^{\text{joint}}_{\text{worst}} \geq b \cdot (d/M) - \log_2 K for a single worst-case subspace. MC2 must quantify where in this range the whitened distribution falls.
Quantitative note on inter-subspace correlation. When the whitened distribution exhibits partial inter-subspace correlation parameterized by the mutual information I(\text{subspace}_i; \text{subspace}_j | \mathcal{Y}) between subspace pairs given the PQ index, the joint worst-case min-entropy follows a continuous function of this mutual information rather than jumping between the two extremes (perfect independence and perfect correlation). Specifically, the joint min-entropy satisfies: \kappa^{\text{joint}} \geq \kappa^{\text{ceiling}} - \sum_{i < j} I(\text{subspace}_i; \text{subspace}_j | \mathcal{Y})where the sum is over all \binom{M}{2} subspace pairs. When all pairwise mutual informations are zero (subspaces are conditionally independent given \mathcal{Y}), this recovers the additive ceiling. When pairwise mutual informations are large, the bound degrades toward the single-subspace ceiling. MC2 must therefore quantify the pairwise mutual informations I(\text{subspace}_i; \text{subspace}_j | \mathcal{Y}) empirically on representative LLaMA-2-7B embeddings and verify that \sum_{i<j} I(\text{subspace}_i; \text{subspace}_j | \mathcal{Y}) \leq \kappa^{\text{ceiling}} - \kappa_{\min} = \kappa^{\text{ceiling}} - 804, confirming that the joint worst-case min-entropy remains above the universal security threshold.

In practice, K-means with K = 256 centroids in 128-dimensional subspaces produces approximately equal-sized Voronoi cells for isotropic distributions (a property that the whitening transformation is designed to promote), so the ceiling formula is a good approximation. For the FP32 reference case: \kappa^{\text{ceiling}} \approx 32 \times 4096 - 256 = 130{,}816 bits. For FP16/BF16: \kappa^{\text{ceiling}} \approx 16 \times 4096 - 256 = 65{,}280 bits. In all cases the ceiling vastly exceeds \kappa_{\min} = 804.

This ceiling is achievable only if the conditional distribution P(\mathcal{X}_{\text{white}} = x \mid \mathcal{Y} = y) is exactly uniform over its support within every quantization cell. In practice, floating-point values have non-uniform spacing (for IEEE 754 formats, values are logarithmically dense near zero and sparse near the representable extremes). A whitening transformation that produces a continuous distribution (e.g., Gaussian) on \mathbb{R}^d will, when discretized to the float lattice \mathcal{F}^d, concentrate probability mass on representable values near zero, potentially reducing the min-entropy significantly below the ceiling. The degree to which Theorem 8.2-Extended's whitening transformation achieves near-maximal min-entropy over the discrete float grid—as opposed to merely over continuous \mathbb{R}^d—is the central question that §8.2 must address analytically and §8.3 must verify empirically.

Plausibility of \kappa \geq 804: A Support-Size Necessary Condition. The worst-case conditional min-entropy \kappa satisfies \kappa \leq \log_2(\min_y |\text{supp}(P(\mathcal{X}_{\text{white}}|\mathcal{Y}=y))|), with equality if and only if the conditional distribution is uniform within every PQ cell. The geometric argument below establishes that the support size is exponentially large (\gg 2^{804}), which is a necessary condition for \kappa \geq 804 but not sufficient. The sufficient condition—near-uniformity of the conditional distribution within each PQ cell over the discrete float grid \mathcal{F}^{d/M}—is the core requirement that §8.2's whitening transformation must satisfy.

For Product Quantization with M subspaces of dimension d/M, each cell is the Cartesian product of M Voronoi sub-cells. In the worst case, a sub-cell at the boundary of the support of \mathcal{X}_{\text{white}} in subspace m contains s_m representable float values. The conditional support size of cell y = (y_1, \ldots, y_M) is \prod_{m=1}^M s_m, and the worst-case support size satisfies \log_2(\min_y \prod_m s_m) \geq \sum_m \log_2(\min_{y_m} s_m). For \kappa \geq 804 to fail due to insufficient support, one would need \sum_m \log_2(\min_{y_m} s_m) < 804. With M = 32 (a typical PQ configuration), this requires \min_m \log_2(\min_{y_m} s_m) < 804/32 \approx 25.1, meaning some sub-cell in a (4096/32)=128-dimensional subspace must contain fewer than 2^{25.1} \approx 36.2 \times 10^6 representable 128-dimensional float vectors—a condition that would indicate catastrophic whitening failure in that subspace. (The text uses 2^{25} \approx 33 million as a conservative approximation; since 2^{25} < 2^{25.1}, this makes the failure condition slightly easier to trigger in the bound, hence the approximation is conservative and strengthens the argument.) The support-size necessary condition is therefore easily satisfied; the binding challenge is achieving near-uniformity within this exponentially large support.

The central challenge is that floating-point values have non-uniform spacing in IEEE 754 formats. A whitening transformation must therefore produce a distribution that is near-uniform over the discrete float grid, not merely over continuous \mathbb{R}^d. This is a non-trivial requirement that constitutes one of the primary research challenges of this work. Possible approaches include:

(a) Bit-level whitening: Apply the whitening transformation to the binary representation of the float (sign, exponent, mantissa fields separately), ensuring near-uniformity in the bit domain rather than the numerical domain. Since the IEEE 754 FP32 binary representation is a 32-bit string, if the whitening transformation achieves near-uniform conditional entropy per bit (i.e., each bit's conditional entropy approaches 1 given the PQ index), then near-maximal min-entropy over the discrete float grid follows directly—without any dependence on the non-uniform numerical spacing of IEEE 754 values. This approach avoids the logarithmic density problem entirely by operating in the bit domain, where uniformity has a direct and straightforward meaning. This approach is recommended as the primary implementation path in §8.2, as it provides the cleanest correctness argument: achieving near-uniform conditional entropy per bit is both necessary and sufficient for near-maximal min-entropy over the discrete float grid, and the condition can be verified bit-by-bit without reference to the non-uniform numerical geometry of IEEE 754 values.

(b) CDF-based uniformization: Map each coordinate through its empirical CDF, producing a near-uniform distribution on [0,1], then apply a bijection from [0,1] to the IEEE 754 representable values that equalizes the probability mass per representable value. If correctly implemented, this approach can achieve exact uniformity on the discrete float grid: step 1 maps each coordinate to a near-uniform distribution on [0,1]; step 2 applies a probability-equalizing bijection that assigns equal-probability intervals to each IEEE 754 representable value. The key sub-problems that §8.2 must address are: (i) the effect of empirical CDF estimation error on min-entropy; (ii) whether per-coordinate CDF transformation suffices or a joint CDF in each 128-dimensional subspace is required—§8.2 must verify coordinate independence within each subspace (i.e., that P(x_1, \ldots, x_{128} | y_m) \approx \prod_j P(x_j | y_m) for all subspace indices m) before concluding that per-coordinate CDF transformation is sufficient; and (iii) the interaction between CDF-based whitening and PQ codebook learning, since the codebook should ideally be learned on the post-whitening distribution.

(c) Dithered quantization: Add calibrated noise before quantization to smooth the conditional distribution, at the cost of slightly increased quantization error.

The formal analysis of these approaches and their impact on \kappa is provided in §8.2.

Throughout subsequent calculations, all security arguments are presented in parametric form as functions of \kappa, with \kappa \geq 804 as the binding requirement. When numerical illustrations are provided (e.g., for intuition about the security margin), they use \kappa^{\text{ceiling}} as the theoretical ceiling, explicitly noted as an upper bound contingent on perfect whitening uniformity over the discrete float grid and dependent on the deployed floating-point format as specified in the domain table above. The actual achievable value of \kappa may be lower; §8.3's empirical verification protocol is designed to determine the true value on real LLaMA-2-7B embeddings using min-entropy estimation methods (e.g., Jiao et al., 2015).

Mathematical Commitment to §8.2: Theorem 8.2-Extended must establish (a) that the whitening transformation achieves \kappa \geq \kappa_{\min} = 804 bits under the worst-case conditional min-entropy definition, (b) that inter-subspace correlations in the whitened distribution do not provide exploitable structure beyond what is captured by the per-cell min-entropy, (c) that the whitening is effective on the discrete float grid of the deployed numerical format (FP32, FP16, or BF16 as determined by §8.2's deployment specification), not merely on continuous \mathbb{R}^d, and (d) that the composed function \text{PQ} \circ \mathcal{W} behaves as a black-box oracle from the adversary's perspective, in the sense formalized by the reduction claim in Argument Q1 below. Failure to establish any of these four conditions would require revising the security claims in this chapter accordingly.

Operational Fallback Protocol (If \kappa < \kappa_{\min})

If the empirical verification in §8.3 determines that \kappa < \kappa_{\min} = 804 bits for a given PQ configuration and whitening transformation, the following fallback hierarchy is activated:

Parameter adjustment: Increase the embedding dimension d, reduce the number of PQ centroids K, or strengthen the whitening transformation to increase \kappa. The ceiling \kappa^{\text{ceiling}} = bd - M\log_2 K indicates that increasing d or decreasing M\log_2 K directly increases the achievable min-entropy. If the deployment format is FP16 or BF16 (b=16), increasing d has half the per-dimension ceiling contribution relative to FP32 (b=32), which should be accounted for in parameter tuning.
Hybrid mode: If parameter adjustment is insufficient, the system activates a hybrid security mode combining the physical barrier (at whatever \kappa is achievable) with a conventional post-quantum cryptographic layer (ML-KEM for key encapsulation, SLH-DSA for signatures), providing defense-in-depth where neither layer alone is sufficient but their combination provides both computational and physical security guarantees.
Minimum security enforcement: The system MUST NOT operate in physical-security-only mode if \kappa < \kappa_{\min}. A runtime check at system initialization verifies \kappa \geq \kappa_{\min} using the estimation methodology of §8.3, and refuses to start without the hybrid cryptographic fallback if the check fails.

This fallback hierarchy ensures that Mnemosyne's operational security posture degrades gracefully rather than catastrophically if the whitening transformation does not achieve the theoretical ideal. The hybrid mode preserves all functional capabilities of the system while adding a conventional cryptographic safety net; the physical barrier, even at sub-threshold \kappa, still provides a meaningful (though not sufficient) additional layer of defense.

Temperature Parameter: Precise Physical Semantics

The temperature T in Landauer's principle refers to the temperature of the heat bath into which the computing system ultimately dissipates entropy, not the operating temperature of the computing device itself. We consider two adversarial regimes:

Ambient adversary: T = 300\,\text{K} (27°C), yielding k_B T \ln 2 \approx 2.87 \times 10^{-21} J/bit.
Cryogenic adversary: T = 10\,\text{mK} (consistent with dilution refrigerators used in current quantum computing hardware, e.g., Bluefors LD series at 7 mK, Google Sycamore/Willow at \sim$15 mK), yielding $k_B T \ln 2 \approx 9.57 \times 10^{-26} J/bit.

The cryogenic regime scales the per-bit erasure cost by the ratio T_{\text{cryo}}/T_{\text{ambient}} = 10\,\text{mK}/300\,\text{K} \approx 3.3 \times 10^{-5}, i.e., reduced by a factor of 3 \times 10^4 relative to ambient temperature. Given k_B = 1.380649 \times 10^{-23} J/K and \ln 2 \approx 0.693:

k_B T \ln 2 \Big|_{T=300\,\text{K}} = 2.87 \times 10^{-21} \text{ J per bit erasure}

k_B T \ln 2 \Big|_{T=10\,\text{mK}} = 9.57 \times 10^{-26} \text{ J per bit erasure}

For the Q2 argument (§3.2), the cryogenic temperature T = 10\,\text{mK} is used as the maximally adversarial assumption, ensuring that thermodynamic cost estimates are genuine lower bounds on the adversary's expenditure. The factor of 3 \times 10^{4} reduction in per-operation cost is absorbed by the exponential security margin.

Validity Conditions for the Landauer Bound

Landauer's principle assumes the computing system dissipates heat into a reservoir in a Gibbs thermal state at temperature T. Reeb and Wolf (2014, New Journal of Physics 16, 103011) proved that the bound k_B T \ln 2 per bit of erasure holds for any erasure protocol—including non-quasi-static (finite-time) processes—provided the reservoir is in a Gibbs state. This result is derived from quantum information-theoretic principles and does not require the quasi-static assumption that is sometimes (incorrectly) attributed to Landauer's bound.

In principle, a reservoir with non-Gibbsian statistics (e.g., a squeezed-state reservoir or a bath with engineered spectral properties) could permit sub-Landauer erasure costs. We address this possibility explicitly:

No scalable physical implementation of sub-Landauer erasure via non-Gibbsian reservoirs has been demonstrated. All experimental verifications of Landauer's bound (Bérut et al., 2012; Jun et al., 2014; Lutz et al., 2021) confirm the k_B T \ln 2 limit in thermal equilibrium systems.
Even a hypothetical sub-Landauer factor of 10^{10} (far beyond any known physics) would reduce the per-bit cost to \sim 10^{-36} J at cryogenic temperatures, changing the threshold from \kappa \geq 315 (irreversible classical) to \kappa \geq 315 + \lceil\log_2(10^{10})\rceil = 315 + 34 = 349 bits—still far below the universal threshold \kappa_{\min} = 804 and the achievable min-entropy.
The Margolus-Levitin bound (Q3) provides an independent constraint that does not depend on Landauer's principle or on the thermodynamic properties of the reservoir. Q3 bounds the maximum rate of orthogonal state transitions based solely on the system's energy, providing the ultimate model-independent backstop.

We therefore treat the Landauer bound as physically robust for the purposes of this security analysis for irreversible attackers, while noting that Q3 provides a thermodynamics-independent constraint that renders the security conclusion robust even against hypothetical violations of Landauer's principle, and is the binding constraint for reversible and quantum attackers.

Narrative Clarification: Two Independent Physical Principles

The Landauer energy bound provides a self-sufficient security guarantee only against irreversible classical attackers. For reversible and quantum attackers, the binding physical constraint is the Margolus-Levitin theorem (Q3), which limits the total number of orthogonal state transitions achievable by any physical system. Q3 is not a thermodynamic statement but a consequence of the time-energy uncertainty relation in quantum mechanics—it is therefore an independent physical principle, not a corollary of Landauer's principle.

The security architecture is therefore grounded in two independent physical principles:

Landauer's principle (thermodynamic irreversibility): binding for irreversible classical attackers.
Margolus-Levitin theorem (quantum speed limit): binding for reversible classical and all quantum attackers.

We retain the name "Theorem 8.3" as a reference to the combined physical barrier, but the reader should understand that Q3 is the binding constraint for the most capable adversary models. Calling this barrier purely "thermodynamic" would be a category error; it is more accurately described as a physical barrier drawing on both thermodynamic and quantum-mechanical principles. The title of this section reflects this two-principle foundation.

Classical Attacker: Combined Physical Bound

A classical brute-force attacker must evaluate \Omega(2^\kappa) candidates under Goal 2 (exact recovery). The physical costs depend on the implementation strategy:

Irreversible implementation: Each candidate evaluation erases O(1) bits, yielding a total thermodynamic energy cost of E \geq \Omega(2^\kappa) \cdot k_B T \ln 2. This exceeds the mass-energy of the observable universe (\sim 4 \times 10^{69} J) for \kappa \geq 300 at T = 300\,\text{K}, or \kappa \geq 315 at cryogenic temperatures (T = 10\,\text{mK}). The Landauer energy bound alone is the binding constraint for irreversible implementations, and \kappa \geq 315 is sufficient for this attacker model. For any \kappa satisfying the universal requirement (\kappa \geq 804), irreversible classical search is thermodynamically impossible by a margin of \sim 2^{489}.
Reversible implementation (Bennett, 1973): In principle, intermediate computations can be performed reversibly, reducing the minimum thermodynamic dissipation to E_{\text{dissipated}} \geq \kappa \cdot k_B T \ln 2 — the irreversible cost of recording the \kappa-bit output (Bennett, 1973). This represents the heat that must be dissipated to the environment; it does not account for the operational energy required to drive the reversible circuit through \Omega(2^\kappa) gate operations at any finite speed. The operational energy is bounded below by the Margolus-Levitin theorem (Q3), which is the binding constraint for this attacker model. For \kappa = 130{,}816 at T = 300 K (FP32 ceiling), the minimum dissipated energy yields E_{\text{dissipated}} \geq 130{,}816 \times 2.87 \times 10^{-21} \approx 3.75 \times 10^{-16} J—a negligible dissipation cost less than a single photon of visible light. For \kappa = 65{,}280 (FP16/BF16 ceiling), the dissipated energy is 65{,}280 \times 2.87 \times 10^{-21} \approx 1.87 \times 10^{-16} J, equally negligible. The Landauer energy bound is not the binding constraint for reversible implementations. Instead, the binding constraint is the \Omega(2^\kappa) time complexity for Goal 2 (exact recovery): regardless of energy efficiency, the search requires at least 2^\kappa oracle evaluations to identify the specific original embedding x^* among candidates in the worst-case conditional distribution.
The \Omega(2^\kappa) classical evaluation count for Goal 2 follows from a guessing argument: under the worst-case conditional min-entropy definition, the most likely candidate in any PQ cell has probability at most 2^{-\kappa}. A deterministic classical algorithm evaluating candidates sequentially for Goal 2 (exact recovery) must identify x^* = \arg\max_x P(\mathcal{X}_{\text{white}} = x | \mathcal{Y} = y); the probability of success per evaluation is at most 2^{-\kappa}, requiring \Omega(2^\kappa) evaluations. For Goal 2, randomized classical algorithms do not benefit from birthday-type speedups, as the task is preimage-finding for a single target, not collision-finding. Each evaluation is an independent Bernoulli trial with success probability at most 2^{-\kappa}, requiring \Omega(2^\kappa) trials in expectation. For Goal 1 (any preimage), any element in the PQ cell is a valid output, so the \Omega(2^\kappa) bound does not apply; the binding constraint for Goal 1 is the Grover cost of \Omega(2^{128}) (see Argument Q1 below), which is the independent computational floor regardless of \kappa.
Each oracle evaluation requires \Omega(\text{poly}(\kappa)) elementary reversible gate operations, where \text{poly}(\kappa) is the circuit complexity of \text{PQ} \circ \mathcal{W} (both \mathcal{W} and the nearest-centroid PQ lookup are polynomial-time computable, so this is well-defined). The total number of orthogonal state transitions is therefore \Omega(2^\kappa \cdot \text{poly}(\kappa)), which we conservatively lower-bound by \Omega(2^\kappa) for the purpose of the Margolus-Levitin argument (Q3). This conservative bound is sufficient: 2^\kappa > 10^{121} for \kappa \geq 402, and the polynomial factor only strengthens the conclusion. The space requirement depends on the time-space tradeoff strategy, ranging from O(\text{poly}(\kappa)) at the cost of additional time overhead (Bennett, 1989) to O(2^\kappa) for the naive approach. By the Margolus-Levitin theorem (Q3 below)—which applies to all physical systems, classical and quantum alike—the maximum number of computational operations achievable with the entire mass-energy of the observable universe over the age of the universe is \sim 10^{121}. The reversible classical attack on Goal 2 is infeasible whenever 2^\kappa > 10^{121}, i.e., \kappa > 121 \times \log_2 10 \approx 401.95, yielding the threshold \kappa \geq 402. For any \kappa satisfying the universal requirement (\kappa \geq 804), we have 2^\kappa \geq 2^{804} \approx 10^{242} \gg 10^{121}. For the Tier 2 FP32 ceiling (\kappa = 130{,}816): 2^{130{,}816} \approx 10^{39{,}387} \gg 10^{121}. For the Tier 2 FP16/BF16 ceiling (\kappa = 65{,}280): 2^{65{,}280} \approx 10^{19{,}646} \gg 10^{121}.

