Compression as a Structural Precondition: Memory-Security Co-Design for Post-Quantum Federated AI at the Edge (Mnemosyne Part III)

This work presents Part III of the Mnemosyne system design — a post-quantum secure federated learning architecture targeting deployment on 2 GB edge devices. This part establishes that compression is not a post-hoc optimisation but a structural precondition for system existence at the edge: a 7-billion-parameter language model that cannot be deployed on a 2 GB device does not operate at reduced capacity — it does not exist at the edge. The central contribution is the Distortion-Utility-Security (D-U-S) framework, which jointly optimises over Soft-ZCA whitening strength (ε) and quantisation distortion (D) to derive the achievable Pareto frontier for downstream utility (U), subject to the hard constraint H∞^δ ≥ 804 bits — a security floor anchored to physical constants via the Margolus-Levitin quantum speed limit and Lloyd's universal computational bound. This constitutes the first three-dimensional compression-privacy design space in the federated learning literature, absent from prior frameworks including JoPEQ, CEPAM, and the perception-distortion framework of Blau and Michaeli (ICML 2019). Four original contributions are presented: (1) The D-U-S framework and bₑ-parameterised security ceiling characterisation, unifying four standard embedding precisions (bₑ ∈ 2, 4, 8, 16) within a continuous analytical framework and establishing that the security constraint is naturally satisfied with 80× margin at bₑ = 16 and retains full difficulty at bₑ = 2. (2) Security semantics for Key-Dependent Quantisation Centroids (KDC), a novel mechanism that perturbs Product Quantisation centroid positions as a function of a secret key, targeting H∞^δ maximisation — departing fundamentally from the distortion-minimisation objectives of GPTQ, AWQ, and the rotation family (SmoothQuant, QuaRot, SpinQuant). (3) Stochastic Ternary Whitening (STW) — to our knowledge the first whitening result on the ternary lattice −1, 0, +1ᵈ satisfying H∞^δ ≥ 804 and BitLinear arithmetic compatibility simultaneously, using discrete optimal transport via the Sinkhorn algorithm. (4) The first explicit security impact analysis of KV cache quantisation methods (Atom, PolarQuant, QJL) on the system-level security parameter H∞^δ, with scenario-specific analysis across bKV ∈ 1, 4, 8, 16. The work additionally demonstrates that standard quantisation methods are privacy-adversarial by design — GPTQ and AWQ concentrate statistical mass at quantisation centroids targeting MSE minimisation at the measurable cost of reducing conditional entropy κ, creating information leakage hotspots — and that ZCA whitening geometrically inverts this relationship by equalising variance across PQ subspaces to maximise residual entropy. This part belongs to an information-theoretic security track unrepresented in existing federated learning compression-privacy classifications, replacing differential privacy parameters (εdp, δdp) with smooth conditional min-entropy H∞^δ as the security measure — a substitution motivated not by preference but by the failure of DP to provide worst-case guarantees over embedding vector residual entropy, as experimentally confirmed by ALGEN (ACL 2025) and LAGO (arXiv: 2505. 16008, 2025).