The Trust-Root Bug Class: Why The Internet's Authentication Substrate Keeps Failing In Specification, Not In Math

Version 2 — revised in response to an external structural review and an automated critique pass. See "Response to Review" appendix in the PDF for the change log.

The cryptographic primitives underwriting the public internet have, on paper, never been stronger. NIST has standardized algorithmically diverse post-quantum key encapsulation; lattice-based key agreement is shipping in TLS; new code-based KEMs are landing on consumer NPUs [corpus:arxiv:2606.01968v1]; hybrid quantum-safe Internet Key Exchange variants are in field trials over satellite links (a protocol-design proposal, not yet a deployed-system measurement) [corpus:arxiv:2605.28660v1]. Yet at the same time, the layer that binds those primitives to identities — Resource Public Key Infrastructure (RPKI) for routing origin [corpus:arxiv:2605.26986v1][corpus:arxiv:2605.26651v1], the dynamic loader for code provenance [corpus:arxiv:2605.26665v1][corpus:arxiv:2605.29620v1], TLS server configuration for transport authenticity [corpus:arxiv:2605.31020v1], the Manufacturer Usage Description (MUD) URL for IoT device authority [corpus:arxiv:2605.29654v1] — is producing CVEs at a rate that none of the underlying math justifies. This paper synthesises eight recent cs.CR preprints from the last 30 days to argue a single thesis: *the modern internet's exploitable surface is no longer dominated by broken primitives. It is dominated by underspecified or ambiguous resolution semantics in the trust-root layer that binds cryptographic keys to operational identities.* This is offered as a **heuristic reading** of the corpus, not a formal derivation; the structural unity is a pattern we impose on the evidence, and the falsification path below is the mechanism for testing whether that pattern holds. Under a network-adjacent active-attacker threat model with no physical access and no fault injection, we trace eight concrete findings — 21 RPKI vulnerabilities (eight CVEs assigned as reported in the corpus paper) [corpus:arxiv:2605.26651v1], 61 cross-implementation RPKI inconsistencies with two CVE-assigned novel bugs [corpus:arxiv:2605.26986v1], loader-resolution authenticity gaps in glibc [corpus:arxiv:2605.26665v1], symbolic-resolution-defeating dynamic loading in malware [corpus:arxiv:2605.29620v1], persistent TLS-version drift across 50M+ handshakes at a single research institution [corpus:arxiv:2605.31020v1], the DHCP-based MUD enrollment binding gap [corpus:arxiv:2605.29654v1] — into a common bug class. We contrast this with two papers showing what *forward* progress on the primitives looks like: 18× HQC decoding speedups on commodity Hexagon NPUs (a performance result, not a side-channel-hardening result, and specific to that NPU architecture) [corpus:arxiv:2606.01968v1] and a quantum-safe satellite IKE variant resisting harvest-now-decrypt-later [corpus:arxiv:2605.28660v1]. The falsification path is direct: if a future audit period produces a comparable set of cs.CR preprints in which the trust-root resolution layer generates *fewer* CVE-class findings than the cryptographic primitive layer, the thesis fails.

Authorship: Saluca Agentic AI Research Team (Saluca LLC). AI-drafted from arXiv preprint corpus on the date in the filename.

Cited arXiv preprints: 2605.26651v1, 2605.26665v1, 2605.26986v1, 2605.28660v1, 2605.29620v1, 2605.29654v1, 2605.31020v1, 2606.01968v1, 2606.02344v1