Summary for classical attackers: For irreversible implementations, the Landauer energy bound is the binding constraint (\kappa \geq 315 suffices). For reversible implementations, the Margolus-Levitin time bound (Q3) is the binding constraint (\kappa \geq 402 suffices) for Goal 2, established via the guessing argument above. The universal threshold \kappa_{\min} = 804 (derived from the quantum attacker analysis below) subsumes both classical thresholds. All bounds apply to Goal 2 (exact recovery) and are subject to empirical verification of \kappa in §8.3.

Quantum Attacker: A Three-Layer Defense with Shared Foundation

Argument Q1 — Adversarial Goal Taxonomy and Conditional Query-Complexity Bound (requires §8.2 reduction)

We begin by precisely distinguishing the two adversarial goals, as the applicable Grover bound differs fundamentally between them.

Adversarial Goal 1 (Preimage finding — any consistent embedding): The adversary seeks any x with \mathcal{O}_y(x) = 1, i.e., any embedding consistent with the observed PQ index. The oracle \mathcal{O}_y: \mathcal{F}^d \to \{0,1\} is defined by \mathcal{O}_y(x) = 1 if and only if \text{PQ}(\mathcal{W}(x)) = y. The number of marked items is t_y = |\{x : \text{PQ}(\mathcal{W}(x)) = y\}|. For a uniform PQ partition, t_y \approx |\mathcal{F}^d| / K^M = 2^{bd} / 2^{M \log_2 K} = 2^{bd - M\log_2 K}. The Grover lower bound (Boyer et al., 1998) for finding any marked item is:

\Omega\left(\sqrt{\frac{|\mathcal{F}^d|}{t_y}}\right) = \Omega\left(\sqrt{2^{M\log_2 K}}\right) = \Omega\left(2^{M\log_2 K / 2}\right) = \Omega\left(2^{128}\right)

for the stated PQ parameters (M = 32, K = 256, M\log_2 K = 256). Since 2^{128} \approx 3.4 \times 10^{38} \ll 10^{121}, the Margolus-Levitin bound (Q3) does not rule out Grover preimage finding for this goal. The physical barrier does not protect against finding any consistent preimage. For this goal, security relies on the information-theoretic distortion bound: any preimage consistent with the PQ index differs from the original by at least the PQ quantization error, and the security-relevant question is whether this distortion is sufficient to prevent extraction of useful information from any recovered preimage. This is addressed by the distortion analysis in §7.1.

Adversarial Goal 1.5 (Approximate recovery — a preimage sufficiently close to the original): An intermediate adversarial goal that more precisely captures the threat of gradient inversion attacks is Goal 1.5: the adversary seeks any \hat{x} such that d(\hat{x}, x^*) \leq \delta_{\text{inv}} under some distance metric d (e.g., \ell_2 norm in embedding space, or semantic similarity), where \delta_{\text{inv}} is a distortion threshold below which the recovered embedding enables successful gradient inversion. Goal 1.5 lies strictly between Goal 1 (any preimage) and Goal 2 (exact recovery) in terms of difficulty. The physical barrier's protection against Goal 1.5 depends on the geometry of PQ cells relative to \delta_{\text{inv}}: if the PQ cell diameter exceeds \delta_{\text{inv}}, then any preimage in the cell may be close enough to x^* to enable gradient inversion, and the \Omega(2^{128}) Goal 1 computational floor provides the relevant security guarantee. If the PQ cell diameter is smaller than \delta_{\text{inv}}, then any preimage in the cell is sufficiently close, and Goal 1.5 collapses to Goal 1. The precise characterization of Goal 1.5 security as a function of PQ cell geometry and the distortion threshold \delta_{\text{inv}} is provided in §7.1.

Adversarial Goal 2 (Exact recovery — the specific original embedding): The adversary seeks the unique x^* that maximizes P(\mathcal{X}_{\text{white}} = x | \mathcal{Y} = y)—i.e., recovering the actual gradient or embedding that was transmitted. This is the security-relevant goal in the context of gradient inversion attacks requiring exact or near-exact recovery.

The adversary's task for Goal 2 is not oracle search for a uniquely marked element, but rather a maximum-likelihood estimation problem: given \mathcal{Y} = y, identify x^* = \arg\max_x P(\mathcal{X}_{\text{white}} = x | \mathcal{Y} = y). Crucially, the adversary does not possess an oracle that marks x^* specifically. The only oracle available is \mathcal{O}_y(x) = 1 \iff \text{PQ}(\mathcal{W}(x)) = y, which marks all \sim 2^{bd - M\log_2 K} elements in the PQ cell — not just x^*. A Grover search using \mathcal{O}_y would find any preimage (Goal 1) in \Omega(2^{128}) queries, not specifically x^*.

To identify x^* specifically, the adversary must distinguish x^* from the \sim 2^\kappa approximately equally likely candidates defined by the conditional distribution P(\mathcal{X}_{\text{white}} | \mathcal{Y} = y). An adversary constructing a distinguishing oracle \mathcal{O}_{x^*}(x) = 1 \iff x = x^* would need to already know x^*, creating a circularity. The adversary's strategy therefore proceeds in two stages:

Cell membership: Use Grover search with \mathcal{O}_y to find elements in the PQ cell (cost: \Omega(2^{128}) per found element).
Statistical discrimination: Among found elements, evaluate posterior probabilities to identify x^* — requiring sufficient samples to distinguish the most-likely element from \sim 2^\kappa alternatives.

The security of Goal 2 therefore rests on the \kappa-based guessing barrier: given that \kappa bits of min-entropy remain in the conditional distribution, identifying x^* requires \Omega(2^{\kappa/2}) quantum queries (under the Grover model, conditional on the Q1 structural conjecture).

The Dürr-Høyer Quantum Minimum Finding Algorithm as the Primary Quantum Threat for Goal 2

The most precisely characterized quantum threat to Goal 2 is the Dürr-Høyer quantum minimum finding algorithm (Dürr & Høyer, 1996), which can find the minimum (or maximum) of an unsorted list of N elements in O(\sqrt{N}) quantum queries. For Goal 2, the adversary's task is to identify the mode of the conditional distribution P(\mathcal{X}_{\text{white}} | \mathcal{Y} = y)—the element with the highest posterior probability. If the adversary can construct a quantum oracle that compares the posterior probability of two candidates P(x_1 | y) vs. P(x_2 | y), the Dürr-Høyer algorithm finds the maximum-probability candidate in O(\sqrt{2^\kappa}) = O(2^{\kappa/2}) queries. This is fully consistent with the Grover lower bound and confirms that the \Omega(2^{\kappa/2}) query complexity is the correct characterization of Goal 2 difficulty.

Critical structural observation: The Dürr-Høyer algorithm requires a comparison oracle that evaluates P(x | y) for individual candidates. For this oracle to be efficiently computable, the adversary needs access to a model of P(\mathcal{X}_{\text{white}} | \mathcal{Y} = y). If the whitening transformation \mathcal{W} is public (as per the design decision below) and PQ codebook is public, the adversary can in principle compute P(x | y) given knowledge of the prior P(\mathcal{X}). However, if the whitening transformation achieves near-uniform conditional distribution within each PQ cell (i.e., P(x_1 | y) \approx P(x_2 | y) for all x_1, x_2 in the same cell), then the comparison oracle provides negligibly useful information—all candidates are approximately equally likely, and the Dürr-Høyer algorithm degenerates to searching among \sim 2^\kappa approximately equiprobable candidates. In this regime, the algorithm must evaluate approximately 2^\kappa candidates before finding the maximizer, requiring O(\sqrt{2^\kappa}) = O(2^{\kappa/2}) oracle queries. This is the precise regime that the whitening transformation (Theorem 8.2-Extended) is designed to achieve.

The Rényi 2-entropy (collision entropy) of the conditional distribution P(\mathcal{X}_{\text{white}} | \mathcal{Y} = y), defined as H_2(\mathcal{X}_{\text{white}} | \mathcal{Y} = y) = -\log_2 \sum_x P(x|y)^2, provides a tighter characterization of the Dürr-Høyer threat than min-entropy alone: when H_2 \approx \kappa (which holds when the conditional distribution is near-uniform, as the whitening is designed to achieve), the algorithm's query complexity is \Theta(2^{\kappa/2}). The MC4b obligation in §8.2 should therefore be reframed to include: verification that the Rényi 2-entropy of the conditional distribution satisfies H_2(\mathcal{X}_{\text{white}} | \mathcal{Y} = y) \approx \kappa for all y, establishing that the Dürr-Høyer algorithm's query complexity is indeed \Omega(2^{\kappa/2}) and not less.

Quantum estimation vs. quantum search distinction. The \Omega(2^{\kappa/2}) lower bound for Goal 2 is not a direct corollary of Boyer et al. (1998), which lower-bounds the query complexity of finding a marked item in unstructured search. Goal 2 is a quantum maximum-likelihood estimation problem: the adversary must identify the mode of the conditional distribution P(\mathcal{X}_{\text{white}} | \mathcal{Y} = y), which has min-entropy \kappa. The Dürr-Høyer quantum minimum finding analysis above provides the tightest known characterization: under the near-uniformity condition of the whitening transformation, the query complexity is \Theta(2^{\kappa/2}), consistent with the Grover lower bound. The formal reduction from quantum mode-finding to quantum unstructured search—and the verification that the Dürr-Høyer comparison oracle provides O(2^{\kappa/2}) as both upper and lower bound under near-uniformity—is deferred to §8.2 as part of the MC4b obligation.

Conservative threshold adjustment. If the quantum estimation query complexity for Goal 2 is \Omega(2^{\kappa/\alpha_Q}) with \alpha_Q > 2 (e.g., \alpha_Q = 3 if quantum amplitude estimation provides a cubic root speedup for mode-finding), the universal threshold would increase to \kappa_{\min} = \lceil \alpha_Q \cdot 402 \rceil. The parametric analysis in the fallback section covers this case. Until MC4b is resolved, we adopt \alpha_Q = 2 as the working assumption and note that \kappa^{\text{ceiling}} \gg 1206 for all formats, ensuring that even an \alpha_Q = 3 scenario is within the achievable parameter range.

This bound depends on \kappa and the structural assumption that \text{PQ} \circ \mathcal{W} behaves as a pseudorandom function. There is no independent architectural lower bound of the form \Omega(2^{bd/2}) for Goal 2 that is independent of \kappa, because the distinguishing oracle for x^* is not available to the adversary. The Goal 1 Grover cost of \Omega(2^{128}) provides an independent computational floor for finding any preimage, but does not directly bound the cost of identifying the specific x^*.

For \kappa \geq 804: 2^{\kappa/2} \geq 2^{402} \approx 10^{121}, which meets or exceeds the Margolus-Levitin limit of 10^{121}.

Security conclusion from Goal taxonomy: The physical barrier (Q3) protects against exact recovery of the original embedding (Goal 2) through the \kappa-based guessing argument, conditional on the Q1 structural conjecture and empirical verification \kappa \geq 804. For Goal 1 (any preimage), the independent computational floor is \Omega(2^{128}) quantum queries, which is computationally non-trivial but within the Margolus-Levitin bound; security against Goal 1 relies on the distortion analysis in §7.1. For Goal 1.5 (approximate recovery), the applicable security guarantee depends on PQ cell geometry relative to the distortion threshold \delta_{\text{inv}}, as characterized in §7.1.

All security arguments in this chapter that invoke Q3 for Goal 2 are calibrated against the \kappa-based guessing bound \Omega(2^{\kappa/2}), which for \kappa \geq 804 exceeds 10^{121}.

We formulate the Goal 2 adversary's task as a quantum maximum-likelihood estimation problem. Given the PQ index \mathcal{Y} = y, the adversary must find x^* = \arg\max_x P(\mathcal{X}_{\text{white}} = x | \mathcal{Y} = y). The effective search space size from the adversary's perspective is determined by the min-entropy \kappa: the most likely candidate has probability at most 2^{-\kappa}, so the adversary must search through at least 2^\kappa candidates in the worst case. The oracle available to the adversary is \mathcal{O}_y as defined above. The adversary knows the PQ codebook (which is public), the whitening transformation \mathcal{W} (which is public; see Design Decision below), and the PQ encoding function.

Design Decision (binding for §8.2): Throughout this work, \mathcal{W} is a public, deterministic, unkeyed transformation. The adversary is assumed to have complete knowledge of \mathcal{W}'s algorithm and all its parameters. This is the strictly stronger adversarial assumption: any security guarantee that holds with a public \mathcal{W} also holds a fortiori with a keyed \mathcal{W}. The Q1 reduction claim (MC4b) must therefore establish that \text{PQ} \circ \mathcal{W} behaves as a black-box oracle even when the adversary knows \mathcal{W} completely—a requirement satisfied if \mathcal{W} achieves sufficient min-entropy (near-uniformity within PQ cells) such that knowledge of \mathcal{W}'s construction does not enable the adversary to identify the specific original embedding without exhaustive evaluation.

Reduction claim (Structural Conjecture — MC4b, proved in §8.2 to the extent feasible): Theorem 8.2-Extended is designed such that \mathcal{O}_y admits no quantum algorithmic speedup beyond the Grover bound for unstructured search. Specifically, §8.2 must provide maximal evidence that \text{PQ} \circ \mathcal{W} does not admit exploitable algebraic structure, including: (a) proofs that specific known quantum algorithmic paradigms (hidden subgroup, Simon's, Shor's, quantum walk) do not apply to \text{PQ} \circ \mathcal{W} under the stated parameters; (b) statistical tests for structure (Fourier analysis, autocorrelation, spectral tests) on representative instances; (c) a reduction showing that any quantum algorithm exploiting structure in \text{PQ} \circ \mathcal{W} would imply a breakthrough in a well-studied hardness problem; (d) the formal reduction from quantum mode-finding (Goal 2) to quantum unstructured search, proving that the \Omega(2^{\kappa/2}) Grover lower bound applies to the estimation problem under the pseudorandomness assumption, or else deriving the correct quantum query complexity for Goal 2 and adjusting \kappa_{\min} accordingly; and (e) specific analysis of the Dürr-Høyer quantum minimum finding algorithm as the primary quantum threat to Goal 2, verifying that the near-uniformity of the conditional distribution under the whitening transformation ensures the Dürr-Høyer comparison oracle provides no exploitable probability gradient, and that the Rényi 2-entropy satisfies H_2(\mathcal{X}_{\text{white}} | \mathcal{Y} = y) \approx \kappa for all y. If this conjecture cannot be substantiated to a confidence level comparable to standard cryptographic hardness assumptions, the hybrid PQC mode is mandatory.

Epistemological Note on MC4b: Proving that a specific, concrete, efficiently-computable function f: \mathcal{F}^d \to \{0,1\} admits no algebraic structure exploitable by any quantum algorithm is an extraordinarily strong claim—at least as hard as proving \text{BQP} \neq \text{P} for specific instances, and no such proof exists for any concrete function in the literature. The closest available results are random oracle model separations (which do not apply to concrete functions) and pseudorandomness assumptions (which are themselves computational hardness assumptions). We therefore frame MC4b as a structural conjecture with supporting evidence rather than a proof obligation, consistent with how cryptographic hardness assumptions are treated in the broader literature. This framing is honest: the Goal 1 computational floor (\Omega(2^{128}) queries) holds independently of \kappa and MC4b; MC4b is relevant specifically for the \kappa-based guessing-difficulty argument that governs Goal 2 security.

Under this reduction, the Bennett et al. (1997) / Boyer et al. (1998) lower bound applies to Goal 2:

\text{Oracle calls required} \geq \Omega\left(2^{\kappa/2}\right)

This bound is a query-complexity result: it establishes a lower bound on the number of oracle queries required to find the specific original embedding in a search space where the most likely candidate has probability 2^{-\kappa}. It depends on the structural assumption that the composed function \text{PQ} \circ \mathcal{W} behaves as a pseudorandom function from the adversary's perspective, and on the formal reduction from quantum mode-finding to quantum unstructured search established as part of MC4b. The whitening transformation (Theorem 8.2-Extended) is designed to ensure this property; the degree to which it succeeds is verified analytically in §8.2 and empirically in §8.3.

Fallback if Q1 reduction fails: If the whitening does not sufficiently eliminate structure in \mathcal{O}_y, the adversary may achieve a quantum speedup that falls anywhere within or potentially beyond the Grover spectrum. We parameterize the actual query complexity as \Omega(2^{\kappa/\alpha_Q}), where \alpha_Q \geq 1:

\alpha_Q = 2: Full Grover speedup (unstructured search lower bound).
\alpha_Q = 1: No quantum speedup; classical brute-force applies.
1 < \alpha_Q < 2: Intermediate structured quantum speedup (e.g., quantum walk algorithms).
\alpha_Q > 2: Super-Grover speedup due to exploitable algebraic structure (e.g., hidden subgroup structure enabling quantum Fourier transform-based attacks, Simon's algorithm-style period finding, or Shor-style hidden subgroup attacks). In this regime, quantum algorithms could achieve \text{poly}(\kappa) query complexity, which is trivially feasible within the 10^{121} Margolus-Levitin bound.

