Parameter-Resident Cryptographic Material as an Unscoped Surface for Post-Quantum Migration: An Existence Proof and Audit Primitive

Federal post-quantum cryptography migration is scoped around three categories of cryptographic assets: libraries, protocols, and key stores. We argue that this scoping is incomplete. Cryptographic functions and key material can be realized in the parameters of machine learning models, and current open-source serialization-focused scanners we evaluated do not detect them. We provide an existence proof: a 30-layer feed-forward ReLU network that realizes AES-128 exactly, with the master key and all eleven round keys resident directly in layer bias vectors and recoverable by parsing. The construction validates bit-exactly against FIPS 197 and the NIST CAVP AESAVS known-answer subsets across 10⁴ random plaintext-key pairs, including under float32 quantization. We then argue analytically that ML-KEM and ML-DSA private keys hide more comfortably in modern weight tensors than AES keys do, not less, by virtue of their larger size and lower internal rigidity. The consequence under the harvest-now-decrypt-later threat model is that any long-lived cryptographic key embedded in an open-weights model artifact distributed today is recoverable by any future party with knowledge of the embedding scheme, without any quantum capability required. We propose a parameter-space cryptographic recognizer operating on structural, parametric, and functional signatures, integrated with cryptographic bill-of-materials tooling as a parameter_resident_cryptographic_content emission class extending the MBOM-PQC schema. The audit primitive is defense-in-depth: it closes the gap for known constructions and architectural fingerprints without claiming completeness against adaptive adversaries. We make no claim that any deployed model contains such an embedding; the contribution is the existence of the capability, the absence of detection, and the migration-scope consequence.