For \alpha_Q \in [1, 2], the Margolus-Levitin constraint (Q3) requires 2^{\kappa/\alpha_Q} > 10^{121}, yielding \kappa > \alpha_Q \cdot 121 \cdot \log_2 10 \approx 402\alpha_Q. Since 402\alpha_Q \leq 804 for all \alpha_Q \in [1,2], the universal threshold \kappa_{\min} = 804 provides security against all quantum speedup levels within this range, regardless of the achieved speedup level.

For \alpha_Q > 2 (super-Grover structural exploitation), Q3 alone cannot guarantee security for the \kappa-based guessing argument: if \alpha_Q \to \infty (polynomial-time quantum attack on the guessing problem), Q3 provides no protection since \text{poly}(\kappa) operations are trivially feasible. However, the Goal 1 computational floor remains valid as an independent barrier: even if super-Grover attacks reduce the \kappa-based query count for Goal 2, the adversary still requires \Omega(2^{128}) queries merely to find any preimage via \mathcal{O}_y. The prevention of super-Grover attacks on the Goal 2 guessing problem is therefore the central obligation of MC4b. In this scenario, the Operational Fallback Protocol's hybrid mode becomes mandatory: the system must rely on the conventional PQC layer (ML-KEM for key encapsulation, SLH-DSA for signatures) as the primary security mechanism, with the physical barrier providing supplementary defense.

Argument Q2 — Fault-Tolerant QEC Thermodynamic Cost (parametric form with dynamic update mechanism)

Each logical qubit operation in a fault-tolerant quantum computer requires continuous quantum error correction (QEC), entailing physical thermodynamic work per logical gate cycle. The total energy cost of executing the \Omega(2^{\kappa/2}) oracle calls required by Q1 is lower-bounded by:

E_{\text{QEC}}^{\text{total}} \geq G \cdot \tau_{\text{cycle}} \cdot f_{\text{QEC}} \cdot Q_{\text{logical}} \cdot r \cdot f_{\text{syndrome}} \cdot k_B T_{\text{cryo}} \ln 2

All six parameters (G, \tau_{\text{cycle}}, f_{\text{QEC}}, Q_{\text{logical}}, r, f_{\text{syndrome}}) are formally defined and numerically instantiated in §3.2, where we derive concrete energy lower bounds using current quantum error correction benchmarks (Google Surface Code, 2024; Gidney, 2025). The temperature T_{\text{cryo}} = 10\,\text{mK} is used to ensure the bound is a genuine lower bound on the adversary's thermodynamic expenditure, reflecting the cryogenic operating environment of fault-tolerant quantum computers. The parametric form is presented here to establish the structural role of Q2 within the layered defense; the reader is referred to §3.2 for the fully quantified analysis.

QEC Dynamic Update Mechanism: The parameters r (physical-to-logical qubit ratio) and f_{\text{syndrome}} (syndrome measurement frequency) are not static. Google's Willow processor (December 2024) achieved below-threshold QEC, demonstrating that logical error rates decrease exponentially as physical qubit count increases. Subsequent progress in 2025–2026 has demonstrated continued improvement in coherence times and error rates. §3.2 must therefore instantiate Q2 using not only current (2024–2025) QEC benchmarks but also a QEC improvement rate model: an extrapolation of the observed exponential improvement trend projecting parameter values at the assumed FTQC realization horizon (nominally 2030–2035). Specifically, §3.2 must analyze the scenario where r decreases from its current value (\sim$1,000:1) to an optimistic future value (\sim100:1) and $f_{\text{syndrome}} decreases proportionally, deriving the resulting Q2 energy lower bound at the improved parameters. If r and f_{\text{syndrome}} each decrease by a factor of 10, the Q2 lower bound decreases by a factor of 100—but the security margin at \kappa \geq 804 remains \sim 10^{111}, demonstrating that Q2's conclusion is robust across the entire plausible QEC improvement range. This forward-looking analysis ensures that Q2's security argument remains valid for at least a decade beyond the writing of this document.

Argument Q3 — Margolus-Levitin Quantum Speed Limit (universal physical bound)

Note on Universality: The Margolus-Levitin theorem is derived from quantum mechanics and applies to all physical systems—classical and quantum alike—since all physical systems are ultimately governed by quantum mechanics. Although presented here under the "Quantum Attacker" heading because its most dramatic consequence is in bounding quantum search, Q3 equally constrains classical reversible computation (as noted in the "Classical Attacker" section above). Q3 is not a thermodynamic bound but a consequence of the time-energy uncertainty relation in quantum mechanics, and is therefore independent of Landauer's principle.

We apply the Margolus-Levitin theorem (1998) in its maximal adversary form: we posit a hypothetical adversary who harnesses the entire mass-energy of the observable universe, E_{\text{universe}} \approx 4 \times 10^{69} J (Egan & Lineweaver, 2010, Astrophysical Journal, 710:1825), as the energy source of a single coherent quantum processor. This constitutes the physically absolute upper bound on any conceivable adversary's computational resources, as no physical system can exceed the energy budget of the observable universe. This is a cosmological-scale counterfactual argument: it does not claim that any realistic quantum computer operates at this scale, but rather that even under this extreme assumption, the required computation remains infeasible.

Under this assumption, the Margolus-Levitin theorem states that a quantum system with average energy E above its ground state can transition between orthogonal quantum states at a maximum rate of:

\nu_{\max} = \frac{2E}{\pi\hbar} = \frac{4E}{h}

where h = 6.62607 \times 10^{-34} J·s is Planck's constant (note: h = 2\pi\hbar, so the two expressions are equivalent). For E_{\text{universe}} \approx 4 \times 10^{69} J, the maximum operation rate is:

\nu_{\max} = \frac{4 \times 4 \times 10^{69}}{6.62607 \times 10^{-34}} \approx 2.4 \times 10^{103}\,\text{operations/second}

Over the age of the universe t_{\text{universe}} \approx 4.3 \times 10^{17} s, the maximum total number of orthogonal state transitions is:

N_{\text{ops}} \leq \nu_{\max} \cdot t_{\text{universe}} \approx 10^{121}

Note: We conservatively equate each oracle call with a single orthogonal state transition. In practice, each Grover oracle call requires a multi-gate circuit implementing both the oracle unitary and the diffusion operator, consuming multiple orthogonal state transitions. Thus, the 10^{121} bound is an upper bound on the number of oracle calls achievable, and the actual number of achievable oracle calls is strictly lower.

Since the Goal 2 \kappa-based guessing oracle call count is \Omega(2^{\kappa/2}) (conditional on the Q1 structural conjecture and the formal reduction from quantum mode-finding to quantum unstructured search established in MC4b), the required operations exceed the computational capacity of the entire observable universe whenever:

\kappa/2 > 402, i.e., \kappa > 803.9, yielding \kappa \geq 804 — the universal security threshold (guessing-difficulty guarantee, conditional on Q1 conjecture).

For the Tier 2 FP32 ceiling (\kappa = 130{,}816): 2^{130{,}816} \approx 10^{39{,}387} \gg 10^{121}. For the Tier 2 FP16/BF16 ceiling (\kappa = 65{,}280): 2^{65{,}280} \approx 10^{19{,}646} \gg 10^{121}. For the Goal 1 independent computational floor: 2^{128} \approx 3.4 \times 10^{38}, which does not exceed the Margolus-Levitin limit but nonetheless represents a non-trivial computational cost.

Dependency Structure and Layered Redundancy of the Three Arguments

The three arguments share a common information-theoretic foundation but employ independent physical principles:

Q1 (Conditional query-complexity bound) establishes the adversarial goal taxonomy and derives Grover bounds for each goal. For Goal 2 (exact recovery), the \kappa-based bound \Omega(2^{\kappa/2}) is conditional on the reduction claim proved in §8.2 (MC4b structural conjecture), including the formal reduction from quantum mode-finding to quantum unstructured search and the Dürr-Høyer threat analysis. The Goal 1 computational floor \Omega(2^{128}) is independent of \kappa and MC4b.
Q2 (QEC thermodynamic cost) and Q3 (Margolus-Levitin speed limit) are independent of each other but both depend on Q1's operation count to derive their respective infeasibility conclusions. Q2 bounds the energy cost per logical qubit operation, while Q3 bounds the maximum operation throughput of any physical system. For Goal 2's \kappa-based guarantee, Q3 applies with operation count \Omega(2^{\kappa/2}), conditional on the Q1 structural conjecture.

The layered defense operates as follows: even if Q2's specific QEC cost model proves overly conservative (e.g., due to advances in error correction efficiency), Q3 independently constrains total computational throughput. Conversely, even if Q3's cosmological energy bound is circumvented (e.g., by a hypothetical civilization harnessing energy beyond the observable universe), Q2 constrains the thermodynamic cost per operation.

The shared dependency on Q1's structural conjecture is addressed by the parametric fallback analysis: for \alpha_Q \in [1,2], Q3 alone suffices for \kappa \geq 804 in all cases. For \alpha_Q > 2 (super-Grover attacks), the Goal 1 computational floor (\Omega(2^{128})) provides an independent barrier for preimage finding, and the hybrid PQC mode provides additional protection for Goal 2 exact recovery. The security framework is therefore robust at multiple levels: the Goal 1 floor is independent of \kappa and MC4b, while the Goal 2 \kappa-based guarantee holds when the Q1 conjecture holds.

Summary: The Complete Adversarial Energy Landscape

All bounds below are functions of \kappa = H_\infty(\mathcal{X}_{\text{white}} | \mathcal{Y}) and are valid for any \kappa satisfying the universal requirement \kappa \geq \kappa_{\min} = 804 bits. Numerical illustrations use \kappa^{\text{ceiling}} as the theoretical ceiling (upper bound contingent on perfect whitening uniformity over the discrete float grid; see Two-Tier Min-Entropy Analysis above), with the specific value depending on the deployed floating-point format as specified in the domain table.

Attacker Type Binding Constraint Energy / Operation Lower Bound Per-Model Threshold Feasibility (at \kappa \geq 804) Classical (irreversible) Landauer energy \geq 2^\kappa \cdot k_B T \ln 2 \kappa \geq 315 (at T=10 mK) Thermodynamically impossible Classical (reversible) Margolus-Levitin time (Q3) \Omega(2^\kappa \cdot \text{poly}(\kappa)) time steps; \geq \kappa \cdot k_B T \ln 2 dissipated energy \kappa \geq 402 Physically impossible (Q3 is binding, not Landauer) Quantum (Grover, Goal 1 any preimage) Independent computational floor \Omega(2^{128}) oracle calls Independent of \kappa Non-trivial cost; security relies on distortion bound (§7.1) Quantum (Grover, Goal 1.5 approximate recovery) PQ cell geometry + distortion threshold \Omega(2^{128}) if cell diameter \leq \delta_{\text{inv}}; see §7.1 Depends on \delta_{\text{inv}} Security characterized by PQ cell geometry (§7.1) Quantum (Grover, Goal 2 exact recovery, \kappa-guessing) Q1 conjecture + Q3 + Dürr-Høyer analysis \Omega(2^{\kappa/2}) oracle calls \kappa \geq 804 Physically impossible (conditional on Q1 conjecture, MC4b mode-finding reduction including Dürr-Høyer analysis, and \kappa \geq 804) Quantum (FTQC) Q1 + Q2 (with QEC improvement rate model) G \cdot \tau_{\text{cycle}} \cdot f_{\text{QEC}} \cdot Q_{\text{logical}} \cdot r \cdot f_{\text{syndrome}} \cdot k_B T_{\text{cryo}} \ln 2 \kappa \geq 804 (subsumed by Q3) Thermodynamically impossible (see §3.2, including QEC improvement projections) Quantum (super-Grover, \alpha_Q > 2) MC4b conjecture (algebraic structure absence) \text{poly}(\kappa) if structure exists; Goal 1 floor \Omega(2^{128}) for preimage finding Requires MC4b evidence including mode-finding reduction and Dürr-Høyer analysis; Goal 1 floor always holds Hybrid PQC mode mandatory if MC4b unsubstantiated; Goal 1 floor provides residual protection for preimage finding

The universal threshold \kappa_{\min} = 804 is derived from the most demanding attacker model within the Grover spectrum under the guessing-difficulty interpretation (\kappa/2 > 401.95, hence \kappa \geq 804), assuming \alpha_Q = 2 as the working assumption pending MC4b's formal reduction from quantum mode-finding to quantum unstructured search including Dürr-Høyer analysis. The Goal 1 independent computational floor (\Omega(2^{128})) provides a \kappa-independent barrier for any-preimage finding. Super-Grover adversaries targeting Goal 2 exact recovery are addressed by MC4b evidence and the mandatory hybrid fallback.

Physical principle attribution note: The binding constraint for the "Classical (reversible)" and Quantum Goal 2 rows is Q3 (Margolus-Levitin), which is a quantum-mechanical speed limit, not a thermodynamic bound. Calling these rows "thermodynamically impossible" would be a category error; the correct characterization is "physically impossible" under the Margolus-Levitin quantum speed limit. The Classical (irreversible) row is the only row where Landauer's thermodynamic bound is the binding constraint.

Temperature note: All per-bit energy bounds in the "Classical" rows use T = 300\,\text{K} (ambient) unless otherwise noted. For cryogenic adversaries (T = 10\,\text{mK}), per-bit costs are scaled by the ratio T_{\text{cryo}}/T_{\text{ambient}} \approx 3.3 \times 10^{-5}, i.e., reduced by a factor of 3 \times 10^4; all conclusions are unaffected due to the exponential security margin (\kappa \geq 315 is the cryogenic irreversible threshold, far below \kappa_{\min} = 804). The FTQC row uses T_{\text{cryo}} = 10\,\text{mK} directly, as this reflects the actual operating environment of fault-tolerant quantum computers.

1.3.2 Negative Latency and the Transcendence of Time

Mnemosyne challenges the linear, deterministic view of time entrenched in distributed systems theory. Traditional consensus protocols (Paxos, Raft, PBFT) assume causality flows forward: a request arrives → consensus is reached → a response is returned. This imposes a fundamental lower bound: T_{\text{response}} \geq T_{\text{network}}, where T_{\text{network}} is dictated by the speed of light.

Through Theorem 9.2 (Bidirectional Speculation), we introduce the concept of "Negative Latency." This does not violate causality. Instead, it leverages Bidirectional Speculative Execution and Knowledge Distillation techniques. Edge nodes (small AIs, e.g., a 1B-parameter model on a smartphone) and central nodes (large AIs, e.g., a 175B-parameter model in the cloud) mutually simulate each other's behavioral models.

The edge node predicts: "Based on the central node's past behavior, if I send query Q, it will likely respond with R with probability p_{\text{edge}} \geq 0.8."

The central node predicts: "Based on the edge node's context, it will likely issue query Q' next, so I pre-compute response R' and push it proactively."

When both predictions converge (bidirectional accuracy p \geq 0.8), we must strictly distinguish between two temporal metrics: System Chronological Delta (\Delta T_{\text{sys}}) and User Experienced Latency (T_{\text{user}}).

Formal Stochastic Definitions

Let B \in \{0, 1\} be a Bernoulli random variable with \Pr[B=1] = p representing prediction success. Let \tau_H \triangleq T_{\text{headstart}}, C \triangleq T_{\text{compute}}, N \triangleq T_{\text{network}}, T_{\text{validate}} the time required to confirm that the pre-computed speculative result matches the actual request (see Speculation Barrier definition below), and P_{\text{miss}} \triangleq T_{\text{penalty}} + T_{\text{rollback}} be non-negative random variables representing the time by which the central node's proactive response precedes the edge node's actual need, the computation time, the one-way network latency, the validation overhead, and the total misprediction recovery time respectively. T_{\text{rollback}} is the time required to revert speculative state changes in the local cache coherence protocol to maintain strict linearizability.

(Note: P_{\text{miss}} is used here—rather than P—to avoid symbol collision with the Participation reward dimension P_i in the economic layer of §1.4.2.)

The System Chronological Delta measures the chronological difference between result availability at the edge and the actual request generation:

\Delta T_{\text{sys}} \triangleq \begin{cases} C + T_{\text{validate}} - \tau_H & \text{if } B = 1 \\ N + C + P_{\text{miss}} & \text{if } B = 0 \end{cases}

\mathbb{E}[\Delta T_{\text{sys}}] = p \cdot \mathbb{E}[C + T_{\text{validate}} - \tau_H \mid B = 1] + (1-p) \cdot \mathbb{E}[N + C + P_{\text{miss}} \mid B = 0]

The User Experienced Latency is bounded below by zero:

T_{\text{user}} \triangleq \begin{cases} \max(0,\, C + T_{\text{validate}} - \tau_H) & \text{if } B = 1 \\ N + C + P_{\text{miss}} & \text{if } B = 0 \end{cases}

\mathbb{E}[T_{\text{user}}] = p \cdot \mathbb{E}[\max(0,\, C + T_{\text{validate}} - \tau_H) \mid B = 1] + (1-p) \cdot \mathbb{E}[N + C + P_{\text{miss}} \mid B = 0]

These follow directly from the law of total expectation conditioned on the prediction outcome B. No independence between B and the timing variables is assumed.

We assume T_{\text{validate}} \ll N, which holds when validation is a simple equality check on the predicted vs. actual query (e.g., hash comparison, requiring O(1) microseconds against N on the order of milliseconds). For more complex validation (e.g., semantic similarity matching), T_{\text{validate}} may be non-negligible, and the latency reduction is correspondingly smaller. The formal analysis of T_{\text{validate}} for each validation mode is provided in §9.2.

Point-Estimate Illustration (Conceptual)

Substituting representative point values N = 150\,\text{ms}, \tau_H = 50\,\text{ms}, C = 5\,\text{ms}, T_{\text{validate}} = 0.1\,\text{ms}, P_{\text{miss}} = 10\,\text{ms} into the conditional expectations (treating the timing variables as degenerate random variables concentrated at these values):

\mathbb{E}[\Delta T_{\text{sys}}] = 0.8 \cdot (-44.9) + 0.2 \cdot 165 = -2.92\,\text{ms}

\mathbb{E}[T_{\text{user}}] = 0.8 \cdot 0 + 0.2 \cdot 165 = 33\,\text{ms}

The inclusion of T_{\text{validate}} = 0.1\,\text{ms} has negligible impact on the qualitative conclusions, confirming that for cache-hit style validation, T_{\text{validate}} does not materially affect the negative latency result.

Sensitivity note: The zero user-experienced latency result (T_{\text{user}}|_{B=1} = 0) requires \tau_H \geq C + T_{\text{validate}}, i.e., the prediction headstart must exceed the computation and validation time. The robustness of this condition depends on the prediction model's ability to generate accurate predictions sufficiently far in advance. As an example, with \tau_H = 6\,\text{ms} and C = 5\,\text{ms}, the headstart margin shrinks to 0.9\,\text{ms}, and for \tau_H < C + T_{\text{validate}} the zero-latency condition no longer holds. A sensitivity analysis of \mathbb{E}[T_{\text{user}}] as a function of \tau_H, C, p, and P_{\text{miss}} is provided in §9.2, including empirical characterization of the prediction headstart distribution P(\tau_H) across different application scenarios:
Federated learning gradient synchronization: During the later stages of model convergence, gradient updates follow highly predictable patterns. Empirical measurement of P(\tau_H) in this scenario is expected to show \tau_H concentrated in the range of seconds (matching the inter-synchronization interval), making the zero-latency condition easily satisfiable.
Interactive LLM dialogue: User intent prediction carries higher uncertainty. P(\tau_H) in this scenario may have a heavy tail, with a significant fraction of queries having \tau_H < C. The sensitivity analysis must characterize the conditional \mathbb{E}[T_{\text{user}}] in this regime and identify the prediction granularity (full query vs. query category vs. conversation state) that achieves \tau_H \geq C with sufficient probability. Worst-case performance bound: Even when p degrades to a lower bound p_{\min} (e.g., due to high query entropy in open-ended dialogue), the expected user-experienced latency satisfies \mathbb{E}[T_{\text{user}}] \leq (1 - p_{\min}) \cdot (N + C + \mathbb{E}[P_{\text{miss}}]). For p_{\min} = 0.5 and the representative parameters above (N = 150ms, C = 5ms, P_{\text{miss}} = 10ms), this gives \mathbb{E}[T_{\text{user}}] \leq 82.5ms—still a meaningful improvement over the non-speculative baseline of N + C = 155ms (a 47\% reduction). §9.2 must derive this worst-case bound analytically and verify it empirically for each application scenario, establishing the minimum prediction accuracy p_{\min} below which the speculative execution provides no net benefit relative to the non-speculative baseline.
Batch inference: Batch job scheduling is highly predictable. P(\tau_H) is expected to be concentrated near the batch interval, typically seconds to minutes, providing ample headstart margin.
§9.2 must provide empirical measurements of P(\tau_H) for each scenario using representative workloads, and derive the achievable \mathbb{E}[T_{\text{user}}] under realistic headstart distributions rather than the point-estimate illustration above.

Definition (Speculation Barrier — informal). A Speculation Barrier is a synchronization point in the execution model at which all speculative results must be validated against the actual request before being committed to the externally visible state. Formally, the Speculation Barrier enforces the following invariant: no speculative computation result may cross the boundary between the node's internal speculative state and the externally observable state (as defined by the linearizability specification) until the corresponding actual request has arrived and the speculative result has been confirmed to match. Results that fail validation are discarded, the speculative state changes are rolled back (incurring T_{\text{rollback}}), and the system falls back to the B = 0 path.

The Speculation Barrier partitions operations into two classes:

Speculation-safe operations: Operations whose results depend only on the predicted query and the node's local state, and whose commitment can be deferred until validation completes without violating any external ordering guarantee. Examples include: cache pre-warming, speculative inference computation, and pre-staged response assembly.
Speculation-unsafe operations: Operations that modify externally visible state (e.g., distributed ledger updates, cross-node state mutations, consensus votes). These operations MUST NOT be speculatively executed; they proceed only along the B = 0 (non-speculative) path and are subject to the full consensus protocol.

The formal specification of the Speculation Barrier, including its interaction with the Swarm Consensus protocol (Protocol 1) and the precise conditions under which speculation-safe operations may bypass the barrier, is provided in §9.2.

This transforms Mnemosyne into an organic network with "predictive capabilities"—a system that experiences time not as a linear constraint but as a probabilistic landscape where the future partially collapses into the present, without ever violating the causal structure that external observers depend upon.

This is not merely an engineering trick; it is a philosophical shift. Mnemosyne views distributed systems as temporal ecosystems where intelligent agents (AIs) negotiate shared reality through mutual prediction, akin to how humans anticipate each other's speech in conversation.

1.3.3 The Adversarial Landscape: Whom Are We Resisting?

To understand Mnemosyne's design philosophy, one must first identify the adversaries we are designed to withstand.

Tier 1: Hyperscale Cloud Oligopolies (GAFAM)

Google's Tensor Processing Units (TPUs) and proprietary TensorFlow ecosystem
Amazon Web Services (AWS) controlling 32% of global cloud infrastructure
Microsoft Azure's vertical integration with OpenAI (GPT-4, Codex)
Meta's Llama models and centralized inference APIs
Alibaba Cloud's dominance in Asia-Pacific markets

Threat Model: These entities control the means of AI production. They dictate which models are accessible, at what cost, and under what surveillance. Independent researchers, startups, and entire nations are relegated to "tenants" in a digital feudal system.

Mnemosyne's Countermeasure: By enabling 7 billion edge devices (smartphones, laptops, Raspberry Pis) to collectively form a distributed supercomputer via Protocol 1 (Swarm Consensus) and Protocol 2 (Proof of Useful Work), we democratize AI infrastructure. The minimum barrier to entry—2GB RAM, $35 USD for a Raspberry Pi 5—ensures that no single entity can achieve a monopoly.

Tier 2: State-Sponsored Surveillance Apparatuses

Five Eyes Alliance (NSA, GCHQ, ASD, CSE, GCSB)
China's Great Firewall and Ministry of State Security
Russia's Federal Security Service (FSB)

Threat Model: These adversaries possess nation-state resources: quantum computing research labs, access to undersea cable taps, and legal frameworks (FISA, Investigatory Powers Act) enabling mass surveillance. They can deploy gradient inversion attacks (Zhu et al., 2019), side-channel attacks (Kocher et al., 2019), and compel service providers to insert backdoors. Nation-state adversaries are also the primary operators of Harvest Now, Decrypt Later (HNDL) strategies, intercepting and storing encrypted communications today for future retrospective decryption once quantum capabilities mature [2][4][6][8].

Mnemosyne's Countermeasure:

Theorem 7.1 (PQ Information Quantization) bounds the total information available to an adversary. The PQ channel has a capacity of at most M \log_2 K = 256 bits. Combined with side-channel leakage \ell_{\text{side}} (encompassing quantization boundary effects and timing correlations), the total adversarial information is bounded by H_S(\mathcal{Y}) + \ell_{\text{side}} \leq 256 + \ell_{\text{side}} bits, where H_S(\mathcal{Y}) is the Shannon entropy of the PQ index. The precise derivation of \ell_{\text{side}}—separating PQ channel leakage (\leq 256 bits) from side-channel leakage—is provided in §7.1 and §8.3. The security requirement is \kappa_{\text{eff}} \geq \kappa_{\min} = 804 bits, which holds whenever \kappa_{\text{achieved}} \geq 804 + \ell_{\text{side}}^{\text{wc}}. The theoretical ceiling provides \kappa^{\text{ceiling}} - \kappa_{\min} \in \{64{,}476,\; 130{,}012\} bits (for FP16/BF16 and FP32 respectively), establishing that sufficient min-entropy capacity exists to absorb even very large side-channel leakage — but the achieved min-entropy \kappa_{\text{achieved}} must be empirically determined (§8.3) before the margin \kappa_{\text{achieved}} - 804 available for side-channel absorption can be quantified. MC5 must therefore be verified after MC4 determines \kappa_{\text{achieved}}, and the joint condition \kappa_{\text{achieved}} - \ell_{\text{side}}^{\text{wc}} \geq 804 must be confirmed on the deployed system. This renders gradient inversion attacks physically infeasible for exact recovery under the \kappa-based guessing argument, subject to confirmation of the joint condition.
Side-Channel Integration with Min-Entropy Framework: When an adversary observes both the PQ index \mathcal{Y} = y and side-channel information \mathcal{Z} = z, the effective per-observation security parameter is the worst-case conditional min-entropy:
\kappa_{\text{eff}} \triangleq \min_{y,z} H_\infty(\mathcal{X}_{\text{white}} | \mathcal{Y}=y, \mathcal{Z}=z) = \min_{y,z} \left[-\log_2 \max_x P(\mathcal{X}_{\text{white}} = x | \mathcal{Y}=y, \mathcal{Z}=z)\right]
For the Grover search lower bound, the relevant quantity is this worst-case form, since the adversary observes a specific (y,z) and searches within the corresponding conditional distribution. The adversary does not average over side-channel observations—they observe a specific (y,z) pair and then perform their search. A specific PQ cell y^* with anomalously low conditional min-entropy under side-channel observations z^* could be catastrophically weak even if the average across all cells is high; the worst-case formulation correctly captures this per-cell vulnerability.
Discreteness assumption for side-channel observations: The side-channel leakage variable \mathcal{Z} is treated throughout this analysis as a discrete (quantized) random variable. This assumption covers the practically relevant cases in Mnemosyne's deployment context: timing measurements are discretized by system clock resolution (typically nanoseconds to microseconds); power measurements are discretized by ADC bit-width; network-layer metadata (packet sizes, inter-arrival times) are inherently discrete or practically discretized. For continuous side-channel signals (e.g., high-resolution analog power traces), the analysis requires adaptation to differential entropy and probability density functions rather than probability mass functions. MC5 must specify the discretization resolution for each side-channel type and verify that the worst-case conditional min-entropy bound \kappa_{\text{eff}} \geq \kappa - \ell_{\text{side}}^{\text{wc}} holds at the chosen resolution. If a continuous side-channel model is required for any hardware platform, MC5 must switch to a mutual information upper bound I(\mathcal{X}_{\text{white}}; \mathcal{Z} | \mathcal{Y}) \leq \ell_{\text{side}}^{\text{cont}} and demonstrate that \kappa - \ell_{\text{side}}^{\text{cont}} \geq 804.
Upper bound via Bayes' theorem: While the worst-case chain rule does not hold in general, we can relate \kappa_{\text{eff}} to \kappa as follows. By Bayes' theorem, for any fixed y and z with P(\mathcal{Z}=z | \mathcal{Y}=y) > 0:
\max_x P(\mathcal{X}_{\text{white}}=x | \mathcal{Y}=y, \mathcal{Z}=z) \leq \frac{\max_x P(\mathcal{X}_{\text{white}}=x | \mathcal{Y}=y)}{P(\mathcal{Z}=z | \mathcal{Y}=y)}
Taking -\log_2 of both sides and the minimum over all (y,z):
\kappa_{\text{eff}} \geq \kappa + \min_{y,z:\, P(\mathcal{Z}=z|\mathcal{Y}=y)>0} \log_2 P(\mathcal{Z}=z | \mathcal{Y}=y)
If \mathcal{Z} has support size at most 2^{\ell_{\text{side}}} and the conditional distribution P(\mathcal{Z} | \mathcal{Y}=y) is near-uniform for all y, then \min_{y,z} \log_2 P(\mathcal{Z}=z|\mathcal{Y}=y) \approx -\ell_{\text{side}}, recovering \kappa_{\text{eff}} \geq \kappa - \ell_{\text{side}}. However, if the side-channel distribution is highly non-uniform, the worst-case degradation can exceed \ell_{\text{side}} bits. Specifically, a rare side-channel observation z^* occurs with very low probability P(\mathcal{Z}=z^* | \mathcal{Y}=y^*) for some cell y^*. Such rare observations carry maximal information about \mathcal{X}_{\text{white}} (per self-information -\log P(Z=z|Y=y)), and can concentrate the posterior distribution on a small subset of x values, potentially increasing \max_x P(X=x|Y=y^*,Z=z^*) substantially. In that case the effective bound becomes \kappa_{\text{eff}} \geq \kappa - \ell_{\text{side}}^{\text{wc}}, where \ell_{\text{side}}^{\text{wc}} \triangleq -\min_{y,z} \log_2 P(\mathcal{Z}=z|\mathcal{Y}=y) \geq \ell_{\text{side}}.
The security requirement is \kappa_{\text{eff}} \geq \kappa_{\min} = 804 bits. MC5 must therefore be verified after MC4 determines \kappa_{\text{achieved}}: the side-channel budget available is \kappa_{\text{achieved}} - 804 bits, and MC5 must verify \ell_{\text{side}}^{\text{wc}} \leq \kappa_{\text{achieved}} - 804. MC5 (§7.1, §8.3) must therefore establish not only the support size of \mathcal{Z} but also the near-uniformity of P(\mathcal{Z} | \mathcal{Y}=y) across all cells y, so that \ell_{\text{side}}^{\text{wc}} is bounded close to \ell_{\text{side}}. Empirical per-cell side-channel measurements on reference hardware (Raspberry Pi 5, iPhone 15 Pro) are required to estimate the worst-case degradation directly. If \kappa_{\text{achieved}} < 804 + \ell_{\text{side}}^{\text{wc}}, the operational fallback protocol activates.
Remark on chain rule variant: The bound above uses a direct application of Bayes' theorem to the worst-case conditional min-entropy H_\infty, rather than the Dodis et al. (2008) chain rule for average conditional min-entropy \tilde{H}_\infty. This is the appropriate formulation because the Grover security argument applies per observed (y,z) pair, not in expectation. The Dodis et al. chain rule \tilde{H}_\infty(X|Y,Z) \geq \tilde{H}_\infty(X|Y) - \ell_{\text{side}} bounds the average-case quantity and does not provide per-cell worst-case guarantees. All downstream security arguments that incorporate side-channel leakage use \kappa_{\text{eff}} \geq \kappa - \ell_{\text{side}}^{\text{wc}} as the operative bound, where \ell_{\text{side}}^{\text{wc}} is the worst-case (not average) side-channel leakage parameter estimated in §7.1 and §8.3.
MC5 Layered Verification Strategy: Given the practical challenge of directly enumerating worst-case side-channel behavior across all PQ cells, MC5 implements a two-stage verification strategy: (1) Analytical upper bound: Derive an analytical upper bound on \ell_{\text{side}}^{\text{wc}} using a formal leakage model (e.g., the bounded leakage model or the noisy leakage model of Prouff & Rivain, 2013), bounding \ell_{\text{side}}^{\text{wc}} as a function of hardware characteristics and protocol parameters. (2) Empirical spot-check: Perform per-cell side-channel measurements on a stratified sample of PQ cells (including boundary cells, high-density cells, and cells near the support boundary) on reference hardware (Raspberry Pi 5, iPhone 15 Pro), confirming consistency with the analytical bound and identifying any anomalous cells with elevated side-channel leakage. This two-stage strategy provides universal coverage via the analytical bound and empirical confidence via spot-checks, without requiring infeasible enumeration of all 2^{256} PQ cells.
Theorem 8.4 (Information-Theoretic Authentication) eliminates reliance on RSA/ECC, which are vulnerable to quantum attacks and NSA's potential backdoors (Dual_EC_DRBG precedent).
Theorem 9.3 (Physical Entropy Wall)—distinct from Theorem 9.2 (Bidirectional Speculation) discussed in §1.3.2—establishes that the combination of geographic distribution, hardware diversity, and temporal asynchrony creates a multi-dimensional physical entropy barrier against coordinated surveillance. The full statement and proof are provided in §9.3.

Tier 3: Future Quantum Supremacy — Technology-Agnostic Threat Model

Rather than enumerating specific organizations, Mnemosyne's Tier 3 threat model is organized by quantum hardware technology roadmap, reflecting the reality that as of 2025–2026, cryptographically relevant quantum computing capabilities are being pursued across multiple parallel technical approaches by numerous actors worldwide:

Superconducting qubit approaches: Google (Willow, 2024; subsequent architectures 2025–2026), IBM (100,000 qubit roadmap, 2033), Rigetti
Photonic approaches: PsiQuantum (1 million physical qubit target, 2030), Xanadu
Trapped-ion approaches: IonQ, Quantinuum
Topological qubit approaches: Microsoft
Silicon spin qubit approaches: Intel
Neutral atom approaches: QuEra, Pasqal
State-sponsored programs: China's Jiuzhang photonic quantum computer (2020) and subsequent programs; national quantum initiatives across the Five Eyes nations, EU, and other jurisdictions

Threat Model: Once large-scale, error-corrected quantum computers exist—regardless of the hardware modality by which they are realized—Shor's algorithm will factorize RSA-2048 within days (see §1.1 for updated qubit estimates), and Grover's algorithm will halve the effective key length of AES-256 (reducing it to AES-128 security). All classical cryptography based on computational hardness collapses.

Technology-Agnostic Security Property: Mnemosyne's security architecture is designed to be technology-agnostic: Q3 (the Margolus-Levitin bound) applies to all physical systems regardless of qubit modality—superconducting, photonic, trapped-ion, topological, silicon spin, or neutral atom. The 10^{121} operations limit is derived from the mass-energy of the observable universe and Planck's constant, neither of which depends on the specific physical implementation of a quantum computer. The \kappa-based guessing barrier applies equally to all quantum algorithmic paradigms operating on any hardware platform. This technology-agnostic guarantee means that Mnemosyne's security does not require predicting which of the competing hardware approaches will first achieve cryptographically relevant scale—all are equally bound by Q3.

Mnemosyne's Countermeasure: We do not compete on the quantum battlefield. Instead, we retreat to a domain where quantum computers offer no physical advantage: the intersection of information theory and irreversible physics, bounded by fundamental quantum-mechanical speed limits. Theorem 8.3 guarantees security through the three arguments Q1, Q2, and Q3 with their layered redundancy structure as established in §1.3.1, requiring \kappa \geq \kappa_{\min} = 804 bits for the guessing-difficulty guarantee (conditional on Q1 structural conjecture, the MC4b formal reduction including Dürr-Høyer analysis, and empirical verification), with the Goal 1 independent computational floor of \Omega(2^{128}) providing a \kappa-independent barrier for any-preimage finding. If MC4b cannot be established, the hybrid PQC mode provides the primary security guarantee for Goal 2.

1.4 System Architecture Concept: A Trinity of Defenses

The architecture of Mnemosyne is not a monolithic software stack but a three-dimensional ecosystem woven from logic, economics, and physics. Each layer reinforces the others, creating a defense-in-depth strategy reminiscent of Byzantine military engineering.

1.4.1 Logical Layer: Formally Verified Consistency

We reject reliance on intuition or empirical testing in concurrent systems. The history of distributed computing is littered with subtle bugs that evaded detection for years (e.g., the severe bug in Raft's single-server membership change protocol, discovered and announced by its own author in 2015 despite prior formalization efforts). Mnemosyne's consensus protocol (Protocol 1: Swarm Consensus) uses TLA+ (Temporal Logic of Actions) for formal modeling.

We define strict state machines, invariants, and temporal properties:

Safety: No two nodes hold conflicting "Modified" states for the same memory address simultaneously.
Liveness: Under the assumption of Partial Synchrony, every write request eventually completes or is explicitly rejected.
Byzantine Resilience: The system tolerates f malicious nodes, where n \ge 3f + 1.

TLA+ Conceptual Specification

The following TLA+ code presents the clock model and environment structure that governs Mnemosyne's partial synchrony formulation. This is a conceptual sketch intended to convey the epistemological design of the GST (Global Stabilization Time) model. The complete TLA+ specification—including the full expansion of all node protocol actions (NodeAction) and the complete Init/Next/Inv definitions verified by TLC—is provided in the TLA+ Appendix (Appendix A) and formally analyzed in §7.

---- MODULE MnemosyneSketch ----
EXTENDS Naturals, FiniteSets

\* WARNING: This specification is a CONCEPTUAL SKETCH and is NOT directly
\* executable by TLC without the full definitions provided in Appendix A.
\* The DeliverMessage and NodeAction sub-actions contain placeholder comments
\* (\* ...) where protocol logic would appear. The TLC-executable specification
\* is provided in Appendix A.
\*
\* CRITICAL: Running TLC on this sketch will produce MEANINGLESS verification
\* results because DeliverMessage leaves node_states, pending_writes, and
\* committed existentially quantified (any state transition is permitted).
\* Only the complete specification in Appendix A should be used for
\* verification. This sketch is provided solely for structural exposition.
\*
\* Uncomment the following line to prevent accidental TLC execution:
\* ASSUME FALSE  \* This specification is a non-executable sketch

CONSTANT Nodes         \* The set of all node identifiers
CONSTANT CorrectNodes  \* The set of non-Byzantine nodes; |CorrectNodes| >= 2f + 1
CONSTANT delta         \* Message delivery bound after GST; delta \in Nat, delta > 0
CONSTANT MaxMessages   \* Upper bound on in-flight messages for model checking
CONSTANT MaxClock      \* Upper bound on global_clock for model checking
CONSTANT MaxMsgPerTick \* Maximum messages a single node can generate per clock tick

ASSUME CorrectNodes \subseteq Nodes
ASSUME delta \in Nat /\ delta > 0
ASSUME MaxMessages \in Nat /\ MaxMessages > 0
ASSUME MaxClock \in Nat /\ MaxClock > 0
ASSUME MaxMsgPerTick \in Nat /\ MaxMsgPerTick > 0

\* --- Bounded-Unbounded Model Correspondence ---
\* The liveness property Spec => Liveness is stated for the unbounded model
\* (where the global_clock < MaxClock guard in Tick is removed). TLC verifies
\* a bounded approximation. For TLC's liveness check to be non-vacuous,
\* MaxClock must satisfy MaxClock >= 4*delta + |Nodes| + 1, ensuring
\* sufficient clock ticks for at least one complete protocol execution
\* after GST. This constraint is formally specified as an ASSUME below
\* and in the complete specification (Appendix A).
ASSUME MaxClock >= 4 * delta + Cardinality(Nodes) + 1

\* --- GST Timing Constraint for Bounded Model ---
\* To prevent spurious liveness violations in TLC due to late GST firing
\* (which would leave insufficient post-GST clock budget for protocol
\* completion), SetGST is constrained to fire early enough that at least
\* 3*delta + |Nodes| ticks remain after GST. This constraint applies only
\* to the bounded TLC model; in the unbounded mathematical model used for
\* the liveness proof, GST may occur at any finite time.
CONSTANT GSTDeadline
ASSUME GSTDeadline \in Nat
ASSUME GSTDeadline <= MaxClock - 3 * delta - Cardinality(Nodes)

\* --- Mathematical Soundness vs. TLC Feasibility ---
\* The following condition is the MATHEMATICAL SOUNDNESS requirement for
\* the unbounded model: it ensures no correct node is silenced by buffer
\* exhaustion before GST.
\*
\*   Soundness condition: MaxMessages >= Cardinality(CorrectNodes)
\*                                       * GSTDeadline * MaxMsgPerTick
\*
\* This condition is stated here as a COMMENT (not an ASSUME) because
\* satisfying it as a hard ASSUME creates TLC intractability: even for
\* modest parameters (4 correct nodes, GSTDeadline=10, MaxMsgPerTick=2),
\* it demands MaxMessages >= 80, making the 'messages' powerset state
\* space combinatorially explosive and TLC verification infeasible.
\*
\* RESOLUTION: The soundness condition and the TLC feasibility constraint
\* are separated as follows:
\*
\* (1) TLC MODEL CHECKING uses a small MaxMessages (e.g., 10-20) that
\*     permits state space exhaustion. The PreGSTMessageBudget invariant
\*     (defined below) is checked as a canary: if it is violated under
\*     these reduced parameters, the TLC run is invalid. If it is NOT
\*     violated, the safety/liveness results transfer to the unbounded
\*     model by the monotonicity argument in (3) below.
\*
\* (2) THE SOUNDNESS CONDITION is proved as a THEOREM in Appendix A
\*     (not enforced as an ASSUME), showing that the protocol logic does
\*     not depend on MaxMessages exceeding any particular threshold for
\*     safety, and that liveness depends only on post-GST message delivery
\*     (which is independent of pre-GST buffer size).
\*
\* (3) MONOTONICITY ARGUMENT: Increasing MaxMessages only adds behaviors
\*     (more messages can be in flight simultaneously). Safety properties
\*     (universally quantified over all behaviors) are preserved under
\*     behavior-set expansion. For liveness, the argument requires
\*     additional care: more messages in flight could enable new infinite
\*     behaviors. Appendix A must verify that the liveness proof is
\*     insensitive to MaxMessages above the TLC-feasible threshold, or
\*     use Apalache symbolic model checking for the full parameter range.
\*
\* (4) APALACHE FALLBACK: For parameter ranges where TLC cannot complete
\*     state space exploration, Appendix A uses Apalache's symbolic
\*     bounded model checking with --cinit to verify safety and liveness
\*     properties at the mathematically required MaxMessages values.
\*
\* Appendix A must explicitly state the TLC parameter values used for
\* verification, confirm that PreGSTMessageBudget was not violated at
\* those values, and provide either the monotonicity argument or Apalache
\* symbolic verification bridging the gap to the mathematical soundness
\* condition.

\* PreGSTMessageBudget canary invariant (checked during TLC runs):
PreGSTMessageBudget == gst_clock = 0 => Cardinality(messages) < MaxMessages

VARIABLE gst_clock
VARIABLE global_clock
VARIABLE node_states
VARIABLE messages
VARIABLE pending_writes
VARIABLE committed

\* Aggregate variable tuples for frame conditions
vars == <<gst_clock, global_clock, node_states, messages, pending_writes, committed>>
non_clock_vars == <<gst_clock, node_states, messages, pending_writes, committed>>
non_gst_vars == <<global_clock, node_states, messages, pending_writes, committed>>

\* --- Liveness predicate stubs (full definitions in Appendix A) ---
PendingWrite(n) == \E w \in pending_writes : w.node = n
Committed(n) == \E w \in committed : w.node = n

\* PLACEHOLDER: In this conceptual sketch, ExplicitlyRejected is always FALSE,
\* making the Liveness property strictly stronger than the intended specification
\* (which allows explicit rejection as a valid outcome). The full definition in
\* Appendix A introduces rejection conditions (e.g., Byzantine conflict detection,
\* resource exhaustion). With ExplicitlyRejected == FALSE, TLC verifies the
\* stronger property that every pending write is eventually committed.
\*
\* IMPORTANT: The stronger property (every pending write is eventually committed,
\* with no possibility of explicit rejection) may NOT be satisfiable in all
\* Byzantine executions. In a system with n >= 3f+1, there exist executions
\* where a correct node's write should be rejected (e.g., conflicting writes
\* from Byzantine nodes). The THEOREM below therefore does NOT claim that
\* this sketch verifies the intended liveness property — it is stated as a
\* structural placeholder only. Appendix A defines ExplicitlyRejected properly
\* and verifies the intended (weaker) property. This sketch does NOT claim
\* to verify any theorem.
\*
\* NON-EXHAUSTIVE ILLUSTRATION of valid ExplicitlyRejected conditions
\* (complete definition in Appendix A):
\*   (1) Byzantine conflict detection: A write W from correct node n is
\*       rejected when >= f+1 distinct nodes report conflicting writes
\*       W' != W targeting the same logical address, where at least one
\*       of the conflicting reporters is identified as Byzantine via the
\*       ByzantineDetect sub-action (e.g., equivocation proof, invalid
\*       signature on prepare message).
\*   (2) Quorum unavailability: Fewer than 2f+1 correct nodes acknowledge
\*       the write within the post-GST timeout window (GST + delta +
\*       processing_bound), indicating that a quorum cannot be formed.
\*   (3) Resource exhaustion: The node's pending_writes buffer exceeds
\*       MaxPendingWrites, triggering backpressure rejection to prevent
\*       unbounded memory growth under adversarial write storms.
\*   (4) Authentication failure: The write's cryptographic proof of
\*       authorship (e.g., PQ-signed PoUW certificate) fails verification,
\*       indicating either a Byzantine node or a protocol version mismatch.
\*   (5) Timeout after GST: The write has been pending for more than
\*       (GST + delta + processing_bound) without achieving quorum,
\*       triggering explicit rejection rather than indefinite suspension.
\* Appendix A must implement all five conditions and verify that the
\* liveness property []( PendingWrite(n) => <>(Committed(n) \/
\* ExplicitlyRejected(n)) ) is satisfiable in all Byzantine executions
\* with n >= 3f+1 correct nodes.
ExplicitlyRejected(n) == FALSE

Init ==
  /\ gst_clock = 0
  /\ global_clock = 0
  /\ node_states = [n \in Nodes |-> "Idle"]
  /\ messages = {}
  /\ pending_writes = {}
  /\ committed = {}

\* --- Environment sub-actions ---
SetGST ==
  /\ gst_clock = 0
  /\ global_clock > 0   \* GST occurs at a positive clock value
  /\ global_clock <= GSTDeadline  \* Ensure sufficient post-GST window (bounded model only)
  /\ gst_clock' = global_clock
  /\ UNCHANGED non_gst_vars

Tick ==
  /\ global_clock < MaxClock
  /\ global_clock' = global_clock + 1
  /\ UNCHANGED <<gst_clock, node_states, messages, pending_writes, committed>>

\* --- System sub-actions ---

\* DeliverSpecificMessage(m): delivers a specific message m from the pool.
\* Per-message strong fairness on this parameterized action guarantees that
\* every message that is infinitely often deliverable is eventually delivered,
\* closing the liveness gap that arises from existential choice in the
\* unparameterized DeliverMessage action (see Fairness Rationale below).
DeliverSpecificMessage(m) ==
  /\ m \in messages
  /\ gst_clock > 0
  /\ global_clock >= gst_clock + delta
  /\ messages' = messages \ {m}
  /\ \* node_states', pending_writes', committed' are updated
     \* according to m's type and the protocol rules.
     \* CRITICAL PLACEHOLDER: Full definition in Appendix A.
     \* All six state variables are explicitly constrained there;
     \* no variable is left existentially quantified.
  /\ UNCHANGED <<gst_clock, global_clock>>

\* DeliverMessage: existential wrapper used in Next for structural clarity.
\* Fairness is placed on DeliverSpecificMessage(m), NOT on this wrapper.
DeliverMessage == \E m \in messages : DeliverSpecificMessage(m)

\* --- Pre-GST Message Semantics: Design Commitment ---
\* DESIGN COMMITMENT: Option A (Retained Delivery) with Complete Pre-GST Blackout
\* All messages enqueued in 'messages' before GST are retained and delivered
\* post-GST when timing conditions are met. Before GST (gst_clock = 0),
\* NO messages are delivered at all — this models a complete communication
\* blackout prior to GST.
\*
\* MODEL SEMANTICS NOTE: This is strictly stronger than the standard DLS (1988)
\* partial synchrony model, in which the adversary controls message *delay*
\* (but need not prevent all delivery) before GST. The complete pre-GST
\* blackout means any property proved here holds a fortiori under the standard
\* DLS model. This "a fortiori" argument for liveness is valid because the
\* protocol's liveness proof (§7, Appendix A) relies exclusively on post-GST
\* message delivery; no liveness sub-argument depends on any message being
\* delivered before GST. Appendix A must verify this claim by confirming
\* that the liveness proof's critical path—from PendingWrite(n) to
\* Committed(n) \/ ExplicitlyRejected(n)—is enabled entirely by post-GST
\* message deliveries and node actions.
\*
\* STATE SPACE IMPLICATION: The separation of mathematical soundness from
\* TLC feasibility (see MaxMessages discussion above) ensures correct nodes
\* cannot be silenced by buffer exhaustion before GST, preventing spurious
\* liveness violations from this cause.
\*
\* Rationale for Option A: This models a network where the adversary controls
\* message *delay* but not message *loss*, appropriate for TCP-based transport
\* (which guarantees eventual delivery via retransmission). TCP guarantees
\* eventual delivery as long as the connection is not permanently severed—
\* a condition that partial synchrony (eventual GST) ensures.
\*
\* Consequence: The liveness proof in §7 relies on this assumption. A
\* sensitivity analysis in Appendix A demonstrates that all safety
\* properties hold under Options A, B, and C, while liveness under
\* Options B and C requires additional protocol-level retransmission
\* mechanisms (which are present in the full specification but not
\* exercised under Option A).

\* Next is the disjunction of ALL actions (system + environment),
\* following the standard TLA+ idiom (Lamport, Specifying Systems, Ch. 8).
\* NodeAction(n) is the disjunction of all node-level protocol sub-actions
\* (ProposeWrite, AcknowledgeWrite, CommitWrite, ByzantineDetect, etc.);
\* its full definition is provided in Appendix A.
\* Message generation within NodeAction is guarded by
\* Cardinality(messages) < MaxMessages to ensure a finite state space
\* for TLC model checking.
Next ==
  \/ \E n \in Nodes : NodeAction(n)
  \/ DeliverMessage
  \/ SetGST
  \/ Tick

Spec ==
  /\ Init
  /\ [][Next]_vars
  /\ WF_vars(SetGST)
  /\ WF_vars(Tick)
  /\ \A m \in MessagesType : SF_vars(DeliverSpecificMessage(m))
  /\ \A n \in CorrectNodes : WF_vars(NodeAction(n))

Liveness ==
  \A n \in CorrectNodes :
    [](PendingWrite(n) => <>(Committed(n) \/ ExplicitlyRejected(n)))

\* NOTE: The theorem below is a structural placeholder only.
\* With ExplicitlyRejected == FALSE, the liveness property simplifies to
\* "every pending write by a correct node is eventually committed," which
\* is strictly stronger than the intended property and may be unsatisfiable
\* in Byzantine executions. This sketch does NOT claim to verify any theorem.
\* The complete specification in Appendix A defines ExplicitlyRejected
\* properly and verifies the intended (weaker) liveness property.
\* THEOREM Spec => Liveness  \* (non-executable sketch: theorem not claimed here)

====

Fairness Rationale for DeliverSpecificMessage(m): Per-message strong fairness (SF_vars(DeliverSpecificMessage(m)) for each m \in MessagesType) replaces the previous unparameterized SF_vars(DeliverMessage). The change addresses a liveness gap in the original design: SF on the existentially quantified DeliverMessage action guarantees only that some message is eventually delivered whenever the action is infinitely often enabled, but does not guarantee that every specific message is eventually delivered. Under nondeterministic choice, repeated selection of the same message type could starve other messages indefinitely, leaving the liveness property vacuously satisfied for the chosen message but violated for the starved ones. Per-message strong fairness closes this gap: for each specific message m, if DeliverSpecificMessage(m) is enabled infinitely often (i.e., m remains in messages and the post-GST timing condition holds), it is eventually taken. This correctly models the post-GST delivery guarantee required by the partial synchrony assumption.

MessagesType is the (finite, constant) set of all possible message values, determined by Nodes, message types, and bounded payload values. Since MessagesType is a constant, the universally quantified fairness condition \A m \in MessagesType : SF_vars(DeliverSpecificMessage(m)) is well-defined in TLA+. For implementation in Appendix A, the preferred approach is FIFO queue per sender-receiver pair with weak fairness on per-queue dequeue actions, rather than per-message-content fairness annotations. The FIFO queue approach provides the same per-message delivery guarantee as parameterized strong fairness while reducing the fairness annotation count from |\text{MessagesType}| (potentially exponential in message payload size) to O(|\text{Nodes}|^2) (quadratic in node count), which is tractable for TLC verification. Since MessagesType may contain messages carrying arbitrary payload content (gradient fragments, PQ indices, etc.) that makes it exponentially large, the FIFO queue approach is the default implementation in Appendix A. Appendix A must implement and verify this approach, confirming that per-queue dequeue fairness is sufficient to establish the per-message delivery guarantee used in the liveness proof. A TLC counterexample demonstrating that the unparameterized SF_vars(DeliverMessage) permits message starvation under nondeterministic choice must also be provided, confirming that per-message fairness (via FIFO queues) is necessary for the liveness proof.

GST Timing Constraint Rationale: The GSTDeadline constant and the guard global_clock <= GSTDeadline in SetGST ensure that in the bounded TLC model, GST fires early enough to leave a sufficient post-GST window for protocol completion. Without this constraint, weak fairness on SetGST would permit behaviors where GST is set at global_clock = MaxClock - 1, leaving fewer than \delta ticks for DeliverSpecificMessage(m) to become enabled—resulting in spurious liveness violations that are artifacts of the bounded model, not genuine protocol failures. In the unbounded mathematical model used for the liveness proof (where the global_clock < MaxClock guard in Tick is removed), SetGST may occur at any finite time, and the infinite post-GST window ensures protocol completion. The GSTDeadline mechanism bridges this gap by ensuring TLC explores only behaviors with sufficient post-GST budget, matching the semantics of the unbounded model within the finite state space.

This formulation includes all actions—both system actions (NodeAction, DeliverMessage) and environment actions (SetGST, Tick)—within a single Next disjunction, following the standard TLA+ idiom (Lamport, Specifying Systems, Ch. 8). The MaxClock constant bounds global_clock for TLC model checking; in the unbounded mathematical model used for the liveness proof, the guard global_clock < MaxClock is removed, and Tick becomes unconditionally enabled. Weak fairness on Tick (WF_vars(Tick)) guarantees that global_clock advances unboundedly (up to MaxClock), eventually satisfying global_clock >= gst_clock + delta and thereby enabling DeliverSpecificMessage(m)—without this fairness condition, TLA+'s stuttering semantics would permit behaviors where Tick is never taken, leaving global_clock at 0, DeliverSpecificMessage(m) permanently disabled, and the liveness property vacuously violated. The MaxMessages constant bounds the cardinality of the messages set, ensuring TLC can exhaust the finite state space. The ASSUME MaxClock >= 4 * delta + Cardinality(Nodes) + 1 ensures that the bounded model has sufficient clock ticks for at least one complete protocol execution after GST, preventing spurious liveness violations in TLC due to premature clock exhaustion.

Weak fairness on NodeAction(n) for each correct node n \in \text{CorrectNodes} (WF_vars(NodeAction(n))) guarantees that every correct node eventually takes action when enabled. Without this fairness condition, TLA+'s stuttering semantics would permit behaviors where a correct node with a pending write never takes any protocol step, trivially violating the liveness property. Byzantine nodes (n \in \text{Nodes} \setminus \text{CorrectNodes}) have no fairness constraints, correctly modeling arbitrary adversarial behavior including permanent silence. The liveness property is correspondingly restricted to correct nodes: it asserts that every pending write by a correct node eventually completes or is explicitly rejected.

The complete formal specification in Appendix A, including the fully instantiated NodeAction, the complete definition of ExplicitlyRejected covering all valid rejection conditions (Byzantine conflict detection, resource exhaustion, etc.), and the per-message fairness condition implemented via FIFO queue per sender-receiver pair with per-queue dequeue fairness (preferred) or parameterized SF_vars(DeliverSpecificMessage(m)) (alternative), is TLC-compatible and has been verified against the safety and liveness properties listed below. Appendix A also provides a TLC counterexample demonstrating that the stronger property (without explicit rejection) is violated in a Byzantine execution, confirming that the weaker property is necessary and that the intended liveness specification correctly requires the disjunction with ExplicitlyRejected. Appendix A additionally provides a TLC counterexample demonstrating that the unparameterized SF_vars(DeliverMessage) permits message starvation under nondeterministic choice, confirming that per-message fairness is necessary for the liveness proof. Appendix A must explicitly state that the pre-GST communication blackout model is strictly stronger than standard DLS (1988) partial synchrony, and that all verified properties hold a fortiori under the standard DLS model, with the "a fortiori" claim for liveness validated by confirming that the liveness proof's critical path is enabled entirely by post-GST message deliveries and node actions.

The TLC model checker, operating on the complete specification in Appendix A with bounded parameters, exhaustively explores the finite state space, verifying:

No deadlocks (safety property)
Eventual consistency / Termination (liveness property)
No data races (mutual exclusion invariant)
Linearizability (happens-before ordering preserved)

1.4.2 Economic Layer: Proof of Useful Work (PoUW)

To break computing monopolies, we introduce Protocol 2 (Proof of Useful Work). Unlike Bitcoin's Proof of Work, which squanders 150 TWh/year on SHA-256 hash collisions (energy equivalent to the entire nation of Argentina), Mnemosyne nodes earn incentives by contributing five dimensions of value:

Memory (M_i): Providing RAM for distributed KV caches (rewarded proportionally to uptime and capacity)
Compute (C_i): Executing inference tasks (measured in FLOPS·seconds)
Storage (S_i): Hosting model checkpoints and datasets (measured in GB·days)
Verification (V_i): Validating consensus messages and detecting Byzantine behavior (rewarded for correct challenges)
Participation (P_i): Network liveness contribution (rewarded for maintaining connections, forwarding packets)

Definition (Reward Components). For node i in epoch t, the gross reward is defined as:

R_i^{(t),\text{gross}} \triangleq \alpha M_i^{(t)} + \beta C_i^{(t)} + \gamma S_i^{(t)} + \omega V_i^{(t)} + \epsilon P_i^{(t)}

This is the sum of all positive reward contributions, computed identically for all nodes regardless of fault status or participant class.

Definition (Penalty). The fault penalty for epoch t is:

\Pi_i^{(t)} \triangleq \begin{cases} \zeta L_i^{(t-1)} \cdot \rho_{\text{CTLV}} & \text{if } \mathbb{I}_{\text{fault}}(i) = 1 \text{ and } L_i^{(t-1)} \geq L_{\text{threshold}} \text{ (FSMP)} \\ 0 & \text{otherwise} \end{cases}

Definition (RP Reward Gate). The gate variable G_i^{(t)} zeroes the net payout for faulty Restricted Participants:

G_i^{(t)} \triangleq \begin{cases} 0 & \text{if } \mathbb{I}_{\text{fault}}(i) = 1 \text{ and } L_i^{(t-1)} < L_{\text{threshold}} \text{ (faulty RP)} \\ 1 & \text{otherwise} \end{cases}

Definition (Net Reward). The final epoch payout after penalty and debt service is:

R_i^{(t),\text{net}} \triangleq \max\!\left(0,\; G_i^{(t)} \cdot R_i^{(t),\text{gross}} - \Pi_i^{(t)} - D_i^{(t-1)}\right)

The gate G_i^{(t)} = 0 for faulty RPs ensures both R_i^{(t),\text{net}} = 0 and that no gross reward is applied to debt repayment for nodes whose epoch reward is zeroed by the fault mechanism. For non-faulty RPs and all FSMPs, G_i^{(t)} = 1 and the formulas reduce to the following expanded form.

For expository clarity, the net reward formula can be expressed equivalently via the three-case structure that makes each scenario explicit:

R_i^{(t),\text{net}} = \begin{cases} \max\!\left(0,\; R_i^{(t),\text{gross}} - \Pi_i^{(t)} - D_i^{(t-1)}\right) & \text{if } \mathbb{I}_{\text{fault}}(i) = 1 \text{ and } L_i^{(t-1)} \geq L_{\text{threshold}} \text{ (faulty FSMP)} \\[4pt] 0 & \text{if } \mathbb{I}_{\text{fault}}(i) = 1 \text{ and } L_i^{(t-1)} < L_{\text{threshold}} \text{ (faulty RP)} \\[4pt] \max\!\left(0,\; R_i^{(t),\text{gross}} - D_i^{(t-1)}\right) & \text{if } \mathbb{I}_{\text{fault}}(i) = 0 \text{ (non-faulty, any class)} \end{cases}

where \alpha, \beta, \gamma, \omega, \epsilon \in \mathbb{R}_{>0} are reward coefficients, \zeta \in (0, 1] is the slashing multiplier, \rho_{\text{CTLV}} \in \mathbb{R}_{>0} is the CTLV-to-MNT conversion rate (defined in the PoUW chapter), and \mathbb{I}_{\text{fault}}(i) \in \{0, 1\} is the fault indicator. All terms are denominated in MNT tokens. Note that \omega (not \delta) is used for the verification reward coefficient to avoid symbol collision with the message delivery bound \delta in the partial synchrony model of §1.4.1.

The three-case structure ensures that faulty RP nodes earn zero net reward in the fault epoch, eliminating the one-epoch Sybil extraction attack. For faulty FSMP nodes (L_i^{(t-1)} \geq L_{\text{threshold}}), the penalty term \Pi_i^{(t)} = \zeta L_i^{(t-1)} \cdot \rho_{\text{CTLV}} represents the MNT-equivalent opportunity cost of the burned CTLV. When \mathbb{I}_{\text{fault}}(i) = 1 and L_i^{(t-1)} \geq L_{\text{threshold}}, the protocol burns \lceil \zeta L_i^{(t-1)} \rceil CTLV units from the node's reputation score. If R_i^{(t),\text{net}} would become negative under this deduction, the deficit is managed by the debt mechanism below. The \rho_{\text{CTLV}} conversion rate serves solely as a commensuration factor to express heterogeneous penalties in a single MNT-denominated utility function. No CTLV-to-MNT token transfer occurs.

Epoch Processing Order and Slash Semantics

Within epoch t, the net reward R_i^{(t),\text{net}} is computed using the pre-slash value L_i^{(t-1)} (the CTLV balance at the beginning of epoch t). The CTLV update is applied after reward computation and distribution:

L_i^{(t)} = \begin{cases} \max\!\left(0,\; L_i^{(t-1)} - \lceil \zeta L_i^{(t-1)} \rceil\right) & \text{if } \mathbb{I}_{\text{fault}}(i) = 1 \\[4pt] L_i^{(t-1)} + 1 & \text{if } \mathbb{I}_{\text{fault}}(i) = 0 \text{ and node contributed valid PoUW} \\[4pt] L_i^{(t-1)} & \text{if } \mathbb{I}_{\text{fault}}(i) = 0 \text{ and node did not contribute valid PoUW} \end{cases}

Nodes that are offline or submit no PoUW during an epoch neither gain nor lose CTLV. This ensures that CTLV accumulation strictly reflects active, verified contributions, and that intermittent connectivity does not result in unintended CTLV changes. Note that the case (\mathbb{I}_{\text{fault}}(i) = 1, \text{valid PoUW} = \text{true}) is logically possible (a node contributes valid PoUW but also commits a fault in the same epoch); such cases are handled under the first case above, where fault takes priority over the PoUW contribution in determining the CTLV update.

The ceiling \lceil \zeta L_i^{(t-1)} \rceil ensures at least 1 CTLV unit is slashed for any L_i^{(t-1)} \geq 1, and that the slashed amount is always an integer, consistent with L_i \in \mathbb{Z}_{\geq 0}. The \max(0, \cdot) floor prevents L_i from becoming negative when \zeta = 1 (total CTLV wipe on maximum-severity fault). Since \zeta \in (0, 1], we have \lceil \zeta L_i \rceil \leq L_i for all L_i \geq 1, ensuring L_i^{(t)} \geq 0.

RP Fault Handling: For Restricted Participants (L_i^{(t-1)} < L_{\text{threshold}}), the gate G_i^{(t)} = 0 zeroes the epoch net reward when a fault occurs, ensuring no MNT profit is possible from single-epoch Sybil attacks. Note that for RPs with nonzero CTLV (1 \leq L_i^{(t-1)} < L_{\text{threshold}}), the penalty term \Pi_i^{(t)} = 0 (since the penalty formula applies only to FSMPs), so no debt accrues from the penalty mechanism for RPs; however, CTLV is still slashed per the CTLV update formula above. The exponential backoff on Client Puzzle difficulty—increasing the computational cost of continued participation by a factor of 2^{f_i} where f_i is the cumulative RP fault count for identity i—provides an additional deterrent against repeated participation after faulting. After f_{\max} consecutive RP faults without valid PoUW contribution, the node identity is temporarily banned for \tau_{\text{ban}} epochs. The precise values of f_{\max} and \tau_{\text{ban}} are calibrated in the PoUW chapter. This ensures that for all node states (L_i, \mathbb{I}_{\text{fault}}(i)), the effective penalty for a fault is strictly positive: CTLV-based for FSMPs (L_i^{(t-1)} \geq L_{\text{threshold}} \geq 1), and reward-zeroing plus puzzle-difficulty-based for RPs (L_i^{(t-1)} < L_{\text{threshold}}).

Debt Management Mechanism

When a slashing event causes the net reward to become negative before the \max(0, \cdot) floor (possible only for FSMP nodes where the penalty term exceeds the gross reward), the resulting deficit is managed as an outstanding debt. Let D_i^{(t)} \in \mathbb{R}_{\geq 0} denote node i's outstanding debt at the end of epoch t.

Unified debt update: The debt dynamics are governed by a single formula that applies uniformly in every epoch, handling both fault and non-fault cases:

D_i^{(t)} = (1 - \lambda_D) \cdot \max\!\left(0,\; D_i^{(t-1)} + \Pi_i^{(t)} - G_i^{(t)} \cdot R_i^{(t),\text{gross}}\right)

The gate G_i^{(t)} = 0 for faulty RPs ensures that no gross reward offsets debt in the same epoch in which the RP's net payout is zeroed, and that \Pi_i^{(t)} = 0 for RPs means no new debt is accrued from the penalty mechanism for RPs. The behavior across all cases is as follows:

Non-faulty node (G_i^{(t)} = 1, \Pi_i^{(t)} = 0): D_i^{(t)} = (1-\lambda_D) \cdot \max(0, D_i^{(t-1)} - R_i^{(t),\text{gross}}) — existing debt is first repaid from gross rewards, and the remainder decays.
Faulty FSMP (G_i^{(t)} = 1, \Pi_i^{(t)} > 0): The penalty is added to the debt obligation and offset against the gross reward. If the penalty exceeds R_i^{(t),\text{gross}}, the excess adds to existing debt; if the gross reward exceeds the penalty, the surplus reduces existing debt. In both cases, decay is applied after.
Faulty RP (G_i^{(t)} = 0, \Pi_i^{(t)} = 0): D_i^{(t)} = (1-\lambda_D) \cdot \max(0, D_i^{(t-1)}) — existing debt decays at rate \lambda_D with no gross reward offset and no new penalty accrual.

The node receives net reward as defined above.

Remark on debt accounting semantics: The unified formula applies the decay factor (1-\lambda_D) to the post-repayment residual, meaning repayment and decay interact multiplicatively: the effective debt reduction per epoch is \lambda_D D_i^{(t-1)} + (1-\lambda_D) R_i^{(t),\text{gross}} when R_i^{(t),\text{gross}} < D_i^{(t-1)}. This multiplicative structure is intentional: it ensures that the decay guarantee D_i^{(t)} \leq (1-\lambda_D)^t \cdot D_i^{(0)} holds as a clean upper bound on the initial-debt component, simplifying the convergence analysis in the PoUW chapter. The alternative additive formulation D_i^{(t)} = \max(0, D_i^{(t-1)} - R_i^{(t),\text{gross}}) - \lambda_D \cdot \max(0, D_i^{(t-1)} - R_i^{(t),\text{gross}}) is algebraically identical. The PoUW chapter (MC7) must explicitly analyze this multiplicative interaction in the debt dynamics analysis, particularly for large consecutive-fault scenarios where the interaction between repayment and decay affects total debt convergence.
Numerical illustration of debt decay forgiveness: To provide intuition on the forgiveness fraction introduced by the decay mechanism, consider a representative parameter set: \lambda_D = 0.05 (5% decay per epoch), a one-time FSMP fault inducing an initial penalty-debt of \Pi_0 = 100 MNT, and a steady-state gross reward of R = 10 MNT per epoch. The total gross rewards forfeited to debt repayment before the debt reaches zero (ignoring the decay shortfall) is approximately \Pi_0 \cdot \frac{R}{\lambda_D \Pi_0 + R} = 100 \times \frac{10}{0.05 \times 100 + 10} = 100 \times \frac{10}{15} \approx 66.7 MNT. The remaining \approx 33.3 MNT of the original debt is effectively forgiven through the decay mechanism—a forgiveness fraction of \approx 33\% under these parameters. The forgiveness fraction increases with higher \lambda_D (faster decay) and decreases with higher R/\Pi_0 (faster organic repayment). MC7 must verify that this forgiveness fraction does not undermine the self-challenge attack deterrence: even after accounting for 33\% forgiveness, the effective penalty (\approx 66.7 MNT) must still exceed \Phi_{\text{fault}} for the stability constraint to hold. The strengthened self-challenge attack net payoff condition under debt decay is \Pi_0 \cdot \frac{R}{\lambda_D \Pi_0 + R} > \Phi_{\text{fault}} for all feasible (R, \Pi_0, \lambda_D).

Effective penalty under debt decay. The debt decay mechanism implies that a fraction of the penalty \Pi_i^{(t)} is effectively forgiven over time. For a node with constant gross reward R per epoch and initial penalty-induced debt \Pi_0, the total gross rewards forfeited to debt repayment before the debt reaches zero is \Pi_0 \cdot \frac{R}{\lambda_D \Pi_0 + R} (geometric series sum), which is strictly less than \Pi_0 for \lambda_D > 0. This means the protocol absorbs part of the debt through decay, which is an intentional design feature to prevent permanent exclusion due to transient network instability. However, the forgiveness fraction must not undermine the self-challenge attack analysis. MC7 must verify that the effective penalty (accounting for debt decay forgiveness) still exceeds \Phi_{\text{fault}} for the self-challenge attack analysis. Specifically, the self-challenge attack net payoff under debt decay is:

\text{Net payoff (with decay)} = \frac{k}{n} \cdot \Phi_{\text{fault}} - \Pi_0 \cdot \frac{R}{\lambda_D \Pi_0 + R}

The stability constraint must be strengthened to ensure this quantity remains negative for all feasible (k, n, R). MC7 must compute the forgiveness fraction for representative (\lambda_D, R, \Pi_0) values and verify the strengthened stability constraint.

The decay guarantee D_i^{(t)} \leq (1-\lambda_D)^t \cdot D_i^{(0)} holds as an upper bound for the initial debt component in the absence of new fault-induced additions. In the presence of consecutive faults that accumulate new debt each epoch, the total debt dynamics must be analyzed by the PoUW chapter, which provides a full characterization of debt behavior under repeated faults and derives the conditions under which the debt cap D_{\max} is reached.

\rho_{\text{CTLV}} Volatility and Stability Constraint Recovery: The stability constraint \Phi_{\text{fault}}^{(t)} < \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} depends on \rho_{\text{CTLV}}, which may fluctuate due to MNT token market dynamics. If \rho_{\text{CTLV}} decreases (e.g., due to MNT price decline), the right-hand side of the constraint may fall below \Phi_{\text{fault}}, temporarily breaking the FSMP threshold invariant.

Circuit Breaker Mechanism: To address the risk of instantaneous stability constraint violations due to rapid \rho_{\text{CTLV}} fluctuations (e.g., a flash crash in MNT token price), the protocol implements a circuit breaker that triggers immediate protective action before parameter adjustments can take effect through normal governance channels. Specifically, when \rho_{\text{CTLV}} drops such that \Phi_{\text{fault}}^{(t)} \geq \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} (i.e., the stability constraint is violated or at risk of violation within the next epoch), the circuit breaker immediately suspends all FSMP state-mutating operations—including new FSMP promotions, CTLV-based penalty assessments, and FSMP-specific consensus votes—until the stability constraint is restored. During the suspension period, FSMPs continue to participate in the network as effective RPs, preserving network liveness without exposing the protocol to self-challenge attack profitability. The suspension is automatically lifted once \rho_{\text{CTLV}} recovers or \Phi_{\text{fault}} is reduced (via the dynamic adjustment mechanism described below) to restore the strict inequality. This circuit breaker approach provides stronger security guarantees than reactive parameter adjustment alone: it eliminates the "danger window" between a \rho_{\text{CTLV}} shock and the protocol's corrective response during which adversarial self-challenge attacks would be profitable. The circuit breaker is implemented as a consensus-level protocol invariant, not a governance vote, ensuring it activates without delay even in the presence of Byzantine nodes.

MC7 must analyze the following sub-problems for \rho_{\text{CTLV}} volatility: (1) the maximum tolerable single-epoch drop in \rho_{\text{CTLV}} before the circuit breaker activates; (2) the recovery time under the dynamic adjustment mechanism (automatic reduction of \Phi_{\text{fault}} to \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} - \varepsilon) following a constraint violation; (3) the security implications during circuit-breaker-active periods—verifying that no adversarial profit is extractable while FSMP state mutations are suspended; and (4) the governance mechanism for parameter updates in a decentralized system (e.g., on-chain governance vote with time-lock, automatic oracle-based adjustment, or the circuit-breaker mechanism). The PoUW chapter must specify which governance mechanism is adopted, prove that the stability constraint is restored within a bounded number of epochs following any \rho_{\text{CTLV}} shock, and demonstrate that no adversarial profit is extractable during circuit-breaker-active periods.

Consecutive-fault dynamics (diminishing penalties): When an FSMP node faults repeatedly across consecutive epochs, note that each fault reduces L_i via slashing, thereby reducing the penalty \Pi_i^{(t)} = \zeta L_i^{(t-1)} \cdot \rho_{\text{CTLV}} in subsequent epochs. For \zeta < 1, starting from L_0 = L_{\text{threshold}}, the CTLV sequence after k consecutive faults is approximately L_k \approx L_0(1-\zeta)^k (ignoring ceiling), and the total cumulative penalty over k epochs converges to L_0(1-(1-\zeta)^k)\cdot\rho_{\text{CTLV}} \leq L_0 \cdot \rho_{\text{CTLV}} as k \to \infty. The eventual demotion to RP status (once L_i < L_{\text{threshold}}) stops further CTLV-based penalties. The PoUW chapter must explicitly analyze this consecutive-fault scenario, computing the total extracted gross reward \sum_{t'} R_i^{(t'),\text{gross}} against the total investment cost of L_{\text{threshold}} epochs of honest accumulation (plus opportunity cost), and demonstrate that the net attack profit is negative for any rational adversary with discount rate \delta_{\text{discount}} \in (0,1). This analysis must account for the parallelizable nature of multi-identity CTLV accumulation (see MC7).

Debt cap and automatic demotion: If D_i^{(t)} exceeds a maximum debt threshold D_{\max}, the node is automatically demoted to Restricted Participant (RP) status:

D_i^{(t)} > D_{\max} \implies \text{FSMP}(i) \to \text{RP}(i)

The threshold D_{\max} is defined as:

D_{\max} \triangleq \eta \cdot \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}}

where \eta \in \mathbb{R}_{>0} is a protocol parameter (calibrated in the PoUW chapter; a default value of \eta = 3 ensures that a node can sustain at most three consecutive maximum-severity slashing events before demotion).

Debt decay rate: To prevent permanent exclusion due to accumulated debt from transient network instability, outstanding debt decays at rate \lambda_D \in (0, 1) per epoch as specified in the unified update formula above. The decay rate \lambda_D is calibrated such that a single maximum-severity fault's debt is reduced to a negligible fraction \epsilon_D of its original value within \lceil \ln(1/\epsilon_D) / \lambda_D \rceil epochs of continuous honest participation, even in the absence of gross rewards. For \epsilon_D = 0.01 (99% decay), this requires approximately \lceil 4.6 / \lambda_D \rceil epochs. The precise calibration of \lambda_D and \epsilon_D, including interaction with the CTLV accumulation rate, the identity abandonment tradeoff, and debt dynamics under consecutive faults, is provided in the PoUW chapter.

Identity abandonment: If a node abandons its identity (disconnects and re-registers with a new identity), both L_i and D_i reset to 0. The rational-actor analysis of this decision—comparing the discounted future value of CTLV accumulation under debt vs. fresh start—is deferred to the PoUW chapter, where it is shown that for \lambda_D below a critical threshold, honest debt repayment dominates identity abandonment for any node with L_i > L_{\text{abandon}}, where L_{\text{abandon}} \in (0, L_{\text{threshold}}) is a protocol-dependent threshold derived in the PoUW chapter.

Participant State Classification and the CTLV Safety Invariant

Because Mnemosyne allows permissionless entry via hardware without requiring initial token staking, L_i is not a financial deposit in the traditional sense. Instead, L_i \in \mathbb{Z}_{\geq 0} is an integer-valued reputation score incremented by 1 for each epoch of valid PoUW contribution, representing the Cryptographic Time-Lock Value (CTLV). CTLV is non-transferable between node identities (preventing sale or delegation of accumulated reputation). When a node is successfully challenged, the protocol reduces L_i by \lceil \zeta L_i \rceil CTLV units, which are permanently burned (destroyed). The challenger receives a reward drawn from the per-epoch verification reward pool \Phi_{\text{fault}}, distributed proportionally among all verifiers. The slashed CTLV is not converted to MNT and is not allocated to challengers. This design separates the accumulation mechanism (time-locked reputation earned through work) from the slashing mechanism (burned reputation) and the reward mechanism (pool-funded challenger compensation), ensuring that (1) new entrants without initial capital can still face meaningful consequences through loss of future earning capacity, and (2) no CTLV-to-MNT conversion pathway exists that could be exploited by self-challenging attackers.

Identity Binding Mechanism for CTLV Non-Transferability

CTLV non-transferability is enforced through the following layered identity binding mechanism, fully specified and analyzed in the PoUW chapter:

(a) Hardware attestation (primary): Each node identity is bound to a hardware attestation key derived from a Trusted Platform Module (TPM 2.0), Secure Enclave (Apple), or Trusted Execution Environment (ARM TrustZone). The attestation key signs each epoch's PoUW contribution proof, binding CTLV accumulation to a specific physical device. Identity transfer requires physical hardware transfer, raising the cost of Sybil identity markets.

Hardware Trust Assumption and Philosophical Tension: This layer introduces a hardware trust assumption that stands in explicit tension with Mnemosyne's core philosophical commitment to grounding security in physical laws rather than institutional trust. TPM 2.0, Apple Secure Enclave, and ARM TrustZone provide strong tamper-resistance guarantees against commodity adversaries, but their security properties are engineering guarantees backed by manufacturer design and certification processes—not immutable physical laws. Nation-state adversaries with sufficient resources have demonstrated the capability to compromise specific hardware security implementations: the TPM-Fail vulnerability (CVE-2019-11090, disclosed 2019) revealed timing side-channel attacks against TPM 2.0 ECDSA key generation on Intel firmware TPMs and STMicroelectronics hardware TPMs; physical probing attacks against smart card and embedded security chips have been documented in academic literature; and sophisticated supply chain interdiction has been alleged in nation-state threat reporting. This means that for Tier 2 adversaries (§1.3.3), the CTLV non-transferability guarantee is probabilistic and engineering-dependent rather than physically absolute. We acknowledge this tension honestly: the identity binding mechanism is a pragmatic engineering solution that significantly raises the cost and complexity of Sybil attacks for all but the most sophisticated adversaries, but it does not achieve the same epistemological status as the Landauer-Margolus-Levitin physical barriers. The security of CTLV non-transferability should be understood as belonging to tier (b) of the three-tier epistemological classification (§1.5.4)—conditional on engineering assumptions—rather than tier (a) (proven from physical laws). The PoUW chapter must quantify the security degradation under partial TPM compromise and specify the protocol's response to detected attestation key compromise events.

(b) Temporal decay under fingerprint change (secondary): If a node's hardware attestation fingerprint changes (indicating potential identity transfer), the node's CTLV decays at an accelerated rate \lambda_{\text{transfer}} per epoch, where \lambda_{\text{transfer}} is calibrated such that the economic value of transferred CTLV (discounted by decay) is strictly less than the cost of accumulating fresh CTLV through honest participation. Formally, the decay rate must satisfy \lambda_{\text{transfer}} > 1 - (\text{cost of honest accumulation per CTLV unit}) / (\text{market price per CTLV unit}) to make transfer unprofitable. The precise calibration is derived in the PoUW chapter.

(c) Network graph consistency (tertiary): CTLV accumulation is weighted by the node's position in the peer connectivity graph, specifically by the node's eigenvector centrality in the communication graph over the past \tau_{\text{graph}} epochs. A freshly-transferred identity retains the accumulated CTLV integer but loses its graph-derived weight multiplier, reducing its effective CTLV for FSMP threshold calculations. This ensures that identity transfer degrades the economic utility of the transferred CTLV even if hardware attestation is compromised.

The choice of this three-layer binding mechanism involves a tradeoff between the strength of identity binding and the permissionless entry property. Nodes without TPM hardware can participate as Restricted Participants (RP) using software-only attestation, but cannot accumulate CTLV beyond L_{\text{threshold}} and thus cannot become FSMPs. The complete tradeoff analysis, including the case of compromised TPM keys and coalition attacks, is provided in the PoUW chapter.

The safety invariant \zeta L_i \cdot \rho_{\text{CTLV}} > \Phi_{\text{fault}} applies exclusively to Full State-Mutating Participants (FSMP), defined formally as:

\text{FSMP}(i) \iff L_i \geq L_{\text{threshold}} \triangleq \left\lfloor \frac{\Phi_{\text{fault}}}{\zeta \cdot \rho_{\text{CTLV}}} \right\rfloor + 1

The floor-plus-one formula yields the smallest integer L_{\text{threshold}} satisfying the strict inequality \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} > \Phi_{\text{fault}}.

For nodes with L_i < L_{\text{threshold}}, the system defines a Restricted Participant (RP) state with a strictly limited permission set.

\Phi_{\text{fault}} Funding Source and Stability Constraint

The per-epoch verification reward pool \Phi_{\text{fault}} is funded from a dedicated protocol allocation (specific funding source—protocol inflation, fixed fraction of epoch rewards, or transaction fees—to be specified in the PoUW chapter). Regardless of the funding source, the protocol enforces the following stability constraint:

\Phi_{\text{fault}}^{(t)} < \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} \quad \text{for all epochs } t

This constraint is maintained dynamically: if changes in \rho_{\text{CTLV}} or \zeta would violate the constraint, \Phi_{\text{fault}} is reduced to \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} - \varepsilon for an arbitrarily small \varepsilon > 0 before the epoch begins, or the circuit breaker is triggered (as described above) if the violation occurs faster than the dynamic adjustment can respond. The PoUW chapter must specify the funding source, prove that the stability constraint is maintained under all protocol parameter dynamics (including \rho_{\text{CTLV}} volatility scenarios as detailed above), and analyze the implications for verifier incentive levels.

Sybil and Self-Challenge Attack Prevention

To prevent self-challenging Sybil attacks, the protocol enforces that the opportunity cost of slashed CTLV (lost future earning capacity) must strictly exceed the challenger reward drawn from \Phi_{\text{fault}}. Because slashed CTLV is permanently burned rather than converted to transferable tokens, the economics of self-challenge attacks are as follows:

Single self-challenge attack: The adversary controls one sacrificial FSMP identity and k verifier identities out of n total verifiers. The sacrificial identity commits a deliberate fault and is slashed, losing \lceil \zeta L_{\text{threshold}} \rceil CTLV (burned). The k Sybil verifiers collectively capture at most \frac{k}{n} \Phi_{\text{fault}} MNT from the verification reward pool. The net payoff is:

\text{Net payoff} = \frac{k}{n} \cdot \Phi_{\text{fault}} - \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} \leq \Phi_{\text{fault}} - \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} < 0

where the final inequality follows from the FSMP threshold condition \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} > \Phi_{\text{fault}} (which itself follows from the stability constraint), and the intermediate inequality holds because k/n \leq 1. This bound holds regardless of k and n.

Repeated self-challenge attack: If the adversary sacrifices j identities across an epoch, the net payoff is at most j(\Phi_{\text{fault}} - \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}}) < 0, since each self-challenge has negative expected return. The adversary must invest j identities' worth of CTLV accumulation effort, requiring at least L_{\text{threshold}} epochs of honest participation per identity. This accumulation is parallelizable: a well-resourced adversary can operate j devices simultaneously, reducing the calendar time to L_{\text{threshold}} epochs (not j \cdot L_{\text{threshold}} epochs) regardless of j. However, the opportunity cost argument remains fully valid: each identity still requires L_{\text{threshold}} epochs of real resource expenditure, making repeated attacks increasingly costly in both total invested resources and opportunity cost, even if the calendar time does not scale with j.

No CTLV-to-MNT conversion attack is possible because slashed CTLV is burned, not transferred. The complete economic security analysis, including coalition attacks with varying L_i distributions and the parallel multi-identity CTLV accumulation strategy, is deferred to the PoUW chapter.

Client Puzzle: Complementary, Not Equivalent

To prevent the "Verifier Catch-22" and Free-Rider DoS attacks, probationary nodes must attach a lightweight, asymmetric Client Puzzle.

This transforms globally idle smartphones and laptops into valuable assets. A Raspberry Pi 5 with 4GB RAM, running 24/7, can earn an estimated 5–15 USD/month in MNT tokens, creating a sustainable economic incentive for decentralization.

1.4.3 Physical Layer: The Entropy Moat

Through the multi-layered stacking of Delta Encoding (Theorem 5.1), Product Quantization (Theorem 7.1), and Randomized Rotation (Theorem 8.2), each embedding is reduced from a bd-bit representation (where b is the deployed floating-point format's bit-width and d = 4096) to a 256-bit PQ index before transmission. The total information available to an adversary observing the transmitted index and all side channels is bounded by I(\mathcal{X}_{\text{white}}; \mathcal{Y}) + \ell_{\text{side}} \leq 256 + \ell_{\text{side}} bits, where \ell_{\text{side}} is the side-channel leakage bound derived in §7.1 and §8.3. The security-relevant quantity is the residual min-entropy \kappa = H_\infty(\mathcal{X}_{\text{white}} | \mathcal{Y}), which must satisfy \kappa \geq \kappa_{\min} = 804 bits (the universal security threshold from §1.3.1) for the guessing-difficulty guarantee. The Goal 1 independent computational floor of \Omega(2^{128}) quantum queries for any-preimage finding holds regardless of \kappa. Both conditions together contribute to the defense-in-depth of the physical barrier: the guessing-difficulty condition is a condition on the whitening quality verified in §8.3, while the Goal 1 floor is determined by the fixed PQ configuration parameters M and K.

The height of this barrier—parameterized by \kappa for the guessing-difficulty guarantee and by \Omega(2^{128}) for the Goal 1 computational floor—is enforced simultaneously by the three arguments with their layered redundancy structure established in §1.3.1.

1.5 Research Methodology and Engineering Discipline

This project adopts an extremely rigorous "theory-first, implementation-verified" approach, inspired by NASA's Formal Methods Program and the L4.verified seL4 microkernel project.

1.5.1 Phase 1: Mathematical Derivation (Chapters 3-6)

We first establish the system's boundaries and possibilities through 14 original theorems, spanning information theory, memory hierarchy optimization, privacy via compression, physical barriers, and distributed coherence.

1.5.2 Phase 2: Formal Specification (Chapter 7, TLA+ Appendix)

We use the TLA+ language to describe system behavior. The complete formal specification—including all protocol sub-actions, invariants, and verified properties—is provided in Appendix A and analyzed in detail in §7.

1.5.3 Phase 3: System-Level Implementation (Chapter 7, Rust Codebase)

We use the Rust language for high-performance, memory-safe implementation.

1.5.4 Acknowledgment of Current Limitations

We honestly acknowledge that this research is a work in progress, including the need for empirical validation of several assumptions (most critically, the min-entropy verification in §8.3) and the gap between formal proof and executable code. The security architecture combines physical guarantees (which hold by the laws of physics given architectural parameters) with conditional guarantees (which require empirical verification of \kappa and substantiation of the Q1 structural conjecture). Claims are categorized by their epistemological status throughout:

(a) Proven from accepted physics and information theory: Q3 (Margolus-Levitin quantum speed limit), Landauer's principle for irreversible classical attackers, and the Goal 1 computational floor \Omega(2^{128}). These hold by the laws of physics and information theory given the stated architectural parameters, independently of any empirical measurement or unproven conjecture.

(b) Conditional on empirical verification: \kappa \geq 804, to be verified in §8.3 through the methodology described in MC4. The HNDL immunity claim also belongs to this tier: it is permanent and physically grounded once \kappa \geq 804 is verified, but the verification itself is a prerequisite. The CTLV non-transferability guarantee via hardware attestation also belongs to this tier, being an engineering guarantee rather than a physical law (see §1.4.2).

(c) Conditional on a structural conjecture supported by evidence but not provable in full generality: MC4b—the claim that \text{PQ} \circ \mathcal{W} admits no super-Grover quantum algorithmic speedup. This governs the Goal 2 \kappa-based guessing-difficulty guarantee. If MC4b cannot be established, the hybrid PQC mode activates as mandatory, and the physical barrier provides supplementary rather than primary defense for Goal 2.

This three-tier epistemological classification is intended to make the nature and strength of each claim transparent to the reader. Claims of type (a) are unconditional. Claims of type (b) become unconditional once the specified empirical verification is completed. Claims of type (c) are permanently conditional on a conjecture, though supported by evidence and covered by a mandatory fallback mechanism.

1.5.5 Mathematical Commitments to Subsequent Chapters

The following mathematical commitments are established by Chapter 1 and must be fulfilled by the referenced sections. Failure to fulfill any commitment requires revising the corresponding claims in this chapter.

MC1: §8.2 must prove \kappa \geq 804 under the worst-case conditional min-entropy definition.
MC2: §8.2 must prove that inter-subspace correlations in the whitened distribution do not provide exploitable structure beyond what is captured by the per-cell min-entropy, and must quantify the correlation-induced degradation from the additive ceiling to the joint min-entropy by measuring the pairwise mutual informations I(\text{subspace}_i; \text{subspace}_j | \mathcal{Y}) empirically on representative LLaMA-2-7B embeddings. MC2 must verify that \sum_{i<j} I(\text{subspace}_i; \text{subspace}_j | \mathcal{Y}) \leq \kappa^{\text{ceiling}} - 804, confirming that the joint worst-case min-entropy \kappa^{\text{joint}} remains above \kappa_{\min} = 804. This quantification must go beyond the two extreme cases (perfect independence and perfect correlation) to characterize the continuous degradation as a function of pairwise mutual information.
MC3: §8.2 must prove that the whitening transformation is effective on the discrete float grid of the deployed numerical format (FP32, FP16, or BF16 as determined by §8.2's deployment specification), not merely on continuous \mathbb{R}^d. §8.2 must select and rigorously analyze one of the following whitening approaches for their effectiveness on the discrete float grid: (a) bit-level whitening (operating on sign/exponent/mantissa fields separately, ensuring near-uniformity in the bit domain and thereby avoiding the non-uniform numerical spacing problem of IEEE 754 formats)—recommended as the primary implementation path due to its clean correctness argument; (b) CDF-based uniformization (mapping each coordinate through its empirical CDF then applying a probability-equalizing bijection to IEEE 754 representable values, with analysis of estimation error, separability in 128-dimensional subspaces, and interaction with PQ codebook learning)—§8.2 must additionally verify coordinate independence within each subspace (i.e., that P(x_1, \ldots, x_{128} | y_m) \approx \prod_j P(x_j | y_m) for all m) before concluding that per-coordinate CDF transformation is sufficient; or (c) dithered quantization (adding calibrated noise before quantization at the cost of slightly increased distortion). §8.2 must provide a comparative analysis of approaches (a) and (b) and justify the selected implementation.
MC4 (revised): §8.3 must verify \kappa \geq 804 through a combination of: (a) analytical worst-case bounds: §8.2 must derive an analytical lower bound on \min_y [-\log_2 \max_x P(\mathcal{X}_{\text{white}} = x | \mathcal{Y} = y)] that holds uniformly over all y \in \mathcal{Y}, leveraging the structural properties of the whitening transformation (e.g., if \mathcal{W} produces a distribution that is \varepsilon-close to uniform within each PQ cell, the analytical bound follows directly); and (b) empirical spot-checks: §8.3 must empirically estimate the conditional distribution within a stratified sample of PQ cells (selected to include boundary cells, high-density cells, and cells near the support boundary of \mathcal{X}_{\text{white}}) on real LLaMA-2-7B embeddings, using the deployed floating-point format, to confirm consistency with the analytical bound. The empirical protocol must specify the sample size, stratification strategy, and the statistical confidence level of the min-entropy estimate. Note that literal enumeration of all 2^{256} PQ cells is infeasible; the verification strategy must rely on the analytical bound for universal coverage and empirical spot-checks for consistency confirmation. The outcome of MC4 (\kappa_{\text{achieved}}) determines the side-channel budget available for MC5: the joint condition \kappa_{\text{achieved}} - \ell_{\text{side}}^{\text{wc}} \geq 804 must be confirmed after both MC4 and MC5 are complete.
MC4b (Structural Conjecture): §8.2 must provide maximal evidence that \text{PQ} \circ \mathcal{W} does not admit exploitable algebraic structure enabling super-Grover quantum algorithms, including: (a) proofs that specific known quantum algorithmic paradigms (hidden subgroup, Simon's, Shor's, quantum walk) do not apply to \text{PQ} \circ \mathcal{W} under the stated parameters; (b) statistical tests for structure (Fourier analysis, autocorrelation, spectral tests) on representative instances; (c) a reduction showing that any quantum algorithm exploiting structure in \text{PQ} \circ \mathcal{W} would imply a breakthrough in a well-studied hardness problem; (d) the formal reduction from quantum mode-finding (Goal 2) to quantum unstructured search, proving that the \Omega(2^{\kappa/2}) Grover lower bound applies to the estimation problem under the pseudorandomness assumption, or else deriving the correct quantum query complexity for Goal 2 and adjusting \kappa_{\min} accordingly; and (e) specific analysis of the Dürr-Høyer quantum minimum finding algorithm (Dürr & Høyer, 1996) as the primary quantum threat to Goal 2—verifying that the near-uniformity of the conditional distribution under the whitening transformation ensures the Dürr-Høyer comparison oracle provides no exploitable probability gradient, and that the Rényi 2-entropy satisfies H_2(\mathcal{X}_{\text{white}} | \mathcal{Y} = y) \approx \kappa for all y, confirming that the Dürr-Høyer query complexity is indeed \Omega(2^{\kappa/2}) and not less. Note that the Goal 1 computational floor (\Omega(2^{128})) holds independently of this conjecture; MC4b is relevant specifically for the \kappa-based guessing-difficulty security argument governing Goal 2. If the conjecture cannot be substantiated to a confidence level comparable to standard cryptographic hardness assumptions, the hybrid cryptographic mode (ML-KEM + SLH-DSA) is activated as a mandatory complement rather than an optional fallback, and all \kappa-based thermodynamic-only security claims must be qualified accordingly.
MC5: §7.1 must derive \ell_{\text{side}}^{\text{wc}} \triangleq -\min_{y,z} \log_2 P(\mathcal{Z}=z|\mathcal{Y}=y) (the worst-case side-channel leakage parameter) for each side-channel model (timing, power, electromagnetic emanation, network-layer metadata) under explicit adversarial assumptions, using standard leakage models (e.g., the bounded leakage model, the noisy leakage model of Prouff and Rivain, 2013). The analysis must assume \mathcal{Z} is discrete (quantized); if continuous side-channel signals are present for any reference hardware platform, MC5 must additionally provide a mutual information upper bound I(\mathcal{X}_{\text{white}}; \mathcal{Z} | \mathcal{Y}) \leq \ell_{\text{side}}^{\text{cont}} and verify \kappa - \ell_{\text{side}}^{\text{cont}} \geq 804. The verification strategy must follow the two-stage approach described in §1.3.3: first an analytical upper bound on \ell_{\text{side}}^{\text{wc}}, then empirical spot-checks on a stratified sample of PQ cells on reference hardware (Raspberry Pi 5, iPhone 15 Pro). MC5 depends on the outcome of MC4: the side-channel budget available is \kappa_{\text{achieved}} - 804 bits, where \kappa_{\text{achieved}} is determined by MC4. MC5 must verify \ell_{\text{side}}^{\text{wc}} \leq \kappa_{\text{achieved}} - 804. Both the support size of \mathcal{Z} and the near-uniformity of P(\mathcal{Z}|\mathcal{Y}=y) across all cells must be established.
MC6: §9.2 must (a) prove Theorem 9.2 (Bidirectional Speculation) with the complete latency model including T_{\text{validate}}, (b) formally define the Speculation Barrier and prove that it preserves external linearizability, (c) characterize the set of speculation-safe vs. speculation-unsafe operations, (d) analyze the interaction between speculative execution and Byzantine fault tolerance—specifically, quantify the effect of Byzantine node fraction f/(3f+1) on the effective prediction success rate p_{\text{eff}} and derive the resulting degradation in \mathbb{E}[T_{\text{user}}], and (e) provide a sensitivity analysis of \mathbb{E}[T_{\text{user}}] as a function of \tau_H, C, p, and P_{\text{miss}} covering the full parameter space, including the worst-case performance bound \mathbb{E}[T_{\text{user}}] \leq (1 - p_{\min}) \cdot (N + C + \mathbb{E}[P_{\text{miss}}]) and the minimum prediction accuracy p_{\min} below which speculative execution provides no net benefit, with empirical characterization of the prediction headstart distribution P(\tau_H) for each application scenario (federated learning gradient synchronization, interactive LLM dialogue, batch inference).
MC7: The PoUW chapter must calibrate \lambda_D, \eta, \rho_{\text{CTLV}}, f_{\max}, \tau_{\text{ban}}, and prove the identity abandonment threshold. It must define the fault types applicable to Restricted Participants, verify that the reward-zeroing mechanism for faulty RP nodes eliminates single-epoch Sybil extraction attacks (formally: prove that no single-epoch strategy yields positive expected profit accounting for Client Puzzle cost), verify that the exponential puzzle backoff mechanism ensures strictly positive penalties for all (L_i, \mathbb{I}_{\text{fault}}(i)) combinations, and provide full debt dynamics analysis under consecutive faults including the conditions under which D_{\max} is reached. The consecutive-fault analysis must explicitly compute the total penalty \sum_{t'=t}^{t+k} \Pi_i^{(t')} for an FSMP faulting every epoch from L_i = L_{\text{threshold}} until demotion, and show that \sum \Pi_i^{(t')} + \text{opportunity cost of } L_{\text{threshold}} \text{ epochs of honest accumulation} exceeds \sum_{t'=t}^{t+k} R_i^{(t'),\text{gross}} for any rational adversary with discount rate \delta_{\text{discount}} \in (0,1). The PoUW chapter must also specify the funding source for \Phi_{\text{fault}}, prove that the stability constraint \Phi_{\text{fault}}^{(t)} < \zeta L_{\text{threshold}} \cdot \rho_{\text{CTLV}} is maintained under all protocol parameter dynamics including \rho_{\text{CTLV}} volatility (with circuit breaker mechanism specification, danger-window-free security proof, and recovery time bounds as detailed in the \rho_{\text{CTLV}} volatility section above), analyze the parallel multi-identity CTLV accumulation attack where a Tier 2 adversary simultaneously operates j devices for L_{\text{threshold}} epochs to prepare j sacrificial FSMP identities, explicitly analyze the multiplicative interaction between debt repayment and decay in the unified debt formula—particularly its effect on total debt convergence under consecutive-fault scenarios—and verify that the effective penalty accounting for debt decay forgiveness satisfies the strengthened stability constraint \Pi_0 \cdot \frac{R}{\lambda_D \Pi_0 + R} > \Phi_{\text{fault}} for all feasible (k, n, R). The PoUW chapter must also quantify the security degradation of CTLV non-transferability under partial TPM compromise (addressing the hardware trust assumption identified in §1.4.2) and specify the protocol's response to detected attestation key compromise events.
MC8: Appendix A must provide a TLC-verifiable complete TLA+ specification, implementing per-message delivery fairness via FIFO queue per sender-receiver pair with per-queue dequeue fairness (preferred over parameterized SF_vars(DeliverSpecificMessage(m)) due to TLC tractability), including: (a) the separation of mathematical soundness from TLC feasibility as described in §1.4.1: the soundness condition \text{MaxMessages} \geq |\text{CorrectNodes}| \times \text{GSTDeadline} \times \text{MaxMsgPerTick} is proved as a theorem (not enforced as an ASSUME), with TLC run at reduced parameters and the PreGSTMessageBudget canary invariant confirmed unviolated, and either a monotonicity argument or Apalache symbolic verification bridging the gap; (b) a TLC counterexample demonstrating that the unparameterized SF_vars(DeliverMessage) permits message starvation, confirming the necessity of per-message fairness; (c) the Speculation Barrier modeled as a TLA+ action with explicit pre/post-conditions, and linearizability preservation verified via a refinement mapping to a sequential specification; (d) every action in the Next disjunction explicitly constraining all six state variables (either via primed assignments or UNCHANGED), with no variable left existentially quantified; (e) a complete definition of ExplicitlyRejected(n) implementing all five rejection conditions enumerated in the TLA+ sketch above (Byzantine conflict detection, quorum unavailability, resource exhaustion, authentication failure, and timeout after GST), with verification that the liveness property is satisfiable under this complete definition in all Byzantine executions with n \geq 3f+1 correct nodes; (f) verification of the liveness property under the complete definition of ExplicitlyRejected; (g) a TLC counterexample demonstrating that the stronger property (without explicit rejection) is violated in a Byzantine execution; and (h) explicit confirmation that the liveness proof's critical path—from PendingWrite(n) to Committed(n) \/ ExplicitlyRejected(n)—is enabled entirely by post-GST message deliveries and node actions, validating the "a fortiori" claim for liveness under the standard DLS model. The documentation must explicitly state that the pre-GST communication blackout model is strictly stronger than standard DLS partial synchrony, and that all verified properties hold a fortiori under the standard DLS model.
MC9: §9.3 must state and prove Theorem 9.3 (Physical Entropy Wall), establishing that the combination of geographic distribution (G nodes across k jurisdictions), hardware diversity (h distinct hardware architectures), and temporal asynchrony (independent clock domains with bounded drift \epsilon_{\text{clock}}) creates a multi-dimensional entropy barrier. Specifically, §9.3 must quantify the minimum adversarial resources (number of compromised jurisdictions, hardware types, and synchronized attack windows) required to breach the physical entropy wall, and demonstrate that this exceeds the capabilities of the Tier 2 threat model defined in §1.3.3.

1.6 The Ideological Dimension: Digital Sovereignty in the Post-Quantum Era

When, in the course of human affairs, digital life ceases to be merely a tool and becomes the very foundation of governance, economy, and security—when cloud computing, artificial intelligence, and cryptography are no longer products but the infrastructure that decides who holds power—it becomes necessary for any community that values freedom and autonomy to declare plainly why the present order must change, what forces it opposes, and what future it intends to build.

We must regard the Mnemosyne Project not merely as a technical solution. It is a clear stance: in the post-quantum era, digital sovereignty must no longer be monopolized by a few central powers; it must return to the hands of every individual and every community.

We hold these truths to be self-evident:

First, in the twenty-first century, the core capabilities of cloud computing, AI training and inference, and cryptographic key exchange have come under the effective control of a vast alliance—Meta, Amazon, Microsoft, Apple, Nvidia, Google, and OpenAI. These corporations, intertwined with nation-state surveillance and interception systems (whether the Five Eyes network or equivalent state-level mechanisms), together form a global digital order built on centralization.

Second, the problem with this order goes far beyond simple market monopoly. It concentrates data flows into a handful of hubs, hands access decisions to algorithms, and stakes the security of the entire world on a single, quantum-vulnerable cryptographic culture (RSA, ECC, and the like). This design effectively ties financial systems, military communications, medical records, and personal identities to one single point of failure; when Q-Day arrives, the collapse will not be local—it will be systemic.

Third, the harms of this centralization are already visible and spreading:

Algorithmic colonialism: Many developing nations have become exporters of data and importers of computing power, forced to rely on foreign APIs, frameworks, GPUs, and cloud instances. Their languages, cultures, and lived experiences are harvested as fuel, only to be returned as priced, censored, and throttled services.
Surveillance capitalism: Every API call, every gradient update, every inference request can be logged, commodified, and—under state-level monitoring—tracked, linked, and reverse-engineered. This is not abstract fear; it is a documented reality, proven by programs such as PRISM and MUSCULAR and their modern equivalents.
Quantum vulnerability and the HNDL threat: When the world places its trust in one easily broken cryptographic foundation, "security" is simply delayed collapse. The Harvest Now, Decrypt Later strategy—already actively deployed by nation-state actors who intercept and archive encrypted communications today with the intent to decrypt them once quantum computers mature [2][6][8][9]—means that the quantum threat is not merely a future risk but a present one: data transmitted under today's cryptographic assumptions is already being collected for future exploitation [3][4]. A 2025 systematic literature review confirms that lattice-based PQC standards (ML-KEM, ML-DSA) represent the most mature mitigation, but these remain anchored in mathematical hardness assumptions that HNDL exploits across decade-long time horizons [10].

The urgency of quantum preparedness has intensified dramatically in 2025–2026. Security professionals have identified HNDL as their top concern regarding post-quantum cryptography preparedness [9]. Industry guidance now mandates that organizations finalize cryptographic inventories, prioritize systems using vulnerable algorithms, and prepare for deployment of NIST-standardized PQC algorithms without delay—the preparation window is actively closing. This institutional recognition validates Mnemosyne's fundamental thesis: the time to build post-quantum infrastructure is now, not after Q-Day.

Therefore, we offer a different vision: computational pluralism.

We assert that anyone with modest equipment (for example, a $35 Raspberry Pi) should be able to join the network, contribute computing power, earn rewards, and run AI inference without ever exposing their own data. Because when computation is decentralized, power itself is decentralized. When inference happens at the edge, on local devices, people no longer need to upload their lives to distant towers in exchange for convenience.

We also state clearly: Mnemosyne's physics-based security model offers a migration path that is not merely "quantum-resistant" (as PQC standards aim to be) but genuinely physics-grounded in the strongest sense—providing immunity to both known and unknown quantum algorithms, bounded only by the energy budget of the observable universe. This is a guarantee that no PQC scheme based on mathematical hardness assumptions can provide: if a lattice problem underlying ML-KEM is broken by a future cryptanalytic advance, HNDL-stored data encrypted today becomes immediately readable. Mnemosyne's physical barrier—grounded in Boltzmann's constant, Planck's constant, and the age of the universe—has no analogous vulnerability. Even if an adversary stores all transmitted PQ indices today and waits indefinitely, the physical barrier (Q3) remains the binding constraint, and its 10^{121} operations limit does not change with time. This immunity is permanent once the \kappa \geq 804 verification (§8.3) is completed—a one-time engineering measurement that closes the vulnerability window permanently, contrasted with PQC's open-ended exposure to future algorithmic breakthroughs.

We also state clearly: this is not an attack on anyone, nor is it an attempt to create new domination. It is closer to the Mohist ideal of aggressive defense—we do not strike first, but we firmly refuse to let any corporation or state seize information that another party does not wish to share. True security must rest on physically and mathematically verifiable limits; true sovereignty means every person and every community can build an impenetrable boundary around their own data.

Finally, we make this plain: this is not anarchy. It is federalism in cyberspace—power distributed among countless autonomous participants, yet order maintained through mathematical consensus (BFT, not violence) and economic incentives (PoUW, not taxation). We do not seek a world without rules; we seek a world without rules that force submission to a single center.

For these reasons, the Mnemosyne Project is not a minor improvement. It is a public declaration about who owns computation, who owns data, and who owns decision-making in the post-quantum age: the digital world's infrastructure belongs to everyone, not to a few.

1.7 Chapter Summary: The Architecture of Resistance

Mnemosyne is not merely a distributed computing protocol; it is a bold proposal for a post-quantum computing paradigm. It attempts to prove that we can use fundamental physical laws—thermodynamic irreversibility and quantum-mechanical speed limits—to protect privacy, use AI prediction to eliminate latency, and use global collaboration to break monopolies.

If successful, Mnemosyne will not replace existing cloud providers—it will render them optional. Users will have a choice: rent compute from AWS at $0.10/hour, or earn rewards by contributing their own devices to the Swarm. This is the essence of digital sovereignty—the freedom to exit centralized systems without sacrificing capability.

The revolution will not be centralized.

作者：Rosalind Pembrick

2026-03-06T03:01:01.255+00:00

Mnemosyne: Post-Quantum Distributed AI Infrastructure via Physical Security Barriers, Speculative Consensus, and Proof-of-Useful-Work on Heterogeneous Edge Networks

留言區